[Bug 1100] GSSAPI-with-mic doesn't handle empty usernames

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Oct 10 12:24:13 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=1100

           Summary: GSSAPI-with-mic doesn't handle empty usernames
           Product: Portable OpenSSH
           Version: 4.2p1
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: dleonard at vintela.com


A feature of gssapi-with-mic authentication is that the username can be empty
as the server should be able to figure out what username to use from the
established credentials.

   3.2 [...] "The user name may be an empty string if it can be deduced from
   the results of the GSSAPI authentication."

http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-10.txt

Our modified PuTTY client has support for this; it sends a packet like this

Outgoing packet type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
  00000000  00 00 00 00 00 00 00 0e 73 73 68 2d 63 6f 6e 6e  ........ssh-conn
  00000010  65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 70 69  ection....gssapi
  00000020  2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 00 00  -with-mic.......
  00000030  0b 06 09 2a 86 48 86 f7 12 01 02 02              ...*.H......

but OpenSSH 4.2p1 server sends back

Incoming packet type 51 / 0x33 (SSH2_MSG_USERAUTH_FAILURE)
  00000000  00 00 00 44 70 75 62 6c 69 63 6b 65 79 2c 67 73  ...Dpublickey,gs
  00000010  73 61 70 69 2d 6b 65 79 65 78 2c 67 73 73 61 70  sapi-keyex,gssap
  00000020  69 2d 77 69 74 68 2d 6d 69 63 2c 70 61 73 73 77  i-with-mic,passw
  00000030  6f 72 64 2c 6b 65 79 62 6f 61 72 64 2d 69 6e 74  ord,keyboard-int
  00000040  65 72 61 63 74 69 76 65 00                       eractive.

I think this can be solved in two parts; first, a credential->user mapping. For
krb5 gssapi, I'd guess the username to use is the non-realm part of the UPN? 

Second, auth2.c calls pwnamallow("") early, before attempting the gssapi
authentication. Untangling this bit of code from the (given) username check so
as to allow empty usernames is not going to be simple. The gss token exchange
has to complete before a username can be determined.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
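
Added example, not part of the original report and not OpenSSH or PuTTY code: a small decoder for the SSH2_MSG_USERAUTH_REQUEST payload logged above, showing that the user name field is a zero-length string and which GSSAPI mechanism is offered. The function names are illustrative, and the byte string is retyped from the hex dump in the report.

```python
import struct

# Payload of the SSH2_MSG_USERAUTH_REQUEST dump above, retyped from the hex
# column (the log shows the payload after the message-type byte 50).
REQUEST = bytes.fromhex(
    "00000000" "0000000e" "7373682d636f6e6e656374696f6e"
    "0000000f" "6773736170692d776974682d6d6963"
    "00000001" "0000000b" "06092a864886f712010202")

def read_u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def read_string(buf, off):  # SSH 'string': uint32 length + that many bytes
    n, off = read_u32(buf, off)
    if off + n > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[off:off + n], off + n

def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER with a short-form length."""
    if not 3 <= len(der) <= 129 or der[0] != 0x06:
        raise ValueError("not a short-form DER OID")
    if der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("malformed DER OID")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = "more"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                          # first byte packs two arcs
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_gssapi_request(payload):
    user, off = read_string(payload, 0)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    count, off = read_u32(payload, off)      # number of mechanism OIDs
    mechs = []
    for _ in range(count):
        der, off = read_string(payload, off)
        mechs.append(decode_oid(der))
    if off != len(payload):
        raise ValueError("trailing bytes after mechanism list")
    return {"user": user.decode(), "service": service.decode(),
            "method": method.decode(), "mechs": mechs}

print(parse_gssapi_request(REQUEST))
```

The single offered mechanism decodes to 1.2.840.113554.1.2.2, the Kerberos V5 GSS-API mechanism OID, and the user field is the empty string.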



