diff --git a/gss-serv.c b/gss-serv.c
|
|
index 5c0491cf1..e2c501d0c 100644
|
|
--- a/gss-serv.c
|
|
+++ b/gss-serv.c
|
|
@@ -509,6 +509,11 @@ ssh_gssapi_cleanup_creds(void)
|
|
int
|
|
ssh_gssapi_storecreds(void)
|
|
{
|
|
+ if (options.gss_deleg_creds == 0) {
|
|
+ debug_f("delegate credential is disabled, doing nothing");
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
|
return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
|
} else
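Review bot: The new guard at the top of `ssh_gssapi_storecreds` only skips the `storecreds` call, whereas the option is described in servconf.h (`accept delegated GSS credentials`) and in the sshd_config.5/sshd_config.0 hunks as accepting delegated credentials; as far as this hunk shows, a delegated credential the client already sent is presumably still held in `gssapi_client` and merely not stored, so either the wording should say the credential is not stored, or the disabled path should release the delegated credential before returning — confirm against the accept path, which is outside this hunk. A comment on the guard such as `/* Delegation itself happens during context setup; this only declines to store the delegated credential */` would make the intended scope explicit to the next maintainer. The debug message could name the option so the log is actionable, e.g. `debug_f("GSSAPIDelegateCredentials is disabled, not storing delegated credentials");`. The body of `ssh_gssapi_storecreds` continues past the end of the hunk.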
|
|
diff --git a/servconf.c b/servconf.c
|
|
index aab653244..02a9888c9 100644
|
|
--- a/servconf.c
|
|
+++ b/servconf.c
|
|
@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions *options)
|
|
options->gss_authentication=-1;
|
|
options->gss_keyex = -1;
|
|
options->gss_cleanup_creds = -1;
|
|
+ options->gss_deleg_creds = -1;
|
|
options->gss_strict_acceptor = -1;
|
|
options->gss_store_rekey = -1;
|
|
options->gss_kex_algorithms = NULL;
|
|
@@ -403,6 +404,8 @@ fill_default_server_options(ServerOptions *options)
|
|
options->gss_keyex = 0;
|
|
if (options->gss_cleanup_creds == -1)
|
|
options->gss_cleanup_creds = 1;
|
|
+ if (options->gss_deleg_creds == -1)
|
|
+ options->gss_deleg_creds = 1;
|
|
if (options->gss_strict_acceptor == -1)
|
|
options->gss_strict_acceptor = 1;
|
|
if (options->gss_store_rekey == -1)
|
|
@@ -598,7 +601,8 @@ typedef enum {
|
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
|
sPerSourcePenalties, sPerSourcePenaltyExemptList,
|
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
|
- sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
|
+ sGssAuthentication, sGssCleanupCreds, sGssDelegateCreds,
|
|
+ sGssEnablek5users, sGssStrictAcceptor,
|
|
sGssKeyEx, sGssIndicators, sGssKexAlgorithms, sGssStoreRekey,
|
|
sAcceptEnv, sSetEnv, sPermitTunnel,
|
|
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
|
@@ -690,6 +694,7 @@ static struct {
|
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
|
{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
|
|
+ { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_GLOBAL },
|
|
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
|
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
|
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
|
@@ -700,6 +705,7 @@ static struct {
|
|
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
|
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
|
{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
|
|
+ { "gssapidelegatecredentials", sUnsupported, SSHCFG_GLOBAL },
|
|
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
|
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
|
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
|
@@ -1713,6 +1719,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|
intptr = &options->gss_cleanup_creds;
|
|
goto parse_flag;
|
|
|
|
+ case sGssDelegateCreds:
|
|
+ intptr = &options->gss_deleg_creds;
|
|
+ goto parse_flag;
|
|
+
|
|
case sGssStrictAcceptor:
|
|
intptr = &options->gss_strict_acceptor;
|
|
goto parse_flag;
|
|
@@ -3359,6 +3369,7 @@ dump_config(ServerOptions *o)
|
|
#ifdef GSSAPI
|
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
|
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
|
+ dump_cfg_fmtint(sGssDelegateCreds, o->gss_deleg_creds);
|
|
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
|
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
|
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
|
diff --git a/servconf.h b/servconf.h
|
|
index 7c41df417..6bfdf6305 100644
|
|
--- a/servconf.h
|
|
+++ b/servconf.h
|
|
@@ -158,6 +158,7 @@ typedef struct {
|
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
|
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
|
+ int gss_deleg_creds; /* If true, accept delegated GSS credentials */
|
|
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
|
int gss_store_rekey;
|
|
char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
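Review bot: The field comment on `gss_deleg_creds` says `accept delegated GSS credentials`, but the only use of the field in this commit (the gss-serv.c hunk) gates storing of the credential, not acceptance; unless the accept path is also changed elsewhere, the comment should read `/* If true, store delegated GSS credentials */` so the struct documentation matches what sshd actually does. The sshd_config.5 hunk also uses `.CM yes .` where the neighbouring entry uses `.Cm yes .`, which mandoc will not render as the intended macro.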
|
|
diff --git a/sshd_config.0 b/sshd_config.0
|
|
index 49349bb30..e798f4df5 100644
|
|
--- a/sshd_config.0
|
|
+++ b/sshd_config.0
|
|
@@ -453,6 +453,9 @@ DESCRIPTION
|
|
Specifies whether to automatically destroy the user's credentials
|
|
cache on logout. The default is yes.
|
|
|
|
+ GSSAPIDelegateCredentials
|
|
+ Accept delegated credentials on the server side. The default is yes.
|
|
+
|
|
GSSAPIStrictAcceptorCheck
|
|
Determines whether to be strict about the identity of the GSSAPI
|
|
acceptor a client authenticates against. If set to yes then the
|
|
diff --git a/sshd_config.5 b/sshd_config.5
|
|
index 90ab87edd..8c677bfd0 100644
|
|
--- a/sshd_config.5
|
|
+++ b/sshd_config.5
|
|
@@ -733,6 +733,9 @@ Specifies whether to automatically destroy the user's credentials cache
|
|
on logout.
|
|
The default is
|
|
.Cm yes .
|
|
+.It Cm GSSAPIDelegateCredentials
|
|
+Accept delegated credentials on the server side. The default is
|
|
+.CM yes .
|
|
.It Cm GSSAPIEnablek5users
|
|
Specifies whether to look at .k5users file for GSSAPI authentication
|
|
access control. Further details are described in
|