authorColin Watson <cjwatson@debian.org>2013-09-14 23:42:11 +0100
committerColin Watson <cjwatson@debian.org>2013-09-14 23:42:11 +0100
commit327155e6824b3ee13837bdde04e4eb47e147ff46 (patch)
tree8f8743122403c7a2e6ed919156711fb1520c657f /debian/patches/gssapi.patch
parent0334ce32304e9ba2a10ee5ca49ca6e8ff3ba6cf4 (diff)
parent74e339b8f8936bc0d985e053a076d0c9b5e9ea51 (diff)
* New upstream release (http://www.openssh.com/txt/release-6.3).
- sftp(1): add support for resuming partial downloads using the "reget" command and on the sftp commandline or on the "get" commandline using the "-a" (append) option (closes: #158590). - ssh(1): add an "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives (closes: #436052). - sftp(1): update progressmeter when data is acknowledged, not when it's sent (partially addresses #708372). - ssh(1): do not fatally exit when attempting to clean up multiplexing-created channels that are incompletely opened (closes: #651357).
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch268
1 files changed, 132 insertions, 136 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 416e2f16c..85c6722f0 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
13 security history. 13 security history.
14Author: Simon Wilkinson <simon@sxw.org.uk> 14Author: Simon Wilkinson <simon@sxw.org.uk>
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16Last-Updated: 2013-05-16 16Last-Updated: 2013-09-14
17 17
18Index: b/ChangeLog.gssapi 18Index: b/ChangeLog.gssapi
19=================================================================== 19===================================================================
@@ -158,7 +158,7 @@ Index: b/auth-krb5.c
158=================================================================== 158===================================================================
159--- a/auth-krb5.c 159--- a/auth-krb5.c
160+++ b/auth-krb5.c 160+++ b/auth-krb5.c
161@@ -170,8 +170,13 @@ 161@@ -181,8 +181,13 @@
162 162
163 len = strlen(authctxt->krb5_ticket_file) + 6; 163 len = strlen(authctxt->krb5_ticket_file) + 6;
164 authctxt->krb5_ccname = xmalloc(len); 164 authctxt->krb5_ccname = xmalloc(len);
@@ -172,7 +172,7 @@ Index: b/auth-krb5.c
172 172
173 #ifdef USE_PAM 173 #ifdef USE_PAM
174 if (options.use_pam) 174 if (options.use_pam)
175@@ -226,15 +231,22 @@ 175@@ -239,15 +244,22 @@
176 #ifndef HEIMDAL 176 #ifndef HEIMDAL
177 krb5_error_code 177 krb5_error_code
178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -197,7 +197,7 @@ Index: b/auth-krb5.c
197 old_umask = umask(0177); 197 old_umask = umask(0177);
198 tmpfd = mkstemp(ccname + strlen("FILE:")); 198 tmpfd = mkstemp(ccname + strlen("FILE:"));
199 oerrno = errno; 199 oerrno = errno;
200@@ -251,6 +263,7 @@ 200@@ -264,6 +276,7 @@
201 return oerrno; 201 return oerrno;
202 } 202 }
203 close(tmpfd); 203 close(tmpfd);
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c
210--- a/auth2-gss.c 210--- a/auth2-gss.c
211+++ b/auth2-gss.c 211+++ b/auth2-gss.c
212@@ -1,7 +1,7 @@ 212@@ -1,7 +1,7 @@
213 /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ 213 /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
214 214
215 /* 215 /*
216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -251,7 +251,7 @@ Index: b/auth2-gss.c
251+ authctxt->pw)); 251+ authctxt->pw));
252+ 252+
253+ buffer_free(&b); 253+ buffer_free(&b);
254+ xfree(mic.value); 254+ free(mic.value);
255+ 255+
256+ return (authenticated); 256+ return (authenticated);
257+} 257+}
@@ -259,7 +259,7 @@ Index: b/auth2-gss.c
259 /* 259 /*
260 * We only support those mechanisms that we know about (ie ones that we know 260 * We only support those mechanisms that we know about (ie ones that we know
261 * how to check local user kuserok and the like) 261 * how to check local user kuserok and the like)
262@@ -244,7 +278,8 @@ 262@@ -240,7 +274,8 @@
263 263
264 packet_check_eom(); 264 packet_check_eom();
265 265
@@ -269,7 +269,7 @@ Index: b/auth2-gss.c
269 269
270 authctxt->postponed = 0; 270 authctxt->postponed = 0;
271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
272@@ -279,7 +314,8 @@ 272@@ -275,7 +310,8 @@
273 gssbuf.length = buffer_len(&b); 273 gssbuf.length = buffer_len(&b);
274 274
275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -279,7 +279,7 @@ Index: b/auth2-gss.c
279 else 279 else
280 logit("GSSAPI MIC check failed"); 280 logit("GSSAPI MIC check failed");
281 281
282@@ -294,6 +330,12 @@ 282@@ -290,6 +326,12 @@
283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
284 } 284 }
285 285
@@ -327,7 +327,7 @@ Index: b/clientloop.c
327 /* import options */ 327 /* import options */
328 extern Options options; 328 extern Options options;
329 329
330@@ -1599,6 +1603,15 @@ 330@@ -1608,6 +1612,15 @@
331 /* Do channel operations unless rekeying in progress. */ 331 /* Do channel operations unless rekeying in progress. */
332 if (!rekeying) { 332 if (!rekeying) {
333 channel_after_select(readset, writeset); 333 channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
347=================================================================== 347===================================================================
348--- a/config.h.in 348--- a/config.h.in
349+++ b/config.h.in 349+++ b/config.h.in
350@@ -1511,6 +1511,9 @@ 350@@ -1546,6 +1546,9 @@
351 /* Use btmp to log bad logins */ 351 /* Use btmp to log bad logins */
