diff options
| author | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
| commit | efd3d4522636ae029488c2e9730b60c88e257d2e (patch) | |
| tree | 31e02ac3f16090ce8c53448677356b2b7f423683 /debian/patches/gssapi.patch | |
| parent | bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff) | |
| parent | d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff) | |
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
Diffstat (limited to 'debian/patches/gssapi.patch')
| -rw-r--r-- | debian/patches/gssapi.patch | 111 |
1 files changed, 55 insertions, 56 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 6550ba60b..5c1b83415 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
| @@ -127,17 +127,16 @@ Index: b/Makefile.in | |||
| 127 | =================================================================== | 127 | =================================================================== |
| 128 | --- a/Makefile.in | 128 | --- a/Makefile.in |
| 129 | +++ b/Makefile.in | 129 | +++ b/Makefile.in |
| 130 | @@ -71,7 +71,8 @@ | 130 | @@ -74,7 +74,7 @@ |
| 131 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | ||
| 132 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ | 131 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ |
| 133 | kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ | 132 | kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ |
| 134 | - entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o | 133 | entropy.o gss-genr.o umac.o jpake.o schnorr.o \ |
| 135 | + entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o \ | 134 | - ssh-pkcs11.o |
| 136 | + kexgssc.o | 135 | + ssh-pkcs11.o kexgssc.o |
| 137 | 136 | ||
| 138 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 137 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
| 139 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ | 138 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ |
| 140 | @@ -85,7 +86,7 @@ | 139 | @@ -88,7 +88,7 @@ |
| 141 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | 140 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ |
| 142 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ | 141 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ |
| 143 | auth-krb5.o \ | 142 | auth-krb5.o \ |
| @@ -145,12 +144,12 @@ Index: b/Makefile.in | |||
| 145 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ | 144 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ |
| 146 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 145 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
| 147 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ | 146 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ |
| 148 | roaming_common.o | 147 | roaming_common.o roaming_serv.o |
| 149 | Index: b/auth-krb5.c | 148 | Index: b/auth-krb5.c |
| 150 | =================================================================== | 149 | =================================================================== |
| 151 | --- a/auth-krb5.c | 150 | --- a/auth-krb5.c |
| 152 | +++ b/auth-krb5.c | 151 | +++ b/auth-krb5.c |
| 153 | @@ -166,8 +166,13 @@ | 152 | @@ -170,8 +170,13 @@ |
| 154 | 153 | ||
| 155 | len = strlen(authctxt->krb5_ticket_file) + 6; | 154 | len = strlen(authctxt->krb5_ticket_file) + 6; |
| 156 | authctxt->krb5_ccname = xmalloc(len); | 155 | authctxt->krb5_ccname = xmalloc(len); |
| @@ -164,7 +163,7 @@ Index: b/auth-krb5.c | |||
| 164 | 163 | ||
| 165 | #ifdef USE_PAM | 164 | #ifdef USE_PAM |
| 166 | if (options.use_pam) | 165 | if (options.use_pam) |
| 167 | @@ -219,15 +224,22 @@ | 166 | @@ -226,15 +231,22 @@ |
| 168 | #ifndef HEIMDAL | 167 | #ifndef HEIMDAL |
| 169 | krb5_error_code | 168 | krb5_error_code |
