&gssbuf2, &mic)))) {
if (authctxt->valid && authctxt->user && authctxt->user[0]) {
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
- authctxt->pw));
+ authctxt->pw,
+ 1 /* gssapi-keyex */));
}
}
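Review bot: The new third argument is passed as a bare `1` here and as a bare `0` at the two later call sites, with only the inline comments `/* gssapi-keyex */` and `/* !gssapi-keyex */` saying what it means. Further down this patch the same flag decides whether the monitor records `"gssapi-keyex"` or `"gssapi-with-mic"` as the method, so a swapped literal at one call site would mislabel the method without any compile-time signal. A pair of named constants declared next to the `ssh_gssapi_userok` prototype (or an enum) would make each call self-describing and let the comments go. The enclosing function starts and ends outside this hunk.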
/* user should be set if valid but we double-check here */
if (authctxt->valid && authctxt->user && authctxt->user[0]) {
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
- authctxt->pw));
+ authctxt->pw, 0 /* !gssapi-keyex */));
} else {
authenticated = 0;
}
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
if (authctxt->valid && authctxt->user && authctxt->user[0]) {
authenticated =
- PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw,
+ 0 /* !gssapi-keyex */));
} else {
authenticated = 0;
}
/* Privileged */
int
-ssh_gssapi_userok(char *user, struct passwd *pw)
+ssh_gssapi_userok(char *user, struct passwd *pw, int gssapi_keyex)
{
OM_uint32 lmin;
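Review bot: The added `gssapi_keyex` parameter has no documentation, and the lines shown here do not use it; the function body continues outside the hunk. A short comment above the definition would help, for example `/* gssapi_keyex: non-zero when called for the gssapi-keyex method, zero for gssapi-with-mic */`. It should also say whether the function's accept/reject decision depends on the flag, because the monitor passes in a value it received from the unprivileged process.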
mm_answer_gss_userok(int sock, Buffer *m)
{
int authenticated;
+ int gssapi_keyex;
if (!options.gss_authentication && !options.gss_keyex)
fatal("In GSSAPI monitor when GSSAPI is disabled");
+ gssapi_keyex = buffer_get_int(m);
+
authenticated = authctxt->valid &&
- ssh_gssapi_userok(authctxt->user, authctxt->pw);
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, gssapi_keyex);
buffer_clear(m);
buffer_put_int(m, authenticated);
debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
- auth_method = "gssapi-with-mic";
+ if (gssapi_keyex)
+ auth_method = "gssapi-keyex";
+ else
+ auth_method = "gssapi-with-mic";
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
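Review bot: `gssapi_keyex` is read from the request sent by the unprivileged process and then used unchecked, both as an argument to `ssh_gssapi_userok` and to choose the `auth_method` string the monitor records. The existing guard only calls `fatal` when both `options.gss_authentication` and `options.gss_keyex` are off, so with just one of them enabled the child can still claim the other method's name. Checking the claimed method against its own option right after `buffer_get_int(m)` would close that gap, e.g. `if (gssapi_keyex ? !options.gss_keyex : !options.gss_authentication) fatal("%s: GSSAPI method not enabled", __func__);`. If the monitor keeps its own record of whether the key exchange was GSSAPI, deriving the flag from that instead of from the message would be stronger, though no such state is visible in these lines.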
int
-mm_ssh_gssapi_userok(char *user, struct passwd *pw)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw, int gssapi_keyex)
{
Buffer m;
int authenticated = 0;
buffer_init(&m);
+ buffer_put_int(&m, gssapi_keyex);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK,
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-int mm_ssh_gssapi_userok(char *user, struct passwd *);
+int mm_ssh_gssapi_userok(char *user, struct passwd *, int gssapi_keyex);
OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
int mm_ssh_gssapi_localname(char **user);
int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name, struct passwd *);
+int ssh_gssapi_userok(char *name, struct passwd *, int gssapi_keyex);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);