Hi everyone,

I created a patch for CVE-2018-15919, "user enumeration via auth2-gss.c" (even though it is not user enumeration). While this patch appears to fix the problem, at least from my small amount of testing, I can't be sure that I am not introducing a new bug or a new security hole. Hopefully some people who are more knowledgeable can take a look.

The fix is two parts:

1) When a valid username is presented, sshd responds with SSH_MSG_USERAUTH_INFO_REQUEST. Otherwise, sshd responds with SSH_MSG_USERAUTH_FAILURE. My solution to this is to remove the code that presents the SSH_MSG_USERAUTH_FAILURE when an invalid username is presented. The expectation is that the login will be invalidated if/when the gssapi credentials are presented later.

2) The failure count is not incremented when a valid username is presented, but credentials are not. I created an interim value, was_postponed, that records the value of postponed so that when postponed is reset and the authentication is checked it can be used to determine whether the failure count can be increased.

I hope that you will find this useful.

Thanks,
Jason Sikes
Index: openssh-7.6p1/auth2-gss.c =================================================================== --- openssh-7.6p1.orig/auth2-gss.c +++ openssh-7.6p1/auth2-gss.c @@ -135,12 +135,6 @@ userauth_gssapi(struct ssh *ssh) return (0); } - if (!authctxt->valid || authctxt->user == NULL) { - debug2("%s: disabled because of invalid user", __func__); - free(doid); - return (0); - } - if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); Index: openssh-7.6p1/auth2.c =================================================================== --- openssh-7.6p1.orig/auth2.c +++ openssh-7.6p1/auth2.c @@ -223,6 +223,7 @@ input_userauth_request(int type, u_int32 Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; + int was_postponed = authctxt->postponed; if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); @@ -287,6 +288,8 @@ input_userauth_request(int type, u_int32 if (m != NULL && authctxt->failures < options.max_authtries) { debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(ssh); + if (!authenticated && was_postponed) + authctxt->failures++; } userauth_finish(ssh, authenticated, method, NULL);
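Review bot: the removed block in auth2-gss.c also guarded `authctxt->user == NULL`, and nothing in this hunk replaces that half of the condition; only the `!authctxt->valid` half is relevant to the differing USERAUTH_FAILURE response, so consider keeping `if (authctxt->user == NULL) { free(doid); return (0); }` or state why the GSSAPI method can no longer be entered with a NULL user. With the early return gone, `ssh_gssapi_server_ctx()` is now requested through PRIVSEP for names that failed the `valid` check, so the later token/MIC handlers (not in this diff) must reject on `authctxt->valid` rather than on the GSSAPI principal alone; the cover note relies on that later rejection, so please point at, or add, that check in the completion path.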
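Review bot: in the first auth2.c hunk, `int was_postponed = authctxt->postponed;` dereferences `authctxt` two lines before the `if (authctxt == NULL) fatal("input_userauth_request: no authctxt");` check, which makes that check dead. Declare `int was_postponed;` with the other locals and assign it after the fatal() check but before the point where `postponed` is reset, which is the value the cover note says it is meant to capture.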
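Review bot: in the second auth2.c hunk the new `if (!authenticated && was_postponed) authctxt->failures++;` sits inside the `m != NULL && authctxt->failures < options.max_authtries` block, so it charges the abandoned postponed attempt against whatever method the client sends next, and a request for an unknown method (`m == NULL`) after a postponed attempt is not counted at all. The increment also runs immediately before `userauth_finish(ssh, authenticated, method, NULL)`; confirm that a non-postponed failure of the new method is not then counted twice (once here and once in userauth_finish), and consider doing the abandoned-attempt accounting at the point where `postponed` is reset, independent of `m`, so the count reflects the attempt that actually went unanswered.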
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev