authorColin Watson <cjwatson@debian.org>2014-03-20 00:32:39 +0000
committerColin Watson <cjwatson@debian.org>2014-03-20 00:34:16 +0000
commit2ee2de47fd0f684f54218d31b4ec83930e69c18e (patch)
tree86848a7668424b392d48791a0e41e05f9df7b62b /debian/patches/gssapi.patch
parentc9947303ad3c432b1cadfbeb1d95a7cd38662d66 (diff)
parent9cbb60f5e4932634db04c330c88abc49cc5567bd (diff)
Merge 6.6p1.
* New upstream release (http://www.openssh.com/txt/release-6.6).
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch186
1 files changed, 91 insertions, 95 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 90a21db99..d8439bf03 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 429c595dbaff7f7c2b3a53fe4235211f6d788025 Mon Sep 17 00:00:00 2001 1From 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -179,7 +179,7 @@ index 0000000..f117a33
179+ (from jbasney AT ncsa.uiuc.edu) 179+ (from jbasney AT ncsa.uiuc.edu)
180+ <gssapi-with-mic support is Bugzilla #1008> 180+ <gssapi-with-mic support is Bugzilla #1008>
181diff --git a/Makefile.in b/Makefile.in 181diff --git a/Makefile.in b/Makefile.in
182index a8aa127..35c6fd6 100644 182index 28a8ec4..ee1d2c3 100644
183--- a/Makefile.in 183--- a/Makefile.in
184+++ b/Makefile.in 184+++ b/Makefile.in
185@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 185@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
@@ -188,10 +188,10 @@ index a8aa127..35c6fd6 100644
188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
189+ kexgssc.o \ 189+ kexgssc.o \
190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ 190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
191 jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ 191 ssh-pkcs11.o krl.o smult_curve25519_ref.o \
192 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ 192 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
193@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 193@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
194 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 194 auth2-none.o auth2-passwd.o auth2-pubkey.o \
195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
196 kexc25519s.o auth-krb5.o \ 196 kexc25519s.o auth-krb5.o \
197- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 197- auth2-gss.o gss-serv.o gss-serv-krb5.o \
@@ -251,11 +251,11 @@ index 6c62bdf..69a1a53 100644
251 return (krb5_cc_resolve(ctx, ccname, ccache)); 251 return (krb5_cc_resolve(ctx, ccname, ccache));
252 } 252 }
253diff --git a/auth2-gss.c b/auth2-gss.c 253diff --git a/auth2-gss.c b/auth2-gss.c
254index 638d8f8..b8db820 100644 254index c28a705..3ff2d72 100644
255--- a/auth2-gss.c 255--- a/auth2-gss.c
256+++ b/auth2-gss.c 256+++ b/auth2-gss.c
257@@ -1,7 +1,7 @@ 257@@ -1,7 +1,7 @@
258 /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */ 258 /* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
259 259
260 /* 260 /*
261- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 261- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -304,7 +304,7 @@ index 638d8f8..b8db820 100644
304 /* 304 /*
305 * We only support those mechanisms that we know about (ie ones that we know 305 * We only support those mechanisms that we know about (ie ones that we know
306 * how to check local user kuserok and the like) 306 * how to check local user kuserok and the like)
307@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 307@@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
308 308
309 packet_check_eom(); 309 packet_check_eom();
310 310
@@ -314,7 +314,7 @@ index 638d8f8..b8db820 100644
314 314
315 authctxt->postponed = 0; 315 authctxt->postponed = 0;
316 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 316 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
317@@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 317@@ -270,7 +305,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
318 gssbuf.length = buffer_len(&b); 318 gssbuf.length = buffer_len(&b);
319 319
320 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 320 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -324,7 +324,7 @@ index 638d8f8..b8db820 100644
324 else 324 else
325 logit("GSSAPI MIC check failed"); 325 logit("GSSAPI MIC check failed");
326 326
327@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 327@@ -285,6 +321,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
328 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 328 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
329 } 329 }
330 330
@@ -338,7 +338,7 @@ index 638d8f8..b8db820 100644
338 "gssapi-with-mic", 338 "gssapi-with-mic",
339 userauth_gssapi, 339 userauth_gssapi,
340diff --git a/auth2.c b/auth2.c 340diff --git a/auth2.c b/auth2.c
341index f0cab8c..6ed8f04 100644 341index a5490c0..fbe3e1b 100644
342--- a/auth2.c 342--- a/auth2.c
343+++ b/auth2.c 343+++ b/auth2.c
344@@ -69,6 +69,7 @@ extern Authmethod method_passwd; 344@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
@@ -348,17 +348,17 @@ index f0cab8c..6ed8f04 100644
348+extern Authmethod method_gsskeyex; 348+extern Authmethod method_gsskeyex;
349 extern Authmethod method_gssapi; 349 extern Authmethod method_gssapi;
350 #endif 350 #endif
351 #ifdef JPAKE 351
352@@ -79,6 +80,7 @@ Authmethod *authmethods[] = { 352@@ -76,6 +77,7 @@ Authmethod *authmethods[] = {
353 &method_none, 353 &method_none,
354 &method_pubkey, 354 &method_pubkey,
355 #ifdef GSSAPI 355 #ifdef GSSAPI
