openssh bugs - Aug 2006 - [Bug 1218] GSSAPI client code permits SPNEGO usage

http://bugzilla.mindrot.org/show_bug.cgi?id=1218

           Summary: GSSAPI client code permits SPNEGO usage
           Product: Portable OpenSSH
           Version: 4.3p2
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Kerberos support
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: simon at sxw.org.uk


RFC4462 states that "mechanisms conforming to this document MUST NOT
use SPNEGO as the underlying GSS-API mechanism".

Unfortunately, the check in the GSSAPI client code has disappeared
somewhere in the midsts
of time. The attached patch reinstates this check, as well as tidying
up the mechanism checking
code.

I hope its in suitable KNF.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1218





------- Comment #1 from simon at sxw.org.uk  2006-08-18 04:33 -------
Created an attachment (id=1174)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1174&action=view)
Fix to prevent OpenSSH offering SPENGO to a server

Patch against latest portable CVS.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1218


djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
OtherBugsDependingO|                            |1155
              nThis|                            |




------- Comment #2 from djm at mindrot.org  2006-08-18 23:55 -------
fix applied - thanks




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1218


simon at sxw.org.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |




------- Comment #3 from simon at sxw.org.uk  2006-08-19 03:24 -------
Sorry for the trouble. I've just realised I've got the return code in
the SPNEGO case. Instead
of returning (-1) - TRUE, we should return 0 - FALSE. The -1 was left
from a previous version
that returned error codes, rather than a true/false value.

Trivial patch is about to be attached. 

Sorry once again!

Simon.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1218





------- Comment #4 from simon at sxw.org.uk  2006-08-19 03:27 -------
Created an attachment (id=1175)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1175&action=view)
Fix to incorrect return code in patch




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1218


djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED




------- Comment #5 from djm at mindrot.org  2006-08-19 08:45 -------
applied - thanks




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.