author | Colin Watson <cjwatson@debian.org> | 2020-06-07 10:19:24 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2020-06-07 11:03:12 +0100 |
commit | 30337f8b66c66af6b368d1e3c789e75f1247176c (patch) | |
tree | 17e0b8652fea31c04faa19ffc4cd088552ee473a /debian/patches/gssapi.patch | |
parent | aef2be11c5ea90bc66e774923e6570213e54c195 (diff) | |
parent | 39b8d128ef980a410bb1ea0ee80e95ac9fff59c3 (diff) |
New upstream release (8.3p1)
Also update GSSAPI key exchange patch from
https://github.com/openssh-gsskex/openssh-gsskex.
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 181 |
1 files changed, 100 insertions, 81 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 4bf1d3f73..685923e47 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 34aff3aa136e5a65f441b25811dd466488fda087 Mon Sep 17 00:00:00 2001 | 1 | From 79f9d21b406c172878896ef41cdc2502fc2f84a7 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -16,9 +16,12 @@ have it merged into the main openssh package rather than having separate | |||
16 | -krb5 packages (as we used to have). It seems to have a generally good | 16 | -krb5 packages (as we used to have). It seems to have a generally good |
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Author: Simon Wilkinson <simon@sxw.org.uk> | ||
20 | Author: Colin Watson <cjwatson@debian.org> | ||
21 | Author: Jakub Jelen <jjelen@redhat.com> | ||
19 | Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master | 22 | Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master |
20 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 23 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
21 | Last-Updated: 2020-02-21 | 24 | Last-Updated: 2020-06-07 |
22 | 25 | ||
23 | Patch-Name: gssapi.patch | 26 | Patch-Name: gssapi.patch |
24 | --- | 27 | --- |
@@ -49,23 +52,23 @@ Patch-Name: gssapi.patch | |||
49 | servconf.c | 47 ++++ | 52 | servconf.c | 47 ++++ |
50 | servconf.h | 3 + | 53 | servconf.h | 3 + |
51 | session.c | 10 +- | 54 | session.c | 10 +- |
52 | ssh-gss.h | 50 +++- | 55 | ssh-gss.h | 54 ++++- |
53 | ssh.1 | 8 + | 56 | ssh.1 | 8 + |
54 | ssh.c | 6 +- | 57 | ssh.c | 6 +- |
55 | ssh_config | 2 + | 58 | ssh_config | 2 + |
56 | ssh_config.5 | 57 +++++ | 59 | ssh_config.5 | 57 +++++ |
57 | sshconnect2.c | 142 +++++++++++- | 60 | sshconnect2.c | 154 +++++++++++- |
58 | sshd.c | 62 ++++- | 61 | sshd.c | 62 ++++- |
59 | sshd_config | 2 + | 62 | sshd_config | 2 + |
60 | sshd_config.5 | 30 +++ | 63 | sshd_config.5 | 30 +++ |
61 | sshkey.c | 3 +- | 64 | sshkey.c | 3 +- |
62 | sshkey.h | 1 + | 65 | sshkey.h | 1 + |
63 | 38 files changed, 2624 insertions(+), 160 deletions(-) | 66 | 38 files changed, 2640 insertions(+), 160 deletions(-) |
64 | create mode 100644 kexgssc.c | 67 | create mode 100644 kexgssc.c |
65 | create mode 100644 kexgsss.c | 68 | create mode 100644 kexgsss.c |
66 | 69 | ||
67 | diff --git a/Makefile.in b/Makefile.in | 70 | diff --git a/Makefile.in b/Makefile.in |
68 | index e7549470c..b68c1710f 100644 | 71 | index c9e4294d3..bf1e1de47 100644 |
69 | --- a/Makefile.in | 72 | --- a/Makefile.in |
70 | +++ b/Makefile.in | 73 | +++ b/Makefile.in |
71 | @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 74 | @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
@@ -336,7 +339,7 @@ index 9351e0428..d6446c0cf 100644 | |||
336 | "gssapi-with-mic", | 339 | "gssapi-with-mic", |
337 | userauth_gssapi, | 340 | userauth_gssapi, |
338 | diff --git a/auth2.c b/auth2.c | 341 | diff --git a/auth2.c b/auth2.c |
339 | index 0e7762242..1c217268c 100644 | 342 | index 91aaf34a6..a4a5e0069 100644 |
340 | --- a/auth2.c | 343 | --- a/auth2.c |
341 | +++ b/auth2.c | 344 | +++ b/auth2.c |
342 | @@ -73,6 +73,7 @@ extern Authmethod method_passwd; | 345 | @@ -73,6 +73,7 @@ extern Authmethod method_passwd; |
@@ -474,7 +477,7 @@ index 26d62855a..0cadc9f18 100644 | |||
474 | int get_peer_port(int); | 477 | int get_peer_port(int); |
475 | char *get_local_ipaddr(int); | 478 | char *get_local_ipaddr(int); |
476 | diff --git a/clientloop.c b/clientloop.c | 479 | diff --git a/clientloop.c b/clientloop.c |
477 | index ebd0dbca1..1bdac6a46 100644 | 480 | index da396c72a..42ace7789 100644 |
478 | --- a/clientloop.c | 481 | --- a/clientloop.c |
479 | +++ b/clientloop.c | 482 | +++ b/clientloop.c |
480 | @@ -112,6 +112,10 @@ | 483 | @@ -112,6 +112,10 @@ |
@@ -488,7 +491,7 @@ index ebd0dbca1..1bdac6a46 100644 | |||
488 | /* import options */ | 491 | /* import options */ |
489 | extern Options options; | 492 | extern Options options; |
490 | 493 | ||
491 | @@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, | 494 | @@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, |
492 | break; | 495 | break; |
493 | 496 | ||
494 | /* Do channel operations unless rekeying in progress. */ | 497 | /* Do channel operations unless rekeying in progress. */ |
@@ -509,10 +512,10 @@ index ebd0dbca1..1bdac6a46 100644 | |||
509 | client_process_net_input(ssh, readset); | 512 | client_process_net_input(ssh, readset); |
