2007-01-07 17:26:05 +01:00
|
|
|
The patch below adds support for the deprecated 'gssapi' authentication
|
|
|
|
mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
|
|
in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
|
|
potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
|
|
|
|
susceptible to.
|
|
|
|
|
|
|
|
To use the patch apply it to a OpenSSH 3.8p1 source tree. After compiling,
|
|
|
|
backwards compatibility may be obtained by supplying the
|
|
|
|
'GssapiEnableMitmAttack yes' option to either the client or server.
|
|
|
|
|
|
|
|
It should be noted that this patch is being made available purely as a means
|
|
|
|
of easing the process of moving to OpenSSH 3.8p1. Any new installations are
|
|
|
|
recommended to use the 'gssapi-with-mic' mechanism. Existing installations
|
|
|
|
are encouraged to upgrade as soon as possible.
|
|
|
|
|
|
|
|
Index: auth2-gss.c
|
|
|
|
================================================================================
|
|
|
|
--- auth2-gss.c
|
|
|
|
+++ auth2-gss.c
|
|
|
|
@@ -177,6 +177,15 @@
|
|
|
|
dispatch_set(
|
|
|
|
SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
|
|
|
|
&input_gssapi_exchange_complete);
|
|
|
|
+
|
|
|
|
+ /*
|
|
|
|
+ * Old style 'gssapi' didn't have the GSSAPI_MIC
|
|
|
|
+ * and went straight to sending exchange_complete
|
|
|
|
+ */
|
|
|
|
+ if (options.gss_enable_mitm)
|
|
|
|
+ dispatch_set(
|
|
|
|
+ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
|
|
|
|
+ &input_gssapi_exchange_complete);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
@@ -298,4 +307,10 @@
|
|
|
|
&options.gss_authentication
|
|
|
|
};
|
|
|
|
|
|
|
|
+Authmethod method_gssapi_old = {
|
|
|
|
+ "gssapi",
|
|
|
|
+ userauth_gssapi,
|
|
|
|
+ &options.gss_enable_mitm
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
#endif /* GSSAPI */
|
|
|
|
--- auth2.c
|
|
|
|
+++ auth2.c
|
|
|
|
@@ -65,6 +65,7 @@
|
|
|
|
extern Authmethod method_hostbased;
|
|
|
|
#ifdef GSSAPI
|
|
|
|
extern Authmethod method_gssapi;
|
|
|
|
+extern Authmethod method_gssapi_old;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
Authmethod *authmethods[] = {
|
|
|
|
@@ -72,6 +73,7 @@
|
|
|
|
&method_pubkey,
|
|
|
|
#ifdef GSSAPI
|
|
|
|
&method_gssapi,
|
|
|
|
+ &method_gssapi_old,
|
|
|
|
#endif
|
|
|
|
&method_passwd,
|
|
|
|
&method_kbdint,
|
|
|
|
--- readconf.c
|
|
|
|
+++ readconf.c
|
|
|
|
@@ -126,7 +126,7 @@
|
|
|
|
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
|
|
|
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
|
|
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
|
|
|
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
|
|
|
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
|
|
|
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
|
|
|
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
|
|
|
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
|
|
|
@@ -164,9 +164,11 @@
|
|
|
|
#if defined(GSSAPI)
|
|
|
|
{ "gssapiauthentication", oGssAuthentication },
|
|
|
|
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
|
|
|
+ { "gssapienablemitmattack", oGssEnableMITM },
|
|
|
|
#else
|
|
|
|
{ "gssapiauthentication", oUnsupported },
|
|
|
|
