New upstream release (7.2).

author: Colin Watson <cjwatson@debian.org> 2016-02-29 12:15:15 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-03-08 11:51:22 +0000
commit: 46961f5704f8e86cea3e99253faad55aef4d8f35 (patch)
tree: 0dd97fa4fb649a62b4639fe2674380872b1f3e98 /debian/patches/gssapi.patch
parent: c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff)
parent: 85e40e87a75fb80a0bf893ac05a417d6c353537d (diff)
1 files changed, 99 insertions, 102 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 8bc83cace..aa9f25848 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 Mon Sep 17 00:00:00 2001
+From 374db1757fc18bd6647539b80977e6907a2cecd4 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -22,12 +22,12 @@ Last-Updated: 2016-01-04
 Patch-Name: gssapi.patch
 ---
 ChangeLog.gssapi | 113 +++++++++++++++++++
- Makefile.in      |   5 +-
+ Makefile.in      |   3 +-
 auth-krb5.c      |  17 ++-
 auth.c           |   3 +-
 auth2-gss.c      |  48 +++++++-
 auth2.c          |   2 +
- clientloop.c     |  13 +++
+ clientloop.c     |  15 ++-
 config.h.in      |   6 +
 configure.ac     |  24 ++++
 gss-genr.c       | 275 ++++++++++++++++++++++++++++++++++++++++++++-
@@ -47,14 +47,14 @@ Patch-Name: gssapi.patch
 servconf.h       |   2 +
 ssh-gss.h        |  41 ++++++-
 ssh_config       |   2 +
- ssh_config.5     |  36 +++++-
+ ssh_config.5     |  32 ++++++
 sshconnect2.c    | 120 +++++++++++++++++++-
 sshd.c           | 110 ++++++++++++++++++
 sshd_config      |   2 +
- sshd_config.5    |  11 ++
+ sshd_config.5    |  10 ++
 sshkey.c         |   3 +-
 sshkey.h         |   1 +
- 33 files changed, 1955 insertions(+), 47 deletions(-)
+ 33 files changed, 1951 insertions(+), 46 deletions(-)
 create mode 100644 ChangeLog.gssapi
 create mode 100644 kexgssc.c
 create mode 100644 kexgsss.c
@@ -179,19 +179,17 @@ index 0000000..f117a33
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff --git a/Makefile.in b/Makefile.in
-index 40cc7aa..3d2a328 100644
+index d401787..0954c63 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -91,7 +91,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
-        sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
        kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
        kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
-       kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o
+        kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
-+       kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+       kexgssc.o \
-+       kexgssc.o
+        platform-pledge.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-        sshconnect.o sshconnect1.o sshconnect2.o mux.o \
 @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
        auth2-none.o auth2-passwd.o auth2-pubkey.o \
@@ -200,9 +198,9 @@ index 40cc7aa..3d2a328 100644
 +       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
        sftp-server.o sftp-common.o \
-        roaming_common.o roaming_serv.o \
+        sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
 diff --git a/auth-krb5.c b/auth-krb5.c
-index 0089b18..ec47869 100644
+index d1c5a2f..f019fb1 100644
 --- a/auth-krb5.c
 +++ b/auth-krb5.c
 @@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -374,10 +372,10 @@ index 7177962..3f49bdc 100644
 #endif
        &method_passwd,
 diff --git a/clientloop.c b/clientloop.c
-index 87ceb3d..fba1b54 100644
+index 9820455..1567e4a 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -115,6 +115,10 @@
+@@ -114,6 +114,10 @@
 #include "ssherr.h"
 #include "hostfile.h"
 
@@ -388,11 +386,14 @@ index 87ceb3d..fba1b54 100644
 /* import options */
 extern Options options;
 
