X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/d037a8b0691afd8685d1a1202b3bf88c9542a8a9..c7931c9aedd8e12fdd0df715dcefce0e0c95be6a:/openssh/monitor.c
diff --git a/openssh/monitor.c b/openssh/monitor.c
index bc018a4..e0434d5 100644
--- a/openssh/monitor.c
+++ b/openssh/monitor.c
@@ -174,6 +174,7 @@ int mm_answer_gss_sign(int, Buffer *);
 int mm_answer_gss_error(int, Buffer *);
 int mm_answer_gss_indicate_mechs(int, Buffer *);
 int mm_answer_gss_localname(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -265,6 +266,7 @@ struct mon_table mon_dispatch_postauth20[] = {
 {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
 {MONITOR_REQ_GSSERR, 0, mm_answer_gss_error},
 {MONITOR_REQ_GSSMECHS, 0, mm_answer_gss_indicate_mechs},
+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
 #endif
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
@@ -1737,9 +1739,11 @@ mm_get_kex(Buffer *m)
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 #ifdef GSSAPI
- kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
- kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
- kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+ }
 #endif
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
@@ -1940,6 +1944,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
 OM_uint32 major;
 u_int len;
 
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 goid.elements = buffer_get_string(m, &len);
 goid.length = len;
 
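Review bot: In mm_get_kex the KEX_GSS_* slots of kex->kex[] are now left unset when options.gss_keyex is off, which is only safe if the server's KEXINIT proposal built elsewhere drops the gss-* method names under the same condition; if it does not, a peer that selects a GSS method would presumably reach an unset kex->kex[] function pointer. A one-line comment on the new `if` would make that coupling visible, e.g. `/* the kex proposal must also omit gss-* names when gss_keyex is off */`. The body of mm_get_kex continues outside the hunk.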
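Review bot: The guard `if (!options.gss_authentication && !options.gss_keyex) fatal("In GSSAPI monitor when GSSAPI is disabled");` added at the top of mm_answer_gss_setup_ctx is repeated verbatim in mm_answer_gss_accept_ctx, mm_answer_gss_checkmic, mm_answer_gss_userok and the relocated mm_answer_gss_sign; a single `static void mm_gss_check_enabled(void)` helper called at the top of each handler would keep the policy in one place and make it harder to omit from the next GSSAPI handler. Including `__func__` in the fatal message would also identify which request tripped it in the log. The body of mm_answer_gss_setup_ctx continues outside the hunk.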
@@ -1967,6 +1974,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 OM_uint32 flags = 0; /* GSI needs this */
 u_int len;
 
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 in.value = buffer_get_string(m, &len);
 in.length = len;
 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1997,6 +2007,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
 OM_uint32 ret;
 u_int len;
 
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 gssbuf.value = buffer_get_string(m, &len);
 gssbuf.length = len;
 mic.value = buffer_get_string(m, &len);
@@ -2023,7 +2036,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
 int authenticated;
 
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+ authenticated = authctxt->valid &&
+ ssh_gssapi_userok(authctxt->user, authctxt->pw);
 buffer_clear(m);
 buffer_put_int(m, authenticated);
 
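Review bot: The new call `ssh_gssapi_userok(authctxt->user, authctxt->pw)` in mm_answer_gss_userok hands the callee authctxt->pw, which presumably is only populated once authctxt->valid is set, so the `authctxt->valid &&` short-circuit is what keeps a NULL pw away from ssh_gssapi_userok(); that dependency is worth stating, e.g. `/* valid implies pw was resolved; keep the && order */`. Whether ssh_gssapi_userok() itself tolerates a NULL pw is not visible here. mm_answer_gss_userok continues outside the hunk.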
@@ -2037,43 +2054,6 @@ mm_answer_gss_userok(int sock, Buffer *m)
 return (authenticated);
 }
-int
-mm_answer_gss_sign(int socket, Buffer *m)
-{
- gss_buffer_desc data;
- gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
- OM_uint32 major, minor;
- u_int len;
-
- data.value = buffer_get_string(m, &len);
- data.length = len;
- if (data.length != 20)
- fatal("%s: data length incorrect: %d", __func__, (int)data.length);
-
- /* Save the session ID on the first time around */
- if (session_id2_len == 0) {
- session_id2_len = data.length;
- session_id2 = xmalloc(session_id2_len);
- memcpy(session_id2, data.value, session_id2_len);
- }
- major = ssh_gssapi_sign(gsscontext, &data, &hash);
-
- xfree(data.value);
-
- buffer_clear(m);
- buffer_put_int(m, major);
- buffer_put_string(m, hash.value, hash.length);
-
- mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
-
- gss_release_buffer(&minor, &hash);
-
- /* Turn on getpwnam permissions */
- monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
-
- return (0);
-}
-
 int
 mm_answer_gss_error(int socket, Buffer *m)
 {
 OM_uint32 major,minor;
@@ -2137,6 +2117,74 @@ mm_answer_gss_localname(int socket, Buffer *m) {
 
 return(0);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+ gss_buffer_desc data;
+ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major, minor;
+ u_int len;
+
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+ data.value = buffer_get_string(m, &len);
+ data.length = len;
+ if (data.length != 20)
+ fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length);
+
+ /* Save the session ID on the first time around */
+ if (session_id2_len == 0) {
+ session_id2_len = data.length;
+ session_id2 = xmalloc(session_id2_len);
+ memcpy(session_id2, data.value, session_id2_len);
+ }
+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+ xfree(data.value);
+
+ buffer_clear(m);
+ buffer_put_int(m, major);
+ buffer_put_string(m, hash.value, hash.length);
+
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+ gss_release_buffer(&minor, &hash);
+
+ /* Turn on getpwnam permissions */
+ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+ /* And credential updating, for when rekeying */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+
+ return (0);
+}
+
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+ ssh_gssapi_ccache store;
+ int ok;
+
+ store.filename = buffer_get_string(m, NULL);
+ store.envvar = buffer_get_string(m, NULL);
+ store.envval = buffer_get_string(m, NULL);
+
+ ok = ssh_gssapi_update_creds(&store);
+
+ xfree(store.filename);
+ xfree(store.envvar);
+ xfree(store.envval);
+
+ buffer_clear(m);
+ buffer_put_int(m, ok);
+
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+ return(0);
+}
+
 #endif /* GSSAPI */
 
 #ifdef JPAKE
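Review bot: mm_answer_gss_updatecreds is the one GSSAPI handler in this change without the `if (!options.gss_authentication && !options.gss_keyex) fatal("In GSSAPI monitor when GSSAPI is disabled");` guard that the relocated mm_answer_gss_sign directly above it receives; add the same two lines before the first buffer_get_string() so every GSSAPI request the monitor serves is refused when the feature is off by configuration, rather than relying only on the monitor_permit() call in mm_answer_gss_sign. The three strings read from the child are passed straight to ssh_gssapi_update_creds(); whether that function validates store.filename against the cache it created is not visible here and deserves a comment on the handler. The function also has no doc comment — one stating that it is only permitted after a successful gss_sign and is meant for rekeying (per the `/* And credential updating, for when rekeying */` comment) would help.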