356+ &method_gsskeyex, 356+ &method_gsskeyex,
357 &method_gssapi, 357 &method_gssapi,
358 #endif 358 #endif
359 #ifdef JPAKE 359 &method_passwd,
360diff --git a/clientloop.c b/clientloop.c 360diff --git a/clientloop.c b/clientloop.c
361index f30c8b6..cc23e35 100644 361index 59ad3a2..6d8cd7d 100644
362--- a/clientloop.c 362--- a/clientloop.c
363+++ b/clientloop.c 363+++ b/clientloop.c
364@@ -111,6 +111,10 @@ 364@@ -111,6 +111,10 @@
@@ -389,10 +389,10 @@ index f30c8b6..cc23e35 100644
389 debug("need rekeying"); 389 debug("need rekeying");
390 xxx_kex->done = 0; 390 xxx_kex->done = 0;
391diff --git a/config.h.in b/config.h.in 391diff --git a/config.h.in b/config.h.in
392index 075c619..906e549 100644 392index 0401ad1..6bc422c 100644
393--- a/config.h.in 393--- a/config.h.in
394+++ b/config.h.in 394+++ b/config.h.in
395@@ -1616,6 +1616,9 @@ 395@@ -1622,6 +1622,9 @@
396 /* Use btmp to log bad logins */ 396 /* Use btmp to log bad logins */
397 #undef USE_BTMP 397 #undef USE_BTMP
398 398
@@ -402,7 +402,7 @@ index 075c619..906e549 100644
402 /* Use libedit for sftp */ 402 /* Use libedit for sftp */
403 #undef USE_LIBEDIT 403 #undef USE_LIBEDIT
404 404
405@@ -1631,6 +1634,9 @@ 405@@ -1637,6 +1640,9 @@
406 /* Use PIPES instead of a socketpair() */ 406 /* Use PIPES instead of a socketpair() */
407 #undef USE_PIPES 407 #undef USE_PIPES
408 408
@@ -413,7 +413,7 @@ index 075c619..906e549 100644
413 #undef USE_SOLARIS_PROCESS_CONTRACTS 413 #undef USE_SOLARIS_PROCESS_CONTRACTS
414 414
415diff --git a/configure b/configure 415diff --git a/configure b/configure
416index 2d714ac..5a9db2d 100755 416index d690393..b6b5b6d 100755
417--- a/configure 417--- a/configure
418+++ b/configure 418+++ b/configure
419@@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h 419@@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
@@ -481,7 +481,7 @@ index 2d714ac..5a9db2d 100755
481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" 481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : 482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
483diff --git a/configure.ac b/configure.ac 483diff --git a/configure.ac b/configure.ac
484index dfd32cd..90eebf5 100644 484index 7c6ce08..d235fb0 100644
485--- a/configure.ac 485--- a/configure.ac
486+++ b/configure.ac 486+++ b/configure.ac
487@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 487@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -992,11 +992,11 @@ index 759fa10..e678a27 100644
992 992
993 #endif /* KRB5 */ 993 #endif /* KRB5 */
994diff --git a/gss-serv.c b/gss-serv.c 994diff --git a/gss-serv.c b/gss-serv.c
995index 95348e2..feb1ed7 100644 995index e61b37b..c33463b 100644
996--- a/gss-serv.c 996--- a/gss-serv.c
997+++ b/gss-serv.c 997+++ b/gss-serv.c
998@@ -1,7 +1,7 @@ 998@@ -1,7 +1,7 @@
999 /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */ 999 /* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
1000 1000
1001 /* 1001 /*
1002- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 1002- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1028,7 +1028,7 @@ index 95348e2..feb1ed7 100644
1028 1028
1029 #ifdef KRB5 1029 #ifdef KRB5
1030 extern ssh_gssapi_mech gssapi_kerberos_mech; 1030 extern ssh_gssapi_mech gssapi_kerberos_mech;
1031@@ -81,25 +87,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) 1031@@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
1032 char lname[MAXHOSTNAMELEN]; 1032 char lname[MAXHOSTNAMELEN];
1033 gss_OID_set oidset; 1033 gss_OID_set oidset;
1034 1034
@@ -1075,7 +1075,7 @@ index 95348e2..feb1ed7 100644
1075 } 1075 }
1076 1076
1077 /* Privileged */ 1077 /* Privileged */
1078@@ -114,6 +127,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) 1078@@ -133,6 +146,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
1079 } 1079 }
1080 1080
1081 /* Unprivileged */ 1081 /* Unprivileged */
@@ -1105,7 +1105,7 @@ index 95348e2..feb1ed7 100644
1105 void 1105 void
1106 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1106 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1107 { 1107 {
1108@@ -123,7 +159,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) 1108@@ -142,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1109 gss_OID_set supported; 1109 gss_OID_set supported;
1110 1110
1111 gss_create_empty_oid_set(&min_status, oidset); 1111 gss_create_empty_oid_set(&min_status, oidset);
@@ -1116,7 +1116,7 @@ index 95348e2..feb1ed7 100644
1116 1116
1117 while (supported_mechs[i]->name != NULL) { 1117 while (supported_mechs[i]->name != NULL) {
1118 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1118 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1119@@ -249,8 +287,48 @@ OM_uint32 1119@@ -268,8 +306,48 @@ OM_uint32
1120 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1120 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1121 { 1121 {
1122 int i = 0; 1122 int i = 0;
@@ -1166,7 +1166,7 @@ index 95348e2..feb1ed7 100644
1166 1166
1167 client->mech = NULL; 1167 client->mech = NULL;
1168 1168
1169@@ -265,6 +343,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1169@@ -284,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1170 if (client->mech == NULL) 1170 if (client->mech == NULL)
1171 return GSS_S_FAILURE; 1171 return GSS_S_FAILURE;
1172 1172
@@ -1180,7 +1180,7 @@ index 95348e2..feb1ed7 100644
