forked from pool/openssh
ceda754f5a
reviewed ok. OBS-URL: https://build.opensuse.org/request/show/60057 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=7
260 lines
9.5 KiB
Diff
260 lines
9.5 KiB
Diff
The patch below adds support for the deprecated 'gssapi' authentication
|
|
mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
|
|
susceptible to.
|
|
|
|
To use the patch apply it to a OpenSSH 3.8p1 source tree. After compiling,
|
|
backwards compatibility may be obtained by supplying the
|
|
'GssapiEnableMitmAttack yes' option to either the client or server.
|
|
|
|
It should be noted that this patch is being made available purely as a means
|
|
of easing the process of moving to OpenSSH 3.8p1. Any new installations are
|
|
recommended to use the 'gssapi-with-mic' mechanism. Existing installations
|
|
are encouraged to upgrade as soon as possible.
|
|
|
|
Index: auth2-gss.c
|
|
===================================================================
|
|
--- auth2-gss.c.orig
|
|
+++ auth2-gss.c
|
|
@@ -177,6 +177,15 @@ input_gssapi_token(int type, u_int32_t p
|
|
dispatch_set(
|
|
SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
|
|
&input_gssapi_exchange_complete);
|
|
+
|
|
+ /*
|
|
+ * Old style 'gssapi' didn't have the GSSAPI_MIC
|
|
+ * and went straight to sending exchange_complete
|
|
+ */
|
|
+ if (options.gss_enable_mitm)
|
|
+ dispatch_set(
|
|
+ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
|
|
+ &input_gssapi_exchange_complete);
|
|
}
|
|
}
|
|
|
|
@@ -298,4 +307,10 @@ Authmethod method_gssapi = {
|
|
&options.gss_authentication
|
|
};
|
|
|
|
+Authmethod method_gssapi_old = {
|
|
+ "gssapi",
|
|
+ userauth_gssapi,
|
|
+ &options.gss_enable_mitm
|
|
+};
|
|
+
|
|
#endif /* GSSAPI */
|
|
Index: auth2.c
|
|
===================================================================
|
|
--- auth2.c.orig
|
|
+++ auth2.c
|
|
@@ -70,6 +70,7 @@ extern Authmethod method_kbdint;
|
|
extern Authmethod method_hostbased;
|
|
#ifdef GSSAPI
|
|
extern Authmethod method_gssapi;
|
|
+extern Authmethod method_gssapi_old;
|
|
#endif
|
|
#ifdef JPAKE
|
|
extern Authmethod method_jpake;
|
|
@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
|
|
&method_pubkey,
|
|
#ifdef GSSAPI
|
|
&method_gssapi,
|
|
+ &method_gssapi_old,
|
|
#endif
|
|
#ifdef JPAKE
|
|
&method_jpake,
|
|
Index: readconf.c
|
|
===================================================================
|
|
--- readconf.c.orig
|
|
+++ readconf.c
|
|
@@ -128,7 +128,7 @@ typedef enum {
|
|
oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
|
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
|
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
|
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
|
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
|
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
|
oHashKnownHosts,
|
|
@@ -170,9 +170,11 @@ static struct {
|
|
#if defined(GSSAPI)
|
|
{ "gssapiauthentication", oGssAuthentication },
|
|
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
|
+ { "gssapienablemitmattack", oGssEnableMITM },
|
|
#else
|
|
{ "gssapiauthentication", oUnsupported },
|
|
{ "gssapidelegatecredentials", oUnsupported },
|
|
+ { "gssapienablemitmattack", oUnsupported },
|
|
#endif
|
|
{ "fallbacktorsh", oDeprecated },
|
|
{ "usersh", oDeprecated },
|
|
@@ -483,6 +485,10 @@ parse_flag:
|
|
intptr = &options->gss_deleg_creds;
|
|
goto parse_flag;
|
|
|
|
+ case oGssEnableMITM:
|
|
+ intptr = &options->gss_enable_mitm;
|
|
+ goto parse_flag;
|
|
+
|
|
case oBatchMode:
|
|
intptr = &options->batch_mode;
|
|
goto parse_flag;
|
|
@@ -1093,6 +1099,7 @@ initialize_options(Options * options)
|
|
options->challenge_response_authentication = -1;
|
|
options->gss_authentication = -1;
|
|
options->gss_deleg_creds = -1;
|
|
+ options->gss_enable_mitm = -1;
|
|
options->password_authentication = -1;
|
|
options->kbd_interactive_authentication = -1;
|
|
options->kbd_interactive_devices = NULL;
|
|
@@ -1195,6 +1202,8 @@ fill_default_options(Options * options)
|
|
options->gss_authentication = 0;
|
|
if (options->gss_deleg_creds == -1)
|
|
options->gss_deleg_creds = 0;
|
|
+ if (options->gss_enable_mitm == -1)
|
|
+ options->gss_enable_mitm = 0;
|
|
if (options->password_authentication == -1)
|
|
options->password_authentication = 1;
|
|
if (options->kbd_interactive_authentication == -1)
|
|
Index: readconf.h
|
|
===================================================================
|
|
--- readconf.h.orig
|
|
+++ readconf.h
|
|
@@ -47,6 +47,7 @@ typedef struct {
|
|
/* Try S/Key or TIS, authentication. */
|
|
int gss_authentication; /* Try GSS authentication */
|
|
int gss_deleg_creds; /* Delegate GSS credentials */
|
|
+ int gss_enable_mitm; /* Enable old style gssapi auth */
|
|
int password_authentication; /* Try password
|
|
* authentication. */
|
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
|
Index: servconf.c
|
|
===================================================================
|
|
--- servconf.c.orig
|
|
+++ servconf.c
|
|
@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions
|
|
options->kerberos_get_afs_token = -1;
|
|
options->gss_authentication=-1;
|
|
options->gss_cleanup_creds = -1;
|
|
+ options->gss_enable_mitm = -1;
|
|
options->password_authentication = -1;
|
|
options->kbd_interactive_authentication = -1;
|
|
options->challenge_response_authentication = -1;
|
|
@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption
|
|
options->gss_authentication = 0;
|
|
if (options->gss_cleanup_creds == -1)
|
|
options->gss_cleanup_creds = 1;
|
|
+ if (options->gss_enable_mitm == -1)
|
|
+ options->gss_enable_mitm = 0;
|
|
if (options->password_authentication == -1)
|
|
options->password_authentication = 1;
|
|
if (options->kbd_interactive_authentication == -1)
|
|
@@ -322,7 +325,7 @@ typedef enum {
|
|
sBanner, sUseDNS, sHostbasedAuthentication,
|
|
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
|
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
|
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
|
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
|
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
|
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
|
@@ -386,9 +389,11 @@ static struct {
|
|
#ifdef GSSAPI
|
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
|
+ { "gssapienablemitmattack", sGssEnableMITM },
|
|
#else
|
|
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
|
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
|
+ { "gssapienablemitmattack", sUnsupported },
|
|
#endif
|
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
|
@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions
|
|
intptr = &options->gss_cleanup_creds;
|
|
goto parse_flag;
|
|
|
|
+ case sGssEnableMITM:
|
|
+ intptr = &options->gss_enable_mitm;
|
|
+ goto parse_flag;
|
|
+
|
|
case sPasswordAuthentication:
|
|
intptr = &options->password_authentication;
|
|
goto parse_flag;
|
|
Index: servconf.h
|
|
===================================================================
|
|
--- servconf.h.orig
|
|
+++ servconf.h
|
|
@@ -98,6 +98,7 @@ typedef struct {
|
|
* authenticated with Kerberos. */
|
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
|
+ int gss_enable_mitm; /* If true, enable old style GSSAPI */
|
|
int password_authentication; /* If true, permit password
|
|
* authentication. */
|
|
int kbd_interactive_authentication; /* If true, permit */
|
|
Index: ssh_config
|
|
===================================================================
|
|
--- ssh_config.orig
|
|
+++ ssh_config
|
|
@@ -54,5 +54,15 @@ ForwardX11Trusted yes
|
|
# Tunnel no
|
|
# TunnelDevice any:any
|
|
# PermitLocalCommand no
|
|
+# GSSAPIAuthentication no
|
|
+# GSSAPIDelegateCredentials no
|
|
+
|
|
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
|
|
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
+# in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
|
+# GSSAPIEnableMITMAttack no
|
|
+
|
|
+>>>>>>>
|
|
# VisualHostKey no
|
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
|
Index: sshconnect2.c
|
|
===================================================================
|
|
--- sshconnect2.c.orig
|
|
+++ sshconnect2.c
|
|
@@ -324,6 +324,10 @@ Authmethod authmethods[] = {
|
|
NULL,
|
|
&options.gss_authentication,
|
|
NULL},
|
|
+ {"gssapi",
|
|
+ userauth_gssapi,
|
|
+ &options.gss_enable_mitm,
|
|
+ NULL},
|
|
#endif
|
|
{"hostbased",
|
|
userauth_hostbased,
|
|
@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf
|
|
|
|
if (status == GSS_S_COMPLETE) {
|
|
/* send either complete or MIC, depending on mechanism */
|
|
- if (!(flags & GSS_C_INTEG_FLAG)) {
|
|
+
|
|
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
|
|
+ (!(flags & GSS_C_INTEG_FLAG))) {
|
|
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
|
|
packet_send();
|
|
} else {
|
|
Index: sshd_config
|
|
===================================================================
|
|
--- sshd_config.orig
|
|
+++ sshd_config
|
|
@@ -73,6 +73,12 @@ PasswordAuthentication no
|
|
#GSSAPIAuthentication no
|
|
#GSSAPICleanupCredentials yes
|
|
|
|
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
|
|
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
|
|
+# in this release. The use of 'gssapi' is deprecated due to the presence of
|
|
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
|
+#GSSAPIEnableMITMAttack no
|
|
+
|
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
# and session processing. If this is enabled, PAM authentication will
|
|
# be allowed through the ChallengeResponseAuthentication and
|