| 170 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 169 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
| @@ -189,7 +188,7 @@ Index: b/auth-krb5.c | |||
| 189 | old_umask = umask(0177); | 188 | old_umask = umask(0177); |
| 190 | tmpfd = mkstemp(ccname + strlen("FILE:")); | 189 | tmpfd = mkstemp(ccname + strlen("FILE:")); |
| 191 | umask(old_umask); | 190 | umask(old_umask); |
| 192 | @@ -242,6 +254,7 @@ | 191 | @@ -249,6 +261,7 @@ |
| 193 | return errno; | 192 | return errno; |
| 194 | } | 193 | } |
| 195 | close(tmpfd); | 194 | close(tmpfd); |
| @@ -365,7 +364,7 @@ Index: b/clientloop.c | |||
| 365 | /* import options */ | 364 | /* import options */ |
| 366 | extern Options options; | 365 | extern Options options; |
| 367 | 366 | ||
| 368 | @@ -1430,6 +1434,15 @@ | 367 | @@ -1431,6 +1435,15 @@ |
| 369 | /* Do channel operations unless rekeying in progress. */ | 368 | /* Do channel operations unless rekeying in progress. */ |
| 370 | if (!rekeying) { | 369 | if (!rekeying) { |
| 371 | channel_after_select(readset, writeset); | 370 | channel_after_select(readset, writeset); |
| @@ -1212,9 +1211,9 @@ Index: b/kex.c | |||
| 1212 | =================================================================== | 1211 | =================================================================== |
| 1213 | --- a/kex.c | 1212 | --- a/kex.c |
| 1214 | +++ b/kex.c | 1213 | +++ b/kex.c |
| 1215 | @@ -49,6 +49,10 @@ | 1214 | @@ -50,6 +50,10 @@ |
| 1216 | #include "dispatch.h" | ||
| 1217 | #include "monitor.h" | 1215 | #include "monitor.h" |
| 1216 | #include "roaming.h" | ||
| 1218 | 1217 | ||
| 1219 | +#ifdef GSSAPI | 1218 | +#ifdef GSSAPI |
| 1220 | +#include "ssh-gss.h" | 1219 | +#include "ssh-gss.h" |
| @@ -1223,7 +1222,7 @@ Index: b/kex.c | |||
| 1223 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1222 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
| 1224 | # if defined(HAVE_EVP_SHA256) | 1223 | # if defined(HAVE_EVP_SHA256) |
| 1225 | # define evp_ssh_sha256 EVP_sha256 | 1224 | # define evp_ssh_sha256 EVP_sha256 |
| 1226 | @@ -325,6 +329,20 @@ | 1225 | @@ -326,6 +330,20 @@ |
| 1227 | k->kex_type = KEX_DH_GEX_SHA256; | 1226 | k->kex_type = KEX_DH_GEX_SHA256; |
| 1228 | k->evp_md = evp_ssh_sha256(); | 1227 | k->evp_md = evp_ssh_sha256(); |
| 1229 | #endif | 1228 | #endif |
| @@ -1248,7 +1247,7 @@ Index: b/kex.h | |||
| 1248 | =================================================================== | 1247 | =================================================================== |
| 1249 | --- a/kex.h | 1248 | --- a/kex.h |
| 1250 | +++ b/kex.h | 1249 | +++ b/kex.h |
| 1251 | @@ -66,6 +66,9 @@ | 1250 | @@ -67,6 +67,9 @@ |
| 1252 | KEX_DH_GRP14_SHA1, | 1251 | KEX_DH_GRP14_SHA1, |
| 1253 | KEX_DH_GEX_SHA1, | 1252 | KEX_DH_GEX_SHA1, |
| 1254 | KEX_DH_GEX_SHA256, | 1253 | KEX_DH_GEX_SHA256, |
| @@ -1258,7 +1257,7 @@ Index: b/kex.h | |||
| 1258 | KEX_MAX | 1257 | KEX_MAX |
| 1259 | }; | 1258 | }; |
| 1260 | 1259 | ||
| 1261 | @@ -121,6 +124,12 @@ | 1260 | @@ -123,6 +126,12 @@ |
| 1262 | sig_atomic_t done; | 1261 | sig_atomic_t done; |
| 1263 | int flags; | 1262 | int flags; |
| 1264 | const EVP_MD *evp_md; | 1263 | const EVP_MD *evp_md; |
| @@ -1271,7 +1270,7 @@ Index: b/kex.h | |||
| 1271 | char *client_version_string; | 1270 | char *client_version_string; |
| 1272 | char *server_version_string; | 1271 | char *server_version_string; |
| 1273 | int (*verify_host_key)(Key *); | 1272 | int (*verify_host_key)(Key *); |
| 1274 | @@ -143,6 +152,11 @@ | 1273 | @@ -146,6 +155,11 @@ |
| 1275 | void kexgex_client(Kex *); | 1274 | void kexgex_client(Kex *); |
| 1276 | void kexgex_server(Kex *); | 1275 | void kexgex_server(Kex *); |
| 1277 | 1276 | ||
| @@ -1919,10 +1918,10 @@ Index: b/key.c | |||