-@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+                        break;
+ 
                /* Do channel operations unless rekeying in progress. */
-                if (!rekeying) {
+-               if (!ssh_packet_is_rekeying(active_state))
+               if (!ssh_packet_is_rekeying(active_state)) {
                        channel_after_select(readset, writeset);
-+
+ 
 +#ifdef GSSAPI
 +                       if (options.gss_renewal_rekey &&
 +                           ssh_gssapi_credentials_updated(NULL)) {
@@ -400,15 +401,16 @@ index 87ceb3d..fba1b54 100644
 +                               need_rekeying = 1;
 +                       }
 +#endif
+               }
 +
-                        if (need_rekeying || packet_need_rekeying()) {
+                /* Buffer input from the connection.  */
-                                debug("need rekeying");
+                client_process_net_input(readset);
-                                active_state->kex->done = 0;
+ 
 diff --git a/config.h.in b/config.h.in
-index 7500df5..97accd8 100644
+index 89bf1b0..621c139 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1623,6 +1623,9 @@
+@@ -1641,6 +1641,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -418,21 +420,21 @@ index 7500df5..97accd8 100644
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1638,6 +1641,9 @@
+@@ -1656,6 +1659,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
 +/* platform has the Security Authorization Session API */
 +#undef USE_SECURITY_SESSION_API
 +
- /* Define if you have Solaris process contracts */
+ /* Define if you have Solaris privileges */
- #undef USE_SOLARIS_PROCESS_CONTRACTS
+ #undef USE_SOLARIS_PRIVS
 
 diff --git a/configure.ac b/configure.ac
-index 9b05c30..7a25603 100644
+index 7258cc0..5f1ff74 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
            [Prepend the address family to IP tunnel traffic])
@@ -1212,10 +1214,10 @@ index 53993d6..2f6baf7 100644
 
 #endif
 diff --git a/kex.c b/kex.c
-index b777b7d..390bb69 100644
+index d371f47..913e923 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -55,6 +55,10 @@
+@@ -54,6 +54,10 @@
 #include "sshbuf.h"
 #include "digest.h"
 
@@ -1226,7 +1228,7 @@ index b777b7d..390bb69 100644
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -97,6 +101,14 @@ static const struct kexalg kexalgs[] = {
+@@ -109,6 +113,14 @@ static const struct kexalg kexalgs[] = {
 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
        { NULL, -1, -1, -1},
 };
@@ -1241,7 +1243,7 @@ index b777b7d..390bb69 100644
 
 char *
 kex_alg_list(char sep)
-@@ -129,6 +141,10 @@ kex_alg_by_name(const char *name)
+@@ -141,6 +153,10 @@ kex_alg_by_name(const char *name)
                if (strcmp(k->name, name) == 0)
                        return k;
        }
@@ -1253,10 +1255,10 @@ index b777b7d..390bb69 100644
 }
 
 diff --git a/kex.h b/kex.h
-index d71b532..ee46815 100644
+index 1c58966..123ef83 100644
 --- a/kex.h
 +++ b/kex.h
-@@ -93,6 +93,9 @@ enum kex_exchange {
+@@ -92,6 +92,9 @@ enum kex_exchange {
        KEX_DH_GEX_SHA256,
        KEX_ECDH_SHA2,
        KEX_C25519_SHA256,
@@ -1266,7 +1268,7 @@ index d71b532..ee46815 100644
        KEX_MAX
 };
 
-@@ -139,6 +142,12 @@ struct kex {
+@@ -140,6 +143,12 @@ struct kex {
        u_int   flags;
        int     hash_alg;
        int     ec_nid;
@@ -1279,7 +1281,7 @@ index d71b532..ee46815 100644
        char    *client_version_string;
        char    *server_version_string;
        char    *failed_choice;
-@@ -187,6 +196,11 @@ int         kexecdh_server(struct ssh *);
+@@ -190,6 +199,11 @@ int         kexecdh_server(struct ssh *);
 int     kexc25519_client(struct ssh *);
 int     kexc25519_server(struct ssh *);
 
@@ -1935,10 +1937,10 @@ index 0000000..0847469
 +}
 +#endif /* GSSAPI */
 diff --git a/monitor.c b/monitor.c
-index a914209..2658aaa 100644
+index ac7dd30..6c82023 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
+@@ -156,6 +156,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
@@ -1947,7 +1949,7 @@ index a914209..2658aaa 100644
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
-@@ -234,11 +236,18 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -233,11 +235,18 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1966,7 +1968,7 @@ index a914209..2658aaa 100644
 #ifdef WITH_OPENSSL
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 #endif
-@@ -353,6 +362,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -352,6 +361,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1977,7 +1979,7 @@ index a914209..2658aaa 100644
        } else {
                mon_dispatch = mon_dispatch_proto15;
 
