Diffstat (limited to 'debian/patches/old-gssapi.patch')
-rw-r--r-- | debian/patches/old-gssapi.patch | 141 |
1 files changed, 141 insertions, 0 deletions
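--- /dev/null
+++ b/debian/patches/old-gssapi.patch
@@ -0,0 +1,141 @@
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
++++ b/servconf.c
+@@ -375,16 +375,20 @@
+#ifdef GSSAPI
+{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+#else
+{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+#endif
++ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+@@ -1620,7 +1624,9 @@
+#endif
+#ifdef GSSAPI
+dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
++ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+#endif
+#ifdef JPAKE
+dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+Index: b/sshconnect2.c
+===================================================================
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -314,6 +314,11 @@
+NULL,
+&options.gss_authentication,
+NULL},
++ {"gssapi",
++ userauth_gssapi,
++ NULL,
++ &options.gss_authentication,
++ NULL},
+#endif
+{"hostbased",
+userauth_hostbased,
+@@ -601,6 +606,7 @@
+OM_uint32 min;
+int ok = 0;
+const char *gss_host;
++ int old_gssapi_method;
+
+if (options.gss_trust_dns)
+gss_host = get_canonical_hostname(1);
+@@ -639,13 +645,25 @@
+packet_put_cstring(authctxt->service);
+packet_put_cstring(authctxt->method->name);
+
+- packet_put_int(1);
++ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
++
++ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
++ * tagged OIDs. As such we include both tagged and untagged oids
++ * for the old gssapi method.
++ * We only include tagged oids for the new gssapi-with-mic method.
++ */
++ packet_put_int(old_gssapi_method ? 2 : 1);
+
+packet_put_int((gss_supported->elements[mech].length) + 2);
+packet_put_char(SSH_GSS_OIDTYPE);
+packet_put_char(gss_supported->elements[mech].length);
+packet_put_raw(gss_supported->elements[mech].elements,
+gss_supported->elements[mech].length);
++ if (old_gssapi_method) {
++ packet_put_int(gss_supported->elements[mech].length);
++ packet_put_raw(gss_supported->elements[mech].elements,
++ gss_supported->elements[mech].length);
++ }
+
+packet_send();
+
+@@ -685,8 +703,10 @@
+}
+
+if (status == GSS_S_COMPLETE) {
++ int old_gssapi_method = !strcmp(authctxt->method->name,
++ "gssapi");
+/* send either complete or MIC, depending on mechanism */
+- if (!(flags & GSS_C_INTEG_FLAG)) {
++ if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
+packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
+packet_send();
+} else {
+@@ -720,7 +740,7 @@
+Authctxt *authctxt = ctxt;
+Gssctxt *gssctxt;
+u_int oidlen;
+- u_char *oidv;
++ u_char *oidv, *oidv_free;
+
+if (authctxt == NULL)
+fatal("input_gssapi_response: no authentication context");
+@@ -728,22 +748,28 @@
+
+/* Setup our OID */
+oidv = packet_get_string(&oidlen);
++ oidv_free = oidv;
+
+if (oidlen <= 2 ||
+oidv[0] != SSH_GSS_OIDTYPE ||
+oidv[1] != oidlen - 2) {
+- xfree(oidv);
+debug("Badly encoded mechanism OID received");
+- userauth(authctxt, NULL);
+- return;
++ if (oidlen < 2) {
++ xfree(oidv_free);
++ userauth(authctxt, NULL);
++ return;
++ }
++ } else {
++ oidlen -= 2;
++ oidv += 2;
++ }
+
+- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
++ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
+fatal("Server returned different OID than expected");
+
+packet_check_eom();
+
+- xfree(oidv);
++ xfree(oidv_free);
+
+if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
+/* Start again with next method on list */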
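Review bot: The legacy "gssapi" client method added in the `@@ -314,6 +314,11 @@` hunk completes authentication without a MIC, because the `@@ -685,8 +703,10 @@` hunk sends SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE whenever `old_gssapi_method` is set, and nothing in the patch records that this gives up the session-identifier binding the gssapi-with-mic MIC provides. A comment above the new `old_gssapi_method` check in that hunk, such as `/* Legacy "gssapi" method: no MIC, so this exchange is not bound to the session ID; prefer gssapi-with-mic wherever the server offers it */`, would keep that trade-off visible to the next maintainer. The new table entry sits after an existing GSSAPI entry, so gssapi-with-mic is presumably tried first, but how the method table is walked is outside the hunk and should be confirmed before relying on that order. In input_gssapi_response the `debug("Badly encoded mechanism OID received")` line now also fires on the path that goes on to accept the value as an untagged OID, so it should move under the `if (oidlen < 2)` guard or be reworded to say the OID is being treated as untagged. Both userauth_gssapi and input_gssapi_response start and end outside their hunks.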