summaryrefslogtreecommitdiff
path: root/debian/patches/old-gssapi.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/old-gssapi.patch')
-rw-r--r--debian/patches/old-gssapi.patch141
1 files changed, 141 insertions, 0 deletions
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
new file mode 100644
index 000000000..272654fd8
--- /dev/null
+++ b/debian/patches/old-gssapi.patch
@@ -0,0 +1,141 @@
1Index: b/servconf.c
2===================================================================
3--- a/servconf.c
4+++ b/servconf.c
5@@ -375,16 +375,20 @@
6 #ifdef GSSAPI
7 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
8 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
9+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
10 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
11 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
12 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
13 #else
14 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
15 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
16+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
17 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
18 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
19 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
20 #endif
21+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
22+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
23 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
24 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
25 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
26@@ -1620,7 +1624,9 @@
27 #endif
28 #ifdef GSSAPI
29 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
30+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
31 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
32+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
33 #endif
34 #ifdef JPAKE
35 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
36Index: b/sshconnect2.c
37===================================================================
38--- a/sshconnect2.c
39+++ b/sshconnect2.c
40@@ -314,6 +314,11 @@
41 NULL,
42 &options.gss_authentication,
43 NULL},
44+ {"gssapi",
45+ userauth_gssapi,
46+ NULL,
47+ &options.gss_authentication,
48+ NULL},
49 #endif
50 {"hostbased",
51 userauth_hostbased,
52@@ -601,6 +606,7 @@
53 OM_uint32 min;
54 int ok = 0;
55 const char *gss_host;
56+ int old_gssapi_method;
57
58 if (options.gss_trust_dns)
59 gss_host = get_canonical_hostname(1);
60@@ -639,13 +645,25 @@
61 packet_put_cstring(authctxt->service);
62 packet_put_cstring(authctxt->method->name);
63
64- packet_put_int(1);
65+ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
66+
67+ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
68+ * tagged OIDs. As such we include both tagged and untagged oids
69+ * for the old gssapi method.
70+ * We only include tagged oids for the new gssapi-with-mic method.
71+ */
72+ packet_put_int(old_gssapi_method ? 2 : 1);
73
74 packet_put_int((gss_supported->elements[mech].length) + 2);
75 packet_put_char(SSH_GSS_OIDTYPE);
76 packet_put_char(gss_supported->elements[mech].length);
77 packet_put_raw(gss_supported->elements[mech].elements,
78 gss_supported->elements[mech].length);
79+ if (old_gssapi_method) {
80+ packet_put_int(gss_supported->elements[mech].length);
81+ packet_put_raw(gss_supported->elements[mech].elements,
82+ gss_supported->elements[mech].length);
83+ }
84
85 packet_send();
86
87@@ -685,8 +703,10 @@
88 }
89
90 if (status == GSS_S_COMPLETE) {
91+ int old_gssapi_method = !strcmp(authctxt->method->name,
92+ "gssapi");
93 /* send either complete or MIC, depending on mechanism */
94- if (!(flags & GSS_C_INTEG_FLAG)) {
95+ if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
96 packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
97 packet_send();
98 } else {
99@@ -720,7 +740,7 @@
100 Authctxt *authctxt = ctxt;
101 Gssctxt *gssctxt;
102 u_int oidlen;
103- u_char *oidv;
104+ u_char *oidv, *oidv_free;
105
106 if (authctxt == NULL)
107 fatal("input_gssapi_response: no authentication context");
108@@ -728,22 +748,28 @@
109
110 /* Setup our OID */
111 oidv = packet_get_string(&oidlen);
112+ oidv_free = oidv;
113
114 if (oidlen <= 2 ||
115 oidv[0] != SSH_GSS_OIDTYPE ||
116 oidv[1] != oidlen - 2) {
117- xfree(oidv);
118 debug("Badly encoded mechanism OID received");
119- userauth(authctxt, NULL);
120- return;
121+ if (oidlen < 2) {
122+ xfree(oidv_free);
123+ userauth(authctxt, NULL);
124+ return;
125+ }
126+ } else {
127+ oidlen -= 2;
128+ oidv += 2;
129 }
130
131- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
132+ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
133 fatal("Server returned different OID than expected");
134
135 packet_check_eom();
136
137- xfree(oidv);
138+ xfree(oidv_free);
139
140 if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
141 /* Start again with next method on list */