352 #undef USE_BTMP 352 #undef USE_BTMP
353 353
@@ -357,7 +357,7 @@ Index: b/config.h.in
357 /* Use libedit for sftp */ 357 /* Use libedit for sftp */
358 #undef USE_LIBEDIT 358 #undef USE_LIBEDIT
359 359
360@@ -1526,6 +1529,9 @@ 360@@ -1561,6 +1564,9 @@
361 /* Use PIPES instead of a socketpair() */ 361 /* Use PIPES instead of a socketpair() */
362 #undef USE_PIPES 362 #undef USE_PIPES
363 363
@@ -371,7 +371,7 @@ Index: b/configure
371=================================================================== 371===================================================================
372--- a/configure 372--- a/configure
373+++ b/configure 373+++ b/configure
374@@ -6588,6 +6588,63 @@ 374@@ -6780,6 +6780,63 @@
375 375
376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377 377
@@ -439,7 +439,7 @@ Index: b/configure.ac
439=================================================================== 439===================================================================
440--- a/configure.ac 440--- a/configure.ac
441+++ b/configure.ac 441+++ b/configure.ac
442@@ -533,6 +533,30 @@ 442@@ -548,6 +548,30 @@
443 [Use tunnel device compatibility to OpenBSD]) 443 [Use tunnel device compatibility to OpenBSD])
444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
445 [Prepend the address family to IP tunnel traffic]) 445 [Prepend the address family to IP tunnel traffic])
@@ -475,7 +475,7 @@ Index: b/gss-genr.c
475--- a/gss-genr.c 475--- a/gss-genr.c
476+++ b/gss-genr.c 476+++ b/gss-genr.c
477@@ -1,7 +1,7 @@ 477@@ -1,7 +1,7 @@
478 /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ 478 /* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
479 479
480 /* 480 /*
481- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 481- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -549,8 +549,8 @@ Index: b/gss-genr.c
549+ 549+
550+ if (gss_enc2oid != NULL) { 550+ if (gss_enc2oid != NULL) {
551+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++) 551+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
552+ xfree(gss_enc2oid[i].encoded); 552+ free(gss_enc2oid[i].encoded);
553+ xfree(gss_enc2oid); 553+ free(gss_enc2oid);
554+ } 554+ }
555+ 555+
556+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * 556+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
@@ -607,7 +607,7 @@ Index: b/gss-genr.c
607+ buffer_free(&buf); 607+ buffer_free(&buf);
608+ 608+
609+ if (strlen(mechs) == 0) { 609+ if (strlen(mechs) == 0) {
610+ xfree(mechs); 610+ free(mechs);
611+ mechs = NULL; 611+ mechs = NULL;
612+ } 612+ }
613+ 613+
@@ -826,7 +826,7 @@ Index: b/gss-serv-krb5.c
826--- a/gss-serv-krb5.c 826--- a/gss-serv-krb5.c
827+++ b/gss-serv-krb5.c 827+++ b/gss-serv-krb5.c
828@@ -1,7 +1,7 @@ 828@@ -1,7 +1,7 @@
829 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ 829 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
830 830
831 /* 831 /*
832- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 832- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -834,15 +834,15 @@ Index: b/gss-serv-krb5.c
834 * 834 *
835 * Redistribution and use in source and binary forms, with or without 835 * Redistribution and use in source and binary forms, with or without
836 * modification, are permitted provided that the following conditions 836 * modification, are permitted provided that the following conditions
837@@ -120,6 +120,7 @@ 837@@ -122,6 +122,7 @@
838 krb5_principal princ;
839 OM_uint32 maj_status, min_status; 838 OM_uint32 maj_status, min_status;
840 int len; 839 int len;
840 const char *errmsg;
841+ const char *new_ccname; 841+ const char *new_ccname;
842 842
843 if (client->creds == NULL) { 843 if (client->creds == NULL) {
844 debug("No credentials stored"); 844 debug("No credentials stored");
845@@ -168,11 +169,16 @@ 845@@ -174,11 +175,16 @@
846 return; 846 return;
847 } 847 }
848 848
@@ -863,7 +863,7 @@ Index: b/gss-serv-krb5.c
863 863
864 #ifdef USE_PAM 864 #ifdef USE_PAM
865 if (options.use_pam) 865 if (options.use_pam)
866@@ -184,6 +190,71 @@ 866@@ -190,6 +196,71 @@
867 return; 867 return;
868 } 868 }
869 869
@@ -935,7 +935,7 @@ Index: b/gss-serv-krb5.c
935 ssh_gssapi_mech gssapi_kerberos_mech = { 935 ssh_gssapi_mech gssapi_kerberos_mech = {
936 "toWM5Slw5Ew8Mqkay+al2g==", 936 "toWM5Slw5Ew8Mqkay+al2g==",
937 "Kerberos", 937 "Kerberos",
938@@ -191,7 +262,8 @@ 938@@ -197,7 +268,8 @@
939 NULL, 939 NULL,
940 &ssh_gssapi_krb5_userok, 940 &ssh_gssapi_krb5_userok,
941 NULL, 941 NULL,
@@ -950,7 +950,7 @@ Index: b/gss-serv.c
950--- a/gss-serv.c 950--- a/gss-serv.c
951+++ b/gss-serv.c 951+++ b/gss-serv.c
952@@ -1,7 +1,7 @@ 952@@ -1,7 +1,7 @@
953 /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ 953 /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
954 954
955 /* 955 /*
956- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 956- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -958,7 +958,7 @@ Index: b/gss-serv.c
958 * 958 *
959 * Redistribution and use in source and binary forms, with or without 959 * Redistribution and use in source and binary forms, with or without
960 * modification, are permitted provided that the following conditions 960 * modification, are permitted provided that the following conditions
961@@ -45,15 +45,20 @@ 961@@ -45,15 +45,21 @@
962 #include "channels.h" 962 #include "channels.h"
963 #include "session.h" 963 #include "session.h"
