From 6666c194143fe32e39a6e0e1db4f9c6db9257731 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Oct 19 2018 09:41:34 +0000
Subject: Do not break gssapi-kex authentication method


---

diff --git a/openssh-7.9p1-gsskex-method.patch b/openssh-7.9p1-gsskex-method.patch
new file mode 100644
index 0000000..b06620d
--- /dev/null
+++ b/openssh-7.9p1-gsskex-method.patch
@@ -0,0 +1,150 @@
+From bc74944ce7a2eabd228d47051f277ce108914c96 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 16 Oct 2018 16:44:40 +0200
+Subject: [PATCH] Unbreak authentication using gssapi-keyex (#1625366)
+
+---
+ auth2-gss.c    |  6 +++---
+ gss-serv.c     |  4 +++-
+ monitor.c      | 13 ++++++++++---
+ monitor_wrap.c |  4 +++-
+ monitor_wrap.h |  2 +-
+ ssh-gss.h      |  2 +-
+ 6 files changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/auth2-gss.c b/auth2-gss.c
+index 3f2ad21d..a61ac089 100644
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -84,7 +84,7 @@ userauth_gsskeyex(Authctxt *authctxt)
+ 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
+ 	    &gssbuf, &mic))))
+ 		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+-		    authctxt->pw));
++		    authctxt->pw, 1));
+ 	
+ 	sshbuf_free(b);
+ 	free(mic.value);
+@@ -299,7 +299,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
+ 		fatal("%s: %s", __func__, ssh_err(r));
+ 
+ 	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+-	    authctxt->pw));
++	    authctxt->pw, 1));
+ 
+ 	if ((!use_privsep || mm_is_monitor()) &&
+ 	    (displayname = ssh_gssapi_displayname()) != NULL)
+@@ -347,7 +347,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+ 
+ 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
+ 		authenticated = 
+-		    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
++		    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw, 0));
+ 	else
+ 		logit("GSSAPI MIC check failed");
+ 
+diff --git a/gss-serv.c b/gss-serv.c
+index 786ac95c..87de2baa 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -493,10 +493,12 @@ verify_authentication_indicators(Gssctxt *gssctxt)
+ 
+ /* Privileged */
+ int
+-ssh_gssapi_userok(char *user, struct passwd *pw)
++ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
+ {
+ 	OM_uint32 lmin;
+ 
++	(void) kex; /* used in privilege separation */
++
+ 	if (gssapi_client.exportedname.length == 0 ||
+ 	    gssapi_client.exportedname.value == NULL) {
+ 		debug("No suitable client data");
+diff --git a/monitor.c b/monitor.c
+index 9bbe8cc4..7b1903af 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1877,14 +1877,17 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
+ int
+ mm_answer_gss_userok(int sock, struct sshbuf *m)
+ {
+-	int r, authenticated;
++	int r, authenticated, kex;
+ 	const char *displayname;
+ 
+ 	if (!options.gss_authentication && !options.gss_keyex)
+ 		fatal("%s: GSSAPI authentication not enabled", __func__);
+ 
++	if ((r = sshbuf_get_u32(m, &kex)) != 0)
++		fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
+ 	authenticated = authctxt->valid &&
+-	    ssh_gssapi_userok(authctxt->user, authctxt->pw);
++	    ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
+ 
+ 	sshbuf_reset(m);
+ 	if ((r = sshbuf_put_u32(m, authenticated)) != 0)
+@@ -1893,7 +1896,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
+ 	debug3("%s: sending result %d", __func__, authenticated);
+ 	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
+ 
+-	auth_method = "gssapi-with-mic";
++	if (kex) {
++		auth_method = "gssapi-keyex";
++	} else {
++		auth_method = "gssapi-with-mic";
++	}
+ 
+ 	if ((displayname = ssh_gssapi_displayname()) != NULL)
+ 		auth2_record_info(authctxt, "%s", displayname);
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index fb52a530..508d926d 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -984,13 +984,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+ }
+ 
+ int
+-mm_ssh_gssapi_userok(char *user, struct passwd *pw)
++mm_ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
+ {
+ 	struct sshbuf *m;
+ 	int r, authenticated = 0;
+ 
+ 	if ((m = sshbuf_new()) == NULL)
+ 		fatal("%s: sshbuf_new failed", __func__);
++	if ((r = sshbuf_put_u32(m, kex)) != 0)
++		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 
+ 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
+ 	mm_request_receive_expect(pmonitor->m_recvfd,
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 494760dd..5eba5ecc 100644
+--- a/monitor_wrap.h
++++ b/monitor_wrap.h
+@@ -60,7 +60,7 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
+ OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
+    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
+-int mm_ssh_gssapi_userok(char *user, struct passwd *);
++int mm_ssh_gssapi_userok(char *user, struct passwd *, int kex);
+ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
+diff --git a/ssh-gss.h b/ssh-gss.h
+index 39b6ce69..98262837 100644
+--- a/ssh-gss.h
++++ b/ssh-gss.h
+@@ -162,7 +162,7 @@ gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
+ int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, 
+     const char *);
+ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+-int ssh_gssapi_userok(char *name, struct passwd *);
++int ssh_gssapi_userok(char *name, struct passwd *, int kex);
+ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ void ssh_gssapi_do_child(char ***, u_int *);
+ void ssh_gssapi_cleanup_creds(void);
+-- 
+2.17.2
+
diff --git a/openssh.spec b/openssh.spec
index 2ec7712..6938196 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -183,6 +183,8 @@ Patch804: openssh-7.7p1-gssapi-new-unique.patch
 Patch805: openssh-7.2p2-k5login_directory.patch
 # Support SHA2 in GSS key exchanges from draft-ssorce-gss-keyex-sha2-02
 Patch807: openssh-7.5p1-gssapi-kex-with-ec.patch
+# Do not break when using AuthenticationMethods with gssapi-keyex auth method (#1625366)
+Patch808: openssh-7.9p1-gsskex-method.patch
 
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
@@ -443,6 +445,7 @@ popd
 %patch951 -p1 -b .pkcs11-uri
 %patch952 -p1 -b .pkcs11-ecdsa
 %patch953 -p1 -b .scp-ipv6
+%patch808 -p1 -b .gsskex-method
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race