diff -urN openssh-4.3p2.orig/auth2.c openssh-4.3p2/auth2.c
--- openssh-4.3p2.orig/auth2.c	2006-05-30 10:36:56.000000000 +0100
+++ openssh-4.3p2/auth2.c	2006-05-30 10:37:25.000000000 +0100
@@ -57,6 +57,7 @@
 #ifdef GSSAPI
 extern Authmethod method_gsskeyex;
 extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
 #endif
 
 Authmethod *authmethods[] = {
@@ -65,6 +66,7 @@
 #ifdef GSSAPI
 	&method_gsskeyex,
 	&method_gssapi,
+	&method_gssapi_old,
 #endif
 	&method_passwd,
 	&method_kbdint,
diff -urN openssh-4.3p2.orig/auth2-gss.c openssh-4.3p2/auth2-gss.c
--- openssh-4.3p2.orig/auth2-gss.c	2006-05-30 10:36:56.000000000 +0100
+++ openssh-4.3p2/auth2-gss.c	2006-05-30 10:37:25.000000000 +0100
@@ -204,6 +204,13 @@
 				dispatch_set(
 				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
 				    &input_gssapi_exchange_complete);
+				/* Old style 'gssapi' didn't have GSSAPI_MIC
+				 * and went straight to sending 'exchange_complete'
+				 */
+				if (options.gss_enable_mitm)
+					dispatch_set(
+							SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
+							&input_gssapi_exchange_complete);
 		}
 	}
 
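Review bot: The added `if (options.gss_enable_mitm)` is indented like the `dispatch_set` call before it, and the closing brace two levels out suggests that call is the unbraced body of a branch starting above the hunk. If so, the new statement sits outside that branch and registers the `EXCHANGE_COMPLETE` handler on every completed context, whatever the earlier condition decided. Bracing the branch above and re-indenting the added `if` to its real level would make the scope explicit. The test also looks only at the option, not at which method name the client requested, so with the option on a client using the MIC-capable method could presumably also finish without sending a MIC. The comment should state the consequence, e.g. `/* No MIC: the exchange is not tied to this session; legacy 'gssapi' clients only */`.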
@@ -331,4 +338,10 @@
 	&options.gss_authentication
 };
 
+Authmethod method_gssapi_old = {
+	"gssapi",
+	userauth_gssapi,
+	&options.gss_enable_mitm
+};
+
 #endif /* GSSAPI */
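Review bot: `method_gssapi_old` is enabled by `&options.gss_enable_mitm` alone, while the entry just above it is gated on `&options.gss_authentication`. A configuration that turns GSSAPI authentication off but leaves the legacy option on would therefore presumably still offer `gssapi` user authentication through the same `userauth_gssapi` handler. If the legacy method is meant as a sub-option, clear it where the defaults are filled in, e.g. `if (!options->gss_authentication) options->gss_enable_mitm = 0;`, or document that the two settings are independent. A one-line comment above the struct, naming it as the pre-MIC method and the option that enables it, would also help.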
diff -urN openssh-4.3p2.orig/servconf.c openssh-4.3p2/servconf.c
--- openssh-4.3p2.orig/servconf.c	2006-05-30 10:36:56.000000000 +0100
+++ openssh-4.3p2/servconf.c	2006-05-30 10:38:06.000000000 +0100
@@ -74,6 +74,7 @@
 	options->gss_authentication=-1;
 	options->gss_keyex = -1;
 	options->gss_cleanup_creds = -1;
+	options->gss_enable_mitm = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -192,6 +193,8 @@
 		options->gss_keyex = 0;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
+	if (options->gss_enable_mitm == -1)
+		options->gss_enable_mitm = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -276,7 +279,7 @@
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
-	sGssAuthentication, sGssKeyEx, sGssCleanupCreds, 
+	sGssAuthentication, sGssKeyEx, sGssCleanupCreds, sGssEnableMITM
 	sAcceptEnv, sPermitTunnel,
 	sUsePrivilegeSeparation,
 	sDeprecated, sUnsupported
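Review bot: The replacement enum line drops the trailing comma, so `sGssEnableMITM` is followed directly by `sAcceptEnv` on the next line and servconf.c will not compile. The line should read `sGssAuthentication, sGssKeyEx, sGssCleanupCreds, sGssEnableMITM,`. The enum itself begins and ends outside this hunk.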
@@ -333,10 +336,12 @@
 	{ "gssapiauthentication", sGssAuthentication },
 	{ "gssapikeyexchange", sGssKeyEx },
 	{ "gssapicleanupcredentials", sGssCleanupCreds },
+	{ "gssapienablemitmattack", sGssEnableMITM },
 #else
 	{ "gssapiauthentication", sUnsupported },
 	{ "gssapikeyexchange", sUnsupported },
 	{ "gssapicleanupcredentials", sUnsupported },
+	{ "gssapienablemitmattack", sUnsupported },
 #endif
 	{ "passwordauthentication", sPasswordAuthentication },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
@@ -687,6 +692,10 @@
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
 
+	case sGssEnableMITM:
+		intptr = &options->gss_enable_mitm;
+		goto parse_flag;
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
diff -urN openssh-4.3p2.orig/servconf.h openssh-4.3p2/servconf.h
--- openssh-4.3p2.orig/servconf.h	2006-05-30 10:36:56.000000000 +0100
+++ openssh-4.3p2/servconf.h	2006-05-30 10:37:25.000000000 +0100
@@ -90,6 +90,7 @@
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int 	gss_keyex;		/* If true, permit GSSAPI key exchange */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
+	int     gss_enable_mitm;		/* If true, enable old style GSSAPI */
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
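Review bot: The field comment `If true, enable old style GSSAPI` does not tell a reader what is given up by setting it. Something like `/* If true, accept old 'gssapi' userauth without a MIC (insecure) */` would match the warning carried by the keyword name in servconf.c. The struct starts and ends outside the hunk.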
