Hello,
Here's a patch related to changes from CVE-2018-10933: Kerberos Authentication (GSSAPI) as server always fails (on new packet filtering) because SSH_AUTH_STATE_GSSAPI_TOKEN is not correctly set on sending SSH_MSG_USERAUTH_GSSAPI_RESPONSE (containing selected mechanism OID). After this response, the client will send a SSH_MSG_USERAUTH_GSSAPI_TOKEN packet (see rfc4462 3.3-3.4) so the packet filter will check the SSH_AUTH_STATE_GSSAPI_TOKEN auth state. This patch set correct state on sending gssapi response (selected mechanism OID) Regards, Meng
From eb6f2efe8c8995a8d687b108d0a9478b7e9991f1 Mon Sep 17 00:00:00 2001 From: Meng Tan <[email protected]> Date: Thu, 25 Oct 2018 17:06:06 +0200 Subject: [PATCH] gssapi: Set correct state after sending GSSAPI_RESPONSE (select mechanism OID) Signed-off-by: Meng Tan <[email protected]> --- src/gssapi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/gssapi.c b/src/gssapi.c index 77df0b59..e1b37c76 100644 --- a/src/gssapi.c +++ b/src/gssapi.c @@ -120,6 +120,7 @@ static int ssh_gssapi_send_response(ssh_session session, ssh_string oid){ ssh_set_error_oom(session); return SSH_ERROR; } + session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN; ssh_packet_send(session); SSH_LOG(SSH_LOG_PACKET, -- 2.11.0
