* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out

for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
author: Colin Watson <cjwatson@debian.org> 2010-01-01 23:53:30 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-01-01 23:53:30 +0000
commit: df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree: 1aab079441dff9615274769b19f2d734ddf508dd /gss-serv-krb5.c
parent: 6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent: 99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)
1 files changed, 68 insertions, 2 deletions
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index b400081f6..e7170ee41 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -190,6 +190,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        return;
 }
+int
+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, 
+    ssh_gssapi_client *client)
+{
+        krb5_ccache ccache = NULL;
+        krb5_principal principal = NULL;
+        char *name = NULL;
+        krb5_error_code problem;
+        OM_uint32 maj_status, min_status;
+        if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
+                logit("krb5_cc_resolve(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                return 0;
+        }
+        
+        /* Find out who the principal in this cache is */
+        if ((problem = krb5_cc_get_principal(krb_context, ccache, 
+            &principal))) {
+                logit("krb5_cc_get_principal(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
+                logit("krb5_unparse_name(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        if (strcmp(name,client->exportedname.value)!=0) {
+                debug("Name in local credentials cache differs. Not storing");
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                krb5_free_unparsed_name(krb_context, name);
+                return 0;
+        }
+        krb5_free_unparsed_name(krb_context, name);
+        /* Name matches, so lets get on with it! */
+        if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
+                logit("krb5_cc_initialize(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        krb5_free_principal(krb_context, principal);
+        if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
+            ccache))) {
+                logit("gss_krb5_copy_ccache() failed. Sorry!");
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        return 1;
+}
 ssh_gssapi_mech gssapi_kerberos_mech = {
        "toWM5Slw5Ew8Mqkay+al2g==",
        "Kerberos",
@@ -197,7 +262,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
        NULL,
        &ssh_gssapi_krb5_userok,
        NULL,
-        &ssh_gssapi_krb5_storecreds
+        &ssh_gssapi_krb5_storecreds,
+        &ssh_gssapi_krb5_updatecreds
 };
 #endif /* KRB5 */
author	Colin Watson <cjwatson@debian.org>	2010-01-01 23:53:30 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-01-01 23:53:30 +0000
commit	df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree	1aab079441dff9615274769b19f2d734ddf508dd /gss-serv-krb5.c
parent	6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent	99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)

diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index b400081f6..e7170ee41 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */	1	/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -190,6 +190,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
190	return;	190	return;
191	}	191	}
192		192
		193	int
		194	ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
		195	ssh_gssapi_client *client)
		196	{
		197	krb5_ccache ccache = NULL;
		198	krb5_principal principal = NULL;
		199	char *name = NULL;
		200	krb5_error_code problem;
		201	OM_uint32 maj_status, min_status;
		202
		203	if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
		204	logit("krb5_cc_resolve(): %.100s",
		205	krb5_get_err_text(krb_context, problem));
		206	return 0;
		207	}
		208
		209	/* Find out who the principal in this cache is */
		210	if ((problem = krb5_cc_get_principal(krb_context, ccache,
		211	&principal))) {
		212	logit("krb5_cc_get_principal(): %.100s",
		213	krb5_get_err_text(krb_context, problem));
		214	krb5_cc_close(krb_context, ccache);
		215	return 0;
		216	}
		217
		218	if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
		219	logit("krb5_unparse_name(): %.100s",
		220	krb5_get_err_text(krb_context, problem));
		221	krb5_free_principal(krb_context, principal);
		222	krb5_cc_close(krb_context, ccache);
		223	return 0;
		224	}
		225
		226
		227	if (strcmp(name,client->exportedname.value)!=0) {
		228	debug("Name in local credentials cache differs. Not storing");
		229	krb5_free_principal(krb_context, principal);
		230	krb5_cc_close(krb_context, ccache);
		231	krb5_free_unparsed_name(krb_context, name);
		232	return 0;
		233	}
		234	krb5_free_unparsed_name(krb_context, name);
		235
		236	/* Name matches, so lets get on with it! */
		237
		238	if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
		239	logit("krb5_cc_initialize(): %.100s",
		240	krb5_get_err_text(krb_context, problem));
		241	krb5_free_principal(krb_context, principal);
		242	krb5_cc_close(krb_context, ccache);
		243	return 0;
		244	}
		245
		246	krb5_free_principal(krb_context, principal);
		247
		248	if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
		249	ccache))) {
		250	logit("gss_krb5_copy_ccache() failed. Sorry!");
		251	krb5_cc_close(krb_context, ccache);
		252	return 0;
		253	}
		254
		255	return 1;
		256	}
		257
193	ssh_gssapi_mech gssapi_kerberos_mech = {	258	ssh_gssapi_mech gssapi_kerberos_mech = {
194	"toWM5Slw5Ew8Mqkay+al2g==",	259	"toWM5Slw5Ew8Mqkay+al2g==",
195	"Kerberos",	260	"Kerberos",
@@ -197,7 +262,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
197	NULL,	262	NULL,
198	&ssh_gssapi_krb5_userok,	263	&ssh_gssapi_krb5_userok,
199	NULL,	264	NULL,
200	&ssh_gssapi_krb5_storecreds	265	&ssh_gssapi_krb5_storecreds,
		266	&ssh_gssapi_krb5_updatecreds
201	};	267	};
202		268
203	#endif /* KRB5 */	269	#endif /* KRB5 */