Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<

3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.
author: Colin Watson <cjwatson@debian.org> 2010-03-08 11:26:21 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-03-08 11:26:21 +0000
commit: dd79498e0f4086a765cea7757ac023e925b75db2 (patch)
tree: aecf8e47f7abe06e86f961eb6fb198c1ca7b5de8 /debian/patches
parent: dbf5ed52ce596dcf8c1f151d587f7f1f4c78b4eb (diff)
4 files changed, 3 insertions, 119 deletions
diff --git a/debian/patches/banner-noslash.patch b/debian/patches/banner-noslash.patch
index af5f4213c..fa7b08f23 100644
--- a/debian/patches/banner-noslash.patch
+++ b/debian/patches/banner-noslash.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -477,7 +477,7 @@
+@@ -472,7 +472,7 @@
                if (len > 65536)
                        len = 65536;
                msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
deleted file mode 100644
index 1ef689331..000000000
--- a/debian/patches/old-gssapi.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-Description: Interoperate with old GSSAPI authentication method
- ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
- .
- Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
-Author: "Aaron M. Ucko" <ucko@debian.org>
-Bug-Debian: http://bugs.debian.org/328388
-Forwarded: yes
-Last-Updated: 2010-03-01
-Index: b/sshconnect2.c
-===================================================================
--- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -314,6 +314,11 @@
-                NULL,
-                &options.gss_authentication,
-                NULL},
-+       {"gssapi",
-+               userauth_gssapi,
-+               NULL,
-+               &options.gss_authentication,
-+               NULL},
- #endif
-        {"hostbased",
-                userauth_hostbased,
-@@ -601,6 +606,7 @@
-        OM_uint32 min;
-        int ok = 0;
-        const char *gss_host;
-+       int old_gssapi_method;
- 
-        if (options.gss_trust_dns)
-                gss_host = get_canonical_hostname(1);
-@@ -639,13 +645,25 @@
-        packet_put_cstring(authctxt->service);
-        packet_put_cstring(authctxt->method->name);
- 
-       packet_put_int(1);
-+       old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
-+
-+       /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
-+        * tagged OIDs.  As such we include both tagged and untagged oids
-+        * for the old gssapi method.
-+        * We only include tagged oids for the new gssapi-with-mic method.
-+        */
-+       packet_put_int(old_gssapi_method ? 2 : 1);
- 
-        packet_put_int((gss_supported->elements[mech].length) + 2);
-        packet_put_char(SSH_GSS_OIDTYPE);
-        packet_put_char(gss_supported->elements[mech].length);
-        packet_put_raw(gss_supported->elements[mech].elements,
-            gss_supported->elements[mech].length);
-+       if (old_gssapi_method) {
-+               packet_put_int(gss_supported->elements[mech].length);
-+               packet_put_raw(gss_supported->elements[mech].elements,
-+                              gss_supported->elements[mech].length);
-+       }
- 
-        packet_send();
- 
-@@ -685,8 +703,10 @@
-        }
- 
-        if (status == GSS_S_COMPLETE) {
-+               int old_gssapi_method = !strcmp(authctxt->method->name,
-+                                               "gssapi");
-                /* send either complete or MIC, depending on mechanism */
-               if (!(flags & GSS_C_INTEG_FLAG)) {
-+               if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
-                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
-                        packet_send();
-                } else {
-@@ -720,7 +740,7 @@
-        Authctxt *authctxt = ctxt;
-        Gssctxt *gssctxt;
-        u_int oidlen;
-       u_char *oidv;
-+       u_char *oidv, *oidv_free;
- 
-        if (authctxt == NULL)
-                fatal("input_gssapi_response: no authentication context");
-@@ -728,22 +748,28 @@
- 
-        /* Setup our OID */
-        oidv = packet_get_string(&oidlen);
-+       oidv_free = oidv;
- 
-        if (oidlen <= 2 ||
-            oidv[0] != SSH_GSS_OIDTYPE ||
-            oidv[1] != oidlen - 2) {
-               xfree(oidv);
-                debug("Badly encoded mechanism OID received");
-               userauth(authctxt, NULL);
-               return;
-+               if (oidlen < 2) {
-+                       xfree(oidv_free);
-+                       userauth(authctxt, NULL);
-+                       return;
-+               }
-+       } else {
-+               oidlen -= 2;
-+               oidv += 2;
-        }
- 
-       if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
-+       if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
-                fatal("Server returned different OID than expected");
- 
-        packet_check_eom();
- 
-       xfree(oidv);
-+       xfree(oidv_free);
- 
-        if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
-                /* Start again with next method on list */
diff --git a/debian/patches/series b/debian/patches/series
index fd6f569d0..7f410e363 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
 gssapi-autoconf.patch
 gssapi-compat.patch
 gssapi-dump.patch
-old-gssapi.patch
 # Autotools
 config-guess-sub.patch
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index c1df3b7f4..a0396a6eb 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1315,7 +1315,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1418,6 +1418,8 @@
+@@ -1392,6 +1392,8 @@
 
