From dd79498e0f4086a765cea7757ac023e925b75db2 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 8 Mar 2010 11:26:21 +0000
Subject: Drop compatibility with the old gssapi mechanism used in ssh-krb5 << 3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.
---
debian/patches/banner-noslash.patch | 2 +-
debian/patches/old-gssapi.patch | 115 ------------------------------------
debian/patches/series | 1 -
debian/patches/ssh-vulnkey.patch | 4 +-
4 files changed, 3 insertions(+), 119 deletions(-)
delete mode 100644 debian/patches/old-gssapi.patch
(limited to 'debian/patches')
diff --git a/debian/patches/banner-noslash.patch b/debian/patches/banner-noslash.patch
index af5f4213c..fa7b08f23 100644
--- a/debian/patches/banner-noslash.patch
+++ b/debian/patches/banner-noslash.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -477,7 +477,7 @@
+@@ -472,7 +472,7 @@
 if (len > 65536)
 len = 65536;
 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
deleted file mode 100644
index 1ef689331..000000000
--- a/debian/patches/old-gssapi.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-Description: Interoperate with old GSSAPI authentication method
- ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
- .
- Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
-Author: "Aaron M. Ucko"
-Bug-Debian: http://bugs.debian.org/328388
-Forwarded: yes
-Last-Updated: 2010-03-01
-
-Index: b/sshconnect2.c
-===================================================================
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -314,6 +314,11 @@
- NULL,
- &options.gss_authentication,
- NULL},
-+ {"gssapi",
-+ userauth_gssapi,
-+ NULL,
-+ &options.gss_authentication,
-+ NULL},
- #endif
- {"hostbased",
- userauth_hostbased,
-@@ -601,6 +606,7 @@
- OM_uint32 min;
- int ok = 0;
- const char *gss_host;
-+ int old_gssapi_method;
-
- if (options.gss_trust_dns)
- gss_host = get_canonical_hostname(1);
-@@ -639,13 +645,25 @@
- packet_put_cstring(authctxt->service);
- packet_put_cstring(authctxt->method->name);
-
-- packet_put_int(1);
-+ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
-+
-+ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
-+ * tagged OIDs. As such we include both tagged and untagged oids
-+ * for the old gssapi method.
-+ * We only include tagged oids for the new gssapi-with-mic method.
-+ */
-+ packet_put_int(old_gssapi_method ? 2 : 1);
-
- packet_put_int((gss_supported->elements[mech].length) + 2);
- packet_put_char(SSH_GSS_OIDTYPE);
- packet_put_char(gss_supported->elements[mech].length);
- packet_put_raw(gss_supported->elements[mech].elements,
- gss_supported->elements[mech].length);
-+ if (old_gssapi_method) {
-+ packet_put_int(gss_supported->elements[mech].length);
-+ packet_put_raw(gss_supported->elements[mech].elements,
-+ gss_supported->elements[mech].length);
-+ }
-
- packet_send();
-
-@@ -685,8 +703,10 @@
- }
-
- if (status == GSS_S_COMPLETE) {
-+ int old_gssapi_method = !strcmp(authctxt->method->name,
-+ "gssapi");
- /* send either complete or MIC, depending on mechanism */
-- if (!(flags & GSS_C_INTEG_FLAG)) {
-+ if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
- packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
- packet_send();
- } else {
-@@ -720,7 +740,7 @@
- Authctxt *authctxt = ctxt;
- Gssctxt *gssctxt;
- u_int oidlen;
-- u_char *oidv;
-+ u_char *oidv, *oidv_free;
-
- if (authctxt == NULL)
- fatal("input_gssapi_response: no authentication context");
-@@ -728,22 +748,28 @@
-
- /* Setup our OID */
- oidv = packet_get_string(&oidlen);
-+ oidv_free = oidv;
-
- if (oidlen <= 2 ||
- oidv[0] != SSH_GSS_OIDTYPE ||
- oidv[1] != oidlen - 2) {
-- xfree(oidv);
- debug("Badly encoded mechanism OID received");
-- userauth(authctxt, NULL);
-- return;
-+ if (oidlen < 2) {
-+ xfree(oidv_free);
-+ userauth(authctxt, NULL);
-+ return;
-+ }
-+ } else {
-+ oidlen -= 2;
-+ oidv += 2;
- }
-
-- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
-+ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
- fatal("Server returned different OID than expected");
-
- packet_check_eom();
-
-- xfree(oidv);
-+ xfree(oidv_free);
-
- if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
- /* Start again with next method on list */
diff --git a/debian/patches/series b/debian/patches/series
index fd6f569d0..7f410e363 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
 gssapi-autoconf.patch
 gssapi-compat.patch
 gssapi-dump.patch
-old-gssapi.patch
 # Autotools
 config-guess-sub.patch
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index c1df3b7f4..a0396a6eb 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1315,7 +1315,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1418,6 +1418,8 @@
+@@ -1392,6 +1392,8 @@
 /* list of keys stored in the filesystem */
 for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1324,7 @@ Index: b/sshconnect2.c
 key = options.identity_keys[i];
 if (key && key->type == KEY_RSA1)
 continue;
-@@ -1508,7 +1510,7 @@
+@@ -1482,7 +1484,7 @@
 if (id->key && id->key->type != KEY_RSA1) {
 debug("Offering public key: %s", id->filename);
 sent = send_pubkey_test(authctxt, id);
--
cgit v1.2.3