Initialize git-dpm

author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:19 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-02-09 16:25:52 +0000
commit: d26565af8589d88f824b26f31da493f1056efcf4 (patch)
tree: ff5e3b9c0fbb553f4f4c6e8836070659f266108e /debian/patches/gssapi.patch
parent: 16fb149cbb42efe0cb13f3edbafcb1a21ecfe574 (diff)
parent: bb5616c94d6d6b97890e90dd01a7ad07c663dc0b (diff)
1 files changed, 220 insertions, 173 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index b9221f94f..8a919382e 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,22 +1,67 @@
-Description: GSSAPI key exchange support
+From 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 Mon Sep 17 00:00:00 2001
- This patch has been rejected upstream: "None of the OpenSSH developers are
+From: Simon Wilkinson <simon@sxw.org.uk>
- in favour of adding this, and this situation has not changed for several
+Date: Sun, 9 Feb 2014 16:09:48 +0000
- years.  This is not a slight on Simon's patch, which is of fine quality,
+Subject: GSSAPI key exchange support
- but just that a) we don't trust GSSAPI implementations that much and b) we
- don't like adding new KEX since they are pre-auth attack surface.  This one
+This patch has been rejected upstream: "None of the OpenSSH developers are
- is particularly scary, since it requires hooks out to typically root-owned
+in favour of adding this, and this situation has not changed for several
- system resources."
+years.  This is not a slight on Simon's patch, which is of fine quality, but
- .
+just that a) we don't trust GSSAPI implementations that much and b) we don't
- However, quite a lot of people rely on this in Debian, and it's better to
+like adding new KEX since they are pre-auth attack surface.  This one is
- have it merged into the main openssh package rather than having separate
+particularly scary, since it requires hooks out to typically root-owned
- -krb5 packages (as we used to have).  It seems to have a generally good
+system resources."
- security history.
-Author: Simon Wilkinson <simon@sxw.org.uk>
+However, quite a lot of people rely on this in Debian, and it's better to
+have it merged into the main openssh package rather than having separate
+-krb5 packages (as we used to have).  It seems to have a generally good
+security history.
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
 Last-Updated: 2013-11-09
-Index: b/ChangeLog.gssapi
+Patch-Name: gssapi.patch
-===================================================================
+---
+ ChangeLog.gssapi | 113 +++++++++++++++++++
+ Makefile.in      |   3 +-
+ auth-krb5.c      |  17 ++-
+ auth2-gss.c      |  48 +++++++-
+ auth2.c          |   2 +
+ clientloop.c     |  13 +++
+ config.h.in      |   6 +
+ configure        |  57 ++++++++++
+ configure.ac     |  24 ++++
+ gss-genr.c       | 276 ++++++++++++++++++++++++++++++++++++++++++++-
+ gss-serv-krb5.c  |  84 +++++++++++++-
+ gss-serv.c       | 221 +++++++++++++++++++++++++++++++-----
+ kex.c            |  16 +++
+ kex.h            |  14 +++
+ kexgssc.c        | 333 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ kexgsss.c        | 289 +++++++++++++++++++++++++++++++++++++++++++++++
+ key.c            |   1 +
+ key.h            |   1 +
+ monitor.c        | 108 +++++++++++++++++-
+ monitor.h        |   3 +
+ monitor_wrap.c   |  47 +++++++-
+ monitor_wrap.h   |   4 +-
+ readconf.c       |  42 +++++++
+ readconf.h       |   5 +
+ servconf.c       |  38 ++++++-
+ servconf.h       |   3 +
+ ssh-gss.h        |  39 ++++++-
+ ssh_config       |   2 +
+ ssh_config.5     |  34 +++++-
+ sshconnect2.c    | 124 ++++++++++++++++++++-
+ sshd.c           | 110 ++++++++++++++++++
+ sshd_config      |   2 +
+ sshd_config.5    |  28 +++++
+ 33 files changed, 2050 insertions(+), 57 deletions(-)
+ create mode 100644 ChangeLog.gssapi
+ create mode 100644 kexgssc.c
+ create mode 100644 kexgsss.c
+diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
+new file mode 100644
+index 0000000..f117a33
 --- /dev/null
 +++ b/ChangeLog.gssapi
 @@ -0,0 +1,113 @@
@@ -133,11 +178,11 @@ Index: b/ChangeLog.gssapi
 +    add support for GssapiTrustDns option for gssapi-with-mic
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
-Index: b/Makefile.in
+diff --git a/Makefile.in b/Makefile.in
-===================================================================
+index 92c95a9..f979926 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -72,6 +72,7 @@
+@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
        atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
        monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
        kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -145,7 +190,7 @@ Index: b/Makefile.in
        msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
        jpake.o schnorr.o ssh-pkcs11.o krl.o
 
