mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-07-09 23:33:46 -05:00
Support GSS key exchange, for Kerberos 5 only.
This is a heavily edited (by me) version of a patch originally due to Nico Williams and Viktor Dukhovni. Their comments: * Don't delegate credentials when rekeying unless there's a new TGT or the old service ticket is nearly expired. * Check for the above conditions more frequently (every two minutes by default) and rekey when we would delegate credentials. * Do not rekey with very short service ticket lifetimes; some GSSAPI libraries may lose the race to use an almost expired ticket. Adjust the timing of rekey checks to try to avoid this possibility. My further comments: The most interesting thing about this patch to me is that the use of GSS key exchange causes a switch over to a completely different model of what host keys are for. This comes from RFC 4462 section 2.1: the basic idea is that when your session is mostly bidirectionally authenticated by the GSSAPI exchanges happening in initial kex and every rekey, host keys become more or less vestigial, and their remaining purpose is to allow a rekey to happen if the requirements of the SSH protocol demand it at an awkward moment when the GSS credentials are not currently available (e.g. timed out and haven't been renewed yet). As such, there's no need for host keys to be _permanent_ or to be a reliable identifier of a particular host, and RFC 4462 allows for the possibility that they might be purely transient and only for this kind of emergency fallback purpose. Therefore, once PuTTY has done a GSS key exchange, it disconnects itself completely from the permanent host key cache functions in storage.h, and instead switches to a _transient_ host key cache stored in memory with the lifetime of just that SSH session. That cache is populated with keys received from the server as a side effect of GSS kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if later in the session we have to fall back to a non-GSS key exchange. However, in practice servers we've tested against do not send a host key in that way, so we also have a fallback method of populating the transient cache by triggering an immediate non-GSS rekey straight after userauth (reusing the code path we also use to turn on OpenSSH delayed encryption without the race condition).
This commit is contained in:
10
ssh.h
10
ssh.h
@ -381,7 +381,7 @@ struct ssh_hash {
|
||||
|
||||
struct ssh_kex {
|
||||
const char *name, *groupname;
|
||||
enum { KEXTYPE_DH, KEXTYPE_RSA, KEXTYPE_ECDH } main_type;
|
||||
enum { KEXTYPE_DH, KEXTYPE_RSA, KEXTYPE_ECDH, KEXTYPE_GSS } main_type;
|
||||
const struct ssh_hash *hash;
|
||||
const void *extra; /* private to the kex methods */
|
||||
};
|
||||
@ -466,6 +466,7 @@ extern const struct ssh_hash ssh_sha512;
|
||||
extern const struct ssh_kexes ssh_diffiehellman_group1;
|
||||
extern const struct ssh_kexes ssh_diffiehellman_group14;
|
||||
extern const struct ssh_kexes ssh_diffiehellman_gex;
|
||||
extern const struct ssh_kexes ssh_gssk5_sha1_kex;
|
||||
extern const struct ssh_kexes ssh_rsa_kex;
|
||||
extern const struct ssh_kexes ssh_ecdh_kex;
|
||||
extern const struct ssh_signkey ssh_dss;
|
||||
@ -952,6 +953,13 @@ void platform_ssh_share_cleanup(const char *name);
|
||||
#define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
|
||||
#define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
|
||||
#define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
|
||||
#define SSH2_MSG_KEXGSS_INIT 30 /* 0x1e */
|
||||
#define SSH2_MSG_KEXGSS_CONTINUE 31 /* 0x1f */
|
||||
#define SSH2_MSG_KEXGSS_COMPLETE 32 /* 0x20 */
|
||||
#define SSH2_MSG_KEXGSS_HOSTKEY 33 /* 0x21 */
|
||||
#define SSH2_MSG_KEXGSS_ERROR 34 /* 0x22 */
|
||||
#define SSH2_MSG_KEXGSS_GROUPREQ 40 /* 0x28 */
|
||||
#define SSH2_MSG_KEXGSS_GROUP 41 /* 0x29 */
|
||||
#define SSH2_MSG_KEXRSA_PUBKEY 30 /* 0x1e */
|
||||
#define SSH2_MSG_KEXRSA_SECRET 31 /* 0x1f */
|
||||
#define SSH2_MSG_KEXRSA_DONE 32 /* 0x20 */
|
||||
|
Reference in New Issue
Block a user