{ "gssapidelegatecredentials", oUnsupported },
|
|
|
|
+ { "gssapienablemitmattack", oUnsupported },
|
|
|
|
#endif
|
|
|
|
{ "fallbacktorsh", oDeprecated },
|
|
|
|
{ "usersh", oDeprecated },
|
|
|
|
@@ -445,6 +447,10 @@
|
|
|
|
case oGssDelegateCreds:
|
|
|
|
intptr = &options->gss_deleg_creds;
|
|
|
|
goto parse_flag;
|
|
|
|
+
|
|
|
|
+ case oGssEnableMITM:
|
|
|
|
+ intptr = &options->gss_enable_mitm;
|
|
|
|
+ goto parse_flag;
|
|
|
|
|
|
|
|
case oBatchMode:
|
|
|
|
intptr = &options->batch_mode;
|
|
|
|
@@ -1012,6 +1018,7 @@
|
|
|
|
options->challenge_response_authentication = -1;
|
|
|
|
options->gss_authentication = -1;
|
|
|
|
options->gss_deleg_creds = -1;
|
|
|
|
+ options->gss_enable_mitm = -1;
|
|
|
|
options->password_authentication = -1;
|
|
|
|
options->kbd_interactive_authentication = -1;
|
|
|
|
options->kbd_interactive_devices = NULL;
|
|
|
|
@@ -1102,6 +1109,8 @@
|
|
|
|
options->gss_authentication = 0;
|
|
|
|
if (options->gss_deleg_creds == -1)
|
|
|
|
options->gss_deleg_creds = 0;
|
|
|
|
+ if (options->gss_enable_mitm == -1)
|
|
|
|
+ options->gss_enable_mitm = 0;
|
|
|
|
if (options->password_authentication == -1)
|
|
|
|
options->password_authentication = 1;
|
|
|
|
if (options->kbd_interactive_authentication == -1)
|
|
|
|
--- readconf.h
|
|
|
|
+++ readconf.h
|
|
|
|
@@ -45,6 +45,7 @@
|
|
|
|
/* Try S/Key or TIS, authentication. */
|
|
|
|
int gss_authentication; /* Try GSS authentication */
|
|
|
|
int gss_deleg_creds; /* Delegate GSS credentials */
|
|
|
|
+ int gss_enable_mitm; /* Enable old style gssapi auth */
|
|
|
|
int password_authentication; /* Try password
|
|
|
|
* authentication. */
|
|
|
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
|
|
|
--- servconf.c
|
|
|
|
+++ servconf.c
|
|
|
|
@@ -91,6 +91,7 @@
|
|
|
|
options->kerberos_get_afs_token = -1;
|
|
|
|
options->gss_authentication=-1;
|
|
|
|
options->gss_cleanup_creds = -1;
|
|
|
|
+ options->gss_enable_mitm = -1;
|
|
|
|
options->password_authentication = -1;
|
|
|
|
options->kbd_interactive_authentication = -1;
|
|
|
|
options->challenge_response_authentication = -1;
|
|
|
|
@@ -206,6 +207,8 @@
|
|
|
|
options->gss_authentication = 0;
|
|
|
|
if (options->gss_cleanup_creds == -1)
|
|
|
|
options->gss_cleanup_creds = 1;
|
|
|
|
+ if (options->gss_enable_mitm == -1)
|
|
|
|
+ options->gss_enable_mitm = 0;
|
|
|
|
if (options->password_authentication == -1)
|
|
|
|
options->password_authentication = 1;
|
|
|
|
if (options->kbd_interactive_authentication == -1)
|
|
|
|
@@ -290,7 +293,7 @@
|
|
|
|
sBanner, sUseDNS, sHostbasedAuthentication,
|
|
|
|
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
|
|
|
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
|
|
|
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
|
|
|
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
|
|
|
|
sMatch, sPermitOpen, sForceCommand,
|
|
|
|
sUsePrivilegeSeparation,
|
|
|
|
sDeprecated, sUnsupported
|
|
|
|
@@ -351,9 +354,11 @@
|
|
|
|
#ifdef GSSAPI
|
2007-03-15 01:56:27 +01:00
|
|
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
2007-01-07 17:26:05 +01:00
|
|
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
|
|
|
