jbasney [Tue, 7 Jun 2005 21:42:15 +0000 (21:42 +0000)]
bugfix for revision 1.5: if GSS_S_COMPLETE is returned, we should send
SSH2_MSG_KEXGSS_COMPLETE as before, not SSH2_MSG_KEXGSS_CONTINUE.
the other change in revision 1.5 is still good and is a complete fix
for the previous problem.
jbasney [Wed, 11 May 2005 14:50:38 +0000 (14:50 +0000)]
fix for handling gss_accept_sec_context() return values:
- draft-ietf-secsh-gsskeyex-08.txt says we should send the token if
  GSS_S_CONTINUE_NEEDED is returned *or* if GSS_S_COMPLETE is returned
  and we have a token of non-zero length
- remove fatal() on GSS_ERRORs with send_tok.length==0. we should send
  back the error message before aborting.
jbasney [Thu, 19 Aug 2004 04:20:13 +0000 (04:20 +0000)]
clean up code to set authctxt->service and authctxt->style only once.
using 'if (authctxt->attempt == 1)' is clearer than testing for
(authctxt->service == NULL).
jbasney [Wed, 18 Aug 2004 21:59:30 +0000 (21:59 +0000)]
call ssh_gssapi_check_mechanism() before attempting gssapi userauth.
no need to even try if the mechanism doesn't pass checks, i.e., we
don't have a credential.
jbasney [Wed, 18 Aug 2004 14:54:18 +0000 (14:54 +0000)]
fix for bug 244 (https://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=244):
setting authctxt->pw and authctxt->user to NULL is not a good idea.
other code assumes they will be set. so put in placeholders if we
don't have the implicit username yet.
don't include "external-keyx" in case for setting username from GSSAPI
context later. if we don't set the username from the GSSAPI context
here for "external-keyx", we're not going to do it later either,
because the context should already be established from the key
exchange. only the "gssapi" userauth methods need to postpone setting
the username, as the GSSAPI context hasn't been established yet.
fix for http://grid.ncsa.uiuc.edu/ssh/implicitlogin.adv vulnerability:
- don't return success from userauth if authctxt->valid == 0
  as that flag is set after important checks for disabled accounts
- proceed with userauth_gssapi() even if authctxt->valid == 0,
  because we might set it based on GSSAPI context later, and we
  check it before returning success
- set authctxt->valid = 1 only if getpwnamallow() checks succeed
other:
- pass in authctxt to start_pam(), as the signature changed
fix for http://grid.ncsa.uiuc.edu/ssh/implicitlogin.adv vulnerability:
- set authctxt->value = 0 until we actually verify it via
  getpwnamallow(user), which checks for disabled accounts
other code cleanup:
- remove unneeded check for authctxt->valid before printing a debug
  msg, leftover from old logic
- remove spurious ';'
- added a comment on end brace for implicit username block
jbasney [Tue, 29 Jun 2004 02:57:29 +0000 (02:57 +0000)]
- initialize ret_flags before calling gss_accept_sec_context()
  because GSI treats ret_flags as both input and output parameters
- only call start_pam() if UsePAM=yes
jbasney [Tue, 29 Jun 2004 01:08:51 +0000 (01:08 +0000)]
in addition to passing LD_LIBRARY_PATH to child's environment to
local GSI shared libraries, also pass LIBPATH, SHLIB_PATH,
LD_LIBRARYN32_PATH, and LD_LIBRARY64_PATH for odd platforms
re-fix old bug, re-introduced on re-merge of Simon's code:
gss_indicate_mechs() needs to be in PRIVSEP() because we need the list
of mechanisms supported by the privileged process; the unprivileged
process can't load gssapi mech libraries