964 #include "misc.h" 964 #include "misc.h"
@@ -972,8 +972,9 @@ Index: b/gss-serv.c
972 972
973 static ssh_gssapi_client gssapi_client = 973 static ssh_gssapi_client gssapi_client =
974 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, 974 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
975- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; 975- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
976+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; 976+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL,
977+ {NULL, NULL, NULL, NULL, NULL}, 0, 0};
977 978
978 ssh_gssapi_mech gssapi_null_mech = 979 ssh_gssapi_mech gssapi_null_mech =
979- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; 980- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@@ -981,7 +982,7 @@ Index: b/gss-serv.c
981 982
982 #ifdef KRB5 983 #ifdef KRB5
983 extern ssh_gssapi_mech gssapi_kerberos_mech; 984 extern ssh_gssapi_mech gssapi_kerberos_mech;
984@@ -81,25 +86,32 @@ 985@@ -81,25 +87,32 @@
985 char lname[MAXHOSTNAMELEN]; 986 char lname[MAXHOSTNAMELEN];
986 gss_OID_set oidset; 987 gss_OID_set oidset;
987 988
@@ -1028,7 +1029,7 @@ Index: b/gss-serv.c
1028 } 1029 }
1029 1030
1030 /* Privileged */ 1031 /* Privileged */
1031@@ -114,6 +126,29 @@ 1032@@ -114,6 +127,29 @@
1032 } 1033 }
1033 1034
1034 /* Unprivileged */ 1035 /* Unprivileged */
@@ -1058,7 +1059,7 @@ Index: b/gss-serv.c
1058 void 1059 void
1059 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1060 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1060 { 1061 {
1061@@ -123,7 +158,9 @@ 1062@@ -123,7 +159,9 @@
1062 gss_OID_set supported; 1063 gss_OID_set supported;
1063 1064
1064 gss_create_empty_oid_set(&min_status, oidset); 1065 gss_create_empty_oid_set(&min_status, oidset);
@@ -1069,7 +1070,7 @@ Index: b/gss-serv.c
1069 1070
1070 while (supported_mechs[i]->name != NULL) { 1071 while (supported_mechs[i]->name != NULL) {
1071 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1072 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1072@@ -249,8 +286,48 @@ 1073@@ -249,8 +287,48 @@
1073 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1074 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1074 { 1075 {
1075 int i = 0; 1076 int i = 0;
@@ -1119,7 +1120,7 @@ Index: b/gss-serv.c
1119 1120
1120 client->mech = NULL; 1121 client->mech = NULL;
1121 1122
1122@@ -265,6 +342,13 @@ 1123@@ -265,6 +343,13 @@
1123 if (client->mech == NULL) 1124 if (client->mech == NULL)
1124 return GSS_S_FAILURE; 1125 return GSS_S_FAILURE;
1125 1126
@@ -1133,7 +1134,7 @@ Index: b/gss-serv.c
1133 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1134 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1134 &client->displayname, NULL))) { 1135 &client->displayname, NULL))) {
1135 ssh_gssapi_error(ctx); 1136 ssh_gssapi_error(ctx);
1136@@ -282,6 +366,8 @@ 1137@@ -282,6 +367,8 @@
1137 return (ctx->major); 1138 return (ctx->major);
1138 } 1139 }
1139 1140
@@ -1142,7 +1143,7 @@ Index: b/gss-serv.c
1142 /* We can't copy this structure, so we just move the pointer to it */ 1143 /* We can't copy this structure, so we just move the pointer to it */
1143 client->creds = ctx->client_creds; 1144 client->creds = ctx->client_creds;
1144 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1145 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1145@@ -329,7 +415,7 @@ 1146@@ -329,7 +416,7 @@
1146 1147
1147 /* Privileged */ 1148 /* Privileged */
1148 int 1149 int
@@ -1151,7 +1152,7 @@ Index: b/gss-serv.c
1151 { 1152 {
1152 OM_uint32 lmin; 1153 OM_uint32 lmin;
1153 1154
1154@@ -339,9 +425,11 @@ 1155@@ -339,9 +426,11 @@
1155 return 0; 1156 return 0;
1156 } 1157 }
1157 if (gssapi_client.mech && gssapi_client.mech->userok) 1158 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1165,7 +1166,7 @@ Index: b/gss-serv.c
1165 /* Destroy delegated credentials if userok fails */ 1166 /* Destroy delegated credentials if userok fails */
1166 gss_release_buffer(&lmin, &gssapi_client.displayname); 1167 gss_release_buffer(&lmin, &gssapi_client.displayname);
1167 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1168 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1168@@ -354,14 +442,90 @@ 1169@@ -354,14 +443,90 @@
1169 return (0); 1170 return (0);
1170 } 1171 }
1171 1172
@@ -1277,32 +1278,37 @@ Index: b/kex.c
1277 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1278 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1278 # if defined(HAVE_EVP_SHA256) 1279 # if defined(HAVE_EVP_SHA256)
1279 # define evp_ssh_sha256 EVP_sha256 1280 # define evp_ssh_sha256 EVP_sha256
1280@@ -369,6 +373,20 @@ 1281@@ -82,6 +86,14 @@
1281 k->kex_type = KEX_ECDH_SHA2;
1282 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
1283 #endif 1282 #endif
1283 { NULL, -1, -1, NULL},
1284 };
1285+static const struct kexalg kexalg_prefixes[] = {
1284+#ifdef GSSAPI 1286+#ifdef GSSAPI
1285+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, 1287+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
1286+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { 1288+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
1287+ k->kex_type = KEX_GSS_GEX_SHA1; 1289+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
1288+ k->evp_md = EVP_sha1();
1289+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
1290+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
