Bug 1218

Summary:

GSSAPI client code permits SPNEGO usage

Product:

Portable OpenSSH

Reporter:

Simon Wilkinson <simon>

Component:

Kerberos support

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

normal

Priority:

Version:

4.3p2

Hardware:

Other

OS:

All

Bug Depends on:

Bug Blocks:

1155

Attachments:

Description	Flags
Fix to prevent OpenSSH offering SPENGO to a server	none
Fix to incorrect return code in patch	none

Description Simon Wilkinson 2006-08-18 00:51:26 AEST

RFC4462 states that "mechanisms conforming to this document MUST NOT use SPNEGO as the underlying GSS-API mechanism".

Unfortunately, the check in the GSSAPI client code has disappeared somewhere in the midsts
of time. The attached patch reinstates this check, as well as tidying up the mechanism checking
code.

I hope its in suitable KNF.

Comment 1 Simon Wilkinson 2006-08-18 04:33:16 AEST

Created attachment 1174 [details]
Fix to prevent OpenSSH offering SPENGO to a server

Patch against latest portable CVS.

Comment 2 Damien Miller 2006-08-18 23:55:44 AEST

fix applied - thanks

Comment 3 Simon Wilkinson 2006-08-19 03:24:12 AEST

Sorry for the trouble. I've just realised I've got the return code in the SPNEGO case. Instead
of returning (-1) - TRUE, we should return 0 - FALSE. The -1 was left from a previous version
that returned error codes, rather than a true/false value.

Trivial patch is about to be attached. 

Sorry once again!

Simon.

Comment 4 Simon Wilkinson 2006-08-19 03:27:00 AEST

Created attachment 1175 [details]
Fix to incorrect return code in patch

Comment 5 Damien Miller 2006-08-19 08:45:06 AEST

applied - thanks

Comment 6 Darren Tucker 2006-09-28 19:26:28 AEST

With the release of 4.4, we believe that this bug is now closed.  For information about the release please see http://www.openssh.com/txt/release-4.4 .