Fix gssapi authentication failures

Resolves: rhbz#2091023 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-07-11 15:34:23 +02:00 · 2022-07-11 15:34:23 +02:00 · 9bf7b4f39d
commit 9bf7b4f39d
parent 585620b0f1
2 changed files with 27 additions and 0 deletions
--- a/openssh-8.7p1-gssapi-auth.patch
+++ b/openssh-8.7p1-gssapi-auth.patch
@ -0,0 +1,20 @@
+diff --color -rup a/monitor.c b/monitor.c
+--- a/monitor.c	2022-07-11 15:11:28.146863144 +0200
+++ b/monitor.c	2022-07-11 15:15:35.726655877 +0200
+@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
+ 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
+ 			auth_log(ssh, authenticated, partial,
+ 			    auth_method, auth_submethod);
+-			if (!partial && !authenticated)
+			if (!partial && !authenticated) {
+#ifdef GSSAPI
+				/* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
+				 * We have to reenable it to try again for gssapi-keyex */
+				if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
+					monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+#endif
+ 				authctxt->failures++;
+			}
+ 			if (authenticated || partial) {
+ 				auth2_update_session_info(authctxt,
+ 				    auth_method, auth_submethod);
--- a/openssh.spec
+++ b/openssh.spec
@ -236,6 +236,10 @@ Patch1002: openssh-8.7p1-ssh-manpage.patch
 # 6c31ba10e97b6953c4f325f526f3e846dfea647a
 # 322964f8f2e9c321e77ebae1e4d2cd0ccc5c5a0b
 Patch1003: openssh-8.7p1-mem-leak.patch
+# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
+# upstream MR:
+# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
+Patch1004: openssh-8.7p1-gssapi-auth.patch

 License: BSD
 Requires: /sbin/nologin
@ -428,6 +432,7 @@ popd
 %patch1001 -p1 -b .scp-clears-file
 %patch1002 -p1 -b .ssh-manpage
 %patch1003 -p1 -b .mem-leak
+%patch1004 -p1 -b .gssapi-auth

 %patch100 -p1 -b .coverity

@ -715,6 +720,8 @@ test -f %{sysconfig_anaconda} && \
  Resolves: rhbz#2033372
 - Fix several memory leaks
  Related: rhbz#2068423
+- Fix gssapi authentication failures
+  Resolves: rhbz#2091023

 * Wed Jun 29 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-10
 - Set minimal value of RSA key length via configuration option