upstream: add a GssDelegateCreds option for the server, controlling
authordjm@openbsd.org <djm@openbsd.org>
Mon, 8 Dec 2025 03:55:22 +0000 (03:55 +0000)
committerDamien Miller <djm@mindrot.org>
Mon, 8 Dec 2025 03:57:11 +0000 (14:57 +1100)
whether it accepts delegated credentials offered by the client. This option
mirrors GssDelegateCreds in ssh_config.

From Dmitry Belyavskiy via GHPR614; ok dtucker@

OpenBSD-Commit-ID: ac419354edb26cef9ad15692e0bed17a03997786

gss-serv.c
servconf.c
servconf.h
sshd_config.5

index b0e9c3b49fe049f615fe97389dbeb871c1d82ed7..05c347ea058b062f6357f87572888a2a9135b82d 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.33 2025/09/29 21:30:15 dtucker Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.34 2025/12/08 03:55:22 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -332,6 +332,11 @@ ssh_gssapi_cleanup_creds(void)
 void
 ssh_gssapi_storecreds(void)
 {
+       if (options.gss_deleg_creds == 0) {
+               debug_f("delegate credential is disabled, doing nothing");
+               return 0;
+       }
+
        if (gssapi_client.mech && gssapi_client.mech->storecreds) {
                (*gssapi_client.mech->storecreds)(&gssapi_client);
        } else
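Review bot: The new early exit in ssh_gssapi_storecreds uses `return 0;`, but the function is declared `void` two lines above the added block, so this is a constraint violation that compilers reject or warn on; it should read `return;`. The body of ssh_gssapi_storecreds continues past the end of this hunk. It is not visible here whether a delegated credential handle already held in gssapi_client is released on some other path when storage is skipped, so a short comment above the check stating where that handle is freed in the disabled case, e.g. `/* delegated creds are not stored; cleanup still happens via ssh_gssapi_cleanup_creds — confirm */`, would help the next reader.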
index e1e84db84845d92e2cc7087fd1f37d152d5ad8ac..e74e3ecfbb120acc6d5183a7e6a5299df5065e21 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.438 2025/12/05 07:49:45 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.439 2025/12/08 03:55:22 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions *options)
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
        options->gss_cleanup_creds = -1;
+       options->gss_deleg_creds = -1;
        options->gss_strict_acceptor = -1;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
@@ -376,6 +377,8 @@ fill_default_server_options(ServerOptions *options)
                options->gss_authentication = 0;
        if (options->gss_cleanup_creds == -1)
                options->gss_cleanup_creds = 1;
+       if (options->gss_deleg_creds == -1)
+               options->gss_deleg_creds = 1;
        if (options->gss_strict_acceptor == -1)
                options->gss_strict_acceptor = 1;
        if (options->password_authentication == -1)
@@ -561,7 +564,7 @@ typedef enum {
        sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
        sPerSourcePenalties, sPerSourcePenaltyExemptList,
        sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-       sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+       sGssAuthentication, sGssCleanupCreds, sGssDelegateCreds, sGssStrictAcceptor,
        sAcceptEnv, sSetEnv, sPermitTunnel,
        sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
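Review bot: The rewritten enumerator line in the sGssAuthentication run is now about 84 columns wide once the leading tab is counted as 8, which the file's wrapped neighbouring lines suggest the KNF 80-column limit is being observed. Rewrap it across the next line instead: `sGssAuthentication, sGssCleanupCreds, sGssDelegateCreds,` followed by `sGssStrictAcceptor, sAcceptEnv, sSetEnv, sPermitTunnel,`. The enum typedef itself starts before this hunk.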
@@ -647,10 +650,12 @@ static struct {
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+       { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_GLOBAL },
        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 #else
        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapidelegatecredentials", sUnsupported, SSHCFG_GLOBAL },
        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 #endif
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
@@ -1649,6 +1654,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
 
+       case sGssDelegateCreds:
+               intptr = &options->gss_deleg_creds;
+               goto parse_flag;
+
        case sGssStrictAcceptor:
                intptr = &options->gss_strict_acceptor;
                goto parse_flag;
@@ -3270,6 +3279,7 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+       dump_cfg_fmtint(sGssDelegateCreds, o->gss_deleg_creds);
        dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
 #endif
        dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
index 885d102fc3c47daf0d085fba988847181d14eee3..1005b0070b982c6b8e9db175a0f320693b868f65 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.170 2025/12/05 07:49:45 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.171 2025/12/08 03:55:22 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -151,6 +151,7 @@ typedef struct {
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
+       int     gss_deleg_creds;        /* If true, accept delegated GSS credentials */
        int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
        int     password_authentication;        /* If true, permit password
                                                 * authentication. */
index 480b756c802eebdb23e0aac8f0a194dbc42129e9..4b6955a3b19edb435a8ad24c8af44bf166ae5ae5 100644 (file)
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.388 2025/12/08 00:45:00 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.389 2025/12/08 03:55:22 djm Exp $
 .Dd $Mdocdate: December 8 2025 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -747,6 +747,9 @@ Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Cm yes .
+.It Cm GSSAPIDelegateCredentials
+Accept delegated credentials on the server side.  The default is
+.CM yes .
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.