author | Colin Watson <cjwatson@debian.org> | 2016-12-28 20:01:00 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-12-28 20:05:23 +0000 |
commit | 31ed1f715e4c1dd986c32b8c5e6687c185258db9 (patch) | |
tree | 42c51fb237be95e29bf4dd3b7edf9d77c5426522 | |
parent | 158b8db3ae5525e6c55368e7baadf4a7527b16be (diff) | |
parent | 624433c4fff092e3aaaff6aa8954eb93e0387c44 (diff) |
Avoid calling into Kerberos libraries from ssh_gssapi_server_mechanisms in the privsep monitor.
30 files changed, 68 insertions, 59 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index 7a3e2e900..252076632 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
@@ -1,6 +1,6 @@ | |||
1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
2 | 41265d4fa6f5946719155a08a19717a4ca229454 | 2 | 624433c4fff092e3aaaff6aa8954eb93e0387c44 |
3 | 41265d4fa6f5946719155a08a19717a4ca229454 | 3 | 624433c4fff092e3aaaff6aa8954eb93e0387c44 |
4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
6 | openssh_7.4p1.orig.tar.gz | 6 | openssh_7.4p1.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 3e93967b2..1752adb3d 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -2,6 +2,8 @@ openssh (1:7.4p1-2) UNRELEASED; urgency=medium | |||
2 | 2 | ||
3 | * Attempt to hack around regress/forwarding.sh test failure in some | 3 | * Attempt to hack around regress/forwarding.sh test failure in some |
4 | environments. | 4 | environments. |
5 | * Avoid calling into Kerberos libraries from ssh_gssapi_server_mechanisms | ||
6 | in the privsep monitor. | ||
5 | 7 | ||
6 | -- Colin Watson <cjwatson@debian.org> Wed, 28 Dec 2016 19:46:57 +0000 | 8 | -- Colin Watson <cjwatson@debian.org> Wed, 28 Dec 2016 19:46:57 +0000 |
7 | 9 | ||
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index d025cf7eb..0f46b253b 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f7088f0a3d04473cfdcf11fe6b084b81beb7041c Mon Sep 17 00:00:00 2001 | 1 | From 46602f789c947e6af524d0b4c9774faf3dd073d0 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 |
4 | Subject: Quieten logs when multiple from= restrictions are used | 4 | Subject: Quieten logs when multiple from= restrictions are used |
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index dcfd8b403..2bee50ff1 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0290fd6980eaefa222cc39b6a4871be0a8c72a7d Mon Sep 17 00:00:00 2001 | 1 | From 300ba52e4888c6ee488eb8d4cd8fcb9936c420be Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 20ceefe9c..afca1f120 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 541f4f5664934bccc96a9b7a2a7e957ce2cff6af Mon Sep 17 00:00:00 2001 | 1 | From c32eb5bc49794211d9c093694b960480d0f9c6cf Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -80,7 +80,7 @@ index 90dfa4c2..913a21b3 100644 | |||
80 | 80 | ||
81 | /* Information about the incoming connection as used by Match */ | 81 | /* Information about the incoming connection as used by Match */ |
82 | diff --git a/sshd.c b/sshd.c | 82 | diff --git a/sshd.c b/sshd.c |
83 | index 39e4699c..747beec8 100644 | 83 | index 49f3a2e5..eebf1984 100644 |
84 | --- a/sshd.c | 84 | --- a/sshd.c |
85 | +++ b/sshd.c | 85 | +++ b/sshd.c |
86 | @@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | 86 | @@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 9b46e1392..e1555494a 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 41265d4fa6f5946719155a08a19717a4ca229454 Mon Sep 17 00:00:00 2001 | 1 | From 624433c4fff092e3aaaff6aa8954eb93e0387c44 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index 18a16fb6d..9bf19dcf8 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From de4a8d3eaf773015b6d725c9c682430325a14b0e Mon Sep 17 00:00:00 2001 | 1 | From 6ba1a4137b4cf1418e2b756f1abae3cc549961ea Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 |
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | 4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf |
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 76f9ae4f9..2ab099d96 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 934c9a5c1689c7ce4b78dee3f65c30f53e41ec81 Mon Sep 17 00:00:00 2001 | 1 | From b812c38deda716bc94de2aaa99d6e61a2719c822 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch index 54f99e662..7d053e8ef 100644 --- a/debian/patches/doc-upstart.patch +++ b/debian/patches/doc-upstart.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c8d763aeef5f450e55172ff2374e0b9abb3f08a9 Mon Sep 17 00:00:00 2001 | 1 | From 1bf9a6bfb80250544b8ff1d50c94a4c851d9fb2e Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 |
4 | Subject: Refer to ssh's Upstart job as well as its init script | 4 | Subject: Refer to ssh's Upstart job as well as its init script |
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch index ec7647c6d..f36a851a0 100644 --- a/debian/patches/gnome-ssh-askpass2-icon.patch +++ b/debian/patches/gnome-ssh-askpass2-icon.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7e6bb45ce4ead0e3256d1741e0020bc5d4e6a09b Mon Sep 17 00:00:00 2001 | 1 | From c5aacd35abd57633871aa81af2e089deb5f72aab Mon Sep 17 00:00:00 2001 |
2 | From: Vincent Untz <vuntz@ubuntu.com> | 2 | From: Vincent Untz <vuntz@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 |
4 | Subject: Give the ssh-askpass-gnome window a default icon | 4 | Subject: Give the ssh-askpass-gnome window a default icon |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index ea56167d7..57def8057 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9f717de15a8e113f7c6a3db52d75ce0172885f95 Mon Sep 17 00:00:00 2001 | 1 | From 40ab38b3f501f3e21662f0294eef06789605c5f8 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2016-08-07 | 20 | Last-Updated: 2016-12-28 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
@@ -34,7 +34,7 @@ Patch-Name: gssapi.patch | |||
34 | configure.ac | 24 ++++ | 34 | configure.ac | 24 ++++ |
35 | gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++++++++- | 35 | gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++++++++- |
36 | gss-serv-krb5.c | 85 ++++++++++++-- | 36 | gss-serv-krb5.c | 85 ++++++++++++-- |
37 | gss-serv.c | 185 +++++++++++++++++++++++++++--- | 37 | gss-serv.c | 184 +++++++++++++++++++++++++++--- |
38 | kex.c | 19 ++++ | 38 | kex.c | 19 ++++ |
39 | kex.h | 14 +++ | 39 | kex.h | 14 +++ |
40 | kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 40 | kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
@@ -51,12 +51,12 @@ Patch-Name: gssapi.patch | |||
51 | ssh_config | 2 + | 51 | ssh_config | 2 + |
52 | ssh_config.5 | 32 ++++++ | 52 | ssh_config.5 | 32 ++++++ |
53 | sshconnect2.c | 122 +++++++++++++++++++- | 53 | sshconnect2.c | 122 +++++++++++++++++++- |
54 | sshd.c | 110 ++++++++++++++++++ | 54 | sshd.c | 112 +++++++++++++++++- |
55 | sshd_config | 2 + | 55 | sshd_config | 2 + |
56 | sshd_config.5 | 10 ++ | 56 | sshd_config.5 | 10 ++ |
57 | sshkey.c | 3 +- | 57 | sshkey.c | 3 +- |
58 | sshkey.h | 1 + | 58 | sshkey.h | 1 + |
59 | 35 files changed, 2053 insertions(+), 147 deletions(-) | 59 | 35 files changed, 2053 insertions(+), 148 deletions(-) |
60 | create mode 100644 ChangeLog.gssapi | 60 | create mode 100644 ChangeLog.gssapi |
61 | create mode 100644 kexgssc.c | 61 | create mode 100644 kexgssc.c |
62 | create mode 100644 kexgsss.c | 62 | create mode 100644 kexgsss.c |
@@ -1162,7 +1162,7 @@ index 795992d9..fd8b3718 100644 | |||
1162 | 1162 | ||
1163 | #endif /* KRB5 */ | 1163 | #endif /* KRB5 */ |
1164 | diff --git a/gss-serv.c b/gss-serv.c | 1164 | diff --git a/gss-serv.c b/gss-serv.c |
1165 | index 53993d67..2f6baf70 100644 | 1165 | index 53993d67..2e27cbf9 100644 |
1166 | --- a/gss-serv.c | 1166 | --- a/gss-serv.c |
1167 | +++ b/gss-serv.c | 1167 | +++ b/gss-serv.c |
1168 | @@ -1,7 +1,7 @@ | 1168 | @@ -1,7 +1,7 @@ |
@@ -1199,17 +1199,16 @@ index 53993d67..2f6baf70 100644 | |||
1199 | 1199 | ||
1200 | #ifdef KRB5 | 1200 | #ifdef KRB5 |
1201 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 1201 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
1202 | @@ -142,6 +147,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | 1202 | @@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) |
1203 | } | 1203 | } |
1204 | 1204 | ||
1205 | /* Unprivileged */ | 1205 | /* Unprivileged */ |
1206 | +char * | 1206 | +char * |
1207 | +ssh_gssapi_server_mechanisms(void) { | 1207 | +ssh_gssapi_server_mechanisms(void) { |
1208 | + gss_OID_set supported; | 1208 | + if (supported_oids == NULL) |
1209 | + | 1209 | + ssh_gssapi_prepare_supported_oids(); |
1210 | + ssh_gssapi_supported_oids(&supported); | 1210 | + return (ssh_gssapi_kex_mechs(supported_oids, |
1211 | + return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, | 1211 | + &ssh_gssapi_server_check_mech, NULL, NULL)); |
1212 | + NULL, NULL)); | ||
1213 | +} | 1212 | +} |
1214 | + | 1213 | + |
1215 | +/* Unprivileged */ | 1214 | +/* Unprivileged */ |
@@ -1229,7 +1228,7 @@ index 53993d67..2f6baf70 100644 | |||
1229 | void | 1228 | void |
1230 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1229 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1231 | { | 1230 | { |
1232 | @@ -151,7 +179,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1231 | @@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1233 | gss_OID_set supported; | 1232 | gss_OID_set supported; |
1234 | 1233 | ||
1235 | gss_create_empty_oid_set(&min_status, oidset); | 1234 | gss_create_empty_oid_set(&min_status, oidset); |
@@ -1240,7 +1239,7 @@ index 53993d67..2f6baf70 100644 | |||
1240 | 1239 | ||
1241 | while (supported_mechs[i]->name != NULL) { | 1240 | while (supported_mechs[i]->name != NULL) { |
1242 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | 1241 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, |
1243 | @@ -277,8 +307,48 @@ OM_uint32 | 1242 | @@ -277,8 +306,48 @@ OM_uint32 |
1244 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1243 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1245 | { | 1244 | { |
1246 | int i = 0; | 1245 | int i = 0; |
@@ -1290,7 +1289,7 @@ index 53993d67..2f6baf70 100644 | |||
1290 | 1289 | ||
1291 | client->mech = NULL; | 1290 | client->mech = NULL; |
1292 | 1291 | ||
1293 | @@ -293,6 +363,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1292 | @@ -293,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1294 | if (client->mech == NULL) | 1293 | if (client->mech == NULL) |
1295 | return GSS_S_FAILURE; | 1294 | return GSS_S_FAILURE; |
1296 | 1295 | ||
@@ -1304,7 +1303,7 @@ index 53993d67..2f6baf70 100644 | |||
1304 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | 1303 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, |
1305 | &client->displayname, NULL))) { | 1304 | &client->displayname, NULL))) { |
1306 | ssh_gssapi_error(ctx); | 1305 | ssh_gssapi_error(ctx); |
1307 | @@ -310,6 +387,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1306 | @@ -310,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1308 | return (ctx->major); | 1307 | return (ctx->major); |
1309 | } | 1308 | } |
1310 | 1309 | ||
@@ -1313,7 +1312,7 @@ index 53993d67..2f6baf70 100644 | |||
1313 | /* We can't copy this structure, so we just move the pointer to it */ | 1312 | /* We can't copy this structure, so we just move the pointer to it */ |
1314 | client->creds = ctx->client_creds; | 1313 | client->creds = ctx->client_creds; |
1315 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | 1314 | ctx->client_creds = GSS_C_NO_CREDENTIAL; |
1316 | @@ -357,7 +436,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) | 1315 | @@ -357,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) |
1317 | 1316 | ||
1318 | /* Privileged */ | 1317 | /* Privileged */ |
1319 | int | 1318 | int |
@@ -1322,7 +1321,7 @@ index 53993d67..2f6baf70 100644 | |||
1322 | { | 1321 | { |
1323 | OM_uint32 lmin; | 1322 | OM_uint32 lmin; |
1324 | 1323 | ||
1325 | @@ -367,9 +446,11 @@ ssh_gssapi_userok(char *user) | 1324 | @@ -367,9 +445,11 @@ ssh_gssapi_userok(char *user) |
1326 | return 0; | 1325 | return 0; |
1327 | } | 1326 | } |
1328 | if (gssapi_client.mech && gssapi_client.mech->userok) | 1327 | if (gssapi_client.mech && gssapi_client.mech->userok) |
@@ -1336,7 +1335,7 @@ index 53993d67..2f6baf70 100644 | |||
1336 | /* Destroy delegated credentials if userok fails */ | 1335 | /* Destroy delegated credentials if userok fails */ |
1337 | gss_release_buffer(&lmin, &gssapi_client.displayname); | 1336 | gss_release_buffer(&lmin, &gssapi_client.displayname); |
1338 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | 1337 | gss_release_buffer(&lmin, &gssapi_client.exportedname); |
1339 | @@ -383,14 +464,90 @@ ssh_gssapi_userok(char *user) | 1338 | @@ -383,14 +463,90 @@ ssh_gssapi_userok(char *user) |
1340 | return (0); | 1339 | return (0); |
1341 | } | 1340 | } |
1342 | 1341 | ||
@@ -3047,7 +3046,7 @@ index 103a2b36..d534e619 100644 | |||
3047 | 3046 | ||
3048 | int | 3047 | int |
3049 | diff --git a/sshd.c b/sshd.c | 3048 | diff --git a/sshd.c b/sshd.c |
3050 | index 1dc4d182..ec2cf976 100644 | 3049 | index 1dc4d182..0970f297 100644 |
3051 | --- a/sshd.c | 3050 | --- a/sshd.c |
3052 | +++ b/sshd.c | 3051 | +++ b/sshd.c |
3053 | @@ -123,6 +123,10 @@ | 3052 | @@ -123,6 +123,10 @@ |
@@ -3061,6 +3060,15 @@ index 1dc4d182..ec2cf976 100644 | |||
3061 | /* Re-exec fds */ | 3060 | /* Re-exec fds */ |
3062 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 3061 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
3063 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 3062 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
3063 | @@ -531,7 +535,7 @@ privsep_preauth_child(void) | ||
3064 | |||
3065 | #ifdef GSSAPI | ||
3066 | /* Cache supported mechanism OIDs for later use */ | ||
3067 | - if (options.gss_authentication) | ||
3068 | + if (options.gss_authentication || options.gss_keyex) | ||
3069 | ssh_gssapi_prepare_supported_oids(); | ||
3070 | #endif | ||
3071 | |||
3064 | @@ -1705,10 +1709,13 @@ main(int ac, char **av) | 3072 | @@ -1705,10 +1709,13 @@ main(int ac, char **av) |
3065 | key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); | 3073 | key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); |
3066 | free(fp); | 3074 | free(fp); |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index 4db3caa5a..36497da1d 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0bdc6351d8a32c33e65542617c71da8ddcdeb331 Mon Sep 17 00:00:00 2001 | 1 | From 2336e779d7f90c0574ae8632584d3f9c3e06c4b1 Mon Sep 17 00:00:00 2001 |
2 | From: Richard Kettlewell <rjk@greenend.org.uk> | 2 | From: Richard Kettlewell <rjk@greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 |
4 | Subject: Various keepalive extensions | 4 | Subject: Various keepalive extensions |
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch index 0cfee84e5..b097627b8 100644 --- a/debian/patches/mention-ssh-keygen-on-keychange.patch +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 04923a79cca487e1295685638a6113dbe5ec54bd Mon Sep 17 00:00:00 2001 | 1 | From 432a9b5cd1f63c4c1dc678cc0916819bc57280bc Mon Sep 17 00:00:00 2001 |
2 | From: Scott Moser <smoser@ubuntu.com> | 2 | From: Scott Moser <smoser@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 |
4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning | 4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning |
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch index af5caaa99..495da970f 100644 --- a/debian/patches/no-openssl-version-status.patch +++ b/debian/patches/no-openssl-version-status.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 85a592345eb1c86e918f08643b8b48aee69aec63 Mon Sep 17 00:00:00 2001 | 1 | From 3dc476595ed1850596f833153fde8ce166ff13f8 Mon Sep 17 00:00:00 2001 |
2 | From: Kurt Roeckx <kurt@roeckx.be> | 2 | From: Kurt Roeckx <kurt@roeckx.be> |
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 |
4 | Subject: Don't check the status field of the OpenSSL version | 4 | Subject: Don't check the status field of the OpenSSL version |
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index 50f5db1ae..f4cef1af6 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f16966d39a328b5f6461343d088f863c8cf2a2d4 Mon Sep 17 00:00:00 2001 | 1 | From 807a8417d6f3c3203024ed8c026a1f79ace12ecb Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index 0b46869c9..678fb551d 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From bfc81c7380b71bd5c0e841e8bd16bfc726a43603 Mon Sep 17 00:00:00 2001 | 1 | From 9d2f9a1fb49b3d3c73a654e1b4aae6e26ad23075 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -36,7 +36,7 @@ index 1cc556e8..c64c51bb 100644 | |||
36 | if (atomicio(vwrite, connection_out, client_version_string, | 36 | if (atomicio(vwrite, connection_out, client_version_string, |
37 | strlen(client_version_string)) != strlen(client_version_string)) | 37 | strlen(client_version_string)) != strlen(client_version_string)) |
38 | diff --git a/sshd.c b/sshd.c | 38 | diff --git a/sshd.c b/sshd.c |
39 | index 5a3f796d..39e4699c 100644 | 39 | index 9aab36c3..49f3a2e5 100644 |
40 | --- a/sshd.c | 40 | --- a/sshd.c |
41 | +++ b/sshd.c | 41 | +++ b/sshd.c |
42 | @@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | 42 | @@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index ab94faecc..89c47e308 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 68d399525871ecd1a2837f04045581a2774ba4bb Mon Sep 17 00:00:00 2001 | 1 | From 466cba7557bc735e09e9b362582ebbc7785cbcd0 Mon Sep 17 00:00:00 2001 |
2 | From: Peter Samuelson <peter@p12n.org> | 2 | From: Peter Samuelson <peter@p12n.org> |
3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 |
4 | Subject: Reduce severity of "Killed by signal %d" | 4 | Subject: Reduce severity of "Killed by signal %d" |
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch index e41b99d6e..dc9fec5fd 100644 --- a/debian/patches/restore-tcp-wrappers.patch +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6a15c9b672c5833f21ed7e0cea3a25dd8de966c4 Mon Sep 17 00:00:00 2001 | 1 | From 10d7583287f2d589da0786819e62a0be5ec9847f Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | 3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 |
4 | Subject: Restore TCP wrappers support | 4 | Subject: Restore TCP wrappers support |
@@ -128,7 +128,7 @@ index 41fc5051..c6784602 100644 | |||
128 | .Xr moduli 5 , | 128 | .Xr moduli 5 , |
129 | .Xr sshd_config 5 , | 129 | .Xr sshd_config 5 , |
130 | diff --git a/sshd.c b/sshd.c | 130 | diff --git a/sshd.c b/sshd.c |
131 | index ec2cf976..4f791b92 100644 | 131 | index 0970f297..72d85de1 100644 |
132 | --- a/sshd.c | 132 | --- a/sshd.c |
133 | +++ b/sshd.c | 133 | +++ b/sshd.c |
134 | @@ -127,6 +127,13 @@ | 134 | @@ -127,6 +127,13 @@ |
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index aad0e6b50..7aa44ac8f 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 630c67159398218379b51112ce708fc4f208f903 Mon Sep 17 00:00:00 2001 | 1 | From 5362ffb871dbb4ca9f19f25756eee0a88cd177e8 Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 9ab9394b3..a09f8c82d 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5e4ebd6472d995738a2c67d618c4bd1ee2c00968 Mon Sep 17 00:00:00 2001 | 1 | From ef3ee35a1061c563f2c32ab13f77324b6372e8be Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -426,7 +426,7 @@ index 98e1dafe..0a31dce4 100644 | |||
426 | const char *value); | 426 | const char *value); |
427 | 427 | ||
428 | diff --git a/sshd.c b/sshd.c | 428 | diff --git a/sshd.c b/sshd.c |
429 | index 4f791b92..5a3f796d 100644 | 429 | index 72d85de1..9aab36c3 100644 |
430 | --- a/sshd.c | 430 | --- a/sshd.c |
431 | +++ b/sshd.c | 431 | +++ b/sshd.c |
432 | @@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt) | 432 | @@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt) |
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 5c609f373..7e522ff17 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 62a564b1f2f9cb086a3618c6df4113a4d9dbe273 Mon Sep 17 00:00:00 2001 | 1 | From fa35a4226bf7f9e4c3fa6b6be06d1a38a58bd162 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch index b82b21afe..7a62bce5e 100644 --- a/debian/patches/sigstop.patch +++ b/debian/patches/sigstop.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e6e10c563bbe69426d5074b0b97e2a9b0b4b3b49 Mon Sep 17 00:00:00 2001 | 1 | From 78a2f42f1ae8a81e2a229405273b2c1369667b5c Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 |
4 | Subject: Support synchronisation with service supervisor using SIGSTOP | 4 | Subject: Support synchronisation with service supervisor using SIGSTOP |
@@ -13,7 +13,7 @@ Patch-Name: sigstop.patch | |||
13 | 1 file changed, 10 insertions(+) | 13 | 1 file changed, 10 insertions(+) |
14 | 14 | ||
15 | diff --git a/sshd.c b/sshd.c | 15 | diff --git a/sshd.c b/sshd.c |
16 | index 747beec8..414e19ee 100644 | 16 | index eebf1984..b6826c84 100644 |
17 | --- a/sshd.c | 17 | --- a/sshd.c |
18 | +++ b/sshd.c | 18 | +++ b/sshd.c |
19 | @@ -1878,6 +1878,16 @@ main(int ac, char **av) | 19 | @@ -1878,6 +1878,16 @@ main(int ac, char **av) |
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index 73d48641f..f61725049 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 135f35985c55d9734dcd61cf159d3e7916b95b60 Mon Sep 17 00:00:00 2001 | 1 | From 76b2e45116ded18137a30406cf5f22b11b9feeab Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index 983a4fc67..5ea2fb243 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4476fe4e30c33c250ddd6bd01e644979f10acd25 Mon Sep 17 00:00:00 2001 | 1 | From e11b941efd85f5b55c055eb11511c7bbb6464b5f Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index 29a876cd8..2398598f5 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 01e8999cc86a0b2ffed5f98abed624b0e7c2707f Mon Sep 17 00:00:00 2001 | 1 | From 8bdb2e6f613ad62c3aa781ba6cb7088ee16a6dfd Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index d6a5707d4..a8eeb7ebc 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From bdc8262449eefe39f2dc4ddcbb44b84ddade4cd3 Mon Sep 17 00:00:00 2001 | 1 | From ed3f2695800c03da18c36191aefd27d554bf052e Mon Sep 17 00:00:00 2001 |
2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> | 2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch index 0a8ff5d9c..a5a543596 100644 --- a/debian/patches/systemd-readiness.patch +++ b/debian/patches/systemd-readiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c95bb2c6a018688e44481bf1d199607db567fd9e Mon Sep 17 00:00:00 2001 | 1 | From a7e11f49e8d6dfe6b44b24960af5e112cd953ae7 Mon Sep 17 00:00:00 2001 |
2 | From: Michael Biebl <biebl@debian.org> | 2 | From: Michael Biebl <biebl@debian.org> |
3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 | 3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 |
4 | Subject: Add systemd readiness notification support | 4 | Subject: Add systemd readiness notification support |
@@ -56,7 +56,7 @@ index 4747ce4a..9f59794b 100644 | |||
56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | 56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
57 | echo " BSD Auth support: $BSD_AUTH_MSG" | 57 | echo " BSD Auth support: $BSD_AUTH_MSG" |
58 | diff --git a/sshd.c b/sshd.c | 58 | diff --git a/sshd.c b/sshd.c |
59 | index 414e19ee..8b793480 100644 | 59 | index b6826c84..027daa9d 100644 |
60 | --- a/sshd.c | 60 | --- a/sshd.c |
61 | +++ b/sshd.c | 61 | +++ b/sshd.c |
62 | @@ -85,6 +85,10 @@ | 62 | @@ -85,6 +85,10 @@ |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 1a6194544..ee5c38c23 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 47c946434c6e99ff9da531cfcafb051e38e79ff8 Mon Sep 17 00:00:00 2001 | 1 | From 5ba9e0eff0a725c4d616f296c6449fe3dbe0bdcf Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
diff --git a/gss-serv.c b/gss-serv.c index 2f6baf70d..2e27cbf9c 100644 --- a/gss-serv.c +++ b/gss-serv.c | |||
@@ -149,11 +149,10 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | |||
149 | /* Unprivileged */ | 149 | /* Unprivileged */ |
150 | char * | 150 | char * |
151 | ssh_gssapi_server_mechanisms(void) { | 151 | ssh_gssapi_server_mechanisms(void) { |
152 | gss_OID_set supported; | 152 | if (supported_oids == NULL) |
153 | 153 | ssh_gssapi_prepare_supported_oids(); | |
154 | ssh_gssapi_supported_oids(&supported); | 154 | return (ssh_gssapi_kex_mechs(supported_oids, |
155 | return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, | 155 | &ssh_gssapi_server_check_mech, NULL, NULL)); |
156 | NULL, NULL)); | ||
157 | } | 156 | } |
158 | 157 | ||
159 | /* Unprivileged */ | 158 | /* Unprivileged */ |
@@ -547,7 +547,7 @@ privsep_preauth_child(void) | |||
547 | 547 | ||
548 | #ifdef GSSAPI | 548 | #ifdef GSSAPI |
549 | /* Cache supported mechanism OIDs for later use */ | 549 | /* Cache supported mechanism OIDs for later use */ |
550 | if (options.gss_authentication) | 550 | if (options.gss_authentication || options.gss_keyex) |
551 | ssh_gssapi_prepare_supported_oids(); | 551 | ssh_gssapi_prepare_supported_oids(); |
552 | #endif | 552 | #endif |
553 | 553 | ||
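Review bot: The NULL fallback at new line 152 still calls ssh_gssapi_prepare_supported_oids(), which presumably reaches the GSSAPI/Kerberos library just as the replaced ssh_gssapi_supported_oids() path did, so the monitor only stops calling into Kerberos if supported_oids has already been primed in that process; the priming extended at line 550 is in privsep_preauth_child(), and this page does not show where the monitor side itself primes the cache, so the invariant should be stated on the function, e.g. `/* Callers are expected to have primed supported_oids via ssh_gssapi_prepare_supported_oids(); the NULL fallback still calls into the GSSAPI library. */`. On the plus side the removed local `supported` set was never released, so using the cached set also closes that leak. The second hunk names privsep_preauth_child() as its context, which belongs to sshd.c rather than gss-serv.c, so its file header appears to have been lost in rendering. The same two changes are carried in debian/patches/gssapi.patch above, and any comment added here should be kept in sync there.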