This fixes an issue with determining the auth method, for reporting
authorysvenkat <ysvenkat>
Wed, 13 Jan 2010 22:06:13 +0000 (22:06 +0000)
committerysvenkat <ysvenkat>
Wed, 13 Jan 2010 22:06:13 +0000 (22:06 +0000)
purposes, when using PRIVSEP. Specifically, the monitor was determining,
for reporting purposes, the auth method to be "gssapi-with-mic" even
when the method being used is "gssapi-keyex".

openssh/auth2-gss.c
openssh/gss-serv.c
openssh/monitor.c
openssh/monitor_wrap.c
openssh/monitor_wrap.h
openssh/ssh-gss.h

index 08fcf72cca7e95f4adee1b1d20048ff8928c41ec..c8f28acef0bc7668b82b3684cdbcb8d5e1d3a6ce 100644 (file)
@@ -89,7 +89,8 @@ userauth_gsskeyex(Authctxt *authctxt)
                                                   &gssbuf2, &mic)))) {
            if (authctxt->valid && authctxt->user && authctxt->user[0]) {
             authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-                                                      authctxt->pw));
+                                                      authctxt->pw,
+                                                      1 /* gssapi-keyex */));
            }
        }
        
@@ -327,7 +328,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
        /* user should be set if valid but we double-check here */
        if (authctxt->valid && authctxt->user && authctxt->user[0]) {
            authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-                                                  authctxt->pw));
+                                       authctxt->pw, 0 /* !gssapi-keyex */));
        } else {
            authenticated = 0;
        }
@@ -369,7 +370,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
            if (authctxt->valid && authctxt->user && authctxt->user[0]) {
             authenticated =
-                PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
+                PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw,
+                                              0 /* !gssapi-keyex */));
            } else {
             authenticated = 0;
            }
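Review bot: The outer `if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(...))))` at the top of this hunk has no braces, yet the statement it guards is now a multi-line `if`/`else` that sets `authenticated`. A reader has to work out that the visible `else` binds to the inner valid-user check, and any `else` that follows outside the hunk would bind to the MIC check. On an authentication path this is worth making explicit by bracing the outer test: `if (!GSS_ERROR(...)) {` … `}`. input_gssapi_mic starts and ends outside the hunk, so the value `authenticated` holds when the MIC check fails is not visible here and should be confirmed to be 0.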
index 6fbc09db4d27958200c95f54b5f75dbc4fb0580c..9a21de37c89f0ec2640eed66a42bde7336a7af9a 100644 (file)
@@ -455,7 +455,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 
 /* Privileged */
 int
-ssh_gssapi_userok(char *user, struct passwd *pw)
+ssh_gssapi_userok(char *user, struct passwd *pw, int gssapi_keyex)
 {
        OM_uint32 lmin;
 
index 5f3b801580246adfec7e1604450195e9b33c8632..1528127fde1b7327af88471167cf69d8bdc4ab17 100644 (file)
@@ -2053,12 +2053,15 @@ int
 mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
+       int gssapi_keyex;
 
        if (!options.gss_authentication && !options.gss_keyex)
                fatal("In GSSAPI monitor when GSSAPI is disabled");
 
+       gssapi_keyex = buffer_get_int(m);
+
        authenticated = authctxt->valid && 
-           ssh_gssapi_userok(authctxt->user, authctxt->pw);
+           ssh_gssapi_userok(authctxt->user, authctxt->pw, gssapi_keyex);
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
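Review bot: `gssapi_keyex` is taken straight from the request buffer, which under PRIVSEP is filled by the unprivileged child, so the monitor is trusting that process to say which method was used. The value is passed on to ssh_gssapi_userok() and, in the next hunk, selects the `auth_method` string that gets reported. At minimum I would collapse it to a boolean on receipt, `gssapi_keyex = buffer_get_int(m) != 0;`, and add a comment such as `/* supplied by the unprivileged child: use for reporting only, never for the authorization decision */`. If the monitor already tracks whether a GSSAPI key exchange completed, deriving the label from that state would be preferable to a child-supplied flag; whether it does is not visible in this diff. mm_answer_gss_userok continues past the end of this hunk.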
@@ -2066,7 +2069,10 @@ mm_answer_gss_userok(int sock, Buffer *m)
        debug3("%s: sending result %d", __func__, authenticated);
        mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 
-       auth_method = "gssapi-with-mic";
+       if (gssapi_keyex)
+               auth_method = "gssapi-keyex";
+       else
+               auth_method = "gssapi-with-mic";
 
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
index 9017cc43359fe5dad6247499d62c2bac69bac4a4..46ddce01b8e78e01c2f9d7dacc1464515181dd3a 100644 (file)
@@ -1248,12 +1248,13 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 
 int
-mm_ssh_gssapi_userok(char *user, struct passwd *pw)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw, int gssapi_keyex)
 {
        Buffer m;
        int authenticated = 0;
 
        buffer_init(&m);
+       buffer_put_int(&m, gssapi_keyex);
 
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m);
        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK,
index a52de618c331fcc3920103d484e87749ed46ab50..cb4d6074cd024d7104def93d1d89d798c8ceff97 100644 (file)
@@ -57,7 +57,7 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-int mm_ssh_gssapi_userok(char *user, struct passwd *);
+int mm_ssh_gssapi_userok(char *user, struct passwd *, int gssapi_keyex);
 OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 int mm_ssh_gssapi_localname(char **user);
index 8ff6869a3054e1e9a5db3acffe17194ff924111a..c5eb773a4c166de59a12cdc67ec3653260cbff42 100644 (file)
@@ -153,7 +153,7 @@ gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
 int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, 
     const char *);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name, struct passwd *);
+int ssh_gssapi_userok(char *name, struct passwd *, int gssapi_keyex);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
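Review bot: The new third parameter of `ssh_gssapi_userok` is a bare `int` flag, and every caller in auth2-gss.c has to explain it with a comment (`1 /* gssapi-keyex */`, `0 /* !gssapi-keyex */`). Declaring two named constants next to this prototype would make those call sites self-describing, for example `enum { SSH_GSS_AUTH_WITH_MIC = 0, SSH_GSS_AUTH_KEYEX = 1 };` (the names are only a suggestion). A one-line comment on the prototype would also help: `/* gssapi_keyex: nonzero when called from gssapi-keyex userauth; selects the reported auth method */`. The same applies to the `mm_ssh_gssapi_userok` prototype in monitor_wrap.h.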