gssapi: Add support for GSSAPIDelegateCredentials config option.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

src/config.c

@@ -48,7 +48,8 @@ enum ssh_config_opcode_e {
   SOC_KNOWNHOSTS,
   SOC_PROXYCOMMAND,
   SOC_GSSAPISERVERIDENTITY,
-  SOC_GSSAPICLIENTIDENTITY
+  SOC_GSSAPICLIENTIDENTITY,
+  SOC_GSSAPIDELEGATECREDENTIALS,
 };
 
 struct ssh_config_keyword_table_s {
@@ -71,6 +72,7 @@ static struct ssh_config_keyword_table_s ssh_config_keyword_table[] = {
   { "proxycommand", SOC_PROXYCOMMAND },
   { "gssapiserveridentity", SOC_GSSAPISERVERIDENTITY },
   { "gssapiserveridentity", SOC_GSSAPICLIENTIDENTITY },
+  { "gssapidelegatecredentials", SOC_GSSAPIDELEGATECREDENTIALS },
   { NULL, SOC_UNSUPPORTED }
 };
 
@@ -339,6 +341,12 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
         ssh_options_set(session, SSH_OPTIONS_GSSAPI_CLIENT_IDENTITY, p);
       }
       break;
+    case SOC_GSSAPIDELEGATECREDENTIALS:
+      i = ssh_config_get_yesno(&s, -1);
+      if (i >=0 && *parsing) {
+        ssh_options_set(session, SSH_OPTIONS_GSSAPI_DELEGATE_CREDENTIALS, &i);
+      }
+      break;
     case SOC_UNSUPPORTED:
       SSH_LOG(SSH_LOG_RARE, "Unsupported option: %s, line: %d\n",
               keyword, count);

src/gssapi.c

@@ -805,6 +805,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
     }
 
     session->gssapi->client.flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
+    if (session->opts.gss_delegate_creds) {
+        session->gssapi->client.flags |= GSS_C_DELEG_FLAG;
+    }
 
     /* prepare the first TOKEN response */
     maj_stat = gss_init_sec_context(&min_stat,