gssapi: Add support for GSSAPIDelegateCredentials config option.

Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2025-08-08 19:02:06 +03:00 · 2013-11-15 15:59:26 -05:00
parent 68b996bdbf
commit 4a3934da48
2 changed files with 12 additions and 1 deletions
--- a/src/config.c
+++ b/src/config.c
@@ -48,7 +48,8 @@ enum ssh_config_opcode_e {
  SOC_KNOWNHOSTS,
  SOC_PROXYCOMMAND,
  SOC_GSSAPISERVERIDENTITY,
-  SOC_GSSAPICLIENTIDENTITY
+  SOC_GSSAPICLIENTIDENTITY,
+  SOC_GSSAPIDELEGATECREDENTIALS,
 };

 struct ssh_config_keyword_table_s {
@@ -71,6 +72,7 @@ static struct ssh_config_keyword_table_s ssh_config_keyword_table[] = {
  { "proxycommand", SOC_PROXYCOMMAND },
  { "gssapiserveridentity", SOC_GSSAPISERVERIDENTITY },
  { "gssapiserveridentity", SOC_GSSAPICLIENTIDENTITY },
+  { "gssapidelegatecredentials", SOC_GSSAPIDELEGATECREDENTIALS },
  { NULL, SOC_UNSUPPORTED }
 };

@@ -339,6 +341,12 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
        ssh_options_set(session, SSH_OPTIONS_GSSAPI_CLIENT_IDENTITY, p);
      }
      break;
+    case SOC_GSSAPIDELEGATECREDENTIALS:
+      i = ssh_config_get_yesno(&s, -1);
+      if (i >=0 && *parsing) {
+        ssh_options_set(session, SSH_OPTIONS_GSSAPI_DELEGATE_CREDENTIALS, &i);
+      }
+      break;
    case SOC_UNSUPPORTED:
      SSH_LOG(SSH_LOG_RARE, "Unsupported option: %s, line: %d\n",
              keyword, count);
--- a/src/gssapi.c
+++ b/src/gssapi.c
@@ -805,6 +805,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
    }

    session->gssapi->client.flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
+    if (session->opts.gss_delegate_creds) {
+        session->gssapi->client.flags |= GSS_C_DELEG_FLAG;
+    }

    /* prepare the first TOKEN response */
    maj_stat = gss_init_sec_context(&min_stat,