author | Colin Watson <cjwatson@debian.org> | 2014-10-07 13:33:15 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 14:27:30 +0100 |
commit | f0b009aea83e9ff3a50be30f51012099a5143c16 (patch) | |
tree | 3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /debian/patches/gssapi.patch | |
parent | 47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff) | |
parent | 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff) |
Merge 6.7p1.
* New upstream release (http://www.openssh.com/txt/release-6.7):
- sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour* are
disabled by default. The full set of algorithms remains available if
configured explicitly via the Ciphers and MACs sshd_config options.
- ssh(1), sshd(8): Add support for Unix domain socket forwarding. A
remote TCP port may be forwarded to a local Unix domain socket and
vice versa or both ends may be a Unix domain socket (closes: #236718).
- ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519
key types.
- sftp(1): Allow resumption of interrupted uploads.
- ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is
the same as the one sent during initial key exchange.
- sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses
when GatewayPorts=no; allows client to choose address family.
- sshd(8): Add a sshd_config PermitUserRC option to control whether
~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
option.
- ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that
expands to a unique identifier based on a hash of the tuple of (local
host, remote user, hostname, port). Helps avoid exceeding miserly
pathname limits for Unix domain sockets in multiplexing control paths.
- sshd(8): Make the "Too many authentication failures" message include
the user, source address, port and protocol in a format similar to the
authentication success / failure messages.
- Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
available. It considers time spent suspended, thereby ensuring
timeouts (e.g. for expiring agent keys) fire correctly (closes:
#734553).
- Use prctl() to prevent sftp-server from accessing
/proc/self/{mem,maps}.
* Restore TCP wrappers support, removed upstream in 6.7. It is true that
dropping this reduces preauth attack surface in sshd. On the other
hand, this support seems to be quite widely used, and abruptly dropping
it (from the perspective of users who don't read openssh-unix-dev) could
easily cause more serious problems in practice. It's not entirely clear
what the right long-term answer for Debian is, but it at least probably
doesn't involve dropping this feature shortly before a freeze.
* Replace patch to disable OpenSSL version check with an updated version
of Kurt Roeckx's patch from #732940 to just avoid checking the status
field.
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 283 |
1 files changed, 142 insertions, 141 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index d8439bf03..e8cbc1083 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd Mon Sep 17 00:00:00 2001 | 1 | From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2014-03-19 | 20 | Last-Updated: 2014-10-07 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
@@ -36,9 +36,7 @@ Patch-Name: gssapi.patch | |||
36 | kex.c | 16 +++ | 36 | kex.c | 16 +++ |
37 | kex.h | 14 +++ | 37 | kex.h | 14 +++ |
38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
39 | kexgsss.c | 289 ++++++++++++++++++++++++++++++++++++++++++++++++ | 39 | kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++ |
40 | key.c | 3 +- | ||
41 | key.h | 1 + | ||
42 | monitor.c | 108 +++++++++++++++++- | 40 | monitor.c | 108 +++++++++++++++++- |
43 | monitor.h | 3 + | 41 | monitor.h | 3 + |
44 | monitor_wrap.c | 47 +++++++- | 42 | monitor_wrap.c | 47 +++++++- |
@@ -54,7 +52,9 @@ Patch-Name: gssapi.patch | |||
54 | sshd.c | 110 ++++++++++++++++++ | 52 | sshd.c | 110 ++++++++++++++++++ |
55 | sshd_config | 2 + | 53 | sshd_config | 2 + |
56 | sshd_config.5 | 28 +++++ | 54 | sshd_config.5 | 28 +++++ |
57 | 33 files changed, 2051 insertions(+), 59 deletions(-) | 55 | sshkey.c | 3 +- |
56 | sshkey.h | 1 + | ||
57 | 33 files changed, 2052 insertions(+), 59 deletions(-) | ||
58 | create mode 100644 ChangeLog.gssapi | 58 | create mode 100644 ChangeLog.gssapi |
59 | create mode 100644 kexgssc.c | 59 | create mode 100644 kexgssc.c |
60 | create mode 100644 kexgsss.c | 60 | create mode 100644 kexgsss.c |
@@ -179,10 +179,10 @@ index 0000000..f117a33 | |||
179 | + (from jbasney AT ncsa.uiuc.edu) | 179 | + (from jbasney AT ncsa.uiuc.edu) |
180 | + <gssapi-with-mic support is Bugzilla #1008> | 180 | + <gssapi-with-mic support is Bugzilla #1008> |
181 | diff --git a/Makefile.in b/Makefile.in | 181 | diff --git a/Makefile.in b/Makefile.in |
182 | index 28a8ec4..ee1d2c3 100644 | 182 | index 06be3d5..086d8dd 100644 |
183 | --- a/Makefile.in | 183 | --- a/Makefile.in |
184 | +++ b/Makefile.in | 184 | +++ b/Makefile.in |
185 | @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 185 | @@ -82,6 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
@@ -190,7 +190,7 @@ index 28a8ec4..ee1d2c3 100644 | |||
190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
191 | ssh-pkcs11.o krl.o smult_curve25519_ref.o \ | 191 | ssh-pkcs11.o krl.o smult_curve25519_ref.o \ |
192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ | 192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ |
193 | @@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 193 | @@ -101,7 +102,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
194 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 194 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
196 | kexc25519s.o auth-krb5.o \ | 196 | kexc25519s.o auth-krb5.o \ |
@@ -200,10 +200,10 @@ index 28a8ec4..ee1d2c3 100644 | |||
200 | sftp-server.o sftp-common.o \ | 200 | sftp-server.o sftp-common.o \ |
201 | roaming_common.o roaming_serv.o \ | 201 | roaming_common.o roaming_serv.o \ |
202 | diff --git a/auth-krb5.c b/auth-krb5.c | 202 | diff --git a/auth-krb5.c b/auth-krb5.c |
203 | index 6c62bdf..69a1a53 100644 | 203 | index 0089b18..ec47869 100644 |
204 | --- a/auth-krb5.c | 204 | --- a/auth-krb5.c |
205 | +++ b/auth-krb5.c | 205 | +++ b/auth-krb5.c |
206 | @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) | 206 | @@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) |
207 | 207 | ||
208 | len = strlen(authctxt->krb5_ticket_file) + 6; | 208 | len = strlen(authctxt->krb5_ticket_file) + 6; |
209 | authctxt->krb5_ccname = xmalloc(len); | 209 | authctxt->krb5_ccname = xmalloc(len); |
@@ -217,7 +217,7 @@ index 6c62bdf..69a1a53 100644 | |||
217 | 217 | ||
218 | #ifdef USE_PAM | 218 | #ifdef USE_PAM |
219 | if (options.use_pam) | 219 | if (options.use_pam) |
220 | @@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) | 220 | @@ -241,15 +246,22 @@ krb5_cleanup_proc(Authctxt *authctxt) |