1180 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1180 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1181 &client->displayname, NULL))) { 1181 &client->displayname, NULL))) {
1182 ssh_gssapi_error(ctx); 1182 ssh_gssapi_error(ctx);
1183@@ -282,6 +367,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1183@@ -301,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1184 return (ctx->major); 1184 return (ctx->major);
1185 } 1185 }
1186 1186
@@ -1189,7 +1189,7 @@ index 95348e2..feb1ed7 100644
1189 /* We can't copy this structure, so we just move the pointer to it */ 1189 /* We can't copy this structure, so we just move the pointer to it */
1190 client->creds = ctx->client_creds; 1190 client->creds = ctx->client_creds;
1191 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1191 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1192@@ -329,7 +416,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) 1192@@ -348,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
1193 1193
1194 /* Privileged */ 1194 /* Privileged */
1195 int 1195 int
@@ -1198,7 +1198,7 @@ index 95348e2..feb1ed7 100644
1198 { 1198 {
1199 OM_uint32 lmin; 1199 OM_uint32 lmin;
1200 1200
1201@@ -339,9 +426,11 @@ ssh_gssapi_userok(char *user) 1201@@ -358,9 +445,11 @@ ssh_gssapi_userok(char *user)
1202 return 0; 1202 return 0;
1203 } 1203 }
1204 if (gssapi_client.mech && gssapi_client.mech->userok) 1204 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1212,7 +1212,7 @@ index 95348e2..feb1ed7 100644
1212 /* Destroy delegated credentials if userok fails */ 1212 /* Destroy delegated credentials if userok fails */
1213 gss_release_buffer(&lmin, &gssapi_client.displayname); 1213 gss_release_buffer(&lmin, &gssapi_client.displayname);
1214 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1214 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1215@@ -354,14 +443,90 @@ ssh_gssapi_userok(char *user) 1215@@ -374,14 +463,90 @@ ssh_gssapi_userok(char *user)
1216 return (0); 1216 return (0);
1217 } 1217 }
1218 1218
@@ -1310,7 +1310,7 @@ index 95348e2..feb1ed7 100644
1310 1310
1311 #endif 1311 #endif
1312diff --git a/kex.c b/kex.c 1312diff --git a/kex.c b/kex.c
1313index 616484b..49d0fc8 100644 1313index 74e2b86..d114ee3 100644
1314--- a/kex.c 1314--- a/kex.c
1315+++ b/kex.c 1315+++ b/kex.c
1316@@ -51,6 +51,10 @@ 1316@@ -51,6 +51,10 @@
@@ -1351,7 +1351,7 @@ index 616484b..49d0fc8 100644
1351 } 1351 }
1352 1352
1353diff --git a/kex.h b/kex.h 1353diff --git a/kex.h b/kex.h
1354index 1aa3ec2..8fbcb2b 100644 1354index c85680e..ea698c4 100644
1355--- a/kex.h 1355--- a/kex.h
1356+++ b/kex.h 1356+++ b/kex.h
1357@@ -76,6 +76,9 @@ enum kex_exchange { 1357@@ -76,6 +76,9 @@ enum kex_exchange {
@@ -1364,7 +1364,7 @@ index 1aa3ec2..8fbcb2b 100644
1364 KEX_MAX 1364 KEX_MAX
1365 }; 1365 };
1366 1366
1367@@ -136,6 +139,12 @@ struct Kex { 1367@@ -135,6 +138,12 @@ struct Kex {
1368 int flags; 1368 int flags;
1369 int hash_alg; 1369 int hash_alg;
1370 int ec_nid; 1370 int ec_nid;
@@ -1377,7 +1377,7 @@ index 1aa3ec2..8fbcb2b 100644
1377 char *client_version_string; 1377 char *client_version_string;
1378 char *server_version_string; 1378 char *server_version_string;
1379 int (*verify_host_key)(Key *); 1379 int (*verify_host_key)(Key *);
1380@@ -168,6 +177,11 @@ void kexecdh_server(Kex *); 1380@@ -167,6 +176,11 @@ void kexecdh_server(Kex *);
1381 void kexc25519_client(Kex *); 1381 void kexc25519_client(Kex *);
1382 void kexc25519_server(Kex *); 1382 void kexc25519_server(Kex *);
1383 1383
@@ -2023,7 +2023,7 @@ index 0000000..8095259
2023+} 2023+}
2024+#endif /* GSSAPI */ 2024+#endif /* GSSAPI */
2025diff --git a/key.c b/key.c 2025diff --git a/key.c b/key.c
2026index 9142338..7ac844c 100644 2026index 168e1b7..3d640e7 100644
2027--- a/key.c 2027--- a/key.c
2028+++ b/key.c 2028+++ b/key.c
2029@@ -985,6 +985,7 @@ static const struct keytype keytypes[] = { 2029@@ -985,6 +985,7 @@ static const struct keytype keytypes[] = {
@@ -2056,10 +2056,10 @@ index d8ad13d..c8aeba2 100644
2056 }; 2056 };
2057 enum fp_type { 2057 enum fp_type {
2058diff --git a/monitor.c b/monitor.c 2058diff --git a/monitor.c b/monitor.c
2059index 03baf1e..a777c4c 100644 2059index 531c4f9..2918814 100644
2060--- a/monitor.c 2060--- a/monitor.c
2061+++ b/monitor.c 2061+++ b/monitor.c
2062@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2062@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
2063 int mm_answer_gss_accept_ctx(int, Buffer *); 2063 int mm_answer_gss_accept_ctx(int, Buffer *);
2064 int mm_answer_gss_userok(int, Buffer *); 2064 int mm_answer_gss_userok(int, Buffer *);
2065 int mm_answer_gss_checkmic(int, Buffer *); 2065 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2068,15 +2068,13 @@ index 03baf1e..a777c4c 100644
2068 #endif 2068 #endif
2069 2069
2070 #ifdef SSH_AUDIT_EVENTS 2070 #ifdef SSH_AUDIT_EVENTS
2071@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = { 2071@@ -247,11 +249,18 @@ struct mon_table mon_dispatch_proto20[] = {
2072 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2072 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2073 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2073 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2074 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2074 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
2075+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, 2075+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
2076 #endif 2076 #endif