-@@ -88,7 +89,7 @@
+@@ -88,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
        monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
        auth-krb5.o \
@@ -154,11 +199,11 @@ Index: b/Makefile.in
        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
        sftp-server.o sftp-common.o \
        roaming_common.o roaming_serv.o \
-Index: b/auth-krb5.c
+diff --git a/auth-krb5.c b/auth-krb5.c
-===================================================================
+index 7c83f59..5613b57 100644
 --- a/auth-krb5.c
 +++ b/auth-krb5.c
-@@ -181,8 +181,13 @@
+@@ -181,8 +181,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 
        len = strlen(authctxt->krb5_ticket_file) + 6;
        authctxt->krb5_ccname = xmalloc(len);
@@ -172,7 +217,7 @@ Index: b/auth-krb5.c
 
 #ifdef USE_PAM
        if (options.use_pam)
-@@ -239,15 +244,22 @@
+@@ -239,15 +244,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
 #ifndef HEIMDAL
 krb5_error_code
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -197,7 +242,7 @@ Index: b/auth-krb5.c
        old_umask = umask(0177);
        tmpfd = mkstemp(ccname + strlen("FILE:"));
        oerrno = errno;
-@@ -264,6 +276,7 @@
+@@ -264,6 +276,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
                return oerrno;
        }
        close(tmpfd);
@@ -205,8 +250,8 @@ Index: b/auth-krb5.c
 
        return (krb5_cc_resolve(ctx, ccname, ccache));
 }
-Index: b/auth2-gss.c
+diff --git a/auth2-gss.c b/auth2-gss.c
-===================================================================
+index 638d8f8..b8db820 100644
 --- a/auth2-gss.c
 +++ b/auth2-gss.c
 @@ -1,7 +1,7 @@
@@ -218,7 +263,7 @@ Index: b/auth2-gss.c
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
-@@ -52,6 +52,40 @@
+@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_errtok(int, u_int32_t, void *);
 
@@ -259,7 +304,7 @@ Index: b/auth2-gss.c
 /*
  * We only support those mechanisms that we know about (ie ones that we know
  * how to check local user kuserok and the like)
-@@ -240,7 +274,8 @@
+@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 
        packet_check_eom();
 
@@ -269,7 +314,7 @@ Index: b/auth2-gss.c
 
        authctxt->postponed = 0;
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -275,7 +310,8 @@
+@@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
        gssbuf.length = buffer_len(&b);
 
        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -279,7 +324,7 @@ Index: b/auth2-gss.c
        else
                logit("GSSAPI MIC check failed");
 
-@@ -290,6 +326,12 @@
+@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
        userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
 
@@ -292,11 +337,11 @@ Index: b/auth2-gss.c
 Authmethod method_gssapi = {
        "gssapi-with-mic",
        userauth_gssapi,
-Index: b/auth2.c
+diff --git a/auth2.c b/auth2.c
-===================================================================
+index f0cab8c..6ed8f04 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -69,6 +69,7 @@
+@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
 #ifdef GSSAPI
@@ -304,7 +349,7 @@ Index: b/auth2.c
 extern Authmethod method_gssapi;
 #endif
 #ifdef JPAKE
-@@ -79,6 +80,7 @@
+@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
        &method_none,
        &method_pubkey,
 #ifdef GSSAPI
@@ -312,8 +357,8 @@ Index: b/auth2.c
        &method_gssapi,
 #endif
 #ifdef JPAKE
-Index: b/clientloop.c
+diff --git a/clientloop.c b/clientloop.c
-===================================================================
+index 23c2f23..311dc13 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -111,6 +111,10 @@
@@ -327,7 +372,7 @@ Index: b/clientloop.c
 /* import options */
 extern Options options;
 
