From 6666c194143fe32e39a6e0e1db4f9c6db9257731 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Oct 19 2018 09:41:34 +0000
Subject: Do not break gssapi-kex authentication method
---
diff --git a/openssh-7.9p1-gsskex-method.patch b/openssh-7.9p1-gsskex-method.patch
new file mode 100644
index 0000000..b06620d
--- /dev/null
+++ b/openssh-7.9p1-gsskex-method.patch
@@ -0,0 +1,150 @@
+From bc74944ce7a2eabd228d47051f277ce108914c96 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 16 Oct 2018 16:44:40 +0200
+Subject: [PATCH] Unbreak authentication using gssapi-keyex (#1625366)
+
+---
+ auth2-gss.c | 6 +++---
+ gss-serv.c | 4 +++-
+ monitor.c | 13 ++++++++++---
+ monitor_wrap.c | 4 +++-
+ monitor_wrap.h | 2 +-
+ ssh-gss.h | 2 +-
+ 6 files changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/auth2-gss.c b/auth2-gss.c
+index 3f2ad21d..a61ac089 100644
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -84,7 +84,7 @@ userauth_gsskeyex(Authctxt *authctxt)
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
+ &gssbuf, &mic))))
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+- authctxt->pw));
++ authctxt->pw, 1));
+ 
+ sshbuf_free(b);
+ free(mic.value);
+@@ -299,7 +299,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
+ fatal("%s: %s", __func__, ssh_err(r));
+ 
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+- authctxt->pw));
++ authctxt->pw, 1));
+ 
+ if ((!use_privsep || mm_is_monitor()) &&
+ (displayname = ssh_gssapi_displayname()) != NULL)
+@@ -347,7 +347,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+ 
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
+ authenticated =
+- PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
++ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw, 0));
+ else
+ logit("GSSAPI MIC check failed");
+ 
+diff --git a/gss-serv.c b/gss-serv.c
+index 786ac95c..87de2baa 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -493,10 +493,12 @@ verify_authentication_indicators(Gssctxt *gssctxt)
+ 
+ /* Privileged */
+ int
+-ssh_gssapi_userok(char *user, struct passwd *pw)
++ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
+ {
+ OM_uint32 lmin;
+ 
++ (void) kex; /* used in privilege separation */
++
+ if (gssapi_client.exportedname.length == 0 ||
+ gssapi_client.exportedname.value == NULL) {
+ debug("No 
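Review bot: In the second auth2-gss.c hunk, input_gssapi_exchange_complete now passes `1` (treat as key exchange) to ssh_gssapi_userok, but this handler serves the EXCHANGE_COMPLETE message of the gssapi-with-mic userauth flow, not the gssapi-keyex method handled by userauth_gsskeyex in the first hunk. In upstream OpenSSH this function finishes with `userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL)`; that line lies outside the hunk and nothing visible here changes it, so under privsep the monitor would record `gssapi-keyex` while the child completes `gssapi-with-mic`, and AuthenticationMethods accounting would disagree between the two processes. Unless there is a deliberate reason to credit this path as keyex, the argument should match input_gssapi_mic in the third hunk: `authctxt->pw, 0));`. The enclosing function starts and ends outside the hunk.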
suitable client data");
+diff --git a/monitor.c b/monitor.c
+index 9bbe8cc4..7b1903af 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1877,14 +1877,17 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
+ int
+ mm_answer_gss_userok(int sock, struct sshbuf *m)
+ {
+- int r, authenticated;
++ int r, authenticated, kex;
+ const char *displayname;
+ 
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI authentication not enabled", __func__);
+ 
++ if ((r = sshbuf_get_u32(m, &kex)) != 0)
++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
+ authenticated = authctxt->valid &&
+- ssh_gssapi_userok(authctxt->user, authctxt->pw);
++ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
+ 
+ sshbuf_reset(m);
+ if ((r = sshbuf_put_u32(m, authenticated)) != 0)
+@@ -1893,7 +1896,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
+ debug3("%s: sending result %d", __func__, authenticated);
+ mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
+ 
+- auth_method = "gssapi-with-mic";
++ if (kex) {
++ auth_method = "gssapi-keyex";
++ } else {
++ auth_method = "gssapi-with-mic";
++ }
+ 
+ if ((displayname = ssh_gssapi_displayname()) != NULL)
+ auth2_record_info(authctxt, "%s", displayname);
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index fb52a530..508d926d 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -984,13 +984,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+ }
+ 
+ int
+-mm_ssh_gssapi_userok(char *user, struct passwd *pw)
++mm_ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
+ {
+ struct sshbuf *m;
+ int r, authenticated = 0;
+ 
+ if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
++ if ((r = sshbuf_put_u32(m, kex)) != 0)
++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
+ mm_request_receive_expect(pmonitor->m_recvfd,
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 494760dd..5eba5ecc 100644
+--- 
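Review bot: The comment on the new `(void) kex;` line in ssh_gssapi_userok (gss-serv.c hunk) is misleading: the parameter is not used by this function in either privsep or non-privsep mode, and as far as this patch shows it is read only by the monitor's mm_answer_gss_userok to choose the recorded method name. Suggest `(void) kex; /* unused here; mm_answer_gss_userok() reads it to pick the method name */`. The function body continues beyond the hunk.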
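Review bot: In the first monitor.c hunk, mm_answer_gss_userok now lets a value supplied by the unprivileged child (`kex`, read with sshbuf_get_u32) decide which method name the monitor records, yet the enable check just above it is unchanged and still accepts either GSSAPIAuthentication or GSSAPIKeyExchange, so a child can have a disabled variant credited toward AuthenticationMethods. The check should follow the flag, `if (kex ? !options.gss_keyex : !options.gss_authentication)`, and values other than 0 and 1 should be rejected rather than silently treated as true. `kex` is also declared `int` while sshbuf_get_u32 takes a `u_int32_t *`; declare it `u_int32_t kex;` to avoid the pointer-sign mismatch. If the monitor has its own record of whether a GSSAPI key exchange took place for this connection, that would be a better source of truth than the child's claim, but I cannot see one from this hunk alone. The function's body continues past the hunk into the second monitor.c hunk, where `auth_method` is set from `kex`.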
a/monitor_wrap.h
++++ b/monitor_wrap.h
+@@ -60,7 +60,7 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
+ OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
+ gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
+-int mm_ssh_gssapi_userok(char *user, struct passwd *);
++int mm_ssh_gssapi_userok(char *user, struct passwd *, int kex);
+ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
+diff --git a/ssh-gss.h b/ssh-gss.h
+index 39b6ce69..98262837 100644
+--- a/ssh-gss.h
++++ b/ssh-gss.h
+@@ -162,7 +162,7 @@ gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
+ int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
+ const char *);
+ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+-int ssh_gssapi_userok(char *name, struct passwd *);
++int ssh_gssapi_userok(char *name, struct passwd *, int kex);
+ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ void ssh_gssapi_do_child(char ***, u_int *);
+ void ssh_gssapi_cleanup_creds(void);
+-- 
+2.17.2
+
diff --git a/openssh.spec b/openssh.spec
index 2ec7712..6938196 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -183,6 +183,8 @@
 Patch804: openssh-7.7p1-gssapi-new-unique.patch
 Patch805: openssh-7.2p2-k5login_directory.patch
 # Support SHA2 in GSS key exchanges from draft-ssorce-gss-keyex-sha2-02
 Patch807: openssh-7.5p1-gssapi-kex-with-ec.patch
+# Do not break when using AuthenticationMethods with gssapi-keyex auth method (#1625366)
+Patch808: openssh-7.9p1-gsskex-method.patch
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
@@ -443,6 +445,7 @@
 popd
 %patch951 -p1 -b .pkcs11-uri
 %patch952 -p1 -b .pkcs11-ecdsa
 %patch953 -p1 -b .scp-ipv6
+%patch808 -p1 -b .gsskex-method
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race