Created attachment 3254 [details] free 'supported mechs' through gss_release_oid_set() call Attached is a small patch that should be applied before the 8.0 release. It fixes a problem with a recent patch (authored by me), where gssapi_cleanup was introduced and gssapi resources are freed. It turns out that the supported_mechs should not be just freed but instead freed through gss_release_oid_set. The error is probably irrelevant in the *ix/bsd environments, but turned out to be an error under Windows if a dynamic lib (gssapi.dll) from MIT Kerbereros is used.
Created attachment 3269 [details] better version It turns out that the mechs should not only be freed via gss_release_oid_set. I also found that that it would be better to do this at the end of the userauth2() function because gss_cleanup is called multiple times when more than one method is reported/tried.
Created attachment 3299 [details] use existing cleanup mechanism I think we should reuse the existing cleanup mechanism here. I don't have a working krb/gssapi installation ATM so I can't really test this though.
> I think we should reuse the existing cleanup mechanism here. I don't > have a working krb/gssapi installation ATM so I can't really test > this though. I have debugged this and found that in some circumstances, gssapi_cleanup() is called multiple times (see comment1). If the gssapi system reports multiple mechs it goes through the cycle init/cleanup for each mech. So the supported-mechs-list is on sort of a higher level than a single gssapi auth attempt. Hence, releasing the mechs-list itself should not be done in the gssapi_cleanup function but at the very end of authentication.
(If you are not comfortable with this change, please go back to the old behavior (I think in 7.8 before gssapi_cleanup was introducted) and let the supported-mechs list leak instead.)
Retarget these bugs to 8.2 release
Prepare for 8.2 release; retarget bugs
Retarget bugs to 8.4 release
retarget to 8.6
retarget after 8.6p1 release
Created attachment 3533 [details] cleanup GSSAPI mechanisms at end of authentication
This has been committed and will be in openssh-9.6, due around the end of the year. Thanks!