23227315 sshd offers GSS-API key exchange despite having no keytab
authorTomas Kuthan <tomas.kuthan@oracle.com>
Wed, 11 Jan 2017 12:12:15 -0800
changeset 7560 9732971b7855
parent 7557 d7e607817552
child 7561 64cbdac1f406
23227315 sshd offers GSS-API key exchange despite having no keytab 25135484 auth_root_allowed: classify 'gssapi-keyex' method as passwordless
components/openssh/patches/023-gsskex.patch
components/openssh/patches/051-GSSAPIStrictAcceptorCheck_yes.patch
--- a/components/openssh/patches/023-gsskex.patch	Wed Jan 11 10:37:16 2017 -0800
+++ b/components/openssh/patches/023-gsskex.patch	Wed Jan 11 12:12:15 2017 -0800
@@ -42,7 +42,15 @@
 diff -pur old/auth.c new/auth.c
 --- old/auth.c
 +++ new/auth.c
[email protected]@ -786,99 +786,6 @@ fakepw(void)
[email protected]@ -363,6 +363,7 @@ auth_root_allowed(const char *method)
+ 	case PERMIT_NO_PASSWD:
+ 		if (strcmp(method, "publickey") == 0 ||
+ 		    strcmp(method, "hostbased") == 0 ||
++		    strcmp(method, "gssapi-keyex") == 0 ||
+ 		    strcmp(method, "gssapi-with-mic") == 0)
+ 			return 1;
+ 		break;
[email protected]@ -786,99 +787,6 @@ fakepw(void)
  }
  
  /*
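Review bot: The added `strcmp(method, "gssapi-keyex") == 0` arm lets `PermitRootLogin without-password` admit a method on its name alone, and nothing in the hunk records why that is sound; a one-line comment above it would keep the list from reading as arbitrary, e.g. `/* gssapi-keyex: the client was already authenticated by the GSS-API key exchange; no password is involved */`. That justification presumes the gssapi-keyex userauth method can only succeed on a security context established during the gss-* key exchange, which is how the gsskex patch is normally built but is not visible in this changeset, so confirm it against the userauth_gsskeyex implementation in 023-gsskex.patch before relying on it. The classification is at least consistent with the existing `gssapi-with-mic` entry, which rests on the same argument. auth_root_allowed starts and ends outside the hunk, and the new `@@ -786,99 +787,6 @@` header is the expected one-line shift for the inserted arm.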
@@ -1404,7 +1412,7 @@
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
[email protected]@ -632,6 +632,11 @@ The default is
[email protected]@ -632,6 +632,22 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default on Solaris is
  .Dq yes .
@@ -1413,6 +1421,17 @@
 +doesn't rely on ssh keys to verify host identity.
 +The default on Solaris is
 +.Dq yes .
++.Pp
++By default the server only offers the GSSAPI key exchange, if it can acquire
++acceptor credentials for 
++.Pa host
++service on the current hostname. But when 
++.Cm GSSAPIStrictAcceptorCheck
++is set to 
++.Dq no ,
++the server will always offer GSSAPI key
++exchange, although it may not be able to accept security context (which will
++cause the key exchange to fail).
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
  on logout.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/051-GSSAPIStrictAcceptorCheck_yes.patch	Wed Jan 11 12:12:15 2017 -0800
@@ -0,0 +1,27 @@
+#
+# GSSAPIStrictAcceptorCheck should default to yes as documented
+#
+# When GSSAPIStrictAcceptorCheck is not explicitely specified in sshd_config,
+# the default value should be yes. It is documented in sshd_config(5) this
+# way and it preserves original behavior.
+#
+# Also GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange,
+# where it make the server willing to negotiate GSS-API key exchange, although
+# no keytab was provided.
+#
+# Patch source: in-house
+# Reported upstream:
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2637
+#
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
[email protected]@ -323,7 +323,7 @@ fill_default_server_options(ServerOption
+ 	if (options->gss_cleanup_creds == -1)
+ 		options->gss_cleanup_creds = 1;
+ 	if (options->gss_strict_acceptor == -1)
+-		options->gss_strict_acceptor = 0;
++		options->gss_strict_acceptor = 1;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
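Review bot: Changing the fallback to `options->gss_strict_acceptor = 1` is a behaviour change for every Solaris host whose sshd_config does not set GSSAPIStrictAcceptorCheck, and the patch header should say so: a deployment that relied on the lenient default (for example a keytab whose host principal does not match the local hostname) may now fail GSSAPI user authentication, not just the key exchange, until it sets `GSSAPIStrictAcceptorCheck no` explicitly. The header explains the kex interaction but not this migration impact; one added line such as `# Deployments that depended on the lenient default must now set GSSAPIStrictAcceptorCheck no explicitly.` would cover it. The fix also assumes the acceptor-credential check in 023-gsskex.patch honours this flag when deciding whether to advertise the gss-* kex methods; that code is not part of this changeset, so it is worth confirming rather than assuming. Two wording nits in the header: `explicitely` should be `explicitly` and `it make the server` should be `it makes the server`. fill_default_server_options begins and ends outside the hunk.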