From 05ed7e1e54103c8fb7ba310aeb4c164ca3353a1b Mon Sep 17 00:00:00 2001
From: basney
Date: Tue, 1 Jul 2008 19:09:37 +0000
Subject: [PATCH] Add server-side GSSAPIDelegateCredentials option, enabled for use with the Match keyword, to control delegation on a per-user basis: http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=376

---
 openssh/servconf.c | 13 ++++++++++++-
 openssh/servconf.h | 1 +
 openssh/sshd.c | 2 +-
 openssh/sshd_config | 1 +
 openssh/sshd_config.5 | 4 ++++
 5 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/openssh/servconf.c b/openssh/servconf.c
index 54ab140..f906e10 100644
--- a/openssh/servconf.c
+++ b/openssh/servconf.c
@@ -94,7 +94,8 @@ initialize_server_options(ServerOptions *options)
 options->session_hooks_shutdown_cmd = NULL;
 #endif
 options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
 options->gss_keyex = -1;
 options->gss_cleanup_creds = -1;
 options->gss_strict_acceptor = -1;
@@ -221,6 +222,8 @@ fill_default_server_options(ServerOptions *options)
 options->kerberos_get_afs_token = 0;
 if (options->gss_authentication == -1)
 options->gss_authentication = 1;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 1;
 if (options->gss_keyex == -1)
 options->gss_keyex = 1;
 if (options->gss_cleanup_creds == -1)
@@ -353,6 +356,7 @@ typedef enum {
 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds,
+ sGssDelegateCreds,
 sGssStrictAcceptor, sGssKeyEx, sGssCredsPath,
@@ -418,6 +422,7 @@ static struct {
 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_ALL },
 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 { "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
@@ -427,6 +432,7 @@ static struct {
 #endif
 #else
 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapidelegatecredentials", sUnsupported, SSHCFG_ALL },
 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 { "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
@@ -980,6 +986,10 @@ parse_flag:
 intptr = &options->gss_authentication;
 goto parse_flag;
 
+ case sGssDelegateCreds:
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
 case sGssKeyEx:
 intptr = &options->gss_keyex;
 goto parse_flag;
@@ -1498,6 +1508,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
 M_CP_INTOPT(password_authentication);
 M_CP_INTOPT(gss_authentication);
+ M_CP_INTOPT(gss_deleg_creds);
 M_CP_INTOPT(rsa_authentication);
 M_CP_INTOPT(pubkey_authentication);
 M_CP_INTOPT(kerberos_authentication);
diff --git a/openssh/servconf.h b/openssh/servconf.h
index 26dfd2e..a0bc834 100644
--- a/openssh/servconf.h
+++ b/openssh/servconf.h
@@ -95,6 +95,7 @@ typedef struct {
 int kerberos_get_afs_token; /* If true, try to get AFS token if
 * authenticated with Kerberos. */
 int gss_authentication; /* If true, permit GSSAPI authentication */
+ int gss_deleg_creds; /* If true, store delegated GSSAPI credentials*/
 int gss_keyex; /* If true, permit GSSAPI key exchange */
 int gss_cleanup_creds; /* If true, destroy cred cache on logout */
 int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
diff --git a/openssh/sshd.c b/openssh/sshd.c
index f5fd963..f0c0a2f 100644
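Review bot: The comment on the new `gss_deleg_creds` field in the servconf.h hunk is missing the space before its closing delimiter, and its wording ("store delegated ... credentials") is narrower than the keyword name GSSAPIDelegateCredentials implies; since the only consumer this patch adds (sshd.c) gates `ssh_gssapi_storecreds()`, the field comment is the right place to make that scope explicit. Suggested line: `int gss_deleg_creds;	/* If true, store delegated GSSAPI creds in the user's cache */`. The enclosing typedef struct begins and ends outside the hunk.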
--- a/openssh/sshd.c
+++ b/openssh/sshd.c
@@ -1929,7 +1929,7 @@ main(int ac, char **av)
 #endif
 
 #ifdef GSSAPI
- if (options.gss_authentication) {
+ if (options.gss_authentication && options.gss_deleg_creds) {
 temporarily_use_uid(authctxt->pw);
 ssh_gssapi_storecreds();
 restore_uid();
diff --git a/openssh/sshd_config b/openssh/sshd_config
index 6b584e5..d096785 100644
--- a/openssh/sshd_config
+++ b/openssh/sshd_config
@@ -76,6 +76,7 @@ Protocol 2
 
 # GSSAPI options
 #GSSAPIAuthentication yes
+#GSSAPIDelegateCredentials yes
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange yes
diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5
index e07eb3b..98d2e07 100644
--- a/openssh/sshd_config.5
+++ b/openssh/sshd_config.5
@@ -365,6 +365,10 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIDelegateCredentials
+Specifies whether delegated credentials are stored in the user's environment.
+The default is
+.Dq yes .
 .It Cm GSSAPIKeyExchange
 Specifies whether key exchange based on GSSAPI is allowed.
 GSSAPI key exchange doesn't rely on ssh keys to verify host identity.
-- 
2.45.2
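Review bot: Gating only `ssh_gssapi_storecreds()` on `gss_deleg_creds` in the sshd.c hunk is narrower than the keyword name GSSAPIDelegateCredentials and the commit message ("control delegation") suggest: nothing else in this patch consults the field, so credentials a client has already forwarded are presumably still accepted earlier in the GSSAPI exchange and are merely never written into the user's credential cache (the sshd_config.5 text, "stored in the user's environment", matches that narrower reading). A comment above the check would keep the next reader from assuming delegation itself is refused, e.g. `/* gss_deleg_creds only decides whether already-delegated credentials are stored in the user's cache */`. If the intent is genuinely to refuse delegation per user, that has to happen where the delegated credentials are accepted, which is outside this hunk. main() starts and continues outside the hunk.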