Thanks Sam and Scott for considering and discussing this patch.
Here's an updated patch that adds a GSSAPIRequireMIC sshd_config option
to enable the "site policy decision for the server whether or not to
permit authentication using GSS-API mechanisms and/or contexts that do
not support per-message integrity protection." The default is "yes"
(integrity protection required); our mech_saml_ec implementation
currently needs this option set to "no".
-Jim
diff --git a/gss-serv.c b/gss-serv.c
index 2a6bfbf..459cecc 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -175,10 +175,13 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
* we flag the user as also having been authenticated
*/
- if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
- (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
- if (ssh_gssapi_getclient(ctx, &gssapi_client))
+ if (ctx->major == GSS_S_COMPLETE) {
+ if (options.gss_require_mic &&
+ ((flags == NULL) || !(*flags & GSS_C_INTEG_FLAG))) {
+ debug("GSSAPIRequireMIC true and integrity protection not supported so gssapi-with-mic fails.");
+ } else if (ssh_gssapi_getclient(ctx, &gssapi_client)) {
fatal("Couldn't convert client name");
+ }
}
return (status);
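Review bot: The rewritten condition at the `if (options.gss_require_mic &&` line drops the GSS_C_MUTUAL_FLAG requirement that the removed lines enforced, and drops it unconditionally rather than only when GSSAPIRequireMIC is "no", so a context without mutual authentication now has gssapi_client populated whenever ctx->major is GSS_S_COMPLETE. If only the integrity requirement is meant to become configurable, keep the mutual check as its own reject: `if ((flags != NULL && !(*flags & GSS_C_MUTUAL_FLAG)) ||` / `    (options.gss_require_mic &&` / `    (flags == NULL || !(*flags & GSS_C_INTEG_FLAG)))) {`. The new code also rejects `flags == NULL` when the option is on, whereas the old condition accepted that case; if that is intended it should be stated in the commit message. Since this is a policy refusal rather than a trace event, `logit()` would make the reason for a failed gssapi-with-mic visible to operators where `debug()` will not. ssh_gssapi_accept_ctx starts before this hunk.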
diff --git a/servconf.c b/servconf.c
index 6a4afa0..5987aae 100644
--- a/servconf.c
+++ b/servconf.c
@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions *options)
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_keyex = -1;
+ options->gss_require_mic = -1;
options->gss_cleanup_creds = -1;
options->gss_strict_acceptor = -1;
options->password_authentication = -1;
@@ -230,6 +231,8 @@ fill_default_server_options(ServerOptions *options)
options->gss_authentication = 0;
if (options->gss_keyex == -1)
options->gss_keyex = 0;
+ if (options->gss_require_mic == -1)
+ options->gss_require_mic = 1;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
@@ -329,7 +332,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
- sGssKeyEx,
+ sGssKeyEx, sGssReqMIC,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -397,12 +400,14 @@ static struct {
{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapirequiremic", sGssReqMIC, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapirequiremic", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -964,6 +969,10 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->gss_keyex;
goto parse_flag;
+ case sGssReqMIC:
+ intptr = &options->gss_require_mic;
+ goto parse_flag;
+
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
@@ -1729,6 +1738,7 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssReqMIC, o->gss_require_mic);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
#endif
diff --git a/servconf.h b/servconf.h
index 801a54f..0b37081 100644
--- a/servconf.h
+++ b/servconf.h
@@ -98,6 +98,7 @@ typedef struct {
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */
+ int gss_require_mic; /* If true, require GSS_C_INTEG_FLAG for gssapi-with-mic */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int password_authentication; /* If true, permit password
diff --git a/sshd_config b/sshd_config
index 3576260..f8ed68a 100644
--- a/sshd_config
+++ b/sshd_config
@@ -74,6 +74,7 @@
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
+#GSSAPIRequireMIC yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
index 449afb3..302b13c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -435,6 +435,16 @@ on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIRequireMIC
+Specifies whether to permit authentication using GSS-API mechanisms
+and/or contexts that do not support per-message integrity protection.
+If
+.Dq yes
+then the server will fail an otherwise valid gssapi-with-mic authentication
+if per-message integrity protection is not supported.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against. If