File openssh-5.8p1-gssapimitm.patch of Package openssh

Overview Repositories Revisions Requests Users Attributes Meta

File openssh-5.8p1-gssapimitm.patch of Package openssh

The patch below adds support for the deprecated 'gssapi' authentication
mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
in this release. The use of 'gssapi' is deprecated due to the presence of 
potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
susceptible to.

To use the patch apply it to a OpenSSH 3.8p1 source tree. After compiling,
backwards compatibility may be obtained by supplying the 
'GssapiEnableMitmAttack yes' option to either the client or server.

It should be noted that this patch is being made available purely as a means
of easing the process of moving to OpenSSH 3.8p1. Any new installations are
recommended to use the 'gssapi-with-mic' mechanism. Existing installations 
are encouraged to upgrade as soon as possible.

Index: auth2-gss.c
===================================================================
--- auth2-gss.c.orig
+++ auth2-gss.c
@@ -177,6 +177,15 @@ input_gssapi_token(int type, u_int32_t p
 				dispatch_set(
 				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
 				    &input_gssapi_exchange_complete);
+
+			/*
+			 * Old style 'gssapi' didn't have the GSSAPI_MIC
+			 * and went straight to sending exchange_complete
+			 */
+			if (options.gss_enable_mitm)
+				dispatch_set(
+				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
+				    &input_gssapi_exchange_complete);
 		}
 	}
 
@@ -298,4 +307,10 @@ Authmethod method_gssapi = {
 	&options.gss_authentication
 };
 
+Authmethod method_gssapi_old = {
+	"gssapi",
+	userauth_gssapi,
+	&options.gss_enable_mitm
+};
+
 #endif /* GSSAPI */
Index: auth2.c
===================================================================
--- auth2.c.orig
+++ auth2.c
@@ -70,6 +70,7 @@ extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
 #ifdef GSSAPI
 extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
 #endif
 #ifdef JPAKE
 extern Authmethod method_jpake;
@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
 	&method_pubkey,
 #ifdef GSSAPI
 	&method_gssapi,
+	&method_gssapi_old,
 #endif
 #ifdef JPAKE
 	&method_jpake,
Index: readconf.c
===================================================================
--- readconf.c.orig
+++ readconf.c
@@ -128,7 +128,7 @@ typedef enum {
 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -170,9 +170,11 @@ static struct {
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapienablemitmattack", oGssEnableMITM },
 #else
 	{ "gssapiauthentication", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapienablemitmattack", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -483,6 +485,10 @@ parse_flag:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssEnableMITM:
+		intptr = &options->gss_enable_mitm;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1093,6 +1099,7 @@ initialize_options(Options * options)
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_enable_mitm = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1195,6 +1202,8 @@ fill_default_options(Options * options)
 		options->gss_authentication = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_enable_mitm == -1)
+		options->gss_enable_mitm = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
Index: readconf.h
===================================================================
--- readconf.h.orig
+++ readconf.h
@@ -47,6 +47,7 @@ typedef struct {
 					/* Try S/Key or TIS, authentication. */
 	int     gss_authentication;	/* Try GSS authentication */
 	int     gss_deleg_creds;	/* Delegate GSS credentials */
+	int 	gss_enable_mitm;	/* Enable old style gssapi auth */
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
Index: servconf.c
===================================================================
--- servconf.c.orig
+++ servconf.c
@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
+	options->gss_enable_mitm = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption
 		options->gss_authentication = 0;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
+	if (options->gss_enable_mitm == -1)
+		options->gss_enable_mitm = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -322,7 +325,7 @@ typedef enum {
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
-	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -386,9 +389,11 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+	{ "gssapienablemitmattack", sGssEnableMITM },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapienablemitmattack", sUnsupported },
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
 
+	case sGssEnableMITM:
+		intptr = &options->gss_enable_mitm;
+		goto parse_flag;
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
Index: servconf.h
===================================================================
--- servconf.h.orig
+++ servconf.h
@@ -98,6 +98,7 @@ typedef struct {
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
+	int	gss_enable_mitm;	/* If true, enable old style GSSAPI */
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
Index: ssh_config
===================================================================
--- ssh_config.orig
+++ ssh_config
@@ -54,5 +54,15 @@ ForwardX11Trusted yes
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#   GSSAPIEnableMITMAttack no
+
+>>>>>>>
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
Index: sshconnect2.c
===================================================================
--- sshconnect2.c.orig
+++ sshconnect2.c
@@ -324,6 +324,10 @@ Authmethod authmethods[] = {
 		NULL,
 		&options.gss_authentication,
 		NULL},
+	{"gssapi",
+		userauth_gssapi,
+		&options.gss_enable_mitm,
+		NULL},
 #endif
 	{"hostbased",
 		userauth_hostbased,
@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf
 
 	if (status == GSS_S_COMPLETE) {
 		/* send either complete or MIC, depending on mechanism */
-		if (!(flags & GSS_C_INTEG_FLAG)) {
+
+		if (strcmp(authctxt->method->name,"gssapi")==0 ||
+		    (!(flags & GSS_C_INTEG_FLAG))) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 			packet_send();
 		} else {
Index: sshd_config
===================================================================
--- sshd_config.orig
+++ sshd_config
@@ -73,6 +73,12 @@ PasswordAuthentication no
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#GSSAPIEnableMITMAttack no
+
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
 # be allowed through the ChallengeResponseAuthentication and

Places

File openssh-5.8p1-gssapimitm.patch of Package openssh

Places