Patch for CVE-2018-15919
Jason Sikes
jsikes at suse.de
Fri Mar 1 18:27:58 AEDT 2019
Hi everyone,
I created a patch for CVE-2018-15919, "user enumeration via auth2-gss.c" (even though it is not user enumeration).
While this patch appears to fix the problem, at least from my small amount of testing, I can't be sure that I am not introducing a new bug or a new security hole. Hopefully some people who are more knowledgeable can take a look.
The fix is two parts:
1) When a valid username is presented, sshd responds with SSH_MSG_USERAUTH_INFO_REQUEST. Otherwise, sshd responds with SSH_MSG_USERAUTH_FAILURE.
My solution to this is to remove the code that presents the SSH_MSG_USERAUTH_FAILURE when an invalid username is presented. The expectation is that the login will be invalidated if/when the gssapi credentials are presented later.
2) The failure count is not incremented when a valid username is presented, but credentials are not.
I created an interim value, was_postponed, that records the value of postponed so that when postponed is reset and the authentication is checked it can be used to determine whether the failure count can be increased.
I hope that you will find this useful.
--Thanks,
--Jason Sikes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-7.6p1-prevent_gssapi_username_oracle.patch
Type: text/x-patch
Size: 1288 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190228/9c16f863/attachment.bin>
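The patch itself is not reproduced on this page, so the following is an added, simplified C model of the two behaviours the message describes; it is not Jason's patch and not OpenSSH's auth2-gss.c. The struct authctxt, the account list, and the function names (gssapi_first_step_leaky, gssapi_first_step_fixed, gssapi_finish, first_reply_leaks) are all assumptions made for the model. It shows why an early SSH_MSG_USERAUTH_FAILURE on an unknown username makes the first reply an oracle, how deferring the verdict to the credential step removes that difference, and how a saved copy of postponed (was_postponed) lets a later failure still be counted once postponed has been cleared.

```c
#include <stdbool.h>
#include <string.h>

/* Reply types named after the SSH userauth messages mentioned in the post. */
enum reply { REPLY_FAILURE, REPLY_INFO_REQUEST };

/* Hypothetical stand-in for the server-side authentication context. */
struct authctxt {
    bool valid;      /* presented username exists on the system */
    bool postponed;  /* the method deferred its verdict to a later message */
    int failures;    /* failed attempts counted against the connection */
};

/* Constructed account list for the model; only "alice" and "bob" are valid. */
static bool user_exists(const char *name) {
    static const char *const users[] = { "alice", "bob" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i], name) == 0)
            return true;
    return false;
}

/*
 * Weak behaviour as the post describes it: an unknown username is refused
 * at once with FAILURE (and counted as a failure right there), while a known
 * one is answered with INFO_REQUEST, so the first reply alone distinguishes
 * the two cases.
 */
enum reply gssapi_first_step_leaky(struct authctxt *a, const char *user) {
    a->valid = user_exists(user);
    if (!a->valid) {
        a->failures++;
        return REPLY_FAILURE;
    }
    a->postponed = true;
    return REPLY_INFO_REQUEST;
}

/*
 * Hardened behaviour (part 1 of the fix): the first step never short-circuits
 * on the username, so both cases receive INFO_REQUEST and the verdict waits
 * for the credential exchange.
 */
enum reply gssapi_first_step_fixed(struct authctxt *a, const char *user) {
    a->valid = user_exists(user);
    a->postponed = true;
    return REPLY_INFO_REQUEST;
}

/*
 * Credential step shared by both variants (part 2 of the fix). The attempt
 * succeeds only for a valid user with good credentials. A failed attempt whose
 * verdict had been postponed was not counted at the first step, so the copy
 * taken before postponed is cleared decides whether to count it now.
 */
bool gssapi_finish(struct authctxt *a, bool creds_ok) {
    bool was_postponed = a->postponed;
    a->postponed = false;   /* the method has now reached its verdict */
    bool authenticated = a->valid && creds_ok;
    if (!authenticated && was_postponed)
        a->failures++;
    return authenticated;
}

/*
 * Check a maintainer can run against either variant: does the first reply
 * depend on whether the username exists? Returns true when it does.
 */
bool first_reply_leaks(enum reply (*step)(struct authctxt *, const char *)) {
    struct authctxt known = {0}, unknown = {0};
    return step(&known, "alice") != step(&unknown, "nosuchuser");
}
```

Running first_reply_leaks over the two first-step functions gives true for the leaky one and false for the hardened one, and gssapi_finish increments failures for a valid user with bad credentials only because was_postponed was recorded before postponed was reset.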