1291+ k->kex_type = KEX_GSS_GRP1_SHA1;
1292+ k->evp_md = EVP_sha1();
1293+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
1294+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
1295+ k->kex_type = KEX_GSS_GRP14_SHA1;
1296+ k->evp_md = EVP_sha1();
1297+#endif 1290+#endif
1298 } else 1291+ { NULL, -1, -1, NULL },
1299 fatal("bad kex alg %s", k->name); 1292+};
1293
1294 char *
1295 kex_alg_list(void)
1296@@ -110,6 +122,10 @@
1297 if (strcmp(k->name, name) == 0)
1298 return k;
1299 }
1300+ for (k = kexalg_prefixes; k->name != NULL; k++) {
1301+ if (strncmp(k->name, name, strlen(k->name)) == 0)
1302+ return k;
1303+ }
1304 return NULL;
1300 } 1305 }
1306
1301Index: b/kex.h 1307Index: b/kex.h
1302=================================================================== 1308===================================================================
1303--- a/kex.h 1309--- a/kex.h
1304+++ b/kex.h 1310+++ b/kex.h
1305@@ -73,6 +73,9 @@ 1311@@ -74,6 +74,9 @@
1306 KEX_DH_GEX_SHA1, 1312 KEX_DH_GEX_SHA1,
1307 KEX_DH_GEX_SHA256, 1313 KEX_DH_GEX_SHA256,
1308 KEX_ECDH_SHA2, 1314 KEX_ECDH_SHA2,
@@ -1312,10 +1318,10 @@ Index: b/kex.h
1312 KEX_MAX 1318 KEX_MAX
1313 }; 1319 };
1314 1320
1315@@ -131,6 +134,12 @@ 1321@@ -133,6 +136,12 @@
1316 sig_atomic_t done;
1317 int flags; 1322 int flags;
1318 const EVP_MD *evp_md; 1323 const EVP_MD *evp_md;
1324 int ec_nid;
1319+#ifdef GSSAPI 1325+#ifdef GSSAPI
1320+ int gss_deleg_creds; 1326+ int gss_deleg_creds;
1321+ int gss_trust_dns; 1327+ int gss_trust_dns;
@@ -1325,7 +1331,7 @@ Index: b/kex.h
1325 char *client_version_string; 1331 char *client_version_string;
1326 char *server_version_string; 1332 char *server_version_string;
1327 int (*verify_host_key)(Key *); 1333 int (*verify_host_key)(Key *);
1328@@ -158,6 +167,11 @@ 1334@@ -162,6 +171,11 @@
1329 void kexecdh_client(Kex *); 1335 void kexecdh_client(Kex *);
1330 void kexecdh_server(Kex *); 1336 void kexecdh_server(Kex *);
1331 1337
@@ -1341,7 +1347,7 @@ Index: b/kexgssc.c
1341=================================================================== 1347===================================================================
1342--- /dev/null 1348--- /dev/null
1343+++ b/kexgssc.c 1349+++ b/kexgssc.c
1344@@ -0,0 +1,334 @@ 1350@@ -0,0 +1,333 @@
1345+/* 1351+/*
1346+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1352+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1347+ * 1353+ *
@@ -1488,7 +1494,7 @@ Index: b/kexgssc.c
1488+ 1494+
1489+ /* If we've got an old receive buffer get rid of it */ 1495+ /* If we've got an old receive buffer get rid of it */
1490+ if (token_ptr != GSS_C_NO_BUFFER) 1496+ if (token_ptr != GSS_C_NO_BUFFER)
1491+ xfree(recv_tok.value); 1497+ free(recv_tok.value);
1492+ 1498+
1493+ if (maj_status == GSS_S_COMPLETE) { 1499+ if (maj_status == GSS_S_COMPLETE) {
1494+ /* If mutual state flag is not true, kex fails */ 1500+ /* If mutual state flag is not true, kex fails */
@@ -1605,7 +1611,7 @@ Index: b/kexgssc.c
1605+ fatal("kexdh_client: BN_bin2bn failed"); 1611+ fatal("kexdh_client: BN_bin2bn failed");
1606+ 1612+
1607+ memset(kbuf, 0, klen); 1613+ memset(kbuf, 0, klen);
1608+ xfree(kbuf); 1614+ free(kbuf);
1609+ 1615+
1610+ switch (kex->kex_type) { 1616+ switch (kex->kex_type) {
1611+ case KEX_GSS_GRP1_SHA1: 1617+ case KEX_GSS_GRP1_SHA1:
@@ -1648,11 +1654,10 @@ Index: b/kexgssc.c
1648+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) 1654+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
1649+ packet_disconnect("Hash's MIC didn't verify"); 1655+ packet_disconnect("Hash's MIC didn't verify");
1650+ 1656+
1651+ xfree(msg_tok.value); 1657+ free(msg_tok.value);
1652+ 1658+
1653+ DH_free(dh); 1659+ DH_free(dh);
1654+ if (serverhostkey) 1660+ free(serverhostkey);
1655+ xfree(serverhostkey);
1656+ BN_clear_free(dh_server_pub); 1661+ BN_clear_free(dh_server_pub);
1657+ 1662+
1658+ /* save session id */ 1663+ /* save session id */
@@ -1680,7 +1685,7 @@ Index: b/kexgsss.c
1680=================================================================== 1685===================================================================
1681--- /dev/null 1686--- /dev/null
1682+++ b/kexgsss.c 1687+++ b/kexgsss.c
1683@@ -0,0 +1,288 @@ 1688@@ -0,0 +1,289 @@
1684+/* 1689+/*
1685+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1690+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1686+ * 1691+ *
@@ -1761,9 +1766,10 @@ Index: b/kexgsss.c
1761+ * in the GSSAPI code are no longer available. This kludges them back 1766+ * in the GSSAPI code are no longer available. This kludges them back
1762+ * into life 1767+ * into life
1763+ */ 1768+ */
1764+ if (!ssh_gssapi_oid_table_ok()) 1769+ if (!ssh_gssapi_oid_table_ok()) {
1765+ if ((mechs = ssh_gssapi_server_mechanisms())) 1770+ mechs = ssh_gssapi_server_mechanisms();
1766+ xfree(mechs); 1771+ free(mechs);
1772+ }
1767+ 1773+
1768+ debug2("%s: Identifying %s", __func__, kex->name); 1774+ debug2("%s: Identifying %s", __func__, kex->name);
1769+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); 1775+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
@@ -1841,7 +1847,7 @@ Index: b/kexgsss.c
1841+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, 1847+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
1842+ &send_tok, &ret_flags)); 1848+ &send_tok, &ret_flags));
1843+ 1849+
1844+ xfree(recv_tok.value); 1850+ free(recv_tok.value);
