author | Colin Watson <cjwatson@debian.org> | 2012-05-18 12:16:05 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2012-05-18 12:16:05 +0100 |
commit | dabbdfacc9f6995b0739772a47704186dcf34ea5 (patch) | |
tree | 0a0b306a637bc85eb719261b74884f0b9573ec41 /debian/patches/gssapi.patch | |
parent | 1e0d51b642cac9a6bfb719e6320905625aa5f943 (diff) | |
parent | dd5ed53e20d218607260916a6b04d1c8c5b3d88f (diff) |
* New upstream release (http://www.openssh.org/txt/release-6.0).
- Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections
(closes: #643312, #650512).
- Add a new privilege separation sandbox implementation for Linux's new
seccomp sandbox, automatically enabled on platforms that support it.
(Note: privilege separation sandboxing is still experimental.)
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 40 |
1 files changed, 20 insertions, 20 deletions
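--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -327,7 +327,7 @@ Index: b/clientloop.c
 /* import options */
 extern Options options;
 
-@@ -1508,6 +1512,15 @@
+@@ -1540,6 +1544,15 @@
 /* Do channel operations unless rekeying in progress. */
 if (!rekeying) {
 channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1441,6 +1441,9 @@
+@@ -1465,6 +1465,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -357,7 +357,7 @@ Index: b/config.h.in
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1456,6 +1459,9 @@
+@@ -1480,6 +1483,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
@@ -371,7 +371,7 @@ Index: b/configure
 ===================================================================
 --- a/configure
 +++ b/configure
-@@ -6521,6 +6521,63 @@
+@@ -6608,6 +6608,63 @@
 
 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
 
@@ -439,7 +439,7 @@ Index: b/configure.ac
 ===================================================================
 --- a/configure.ac
 +++ b/configure.ac
-@@ -515,6 +515,30 @@
+@@ -545,6 +545,30 @@
 [Use tunnel device compatibility to OpenBSD])
 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
 [Prepend the address family to IP tunnel traffic])
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
 } else {
 mon_dispatch = mon_dispatch_postauth15;
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1802,6 +1819,13 @@
+@@ -1803,6 +1820,13 @@
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
 kex->kex_type = buffer_get_int(m);
-@@ -2008,6 +2032,9 @@
+@@ -2009,6 +2033,9 @@
 OM_uint32 major;
 u_int len;
 
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
 goid.elements = buffer_get_string(m, &len);
 goid.length = len;
 
-@@ -2035,6 +2062,9 @@
+@@ -2036,6 +2063,9 @@
 OM_uint32 flags = 0; /* GSI needs this */
 u_int len;
 
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
 in.value = buffer_get_string(m, &len);
 in.length = len;
 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2052,6 +2082,7 @@
+@@ -2053,6 +2083,7 @@
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
 }
 return (0);
 }
-@@ -2063,6 +2094,9 @@
+@@ -2064,6 +2095,9 @@
 OM_uint32 ret;
 u_int len;
 
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
 gssbuf.value = buffer_get_string(m, &len);
 gssbuf.length = len;
 mic.value = buffer_get_string(m, &len);
-@@ -2089,7 +2123,11 @@
+@@ -2090,7 +2124,11 @@
 {
 int authenticated;
 
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
 
 buffer_clear(m);
 buffer_put_int(m, authenticated);
-@@ -2102,6 +2140,74 @@
+@@ -2103,6 +2141,74 @@
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
 }
@@ -2326,7 +2326,7 @@ Index: b/readconf.c
 #endif
 { "fallbacktorsh", oDeprecated },
 { "usersh", oDeprecated },
-@@ -482,10 +493,30 @@
+@@ -483,10 +494,30 @@
 intptr = &options->gss_authentication;
 goto parse_flag;
 
@@ -2357,7 +2357,7 @@ Index: b/readconf.c
 case oBatchMode:
 intptr = &options->batch_mode;
 goto parse_flag;
-@@ -1138,7 +1169,12 @@
+@@ -1139,7 +1170,12 @@
 options->pubkey_authentication = -1;
 options->challenge_response_authentication = -1;
 options->gss_authentication = -1;
@@ -2370,7 +2370,7 @@ Index: b/readconf.c
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->kbd_interactive_devices = NULL;
-@@ -1238,8 +1274,14 @@
+@@ -1239,8 +1275,14 @@
 options->challenge_response_authentication = 1;
 if (options->gss_authentication == -1)
 options->gss_authentication = 0;
@@ -2389,7 +2389,7 @@ Index: b/readconf.h
 ===================================================================
 --- a/readconf.h
 +++ b/readconf.h
-@@ -47,7 +47,12 @@
+@@ -48,7 +48,12 @@
 int challenge_response_authentication;
 /* Try S/Key or TIS, authentication. */
 int gss_authentication; /* Try GSS authentication */
@@ -2893,7 +2893,7 @@ Index: b/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1612,10 +1616,13 @@
+@@ -1616,10 +1620,13 @@
 logit("Disabling protocol version 1. Could not load host key");
 options.protocol &= ~SSH_PROTO_1;
 }
@@ -2907,7 +2907,7 @@ Index: b/sshd.c
 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
 logit("sshd: no hostkeys available -- exiting.");
 exit(1);
-@@ -1944,6 +1951,60 @@
+@@ -1948,6 +1955,60 @@
 /* Log the connection. */
 verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
@@ -2968,7 +2968,7 @@ Index: b/sshd.c
 /*
 * We don't want to listen forever unless the other side
 * successfully authenticates itself. So we set up an alarm which is
-@@ -2325,6 +2386,48 @@
+@@ -2329,6 +2390,48 @@
 
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
@@ -3017,7 +3017,7 @@ Index: b/sshd.c
 /* start key exchange */
 kex = kex_setup(myproposal);
 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2332,6 +2435,13 @@
+@@ -2336,6 +2439,13 @@
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;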