summaryrefslogtreecommitdiff
path: root/debian/patches/gssapi.patch
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-12-28 20:01:00 +0000
committerColin Watson <cjwatson@debian.org>2016-12-28 20:05:23 +0000
commit31ed1f715e4c1dd986c32b8c5e6687c185258db9 (patch)
tree42c51fb237be95e29bf4dd3b7edf9d77c5426522 /debian/patches/gssapi.patch
parent158b8db3ae5525e6c55368e7baadf4a7527b16be (diff)
parent624433c4fff092e3aaaff6aa8954eb93e0387c44 (diff)
Avoid calling into Kerberos libraries from ssh_gssapi_server_mechanisms in the privsep monitor.
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch48
1 files changed, 28 insertions, 20 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index ea56167d7..57def8057 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 9f717de15a8e113f7c6a3db52d75ce0172885f95 Mon Sep 17 00:00:00 2001 1From 40ab38b3f501f3e21662f0294eef06789605c5f8 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2016-08-07 20Last-Updated: 2016-12-28
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
@@ -34,7 +34,7 @@ Patch-Name: gssapi.patch
34 configure.ac | 24 ++++ 34 configure.ac | 24 ++++
35 gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++++++++- 35 gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++++++++-
36 gss-serv-krb5.c | 85 ++++++++++++-- 36 gss-serv-krb5.c | 85 ++++++++++++--
37 gss-serv.c | 185 +++++++++++++++++++++++++++--- 37 gss-serv.c | 184 +++++++++++++++++++++++++++---
38 kex.c | 19 ++++ 38 kex.c | 19 ++++
39 kex.h | 14 +++ 39 kex.h | 14 +++
40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -51,12 +51,12 @@ Patch-Name: gssapi.patch
51 ssh_config | 2 + 51 ssh_config | 2 +
52 ssh_config.5 | 32 ++++++ 52 ssh_config.5 | 32 ++++++
53 sshconnect2.c | 122 +++++++++++++++++++- 53 sshconnect2.c | 122 +++++++++++++++++++-
54 sshd.c | 110 ++++++++++++++++++ 54 sshd.c | 112 +++++++++++++++++-
55 sshd_config | 2 + 55 sshd_config | 2 +
56 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 57 sshkey.c | 3 +-
58 sshkey.h | 1 + 58 sshkey.h | 1 +
59 35 files changed, 2053 insertions(+), 147 deletions(-) 59 35 files changed, 2053 insertions(+), 148 deletions(-)
60 create mode 100644 ChangeLog.gssapi 60 create mode 100644 ChangeLog.gssapi
61 create mode 100644 kexgssc.c 61 create mode 100644 kexgssc.c
62 create mode 100644 kexgsss.c 62 create mode 100644 kexgsss.c
@@ -1162,7 +1162,7 @@ index 795992d9..fd8b3718 100644
1162 1162
1163 #endif /* KRB5 */ 1163 #endif /* KRB5 */
1164diff --git a/gss-serv.c b/gss-serv.c 1164diff --git a/gss-serv.c b/gss-serv.c
1165index 53993d67..2f6baf70 100644 1165index 53993d67..2e27cbf9 100644
1166--- a/gss-serv.c 1166--- a/gss-serv.c
1167+++ b/gss-serv.c 1167+++ b/gss-serv.c
1168@@ -1,7 +1,7 @@ 1168@@ -1,7 +1,7 @@
@@ -1199,17 +1199,16 @@ index 53993d67..2f6baf70 100644
1199 1199
1200 #ifdef KRB5 1200 #ifdef KRB5
1201 extern ssh_gssapi_mech gssapi_kerberos_mech; 1201 extern ssh_gssapi_mech gssapi_kerberos_mech;
1202@@ -142,6 +147,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) 1202@@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
1203 } 1203 }
1204 1204
1205 /* Unprivileged */ 1205 /* Unprivileged */
1206+char * 1206+char *
1207+ssh_gssapi_server_mechanisms(void) { 1207+ssh_gssapi_server_mechanisms(void) {
1208+ gss_OID_set supported; 1208+ if (supported_oids == NULL)
1209+ 1209+ ssh_gssapi_prepare_supported_oids();
1210+ ssh_gssapi_supported_oids(&supported); 1210+ return (ssh_gssapi_kex_mechs(supported_oids,
1211+ return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, 1211+ &ssh_gssapi_server_check_mech, NULL, NULL));
1212+ NULL, NULL));
1213+} 1212+}
1214+ 1213+
1215+/* Unprivileged */ 1214+/* Unprivileged */
@@ -1229,7 +1228,7 @@ index 53993d67..2f6baf70 100644
1229 void 1228 void
1230 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1229 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1231 { 1230 {
1232@@ -151,7 +179,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) 1231@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1233 gss_OID_set supported; 1232 gss_OID_set supported;
1234 1233
1235 gss_create_empty_oid_set(&min_status, oidset); 1234 gss_create_empty_oid_set(&min_status, oidset);
@@ -1240,7 +1239,7 @@ index 53993d67..2f6baf70 100644
