2007-01-07 17:26:05 +01:00
|
|
|
The patch below adds support for the deprecated 'gssapi' authentication
|
|
|
|
mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
|
|
in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
|
|
potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
|
|
|
|
susceptible to.
|
|
|
|
|
|
|
|
To use the patch apply it to a OpenSSH 3.8p1 source tree. After compiling,
|
|
|
|
backwards compatibility may be obtained by supplying the
|
|
|
|
'GssapiEnableMitmAttack yes' option to either the client or server.
|
|
|
|
|
|
|
|
It should be noted that this patch is being made available purely as a means
|
|
|
|
of easing the process of moving to OpenSSH 3.8p1. Any new installations are
|
|
|
|
recommended to use the 'gssapi-with-mic' mechanism. Existing installations
|
|
|
|
are encouraged to upgrade as soon as possible.
|
|
|
|
|
|
|
|
Index: auth2-gss.c
|
2010-03-26 16:29:14 +01:00
|
|
|
===================================================================
|
|
|
|
--- auth2-gss.c.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ auth2-gss.c
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -177,6 +177,15 @@ input_gssapi_token(int type, u_int32_t p
|
2007-01-07 17:26:05 +01:00
|
|
|
dispatch_set(
|
|
|
|
SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
|
|
|
|
&input_gssapi_exchange_complete);
|
|
|
|
+
|
|
|
|
+ /*
|
|
|
|
+ * Old style 'gssapi' didn't have the GSSAPI_MIC
|
|
|
|
+ * and went straight to sending exchange_complete
|
|
|
|
+ */
|
|
|
|
+ if (options.gss_enable_mitm)
|
|
|
|
+ dispatch_set(
|
|
|
|
+ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
|
|
|
|
+ &input_gssapi_exchange_complete);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -298,4 +307,10 @@ Authmethod method_gssapi = {
|
2007-01-07 17:26:05 +01:00
|
|
|
&options.gss_authentication
|
|
|
|
};
|
|
|
|
|
|
|
|
+Authmethod method_gssapi_old = {
|
|
|
|
+ "gssapi",
|
|
|
|
+ userauth_gssapi,
|
|
|
|
+ &options.gss_enable_mitm
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
#endif /* GSSAPI */
|
2010-03-26 16:29:14 +01:00
|
|
|
Index: auth2.c
|
|
|
|
===================================================================
|
|
|
|
--- auth2.c.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ auth2.c
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -70,6 +70,7 @@ extern Authmethod method_kbdint;
|
2007-01-07 17:26:05 +01:00
|
|
|
extern Authmethod method_hostbased;
|
|
|
|
#ifdef GSSAPI
|
|
|
|
extern Authmethod method_gssapi;
|
|
|
|
+extern Authmethod method_gssapi_old;
|
|
|
|
#endif
|
2009-03-03 22:42:45 +01:00
|
|
|
#ifdef JPAKE
|
|
|
|
extern Authmethod method_jpake;
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
|
2007-01-07 17:26:05 +01:00
|
|
|
&method_pubkey,
|
|
|
|
#ifdef GSSAPI
|
|
|
|
&method_gssapi,
|
|
|
|
+ &method_gssapi_old,
|
|
|
|
#endif
|
2009-03-03 22:42:45 +01:00
|
|
|
#ifdef JPAKE
|
|
|
|
&method_jpake,
|
2010-03-26 16:29:14 +01:00
|
|
|
Index: readconf.c
|
|
|
|
===================================================================
|
|
|
|
--- readconf.c.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ readconf.c
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -126,7 +126,7 @@ typedef enum {
|
|
|
|
oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
|
2007-01-07 17:26:05 +01:00
|
|
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
|
|
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
|
|
|
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
|
|
|
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
|
|
|
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
|
|
|
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
|
|
|
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -165,9 +165,11 @@ static struct {
|
2007-01-07 17:26:05 +01:00
|
|
|
#if defined(GSSAPI)
|
|
|
|
{ "gssapiauthentication", oGssAuthentication },
|
|
|
|
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
|
|
|
+ { "gssapienablemitmattack", oGssEnableMITM },
|
|
|
|
#else
|
|
|
|
{ "gssapiauthentication", oUnsupported },
|
|
|
|
{ "gssapidelegatecredentials", oUnsupported },
|
|
|
|
+ { "gssapienablemitmattack", oUnsupported },
|
|
|
|
#endif
|
|
|
|
{ "fallbacktorsh", oDeprecated },
|
|
|
|
{ "usersh", oDeprecated },