2077 #ifdef JPAKE 2077 {0, 0, NULL}
2078 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
2079@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
2080 }; 2078 };
2081 2079
2082 struct mon_table mon_dispatch_postauth20[] = { 2080 struct mon_table mon_dispatch_postauth20[] = {
@@ -2089,7 +2087,7 @@ index 03baf1e..a777c4c 100644
2089 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2087 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2090 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2088 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
2091 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2089 {MONITOR_REQ_PTY, 0, mm_answer_pty},
2092@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2090@@ -360,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2093 /* Permit requests for moduli and signatures */ 2091 /* Permit requests for moduli and signatures */
2094 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2092 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2095 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2093 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2100,7 +2098,7 @@ index 03baf1e..a777c4c 100644
2100 } else { 2098 } else {
2101 mon_dispatch = mon_dispatch_proto15; 2099 mon_dispatch = mon_dispatch_proto15;
2102 2100
2103@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2101@@ -465,6 +478,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2104 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2102 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2105 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2103 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2106 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2104 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2111,7 +2109,7 @@ index 03baf1e..a777c4c 100644
2111 } else { 2109 } else {
2112 mon_dispatch = mon_dispatch_postauth15; 2110 mon_dispatch = mon_dispatch_postauth15;
2113 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2111 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2114@@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m) 2112@@ -1834,6 +1851,13 @@ mm_get_kex(Buffer *m)
2115 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2113 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2116 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2114 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
2117 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2115 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2125,7 +2123,7 @@ index 03baf1e..a777c4c 100644
2125 kex->server = 1; 2123 kex->server = 1;
2126 kex->hostkey_type = buffer_get_int(m); 2124 kex->hostkey_type = buffer_get_int(m);
2127 kex->kex_type = buffer_get_int(m); 2125 kex->kex_type = buffer_get_int(m);
2128@@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2126@@ -2041,6 +2065,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2129 OM_uint32 major; 2127 OM_uint32 major;
2130 u_int len; 2128 u_int len;
2131 2129
@@ -2135,7 +2133,7 @@ index 03baf1e..a777c4c 100644
2135 goid.elements = buffer_get_string(m, &len); 2133 goid.elements = buffer_get_string(m, &len);
2136 goid.length = len; 2134 goid.length = len;
2137 2135
2138@@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2136@@ -2068,6 +2095,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2139 OM_uint32 flags = 0; /* GSI needs this */ 2137 OM_uint32 flags = 0; /* GSI needs this */
2140 u_int len; 2138 u_int len;
2141 2139
@@ -2145,7 +2143,7 @@ index 03baf1e..a777c4c 100644
2145 in.value = buffer_get_string(m, &len); 2143 in.value = buffer_get_string(m, &len);
2146 in.length = len; 2144 in.length = len;
2147 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2145 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2148@@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2146@@ -2085,6 +2115,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2149 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2147 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2150 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2148 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2151 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2149 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2153,7 +2151,7 @@ index 03baf1e..a777c4c 100644
2153 } 2151 }
2154 return (0); 2152 return (0);
2155 } 2153 }
2156@@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2154@@ -2096,6 +2127,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2157 OM_uint32 ret; 2155 OM_uint32 ret;
2158 u_int len; 2156 u_int len;
2159 2157
@@ -2163,7 +2161,7 @@ index 03baf1e..a777c4c 100644
2163 gssbuf.value = buffer_get_string(m, &len); 2161 gssbuf.value = buffer_get_string(m, &len);
2164 gssbuf.length = len; 2162 gssbuf.length = len;
2165 mic.value = buffer_get_string(m, &len); 2163 mic.value = buffer_get_string(m, &len);
2166@@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2164@@ -2122,7 +2156,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2167 { 2165 {
2168 int authenticated; 2166 int authenticated;
2169 2167
@@ -2176,7 +2174,7 @@ index 03baf1e..a777c4c 100644
2176 2174
2177 buffer_clear(m); 2175 buffer_clear(m);
2178 buffer_put_int(m, authenticated); 2176 buffer_put_int(m, authenticated);
2179@@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m) 2177@@ -2135,5 +2173,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