-@@ -1608,6 +1612,15 @@
+@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                /* Do channel operations unless rekeying in progress. */
                if (!rekeying) {
                        channel_after_select(readset, writeset);
@@ -343,8 +388,8 @@ Index: b/clientloop.c
                        if (need_rekeying || packet_need_rekeying()) {
                                debug("need rekeying");
                                xxx_kex->done = 0;
-Index: b/config.h.in
+diff --git a/config.h.in b/config.h.in
-===================================================================
+index b75e501..34f1c9c 100644
 --- a/config.h.in
 +++ b/config.h.in
 @@ -1546,6 +1546,9 @@
@@ -367,11 +412,11 @@ Index: b/config.h.in
 /* Define if you have Solaris process contracts */
 #undef USE_SOLARIS_PROCESS_CONTRACTS
 
-Index: b/configure
+diff --git a/configure b/configure
-===================================================================
+index 0d6fad5..ceb1b5d 100755
 --- a/configure
 +++ b/configure
-@@ -6780,6 +6780,63 @@
+@@ -6780,6 +6780,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
 
 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
 
@@ -435,11 +480,11 @@ Index: b/configure
 
        ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
-Index: b/configure.ac
+diff --git a/configure.ac b/configure.ac
-===================================================================
+index 4a1b503..4c1a658 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -548,6 +548,30 @@
+@@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
            [Prepend the address family to IP tunnel traffic])
@@ -470,8 +515,8 @@ Index: b/configure.ac
        m4_pattern_allow([AU_IPv])
        AC_CHECK_DECL([AU_IPv4], [], 
            AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
-Index: b/gss-genr.c
+diff --git a/gss-genr.c b/gss-genr.c
-===================================================================
+index b39281b..b7d1b7d 100644
 --- a/gss-genr.c
 +++ b/gss-genr.c
 @@ -1,7 +1,7 @@
@@ -651,7 +696,7 @@ Index: b/gss-genr.c
 /* Check that the OID in a data stream matches that in the context */
 int
 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-@@ -197,7 +352,7 @@
+@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
        }
 
        ctx->major = gss_init_sec_context(&ctx->minor,
@@ -660,7 +705,7 @@ Index: b/gss-genr.c
            GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
            0, NULL, recv_tok, NULL, send_tok, flags, NULL);
 
-@@ -227,8 +382,42 @@
+@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
 }
 
 OM_uint32
@@ -703,7 +748,7 @@ Index: b/gss-genr.c
        if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
            GSS_C_QOP_DEFAULT, buffer, hash)))
                ssh_gssapi_error(ctx);
-@@ -236,6 +425,19 @@
+@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
        return (ctx->major);
 }
 
@@ -723,7 +768,7 @@ Index: b/gss-genr.c
 void
 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
     const char *context)
-@@ -249,11 +451,16 @@
+@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
 }
 
 int
@@ -741,7 +786,7 @@ Index: b/gss-genr.c
 
        /* RFC 4462 says we MUST NOT do SPNEGO */
        if (oid->length == spnego_oid.length && 
-@@ -263,6 +470,10 @@
+@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
        ssh_gssapi_build_ctx(ctx);
        ssh_gssapi_set_oid(*ctx, oid);
        major = ssh_gssapi_import_name(*ctx, host);
@@ -752,7 +797,7 @@ Index: b/gss-genr.c
        if (!GSS_ERROR(major)) {
                major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
                    NULL);
-@@ -272,10 +483,67 @@
+@@ -272,10 +483,67 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
                            GSS_C_NO_BUFFER);
        }
 
@@ -821,8 +866,8 @@ Index: b/gss-genr.c
 +}
 +
 #endif /* GSSAPI */
-Index: b/gss-serv-krb5.c
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-===================================================================
+index 87f2683..c55446a 100644
 --- a/gss-serv-krb5.c
 +++ b/gss-serv-krb5.c
 @@ -1,7 +1,7 @@
@@ -834,7 +879,7 @@ Index: b/gss-serv-krb5.c
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
-@@ -122,6 +122,7 @@
+@@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        OM_uint32 maj_status, min_status;
        int len;
        const char *errmsg;
@@ -842,7 +887,7 @@ Index: b/gss-serv-krb5.c
 
        if (client->creds == NULL) {
                debug("No credentials stored");
-@@ -174,11 +175,16 @@
+@@ -174,11 +175,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
                return;
        }
 
