rpms/openssh/devel openssh-5.2p1-gsskex-all-20090726.patch, NONE, 1.1 openssh-5.3p1-gsskex.patch, NONE, 1.1 openssh.spec, 1.178, 1.179
Jan F. Chadima
jfch2222 at fedoraproject.org
Fri Nov 20 15:06:47 UTC 2009
Author: jfch2222
Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5949
Modified Files:
openssh.spec
Added Files:
openssh-5.2p1-gsskex-all-20090726.patch
openssh-5.3p1-gsskex.patch
Log Message:
Add gssapi key exchange patch
openssh-5.2p1-gsskex-all-20090726.patch:
ChangeLog.gssapi | 95 +++++++++++++++
Makefile.in | 5
auth-krb5.c | 17 ++
auth.h | 1
auth2-gss.c | 50 +++++++-
auth2.c | 6
clientloop.c | 11 +
configure.ac | 24 +++
gss-genr.c | 276 ++++++++++++++++++++++++++++++++++++++++++++-
gss-serv-krb5.c | 84 ++++++++++++-
gss-serv.c | 220 +++++++++++++++++++++++++++++++-----
kex.c | 18 ++
kex.h | 14 ++
kexgssc.c | 334 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
kexgsss.c | 288 +++++++++++++++++++++++++++++++++++++++++++++++
key.c | 2
key.h | 1
monitor.c | 108 +++++++++++++++++
monitor.h | 2
monitor_wrap.c | 47 +++++++
monitor_wrap.h | 4
readconf.c | 35 +++++
readconf.h | 4
servconf.c | 31 ++++-
servconf.h | 3
ssh-gss.h | 39 +++++-
ssh_config | 2
ssh_config.5 | 29 ++++
sshconnect2.c | 117 ++++++++++++++++++-
sshd.c | 110 ++++++++++++++++++
sshd_config | 2
sshd_config.5 | 28 ++++
32 files changed, 1948 insertions(+), 59 deletions(-)
--- NEW FILE openssh-5.2p1-gsskex-all-20090726.patch ---
? .kex.h.swp
? .pc
? openssh-5.0p1-gsskex-20080404.patch
? openssh-5.0p1-gssrenew-20080707.patch
? openssh-5.2p1-gsskex-20090726.patch
? openssh-5.2p1-gsskex-all-20090726.patch
? patches
Index: ChangeLog.gssapi
===================================================================
RCS file: ChangeLog.gssapi
diff -N ChangeLog.gssapi
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ ChangeLog.gssapi 26 Jul 2009 12:21:52 -0000
@@ -0,0 +1,95 @@
+20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
+ sshd.c ]
+ Fix issues identified by Greg Hudson following a code review
+ Check return value of gss_indicate_mechs
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
+ Check return values of bignum functions in key exchange
+ Use BN_clear_free to clear other side's DH value
+ Make ssh_gssapi_id_kex more robust
+ Only configure kex table pointers if GSSAPI is enabled
+ Don't leak mechanism list, or gss mechanism list
+ Cast data.length before printing
+ If serverkey isn't provided, use an empty string, rather than NULL
+
+20090201
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
+ ssh_config.5 sshconnet2.c ]
+ Add support for the GSSAPIClientIdentity option, which allows the user
+ to specify which GSSAPI identity to use to contact a given server
+
+20080404
+ - [ gss-serv.c ]
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
+ been omitted from a previous version of this patch. Reported by Borislav
+ Stoichkov
+
+20070317
+ - [ gss-serv-krb5.c ]
+ Remove C99ism, where new_ccname was being declared in the middle of a
+ function
+
+20061220
+ - [ servconf.c ]
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
+ documented, behaviour. Reported by Dan Watson.
+
+20060910
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
+ ssh-gss.h ]
+ add support for gss-group14-sha1 key exchange mechanisms
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
+ acceptor principal checking on multi-homed machines.
+ <Bugzilla #928>
+ - [ sshd_config ssh_config ]
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
+ configuration files
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
+ Limit length of error messages displayed by client
+
+20060909
+ - [ gss-genr.c gss-serv.c ]
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
+ only, where they belong
+ <Bugzilla #1225>
+
+20060829
+ - [ gss-serv-krb5.c ]
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
+ variable
+
+20060828
+ - [ gss-genr.c ]
+ Avoid Heimdal context freeing problem
+ <Fixed upstream 20060829>
+
+20060818
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
+ Make sure that SPENGO is disabled
+ <Bugzilla #1218 - Fixed upstream 20060818>
+
+20060421
+ - [ gssgenr.c, sshconnect2.c ]
+ a few type changes (signed versus unsigned, int versus size_t) to
+ fix compiler errors/warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ kexgssc.c, sshconnect2.c ]
+ fix uninitialized variable warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ gssgenr.c ]
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
+ (from jbasney AT ncsa.uiuc.edu)
+ <Bugzilla #1220 >
+ - [ gss-serv-krb5.c ]
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
+ (from jbasney AT ncsa.uiuc.edu)
+ <Fixed upstream 20060304>
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
+ add client-side GssapiKeyExchange option
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ sshconnect2.c ]
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
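Review bot: several file names in the bracketed file lists are misspelled and will mislead anyone grepping the tree for them: "sshconnet2.c" (20090201), "kegsss.c" (20060910) and "gssgenr.c" (20060421) should be sshconnect2.c, kexgsss.c and gss-genr.c, and "SPENGO" (20060818) should be SPNEGO. The 20060421 entry "[ readconf.c, readconf.h, ssh_config.5, sshconnect2.c" is also missing its closing "]".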
Index: Makefile.in
===================================================================
RCS file: /cvs/openssh/Makefile.in,v
retrieving revision 1.298
diff -u -r1.298 Makefile.in
--- Makefile.in 5 Nov 2008 05:20:46 -0000 1.298
+++ Makefile.in 26 Jul 2009 12:21:53 -0000
@@ -71,7 +71,8 @@
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
- entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o
+ entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o \
+ kexgssc.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o
@@ -84,7 +85,7 @@
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o
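Review bot: style point on the SSHDOBJS continuation line: "kexgsss.o\" lacks the space before the backslash that every other continuation line in this list has; write "auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \". Note also that both kexgssc.o and kexgsss.o are linked unconditionally, so kexgssc.c and kexgsss.c must compile to empty objects when GSSAPI is not defined, the same way gss-genr.o and gss-serv.o already do.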
Index: auth-krb5.c
===================================================================
RCS file: /cvs/openssh/auth-krb5.c,v
retrieving revision 1.35
diff -u -r1.35 auth-krb5.c
--- auth-krb5.c 5 Aug 2006 02:39:39 -0000 1.35
+++ auth-krb5.c 26 Jul 2009 12:21:53 -0000
@@ -166,8 +166,13 @@
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
+ authctxt->krb5_ticket_file);
+#else
snprintf(authctxt->krb5_ccname, len, "FILE:%s",
authctxt->krb5_ticket_file);
+#endif
#ifdef USE_PAM
if (options.use_pam)
@@ -219,15 +224,22 @@
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret;
+ int ret;
char ccname[40];
mode_t old_umask;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
+ int tmpfd;
+#endif
ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ cctemplate, geteuid());
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
+#ifndef USE_CCAPI
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
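Review bot: under USE_CCAPI the template "API:krb5cc_%d" carries no unique suffix, so two concurrent ssh_krb5_cc_gen() calls with the same euid resolve to the same cache name, whereas the FILE: path keeps its mkstemp() XXXXXXXXXX suffix; if the CCAPI backend does not guarantee per-process isolation, add a pid or random component to the API: name as well. Also, old_umask is declared unconditionally but only used inside the #ifndef USE_CCAPI block, so CCAPI builds will get an unused-variable warning; move its declaration into the #else branch next to tmpfd.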
@@ -242,6 +254,7 @@
return errno;
}
close(tmpfd);
+#endif
return (krb5_cc_resolve(ctx, ccname, ccache));
}
Index: auth.h
===================================================================
RCS file: /cvs/openssh/auth.h,v
retrieving revision 1.80
diff -u -r1.80 auth.h
--- auth.h 5 Nov 2008 05:20:46 -0000 1.80
+++ auth.h 26 Jul 2009 12:21:53 -0000
@@ -53,6 +53,7 @@
int valid; /* user exists and is allowed to login */
int attempt;
[...2663 lines suppressed...]
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
+#ifndef GSSAPI
+ /* The GSSAPI key exchange can run without a host key */
if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
logit("Disabling protocol version 2. Could not load host key");
options.protocol &= ~SSH_PROTO_2;
}
+#endif
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
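Review bot: the #ifndef GSSAPI here turns a runtime decision into a compile-time one: any sshd built with GSSAPI support now keeps protocol 2 enabled with no host key loaded even when GSSAPIKeyExchange is left at its default of no, so the missing host key is only caught later, per connection, by the fatal("No supported key exchange algorithms") in the proposal hunk further down in this file rather than at startup. Suggest keeping the check and skipping it only when the option is actually on, e.g. "if (!options.gss_keyex && (options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key)" inside an #ifdef GSSAPI branch, so the comment "The GSSAPI key exchange can run without a host key" matches what the code does.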
@@ -1817,6 +1824,60 @@
/* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port);
+#ifdef USE_SECURITY_SESSION_API
+ /*
+ * Create a new security session for use by the new user login if
+ * the current session is the root session or we are not launched
+ * by inetd (eg: debugging mode or server mode). We do not
+ * necessarily need to create a session if we are launched from
+ * inetd because Panther xinetd will create a session for us.
+ *
+ * The only case where this logic will fail is if there is an
+ * inetd running in a non-root session which is not creating
+ * new sessions for us. Then all the users will end up in the
+ * same session (bad).
+ *
+ * When the client exits, the session will be destroyed for us
+ * automatically.
+ *
+ * We must create the session before any credentials are stored
+ * (including AFS pags, which happens a few lines below).
+ */
+ {
+ OSStatus err = 0;
+ SecuritySessionId sid = 0;
+ SessionAttributeBits sattrs = 0;
+
+ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
+ if (err)
+ error("SessionGetInfo() failed with error %.8X",
+ (unsigned) err);
+ else
+ debug("Current Session ID is %.8X / Session Attributes are %.8X",
+ (unsigned) sid, (unsigned) sattrs);
+
+ if (inetd_flag && !(sattrs & sessionIsRoot))
+ debug("Running in inetd mode in a non-root session... "
+ "assuming inetd created the session for us.");
+ else {
+ debug("Creating new security session...");
+ err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
+ if (err)
+ error("SessionCreate() failed with error %.8X",
+ (unsigned) err);
+
+ err = SessionGetInfo(callerSecuritySession, &sid,
+ &sattrs);
+ if (err)
+ error("SessionGetInfo() failed with error %.8X",
+ (unsigned) err);
+ else
+ debug("New Session ID is %.8X / Session Attributes are %.8X",
+ (unsigned) sid, (unsigned) sattrs);
+ }
+ }
+#endif
+
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
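Review bot: a SessionCreate() failure is only logged with error() and the code then carries on with SessionGetInfo() and the user login, which is exactly the "all the users will end up in the same session (bad)" case the comment warns about; if the security session matters, a failed create should be fatal() (or at least refuse the login) rather than a log line. This Mac OS X security-session block is also unrelated to GSSAPI key exchange and would be easier to review and carry forward as its own patch.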
@@ -2194,12 +2255,61 @@
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
+#ifdef GSSAPI
+ {
+ char *orig;
+ char *gss = NULL;
+ char *newstr = NULL;
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ /*
+ * If we don't have a host key, then there's no point advertising
+ * the other key exchange algorithms
+ */
+
+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
+ orig = NULL;
+
+ if (options.gss_keyex)
+ gss = ssh_gssapi_server_mechanisms();
+ else
+ gss = NULL;
+
+ if (gss && orig)
+ xasprintf(&newstr, "%s,%s", gss, orig);
+ else if (gss)
+ newstr = gss;
+ else if (orig)
+ newstr = orig;
+
+ /*
+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
+ * key alg, but we can't tell people about it unless its the only
+ * host key algorithm we support
+ */
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+ if (newstr)
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
+ else
+ fatal("No supported key exchange algorithms");
+ }
+#endif
+
/* start key exchange */
kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+ }
+#endif
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
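Review bot: the string returned by ssh_gssapi_server_mechanisms() is never freed once xasprintf() has copied it into newstr (the "gss && orig" branch), so the gss pointer should be xfree()d after the concatenation; sshd runs this once per forked connection so the leak is bounded, but it is still a leak. Minor readability point: "if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)" parenthesises strlen() oddly; "if (gss && strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)" matches the earlier check in the same block.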
Index: sshd_config
===================================================================
RCS file: /cvs/openssh/sshd_config,v
retrieving revision 1.82
diff -u -r1.82 sshd_config
--- sshd_config 2 Jul 2008 12:35:43 -0000 1.82
+++ sshd_config 26 Jul 2009 12:22:19 -0000
@@ -73,6 +73,8 @@
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
Index: sshd_config.5
===================================================================
RCS file: /cvs/openssh/sshd_config.5,v
retrieving revision 1.108
diff -u -r1.108 sshd_config.5
--- sshd_config.5 23 Feb 2009 00:00:24 -0000 1.108
+++ sshd_config.5 26 Jul 2009 12:22:20 -0000
@@ -374,12 +374,40 @@
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If
+.Dq no
+then the client may authenticate against any service key stored in the
+machine's default store. This facility is provided to assist with operation
+on multi homed machines.
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
+.Dq no .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
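Review bot: documentation nits in the new entries: "can be used to accepted renewed" should read "can be used to accept renewed"; "multi homed" should be "multi-homed" (the ChangeLog uses the hyphenated form); and the GSSAPIKeyExchange text says the exchange "doesn't rely on ssh keys to verify host identity" without saying what verifies it instead, so add that host identity is established through the GSSAPI mechanism against the host service that the GSSAPIStrictAcceptorCheck entry describes, so administrators know which trust they are substituting. GSSAPIStoreCredentialsOnRekey is documented here but, unlike GSSAPIStrictAcceptorCheck and GSSAPIKeyExchange, is not added to the sample sshd_config.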
openssh-5.3p1-gsskex.patch:
ChangeLog.gssapi | 95 +++++++++++++++
Makefile.in | 5
auth-krb5.c | 17 ++
auth.h | 1
auth2-gss.c | 50 +++++++-
auth2.c | 6
clientloop.c | 11 +
configure.ac | 24 +++
gss-genr.c | 274 ++++++++++++++++++++++++++++++++++++++++++++-
gss-serv-krb5.c | 84 ++++++++++++-
gss-serv.c | 220 +++++++++++++++++++++++++++++++-----
kex.c | 18 ++
kex.h | 14 ++
kexgssc.c | 334 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
kexgsss.c | 288 +++++++++++++++++++++++++++++++++++++++++++++++
key.c | 2
key.h | 1
monitor.c | 108 +++++++++++++++++
monitor.h | 2
monitor_wrap.c | 47 +++++++
monitor_wrap.h | 4
readconf.c | 35 +++++
readconf.h | 4
servconf.c | 31 ++++-
servconf.h | 3
ssh-gss.h | 39 +++++-
ssh_config | 2
ssh_config.5 | 29 ++++
sshconnect2.c | 119 ++++++++++++++++++-
sshd.c | 110 ++++++++++++++++++
sshd_config | 2
sshd_config.5 | 28 ++++
32 files changed, 1949 insertions(+), 58 deletions(-)
--- NEW FILE openssh-5.3p1-gsskex.patch ---
diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
--- openssh-5.3p1/auth2.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth2.c 2009-11-20 14:39:04.000000000 +0100
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
+extern Authmethod method_gsskeyex;
extern Authmethod method_gssapi;
#endif
#ifdef JPAKE
@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
&method_none,
&method_pubkey,
#ifdef GSSAPI
+ &method_gsskeyex,
&method_gssapi,
#endif
#ifdef JPAKE
@@ -289,6 +291,7 @@ input_userauth_request(int type, u_int32
#endif
authctxt->postponed = 0;
+ authctxt->server_caused_failure = 0;
/* try to authenticate user */
m = authmethod_lookup(method);
@@ -361,7 +364,8 @@ userauth_finish(Authctxt *authctxt, int
} else {
/* Allow initial try of "none" auth without failure penalty */
- if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+ if (!authctxt->server_caused_failure &&
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
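Review bot: the new server_caused_failure flag exempts a request from the failures counter whenever the server could not handle the requested GSSAPI mechanism, so such requests never count toward max_authtries; the flag is reset on every request, so this is per request rather than once per connection. Confirm this is intended and that the LoginGraceTime alarm is what bounds a client that keeps sending unsupported-mechanism requests, and consider documenting that in a comment next to the check so the exemption is not later widened to other methods by accident.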
diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
--- openssh-5.3p1/auth2-gss.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth2-gss.c 2009-11-20 14:39:04.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *);
+/*
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(Authctxt *authctxt)
+{
+ int authenticated = 0;
+ Buffer b;
+ gss_buffer_desc mic, gssbuf;
+ u_int len;
+
+ mic.value = packet_get_string(&len);
+ mic.length = len;
+
+ packet_check_eom();
+
+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+ "gssapi-keyex");
+
+ gssbuf.value = buffer_ptr(&b);
+ gssbuf.length = buffer_len(&b);
+
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
+ &gssbuf, &mic))))
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+ authctxt->pw));
+
+ buffer_free(&b);
+ xfree(mic.value);
+
+ return (authenticated);
+}
+
/*
* We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
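Review bot: userauth_gsskeyex() relies entirely on the monitor to reject the MIC when no GSSAPI key exchange took place, since the comment says gss_kex_context is NULL with privsep and cannot be checked here; make sure the monitor-side ssh_gssapi_checkmic handler refuses a NULL context and is only enabled after a gss-* key exchange completed (the ChangeLog's "Protect GSSAPI calls in monitor" entry is what should guarantee this), otherwise the MIC would be verified against no context at all. Without privsep the same call dereferences gss_kex_context directly, so "if (gss_kex_context == NULL) return 0;" before the PRIVSEP() call is cheap and fails closed on both paths.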
@@ -102,6 +136,7 @@ userauth_gssapi(Authctxt *authctxt)
if (!present) {
xfree(doid);
+ authctxt->server_caused_failure = 1;
return (0);
}
@@ -109,6 +144,7 @@ userauth_gssapi(Authctxt *authctxt)
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
xfree(doid);
+ authctxt->server_caused_failure = 1;
return (0);
}
@@ -242,7 +278,8 @@ input_gssapi_exchange_complete(int type,
packet_check_eom();
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+ authctxt->pw));
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -284,7 +321,8 @@ input_gssapi_mic(int type, u_int32_t ple
gssbuf.length = buffer_len(&b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ authenticated =
+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
else
logit("GSSAPI MIC check failed");
@@ -301,6 +339,12 @@ input_gssapi_mic(int type, u_int32_t ple
userauth_finish(authctxt, authenticated, "gssapi-with-mic");
}
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
+
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
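Review bot: method_gsskeyex is enabled by &options.gss_authentication alone, so "gssapi-keyex" is offered to clients whenever GSSAPIAuthentication is yes, even with GSSAPIKeyExchange no, when no gss_kex_context can exist; the method is then safe only because the MIC check in userauth_gsskeyex() fails closed. Consider gating it on both options (or on gss_kex_context != NULL in the non-privsep case) so the advertised method list matches what the server can actually verify.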
diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
--- openssh-5.3p1/auth.h.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth.h 2009-11-20 14:39:04.000000000 +0100
@@ -53,6 +53,7 @@ struct Authctxt {
int valid; /* user exists and is allowed to login */
int attempt;
int failures;
+ int server_caused_failure;
int force_pwchange;
char *user; /* username sent by the client */
char *service;
diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
--- openssh-5.3p1/auth-krb5.c.gsskex 2006-08-05 04:39:39.000000000 +0200
+++ openssh-5.3p1/auth-krb5.c 2009-11-20 14:39:04.000000000 +0100
@@ -166,8 +166,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
+ authctxt->krb5_ticket_file);
+#else
snprintf(authctxt->krb5_ccname, len, "FILE:%s",
authctxt->krb5_ticket_file);
+#endif
#ifdef USE_PAM
if (options.use_pam)
@@ -219,15 +224,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret;
+ int ret;
char ccname[40];
mode_t old_umask;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
+ int tmpfd;
+#endif
ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ cctemplate, geteuid());
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
+#ifndef USE_CCAPI
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
@@ -242,6 +254,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
return errno;
}
close(tmpfd);
+#endif
return (krb5_cc_resolve(ctx, ccname, ccache));
[...2530 lines suppressed...]
+
+ if (options.gss_keyex)
+ gss = ssh_gssapi_server_mechanisms();
+ else
+ gss = NULL;
+
+ if (gss && orig)
+ xasprintf(&newstr, "%s,%s", gss, orig);
+ else if (gss)
+ newstr = gss;
+ else if (orig)
+ newstr = orig;
+
+ /*
+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
+ * key alg, but we can't tell people about it unless its the only
+ * host key algorithm we support
+ */
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+ if (newstr)
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
+ else
+ fatal("No supported key exchange algorithms");
+ }
+#endif
+
/* start key exchange */
kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+ }
+#endif
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
--- openssh-5.3p1/sshd_config.5.gsskex 2009-11-20 14:39:03.000000000 +0100
+++ openssh-5.3p1/sshd_config.5 2009-11-20 14:39:06.000000000 +0100
@@ -379,12 +379,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If
+.Dq no
+then the client may authenticate against any service key stored in the
+machine's default store. This facility is provided to assist with operation
+on multi homed machines.
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
+.Dq no .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
--- openssh-5.3p1/sshd_config.gsskex 2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.3p1/sshd_config 2009-11-20 14:54:30.000000000 +0100
@@ -80,6 +80,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-5.3p1/ssh-gss.h.gsskex openssh-5.3p1/ssh-gss.h
--- openssh-5.3p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.3p1/ssh-gss.h 2009-11-20 14:39:06.000000000 +0100
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -60,10 +60,22 @@
#define SSH_GSS_OIDTYPE 0x06
+#define SSH2_MSG_KEXGSS_INIT 30
+#define SSH2_MSG_KEXGSS_CONTINUE 31
+#define SSH2_MSG_KEXGSS_COMPLETE 32
+#define SSH2_MSG_KEXGSS_HOSTKEY 33
+#define SSH2_MSG_KEXGSS_ERROR 34
+#define SSH2_MSG_KEXGSS_GROUPREQ 40
+#define SSH2_MSG_KEXGSS_GROUP 41
+#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
+#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
+#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
+
typedef struct {
char *filename;
char *envvar;
char *envval;
+ struct passwd *owner;
void *data;
} ssh_gssapi_ccache;
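Review bot: SSH2_MSG_KEXGSS_INIT through SSH2_MSG_KEXGSS_ERROR (30 to 34) and the GROUPREQ/GROUP pair (40, 41) sit in the per-method key exchange message range that the existing SSH2_MSG_KEXDH_* and SSH2_MSG_KEX_DH_GEX_* numbers already occupy; that is how SSH allocates kex-specific messages, but a one-line comment here saying these values are only valid after a gss-* method has been negotiated (and that the handlers must be dispatch_set only then) would save the next reader from assuming a collision.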
@@ -71,8 +83,11 @@ typedef struct {
gss_buffer_desc displayname;
gss_buffer_desc exportedname;
gss_cred_id_t creds;
+ gss_name_t name;
struct ssh_gssapi_mech_struct *mech;
ssh_gssapi_ccache store;
+ int used;
+ int updated;
} ssh_gssapi_client;
typedef struct ssh_gssapi_mech_struct {
@@ -83,6 +98,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
void (*storecreds) (ssh_gssapi_client *);
+ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
typedef struct {
@@ -93,10 +109,11 @@ typedef struct {
gss_OID oid; /* client */
gss_cred_id_t creds; /* server */
gss_name_t client; /* server */
- gss_cred_id_t client_creds; /* server */
+ gss_cred_id_t client_creds; /* both */
} Gssctxt;
extern ssh_gssapi_mech *supported_mechs[];
+extern Gssctxt *gss_kex_context;
int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
@@ -116,16 +133,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
+int ssh_gssapi_credentials_updated(Gssctxt *);
/* In the server */
+typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
+ const char *);
+char *ssh_gssapi_client_mechanisms(const char *, const char *);
+char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
+ const char *);
+gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
+int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
+ const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name);
+int ssh_gssapi_userok(char *name, struct passwd *);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
void ssh_gssapi_storecreds(void);
+char *ssh_gssapi_server_mechanisms(void);
+int ssh_gssapi_oid_table_ok();
+
+int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
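Review bot: "int ssh_gssapi_oid_table_ok();" is the only prototype in this header with an empty parameter list; in C that declares a function taking unspecified arguments rather than none, so write "int ssh_gssapi_oid_table_ok(void);" like the neighbouring ssh_gssapi_server_mechanisms(void). Minor: "ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *," is missing the space after the first comma.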
Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.178
retrieving revision 1.179
diff -u -p -r1.178 -r1.179
--- openssh.spec 20 Nov 2009 10:51:18 -0000 1.178
+++ openssh.spec 20 Nov 2009 15:06:47 -0000 1.179
@@ -69,7 +69,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.3p1
-Release: 8%{?dist}%{?rescue_rel}
+Release: 9%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#URL1: http://pamsshauth.sourceforge.net
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -108,6 +108,7 @@ Patch65: openssh-5.3p1-fips.patch
Patch69: openssh-5.3p1-selabel.patch
Patch71: openssh-5.2p1-edns.patch
Patch72: openssh-5.3p1-pka.patch
+Patch73: openssh-5.3p1-gsskex.patch
License: BSD
Group: Applications/Internet
@@ -264,6 +265,7 @@ popd
%patch69 -p1 -b .selabel
%patch71 -p1 -b .edns
%patch72 -p1 -b .pka
+%patch73 -p1 -b .gsskex
autoreconf
@@ -524,6 +526,9 @@ fi
%changelog
* Fri Nov 20 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-8
+- Add gssapi key exchange patch (#455351)
+
+* Fri Nov 20 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-8
- Add public key agent patch (#455350)
* Mon Nov 2 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-7
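Review bot: the %changelog entry is filed under the wrong version: Release was bumped from 8 to 9 in the first hunk, but the new "Add gssapi key exchange patch (#455351)" line is inserted beneath the existing "5.3p1-8" header and a second, duplicate "5.3p1-8" header is added above the public key agent entry. The first header should read "- 5.3p1-9" so the rpm changelog matches the built release.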