1 files changed, 141 insertions, 0 deletions

diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
new file mode 100644
index 000000000..272654fd8
--- /dev/null
+++ b/debian/patches/old-gssapi.patch
@@ -0,0 +1,141 @@
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
++++ b/servconf.c
+@@ -375,16 +375,20 @@
+ #ifdef GSSAPI
+        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++       { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+        { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+        { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ #else
+        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++       { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ #endif
++       { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
++       { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+@@ -1620,7 +1624,9 @@
+ #endif
+ #ifdef GSSAPI
+        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++       dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
++       dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ #endif
+ #ifdef JPAKE
+        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+Index: b/sshconnect2.c
+===================================================================
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -314,6 +314,11 @@
+                NULL,
+                &options.gss_authentication,
+                NULL},
++       {"gssapi",
++               userauth_gssapi,
++               NULL,
++               &options.gss_authentication,
++               NULL},
+ #endif
+        {"hostbased",
+                userauth_hostbased,
+@@ -601,6 +606,7 @@
+        OM_uint32 min;
+        int ok = 0;
+        const char *gss_host;
++       int old_gssapi_method;
+ 
+        if (options.gss_trust_dns)
+                gss_host = get_canonical_hostname(1);
+@@ -639,13 +645,25 @@
+        packet_put_cstring(authctxt->service);
+        packet_put_cstring(authctxt->method->name);
+ 
+-       packet_put_int(1);
++       old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
++
++       /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
++        * tagged OIDs.  As such we include both tagged and untagged oids
++        * for the old gssapi method.
++        * We only include tagged oids for the new gssapi-with-mic method.
++        */
++       packet_put_int(old_gssapi_method ? 2 : 1);
+ 
+        packet_put_int((gss_supported->elements[mech].length) + 2);
+        packet_put_char(SSH_GSS_OIDTYPE);
+        packet_put_char(gss_supported->elements[mech].length);
+        packet_put_raw(gss_supported->elements[mech].elements,
+            gss_supported->elements[mech].length);
++       if (old_gssapi_method) {
++               packet_put_int(gss_supported->elements[mech].length);
++               packet_put_raw(gss_supported->elements[mech].elements,
++                              gss_supported->elements[mech].length);
++       }
+ 
+        packet_send();
+ 
+@@ -685,8 +703,10 @@
+        }
+ 
+        if (status == GSS_S_COMPLETE) {
++               int old_gssapi_method = !strcmp(authctxt->method->name,
++                                               "gssapi");
+                /* send either complete or MIC, depending on mechanism */
+-               if (!(flags & GSS_C_INTEG_FLAG)) {
++               if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
+                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
+                        packet_send();
+                } else {
+@@ -720,7 +740,7 @@
+        Authctxt *authctxt = ctxt;
+        Gssctxt *gssctxt;
+        u_int oidlen;
+-       u_char *oidv;
++       u_char *oidv, *oidv_free;
+ 
+        if (authctxt == NULL)
+                fatal("input_gssapi_response: no authentication context");
+@@ -728,22 +748,28 @@
+ 
+        /* Setup our OID */
+        oidv = packet_get_string(&oidlen);
++       oidv_free = oidv;
+ 
+        if (oidlen <= 2 ||
+            oidv[0] != SSH_GSS_OIDTYPE ||
+            oidv[1] != oidlen - 2) {
+-               xfree(oidv);
+                debug("Badly encoded mechanism OID received");
+-               userauth(authctxt, NULL);
+-               return;
++               if (oidlen < 2) {
++                       xfree(oidv_free);
++                       userauth(authctxt, NULL);
++                       return;
++               }
++       } else {
++               oidlen -= 2;
++               oidv += 2;
+        }
+ 
+-       if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
++       if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
+                fatal("Server returned different OID than expected");
+ 
+        packet_check_eom();
+ 
+-       xfree(oidv);
++       xfree(oidv_free);
+ 
+        if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
+                /* Start again with next method on list */