search for: gss_c_integ_flag

(I hope this message is appropriate for these lists. If not, please tell me and I won't do it again.) Hi All. There will be a new release of OpenSSH in a couple of weeks. This release contains Kerberos and GSSAPI related changes that we would like to get some feedback about (and hopefully address any issues with) before the release. I encourage anyone with an interest in

...The issue may be the way the code is structured: /* Now, if we're complete and we have the right flags, then * we flag the user as also having been authenticated */ if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) && (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) { if (ssh_gssapi_getclient(ctx, &gssapi_client)) fatal("Couldn't convert client name"); } return (status); The fatal() call there only happens when ssh_gssapi_getclient() fai...

...nally enables mutual authentication in the client contexts it allocates. In ssh_gssapi_init_ctx, it does the following: ctx->major = gss_init_sec_context(&ctx->minor, GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid, GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 0, NULL, recv_tok, NULL, send_tok, flags, NULL); I don?t see anything in the RFC 4462 errata about this recommendation having changed. Does anyone know why OpenSSH enables this? It makes sense for GSSAPI key exchange (which OpenSSH doesn?t seem to implement), but not for...

...re OpenSSH cause the GSS library to follow a dangling pointer and write to likely unallocated memory (see patch), and several constructs that aren't likely to work with generic GSS mechanisms (e.g., the flags to gss_accept_sec_context() are set to 0 by OpenSSH, better would be GSS_C_MUTUAL_FLAG|GSS_C_INTEG_FLAG since that is what the code later check for), etc. Another, more egoistic, purpose is to get people to look at an alternative GSSAPI and Kerberos 5 implementation. Caveats: Only client mode is supported; the GSS server code in OpenSSH require too much non-GSS code that I didn't bother finish...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

...ags) +{ + int deleg_flag = 0; + + if (deleg_creds) { + deleg_flag = GSS_C_DELEG_FLAG; + debug("Delegating credentials"); + } + + ctx->major = gss_init_sec_context(&ctx->minor, + GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid, + GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, + 0, NULL, recv_tok, NULL, send_tok, flags, NULL); + + if (GSS_ERROR(ctx->major)) + ssh_gssapi_error(ctx); + + return (ctx->major); +} + +/* Create a service name for the given host */ +OM_uint32 +ssh_gssapi_import_name(Gssctxt *ctx, const char *host) +{ + gss_buffer_desc g...