2180 /* Monitor loop will terminate if authenticated */ 2178 /* Monitor loop will terminate if authenticated */
2181 return (authenticated); 2179 return (authenticated);
2182 } 2180 }
@@ -2250,12 +2248,11 @@ index 03baf1e..a777c4c 100644
2250+ 2248+
2251 #endif /* GSSAPI */ 2249 #endif /* GSSAPI */
2252 2250
2253 #ifdef JPAKE
2254diff --git a/monitor.h b/monitor.h 2251diff --git a/monitor.h b/monitor.h
2255index 2caa469..315ef99 100644 2252index 5bc41b5..7f32b0c 100644
2256--- a/monitor.h 2253--- a/monitor.h
2257+++ b/monitor.h 2254+++ b/monitor.h
2258@@ -70,6 +70,9 @@ enum monitor_reqtype { 2255@@ -65,6 +65,9 @@ enum monitor_reqtype {
2259 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, 2256 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
2260 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, 2257 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
2261 2258
@@ -2266,10 +2263,10 @@ index 2caa469..315ef99 100644
2266 2263
2267 struct mm_master; 2264 struct mm_master;
2268diff --git a/monitor_wrap.c b/monitor_wrap.c 2265diff --git a/monitor_wrap.c b/monitor_wrap.c
2269index 4ce4696..44019f3 100644 2266index 1a47e41..60b987d 100644
2270--- a/monitor_wrap.c 2267--- a/monitor_wrap.c
2271+++ b/monitor_wrap.c 2268+++ b/monitor_wrap.c
2272@@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2269@@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2273 } 2270 }
2274 2271
2275 int 2272 int
@@ -2278,7 +2275,7 @@ index 4ce4696..44019f3 100644
2278 { 2275 {
2279 Buffer m; 2276 Buffer m;
2280 int authenticated = 0; 2277 int authenticated = 0;
2281@@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user) 2278@@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user)
2282 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2279 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2283 return (authenticated); 2280 return (authenticated);
2284 } 2281 }
@@ -2329,9 +2326,8 @@ index 4ce4696..44019f3 100644
2329+ 2326+
2330 #endif /* GSSAPI */ 2327 #endif /* GSSAPI */
2331 2328
2332 #ifdef JPAKE
2333diff --git a/monitor_wrap.h b/monitor_wrap.h 2329diff --git a/monitor_wrap.h b/monitor_wrap.h
2334index 0c7f2e3..ec9b9b1 100644 2330index 18c2501..a4e9d24 100644
2335--- a/monitor_wrap.h 2331--- a/monitor_wrap.h
2336+++ b/monitor_wrap.h 2332+++ b/monitor_wrap.h
2337@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); 2333@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
@@ -2347,10 +2343,10 @@ index 0c7f2e3..ec9b9b1 100644
2347 2343
2348 #ifdef USE_PAM 2344 #ifdef USE_PAM
2349diff --git a/readconf.c b/readconf.c 2345diff --git a/readconf.c b/readconf.c
2350index 9c7e73d..cb8bcb2 100644 2346index dc884c9..7613ff2 100644
2351--- a/readconf.c 2347--- a/readconf.c
2352+++ b/readconf.c 2348+++ b/readconf.c
2353@@ -140,6 +140,8 @@ typedef enum { 2349@@ -141,6 +141,8 @@ typedef enum {
2354 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2350 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2355 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2351 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2356 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2352 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2359,7 +2355,7 @@ index 9c7e73d..cb8bcb2 100644
2359 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2355 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2360 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2356 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2361 oHashKnownHosts, 2357 oHashKnownHosts,
2362@@ -182,10 +184,19 @@ static struct { 2358@@ -183,10 +185,19 @@ static struct {
2363 { "afstokenpassing", oUnsupported }, 2359 { "afstokenpassing", oUnsupported },
2364 #if defined(GSSAPI) 2360 #if defined(GSSAPI)
2365 { "gssapiauthentication", oGssAuthentication }, 2361 { "gssapiauthentication", oGssAuthentication },
@@ -2379,7 +2375,7 @@ index 9c7e73d..cb8bcb2 100644
2379 #endif 2375 #endif
2380 { "fallbacktorsh", oDeprecated }, 2376 { "fallbacktorsh", oDeprecated },
2381 { "usersh", oDeprecated }, 2377 { "usersh", oDeprecated },
2382@@ -839,10 +850,30 @@ parse_time: 2378@@ -841,10 +852,30 @@ parse_time:
2383 intptr = &options->gss_authentication; 2379 intptr = &options->gss_authentication;
2384 goto parse_flag; 2380 goto parse_flag;
2385 2381
@@ -2410,7 +2406,7 @@ index 9c7e73d..cb8bcb2 100644
2410 case oBatchMode: 2406 case oBatchMode:
2411 intptr = &options->batch_mode; 2407 intptr = &options->batch_mode;
2412 goto parse_flag; 2408 goto parse_flag;
2413@@ -1488,7 +1519,12 @@ initialize_options(Options * options) 2409@@ -1497,7 +1528,12 @@ initialize_options(Options * options)
2414 options->pubkey_authentication = -1; 2410 options->pubkey_authentication = -1;
2415 options->challenge_response_authentication = -1; 2411 options->challenge_response_authentication = -1;
2416 options->gss_authentication = -1; 2412 options->gss_authentication = -1;
@@ -2423,7 +2419,7 @@ index 9c7e73d..cb8bcb2 100644
2423 options->password_authentication = -1; 2419 options->password_authentication = -1;
2424 options->kbd_interactive_authentication = -1; 2420 options->kbd_interactive_authentication = -1;
2425 options->kbd_interactive_devices = NULL; 2421 options->kbd_interactive_devices = NULL;
2426@@ -1594,8 +1630,14 @@ fill_default_options(Options * options) 2422@@ -1616,8 +1652,14 @@ fill_default_options(Options * options)
