author | Colin Watson <cjwatson@debian.org> | 2017-01-16 15:03:00 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-01-16 15:08:12 +0000 |
commit | 1d74e62af7a8efa073474667b3974cc0e494cc5d (patch) | |
tree | 5c3f91dc61457a83393bab068e8b3b9b9215abe5 | |
parent | d85ee41ea27ccceb97f1fb042f8efc94514e0948 (diff) | |
parent | 3f1016b4535faf6e48aa71e21569aa714a25193f (diff) |
Fix rekeying failure with GSSAPI key exchange (thanks, Harald Barth; closes: #819361).
34 files changed, 71 insertions, 46 deletions
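--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-79d4110c92f82de854b10b2d96df9daaaaeaec3a
-79d4110c92f82de854b10b2d96df9daaaaeaec3a
+3f1016b4535faf6e48aa71e21569aa714a25193f
+3f1016b4535faf6e48aa71e21569aa714a25193f
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz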
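--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ openssh (1:7.4p1-6) UNRELEASED; urgency=medium
 * Document sshd_config changes that may be needed following the removal of
 protocol 1 support from sshd (closes: #851573).
 * Remove ssh_host_dsa_key from HostKey default (closes: #850614).
+* Fix rekeying failure with GSSAPI key exchange (thanks, Harald Barth;
+closes: #819361).
 
 -- Colin Watson <cjwatson@debian.org> Fri, 06 Jan 2017 08:40:14 +0000
 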
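--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From 46602f789c947e6af524d0b4c9774faf3dd073d0 Mon Sep 17 00:00:00 2001
+From b2b04daa38b264f346acd81e08d224dbf33bac5b Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used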
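--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 300ba52e4888c6ee488eb8d4cd8fcb9936c420be Mon Sep 17 00:00:00 2001
+From 7ad6dd01af3f4531ccc8e918bc857738e195fd3d Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)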
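--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From c32eb5bc49794211d9c093694b960480d0f9c6cf Mon Sep 17 00:00:00 2001
+From 2a1aeb898e4214f98acc210c992d33334e6710dd Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option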
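--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 624433c4fff092e3aaaff6aa8954eb93e0387c44 Mon Sep 17 00:00:00 2001
+From 2b53482aec037f0747198f19e449f51d921acd30 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes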
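--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 6ba1a4137b4cf1418e2b756f1abae3cc549961ea Mon Sep 17 00:00:00 2001
+From c1248ea6dcbbf5702d65efc1750763f66a97ba19 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf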
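--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From b812c38deda716bc94de2aaa99d6e61a2719c822 Mon Sep 17 00:00:00 2001
+From 87e480b4f405f3249d7f8a912849eb6263456353 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion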
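--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 1bf9a6bfb80250544b8ff1d50c94a4c851d9fb2e Mon Sep 17 00:00:00 2001
+From 7ea8a3c1e0c2ff4998b3fe3caaaba8ff42e513ff Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script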
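--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From c5aacd35abd57633871aa81af2e089deb5f72aab Mon Sep 17 00:00:00 2001
+From 0327e9b3a5f6d1e945f1f028e742e14cf5823962 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon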
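--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 40ab38b3f501f3e21662f0294eef06789605c5f8 Mon Sep 17 00:00:00 2001
+From 48fbb156bdc676fb6ba6817770e4e971fbf85b1f Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
 security history.
 
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2016-12-28
+Last-Updated: 2017-01-16
 
 Patch-Name: gssapi.patch
 ---
@@ -50,13 +50,13 @@ Patch-Name: gssapi.patch
 ssh-gss.h | 41 ++++++-
 ssh_config | 2 +
 ssh_config.5 | 32 ++++++
-sshconnect2.c | 122 +++++++++++++++++++-
+sshconnect2.c | 131 ++++++++++++++++++++-
 sshd.c | 112 +++++++++++++++++-
 sshd_config | 2 +
 sshd_config.5 | 10 ++
 sshkey.c | 3 +-
 sshkey.h | 1 +
-35 files changed, 2053 insertions(+), 148 deletions(-)
+35 files changed, 2062 insertions(+), 148 deletions(-)
 create mode 100644 ChangeLog.gssapi
 create mode 100644 kexgssc.c
 create mode 100644 kexgsss.c
@@ -2843,7 +2843,7 @@ index 591365f3..a7703fc7 100644
 Indicates that
 .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 103a2b36..d534e619 100644
+index 103a2b36..c35a0bd5 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2858,7 +2858,7 @@ index 103a2b36..d534e619 100644
 xxx_host = host;
 xxx_hostaddr = hostaddr;
 
-@@ -192,6 +197,36 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -192,6 +197,35 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 order_hostkeyalgs(host, hostaddr, port));
 }
 
@@ -2887,7 +2887,6 @@ index 103a2b36..d534e619 100644
 + orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 + xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
 + "%s,null", orig);
-+ free(gss);
 + }
 + }
 +#endif
@@ -2895,7 +2894,7 @@ index 103a2b36..d534e619 100644
 if (options.rekey_limit || options.rekey_interval)
 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 (time_t)options.rekey_interval);
-@@ -213,10 +248,26 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -213,15 +247,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 # endif
 #endif
 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2922,7 +2921,22 @@ index 103a2b36..d534e619 100644
 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
 
 /* remove ext-info from the KEX proposals for rekeying */
-@@ -311,6 +362,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
+myproposal[PROPOSAL_KEX_ALGS] =
+compat_kex_proposal(options.kex_algorithms);
++#ifdef GSSAPI
++ /* repair myproposal after it was crumpled by the */
++ /* ext-info removal above */
++ if (gss) {
++ orig = myproposal[PROPOSAL_KEX_ALGS];
++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
++ "%s,%s", gss, orig);
++ free(gss);
++ }
++#endif
+if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
+fatal("kex_prop2buf: %s", ssh_err(r));
+
+@@ -311,6 +371,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
 int input_gssapi_hash(int type, u_int32_t, void *);
 int input_gssapi_error(int, u_int32_t, void *);
 int input_gssapi_errtok(int, u_int32_t, void *);
@@ -2930,7 +2944,7 @@ index 103a2b36..d534e619 100644
 #endif
 
 void userauth(Authctxt *, char *);
-@@ -327,6 +379,11 @@ static char *authmethods_get(void);
+@@ -327,6 +388,11 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -2942,7 +2956,7 @@ index 103a2b36..d534e619 100644
 {"gssapi-with-mic",
 userauth_gssapi,
 NULL,
-@@ -652,25 +709,40 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -652,25 +718,40 @@ userauth_gssapi(Authctxt *authctxt)
 static u_int mech = 0;
 OM_uint32 min;
 int ok = 0;
@@ -2985,7 +2999,7 @@ index 103a2b36..d534e619 100644
 if (!ok)
 return 0;
 
-@@ -761,8 +833,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -761,8 +842,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
 Authctxt *authctxt = ctxt;
 Gssctxt *gssctxt;
@@ -2996,7 +3010,7 @@ index 103a2b36..d534e619 100644
 
 if (authctxt == NULL)
 fatal("input_gssapi_response: no authentication context");
-@@ -875,6 +947,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+@@ -875,6 +956,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 free(lang);
 return 0;
 }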
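--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 2336e779d7f90c0574ae8632584d3f9c3e06c4b1 Mon Sep 17 00:00:00 2001
+From 9078d9722d24a42b8f86621d20a6a6b42ba18d37 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions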
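--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 432a9b5cd1f63c4c1dc678cc0916819bc57280bc Mon Sep 17 00:00:00 2001
+From 360c4ebd14706887879f1c6d542cd092afffb07b Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning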
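--- a/debian/patches/no-dsa-host-key-by-default.patch
+++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -1,4 +1,4 @@
-From 79d4110c92f82de854b10b2d96df9daaaaeaec3a Mon Sep 17 00:00:00 2001
+From 3f1016b4535faf6e48aa71e21569aa714a25193f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 16 Jan 2017 13:53:04 +0000
 Subject: Remove ssh_host_dsa_key from HostKey default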
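--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 3dc476595ed1850596f833153fde8ce166ff13f8 Mon Sep 17 00:00:00 2001
+From 48c127fe8f40037d0f33efa8da19cb32514b440e Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version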
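--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 807a8417d6f3c3203024ed8c026a1f79ace12ecb Mon Sep 17 00:00:00 2001
+From 4badfe75ad62ee50394afa9aaac62b3465fd384e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages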
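--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 9d2f9a1fb49b3d3c73a654e1b4aae6e26ad23075 Mon Sep 17 00:00:00 2001
+From c89c88a0bcada4616262e3d7d9b165aca709927b Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification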
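--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 466cba7557bc735e09e9b362582ebbc7785cbcd0 Mon Sep 17 00:00:00 2001
+From 71809791262478c78d1db2ca1004604c39db8150 Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"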
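--- a/debian/patches/regress-forwarding-race.patch
+++ b/debian/patches/regress-forwarding-race.patch
@@ -1,4 +1,4 @@
-From d225c4fe44ad94a30a5033e58594f2bebaa674f2 Mon Sep 17 00:00:00 2001
+From 166f04046035ffca27c820649df360eaa5dd1b99 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 2 Jan 2017 14:55:16 +0000
 Subject: Fix race conditions in forwarding tests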
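--- a/debian/patches/regress-integrity-robust.patch
+++ b/debian/patches/regress-integrity-robust.patch
@@ -1,4 +1,4 @@
-From ada7edd8b4ec246a0c1c283c5e5956f09d503fbd Mon Sep 17 00:00:00 2001
+From 7ce93c802065cd926e7cbfd10e629f3a2d352301 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 1 Jan 2017 15:21:10 +0000
 Subject: Make integrity tests more robust against timeouts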
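--- a/debian/patches/regress-mktemp.patch
+++ b/debian/patches/regress-mktemp.patch
@@ -1,4 +1,4 @@
-From cc50ca70e3b438577c33a85147e2a68666deaad9 Mon Sep 17 00:00:00 2001
+From 6ca09916439a58f0789deb79960ee5defc05a946 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 3 Jan 2017 12:09:42 +0000
 Subject: Create mux socket for regress in temp directory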
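--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 10d7583287f2d589da0786819e62a0be5ec9847f Mon Sep 17 00:00:00 2001
+From 5488e924267d7a845fb86a0b6b4db1e340799a5a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support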
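--- a/debian/patches/sandbox-x32-workaround.patch
+++ b/debian/patches/sandbox-x32-workaround.patch
@@ -1,4 +1,4 @@
-From e346421ca6852fbf9f95cf0e764ecc345e5ce21d Mon Sep 17 00:00:00 2001
+From 8c1a0893f0e55a793071af9734d2fa2eb1f3a2a6 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 3 Jan 2017 14:01:56 +0000
 Subject: Work around clock_gettime kernel bug on Linux x32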
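--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 5362ffb871dbb4ca9f19f25756eee0a88cd177e8 Mon Sep 17 00:00:00 2001
+From cfc11fb9604f8049957a409ff0835f642a047496 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode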
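--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From ef3ee35a1061c563f2c32ab13f77324b6372e8be Mon Sep 17 00:00:00 2001
+From a01822fe1c50668ef7918dfd28b1c7e88ff16254 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles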
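--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From fa35a4226bf7f9e4c3fa6b6be06d1a38a58bd162 Mon Sep 17 00:00:00 2001
+From 5ec0d5f79166a7e2aeab5c7f13d64bb08c4621bd Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand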
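--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 78a2f42f1ae8a81e2a229405273b2c1369667b5c Mon Sep 17 00:00:00 2001
+From 218ecbc433b69b8584000380626a9d9aa31c095b Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP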
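--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 76b2e45116ded18137a30406cf5f22b11b9feeab Mon Sep 17 00:00:00 2001
+From 0ae30d0171b789953318670ac8679127ddfb3cd1 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)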
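--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From e11b941efd85f5b55c055eb11511c7bbb6464b5f Mon Sep 17 00:00:00 2001
+From e39339d49d1b05e1db45c6420d7e6da29cf483dc Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)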
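--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 8bdb2e6f613ad62c3aa781ba6cb7088ee16a6dfd Mon Sep 17 00:00:00 2001
+From ffecece153b7caedf997dccf17747633675631fd Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options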
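--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From ed3f2695800c03da18c36191aefd27d554bf052e Mon Sep 17 00:00:00 2001
+From f4d9efefeae948e1e00212bf9702245c3c51c8c5 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility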
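--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From a7e11f49e8d6dfe6b44b24960af5e112cd953ae7 Mon Sep 17 00:00:00 2001
+From 0fd4134a3ef467e1e69db5b19b7903cf306ec64b Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support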
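--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 5ba9e0eff0a725c4d616f296c6449fe3dbe0bdcf Mon Sep 17 00:00:00 2001
+From c20ad02ad58a523c6f4974e1ca124e71b7b801b1 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability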
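--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -222,7 +222,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
 "%s,null", orig);
-free(gss);
 }
 }
 #endif
@@ -273,6 +272,16 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 /* remove ext-info from the KEX proposals for rekeying */
 myproposal[PROPOSAL_KEX_ALGS] =
 compat_kex_proposal(options.kex_algorithms);
+#ifdef GSSAPI
+/* repair myproposal after it was crumpled by the */
+/* ext-info removal above */
+if (gss) {
+orig = myproposal[PROPOSAL_KEX_ALGS];
+xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+"%s,%s", gss, orig);
+free(gss);
+}
+#endif
 if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
 fatal("kex_prop2buf: %s", ssh_err(r));
 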
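Review bot: The new `if (gss)` test after the `compat_kex_proposal` call is only sound if `gss` is NULL whenever GSSAPI key exchange was not set up, and the declaration of `gss` lies outside both hunks, so its initialisation should be confirmed now that the pointer is also consulted after the initial exchange. After `free(gss);` the pointer is left dangling while `ssh_kex2` continues past the end of the hunk; adding `gss = NULL;` on the following line makes any later use fail predictably. The string saved in `orig` is dropped once `xasprintf` stores its result, and whether that is a leak depends on the ownership of the value `compat_kex_proposal` returns, which is not visible here. The two one-line comments would also read better as one comment that names what is restored, e.g. `/* re-add the GSSAPI kex names: the rebuild above starts from options.kex_algorithms */`.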