Here is a patch. it was based of the 2004-12-24 snapshot (I had trouble
getting todays to compile).
*** ../openssh/gss-serv.c Mon Nov 17 04:18:22 2003
--- gss-serv.c Fri Jan 30 16:35:24 2004
***************
*** 117,124 ****
* we flag the user as also having been authenticated
*/
! if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
! (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE))
{
if (ssh_gssapi_getclient(ctx, &gssapi_client))
fatal("Couldn't convert client name");
}
--- 117,123 ----
* we flag the user as also having been authenticated
*/
! if(ctx->major == GSS_S_COMPLETE) {
if (ssh_gssapi_getclient(ctx, &gssapi_client))
fatal("Couldn't convert client name");
}
-dan
-----Original Message-----
From: Ben Lindstrom [mailto:mouring%etoh.eviladmin.org@localhost]
Sent: Friday, January 30, 2004 4:11 PM
To: Wachdorf, Daniel R
Cc: 'Sam Hartman'; 'Jeffrey Hutzelman'; krbdev%mit.edu@localhost; ietf-ssh%NetBSD.org@localhost;
kerberos%mit.edu@localhost; heimdal-discuss%sics.se@localhost; OpenSSH Devel List
Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes
On Fri, 30 Jan 2004, Wachdorf, Daniel R wrote:
> Well,
>
> It could be a problem. If someone has implemented a client and doesn't do
^^^^^^^^^^
> mutual auth (as the standard says they should), they could be broken.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This right here is the key to me. If someone is not following the RFC.
Then I say let them complaint to their vendor.
Again I ask.. As the code stands are *WE* in RFC compliance? If not we
need it fixed.
As for what to base it off of. Pick a recent snapshot. Not as if the
GSSAPI-WITH-MIC code has drasticly changed in the last few days.
- Ben
Attachment:
gss-patch-snap-20040124.diff
Description: Binary data