Displaying 8 results from an estimated 8 matches for "gss_c_mutual_flag".
2017 Jan 17
2
Question on Kerberos (GSSAPI) auth
...machine when I send the final message from the client.
The issue may be the way the code is structured:
/* Now, if we're complete and we have the right flags, then
 * we flag the user as also having been authenticated
 */
if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
    (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
	if (ssh_gssapi_getclient(ctx, &gssapi_client))
		fatal("Couldn't convert client name");
}
return (status);
The fatal()...
2004 Jan 22
11
Pending OpenSSH release: contains Kerberos/GSSAPI changes
(I hope this message is appropriate for these lists. If not, please
tell me and I won't do it again.)
Hi All.
There will be a new release of OpenSSH in a couple of weeks. This
release contains Kerberos and GSSAPI related changes that we would like
to get some feedback about (and hopefully address any issues with)
before the release.
I encourage anyone with an interest in
2017 Jan 16
2
Question on Kerberos (GSSAPI) auth
...it always unconditionally enables mutual authentication in the client contexts it allocates. In ssh_gssapi_init_ctx, it does the following:
ctx->major = gss_init_sec_context(&ctx->minor,
    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
    0, NULL, recv_tok, NULL, send_tok, flags, NULL);
I don't see anything in the RFC 4462 errata about this recommendation having changed. Does anyone know why OpenSSH enables this? It makes sense for GSSAPI key exchange (which OpenSSH doesn't seem to imple...
2003 Sep 16
0
ANNOUNCE: GSSLib support for OpenSSH (patch)
...d one instance where
OpenSSH causes the GSS library to follow a dangling pointer and write
to likely unallocated memory (see patch), and several constructs that
aren't likely to work with generic GSS mechanisms (e.g., the flags to
gss_accept_sec_context() are set to 0 by OpenSSH, better would be
GSS_C_MUTUAL_FLAG|GSS_C_INTEG_FLAG since that is what the code later
checks for), etc.
Another, more egoistic, purpose is to get people to look at an
alternative GSSAPI and Kerberos 5 implementation.
Caveats: Only client mode is supported; the GSS server code in OpenSSH
requires too much non-GSS code that I didn'...
2024 Nov 19
0
[Announce] Samba 4.20.6 Available for Download
...evious OPEN exists with NoOplock.
   * BUG 15651: Durable handle is granted but reconnect fails.
   * BUG 15708: Disconnected durable handles with RH lease should not
     be purged by a new non conflicting open.
   * BUG 15740: gss_accept_sec_context() from Heimdal does not imply
     GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE.
   * BUG 15749: winbindd should call process_set_title() for locator child.
o  Christof Schmitt <cs at samba.org>
   * BUG 15730: VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2.
o  Jones Syue <jonessyue at qnap.com>
   * BUG 15706: Consistent log level f...
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2003 Aug 10
9
updated gssapi diff
...d_tok, OM_uint32 *flags)
+{
+ int deleg_flag = 0;
+
+ if (deleg_creds) {
+ deleg_flag = GSS_C_DELEG_FLAG;
+ debug("Delegating credentials");
+ }
+
+ ctx->major = gss_init_sec_context(&ctx->minor,
+ GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
+ GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
+ 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
+
+ if (GSS_ERROR(ctx->major))
+ ssh_gssapi_error(ctx);
+
+ return (ctx->major);
+}
+
+/* Create a service name for the given host */
+OM_uint32
+ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+{...
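Review bot: The function that ends at return (ctx->major) requests GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG, but nothing in it confirms that the mechanism granted them; the granted set is only written back through the flags pointer, and only the major status is returned. Either add a comment stating that callers must test *flags for both bits once the major status is GSS_S_COMPLETE, or do that test here so a context that completed without mutual authentication or integrity cannot be mistaken for a good one. A smaller point: debug("Delegating credentials") runs on every entry with deleg_creds set, so if this function is called once per token in a multi-round exchange, the message repeats each round; logging it only on the first call would keep the debug output accurate.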