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -459,6 +461,10 @@ parse_flag:
|
2007-01-07 17:26:05 +01:00
|
|
|
case oGssDelegateCreds:
|
|
|
|
intptr = &options->gss_deleg_creds;
|
|
|
|
goto parse_flag;
|
|
|
|
+
|
|
|
|
+ case oGssEnableMITM:
|
|
|
|
+ intptr = &options->gss_enable_mitm;
|
|
|
|
+ goto parse_flag;
|
|
|
|
|
|
|
|
case oBatchMode:
|
|
|
|
intptr = &options->batch_mode;
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -1016,6 +1022,7 @@ initialize_options(Options * options)
|
2007-01-07 17:26:05 +01:00
|
|
|
options->challenge_response_authentication = -1;
|
|
|
|
options->gss_authentication = -1;
|
|
|
|
options->gss_deleg_creds = -1;
|
|
|
|
+ options->gss_enable_mitm = -1;
|
|
|
|
options->password_authentication = -1;
|
|
|
|
options->kbd_interactive_authentication = -1;
|
|
|
|
options->kbd_interactive_devices = NULL;
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -1109,6 +1116,8 @@ fill_default_options(Options * options)
|
2007-01-07 17:26:05 +01:00
|
|
|
options->gss_authentication = 0;
|
|
|
|
if (options->gss_deleg_creds == -1)
|
|
|
|
options->gss_deleg_creds = 0;
|
|
|
|
+ if (options->gss_enable_mitm == -1)
|
|
|
|
+ options->gss_enable_mitm = 0;
|
|
|
|
if (options->password_authentication == -1)
|
|
|
|
options->password_authentication = 1;
|
|
|
|
if (options->kbd_interactive_authentication == -1)
|
2010-03-26 16:29:14 +01:00
|
|
|
Index: readconf.h
|
|
|
|
===================================================================
|
|
|
|
--- readconf.h.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ readconf.h
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -45,6 +45,7 @@ typedef struct {
|
2007-01-07 17:26:05 +01:00
|
|
|
/* Try S/Key or TIS, authentication. */
|
|
|
|
int gss_authentication; /* Try GSS authentication */
|
|
|
|
int gss_deleg_creds; /* Delegate GSS credentials */
|
|
|
|
+ int gss_enable_mitm; /* Enable old style gssapi auth */
|
|
|
|
int password_authentication; /* Try password
|
|
|
|
* authentication. */
|
|
|
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
2010-03-26 16:29:14 +01:00
|
|
|
Index: servconf.c
|
|
|
|
===================================================================
|
|
|
|
--- servconf.c.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ servconf.c
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
|
2007-01-07 17:26:05 +01:00
|
|
|
options->kerberos_get_afs_token = -1;
|
|
|
|
options->gss_authentication=-1;
|
|
|
|
options->gss_cleanup_creds = -1;
|
|
|
|
+ options->gss_enable_mitm = -1;
|
|
|
|
options->password_authentication = -1;
|
|
|
|
options->kbd_interactive_authentication = -1;
|
|
|
|
options->challenge_response_authentication = -1;
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -216,6 +217,8 @@ fill_default_server_options(ServerOption
|
2007-01-07 17:26:05 +01:00
|
|
|
options->gss_authentication = 0;
|
|
|
|
if (options->gss_cleanup_creds == -1)
|
|
|
|
options->gss_cleanup_creds = 1;
|
|
|
|
+ if (options->gss_enable_mitm == -1)
|
|
|
|
+ options->gss_enable_mitm = 0;
|
|
|
|
if (options->password_authentication == -1)
|
|
|
|
options->password_authentication = 1;
|
|
|
|
if (options->kbd_interactive_authentication == -1)
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -306,7 +309,7 @@ typedef enum {
|
2007-01-07 17:26:05 +01:00
|
|
|
sBanner, sUseDNS, sHostbasedAuthentication,
|
|
|
|
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
|
|
|
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
|
|
|
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
|
|
|
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
|
2008-04-09 22:21:23 +02:00
|
|
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
2008-07-25 04:29:14 +02:00
|
|
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
2010-03-26 16:29:14 +01:00
|
|
|
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
|
|
|
@@ -369,9 +372,11 @@ static struct {
|
2007-01-07 17:26:05 +01:00
|
|
|
#ifdef GSSAPI
|
2007-03-15 01:56:27 +01:00
|
|
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
2007-01-07 17:26:05 +01:00
|
|
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
|
|
|
+ { "gssapienablemitmattack", sGssEnableMITM },
|
|
|
|
#else
|
2007-03-15 01:56:27 +01:00
|
|
|
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
2007-01-07 17:26:05 +01:00
