author | Colin Watson <cjwatson@debian.org> | 2011-01-24 11:40:46 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-01-24 11:40:46 +0000 |
commit | 4e8aa4da57000c7bba8e5c49163bc0c0ca383f78 (patch) | |
tree | 59fb9f54776a02a78ec9c2115051327b25e5c61d | |
parent | 31e30b835fd9695d3b6647cab4867001b092e28f (diff) |
import openssh-5.6p1-gsskex-all-20110101.patch
-rw-r--r-- | ChangeLog.gssapi | 18 | ||||
-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | key.c | 2 | ||||
-rw-r--r-- | readconf.c | 7 | ||||
-rw-r--r-- | readconf.h | 1 | ||||
-rw-r--r-- | servconf.c | 7 | ||||
-rw-r--r-- | ssh_config.5 | 5 | ||||
-rw-r--r-- | sshconnect2.c | 10 |
8 files changed, 46 insertions, 8 deletions
diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi index 0c3f5a44f..f117a336a 100644 --- a/ChangeLog.gssapi +++ b/ChangeLog.gssapi | |||
@@ -1,10 +1,20 @@ | |||
1 | 20110101 | ||
2 | - Finally update for OpenSSH 5.6p1 | ||
3 | - Add GSSAPIServerIdentity option from Jim Basney | ||
4 | |||
5 | 20100308 | ||
6 | - [ Makefile.in, key.c, key.h ] | ||
7 | Updates for OpenSSH 5.4p1 | ||
8 | - [ servconf.c ] | ||
9 | Include GSSAPI options in the sshd -T configuration dump, and flag | ||
10 | some older configuration options as being unsupported. Thanks to Colin | ||
11 | Watson. | ||
12 | - | ||
13 | |||
1 | 20100124 | 14 | 20100124 |
2 | - [ sshconnect2.c ] | 15 | - [ sshconnect2.c ] |
3 | Adapt to deal with additional element in Authmethod structure. Thanks to | 16 | Adapt to deal with additional element in Authmethod structure. Thanks to |
4 | Colin Wilson | 17 | Colin Watson |
5 | - [ clientloop.c ] | ||
6 | Protect credentials updated code with suitable #ifdefs. Thanks to Colin | ||
7 | Wilson | ||
8 | 18 | ||
9 | 20090615 | 19 | 20090615 |
10 | - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c | 20 | - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c |
diff --git a/Makefile.in b/Makefile.in index 8678a1dc5..eaf362652 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -73,8 +73,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | |||
73 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 73 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
74 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ | 74 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ |
75 | kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ | 75 | kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ |
76 | entropy.o gss-genr.o umac.o jpake.o schnorr.o \ | 76 | entropy.o gss-genr.o umac.o jpake.o schnorr.o kexgssc.o \ |
77 | ssh-pkcs11.o kexgssc.o | 77 | ssh-pkcs11.o |
78 | 78 | ||
79 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 79 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
80 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ | 80 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ |
@@ -851,6 +851,8 @@ key_ssh_name(const Key *k) | |||
851 | return "ssh-rsa-cert-v01@openssh.com"; | 851 | return "ssh-rsa-cert-v01@openssh.com"; |
852 | case KEY_DSA_CERT: | 852 | case KEY_DSA_CERT: |
853 | return "ssh-dss-cert-v01@openssh.com"; | 853 | return "ssh-dss-cert-v01@openssh.com"; |
854 | case KEY_NULL: | ||
855 | return "null"; | ||
854 | } | 856 | } |
855 | return "ssh-unknown"; | 857 | return "ssh-unknown"; |
856 | } | 858 | } |
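Review bot: The new `KEY_NULL` case in key_ssh_name (new-side lines 854–855) returns the bare name `"null"` with nothing saying what a null key type is, and this hunk is rendered under the Makefile.in header even though the diffstat lists key.c, so the key.c file header appears to have been lost on this page. Presumably this is the placeholder host-key type used by the GSSAPI key exchange (kexgssc.o is added to LIBSSH_OBJS in the previous hunk), where no conventional host key is exchanged — worth stating at the case so that `"null"` is never mistaken elsewhere for an acceptable host-key algorithm: `case KEY_NULL:	/* GSSAPI kex placeholder: no host key is exchanged */`. The enclosing key_ssh_name body starts before the hunk.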
diff --git a/readconf.c b/readconf.c index 36750a843..0d551b9ae 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -128,6 +128,7 @@ typedef enum { | |||
128 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 128 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
129 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 129 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
130 | oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, | 130 | oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, |
131 | oGssServerIdentity, | ||
131 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 132 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
132 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 133 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
133 | oHashKnownHosts, | 134 | oHashKnownHosts, |
@@ -171,6 +172,7 @@ static struct { | |||
171 | { "gssapidelegatecredentials", oGssDelegateCreds }, | 172 | { "gssapidelegatecredentials", oGssDelegateCreds }, |
172 | { "gssapitrustdns", oGssTrustDns }, | 173 | { "gssapitrustdns", oGssTrustDns }, |
173 | { "gssapiclientidentity", oGssClientIdentity }, | 174 | { "gssapiclientidentity", oGssClientIdentity }, |
175 | { "gssapiserveridentity", oGssServerIdentity }, | ||
174 | { "gssapirenewalforcesrekey", oGssRenewalRekey }, | 176 | { "gssapirenewalforcesrekey", oGssRenewalRekey }, |
175 | #else | 177 | #else |
176 | { "gssapiauthentication", oUnsupported }, | 178 | { "gssapiauthentication", oUnsupported }, |
@@ -499,6 +501,10 @@ parse_flag: | |||
499 | charptr = &options->gss_client_identity; | 501 | charptr = &options->gss_client_identity; |
500 | goto parse_string; | 502 | goto parse_string; |
501 | 503 | ||
504 | case oGssServerIdentity: | ||
505 | charptr = &options->gss_server_identity; | ||
506 | goto parse_string; | ||
507 | |||
502 | case oGssRenewalRekey: | 508 | case oGssRenewalRekey: |
503 | intptr = &options->gss_renewal_rekey; | 509 | intptr = &options->gss_renewal_rekey; |
504 | goto parse_flag; | 510 | goto parse_flag; |
@@ -1088,6 +1094,7 @@ initialize_options(Options * options) | |||
1088 | options->gss_trust_dns = -1; | 1094 | options->gss_trust_dns = -1; |
1089 | options->gss_renewal_rekey = -1; | 1095 | options->gss_renewal_rekey = -1; |
1090 | options->gss_client_identity = NULL; | 1096 | options->gss_client_identity = NULL; |
1097 | options->gss_server_identity = NULL; | ||
1091 | options->password_authentication = -1; | 1098 | options->password_authentication = -1; |
1092 | options->kbd_interactive_authentication = -1; | 1099 | options->kbd_interactive_authentication = -1; |
1093 | options->kbd_interactive_devices = NULL; | 1100 | options->kbd_interactive_devices = NULL; |
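Review bot: `gssapiserveridentity` is added only to the `#ifdef GSSAPI` keyword table (new-side line 175); if the `#else` branch at lines 177–178 mirrors the other GSSAPI keywords as `oUnsupported` (only `gssapiauthentication` is visible here), a non-GSSAPI build will reject a config containing `GSSAPIServerIdentity` as a bad option instead of ignoring it like its siblings — add `{ "gssapiserveridentity", oUnsupported },` there. The new `oGssServerIdentity` case also carries no comment about its security effect, which the sshconnect2.c hunks in this commit make clear: an explicit value replaces the hostname-derived target principal and therefore also bypasses GSSAPITrustDns canonicalisation. A one-liner at the case would do: `/* Used verbatim as the GSSAPI target; overrides the hostname and GSSAPITrustDns */`. The NULL default in initialize_options looks right, assuming fill_default_options (outside this hunk) leaves it alone.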
diff --git a/readconf.h b/readconf.h index f81eaff47..bb3ff0481 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -51,6 +51,7 @@ typedef struct { | |||
51 | int gss_trust_dns; /* Trust DNS for GSS canonicalization */ | 51 | int gss_trust_dns; /* Trust DNS for GSS canonicalization */ |
52 | int gss_renewal_rekey; /* Credential renewal forces rekey */ | 52 | int gss_renewal_rekey; /* Credential renewal forces rekey */ |
53 | char *gss_client_identity; /* Principal to initiate GSSAPI with */ | 53 | char *gss_client_identity; /* Principal to initiate GSSAPI with */ |
54 | char *gss_server_identity; /* GSSAPI target principal */ | ||
54 | int password_authentication; /* Try password | 55 | int password_authentication; /* Try password |
55 | * authentication. */ | 56 | * authentication. */ |
56 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 57 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
diff --git a/servconf.c b/servconf.c index 2aa516b2a..3ce2397c3 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -381,16 +381,20 @@ static struct { | |||
381 | #ifdef GSSAPI | 381 | #ifdef GSSAPI |
382 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 382 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
383 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 383 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
384 | { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
384 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | 385 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, |
385 | { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | 386 | { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, |
386 | { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | 387 | { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, |
387 | #else | 388 | #else |
388 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | 389 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
389 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | 390 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
391 | { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | ||
390 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | 392 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
391 | { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | 393 | { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, |
392 | { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | 394 | { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, |
393 | #endif | 395 | #endif |
396 | { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, | ||
397 | { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, | ||
394 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 398 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
395 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 399 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
396 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 400 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
@@ -1684,7 +1688,10 @@ dump_config(ServerOptions *o) | |||
1684 | #endif | 1688 | #endif |
1685 | #ifdef GSSAPI | 1689 | #ifdef GSSAPI |
1686 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 1690 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
1691 | dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); | ||
1687 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | 1692 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
1693 | dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); | ||
1694 | dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); | ||
1688 | #endif | 1695 | #endif |
1689 | #ifdef JPAKE | 1696 | #ifdef JPAKE |
1690 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | 1697 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, |
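Review bot: The two keywords added after the `#endif` (new-side lines 396–397), `gssusesessionccache` and `gssapiusesessioncredcache`, and the new `gssapicleanupcreds` alias carry no comment saying why they exist; the ChangeLog entry on this page says they flag older configuration options as unsupported, so put that in the table: `/* Names from earlier GSSAPI patches; accepted as unsupported so old sshd_config files still parse */`. Being outside the `#ifdef GSSAPI` they are treated as unsupported on every build, which is presumably intended but deserves saying. The dump_config additions (sGssKeyEx, sGssStrictAcceptor, sGssStoreRekey) match the keyword table's SSHCFG_GLOBAL entries; nothing further to raise there, though dump_config begins and ends outside the hunk.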
diff --git a/ssh_config.5 b/ssh_config.5 index 91c2cd2c6..321a94db6 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -519,6 +519,11 @@ Note that this option applies to protocol version 2 only. | |||
519 | If set, specifies the GSSAPI client identity that ssh should use when | 519 | If set, specifies the GSSAPI client identity that ssh should use when |
520 | connecting to the server. The default is unset, which means that the default | 520 | connecting to the server. The default is unset, which means that the default |
521 | identity will be used. | 521 | identity will be used. |
522 | .It Cm GSSAPIServerIdentity | ||
523 | If set, specifies the GSSAPI server identity that ssh should expect when | ||
524 | connecting to the server. The default is unset, which means that the | ||
525 | expected GSSAPI server identity will be determined from the target | ||
526 | hostname. | ||
522 | .It Cm GSSAPIDelegateCredentials | 527 | .It Cm GSSAPIDelegateCredentials |
523 | Forward (delegate) credentials to the server. | 528 | Forward (delegate) credentials to the server. |
524 | The default is | 529 | The default is |
diff --git a/sshconnect2.c b/sshconnect2.c index d045365f3..1a03c6bf3 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -197,7 +197,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
197 | kex->gss_deleg_creds = options.gss_deleg_creds; | 197 | kex->gss_deleg_creds = options.gss_deleg_creds; |
198 | kex->gss_trust_dns = options.gss_trust_dns; | 198 | kex->gss_trust_dns = options.gss_trust_dns; |
199 | kex->gss_client = options.gss_client_identity; | 199 | kex->gss_client = options.gss_client_identity; |
200 | kex->gss_host = gss_host; | 200 | if (options.gss_server_identity) { |
201 | kex->gss_host = options.gss_server_identity; | ||
202 | } else { | ||
203 | kex->gss_host = gss_host; | ||
204 | } | ||
201 | } | 205 | } |
202 | #endif | 206 | #endif |
203 | 207 | ||
@@ -624,7 +628,9 @@ userauth_gssapi(Authctxt *authctxt) | |||
624 | int ok = 0; | 628 | int ok = 0; |
625 | const char *gss_host; | 629 | const char *gss_host; |
626 | 630 | ||
627 | if (options.gss_trust_dns) | 631 | if (options.gss_server_identity) |
632 | gss_host = options.gss_server_identity; | ||
633 | else if (options.gss_trust_dns) | ||
628 | gss_host = get_canonical_hostname(1); | 634 | gss_host = get_canonical_hostname(1); |
629 | else | 635 | else |
630 | gss_host = authctxt->host; | 636 | gss_host = authctxt->host; |
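Review bot: The same precedence — explicit GSSAPIServerIdentity, then the DNS-canonicalised name, then the literal host — is now spelled out twice, once in ssh_kex2 (new-side lines 200–204) and once in userauth_gssapi (new-side lines 631–636), in two different shapes (braced if/else versus an unbraced chain), and the kex copy relies on a `gss_host` computed outside the hunk that I cannot see. Factoring it into one static helper would stop the two paths drifting; failing that, drop the braces in ssh_kex2 to match the rest of the file and the second hunk: `kex->gss_host = options.gss_server_identity ? options.gss_server_identity : gss_host;`. Either way a comment is warranted that an explicit server identity is used as-is as the target and so disables GSSAPITrustDns canonicalisation for it, e.g. `/* GSSAPIServerIdentity is used verbatim and takes precedence over GSSAPITrustDns. */`. Both enclosing functions begin and end outside the hunks.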