1845+ 1851+
1846+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) 1852+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
1847+ fatal("Zero length token output when incomplete"); 1853+ fatal("Zero length token output when incomplete");
@@ -1890,7 +1896,7 @@ Index: b/kexgsss.c
1890+ fatal("kexgss_server: BN_bin2bn failed"); 1896+ fatal("kexgss_server: BN_bin2bn failed");
1891+ 1897+
1892+ memset(kbuf, 0, klen); 1898+ memset(kbuf, 0, klen);
1893+ xfree(kbuf); 1899+ free(kbuf);
1894+ 1900+
1895+ switch (kex->kex_type) { 1901+ switch (kex->kex_type) {
1896+ case KEX_GSS_GRP1_SHA1: 1902+ case KEX_GSS_GRP1_SHA1:
@@ -1973,24 +1979,14 @@ Index: b/key.c
1973=================================================================== 1979===================================================================
1974--- a/key.c 1980--- a/key.c
1975+++ b/key.c 1981+++ b/key.c
1976@@ -976,6 +976,8 @@ 1982@@ -933,6 +933,7 @@
1977 } 1983 KEY_RSA_CERT_V00, 0, 1 },
1978 break; 1984 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
1979 #endif /* OPENSSL_HAS_ECC */ 1985 KEY_DSA_CERT_V00, 0, 1 },
1980+ case KEY_NULL: 1986+ { "null", "null", KEY_NULL, 0, 0 },
1981+ return "null"; 1987 { NULL, NULL, -1, -1, 0 }
1982 } 1988 };
1983 return "ssh-unknown";
1984 }
1985@@ -1281,6 +1283,8 @@
1986 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1987 return KEY_ECDSA_CERT;
1988 #endif
1989+ } else if (strcmp(name, "null") == 0) {
1990+ return KEY_NULL;
1991 }
1992 1989
1993 debug2("key_type_from_name: unknown key type '%s'", name);
1994Index: b/key.h 1990Index: b/key.h
1995=================================================================== 1991===================================================================
1996--- a/key.h 1992--- a/key.h
@@ -2007,7 +2003,7 @@ Index: b/monitor.c
2007=================================================================== 2003===================================================================
2008--- a/monitor.c 2004--- a/monitor.c
2009+++ b/monitor.c 2005+++ b/monitor.c
2010@@ -180,6 +180,8 @@ 2006@@ -181,6 +181,8 @@
2011 int mm_answer_gss_accept_ctx(int, Buffer *); 2007 int mm_answer_gss_accept_ctx(int, Buffer *);
2012 int mm_answer_gss_userok(int, Buffer *); 2008 int mm_answer_gss_userok(int, Buffer *);
2013 int mm_answer_gss_checkmic(int, Buffer *); 2009 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2016,7 +2012,7 @@ Index: b/monitor.c
2016 #endif 2012 #endif
2017 2013
2018 #ifdef SSH_AUDIT_EVENTS 2014 #ifdef SSH_AUDIT_EVENTS
2019@@ -252,6 +254,7 @@ 2015@@ -253,6 +255,7 @@
2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2016 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2017 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2018 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2024,7 +2020,7 @@ Index: b/monitor.c
2024 #endif 2020 #endif
2025 #ifdef JPAKE 2021 #ifdef JPAKE
2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 2022 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
2027@@ -264,6 +267,12 @@ 2023@@ -265,6 +268,12 @@
2028 }; 2024 };
2029 2025
2030 struct mon_table mon_dispatch_postauth20[] = { 2026 struct mon_table mon_dispatch_postauth20[] = {
@@ -2037,7 +2033,7 @@ Index: b/monitor.c
2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2033 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2034 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
2039 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2035 {MONITOR_REQ_PTY, 0, mm_answer_pty},
2040@@ -372,6 +381,10 @@ 2036@@ -373,6 +382,10 @@
2041 /* Permit requests for moduli and signatures */ 2037 /* Permit requests for moduli and signatures */
2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2038 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2039 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2059,7 +2055,7 @@ Index: b/monitor.c
2059 } else { 2055 } else {
2060 mon_dispatch = mon_dispatch_postauth15; 2056 mon_dispatch = mon_dispatch_postauth15;
2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2057 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2062@@ -1836,6 +1853,13 @@ 2058@@ -1855,6 +1872,13 @@
2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2059 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2060 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2061 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2069,7 @@ Index: b/monitor.c
2073 kex->server = 1; 2069 kex->server = 1;
2074 kex->hostkey_type = buffer_get_int(m); 2070 kex->hostkey_type = buffer_get_int(m);
2075 kex->kex_type = buffer_get_int(m); 2071 kex->kex_type = buffer_get_int(m);
2076@@ -2042,6 +2066,9 @@ 2072@@ -2062,6 +2086,9 @@
2077 OM_uint32 major; 2073 OM_uint32 major;
2078 u_int len; 2074 u_int len;
2079 2075
@@ -2083,7 +2079,7 @@ Index: b/monitor.c
2083 goid.elements = buffer_get_string(m, &len); 2079 goid.elements = buffer_get_string(m, &len);
2084 goid.length = len; 2080 goid.length = len;
2085 2081
2086@@ -2069,6 +2096,9 @@ 2082@@ -2089,6 +2116,9 @@
2087 OM_uint32 flags = 0; /* GSI needs this */ 2083 OM_uint32 flags = 0; /* GSI needs this */
2088 u_int len; 2084 u_int len;
2089 2085
@@ -2093,7 +2089,7 @@ Index: b/monitor.c
2093 in.value = buffer_get_string(m, &len); 2089 in.value = buffer_get_string(m, &len);
2094 in.length = len; 2090 in.length = len;
