Add support for mechanisms with no integrity

diff --git a/gss-serv.c b/gss-serv.c
index 2a6bfbf..459cecc 100644 (file)
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -175,10 +175,13 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
         * we flag the user as also having been authenticated
         */
 
-       if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
-           (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
-               if (ssh_gssapi_getclient(ctx, &gssapi_client))
+       if (ctx->major == GSS_S_COMPLETE) {
+               if (options.gss_require_mic &&
+                   ((flags == NULL) || !(*flags & GSS_C_INTEG_FLAG))) {
+                       debug("GSSAPIRequireMIC true and integrity protection not supported so gssapi-with-mic fails.");
+               } else if (ssh_gssapi_getclient(ctx, &gssapi_client)) {
                        fatal("Couldn't convert client name");
+               }
        }
 
        return (status);

diff --git a/servconf.c b/servconf.c
index 6a4afa0..5987aae 100644 (file)
--- a/servconf.c
+++ b/servconf.c
@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions *options)
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
        options->gss_keyex = -1;
+       options->gss_require_mic = -1;
        options->gss_cleanup_creds = -1;
        options->gss_strict_acceptor = -1;
        options->password_authentication = -1;
@@ -230,6 +231,8 @@ fill_default_server_options(ServerOptions *options)
                options->gss_authentication = 0;
        if (options->gss_keyex == -1)
                options->gss_keyex = 0;
+       if (options->gss_require_mic == -1)
+               options->gss_require_mic = 1;
        if (options->gss_cleanup_creds == -1)
                options->gss_cleanup_creds = 1;
        if (options->gss_strict_acceptor == -1)
@@ -329,7 +332,7 @@ typedef enum {
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-       sGssKeyEx,
+       sGssKeyEx, sGssReqMIC,
        sAcceptEnv, sPermitTunnel,
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -397,12 +400,14 @@ static struct {
        { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
        { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+       { "gssapirequiremic", sGssReqMIC, SSHCFG_GLOBAL },
 #else
        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
        { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
        { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapirequiremic", sUnsupported, SSHCFG_GLOBAL },
 #endif
        { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
        { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -964,6 +969,10 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->gss_keyex;
                goto parse_flag;
 
+       case sGssReqMIC:
+               intptr = &options->gss_require_mic;
+               goto parse_flag;
+
        case sGssCleanupCreds:
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
@@ -1729,6 +1738,7 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
        dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+       dump_cfg_fmtint(sGssReqMIC, o->gss_require_mic);
        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
        dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
 #endif

diff --git a/servconf.h b/servconf.h
index 801a54f..0b37081 100644 (file)
--- a/servconf.h
+++ b/servconf.h
@@ -98,6 +98,7 @@ typedef struct {
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
        int     gss_keyex;              /* If true, permit GSSAPI key exchange */
+       int     gss_require_mic;        /* If true, require GSS_C_INTEG_FLAG for gssapi-with-mic */
        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
        int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
        int     password_authentication;        /* If true, permit password

diff --git a/sshd_config b/sshd_config
index 3576260..f8ed68a 100644 (file)
--- a/sshd_config
+++ b/sshd_config
@@ -74,6 +74,7 @@
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
+#GSSAPIRequireMIC yes
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 

diff --git a/sshd_config.5 b/sshd_config.5
index 449afb3..01a949a 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -435,6 +435,16 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIRequireMIC
+Specifies whether to permit authentication using GSS-API mechanisms
+and/or contexts that do not support per-message integrity protection.
+If
+.Dq yes
+then the server will fail an otherwise valid gssapi-with-mic authentication
+if per-message integrity protection is not supported.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor 
 a client authenticates against. If