
Make GSS kex and GSS userauth separately configurable.

The former has advantages in terms of keeping Kerberos credentials up
to date, but it also does something sufficiently weird to the usual
SSH host key system that I think it's worth making sure users have a
means of turning it off separately from the less intrusive GSS
userauth.
This commit is contained in:
Simon Tatham 2018-04-26 19:15:15 +01:00
parent c32ce29b6d
commit 223ea4d1e6
5 changed files with 42 additions and 16 deletions


@ -2403,6 +2403,10 @@ void setup_config_box(struct controlbox *b, int midsession,
HELPCTX(ssh_kexlist), HELPCTX(ssh_kexlist),
kexlist_handler, P(NULL)); kexlist_handler, P(NULL));
c->listbox.height = KEX_MAX_CONF; c->listbox.height = KEX_MAX_CONF;
ctrl_checkbox(s, "Attempt GSSAPI key exchange",
'k', HELPCTX(ssh_gssapi),
conf_checkbox_handler,
I(CONF_try_gssapi_kex));
s = ctrl_getset(b, "Connection/SSH/Kex", "repeat", s = ctrl_getset(b, "Connection/SSH/Kex", "repeat",
"Options controlling key re-exchange"); "Options controlling key re-exchange");
@ -2565,6 +2569,11 @@ void setup_config_box(struct controlbox *b, int midsession,
conf_checkbox_handler, conf_checkbox_handler,
I(CONF_try_gssapi_auth)); I(CONF_try_gssapi_auth));
ctrl_checkbox(s, "Attempt GSSAPI key exchange (SSH-2 only)",
'k', HELPCTX(ssh_gssapi),
conf_checkbox_handler,
I(CONF_try_gssapi_kex));
ctrl_checkbox(s, "Allow GSSAPI credential delegation", 'l', ctrl_checkbox(s, "Allow GSSAPI credential delegation", 'l',
HELPCTX(ssh_gssapi_delegation), HELPCTX(ssh_gssapi_delegation),
conf_checkbox_handler, conf_checkbox_handler,
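Review bot: The Kex-panel checkbox in the first hunk (`ctrl_checkbox(s, "Attempt GSSAPI key exchange", ...)`) binds to CONF_try_gssapi_kex, which putty.h and settings.c define and persist outside any `#ifndef NO_GSSAPI`, so unless the surrounding Kex panel code is already inside such a guard (not visible in the hunk) the control will appear in builds without GSSAPI support and do nothing. Wrapping those four lines in `#ifndef NO_GSSAPI` / `#endif` would match how the GSS library settings in settings.c are guarded. The same setting is surfaced a second time on the GSSAPI auth panel in the second hunk; a short comment on the Kex-panel copy such as `/* Same setting as on the GSSAPI auth panel; repeated here because GSS kex changes host key verification */` would explain the duplication to the next reader. setup_config_box starts and ends outside both hunks.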


@ -2581,6 +2581,13 @@ you to delegate the credentials that are active at the beginning of
the session; they can't be refreshed automatically later, in a the session; they can't be refreshed automatically later, in a
long-running session. long-running session.
Another effect of GSSAPI key exchange is that it replaces the usual
SSH mechanism of permanent host keys. So if you use this method, then
you won't be asked any interactive questions about whether to accept
the server's host key. Instead, the Kerberos exchange will verify the
identity of the host you connect to, at the same time as verifying
your identity to it.
\S{config-ssh-kex-rekey} \ii{Repeat key exchange} \S{config-ssh-kex-rekey} \ii{Repeat key exchange}
\cfg{winhelp-topic}{ssh.kex.repeat} \cfg{winhelp-topic}{ssh.kex.repeat}
@ -2988,19 +2995,23 @@ GSSAPI authentication is only available in the SSH-2 protocol.
PuTTY supports two forms of GSSAPI-based authentication. In one of PuTTY supports two forms of GSSAPI-based authentication. In one of
them, the SSH key exchange happens in the normal way, and GSSAPI is them, the SSH key exchange happens in the normal way, and GSSAPI is
only involved in authenticating the user. In the other, GSSAPI-based only involved in authenticating the user. The checkbox labelled
authentication is combined with the key exchange phase, and the SSH \q{Attempt GSSAPI authentication} controls this form.
authentication step has nothing left to do. If you enable GSSAPI
authentication, PuTTY will attempt both of these methods, and use
whichever the server supports.
The topmost control on the GSSAPI subpanel is the checkbox labelled In the other method, GSSAPI-based authentication is combined with the
\q{Attempt GSSAPI authentication}. If this is disabled, GSSAPI will SSH key exchange phase. If this succeeds, then the SSH authentication
not be attempted at all and the rest of this panel is unused. If it step has nothing left to do. See \k{config-ssh-gssapi-kex} for more
is enabled, GSSAPI authentication will be attempted, and (typically) information about this method. The checkbox labelled \q{Attempt GSSAPI
if your client machine has valid Kerberos credentials loaded, then key exchange} controls this form.
PuTTY should be able to authenticate automatically to servers that
support Kerberos logins. If one or both of these controls is enabled, then GSSAPI
authentication will be attempted in one form or the other, and
(typically) if your client machine has valid Kerberos credentials
loaded, then PuTTY should be able to authenticate automatically to
servers that support Kerberos logins.
If both of those checkboxes are disabled, PuTTY will not try any form
of GSSAPI at all, and the rest of this panel will be unused.
\S{config-ssh-auth-gssapi-delegation} \q{Allow GSSAPI credential \S{config-ssh-auth-gssapi-delegation} \q{Allow GSSAPI credential
delegation} delegation}


@ -802,7 +802,8 @@ void cleanup_exit(int);
X(INT, NONE, ssh_show_banner) /* show USERAUTH_BANNERs (SSH-2 only) */ \ X(INT, NONE, ssh_show_banner) /* show USERAUTH_BANNERs (SSH-2 only) */ \
X(INT, NONE, try_tis_auth) \ X(INT, NONE, try_tis_auth) \
X(INT, NONE, try_ki_auth) \ X(INT, NONE, try_ki_auth) \
X(INT, NONE, try_gssapi_auth) /* attempt gssapi auth */ \ X(INT, NONE, try_gssapi_auth) /* attempt gssapi auth via ssh userauth */ \
X(INT, NONE, try_gssapi_kex) /* attempt gssapi auth via ssh kex */ \
X(INT, NONE, gssapifwd) /* forward tgt via gss */ \ X(INT, NONE, gssapifwd) /* forward tgt via gss */ \
X(INT, NONE, gssapirekey) /* KEXGSS refresh interval (mins) */ \ X(INT, NONE, gssapirekey) /* KEXGSS refresh interval (mins) */ \
X(INT, INT, ssh_gsslist) /* preference order for local GSS libs */ \ X(INT, INT, ssh_gsslist) /* preference order for local GSS libs */ \


@ -581,6 +581,7 @@ void save_open_settings(void *sesskey, Conf *conf)
write_setting_i(sesskey, "AuthTIS", conf_get_int(conf, CONF_try_tis_auth)); write_setting_i(sesskey, "AuthTIS", conf_get_int(conf, CONF_try_tis_auth));
write_setting_i(sesskey, "AuthKI", conf_get_int(conf, CONF_try_ki_auth)); write_setting_i(sesskey, "AuthKI", conf_get_int(conf, CONF_try_ki_auth));
write_setting_i(sesskey, "AuthGSSAPI", conf_get_int(conf, CONF_try_gssapi_auth)); write_setting_i(sesskey, "AuthGSSAPI", conf_get_int(conf, CONF_try_gssapi_auth));
write_setting_i(sesskey, "AuthGSSAPIKEX", conf_get_int(conf, CONF_try_gssapi_kex));
#ifndef NO_GSSAPI #ifndef NO_GSSAPI
wprefs(sesskey, "GSSLibs", gsslibkeywords, ngsslibs, conf, CONF_ssh_gsslist); wprefs(sesskey, "GSSLibs", gsslibkeywords, ngsslibs, conf, CONF_ssh_gsslist);
write_setting_filename(sesskey, "GSSCustom", conf_get_filename(conf, CONF_ssh_gss_custom)); write_setting_filename(sesskey, "GSSCustom", conf_get_filename(conf, CONF_ssh_gss_custom));
@ -970,6 +971,7 @@ void load_open_settings(void *sesskey, Conf *conf)
gppi(sesskey, "AuthTIS", 0, conf, CONF_try_tis_auth); gppi(sesskey, "AuthTIS", 0, conf, CONF_try_tis_auth);
gppi(sesskey, "AuthKI", 1, conf, CONF_try_ki_auth); gppi(sesskey, "AuthKI", 1, conf, CONF_try_ki_auth);
gppi(sesskey, "AuthGSSAPI", 1, conf, CONF_try_gssapi_auth); gppi(sesskey, "AuthGSSAPI", 1, conf, CONF_try_gssapi_auth);
gppi(sesskey, "AuthGSSAPIKEX", 1, conf, CONF_try_gssapi_kex);
#ifndef NO_GSSAPI #ifndef NO_GSSAPI
gprefs(sesskey, "GSSLibs", "\0", gprefs(sesskey, "GSSLibs", "\0",
gsslibkeywords, ngsslibs, conf, CONF_ssh_gsslist); gsslibkeywords, ngsslibs, conf, CONF_ssh_gsslist);
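Review bot: The new `gppi(sesskey, "AuthGSSAPIKEX", 1, conf, CONF_try_gssapi_kex);` in load_open_settings turns the option on for every saved session written before this commit, including sessions whose AuthGSSAPI is 0. Before this change GSS key exchange appears to have been gated by CONF_try_gssapi_auth (the ssh.c hunks replace that dependency), so such sessions will now start offering GSS kex — which, as the commit message says, replaces the usual host key check — without the user having opted in. Since AuthGSSAPI is loaded on the preceding line, inheriting it as the default preserves the old behaviour for existing sessions while leaving new sessions unchanged: `gppi(sesskey, "AuthGSSAPIKEX", conf_get_int(conf, CONF_try_gssapi_auth), conf, CONF_try_gssapi_kex);`. load_open_settings continues outside the hunk.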

9
ssh.c

@ -6595,7 +6595,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
* where the flag was set on the previous key exchange.) * where the flag was set on the previous key exchange.)
*/ */
s->can_gssapi_keyex = FALSE; s->can_gssapi_keyex = FALSE;
} else { } else if (conf_get_int(ssh->conf, CONF_try_gssapi_kex)) {
/* /*
* We always check if we have GSS creds before we come up with * We always check if we have GSS creds before we come up with
* the kex algorithm list, otherwise future rekeys will fail * the kex algorithm list, otherwise future rekeys will fail
@ -6629,6 +6629,8 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
if (!s->got_session_id && (ssh->gss_status & GSS_CTXT_MAYFAIL) != 0) if (!s->got_session_id && (ssh->gss_status & GSS_CTXT_MAYFAIL) != 0)
s->can_gssapi_keyex = 0; s->can_gssapi_keyex = 0;
s->gss_delegate = conf_get_int(ssh->conf, CONF_gssapifwd); s->gss_delegate = conf_get_int(ssh->conf, CONF_gssapifwd);
} else {
s->can_gssapi_keyex = FALSE;
} }
#endif #endif
@ -10429,7 +10431,7 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
in_commasep_string("gssapi-with-mic", methods, methlen) && in_commasep_string("gssapi-with-mic", methods, methlen) &&
ssh->gsslibs->nlibraries > 0; ssh->gsslibs->nlibraries > 0;
s->can_gssapi_keyex_auth = s->can_gssapi_keyex_auth =
conf_get_int(ssh->conf, CONF_try_gssapi_auth) && conf_get_int(ssh->conf, CONF_try_gssapi_kex) &&
in_commasep_string("gssapi-keyex", methods, methlen) && in_commasep_string("gssapi-keyex", methods, methlen) &&
ssh->gsslibs->nlibraries > 0 && ssh->gsslibs->nlibraries > 0 &&
ssh->gss_ctx; ssh->gss_ctx;
@ -11903,7 +11905,8 @@ static void ssh2_gss_update(Ssh ssh)
*/ */
if (ssh->gsslibs->nlibraries == 0) if (ssh->gsslibs->nlibraries == 0)
return; return;
if (!conf_get_int(ssh->conf, CONF_try_gssapi_auth)) if (!conf_get_int(ssh->conf, CONF_try_gssapi_auth) &&
!conf_get_int(ssh->conf, CONF_try_gssapi_kex))
return; return;
/* Import server name and cache it */ /* Import server name and cache it */
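Review bot: In the second do_ssh2_transport hunk, the added `} else { s->can_gssapi_keyex = FALSE; }` repeats the assignment the first branch already makes at `s->can_gssapi_keyex = FALSE;`; assigning it once before the if/else-if chain and dropping both copies would leave only the credential-check branch to change it. The new `else if (conf_get_int(ssh->conf, CONF_try_gssapi_kex))` in the first hunk also deserves a comment, because it is where the user's setting decides whether GSS kex — and with it the replacement of ordinary host key verification described in the commit — is offered at all; something like `/* Only offer GSS kex if the user enabled it: it bypasses the usual host key check */`. The body of do_ssh2_transport begins and ends outside these hunks.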