
Bug#328388: marked as done (openssh-client: please support servers running old GSSAPI code)



Your message dated Thu, 15 Sep 2005 02:32:07 -0700
with message-id <E1EFq6B-0004HX-00@spohr.debian.org>
and subject line Bug#328388: fixed in openssh 1:4.2p1-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Sep 2005 01:21:57 +0000
>From ucko@debian.org Wed Sep 14 18:21:57 2005
Return-path: <ucko@debian.org>
Received: from smtp02.mrf.mail.rcn.net [207.172.4.62] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EFiRp-0001Tq-00; Wed, 14 Sep 2005 18:21:57 -0700
Received: from 208-58-77-33.c3-0.grg-ubr3.lnh-grg.md.cable.rcn.com (HELO tux64.internal.ucko.debian.net) ([208.58.77.33])
  by smtp02.mrf.mail.rcn.net with ESMTP; 14 Sep 2005 21:21:54 -0400
X-IronPort-AV: i="3.97,111,1125892800"; 
   d="scan'208"; a="85428753:sNHT23731856"
Received: from amu by tux64.internal.ucko.debian.net with local (Exim 4.52)
	id 1EFiRl-0001jZ-CW
	for submit@bugs.debian.org; Wed, 14 Sep 2005 21:21:53 -0400
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Aaron M. Ucko" <ucko@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-client: please support servers running old GSSAPI code
X-Mailer: reportbug 3.17
Date: Wed, 14 Sep 2005 21:21:53 -0400
X-Debbugs-Cc: ucko@debian.org
Message-Id: <E1EFiRl-0001jZ-CW@tux64.internal.ucko.debian.net>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: ucko@debian.org
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: openssh-client
Version: 1:4.2p1-2
Severity: normal
Tags: patch

Given that openssh-krb5 is frequently several upstream versions
behind, I am glad to see that the "vanilla" openssh packages now have
sxw's patch applied and GSSAPI enabled; thanks for going ahead with
that!

However, I have found that ssh needs a small additional patch
(attached) in order to work properly with servers sporting older
versions of the GSSAPI patch, which deal in untagged OIDs and use a
slightly different name for the authentication method.  I suspect that
an analogous patch would be necessary to allow newer servers to
support older clients, but I can't test that combination so readily,
and I'd argue that that's less important on the grounds that it's no
harder for users to deploy newer clients than for them to get their
sysadmins to deploy newer servers.

Anyway, here's the patch, lifted from openssh-krb5:

diff -u openssh-4.2p1/sshconnect2.c openssh-4.2p1/sshconnect2.c
--- openssh-4.2p1/sshconnect2.c
+++ openssh-4.2p1/sshconnect2.c
@@ -266,6 +266,10 @@
 		userauth_gssapi,
 		&options.gss_authentication,
 		NULL},
+	{"gssapi",
+		userauth_gssapi,
+		&options.gss_authentication,
+		NULL},
 #endif
 	{"hostbased",
 		userauth_hostbased,
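Review bot: the new {"gssapi", ...} entry is switched by the same
&options.gss_authentication flag as the preceding entry, so a user who
enables GSSAPI cannot decline the legacy method while keeping the
current one. Consider a separate option for the old method name (off by
default), or at least a comment on this entry saying it exists only for
servers running the older GSSAPI patch.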
@@ -524,6 +528,7 @@
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
+	int old_gssapi_method;
 
 	/* Try one GSSAPI method at a time, rather than sending them all at
 	 * once. */
@@ -558,13 +563,25 @@
 	packet_put_cstring(authctxt->service);
 	packet_put_cstring(authctxt->method->name);
 
-	packet_put_int(1);
+	old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
+
+	/* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
+	 * tagged OIDs.  As such we include both tagged and untagged oids
+	 * for the old gssapi method.
+	 * We only include tagged oids for the new gssapi-with-mic method.
+	 */
+	packet_put_int(old_gssapi_method?2:1);
 
 	packet_put_int((gss_supported->elements[mech].length) + 2);
 	packet_put_char(SSH_GSS_OIDTYPE);
 	packet_put_char(gss_supported->elements[mech].length);
 	packet_put_raw(gss_supported->elements[mech].elements,
 	    gss_supported->elements[mech].length);
+	if (old_gssapi_method) {
+		packet_put_int((gss_supported->elements[mech].length));
+		packet_put_raw(gss_supported->elements[mech].elements,
+			       gss_supported->elements[mech].length);
+	}
 
 	packet_send();
 
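Review bot: the test !strcmp(authctxt->method->name, "gssapi") added
ahead of packet_put_int() is written out again in the -604 hunk with a
second local of the same name, and the literal also appears in the
method table; a small helper or a #define for the legacy method name
would keep the three in step. Minor style: old_gssapi_method?2:1 wants
spaces around ? and :, and the doubled parentheses in the added
packet_put_int((...length)) can go.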
@@ -604,8 +621,10 @@
 	}
 
 	if (status == GSS_S_COMPLETE) {
+		int old_gssapi_method = !strcmp(authctxt->method->name,
+						"gssapi");
 		/* send either complete or MIC, depending on mechanism */
-		if (!(flags & GSS_C_INTEG_FLAG)) {
+		if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 			packet_send();
 		} else {
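Review bot: with old_gssapi_method || ... in the condition, the legacy
method always sends SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE and never
reaches the MIC branch, even when GSS_C_INTEG_FLAG is set. The existing
comment ("send either complete or MIC, depending on mechanism") no
longer describes that; please extend it to say that the old method has
no MIC step, so readers can see the integrity check is skipped on
purpose for compatibility.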
@@ -638,7 +657,7 @@
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int oidlen;
-	char *oidv;
+	char *oidv, *oidv_free;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
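Review bot: oidv_free is declared here without an initializer, and no
hunk in this patch assigns it, yet the next hunk passes it to xfree() on
both the error path and the normal path. Unless the assignment was lost
from the diff, that frees an uninitialized pointer; set oidv_free = oidv
right where oidv is obtained, before oidv is advanced past the tag.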
@@ -650,18 +669,23 @@
 	if (oidlen <= 2 ||
 	    oidv[0] != SSH_GSS_OIDTYPE ||
 	    oidv[1] != oidlen - 2) {
-		xfree(oidv);
 		debug("Badly encoded mechanism OID received");
-		userauth(authctxt, NULL);
-		return;
+		if (oidlen < 2) {
+			xfree(oidv_free);
+			userauth(authctxt, NULL);
+			return;
+		}
+	} else {
+		oidlen -= 2;
+		oidv += 2;
 	}
 
-	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+	if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
 		fatal("Server returned different OID than expected");
 
 	packet_check_eom();
 
-	xfree(oidv);
+	xfree(oidv_free);
 
 	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
 		/* Start again with next method on list */
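Review bot: the relaxed check in the "Badly encoded mechanism OID"
branch is not limited to the legacy method: any reply of two or more
bytes that fails the tag test is now handed to ssh_gssapi_check_oid() as
an untagged OID, whichever method name is in use. Gate the fall-through
on the method name being "gssapi" and keep the original reject path
otherwise. The debug() text also now fires for well-formed legacy
replies and would be better worded for that case.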

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
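
The tagged and untagged OID encodings the report describes, as an added example (not part of the original message and not OpenSSH code): a client-side check that accepts an untagged mechanism OID only when the legacy "gssapi" method is in use. parse_mech_oid, reply_matches and allow_untagged are hypothetical names; 0x06 is the DER OBJECT IDENTIFIER tag, and the Kerberos 5 OID bytes are a constructed sample.

```c
#include <stddef.h>
#include <string.h>

#define SSH_GSS_OIDTYPE 0x06	/* DER tag for OBJECT IDENTIFIER */

/* Constructed sample: DER body of the Kerberos 5 mechanism OID
 * 1.2.840.113554.1.2.2, with no tag or length octet. */
static const unsigned char krb5_oid[] = {
	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

/* Hypothetical helper: point *body at the bare OID bytes of a reply.
 * A tagged reply (tag, length, body) is always accepted; an untagged
 * one only when allow_untagged is set, i.e. the legacy "gssapi" method
 * is in use.  Returns 0 on success, -1 on rejection. */
static int parse_mech_oid(const unsigned char *buf, size_t len,
    int allow_untagged, const unsigned char **body, size_t *bodylen)
{
	if (buf == NULL || len == 0)
		return -1;
	if (len > 2 && buf[0] == SSH_GSS_OIDTYPE && (size_t)buf[1] == len - 2) {
		*body = buf + 2;	/* skip tag and length octets */
		*bodylen = len - 2;
		return 0;
	}
	if (!allow_untagged)
		return -1;		/* strict: malformed reply */
	*body = buf;			/* legacy: whole string is the OID */
	*bodylen = len;
	return 0;
}

/* Returns 1 only if the reply names the mechanism that was offered. */
static int reply_matches(const unsigned char *buf, size_t len,
    int allow_untagged)
{
	const unsigned char *body;
	size_t bodylen;

	if (parse_mech_oid(buf, len, allow_untagged, &body, &bodylen) != 0)
		return 0;
	return bodylen == sizeof(krb5_oid) &&
	    memcmp(body, krb5_oid, bodylen) == 0;
}

int main(void)
{
	/* Exit 0 when untagged input passes in legacy mode only. */
	return !(reply_matches(krb5_oid, sizeof(krb5_oid), 1) &&
	    !reply_matches(krb5_oid, sizeof(krb5_oid), 0));
}
```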

---------------------------------------
Received: (at 328388-close) by bugs.debian.org; 15 Sep 2005 09:40:28 +0000
>From katie@spohr.debian.org Thu Sep 15 02:40:28 2005
Return-path: <katie@spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EFq6B-0004HX-00; Thu, 15 Sep 2005 02:32:07 -0700
From: Colin Watson <cjwatson@debian.org>
To: 328388-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#328388: fixed in openssh 1:4.2p1-3
Message-Id: <E1EFq6B-0004HX-00@spohr.debian.org>
Sender: Archive Administrator <katie@spohr.debian.org>
Date: Thu, 15 Sep 2005 02:32:07 -0700
Delivered-To: 328388-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: openssh
Source-Version: 1:4.2p1-3

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.2p1-3_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.2p1-3_powerpc.udeb
openssh-client_4.2p1-3_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.2p1-3_powerpc.deb
openssh-server-udeb_4.2p1-3_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.2p1-3_powerpc.udeb
openssh-server_4.2p1-3_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.2p1-3_powerpc.deb
openssh_4.2p1-3.diff.gz
  to pool/main/o/openssh/openssh_4.2p1-3.diff.gz
openssh_4.2p1-3.dsc
  to pool/main/o/openssh/openssh_4.2p1-3.dsc
ssh-askpass-gnome_4.2p1-3_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.2p1-3_powerpc.deb
ssh_4.2p1-3_all.deb
  to pool/main/o/openssh/ssh_4.2p1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 328388@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Sep 2005 09:28:21 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.2p1-3
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 328372 328388
Changes: 
 openssh (1:4.2p1-3) unstable; urgency=low
 .
   * Add prototype for ssh_gssapi_server_mechanisms (closes: #328372).
   * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a slightly
     different version of the gssapi authentication method (thanks, Aaron M.
     Ucko; closes: #328388).
   * Explicitly tell po2debconf to use the 'popular' output encoding, so that
     the woody-compatibility hack works even with po-debconf 0.9.0.
Files: 
 c2ad47bc3fdb0bbe1e5efb22806e847f 966 net standard openssh_4.2p1-3.dsc
 d566b8de008d430c0a94bd974d4805b7 163134 net standard openssh_4.2p1-3.diff.gz
 03b57be0bb94170eacee657408e203c5 1056 net extra ssh_4.2p1-3_all.deb
 cfcf78334c751c4674d8a69fee6095b0 588378 net standard openssh-client_4.2p1-3_powerpc.deb
 77a9b1c42a4dcfea621998bb4f6ef576 224516 net optional openssh-server_4.2p1-3_powerpc.deb
 d7e8c8488c9eeab9786afbb2739fbfec 85924 gnome optional ssh-askpass-gnome_4.2p1-3_powerpc.deb
 8811e5b08640c4d7fee177f5438c3b1b 157570 debian-installer optional openssh-client-udeb_4.2p1-3_powerpc.udeb
 4cf6869b9b9a3a0e5dbff907bfe4d10b 165216 debian-installer optional openssh-server-udeb_4.2p1-3_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKT1b9t0zAhD6TNERAmqUAJ9i2HxayMu+wsvyNhznM/pR/gnAHwCffIBN
xbG0fSGgsYqoE5jQ3B8/WYg=
=XIDI
-----END PGP SIGNATURE-----