+ { "gssapienablemitmattack", sGssEnableMITM },
|
|
|
|
#else
|
2007-03-15 01:56:27 +01:00
|
|
|
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
2007-01-07 17:26:05 +01:00
|
|
|
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
|
|
|
+ { "gssapienablemitmattack", sUnsupported },
|
|
|
|
#endif
|
2007-03-15 01:56:27 +01:00
|
|
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
|
|
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
2007-01-07 17:26:05 +01:00
|
|
|
@@ -877,6 +882,10 @@
|
|
|
|
case sGssCleanupCreds:
|
|
|
|
intptr = &options->gss_cleanup_creds;
|
|
|
|
goto parse_flag;
|
|
|
|
+
|
|
|
|
+ case sGssEnableMITM:
|
|
|
|
+ intptr = &options->gss_enable_mitm;
|
|
|
|
+ goto parse_flag;
|
|
|
|
|
|
|
|
case sPasswordAuthentication:
|
|
|
|
intptr = &options->password_authentication;
|
|
|
|
--- servconf.h
|
|
|
|
+++ servconf.h
|
|
|
|
@@ -88,6 +88,7 @@
|
|
|
|
* authenticated with Kerberos. */
|
|
|
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
|
|
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
|
|
|
+ int gss_enable_mitm; /* If true, enable old style GSSAPI */
|
|
|
|
int password_authentication; /* If true, permit password
|
|
|
|
* authentication. */
|
|
|
|
int kbd_interactive_authentication; /* If true, permit */
|
|
|
|
--- ssh_config
|
|
|
|
+++ ssh_config
|
|
|
|
@@ -53,3 +53,13 @@
|
|
|
|
# Tunnel no
|
|
|
|
# TunnelDevice any:any
|
|
|
|
# PermitLocalCommand no
|
|
|
|
+# GSSAPIAuthentication no
|
|
|
|
+# GSSAPIDelegateCredentials no
|
|
|
|
+
|
|
|
|
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
|
|
|
|
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
|
|
+# in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
|
|
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
|
|
|
+# GSSAPIEnableMITMAttack no
|
|
|
|
+
|
|
|
|
+>>>>>>>
|
|
|
|
--- sshconnect2.c
|
|
|
|
+++ sshconnect2.c
|
|
|
|
@@ -242,6 +242,10 @@
|
|
|
|
userauth_gssapi,
|
|
|
|
&options.gss_authentication,
|
|
|
|
NULL},
|
|
|
|
+ {"gssapi",
|
|
|
|
+ userauth_gssapi,
|
|
|
|
+ &options.gss_enable_mitm,
|
|
|
|
+ NULL},
|
|
|
|
#endif
|
|
|
|
{"hostbased",
|
|
|
|
userauth_hostbased,
|
|
|
|
@@ -576,7 +580,9 @@
|
|
|
|
|
|
|
|
if (status == GSS_S_COMPLETE) {
|
|
|
|
/* send either complete or MIC, depending on mechanism */
|
|
|
|
- if (!(flags & GSS_C_INTEG_FLAG)) {
|
|
|
|
+
|
|
|
|
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
|
|
|
|
+ (!(flags & GSS_C_INTEG_FLAG))) {
|
|
|
|
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
|
|
|
|
packet_send();
|
|
|
|
} else {
|
|
|
|
--- sshd_config
|
|
|
|
+++ sshd_config
|
|
|
|
@@ -69,6 +69,13 @@
|
|
|
|
#GSSAPIAuthentication no
|
|
|
|
#GSSAPICleanupCredentials yes
|
|
|
|
|
|
|
|
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
|
|
|
|
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
|
|
+# in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
|
|
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
|
|
|
+#GSSAPIEnableMITMAttack no
|
|
|
|
+
|
|
|
|
+
|
|
|
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
|
|
# and session processing. If this is enabled, PAM authentication will
|
|
|
|
# be allowed through the ChallengeResponseAuthentication and
|