-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | sshconnect2.c | 41 |
2 files changed, 36 insertions, 8 deletions
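--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 openssh (1:4.2p1-3) UNRELEASED; urgency=low
 
   * Add prototype for ssh_gssapi_server_mechanisms (closes: #328372).
+  * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a slightly
+    different version of the gssapi authentication method (thanks, Aaron M.
+    Ucko; closes: #328388).
 
 -- Colin Watson <cjwatson@debian.org>  Thu, 15 Sep 2005 09:01:57 +0100
 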
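--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -266,6 +266,10 @@ Authmethod authmethods[] = {
 		userauth_gssapi,
 		&options.gss_authentication,
 		NULL},
+	{"gssapi",
+		userauth_gssapi,
+		&options.gss_authentication,
+		NULL},
 #endif
 	{"hostbased",
 		userauth_hostbased,
@@ -524,6 +528,7 @@ userauth_gssapi(Authctxt *authctxt)
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
+	int old_gssapi_method;
 
 	/* Try one GSSAPI method at a time, rather than sending them all at
 	 * once. */
@@ -558,13 +563,25 @@ userauth_gssapi(Authctxt *authctxt)
 		packet_put_cstring(authctxt->service);
 		packet_put_cstring(authctxt->method->name);
 
-		packet_put_int(1);
+		old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
+
+		/* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
+		 * tagged OIDs. As such we include both tagged and untagged oids
+		 * for the old gssapi method.
+		 * We only include tagged oids for the new gssapi-with-mic method.
+		 */
+		packet_put_int(old_gssapi_method?2:1);
 
 		packet_put_int((gss_supported->elements[mech].length) + 2);
 		packet_put_char(SSH_GSS_OIDTYPE);
 		packet_put_char(gss_supported->elements[mech].length);
 		packet_put_raw(gss_supported->elements[mech].elements,
 		    gss_supported->elements[mech].length);
+		if (old_gssapi_method) {
+			packet_put_int((gss_supported->elements[mech].length));
+			packet_put_raw(gss_supported->elements[mech].elements,
+			    gss_supported->elements[mech].length);
+		}
 
 		packet_send();
 
@@ -604,8 +621,10 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 	}
 
 	if (status == GSS_S_COMPLETE) {
+		int old_gssapi_method = !strcmp(authctxt->method->name,
+		    "gssapi");
 		/* send either complete or MIC, depending on mechanism */
-		if (!(flags & GSS_C_INTEG_FLAG)) {
+		if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 			packet_send();
 		} else {
@@ -638,7 +657,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int oidlen;
-	char *oidv;
+	char *oidv, *oidv_free;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
@@ -646,22 +665,28 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 
 	/* Setup our OID */
 	oidv = packet_get_string(&oidlen);
+	oidv_free = oidv;
 
 	if (oidlen <= 2 ||
 	    oidv[0] != SSH_GSS_OIDTYPE ||
 	    oidv[1] != oidlen - 2) {
-		xfree(oidv);
 		debug("Badly encoded mechanism OID received");
-		userauth(authctxt, NULL);
-		return;
+		if (oidlen < 2) {
+			xfree(oidv_free);
+			userauth(authctxt, NULL);
+			return;
+		}
+	} else {
+		oidlen -= 2;
+		oidv += 2;
 	}
 
-	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+	if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
 		fatal("Server returned different OID than expected");
 
 	packet_check_eom();
 
-	xfree(oidv);
+	xfree(oidv_free);
 
 	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
 		/* Start again with next method on list */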
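Review bot: The untagged-OID fallback in input_gssapi_response (last hunk) is taken for both authentication methods, whereas the userauth_gssapi and process_gssapi_token hunks only relax behaviour when authctxt->method->name is "gssapi"; a gssapi-with-mic exchange that previously bailed out on a mis-tagged OID now continues into ssh_gssapi_check_oid with the raw bytes. Gating the lenient path on the method as well, `if (oidlen < 2 || strcmp(authctxt->method->name, "gssapi") != 0) {`, would keep the strict parse for the new method and make the three hunks agree. The retained `debug("Badly encoded mechanism OID received");` now also fires on the legitimate old-server path; moving it inside the bail-out branch and logging `debug("Untagged mechanism OID received, assuming old gssapi method");` on the fallthrough would keep the log accurate. Note that an exactly 2-byte untagged reply enters the block (oidlen <= 2) but does not leave it (oidlen < 2 is false) and so reaches the check with a 2-byte OID, which presumably fails in ssh_gssapi_check_oid but is worth stating explicitly. input_gssapi_response continues past the end of the hunk.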