openssh/openssh-7.9p1-gsskex-method.patch

From bc74944ce7a2eabd228d47051f277ce108914c96 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 16 Oct 2018 16:44:40 +0200
Subject: [PATCH] Unbreak authentication using gssapi-keyex (#1625366)

---
 auth2-gss.c    |  6 +++---
 gss-serv.c     |  4 +++-
 monitor.c      | 13 ++++++++++---
 monitor_wrap.c |  4 +++-
 monitor_wrap.h |  2 +-
 ssh-gss.h      |  2 +-
 6 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/auth2-gss.c b/auth2-gss.c
index 3f2ad21d..a61ac089 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -84,7 +84,7 @@ userauth_gsskeyex(Authctxt *authctxt)
 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
 	    &gssbuf, &mic))))
 		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-		    authctxt->pw));
+		    authctxt->pw, 1));
 	
 	sshbuf_free(b);
 	free(mic.value);
@@ -299,7 +299,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
 		fatal("%s: %s", __func__, ssh_err(r));
 
 	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-	    authctxt->pw));
+	    authctxt->pw, 1));
 
 	if ((!use_privsep || mm_is_monitor()) &&
 	    (displayname = ssh_gssapi_displayname()) != NULL)
@@ -347,7 +347,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 
 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
 		authenticated = 
-		    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
+		    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw, 0));
 	else
 		logit("GSSAPI MIC check failed");
 
diff --git a/gss-serv.c b/gss-serv.c
index 786ac95c..87de2baa 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -493,10 +493,12 @@ verify_authentication_indicators(Gssctxt *gssctxt)
 
 /* Privileged */
 int
-ssh_gssapi_userok(char *user, struct passwd *pw)
+ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
 {
 	OM_uint32 lmin;
 
+	(void) kex; /* used in privilege separation */
+
 	if (gssapi_client.exportedname.length == 0 ||
 	    gssapi_client.exportedname.value == NULL) {
 		debug("No suitable client data");
diff --git a/monitor.c b/monitor.c
index 9bbe8cc4..7b1903af 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1877,14 +1877,17 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
 int
 mm_answer_gss_userok(int sock, struct sshbuf *m)
 {
-	int r, authenticated;
+	int r, authenticated, kex;
 	const char *displayname;
 
 	if (!options.gss_authentication && !options.gss_keyex)
 		fatal("%s: GSSAPI authentication not enabled", __func__);
 
+	if ((r = sshbuf_get_u32(m, &kex)) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
 	authenticated = authctxt->valid &&
-	    ssh_gssapi_userok(authctxt->user, authctxt->pw);
+	    ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
 
 	sshbuf_reset(m);
 	if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1893,7 +1896,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
 	debug3("%s: sending result %d", __func__, authenticated);
 	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 
-	auth_method = "gssapi-with-mic";
+	if (kex) {
+		auth_method = "gssapi-keyex";
+	} else {
+		auth_method = "gssapi-with-mic";
+	}
 
 	if ((displayname = ssh_gssapi_displayname()) != NULL)
 		auth2_record_info(authctxt, "%s", displayname);
diff --git a/monitor_wrap.c b/monitor_wrap.c
index fb52a530..508d926d 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -984,13 +984,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 
 int
-mm_ssh_gssapi_userok(char *user, struct passwd *pw)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
 {
 	struct sshbuf *m;
 	int r, authenticated = 0;
 
 	if ((m = sshbuf_new()) == NULL)
 		fatal("%s: sshbuf_new failed", __func__);
+	if ((r = sshbuf_put_u32(m, kex)) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
 	mm_request_receive_expect(pmonitor->m_recvfd,
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 494760dd..5eba5ecc 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -60,7 +60,7 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-int mm_ssh_gssapi_userok(char *user, struct passwd *);
+int mm_ssh_gssapi_userok(char *user, struct passwd *, int kex);
 OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
diff --git a/ssh-gss.h b/ssh-gss.h
index 39b6ce69..98262837 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -162,7 +162,7 @@ gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
 int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, 
     const char *);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name, struct passwd *);
+int ssh_gssapi_userok(char *name, struct passwd *, int kex);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
-- 
2.17.2
Do not break gssapi-kex authentication method 2018-10-16 18:07:43 +00:00			`From bc74944ce7a2eabd228d47051f277ce108914c96 Mon Sep 17 00:00:00 2001`
			`From: Jakub Jelen <jjelen@redhat.com>`
			`Date: Tue, 16 Oct 2018 16:44:40 +0200`
			`Subject: [PATCH] Unbreak authentication using gssapi-keyex (#1625366)`

			`---`
			`auth2-gss.c \| 6 +++---`
			`gss-serv.c \| 4 +++-`
			`monitor.c \| 13 ++++++++++---`
			`monitor_wrap.c \| 4 +++-`
			`monitor_wrap.h \| 2 +-`
			`ssh-gss.h \| 2 +-`
			`6 files changed, 21 insertions(+), 10 deletions(-)`

			`diff --git a/auth2-gss.c b/auth2-gss.c`
			`index 3f2ad21d..a61ac089 100644`
			`--- a/auth2-gss.c`
			`+++ b/auth2-gss.c`
			`@@ -84,7 +84,7 @@ userauth_gsskeyex(Authctxt *authctxt)`
			`if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,`
			`&gssbuf, &mic))))`
			`authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,`
			`- authctxt->pw));`
			`+ authctxt->pw, 1));`

