X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/76d45d2f37f58d1a9703830d75ce8b56feae38c6..c7931c9aedd8e12fdd0df715dcefce0e0c95be6a:/openssh/auth2-gss.c diff --git a/openssh/auth2-gss.c b/openssh/auth2-gss.c index a192d28..1db62c4 100644 --- a/openssh/auth2-gss.c +++ b/openssh/auth2-gss.c @@ -47,11 +47,26 @@ extern ServerOptions options; +static void ssh_gssapi_userauth_error(Gssctxt *ctxt); static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_errtok(int, u_int32_t, void *); +static int gssapi_with_mic = 1; /* flag to toggle "gssapi-with-mic" vs. + "gssapi" */ + +static int +userauth_external(Authctxt *authctxt) +{ + packet_check_eom(); + + if (authctxt->valid && authctxt->user && authctxt->user[0]) { + return(PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw))); + } + return 0; +} + /* * The 'gssapi_keyex' userauth mechanism. */ @@ -59,8 +74,8 @@ static int userauth_gsskeyex(Authctxt *authctxt) { int authenticated = 0; - Buffer b; - gss_buffer_desc mic, gssbuf; + Buffer b, b2; + gss_buffer_desc mic, gssbuf, gssbuf2; u_int len; mic.value = packet_get_string(&len); @@ -74,13 +89,26 @@ userauth_gsskeyex(Authctxt *authctxt) gssbuf.value = buffer_ptr(&b); gssbuf.length = buffer_len(&b); + /* client may have used empty username to determine target + name from GSSAPI context */ + ssh_gssapi_buildmic(&b2, "", authctxt->service, "gssapi-keyex"); + + gssbuf2.value = buffer_ptr(&b2); + gssbuf2.length = buffer_len(&b2); + /* gss_kex_context is NULL with privsep, so we can't check it here */ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, - &gssbuf, &mic)))) - authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, - authctxt->pw)); + &gssbuf, &mic))) || + !GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, + &gssbuf2, &mic)))) { + if (authctxt->valid && authctxt->user && authctxt->user[0]) { + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, + authctxt->pw)); + } + } buffer_free(&b); + buffer_free(&b2); xfree(mic.value); return (authenticated); @@ -102,7 +130,10 @@ userauth_gssapi(Authctxt *authctxt) u_int len; u_char *doid = NULL; - if (!authctxt->valid || authctxt->user == NULL) + /* authctxt->valid may be 0 if we haven't yet determined + username from gssapi context. */ + + if (authctxt->user == NULL) return (0); mechs = packet_get_int(); @@ -172,7 +203,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) Gssctxt *gssctxt; gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; gss_buffer_desc recv_tok; - OM_uint32 maj_status, min_status, flags; + OM_uint32 maj_status, min_status, flags=0; u_int len; if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) @@ -190,6 +221,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) xfree(recv_tok.value); if (GSS_ERROR(maj_status)) { + ssh_gssapi_userauth_error(gssctxt); if (send_tok.length != 0) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); packet_put_string(send_tok.value, send_tok.length); @@ -197,7 +229,9 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) } authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); - userauth_finish(authctxt, 0, "gssapi-with-mic"); + userauth_finish(authctxt, 0, + gssapi_with_mic ? "gssapi-with-mic" : + "gssapi"); } else { if (send_tok.length != 0) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); @@ -206,7 +240,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) } if (maj_status == GSS_S_COMPLETE) { dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); - if (flags & GSS_C_INTEG_FLAG) + if (flags & GSS_C_INTEG_FLAG && gssapi_with_mic) dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, &input_gssapi_mic); else @@ -253,6 +287,32 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) gss_release_buffer(&maj_status, &send_tok); } +static void +gssapi_set_username(Authctxt *authctxt) +{ + char *lname = NULL; + + if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) { + PRIVSEP(ssh_gssapi_localname(&lname)); + if (lname && lname[0] != '\0') { + if (authctxt->user) xfree(authctxt->user); + authctxt->user = lname; + debug("set username to %s from gssapi context", lname); + authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user)); + if (authctxt->pw) { + authctxt->valid = 1; +#ifdef USE_PAM + if (options.use_pam) + PRIVSEP(start_pam(authctxt)); +#endif + } + } else { + debug("failed to set username from gssapi context"); + packet_send_debug("failed to set username from gssapi context"); + } + } +} + /* * This is called when the client thinks we've completed authentication. * It should only be enabled in the dispatch handler by the function above, @@ -269,6 +329,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) fatal("No authentication or GSSAPI context"); + gssapi_set_username(authctxt); + gssctxt = authctxt->methoddata; /* @@ -278,15 +340,35 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) packet_check_eom(); - authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, - authctxt->pw)); + /* user should be set if valid but we double-check here */ + if (authctxt->valid && authctxt->user && authctxt->user[0]) { + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, + authctxt->pw)); + } else { + authenticated = 0; + } authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); - userauth_finish(authctxt, authenticated, "gssapi-with-mic"); + userauth_finish(authctxt, authenticated, + gssapi_with_mic ? "gssapi-with-mic" : "gssapi"); +} + +static int +userauth_gssapi_with_mic(Authctxt *authctxt) +{ + gssapi_with_mic = 1; + return userauth_gssapi(authctxt); +} + +static int +userauth_gssapi_without_mic(Authctxt *authctxt) +{ + gssapi_with_mic = 0; + return userauth_gssapi(authctxt); } static void @@ -313,9 +395,15 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) gssbuf.value = buffer_ptr(&b); gssbuf.length = buffer_len(&b); + gssapi_set_username(authctxt); + if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) - authenticated = - PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)); + if (authctxt->valid && authctxt->user && authctxt->user[0]) { + authenticated = + PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)); + } else { + authenticated = 0; + } else logit("GSSAPI MIC check failed"); @@ -330,6 +418,29 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) userauth_finish(authctxt, authenticated, "gssapi-with-mic"); } +static void ssh_gssapi_userauth_error(Gssctxt *ctxt) { + char *errstr; + OM_uint32 maj,min; + + errstr=PRIVSEP(ssh_gssapi_last_error(ctxt,&maj,&min)); + if (errstr) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERROR); + packet_put_int(maj); + packet_put_int(min); + packet_put_cstring(errstr); + packet_put_cstring(""); + packet_send(); + packet_write_wait(); + xfree(errstr); + } +} + +Authmethod method_external = { + "external-keyx", + userauth_external, + &options.gss_authentication +}; + Authmethod method_gsskeyex = { "gssapi-keyex", userauth_gsskeyex, @@ -338,7 +449,13 @@ Authmethod method_gsskeyex = { Authmethod method_gssapi = { "gssapi-with-mic", - userauth_gssapi, + userauth_gssapi_with_mic, + &options.gss_authentication +}; + +Authmethod method_gssapi_compat = { + "gssapi", + userauth_gssapi_without_mic, &options.gss_authentication };