@@ -863,7 +908,7 @@ Index: b/gss-serv-krb5.c
 
 #ifdef USE_PAM
        if (options.use_pam)
-@@ -190,6 +196,71 @@
+@@ -190,6 +196,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        return;
 }
 
@@ -935,7 +980,7 @@ Index: b/gss-serv-krb5.c
 ssh_gssapi_mech gssapi_kerberos_mech = {
        "toWM5Slw5Ew8Mqkay+al2g==",
        "Kerberos",
-@@ -197,7 +268,8 @@
+@@ -197,7 +268,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
        NULL,
        &ssh_gssapi_krb5_userok,
        NULL,
@@ -945,8 +990,8 @@ Index: b/gss-serv-krb5.c
 };
 
 #endif /* KRB5 */
-Index: b/gss-serv.c
+diff --git a/gss-serv.c b/gss-serv.c
-===================================================================
+index 95348e2..97f366f 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
 @@ -1,7 +1,7 @@
@@ -982,7 +1027,7 @@ Index: b/gss-serv.c
 
 #ifdef KRB5
 extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -81,25 +87,32 @@
+@@ -81,25 +87,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
        char lname[MAXHOSTNAMELEN];
        gss_OID_set oidset;
 
@@ -991,16 +1036,16 @@ Index: b/gss-serv.c
 +       if (options.gss_strict_acceptor) {
 +               gss_create_empty_oid_set(&status, &oidset);
 +               gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+               if (gethostname(lname, MAXHOSTNAMELEN)) {
-+                       gss_release_oid_set(&status, &oidset);
-+                       return (-1);
-+               }
 
 -       if (gethostname(lname, MAXHOSTNAMELEN)) {
 -               gss_release_oid_set(&status, &oidset);
 -               return (-1);
 -       }
+               if (gethostname(lname, MAXHOSTNAMELEN)) {
+                       gss_release_oid_set(&status, &oidset);
+                       return (-1);
+               }
+
 +               if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
 +                       gss_release_oid_set(&status, &oidset);
 +                       return (ctx->major);
@@ -1029,7 +1074,7 @@ Index: b/gss-serv.c
 }
 
 /* Privileged */
-@@ -114,6 +127,29 @@
+@@ -114,6 +127,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
 }
 
 /* Unprivileged */
@@ -1059,7 +1104,7 @@ Index: b/gss-serv.c
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
 {
-@@ -123,7 +159,9 @@
+@@ -123,7 +159,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
        gss_OID_set supported;
 
        gss_create_empty_oid_set(&min_status, oidset);
@@ -1070,7 +1115,7 @@ Index: b/gss-serv.c
 
        while (supported_mechs[i]->name != NULL) {
                if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-@@ -249,8 +287,48 @@
+@@ -249,8 +287,48 @@ OM_uint32
 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
 {
        int i = 0;
@@ -1120,7 +1165,7 @@ Index: b/gss-serv.c
 
        client->mech = NULL;
 
-@@ -265,6 +343,13 @@
+@@ -265,6 +343,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
        if (client->mech == NULL)
                return GSS_S_FAILURE;
 
@@ -1134,7 +1179,7 @@ Index: b/gss-serv.c
        if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
            &client->displayname, NULL))) {
                ssh_gssapi_error(ctx);
-@@ -282,6 +367,8 @@
+@@ -282,6 +367,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
                return (ctx->major);
        }
 
@@ -1143,7 +1188,7 @@ Index: b/gss-serv.c
        /* We can't copy this structure, so we just move the pointer to it */
        client->creds = ctx->client_creds;
        ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -329,7 +416,7 @@
+@@ -329,7 +416,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 
 /* Privileged */
 int
@@ -1152,7 +1197,7 @@ Index: b/gss-serv.c
 {
        OM_uint32 lmin;
 
-@@ -339,9 +426,11 @@
+@@ -339,9 +426,11 @@ ssh_gssapi_userok(char *user)
                return 0;
        }
        if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1166,7 +1211,7 @@ Index: b/gss-serv.c
                        /* Destroy delegated credentials if userok fails */
                        gss_release_buffer(&lmin, &gssapi_client.displayname);
                        gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -354,14 +443,90 @@
+@@ -354,14 +443,90 @@ ssh_gssapi_userok(char *user)
        return (0);
 }
 
