-/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
#include "msg.h"
#include "pathnames.h"
#include "uidswap.h"
+#include "schnorr.h"
#include "jpake.h"
#ifdef GSSAPI
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
+extern Kex *xxx_kex;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
/*
* SSH2 key exchange
void userauth_jpake_cleanup(Authctxt *);
#ifdef GSSAPI
+int userauth_external(Authctxt *authctxt);
int userauth_gssapi(Authctxt *authctxt);
+int userauth_gssapi_with_mic(Authctxt *authctxt);
+int userauth_gssapi_without_mic(Authctxt *authctxt);
void input_gssapi_response(int type, u_int32_t, void *);
void input_gssapi_token(int type, u_int32_t, void *);
void input_gssapi_hash(int type, u_int32_t, void *);
#ifdef GSSAPI
{"gssapi-keyex",
userauth_gsskeyex,
+ NULL,
+ &options.gss_authentication,
+ NULL},
+ {"external-keyx",
+ userauth_external,
+ NULL,
&options.gss_authentication,
NULL},
{"gssapi-with-mic",
NULL,
&options.gss_authentication,
NULL},
+ {"gssapi",
+ userauth_gssapi,
+ NULL,
+ &options.gss_authentication,
+ NULL},
#endif
{"hostbased",
userauth_hostbased,
pubkey_cleanup(&authctxt);
dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+ /* if the user wants to use the none cipher do it */
+ /* post authentication and only if the right conditions are met */
+ /* both of the NONE commands must be true and there must be no */
+ /* tty allocated */
+ if ((options.none_switch == 1) && (options.none_enabled == 1))
+ {
+ if (!tty_flag) /* no null on tty sessions */
+ {
+ debug("Requesting none rekeying...");
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+ kex_prop2buf(&xxx_kex->my,myproposal);
+ packet_request_rekeying();
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
+ }
+ else
+ {
+ /* requested NONE cipher when in a tty */
+ debug("Cannot switch to NONE cipher with tty allocated");
+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
+ }
+ }
debug("Authentication succeeded (%s).", authctxt.method->name);
}
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
- const char *gss_host;
+ char *gss_host = NULL;
+
+ if (!options.gss_authentication) {
+ verbose("GSSAPI authentication disabled.");
+ return 0;
+ }
if (options.gss_trust_dns)
- gss_host = get_canonical_hostname(1);
+ gss_host = (char *)get_canonical_hostname(1);
else
- gss_host = authctxt->host;
+ gss_host = (char *)authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */
- if (!(flags & GSS_C_INTEG_FLAG)) {
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
+ (!(flags & GSS_C_INTEG_FLAG))) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
packet_send();
} else {
xfree(lang);
}
+#ifdef GSI
+extern
+const gss_OID_desc * const gss_mech_globus_gssapi_openssl;
+#define is_gsi_oid(oid) \
+ (oid->length == gss_mech_globus_gssapi_openssl->length && \
+ (memcmp(oid->elements, gss_mech_globus_gssapi_openssl->elements, \
+ oid->length) == 0))
+#endif
+
+int
+userauth_external(Authctxt *authctxt)
+{
+ static int attempt = 0;
+
+ if (attempt++ >= 1)
+ return 0;
+
+ /* The client MUST NOT try this method if initial key exchange
+ was not performed using a GSSAPI-based key exchange
+ method. */
+ if (gss_kex_context == NULL) {
+ debug2("gsskex not performed, skipping external-keyx");
+ return 0;
+ }
+
+ debug2("userauth_external");
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
+#ifdef GSI
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ packet_put_cstring("");
+ } else {
+#endif
+ packet_put_cstring(authctxt->server_user);
+#ifdef GSI
+ }
+#endif
+ packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name);
+ packet_send();
+ packet_write_wait();
+ return 1;
+}
int
userauth_gsskeyex(Authctxt *authctxt)
{
return (0);
}
- ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
- "gssapi-keyex");
+#ifdef GSI
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
+ } else {
+#endif
+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex");
+#ifdef GSI
+ }
+#endif
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
}
packet_start(SSH2_MSG_USERAUTH_REQUEST);
+#ifdef GSI
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ packet_put_cstring("");
+ } else {
+#endif
packet_put_cstring(authctxt->server_user);
+#ifdef GSI
+ }
+#endif
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
packet_put_string(mic.value, mic.length);