221 | #ifndef HEIMDAL | 221 | #ifndef HEIMDAL |
222 | krb5_error_code | 222 | krb5_error_code |
223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
@@ -242,7 +242,7 @@ index 6c62bdf..69a1a53 100644 | |||
242 | old_umask = umask(0177); | 242 | old_umask = umask(0177); |
243 | tmpfd = mkstemp(ccname + strlen("FILE:")); | 243 | tmpfd = mkstemp(ccname + strlen("FILE:")); |
244 | oerrno = errno; | 244 | oerrno = errno; |
245 | @@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 245 | @@ -266,6 +278,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
246 | return oerrno; | 246 | return oerrno; |
247 | } | 247 | } |
248 | close(tmpfd); | 248 | close(tmpfd); |
@@ -251,7 +251,7 @@ index 6c62bdf..69a1a53 100644 | |||
251 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 251 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
252 | } | 252 | } |
253 | diff --git a/auth2-gss.c b/auth2-gss.c | 253 | diff --git a/auth2-gss.c b/auth2-gss.c |
254 | index c28a705..3ff2d72 100644 | 254 | index 447f896..284f364 100644 |
255 | --- a/auth2-gss.c | 255 | --- a/auth2-gss.c |
256 | +++ b/auth2-gss.c | 256 | +++ b/auth2-gss.c |
257 | @@ -1,7 +1,7 @@ | 257 | @@ -1,7 +1,7 @@ |
@@ -263,7 +263,7 @@ index c28a705..3ff2d72 100644 | |||
263 | * | 263 | * |
264 | * Redistribution and use in source and binary forms, with or without | 264 | * Redistribution and use in source and binary forms, with or without |
265 | * modification, are permitted provided that the following conditions | 265 | * modification, are permitted provided that the following conditions |
266 | @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); | 266 | @@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
268 | static void input_gssapi_errtok(int, u_int32_t, void *); | 268 | static void input_gssapi_errtok(int, u_int32_t, void *); |
269 | 269 | ||
@@ -304,7 +304,7 @@ index c28a705..3ff2d72 100644 | |||
304 | /* | 304 | /* |
305 | * We only support those mechanisms that we know about (ie ones that we know | 305 | * We only support those mechanisms that we know about (ie ones that we know |
306 | * how to check local user kuserok and the like) | 306 | * how to check local user kuserok and the like) |
307 | @@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | 307 | @@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) |
308 | 308 | ||
309 | packet_check_eom(); | 309 | packet_check_eom(); |
310 | 310 | ||
@@ -314,7 +314,7 @@ index c28a705..3ff2d72 100644 | |||
314 | 314 | ||
315 | authctxt->postponed = 0; | 315 | authctxt->postponed = 0; |
316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
317 | @@ -270,7 +305,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 317 | @@ -271,7 +306,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
318 | gssbuf.length = buffer_len(&b); | 318 | gssbuf.length = buffer_len(&b); |
319 | 319 | ||
320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
@@ -324,7 +324,7 @@ index c28a705..3ff2d72 100644 | |||
324 | else | 324 | else |
325 | logit("GSSAPI MIC check failed"); | 325 | logit("GSSAPI MIC check failed"); |
326 | 326 | ||
327 | @@ -285,6 +321,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 327 | @@ -286,6 +322,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); | 328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
329 | } | 329 | } |
330 | 330 | ||
@@ -338,10 +338,10 @@ index c28a705..3ff2d72 100644 | |||
338 | "gssapi-with-mic", | 338 | "gssapi-with-mic", |
339 | userauth_gssapi, | 339 | userauth_gssapi, |
340 | diff --git a/auth2.c b/auth2.c | 340 | diff --git a/auth2.c b/auth2.c |
341 | index a5490c0..fbe3e1b 100644 | 341 | index d9b440a..2f0d565 100644 |
342 | --- a/auth2.c | 342 | --- a/auth2.c |
343 | +++ b/auth2.c | 343 | +++ b/auth2.c |
344 | @@ -69,6 +69,7 @@ extern Authmethod method_passwd; | 344 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; |
345 | extern Authmethod method_kbdint; | 345 | extern Authmethod method_kbdint; |
346 | extern Authmethod method_hostbased; | 346 | extern Authmethod method_hostbased; |
347 | #ifdef GSSAPI | 347 | #ifdef GSSAPI |
@@ -349,7 +349,7 @@ index a5490c0..fbe3e1b 100644 | |||
349 | extern Authmethod method_gssapi; | 349 | extern Authmethod method_gssapi; |
350 | #endif | 350 | #endif |
351 | 351 | ||
352 | @@ -76,6 +77,7 @@ Authmethod *authmethods[] = { | 352 | @@ -77,6 +78,7 @@ Authmethod *authmethods[] = { |
353 | &method_none, | 353 | &method_none, |
354 | &method_pubkey, | 354 | &method_pubkey, |
355 | #ifdef GSSAPI | 355 | #ifdef GSSAPI |
@@ -358,7 +358,7 @@ index a5490c0..fbe3e1b 100644 | |||
358 | #endif | 358 | #endif |
359 | &method_passwd, | 359 | &method_passwd, |
360 | diff --git a/clientloop.c b/clientloop.c | 360 | diff --git a/clientloop.c b/clientloop.c |
361 | index 59ad3a2..6d8cd7d 100644 | 361 | index 397c965..f9175e3 100644 |
362 | --- a/clientloop.c | 362 | --- a/clientloop.c |
363 | +++ b/clientloop.c | 363 | +++ b/clientloop.c |
364 | @@ -111,6 +111,10 @@ | 364 | @@ -111,6 +111,10 @@ |
@@ -372,7 +372,7 @@ index 59ad3a2..6d8cd7d 100644 | |||
372 | /* import options */ | 372 | /* import options */ |
373 | extern Options options; | 373 | extern Options options; |
374 | 374 | ||
375 | @@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 375 | @@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
376 | /* Do channel operations unless rekeying in progress. */ | 376 | /* Do channel operations unless rekeying in progress. */ |
377 | if (!rekeying) { | 377 | if (!rekeying) { |
378 | channel_after_select(readset, writeset); | 378 | channel_after_select(readset, writeset); |
@@ -389,7 +389,7 @@ index 59ad3a2..6d8cd7d 100644 | |||
389 | debug("need rekeying"); | 389 | debug("need rekeying"); |
390 | xxx_kex->done = 0; | 390 | xxx_kex->done = 0; |
391 | diff --git a/config.h.in b/config.h.in | 391 | diff --git a/config.h.in b/config.h.in |
392 | index 0401ad1..6bc422c 100644 | 392 | index 16d6206..a9a8b7a 100644 |
393 | --- a/config.h.in | 393 | --- a/config.h.in |
394 | +++ b/config.h.in | 394 | +++ b/config.h.in |
395 | @@ -1622,6 +1622,9 @@ | 395 | @@ -1622,6 +1622,9 @@ |
@@ -413,10 +413,10 @@ index 0401ad1..6bc422c 100644 | |||
413 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 413 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
414 | 414 | ||
415 | diff --git a/configure b/configure | 415 | diff --git a/configure b/configure |
416 | index d690393..b6b5b6d 100755 | 416 | index 6815388..ea5f200 100755 |
417 | --- a/configure | 417 | --- a/configure |
418 | +++ b/configure | 418 | +++ b/configure |
419 | @@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h | 419 | @@ -7168,6 +7168,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h |
420 | 420 | ||