2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2091 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2096@@ -2086,6 +2116,7 @@ 2092@@ -2106,6 +2136,7 @@
2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2093 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2094 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2095 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2097,7 @@ Index: b/monitor.c
2101 } 2097 }
2102 return (0); 2098 return (0);
2103 } 2099 }
2104@@ -2097,6 +2128,9 @@ 2100@@ -2117,6 +2148,9 @@
2105 OM_uint32 ret; 2101 OM_uint32 ret;
2106 u_int len; 2102 u_int len;
2107 2103
@@ -2111,7 +2107,7 @@ Index: b/monitor.c
2111 gssbuf.value = buffer_get_string(m, &len); 2107 gssbuf.value = buffer_get_string(m, &len);
2112 gssbuf.length = len; 2108 gssbuf.length = len;
2113 mic.value = buffer_get_string(m, &len); 2109 mic.value = buffer_get_string(m, &len);
2114@@ -2123,7 +2157,11 @@ 2110@@ -2143,7 +2177,11 @@
2115 { 2111 {
2116 int authenticated; 2112 int authenticated;
2117 2113
@@ -2124,7 +2120,7 @@ Index: b/monitor.c
2124 2120
2125 buffer_clear(m); 2121 buffer_clear(m);
2126 buffer_put_int(m, authenticated); 2122 buffer_put_int(m, authenticated);
2127@@ -2136,6 +2174,74 @@ 2123@@ -2156,6 +2194,74 @@
2128 /* Monitor loop will terminate if authenticated */ 2124 /* Monitor loop will terminate if authenticated */
2129 return (authenticated); 2125 return (authenticated);
2130 } 2126 }
@@ -2154,7 +2150,7 @@ Index: b/monitor.c
2154+ } 2150+ }
2155+ major = ssh_gssapi_sign(gsscontext, &data, &hash); 2151+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
2156+ 2152+
2157+ xfree(data.value); 2153+ free(data.value);
2158+ 2154+
2159+ buffer_clear(m); 2155+ buffer_clear(m);
2160+ buffer_put_int(m, major); 2156+ buffer_put_int(m, major);
@@ -2184,9 +2180,9 @@ Index: b/monitor.c
2184+ 2180+
2185+ ok = ssh_gssapi_update_creds(&store); 2181+ ok = ssh_gssapi_update_creds(&store);
2186+ 2182+
2187+ xfree(store.filename); 2183+ free(store.filename);
2188+ xfree(store.envvar); 2184+ free(store.envvar);
2189+ xfree(store.envval); 2185+ free(store.envval);
2190+ 2186+
2191+ buffer_clear(m); 2187+ buffer_clear(m);
2192+ buffer_put_int(m, ok); 2188+ buffer_put_int(m, ok);
@@ -2217,7 +2213,7 @@ Index: b/monitor_wrap.c
2217=================================================================== 2213===================================================================
2218--- a/monitor_wrap.c 2214--- a/monitor_wrap.c
2219+++ b/monitor_wrap.c 2215+++ b/monitor_wrap.c
2220@@ -1271,7 +1271,7 @@ 2216@@ -1273,7 +1273,7 @@
2221 } 2217 }
2222 2218
2223 int 2219 int
@@ -2226,7 +2222,7 @@ Index: b/monitor_wrap.c
2226 { 2222 {
2227 Buffer m; 2223 Buffer m;
2228 int authenticated = 0; 2224 int authenticated = 0;
2229@@ -1288,6 +1288,51 @@ 2225@@ -1290,6 +1290,51 @@
2230 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2226 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2231 return (authenticated); 2227 return (authenticated);
2232 } 2228 }
@@ -2298,7 +2294,7 @@ Index: b/readconf.c
2298=================================================================== 2294===================================================================
2299--- a/readconf.c 2295--- a/readconf.c
2300+++ b/readconf.c 2296+++ b/readconf.c
2301@@ -129,6 +129,8 @@ 2297@@ -132,6 +132,8 @@
2302 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2298 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2303 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2299 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2304 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2300 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2307,7 +2303,7 @@ Index: b/readconf.c
2307 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2303 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2308 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2304 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2309 oHashKnownHosts, 2305 oHashKnownHosts,
2310@@ -169,10 +171,19 @@ 2306@@ -172,10 +174,19 @@
2311 { "afstokenpassing", oUnsupported }, 2307 { "afstokenpassing", oUnsupported },
2312 #if defined(GSSAPI) 2308 #if defined(GSSAPI)
2313 { "gssapiauthentication", oGssAuthentication }, 2309 { "gssapiauthentication", oGssAuthentication },
@@ -2327,7 +2323,7 @@ Index: b/readconf.c
2327 #endif 2323 #endif
2328 { "fallbacktorsh", oDeprecated }, 2324 { "fallbacktorsh", oDeprecated },
2329 { "usersh", oDeprecated }, 2325 { "usersh", oDeprecated },
2330@@ -503,10 +514,30 @@ 2326@@ -516,10 +527,30 @@
2331 intptr = &options->gss_authentication; 2327 intptr = &options->gss_authentication;
2332 goto parse_flag; 2328 goto parse_flag;
2333 2329
@@ -2358,7 +2354,7 @@ Index: b/readconf.c
2358 case oBatchMode: 2354 case oBatchMode:
2359 intptr = &options->batch_mode; 2355 intptr = &options->batch_mode;
2360 goto parse_flag; 2356 goto parse_flag;
2361@@ -1158,7 +1189,12 @@ 2357@@ -1168,7 +1199,12 @@
2362 options->pubkey_authentication = -1; 2358 options->pubkey_authentication = -1;
2363 options->challenge_response_authentication = -1; 2359 options->challenge_response_authentication = -1;
2364 options->gss_authentication = -1; 2360 options->gss_authentication = -1;
@@ -2371,7 +2367,7 @@ Index: b/readconf.c
2371 options->password_authentication = -1; 2367 options->password_authentication = -1;
2372 options->kbd_interactive_authentication = -1; 2368 options->kbd_interactive_authentication = -1;
2373 options->kbd_interactive_devices = NULL; 2369 options->kbd_interactive_devices = NULL;
2374@@ -1258,8 +1294,14 @@ 2370@@ -1268,8 +1304,14 @@
2375 options->challenge_response_authentication = 1; 2371 options->challenge_response_authentication = 1;
2376 if (options->gss_authentication == -1) 2372 if (options->gss_authentication == -1)
2377 options->gss_authentication = 0; 2373 options->gss_authentication = 0;
@@ -2407,7 +2403,7 @@ Index: b/servconf.c
2407=================================================================== 2403===================================================================
2408--- a/servconf.c 2404--- a/servconf.c
2409+++ b/servconf.c 2405+++ b/servconf.c
2410@@ -102,7 +102,10 @@ 2406@@ -107,7 +107,10 @@
2411 options->kerberos_ticket_cleanup = -1; 2407 options->kerberos_ticket_cleanup = -1;
2412 options->kerberos_get_afs_token = -1; 2408 options->kerberos_get_afs_token = -1;
2413 options->gss_authentication=-1; 2409 options->gss_authentication=-1;
@@ -2418,7 +2414,7 @@ Index: b/servconf.c
2418 options->password_authentication = -1; 2414 options->password_authentication = -1;
2419 options->kbd_interactive_authentication = -1; 2415 options->kbd_interactive_authentication = -1;
2420 options->challenge_response_authentication = -1; 2416 options->challenge_response_authentication = -1;
2421@@ -233,8 +236,14 @@ 2417@@ -240,8 +243,14 @@
2422 options->kerberos_get_afs_token = 0; 2418 options->kerberos_get_afs_token = 0;
2423 if (options->gss_authentication == -1) 2419 if (options->gss_authentication == -1)
2424 options->gss_authentication = 0; 2420 options->gss_authentication = 0;
@@ -2433,7 +2429,7 @@ Index: b/servconf.c
2433 if (options->password_authentication == -1) 2429 if (options->password_authentication == -1)
2434 options->password_authentication = 1; 2430 options->password_authentication = 1;
2435 if (options->kbd_interactive_authentication == -1) 2431 if (options->kbd_interactive_authentication == -1)
2436@@ -327,7 +336,9 @@ 2432@@ -338,7 +347,9 @@
2437 sBanner, sUseDNS, sHostbasedAuthentication, 2433 sBanner, sUseDNS, sHostbasedAuthentication,
2438 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2434 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2439 sClientAliveCountMax, sAuthorizedKeysFile, 2435 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2444,7 +2440,7 @@ Index: b/servconf.c
2444 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2440 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2445 sUsePrivilegeSeparation, sAllowAgentForwarding, 2441 sUsePrivilegeSeparation, sAllowAgentForwarding,
2446 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2442 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2447@@ -393,10 +404,20 @@ 2443@@ -405,10 +416,20 @@
2448 #ifdef GSSAPI 2444 #ifdef GSSAPI
2449 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2445 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2450 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2446 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2465,7 +2461,7 @@ Index: b/servconf.c
2465 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2461 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2466 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2462 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2467 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2463 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2468@@ -1049,10 +1070,22 @@ 2464@@ -1073,10 +1094,22 @@
2469 intptr = &options->gss_authentication; 2465 intptr = &options->gss_authentication;
2470 goto parse_flag; 2466 goto parse_flag;
2471 2467
@@ -2488,7 +2484,7 @@ Index: b/servconf.c
2488 case sPasswordAuthentication: 2484 case sPasswordAuthentication:
2489 intptr = &options->password_authentication; 2485 intptr = &options->password_authentication;
2490 goto parse_flag; 2486 goto parse_flag;
2491@@ -1927,7 +1960,10 @@ 2487@@ -1983,7 +2016,10 @@
2492 #endif 2488 #endif
2493 #ifdef GSSAPI 2489 #ifdef GSSAPI
2494 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2490 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2503,7 +2499,7 @@ Index: b/servconf.h
2503=================================================================== 2499===================================================================
2504--- a/servconf.h 2500--- a/servconf.h
2505+++ b/servconf.h 2501+++ b/servconf.h
2506@@ -110,7 +110,10 @@ 2502@@ -111,7 +111,10 @@
2507 int kerberos_get_afs_token; /* If true, try to get AFS token if 2503 int kerberos_get_afs_token; /* If true, try to get AFS token if
2508 * authenticated with Kerberos. */ 2504 * authenticated with Kerberos. */
2509 int gss_authentication; /* If true, permit GSSAPI authentication */ 2505 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2632,7 +2628,7 @@ Index: b/ssh_config.5
2632=================================================================== 2628===================================================================
2633--- a/ssh_config.5 2629--- a/ssh_config.5
2634+++ b/ssh_config.5 2630+++ b/ssh_config.5
2635@@ -530,11 +530,43 @@ 2631@@ -529,11 +529,43 @@
2636 The default is 2632 The default is
2637 .Dq no . 2633 .Dq no .
2638 Note that this option applies to protocol version 2 only. 2634 Note that this option applies to protocol version 2 only.