2427 options->challenge_response_authentication = 1; 2423 options->challenge_response_authentication = 1;
2428 if (options->gss_authentication == -1) 2424 if (options->gss_authentication == -1)
2429 options->gss_authentication = 0; 2425 options->gss_authentication = 0;
@@ -2439,7 +2435,7 @@ index 9c7e73d..cb8bcb2 100644
2439 options->password_authentication = 1; 2435 options->password_authentication = 1;
2440 if (options->kbd_interactive_authentication == -1) 2436 if (options->kbd_interactive_authentication == -1)
2441diff --git a/readconf.h b/readconf.h 2437diff --git a/readconf.h b/readconf.h
2442index 2d7ea9f..826c676 100644 2438index 75e3f8f..5cc97f0 100644
2443--- a/readconf.h 2439--- a/readconf.h
2444+++ b/readconf.h 2440+++ b/readconf.h
2445@@ -54,7 +54,12 @@ typedef struct { 2441@@ -54,7 +54,12 @@ typedef struct {
@@ -2456,7 +2452,7 @@ index 2d7ea9f..826c676 100644
2456 * authentication. */ 2452 * authentication. */
2457 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2453 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2458diff --git a/servconf.c b/servconf.c 2454diff --git a/servconf.c b/servconf.c
2459index 9bcd05b..29209e4 100644 2455index 7ba65d5..0083cf8 100644
2460--- a/servconf.c 2456--- a/servconf.c
2461+++ b/servconf.c 2457+++ b/servconf.c
2462@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) 2458@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options)
@@ -2470,7 +2466,7 @@ index 9bcd05b..29209e4 100644
2470 options->password_authentication = -1; 2466 options->password_authentication = -1;
2471 options->kbd_interactive_authentication = -1; 2467 options->kbd_interactive_authentication = -1;
2472 options->challenge_response_authentication = -1; 2468 options->challenge_response_authentication = -1;
2473@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options) 2469@@ -244,8 +247,14 @@ fill_default_server_options(ServerOptions *options)
2474 options->kerberos_get_afs_token = 0; 2470 options->kerberos_get_afs_token = 0;
2475 if (options->gss_authentication == -1) 2471 if (options->gss_authentication == -1)
2476 options->gss_authentication = 0; 2472 options->gss_authentication = 0;
@@ -2485,7 +2481,7 @@ index 9bcd05b..29209e4 100644
2485 if (options->password_authentication == -1) 2481 if (options->password_authentication == -1)
2486 options->password_authentication = 1; 2482 options->password_authentication = 1;
2487 if (options->kbd_interactive_authentication == -1) 2483 if (options->kbd_interactive_authentication == -1)
2488@@ -343,7 +352,9 @@ typedef enum { 2484@@ -340,7 +349,9 @@ typedef enum {
2489 sBanner, sUseDNS, sHostbasedAuthentication, 2485 sBanner, sUseDNS, sHostbasedAuthentication,
2490 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2486 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2491 sClientAliveCountMax, sAuthorizedKeysFile, 2487 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2495,8 +2491,8 @@ index 9bcd05b..29209e4 100644
2495+ sAcceptEnv, sPermitTunnel, 2491+ sAcceptEnv, sPermitTunnel,
2496 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2492 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2497 sUsePrivilegeSeparation, sAllowAgentForwarding, 2493 sUsePrivilegeSeparation, sAllowAgentForwarding,
2498 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2494 sHostCertificate,
2499@@ -410,10 +421,20 @@ static struct { 2495@@ -407,10 +418,20 @@ static struct {
2500 #ifdef GSSAPI 2496 #ifdef GSSAPI
2501 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2497 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2502 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2498 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2517,7 +2513,7 @@ index 9bcd05b..29209e4 100644
2517 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2513 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2518 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2514 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2519 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2515 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2520@@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions *options, char *line, 2516@@ -1086,10 +1107,22 @@ process_server_config_line(ServerOptions *options, char *line,
2521 intptr = &options->gss_authentication; 2517 intptr = &options->gss_authentication;
2522 goto parse_flag; 2518 goto parse_flag;
2523 2519
@@ -2540,7 +2536,7 @@ index 9bcd05b..29209e4 100644
2540 case sPasswordAuthentication: 2536 case sPasswordAuthentication:
2541 intptr = &options->password_authentication; 2537 intptr = &options->password_authentication;
2542 goto parse_flag; 2538 goto parse_flag;
2543@@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o) 2539@@ -1995,7 +2028,10 @@ dump_config(ServerOptions *o)
2544 #endif 2540 #endif
2545 #ifdef GSSAPI 2541 #ifdef GSSAPI
2546 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2542 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2549,10 +2545,10 @@ index 9bcd05b..29209e4 100644
2549+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); 2545+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
2550+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); 2546+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
2551 #endif 2547 #endif