421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | 421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h |
422 | 422 | ||
@@ -481,7 +481,7 @@ index d690393..b6b5b6d 100755 | |||
481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" | 481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" |
482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : | 482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : |
483 | diff --git a/configure.ac b/configure.ac | 483 | diff --git a/configure.ac b/configure.ac |
484 | index 7c6ce08..d235fb0 100644 | 484 | index 67c4486..90e81e1 100644 |
485 | --- a/configure.ac | 485 | --- a/configure.ac |
486 | +++ b/configure.ac | 486 | +++ b/configure.ac |
487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
@@ -866,7 +866,7 @@ index b39281b..1e569ad 100644 | |||
866 | + | 866 | + |
867 | #endif /* GSSAPI */ | 867 | #endif /* GSSAPI */ |
868 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c | 868 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c |
869 | index 759fa10..e678a27 100644 | 869 | index 795992d..fd8b371 100644 |
870 | --- a/gss-serv-krb5.c | 870 | --- a/gss-serv-krb5.c |
871 | +++ b/gss-serv-krb5.c | 871 | +++ b/gss-serv-krb5.c |
872 | @@ -1,7 +1,7 @@ | 872 | @@ -1,7 +1,7 @@ |
@@ -878,7 +878,7 @@ index 759fa10..e678a27 100644 | |||
878 | * | 878 | * |
879 | * Redistribution and use in source and binary forms, with or without | 879 | * Redistribution and use in source and binary forms, with or without |
880 | * modification, are permitted provided that the following conditions | 880 | * modification, are permitted provided that the following conditions |
881 | @@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 881 | @@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
882 | krb5_error_code problem; | 882 | krb5_error_code problem; |
883 | krb5_principal princ; | 883 | krb5_principal princ; |
884 | OM_uint32 maj_status, min_status; | 884 | OM_uint32 maj_status, min_status; |
@@ -888,7 +888,7 @@ index 759fa10..e678a27 100644 | |||
888 | 888 | ||
889 | if (client->creds == NULL) { | 889 | if (client->creds == NULL) { |
890 | debug("No credentials stored"); | 890 | debug("No credentials stored"); |
891 | @@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 891 | @@ -181,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
892 | return; | 892 | return; |
893 | } | 893 | } |
894 | 894 | ||
@@ -909,7 +909,7 @@ index 759fa10..e678a27 100644 | |||
909 | 909 | ||
910 | #ifdef USE_PAM | 910 | #ifdef USE_PAM |
911 | if (options.use_pam) | 911 | if (options.use_pam) |
912 | @@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 912 | @@ -197,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
913 | return; | 913 | return; |
914 | } | 914 | } |
915 | 915 | ||
@@ -981,7 +981,7 @@ index 759fa10..e678a27 100644 | |||
981 | ssh_gssapi_mech gssapi_kerberos_mech = { | 981 | ssh_gssapi_mech gssapi_kerberos_mech = { |
982 | "toWM5Slw5Ew8Mqkay+al2g==", | 982 | "toWM5Slw5Ew8Mqkay+al2g==", |
983 | "Kerberos", | 983 | "Kerberos", |
984 | @@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { | 984 | @@ -204,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { |
985 | NULL, | 985 | NULL, |
986 | &ssh_gssapi_krb5_userok, | 986 | &ssh_gssapi_krb5_userok, |
987 | NULL, | 987 | NULL, |
@@ -992,11 +992,11 @@ index 759fa10..e678a27 100644 | |||
992 | 992 | ||
993 | #endif /* KRB5 */ | 993 | #endif /* KRB5 */ |
994 | diff --git a/gss-serv.c b/gss-serv.c | 994 | diff --git a/gss-serv.c b/gss-serv.c |
995 | index e61b37b..c33463b 100644 | 995 | index 5c59924..50fa438 100644 |
996 | --- a/gss-serv.c | 996 | --- a/gss-serv.c |
997 | +++ b/gss-serv.c | 997 | +++ b/gss-serv.c |
998 | @@ -1,7 +1,7 @@ | 998 | @@ -1,7 +1,7 @@ |
999 | /* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */ | 999 | /* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */ |
1000 | 1000 | ||
1001 | /* | 1001 | /* |
1002 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 1002 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -1029,7 +1029,7 @@ index e61b37b..c33463b 100644 | |||
1029 | #ifdef KRB5 | 1029 | #ifdef KRB5 |
1030 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 1030 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
1031 | @@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | 1031 | @@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) |
1032 | char lname[MAXHOSTNAMELEN]; | 1032 | char lname[NI_MAXHOST]; |
1033 | gss_OID_set oidset; | 1033 | gss_OID_set oidset; |
1034 | 1034 | ||
1035 | - gss_create_empty_oid_set(&status, &oidset); | 1035 | - gss_create_empty_oid_set(&status, &oidset); |
@@ -1038,11 +1038,11 @@ index e61b37b..c33463b 100644 | |||
1038 | + gss_create_empty_oid_set(&status, &oidset); | 1038 | + gss_create_empty_oid_set(&status, &oidset); |
1039 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); | 1039 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); |
1040 | 1040 | ||
1041 | - if (gethostname(lname, MAXHOSTNAMELEN)) { | 1041 | - if (gethostname(lname, sizeof(lname))) { |
1042 | - gss_release_oid_set(&status, &oidset); | 1042 | - gss_release_oid_set(&status, &oidset); |
1043 | - return (-1); | 1043 | - return (-1); |
1044 | - } | 1044 | - } |
1045 | + if (gethostname(lname, MAXHOSTNAMELEN)) { | 1045 | + if (gethostname(lname, sizeof(lname))) { |
1046 | + gss_release_oid_set(&status, &oidset); | 1046 | + gss_release_oid_set(&status, &oidset); |
1047 | + return (-1); | 1047 | + return (-1); |
1048 | + } | 1048 | + } |
@@ -1310,10 +1310,10 @@ index e61b37b..c33463b 100644 | |||
1310 | 1310 | ||
1311 | #endif | 1311 | #endif |
1312 | diff --git a/kex.c b/kex.c | 1312 | diff --git a/kex.c b/kex.c |
1313 | index 74e2b86..d114ee3 100644 | 1313 | index a173e70..891852b 100644 |
1314 | --- a/kex.c | 1314 | --- a/kex.c |
1315 | +++ b/kex.c | 1315 | +++ b/kex.c |
1316 | @@ -51,6 +51,10 @@ | 1316 | @@ -53,6 +53,10 @@ |
1317 | #include "roaming.h" | 1317 | #include "roaming.h" |
1318 | #include "digest.h" | 1318 | #include "digest.h" |
1319 | 1319 | ||
@@ -1324,8 +1324,8 @@ index 74e2b86..d114ee3 100644 | |||
1324 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1324 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1325 | # if defined(HAVE_EVP_SHA256) | 1325 | # if defined(HAVE_EVP_SHA256) |
1326 | # define evp_ssh_sha256 EVP_sha256 | 1326 | # define evp_ssh_sha256 EVP_sha256 |
1327 | @@ -92,6 +96,14 @@ static const struct kexalg kexalgs[] = { | 1327 | @@ -96,6 +100,14 @@ static const struct kexalg kexalgs[] = { |
1328 | #endif | 1328 | #endif /* HAVE_EVP_SHA256 */ |
1329 | { NULL, -1, -1, -1}, | 1329 | { NULL, -1, -1, -1}, |
1330 | }; | 1330 | }; |
1331 | +static const struct kexalg kexalg_prefixes[] = { | 1331 | +static const struct kexalg kexalg_prefixes[] = { |
@@ -1339,7 +1339,7 @@ index 74e2b86..d114ee3 100644 | |||
1339 | 1339 | ||
