diff options
| author |   djm <djm@openbsd.org> | 2015-05-22 03:50:02 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2015-05-22 03:50:02 +0000 |
| commit | 31ac6ab23fefb113ffff194975f5da386c4fd95f (patch) | |
| tree | b674db19f084a81385f9796c820c45a9c390479f /usr.bin/ssh/gss-serv.c | |
| parent | Update DH groups (diff) | |
| download | wireguard-openbsd-31ac6ab23fefb113ffff194975f5da386c4fd95f.tar.xz wireguard-openbsd-31ac6ab23fefb113ffff194975f5da386c4fd95f.zip | |
add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)
Diffstat (limited to 'usr.bin/ssh/gss-serv.c')
| -rw-r--r-- | usr.bin/ssh/gss-serv.c | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/usr.bin/ssh/gss-serv.c b/usr.bin/ssh/gss-serv.c index ffe41c8d6d0..f26db425964 100644 --- a/usr.bin/ssh/gss-serv.c +++ b/usr.bin/ssh/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -40,9 +40,12 @@ #include "channels.h" #include "session.h" #include "misc.h" +#include "servconf.h" #include "ssh-gss.h" +extern ServerOptions options; + static ssh_gssapi_client gssapi_client = { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; @@ -95,25 +98,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) char lname[NI_MAXHOST]; gss_OID_set oidset; - gss_create_empty_oid_set(&status, &oidset); - gss_add_oid_set_member(&status, ctx->oid, &oidset); + if (options.gss_strict_acceptor) { + gss_create_empty_oid_set(&status, &oidset); + gss_add_oid_set_member(&status, ctx->oid, &oidset); - if (gethostname(lname, sizeof(lname))) { - gss_release_oid_set(&status, &oidset); - return (-1); - } + if (gethostname(lname, MAXHOSTNAMELEN)) { + gss_release_oid_set(&status, &oidset); + return (-1); + } + + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + gss_release_oid_set(&status, &oidset); + return (ctx->major); + } + + if ((ctx->major = gss_acquire_cred(&ctx->minor, + ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, + NULL, NULL))) + ssh_gssapi_error(ctx); - if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { gss_release_oid_set(&status, &oidset); return (ctx->major); + } else { + ctx->name = GSS_C_NO_NAME; + ctx->creds = GSS_C_NO_CREDENTIAL; } - - if ((ctx->major = gss_acquire_cred(&ctx->minor, - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) - ssh_gssapi_error(ctx); - - gss_release_oid_set(&status, &oidset); - return (ctx->major); + return GSS_S_COMPLETE; } /* Privileged */ |