| version 1.3.2.2, 2004/08/19 22:37:30 |
version 1.4, 2003/10/21 09:50:06 |
|
|
| extern ServerOptions options; |
extern ServerOptions options; |
| |
|
| static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); |
static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); |
| static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
|
| static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
| static void input_gssapi_errtok(int, u_int32_t, void *); |
static void input_gssapi_errtok(int, u_int32_t, void *); |
| |
|
|
|
| static int |
static int |
| userauth_gssapi(Authctxt *authctxt) |
userauth_gssapi(Authctxt *authctxt) |
| { |
{ |
| gss_OID_desc goid = {0, NULL}; |
gss_OID_desc oid = {0, NULL}; |
| Gssctxt *ctxt = NULL; |
Gssctxt *ctxt = NULL; |
| int mechs; |
int mechs; |
| gss_OID_set supported; |
gss_OID_set supported; |
|
|
| if (doid) |
if (doid) |
| xfree(doid); |
xfree(doid); |
| |
|
| present = 0; |
|
| doid = packet_get_string(&len); |
doid = packet_get_string(&len); |
| |
if (len <= 2) |
| |
packet_disconnect("Short OID received"); |
| |
|
| if (len > 2 && |
if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) { |
| doid[0] == SSH_GSS_OIDTYPE && |
logit("Mechanism OID received using the old encoding form"); |
| doid[1] == len - 2) { |
oid.elements = doid; |
| goid.elements = doid + 2; |
oid.length = len; |
| goid.length = len - 2; |
|
| gss_test_oid_set_member(&ms, &goid, supported, |
|
| &present); |
|
| } else { |
} else { |
| logit("Badly formed OID received"); |
oid.elements = doid + 2; |
| |
oid.length = len - 2; |
| } |
} |
| |
gss_test_oid_set_member(&ms, &oid, supported, &present); |
| } while (mechs > 0 && !present); |
} while (mechs > 0 && !present); |
| |
|
| gss_release_oid_set(&ms, &supported); |
gss_release_oid_set(&ms, &supported); |
|
|
| return (0); |
return (0); |
| } |
} |
| |
|
| if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { |
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &oid)))) { |
| xfree(doid); |
xfree(doid); |
| return (0); |
return (0); |
| } |
} |
|
|
| |
|
| packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); |
packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); |
| |
|
| /* Return the OID that we received */ |
/* Return OID in same format as we received it*/ |
| packet_put_string(doid, len); |
packet_put_string(doid, len); |
| |
|
| packet_send(); |
packet_send(); |
|
|
| Gssctxt *gssctxt; |
Gssctxt *gssctxt; |
| gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
| gss_buffer_desc recv_tok; |
gss_buffer_desc recv_tok; |
| OM_uint32 maj_status, min_status, flags; |
OM_uint32 maj_status, min_status; |
| u_int len; |
u_int len; |
| |
|
| if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) |
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) |
|
|
| packet_check_eom(); |
packet_check_eom(); |
| |
|
| maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, |
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, |
| &send_tok, &flags)); |
&send_tok, NULL)); |
| |
|
| xfree(recv_tok.value); |
xfree(recv_tok.value); |
| |
|
|
|
| } |
} |
| authctxt->postponed = 0; |
authctxt->postponed = 0; |
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
| userauth_finish(authctxt, 0, "gssapi-with-mic"); |
userauth_finish(authctxt, 0, "gssapi"); |
| } else { |
} else { |
| if (send_tok.length != 0) { |
if (send_tok.length != 0) { |
| packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); |
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); |
|
|
| } |
} |
| if (maj_status == GSS_S_COMPLETE) { |
if (maj_status == GSS_S_COMPLETE) { |
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
| if (flags & GSS_C_INTEG_FLAG) |
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, |
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, |
&input_gssapi_exchange_complete); |
| &input_gssapi_mic); |
|
| else |
|
| dispatch_set( |
|
| SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, |
|
| &input_gssapi_exchange_complete); |
|
| } |
} |
| } |
} |
| |
|
|
|
| gssctxt = authctxt->methoddata; |
gssctxt = authctxt->methoddata; |
| |
|
| /* |
/* |
| * We don't need to check the status, because we're only enabled in |
* We don't need to check the status, because the stored credentials |
| * the dispatcher once the exchange is complete |
* which userok uses are only populated once the context init step |
| |
* has returned complete. |
| */ |
*/ |
| |
|
| packet_check_eom(); |
packet_check_eom(); |
|
|
| authctxt->postponed = 0; |
authctxt->postponed = 0; |
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); |
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); |
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); |
|
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
| userauth_finish(authctxt, authenticated, "gssapi-with-mic"); |
userauth_finish(authctxt, authenticated, "gssapi"); |
| } |
} |
| |
|
| static void |
|
| input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
|
| { |
|
| Authctxt *authctxt = ctxt; |
|
| Gssctxt *gssctxt; |
|
| int authenticated = 0; |
|
| Buffer b; |
|
| gss_buffer_desc mic, gssbuf; |
|
| u_int len; |
|
| |
|
| if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) |
|
| fatal("No authentication or GSSAPI context"); |
|
| |
|
| gssctxt = authctxt->methoddata; |
|
| |
|
| mic.value = packet_get_string(&len); |
|
| mic.length = len; |
|
| |
|
| ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, |
|
| "gssapi-with-mic"); |
|
| |
|
| gssbuf.value = buffer_ptr(&b); |
|
| gssbuf.length = buffer_len(&b); |
|
| |
|
| if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
|
| authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); |
|
| else |
|
| logit("GSSAPI MIC check failed"); |
|
| |
|
| buffer_free(&b); |
|
| xfree(mic.value); |
|
| |
|
| authctxt->postponed = 0; |
|
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
|
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); |
|
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); |
|
| dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
|
| userauth_finish(authctxt, authenticated, "gssapi-with-mic"); |
|
| } |
|
| |
|
| Authmethod method_gssapi = { |
Authmethod method_gssapi = { |
| "gssapi-with-mic", |
"gssapi", |
| userauth_gssapi, |
userauth_gssapi, |
| &options.gss_authentication |
&options.gss_authentication |
| }; |
}; |
![[BACK]](/icons/back.gif){kind=icon}
Return to auth2-gss.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh