drop support for old external-keyx and gssapi methods
authorjbasney <jbasney>
Wed, 6 Jan 2010 18:45:18 +0000 (18:45 +0000)
committerjbasney <jbasney>
Wed, 6 Jan 2010 18:45:18 +0000 (18:45 +0000)
https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6911

openssh/auth2-gss.c
openssh/auth2.c
openssh/ssh_config.5
openssh/sshconnect2.c
openssh/version.h

index 1db62c438bad6e035735e5522ccb8ae31ce9ed82..08fcf72cca7e95f4adee1b1d20048ff8928c41ec 100644 (file)
@@ -53,20 +53,6 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_errtok(int, u_int32_t, void *);
 
-static int gssapi_with_mic = 1;        /* flag to toggle "gssapi-with-mic" vs.
-                                  "gssapi" */
-
-static int
-userauth_external(Authctxt *authctxt)
-{
-        packet_check_eom();
-
-       if (authctxt->valid && authctxt->user && authctxt->user[0]) {
-               return(PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)));
-       }
-       return 0;
-}
-
 /* 
  * The 'gssapi_keyex' userauth mechanism.
  */
@@ -229,9 +215,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
                }
                authctxt->postponed = 0;
                dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-               userauth_finish(authctxt, 0,
-                               gssapi_with_mic ? "gssapi-with-mic" :
-                                                 "gssapi");
+               userauth_finish(authctxt, 0, "gssapi-with-mic");
        } else {
                if (send_tok.length != 0) {
                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -240,7 +224,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
                }
                if (maj_status == GSS_S_COMPLETE) {
                        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-                       if (flags & GSS_C_INTEG_FLAG && gssapi_with_mic)
+                       if (flags & GSS_C_INTEG_FLAG)
                                dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
                                    &input_gssapi_mic);
                        else
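Review bot: The `else` that closes this hunk is now the only route by which authentication can finish without a MIC, and nothing in the code says when that is acceptable. The MIC is what ties the completed GSS context to this SSH session, so a mechanism that does not report `GSS_C_INTEG_FLAG` finishes without that binding. The branch body lies outside the hunk, but it presumably registers the exchange-complete handler. I would add above the test `/* No integrity service: RFC 4462 lets the client send EXCHANGE_COMPLETE instead of a MIC */`. It is also worth confirming that every mechanism this server enables actually provides integrity.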
@@ -353,22 +337,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-       userauth_finish(authctxt, authenticated,
-                       gssapi_with_mic ? "gssapi-with-mic" : "gssapi");
-}
-
-static int
-userauth_gssapi_with_mic(Authctxt *authctxt)
-{
-    gssapi_with_mic = 1;
-    return userauth_gssapi(authctxt);
-}
-
-static int
-userauth_gssapi_without_mic(Authctxt *authctxt)
-{
-    gssapi_with_mic = 0;
-    return userauth_gssapi(authctxt);
+       userauth_finish(authctxt, authenticated, "gssapi-with-mic");
 }
 
 static void
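Review bot: `input_gssapi_exchange_complete` is the completion path that never sees a MIC, yet it now always reports the attempt to `userauth_finish` as "gssapi-with-mic". That is presumably the same string the MIC-verified handler uses, so the two outcomes cannot be told apart in the authentication log. The string is correct as the wire method name, but a line such as `debug("GSSAPI exchange completed without MIC");` before the call would let an operator distinguish them. The function starts outside the hunk, so this assumes nothing earlier in it already logs that.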
@@ -435,12 +404,6 @@ static void ssh_gssapi_userauth_error(Gssctxt *ctxt) {
        }
 }
 
-Authmethod method_external = {
-       "external-keyx",
-       userauth_external,
-       &options.gss_authentication
-};
-       
 Authmethod method_gsskeyex = {
        "gssapi-keyex",
        userauth_gsskeyex,
@@ -449,13 +412,7 @@ Authmethod method_gsskeyex = {
 
 Authmethod method_gssapi = {
        "gssapi-with-mic",
-       userauth_gssapi_with_mic,
-       &options.gss_authentication
-};
-
-Authmethod method_gssapi_compat = {
-       "gssapi",
-       userauth_gssapi_without_mic,
+       userauth_gssapi,
        &options.gss_authentication
 };
 
index 25166b4f47404e743c00b236a40d6f555e2d0a81..f4ab7f4413ec8e2d23c286856e2e961215caac14 100644 (file)
@@ -70,10 +70,8 @@ extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
 #ifdef GSSAPI
-extern Authmethod method_external;
 extern Authmethod method_gsskeyex;
 extern Authmethod method_gssapi;
-extern Authmethod method_gssapi_compat;
 #endif
 #ifdef JPAKE
 extern Authmethod method_jpake;
@@ -87,9 +85,7 @@ Authmethod *authmethods[] = {
        &method_pubkey,
 #ifdef GSSAPI
        &method_gsskeyex,
-       &method_external,
        &method_gssapi,
-       &method_gssapi_compat,
 #endif
 #ifdef JPAKE
        &method_jpake,
@@ -238,8 +234,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #ifdef GSSAPI
        if (user[0] == '\0') {
            debug("received empty username for %s", method);
-           if (strcmp(method, "external-keyx") == 0 ||
-               strcmp(method, "gssapi-keyex") == 0) {
+           if (strcmp(method, "gssapi-keyex") == 0) {
                char *lname = NULL;
                PRIVSEP(ssh_gssapi_localname(&lname));
                if (lname && lname[0] != '\0') {
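Review bot: The result of `ssh_gssapi_localname(&lname)` is discarded, so the code relies solely on `lname` staying NULL or empty when no mapping exists. That is safe only if the helper never leaves a partial value behind on failure, which this hunk does not show. The empty-username shortcut now applies to "gssapi-keyex" alone, so a comment stating the reason would help, for example `/* only gssapi-keyex can map an empty user here: the GSS context from key exchange already exists */`, if that is indeed why. The enclosing block continues past the end of the hunk, so ownership of `lname` cannot be checked from here.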
index a72a35b2114b8328746577bfa439a3dee0283cc9..7f4f1dda93fe4d1401407570f3636b64a3ad2469 100644 (file)
@@ -749,7 +749,6 @@ over another method (e.g.\&
 .Cm password )
 The default for this option is:
 .Do gssapi-keyex ,
-external-keyx,
 gssapi-with-mic,
 hostbased,
 publickey,
index 4744e377dc891ff54d5133b31d64e75fe4aef846..c4136d532e3ee2cfc7b447eb7feb47e7405dedbe 100644 (file)
@@ -298,10 +298,7 @@ int        userauth_jpake(Authctxt *);
 void   userauth_jpake_cleanup(Authctxt *);
 
 #ifdef GSSAPI
-int    userauth_external(Authctxt *authctxt);
 int    userauth_gssapi(Authctxt *authctxt);
-int    userauth_gssapi_with_mic(Authctxt *authctxt);
-int    userauth_gssapi_without_mic(Authctxt *authctxt);
 void   input_gssapi_response(int type, u_int32_t, void *);
 void   input_gssapi_token(int type, u_int32_t, void *);
 void   input_gssapi_hash(int type, u_int32_t, void *);
@@ -328,21 +325,11 @@ Authmethod authmethods[] = {
                NULL,
                &options.gss_authentication,
                NULL},
-       {"external-keyx",
-               userauth_external,
-               NULL,
-               &options.gss_authentication,
-               NULL},
        {"gssapi-with-mic",
                userauth_gssapi,
                NULL,
                &options.gss_authentication,
                NULL},
-       {"gssapi",
-               userauth_gssapi,
-               NULL,
-               &options.gss_authentication,
-               NULL},
 #endif
        {"hostbased",
                userauth_hostbased,
@@ -897,39 +884,6 @@ const gss_OID_desc * const              gss_mech_globus_gssapi_openssl;
           oid->length) == 0))
 #endif
 
-int
-userauth_external(Authctxt *authctxt)
-{
-    static int attempt = 0;
-        
-    if (attempt++ >= 1)
-        return 0;
-                                
-       /* The client MUST NOT try this method if initial key exchange
-          was not performed using a GSSAPI-based key exchange
-          method. */
-       if (gss_kex_context == NULL) {
-               debug2("gsskex not performed, skipping external-keyx");
-               return 0;
-       }
-
-    debug2("userauth_external");
-    packet_start(SSH2_MSG_USERAUTH_REQUEST);
-#ifdef GSI
-    if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
-        packet_put_cstring("");
-       } else {
-#endif
-    packet_put_cstring(authctxt->server_user);
-#ifdef GSI
-       }
-#endif
-    packet_put_cstring(authctxt->service);
-    packet_put_cstring(authctxt->method->name);
-    packet_send();
-    packet_write_wait();
-    return 1;
-}                                                                                                
 int
 userauth_gsskeyex(Authctxt *authctxt)
 {
index 4c6935ba6076c6f52254fc9ca1b11fac72a6a496..171d2a6cd38de99fa79928930310b46961d9be86 100644 (file)
@@ -18,7 +18,7 @@
 #define MGLUE_VERSION  ""
 #endif
 
-#define NCSA_VERSION   " GLOBUS_GSSAPI_20091020"
+#define NCSA_VERSION   " GLOBUS_GSSAPI_20100106"
 
 #define SSH_VERSION    "OpenSSH_5.3"
 