| 1919 | =================================================================== | 1918 | =================================================================== |
| 1920 | --- a/key.c | 1919 | --- a/key.c |
| 1921 | +++ b/key.c | 1920 | +++ b/key.c |
| 1922 | @@ -764,6 +764,8 @@ | 1921 | @@ -969,6 +969,8 @@ |
| 1923 | return KEY_RSA; | 1922 | return KEY_RSA_CERT; |
| 1924 | } else if (strcmp(name, "ssh-dss") == 0) { | 1923 | } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { |
| 1925 | return KEY_DSA; | 1924 | return KEY_DSA_CERT; |
| 1926 | + } else if (strcmp(name, "null") == 0) { | 1925 | + } else if (strcmp(name, "null") == 0) { |
| 1927 | + return KEY_NULL; | 1926 | + return KEY_NULL; |
| 1928 | } | 1927 | } |
| @@ -1932,10 +1931,10 @@ Index: b/key.h | |||
| 1932 | =================================================================== | 1931 | =================================================================== |
| 1933 | --- a/key.h | 1932 | --- a/key.h |
| 1934 | +++ b/key.h | 1933 | +++ b/key.h |
| 1935 | @@ -34,6 +34,7 @@ | 1934 | @@ -37,6 +37,7 @@ |
| 1936 | KEY_RSA1, | ||
| 1937 | KEY_RSA, | ||
| 1938 | KEY_DSA, | 1935 | KEY_DSA, |
| 1936 | KEY_RSA_CERT, | ||
| 1937 | KEY_DSA_CERT, | ||
| 1939 | + KEY_NULL, | 1938 | + KEY_NULL, |
| 1940 | KEY_UNSPEC | 1939 | KEY_UNSPEC |
| 1941 | }; | 1940 | }; |
| @@ -1996,7 +1995,7 @@ Index: b/monitor.c | |||
| 1996 | } else { | 1995 | } else { |
| 1997 | mon_dispatch = mon_dispatch_postauth15; | 1996 | mon_dispatch = mon_dispatch_postauth15; |
| 1998 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 1997 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
| 1999 | @@ -1706,6 +1723,13 @@ | 1998 | @@ -1691,6 +1708,13 @@ |
| 2000 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 1999 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; |
| 2001 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2000 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
| 2002 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2001 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
| @@ -2010,7 +2009,7 @@ Index: b/monitor.c | |||
| 2010 | kex->server = 1; | 2009 | kex->server = 1; |
| 2011 | kex->hostkey_type = buffer_get_int(m); | 2010 | kex->hostkey_type = buffer_get_int(m); |
| 2012 | kex->kex_type = buffer_get_int(m); | 2011 | kex->kex_type = buffer_get_int(m); |
| 2013 | @@ -1911,6 +1935,9 @@ | 2012 | @@ -1897,6 +1921,9 @@ |
| 2014 | OM_uint32 major; | 2013 | OM_uint32 major; |
| 2015 | u_int len; | 2014 | u_int len; |
| 2016 | 2015 | ||
| @@ -2020,7 +2019,7 @@ Index: b/monitor.c | |||
| 2020 | goid.elements = buffer_get_string(m, &len); | 2019 | goid.elements = buffer_get_string(m, &len); |
| 2021 | goid.length = len; | 2020 | goid.length = len; |
| 2022 | 2021 | ||
| 2023 | @@ -1938,6 +1965,9 @@ | 2022 | @@ -1924,6 +1951,9 @@ |
| 2024 | OM_uint32 flags = 0; /* GSI needs this */ | 2023 | OM_uint32 flags = 0; /* GSI needs this */ |
| 2025 | u_int len; | 2024 | u_int len; |
| 2026 | 2025 | ||
| @@ -2030,7 +2029,7 @@ Index: b/monitor.c | |||
| 2030 | in.value = buffer_get_string(m, &len); | 2029 | in.value = buffer_get_string(m, &len); |
| 2031 | in.length = len; | 2030 | in.length = len; |
| 2032 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2031 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
| 2033 | @@ -1955,6 +1985,7 @@ | 2032 | @@ -1941,6 +1971,7 @@ |
| 2034 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2033 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
| 2035 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2034 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
