From 86a22a0a7eda4bbef1e9d7157145cf6b7f42f1a1 Mon Sep 17 00:00:00 2001
From: jbasney
Date: Mon, 19 Feb 2007 02:36:41 +0000
Subject: [PATCH] update to match patch in http://bugzilla.mindrot.org/show_bug.cgi?id=1100 and fix bug in empty usernames for gssapi-with-mic
---
 openssh/auth.c | 4 ++--
 openssh/auth2-gss.c | 41 ++++++++++++++++++++---------------------
 openssh/auth2.c | 24 +++++++++++-------------
 3 files changed, 33 insertions(+), 36 deletions(-)
diff --git a/openssh/auth.c b/openssh/auth.c
index c745098..8ed27b9 100644
--- a/openssh/auth.c
+++ b/openssh/auth.c
@@ -269,7 +269,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 method,
 authctxt->valid ? "" : "invalid user ",
 (authctxt->user && authctxt->user[0]) ?
- authctxt->user : "",
+ authctxt->user : "unknown",
 get_remote_ipaddr(),
 get_remote_port(),
 info);
@@ -488,7 +488,7 @@ getpwnamallow(const char *user)
 pw = getpwnam(user);
 if (pw == NULL) {
 logit("Invalid user %.100s from %.100s",
- (user && user[0]) ? user : "",
+ (user && user[0]) ? user : "unknown",
 get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN
 record_failed_login(user,
diff --git a/openssh/auth2-gss.c b/openssh/auth2-gss.c
index fab7cc2..afb2745 100644
--- a/openssh/auth2-gss.c
+++ b/openssh/auth2-gss.c
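Review bot: The "unknown" fallback introduced in both auth.c hunks (auth_log at -269 and getpwnamallow at -488) cannot be told apart in the log from a client that literally sends the user name "unknown", so tools that parse the "invalid user <name>" lines lose the ability to distinguish an empty name from an attacker-chosen one. The same sentinel is what setproctitle in auth2.c uses, so this looks deliberate; a comment at the first substitution such as `/* empty username: log the same "unknown" sentinel setproctitle uses */` would record that choice and stop a later reader from changing it back to an empty string. Both enclosing functions continue outside their hunks.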
@@ -287,29 +287,28 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 }
 static void
-gssapi_set_implicit_username(Authctxt *authctxt)
+gssapi_set_username(Authctxt *authctxt)
 {
+ char *lname = NULL;
+
 if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) {
- char *lname = NULL;
- PRIVSEP(ssh_gssapi_localname(&lname));
- if (lname && lname[0] != '\0') {
- if (authctxt->user) xfree(authctxt->user);
- authctxt->user = lname;
- debug("set username to %s from gssapi context", lname);
- authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
- if (authctxt->pw) {
- authctxt->valid = 1;
- }
- } else {
- debug("failed to set username from gssapi context");
- packet_send_debug("failed to set username from gssapi context");
- }
- }
- if (authctxt->pw) {
+ PRIVSEP(ssh_gssapi_localname(&lname));
+ if (lname && lname[0] != '\0') {
+ if (authctxt->user) xfree(authctxt->user);
+ authctxt->user = lname;
+ debug("set username to %s from gssapi context", lname);
+ authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
+ if (authctxt->pw) {
+ authctxt->valid = 1;
 #ifdef USE_PAM
- if (options.use_pam)
- PRIVSEP(start_pam(authctxt));
+ if (options.use_pam)
+ PRIVSEP(start_pam(authctxt));
 #endif
+ }
+ } else {
+ debug("failed to set username from gssapi context");
+ packet_send_debug("failed to set username from gssapi context");
+ }
 }
 }
@@ -383,8 +382,6 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 fatal("No authentication or GSSAPI context");
- gssapi_set_implicit_username(authctxt);
-
 gssctxt = authctxt->methoddata;
 mic.value = packet_get_string(&len);
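Review bot: In gssapi_set_username, `authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));` replaces the fakepw() placeholder that the auth2.c -205 hunk installs for the empty-user GSSAPI case, and when the lookup fails it leaves authctxt->pw NULL instead of that placeholder, which other parts of the authentication path may assume is non-NULL. Restoring the placeholder on failure, e.g. an else branch on the existing `if (authctxt->pw) {` reading `} else { authctxt->pw = fakepw(); }`, would keep that invariant, provided fakepw() is declared in a header this file includes. The new block also leaves authctxt->user set to the unresolved local name with valid still 0, which appears intended but deserves a one-line comment so nobody treats a non-empty user as a resolved one. The following -383 hunk is a pure deletion of the old call site.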
@@ -396,6 +393,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 gssbuf.value = buffer_ptr(&b);
 gssbuf.length = buffer_len(&b);
+ gssapi_set_username(authctxt);
+
 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
diff --git a/openssh/auth2.c b/openssh/auth2.c
index a660c83..8e9b544 100644
--- a/openssh/auth2.c
+++ b/openssh/auth2.c
@@ -187,7 +187,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 if ((style = strchr(user, ':')) != NULL)
 *style++ = 0;
- /* If first time or username changed or implicit username,
+ /* If first time or username changed or empty username,
 setup/reset authentication context. */
 if ((authctxt->attempt++ == 0) ||
 (strcmp(user, authctxt->user) != 0) ||
@@ -197,6 +197,10 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 authctxt->user = NULL;
 }
 authctxt->valid = 0;
+ authctxt->user = xstrdup(user);
+ if (strcmp(service, "ssh-connection") != 0) {
+ packet_disconnect("Unsupported service %s", service);
+ }
 #ifdef GSSAPI
 /* If we're going to set the username based on the GSSAPI context later, then wait until then to
@@ -205,12 +209,10 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 ((strcmp(method, "gssapi") == 0) ||
 (strcmp(method, "gssapi-with-mic") == 0))) {
 authctxt->pw = fakepw();
- authctxt->user = xstrdup(user);
 } else {
 #endif
 authctxt->pw = PRIVSEP(getpwnamallow(user));
- authctxt->user = xstrdup(user);
- if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
+ if (authctxt->pw) {
 authctxt->valid = 1;
 debug2("input_userauth_request: setting up authctxt for %s", user);
 } else {
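Review bot: The reason gssapi_set_username is now called only after gssbuf has been assembled deserves a comment, since a later tidy-up could easily hoist it back above the buffer build (where the removed call used to sit) and silently reintroduce the empty-username bug this commit fixes. The MIC buffer built just above the hunk presumably incorporates authctxt->user exactly as the client sent it, so deriving the real name from the GSSAPI context must wait until after that point. Suggested comment on the new call: `/* Must follow the MIC buffer build: the client's MIC covers the username it sent (possibly empty), not the name derived from the context. */`. input_gssapi_mic starts and ends outside this hunk.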
@@ -229,16 +231,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #endif
 setproctitle("%s%s", authctxt->valid ? user : "unknown",
 use_privsep ? " [net]" : "");
-#ifdef GSSAPI
 if (authctxt->attempt == 1) {
-#endif
- authctxt->service = xstrdup(service);
- authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
- mm_inform_authserv(service, style);
-#ifdef GSSAPI
- } /* if (authctxt->attempt == 1) */
-#endif
+ authctxt->service = xstrdup(service);
+ authctxt->style = style ? xstrdup(style) : NULL;
+ if (use_privsep)
+ mm_inform_authserv(service, style);
+ }
 }
 if (strcmp(service, authctxt->service) != 0) {
 packet_disconnect("Change of service not allowed: "
-- 
2.45.1
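Review bot: With the #ifdef GSSAPI pair removed, `authctxt->service`, `authctxt->style` and the `mm_inform_authserv()` call are now unconditionally restricted to `authctxt->attempt == 1`, yet the reset block containing them is also entered when the username changes (the `strcmp(user, authctxt->user) != 0` term in the -187 hunk), and on such a later reset the freshly parsed `style` is dropped and the monitor is not re-informed. If a `user:style` suffix on the second name is meant to be honoured, the style assignment and mm_inform_authserv() should run on every reset rather than only the first; if it is not, a comment such as `/* service and style are fixed by the first request; later resets keep them */` would make that explicit. input_userauth_request continues outside the hunk.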