* Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a slightly

different version of the gssapi authentication method (thanks, Aaron M. Ucko; closes: #328388).
author: Colin Watson <cjwatson@debian.org> 2005-09-15 08:11:55 +0000
committer: Colin Watson <cjwatson@debian.org> 2005-09-15 08:11:55 +0000
commit: 74a432c0606a6068342ece4d5f51cf90f7b4e339 (patch)
tree: 774ea9a5b1a6fb29379905d6e17a22dd310262ef /sshconnect2.c
parent: 8fd6303cb038fe3cffd5a46280adeb22f8a82288 (diff)
1 files changed, 33 insertions, 8 deletions
diff --git a/sshconnect2.c b/sshconnect2.c
index e40786f87..601a49429 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -266,6 +266,10 @@ Authmethod authmethods[] = {
                userauth_gssapi,
                &options.gss_authentication,
                NULL},
+        {"gssapi",
+                userauth_gssapi,
+                &options.gss_authentication,
+                NULL},
 #endif
        {"hostbased",
                userauth_hostbased,
@@ -524,6 +528,7 @@ userauth_gssapi(Authctxt *authctxt)
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
+        int old_gssapi_method;
        /* Try one GSSAPI method at a time, rather than sending them all at
         * once. */
@@ -558,13 +563,25 @@ userauth_gssapi(Authctxt *authctxt)
        packet_put_cstring(authctxt->service);
        packet_put_cstring(authctxt->method->name);
-        packet_put_int(1);
+        old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
+        /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
+         * tagged OIDs.  As such we include both tagged and untagged oids
+         * for the old gssapi method.
+         * We only include tagged oids for the new gssapi-with-mic method.
+         */
+        packet_put_int(old_gssapi_method?2:1);
        packet_put_int((gss_supported->elements[mech].length) + 2);
        packet_put_char(SSH_GSS_OIDTYPE);
        packet_put_char(gss_supported->elements[mech].length);
        packet_put_raw(gss_supported->elements[mech].elements,
            gss_supported->elements[mech].length);
+        if (old_gssapi_method) {
+                packet_put_int((gss_supported->elements[mech].length));
+                packet_put_raw(gss_supported->elements[mech].elements,
+                               gss_supported->elements[mech].length);
+        }
        packet_send();
@@ -604,8 +621,10 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
        }
        if (status == GSS_S_COMPLETE) {
+                int old_gssapi_method = !strcmp(authctxt->method->name,
+                                                "gssapi");
                /* send either complete or MIC, depending on mechanism */
-                if (!(flags & GSS_C_INTEG_FLAG)) {
+                if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
                        packet_send();
                } else {
@@ -638,7 +657,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
        int oidlen;
-        char *oidv;
+        char *oidv, *oidv_free;
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
@@ -646,22 +665,28 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
        /* Setup our OID */
        oidv = packet_get_string(&oidlen);
+        oidv_free = oidv;
        if (oidlen <= 2 ||
            oidv[0] != SSH_GSS_OIDTYPE ||
            oidv[1] != oidlen - 2) {
-                xfree(oidv);
                debug("Badly encoded mechanism OID received");
-                userauth(authctxt, NULL);
+                if (oidlen < 2) {
-                return;
+                        xfree(oidv_free);
+                        userauth(authctxt, NULL);
+                        return;
+                }
+        } else {
+                oidlen -= 2;
+                oidv += 2;
        }
-        if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+        if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
                fatal("Server returned different OID than expected");
        packet_check_eom();
-        xfree(oidv);
+        xfree(oidv_free);
        if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
                /* Start again with next method on list */
author	Colin Watson <cjwatson@debian.org>	2005-09-15 08:11:55 +0000
committer	Colin Watson <cjwatson@debian.org>	2005-09-15 08:11:55 +0000
commit	74a432c0606a6068342ece4d5f51cf90f7b4e339 (patch)
tree	774ea9a5b1a6fb29379905d6e17a22dd310262ef /sshconnect2.c
parent	8fd6303cb038fe3cffd5a46280adeb22f8a82288 (diff)