1340 | char * | 1340 | char * |
1341 | kex_alg_list(char sep) | 1341 | kex_alg_list(char sep) |
1342 | @@ -120,6 +132,10 @@ kex_alg_by_name(const char *name) | 1342 | @@ -124,6 +136,10 @@ kex_alg_by_name(const char *name) |
1343 | if (strcmp(k->name, name) == 0) | 1343 | if (strcmp(k->name, name) == 0) |
1344 | return k; | 1344 | return k; |
1345 | } | 1345 | } |
@@ -1351,7 +1351,7 @@ index 74e2b86..d114ee3 100644 | |||
1351 | } | 1351 | } |
1352 | 1352 | ||
1353 | diff --git a/kex.h b/kex.h | 1353 | diff --git a/kex.h b/kex.h |
1354 | index c85680e..ea698c4 100644 | 1354 | index 4c40ec8..c179a4d 100644 |
1355 | --- a/kex.h | 1355 | --- a/kex.h |
1356 | +++ b/kex.h | 1356 | +++ b/kex.h |
1357 | @@ -76,6 +76,9 @@ enum kex_exchange { | 1357 | @@ -76,6 +76,9 @@ enum kex_exchange { |
@@ -1729,10 +1729,10 @@ index 0000000..92a31c5 | |||
1729 | +#endif /* GSSAPI */ | 1729 | +#endif /* GSSAPI */ |
1730 | diff --git a/kexgsss.c b/kexgsss.c | 1730 | diff --git a/kexgsss.c b/kexgsss.c |
1731 | new file mode 100644 | 1731 | new file mode 100644 |
1732 | index 0000000..8095259 | 1732 | index 0000000..6a0ece8 |
1733 | --- /dev/null | 1733 | --- /dev/null |
1734 | +++ b/kexgsss.c | 1734 | +++ b/kexgsss.c |
1735 | @@ -0,0 +1,289 @@ | 1735 | @@ -0,0 +1,290 @@ |
1736 | +/* | 1736 | +/* |
1737 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1737 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1738 | + * | 1738 | + * |
@@ -1777,6 +1777,7 @@ index 0000000..8095259 | |||
1777 | +#include "dh.h" | 1777 | +#include "dh.h" |
1778 | +#include "ssh-gss.h" | 1778 | +#include "ssh-gss.h" |
1779 | +#include "monitor_wrap.h" | 1779 | +#include "monitor_wrap.h" |
1780 | +#include "misc.h" | ||
1780 | +#include "servconf.h" | 1781 | +#include "servconf.h" |
1781 | + | 1782 | + |
1782 | +extern ServerOptions options; | 1783 | +extern ServerOptions options; |
@@ -2022,44 +2023,11 @@ index 0000000..8095259 | |||
2022 | + ssh_gssapi_rekey_creds(); | 2023 | + ssh_gssapi_rekey_creds(); |
2023 | +} | 2024 | +} |
2024 | +#endif /* GSSAPI */ | 2025 | +#endif /* GSSAPI */ |
2025 | diff --git a/key.c b/key.c | ||
2026 | index 168e1b7..3d640e7 100644 | ||
2027 | --- a/key.c | ||
2028 | +++ b/key.c | ||
2029 | @@ -985,6 +985,7 @@ static const struct keytype keytypes[] = { | ||
2030 | KEY_DSA_CERT_V00, 0, 1 }, | ||
2031 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | ||
2032 | KEY_ED25519_CERT, 0, 1 }, | ||
2033 | + { "null", "null", KEY_NULL, 0, 0 }, | ||
2034 | { NULL, NULL, -1, -1, 0 } | ||
2035 | }; | ||
2036 | |||
2037 | @@ -1063,7 +1064,7 @@ key_alg_list(int certs_only, int plain_only) | ||
2038 | const struct keytype *kt; | ||
2039 | |||
2040 | for (kt = keytypes; kt->type != -1; kt++) { | ||
2041 | - if (kt->name == NULL) | ||
2042 | + if (kt->name == NULL || kt->type == KEY_NULL) | ||
2043 | continue; | ||
2044 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
2045 | continue; | ||
2046 | diff --git a/key.h b/key.h | ||
2047 | index d8ad13d..c8aeba2 100644 | ||
2048 | --- a/key.h | ||
2049 | +++ b/key.h | ||
2050 | @@ -46,6 +46,7 @@ enum types { | ||
2051 | KEY_ED25519_CERT, | ||
2052 | KEY_RSA_CERT_V00, | ||
2053 | KEY_DSA_CERT_V00, | ||
2054 | + KEY_NULL, | ||
2055 | KEY_UNSPEC | ||
2056 | }; | ||
2057 | enum fp_type { | ||
2058 | diff --git a/monitor.c b/monitor.c | 2026 | diff --git a/monitor.c b/monitor.c |
2059 | index 531c4f9..2918814 100644 | 2027 | index dbe29f1..b0896ef 100644 |
2060 | --- a/monitor.c | 2028 | --- a/monitor.c |
2061 | +++ b/monitor.c | 2029 | +++ b/monitor.c |
2062 | @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 2030 | @@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
2063 | int mm_answer_gss_accept_ctx(int, Buffer *); | 2031 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2064 | int mm_answer_gss_userok(int, Buffer *); | 2032 | int mm_answer_gss_userok(int, Buffer *); |
2065 | int mm_answer_gss_checkmic(int, Buffer *); | 2033 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -2068,7 +2036,7 @@ index 531c4f9..2918814 100644 | |||
2068 | #endif | 2036 | #endif |
2069 | 2037 | ||
2070 | #ifdef SSH_AUDIT_EVENTS | 2038 | #ifdef SSH_AUDIT_EVENTS |
2071 | @@ -247,11 +249,18 @@ struct mon_table mon_dispatch_proto20[] = { | 2039 | @@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = { |
2072 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2040 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2073 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2041 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2074 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2042 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2084,10 +2052,10 @@ index 531c4f9..2918814 100644 | |||
2084 | + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, | 2052 | + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, |
2085 | + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, | 2053 | + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, |
2086 | +#endif | 2054 | +#endif |
2055 | #ifdef WITH_OPENSSL | ||
2087 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2056 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2088 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 2057 | #endif |
2089 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 2058 | @@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2090 | @@ -360,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | ||
2091 | /* Permit requests for moduli and signatures */ | 2059 | /* Permit requests for moduli and signatures */ |
2092 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2060 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2093 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2061 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2098,7 +2066,7 @@ index 531c4f9..2918814 100644 | |||
2098 | } else { | 2066 | } else { |
2099 | mon_dispatch = mon_dispatch_proto15; | 2067 | mon_dispatch = mon_dispatch_proto15; |
2100 | 2068 | ||
2101 | @@ -465,6 +478,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2069 | @@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2102 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2070 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2103 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2071 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2104 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2072 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2109,9 +2077,9 @@ index 531c4f9..2918814 100644 | |||
2109 | } else { | 2077 | } else { |
2110 | mon_dispatch = mon_dispatch_postauth15; | 2078 | mon_dispatch = mon_dispatch_postauth15; |
2111 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2079 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2112 | @@ -1834,6 +1851,13 @@ mm_get_kex(Buffer *m) | 2080 | @@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m) |