@@ -1263,8 +1308,8 @@ Index: b/gss-serv.c
 }
 
 #endif
-Index: b/kex.c
+diff --git a/kex.c b/kex.c
-===================================================================
+index 54bd1a4..1ec2782 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -50,6 +50,10 @@
@@ -1278,7 +1323,7 @@ Index: b/kex.c
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -82,6 +86,14 @@
+@@ -82,6 +86,14 @@ static const struct kexalg kexalgs[] = {
 #endif
        { NULL, -1, -1, NULL},
 };
@@ -1293,7 +1338,7 @@ Index: b/kex.c
 
 char *
 kex_alg_list(void)
-@@ -110,6 +122,10 @@
+@@ -110,6 +122,10 @@ kex_alg_by_name(const char *name)
                if (strcmp(k->name, name) == 0)
                        return k;
        }
@@ -1304,11 +1349,11 @@ Index: b/kex.c
        return NULL;
 }
 
-Index: b/kex.h
+diff --git a/kex.h b/kex.h
-===================================================================
+index 9f1e1ad..d5046c6 100644
 --- a/kex.h
 +++ b/kex.h
-@@ -74,6 +74,9 @@
+@@ -74,6 +74,9 @@ enum kex_exchange {
        KEX_DH_GEX_SHA1,
        KEX_DH_GEX_SHA256,
        KEX_ECDH_SHA2,
@@ -1318,7 +1363,7 @@ Index: b/kex.h
        KEX_MAX
 };
 
-@@ -133,6 +136,12 @@
+@@ -133,6 +136,12 @@ struct Kex {
        int     flags;
        const EVP_MD *evp_md;
        int     ec_nid;
@@ -1331,7 +1376,7 @@ Index: b/kex.h
        char    *client_version_string;
        char    *server_version_string;
        int     (*verify_host_key)(Key *);
-@@ -162,6 +171,11 @@
+@@ -162,6 +171,11 @@ void        kexgex_server(Kex *);
 void    kexecdh_client(Kex *);
 void    kexecdh_server(Kex *);
 
@@ -1343,8 +1388,9 @@ Index: b/kex.h
 void
 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-Index: b/kexgssc.c
+diff --git a/kexgssc.c b/kexgssc.c
-===================================================================
+new file mode 100644
+index 0000000..616893c
 --- /dev/null
 +++ b/kexgssc.c
 @@ -0,0 +1,333 @@
@@ -1681,8 +1727,9 @@ Index: b/kexgssc.c
 +}
 +
 +#endif /* GSSAPI */
-Index: b/kexgsss.c
+diff --git a/kexgsss.c b/kexgsss.c
-===================================================================
+new file mode 100644
+index 0000000..18b065b
 --- /dev/null
 +++ b/kexgsss.c
 @@ -0,0 +1,289 @@
@@ -1975,11 +2022,11 @@ Index: b/kexgsss.c
 +               ssh_gssapi_rekey_creds();
 +}
 +#endif /* GSSAPI */
-Index: b/key.c
+diff --git a/key.c b/key.c
-===================================================================
+index 55ee789..2591635 100644
 --- a/key.c
 +++ b/key.c
-@@ -933,6 +933,7 @@
+@@ -933,6 +933,7 @@ static const struct keytype keytypes[] = {
            KEY_RSA_CERT_V00, 0, 1 },
        { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
            KEY_DSA_CERT_V00, 0, 1 },
@@ -1987,11 +2034,11 @@ Index: b/key.c
        { NULL, NULL, -1, -1, 0 }
 };
 
-Index: b/key.h
+diff --git a/key.h b/key.h
-===================================================================
+index 17358ae..b57d6a4 100644
 --- a/key.h
 +++ b/key.h
-@@ -44,6 +44,7 @@
+@@ -44,6 +44,7 @@ enum types {
        KEY_ECDSA_CERT,
        KEY_RSA_CERT_V00,
        KEY_DSA_CERT_V00,
@@ -1999,11 +2046,11 @@ Index: b/key.h
        KEY_UNSPEC
 };
 enum fp_type {
-Index: b/monitor.c
+diff --git a/monitor.c b/monitor.c
-===================================================================
+index 44dff98..9079c97 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -181,6 +181,8 @@
+@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2012,7 +2059,7 @@ Index: b/monitor.c
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
-@@ -253,6 +255,7 @@
+@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2020,7 +2067,7 @@ Index: b/monitor.c
 #endif
 #ifdef JPAKE
     {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -265,6 +268,12 @@
+@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
@@ -2033,7 +2080,7 @@ Index: b/monitor.c
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
     {MONITOR_REQ_SIGN, 0, mm_answer_sign},
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -373,6 +382,10 @@
+@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2044,7 +2091,7 @@ Index: b/monitor.c
        } else {
                mon_dispatch = mon_dispatch_proto15;
 