			`sshbuf_free(b);`
			`free(mic.value);`
			`@@ -299,7 +299,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)`
			`fatal("%s: %s", __func__, ssh_err(r));`

			`authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,`
			`- authctxt->pw));`
			`+ authctxt->pw, 1));`

			`if ((!use_privsep \|\| mm_is_monitor()) &&`
			`(displayname = ssh_gssapi_displayname()) != NULL)`
			`@@ -347,7 +347,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)`

			`if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))`
			`authenticated =`
			`- PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));`
			`+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw, 0));`
			`else`
			`logit("GSSAPI MIC check failed");`

			`diff --git a/gss-serv.c b/gss-serv.c`
			`index 786ac95c..87de2baa 100644`
			`--- a/gss-serv.c`
			`+++ b/gss-serv.c`
			`@@ -493,10 +493,12 @@ verify_authentication_indicators(Gssctxt *gssctxt)`

			`/* Privileged */`
			`int`
			`-ssh_gssapi_userok(char user, struct passwd pw)`
			`+ssh_gssapi_userok(char user, struct passwd pw, int kex)`
			`{`
			`OM_uint32 lmin;`

			`+ (void) kex; /* used in privilege separation */`
			`+`
			`if (gssapi_client.exportedname.length == 0 \|\|`
			`gssapi_client.exportedname.value == NULL) {`
			`debug("No suitable client data");`
			`diff --git a/monitor.c b/monitor.c`
			`index 9bbe8cc4..7b1903af 100644`
			`--- a/monitor.c`
			`+++ b/monitor.c`
			`@@ -1877,14 +1877,17 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)`
			`int`
			`mm_answer_gss_userok(int sock, struct sshbuf *m)`
			`{`
			`- int r, authenticated;`
			`+ int r, authenticated, kex;`
			`const char *displayname;`

			`if (!options.gss_authentication && !options.gss_keyex)`
			`fatal("%s: GSSAPI authentication not enabled", __func__);`

			`+ if ((r = sshbuf_get_u32(m, &kex)) != 0)`
			`+ fatal("%s: buffer error: %s", __func__, ssh_err(r));`
			`+`
			`authenticated = authctxt->valid &&`
			`- ssh_gssapi_userok(authctxt->user, authctxt->pw);`
			`+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);`

			`sshbuf_reset(m);`
			`if ((r = sshbuf_put_u32(m, authenticated)) != 0)`
			`@@ -1893,7 +1896,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)`
			`debug3("%s: sending result %d", __func__, authenticated);`
			`mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);`

			`- auth_method = "gssapi-with-mic";`
			`+ if (kex) {`
			`+ auth_method = "gssapi-keyex";`
			`+ } else {`
			`+ auth_method = "gssapi-with-mic";`
			`+ }`

			`if ((displayname = ssh_gssapi_displayname()) != NULL)`
			`auth2_record_info(authctxt, "%s", displayname);`
			`diff --git a/monitor_wrap.c b/monitor_wrap.c`
			`index fb52a530..508d926d 100644`
			`--- a/monitor_wrap.c`
			`+++ b/monitor_wrap.c`
			`@@ -984,13 +984,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)`
			`}`

			`int`
			`-mm_ssh_gssapi_userok(char user, struct passwd pw)`
			`+mm_ssh_gssapi_userok(char user, struct passwd pw, int kex)`
			`{`
			`struct sshbuf *m;`
			`int r, authenticated = 0;`

			`if ((m = sshbuf_new()) == NULL)`
			`fatal("%s: sshbuf_new failed", __func__);`
			`+ if ((r = sshbuf_put_u32(m, kex)) != 0)`
			`+ fatal("%s: buffer error: %s", __func__, ssh_err(r));`

			`mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);`
			`mm_request_receive_expect(pmonitor->m_recvfd,`
			`diff --git a/monitor_wrap.h b/monitor_wrap.h`
			`index 494760dd..5eba5ecc 100644`
			`--- a/monitor_wrap.h`
			`+++ b/monitor_wrap.h`
			`@@ -60,7 +60,7 @@ int mm_sshkey_verify(const struct sshkey , const u_char , size_t,`
			`OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);`
			`OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,`
			`gss_buffer_desc , gss_buffer_desc , OM_uint32 *);`
			`-int mm_ssh_gssapi_userok(char user, struct passwd );`
			`+int mm_ssh_gssapi_userok(char user, struct passwd , int kex);`
			`OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);`
			`OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);`
			`int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);`
			`diff --git a/ssh-gss.h b/ssh-gss.h`
			`index 39b6ce69..98262837 100644`
			`--- a/ssh-gss.h`
			`+++ b/ssh-gss.h`
			`@@ -162,7 +162,7 @@ gss_OID ssh_gssapi_id_kex(Gssctxt , char , int);`
			`int ssh_gssapi_server_check_mech(Gssctxt *,gss_OID, const char ,`
			`const char *);`
			`OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);`
			`-int ssh_gssapi_userok(char name, struct passwd );`
			`+int ssh_gssapi_userok(char name, struct passwd , int kex);`
			`OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);`
			`void ssh_gssapi_do_child(char **, u_int );`
			`void ssh_gssapi_cleanup_creds(void);`
			`--`
			`2.17.2`