2552 #ifdef JPAKE 2548 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2553 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, 2549 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2554diff --git a/servconf.h b/servconf.h 2550diff --git a/servconf.h b/servconf.h
2555index 8812c5a..eba76ee 100644 2551index 752d1c5..c922eb5 100644
2556--- a/servconf.h 2552--- a/servconf.h
2557+++ b/servconf.h 2553+++ b/servconf.h
2558@@ -112,7 +112,10 @@ typedef struct { 2554@@ -112,7 +112,10 @@ typedef struct {
@@ -2567,11 +2563,11 @@ index 8812c5a..eba76ee 100644
2567 * authentication. */ 2563 * authentication. */
2568 int kbd_interactive_authentication; /* If true, permit */ 2564 int kbd_interactive_authentication; /* If true, permit */
2569diff --git a/ssh-gss.h b/ssh-gss.h 2565diff --git a/ssh-gss.h b/ssh-gss.h
2570index 077e13c..885e481 100644 2566index a99d7f0..914701b 100644
2571--- a/ssh-gss.h 2567--- a/ssh-gss.h
2572+++ b/ssh-gss.h 2568+++ b/ssh-gss.h
2573@@ -1,6 +1,6 @@ 2569@@ -1,6 +1,6 @@
2574 /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ 2570 /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
2575 /* 2571 /*
2576- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 2572- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
2577+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 2573+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -2634,7 +2630,7 @@ index 077e13c..885e481 100644
2634 2630
2635 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 2631 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
2636 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 2632 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
2637@@ -117,16 +134,32 @@ void ssh_gssapi_build_ctx(Gssctxt **); 2633@@ -119,16 +136,32 @@ void ssh_gssapi_build_ctx(Gssctxt **);
2638 void ssh_gssapi_delete_ctx(Gssctxt **); 2634 void ssh_gssapi_delete_ctx(Gssctxt **);
2639 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 2635 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
2640 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); 2636 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2683,10 +2679,10 @@ index 03a228f..228e5ab 100644
2683 # CheckHostIP yes 2679 # CheckHostIP yes
2684 # AddressFamily any 2680 # AddressFamily any
2685diff --git a/ssh_config.5 b/ssh_config.5 2681diff --git a/ssh_config.5 b/ssh_config.5
2686index 3cadcd7..49505ae 100644 2682index b580392..e7accd6 100644
2687--- a/ssh_config.5 2683--- a/ssh_config.5
2688+++ b/ssh_config.5 2684+++ b/ssh_config.5
2689@@ -676,11 +676,43 @@ Specifies whether user authentication based on GSSAPI is allowed. 2685@@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
2690 The default is 2686 The default is
2691 .Dq no . 2687 .Dq no .
2692 Note that this option applies to protocol version 2 only. 2688 Note that this option applies to protocol version 2 only.
@@ -2732,10 +2728,10 @@ index 3cadcd7..49505ae 100644
2732 Indicates that 2728 Indicates that
2733 .Xr ssh 1 2729 .Xr ssh 1
2734diff --git a/sshconnect2.c b/sshconnect2.c 2730diff --git a/sshconnect2.c b/sshconnect2.c
2735index 8acffc5..21a269d 100644 2731index 7f4ff41..66cb035 100644
2736--- a/sshconnect2.c 2732--- a/sshconnect2.c
2737+++ b/sshconnect2.c 2733+++ b/sshconnect2.c
2738@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2734@@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2739 { 2735 {
2740 Kex *kex; 2736 Kex *kex;
2741 2737
@@ -2770,7 +2766,7 @@ index 8acffc5..21a269d 100644
2770 if (options.ciphers == (char *)-1) { 2766 if (options.ciphers == (char *)-1) {
2771 logit("No valid ciphers for protocol version 2 given, using defaults."); 2767 logit("No valid ciphers for protocol version 2 given, using defaults.");
2772 options.ciphers = NULL; 2768 options.ciphers = NULL;
2773@@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2769@@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2774 if (options.kex_algorithms != NULL) 2770 if (options.kex_algorithms != NULL)
2775 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2771 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2776 2772
@@ -2788,7 +2784,7 @@ index 8acffc5..21a269d 100644
2788 if (options.rekey_limit || options.rekey_interval) 2784 if (options.rekey_limit || options.rekey_interval)
2789 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2785 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2790 (time_t)options.rekey_interval); 2786 (time_t)options.rekey_interval);
2791@@ -210,10 +246,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2787@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2792 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2788 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2793 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2789 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
2794 kex->kex[KEX_C25519_SHA256] = kexc25519_client; 2790 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2819,7 +2815,7 @@ index 8acffc5..21a269d 100644
2819 xxx_kex = kex; 2815 xxx_kex = kex;
2820 2816
2821 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2817 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2822@@ -309,6 +365,7 @@ void input_gssapi_token(int type, u_int32_t, void *); 2818@@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
2823 void input_gssapi_hash(int type, u_int32_t, void *); 2819 void input_gssapi_hash(int type, u_int32_t, void *);
2824 void input_gssapi_error(int, u_int32_t, void *); 2820 void input_gssapi_error(int, u_int32_t, void *);
