[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: More GSSAPI on Windows: user auth hangs?

Subject: Re: More GSSAPI on Windows: user auth hangs?
From: Jakub Jelen <jjelen@xxxxxxxxxx>
Reply-to: libssh@xxxxxxxxxx
Date: Tue, 24 Aug 2021 09:08:17 +0200
To: libssh@xxxxxxxxxx

On 8/23/21 6:10 PM, Kerrison, Adam wrote:

I’ve spent a while trying to test the GSSAPI support on Windows and Ican’t make it work ☹I’ve attached a simple program which just tries toconnect and authenticate with a server. It assumes you have a validKerberos configuration and a ticket.
If I run this on Linux is just works. On Windows, it hangs inssh_userauth_gssapi(). The program enables packet level logging and onWindows I see this before it hangs:
[2021/08/23 17:01:39.112369, 4] ssh_socket_pollcallback: Poll callbackon socket 756 (POLLIN ), out buffer 0
[2021/08/23 17:01:39.112369, 3] ssh_packet_socket_callback: packet:read type 61 [len=176,padding=15,comp=160,payload=160]
[2021/08/23 17:01:39.113484, 3] ssh_packet_process: Dispatching handlerfor packet type 61
Packet type 61 -> SSH2_MSG_USERAUTH_GSSAPI_TOKEN

On Linux, I see the same message sequence but immediately followed by:
[2021/08/23 17:05:07.856296, 3]ssh_packet_userauth_gssapi_token_client: ReceivedSSH_MSG_USERAUTH_GSSAPI_TOKEN
I think this must be something about how I’ve built libssh but its oddas the first part of the GSSAPI auth definitely works (I see the GSSAPI:sending token message for example). I’d also expect things to crash ifthe function was missing (i.e. a NULL pointer)
I’m not holding out a lot of hope that anyone will have a clue aboutwhat is going on here but I thought I’d ask anyway …

Hi,

my guess is that on Linux you built libssh with server and on Windowswithout.

The packet number SSH2_MSG_USERAUTH_GSSAPI_TOKEN is shared withSSH2_MSG_USERAUTH_INFO_RESPONSE, which is implemented only if built withserver, which is indeed wrong and should be fixed. See the followingpart of the code:

https://gitlab.com/libssh/libssh-mirror/-/blob/master/src/messages.c#L1018

This would explain the hang, as the packet is correctly accepted, but noresponse is sent to peer.

Feel free to test my theory and propose a fix.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.

References:
More GSSAPI on Windows: user auth hangs?	"Kerrison, Adam" <Adam_Kerrison@xxxxxxx>

Archive administrator: postmaster@lists.cynapses.org