From 22ce3a3becb01f9487f7fa12b859100c162e231c Mon Sep 17 00:00:00 2001 From: jbasney Date: Wed, 6 Jan 2010 18:45:18 +0000 Subject: [PATCH] drop support for old external-keyx and gssapi methods https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6911 --- openssh/auth2-gss.c | 51 ++++--------------------------------------- openssh/auth2.c | 7 +----- openssh/ssh_config.5 | 1 - openssh/sshconnect2.c | 46 -------------------------------------- openssh/version.h | 2 +- 5 files changed, 6 insertions(+), 101 deletions(-) diff --git a/openssh/auth2-gss.c b/openssh/auth2-gss.c index 1db62c4..08fcf72 100644 --- a/openssh/auth2-gss.c +++ b/openssh/auth2-gss.c @@ -53,20 +53,6 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_errtok(int, u_int32_t, void *); -static int gssapi_with_mic = 1; /* flag to toggle "gssapi-with-mic" vs. - "gssapi" */ - -static int -userauth_external(Authctxt *authctxt) -{ - packet_check_eom(); - - if (authctxt->valid && authctxt->user && authctxt->user[0]) { - return(PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw))); - } - return 0; -} - /* * The 'gssapi_keyex' userauth mechanism. */ @@ -229,9 +215,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) } authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); - userauth_finish(authctxt, 0, - gssapi_with_mic ? "gssapi-with-mic" : - "gssapi"); + userauth_finish(authctxt, 0, "gssapi-with-mic"); } else { if (send_tok.length != 0) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); @@ -240,7 +224,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) } if (maj_status == GSS_S_COMPLETE) { dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); - if (flags & GSS_C_INTEG_FLAG && gssapi_with_mic) + if (flags & GSS_C_INTEG_FLAG) dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, &input_gssapi_mic); else 
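Review bot: The method name is now spelled out as a bare literal in `userauth_finish(authctxt, 0, "gssapi-with-mic");` in input_gssapi_token. The same literal is repeated in input_gssapi_exchange_complete (hunk at -353) and in the `method_gssapi` table entry (hunk at -449). Three copies of a protocol string can drift apart silently, and the name passed to userauth_finish is what ends up in the authentication log. I would define it once at file scope, for example `static const char gssapi_mic_method[] = "gssapi-with-mic";`, and use that in both calls. Both function bodies extend beyond their hunks.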
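Review bot: The `else` kept under the new `if (flags & GSS_C_INTEG_FLAG)` in input_gssapi_token is now the only path that finishes without a MIC, and nothing at the branch says so. Its statement is outside the hunk; judging by input_gssapi_exchange_complete later in the file, it presumably installs the SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE handler. I would add a comment above the `if`, such as `/* No integrity service: RFC 4462 lets the client finish with EXCHANGE_COMPLETE instead of a MIC */`. It is also worth confirming that every mechanism this build accepts actually sets GSS_C_INTEG_FLAG, since a context without it authenticates with no MIC over the session identifier.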
@@ -353,22 +337,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); - userauth_finish(authctxt, authenticated, - gssapi_with_mic ? "gssapi-with-mic" : "gssapi"); -} - -static int -userauth_gssapi_with_mic(Authctxt *authctxt) -{ - gssapi_with_mic = 1; - return userauth_gssapi(authctxt); -} - -static int -userauth_gssapi_without_mic(Authctxt *authctxt) -{ - gssapi_with_mic = 0; - return userauth_gssapi(authctxt); + userauth_finish(authctxt, authenticated, "gssapi-with-mic"); } static void @@ -435,12 +404,6 @@ static void ssh_gssapi_userauth_error(Gssctxt *ctxt) { } } -Authmethod method_external = { - "external-keyx", - userauth_external, - &options.gss_authentication -}; - Authmethod method_gsskeyex = { "gssapi-keyex", userauth_gsskeyex, @@ -449,13 +412,7 @@ Authmethod method_gsskeyex = { Authmethod method_gssapi = { "gssapi-with-mic", - userauth_gssapi_with_mic, - &options.gss_authentication -}; - -Authmethod method_gssapi_compat = { - "gssapi", - userauth_gssapi_without_mic, + userauth_gssapi, &options.gss_authentication }; diff --git a/openssh/auth2.c b/openssh/auth2.c index 25166b4..f4ab7f4 100644 --- a/openssh/auth2.c +++ b/openssh/auth2.c @@ -70,10 +70,8 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; #ifdef GSSAPI -extern Authmethod method_external; extern Authmethod method_gsskeyex; extern Authmethod method_gssapi; -extern Authmethod method_gssapi_compat; #endif #ifdef JPAKE extern Authmethod method_jpake; @@ -87,9 +85,7 @@ Authmethod *authmethods[] = { &method_pubkey, #ifdef GSSAPI &method_gsskeyex, - &method_external, &method_gssapi, - &method_gssapi_compat, #endif #ifdef JPAKE &method_jpake, 
@@ -238,8 +234,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) #ifdef GSSAPI if (user[0] == '\0') { debug("received empty username for %s", method); - if (strcmp(method, "external-keyx") == 0 || - strcmp(method, "gssapi-keyex") == 0) { + if (strcmp(method, "gssapi-keyex") == 0) { char *lname = NULL; PRIVSEP(ssh_gssapi_localname(&lname)); if (lname && lname[0] != '\0') { diff --git a/openssh/ssh_config.5 b/openssh/ssh_config.5 index a72a35b..7f4f1dd 100644 --- a/openssh/ssh_config.5 +++ b/openssh/ssh_config.5 @@ -749,7 +749,6 @@ over another method (e.g.\& .Cm password ) The default for this option is: .Do gssapi-keyex , -external-keyx, gssapi-with-mic, hostbased, publickey, diff --git a/openssh/sshconnect2.c b/openssh/sshconnect2.c index 4744e37..c4136d5 100644 --- a/openssh/sshconnect2.c +++ b/openssh/sshconnect2.c @@ -298,10 +298,7 @@ int userauth_jpake(Authctxt *); void userauth_jpake_cleanup(Authctxt *); #ifdef GSSAPI -int userauth_external(Authctxt *authctxt); int userauth_gssapi(Authctxt *authctxt); -int userauth_gssapi_with_mic(Authctxt *authctxt); -int userauth_gssapi_without_mic(Authctxt *authctxt); void input_gssapi_response(int type, u_int32_t, void *); void input_gssapi_token(int type, u_int32_t, void *); void input_gssapi_hash(int type, u_int32_t, void *); @@ -328,21 +325,11 @@ Authmethod authmethods[] = { NULL, &options.gss_authentication, NULL}, - {"external-keyx", - userauth_external, - NULL, - &options.gss_authentication, - NULL}, {"gssapi-with-mic", userauth_gssapi, NULL, &options.gss_authentication, NULL}, - {"gssapi", - userauth_gssapi, - NULL, - &options.gss_authentication, - NULL}, #endif {"hostbased", userauth_hostbased, 
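Review bot: The narrowed test `if (strcmp(method, "gssapi-keyex") == 0)` in input_userauth_request carries no explanation of why this is the only method that may arrive with an empty user name. From the visible lines, the name is then taken from `ssh_gssapi_localname(&lname)`, presumably using the credential from the GSSAPI key exchange. A comment would record that, for example `/* only gssapi-keyex may omit the user: it is mapped from the key-exchange credential */`. A client that still sends "external-keyx" with an empty user now takes the branch for all other methods, which is outside the hunk. Please confirm that branch rejects the request and logs it, rather than continuing with an empty user name.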
@@ -897,39 +884,6 @@ const gss_OID_desc * const gss_mech_globus_gssapi_openssl; oid->length) == 0)) #endif -int -userauth_external(Authctxt *authctxt) -{ - static int attempt = 0; - - if (attempt++ >= 1) - return 0; - - /* The client MUST NOT try this method if initial key exchange - was not performed using a GSSAPI-based key exchange - method. */ - if (gss_kex_context == NULL) { - debug2("gsskex not performed, skipping external-keyx"); - return 0; - } - - debug2("userauth_external"); - packet_start(SSH2_MSG_USERAUTH_REQUEST); -#ifdef GSI - if (options.implicit && is_gsi_oid(gss_kex_context->oid)) { - packet_put_cstring(""); - } else { -#endif - packet_put_cstring(authctxt->server_user); -#ifdef GSI - } -#endif - packet_put_cstring(authctxt->service); - packet_put_cstring(authctxt->method->name); - packet_send(); - packet_write_wait(); - return 1; -} int userauth_gsskeyex(Authctxt *authctxt) { diff --git a/openssh/version.h b/openssh/version.h index 4c6935b..171d2a6 100644 --- a/openssh/version.h +++ b/openssh/version.h @@ -18,7 +18,7 @@ #define MGLUE_VERSION "" #endif -#define NCSA_VERSION " GLOBUS_GSSAPI_20091020" +#define NCSA_VERSION " GLOBUS_GSSAPI_20100106" #define SSH_VERSION "OpenSSH_5.3" -- 2.45.1