2113 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | ||
2114 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2081 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
2082 | #endif | ||
2115 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2083 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
2116 | +#ifdef GSSAPI | 2084 | +#ifdef GSSAPI |
2117 | + if (options.gss_keyex) { | 2085 | + if (options.gss_keyex) { |
@@ -2123,7 +2091,7 @@ index 531c4f9..2918814 100644 | |||
2123 | kex->server = 1; | 2091 | kex->server = 1; |
2124 | kex->hostkey_type = buffer_get_int(m); | 2092 | kex->hostkey_type = buffer_get_int(m); |
2125 | kex->kex_type = buffer_get_int(m); | 2093 | kex->kex_type = buffer_get_int(m); |
2126 | @@ -2041,6 +2065,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2094 | @@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2127 | OM_uint32 major; | 2095 | OM_uint32 major; |
2128 | u_int len; | 2096 | u_int len; |
2129 | 2097 | ||
@@ -2133,7 +2101,7 @@ index 531c4f9..2918814 100644 | |||
2133 | goid.elements = buffer_get_string(m, &len); | 2101 | goid.elements = buffer_get_string(m, &len); |
2134 | goid.length = len; | 2102 | goid.length = len; |
2135 | 2103 | ||
2136 | @@ -2068,6 +2095,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2104 | @@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2137 | OM_uint32 flags = 0; /* GSI needs this */ | 2105 | OM_uint32 flags = 0; /* GSI needs this */ |
2138 | u_int len; | 2106 | u_int len; |
2139 | 2107 | ||
@@ -2143,7 +2111,7 @@ index 531c4f9..2918814 100644 | |||
2143 | in.value = buffer_get_string(m, &len); | 2111 | in.value = buffer_get_string(m, &len); |
2144 | in.length = len; | 2112 | in.length = len; |
2145 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2113 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2146 | @@ -2085,6 +2115,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2114 | @@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2147 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2115 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2148 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2116 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2149 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2117 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2151,7 +2119,7 @@ index 531c4f9..2918814 100644 | |||
2151 | } | 2119 | } |
2152 | return (0); | 2120 | return (0); |
2153 | } | 2121 | } |
2154 | @@ -2096,6 +2127,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2122 | @@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2155 | OM_uint32 ret; | 2123 | OM_uint32 ret; |
2156 | u_int len; | 2124 | u_int len; |
2157 | 2125 | ||
@@ -2161,7 +2129,7 @@ index 531c4f9..2918814 100644 | |||
2161 | gssbuf.value = buffer_get_string(m, &len); | 2129 | gssbuf.value = buffer_get_string(m, &len); |
2162 | gssbuf.length = len; | 2130 | gssbuf.length = len; |
2163 | mic.value = buffer_get_string(m, &len); | 2131 | mic.value = buffer_get_string(m, &len); |
2164 | @@ -2122,7 +2156,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2132 | @@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2165 | { | 2133 | { |
2166 | int authenticated; | 2134 | int authenticated; |
2167 | 2135 | ||
@@ -2174,7 +2142,7 @@ index 531c4f9..2918814 100644 | |||
2174 | 2142 | ||
2175 | buffer_clear(m); | 2143 | buffer_clear(m); |
2176 | buffer_put_int(m, authenticated); | 2144 | buffer_put_int(m, authenticated); |
2177 | @@ -2135,5 +2173,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2145 | @@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2178 | /* Monitor loop will terminate if authenticated */ | 2146 | /* Monitor loop will terminate if authenticated */ |
2179 | return (authenticated); | 2147 | return (authenticated); |
2180 | } | 2148 | } |
@@ -2263,10 +2231,10 @@ index 5bc41b5..7f32b0c 100644 | |||
2263 | 2231 | ||
2264 | struct mm_master; | 2232 | struct mm_master; |
2265 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2233 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2266 | index 1a47e41..60b987d 100644 | 2234 | index 45dc169..e476f0d 100644 |
2267 | --- a/monitor_wrap.c | 2235 | --- a/monitor_wrap.c |
2268 | +++ b/monitor_wrap.c | 2236 | +++ b/monitor_wrap.c |
2269 | @@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2237 | @@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2270 | } | 2238 | } |
2271 | 2239 | ||
2272 | int | 2240 | int |
@@ -2275,7 +2243,7 @@ index 1a47e41..60b987d 100644 | |||
2275 | { | 2243 | { |
2276 | Buffer m; | 2244 | Buffer m; |
2277 | int authenticated = 0; | 2245 | int authenticated = 0; |
2278 | @@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user) | 2246 | @@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user) |
2279 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2247 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2280 | return (authenticated); | 2248 | return (authenticated); |
2281 | } | 2249 | } |
@@ -2343,10 +2311,10 @@ index 18c2501..a4e9d24 100644 | |||
2343 | 2311 | ||
2344 | #ifdef USE_PAM | 2312 | #ifdef USE_PAM |
2345 | diff --git a/readconf.c b/readconf.c | 2313 | diff --git a/readconf.c b/readconf.c |
2346 | index dc884c9..7613ff2 100644 | 2314 | index 7948ce1..9127e93 100644 |
2347 | --- a/readconf.c | 2315 | --- a/readconf.c |
2348 | +++ b/readconf.c | 2316 | +++ b/readconf.c |
2349 | @@ -141,6 +141,8 @@ typedef enum { | 2317 | @@ -142,6 +142,8 @@ typedef enum { |
2350 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2318 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2351 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2319 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2352 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2320 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2355,7 +2323,7 @@ index dc884c9..7613ff2 100644 | |||
2355 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2323 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2356 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2324 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2357 | oHashKnownHosts, | 2325 | oHashKnownHosts, |
2358 | @@ -183,10 +185,19 @@ static struct { | 2326 | @@ -185,10 +187,19 @@ static struct { |
2359 | { "afstokenpassing", oUnsupported }, | 2327 | { "afstokenpassing", oUnsupported }, |
2360 | #if defined(GSSAPI) | 2328 | #if defined(GSSAPI) |
2361 | { "gssapiauthentication", oGssAuthentication }, | 2329 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2375,7 +2343,7 @@ index dc884c9..7613ff2 100644 | |||
2375 | #endif | 2343 | #endif |
2376 | { "fallbacktorsh", oDeprecated }, | 2344 | { "fallbacktorsh", oDeprecated }, |
2377 | { "usersh", oDeprecated }, | 2345 | { "usersh", oDeprecated }, |
2378 | @@ -841,10 +852,30 @@ parse_time: | 2346 | @@ -865,10 +876,30 @@ parse_time: |
2379 | intptr = &options->gss_authentication; | 2347 | intptr = &options->gss_authentication; |
2380 | goto parse_flag; | 2348 | goto parse_flag; |
2381 | 2349 | ||
@@ -2406,7 +2374,7 @@ index dc884c9..7613ff2 100644 | |||
2406 | case oBatchMode: | 2374 | case oBatchMode: |
2407 | intptr = &options->batch_mode; | 2375 | intptr = &options->batch_mode; |
2408 | goto parse_flag; | 2376 | goto parse_flag; |
2409 | @@ -1497,7 +1528,12 @@ initialize_options(Options * options) | 2377 | @@ -1538,7 +1569,12 @@ initialize_options(Options * options) |
2410 | options->pubkey_authentication = -1; | 2378 | options->pubkey_authentication = -1; |
2411 | options->challenge_response_authentication = -1; | 2379 | options->challenge_response_authentication = -1; |
2412 | options->gss_authentication = -1; | 2380 | options->gss_authentication = -1; |
@@ -2419,7 +2387,7 @@ index dc884c9..7613ff2 100644 | |||
2419 | options->password_authentication = -1; | 2387 | options->password_authentication = -1; |
2420 | options->kbd_interactive_authentication = -1; | 2388 | options->kbd_interactive_authentication = -1; |
2421 | options->kbd_interactive_devices = NULL; | 2389 | options->kbd_interactive_devices = NULL; |
2422 | @@ -1616,8 +1652,14 @@ fill_default_options(Options * options) | 2390 | @@ -1661,8 +1697,14 @@ fill_default_options(Options * options) |
2423 | options->challenge_response_authentication = 1; | 2391 | options->challenge_response_authentication = 1; |
2424 | if (options->gss_authentication == -1) | 2392 | if (options->gss_authentication == -1) |
2425 | options->gss_authentication = 0; | 2393 | options->gss_authentication = 0; |
@@ -2435,10 +2403,10 @@ index dc884c9..7613ff2 100644 | |||
2435 | options->password_authentication = 1; | 2403 | options->password_authentication = 1; |
2436 | if (options->kbd_interactive_authentication == -1) | 2404 | if (options->kbd_interactive_authentication == -1) |
2437 | diff --git a/readconf.h b/readconf.h | 2405 | diff --git a/readconf.h b/readconf.h |
2438 | index 75e3f8f..5cc97f0 100644 | 2406 | index 0b9cb77..0e29889 100644 |
2439 | --- a/readconf.h | 2407 | --- a/readconf.h |
2440 | +++ b/readconf.h | 2408 | +++ b/readconf.h |
2441 | @@ -54,7 +54,12 @@ typedef struct { | 2409 | @@ -45,7 +45,12 @@ typedef struct { |
2442 | int challenge_response_authentication; | 2410 | int challenge_response_authentication; |
2443 | /* Try S/Key or TIS, authentication. */ | 2411 | /* Try S/Key or TIS, authentication. */ |
2444 | int gss_authentication; /* Try GSS authentication */ | 2412 | int gss_authentication; /* Try GSS authentication */ |
@@ -2452,10 +2420,10 @@ index 75e3f8f..5cc97f0 100644 | |||
2452 | * authentication. */ | 2420 | * authentication. */ |
2453 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2421 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2454 | diff --git a/servconf.c b/servconf.c | 2422 | diff --git a/servconf.c b/servconf.c |
2455 | index 7ba65d5..0083cf8 100644 | 2423 | index b7f3294..cb3c831 100644 |
2456 | --- a/servconf.c | 2424 | --- a/servconf.c |
2457 | +++ b/servconf.c | 2425 | +++ b/servconf.c |
2458 | @@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) | 2426 | @@ -109,7 +109,10 @@ initialize_server_options(ServerOptions *options) |
2459 | options->kerberos_ticket_cleanup = -1; | 2427 | options->kerberos_ticket_cleanup = -1; |
2460 | options->kerberos_get_afs_token = -1; | 2428 | options->kerberos_get_afs_token = -1; |
2461 | options->gss_authentication=-1; | 2429 | options->gss_authentication=-1; |
@@ -2466,7 +2434,7 @@ index 7ba65d5..0083cf8 100644 | |||
2466 | options->password_authentication = -1; | 2434 | options->password_authentication = -1; |
2467 | options->kbd_interactive_authentication = -1; | 2435 | options->kbd_interactive_authentication = -1; |
2468 | options->challenge_response_authentication = -1; | 2436 | options->challenge_response_authentication = -1; |
2469 | @@ -244,8 +247,14 @@ fill_default_server_options(ServerOptions *options) | 2437 | @@ -250,8 +253,14 @@ fill_default_server_options(ServerOptions *options) |
2470 | options->kerberos_get_afs_token = 0; | 2438 | options->kerberos_get_afs_token = 0; |
2471 | if (options->gss_authentication == -1) | 2439 | if (options->gss_authentication == -1) |
2472 | options->gss_authentication = 0; | 2440 | options->gss_authentication = 0; |
@@ -2481,7 +2449,7 @@ index 7ba65d5..0083cf8 100644 | |||
2481 | if (options->password_authentication == -1) | 2449 | if (options->password_authentication == -1) |
2482 | options->password_authentication = 1; | 2450 | options->password_authentication = 1; |
2483 | if (options->kbd_interactive_authentication == -1) | 2451 | if (options->kbd_interactive_authentication == -1) |
2484 | @@ -340,7 +349,9 @@ typedef enum { | 2452 | @@ -352,7 +361,9 @@ typedef enum { |
2485 | sBanner, sUseDNS, sHostbasedAuthentication, | 2453 | sBanner, sUseDNS, sHostbasedAuthentication, |
2486 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2454 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2487 | sClientAliveCountMax, sAuthorizedKeysFile, | 2455 | sClientAliveCountMax, sAuthorizedKeysFile, |
@@ -2492,7 +2460,7 @@ index 7ba65d5..0083cf8 100644 | |||
2492 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2460 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2493 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2461 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2494 | sHostCertificate, | 2462 | sHostCertificate, |
2495 | @@ -407,10 +418,20 @@ static struct { | 2463 | @@ -421,10 +432,20 @@ static struct { |
2496 | #ifdef GSSAPI | 2464 | #ifdef GSSAPI |
2497 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2465 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2498 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2466 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2513,7 +2481,7 @@ index 7ba65d5..0083cf8 100644 | |||
2513 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2481 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2514 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2482 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2515 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2483 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2516 | @@ -1086,10 +1107,22 @@ process_server_config_line(ServerOptions *options, char *line, | 2484 | @@ -1104,10 +1125,22 @@ process_server_config_line(ServerOptions *options, char *line, |
2517 | intptr = &options->gss_authentication; | 2485 | intptr = &options->gss_authentication; |
2518 | goto parse_flag; | 2486 | goto parse_flag; |
2519 | 2487 | ||
@@ -2536,7 +2504,7 @@ index 7ba65d5..0083cf8 100644 | |||
2536 | case sPasswordAuthentication: | 2504 | case sPasswordAuthentication: |
2537 | intptr = &options->password_authentication; | 2505 | intptr = &options->password_authentication; |
2538 | goto parse_flag; | 2506 | goto parse_flag; |
2539 | @@ -1995,7 +2028,10 @@ dump_config(ServerOptions *o) | 2507 | @@ -2042,7 +2075,10 @@ dump_config(ServerOptions *o) |
2540 | #endif | 2508 | #endif |
2541 | #ifdef GSSAPI | 2509 | #ifdef GSSAPI |
2542 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2510 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2548,10 +2516,10 @@ index 7ba65d5..0083cf8 100644 | |||
2548 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2516 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2549 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2517 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2550 | diff --git a/servconf.h b/servconf.h | 2518 | diff --git a/servconf.h b/servconf.h |
2551 | index 752d1c5..c922eb5 100644 | 2519 | index 766db3a..f8265a8 100644 |
2552 | --- a/servconf.h | 2520 | --- a/servconf.h |
2553 | +++ b/servconf.h | 2521 | +++ b/servconf.h |
2554 | @@ -112,7 +112,10 @@ typedef struct { | 2522 | @@ -113,7 +113,10 @@ typedef struct { |
2555 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2523 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2556 | * authenticated with Kerberos. */ | 2524 | * authenticated with Kerberos. */ |
2557 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2525 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2679,10 +2647,10 @@ index 03a228f..228e5ab 100644 | |||
2679 | # CheckHostIP yes | 2647 | # CheckHostIP yes |
2680 | # AddressFamily any | 2648 | # AddressFamily any |
2681 | diff --git a/ssh_config.5 b/ssh_config.5 | 2649 | diff --git a/ssh_config.5 b/ssh_config.5 |
2682 | index b580392..e7accd6 100644 | 2650 | index f9ede7a..e6649ac 100644 |
2683 | --- a/ssh_config.5 | 2651 | --- a/ssh_config.5 |
2684 | +++ b/ssh_config.5 | 2652 | +++ b/ssh_config.5 |
2685 | @@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2653 | @@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2686 | The default is | 2654 | The default is |
2687 | .Dq no . | 2655 | .Dq no . |
2688 | Note that this option applies to protocol version 2 only. | 2656 | Note that this option applies to protocol version 2 only. |
@@ -2728,11 +2696,11 @@ index b580392..e7accd6 100644 | |||
2728 | Indicates that | 2696 | Indicates that |
2729 | .Xr ssh 1 | 2697 | .Xr ssh 1 |
2730 | diff --git a/sshconnect2.c b/sshconnect2.c | 2698 | diff --git a/sshconnect2.c b/sshconnect2.c |
2731 | index 7f4ff41..66cb035 100644 | 2699 | index 68f7f4f..7b478f1 100644 |
2732 | --- a/sshconnect2.c | 2700 | --- a/sshconnect2.c |
2733 | +++ b/sshconnect2.c | 2701 | +++ b/sshconnect2.c |
2734 | @@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2702 | @@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2735 | { | 2703 | char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; |
2736 | Kex *kex; | 2704 | Kex *kex; |
2737 | 2705 | ||
2738 | +#ifdef GSSAPI | 2706 | +#ifdef GSSAPI |
@@ -2766,9 +2734,9 @@ index 7f4ff41..66cb035 100644 | |||
2766 | if (options.ciphers == (char *)-1) { | 2734 | if (options.ciphers == (char *)-1) { |
2767 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2735 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2768 | options.ciphers = NULL; | 2736 | options.ciphers = NULL; |
2769 | @@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2737 | @@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2770 | if (options.kex_algorithms != NULL) | 2738 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
2771 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2739 | myproposal[PROPOSAL_KEX_ALGS]); |
2772 | 2740 | ||
2773 | +#ifdef GSSAPI | 2741 | +#ifdef GSSAPI |
2774 | + /* If we've got GSSAPI algorithms, then we also support the | 2742 | + /* If we've got GSSAPI algorithms, then we also support the |
@@ -2784,9 +2752,9 @@ index 7f4ff41..66cb035 100644 | |||
2784 | if (options.rekey_limit || options.rekey_interval) | 2752 | if (options.rekey_limit || options.rekey_interval) |
2785 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2753 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2786 | (time_t)options.rekey_interval); | 2754 | (time_t)options.rekey_interval); |
2787 | @@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2755 | @@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2788 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | ||
2789 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2756 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; |
2757 | #endif | ||
2790 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; | 2758 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; |
2791 | +#ifdef GSSAPI | 2759 | +#ifdef GSSAPI |
2792 | + if (options.gss_keyex) { | 2760 | + if (options.gss_keyex) { |
@@ -2815,7 +2783,7 @@ index 7f4ff41..66cb035 100644 | |||
2815 | xxx_kex = kex; | 2783 | xxx_kex = kex; |
2816 | 2784 | ||
2817 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2785 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2818 | @@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | 2786 | @@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); |
2819 | void input_gssapi_hash(int type, u_int32_t, void *); | 2787 | void input_gssapi_hash(int type, u_int32_t, void *); |
2820 | void input_gssapi_error(int, u_int32_t, void *); | 2788 | void input_gssapi_error(int, u_int32_t, void *); |
2821 | void input_gssapi_errtok(int, u_int32_t, void *); | 2789 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2823,7 +2791,7 @@ index 7f4ff41..66cb035 100644 | |||
2823 | #endif | 2791 | #endif |
2824 | 2792 | ||
2825 | void userauth(Authctxt *, char *); | 2793 | void userauth(Authctxt *, char *); |
2826 | @@ -316,6 +373,11 @@ static char *authmethods_get(void); | 2794 | @@ -321,6 +378,11 @@ static char *authmethods_get(void); |
2827 | 2795 | ||
2828 | Authmethod authmethods[] = { | 2796 | Authmethod authmethods[] = { |
2829 | #ifdef GSSAPI | 2797 | #ifdef GSSAPI |
@@ -2835,7 +2803,7 @@ index 7f4ff41..66cb035 100644 | |||
2835 | {"gssapi-with-mic", | 2803 | {"gssapi-with-mic", |
2836 | userauth_gssapi, | 2804 | userauth_gssapi, |
2837 | NULL, | 2805 | NULL, |
2838 | @@ -612,19 +674,31 @@ userauth_gssapi(Authctxt *authctxt) | 2806 | @@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt) |
2839 | static u_int mech = 0; | 2807 | static u_int mech = 0; |
2840 | OM_uint32 min; | 2808 | OM_uint32 min; |
2841 | int ok = 0; | 2809 | int ok = 0; |
@@ -2869,7 +2837,7 @@ index 7f4ff41..66cb035 100644 | |||
2869 | ok = 1; /* Mechanism works */ | 2837 | ok = 1; /* Mechanism works */ |
2870 | } else { | 2838 | } else { |
2871 | mech++; | 2839 | mech++; |
