Support Generic GSS-API Mechanisms #1

Open · wants to merge 3 commits into base: draft

@jbasney commented Aug 14, 2015

This pull request combines SimonWilkinson/gss-openssh#2 with painless-security/gss-openssh#1. @hartmans requested I submit it here.

Previously, OpenSSH required that mechanisms be registered in a static table within the ssh server. There are three reasons for this:

  • To meet requirements from RFC 4462 about which mechanisms are used
  • To have mechanism-specific code to determine whether a user is authorized
  • A mechanism-specific implementation of localname

Since then the GSS-API vendors have added support for gss_localname and gss_userok. In addition, mechanism attributes allow sshd to probe for which mechanisms meet the requirements from RFC 4462.

Add support for arbitrary GSS-API mechanisms using gss_localname and gss_userok. Filter out negotiation mechanisms.

Also includes fixes for compiling against GSSAPI that doesn't (yet) have gss_userok() or gss_indicate_mechs_by_attrs().

hartmans and others added 3 commits August 14, 2015 13:05
Previously, OpenSSH required that mechanisms be registered in a static
table within the ssh server.  There are three reasons for this:

* To meet requirements from RFC 4462 about which mechanisms are used

* To have mechanism-specific code to determine whether a user is authorized

* A mechanism-specific implementation of localname

Since then the GSS-API vendors have added support for gss_localname
and gss_userok.  In addition, mechanism attributes allow sshd to probe
for which mechanisms meet the requirements from RFC 4462.

Add support for arbitrary GSS-API mechanisms using gss_localname and
gss_userok.  Filter out negotiation mechanisms.
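
The attribute-based selection described above, as an added example that is not code from this pull request: it models the desired/except rule of gss_indicate_mechs_by_attrs with bit flags instead of OID sets. The mechanism table, the flag values and the choice of attributes standing for the RFC 4462 requirements (mutual authentication and integrity, no negotiation mechanisms) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Flags named after RFC 5587 mechanism attributes. The bit values are local
 * to this example; the real API passes attributes as OIDs in a gss_OID_set. */
enum {
    MA_MECH_NEGO  = 1 << 0,  /* negotiation (pseudo-)mechanism, e.g. SPNEGO */
    MA_AUTH_INIT  = 1 << 1,  /* authenticates the initiator */
    MA_AUTH_TARG  = 1 << 2,  /* authenticates the target */
    MA_INTEG_PROT = 1 << 3   /* per-message integrity protection */
};

struct mech { const char *name; unsigned attrs; };

/* Constructed sample data standing in for what a GSS-API library reports. */
static const struct mech installed[] = {
    { "krb5",            MA_AUTH_INIT | MA_AUTH_TARG | MA_INTEG_PROT },
    { "spnego",          MA_MECH_NEGO | MA_AUTH_INIT | MA_AUTH_TARG | MA_INTEG_PROT },
    { "example-mech",    MA_AUTH_INIT | MA_AUTH_TARG | MA_INTEG_PROT }, /* hypothetical */
    { "example-nointeg", MA_AUTH_INIT | MA_AUTH_TARG }                  /* hypothetical */
};

/* Selection rule: keep a mechanism only if it has every desired attribute
 * and none of the excepted ones. */
static int mech_selected(const struct mech *m, unsigned desired, unsigned except)
{
    return (m->attrs & desired) == desired && (m->attrs & except) == 0;
}

/* Fills out[] with the names of mechanisms a server could offer under the
 * assumed policy and returns how many were written. */
size_t offerable_mechs(const char **out, size_t max)
{
    const unsigned desired = MA_AUTH_INIT | MA_AUTH_TARG | MA_INTEG_PROT;
    const unsigned except  = MA_MECH_NEGO;  /* filter out negotiation mechanisms */
    size_t n = 0;

    for (size_t i = 0; i < sizeof installed / sizeof installed[0] && n < max; i++)
        if (mech_selected(&installed[i], desired, except))
            out[n++] = installed[i].name;
    return n;
}

int main(void)
{
    const char *names[8];
    size_t n = offerable_mechs(names, 8);

    for (size_t i = 0; i < n; i++)
        printf("offer: %s\n", names[i]);
    return 0;
}
```

No static per-mechanism table is consulted: example-mech is offered purely because of the attributes it reports, while spnego is dropped by the except set and example-nointeg by the desired set.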