summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2015-05-22 03:50:03 +0000
committerDamien Miller <djm@cvs.openbsd.org>2015-05-22 03:50:03 +0000
commit455fc6dd5ea91424947a57d7aa5a894be1335c80 (patch)
treeef2a20cce600ff7fb3911d9316122020fde2473f /usr.bin
parent7f4ef076ce321d1a89e624489073645fe11fa385 (diff)
add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD)
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/gss-serv.c40
-rw-r--r--usr.bin/ssh/servconf.c14
-rw-r--r--usr.bin/ssh/servconf.h3
-rw-r--r--usr.bin/ssh/sshd_config.519
4 files changed, 56 insertions, 20 deletions
diff --git a/usr.bin/ssh/gss-serv.c b/usr.bin/ssh/gss-serv.c
index ffe41c8d6d0..f26db425964 100644
--- a/usr.bin/ssh/gss-serv.c
+++ b/usr.bin/ssh/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -40,9 +40,12 @@
#include "channels.h"
#include "session.h"
#include "misc.h"
+#include "servconf.h"
#include "ssh-gss.h"
+extern ServerOptions options;
+
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
@@ -95,25 +98,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
char lname[NI_MAXHOST];
gss_OID_set oidset;
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
+ if (options.gss_strict_acceptor) {
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
- if (gethostname(lname, sizeof(lname))) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
+ if (gethostname(lname, MAXHOSTNAMELEN)) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
+
+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ gss_release_oid_set(&status, &oidset);
+ return (ctx->major);
+ }
+
+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
+ NULL, NULL)))
+ ssh_gssapi_error(ctx);
- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
+ } else {
+ ctx->name = GSS_C_NO_NAME;
+ ctx->creds = GSS_C_NO_CREDENTIAL;
}
-
- if ((ctx->major = gss_acquire_cred(&ctx->minor,
- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
- ssh_gssapi_error(ctx);
-
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
+ return GSS_S_COMPLETE;
}
/* Privileged */
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index d64ba6b7533..ea254b06e60 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.270 2015/05/21 06:43:30 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.271 2015/05/22 03:50:02 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -107,6 +107,7 @@ initialize_server_options(ServerOptions *options)
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_cleanup_creds = -1;
+ options->gss_strict_acceptor = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -260,6 +261,8 @@ fill_default_server_options(ServerOptions *options)
options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -368,7 +371,8 @@ typedef enum {
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
@@ -428,9 +432,11 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -1165,6 +1171,10 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->gss_cleanup_creds;
goto parse_flag;
+ case sGssStrictAcceptor:
+ intptr = &options->gss_strict_acceptor;
+ goto parse_flag;
+
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 4c4867b010e..0b72d492ae2 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.118 2015/05/21 06:43:31 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -118,6 +118,7 @@ typedef struct {
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 507a8bf3354..72403e53e8d 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $
-.Dd $Mdocdate: May 21 2015 $
+.\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $
+.Dd $Mdocdate: May 22 2015 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -623,6 +623,21 @@ on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor
+a client authenticates against.
+If set to
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname.
+If set to
+.Dq no
+then the client may authenticate against any service key stored in the
+machine's default store.
+This facility is provided to assist with operation on multi homed machines.
+The default is
+.Dq yes .
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list.