-@@ -487,6 +500,10 @@
+@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2055,7 +2102,7 @@ Index: b/monitor.c
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1855,6 +1872,13 @@
+@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2069,7 +2116,7 @@ Index: b/monitor.c
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
-@@ -2062,6 +2086,9 @@
+@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
 
@@ -2079,7 +2126,7 @@ Index: b/monitor.c
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -2089,6 +2116,9 @@
+@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2089,7 +2136,7 @@ Index: b/monitor.c
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2106,6 +2136,7 @@
+@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2097,7 +2144,7 @@ Index: b/monitor.c
        }
        return (0);
 }
-@@ -2117,6 +2148,9 @@
+@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
 
@@ -2107,7 +2154,7 @@ Index: b/monitor.c
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -2143,7 +2177,11 @@
+@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
 
@@ -2120,7 +2167,7 @@ Index: b/monitor.c
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -2156,6 +2194,74 @@
+@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2195,11 +2242,11 @@ Index: b/monitor.c
 #endif /* GSSAPI */
 
 #ifdef JPAKE
-Index: b/monitor.h
+diff --git a/monitor.h b/monitor.h
-===================================================================
+index 2caa469..315ef99 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -70,6 +70,9 @@
+@@ -70,6 +70,9 @@ enum monitor_reqtype {
        MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
        MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
 
@@ -2209,11 +2256,11 @@ Index: b/monitor.h
 };
 
 struct mm_master;
-Index: b/monitor_wrap.c
+diff --git a/monitor_wrap.c b/monitor_wrap.c
-===================================================================
+index 4ce4696..44019f3 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1273,7 +1273,7 @@
+@@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 
 int
@@ -2222,7 +2269,7 @@ Index: b/monitor_wrap.c
 {
        Buffer m;
        int authenticated = 0;
-@@ -1290,6 +1290,51 @@
+@@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user)
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
@@ -2274,11 +2321,11 @@ Index: b/monitor_wrap.c
 #endif /* GSSAPI */
 
 #ifdef JPAKE
-Index: b/monitor_wrap.h
+diff --git a/monitor_wrap.h b/monitor_wrap.h
-===================================================================
+index 0c7f2e3..ec9b9b1 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -58,8 +58,10 @@
+@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2290,11 +2337,11 @@ Index: b/monitor_wrap.h
 #endif
 