| 2036 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2035 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
| @@ -2038,7 +2037,7 @@ Index: b/monitor.c | |||
| 2038 | } | 2037 | } |
| 2039 | return (0); | 2038 | return (0); |
| 2040 | } | 2039 | } |
| 2041 | @@ -1966,6 +1997,9 @@ | 2040 | @@ -1952,6 +1983,9 @@ |
| 2042 | OM_uint32 ret; | 2041 | OM_uint32 ret; |
| 2043 | u_int len; | 2042 | u_int len; |
| 2044 | 2043 | ||
| @@ -2048,7 +2047,7 @@ Index: b/monitor.c | |||
| 2048 | gssbuf.value = buffer_get_string(m, &len); | 2047 | gssbuf.value = buffer_get_string(m, &len); |
| 2049 | gssbuf.length = len; | 2048 | gssbuf.length = len; |
| 2050 | mic.value = buffer_get_string(m, &len); | 2049 | mic.value = buffer_get_string(m, &len); |
| 2051 | @@ -1992,7 +2026,11 @@ | 2050 | @@ -1978,7 +2012,11 @@ |
| 2052 | { | 2051 | { |
| 2053 | int authenticated; | 2052 | int authenticated; |
| 2054 | 2053 | ||
| @@ -2061,7 +2060,7 @@ Index: b/monitor.c | |||
| 2061 | 2060 | ||
| 2062 | buffer_clear(m); | 2061 | buffer_clear(m); |
| 2063 | buffer_put_int(m, authenticated); | 2062 | buffer_put_int(m, authenticated); |
| 2064 | @@ -2005,6 +2043,74 @@ | 2063 | @@ -1991,6 +2029,74 @@ |
| 2065 | /* Monitor loop will terminate if authenticated */ | 2064 | /* Monitor loop will terminate if authenticated */ |
| 2066 | return (authenticated); | 2065 | return (authenticated); |
| 2067 | } | 2066 | } |
| @@ -2153,7 +2152,7 @@ Index: b/monitor_wrap.c | |||
| 2153 | =================================================================== | 2152 | =================================================================== |
| 2154 | --- a/monitor_wrap.c | 2153 | --- a/monitor_wrap.c |
| 2155 | +++ b/monitor_wrap.c | 2154 | +++ b/monitor_wrap.c |
| 2156 | @@ -1248,7 +1248,7 @@ | 2155 | @@ -1231,7 +1231,7 @@ |
| 2157 | } | 2156 | } |
| 2158 | 2157 | ||
| 2159 | int | 2158 | int |
| @@ -2162,7 +2161,7 @@ Index: b/monitor_wrap.c | |||
| 2162 | { | 2161 | { |
| 2163 | Buffer m; | 2162 | Buffer m; |
| 2164 | int authenticated = 0; | 2163 | int authenticated = 0; |
| 2165 | @@ -1265,6 +1265,51 @@ | 2164 | @@ -1248,6 +1248,51 @@ |
| 2166 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2165 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
| 2167 | return (authenticated); | 2166 | return (authenticated); |
| 2168 | } | 2167 | } |
| @@ -2261,7 +2260,7 @@ Index: b/readconf.c | |||
| 2261 | #endif | 2260 | #endif |
| 2262 | { "fallbacktorsh", oDeprecated }, | 2261 | { "fallbacktorsh", oDeprecated }, |
| 2263 | { "usersh", oDeprecated }, | 2262 | { "usersh", oDeprecated }, |
| 2264 | @@ -454,10 +463,26 @@ | 2263 | @@ -456,10 +465,26 @@ |
| 2265 | intptr = &options->gss_authentication; | 2264 | intptr = &options->gss_authentication; |
| 2266 | goto parse_flag; | 2265 | goto parse_flag; |
| 2267 | 2266 | ||
| @@ -2288,7 +2287,7 @@ Index: b/readconf.c | |||
| 2288 | case oBatchMode: | 2287 | case oBatchMode: |
| 2289 | intptr = &options->batch_mode; | 2288 | intptr = &options->batch_mode; |
| 2290 | goto parse_flag; | 2289 | goto parse_flag; |
| 2291 | @@ -1013,7 +1038,11 @@ | 2290 | @@ -1015,7 +1040,11 @@ |
| 2292 | options->pubkey_authentication = -1; | 2291 | options->pubkey_authentication = -1; |
| 2293 | options->challenge_response_authentication = -1; | 2292 | options->challenge_response_authentication = -1; |
| 2294 | options->gss_authentication = -1; | 2293 | options->gss_authentication = -1; |
| @@ -2300,7 +2299,7 @@ Index: b/readconf.c | |||
| 2300 | options->password_authentication = -1; | 2299 | options->password_authentication = -1; |
| 2301 | options->kbd_interactive_authentication = -1; | 2300 | options->kbd_interactive_authentication = -1; |
| 2302 | options->kbd_interactive_devices = NULL; | 2301 | options->kbd_interactive_devices = NULL; |
