| Index: gss-serv.c |
| =================================================================== |
| RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v |
| retrieving revision 1.22 |
| diff -u -p -r1.22 gss-serv.c |
| --- gss-serv.c 8 May 2008 12:02:23 -0000 1.22 |
| +++ gss-serv.c 11 Jan 2010 05:38:29 -0000 |
| @@ -41,9 +41,12 @@ |
| #include "channels.h" |
| #include "session.h" |
| #include "misc.h" |
| +#include "servconf.h" |
| |
| #include "ssh-gss.h" |
| |
| +extern ServerOptions options; |
| + |
| static ssh_gssapi_client gssapi_client = |
| { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
| GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; |
| @@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) |
| char lname[MAXHOSTNAMELEN]; |
| gss_OID_set oidset; |
| |
| - gss_create_empty_oid_set(&status, &oidset); |
| - gss_add_oid_set_member(&status, ctx->oid, &oidset); |
| - |
| - if (gethostname(lname, MAXHOSTNAMELEN)) { |
| - gss_release_oid_set(&status, &oidset); |
| - return (-1); |
| - } |
| + if (options.gss_strict_acceptor) { |
| + gss_create_empty_oid_set(&status, &oidset); |
| + gss_add_oid_set_member(&status, ctx->oid, &oidset); |
| + |
| + if (gethostname(lname, MAXHOSTNAMELEN)) { |
| + gss_release_oid_set(&status, &oidset); |
| + return (-1); |
| + } |
| + |
| + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { |
| + gss_release_oid_set(&status, &oidset); |
| + return (ctx->major); |
| + } |
| + |
| + if ((ctx->major = gss_acquire_cred(&ctx->minor, |
| + ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, |
| + NULL, NULL))) |
| + ssh_gssapi_error(ctx); |
| |
| - if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { |
| gss_release_oid_set(&status, &oidset); |
| return (ctx->major); |
| + } else { |
| + ctx->name = GSS_C_NO_NAME; |
| + ctx->creds = GSS_C_NO_CREDENTIAL; |
| } |
| - |
| - if ((ctx->major = gss_acquire_cred(&ctx->minor, |
| - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) |
| - ssh_gssapi_error(ctx); |
| - |
| - gss_release_oid_set(&status, &oidset); |
| - return (ctx->major); |
| + return GSS_S_COMPLETE; |
| } |
| |
| /* Privileged */ |
| Index: servconf.c |
| =================================================================== |
| RCS file: /cvs/src/usr.bin/ssh/servconf.c,v |
| retrieving revision 1.201 |
| diff -u -p -r1.201 servconf.c |
| --- servconf.c 10 Jan 2010 03:51:17 -0000 1.201 |
| +++ servconf.c 11 Jan 2010 05:34:56 -0000 |
| @@ -86,6 +86,7 @@ initialize_server_options(ServerOptions |
| options->kerberos_get_afs_token = -1; |
| options->gss_authentication=-1; |
| options->gss_cleanup_creds = -1; |
| + options->gss_strict_acceptor = -1; |
| options->password_authentication = -1; |
| options->kbd_interactive_authentication = -1; |
| options->challenge_response_authentication = -1; |
| @@ -200,6 +201,8 @@ fill_default_server_options(ServerOption |
| options->gss_authentication = 0; |
| if (options->gss_cleanup_creds == -1) |
| options->gss_cleanup_creds = 1; |
| + if (options->gss_strict_acceptor == -1) |
| + options->gss_strict_acceptor = 0; |
| if (options->password_authentication == -1) |
| options->password_authentication = 1; |
| if (options->kbd_interactive_authentication == -1) |
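Review bot: The compiled-in default here is `options->gss_strict_acceptor = 0;`, but the shipped sshd_config comment and the sshd_config.5 text in this same patch both state the default is `yes`; one of them is wrong, and since the non-strict mode is the permissive one (any service principal in the default keytab is accepted, per the man page text), defaulting to `0` silently loosens the acceptor check for every deployment that does not set the option. Unless the relaxed behaviour is intended as the default, this line should read `options->gss_strict_acceptor = 1;` so code and documentation agree and the strict check remains opt-out rather than opt-in. If the permissive default is intentional, the man page, the sample config and this header comment need to say `no` instead.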
| @@ -277,7 +280,8 @@ typedef enum { |
| sBanner, sUseDNS, sHostbasedAuthentication, |
| sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
| sClientAliveCountMax, sAuthorizedKeysFile, |
| - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, |
| + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
| + sAcceptEnv, sPermitTunnel, |
| sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
| sUsePrivilegeSeparation, sAllowAgentForwarding, |
| sZeroKnowledgePasswordAuthentication, sHostCertificate, |
| @@ -327,9 +331,11 @@ static struct { |
| #ifdef GSSAPI |
| { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
| { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
| + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, |
| #else |
| { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
| { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
| + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
| #endif |
| { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
| { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
| @@ -850,6 +856,10 @@ process_server_config_line(ServerOptions |
| |
| case sGssCleanupCreds: |
| intptr = &options->gss_cleanup_creds; |
| + goto parse_flag; |
| + |
| + case sGssStrictAcceptor: |
| + intptr = &options->gss_strict_acceptor; |
| goto parse_flag; |
| |
| case sPasswordAuthentication: |
| Index: servconf.h |
| =================================================================== |
| RCS file: /cvs/src/usr.bin/ssh/servconf.h,v |
| retrieving revision 1.89 |
| diff -u -p -r1.89 servconf.h |
| --- servconf.h 9 Jan 2010 23:04:13 -0000 1.89 |
| +++ servconf.h 11 Jan 2010 05:32:28 -0000 |
| @@ -92,6 +92,7 @@ typedef struct { |
| * authenticated with Kerberos. */ |
| int gss_authentication; /* If true, permit GSSAPI authentication */ |
| int gss_cleanup_creds; /* If true, destroy cred cache on logout */ |
| + int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ |
| int password_authentication; /* If true, permit password |
| * authentication. */ |
| int kbd_interactive_authentication; /* If true, permit */ |
| Index: sshd_config |
| =================================================================== |
| RCS file: /cvs/src/usr.bin/ssh/sshd_config,v |
| retrieving revision 1.81 |
| diff -u -p -r1.81 sshd_config |
| --- sshd_config 8 Oct 2009 14:03:41 -0000 1.81 |
| +++ sshd_config 11 Jan 2010 05:32:28 -0000 |
| @@ -69,6 +69,7 @@ |
| # GSSAPI options |
| #GSSAPIAuthentication no |
| #GSSAPICleanupCredentials yes |
| +#GSSAPIStrictAcceptorCheck yes |
| |
| # Set this to 'yes' to enable PAM authentication, account processing, |
| # and session processing. If this is enabled, PAM authentication will |
| Index: sshd_config.5 |
| =================================================================== |
| RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v |
| retrieving revision 1.116 |
| diff -u -p -r1.116 sshd_config.5 |
| --- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116 |
| +++ sshd_config.5 11 Jan 2010 05:37:20 -0000 |
| @@ -386,6 +386,21 @@ on logout. |
| The default is |
| .Dq yes . |
| Note that this option applies to protocol version 2 only. |
| +.It Cm GSSAPIStrictAcceptorCheck |
| +Determines whether to be strict about the identity of the GSSAPI acceptor |
| +a client authenticates against. |
| +If set to |
| +.Dq yes |
| +then the client must authenticate against the |
| +.Pa host |
| +service on the current hostname. |
| +If set to |
| +.Dq no |
| +then the client may authenticate against any service key stored in the |
| +machine's default store. |
| +This facility is provided to assist with operation on multi homed machines. |
| +The default is |
| +.Dq yes . |
| .It Cm HostbasedAuthentication |
| Specifies whether rhosts or /etc/hosts.equiv authentication together |
| with successful public key client host authentication is allowed |