
Make GSS kex and GSS userauth separately configurable.

GSS kex has advantages in terms of keeping Kerberos credentials up
to date, but it also does something sufficiently weird to the usual
SSH host key system that I think it's worth making sure users have a
means of turning it off separately from the less intrusive GSS
userauth.
Simon Tatham
2018-04-26 19:15:15 +01:00
parent c32ce29b6d
commit 223ea4d1e6
5 changed files with 42 additions and 16 deletions

9
ssh.c

@ -6595,7 +6595,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
* where the flag was set on the previous key exchange.)
*/
s->can_gssapi_keyex = FALSE;
} else {
} else if (conf_get_int(ssh->conf, CONF_try_gssapi_kex)) {
/*
* We always check if we have GSS creds before we come up with
* the kex algorithm list, otherwise future rekeys will fail
@ -6629,6 +6629,8 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
if (!s->got_session_id && (ssh->gss_status & GSS_CTXT_MAYFAIL) != 0)
s->can_gssapi_keyex = 0;
s->gss_delegate = conf_get_int(ssh->conf, CONF_gssapifwd);
} else {
s->can_gssapi_keyex = FALSE;
}
#endif
@ -10429,7 +10431,7 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
in_commasep_string("gssapi-with-mic", methods, methlen) &&
ssh->gsslibs->nlibraries > 0;
s->can_gssapi_keyex_auth =
conf_get_int(ssh->conf, CONF_try_gssapi_auth) &&
conf_get_int(ssh->conf, CONF_try_gssapi_kex) &&
in_commasep_string("gssapi-keyex", methods, methlen) &&
ssh->gsslibs->nlibraries > 0 &&
ssh->gss_ctx;
@ -11903,7 +11905,8 @@ static void ssh2_gss_update(Ssh ssh)
*/
if (ssh->gsslibs->nlibraries == 0)
return;
if (!conf_get_int(ssh->conf, CONF_try_gssapi_auth))
if (!conf_get_int(ssh->conf, CONF_try_gssapi_auth) &&
!conf_get_int(ssh->conf, CONF_try_gssapi_kex))
return;
/* Import server name and cache it */