Bug#328388: openssh-client: please support servers running old GSSAPI code
Package: openssh-client
Version: 1:4.2p1-2
Severity: normal
Tags: patch
Given that openssh-krb5 is frequently several upstream versions
behind, I am glad to see that the "vanilla" openssh packages now have
sxw's patch applied and GSSAPI enabled; thanks for going ahead with
that!
However, I have found that ssh needs a small additional patch
(attached) in order to work properly with servers sporting older
versions of the GSSAPI patch, which deal in untagged OIDs and use a
slightly different name for the authentication method. I suspect that
an analogous patch would be necessary to allow newer servers to
support older clients, but I can't test that combination so readily,
and I'd argue that that's less important on the grounds that it's no
harder for users to deploy newer clients than for them to get their
sysadmins to deploy newer servers.
Anyway, here's the patch, lifted from openssh-krb5:
diff -u openssh-4.2p1/sshconnect2.c openssh-4.2p1/sshconnect2.c
--- openssh-4.2p1/sshconnect2.c
+++ openssh-4.2p1/sshconnect2.c
@@ -266,6 +266,10 @@
userauth_gssapi,
&options.gss_authentication,
NULL},
+ {"gssapi",
+ userauth_gssapi,
+ &options.gss_authentication,
+ NULL},
#endif
{"hostbased",
userauth_hostbased,
@@ -524,6 +528,7 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ int old_gssapi_method;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -558,13 +563,25 @@
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
- packet_put_int(1);
+ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
+
+ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
+ * tagged OIDs. As such we include both tagged and untagged oids
+ * for the old gssapi method.
+ * We only include tagged oids for the new gssapi-with-mic method.
+ */
+ packet_put_int(old_gssapi_method?2:1);
packet_put_int((gss_supported->elements[mech].length) + 2);
packet_put_char(SSH_GSS_OIDTYPE);
packet_put_char(gss_supported->elements[mech].length);
packet_put_raw(gss_supported->elements[mech].elements,
gss_supported->elements[mech].length);
+ if (old_gssapi_method) {
+ packet_put_int((gss_supported->elements[mech].length));
+ packet_put_raw(gss_supported->elements[mech].elements,
+ gss_supported->elements[mech].length);
+ }
packet_send();
@@ -604,8 +621,10 @@
}
if (status == GSS_S_COMPLETE) {
+ int old_gssapi_method = !strcmp(authctxt->method->name,
+ "gssapi");
/* send either complete or MIC, depending on mechanism */
- if (!(flags & GSS_C_INTEG_FLAG)) {
+ if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
packet_send();
} else {
@@ -638,7 +657,7 @@
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int oidlen;
- char *oidv;
+ char *oidv, *oidv_free;
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
@@ -650,18 +669,23 @@
if (oidlen <= 2 ||
oidv[0] != SSH_GSS_OIDTYPE ||
oidv[1] != oidlen - 2) {
- xfree(oidv);
debug("Badly encoded mechanism OID received");
- userauth(authctxt, NULL);
- return;
+ if (oidlen < 2) {
+ xfree(oidv_free);
+ userauth(authctxt, NULL);
+ return;
+ }
+ } else {
+ oidlen -= 2;
+ oidv += 2;
}
- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
fatal("Server returned different OID than expected");
packet_check_eom();
- xfree(oidv);
+ xfree(oidv_free);
if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
/* Start again with next method on list */
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Reply to: