From: djm@openbsd.org Date: Mon, 8 Dec 2025 03:55:22 +0000 (+0000) Subject: upstream: add a GssDelegateCreds option for the server, controlling X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94bf1154b4132727114f222a587daeac101f1f5b;p=thirdparty%2Fopenssh-portable.git upstream: add a GssDelegateCreds option for the server, controlling whether it accepts delgated credentials offered by the client. This option mirrors GssDelegateCreds in ssh_config. From Dmitry Belyavskiy via GHPR614; ok dtucker@ OpenBSD-Commit-ID: ac419354edb26cef9ad15692e0bed17a03997786
---
diff --git a/gss-serv.c b/gss-serv.c
index b0e9c3b49..05c347ea0 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.33 2025/09/29 21:30:15 dtucker Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.34 2025/12/08 03:55:22 djm Exp $ */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -332,6 +332,11 @@ ssh_gssapi_cleanup_creds(void)
 void
 ssh_gssapi_storecreds(void)
 {
+ if (options.gss_deleg_creds == 0) {
+ debug_f("delegate credential is disabled, doing nothing");
+ return 0;
+ }
+
 if (gssapi_client.mech && gssapi_client.mech->storecreds) {
 (*gssapi_client.mech->storecreds)(&gssapi_client);
 } else
diff --git a/servconf.c b/servconf.c
index e1e84db84..e74e3ecfb 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.438 2025/12/05 07:49:45 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.439 2025/12/08 03:55:22 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions *options)
 options->kerberos_get_afs_token = -1;
 options->gss_authentication=-1;
 options->gss_cleanup_creds = -1;
+ options->gss_deleg_creds = -1;
 options->gss_strict_acceptor = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
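Review bot: The new early exit in `ssh_gssapi_storecreds()` uses `return 0;`, but the context lines at the top of the hunk show the function is declared `void`, and a `return` with an expression in a void function violates a C constraint — clang rejects it and GCC warns — so the line should read `return;`. The guard itself looks sound: with the `fill_default_server_options` change the field presumably only reads 0 when the administrator explicitly sets `GSSAPIDelegateCredentials no`, in which case the delegated credentials are never stored. The body of `ssh_gssapi_storecreds` continues past the end of the hunk, so the remaining branches were not checked here. Separately, the `sshd_config.5` hunk documents the new default as `.CM yes .`; `.CM` is not an mdoc macro (the neighbouring entries use `.Cm yes .`), so the default would not render correctly.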
@@ -376,6 +377,8 @@ fill_default_server_options(ServerOptions *options)
 options->gss_authentication = 0;
 if (options->gss_cleanup_creds == -1)
 options->gss_cleanup_creds = 1;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 1;
 if (options->gss_strict_acceptor == -1)
 options->gss_strict_acceptor = 1;
 if (options->password_authentication == -1)
@@ -561,7 +564,7 @@ typedef enum {
 sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sPerSourcePenalties, sPerSourcePenaltyExemptList, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssDelegateCreds, sGssStrictAcceptor,
 sAcceptEnv, sSetEnv, sPermitTunnel, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -647,10 +650,12 @@ static struct {
 #ifdef GSSAPI
 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_GLOBAL },
 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 #else
 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapidelegatecredentials", sUnsupported, SSHCFG_GLOBAL },
 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 #endif
 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
@@ -1649,6 +1654,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 intptr = &options->gss_cleanup_creds;
 goto parse_flag;
+ case sGssDelegateCreds:
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
 case sGssStrictAcceptor:
 intptr = &options->gss_strict_acceptor;
 goto parse_flag;
@@ -3270,6 +3279,7 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssDelegateCreds, o->gss_deleg_creds);
 dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
 #endif
 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
diff --git a/servconf.h b/servconf.h
index 885d102fc..1005b0070 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.170 2025/12/05 07:49:45 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.171 2025/12/08 03:55:22 djm Exp $ */
 /*
 * Author: Tatu Ylonen
@@ -151,6 +151,7 @@ typedef struct {
 * authenticated with Kerberos. */
 int gss_authentication; /* If true, permit GSSAPI authentication */
 int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_deleg_creds; /* If true, accept delegated GSS credentials */
 int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
 int password_authentication; /* If true, permit password
 * authentication. */
diff --git a/sshd_config.5 b/sshd_config.5
index 480b756c8..4b6955a3b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.388 2025/12/08 00:45:00 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.389 2025/12/08 03:55:22 djm Exp $
 .Dd $Mdocdate: December 8 2025 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -747,6 +747,9 @@ Specifies whether to automatically destroy the user's credentials cache on
 logout.
 The default is
 .Cm yes .
+.It Cm GSSAPIDelegateCredentials
+Accept delegated credentials on the server side. The default is
+.CM yes .
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.