        /* list of keys stored in the filesystem */
        for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1324,7 @@ Index: b/sshconnect2.c
                key = options.identity_keys[i];
                if (key && key->type == KEY_RSA1)
                        continue;
-@@ -1508,7 +1510,7 @@
+@@ -1482,7 +1484,7 @@
                if (id->key && id->key->type != KEY_RSA1) {
                        debug("Offering public key: %s", id->filename);
                        sent = send_pubkey_test(authctxt, id);
author	Colin Watson <cjwatson@debian.org>	2010-03-08 11:26:21 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-03-08 11:26:21 +0000
commit	dd79498e0f4086a765cea7757ac023e925b75db2 (patch)
tree	aecf8e47f7abe06e86f961eb6fb198c1ca7b5de8 /debian/patches
parent	dbf5ed52ce596dcf8c1f151d587f7f1f4c78b4eb (diff)

diff --git a/debian/patches/banner-noslash.patch b/debian/patches/banner-noslash.patch index af5f4213c..fa7b08f23 100644 --- a/debian/patches/banner-noslash.patch +++ b/debian/patches/banner-noslash.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect2.c
11	===================================================================	11	===================================================================
12	--- a/sshconnect2.c	12	--- a/sshconnect2.c
13	+++ b/sshconnect2.c	13	+++ b/sshconnect2.c
14	@@ -477,7 +477,7 @@	14	@@ -472,7 +472,7 @@
15	if (len > 65536)	15	if (len > 65536)
16	len = 65536;	16	len = 65536;
17	msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */	17	msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */


diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch deleted file mode 100644 index 1ef689331..000000000 --- a/debian/patches/old-gssapi.patch +++ /dev/null
@@ -1,115 +0,0 @@
1	Description: Interoperate with old GSSAPI authentication method
2	ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
3	.
4	Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
5	Author: "Aaron M. Ucko" <ucko@debian.org>
6	Bug-Debian: http://bugs.debian.org/328388
7	Forwarded: yes
8	Last-Updated: 2010-03-01
9
10	Index: b/sshconnect2.c
11	===================================================================
12	--- a/sshconnect2.c
13	+++ b/sshconnect2.c
14	@@ -314,6 +314,11 @@
15	NULL,
16	&options.gss_authentication,
17	NULL},
18	+ {"gssapi",
19	+ userauth_gssapi,
20	+ NULL,
21	+ &options.gss_authentication,
22	+ NULL},
23	#endif
24	{"hostbased",
25	userauth_hostbased,
26	@@ -601,6 +606,7 @@
27	OM_uint32 min;
28	int ok = 0;
29	const char *gss_host;
30	+ int old_gssapi_method;
31
32	if (options.gss_trust_dns)
33	gss_host = get_canonical_hostname(1);
34	@@ -639,13 +645,25 @@
35	packet_put_cstring(authctxt->service);
36	packet_put_cstring(authctxt->method->name);
37
38	- packet_put_int(1);
39	+ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
40	+
41	+ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
42	+ * tagged OIDs. As such we include both tagged and untagged oids
43	+ * for the old gssapi method.
44	+ * We only include tagged oids for the new gssapi-with-mic method.
45	+ */
46	+ packet_put_int(old_gssapi_method ? 2 : 1);
47
48	packet_put_int((gss_supported->elements[mech].length) + 2);
49	packet_put_char(SSH_GSS_OIDTYPE);
50	packet_put_char(gss_supported->elements[mech].length);
51	packet_put_raw(gss_supported->elements[mech].elements,
52	gss_supported->elements[mech].length);
53	+ if (old_gssapi_method) {
54	+ packet_put_int(gss_supported->elements[mech].length);
55	+ packet_put_raw(gss_supported->elements[mech].elements,
56	+ gss_supported->elements[mech].length);
57	+ }
58
59	packet_send();
60
61	@@ -685,8 +703,10 @@
62	}
63
64	if (status == GSS_S_COMPLETE) {
65	+ int old_gssapi_method = !strcmp(authctxt->method->name,
66	+ "gssapi");
67	/* send either complete or MIC, depending on mechanism */
68	- if (!(flags & GSS_C_INTEG_FLAG)) {
69	+ if (old_gssapi_method \|\| !(flags & GSS_C_INTEG_FLAG)) {
70	packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
71	packet_send();
72	} else {
73	@@ -720,7 +740,7 @@
74	Authctxt *authctxt = ctxt;
75	Gssctxt *gssctxt;
76	u_int oidlen;
77	- u_char *oidv;
78	+ u_char oidv, oidv_free;
79
80	if (authctxt == NULL)
81	fatal("input_gssapi_response: no authentication context");
82	@@ -728,22 +748,28 @@
83
84	/* Setup our OID */
85	oidv = packet_get_string(&oidlen);
86	+ oidv_free = oidv;
87
88	if (oidlen <= 2 \|\|
89	oidv[0] != SSH_GSS_OIDTYPE \|\|
90	oidv[1] != oidlen - 2) {
91	- xfree(oidv);
92	debug("Badly encoded mechanism OID received");
93	- userauth(authctxt, NULL);
94	- return;
95	+ if (oidlen < 2) {
96	+ xfree(oidv_free);
97	+ userauth(authctxt, NULL);
98	+ return;
99	+ }
100	+ } else {
101	+ oidlen -= 2;
102	+ oidv += 2;
103	}
104
105	- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
106	+ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
107	fatal("Server returned different OID than expected");
108
109	packet_check_eom();
110
111	- xfree(oidv);
112	+ xfree(oidv_free);
113
114	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
115	/* Start again with next method on list */


diff --git a/debian/patches/series b/debian/patches/series index fd6f569d0..7f410e363 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
3	gssapi-autoconf.patch	3	gssapi-autoconf.patch
4	gssapi-compat.patch	4	gssapi-compat.patch
5	gssapi-dump.patch	5	gssapi-dump.patch
6	old-gssapi.patch
7		6
8	# Autotools	7	# Autotools
9	config-guess-sub.patch	8	config-guess-sub.patch


diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index c1df3b7f4..a0396a6eb 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch
@@ -1315,7 +1315,7 @@ Index: b/sshconnect2.c
1315	===================================================================	1315	===================================================================
1316	--- a/sshconnect2.c	1316	--- a/sshconnect2.c
1317	+++ b/sshconnect2.c	1317	+++ b/sshconnect2.c
1318	@@ -1418,6 +1418,8 @@	1318	@@ -1392,6 +1392,8 @@
1319		1319
1320	/* list of keys stored in the filesystem */	1320	/* list of keys stored in the filesystem */
1321	for (i = 0; i < options.num_identity_files; i++) {	1321	for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1324,7 @@ Index: b/sshconnect2.c
1324	key = options.identity_keys[i];	1324	key = options.identity_keys[i];
1325	if (key && key->type == KEY_RSA1)	1325	if (key && key->type == KEY_RSA1)
1326	continue;	1326	continue;
1327	@@ -1508,7 +1510,7 @@	1327	@@ -1482,7 +1484,7 @@
1328	if (id->key && id->key->type != KEY_RSA1) {	1328	if (id->key && id->key->type != KEY_RSA1) {
1329	debug("Offering public key: %s", id->filename);	1329	debug("Offering public key: %s", id->filename);
1330	sent = send_pubkey_test(authctxt, id);	1330	sent = send_pubkey_test(authctxt, id);