2872 | @@ -721,8 +795,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2840 | @@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2873 | { | 2841 | { |
2874 | Authctxt *authctxt = ctxt; | 2842 | Authctxt *authctxt = ctxt; |
2875 | Gssctxt *gssctxt; | 2843 | Gssctxt *gssctxt; |
@@ -2880,7 +2848,7 @@ index 7f4ff41..66cb035 100644 | |||
2880 | 2848 | ||
2881 | if (authctxt == NULL) | 2849 | if (authctxt == NULL) |
2882 | fatal("input_gssapi_response: no authentication context"); | 2850 | fatal("input_gssapi_response: no authentication context"); |
2883 | @@ -831,6 +905,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 2851 | @@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2884 | free(msg); | 2852 | free(msg); |
2885 | free(lang); | 2853 | free(lang); |
2886 | } | 2854 | } |
@@ -2930,10 +2898,10 @@ index 7f4ff41..66cb035 100644 | |||
2930 | 2898 | ||
2931 | int | 2899 | int |
2932 | diff --git a/sshd.c b/sshd.c | 2900 | diff --git a/sshd.c b/sshd.c |
2933 | index 7523de9..d787fea 100644 | 2901 | index 481d001..e6706a8 100644 |
2934 | --- a/sshd.c | 2902 | --- a/sshd.c |
2935 | +++ b/sshd.c | 2903 | +++ b/sshd.c |
2936 | @@ -122,6 +122,10 @@ | 2904 | @@ -123,6 +123,10 @@ |
2937 | #include "ssh-sandbox.h" | 2905 | #include "ssh-sandbox.h" |
2938 | #include "version.h" | 2906 | #include "version.h" |
2939 | 2907 | ||
@@ -2941,10 +2909,10 @@ index 7523de9..d787fea 100644 | |||
2941 | +#include <Security/AuthSession.h> | 2909 | +#include <Security/AuthSession.h> |
2942 | +#endif | 2910 | +#endif |
2943 | + | 2911 | + |
2944 | #ifdef LIBWRAP | 2912 | #ifndef O_NOCTTY |
2945 | #include <tcpd.h> | 2913 | #define O_NOCTTY 0 |
2946 | #include <syslog.h> | 2914 | #endif |
2947 | @@ -1728,10 +1732,13 @@ main(int ac, char **av) | 2915 | @@ -1745,10 +1749,13 @@ main(int ac, char **av) |
2948 | logit("Disabling protocol version 1. Could not load host key"); | 2916 | logit("Disabling protocol version 1. Could not load host key"); |
2949 | options.protocol &= ~SSH_PROTO_1; | 2917 | options.protocol &= ~SSH_PROTO_1; |
2950 | } | 2918 | } |
@@ -2958,7 +2926,7 @@ index 7523de9..d787fea 100644 | |||
2958 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2926 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2959 | logit("sshd: no hostkeys available -- exiting."); | 2927 | logit("sshd: no hostkeys available -- exiting."); |
2960 | exit(1); | 2928 | exit(1); |
2961 | @@ -2058,6 +2065,60 @@ main(int ac, char **av) | 2929 | @@ -2060,6 +2067,60 @@ main(int ac, char **av) |
2962 | remote_ip, remote_port, | 2930 | remote_ip, remote_port, |
2963 | get_local_ipaddr(sock_in), get_local_port()); | 2931 | get_local_ipaddr(sock_in), get_local_port()); |
2964 | 2932 | ||
@@ -3019,7 +2987,7 @@ index 7523de9..d787fea 100644 | |||
3019 | /* | 2987 | /* |
3020 | * We don't want to listen forever unless the other side | 2988 | * We don't want to listen forever unless the other side |
3021 | * successfully authenticates itself. So we set up an alarm which is | 2989 | * successfully authenticates itself. So we set up an alarm which is |
3022 | @@ -2469,6 +2530,48 @@ do_ssh2_kex(void) | 2990 | @@ -2482,6 +2543,48 @@ do_ssh2_kex(void) |
3023 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2991 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3024 | list_hostkey_types()); | 2992 | list_hostkey_types()); |
3025 | 2993 | ||
@@ -3067,10 +3035,10 @@ index 7523de9..d787fea 100644 | |||
3067 | + | 3035 | + |
3068 | /* start key exchange */ | 3036 | /* start key exchange */ |
3069 | kex = kex_setup(myproposal); | 3037 | kex = kex_setup(myproposal); |
3070 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3038 | #ifdef WITH_OPENSSL |
3071 | @@ -2477,6 +2580,13 @@ do_ssh2_kex(void) | 3039 | @@ -2492,6 +2595,13 @@ do_ssh2_kex(void) |
3072 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | ||
3073 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3040 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
3041 | #endif | ||
3074 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 3042 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
3075 | +#ifdef GSSAPI | 3043 | +#ifdef GSSAPI |
3076 | + if (options.gss_keyex) { | 3044 | + if (options.gss_keyex) { |
@@ -3096,10 +3064,10 @@ index e9045bc..d9b8594 100644 | |||
3096 | # Set this to 'yes' to enable PAM authentication, account processing, | 3064 | # Set this to 'yes' to enable PAM authentication, account processing, |
3097 | # and session processing. If this is enabled, PAM authentication will | 3065 | # and session processing. If this is enabled, PAM authentication will |
3098 | diff --git a/sshd_config.5 b/sshd_config.5 | 3066 | diff --git a/sshd_config.5 b/sshd_config.5 |
3099 | index ce71efe..ceed88a 100644 | 3067 | index fd44abe..c8b43da 100644 |
3100 | --- a/sshd_config.5 | 3068 | --- a/sshd_config.5 |
3101 | +++ b/sshd_config.5 | 3069 | +++ b/sshd_config.5 |
3102 | @@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | 3070 | @@ -527,12 +527,40 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3103 | The default is | 3071 | The default is |
3104 | .Dq no . | 3072 | .Dq no . |
3105 | Note that this option applies to protocol version 2 only. | 3073 | Note that this option applies to protocol version 2 only. |
@@ -3140,3 +3108,36 @@ index ce71efe..ceed88a 100644 | |||
3140 | .It Cm HostbasedAuthentication | 3108 | .It Cm HostbasedAuthentication |
3141 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 3109 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
3142 | with successful public key client host authentication is allowed | 3110 | with successful public key client host authentication is allowed |
3111 | diff --git a/sshkey.c b/sshkey.c | ||
3112 | index fdd0c8a..1a96eae 100644 | ||
3113 | --- a/sshkey.c | ||
3114 | +++ b/sshkey.c | ||
3115 | @@ -110,6 +110,7 @@ static const struct keytype keytypes[] = { | ||
3116 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | ||
3117 | KEY_DSA_CERT_V00, 0, 1 }, | ||
3118 | #endif /* WITH_OPENSSL */ | ||
3119 | + { "null", "null", KEY_NULL, 0, 0 }, | ||
3120 | { NULL, NULL, -1, -1, 0 } | ||
3121 | }; | ||
3122 | |||
3123 | @@ -198,7 +199,7 @@ key_alg_list(int certs_only, int plain_only) | ||
3124 | const struct keytype *kt; | ||
3125 | |||
3126 | for (kt = keytypes; kt->type != -1; kt++) { | ||
3127 | - if (kt->name == NULL) | ||
3128 | + if (kt->name == NULL || kt->type == KEY_NULL) | ||
3129 | continue; | ||
3130 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
3131 | continue; | ||
3132 | diff --git a/sshkey.h b/sshkey.h | ||
3133 | index 450b30c..b573e7f 100644 | ||
3134 | --- a/sshkey.h | ||
3135 | +++ b/sshkey.h | ||
3136 | @@ -64,6 +64,7 @@ enum sshkey_types { | ||
3137 | KEY_ED25519_CERT, | ||
3138 | KEY_RSA_CERT_V00, | ||
3139 | KEY_DSA_CERT_V00, | ||
3140 | + KEY_NULL, | ||
3141 | KEY_UNSPEC | ||
3142 | }; | ||
3143 | |||