From 85740ad298cbf045f4037fc0a6c00aca85ccd733 Mon Sep 17 00:00:00 2001
From: jbasney
Date: Sat, 17 Jan 2004 04:51:35 +0000
Subject: [PATCH] remove GSSAPI authentication support for SSH protocol 1
---
 openssh/auth1.c | 174 --------------
 openssh/auth2-gss.c | 51 ----
 openssh/auth2.c | 17 --
 openssh/gss-genr.c | 13 -
 openssh/monitor.c | 47 ----
 openssh/monitor.h | 1 -
 openssh/monitor_wrap.c | 29 ---
 openssh/monitor_wrap.h | 4 -
 openssh/packet.c | 7 -
 openssh/packet.h | 1 -
 openssh/ssh-gss.h | 4 -
 openssh/ssh1.h | 9 -
 openssh/ssh_config.5 | 6 +-
 openssh/sshconnect1.c | 521 -----------------------------------------
 openssh/sshd.c | 47 ----
 15 files changed, 4 insertions(+), 927 deletions(-)
diff --git a/openssh/auth1.c b/openssh/auth1.c
index 9e4a293..dfe944d 100644
--- a/openssh/auth1.c
+++ b/openssh/auth1.c
@@ -15,7 +15,6 @@ RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
 #include "ssh1.h"
-#include "dispatch.h"
 #include "packet.h"
 #include "buffer.h"
 #include "mpaux.h"
@@ -31,132 +30,6 @@ RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $"); /* import */ extern ServerOptions options; -#ifdef GSSAPI -#ifdef GSI -#include "globus_gss_assist.h" -#endif - -extern Authmethod method_gssapi; - -int userauth_gssapi(Authctxt *authctxt); - -void -auth1_gss_protocol_error(int type, u_int32_t plen, void *ctxt) -{ - Authctxt *authctxt = ctxt; - /* Other side told us to abort, dont need to tell him */ - /* maybe we can use some other method. */ - if (type == SSH_MSG_AUTH_GSSAPI_ABORT) { - logit("auth1: GSSAPI aborting"); - dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL); - authctxt->success = 1; /* get out of loop*/ - return; - } - - logit("auth1: protocol error: type %d plen %d", type, plen); - packet_disconnect("Protocol error during GSSAPI authentication: " - "Unknown packet type %d", type); -} - -#ifdef GSI -int -gsi_gridmap(char *subject_name, char **mapped_name) -{ -#ifdef GLOBUS_GSI_GSS_ASSIST_MODULE - if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) { - return 0; - } -#endif - return(globus_gss_assist_gridmap(subject_name, mapped_name) == 0); -} -#endif - -/* - * SSH1 GSSAPI clients may send us a user name of the form: - * - * (1) username:x:SSL Subject Name - * or - * (2) username:i:SSL Subject Name - * or - * (3) username - * - * if case 1, then uname is an explicit name (ssh -l uname). Keep this - * name always, rewrite the user parameter to be just uname. We'll pull - * the GSSAPI idenity out and deal with (or skip it) later. - * - * if case 2, then uname is implicit (user didn't use the -l option), so - * use the default gridmap mapping and replace uname with whatever - * the gridmap maps to. If the gridmap mapping fails, drop down - * to just uname - * - * if case 3, then leave it be. - * - * This function may return the original pointer to the orginal string, - * the original pointer to a modified string, or a completely new pointer. 
- */ -static char * -ssh1_gssapi_parse_userstring(char *userstring) -{ - char name_type = '\0'; /* explicit 'x' or implicit 'i' */ - char *ssl_subject_name = NULL; - char *delim = NULL; - - debug("Looking at username '%s' for gssapi-ssleay type name", userstring); - if((delim = strchr(userstring, ':')) != NULL) { - /* Parse and split into components */ - ssl_subject_name = strchr(delim + 1, ':'); - - if (ssl_subject_name) { - /* Successful parse, split into components */ - *delim = '\0'; - name_type = *(delim + 1); - *ssl_subject_name = '\0'; - ssl_subject_name++; - - debug("Name parsed. type = '%c'. ssl subject name is \"%s\"", - name_type, ssl_subject_name); - - } else { - - debug("Don't understand name format. Letting it pass."); - } - } - -#ifdef GSI - if(ssl_subject_name) { - char *gridmapped_name = NULL; - switch (name_type) { - case 'x': - debug("explicit name given, using %s as username", userstring); - break; - - case 'i': - /* gridmap check */ - debug("implicit name given. gridmapping '%s'", ssl_subject_name); - - PRIVSEP(gsi_gridmap(ssl_subject_name, &gridmapped_name)); - if (gridmapped_name && gridmapped_name[0] != '\0') { - userstring = gridmapped_name; - debug("I gridmapped and got %s", userstring); - - } else { - debug("I gridmapped and got null, reverting to %s", userstring); - } - break; - - default: - debug("Unknown name type '%c'. Ignoring.", name_type); - break; - } - } else { - debug("didn't find any :'s so I assume it's just a user name"); - } -#endif /* GSI */ - - return userstring; -} -#endif - /* * convert ssh auth msg type into description */ @@ -176,10 +49,6 @@ get_authname(int type) case SSH_CMSG_AUTH_TIS: case SSH_CMSG_AUTH_TIS_RESPONSE: return "challenge-response"; -#if defined(GSSAPI) - case SSH_CMSG_AUTH_GSSAPI: - return "gssapi"; -#endif } snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); return buf; 
@@ -246,44 +115,6 @@ do_authloop(Authctxt *authctxt) /* Process the packet. */ switch (type) { -#ifdef GSSAPI - case SSH_CMSG_AUTH_GSSAPI: - if (!options.gss_authentication) { - verbose("GSSAPI authentication disabled."); - break; - } - /* - * GSSAPI was first added to ssh1 in ssh-1.2.27, and - * was added to the SecurtCRT product. In order - * to continue operating with these, we will add - * the equivelent GSSAPI support to SSH1. - * Will use the gssapi routines from the ssh2 as - * they are almost identical. But they use dispatch - * so we need to setup the dispatch tables here - * auth1.c for use only by the gssapi code. - * Since we already have the packet, we will call - * userauth_gssapi then start the dispatch loop. - */ - if (!authctxt->valid) { - packet_disconnect("Authentication rejected for invalid user"); - } - dispatch_init(&auth1_gss_protocol_error); - method_gssapi.userauth(authctxt); - if (!authctxt->postponed) { /* failed before starting dispatch */ - authctxt->success = 0; - authctxt->postponed = 0; - break; - } - dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); - if (authctxt->postponed) { /* failed, try other methods */ - authctxt->success = 0; - authctxt->postponed = 0; - break; - } - authenticated = 1; - break; -#endif /* GSSAPI */ - case SSH_CMSG_AUTH_RHOSTS_RSA: if (!options.rhosts_rsa_authentication) { verbose("Rhosts with RSA authentication disabled."); @@ -458,11 +289,6 @@ do_authentication(void) user = packet_get_string(&ulen); packet_check_eom(); -#ifdef GSSAPI - /* Parse GSSAPI identity from userstring */ - user = ssh1_gssapi_parse_userstring(user); -#endif /* GSSAPI */ - if ((style = strchr(user, ':')) != NULL) *style++ = '\0'; diff --git a/openssh/auth2-gss.c b/openssh/auth2-gss.c index 252c1b9..559dac4 100644 --- a/openssh/auth2-gss.c +++ b/openssh/auth2-gss.c @@ -30,7 +30,6 @@ #include "auth.h" #include "ssh2.h" -#include "ssh1.h" #include "xmalloc.h" #include "log.h" #include "dispatch.h" 
@@ -42,7 +41,6 @@ #include "ssh-gss.h" extern ServerOptions options; -unsigned char ssh1_key_digest[16]; static int userauth_external(Authctxt *authctxt) @@ -116,26 +114,14 @@ userauth_gssapi(Authctxt *authctxt) authctxt->methoddata=(void *)ctxt; - if (!compat20) { - - packet_start(SSH_SMSG_AUTH_GSSAPI_RESPONSE); - packet_put_string(oid.elements,oid.length); - - } else { - packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); /* Return OID in same format as we received it*/ packet_put_string(doid, len); - } /* !compat20 */ - packet_send(); xfree(doid); - if (!compat20) - dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, &input_gssapi_token); - else dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); authctxt->postponed = 1; @@ -170,32 +156,21 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) if (GSS_ERROR(maj_status)) { ssh_gssapi_userauth_error(gssctxt); if (send_tok.length != 0) { - if (!compat20) - packet_start(SSH_MSG_AUTH_GSSAPI_TOKEN); - else packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); packet_put_string(send_tok.value, send_tok.length); packet_send(); } authctxt->postponed = 0; - dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); userauth_finish(authctxt, 0, "gssapi"); } else { if (send_tok.length != 0) { - if (!compat20) - packet_start(SSH_MSG_AUTH_GSSAPI_TOKEN); - else packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); packet_put_string(send_tok.value, send_tok.length); packet_send(); } if (maj_status == GSS_S_COMPLETE) { - dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); - if (!compat20) - input_gssapi_exchange_complete(0, 0, ctxt); - else dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, &input_gssapi_exchange_complete); } 
@@ -230,7 +205,6 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) xfree(recv_tok.value); /* We can't return anything to the client, even if we wanted to */ - dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); @@ -279,27 +253,6 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) gssctxt = authctxt->methoddata; - /* ssh1 needs to exchange the hash of the keys */ - if (!compat20) { - - OM_uint32 min_status; - gss_buffer_desc dummy, msg_tok; - - /* ssh1 wraps the keys, in the monitor */ - - dummy.value=malloc(sizeof(ssh1_key_digest)); - memcpy(dummy.value,ssh1_key_digest,sizeof(ssh1_key_digest)); - dummy.length=sizeof(ssh1_key_digest); - if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(gssctxt,&dummy,&msg_tok)))) - fatal("Couldn't wrap keys"); - - packet_start(SSH_SMSG_AUTH_GSSAPI_HASH); - packet_put_string((char *)msg_tok.value,msg_tok.length); - packet_send(); - packet_write_wait(); - gss_release_buffer(&min_status,&msg_tok); - } - /* * We don't need to check the status, because the stored credentials * which userok uses are only populated once the context init step @@ -324,9 +277,6 @@ static void ssh_gssapi_userauth_error(Gssctxt *ctxt) { errstr=PRIVSEP(ssh_gssapi_last_error(ctxt,&maj,&min)); if (errstr) { - if (!compat20) { - packet_send_debug(errstr); - } else { packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERROR); packet_put_int(maj); packet_put_int(min); @@ -335,7 +285,6 @@ static void ssh_gssapi_userauth_error(Gssctxt *ctxt) { packet_send(); packet_write_wait(); xfree(errstr); - } } } diff --git a/openssh/auth2.c b/openssh/auth2.c index 57b391f..7c0dc57 100644 --- a/openssh/auth2.c +++ b/openssh/auth2.c @@ -26,7 +26,6 @@ RCSID("$OpenBSD: auth2.c,v 1.102 2003/08/26 09:58:43 markus Exp $"); #include "ssh2.h" -#include "ssh1.h" #include "xmalloc.h" #include "packet.h" #include "log.h" 
@@ -288,9 +287,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) #endif /* _UNICOS */ /* Log before sending the reply */ - if (!compat20) - auth_log(authctxt, authenticated, method, " ssh1"); - else auth_log(authctxt, authenticated, method, " ssh2"); if (authctxt->postponed) @@ -300,26 +296,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) if (authenticated == 1) { /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); - if (compat20) { packet_start(SSH2_MSG_USERAUTH_SUCCESS); packet_send(); packet_write_wait(); - } /* now we can break out */ authctxt->success = 1; } else { if (authctxt->failures++ > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); - if (!compat20) { - /* - * Break out of the dispatch loop now and go back to - * SSH1 code. We need to set the 'success' flag to - * break out of the loop. Set the 'postponed' flag to - * tell the SSH1 code that authentication failed. The - * SSH1 code will handle sending SSH_SMSG_FAILURE. - */ - authctxt->success = authctxt->postponed = 1; - } else { methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); @@ -327,7 +311,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) packet_send(); packet_write_wait(); xfree(methods); - } } } diff --git a/openssh/gss-genr.c b/openssh/gss-genr.c index 5af081b..1d08e5b 100644 --- a/openssh/gss-genr.c +++ b/openssh/gss-genr.c 
@@ -436,19 +436,6 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) { OM_uint32 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *buffer, gss_buffer_desc *hash) { - /* ssh1 needs to exchange the hash of the keys */ - /* will us this hash to return it */ - if (!compat20) { - if ((ctx->major=gss_wrap(&ctx->minor,ctx->context, - 0, - GSS_C_QOP_DEFAULT, - buffer, - NULL, - hash))) - ssh_gssapi_error(ctx); - } - else - if ((ctx->major=gss_get_mic(&ctx->minor,ctx->context, GSS_C_QOP_DEFAULT, buffer, hash))) { ssh_gssapi_error(ctx); diff --git a/openssh/monitor.c b/openssh/monitor.c index b06e0f7..21fd681 100644 --- a/openssh/monitor.c +++ b/openssh/monitor.c @@ -146,10 +146,6 @@ int mm_answer_gss_indicate_mechs(int, Buffer *); int mm_answer_gss_localname(int, Buffer *); #endif -#ifdef GSI -int mm_answer_gsi_gridmap(int, Buffer *); -#endif - static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -255,9 +251,6 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSMECHS, MON_ISAUTH, mm_answer_gss_indicate_mechs}, #endif -#ifdef GSI - {MONITOR_REQ_GSIGRIDMAP, MON_PERMIT, mm_answer_gsi_gridmap}, -#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start}, {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, @@ -270,12 +263,6 @@ struct mon_table mon_dispatch_proto15[] = { }; struct mon_table mon_dispatch_postauth15[] = { -#ifdef GSSAPI - {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, - {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, - {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, - {MONITOR_REQ_GSSMECHS, 0, mm_answer_gss_indicate_mechs}, -#endif {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, 
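Review bot: The GSSAPI rows left in mon_dispatch_proto15 by the monitor.c @@ -255 hunk (MONITOR_REQ_GSSUSEROK and MONITOR_REQ_GSSMECHS are visible in its context; any rows above them are outside the hunk) appear to become unreachable once the @@ -337 hunk drops the monitor_permit calls for MONITOR_REQ_GSSMECHS and MONITOR_REQ_GSSERR from the protocol-1 preauth setup, since nothing in the patched protocol-1 path should request them any more. Keeping handlers in the monitor's protocol-1 dispatch table that the unprivileged child is never expected to use leaves a GSSAPI code path reachable from that table only by a later mistake, so removing the whole #ifdef GSSAPI block there, as the @@ -270 hunk already does for mon_dispatch_postauth15, would match the intent of the commit. If a row has to stay for some reason I cannot see from the hunk, a comment such as `/* protocol 1 no longer negotiates GSSAPI; these rows are never permitted */` would record why.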
@@ -337,13 +324,6 @@ monitor_child_preauth(struct monitor *pmonitor) mon_dispatch = mon_dispatch_proto15; monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); -#ifdef GSSAPI - monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1); -#endif -#ifdef GSI - monitor_permit(mon_dispatch, MONITOR_REQ_GSIGRIDMAP, 1); -#endif } authctxt = authctxt_new(); @@ -1802,33 +1782,6 @@ monitor_reinit(struct monitor *mon) mon->m_sendfd = pair[1]; } -#ifdef GSI - -int -mm_answer_gsi_gridmap(int socket, Buffer *m) { - char *subject, *name; - - subject = buffer_get_string(m, NULL); - - gsi_gridmap(subject, &name); - - buffer_clear(m); - if (name) { - buffer_put_cstring(m, name); - debug3("%s: sending result %s", __func__, name); - xfree(name); - } else { - buffer_put_cstring(m, ""); - debug3("%s: sending result \"\"", __func__); - } - - mm_request_send(socket, MONITOR_ANS_GSIGRIDMAP, m); - - return(0); -} - -#endif /* GSI */ - #ifdef GSSAPI int mm_answer_gss_setup_ctx(int socket, Buffer *m) diff --git a/openssh/monitor.h b/openssh/monitor.h index ac538d0..ce76ab6 100644 --- a/openssh/monitor.h +++ b/openssh/monitor.h @@ -55,7 +55,6 @@ enum monitor_reqtype { MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, MONITOR_REQ_GSSMECHS, MONITOR_ANS_GSSMECHS, MONITOR_REQ_GSSLOCALNAME, MONITOR_ANS_GSSLOCALNAME, - MONITOR_REQ_GSIGRIDMAP, MONITOR_ANS_GSIGRIDMAP, MONITOR_REQ_GSSERR, MONITOR_ANS_GSSERR, MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, diff --git a/openssh/monitor_wrap.c b/openssh/monitor_wrap.c index 08bac5e..3137b48 100644 --- a/openssh/monitor_wrap.c +++ b/openssh/monitor_wrap.c 
@@ -1233,32 +1233,3 @@ mm_ssh_gssapi_localname(char **lname) return(0); } #endif /* GSSAPI */ - -#ifdef GSI -int mm_gsi_gridmap(char *subject_name, char **lname) -{ - Buffer m; - - buffer_init(&m); - buffer_put_cstring(&m, subject_name); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSIGRIDMAP, &m); - - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSIGRIDMAP, - &m); - - *lname = buffer_get_string(&m, NULL); - - buffer_free(&m); - if (lname[0] == '\0') { - debug3("%s: gssapi identity %s mapping failed", __func__, - subject_name); - } else { - debug3("%s: gssapi identity %s mapped to %s", __func__, - subject_name, *lname); - } - - return(0); - -} - -#endif /* GSI */ diff --git a/openssh/monitor_wrap.h b/openssh/monitor_wrap.h index 59aedbf..19c75e4 100644 --- a/openssh/monitor_wrap.h +++ b/openssh/monitor_wrap.h @@ -87,10 +87,6 @@ char *mm_ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *maj, OM_uint32 *min); #endif -#ifdef GSI -int mm_gsi_gridmap(char *subject_name, char **mapped_name); -#endif - void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); void mm_session_pty_cleanup2(void *); diff --git a/openssh/packet.c b/openssh/packet.c index 7534148..02b629f 100644 --- a/openssh/packet.c +++ b/openssh/packet.c @@ -1256,13 +1256,6 @@ packet_get_string(u_int *length_ptr) return buffer_get_string(&incoming_packet, length_ptr); } -/* Clears incoming data buffer */ - -void packet_get_all(void) -{ - buffer_clear(&incoming_packet); -} - /* * Sends a diagnostic message from the server to the client. This message * can be sent at any time (but not while constructing another message). The diff --git a/openssh/packet.h b/openssh/packet.h index 1793030..7732faf 100644 --- a/openssh/packet.h +++ b/openssh/packet.h 
@@ -54,7 +54,6 @@ void packet_get_bignum(BIGNUM * value); void packet_get_bignum2(BIGNUM * value); void *packet_get_raw(int *length_ptr); void *packet_get_string(u_int *length_ptr); -void packet_get_all(void); void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2))); void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff --git a/openssh/ssh-gss.h b/openssh/ssh-gss.h index 18ba713..08d102a 100644 --- a/openssh/ssh-gss.h +++ b/openssh/ssh-gss.h @@ -139,10 +139,6 @@ void ssh_gssapi_cleanup_creds(void *ignored); void ssh_gssapi_storecreds(void); char *ssh_gssapi_server_mechanisms(); -#ifdef GSI -int gsi_gridmap(char *subject_name, char **mapped_name); -#endif - #ifdef MECHGLUE gss_cred_id_t __gss_get_mechanism_cred (gss_cred_id_t, /* union_cred */ diff --git a/openssh/ssh1.h b/openssh/ssh1.h index 4cfe2a3..98d1dc9 100644 --- a/openssh/ssh1.h +++ b/openssh/ssh1.h @@ -70,13 +70,6 @@ #define SSH_MSG_CHANNEL_INPUT_EOF SSH_MSG_CHANNEL_CLOSE #define SSH_MSG_CHANNEL_OUTPUT_CLOSE SSH_MSG_CHANNEL_CLOSE_CONFIRMATION -/* GSS-API authentication */ -#define SSH_CMSG_AUTH_GSSAPI 88 /* int, strings... */ -#define SSH_SMSG_AUTH_GSSAPI_RESPONSE 89 /* string */ -#define SSH_MSG_AUTH_GSSAPI_TOKEN 90 /* string */ -#define SSH_SMSG_AUTH_GSSAPI_HASH 91 /* string */ -#define SSH_MSG_AUTH_GSSAPI_ABORT 92 /* */ - /* * Authentication methods. New types can be added, but old types should not * be removed for compatibility. The maximum allowed value is 31. @@ -91,8 +84,6 @@ /* 8 to 15 are reserved */ #define SSH_PASS_AFS_TOKEN 21 -#define SSH_AUTH_GSSAPI 24 - /* Protocol flags. These are bit masks. */ #define SSH_PROTOFLAG_SCREEN_NUMBER 1 /* X11 forwarding includes screen */ #define SSH_PROTOFLAG_HOST_IN_FWD_OPEN 2 /* forwarding opens contain host */ diff --git a/openssh/ssh_config.5 b/openssh/ssh_config.5 index e15dd9b..f38622b 100644 --- a/openssh/ssh_config.5 +++ b/openssh/ssh_config.5 
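Review bot: The ssh1.h @@ -91 hunk deletes `#define SSH_AUTH_GSSAPI 24` directly under the comment saying that old authentication types should not be removed for compatibility and that values are limited to 31, and the @@ -70 hunk does the same for message types 88 through 92; once the names are gone nothing stops a later addition from reusing those numbers against peers that still implement this extension. Keep the numbers reserved with a comment in place of each removed block, e.g. `/* 24 was SSH_AUTH_GSSAPI (removed); do not reuse */` and `/* 88-92 were SSH_CMSG_AUTH_GSSAPI .. SSH_MSG_AUTH_GSSAPI_ABORT (removed); do not reuse */`. The macros themselves can stay deleted, since as far as this patch shows their last users are removed in the same commit.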
@@ -343,16 +343,18 @@ the result of a successful key exchange, or using GSSAPI user authentication. The default is .Dq yes . +Note that this option applies to protocol version 2 only. .It Cm GSSAPIKeyExchange Specifies whether key exchange based on GSSAPI may be used. When using GSSAPI key exchange the server need not have a host key. The default is .Dq yes . +Note that this option applies to protocol version 2 only. .It Cm GSSAPIDelegateCredentials -Specifies whether GSSAPI credentials will be delegated (forwarded) to -the server. +Forward (delegate) credentials to the server. The default is .Dq yes . +Note that this option applies to protocol version 2 only. .It Cm HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. diff --git a/openssh/sshconnect1.c b/openssh/sshconnect1.c index 8d358e1..2f89964 100644 --- a/openssh/sshconnect1.c +++ b/openssh/sshconnect1.c @@ -37,17 +37,6 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $"); #include "canohost.h" #include "auth.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#include "bufaux.h" - -/* - * MD5 hash of host and session keys for verification. This is filled - * in in ssh_login() and then checked in try_gssapi_authentication(). - */ -unsigned char ssh_key_digest[16]; -#endif /* GSSAPI */ - /* Session id for the current session. */ u_char session_id[16]; u_int supported_authentications = 0; 
@@ -472,401 +461,6 @@ try_password_authentication(char *prompt) return 0; } -#ifdef GSSAPI -#ifdef GSI -static gss_OID_desc gsioid={9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"}; -char * get_gsi_name() -{ - gss_name_t pname = GSS_C_NO_NAME; - gss_buffer_desc tmpname; - gss_buffer_t tmpnamed = &tmpname; - char *retname=NULL; - gss_OID_set oidset; - gss_cred_id_t gss_cred = GSS_C_NO_CREDENTIAL; - Gssctxt *ctx = NULL; - - ssh_gssapi_build_ctx(&ctx); - - gss_create_empty_oid_set(&ctx->minor,&oidset); - gss_add_oid_set_member(&ctx->minor,&gsioid,&oidset); - ssh_gssapi_set_oid(ctx,&gsioid); - ctx->major = gss_acquire_cred(&ctx->minor, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - oidset, - GSS_C_INITIATE, - &gss_cred, - NULL, - NULL); - - if (ctx->major != GSS_S_COMPLETE) { - goto cleanup; - } - - debug("calling gss_inquire_cred"); - ctx->major = gss_inquire_cred(&ctx->minor, - gss_cred, - &pname, - NULL, - NULL, - NULL); - if (ctx->major != GSS_S_COMPLETE) { - goto cleanup; - } - - ctx->major = gss_display_name(&ctx->minor, - pname, - tmpnamed, - NULL); - if (ctx->major != GSS_S_COMPLETE) { - goto cleanup; - } - debug("gss_display_name finsished"); - retname = xmalloc(tmpname.length + 1); - memcpy(retname, tmpname.value, tmpname.length); - retname[tmpname.length] = '\0'; - - gss_release_name(&ctx->minor, &pname); - gss_release_buffer(&ctx->minor, tmpnamed); - - cleanup: - if (!retname) { - debug("Failed to set GSI username from credentials"); - ssh_gssapi_error(ctx); - } - if (ctx) ssh_gssapi_delete_ctx(&ctx); - return retname; -} -#endif /* GSI */ - -int try_gssapi_authentication(char *host, Options *options) -{ - char *service_name = NULL; - gss_buffer_desc name_tok; - gss_buffer_desc send_tok; - gss_buffer_desc recv_tok; - gss_buffer_desc *token_ptr; - gss_name_t target_name = NULL; - gss_ctx_id_t gss_context; - gss_OID_desc mech_oid; - gss_OID name_type; - gss_OID_set gss_mechs, my_mechs; - int my_mech_num, i; - int ret_stat = 0; /* 1 == success */ - OM_uint32 req_flags = 0; 
- OM_uint32 ret_flags; - int type; - char *xhost; - unsigned int slen; - Gssctxt *ctx = NULL; - - ssh_gssapi_build_ctx(&ctx); - - xhost = xstrdup(get_canonical_hostname(1)); - resolve_localhost(&xhost); - - /* - * Default flags - */ - req_flags |= GSS_C_REPLAY_FLAG; - - /* Do mutual authentication */ - req_flags |= GSS_C_MUTUAL_FLAG; - - service_name = (char *) xmalloc(strlen("host") + - strlen(xhost) + - 2 /* 1 for '@', 1 for NUL */); - - sprintf(service_name, "host@%s", xhost); - - xfree(xhost); - xhost = NULL; - - name_type = GSS_C_NT_HOSTBASED_SERVICE; - - debug("Service name is %s", service_name); - - /* Forward credentials? */ - if(options->gss_deleg_creds) { - debug("Delegating GSSAPI credentials"); - req_flags |= GSS_C_DELEG_FLAG; - } - - debug("req_flags = %u", (unsigned int)req_flags); - - name_tok.value = service_name; - name_tok.length = strlen(service_name) + 1; - ctx->major = gss_import_name(&ctx->minor, &name_tok, - name_type, &target_name); - - free(service_name); - service_name = NULL; - - if (ctx->major != GSS_S_COMPLETE) { - ssh_gssapi_error(ctx); - goto cleanup; - } - - ctx->major = gss_indicate_mechs(&ctx->minor, &gss_mechs); - - if (ctx->major != GSS_S_COMPLETE) { - ssh_gssapi_error(ctx); - goto cleanup; - } - - /* The GSSAPI supports the mechs in gss_mechs, but which ones do - we have credentials for? We only get one try, so we don't want - to propose a mechanism we know is going to fail. */ - ctx->major = gss_create_empty_oid_set(&ctx->minor, &my_mechs); - for (i=0; icount; i++) { - if (ssh_gssapi_check_mechanism(&(gss_mechs->elements[i]), host)) { - ctx->major = gss_add_oid_set_member(&ctx->minor, - &(gss_mechs->elements[i]), - &my_mechs); - } - } - - if (my_mechs->count == 0) { - debug("No GSSAPI mechanisms."); - goto cleanup; - } - - /* - * Send over a packet to the daemon, letting it know we're doing - * GSSAPI and our mech_oid(s). 
- */ - debug("Sending mech oid(s) to server"); - packet_start(SSH_CMSG_AUTH_GSSAPI); - packet_put_int(my_mechs->count); /* Number of mechs we're sending */ -#ifdef GSI - { - int present; - /* Send GSI before Kerberos, because if GSI fails, we can always - fall back and try regular Kerberos authentication with our - Kerberos cred. */ - ctx->major = gss_test_oid_set_member(&ctx->minor, &gsioid, - my_mechs, &present); - if (present) { - packet_put_string(gsioid.elements,gsioid.length); - } - } -#endif - for (my_mech_num = 0; my_mech_num < my_mechs->count; my_mech_num++) { -#ifdef GSI - /* Skip GSI. We already sent it above. */ - if ((my_mechs->elements[my_mech_num].length == - gsioid.length) && - memcmp(my_mechs->elements[my_mech_num].elements, - gsioid.elements, - my_mechs->elements[my_mech_num].length) == 0) { - continue; - } -#endif - packet_put_string(my_mechs->elements[my_mech_num].elements, - my_mechs->elements[my_mech_num].length); - } - packet_send(); - packet_write_wait(); - - /* - * Get reply from the daemon to see if our mech was acceptable - */ - type = packet_read(); - - switch (type) { - case SSH_SMSG_AUTH_GSSAPI_RESPONSE: - debug("Server accepted mechanism"); - /* Successful negotiation */ - break; - - case SSH_MSG_AUTH_GSSAPI_ABORT: - case SSH_SMSG_FAILURE: - debug("Unable to negotiate GSSAPI mechanism type with server"); - packet_get_all(); - goto cleanup; - - default: - packet_disconnect("Protocol error during GSSAPI authentication:" - " packet type %d received", - type); - /* Does not return */ - } - - /* Read the mechanism the server returned */ - mech_oid.elements = packet_get_string(&slen); - mech_oid.length = slen; /* safe typecast */ - packet_get_all(); - - ssh_gssapi_set_oid(ctx, &mech_oid); - - /* - * Perform the context-establishement loop. - * - * On each pass through the loop, token_ptr points to the token - * to send to the server (or GSS_C_NO_BUFFER on the first pass). 
- * Every generated token is stored in send_tok which is then - * transmitted to the server; every received token is stored in - * recv_tok, which token_ptr is then set to, to be processed by - * the next call to gss_init_sec_context. - * - * GSS-API guarantees that send_tok's length will be non-zero - * if and only if the server is expecting another token from us, - * and that gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if - * and only if the server has another token to send us. - */ - - token_ptr = GSS_C_NO_BUFFER; - gss_context = GSS_C_NO_CONTEXT; - - do { - ctx->major = - gss_init_sec_context(&ctx->minor, - GSS_C_NO_CREDENTIAL, - &gss_context, - target_name, - ctx->oid, - req_flags, - 0, - NULL, /* no channel bindings */ - token_ptr, - NULL, /* ignore mech type */ - &send_tok, - &ret_flags, - NULL); /* ignore time_rec */ - - if (token_ptr != GSS_C_NO_BUFFER) - (void) gss_release_buffer(&ctx->minor, &recv_tok); - - if (ctx->major != GSS_S_COMPLETE && ctx->major != GSS_S_CONTINUE_NEEDED) { - ssh_gssapi_error(ctx); - - /* Send an abort message */ - packet_start(SSH_MSG_AUTH_GSSAPI_ABORT); - packet_send(); - packet_write_wait(); - - goto cleanup; - } - - if (send_tok.length != 0) { - debug("Sending authenticaton token..."); - packet_start(SSH_MSG_AUTH_GSSAPI_TOKEN); - packet_put_string((char *) send_tok.value, send_tok.length); - packet_send(); - packet_write_wait(); - - (void) gss_release_buffer(&ctx->minor, &send_tok); - } - - if (ctx->major == GSS_S_CONTINUE_NEEDED) { - - debug("Continue needed. 
Reading response..."); - - type = packet_read(); - - switch(type) { - - case SSH_MSG_AUTH_GSSAPI_TOKEN: - /* This is what we expected */ - break; - - case SSH_MSG_AUTH_GSSAPI_ABORT: - case SSH_SMSG_FAILURE: - debug("Server aborted GSSAPI authentication."); - packet_get_all(); - goto cleanup; - - default: - packet_disconnect("Protocol error during GSSAPI authentication:" - " packet type %d received", - type); - /* Does not return */ - } - - recv_tok.value = packet_get_string(&slen); - recv_tok.length=slen; /* safe typecast */ - packet_get_all(); - token_ptr = &recv_tok; - } - } while (ctx->major == GSS_S_CONTINUE_NEEDED); - - /* Success */ - ret_stat = 1; - - debug("GSSAPI authentication successful"); - - /* - * Read hash of host and server keys and make sure it - * matches what we got earlier. - */ - debug("Reading hash of server and host keys..."); - type = packet_read(); - - if (type == SSH_MSG_AUTH_GSSAPI_ABORT || type == SSH_SMSG_FAILURE) { - debug("Server aborted GSSAPI authentication."); - packet_get_all(); - ret_stat = 0; - goto cleanup; - - } else if (type == SSH_SMSG_AUTH_GSSAPI_HASH) { - gss_buffer_desc wrapped_buf; - gss_buffer_desc unwrapped_buf; - int conf_state; - gss_qop_t qop_state; - - - wrapped_buf.value = packet_get_string(&slen); - wrapped_buf.length=slen; /* safe typecast */ - packet_get_all(); - - ctx->major = gss_unwrap(&ctx->minor, - gss_context, - &wrapped_buf, - &unwrapped_buf, - &conf_state, - &qop_state); - - if (ctx->major != GSS_S_COMPLETE) { - ssh_gssapi_error(ctx); - packet_disconnect("Verification of SSHD keys through GSSAPI-secured channel failed: " - "Unwrapping of hash failed."); - } - - if (unwrapped_buf.length != sizeof(ssh_key_digest)) { - packet_disconnect("Verification of SSHD keys through GSSAPI-secured channel failed: " - "Size of key hashes do not match (%d != %d)!", - (int)unwrapped_buf.length, - (int)sizeof(ssh_key_digest)); - } - - if (memcmp(ssh_key_digest, unwrapped_buf.value, sizeof(ssh_key_digest)) != 0) { - 
packet_disconnect("Verification of SSHD keys through GSSAPI-secured channel failed: " - "Hashes don't match!"); - } - - debug("Verified SSHD keys through GSSAPI-secured channel."); - - gss_release_buffer(&ctx->minor, &unwrapped_buf); - - } else { - packet_disconnect("Protocol error during GSSAPI authentication:" - "packet type %d received", type); - /* Does not return */ - } - - - cleanup: - if (target_name != NULL) - (void) gss_release_name(&ctx->minor, &target_name); - if (ctx) - ssh_gssapi_delete_ctx(&ctx); - - return ret_stat; -} - -#endif /* GSSAPI */ - - /* * SSH1 key exchange */ @@ -918,45 +512,6 @@ ssh_kex(char *host, struct sockaddr *hostaddr) logit("Warning: This may be due to an old implementation of ssh."); } -#ifdef GSSAPI - { - MD5_CTX md5context; - Buffer buf; - unsigned char *data; - unsigned int data_len; - - /* - * Hash the server and host keys. Later we will check them against - * a hash sent over a secure channel to make sure they are legit. - */ - debug("Calculating MD5 hash of server and host keys..."); - - /* Write all the keys to a temporary buffer */ - buffer_init(&buf); - - /* Server key */ - buffer_put_bignum(&buf, server_key->rsa->e); - buffer_put_bignum(&buf, server_key->rsa->n); - - /* Host key */ - buffer_put_bignum(&buf, host_key->rsa->e); - buffer_put_bignum(&buf, host_key->rsa->n); - - /* Get the resulting data */ - data = (unsigned char *) buffer_ptr(&buf); - data_len = buffer_len(&buf); - - /* And hash it */ - MD5_Init(&md5context); - MD5_Update(&md5context, data, data_len); - MD5_Final(ssh_key_digest, &md5context); - - /* Clean up */ - buffer_clear(&buf); - buffer_free(&buf); - } -#endif /* GSSAPI */ - /* Get protocol flags. */ server_flags = packet_get_int(); packet_set_protocol_flags(server_flags); 
@@ -1099,67 +654,17 @@ void ssh_userauth1(const char *local_user, const char *server_user, char *host, Sensitive *sensitive) { -#ifdef GSSAPI -#ifdef GSI - const char *save_server_user = NULL; -#endif /* GSI */ -#endif /* GSSAPI */ - int i, type; if (supported_authentications == 0) fatal("ssh_userauth1: server supports no auth methods"); -#ifdef GSSAPI -#ifdef GSI - /* if no user given, tack on the subject name after the server_user. - * This will allow us to run gridmap early to get real user - * This name will start with /C= - */ - if ((supported_authentications & (1 << SSH_AUTH_GSSAPI)) && - options.gss_authentication) { - char * retname; - char * newname; - - - save_server_user = server_user; - - retname = get_gsi_name(); - - if (retname) { - debug("passing gssapi name '%s'", retname); - if (server_user) { - newname = (char *) malloc(strlen(retname) + strlen(server_user) + 4); - if (newname) { - strcpy(newname, server_user); - if(options.implicit) { - strcat(newname,":i:"); - } else { - strcat(newname,":x:"); - } - strcat(newname, retname); - server_user = newname; - free(retname); - } - } - } - debug("server_user %s", server_user); - } -#endif /* GSI */ -#endif /* GSSAPI */ - /* Send the name of the user to log in as on the server. */ packet_start(SSH_CMSG_USER); packet_put_cstring(server_user); packet_send(); packet_write_wait(); -#if defined(GSI) - if(save_server_user) - { - server_user = save_server_user; - } -#endif /* * The server should respond with success if no authentication is * needed (the user has no password). Otherwise the server responds 
@@ -1173,32 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host, if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); -#ifdef GSSAPI - /* Try GSSAPI authentication */ - if ((supported_authentications & (1 << SSH_AUTH_GSSAPI)) && - options.gss_authentication) - { - char *canonhost; - int gssapi_succeeded; - debug("Trying GSSAPI authentication..."); - canonhost = xstrdup(get_canonical_hostname(1)); - resolve_localhost(&canonhost); - gssapi_succeeded = try_gssapi_authentication(canonhost, &options); - xfree(canonhost); - canonhost=NULL; - - if (gssapi_succeeded) { - type = packet_read(); - if (type == SSH_SMSG_SUCCESS) - goto success; - if (type != SSH_SMSG_FAILURE) - packet_disconnect("Protocol error: got %d in response to GSSAPI auth", type); - } - - debug("GSSAPI authentication failed"); - } -#endif /* GSSAPI */ - /* * Try .rhosts or /etc/hosts.equiv authentication with RSA host * authentication. diff --git a/openssh/sshd.c b/openssh/sshd.c index e4dcf89..b0e6ed6 100644 --- a/openssh/sshd.c +++ b/openssh/sshd.c @@ -1645,10 +1645,6 @@ do_ssh1_kex(void) auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; if (options.rsa_authentication) auth_mask |= 1 << SSH_AUTH_RSA; -#ifdef GSSAPI - if (options.gss_authentication) - auth_mask |= 1 << SSH_AUTH_GSSAPI; -#endif if (options.challenge_response_authentication == 1) auth_mask |= 1 << SSH_AUTH_TIS; if (options.password_authentication) 
@@ -1742,49 +1738,6 @@ do_ssh1_kex(void) for (i = 0; i < 16; i++) session_id[i] = session_key[i] ^ session_key[i + 16]; } - -#ifdef GSSAPI - /* - * Before we destroy the host and server keys, hash them so we can - * send the hash over to the client via a secure channel so that it - * can verify them. - */ - { - MD5_CTX md5context; - Buffer buf; - unsigned char *data; - unsigned int data_len; - extern unsigned char ssh1_key_digest[16]; /* in auth2-gss.c */ - - - debug("Calculating MD5 hash of server and host keys..."); - - /* Write all the keys to a temporary buffer */ - buffer_init(&buf); - - /* Server key */ - buffer_put_bignum(&buf, sensitive_data.server_key->rsa->e); - buffer_put_bignum(&buf, sensitive_data.server_key->rsa->n); - - /* Host key */ - buffer_put_bignum(&buf, sensitive_data.ssh1_host_key->rsa->e); - buffer_put_bignum(&buf, sensitive_data.ssh1_host_key->rsa->n); - - /* Get the resulting data */ - data = (unsigned char *) buffer_ptr(&buf); - data_len = buffer_len(&buf); - - /* And hash it */ - MD5_Init(&md5context); - MD5_Update(&md5context, data, data_len); - MD5_Final(ssh1_key_digest, &md5context); - - /* Clean up */ - buffer_clear(&buf); - buffer_free(&buf); - } -#endif /* GSSAPI */ - /* Destroy the private and public keys. No longer. */ destroy_sensitive_data(); -- 2.45.1
