@giffels
Last active September 29, 2016 08:18
Patch for openssh version 7.3p1 to enable GSSAPITrustDNS option
commit 2d9b2ea3384842cf3f2f2c9c4b5b61540e9a1a53
Author: Manuel Giffels <giffels@gmail.com>
Date: Tue Sep 27 14:06:05 2016 +0200
GSSAPITrustDNS Patch
diff --git a/readconf.c b/readconf.c
index c177202..bab01ff 100644
--- a/readconf.c
+++ b/readconf.c
@@ -159,7 +159,7 @@ typedef enum {
oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -206,9 +206,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported},
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
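Review bot: Style: the `#else` entry `{ "gssapitrustdns", oUnsupported},` drops the space before `}` that every neighbouring entry in this table has; write `{ "gssapitrustdns", oUnsupported },`. The keyword is registered here in lowercase while the manual page in this commit spells it GSSAPITrustDns and the commit title GSSAPITrustDNS; matching is presumably case-insensitive as for the other keywords, but the documentation should settle on one spelling.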
@@ -966,6 +968,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1778,6 +1784,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1923,6 +1930,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
index cef55f7..de03818 100644
--- a/readconf.h
+++ b/readconf.h
@@ -46,6 +46,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
index 7630e7b..14c0fad 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -830,6 +830,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Dq no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
index fae8b0f..9af7704 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -25,9 +25,9 @@
*/
#include "includes.h"
-
#include <sys/types.h>
#include <sys/socket.h>
+#include <arpa/inet.h>
#include <sys/wait.h>
#include <sys/stat.h>
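Review bot: The new code later in this file calls gethostbyaddr() and uses struct hostent, both declared in &lt;netdb.h&gt;, but this hunk only adds &lt;arpa/inet.h&gt; for inet_aton(); unless &lt;netdb.h&gt; is already included further down (not visible in this hunk), add `#include <netdb.h>` alongside it. Deleting the blank line after `#include "includes.h"` is an unrelated whitespace change, presumably a deliberate separator in the original; I would leave that line as it was.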
@@ -642,6 +642,24 @@ done:
}
#ifdef GSSAPI
+char
+*ip_to_hostname(char *hostname)
+{
+ struct hostent *hent;
+ struct in_addr addr;
+
+ if(!inet_aton(hostname, &addr))
+ return(hostname);
+
+ if((hent = gethostbyaddr((char *)&(addr.s_addr), sizeof(addr.s_addr),
+ AF_INET)))
+ {
+ strcpy(hostname, hent->h_name);
+ }
+
+ return(hostname);
+}
+
int
userauth_gssapi(Authctxt *authctxt)
{
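Review bot: `strcpy(hostname, hent->h_name)` in ip_to_hostname copies a name of unbounded length, chosen by whoever answers the PTR query, into the caller's buffer; the only caller passes `ssh->remote_ipaddr`, which as far as this commit shows holds just the textual address, so any resolved name longer than that address overruns the allocation — a remote DNS answer becomes a heap write. The helper also rewrites that field in place, which presumably affects later uses of the address for logging, is IPv4-only because it gates on inet_aton(), and relies on gethostbyaddr(), which is non-reentrant and superseded by getnameinfo(). I would make it `static`, have it fill a caller-supplied buffer without touching its input, accept either address family, and return failure so the caller can fall back to the user-typed host; this needs `<netdb.h>`.
```c
/*
 * Reverse-resolve a numeric peer address (IPv4 or IPv6) for use as the
 * GSSAPI target host.  Writes the name into name[namelen] and returns 0,
 * or returns -1 when the address does not parse or has no PTR record.
 * The input string is never modified.
 */
static int
ip_to_hostname(const char *ipaddr, char *name, size_t namelen)
{
	struct addrinfo hints, *ai = NULL;
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_flags = AI_NUMERICHOST;	/* literal only, no forward DNS */
	if (getaddrinfo(ipaddr, NULL, &hints, &ai) != 0 || ai == NULL)
		return -1;
	/* NI_NAMEREQD: fail rather than echo the address back as the name. */
	rc = getnameinfo(ai->ai_addr, ai->ai_addrlen, name, namelen,
	    NULL, 0, NI_NAMEREQD);
	freeaddrinfo(ai);
	return rc == 0 ? 0 : -1;
}
```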
@@ -651,6 +669,15 @@ userauth_gssapi(Authctxt *authctxt)
OM_uint32 min;
int ok = 0;
+ struct ssh *ssh = active_state; /* XXX */
+
+ const char *gss_host;
+
+ if (options.gss_trust_dns)
+ gss_host = ip_to_hostname(ssh->remote_ipaddr);
+ else
+ gss_host = authctxt->host;
+
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
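Review bot: With GSSAPITrustDNS on, the new branch uses the result of ip_to_hostname() unconditionally, and that helper hands back its argument unchanged whenever the address is not an IPv4 literal or the reverse lookup fails, so over IPv6 or without a PTR record the GSSAPI target becomes the bare address string instead of `authctxt->host`. The GSSAPI library would then presumably look for a service principal named after the IP literal, which is unlikely to exist, so enabling the option makes authentication fail where the non-trusting path would have worked. Default `gss_host` to `authctxt->host` and override it only when the lookup actually produced a name, which requires the helper to report failure (here assumed to fill a caller buffer and return 0 on success) rather than echo its input. userauth_gssapi begins and ends outside this hunk.
```c
	struct ssh *ssh = active_state; /* XXX */
	char gss_hostbuf[NI_MAXHOST];
	const char *gss_host = authctxt->host;

	/* Only trust reverse DNS when it actually produced a name. */
	if (options.gss_trust_dns &&
	    ip_to_hostname(ssh->remote_ipaddr, gss_hostbuf,
	    sizeof(gss_hostbuf)) == 0)
		gss_host = gss_hostbuf;
	/* … unchanged: mechanism loop … */
```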
@@ -661,8 +688,8 @@ userauth_gssapi(Authctxt *authctxt)
while (mech < gss_supported->count && !ok) {
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ ssh_gssapi_check_mechanism(&gssctxt,
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;