* we flag the user as also having been authenticated
*/
- if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
- (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
- if (ssh_gssapi_getclient(ctx, &gssapi_client))
+ if (ctx->major == GSS_S_COMPLETE) {
+ if (options.gss_require_mic &&
+ ((flags == NULL) || !(*flags & GSS_C_INTEG_FLAG))) {
+ debug("GSSAPIRequireMIC true and integrity protection not supported so gssapi-with-mic fails.");
+ } else if (ssh_gssapi_getclient(ctx, &gssapi_client)) {
fatal("Couldn't convert client name");
+ }
}
return (status);
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_keyex = -1;
+ options->gss_require_mic = -1;
options->gss_cleanup_creds = -1;
options->gss_strict_acceptor = -1;
options->password_authentication = -1;
options->gss_authentication = 0;
if (options->gss_keyex == -1)
options->gss_keyex = 0;
+ if (options->gss_require_mic == -1)
+ options->gss_require_mic = 1;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
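Review bot: The new default `options->gss_require_mic = 1` on the second added line is the security-relevant decision in this change and carries no comment, although it decides whether a GSSAPI context negotiated without GSS_C_INTEG_FLAG is accepted for gssapi-with-mic (the gss-serv.c check added elsewhere in this diff only rejects such contexts when the flag is set). Suggest placing `/* Require integrity protection (GSS_C_INTEG_FLAG) by default; 0 accepts contexts that negotiated no MIC. */` above the new `if`. The enclosing function (presumably fill_default_server_options) starts and ends outside the hunk. If the sshd_config manual page is not updated elsewhere in this change, the new keyword and its default should be documented there, since an administrator setting it to no is weakening the authentication check.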
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
- sGssKeyEx,
+ sGssKeyEx, sGssReqMIC,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapirequiremic", sGssReqMIC, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapirequiremic", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
intptr = &options->gss_keyex;
goto parse_flag;
+ case sGssReqMIC:
+ intptr = &options->gss_require_mic;
+ goto parse_flag;
+
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssReqMIC, o->gss_require_mic);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
#endif