1 files changed, 47 insertions, 3 deletions

diff --git a/auth2-gss.c b/auth2-gss.c
index 0e08d889c..a192d282f 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_errtok(int, u_int32_t, void *);
 
+/* 
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(Authctxt *authctxt)
+{
+        int authenticated = 0;
+        Buffer b;
+        gss_buffer_desc mic, gssbuf;
+        u_int len;
+
+        mic.value = packet_get_string(&len);
+        mic.length = len;
+
+        packet_check_eom();
+
+        ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+            "gssapi-keyex");
+
+        gssbuf.value = buffer_ptr(&b);
+        gssbuf.length = buffer_len(&b);
+
+        /* gss_kex_context is NULL with privsep, so we can't check it here */
+        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
+            &gssbuf, &mic))))
+                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+                    authctxt->pw));
+        
+        buffer_free(&b);
+        xfree(mic.value);
+
+        return (authenticated);
+}
+
 /*
  * We only support those mechanisms that we know about (ie ones that we know
  * how to check local user kuserok and the like)
@@ -102,6 +136,7 @@ userauth_gssapi(Authctxt *authctxt)
 
         if (!present) {
                 xfree(doid);
+                authctxt->server_caused_failure = 1;
                 return (0);
         }
 
@@ -109,6 +144,7 @@ userauth_gssapi(Authctxt *authctxt)
                 if (ctxt != NULL)
                         ssh_gssapi_delete_ctx(&ctxt);
                 xfree(doid);
+                authctxt->server_caused_failure = 1;
                 return (0);
         }
 
@@ -242,7 +278,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 
         packet_check_eom();
 
-        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+            authctxt->pw));
 
         authctxt->postponed = 0;
         dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -277,7 +314,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
         gssbuf.length = buffer_len(&b);
 
         if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+                authenticated = 
+                    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
         else
                 logit("GSSAPI MIC check failed");
 
@@ -292,6 +330,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
         userauth_finish(authctxt, authenticated, "gssapi-with-mic");
 }
 
+Authmethod method_gsskeyex = {
+        "gssapi-keyex",
+        userauth_gsskeyex,
+        &options.gss_authentication
+};
+
 Authmethod method_gssapi = {
         "gssapi-with-mic",
         userauth_gssapi,