| 2303 | @@ -1105,8 +1134,14 @@ | 2302 | @@ -1107,8 +1136,14 @@ |
| 2304 | options->challenge_response_authentication = 1; | 2303 | options->challenge_response_authentication = 1; |
| 2305 | if (options->gss_authentication == -1) | 2304 | if (options->gss_authentication == -1) |
| 2306 | options->gss_authentication = 0; | 2305 | options->gss_authentication = 0; |
| @@ -2335,7 +2334,7 @@ Index: b/servconf.c | |||
| 2335 | =================================================================== | 2334 | =================================================================== |
| 2336 | --- a/servconf.c | 2335 | --- a/servconf.c |
| 2337 | +++ b/servconf.c | 2336 | +++ b/servconf.c |
| 2338 | @@ -92,7 +92,10 @@ | 2337 | @@ -93,7 +93,10 @@ |
| 2339 | options->kerberos_ticket_cleanup = -1; | 2338 | options->kerberos_ticket_cleanup = -1; |
| 2340 | options->kerberos_get_afs_token = -1; | 2339 | options->kerberos_get_afs_token = -1; |
| 2341 | options->gss_authentication=-1; | 2340 | options->gss_authentication=-1; |
| @@ -2346,7 +2345,7 @@ Index: b/servconf.c | |||
| 2346 | options->password_authentication = -1; | 2345 | options->password_authentication = -1; |
| 2347 | options->kbd_interactive_authentication = -1; | 2346 | options->kbd_interactive_authentication = -1; |
| 2348 | options->challenge_response_authentication = -1; | 2347 | options->challenge_response_authentication = -1; |
| 2349 | @@ -210,8 +213,14 @@ | 2348 | @@ -214,8 +217,14 @@ |
| 2350 | options->kerberos_get_afs_token = 0; | 2349 | options->kerberos_get_afs_token = 0; |
| 2351 | if (options->gss_authentication == -1) | 2350 | if (options->gss_authentication == -1) |
| 2352 | options->gss_authentication = 0; | 2351 | options->gss_authentication = 0; |
| @@ -2361,7 +2360,7 @@ Index: b/servconf.c | |||
| 2361 | if (options->password_authentication == -1) | 2360 | if (options->password_authentication == -1) |
| 2362 | options->password_authentication = 1; | 2361 | options->password_authentication = 1; |
| 2363 | if (options->kbd_interactive_authentication == -1) | 2362 | if (options->kbd_interactive_authentication == -1) |
| 2364 | @@ -302,7 +311,9 @@ | 2363 | @@ -306,7 +315,9 @@ |
| 2365 | sBanner, sUseDNS, sHostbasedAuthentication, | 2364 | sBanner, sUseDNS, sHostbasedAuthentication, |
| 2366 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2365 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
| 2367 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, | 2366 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
| @@ -2371,8 +2370,8 @@ Index: b/servconf.c | |||
| 2371 | + sAcceptEnv, sPermitTunnel, | 2370 | + sAcceptEnv, sPermitTunnel, |
| 2372 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2371 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
| 2373 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2372 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 2374 | sZeroKnowledgePasswordAuthentication, | 2373 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
| 2375 | @@ -364,9 +375,15 @@ | 2374 | @@ -369,9 +380,15 @@ |
| 2376 | #ifdef GSSAPI | 2375 | #ifdef GSSAPI |
| 2377 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2376 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
| 2378 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2377 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
| @@ -2388,7 +2387,7 @@ Index: b/servconf.c | |||
| 2388 | #endif | 2387 | #endif |
| 2389 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2388 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
| 2390 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2389 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