 #ifdef USE_PAM
-Index: b/readconf.c
+diff --git a/readconf.c b/readconf.c
-===================================================================
+index 1464430..2695fd6 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -132,6 +132,8 @@
+@@ -132,6 +132,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2303,7 +2350,7 @@ Index: b/readconf.c
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
-@@ -172,10 +174,19 @@
+@@ -172,10 +174,19 @@ static struct {
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
@@ -2323,7 +2370,7 @@ Index: b/readconf.c
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -516,10 +527,30 @@
+@@ -516,10 +527,30 @@ parse_flag:
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2354,7 +2401,7 @@ Index: b/readconf.c
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1168,7 +1199,12 @@
+@@ -1168,7 +1199,12 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2367,7 +2414,7 @@ Index: b/readconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1268,8 +1304,14 @@
+@@ -1268,8 +1304,14 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2382,11 +2429,11 @@ Index: b/readconf.c
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-Index: b/readconf.h
+diff --git a/readconf.h b/readconf.h
-===================================================================
+index 23fc500..675b35d 100644
 --- a/readconf.h
 +++ b/readconf.h
-@@ -48,7 +48,12 @@
+@@ -48,7 +48,12 @@ typedef struct {
        int     challenge_response_authentication;
                                        /* Try S/Key or TIS, authentication. */
        int     gss_authentication;     /* Try GSS authentication */
@@ -2399,11 +2446,11 @@ Index: b/readconf.h
        int     password_authentication;        /* Try password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-Index: b/servconf.c
+diff --git a/servconf.c b/servconf.c
-===================================================================
+index 747edde..c938ae3 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -107,7 +107,10 @@
+@@ -107,7 +107,10 @@ initialize_server_options(ServerOptions *options)
        options->kerberos_ticket_cleanup = -1;
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
@@ -2414,7 +2461,7 @@ Index: b/servconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -240,8 +243,14 @@
+@@ -240,8 +243,14 @@ fill_default_server_options(ServerOptions *options)
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2429,7 +2476,7 @@ Index: b/servconf.c
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -338,7 +347,9 @@
+@@ -338,7 +347,9 @@ typedef enum {
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2440,7 +2487,7 @@ Index: b/servconf.c
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -405,10 +416,20 @@
+@@ -405,10 +416,20 @@ static struct {
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2461,7 +2508,7 @@ Index: b/servconf.c
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1073,10 +1094,22 @@
+@@ -1073,10 +1094,22 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2484,7 +2531,7 @@ Index: b/servconf.c
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
-@@ -1983,7 +2016,10 @@
+@@ -1983,7 +2016,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2495,11 +2542,11 @@ Index: b/servconf.c
 #endif
 #ifdef JPAKE
        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
-Index: b/servconf.h
+diff --git a/servconf.h b/servconf.h
-===================================================================
+index 98aad8b..ab6e346 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -111,7 +111,10 @@
+@@ -111,7 +111,10 @@ typedef struct {
        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2510,8 +2557,8 @@ Index: b/servconf.h
        int     password_authentication;        /* If true, permit password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* If true, permit */
-Index: b/ssh-gss.h
+diff --git a/ssh-gss.h b/ssh-gss.h
-===================================================================
+index 077e13c..bc6e8f9 100644
 --- a/ssh-gss.h
 +++ b/ssh-gss.h
 @@ -1,6 +1,6 @@
@@ -2545,7 +2592,7 @@ Index: b/ssh-gss.h
        void *data;
 } ssh_gssapi_ccache;
 
-@@ -72,8 +84,11 @@
+@@ -72,8 +84,11 @@ typedef struct {
        gss_buffer_desc displayname;
        gss_buffer_desc exportedname;
        gss_cred_id_t creds;
@@ -2557,7 +2604,7 @@ Index: b/ssh-gss.h
 } ssh_gssapi_client;
 
 typedef struct ssh_gssapi_mech_struct {
-@@ -84,6 +99,7 @@
+@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
        int (*userok) (ssh_gssapi_client *, char *);
        int (*localname) (ssh_gssapi_client *, char **);
        void (*storecreds) (ssh_gssapi_client *);
@@ -2565,7 +2612,7 @@ Index: b/ssh-gss.h
 } ssh_gssapi_mech;
 
 typedef struct {
-@@ -94,10 +110,11 @@
+@@ -94,10 +110,11 @@ typedef struct {
        gss_OID         oid; /* client */
        gss_cred_id_t   creds; /* server */
        gss_name_t      client; /* server */
@@ -2578,7 +2625,7 @@ Index: b/ssh-gss.h
 
 int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-@@ -117,16 +134,30 @@
+@@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
 void ssh_gssapi_delete_ctx(Gssctxt **);
 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2611,8 +2658,8 @@ Index: b/ssh-gss.h
 #endif /* GSSAPI */
 
 #endif /* _SSH_GSS_H */
-Index: b/ssh_config
+diff --git a/ssh_config b/ssh_config
-===================================================================
+index bb40819..3234321 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -26,6 +26,8 @@
@@ -2624,11 +2671,11 @@ Index: b/ssh_config
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
-Index: b/ssh_config.5
+diff --git a/ssh_config.5 b/ssh_config.5
-===================================================================
+index 5d76c6d..e72919a 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -529,11 +529,43 @@
+@@ -529,11 +529,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@@ -2673,11 +2720,11 @@ Index: b/ssh_config.5
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
-Index: b/sshconnect2.c
+diff --git a/sshconnect2.c b/sshconnect2.c
-===================================================================
+index 70e3cd8..0b13530 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -160,9 +160,34 @@
+@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 {
        Kex *kex;
 
@@ -2712,7 +2759,7 @@ Index: b/sshconnect2.c
        if (options.ciphers == (char *)-1) {
                logit("No valid ciphers for protocol version 2 given, using defaults.");
                options.ciphers = NULL;
-@@ -197,6 +222,17 @@
+@@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
        if (options.kex_algorithms != NULL)
                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 
@@ -2730,7 +2777,7 @@ Index: b/sshconnect2.c
        if (options.rekey_limit || options.rekey_interval)
                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                    (time_t)options.rekey_interval);
-@@ -208,10 +244,30 @@
+@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2761,7 +2808,7 @@ Index: b/sshconnect2.c
        xxx_kex = kex;
 
        dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -307,6 +363,7 @@
+@@ -307,6 +363,7 @@ void        input_gssapi_token(int type, u_int32_t, void *);
 void   input_gssapi_hash(int type, u_int32_t, void *);
 void   input_gssapi_error(int, u_int32_t, void *);
 void   input_gssapi_errtok(int, u_int32_t, void *);
@@ -2769,7 +2816,7 @@ Index: b/sshconnect2.c
 #endif
 
 void   userauth(Authctxt *, char *);
-@@ -322,6 +379,11 @@
+@@ -322,6 +379,11 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -2781,7 +2828,7 @@ Index: b/sshconnect2.c
        {"gssapi-with-mic",
                userauth_gssapi,
                NULL,
-@@ -625,19 +687,31 @@
+@@ -625,19 +687,31 @@ userauth_gssapi(Authctxt *authctxt)
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
@@ -2815,7 +2862,7 @@ Index: b/sshconnect2.c
                        ok = 1; /* Mechanism works */
                } else {
                        mech++;
-@@ -734,8 +808,8 @@
+@@ -734,8 +808,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
@@ -2826,7 +2873,7 @@ Index: b/sshconnect2.c
 
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
-@@ -844,6 +918,48 @@
+@@ -844,6 +918,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
        free(msg);
        free(lang);
 }
@@ -2875,8 +2922,8 @@ Index: b/sshconnect2.c
 #endif /* GSSAPI */
 
 int
-Index: b/sshd.c
+diff --git a/sshd.c b/sshd.c
-===================================================================
+index 174cc7a..4eddeb8 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -122,6 +122,10 @@
@@ -2890,7 +2937,7 @@ Index: b/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1703,10 +1707,13 @@
+@@ -1703,10 +1707,13 @@ main(int ac, char **av)
                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
@@ -2904,7 +2951,7 @@ Index: b/sshd.c
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
-@@ -2035,6 +2042,60 @@
+@@ -2035,6 +2042,60 @@ main(int ac, char **av)
        /* Log the connection. */
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
@@ -2965,7 +3012,7 @@ Index: b/sshd.c
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2439,6 +2500,48 @@
+@@ -2439,6 +2500,48 @@ do_ssh2_kex(void)
 
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
@@ -3014,7 +3061,7 @@ Index: b/sshd.c
        /* start key exchange */
        kex = kex_setup(myproposal);
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2446,6 +2549,13 @@
+@@ -2446,6 +2549,13 @@ do_ssh2_kex(void)
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3028,11 +3075,11 @@ Index: b/sshd.c
        kex->server = 1;
        kex->client_version_string=client_version_string;
        kex->server_version_string=server_version_string;
-Index: b/sshd_config
+diff --git a/sshd_config b/sshd_config
-===================================================================
+index b786361..9450141 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -83,6 +83,8 @@
+@@ -83,6 +83,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
@@ -3041,11 +3088,11 @@ Index: b/sshd_config
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-Index: b/sshd_config.5
+diff --git a/sshd_config.5 b/sshd_config.5
-===================================================================
+index 3abac6c..525d9c8 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -484,12 +484,40 @@
+@@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:19 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-02-09 16:25:52 +0000
commit	d26565af8589d88f824b26f31da493f1056efcf4 (patch)
tree	ff5e3b9c0fbb553f4f4c6e8836070659f266108e /debian/patches/gssapi.patch
parent	16fb149cbb42efe0cb13f3edbafcb1a21ecfe574 (diff)
parent	bb5616c94d6d6b97890e90dd01a7ad07c663dc0b (diff)