import openssh-5.6p1-gsskex-all-20110101.patch

8 files changed, 46 insertions, 8 deletions

diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
index 0c3f5a44f..f117a336a 100644
--- a/ChangeLog.gssapi
+++ b/ChangeLog.gssapi
@@ -1,10 +1,20 @@
+20110101
+  - Finally update for OpenSSH 5.6p1
+  - Add GSSAPIServerIdentity option from Jim Basney
+ 
+20100308
+  - [ Makefile.in, key.c, key.h ]
+    Updates for OpenSSH 5.4p1
+  - [ servconf.c ]
+    Include GSSAPI options in the sshd -T configuration dump, and flag
+    some older configuration options as being unsupported. Thanks to Colin 
+    Watson.
+  -
+
 20100124
   - [ sshconnect2.c ]
     Adapt to deal with additional element in Authmethod structure. Thanks to
-    Colin Wilson
-  - [ clientloop.c ]
-    Protect credentials updated code with suitable #ifdefs. Thanks to Colin
-    Wilson
+    Colin Watson
 
 20090615
   - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
diff --git a/Makefile.in b/Makefile.in
index 8678a1dc5..eaf362652 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -73,8 +73,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
         atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
         monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
         kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
-        entropy.o gss-genr.o umac.o jpake.o schnorr.o \
-        ssh-pkcs11.o kexgssc.o
+        entropy.o gss-genr.o umac.o jpake.o schnorr.o kexgssc.o \
+        ssh-pkcs11.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
         sshconnect.o sshconnect1.o sshconnect2.o mux.o \
diff --git a/key.c b/key.c
index 57ad9fd02..020f503b6 100644
--- a/key.c
+++ b/key.c
@@ -851,6 +851,8 @@ key_ssh_name(const Key *k)
                 return "ssh-rsa-cert-v01@openssh.com";
         case KEY_DSA_CERT:
                 return "ssh-dss-cert-v01@openssh.com";
+        case KEY_NULL:
+                return "null";
         }
         return "ssh-unknown";
 }
diff --git a/readconf.c b/readconf.c
index 36750a843..0d551b9ae 100644
--- a/readconf.c
+++ b/readconf.c
@@ -128,6 +128,7 @@ typedef enum {
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
         oAddressFamily, oGssAuthentication, oGssDelegateCreds,
         oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, 
         oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
         oSendEnv, oControlPath, oControlMaster, oControlPersist,
         oHashKnownHosts,
@@ -171,6 +172,7 @@ static struct {
         { "gssapidelegatecredentials", oGssDelegateCreds },
         { "gssapitrustdns", oGssTrustDns },
         { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
         { "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
         { "gssapiauthentication", oUnsupported },
@@ -499,6 +501,10 @@ parse_flag:
                 charptr = &options->gss_client_identity;
                 goto parse_string;
 
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+
         case oGssRenewalRekey:
                 intptr = &options->gss_renewal_rekey;
                 goto parse_flag;
@@ -1088,6 +1094,7 @@ initialize_options(Options * options)
         options->gss_trust_dns = -1;
         options->gss_renewal_rekey = -1;
         options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->kbd_interactive_devices = NULL;
diff --git a/readconf.h b/readconf.h
index f81eaff47..bb3ff0481 100644
--- a/readconf.h
+++ b/readconf.h
@@ -51,6 +51,7 @@ typedef struct {
         int     gss_trust_dns;          /* Trust DNS for GSS canonicalization */
         int     gss_renewal_rekey;      /* Credential renewal forces rekey */
         char    *gss_client_identity;   /* Principal to initiate GSSAPI with */
+        char    *gss_server_identity;   /* GSSAPI target principal */
         int     password_authentication;        /* Try password
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c
index 2aa516b2a..3ce2397c3 100644
--- a/servconf.c
+++ b/servconf.c
@@ -381,16 +381,20 @@ static struct {
 #ifdef GSSAPI
         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+        { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
         { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
         { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
         { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
         { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
         { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
         { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
         { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
         { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
+        { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1684,7 +1688,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+        dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
         dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+        dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+        dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 #endif
 #ifdef JPAKE
         dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff --git a/ssh_config.5 b/ssh_config.5
index 91c2cd2c6..321a94db6 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -519,6 +519,11 @@ Note that this option applies to protocol version 2 only.
 If set, specifies the GSSAPI client identity that ssh should use when 
 connecting to the server. The default is unset, which means that the default 
 identity will be used.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when 
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
diff --git a/sshconnect2.c b/sshconnect2.c
index d045365f3..1a03c6bf3 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -197,7 +197,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                 kex->gss_deleg_creds = options.gss_deleg_creds;
                 kex->gss_trust_dns = options.gss_trust_dns;
                 kex->gss_client = options.gss_client_identity;
-                kex->gss_host = gss_host;
+                if (options.gss_server_identity) {
+                        kex->gss_host = options.gss_server_identity;
+                } else {
+                        kex->gss_host = gss_host;
+        }
         }
 #endif
 
@@ -624,7 +628,9 @@ userauth_gssapi(Authctxt *authctxt)
         int ok = 0;
         const char *gss_host;
 
-        if (options.gss_trust_dns)
+        if (options.gss_server_identity)
+                gss_host = options.gss_server_identity;
+        else if (options.gss_trust_dns)
                 gss_host = get_canonical_hostname(1);
         else
                 gss_host = authctxt->host;