-@@ -461,6 +474,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -460,6 +473,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1988,7 +1990,7 @@ index a914209..2658aaa 100644
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1864,6 +1881,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
+@@ -1861,6 +1878,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
 # endif
 #endif /* WITH_OPENSSL */
                kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2002,7 +2004,7 @@ index a914209..2658aaa 100644
                kex->load_host_public_key=&get_hostkey_public_by_type;
                kex->load_host_private_key=&get_hostkey_private_by_type;
                kex->host_key_index=&get_hostkey_index;
-@@ -1963,6 +1987,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
 
@@ -2012,7 +2014,7 @@ index a914209..2658aaa 100644
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -1990,6 +2017,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2022,7 +2024,7 @@ index a914209..2658aaa 100644
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2007,6 +2037,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2030,7 +2032,7 @@ index a914209..2658aaa 100644
        }
        return (0);
 }
-@@ -2018,6 +2049,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
 
@@ -2040,7 +2042,7 @@ index a914209..2658aaa 100644
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -2044,7 +2078,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
 
@@ -2053,7 +2055,7 @@ index a914209..2658aaa 100644
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -2057,5 +2095,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2054,5 +2092,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2142,7 +2144,7 @@ index 93b8b66..bc50ade 100644
 
 struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index eac421b..81ceddb 100644
+index c5db6df..74fbd2e 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
@@ -2206,7 +2208,7 @@ index eac421b..81ceddb 100644
 #endif /* GSSAPI */
 
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index de4a08f..9758290 100644
+index eb820ae..403f8d0 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
@@ -2222,10 +2224,10 @@ index de4a08f..9758290 100644
 
 #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index cd01482..56e0f44 100644
+index 69d4553..d2a3d4b 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -147,6 +147,8 @@ typedef enum {
+@@ -148,6 +148,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2234,7 +2236,7 @@ index cd01482..56e0f44 100644
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
-@@ -192,10 +194,19 @@ static struct {
+@@ -193,10 +195,19 @@ static struct {
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
@@ -2254,7 +2256,7 @@ index cd01482..56e0f44 100644
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -894,10 +905,30 @@ parse_time:
+@@ -926,10 +937,30 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2285,7 +2287,7 @@ index cd01482..56e0f44 100644
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
+@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2298,7 +2300,7 @@ index cd01482..56e0f44 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
+@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2314,7 +2316,7 @@ index cd01482..56e0f44 100644
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
 diff --git a/readconf.h b/readconf.h
-index bb2d552..e7e80c3 100644
+index c84d068..37a0555 100644
 --- a/readconf.h
 +++ b/readconf.h
 @@ -45,7 +45,12 @@ typedef struct {
@@ -2331,7 +2333,7 @@ index bb2d552..e7e80c3 100644
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index 6c7a91e..cfe7029 100644
+index b19d30e..b8af6dd 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options)
@@ -2345,7 +2347,7 @@ index 6c7a91e..cfe7029 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -275,10 +277,14 @@ fill_default_server_options(ServerOptions *options)
+@@ -287,10 +289,14 @@ fill_default_server_options(ServerOptions *options)
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2361,7 +2363,7 @@ index 6c7a91e..cfe7029 100644
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -412,6 +418,7 @@ typedef enum {
+@@ -419,6 +425,7 @@ typedef enum {
        sHostKeyAlgorithms,
        sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2369,7 +2371,7 @@ index 6c7a91e..cfe7029 100644
        sAcceptEnv, sPermitTunnel,
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -485,12 +492,20 @@ static struct {
+@@ -492,12 +499,20 @@ static struct {
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2390,7 +2392,7 @@ index 6c7a91e..cfe7029 100644
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1231,6 +1246,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1242,6 +1257,10 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2401,7 +2403,7 @@ index 6c7a91e..cfe7029 100644
        case sGssCleanupCreds:
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
-@@ -1239,6 +1258,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1250,6 +1269,10 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->gss_strict_acceptor;
                goto parse_flag;
 
