From 09dcbb73d661c6366f40e769a038ef72a7395988 Mon Sep 17 00:00:00 2001
From: ysvenkat
Date: Wed, 13 Jan 2010 22:06:13 +0000
Subject: [PATCH] This fixes an issue with determining the auth method, for reporting purposes, when using PRIVSEP. Specifically, the monitor was determining, for reporting purposes, the auth method to be "gssapi-with-mic" even when the method being used is "gssapi-keyex".
---
 openssh/auth2-gss.c | 8 +++++---
 openssh/gss-serv.c | 2 +-
 openssh/monitor.c | 10 ++++++++--
 openssh/monitor_wrap.c | 3 ++-
 openssh/monitor_wrap.h | 2 +-
 openssh/ssh-gss.h | 2 +-
 6 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/openssh/auth2-gss.c b/openssh/auth2-gss.c
index 08fcf72..c8f28ac 100644
--- a/openssh/auth2-gss.c
+++ b/openssh/auth2-gss.c
@@ -89,7 +89,8 @@ userauth_gsskeyex(Authctxt *authctxt)
 &gssbuf2, &mic)))) {
 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
- authctxt->pw));
+ authctxt->pw,
+ 1 /* gssapi-keyex */));
 }
 }
@@ -327,7 +328,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 /* user should be set if valid but we double-check here */
 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
- authctxt->pw));
+ authctxt->pw, 0 /* !gssapi-keyex */));
 } else {
 authenticated = 0;
 }
@@ -369,7 +370,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
 authenticated =
- PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw,
+ 0 /* !gssapi-keyex */));
 } else {
 authenticated = 0;
 }
diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c
index 6fbc09d..9a21de3 100644
--- a/openssh/gss-serv.c
+++ b/openssh/gss-serv.c 
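Review bot: The new method flag is passed as a bare `1`/`0` literal whose meaning lives only in the trailing `/* gssapi-keyex */` and `/* !gssapi-keyex */` comments, and the three call sites (this hunk in userauth_gsskeyex, and the following two hunks in input_gssapi_exchange_complete and input_gssapi_mic) each spell the comment differently. A pair of named constants declared in ssh-gss.h next to the `ssh_gssapi_userok` prototype and used at all three sites would make the argument self-describing and keep the two builds consistent, since without PRIVSEP the same literal reaches `ssh_gssapi_userok` directly. Each of the three enclosing functions starts before and continues past its hunk.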
@@ -455,7 +455,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 /* Privileged */
 int
-ssh_gssapi_userok(char *user, struct passwd *pw)
+ssh_gssapi_userok(char *user, struct passwd *pw, int gssapi_keyex)
 {
 OM_uint32 lmin;
diff --git a/openssh/monitor.c b/openssh/monitor.c
index 5f3b801..1528127 100644
--- a/openssh/monitor.c
+++ b/openssh/monitor.c
@@ -2053,12 +2053,15 @@ int
 mm_answer_gss_userok(int sock, Buffer *m)
 {
 int authenticated;
+ int gssapi_keyex;
 if (!options.gss_authentication && !options.gss_keyex)
 fatal("In GSSAPI monitor when GSSAPI is disabled");
+ gssapi_keyex = buffer_get_int(m);
+
 authenticated = authctxt->valid &&
- ssh_gssapi_userok(authctxt->user, authctxt->pw);
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, gssapi_keyex);
 buffer_clear(m);
 buffer_put_int(m, authenticated);
@@ -2066,7 +2069,10 @@ mm_answer_gss_userok(int sock, Buffer *m)
 debug3("%s: sending result %d", __func__, authenticated);
 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
- auth_method = "gssapi-with-mic";
+ if (gssapi_keyex)
+ auth_method = "gssapi-keyex";
+ else
+ auth_method = "gssapi-with-mic";
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
diff --git a/openssh/monitor_wrap.c b/openssh/monitor_wrap.c
index 9017cc4..46ddce0 100644
--- a/openssh/monitor_wrap.c
+++ b/openssh/monitor_wrap.c
@@ -1248,12 +1248,13 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 int
-mm_ssh_gssapi_userok(char *user, struct passwd *pw)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw, int gssapi_keyex)
 {
 Buffer m;
 int authenticated = 0;
 buffer_init(&m);
+ buffer_put_int(&m, gssapi_keyex);
 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m);
 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK,
diff --git a/openssh/monitor_wrap.h b/openssh/monitor_wrap.h
index a52de61..cb4d607 100644
--- a/openssh/monitor_wrap.h
+++ b/openssh/monitor_wrap.h 
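Review bot: The new `gssapi_keyex` parameter of the privileged `ssh_gssapi_userok` is not referenced in the part of the body this hunk shows, and the function continues past the hunk, so a reader cannot tell here whether the authorization decision depends on it or whether it exists only so the PRIVSEP wrapper can carry it through the monitor. A comment on the definition, e.g. `/* gssapi_keyex: nonzero when called for the gssapi-keyex userauth method, zero for gssapi-with-mic */`, would state the contract where the privileged code is read. If the parameter turns out to be unused in the body, that should be said explicitly rather than left for `-Wunused-parameter` to report.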
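Review bot: `gssapi_keyex = buffer_get_int(m);` takes the flag from the unprivileged child and the monitor then both forwards it unchanged to the privileged `ssh_gssapi_userok` and, in the second monitor.c hunk, uses it to pick the `auth_method` string, so the monitor's own record of how the user authenticated is whatever the child claims. The existing guard only fatals when `options.gss_authentication` and `options.gss_keyex` are both off, which still lets a child request the keyex label while `options.gss_keyex` is disabled (or the with-mic label while `options.gss_authentication` is). Checking the option that matches the requested method keeps the monitor authoritative: `if (gssapi_keyex ? !options.gss_keyex : !options.gss_authentication) fatal("In GSSAPI monitor when the requested GSSAPI method is disabled");`. Normalising the value with `gssapi_keyex = buffer_get_int(m) != 0;` would also make the forwarded argument and the later `if (gssapi_keyex)` agree for any non-0/1 value the child might send.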
@@ -57,7 +57,7 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-int mm_ssh_gssapi_userok(char *user, struct passwd *);
+int mm_ssh_gssapi_userok(char *user, struct passwd *, int gssapi_keyex);
 OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 int mm_ssh_gssapi_localname(char **user);
diff --git a/openssh/ssh-gss.h b/openssh/ssh-gss.h
index 8ff6869..c5eb773 100644
--- a/openssh/ssh-gss.h
+++ b/openssh/ssh-gss.h
@@ -153,7 +153,7 @@ gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
 int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, const char *);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name, struct passwd *);
+int ssh_gssapi_userok(char *name, struct passwd *, int gssapi_keyex);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
-- 2.45.1
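Review bot: Neither changed prototype — `mm_ssh_gssapi_userok` here in monitor_wrap.h nor `ssh_gssapi_userok` in the ssh-gss.h hunk below — says what `gssapi_keyex` means or which values callers may pass, and the headers are where a new caller will look. A one-line comment above each prototype such as `/* gssapi_keyex: nonzero when called for the gssapi-keyex userauth method, zero for gssapi-with-mic; the monitor reports the auth method accordingly */` would record the contract the auth2-gss.c call sites currently express only through inline `1`/`0` comments. Listing it in ssh-gss.h also keeps the PRIVSEP wrapper's documentation in one place rather than duplicated in monitor_wrap.h.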