1 files changed, 53 insertions, 3 deletions
diff --git a/auth2-gss.c b/auth2-gss.c
index 9351e0428..d6446c0cf 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -55,6 +55,48 @@ static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *
 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
 /*
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(struct ssh *ssh)
+{
+        Authctxt *authctxt = ssh->authctxt;
+        int r, authenticated = 0;
+        struct sshbuf *b = NULL;
+        gss_buffer_desc mic, gssbuf;
+        u_char *p;
+        size_t len;
+        if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
+            (r = sshpkt_get_end(ssh)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
+        if ((b = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
+        mic.value = p;
+        mic.length = len;
+        ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+            "gssapi-keyex");
+        if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
+                fatal("%s: sshbuf_mutable_ptr failed", __func__);
+        gssbuf.length = sshbuf_len(b);
+        /* gss_kex_context is NULL with privsep, so we can't check it here */
+        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
+            &gssbuf, &mic))))
+                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+                    authctxt->pw, 1));
+        sshbuf_free(b);
+        free(mic.value);
+        return (authenticated);
+}
+/*
 * We only support those mechanisms that we know about (ie ones that we know
 * how to check local user kuserok and the like)
 */
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
        if ((r = sshpkt_get_end(ssh)) != 0)
                fatal("%s: %s", __func__, ssh_err(r));
-        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+            authctxt->pw, 1));
        if ((!use_privsep || mm_is_monitor()) &&
            (displayname = ssh_gssapi_displayname()) != NULL)
@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
        gssbuf.length = sshbuf_len(b);
        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+                    authctxt->pw, 0));
        else
                logit("GSSAPI MIC check failed");
@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
        return 0;
 }
+Authmethod method_gsskeyex = {
+        "gssapi-keyex",
+        userauth_gsskeyex,
+        &options.gss_authentication
+};
 Authmethod method_gssapi = {
        "gssapi-with-mic",
        userauth_gssapi,

diff --git a/auth2-gss.c b/auth2-gss.c index 9351e0428..d6446c0cf 100644 --- a/auth2-gss.c +++ b/auth2-gss.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */	1	/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -55,6 +55,48 @@ static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *
55	static int input_gssapi_errtok(int, u_int32_t, struct ssh *);	55	static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
56		56
57	/*	57	/*
		58	* The 'gssapi_keyex' userauth mechanism.
		59	*/
		60	static int
		61	userauth_gsskeyex(struct ssh *ssh)
		62	{
		63	Authctxt *authctxt = ssh->authctxt;
		64	int r, authenticated = 0;
		65	struct sshbuf *b = NULL;
		66	gss_buffer_desc mic, gssbuf;
		67	u_char *p;
		68	size_t len;
		69
		70	if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 \|\|
		71	(r = sshpkt_get_end(ssh)) != 0)
		72	fatal("%s: %s", __func__, ssh_err(r));
		73
		74	if ((b = sshbuf_new()) == NULL)
		75	fatal("%s: sshbuf_new failed", __func__);
		76
		77	mic.value = p;
		78	mic.length = len;
		79
		80	ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
		81	"gssapi-keyex");
		82
		83	if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
		84	fatal("%s: sshbuf_mutable_ptr failed", __func__);
		85	gssbuf.length = sshbuf_len(b);
		86
		87	/* gss_kex_context is NULL with privsep, so we can't check it here */
		88	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
		89	&gssbuf, &mic))))
		90	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
		91	authctxt->pw, 1));
		92
		93	sshbuf_free(b);
		94	free(mic.value);
		95
		96	return (authenticated);
		97	}
		98
		99	/*
58	* We only support those mechanisms that we know about (ie ones that we know	100	* We only support those mechanisms that we know about (ie ones that we know
59	* how to check local user kuserok and the like)	101	* how to check local user kuserok and the like)
60	*/	102	*/
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
260	if ((r = sshpkt_get_end(ssh)) != 0)	302	if ((r = sshpkt_get_end(ssh)) != 0)
261	fatal("%s: %s", __func__, ssh_err(r));	303	fatal("%s: %s", __func__, ssh_err(r));
262		304
263	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));	305	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
		306	authctxt->pw, 1));
264		307
265	if ((!use_privsep \|\| mm_is_monitor()) &&	308	if ((!use_privsep \|\| mm_is_monitor()) &&
266	(displayname = ssh_gssapi_displayname()) != NULL)	309	(displayname = ssh_gssapi_displayname()) != NULL)
@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
306	gssbuf.length = sshbuf_len(b);	349	gssbuf.length = sshbuf_len(b);
307		350
308	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))	351	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
309	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));	352	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
		353	authctxt->pw, 0));
310	else	354	else
311	logit("GSSAPI MIC check failed");	355	logit("GSSAPI MIC check failed");
312		356
@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
326	return 0;	370	return 0;
327	}	371	}
328		372
		373	Authmethod method_gsskeyex = {
		374	"gssapi-keyex",
		375	userauth_gsskeyex,
		376	&options.gss_authentication
		377	};
		378
329	Authmethod method_gssapi = {	379	Authmethod method_gssapi = {
330	"gssapi-with-mic",	380	"gssapi-with-mic",
331	userauth_gssapi,	381	userauth_gssapi,