@@ -2412,7 +2414,7 @@ index 6c7a91e..cfe7029 100644
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
-@@ -2246,7 +2269,10 @@ dump_config(ServerOptions *o)
+@@ -2265,7 +2288,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2542,7 +2544,7 @@ index a99d7f0..914701b 100644
 
 #endif /* _SSH_GSS_H */
 diff --git a/ssh_config b/ssh_config
-index 03a228f..228e5ab 100644
+index 90fb63f..4e879cd 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -26,6 +26,8 @@
@@ -2555,19 +2557,18 @@ index 03a228f..228e5ab 100644
 #   CheckHostIP yes
 #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index a47f3ca..cac8cda 100644
+index caf13a6..9060d5b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -749,11 +749,45 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -826,10 +826,42 @@ The default is
+ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
- Note that this option applies to protocol version 2 only.
 +.It Cm GSSAPIKeyExchange
 +Specifies whether key exchange based on GSSAPI may be used. When using
 +GSSAPI key exchange the server need not have a host key.
 +The default is
 +.Dq no .
-+Note that this option applies to protocol version 2 only.
 +.It Cm GSSAPIClientIdentity
 +If set, specifies the GSSAPI client identity that ssh should use when 
 +connecting to the server. The default is unset, which means that the default 
@@ -2581,8 +2582,6 @@ index a47f3ca..cac8cda 100644
 Forward (delegate) credentials to the server.
 The default is
 .Dq no .
-Note that this option applies to protocol version 2 only.
-+Note that this option applies to protocol version 2 connections using GSSAPI.
 +.It Cm GSSAPIRenewalForcesRekey
 +If set to 
 +.Dq yes
@@ -2601,15 +2600,14 @@ index a47f3ca..cac8cda 100644
 +command line will be passed untouched to the GSSAPI library.
 +The default is
 +.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 7751031..32e9b0d 100644
+index f79c96b..b452eae 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -160,6 +160,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -161,6 +161,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
        struct kex *kex;
        int r;
 
@@ -2621,7 +2619,7 @@ index 7751031..32e9b0d 100644
        xxx_host = host;
        xxx_hostaddr = hostaddr;
 
-@@ -193,6 +198,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -195,6 +200,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
                    order_hostkeyalgs(host, hostaddr, port));
        }
 
@@ -2655,7 +2653,7 @@ index 7751031..32e9b0d 100644
        if (options.rekey_limit || options.rekey_interval)
                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                    (time_t)options.rekey_interval);
-@@ -211,10 +243,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -213,10 +245,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 # endif
 #endif
        kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2685,8 +2683,8 @@ index 7751031..32e9b0d 100644
 +
        dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
 
-        if (options.use_roaming && !kex->roaming) {
+        /* remove ext-info from the KEX proposals for rekeying */
-@@ -306,6 +358,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
+@@ -311,6 +363,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
 int    input_gssapi_hash(int type, u_int32_t, void *);
 int    input_gssapi_error(int, u_int32_t, void *);
 int    input_gssapi_errtok(int, u_int32_t, void *);
@@ -2694,7 +2692,7 @@ index 7751031..32e9b0d 100644
 #endif
 
 void   userauth(Authctxt *, char *);
-@@ -321,6 +374,11 @@ static char *authmethods_get(void);
+@@ -326,6 +379,11 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -2706,7 +2704,7 @@ index 7751031..32e9b0d 100644
        {"gssapi-with-mic",
                userauth_gssapi,
                NULL,
-@@ -627,19 +685,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -656,19 +714,31 @@ userauth_gssapi(Authctxt *authctxt)
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
@@ -2740,7 +2738,7 @@ index 7751031..32e9b0d 100644
                        ok = 1; /* Mechanism works */
                } else {
                        mech++;
-@@ -736,8 +806,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -765,8 +835,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
@@ -2751,7 +2749,7 @@ index 7751031..32e9b0d 100644
 