2825 void input_gssapi_errtok(int, u_int32_t, void *); 2821 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2827,7 +2823,7 @@ index 8acffc5..21a269d 100644
2827 #endif 2823 #endif
2828 2824
2829 void userauth(Authctxt *, char *); 2825 void userauth(Authctxt *, char *);
2830@@ -324,6 +381,11 @@ static char *authmethods_get(void); 2826@@ -316,6 +373,11 @@ static char *authmethods_get(void);
2831 2827
2832 Authmethod authmethods[] = { 2828 Authmethod authmethods[] = {
2833 #ifdef GSSAPI 2829 #ifdef GSSAPI
@@ -2839,7 +2835,7 @@ index 8acffc5..21a269d 100644
2839 {"gssapi-with-mic", 2835 {"gssapi-with-mic",
2840 userauth_gssapi, 2836 userauth_gssapi,
2841 NULL, 2837 NULL,
2842@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt) 2838@@ -612,19 +674,31 @@ userauth_gssapi(Authctxt *authctxt)
2843 static u_int mech = 0; 2839 static u_int mech = 0;
2844 OM_uint32 min; 2840 OM_uint32 min;
2845 int ok = 0; 2841 int ok = 0;
@@ -2873,7 +2869,7 @@ index 8acffc5..21a269d 100644
2873 ok = 1; /* Mechanism works */ 2869 ok = 1; /* Mechanism works */
2874 } else { 2870 } else {
2875 mech++; 2871 mech++;
2876@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 2872@@ -721,8 +795,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2877 { 2873 {
2878 Authctxt *authctxt = ctxt; 2874 Authctxt *authctxt = ctxt;
2879 Gssctxt *gssctxt; 2875 Gssctxt *gssctxt;
@@ -2884,7 +2880,7 @@ index 8acffc5..21a269d 100644
2884 2880
2885 if (authctxt == NULL) 2881 if (authctxt == NULL)
2886 fatal("input_gssapi_response: no authentication context"); 2882 fatal("input_gssapi_response: no authentication context");
2887@@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 2883@@ -831,6 +905,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2888 free(msg); 2884 free(msg);
2889 free(lang); 2885 free(lang);
2890 } 2886 }
@@ -2934,7 +2930,7 @@ index 8acffc5..21a269d 100644
2934 2930
2935 int 2931 int
2936diff --git a/sshd.c b/sshd.c 2932diff --git a/sshd.c b/sshd.c
2937index 25380c9..fe65132 100644 2933index 7523de9..d787fea 100644
2938--- a/sshd.c 2934--- a/sshd.c
2939+++ b/sshd.c 2935+++ b/sshd.c
2940@@ -122,6 +122,10 @@ 2936@@ -122,6 +122,10 @@
@@ -2948,7 +2944,7 @@ index 25380c9..fe65132 100644
2948 #ifdef LIBWRAP 2944 #ifdef LIBWRAP
2949 #include <tcpd.h> 2945 #include <tcpd.h>
2950 #include <syslog.h> 2946 #include <syslog.h>
2951@@ -1721,10 +1725,13 @@ main(int ac, char **av) 2947@@ -1728,10 +1732,13 @@ main(int ac, char **av)
2952 logit("Disabling protocol version 1. Could not load host key"); 2948 logit("Disabling protocol version 1. Could not load host key");
2953 options.protocol &= ~SSH_PROTO_1; 2949 options.protocol &= ~SSH_PROTO_1;
2954 } 2950 }
@@ -2962,7 +2958,7 @@ index 25380c9..fe65132 100644
2962 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2958 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2963 logit("sshd: no hostkeys available -- exiting."); 2959 logit("sshd: no hostkeys available -- exiting.");
2964 exit(1); 2960 exit(1);
2965@@ -2051,6 +2058,60 @@ main(int ac, char **av) 2961@@ -2058,6 +2065,60 @@ main(int ac, char **av)
2966 remote_ip, remote_port, 2962 remote_ip, remote_port,
2967 get_local_ipaddr(sock_in), get_local_port()); 2963 get_local_ipaddr(sock_in), get_local_port());
2968 2964
@@ -3023,7 +3019,7 @@ index 25380c9..fe65132 100644
3023 /* 3019 /*
3024 * We don't want to listen forever unless the other side 3020 * We don't want to listen forever unless the other side
3025 * successfully authenticates itself. So we set up an alarm which is 3021 * successfully authenticates itself. So we set up an alarm which is
3026@@ -2456,6 +2517,48 @@ do_ssh2_kex(void) 3022@@ -2469,6 +2530,48 @@ do_ssh2_kex(void)
3027 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3023 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3028 list_hostkey_types()); 3024 list_hostkey_types());
3029 3025
@@ -3072,7 +3068,7 @@ index 25380c9..fe65132 100644
3072 /* start key exchange */ 3068 /* start key exchange */
3073 kex = kex_setup(myproposal); 3069 kex = kex_setup(myproposal);
3074 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3070 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3075@@ -2464,6 +2567,13 @@ do_ssh2_kex(void) 3071@@ -2477,6 +2580,13 @@ do_ssh2_kex(void)
3076 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3072 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3077 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3073 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
3078 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3074 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3100,7 +3096,7 @@ index e9045bc..d9b8594 100644
3100 # Set this to 'yes' to enable PAM authentication, account processing, 3096 # Set this to 'yes' to enable PAM authentication, account processing,
3101 # and session processing. If this is enabled, PAM authentication will 3097 # and session processing. If this is enabled, PAM authentication will
3102diff --git a/sshd_config.5 b/sshd_config.5 3098diff --git a/sshd_config.5 b/sshd_config.5
3103index 3b21ea6..9aa9eba 100644 3099index ce71efe..ceed88a 100644
3104--- a/sshd_config.5 3100--- a/sshd_config.5
3105+++ b/sshd_config.5 3101+++ b/sshd_config.5
3106@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. 3102@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed.