Bug 1100

Summary: GSSAPI-with-mic doesn't handle empty usernames
Product: Portable OpenSSH Reporter: David Leonard <David.Leonard>
Component: Kerberos supportAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: normal CC: djm, jbasney, simon
Priority: P2    
Version: 4.2p1   
Hardware: Other   
OS: All   
Attachments:
Description Flags
patch to support empty usernames with gssapi-with-mic none

Description David Leonard 2005-10-10 12:24:10 AEST 
A feature of gssapi-with-mic authentication is that the username can be empty as the server should be able to figure out what username to use from the established credentials.

   3.2 [...] "The user name may be an empty string if it can be deduced from the
   results of the GSSAPI authentication."

http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-10.txt

Our modified PuTTY client has support for this; it sends a packet like this

Outgoing packet type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
  00000000  00 00 00 00 00 00 00 0e 73 73 68 2d 63 6f 6e 6e  ........ssh-conn
  00000010  65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 70 69  ection....gssapi
  00000020  2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 00 00  -with-mic.......
  00000030  0b 06 09 2a 86 48 86 f7 12 01 02 02              ...*.H......

but OpenSSH 4.2p1 server sends back

Incoming packet type 51 / 0x33 (SSH2_MSG_USERAUTH_FAILURE)
  00000000  00 00 00 44 70 75 62 6c 69 63 6b 65 79 2c 67 73  ...Dpublickey,gs
  00000010  73 61 70 69 2d 6b 65 79 65 78 2c 67 73 73 61 70  sapi-keyex,gssap
  00000020  69 2d 77 69 74 68 2d 6d 69 63 2c 70 61 73 73 77  i-with-mic,passw
  00000030  6f 72 64 2c 6b 65 79 62 6f 61 72 64 2d 69 6e 74  ord,keyboard-int
  00000040  65 72 61 63 74 69 76 65 00                       eractive.

I think this can be solved in two parts; first, a credential->user mapping. For krb5 gssapi, I'd guess the username to use is the non-realm part of the UPN? 

Second, auth2.c calls pwnamallow("") early, before attempting the gssapi authentication. Untangling this bit of code from the (given) username check so as to allow empty usernames is not going to be simple. The gss token exchange has to complete before a username can be determined.
Comment 1 Darren Tucker 2006-08-18 21:12:44 AEST 
(In reply to comment #0)
> Second, auth2.c calls pwnamallow("") early, before attempting the
> gssapi authentication. Untangling this bit of code from the (given)
> username check so as to allow empty usernames is not going to be
> simple. The gss token exchange has to complete before a username can be
> determined.

There's an example of how to work around this for PAM in bug #1215 although it may not be the best way.
Comment 2 Jim Basney 2006-11-15 11:17:46 AEDT 
Created attachment 1207 [details]
patch to support empty usernames with gssapi-with-mic

This patch (against CVS tag V_4_5_P1) works for me.  Hope it's useful.
Comment 3 Damien Miller 2020-01-26 00:28:46 AEDT 
Similar to bug #1215 - we do not wish to support user-renaming in at authentication time in OpenSSH. It makes many things more confusing to reason about, sorry.
Comment 4 Damien Miller 2021-03-04 09:51:40 AEDT 
close bugs that were resolved in OpenSSH 8.5 release cycle