Patch for openssh version 7.3p1 to enable GSSAPITrustDNS option
commit 2d9b2ea3384842cf3f2f2c9c4b5b61540e9a1a53 | |
Author: Manuel Giffels <giffels@gmail.com> | |
Date: Tue Sep 27 14:06:05 2016 +0200 | |
GSSAPITrustDNS Patch | |
diff --git a/readconf.c b/readconf.c | |
index c177202..bab01ff 100644 | |
--- a/readconf.c | |
+++ b/readconf.c | |
@@ -159,7 +159,7 @@ typedef enum { | |
oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, | |
oClearAllForwardings, oNoHostAuthenticationForLocalhost, | |
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | |
- oAddressFamily, oGssAuthentication, oGssDelegateCreds, | |
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssTrustDns, | |
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | |
oSendEnv, oControlPath, oControlMaster, oControlPersist, | |
oHashKnownHosts, | |
@@ -206,9 +206,11 @@ static struct { | |
#if defined(GSSAPI) | |
{ "gssapiauthentication", oGssAuthentication }, | |
{ "gssapidelegatecredentials", oGssDelegateCreds }, | |
+ { "gssapitrustdns", oGssTrustDns }, | |
#else | |
{ "gssapiauthentication", oUnsupported }, | |
{ "gssapidelegatecredentials", oUnsupported }, | |
+ { "gssapitrustdns", oUnsupported}, | |
#endif | |
{ "fallbacktorsh", oDeprecated }, | |
{ "usersh", oDeprecated }, | |
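Review bot: The `#else` entry for the new keyword is formatted differently from every neighbouring initializer — it lacks the space before the closing brace; it should read `{ "gssapitrustdns", oUnsupported },`. The ssh_config.5 hunk spells the option `GSSAPITrustDns` while the gist title says `GSSAPITrustDNS`; keyword lookup in readconf.c is case-insensitive as far as I recall, so this is a consistency point for the documentation rather than a functional one, but the two should agree. The keyword table this hunk patches starts and ends outside the hunk.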
@@ -966,6 +968,10 @@ parse_time: | |
intptr = &options->gss_deleg_creds; | |
goto parse_flag; | |
+ case oGssTrustDns: | |
+ intptr = &options->gss_trust_dns; | |
+ goto parse_flag; | |
+ | |
case oBatchMode: | |
intptr = &options->batch_mode; | |
goto parse_flag; | |
@@ -1778,6 +1784,7 @@ initialize_options(Options * options) | |
options->challenge_response_authentication = -1; | |
options->gss_authentication = -1; | |
options->gss_deleg_creds = -1; | |
+ options->gss_trust_dns = -1; | |
options->password_authentication = -1; | |
options->kbd_interactive_authentication = -1; | |
options->kbd_interactive_devices = NULL; | |
@@ -1923,6 +1930,8 @@ fill_default_options(Options * options) | |
options->gss_authentication = 0; | |
if (options->gss_deleg_creds == -1) | |
options->gss_deleg_creds = 0; | |
+ if (options->gss_trust_dns == -1) | |
+ options->gss_trust_dns = 0; | |
if (options->password_authentication == -1) | |
options->password_authentication = 1; | |
if (options->kbd_interactive_authentication == -1) | |
diff --git a/readconf.h b/readconf.h | |
index cef55f7..de03818 100644 | |
--- a/readconf.h | |
+++ b/readconf.h | |
@@ -46,6 +46,7 @@ typedef struct { | |
/* Try S/Key or TIS, authentication. */ | |
int gss_authentication; /* Try GSS authentication */ | |
int gss_deleg_creds; /* Delegate GSS credentials */ | |
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ | |
int password_authentication; /* Try password | |
* authentication. */ | |
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | |
diff --git a/ssh_config.5 b/ssh_config.5 | |
index 7630e7b..14c0fad 100644 | |
--- a/ssh_config.5 | |
+++ b/ssh_config.5 | |
@@ -830,6 +830,16 @@ The default is | |
Forward (delegate) credentials to the server. | |
The default is | |
.Dq no . | |
+Note that this option applies to protocol version 2 connections using GSSAPI. | |
+.It Cm GSSAPITrustDns | |
+Set to | |
+.Dq yes to indicate that the DNS is trusted to securely canonicalize | |
+the name of the host being connected to. If | |
+.Dq no, the hostname entered on the | |
+command line will be passed untouched to the GSSAPI library. | |
+The default is | |
+.Dq no . | |
+This option only applies to protocol version 2 connections using GSSAPI. | |
.It Cm HashKnownHosts | |
Indicates that | |
.Xr ssh 1 | |
diff --git a/sshconnect2.c b/sshconnect2.c | |
index fae8b0f..9af7704 100644 | |
--- a/sshconnect2.c | |
+++ b/sshconnect2.c | |
@@ -25,9 +25,9 @@ | |
*/ | |
#include "includes.h" | |
- | |
#include <sys/types.h> | |
#include <sys/socket.h> | |
+#include <arpa/inet.h> | |
#include <sys/wait.h> | |
#include <sys/stat.h> | |
@@ -642,6 +642,24 @@ done: | |
} | |
#ifdef GSSAPI | |
+char | |
+*ip_to_hostname(char *hostname) | |
+{ | |
+ struct hostent *hent; | |
+ struct in_addr addr; | |
+ | |
+ if(!inet_aton(hostname, &addr)) | |
+ return(hostname); | |
+ | |
+ if((hent = gethostbyaddr((char *)&(addr.s_addr), sizeof(addr.s_addr), | |
+ AF_INET))) | |
+ { | |
+ strcpy(hostname, hent->h_name); | |
+ } | |
+ | |
+ return(hostname); | |
+} | |
+ | |
int | |
userauth_gssapi(Authctxt *authctxt) | |
{ | |
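Review bot: `ip_to_hostname` copies `hent->h_name` into the caller's buffer with an unbounded `strcpy`, and the caller (the `userauth_gssapi` hunk below) passes `ssh->remote_ipaddr`, a string sized for a numeric address — any PTR name longer than the address text overflows that allocation, and the connection's stored remote address is silently replaced by the DNS name for the rest of the session. The function also only recognises IPv4 (`inet_aton`), uses the obsolete non-reentrant `gethostbyaddr`, and returns the unchanged address string on lookup failure, so the caller cannot tell a failed lookup from a success and ends up targeting `host@<ip-literal>` instead of falling back to `authctxt->host`. I would make the function `static`, take a `const char *`, resolve either address family through `getaddrinfo(AI_NUMERICHOST)`/`getnameinfo(NI_NAMEREQD)`, and return either an `xstrdup`'d name or NULL; the caller hunk then becomes `gss_host = (options.gss_trust_dns && (canon = ip_to_hostname(ssh->remote_ipaddr)) != NULL) ? canon : authctxt->host;` with `free(canon)` after the mechanism loop (which ends outside that hunk). `getnameinfo` needs `<netdb.h>`; add it in the include hunk if sshconnect2.c does not already pull it in.
```c
#ifdef GSSAPI
/*
 * Reverse-map a numeric IPv4/IPv6 address to a host name for use as the
 * GSSAPI target. Returns an xstrdup'd name the caller must free, or NULL
 * when the address has no usable PTR record; the caller then keeps the
 * user-supplied host name.
 */
static char *
ip_to_hostname(const char *ipaddr)
{
	struct addrinfo hints, *ai;
	char name[NI_MAXHOST];
	int r;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_flags = AI_NUMERICHOST;	/* ipaddr is always numeric here */
	if (getaddrinfo(ipaddr, NULL, &hints, &ai) != 0)
		return NULL;
	r = getnameinfo(ai->ai_addr, ai->ai_addrlen, name, sizeof(name),
	    NULL, 0, NI_NAMEREQD);
	freeaddrinfo(ai);
	if (r != 0) {
		debug("%s: reverse lookup of %s failed: %s", __func__,
		    ipaddr, gai_strerror(r));
		return NULL;
	}
	return xstrdup(name);
}
/* … unchanged: userauth_gssapi … */
```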
@@ -651,6 +669,15 @@ userauth_gssapi(Authctxt *authctxt) | |
OM_uint32 min; | |
int ok = 0; | |
+ struct ssh *ssh = active_state; /* XXX */ | |
+ | |
+ const char *gss_host; | |
+ | |
+ if (options.gss_trust_dns) | |
+ gss_host = ip_to_hostname(ssh->remote_ipaddr); | |
+ else | |
+ gss_host = authctxt->host; | |
+ | |
/* Try one GSSAPI method at a time, rather than sending them all at | |
* once. */ | |
@@ -661,8 +688,8 @@ userauth_gssapi(Authctxt *authctxt) | |
while (mech < gss_supported->count && !ok) { | |
/* My DER encoding requires length<128 */ | |
if (gss_supported->elements[mech].length < 128 && | |
- ssh_gssapi_check_mechanism(&gssctxt, | |
- &gss_supported->elements[mech], authctxt->host)) { | |
+ ssh_gssapi_check_mechanism(&gssctxt, | |
+ &gss_supported->elements[mech], gss_host)) { | |
ok = 1; /* Mechanism works */ | |
} else { | |
mech++; |