|
|
|
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
|
|
|
+ { "gssapienablemitmattack", sUnsupported },
|
|
|
|
#endif
|
2007-03-15 01:56:27 +01:00
|
|
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
|
|
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -928,6 +933,10 @@ process_server_config_line(ServerOptions
|
2007-01-07 17:26:05 +01:00
|
|
|
case sGssCleanupCreds:
|
|
|
|
intptr = &options->gss_cleanup_creds;
|
|
|
|
goto parse_flag;
|
|
|
|
+
|
|
|
|
+ case sGssEnableMITM:
|
|
|
|
+ intptr = &options->gss_enable_mitm;
|
|
|
|
+ goto parse_flag;
|
|
|
|
|
|
|
|
case sPasswordAuthentication:
|
|
|
|
intptr = &options->password_authentication;
|
2010-03-26 16:29:14 +01:00
|
|
|
Index: servconf.h
|
|
|
|
===================================================================
|
|
|
|
--- servconf.h.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ servconf.h
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -95,6 +95,7 @@ typedef struct {
|
2007-01-07 17:26:05 +01:00
|
|
|
* authenticated with Kerberos. */
|
|
|
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
|
|
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
|
|
|
+ int gss_enable_mitm; /* If true, enable old style GSSAPI */
|
|
|
|
int password_authentication; /* If true, permit password
|
|
|
|
* authentication. */
|
|
|
|
int kbd_interactive_authentication; /* If true, permit */
|
2010-03-26 16:29:14 +01:00
|
|
|
Index: ssh_config
|
|
|
|
===================================================================
|
|
|
|
--- ssh_config.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ ssh_config
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -54,5 +54,15 @@ ForwardX11Trusted yes
|
2007-01-07 17:26:05 +01:00
|
|
|
# Tunnel no
|
|
|
|
# TunnelDevice any:any
|
|
|
|
# PermitLocalCommand no
|
|
|
|
+# GSSAPIAuthentication no
|
|
|
|
+# GSSAPIDelegateCredentials no
|
|
|
|
+
|
|
|
|
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
|
|
|
|
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
|
|
+# in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
|
|
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
|
|
|
+# GSSAPIEnableMITMAttack no
|
|
|
|
+
|
|
|
|
+>>>>>>>
|
2009-03-03 22:42:45 +01:00
|
|
|
# VisualHostKey no
|
2010-03-26 16:29:14 +01:00
|
|
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
|
|
|
Index: sshconnect2.c
|
|
|
|
===================================================================
|
|
|
|
--- sshconnect2.c.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ sshconnect2.c
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -263,6 +263,10 @@ Authmethod authmethods[] = {
|
2009-03-03 22:42:45 +01:00
|
|
|
NULL,
|
2007-01-07 17:26:05 +01:00
|
|
|
&options.gss_authentication,
|
|
|
|
NULL},
|
|
|
|
+ {"gssapi",
|
|
|
|
+ userauth_gssapi,
|
|
|
|
+ &options.gss_enable_mitm,
|
|
|
|
+ NULL},
|
|
|
|
#endif
|
|
|
|
{"hostbased",
|
|
|
|
userauth_hostbased,
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf
|
2007-01-07 17:26:05 +01:00
|
|
|
|
|
|
|
if (status == GSS_S_COMPLETE) {
|
|
|
|
/* send either complete or MIC, depending on mechanism */
|
|
|
|
- if (!(flags & GSS_C_INTEG_FLAG)) {
|
|
|
|
+
|
|
|
|
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
|
|
|
|
+ (!(flags & GSS_C_INTEG_FLAG))) {
|
|
|
|
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
|
|
|
|
packet_send();
|
|
|
|
} else {
|
2010-03-26 16:29:14 +01:00
|
|
|
Index: sshd_config
|
|
|
|
===================================================================
|
|
|
|
--- sshd_config.orig
|
2007-01-07 17:26:05 +01:00
|
|
|
+++ sshd_config
|
2010-03-26 16:29:14 +01:00
|
|
|
@@ -72,6 +72,13 @@ PasswordAuthentication no
|
2007-01-07 17:26:05 +01:00
|
|
|
#GSSAPIAuthentication no
|
|
|
|
#GSSAPICleanupCredentials yes
|
|
|
|
|
|
|
|
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
|
|
|
|
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
|
|
+# in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
|
|
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
|
|
|
+#GSSAPIEnableMITMAttack no
|
|
|
|
+
|
|
|
|
+
|
|
|
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
|
|
# and session processing. If this is enabled, PAM authentication will
|
|
|
|
# be allowed through the ChallengeResponseAuthentication and
|