@@ -2727,14 +2723,14 @@ Index: b/sshconnect2.c
2727+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; 2723+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
2728+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 2724+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
2729+ "%s,null", orig); 2725+ "%s,null", orig);
2730+ xfree(gss); 2726+ free(gss);
2731+ } 2727+ }
2732+#endif 2728+#endif
2733+ 2729+
2734 if (options.rekey_limit) 2730 if (options.rekey_limit || options.rekey_interval)
2735 packet_set_rekey_limit((u_int32_t)options.rekey_limit); 2731 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2736 2732 (time_t)options.rekey_interval);
2737@@ -207,10 +243,30 @@ 2733@@ -208,10 +244,30 @@
2738 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2734 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2739 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2735 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2740 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2736 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2765,7 +2761,7 @@ Index: b/sshconnect2.c
2765 xxx_kex = kex; 2761 xxx_kex = kex;
2766 2762
2767 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2763 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2768@@ -306,6 +362,7 @@ 2764@@ -307,6 +363,7 @@
2769 void input_gssapi_hash(int type, u_int32_t, void *); 2765 void input_gssapi_hash(int type, u_int32_t, void *);
2770 void input_gssapi_error(int, u_int32_t, void *); 2766 void input_gssapi_error(int, u_int32_t, void *);
2771 void input_gssapi_errtok(int, u_int32_t, void *); 2767 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2773,7 +2769,7 @@ Index: b/sshconnect2.c
2773 #endif 2769 #endif
2774 2770
2775 void userauth(Authctxt *, char *); 2771 void userauth(Authctxt *, char *);
2776@@ -321,6 +378,11 @@ 2772@@ -322,6 +379,11 @@
2777 2773
2778 Authmethod authmethods[] = { 2774 Authmethod authmethods[] = {
2779 #ifdef GSSAPI 2775 #ifdef GSSAPI
@@ -2785,7 +2781,7 @@ Index: b/sshconnect2.c
2785 {"gssapi-with-mic", 2781 {"gssapi-with-mic",
2786 userauth_gssapi, 2782 userauth_gssapi,
2787 NULL, 2783 NULL,
2788@@ -627,19 +689,31 @@ 2784@@ -625,19 +687,31 @@
2789 static u_int mech = 0; 2785 static u_int mech = 0;
2790 OM_uint32 min; 2786 OM_uint32 min;
2791 int ok = 0; 2787 int ok = 0;
@@ -2819,7 +2815,7 @@ Index: b/sshconnect2.c
2819 ok = 1; /* Mechanism works */ 2815 ok = 1; /* Mechanism works */
2820 } else { 2816 } else {
2821 mech++; 2817 mech++;
2822@@ -736,8 +810,8 @@ 2818@@ -734,8 +808,8 @@
2823 { 2819 {
2824 Authctxt *authctxt = ctxt; 2820 Authctxt *authctxt = ctxt;
2825 Gssctxt *gssctxt; 2821 Gssctxt *gssctxt;
@@ -2830,9 +2826,9 @@ Index: b/sshconnect2.c
2830 2826
2831 if (authctxt == NULL) 2827 if (authctxt == NULL)
2832 fatal("input_gssapi_response: no authentication context"); 2828 fatal("input_gssapi_response: no authentication context");
2833@@ -847,6 +921,48 @@ 2829@@ -844,6 +918,48 @@
2834 xfree(msg); 2830 free(msg);
2835 xfree(lang); 2831 free(lang);
2836 } 2832 }
2837+ 2833+
2838+int 2834+int
@@ -2883,7 +2879,7 @@ Index: b/sshd.c
2883=================================================================== 2879===================================================================
2884--- a/sshd.c 2880--- a/sshd.c
2885+++ b/sshd.c 2881+++ b/sshd.c
2886@@ -121,6 +121,10 @@ 2882@@ -122,6 +122,10 @@
2887 #include "ssh-sandbox.h" 2883 #include "ssh-sandbox.h"
2888 #include "version.h" 2884 #include "version.h"
2889 2885
@@ -2894,7 +2890,7 @@ Index: b/sshd.c
2894 #ifdef LIBWRAP 2890 #ifdef LIBWRAP
2895 #include <tcpd.h> 2891 #include <tcpd.h>
2896 #include <syslog.h> 2892 #include <syslog.h>
2897@@ -1645,10 +1649,13 @@ 2893@@ -1703,10 +1707,13 @@
2898 logit("Disabling protocol version 1. Could not load host key"); 2894 logit("Disabling protocol version 1. Could not load host key");
2899 options.protocol &= ~SSH_PROTO_1; 2895 options.protocol &= ~SSH_PROTO_1;
2900 } 2896 }
@@ -2908,7 +2904,7 @@ Index: b/sshd.c
2908 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2904 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2909 logit("sshd: no hostkeys available -- exiting."); 2905 logit("sshd: no hostkeys available -- exiting.");
2910 exit(1); 2906 exit(1);
2911@@ -1976,6 +1983,60 @@ 2907@@ -2035,6 +2042,60 @@
2912 /* Log the connection. */ 2908 /* Log the connection. */
2913 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2909 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2914 2910
@@ -2969,7 +2965,7 @@ Index: b/sshd.c
2969 /* 2965 /*
2970 * We don't want to listen forever unless the other side 2966 * We don't want to listen forever unless the other side
2971 * successfully authenticates itself. So we set up an alarm which is 2967 * successfully authenticates itself. So we set up an alarm which is
2972@@ -2357,6 +2418,48 @@ 2968@@ -2439,6 +2500,48 @@
2973 2969
2974 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2970 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2975 2971
@@ -3018,7 +3014,7 @@ Index: b/sshd.c
3018 /* start key exchange */ 3014 /* start key exchange */
3019 kex = kex_setup(myproposal); 3015 kex = kex_setup(myproposal);
3020 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3016 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3021@@ -2364,6 +2467,13 @@ 3017@@ -2446,6 +2549,13 @@
3022 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3018 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3023 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3019 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3024 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3020 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3036,7 +3032,7 @@ Index: b/sshd_config
3036=================================================================== 3032===================================================================
3037--- a/sshd_config 3033--- a/sshd_config
3038+++ b/sshd_config 3034+++ b/sshd_config
3039@@ -80,6 +80,8 @@ 3035@@ -83,6 +83,8 @@
3040 # GSSAPI options 3036 # GSSAPI options
3041 #GSSAPIAuthentication no 3037 #GSSAPIAuthentication no
3042 #GSSAPICleanupCredentials yes 3038 #GSSAPICleanupCredentials yes
@@ -3049,7 +3045,7 @@ Index: b/sshd_config.5
3049=================================================================== 3045===================================================================
3050--- a/sshd_config.5 3046--- a/sshd_config.5
3051+++ b/sshd_config.5 3047+++ b/sshd_config.5
3052@@ -481,12 +481,40 @@ 3048@@ -484,12 +484,40 @@
3053 The default is 3049 The default is
3054 .Dq no . 3050 .Dq no .
3055 Note that this option applies to protocol version 2 only. 3051 Note that this option applies to protocol version 2 only.