1240 1239
1241 while (supported_mechs[i]->name != NULL) { 1240 while (supported_mechs[i]->name != NULL) {
1242 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1241 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1243@@ -277,8 +307,48 @@ OM_uint32 1242@@ -277,8 +306,48 @@ OM_uint32
1244 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1243 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1245 { 1244 {
1246 int i = 0; 1245 int i = 0;
@@ -1290,7 +1289,7 @@ index 53993d67..2f6baf70 100644
1290 1289
1291 client->mech = NULL; 1290 client->mech = NULL;
1292 1291
1293@@ -293,6 +363,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1292@@ -293,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1294 if (client->mech == NULL) 1293 if (client->mech == NULL)
1295 return GSS_S_FAILURE; 1294 return GSS_S_FAILURE;
1296 1295
@@ -1304,7 +1303,7 @@ index 53993d67..2f6baf70 100644
1304 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1303 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1305 &client->displayname, NULL))) { 1304 &client->displayname, NULL))) {
1306 ssh_gssapi_error(ctx); 1305 ssh_gssapi_error(ctx);
1307@@ -310,6 +387,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1306@@ -310,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1308 return (ctx->major); 1307 return (ctx->major);
1309 } 1308 }
1310 1309
@@ -1313,7 +1312,7 @@ index 53993d67..2f6baf70 100644
1313 /* We can't copy this structure, so we just move the pointer to it */ 1312 /* We can't copy this structure, so we just move the pointer to it */
1314 client->creds = ctx->client_creds; 1313 client->creds = ctx->client_creds;
1315 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1314 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1316@@ -357,7 +436,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) 1315@@ -357,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
1317 1316
1318 /* Privileged */ 1317 /* Privileged */
1319 int 1318 int
@@ -1322,7 +1321,7 @@ index 53993d67..2f6baf70 100644
1322 { 1321 {
1323 OM_uint32 lmin; 1322 OM_uint32 lmin;
1324 1323
1325@@ -367,9 +446,11 @@ ssh_gssapi_userok(char *user) 1324@@ -367,9 +445,11 @@ ssh_gssapi_userok(char *user)
1326 return 0; 1325 return 0;
1327 } 1326 }
1328 if (gssapi_client.mech && gssapi_client.mech->userok) 1327 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1336,7 +1335,7 @@ index 53993d67..2f6baf70 100644
1336 /* Destroy delegated credentials if userok fails */ 1335 /* Destroy delegated credentials if userok fails */
1337 gss_release_buffer(&lmin, &gssapi_client.displayname); 1336 gss_release_buffer(&lmin, &gssapi_client.displayname);
1338 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1337 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1339@@ -383,14 +464,90 @@ ssh_gssapi_userok(char *user) 1338@@ -383,14 +463,90 @@ ssh_gssapi_userok(char *user)
1340 return (0); 1339 return (0);
1341 } 1340 }
1342 1341
@@ -3047,7 +3046,7 @@ index 103a2b36..d534e619 100644
3047 3046
3048 int 3047 int
3049diff --git a/sshd.c b/sshd.c 3048diff --git a/sshd.c b/sshd.c
3050index 1dc4d182..ec2cf976 100644 3049index 1dc4d182..0970f297 100644
3051--- a/sshd.c 3050--- a/sshd.c
3052+++ b/sshd.c 3051+++ b/sshd.c
3053@@ -123,6 +123,10 @@ 3052@@ -123,6 +123,10 @@
@@ -3061,6 +3060,15 @@ index 1dc4d182..ec2cf976 100644
3061 /* Re-exec fds */ 3060 /* Re-exec fds */
3062 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 3061 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
3063 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 3062 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
3063@@ -531,7 +535,7 @@ privsep_preauth_child(void)
3064
3065 #ifdef GSSAPI
3066 /* Cache supported mechanism OIDs for later use */
3067- if (options.gss_authentication)
3068+ if (options.gss_authentication || options.gss_keyex)
3069 ssh_gssapi_prepare_supported_oids();
3070 #endif
3071
3064@@ -1705,10 +1709,13 @@ main(int ac, char **av) 3072@@ -1705,10 +1709,13 @@ main(int ac, char **av)
3065 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); 3073 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
3066 free(fp); 3074 free(fp);
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-11 10:06:35 +0000