From: Jim Basney <jbasney@ILLINOIS.EDU>
Date: Sat, 27 Oct 2012 00:45:03 +0000 (-0400)
Subject: Add support for mechanisms with no integrity
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=openssh.git;a=commitdiff_plain;h=c58af0369df352cd2bfddf972c0a43713cda1233

Add support for mechanisms with no integrity
---

diff --git a/gss-serv.c b/gss-serv.c
index 2a6bfbf..459cecc 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -175,10 +175,13 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
 	 * we flag the user as also having been authenticated
 	 */
 
-	if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
-	    (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
-		if (ssh_gssapi_getclient(ctx, &gssapi_client))
+	if (ctx->major == GSS_S_COMPLETE) {
+		if (options.gss_require_mic &&
+		    ((flags == NULL) || !(*flags & GSS_C_INTEG_FLAG))) {
+			debug("GSSAPIRequireMIC true and integrity protection not supported so gssapi-with-mic fails.");
+		} else if (ssh_gssapi_getclient(ctx, &gssapi_client)) {
 			fatal("Couldn't convert client name");
+		}
 	}
 
 	return (status);
diff --git a/servconf.c b/servconf.c
index 6a4afa0..5987aae 100644
--- a/servconf.c
+++ b/servconf.c
@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions *options)
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_keyex = -1;
+	options->gss_require_mic = -1;
 	options->gss_cleanup_creds = -1;
 	options->gss_strict_acceptor = -1;
 	options->password_authentication = -1;
@@ -230,6 +231,8 @@ fill_default_server_options(ServerOptions *options)
 		options->gss_authentication = 0;
 	if (options->gss_keyex == -1)
 		options->gss_keyex = 0;
+	if (options->gss_require_mic == -1)
+		options->gss_require_mic = 1;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
 	if (options->gss_strict_acceptor == -1)
@@ -329,7 +332,7 @@ typedef enum {
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-	sGssKeyEx,
+	sGssKeyEx, sGssReqMIC,
 	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -397,12 +400,14 @@ static struct {
 	{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+	{ "gssapirequiremic", sGssReqMIC, SSHCFG_GLOBAL },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapirequiremic", sUnsupported, SSHCFG_GLOBAL },
 #endif
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -964,6 +969,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->gss_keyex;
 		goto parse_flag;
 
+	case sGssReqMIC:
+		intptr = &options->gss_require_mic;
+		goto parse_flag;
+
 	case sGssCleanupCreds:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
@@ -1729,6 +1738,7 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
 	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+	dump_cfg_fmtint(sGssReqMIC, o->gss_require_mic);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
 	dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
 #endif
diff --git a/servconf.h b/servconf.h
index 801a54f..0b37081 100644
--- a/servconf.h
+++ b/servconf.h
@@ -98,6 +98,7 @@ typedef struct {
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
+	int     gss_require_mic;	/* If true, require GSS_C_INTEG_FLAG for gssapi-with-mic */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
 	int 	gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
 	int     password_authentication;	/* If true, permit password
diff --git a/sshd_config b/sshd_config
index 3576260..f8ed68a 100644
--- a/sshd_config
+++ b/sshd_config
@@ -74,6 +74,7 @@
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
+#GSSAPIRequireMIC yes
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
diff --git a/sshd_config.5 b/sshd_config.5
index 449afb3..01a949a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -435,6 +435,16 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIRequireMIC
+Specifies whether to permit authentication using GSS-API mechanisms
+and/or contexts that do not support per-message integrity protection.
+If
+.Dq yes
+then the server will fail an otherwise valid gssapi-with-mic authentication
+if per-message integrity protection is not supported.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor 
 a client authenticates against. If