authorColin Watson <cjwatson@debian.org>2010-03-08 11:26:21 +0000
committerColin Watson <cjwatson@debian.org>2010-03-08 11:26:21 +0000
commitdd79498e0f4086a765cea7757ac023e925b75db2 (patch)
treeaecf8e47f7abe06e86f961eb6fb198c1ca7b5de8 /sshconnect2.c
parentdbf5ed52ce596dcf8c1f151d587f7f1f4c78b4eb (diff)
Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.
Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c42
1 files changed, 8 insertions, 34 deletions
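diff --git a/sshconnect2.c b/sshconnect2.c
index af322e81c..bc8d206ae 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -314,11 +314,6 @@ Authmethod authmethods[] = {
 NULL,
 &options.gss_authentication,
 NULL},
-{"gssapi",
-userauth_gssapi,
-NULL,
-&options.gss_authentication,
-NULL},
 #endif
 {"hostbased",
 userauth_hostbased,
@@ -606,7 +601,6 @@ userauth_gssapi(Authctxt *authctxt)
 OM_uint32 min;
 int ok = 0;
 const char *gss_host;
-int old_gssapi_method;
 
 if (options.gss_trust_dns)
 gss_host = get_canonical_hostname(1);
@@ -645,25 +639,13 @@ userauth_gssapi(Authctxt *authctxt)
 packet_put_cstring(authctxt->service);
 packet_put_cstring(authctxt->method->name);
 
-old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
-
-/* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
-* tagged OIDs. As such we include both tagged and untagged oids
-* for the old gssapi method.
-* We only include tagged oids for the new gssapi-with-mic method.
-*/
-packet_put_int(old_gssapi_method ? 2 : 1);
+packet_put_int(1);
 
 packet_put_int((gss_supported->elements[mech].length) + 2);
 packet_put_char(SSH_GSS_OIDTYPE);
 packet_put_char(gss_supported->elements[mech].length);
 packet_put_raw(gss_supported->elements[mech].elements,
 gss_supported->elements[mech].length);
-if (old_gssapi_method) {
-packet_put_int(gss_supported->elements[mech].length);
-packet_put_raw(gss_supported->elements[mech].elements,
-gss_supported->elements[mech].length);
-}
 
 packet_send();
 
@@ -703,10 +685,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 }
 
 if (status == GSS_S_COMPLETE) {
-int old_gssapi_method = !strcmp(authctxt->method->name,
-"gssapi");
 /* send either complete or MIC, depending on mechanism */
-if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
+if (!(flags & GSS_C_INTEG_FLAG)) {
 packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 packet_send();
 } else {
@@ -740,7 +720,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 Authctxt *authctxt = ctxt;
 Gssctxt *gssctxt;
 u_int oidlen;
-u_char *oidv, *oidv_free;
+u_char *oidv;
 
 if (authctxt == NULL)
 fatal("input_gssapi_response: no authentication context");
@@ -748,28 +728,22 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 
 /* Setup our OID */
 oidv = packet_get_string(&oidlen);
-oidv_free = oidv;
 
 if (oidlen <= 2 ||
 oidv[0] != SSH_GSS_OIDTYPE ||
 oidv[1] != oidlen - 2) {
+xfree(oidv);
 debug("Badly encoded mechanism OID received");
-if (oidlen < 2) {
-xfree(oidv_free);
-userauth(authctxt, NULL);
-return;
-}
-} else {
-oidlen -= 2;
-oidv += 2;
+userauth(authctxt, NULL);
+return;
 }
 
-if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
+if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
 fatal("Server returned different OID than expected");
 
 packet_check_eom();
 
-xfree(oidv_free);
+xfree(oidv);
 
 if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
 /* Start again with next method on list */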
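Review bot: In input_gssapi_response, the new malformed-OID branch (`xfree(oidv); debug(...); userauth(authctxt, NULL); return;`) moves on to the next authentication method at debug level, whereas an OID that is well-formed but different from the one we offered stays fatal(); both are the server answering our single offered mechanism with something we did not send, so the leniency of the malformed path looks inconsistent and hides a signal a user troubleshooting GSSAPI would want to see. Previously an oidlen of exactly 2 or a wrong type byte fell through to ssh_gssapi_check_oid() with the unadjusted pointer and presumably failed there, so this is a behavior change the commit message does not mention; please confirm it is intended rather than incidental. The early return also skips packet_check_eom(), so trailing bytes in that message are never diagnosed. Consider at least `logit("Badly encoded mechanism OID received")` or, if parity with the mismatch case is wanted, `fatal()` on both paths. input_gssapi_response continues past the end of the hunk.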