ssh: disallow gssapi-with-mic if GSSAPIWithMICConfig is not set

The ability to trigger the 'gssapi-with-mic' authentication method is
not properly gated by the presence of the GSSAPIWithMICConfig field of
the ServerConfig type. If this field is not set and a client sends a
'gssapi-with-mic' request, regardless of if the server advertises it,
the server will panic.

This issue was discovered and reported by Joern Schneewesiz, GitLab
Security Research Team.

Fixes CVE-2020-29652

Change-Id: Ie25de2766e442c8ab46680aae3ac89b0823cdeed
Trust: Roland Shoemaker <>
Run-TryBot: Roland Shoemaker <>
Reviewed-by: Filippo Valsorda <>
TryBot-Result: Go Bot <>
diff --git a/ssh/server.go b/ssh/server.go
index 7d42a8c..b6911e8 100644
--- a/ssh/server.go
+++ b/ssh/server.go
@@ -572,6 +572,10 @@
 				perms = candidate.perms
 		case "gssapi-with-mic":
+			if config.GSSAPIWithMICConfig == nil {
+				authErr = errors.New("ssh: gssapi-with-mic auth not configured")
+				break
+			}
 			gssapiConfig := config.GSSAPIWithMICConfig
 			userAuthRequestGSSAPI, err := parseGSSAPIPayload(userAuthReq.Payload)
 			if err != nil {
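Review bot: The new nil guard at the top of the "gssapi-with-mic" case comes with no regression test in this diff, which touches only ssh/server.go. A test that builds a ServerConfig with GSSAPIWithMICConfig left unset, sends a gssapi-with-mic request, and asserts an authentication failure rather than a panic would pin the fix down. As a smaller style point, the guard reads the field twice: assigning first (gssapiConfig := config.GSSAPIWithMICConfig) and then testing gssapiConfig == nil would keep the check and the later uses on the same local. Note also that the bare break leaves only the enclosing switch, so the fix depends on authErr being acted on afterwards; a short comment to that effect would help readers.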