Re: Question about sshbuf

On May 23, 2022, at 5:01 PM, Ron Frederick <ronf@xxxxxxxxxxxxx> wrote:
> The only remaining issue I’m seeing is around getting this patched OpenSSH to offer gssapi-keyex as an auth method when running it as a server. Even when it correctly negotiates GSS key exchange, it doesn’t offer gssapi-keyex as a valid auth method to clients, so they end up falling back to gssapi-with-mic instead. This only happens when running it as a server — if another server offers gssapi-keyex, this patched OpenSSH client has no problem completing gssapi-keyex auth. I’ll take a closer look at that next.


I found this issue tonight as well. It turns out that the Authmethod type recently added a “synonym” member, but the definition for the GSS keyex auth method was not updated to include this field when the Debian patch was put together, causing the members after it to be initiated with the wrong values. Thankfully, the fix is very simple:

--- auth2-gss.c.orig	2022-05-23 19:49:36.000000000 -0700
+++ auth2-gss.c	2022-05-23 20:46:17.000000000 -0700
@@ -373,6 +373,7 @@

 Authmethod method_gsskeyex = {
 	"gssapi-keyex",
+	NULL,
 	userauth_gsskeyex,
 	&options.gss_authentication
 };
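Review bot: the added `NULL` makes the positional initializer line up with the new `synonym` member, but the fragility that caused the bug remains: any member inserted into `Authmethod` upstream will silently shift these values again. Designated initializers (`.name = "gssapi-keyex",` / `.userauth = userauth_gsskeyex,` / `.enabled = &options.gss_authentication`) bind each value to its field and leave `synonym` zero-initialized without a placeholder, which is worth considering for a struct that is maintained out of tree.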

It looks like this change was made in https://github.com/openssh/openssh-portable/commit/dbb339f and also includes adding a second argument to the userauth functions, so really the diff should probably be:

--- auth2-gss.c.orig	2022-05-23 19:49:36.000000000 -0700
+++ auth2-gss.c	2022-05-23 20:57:45.000000000 -0700
@@ -59,7 +59,7 @@
  * The 'gssapi_keyex' userauth mechanism.
  */
 static int
-userauth_gsskeyex(struct ssh *ssh)
+userauth_gsskeyex(struct ssh *ssh, const char *method)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	int r, authenticated = 0;
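Review bot: the new `const char *method` parameter is not used in the visible part of the body; if the rest of `userauth_gsskeyex` does not use it either, builds with `-Wextra` will report an unused parameter, so either add `(void)method;` or use it in the debug message. The signature must also match any forward declaration of `userauth_gsskeyex` elsewhere in auth2-gss.c (none is shown in this hunk), otherwise the file will not compile.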
@@ -373,6 +373,7 @@

 Authmethod method_gsskeyex = {
 	"gssapi-keyex",
+	NULL,
 	userauth_gsskeyex,
 	&options.gss_authentication
 };
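Review bot: this hunk is identical to the one in the first diff, so applying the second diff on top of a tree that already has the first will fail here with `NULL` already present; anyone who applied the first diff needs only the signature hunk above.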

The commit which added this was from December of 2021, so it probably didn’t show up until 8.9p1. As a result, this change wouldn’t apply to the version at https://github.com/openssh-gsskex/openssh-gsskex/ yet.

With this fix, gssapi-keyex authentication is now properly enabled and functional for both the client and server.
-- 
Ron Frederick
ronf@xxxxxxxxxxxxx
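The failure mode described in the message above, shown as an added example (this is not code from the email or from OpenSSH itself). The `Authmethod` struct, the `options` variable and `method_is_offered()` are constructed stand-ins: they follow the member names used in the patch, and `method_is_offered()` models the `enabled` check the sshd authentication code applies when it builds the list of methods to advertise (a NULL or zero `enabled` pointer hides the method). The stale initializer is written with three correctly typed values rather than reproducing the real type-shifted one, so that it compiles cleanly; the effect on the last member is the same.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for OpenSSH's Authmethod after the "synonym" member
 * was inserted after "name". Member names follow the patch; the rest of the
 * struct is simplified for this example. */
struct ssh;
typedef struct Authmethod {
	const char *name;
	const char *synonym;       /* newer member; NULL when there is none */
	int (*userauth)(struct ssh *, const char *);
	int *enabled;              /* NULL or pointing at 0 => not advertised */
} Authmethod;

/* Constructed stand-in for ServerOptions.gss_authentication. */
static struct { int gss_authentication; } options = { 1 };

/* Stub matching the two-argument signature from the second diff. */
static int
userauth_gsskeyex(struct ssh *ssh, const char *method)
{
	(void)ssh;
	(void)method;
	return 0;
}

/* Correct positional initializer, exactly as in the patch. */
Authmethod method_gsskeyex = {
	"gssapi-keyex",
	NULL,
	userauth_gsskeyex,
	&options.gss_authentication
};

/* Designated initializers bind each value to a field name, so a member
 * inserted into the struct later cannot shift "enabled" out of place and
 * "synonym" is zero-initialized without a NULL placeholder. */
Authmethod method_gsskeyex_designated = {
	.name = "gssapi-keyex",
	.userauth = userauth_gsskeyex,
	.enabled = &options.gss_authentication,
};

/* Stale initializer with one value too few. In the real bug the values were
 * shifted one slot (the function pointer landed in "synonym", the options
 * address in "userauth"); whichever way the shortfall happens, the trailing
 * member is implicitly zero, so "enabled" ends up NULL. */
Authmethod method_gsskeyex_stale = {
	"gssapi-keyex",
	NULL,
	userauth_gsskeyex
};

/* Models the gate sshd applies when assembling the methods offered to the
 * client: a method whose "enabled" pointer is NULL, or points at 0, is
 * silently left out, which is why the client never sees gssapi-keyex. */
int
method_is_offered(const Authmethod *m)
{
	return m->enabled != NULL && *m->enabled != 0;
}

int
main(void)
{
	const Authmethod *methods[] = {
		&method_gsskeyex, &method_gsskeyex_designated, &method_gsskeyex_stale
	};
	const char *labels[] = { "positional (patched)", "designated", "stale (3 values)" };
	size_t i;

	for (i = 0; i < sizeof(methods) / sizeof(methods[0]); i++)
		printf("%-22s -> %s\n", labels[i],
		    method_is_offered(methods[i]) ? "offered" : "hidden");
	return 0;
}
```

Running it prints "offered" for the patched and designated initializers and "hidden" for the stale one, which matches the symptom in the thread: the server negotiates GSS key exchange fine, but the method list it advertises afterwards simply omits gssapi-keyex, so clients fall back to gssapi-with-mic.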



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev