1100 – GSSAPI-with-mic doesn't handle empty usernames

Bug 1100 - GSSAPI-with-mic doesn't handle empty usernames

Summary: GSSAPI-with-mic doesn't handle empty usernames

Status:	CLOSED WONTFIX

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	Kerberos support (show other bugs)
Version:	4.2p1
Hardware:	Other All

Importance:	P2 normal
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2005-10-10 12:24 AEST by David Leonard
Modified:	2021-03-04 09:51 AEDT (History)
CC List:	3 users (show)

See Also:

Attachments
patch to support empty usernames with gssapi-with-mic (12.49 KB, patch) 2006-11-15 11:17 AEDT, Jim Basney	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Leonard 2005-10-10 12:24:10 AEST

A feature of gssapi-with-mic authentication is that the username can be empty as the server should be able to figure out what username to use from the established credentials.

   3.2 [...] "The user name may be an empty string if it can be deduced from the
   results of the GSSAPI authentication."

http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-10.txt

Our modified PuTTY client has support for this; it sends a packet like this

Outgoing packet type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
  00000000  00 00 00 00 00 00 00 0e 73 73 68 2d 63 6f 6e 6e  ........ssh-conn
  00000010  65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 70 69  ection....gssapi
  00000020  2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 00 00  -with-mic.......
  00000030  0b 06 09 2a 86 48 86 f7 12 01 02 02              ...*.H......

but OpenSSH 4.2p1 server sends back

Incoming packet type 51 / 0x33 (SSH2_MSG_USERAUTH_FAILURE)
  00000000  00 00 00 44 70 75 62 6c 69 63 6b 65 79 2c 67 73  ...Dpublickey,gs
  00000010  73 61 70 69 2d 6b 65 79 65 78 2c 67 73 73 61 70  sapi-keyex,gssap
  00000020  69 2d 77 69 74 68 2d 6d 69 63 2c 70 61 73 73 77  i-with-mic,passw
  00000030  6f 72 64 2c 6b 65 79 62 6f 61 72 64 2d 69 6e 74  ord,keyboard-int
  00000040  65 72 61 63 74 69 76 65 00                       eractive.

I think this can be solved in two parts; first, a credential->user mapping. For krb5 gssapi, I'd guess the username to use is the non-realm part of the UPN? 

Second, auth2.c calls pwnamallow("") early, before attempting the gssapi authentication. Untangling this bit of code from the (given) username check so as to allow empty usernames is not going to be simple. The gss token exchange has to complete before a username can be determined.

Comment 1 Darren Tucker 2006-08-18 21:12:44 AEST

(In reply to comment #0)
> Second, auth2.c calls pwnamallow("") early, before attempting the
> gssapi authentication. Untangling this bit of code from the (given)
> username check so as to allow empty usernames is not going to be
> simple. The gss token exchange has to complete before a username can be
> determined.

There's an example of how to work around this for PAM in bug #1215 although it may not be the best way.

Comment 2 Jim Basney 2006-11-15 11:17:46 AEDT

Created attachment 1207 [details]
patch to support empty usernames with gssapi-with-mic

This patch (against CVS tag V_4_5_P1) works for me.  Hope it's useful.

Comment 3 Damien Miller 2020-01-26 00:28:46 AEDT

Similar to bug #1215 - we do not wish to support user-renaming in at authentication time in OpenSSH. It makes many things more confusing to reason about, sorry.

Comment 4 Damien Miller 2021-03-04 09:51:40 AEDT

close bugs that were resolved in OpenSSH 8.5 release cycle