Pending OpenSSH release: contains Kerberos/GSSAPI changes

Wachdorf, Daniel R drwachd at sandia.gov
Sat Jan 31 10:57:29 EST 2004


Here is a patch. It was based off the 2004-12-24 snapshot (I had trouble
getting today's to compile).

*** ../openssh/gss-serv.c       Mon Nov 17 04:18:22 2003
--- gss-serv.c  Fri Jan 30 16:35:24 2004
***************
*** 117,124 ****
         * we flag the user as also having been authenticated
         */

!       if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
!           (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE))
{
                if (ssh_gssapi_getclient(ctx, &gssapi_client))
                        fatal("Couldn't convert client name");
        }
--- 117,123 ----
         * we flag the user as also having been authenticated
         */

!       if(ctx->major == GSS_S_COMPLETE) {
                if (ssh_gssapi_getclient(ctx, &gssapi_client))
                        fatal("Couldn't convert client name");
        }
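
Review bot: The replacement condition `if(ctx->major == GSS_S_COMPLETE) {` drops the GSS_C_INTEG_FLAG test along with the GSS_C_MUTUAL_FLAG test, while the objection quoted below is only about clients that do not do mutual auth. If integrity protection is still meant to be a precondition for calling ssh_gssapi_getclient(), keep that half, e.g. `if (((flags == NULL) || (*flags & GSS_C_INTEG_FLAG)) && (ctx->major == GSS_S_COMPLETE)) {`; if dropping both is intended, say so in the comment that ends "we flag the user as also having been authenticated", so the precondition for accepting the client name is documented. Style: write `if (` with a space, matching the `if (ssh_gssapi_getclient(ctx, &gssapi_client))` line that follows.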

-dan

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] 
Sent: Friday, January 30, 2004 4:11 PM
To: Wachdorf, Daniel R
Cc: 'Sam Hartman'; 'Jeffrey Hutzelman'; krbdev at mit.edu; ietf-ssh at NetBSD.org;
kerberos at mit.edu; heimdal-discuss at sics.se; OpenSSH Devel List
Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes



On Fri, 30 Jan 2004, Wachdorf, Daniel R wrote:

> Well,
>
> It could be a problem. If someone has implemented a client and doesn't do
								^^^^^^^^^^
> mutual auth (as the standard says they should), they could be broken.
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This right here is the key to me.  If someone is not following the RFC,
then I say let them complain to their vendor.

Again I ask.. As the code stands are *WE* in RFC compliance?  If not we
need it fixed.

As for what to base it off of.  Pick a recent snapshot.  Not as if the
GSSAPI-WITH-MIC code has drastically changed in the last few days.

- Ben


-------------- next part --------------
A non-text attachment was scrubbed...
Name: gss-patch-snap-20040124.diff
Type: application/octet-stream
Size: 647 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040130/222717f7/attachment.obj 