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
-@@ -850,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+@@ -879,6 +949,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
        free(lang);
        return 0;
 }
@@ -2801,10 +2799,10 @@ index 7751031..32e9b0d 100644
 
 int
 diff --git a/sshd.c b/sshd.c
-index 43d4650..d659a68 100644
+index 430569c..5cd9129 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -126,6 +126,10 @@
+@@ -125,6 +125,10 @@
 #include "version.h"
 #include "ssherr.h"
 
@@ -2890,7 +2888,7 @@ index 43d4650..d659a68 100644
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2569,6 +2630,48 @@ do_ssh2_kex(void)
+@@ -2571,6 +2632,48 @@ do_ssh2_kex(void)
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
            list_hostkey_types());
 
@@ -2939,7 +2937,7 @@ index 43d4650..d659a68 100644
        /* start key exchange */
        if ((r = kex_setup(active_state, myproposal)) != 0)
                fatal("kex_setup: %s", ssh_err(r));
-@@ -2583,6 +2686,13 @@ do_ssh2_kex(void)
+@@ -2585,6 +2688,13 @@ do_ssh2_kex(void)
 # endif
 #endif
        kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2954,7 +2952,7 @@ index 43d4650..d659a68 100644
        kex->client_version_string=client_version_string;
        kex->server_version_string=server_version_string;
 diff --git a/sshd_config b/sshd_config
-index 4d77f05..64786c9 100644
+index a848d73..f103298 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -84,6 +84,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
@@ -2967,23 +2965,22 @@ index 4d77f05..64786c9 100644
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index b18d340..5491c89 100644
+index a37a3ac..c6d6858 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -621,6 +621,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -623,6 +623,11 @@ The default is
+ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
- Note that this option applies to protocol version 2 only.
 +.It Cm GSSAPIKeyExchange
 +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
 +doesn't rely on ssh keys to verify host identity.
 +The default is
 +.Dq no .
-+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
-@@ -642,6 +648,11 @@ machine's default store.
+@@ -643,6 +648,11 @@ machine's default store.
 This facility is provided to assist with operation on multi homed machines.
 The default is
 .Dq yes .
@@ -2996,28 +2993,28 @@ index b18d340..5491c89 100644
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
 diff --git a/sshkey.c b/sshkey.c
-index 32dd8f2..5368e7c 100644
+index 87b093e..e595b11 100644
 --- a/sshkey.c
 +++ b/sshkey.c
-@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = {
+@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = {
 #  endif /* OPENSSL_HAS_NISTP521 */
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
-+       { "null", "null", KEY_NULL, 0, 0 },
+       { "null", "null", KEY_NULL, 0, 0, 0 },
-        { NULL, NULL, -1, -1, 0 }
+        { NULL, NULL, -1, -1, 0, 0 }
 };
 
-@@ -200,7 +201,7 @@ key_alg_list(int certs_only, int plain_only)
+@@ -203,7 +204,7 @@ key_alg_list(int certs_only, int plain_only)
        const struct keytype *kt;
 
        for (kt = keytypes; kt->type != -1; kt++) {
-               if (kt->name == NULL)
+-               if (kt->name == NULL || kt->sigonly)
-+               if (kt->name == NULL || kt->type == KEY_NULL)
+               if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL)
                        continue;
                if ((certs_only && !kt->cert) || (plain_only && kt->cert))
                        continue;
 diff --git a/sshkey.h b/sshkey.h
-index c8d3cdd..5cf4e5d 100644
+index a20a14f..2259cbb 100644
 --- a/sshkey.h
 +++ b/sshkey.h
 @@ -62,6 +62,7 @@ enum sshkey_types {
author	Colin Watson <cjwatson@debian.org>	2016-02-29 12:15:15 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-03-08 11:51:22 +0000
commit	46961f5704f8e86cea3e99253faad55aef4d8f35 (patch)
tree	0dd97fa4fb649a62b4639fe2674380872b1f3e98 /debian/patches/gssapi.patch
parent	c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff)
parent	85e40e87a75fb80a0bf893ac05a417d6c353537d (diff)