authorColin Watson <cjwatson@debian.org>2016-12-28 20:01:00 +0000
committerColin Watson <cjwatson@debian.org>2016-12-28 20:05:23 +0000
commit31ed1f715e4c1dd986c32b8c5e6687c185258db9 (patch)
tree42c51fb237be95e29bf4dd3b7edf9d77c5426522
parent158b8db3ae5525e6c55368e7baadf4a7527b16be (diff)
parent624433c4fff092e3aaaff6aa8954eb93e0387c44 (diff)
Avoid calling into Kerberos libraries from ssh_gssapi_server_mechanisms in the privsep monitor.
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/auth-log-verbosity.patch2
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch2
-rw-r--r--debian/patches/debian-banner.patch4
-rw-r--r--debian/patches/debian-config.patch2
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch2
-rw-r--r--debian/patches/doc-upstart.patch2
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch48
-rw-r--r--debian/patches/keepalive-extensions.patch2
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch2
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch2
-rw-r--r--debian/patches/package-versioning.patch4
-rw-r--r--debian/patches/quieter-signals.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch4
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/selinux-role.patch4
-rw-r--r--debian/patches/shell-path.patch2
-rw-r--r--debian/patches/sigstop.patch4
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch2
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch2
-rw-r--r--debian/patches/syslog-level-silent.patch2
-rw-r--r--debian/patches/systemd-readiness.patch4
-rw-r--r--debian/patches/user-group-modes.patch2
-rw-r--r--gss-serv.c9
-rw-r--r--sshd.c2
30 files changed, 68 insertions, 59 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 7a3e2e900..252076632 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
241265d4fa6f5946719155a08a19717a4ca229454 2624433c4fff092e3aaaff6aa8954eb93e0387c44
341265d4fa6f5946719155a08a19717a4ca229454 3624433c4fff092e3aaaff6aa8954eb93e0387c44
4971a7653746a6972b907dfe0ce139c06e4a6f482 4971a7653746a6972b907dfe0ce139c06e4a6f482
5971a7653746a6972b907dfe0ce139c06e4a6f482 5971a7653746a6972b907dfe0ce139c06e4a6f482
6openssh_7.4p1.orig.tar.gz 6openssh_7.4p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 3e93967b2..1752adb3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ openssh (1:7.4p1-2) UNRELEASED; urgency=medium
2 2
3 * Attempt to hack around regress/forwarding.sh test failure in some 3 * Attempt to hack around regress/forwarding.sh test failure in some
4 environments. 4 environments.
5 * Avoid calling into Kerberos libraries from ssh_gssapi_server_mechanisms
6 in the privsep monitor.
5 7
6 -- Colin Watson <cjwatson@debian.org> Wed, 28 Dec 2016 19:46:57 +0000 8 -- Colin Watson <cjwatson@debian.org> Wed, 28 Dec 2016 19:46:57 +0000
7 9
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index d025cf7eb..0f46b253b 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
1From f7088f0a3d04473cfdcf11fe6b084b81beb7041c Mon Sep 17 00:00:00 2001 1From 46602f789c947e6af524d0b4c9774faf3dd073d0 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index dcfd8b403..2bee50ff1 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 0290fd6980eaefa222cc39b6a4871be0a8c72a7d Mon Sep 17 00:00:00 2001 1From 300ba52e4888c6ee488eb8d4cd8fcb9936c420be Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 20ceefe9c..afca1f120 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 541f4f5664934bccc96a9b7a2a7e957ce2cff6af Mon Sep 17 00:00:00 2001 1From c32eb5bc49794211d9c093694b960480d0f9c6cf Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -80,7 +80,7 @@ index 90dfa4c2..913a21b3 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index 39e4699c..747beec8 100644 83index 49f3a2e5..eebf1984 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 86@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 9b46e1392..e1555494a 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 41265d4fa6f5946719155a08a19717a4ca229454 Mon Sep 17 00:00:00 2001 1From 624433c4fff092e3aaaff6aa8954eb93e0387c44 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 18a16fb6d..9bf19dcf8 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From de4a8d3eaf773015b6d725c9c682430325a14b0e Mon Sep 17 00:00:00 2001 1From 6ba1a4137b4cf1418e2b756f1abae3cc549961ea Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 76f9ae4f9..2ab099d96 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 934c9a5c1689c7ce4b78dee3f65c30f53e41ec81 Mon Sep 17 00:00:00 2001 1From b812c38deda716bc94de2aaa99d6e61a2719c822 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 54f99e662..7d053e8ef 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
1From c8d763aeef5f450e55172ff2374e0b9abb3f08a9 Mon Sep 17 00:00:00 2001 1From 1bf9a6bfb80250544b8ff1d50c94a4c851d9fb2e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000 3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script 4Subject: Refer to ssh's Upstart job as well as its init script
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index ec7647c6d..f36a851a0 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 7e6bb45ce4ead0e3256d1741e0020bc5d4e6a09b Mon Sep 17 00:00:00 2001 1From c5aacd35abd57633871aa81af2e089deb5f72aab Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index ea56167d7..57def8057 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 9f717de15a8e113f7c6a3db52d75ce0172885f95 Mon Sep 17 00:00:00 2001 1From 40ab38b3f501f3e21662f0294eef06789605c5f8 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2016-08-07 20Last-Updated: 2016-12-28
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
@@ -34,7 +34,7 @@ Patch-Name: gssapi.patch
34 configure.ac | 24 ++++ 34 configure.ac | 24 ++++
35 gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++++++++- 35 gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++++++++-
36 gss-serv-krb5.c | 85 ++++++++++++-- 36 gss-serv-krb5.c | 85 ++++++++++++--
37 gss-serv.c | 185 +++++++++++++++++++++++++++--- 37 gss-serv.c | 184 +++++++++++++++++++++++++++---
38 kex.c | 19 ++++ 38 kex.c | 19 ++++
39 kex.h | 14 +++ 39 kex.h | 14 +++
40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -51,12 +51,12 @@ Patch-Name: gssapi.patch
51 ssh_config | 2 + 51 ssh_config | 2 +
52 ssh_config.5 | 32 ++++++ 52 ssh_config.5 | 32 ++++++
53 sshconnect2.c | 122 +++++++++++++++++++- 53 sshconnect2.c | 122 +++++++++++++++++++-
54 sshd.c | 110 ++++++++++++++++++ 54 sshd.c | 112 +++++++++++++++++-
55 sshd_config | 2 + 55 sshd_config | 2 +
56 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 57 sshkey.c | 3 +-
58 sshkey.h | 1 + 58 sshkey.h | 1 +
59 35 files changed, 2053 insertions(+), 147 deletions(-) 59 35 files changed, 2053 insertions(+), 148 deletions(-)
60 create mode 100644 ChangeLog.gssapi 60 create mode 100644 ChangeLog.gssapi
61 create mode 100644 kexgssc.c 61 create mode 100644 kexgssc.c
62 create mode 100644 kexgsss.c 62 create mode 100644 kexgsss.c
@@ -1162,7 +1162,7 @@ index 795992d9..fd8b3718 100644
1162 1162
1163 #endif /* KRB5 */ 1163 #endif /* KRB5 */
1164diff --git a/gss-serv.c b/gss-serv.c 1164diff --git a/gss-serv.c b/gss-serv.c
1165index 53993d67..2f6baf70 100644 1165index 53993d67..2e27cbf9 100644
1166--- a/gss-serv.c 1166--- a/gss-serv.c
1167+++ b/gss-serv.c 1167+++ b/gss-serv.c
1168@@ -1,7 +1,7 @@ 1168@@ -1,7 +1,7 @@
@@ -1199,17 +1199,16 @@ index 53993d67..2f6baf70 100644
1199 1199
1200 #ifdef KRB5 1200 #ifdef KRB5
1201 extern ssh_gssapi_mech gssapi_kerberos_mech; 1201 extern ssh_gssapi_mech gssapi_kerberos_mech;
1202@@ -142,6 +147,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) 1202@@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
1203 } 1203 }
1204 1204
1205 /* Unprivileged */ 1205 /* Unprivileged */
1206+char * 1206+char *
1207+ssh_gssapi_server_mechanisms(void) { 1207+ssh_gssapi_server_mechanisms(void) {
1208+ gss_OID_set supported; 1208+ if (supported_oids == NULL)
1209+ 1209+ ssh_gssapi_prepare_supported_oids();
1210+ ssh_gssapi_supported_oids(&supported); 1210+ return (ssh_gssapi_kex_mechs(supported_oids,
1211+ return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, 1211+ &ssh_gssapi_server_check_mech, NULL, NULL));
1212+ NULL, NULL));
1213+} 1212+}
1214+ 1213+
1215+/* Unprivileged */ 1214+/* Unprivileged */
@@ -1229,7 +1228,7 @@ index 53993d67..2f6baf70 100644
1229 void 1228 void
1230 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1229 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1231 { 1230 {
1232@@ -151,7 +179,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) 1231@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1233 gss_OID_set supported; 1232 gss_OID_set supported;
1234 1233
1235 gss_create_empty_oid_set(&min_status, oidset); 1234 gss_create_empty_oid_set(&min_status, oidset);
@@ -1240,7 +1239,7 @@ index 53993d67..2f6baf70 100644
1240 1239
1241 while (supported_mechs[i]->name != NULL) { 1240 while (supported_mechs[i]->name != NULL) {
1242 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1241 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1243@@ -277,8 +307,48 @@ OM_uint32 1242@@ -277,8 +306,48 @@ OM_uint32
1244 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1243 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1245 { 1244 {
1246 int i = 0; 1245 int i = 0;
@@ -1290,7 +1289,7 @@ index 53993d67..2f6baf70 100644
1290 1289
1291 client->mech = NULL; 1290 client->mech = NULL;
1292 1291
1293@@ -293,6 +363,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1292@@ -293,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1294 if (client->mech == NULL) 1293 if (client->mech == NULL)
1295 return GSS_S_FAILURE; 1294 return GSS_S_FAILURE;
1296 1295
@@ -1304,7 +1303,7 @@ index 53993d67..2f6baf70 100644
1304 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1303 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1305 &client->displayname, NULL))) { 1304 &client->displayname, NULL))) {
1306 ssh_gssapi_error(ctx); 1305 ssh_gssapi_error(ctx);
1307@@ -310,6 +387,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1306@@ -310,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1308 return (ctx->major); 1307 return (ctx->major);
1309 } 1308 }
1310 1309
@@ -1313,7 +1312,7 @@ index 53993d67..2f6baf70 100644
1313 /* We can't copy this structure, so we just move the pointer to it */ 1312 /* We can't copy this structure, so we just move the pointer to it */
1314 client->creds = ctx->client_creds; 1313 client->creds = ctx->client_creds;
1315 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1314 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1316@@ -357,7 +436,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) 1315@@ -357,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
1317 1316
1318 /* Privileged */ 1317 /* Privileged */
1319 int 1318 int
@@ -1322,7 +1321,7 @@ index 53993d67..2f6baf70 100644
1322 { 1321 {
1323 OM_uint32 lmin; 1322 OM_uint32 lmin;
1324 1323
1325@@ -367,9 +446,11 @@ ssh_gssapi_userok(char *user) 1324@@ -367,9 +445,11 @@ ssh_gssapi_userok(char *user)
1326 return 0; 1325 return 0;
1327 } 1326 }
1328 if (gssapi_client.mech && gssapi_client.mech->userok) 1327 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1336,7 +1335,7 @@ index 53993d67..2f6baf70 100644
1336 /* Destroy delegated credentials if userok fails */ 1335 /* Destroy delegated credentials if userok fails */
1337 gss_release_buffer(&lmin, &gssapi_client.displayname); 1336 gss_release_buffer(&lmin, &gssapi_client.displayname);
1338 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1337 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1339@@ -383,14 +464,90 @@ ssh_gssapi_userok(char *user) 1338@@ -383,14 +463,90 @@ ssh_gssapi_userok(char *user)
1340 return (0); 1339 return (0);
1341 } 1340 }
1342 1341
@@ -3047,7 +3046,7 @@ index 103a2b36..d534e619 100644
3047 3046
3048 int 3047 int
3049diff --git a/sshd.c b/sshd.c 3048diff --git a/sshd.c b/sshd.c
3050index 1dc4d182..ec2cf976 100644 3049index 1dc4d182..0970f297 100644
3051--- a/sshd.c 3050--- a/sshd.c
3052+++ b/sshd.c 3051+++ b/sshd.c
3053@@ -123,6 +123,10 @@ 3052@@ -123,6 +123,10 @@
@@ -3061,6 +3060,15 @@ index 1dc4d182..ec2cf976 100644
3061 /* Re-exec fds */ 3060 /* Re-exec fds */
3062 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 3061 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
3063 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 3062 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
3063@@ -531,7 +535,7 @@ privsep_preauth_child(void)
3064
3065 #ifdef GSSAPI
3066 /* Cache supported mechanism OIDs for later use */
3067- if (options.gss_authentication)
3068+ if (options.gss_authentication || options.gss_keyex)
3069 ssh_gssapi_prepare_supported_oids();
3070 #endif
3071
3064@@ -1705,10 +1709,13 @@ main(int ac, char **av) 3072@@ -1705,10 +1709,13 @@ main(int ac, char **av)
3065 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); 3073 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
3066 free(fp); 3074 free(fp);
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 4db3caa5a..36497da1d 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 0bdc6351d8a32c33e65542617c71da8ddcdeb331 Mon Sep 17 00:00:00 2001 1From 2336e779d7f90c0574ae8632584d3f9c3e06c4b1 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 0cfee84e5..b097627b8 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 04923a79cca487e1295685638a6113dbe5ec54bd Mon Sep 17 00:00:00 2001 1From 432a9b5cd1f63c4c1dc678cc0916819bc57280bc Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index af5caaa99..495da970f 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From 85a592345eb1c86e918f08643b8b48aee69aec63 Mon Sep 17 00:00:00 2001 1From 3dc476595ed1850596f833153fde8ce166ff13f8 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 50f5db1ae..f4cef1af6 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From f16966d39a328b5f6461343d088f863c8cf2a2d4 Mon Sep 17 00:00:00 2001 1From 807a8417d6f3c3203024ed8c026a1f79ace12ecb Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 0b46869c9..678fb551d 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From bfc81c7380b71bd5c0e841e8bd16bfc726a43603 Mon Sep 17 00:00:00 2001 1From 9d2f9a1fb49b3d3c73a654e1b4aae6e26ad23075 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -36,7 +36,7 @@ index 1cc556e8..c64c51bb 100644
36 if (atomicio(vwrite, connection_out, client_version_string, 36 if (atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index 5a3f796d..39e4699c 100644 39index 9aab36c3..49f3a2e5 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 42@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index ab94faecc..89c47e308 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From 68d399525871ecd1a2837f04045581a2774ba4bb Mon Sep 17 00:00:00 2001 1From 466cba7557bc735e09e9b362582ebbc7785cbcd0 Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index e41b99d6e..dc9fec5fd 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 6a15c9b672c5833f21ed7e0cea3a25dd8de966c4 Mon Sep 17 00:00:00 2001 1From 10d7583287f2d589da0786819e62a0be5ec9847f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -128,7 +128,7 @@ index 41fc5051..c6784602 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index ec2cf976..4f791b92 100644 131index 0970f297..72d85de1 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -127,6 +127,13 @@
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index aad0e6b50..7aa44ac8f 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From 630c67159398218379b51112ce708fc4f208f903 Mon Sep 17 00:00:00 2001 1From 5362ffb871dbb4ca9f19f25756eee0a88cd177e8 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 9ab9394b3..a09f8c82d 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 5e4ebd6472d995738a2c67d618c4bd1ee2c00968 Mon Sep 17 00:00:00 2001 1From ef3ee35a1061c563f2c32ab13f77324b6372e8be Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -426,7 +426,7 @@ index 98e1dafe..0a31dce4 100644
426 const char *value); 426 const char *value);
427 427
428diff --git a/sshd.c b/sshd.c 428diff --git a/sshd.c b/sshd.c
429index 4f791b92..5a3f796d 100644 429index 72d85de1..9aab36c3 100644
430--- a/sshd.c 430--- a/sshd.c
431+++ b/sshd.c 431+++ b/sshd.c
432@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt) 432@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 5c609f373..7e522ff17 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 62a564b1f2f9cb086a3618c6df4113a4d9dbe273 Mon Sep 17 00:00:00 2001 1From fa35a4226bf7f9e4c3fa6b6be06d1a38a58bd162 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index b82b21afe..7a62bce5e 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From e6e10c563bbe69426d5074b0b97e2a9b0b4b3b49 Mon Sep 17 00:00:00 2001 1From 78a2f42f1ae8a81e2a229405273b2c1369667b5c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,7 +13,7 @@ Patch-Name: sigstop.patch
13 1 file changed, 10 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/sshd.c b/sshd.c 15diff --git a/sshd.c b/sshd.c
16index 747beec8..414e19ee 100644 16index eebf1984..b6826c84 100644
17--- a/sshd.c 17--- a/sshd.c
18+++ b/sshd.c 18+++ b/sshd.c
19@@ -1878,6 +1878,16 @@ main(int ac, char **av) 19@@ -1878,6 +1878,16 @@ main(int ac, char **av)
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 73d48641f..f61725049 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 135f35985c55d9734dcd61cf159d3e7916b95b60 Mon Sep 17 00:00:00 2001 1From 76b2e45116ded18137a30406cf5f22b11b9feeab Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 983a4fc67..5ea2fb243 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 4476fe4e30c33c250ddd6bd01e644979f10acd25 Mon Sep 17 00:00:00 2001 1From e11b941efd85f5b55c055eb11511c7bbb6464b5f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 29a876cd8..2398598f5 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 01e8999cc86a0b2ffed5f98abed624b0e7c2707f Mon Sep 17 00:00:00 2001 1From 8bdb2e6f613ad62c3aa781ba6cb7088ee16a6dfd Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index d6a5707d4..a8eeb7ebc 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From bdc8262449eefe39f2dc4ddcbb44b84ddade4cd3 Mon Sep 17 00:00:00 2001 1From ed3f2695800c03da18c36191aefd27d554bf052e Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 0a8ff5d9c..a5a543596 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From c95bb2c6a018688e44481bf1d199607db567fd9e Mon Sep 17 00:00:00 2001 1From a7e11f49e8d6dfe6b44b24960af5e112cd953ae7 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -56,7 +56,7 @@ index 4747ce4a..9f59794b 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index 414e19ee..8b793480 100644 59index b6826c84..027daa9d 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 1a6194544..ee5c38c23 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 47c946434c6e99ff9da531cfcafb051e38e79ff8 Mon Sep 17 00:00:00 2001 1From 5ba9e0eff0a725c4d616f296c6449fe3dbe0bdcf Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
diff --git a/gss-serv.c b/gss-serv.c
index 2f6baf70d..2e27cbf9c 100644
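--- a/gss-serv.c
+++ b/gss-serv.c
@@ -149,11 +149,10 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
 /* Unprivileged */
 char *
 ssh_gssapi_server_mechanisms(void) {
- gss_OID_set supported;
-
- ssh_gssapi_supported_oids(&supported);
- return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
- NULL, NULL));
+ if (supported_oids == NULL)
+ ssh_gssapi_prepare_supported_oids();
+ return (ssh_gssapi_kex_mechs(supported_oids,
+ &ssh_gssapi_server_check_mech, NULL, NULL));
 }
 
 /* Unprivileged */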
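Review bot: The `supported_oids == NULL` fallback in `ssh_gssapi_server_mechanisms` still calls `ssh_gssapi_prepare_supported_oids()` on demand, so a caller that reaches this function without the cache filled would presumably make the library calls the commit message says should be avoided, and nothing would record that it happened. The body of `ssh_gssapi_prepare_supported_oids` is not shown on this page, so that is inferred from the sshd.c comment about caching OIDs. I would document the precondition above the function, e.g. `/* Unprivileged; supported_oids is expected to be cached by privsep_preauth_child() before this runs */`, and add `debug("%s: supported OIDs not cached, querying GSSAPI", __func__);` inside the fallback so a missed pre-population shows up in the logs. It is also worth confirming that `ssh_gssapi_kex_mechs` copes with `supported_oids` still being NULL if the prepare call fails.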
diff --git a/sshd.c b/sshd.c
index 8b793480e..027daa9d8 100644
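--- a/sshd.c
+++ b/sshd.c
@@ -547,7 +547,7 @@ privsep_preauth_child(void)
 
 #ifdef GSSAPI
  /* Cache supported mechanism OIDs for later use */
- if (options.gss_authentication)
+ if (options.gss_authentication || options.gss_keyex)
  ssh_gssapi_prepare_supported_oids();
 #endif
 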
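Review bot: The comment `/* Cache supported mechanism OIDs for later use */` in `privsep_preauth_child` does not say why the call has to happen at this point or which options depend on it, and the widened condition makes that more important. Presumably the cache must be filled before the child's restrictions are applied, since the key-exchange path in gss-serv.c now reads `supported_oids`; the rest of `privsep_preauth_child` is outside the hunk, so the ordering cannot be checked here. I would expand the comment to something like `/* Cache supported mechanism OIDs now; GSSAPI userauth and key exchange read the cache later and should not have to query the library */`.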