updated gssapi diff

Steven Michaud smichaud at pobox.com
Wed Aug 20 04:51:02 EST 2003


I've been testing the code posted by Jakob Schlyter (2003-08-10
14:43:52), as amended by Frank Cusack (2003-08-12 18:05:11) and
Douglas Engert (2003-08-12 18:55:30).  The code worked fine, but
raised some issues that people who are used to Simon Wilkinson's patch
will need to be aware of.

(I didn't bother to test without Douglas Engert's patch.  Without it
MIT support is broken and the code won't even compile
(krb5_cc_gen_new() has a different number of parameters in the MIT
libraries than in the Heimdal ones).  And it just adds support for
per-session caches that's already provided for those who use the
Heimdal libraries.)

(I tested on Solaris 8, so I ended up patching against one of the
portable snapshots -- openssh-SNAP-20030814.tar.gz.  To make sure all
the code went to the right place, I did my patch by hand.  I also
patched in a few other places (notably configure.ac) that aren't,
strictly speaking, relevant to the code posted by Jakob Schlyter.  In
all my tests I linked against either the MIT 1.3.1 libraries (the
shared ones) or the Heimdal 0.6 libraries.  None of my tests used
PAM.  My KDC is MIT 1.3.1, also running on Solaris 8.)

Basically, I tested that the ssh client compiled with Jakob Schlyter's
code (as described above) and linked against either the MIT libraries
or the Heimdal libraries, worked with sshd from each of the following
"packages", linked against either the MIT libraries or the Heimdal
libraries:

1) openssh-SNAP-20030814, patched as I have described
2) OpenSSH 3.6.1p2 patched with Simon Wilkinson's patch
3) OpenSSH 3.5p1 patched with Simon Wilkinson's patch (to make this
   I'd hand-upgraded Simon's patch from 3.4p1)

And I tested that the ssh client from each of these packages (linked
against either the MIT libraries or the Heimdal libraries) worked with
the sshd from the first of them (linked against either the MIT
libraries or the Heimdal libraries).

The functionality I tested was the following:

1) GSSAPI authentication
2) "Kerberos password" authentication
3) "Unix password" authentication

As I've said, everything worked fine -- including (where applicable)
credential forwarding and per-session caches.  But I lost a couple
hours discovering that GSSAPIAuthentication (in sshd_config) and
GSSAPIDelegateCredentials (in ssh_config) are no longer on by default.
And I noticed that you need a host key even when doing GSSAPI
authentication -- I guess the ability to do without one was lost with
the GSSAPI key exchange code.

The other things I noticed aren't really relevant to a test of Jakob
Schlyter's code, but I think two are worth mentioning.

I had to make the following change to get the snapshot to link against
the Heimdal libraries:

diff -u -r -N --exclude configure --exclude config.h.in src.old/openbsd-compat/bsd-misc.h src/openbsd-compat/bsd-misc.h
--- src.old/openbsd-compat/bsd-misc.h	    Mon Aug 18 19:53:59 2003
+++ src/openbsd-compat/bsd-misc.h	    Mon Aug 18 19:53:51 2003
@@ -29,6 +29,11 @@

 #include "config.h"

+/* Resolve name conflict with libroken */
+#ifdef HEIMDAL
+#define get_progname get_progname_x
+#endif
+
 char *get_progname(char *);

 #ifndef HAVE_SETSID

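Review bot: the rename only reaches code that includes this header with HEIMDAL already defined by config.h, so any openbsd-compat source that defines or calls get_progname() without going through bsd-misc.h keeps the old symbol and the link still fails or silently resolves to libroken's version; renaming the function at its definition (for example ssh_get_progname, keeping this macro only for compatibility) would be less fragile than a header-only #define.
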
And I discovered that part of the SSH2 KRB5 auth code is badly broken.
(I experienced crashes when KerberosAuthentication was enabled, no
Kerberos credentials were present, and I used the snapshot's ssh.
Apparently this ssh falls back to KRB5 auth when GSSAPI auth fails.)
Jakob's message says that the KRB5 auth code will be removed if the
GSSAPI code goes in.  But perhaps it's still worth mentioning how I
fixed this problem:

diff -u -r -N --exclude configure --exclude config.h.in src.old/sshconnect2.c src/sshconnect2.c
--- src.old/sshconnect2.c	  Mon Aug 18 19:55:19 2003
+++ src/sshconnect2.c		  Mon Aug 18 19:55:10 2003
@@ -1378,7 +1378,6 @@
 static int
 ssh_krb5_helper(krb5_data *ap, krb5_context *context)
 {
-	krb5_context xcontext = NULL;	/* XXX share with ssh1 */
	krb5_auth_context xauth_context = NULL;
	krb5_auth_context *auth_context;
	krb5_error_code problem;
@@ -1389,8 +1388,8 @@
   int ret;

	memset(ap, 0, sizeof(*ap));
+	*context = NULL;

-	context = &xcontext;
	auth_context = &xauth_context;

	problem = krb5_init_context(context);
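Review bot: `*context = NULL;` before `krb5_init_context(context)` is the right fix: the removed `context = &xcontext;` reassigned the parameter to a stack local, so the caller's own context variable was never written and the caller later freed whatever garbage it held. One style nit in the context line `int ret;`: it is indented with spaces while the surrounding declarations use tabs.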
@@ -1401,13 +1400,13 @@
   }

	tkfile = krb5_cc_default_name(*context);
-	if (strncmp(tkfile, "FILE:", 5) == 0)
+	if (strncmp(tkfile, "FILE:", 5) == 0) {
	   tkfile += 5;
-
-	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
-	   debug("Kerberos v5: could not get default ccache (permission denied).");
-			   ret = 0;
-			       goto out;
+				    if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+						     debug("Kerberos v5: could not get default ccache (permission denied).");
+									 ret = 0;
+									       goto out;
+										    }
										    }

	problem = krb5_cc_default(*context, &ccache);
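Review bot: the added block is indented several levels deeper than the code around it (the `stat()` check now sits under many tabs and the two closing braces are far to the right), so please reindent to one tab per level and put the closing brace of the `if (strncmp(tkfile, "FILE:", 5) == 0) {` block at the same column as the `if`. Logically the change is sound: it moves the ownership check inside the `FILE:` branch, where `tkfile` is a path, instead of running `stat()` on the name of a non-file cache type. One caveat worth a comment: the check is skipped when `stat()` fails, so a missing default cache file still falls through to `krb5_cc_default()`.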
@@ -1442,10 +1441,10 @@
 userauth_kerberos(Authctxt *authctxt)
 {
	krb5_data ap;
-	krb5_context *context;
+	krb5_context context;
	int ret = 0;

-	if (ssh_krb5_helper(&ap, context) == 0)
+	if (ssh_krb5_helper(&ap, &context) == 0)
	   goto out;

	packet_start(SSH2_MSG_USERAUTH_REQUEST);
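Review bot: declaring `krb5_context context;` and passing `&context` fixes the real bug here, since the previous `krb5_context *context;` was an uninitialised pointer handed to `ssh_krb5_helper()`; consider also initialising it at declaration (`krb5_context context = NULL;`) so the cleanup at `out:` stays safe if a later edit adds a `goto out` before the helper has run.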
@@ -1458,13 +1457,13 @@
 #ifdef HEIMDAL
	krb5_data_free(&ap);
 #else
-	krb5_free_data_contents(*context, &ap);
+	krb5_free_data_contents(context, &ap);
 #endif
	ret = 1;

 out:
-	if (*context)
-	   krb5_free_context(*context);
+	   if (context)
+	      krb5_free_context(context);
	      return ret;
 }
 #endif

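Review bot: the indentation of the three added and changed lines under `out:` drifted right (`if (context)`, `krb5_free_context(context)` and `return ret;` are each a level deeper than they should be); reindent so `return ret;` sits at function-body level, otherwise it reads as part of the `if`. Also confirm the ownership contract with `ssh_krb5_helper()`: when it returns 0 after `krb5_init_context()` succeeded, either the helper must free the context and reset `*context` to NULL, or it must leave it for this `krb5_free_context(context)`, but not both; the hunks shown do not make that explicit, and a double free here would reintroduce a crash on exactly the failure path the message describes.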