Pending OpenSSH release: contains Kerberos/GSSAPI changes
Wachdorf, Daniel R
drwachd at sandia.gov
Fri Jan 30 17:53:21 EST 2004
Ben,
This will break GSSAPI_WITH_MIC if clients don't do GSS_C_MUTUAL as outlined
by the standard. Ie - follow the standard and it wont work. So I guess
that means it's broke.
I can get a patch to you, what version of the source should I patch, a
nightly snapshot?
-dan
-----Original Message-----
From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
Sent: Friday, January 30, 2004 3:47 PM
To: Wachdorf, Daniel R
Cc: 'Jeffrey Hutzelman'; kerberos at mit.edu; krbdev at mit.edu;
heimdal-discuss at sics.se; ietf-ssh at NetBSD.org; OpenSSH Devel List
Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes
I need someone to look at this and get back to us ASAP in regards to if
this will break GSSAPI-WITH-MIC.
If this does break something. GET US A PATCH NOW or live with broke
GSSAPI-WITH-MIC support for 6 months.
If it is just a "clean up" thing that can be handled after 3.9 release.
Fine, but I don't want to listen to 6 months of whining if it is. <weak
smile>
- Ben
On Fri, 30 Jan 2004, Wachdorf, Daniel R wrote:
> No, there is another place in the code where GSS_C_INTEG_FLAG is checked.
> It then either verifies the MIC or processes an EXCHANGE_COMPLETE message.
>
> -dan
>
>
> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:jhutz at cmu.edu]
> Sent: Friday, January 30, 2004 2:44 PM
> To: Wachdorf, Daniel R; 'Darren Tucker'; kerberos at mit.edu; krbdev at mit.edu;
> heimdal-discuss at sics.se
> Cc: OpenSSH Devel List; ietf-ssh at NetBSD.org
> Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes
>
> On Friday, January 30, 2004 09:41:26 -0700 "Wachdorf, Daniel R"
> <drwachd at sandia.gov> wrote:
>
> > The client sets this to true, not really a problem. Our modified
f-secure
> > client does the same thing. However, if GSS_C_MUTUAL_FLAG is not set,
> > then the open ssh server rejects the connection. The following line of
> > code (from gss-serv.c):
> >
> > /* Now, if we're complete and we have the right flags, then
> > * we flag the user as also having been authenticated
> > */
> >
> > if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
> > (*flags & GSS_C_INTEG_FLAG))) && (ctx->major ==
> > GSS_S_COMPLETE)) {
> > if (ssh_gssapi_getclient(ctx, &gssapi_client))
> > fatal("Couldn't convert client name");
> > }
> >
> >
> > This requires the client to set GSS_C_MUTUAL, which conflicts with the
> > draft.
>
> Indeed, it does. The server is not supposed to check the state of the
> mutual_flag of a context accepted for gssapi-with-mic user auth. I know
> the draft is not entirely clear on this point; would it help if there were
> text indicating the server MUST NOT do this?
>
>
> Also, I've not actually read this code, other than what's quoted above,
but
> I hope that's not the only place that flags are checked. I'm assuming the
> openssh code actually implements -07 and 'gssapi-with-mic'. In the new
> method, the client's final message is either SSM_MSG_USERAUTH_GSSAPI_MIC
or
> SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, depending entirely on whether
> GSS_C_INTEG_FLAG is set. The server is REQUIRED to fail the
authentication
> if the client sends the wrong message; this means the value of
> GSS_C_INTEG_FLAG must be tested.
>
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
More information about the Kerberos
mailing list