[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

ake sandgren 2053146 at bugs.launchpad.net
Thu Feb 15 12:20:16 UTC 2024


Verifying this should be fairly simple.

Look at the definition of Authmethod in auth.h and compare to how
method_gssapi is initialized compared to method_gsskeyex.

As for it being the only report, it is only "AuthenticationMethods gssapi-keyex" that is not working.
We have "AuthenticationMethods gssapi-keyex gssapi-with-mic" so on Jammy it still works but we get complaints in the log, like this:
===
error: Disabled method "gssapi-keyex" in AuthenticationMethods list "gssapi-keyex"
Authentication methods list "gssapi-keyex" contains disabled method, skipping
===

Regarding Noble, the patch for this in
openssh_9.6p1-3ubuntu1.debian.tar.xz is still having the same problem
with the initialization of method_gsskeyex.


===
@@ -333,6 +377,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
        return 0;
 }
 
+Authmethod method_gsskeyex = {
+       "gssapi-keyex",
+       userauth_gsskeyex,
+       &options.gss_authentication
+};
+
 Authmethod method_gssapi = {
        "gssapi-with-mic",
        NULL,
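Review bot: the method_gsskeyex initializer added here has three positional values, while the method_gssapi initializer in the context lines directly below it already carries a NULL in the second slot, so the two initializers disagree about the struct layout. Against the four-member Authmethod, userauth_gsskeyex lands in synonym, &options.gss_authentication lands in userauth, and enabled is left NULL. Add NULL after "gssapi-keyex", or use designated initializers (.name, .synonym, .userauth, .enabled) so a later member insertion cannot shift the values silently.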
===

Note that there are still only three arguments in the init of
method_gsskeyex vs the required four.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2053146

Title:
  openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is
  slightly wrong

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  The Authmethod struct now has 4 entries but the initialization of the
  method_gsskeyex in the debian/patches/gssapi.patch only has 3
  entries.

  The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
  ===
  @@ -104,7 +104,8 @@ struct Authctxt {
   
   struct Authmethod {
          char    *name;
  -       int     (*userauth)(struct ssh *);
  +       char    *synonym;
  +       int     (*userauth)(struct ssh *, const char *);
          int     *enabled;
   };
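Review bot: inserting synonym between name and userauth, rather than appending it, changes what every positional Authmethod initializer means, including initializers carried in downstream patches. Consider switching the initializers to designated form (.name, .synonym, .userauth, .enabled) in the same change, and calling out the new member order and the extra const char * argument to userauth in the commit message so that anyone rebasing a patch knows to re-check its initializers and handler signatures.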

  ===

  The incorrect code does
  ===
  +Authmethod method_gsskeyex = {
  +       "gssapi-keyex",
  +       userauth_gsskeyex,
  +       &options.gss_authentication
  +};
  ===
  but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex.

  
  This is now (change from Focal) causing gssapi-keyex to be disabled.

  
  ===
  lsb_release -rd
  Description:	Ubuntu 22.04.3 LTS
  Release:	22.04

  ===
  apt-cache policy openssh-server
  openssh-server:
    Installed: 1:8.9p1-3ubuntu0.6
    Candidate: 1:8.9p1-3ubuntu0.6
    Version table:
   *** 1:8.9p1-3ubuntu0.6 500
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1:8.9p1-3 500
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages

  ===

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2053146/+subscriptions
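
The initializer mismatch described in the bug description, as an added example that is not part of the original report, the Debian patch or OpenSSH itself. It assumes a stand-in flag `gss_authentication` for `options.gss_authentication`, a placeholder `userauth_gsskeyex`, and a hypothetical `method_enabled()` gate that treats a NULL or zero `enabled` flag as disabled.

```c
#include <stdint.h>
#include <stdio.h>

struct ssh;  /* opaque; only pointers to it are used */

/* Four-member layout from the upstream hunk quoted in the bug description. */
typedef struct Authmethod {
    char *name;
    char *synonym;
    int (*userauth)(struct ssh *, const char *);
    int *enabled;
} Authmethod;

static int gss_authentication = 1;  /* assumed stand-in for options.gss_authentication */

/* Placeholder so there is a handler address to store; not the real handler. */
static int userauth_gsskeyex(struct ssh *ssh, const char *method)
{
    (void)ssh; (void)method;
    return 0;
}

/* Three positional values, as in the Debian patch. The casts only silence the
 * type diagnostics; the values still land one member too early. */
Authmethod keyex_three_values(void)
{
    Authmethod m = {
        "gssapi-keyex",
        (char *)(uintptr_t)userauth_gsskeyex,  /* lands in synonym */
        (int (*)(struct ssh *, const char *))(uintptr_t)&gss_authentication  /* lands in userauth */
    };  /* enabled is not listed, so it is zero-initialised to NULL */
    return m;
}

/* Designated initializers name each member, so an inserted member cannot shift them. */
Authmethod keyex_designated(void)
{
    Authmethod m = { .name = "gssapi-keyex", .synonym = NULL,
        .userauth = userauth_gsskeyex, .enabled = &gss_authentication };
    return m;
}

/* Assumed gate: a method is usable only if its flag pointer is set and non-zero. */
int method_enabled(const Authmethod *m)
{
    return m->enabled != NULL && *m->enabled != 0;
}

int main(void)
{
    Authmethod bad = keyex_three_values(), good = keyex_designated();
    printf("three values: %d, designated: %d\n", method_enabled(&bad), method_enabled(&good));
    return 0;
}
```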