| 2391 | @@ -891,10 +908,22 @@ | 2390 | @@ -925,10 +942,22 @@ |
| 2392 | intptr = &options->gss_authentication; | 2391 | intptr = &options->gss_authentication; |
| 2393 | goto parse_flag; | 2392 | goto parse_flag; |
| 2394 | 2393 | ||
| @@ -2415,7 +2414,7 @@ Index: b/servconf.h | |||
| 2415 | =================================================================== | 2414 | =================================================================== |
| 2416 | --- a/servconf.h | 2415 | --- a/servconf.h |
| 2417 | +++ b/servconf.h | 2416 | +++ b/servconf.h |
| 2418 | @@ -91,7 +91,10 @@ | 2417 | @@ -94,7 +94,10 @@ |
| 2419 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2418 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
| 2420 | * authenticated with Kerberos. */ | 2419 | * authenticated with Kerberos. */ |
| 2421 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2420 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
| @@ -2588,7 +2587,7 @@ Index: b/sshconnect2.c | |||
| 2588 | =================================================================== | 2587 | =================================================================== |
| 2589 | --- a/sshconnect2.c | 2588 | --- a/sshconnect2.c |
| 2590 | +++ b/sshconnect2.c | 2589 | +++ b/sshconnect2.c |
| 2591 | @@ -105,9 +105,34 @@ | 2590 | @@ -106,9 +106,34 @@ |
| 2592 | { | 2591 | { |
| 2593 | Kex *kex; | 2592 | Kex *kex; |
| 2594 | 2593 | ||
| @@ -2623,7 +2622,7 @@ Index: b/sshconnect2.c | |||
| 2623 | if (options.ciphers == (char *)-1) { | 2622 | if (options.ciphers == (char *)-1) { |
| 2624 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2623 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
| 2625 | options.ciphers = NULL; | 2624 | options.ciphers = NULL; |
| 2626 | @@ -135,6 +160,17 @@ | 2625 | @@ -136,6 +161,17 @@ |
| 2627 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 2626 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
| 2628 | options.hostkeyalgorithms; | 2627 | options.hostkeyalgorithms; |
| 2629 | 2628 | ||
| @@ -2641,7 +2640,7 @@ Index: b/sshconnect2.c | |||
| 2641 | if (options.rekey_limit) | 2640 | if (options.rekey_limit) |
| 2642 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); | 2641 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); |
| 2643 | 2642 | ||
| 2644 | @@ -144,10 +180,26 @@ | 2643 | @@ -145,10 +181,26 @@ |
| 2645 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; | 2644 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; |
| 2646 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 2645 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
| 2647 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 2646 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
| @@ -2668,7 +2667,7 @@ Index: b/sshconnect2.c | |||
| 2668 | xxx_kex = kex; | 2667 | xxx_kex = kex; |
| 2669 | 2668 | ||
| 2670 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2669 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
| 2671 | @@ -236,6 +288,7 @@ | 2670 | @@ -243,6 +295,7 @@ |
| 2672 | void input_gssapi_hash(int type, u_int32_t, void *); | 2671 | void input_gssapi_hash(int type, u_int32_t, void *); |
| 2673 | void input_gssapi_error(int, u_int32_t, void *); | 2672 | void input_gssapi_error(int, u_int32_t, void *); |
| 2674 | void input_gssapi_errtok(int, u_int32_t, void *); | 2673 | void input_gssapi_errtok(int, u_int32_t, void *); |
| @@ -2676,7 +2675,7 @@ Index: b/sshconnect2.c | |||
| 2676 | #endif | 2675 | #endif |
| 2677 | 2676 | ||
| 2678 | void userauth(Authctxt *, char *); | 2677 | void userauth(Authctxt *, char *); |
| 2679 | @@ -251,6 +304,11 @@ | 2678 | @@ -258,6 +311,11 @@ |
| 2680 | 2679 | ||
