1 files changed, 46 insertions, 3 deletions
diff --git a/auth2-gss.c b/auth2-gss.c
index 589283b72..fd411d3a7 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -53,6 +53,41 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
 static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
+/* 
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(struct ssh *ssh)
+{
+        Authctxt *authctxt = ssh->authctxt;
+        int authenticated = 0;
+        Buffer b;
+        gss_buffer_desc mic, gssbuf;
+        u_int len;
+        mic.value = packet_get_string(&len);
+        mic.length = len;
+        packet_check_eom();
+        ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+            "gssapi-keyex");
+        gssbuf.value = buffer_ptr(&b);
+        gssbuf.length = buffer_len(&b);
+        /* gss_kex_context is NULL with privsep, so we can't check it here */
+        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
+            &gssbuf, &mic))))
+                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+                    authctxt->pw));
+        
+        buffer_free(&b);
+        free(mic.value);
+        return (authenticated);
+}
 /*
 * We only support those mechanisms that we know about (ie ones that we know
 * how to check local user kuserok and the like)
@@ -240,7 +275,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
        packet_check_eom();
-        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+            authctxt->pw));
        if ((!use_privsep || mm_is_monitor()) &&
            (displayname = ssh_gssapi_displayname()) != NULL)
@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
        gssbuf.length = buffer_len(&b);
        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+                authenticated = 
+                    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
        else
                logit("GSSAPI MIC check failed");
@@ -301,6 +338,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
        return 0;
 }
+Authmethod method_gsskeyex = {
+        "gssapi-keyex",
+        userauth_gsskeyex,
+        &options.gss_authentication
+};
 Authmethod method_gssapi = {
        "gssapi-with-mic",
        userauth_gssapi,

diff --git a/auth2-gss.c b/auth2-gss.c index 589283b72..fd411d3a7 100644 --- a/auth2-gss.c +++ b/auth2-gss.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */	1	/* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -53,6 +53,41 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
53	static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);	53	static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
54	static int input_gssapi_errtok(int, u_int32_t, struct ssh *);	54	static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
55		55
		56	/*
		57	* The 'gssapi_keyex' userauth mechanism.
		58	*/
		59	static int
		60	userauth_gsskeyex(struct ssh *ssh)
		61	{
		62	Authctxt *authctxt = ssh->authctxt;
		63	int authenticated = 0;
		64	Buffer b;
		65	gss_buffer_desc mic, gssbuf;
		66	u_int len;
		67
		68	mic.value = packet_get_string(&len);
		69	mic.length = len;
		70
		71	packet_check_eom();
		72
		73	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
		74	"gssapi-keyex");
		75
		76	gssbuf.value = buffer_ptr(&b);
		77	gssbuf.length = buffer_len(&b);
		78
		79	/* gss_kex_context is NULL with privsep, so we can't check it here */
		80	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
		81	&gssbuf, &mic))))
		82	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
		83	authctxt->pw));
		84
		85	buffer_free(&b);
		86	free(mic.value);
		87
		88	return (authenticated);
		89	}
		90
56	/*	91	/*
57	* We only support those mechanisms that we know about (ie ones that we know	92	* We only support those mechanisms that we know about (ie ones that we know
58	* how to check local user kuserok and the like)	93	* how to check local user kuserok and the like)
@@ -240,7 +275,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
240		275
241	packet_check_eom();	276	packet_check_eom();
242		277
243	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));	278	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
		279	authctxt->pw));
244		280
245	if ((!use_privsep \|\| mm_is_monitor()) &&	281	if ((!use_privsep \|\| mm_is_monitor()) &&
246	(displayname = ssh_gssapi_displayname()) != NULL)	282	(displayname = ssh_gssapi_displayname()) != NULL)
@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
281	gssbuf.length = buffer_len(&b);	317	gssbuf.length = buffer_len(&b);
282		318
283	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))	319	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
284	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));	320	authenticated =
		321	PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
285	else	322	else
286	logit("GSSAPI MIC check failed");	323	logit("GSSAPI MIC check failed");
287		324
@@ -301,6 +338,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
301	return 0;	338	return 0;
302	}	339	}
303		340
		341	Authmethod method_gsskeyex = {
		342	"gssapi-keyex",
		343	userauth_gsskeyex,
		344	&options.gss_authentication
		345	};
		346
304	Authmethod method_gssapi = {	347	Authmethod method_gssapi = {
305	"gssapi-with-mic",	348	"gssapi-with-mic",
306	userauth_gssapi,	349	userauth_gssapi,