From c99d37a7febb1bf6fc3785edfa4a386df0f2c0b2 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Thu, 6 Dec 2018 18:08:56 +0000 Subject: [PATCH] Avoid hanging on GSSAPI acquire_cred failure. If GSSAPI authentication fails because we call the GSS acquire_cred function on the client side and find it doesn't give us anything useful, then that authentication attempt has to terminate - but since _we_ decided to terminate it, on the client side, the server will be sending us neither a formal USERAUTH_FAILURE nor any other kind of packet. So when we go back round to the top of the auth loop, we have to avoid _either_ assuming we're sitting on a USERAUTH_FAILURE we can parse for its method list, _or_ waiting to receive one. Instead we just have to push on and try the next auth method in the list from the last USERAUTH_FAILURE we did see. Hence, a new flag lets us suppress the usual behaviour of waiting until we have a response packet on the queue, and then all references to pktin after that are tested for NULL. --- ssh2userauth.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/ssh2userauth.c b/ssh2userauth.c index c3804a7a..033b0030 100644 --- a/ssh2userauth.c +++ b/ssh2userauth.c @@ -53,6 +53,7 @@ struct ssh2_userauth_state { Ssh_gss_buf gss_rcvtok, gss_sndtok; Ssh_gss_stat gss_stat; #endif + bool suppress_wait_for_response_packet; strbuf *last_methods_string; bool kbd_inter_refused; prompts_t *cur_prompt; @@ -431,9 +432,16 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl) while (1) { /* - * Wait for the result of the last authentication request. + * Wait for the result of the last authentication request, + * unless the request terminated for some reason on our + * own side. */ - crMaybeWaitUntilV((pktin = ssh2_userauth_pop(s)) != NULL); + if (s->suppress_wait_for_response_packet) { + pktin = NULL; + s->suppress_wait_for_response_packet = false; + } else { + crMaybeWaitUntilV((pktin = ssh2_userauth_pop(s)) != NULL); + } /* * Now is a convenient point to spew any banner material @@ -466,12 +474,12 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl) } bufchain_clear(&s->banner); } - if (pktin->type == SSH2_MSG_USERAUTH_SUCCESS) { + if (pktin && pktin->type == SSH2_MSG_USERAUTH_SUCCESS) { ppl_logevent(("Access granted")); goto userauth_success; } - if (pktin->type != SSH2_MSG_USERAUTH_FAILURE && + if (pktin && pktin->type != SSH2_MSG_USERAUTH_FAILURE && s->type != AUTH_TYPE_GSSAPI) { ssh_proto_error(s->ppl.ssh, "Received unexpected packet " "in response to authentication request, " @@ -487,7 +495,7 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl) * we can look at the string in it and know what we can * helpfully try next. */ - if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) { + if (pktin && pktin->type == SSH2_MSG_USERAUTH_FAILURE) { ptrlen methods = get_string(pktin); bool partial_success = get_bool(pktin); @@ -969,6 +977,11 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl) if (s->gss_stat != SSH_GSS_OK) { ppl_logevent(("GSSAPI authentication failed to get " "credentials")); + /* The failure was on our side, so the server + * won't be sending a response packet indicating + * failure. Avoid waiting for it next time round + * the loop. */ + s->suppress_wait_for_response_packet = true; continue; }