Originally adjusted from: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107826289602763&w=2
The patch below adds support for the deprecated 'gssapi' authentication mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included in this release. The use of 'gssapi' is deprecated due to the presence of potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. To use the patch apply it to a OpenSSH 3.8p1 source tree. After compiling, backwards compatibility may be obtained by supplying the 'GssapiEnableMitmAttack yes' option to either the client or server. It should be noted that this patch is being made available purely as a means of easing the process of moving to OpenSSH 3.8p1. Any new installations are recommended to use the 'gssapi-with-mic' mechanism. Existing installations are encouraged to upgrade as soon as possible.
Further modified to apply correctly in openssh-3.9p1-10 and later.
Index: auth2-gss.c
===================================================================
RCS file: /cvs/openssh/auth2-gss.c,v
retrieving revision 1.8
diff -u -r1.8 auth2-gss.c
--- auth2-gss.c 21 Nov 2003 12:56:47 -0000 1.8
+++ auth2-gss.c 2 Mar 2004 20:47:28 -0000
@@ -171,6 +171,15 @@
 dispatch_set(
 SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
 &input_gssapi_exchange_complete);
+
+ /*
+ * Old style 'gssapi' didn't have the GSSAPI_MIC
+ * and went straight to sending exchange_complete
+ */
+ if (options.gss_enable_mitm)
+ dispatch_set(
+ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
+ &input_gssapi_exchange_complete);
 }
 }
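Review bot: The added `if (options.gss_enable_mitm)` installs the EXCHANGE_COMPLETE handler for every GSSAPI client, not only those that selected the legacy 'gssapi' method — the condition never consults which Authmethod is in use, so enabling the option on the server also lets a peer complete a 'gssapi-with-mic' exchange without the MIC, which is precisely the session-binding check the newer method was introduced to add. Gating on the method name as well, `if (options.gss_enable_mitm && strcmp(authctxt->method->name, "gssapi") == 0)`, would confine the weakened path to clients that explicitly asked for it; this assumes `authctxt` is available in this handler as it is in the client-side hunk in sshconnect2.c, which should be confirmed. The comment above it could state the intent plainly: `/* Legacy 'gssapi' clients finish with EXCHANGE_COMPLETE and no MIC; accept that only where the admin opted in */`. The enclosing function starts before this hunk.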
@@ -290,6 +299,12 @@
 "gssapi-with-mic",
 userauth_gssapi,
 &options.gss_authentication
+};
+
+Authmethod method_gssapi_old = {
+ "gssapi",
+ userauth_gssapi,
+ &options.gss_enable_mitm
 };
 #endif /* GSSAPI */
Index: auth2.c
===================================================================
RCS file: /cvs/openssh/auth2.c,v
retrieving revision 1.126
diff -u -r1.126 auth2.c
--- auth2.c 17 Nov 2003 10:13:41 -0000 1.126
+++ auth2.c 2 Mar 2004 20:47:28 -0000
@@ -54,6 +54,7 @@
 extern Authmethod method_hostbased;
 #ifdef GSSAPI
 extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
 #endif
 Authmethod *authmethods[] = {
@@ -61,6 +62,7 @@
 &method_pubkey,
 #ifdef GSSAPI
 &method_gssapi,
+ &method_gssapi_old,
 #endif
 &method_passwd,
 &method_kbdint,
Index: readconf.c
===================================================================
RCS file: /cvs/openssh/readconf.c,v
retrieving revision 1.102
diff -u -r1.102 readconf.c
--- readconf.c 17 Dec 2003 05:33:11 -0000 1.102
+++ readconf.c 2 Mar 2004 20:47:28 -0000
@@ -104,7 +104,7 @@
 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings,
 oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit,
 oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oShowPatchLevel, oDeprecated, oUnsupported
@@ -139,9 +139,11 @@
 #if defined(GSSAPI)
 { "gssapiauthentication", oGssAuthentication },
 { "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapienablemitmattack", oGssEnableMITM },
 #else
 { "gssapiauthentication", oUnsupported },
 { "gssapidelegatecredentials", oUnsupported },
+ { "gssapienablemitmattack", oUnsupported },
 #endif
 { "fallbacktorsh", oDeprecated },
 { "usersh", oDeprecated },
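Review bot: `method_gssapi_old` carries no comment explaining why its enabled flag is `&options.gss_enable_mitm` rather than `&options.gss_authentication`, which is the only thing distinguishing it from `method_gssapi` directly above besides the name, and a reader will otherwise assume it is a typo. As far as this hunk shows, the legacy method is offered whenever GssapiEnableMitmAttack is set regardless of GSSAPIAuthentication, and the definition should say so, e.g. `/* Legacy no-MIC 'gssapi' method, vulnerable to MITM; switched on solely by GssapiEnableMitmAttack (see servconf.c) */`. Whether the server's defaults code couples the two flags is not visible in this hunk.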
@@ -394,6 +396,10 @@
 case oGssDelegateCreds:
 intptr = &options->gss_deleg_creds;
 goto parse_flag;
+
+ case oGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;
 case oBatchMode:
 intptr = &options->batch_mode;
@@ -829,6 +835,7 @@
 options->challenge_response_authentication = -1;
 options->gss_authentication = -1;
 options->gss_deleg_creds = -1;
+ options->gss_enable_mitm = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->kbd_interactive_devices = NULL;
@@ -907,6 +914,8 @@
 options->gss_authentication = 0;
 if (options->gss_deleg_creds == -1)
 options->gss_deleg_creds = 0;
+ if (options->gss_enable_mitm == -1)
+ options->gss_enable_mitm = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
Index: readconf.h
===================================================================
RCS file: /cvs/openssh/readconf.h,v
retrieving revision 1.51
diff -u -r1.51 readconf.h
--- readconf.h 17 Dec 2003 05:33:11 -0000 1.51
+++ readconf.h 2 Mar 2004 20:47:28 -0000
@@ -43,6 +43,7 @@
 /* Try S/Key or TIS, authentication. */
 int gss_authentication; /* Try GSS authentication */
 int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_enable_mitm; /* Enable old style gssapi auth */
 int password_authentication; /* Try password
 * authentication. */
 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
Index: servconf.c
===================================================================
RCS file: /cvs/openssh/servconf.c,v
retrieving revision 1.120
diff -u -r1.120 servconf.c
--- servconf.c 23 Jan 2004 11:03:10 -0000 1.120
+++ servconf.c 2 Mar 2004 20:47:28 -0000
@@ -75,6 +75,7 @@
 options->kerberos_get_afs_token = -1;
 options->gss_authentication=-1;
 options->gss_cleanup_creds = -1;
+ options->gss_enable_mitm = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->challenge_response_authentication = -1;
@@ -188,6 +189,8 @@
 options->gss_authentication = 0;
 if (options->gss_cleanup_creds == -1)
 options->gss_cleanup_creds = 1;
+ if (options->gss_enable_mitm == -1)
+ options->gss_enable_mitm = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
@@ -266,7 +269,7 @@
 sBanner, sUseDNS, sHostbasedAuthentication,
 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
+ sGssAuthentication, sGssCleanupCreds, sGssEnableMITM, sAcceptEnv,
 sUsePrivilegeSeparation,
 sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -321,9 +324,11 @@
 #ifdef GSSAPI
 { "gssapiauthentication", sGssAuthentication },
 { "gssapicleanupcredentials", sGssCleanupCreds },
+ { "gssapienablemitmattack", sGssEnableMITM },
 #else
 { "gssapiauthentication", sUnsupported },
 { "gssapicleanupcredentials", sUnsupported },
+ { "gssapienablemitmattack", sUnsupported },
 #endif
 { "passwordauthentication", sPasswordAuthentication },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
@@ -650,6 +655,10 @@
 case sGssCleanupCreds:
 intptr = &options->gss_cleanup_creds;
+ goto parse_flag;
+
+ case sGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
 goto parse_flag;
 case sPasswordAuthentication:
Index: servconf.h
===================================================================
RCS file: /cvs/openssh/servconf.h,v
retrieving revision 1.59
diff -u -r1.59 servconf.h
--- servconf.h 31 Dec 2003 00:37:34 -0000 1.59
+++ servconf.h 2 Mar 2004 20:47:28 -0000
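Review bot: The default-fill hunk (`@@ -188,6 +189,8 @@`) only resolves the unset value of `gss_enable_mitm`; it never ties it to `gss_authentication`, yet the `gssapi` Authmethod this patch adds in auth2-gss.c is switched on by `gss_enable_mitm` alone, so as far as the visible hunks show a sshd_config with `GSSAPIAuthentication no` and `GssapiEnableMitmAttack yes` would still offer GSSAPI authentication through the weaker legacy method. Since `gss_authentication` has already been resolved on the line just above, clearing the flag here keeps the option a pure compatibility knob rather than an independent way to enable GSSAPI: `if (options->gss_enable_mitm == -1 || !options->gss_authentication)` / `options->gss_enable_mitm = 0;`, with a comment such as `/* the legacy no-MIC method is only meaningful when GSSAPI auth is on */`. fill_default_server_options begins and ends outside this hunk.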
@@ -84,6 +84,7 @@
 * authenticated with Kerberos. */
 int gss_authentication; /* If true, permit GSSAPI authentication */
 int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_enable_mitm; /* If true, enable old style GSSAPI */
 int password_authentication; /* If true, permit password
 * authentication. */
 int kbd_interactive_authentication; /* If true, permit */
Index: sshconnect2.c
===================================================================
RCS file: /cvs/openssh/sshconnect2.c,v
retrieving revision 1.123
diff -u -r1.123 sshconnect2.c
--- sshconnect2.c 21 Jan 2004 00:02:50 -0000 1.123
+++ sshconnect2.c 2 Mar 2004 20:47:28 -0000
@@ -226,6 +226,10 @@
 userauth_gssapi,
 &options.gss_authentication,
 NULL},
+ {"gssapi",
+ userauth_gssapi,
+ &options.gss_enable_mitm,
+ NULL},
 #endif
 {"hostbased",
 userauth_hostbased,
@@ -563,7 +567,9 @@
 if (status == GSS_S_COMPLETE) {
 /* send either complete or MIC, depending on mechanism */
- if (!(flags & GSS_C_INTEG_FLAG)) {
+
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
+ (!(flags & GSS_C_INTEG_FLAG))) {
 packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 packet_send();
 } else {
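Review bot: In the last hunk (`@@ -563,7 +567,9 @@`) the new condition `strcmp(authctxt->method->name,"gssapi")==0 ||` departs from the spacing used elsewhere in the file (`strcmp(a, b) == 0`), and the added blank line detaches the `/* send either complete or MIC, depending on mechanism */` comment from the `if` it describes. Writing `if (strcmp(authctxt->method->name, "gssapi") == 0 ||` / `    !(flags & GSS_C_INTEG_FLAG)) {` directly under the comment, without the redundant inner parentheses around the flag test, reads like the rest of the file. The comment itself could name the new case it now covers: `/* legacy 'gssapi' never sends a MIC; otherwise send one unless the context lacks integrity */`. The enclosing function starts before and continues after this hunk.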