summaryrefslogtreecommitdiff
path: root/configure
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2014-02-09 16:16:58 +0000
commit950be7e1b1a01ee9b25e2a72726a6370b8acacb6 (patch)
tree64829a84f903d7e2d3270c43e3f80df7db2a6a10 /configure
parentee196dab7c5f97f0b80c8099343a375bead92010 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2013-11-09 Patch-Name: gssapi.patch
Diffstat (limited to 'configure')
-rwxr-xr-xconfigure57
1 files changed, 57 insertions, 0 deletions
diff --git a/configure b/configure
index 0d6fad5f4..ceb1b5d6d 100755
--- a/configure
+++ b/configure
@@ -6780,6 +6780,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
6780 6780
6781$as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 6781$as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
6782 6782
6783 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have the Security Authorization Session API" >&5
6784$as_echo_n "checking if we have the Security Authorization Session API... " >&6; }
6785 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
6786/* end confdefs.h. */
6787#include <Security/AuthSession.h>
6788int
6789main ()
6790{
6791SessionCreate(0, 0);
6792 ;
6793 return 0;
6794}
6795_ACEOF
6796if ac_fn_c_try_compile "$LINENO"; then :
6797 ac_cv_use_security_session_api="yes"
6798
6799$as_echo "#define USE_SECURITY_SESSION_API 1" >>confdefs.h
6800
6801 LIBS="$LIBS -framework Security"
6802 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
6803$as_echo "yes" >&6; }
6804else
6805 ac_cv_use_security_session_api="no"
6806 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
6807$as_echo "no" >&6; }
6808fi
6809rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
6810 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have an in-memory credentials cache" >&5
6811$as_echo_n "checking if we have an in-memory credentials cache... " >&6; }
6812 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
6813/* end confdefs.h. */
6814#include <Kerberos/Kerberos.h>
6815int
6816main ()
6817{
6818cc_context_t c;
6819 (void) cc_initialize (&c, 0, NULL, NULL);
6820 ;
6821 return 0;
6822}
6823_ACEOF
6824if ac_fn_c_try_compile "$LINENO"; then :
6825
6826$as_echo "#define USE_CCAPI 1" >>confdefs.h
6827
6828 LIBS="$LIBS -framework Security"
6829 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
6830$as_echo "yes" >&6; }
6831 if test "x$ac_cv_use_security_session_api" = "xno"; then
6832 as_fn_error $? "*** Need a security framework to use the credentials cache API ***" "$LINENO" 5
6833 fi
6834else
6835 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
6836$as_echo "no" >&6; }
6837
6838fi
6839rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
6783 6840
6784 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" 6841 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
6785if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : 6842if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :