summaryrefslogtreecommitdiff
path: root/configure.ac
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2015-11-29 17:26:06 +0000
commit233e78235070e871b658c8f289e600bd52a99711 (patch)
tree38c49e39e2a61ef635ce70062d8830d09fc963ff /configure.ac
parent58ddb8ad21f21f5358db0204c4ba9abf94a1ca11 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-11-29 Patch-Name: gssapi.patch
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac24
1 files changed, 24 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 9b05c30f8..7a256034d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
625 [Use tunnel device compatibility to OpenBSD]) 625 [Use tunnel device compatibility to OpenBSD])
626 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 626 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
627 [Prepend the address family to IP tunnel traffic]) 627 [Prepend the address family to IP tunnel traffic])
628 AC_MSG_CHECKING([if we have the Security Authorization Session API])
629 AC_TRY_COMPILE([#include <Security/AuthSession.h>],
630 [SessionCreate(0, 0);],
631 [ac_cv_use_security_session_api="yes"
632 AC_DEFINE([USE_SECURITY_SESSION_API], [1],
633 [platform has the Security Authorization Session API])
634 LIBS="$LIBS -framework Security"
635 AC_MSG_RESULT([yes])],
636 [ac_cv_use_security_session_api="no"
637 AC_MSG_RESULT([no])])
638 AC_MSG_CHECKING([if we have an in-memory credentials cache])
639 AC_TRY_COMPILE(
640 [#include <Kerberos/Kerberos.h>],
641 [cc_context_t c;
642 (void) cc_initialize (&c, 0, NULL, NULL);],
643 [AC_DEFINE([USE_CCAPI], [1],
644 [platform uses an in-memory credentials cache])
645 LIBS="$LIBS -framework Security"
646 AC_MSG_RESULT([yes])
647 if test "x$ac_cv_use_security_session_api" = "xno"; then
648 AC_MSG_ERROR([*** Need a security framework to use the credentials cache API ***])
649 fi],
650 [AC_MSG_RESULT([no])]
651 )
628 m4_pattern_allow([AU_IPv]) 652 m4_pattern_allow([AU_IPv])
629 AC_CHECK_DECL([AU_IPv4], [], 653 AC_CHECK_DECL([AU_IPv4], [],
630 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 654 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])