Dump missing GSS options from client configuration

This commit is contained in:
Jakub Jelen 2018-11-14 09:44:48 +01:00
parent 03264b16f7
commit 3ae9c1b0c1
2 changed files with 47 additions and 38 deletions

View File

@ -223,10 +223,19 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h
--- openssh-7.0p1/readconf.h.gsskexalg 2015-08-19 12:28:38.026518955 +0200
+++ openssh-7.0p1/readconf.h 2015-08-19 12:28:38.079518836 +0200
@@ -51,6 +51,7 @@ typedef struct {
@@ -2651,6 +2671,8 @@ dump_client_config(Options *o, const cha
dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
dump_cfg_string(oGssServerIdentity, o->gss_client_identity);
dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
+ dump_cfg_string(oKexAlgorithms, o->gss_kex_algorithms ?
+ o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
#endif /* GSSAPI */
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
diff -up openssh-7.9p1/readconf.h.gsskexalg openssh-7.9p1/readconf.h
--- openssh-7.9p1/readconf.h.gsskexalg 2018-11-14 09:20:06.616350574 +0100
+++ openssh-7.9p1/readconf.h 2018-11-14 09:20:06.647350828 +0100
@@ -46,6 +46,7 @@ typedef struct {
int gss_renewal_rekey; /* Credential renewal forces rekey */
char *gss_client_identity; /* Principal to initiate GSSAPI with */
char *gss_server_identity; /* GSSAPI target principal */

View File

@ -2069,9 +2069,22 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh/readconf.h.gsskex openssh/readconf.h
--- openssh/readconf.h.gsskex 2018-08-20 07:57:29.000000000 +0200
+++ openssh/readconf.h 2018-08-22 11:47:33.314216481 +0200
@@ -2603,7 +2645,12 @@ dump_client_config(Options *o, const cha
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
+ dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
+ dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
+ dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
+ dump_cfg_string(oGssServerIdentity, o->gss_client_identity);
+ dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
#endif /* GSSAPI */
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
diff -up openssh-7.9p1/readconf.h.gsskex openssh-7.9p1/readconf.h
--- openssh-7.9p1/readconf.h.gsskex 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/readconf.h 2018-11-14 09:14:06.277379857 +0100
@@ -40,7 +40,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@ -2468,7 +2481,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal("%s: kex_names_cat", __func__);
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
@@ -194,6 +337,17 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -194,6 +339,16 @@ ssh_kex2(char *host, struct sockaddr *ho
order_hostkeyalgs(host, hostaddr, port));
}
@ -2479,14 +2492,13 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "%s,null", orig);
+ free(gss);
+ }
+#endif
+
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits(options.rekey_limit,
options.rekey_interval);
@@ -214,11 +368,31 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -214,16 +369,46 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
# endif
#endif
@ -2518,7 +2530,22 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
/* remove ext-info from the KEX proposals for rekeying */
@@ -314,6 +488,7 @@ int input_gssapi_token(int type, u_int32
myproposal[PROPOSAL_KEX_ALGS] =
compat_kex_proposal(options.kex_algorithms);
+#ifdef GSSAPI
+ /* repair myproposal after it was crumpled by the */
+ /* ext-info removal above */
+ if (gss) {
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+ "%s,%s", gss, orig);
+ free(gss);
+ }
+#endif
if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
fatal("kex_prop2buf: %s", ssh_err(r));
@@ -314,6 +499,7 @@ int input_gssapi_token(int type, u_int32
int input_gssapi_hash(int type, u_int32_t, struct ssh *);
int input_gssapi_error(int, u_int32_t, struct ssh *);
int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@ -2875,31 +2902,4 @@ diff -up openssh/sshkey.h.gsskex openssh/sshkey.h
+ KEY_NULL,
KEY_UNSPEC
};
--- openssh/sshconnect2.c.orig 2017-01-04 19:47:10.000000000 +0100
+++ openssh/sshconnect2.c 2017-01-05 04:13:08.977425272 +0100
@@ -344,7 +344,6 @@
orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
"%s,null", orig);
- free(gss);
}
#endif
@@ -398,6 +397,16 @@
/* remove ext-info from the KEX proposals for rekeying */
myproposal[PROPOSAL_KEX_ALGS] =
compat_kex_proposal(options.kex_algorithms);
+#ifdef GSSAPI
+ /* repair myproposal after it was crumpled by the */
+ /* ext-info removal above */
+ if (gss) {
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+ "%s,%s", gss, orig);
+ free(gss);
+ }
+#endif
if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
fatal("kex_prop2buf: %s", ssh_err(r));