| 2681 | Authmethod authmethods[] = { | 2680 | Authmethod authmethods[] = { |
| 2682 | #ifdef GSSAPI | 2681 | #ifdef GSSAPI |
| @@ -2688,7 +2687,7 @@ Index: b/sshconnect2.c | |||
| 2688 | {"gssapi-with-mic", | 2687 | {"gssapi-with-mic", |
| 2689 | userauth_gssapi, | 2688 | userauth_gssapi, |
| 2690 | NULL, | 2689 | NULL, |
| 2691 | @@ -542,19 +600,29 @@ | 2690 | @@ -564,19 +622,29 @@ |
| 2692 | static u_int mech = 0; | 2691 | static u_int mech = 0; |
| 2693 | OM_uint32 min; | 2692 | OM_uint32 min; |
| 2694 | int ok = 0; | 2693 | int ok = 0; |
| @@ -2720,7 +2719,7 @@ Index: b/sshconnect2.c | |||
| 2720 | ok = 1; /* Mechanism works */ | 2719 | ok = 1; /* Mechanism works */ |
| 2721 | } else { | 2720 | } else { |
| 2722 | mech++; | 2721 | mech++; |
| 2723 | @@ -651,8 +719,8 @@ | 2722 | @@ -673,8 +741,8 @@ |
| 2724 | { | 2723 | { |
| 2725 | Authctxt *authctxt = ctxt; | 2724 | Authctxt *authctxt = ctxt; |
| 2726 | Gssctxt *gssctxt; | 2725 | Gssctxt *gssctxt; |
| @@ -2731,7 +2730,7 @@ Index: b/sshconnect2.c | |||
| 2731 | 2730 | ||
| 2732 | if (authctxt == NULL) | 2731 | if (authctxt == NULL) |
| 2733 | fatal("input_gssapi_response: no authentication context"); | 2732 | fatal("input_gssapi_response: no authentication context"); |
| 2734 | @@ -762,6 +830,48 @@ | 2733 | @@ -784,6 +852,48 @@ |
| 2735 | xfree(msg); | 2734 | xfree(msg); |
| 2736 | xfree(lang); | 2735 | xfree(lang); |
| 2737 | } | 2736 | } |
| @@ -2795,7 +2794,7 @@ Index: b/sshd.c | |||
| 2795 | #ifdef LIBWRAP | 2794 | #ifdef LIBWRAP |
| 2796 | #include <tcpd.h> | 2795 | #include <tcpd.h> |
| 2797 | #include <syslog.h> | 2796 | #include <syslog.h> |
| 2798 | @@ -1531,10 +1535,13 @@ | 2797 | @@ -1577,10 +1581,13 @@ |
| 2799 | logit("Disabling protocol version 1. Could not load host key"); | 2798 | logit("Disabling protocol version 1. Could not load host key"); |
| 2800 | options.protocol &= ~SSH_PROTO_1; | 2799 | options.protocol &= ~SSH_PROTO_1; |
| 2801 | } | 2800 | } |
| @@ -2809,7 +2808,7 @@ Index: b/sshd.c | |||
| 2809 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2808 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
| 2810 | logit("sshd: no hostkeys available -- exiting."); | 2809 | logit("sshd: no hostkeys available -- exiting."); |
| 2811 | exit(1); | 2810 | exit(1); |
| 2812 | @@ -1818,6 +1825,60 @@ | 2811 | @@ -1909,6 +1916,60 @@ |
| 2813 | /* Log the connection. */ | 2812 | /* Log the connection. */ |
| 2814 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2813 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
| 2815 | 2814 | ||
| @@ -2870,7 +2869,7 @@ Index: b/sshd.c | |||
| 2870 | /* | 2869 | /* |
| 2871 | * We don't want to listen forever unless the other side | 2870 | * We don't want to listen forever unless the other side |
| 2872 | * successfully authenticates itself. So we set up an alarm which is | 2871 | * successfully authenticates itself. So we set up an alarm which is |
| 2873 | @@ -2195,12 +2256,61 @@ | 2872 | @@ -2287,12 +2348,61 @@ |
| 2874 | 2873 | ||
| 2875 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2874 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
| 2876 | 2875 | ||
| @@ -2936,7 +2935,7 @@ Index: b/sshd_config | |||
| 2936 | =================================================================== | 2935 | =================================================================== |
| 2937 | --- a/sshd_config | 2936 | --- a/sshd_config |
| 2938 | +++ b/sshd_config | 2937 | +++ b/sshd_config |
| 2939 | @@ -73,6 +73,8 @@ | 2938 | @@ -71,6 +71,8 @@ |
| 2940 | # GSSAPI options | 2939 | # GSSAPI options |
| 2941 | #GSSAPIAuthentication no | 2940 | #GSSAPIAuthentication no |
| 2942 | #GSSAPICleanupCredentials yes | 2941 | #GSSAPICleanupCredentials yes |