X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/5262cbfbbd270876de2cd547ff0032d85b1d2640..HEAD:/openssh/sshconnect2.c
diff --git a/openssh/sshconnect2.c b/openssh/sshconnect2.c
index 7c4e84e..c4136d5 100644
--- a/openssh/sshconnect2.c
+++ b/openssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -68,6 +68,7 @@
 #include "msg.h"
 #include "pathnames.h"
 #include "uidswap.h"
+#include "schnorr.h"
 #include "jpake.h"
 #ifdef GSSAPI
@@ -78,6 +79,12 @@
 extern char *client_version_string;
 extern char *server_version_string;
 extern Options options;
+extern Kex *xxx_kex;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
 /* tty_flag is set in ssh.c. use this in ssh_userauth2 */
 /* if it is set then prevent the switch to the null cipher */
@@ -133,7 +140,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 else
 gss_host = host;
- gss = ssh_gssapi_client_mechanisms(gss_host);
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
 if (gss) {
 debug("Offering GSSAPI proposal: %s", gss);
 xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
@@ -176,6 +183,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
 "%s,null", orig);
+ xfree(gss);
 }
 #endif
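Review bot: In the `@@ -78,6 +79,12 @@` hunk the added lines re-declare `extern int tty_flag;` under a fresh copy of the two-line tty_flag comment, directly above the pre-existing copy of that same comment, so the new side reads the comment twice and presumably (the original declaration lies past the hunk's end) declares the flag twice. A repeated extern is legal C, but it is noise for the next reader and looks like a merge that was never cleaned up. Keep `extern Kex *xxx_kex;` and drop the five added lines after it, leaving the original comment/declaration pair where it was.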
@@ -189,18 +197,23 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 #ifdef GSSAPI
- kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
- kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
- kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+ }
 #endif
 kex->client_version_string=client_version_string;
 kex->server_version_string=server_version_string;
 kex->verify_host_key=&verify_host_key_callback;
 #ifdef GSSAPI
- kex->gss_deleg_creds = options.gss_deleg_creds;
- kex->gss_trust_dns = options.gss_trust_dns;
- kex->gss_host = gss_host;
+ if (options.gss_keyex) {
+ kex->gss_deleg_creds = options.gss_deleg_creds;
+ kex->gss_trust_dns = options.gss_trust_dns;
+ kex->gss_client = options.gss_client_identity;
+ kex->gss_host = gss_host;
+ }
 #endif
 xxx_kex = kex;
@@ -285,10 +298,7 @@ int userauth_jpake(Authctxt *);
 void userauth_jpake_cleanup(Authctxt *);
 #ifdef GSSAPI
-int userauth_external(Authctxt *authctxt);
 int userauth_gssapi(Authctxt *authctxt);
-int userauth_gssapi_with_mic(Authctxt *authctxt);
-int userauth_gssapi_without_mic(Authctxt *authctxt);
 void input_gssapi_response(int type, u_int32_t, void *);
 void input_gssapi_token(int type, u_int32_t, void *);
 void input_gssapi_hash(int type, u_int32_t, void *);
@@ -312,10 +322,7 @@ Authmethod authmethods[] = {
 #ifdef GSSAPI
 {"gssapi-keyex",
 userauth_gsskeyex,
- &options.gss_authentication,
- NULL},
- {"external-keyx",
- userauth_external,
+ NULL,
 &options.gss_authentication,
 NULL},
 {"gssapi-with-mic",
@@ -323,10 +330,6 @@ Authmethod authmethods[] = {
 NULL,
 &options.gss_authentication,
 NULL},
- {"gssapi",
- userauth_gssapi,
- &options.gss_authentication,
- NULL},
 #endif
 {"hostbased",
 userauth_hostbased,
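Review bot: Registering `kexgss_client` only when `options.gss_keyex` is set, as the first hunk on this line now does, leaves `kex->kex[KEX_GSS_*]` unset whenever that option is off, so any gss-* method the client still advertises in `myproposal[PROPOSAL_KEX_ALGS]` (built in the `@@ -133` hunk of ssh_kex2, whose enclosing condition is outside that hunk) could be selected by the server with no handler behind it. If that proposal block is not already under the same `options.gss_keyex` test, guard it so the offer and the handler table cannot disagree; if it is, a one-line comment above the new `if (options.gss_keyex) {` saying so, `/* kexgss_client is only wired up when the proposal above offered gss-* methods */`, would save the next reader the check. ssh_kex2 starts and ends outside the hunk.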
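Review bot: The rebuilt `"gssapi-keyex"` entry in the `@@ -312,10 +322,7 @@` hunk is still enabled by `&options.gss_authentication`, while the kex handlers it depends on are now registered only under `options.gss_keyex` (first hunk on this line), so with GSSAPI authentication on and GSSAPI key exchange off `userauth_gsskeyex` is offered although no GSSAPI key exchange can have taken place. The deleted `userauth_external` carried an explicit `if (gss_kex_context == NULL) return 0;` guard for exactly this case; the body of `userauth_gsskeyex` is outside this hunk, so please confirm it has the same check or add it. Dropping the `"external-keyx"` and `"gssapi"` entries (this hunk and `@@ -323`) also changes which method names the client offers, which deserves a line in the changelog or README, since peers that only implement those legacy names may stop authenticating via GSSAPI.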
@@ -651,14 +654,18 @@ userauth_gssapi(Authctxt *authctxt)
 * once. */
 if (gss_supported == NULL)
- gss_indicate_mechs(&min, &gss_supported);
+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
+ gss_supported = NULL;
+ return 0;
+ }
 /* Check to see if the mechanism is usable before we offer it */
 while (mech < gss_supported->count && !ok) {
 /* My DER encoding requires length<128 */
 if (gss_supported->elements[mech].length < 128 &&
 ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], gss_host)) {
+ &gss_supported->elements[mech], gss_host,
+ options.gss_client_identity)) {
 ok = 1; /* Mechanism works */
 } else {
 mech++;
@@ -877,39 +884,6 @@ const gss_OID_desc * const gss_mech_globus_gssapi_openssl;
 oid->length) == 0))
 #endif
-int
-userauth_external(Authctxt *authctxt)
-{
- static int attempt = 0;
-
- if (attempt++ >= 1)
- return 0;
-
- /* The client MUST NOT try this method if initial key exchange
- was not performed using a GSSAPI-based key exchange
- method. */
- if (gss_kex_context == NULL) {
- debug2("gsskex not performed, skipping external-keyx");
- return 0;
- }
-
- debug2("userauth_external");
- packet_start(SSH2_MSG_USERAUTH_REQUEST);
-#ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- packet_put_cstring("");
- } else {
-#endif
- packet_put_cstring(authctxt->server_user);
-#ifdef GSI
- }
-#endif
- packet_put_cstring(authctxt->service);
- packet_put_cstring(authctxt->method->name);
- packet_send();
- packet_write_wait();
- return 1;
-}
 int
 userauth_gsskeyex(Authctxt *authctxt)
 {
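Review bot: In the `@@ -651,14 +654,18 @@` hunk the new braced `if (GSS_ERROR(...))` is nested directly under the unbraced `if (gss_supported == NULL)`, which is the dangling-else shape: an `else` added to either statement later binds to the inner one. Brace the outer statement, `if (gss_supported == NULL) {` … `}`, so the structure is explicit. The failure branch also returns 0 silently, leaving no hint in the debug output why GSSAPI was skipped; a `debug("gss_indicate_mechs failed, skipping GSSAPI");` before `return 0;` would match how this file reports its other GSSAPI decisions (compare the `debug("Offering GSSAPI proposal: %s", gss)` in ssh_kex2). userauth_gssapi starts and ends outside the hunk.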
@@ -928,12 +902,12 @@ userauth_gsskeyex(Authctxt *authctxt)
 }
 #ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
 } else {
 #endif
- ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
- "gssapi-keyex");
+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex");
 #ifdef GSI
 }
 #endif
@@ -948,8 +922,8 @@ userauth_gsskeyex(Authctxt *authctxt)
 packet_start(SSH2_MSG_USERAUTH_REQUEST);
 #ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- packet_put_cstring("");
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ packet_put_cstring("");
 } else {
 #endif
 packet_put_cstring(authctxt->server_user);