-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/patches/banner-noslash.patch | 2 | ||||
-rw-r--r-- | debian/patches/old-gssapi.patch | 115 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | debian/patches/ssh-vulnkey.patch | 4 | ||||
-rw-r--r-- | sshconnect2.c | 42 |
6 files changed, 16 insertions, 153 deletions
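--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,11 @@ openssh (1:5.3p1-4) UNRELEASED; urgency=low
 * Include debian/ssh-askpass-gnome.png in the Debian tarball now that
 we're using a source format that permits this, rather than messing
 around with uudecode.
+* Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
+3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi
+mechanism was removed due to a serious security hole, and since these
+versions of ssh-krb5 are no longer security-supported by Debian I don't
+think there's any point keeping client compatibility for them.
 
 -- Colin Watson <cjwatson@debian.org> Mon, 01 Mar 2010 12:24:41 +0000
 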
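--- a/debian/patches/banner-noslash.patch
+++ b/debian/patches/banner-noslash.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -477,7 +477,7 @@
+@@ -472,7 +472,7 @@
 if (len > 65536)
 len = 65536;
 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */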
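--- a/debian/patches/old-gssapi.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-Description: Interoperate with old GSSAPI authentication method
-ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
-.
-Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
-Author: "Aaron M. Ucko" <ucko@debian.org>
-Bug-Debian: http://bugs.debian.org/328388
-Forwarded: yes
-Last-Updated: 2010-03-01
-
-Index: b/sshconnect2.c
-===================================================================
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -314,6 +314,11 @@
-NULL,
-&options.gss_authentication,
-NULL},
-+ {"gssapi",
-+ userauth_gssapi,
-+ NULL,
-+ &options.gss_authentication,
-+ NULL},
-#endif
-{"hostbased",
-userauth_hostbased,
-@@ -601,6 +606,7 @@
-OM_uint32 min;
-int ok = 0;
-const char *gss_host;
-+ int old_gssapi_method;
-
-if (options.gss_trust_dns)
-gss_host = get_canonical_hostname(1);
-@@ -639,13 +645,25 @@
-packet_put_cstring(authctxt->service);
-packet_put_cstring(authctxt->method->name);
-
-- packet_put_int(1);
-+ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
-+
-+ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
-+ * tagged OIDs. As such we include both tagged and untagged oids
-+ * for the old gssapi method.
-+ * We only include tagged oids for the new gssapi-with-mic method.
-+ */
-+ packet_put_int(old_gssapi_method ? 2 : 1);
-
-packet_put_int((gss_supported->elements[mech].length) + 2);
-packet_put_char(SSH_GSS_OIDTYPE);
-packet_put_char(gss_supported->elements[mech].length);
-packet_put_raw(gss_supported->elements[mech].elements,
-gss_supported->elements[mech].length);
-+ if (old_gssapi_method) {
-+ packet_put_int(gss_supported->elements[mech].length);
-+ packet_put_raw(gss_supported->elements[mech].elements,
-+ gss_supported->elements[mech].length);
-+ }
-
-packet_send();
-
-@@ -685,8 +703,10 @@
-}
-
-if (status == GSS_S_COMPLETE) {
-+ int old_gssapi_method = !strcmp(authctxt->method->name,
-+ "gssapi");
-/* send either complete or MIC, depending on mechanism */
-- if (!(flags & GSS_C_INTEG_FLAG)) {
-+ if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
-packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
-packet_send();
-} else {
-@@ -720,7 +740,7 @@
-Authctxt *authctxt = ctxt;
-Gssctxt *gssctxt;
-u_int oidlen;
-- u_char *oidv;
-+ u_char *oidv, *oidv_free;
-
-if (authctxt == NULL)
-fatal("input_gssapi_response: no authentication context");
-@@ -728,22 +748,28 @@
-
-/* Setup our OID */
-oidv = packet_get_string(&oidlen);
-+ oidv_free = oidv;
-
-if (oidlen <= 2 ||
-oidv[0] != SSH_GSS_OIDTYPE ||
-oidv[1] != oidlen - 2) {
-- xfree(oidv);
-debug("Badly encoded mechanism OID received");
-- userauth(authctxt, NULL);
-- return;
-+ if (oidlen < 2) {
-+ xfree(oidv_free);
-+ userauth(authctxt, NULL);
-+ return;
-+ }
-+ } else {
-+ oidlen -= 2;
-+ oidv += 2;
-}
-
-- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
-+ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
-fatal("Server returned different OID than expected");
-
-packet_check_eom();
-
-- xfree(oidv);
-+ xfree(oidv_free);
-
-if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
-/* Start again with next method on list */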
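--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
 gssapi-autoconf.patch
 gssapi-compat.patch
 gssapi-dump.patch
-old-gssapi.patch
 
 # Autotools
 config-guess-sub.patch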
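--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1315,7 +1315,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1418,6 +1418,8 @@
+@@ -1392,6 +1392,8 @@
 
 /* list of keys stored in the filesystem */
 for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1324,7 @@ Index: b/sshconnect2.c
 key = options.identity_keys[i];
 if (key && key->type == KEY_RSA1)
 continue;
-@@ -1508,7 +1510,7 @@
+@@ -1482,7 +1484,7 @@
 if (id->key && id->key->type != KEY_RSA1) {
 debug("Offering public key: %s", id->filename);
 sent = send_pubkey_test(authctxt, id);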
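--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -314,11 +314,6 @@ Authmethod authmethods[] = {
 NULL,
 &options.gss_authentication,
 NULL},
-{"gssapi",
-userauth_gssapi,
-NULL,
-&options.gss_authentication,
-NULL},
 #endif
 {"hostbased",
 userauth_hostbased,
@@ -606,7 +601,6 @@ userauth_gssapi(Authctxt *authctxt)
 OM_uint32 min;
 int ok = 0;
 const char *gss_host;
-int old_gssapi_method;
 
 if (options.gss_trust_dns)
 gss_host = get_canonical_hostname(1);
@@ -645,25 +639,13 @@ userauth_gssapi(Authctxt *authctxt)
 packet_put_cstring(authctxt->service);
 packet_put_cstring(authctxt->method->name);
 
-old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
-
-/* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
-* tagged OIDs. As such we include both tagged and untagged oids
-* for the old gssapi method.
-* We only include tagged oids for the new gssapi-with-mic method.
-*/
-packet_put_int(old_gssapi_method ? 2 : 1);
+packet_put_int(1);
 
 packet_put_int((gss_supported->elements[mech].length) + 2);
 packet_put_char(SSH_GSS_OIDTYPE);
 packet_put_char(gss_supported->elements[mech].length);
 packet_put_raw(gss_supported->elements[mech].elements,
 gss_supported->elements[mech].length);
-if (old_gssapi_method) {
-packet_put_int(gss_supported->elements[mech].length);
-packet_put_raw(gss_supported->elements[mech].elements,
-gss_supported->elements[mech].length);
-}
 
 packet_send();
 
@@ -703,10 +685,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 }
 
 if (status == GSS_S_COMPLETE) {
-int old_gssapi_method = !strcmp(authctxt->method->name,
-"gssapi");
 /* send either complete or MIC, depending on mechanism */
-if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
+if (!(flags & GSS_C_INTEG_FLAG)) {
 packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 packet_send();
 } else {
@@ -740,7 +720,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 Authctxt *authctxt = ctxt;
 Gssctxt *gssctxt;
 u_int oidlen;
-u_char *oidv, *oidv_free;
+u_char *oidv;
 
 if (authctxt == NULL)
 fatal("input_gssapi_response: no authentication context");
@@ -748,28 +728,22 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 
 /* Setup our OID */
 oidv = packet_get_string(&oidlen);
-oidv_free = oidv;
 
 if (oidlen <= 2 ||
 oidv[0] != SSH_GSS_OIDTYPE ||
 oidv[1] != oidlen - 2) {
+xfree(oidv);
 debug("Badly encoded mechanism OID received");
-if (oidlen < 2) {
-xfree(oidv_free);
-userauth(authctxt, NULL);
-return;
-}
-} else {
-oidlen -= 2;
-oidv += 2;
+userauth(authctxt, NULL);
+return;
 }
 
-if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
+if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
 fatal("Server returned different OID than expected");
 
 packet_check_eom();
 
-xfree(oidv_free);
+xfree(oidv);
 
 if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
 /* Start again with next method on list */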
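Review bot: The restored `packet_put_int(1);` in the userauth_gssapi hunk is now an unexplained literal; the deleted comment block above it was the only text saying what that integer is, and from the removed `old_gssapi_method ? 2 : 1` plus the second OID block it evidently counts the mechanism OIDs that follow, of which the remaining packet_put_* calls encode exactly one in tagged form. Suggest `packet_put_int(1);	/* one mechanism OID follows (tagged form only) */` so the wire layout does not have to be reverse-engineered from the calls below. userauth_gssapi starts and ends outside the hunk. The first hunk could also carry a one-line comment on the surviving gssapi-with-mic entry above `#endif` noting that the old "gssapi" method is deliberately no longer offered, for the reason given in the changelog, so it is not re-added later for interoperability.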