510 | 513 | ||
511 | diff --git a/configure.ac b/configure.ac | 514 | diff --git a/configure.ac b/configure.ac |
512 | index b689db4b5..efafb6bd8 100644 | 515 | index 460383757..d98e6f74a 100644 |
513 | --- a/configure.ac | 516 | --- a/configure.ac |
514 | +++ b/configure.ac | 517 | +++ b/configure.ac |
515 | @@ -674,6 +674,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 518 | @@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
516 | [Use tunnel device compatibility to OpenBSD]) | 519 | [Use tunnel device compatibility to OpenBSD]) |
517 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 520 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
518 | [Prepend the address family to IP tunnel traffic]) | 521 | [Prepend the address family to IP tunnel traffic]) |
@@ -1053,11 +1056,11 @@ index a151bc1e4..ef9beb67c 100644 | |||
1053 | 1056 | ||
1054 | #endif /* KRB5 */ | 1057 | #endif /* KRB5 */ |
1055 | diff --git a/gss-serv.c b/gss-serv.c | 1058 | diff --git a/gss-serv.c b/gss-serv.c |
1056 | index ab3a15f0f..1d47870e7 100644 | 1059 | index b5d4bb2d1..55f4d4bda 100644 |
1057 | --- a/gss-serv.c | 1060 | --- a/gss-serv.c |
1058 | +++ b/gss-serv.c | 1061 | +++ b/gss-serv.c |
1059 | @@ -1,7 +1,7 @@ | 1062 | @@ -1,7 +1,7 @@ |
1060 | /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */ | 1063 | /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */ |
1061 | 1064 | ||
1062 | /* | 1065 | /* |
1063 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 1066 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -1327,7 +1330,7 @@ index ab3a15f0f..1d47870e7 100644 | |||
1327 | 1330 | ||
1328 | /* Privileged */ | 1331 | /* Privileged */ |
1329 | diff --git a/kex.c b/kex.c | 1332 | diff --git a/kex.c b/kex.c |
1330 | index ce85f0439..574c76093 100644 | 1333 | index 09c7258e0..144dee512 100644 |
1331 | --- a/kex.c | 1334 | --- a/kex.c |
1332 | +++ b/kex.c | 1335 | +++ b/kex.c |
1333 | @@ -57,11 +57,16 @@ | 1336 | @@ -57,11 +57,16 @@ |
@@ -1439,7 +1442,7 @@ index ce85f0439..574c76093 100644 | |||
1439 | /* put algorithm proposal into buffer */ | 1442 | /* put algorithm proposal into buffer */ |
1440 | int | 1443 | int |
1441 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) | 1444 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) |
1442 | @@ -698,6 +755,9 @@ kex_free(struct kex *kex) | 1445 | @@ -697,6 +754,9 @@ kex_free(struct kex *kex) |
1443 | sshbuf_free(kex->server_version); | 1446 | sshbuf_free(kex->server_version); |
1444 | sshbuf_free(kex->client_pub); | 1447 | sshbuf_free(kex->client_pub); |
1445 | free(kex->session_id); | 1448 | free(kex->session_id); |
@@ -2653,7 +2656,7 @@ index 000000000..60bc02deb | |||
2653 | +} | 2656 | +} |
2654 | +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ | 2657 | +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ |
2655 | diff --git a/monitor.c b/monitor.c | 2658 | diff --git a/monitor.c b/monitor.c |
2656 | index 2ce89fe90..ebf76c7f9 100644 | 2659 | index b6e855d5d..5347e900d 100644 |
2657 | --- a/monitor.c | 2660 | --- a/monitor.c |
2658 | +++ b/monitor.c | 2661 | +++ b/monitor.c |
2659 | @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); | 2662 | @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); |
@@ -2706,7 +2709,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2706 | 2709 | ||
2707 | if (auth_opts->permit_pty_flag) { | 2710 | if (auth_opts->permit_pty_flag) { |
2708 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 2711 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
2709 | @@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) | 2712 | @@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) |
2710 | # ifdef OPENSSL_HAS_ECC | 2713 | # ifdef OPENSSL_HAS_ECC |
2711 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; | 2714 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
2712 | # endif | 2715 | # endif |
@@ -2724,7 +2727,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2724 | #endif /* WITH_OPENSSL */ | 2727 | #endif /* WITH_OPENSSL */ |
2725 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; | 2728 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; |
2726 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; | 2729 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; |
2727 | @@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2730 | @@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2728 | u_char *p; | 2731 | u_char *p; |
2729 | int r; | 2732 | int r; |
2730 | 2733 | ||
@@ -2735,7 +2738,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2735 | 2738 | ||
2736 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) | 2739 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) |
2737 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2740 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2738 | @@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2741 | @@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2739 | OM_uint32 flags = 0; /* GSI needs this */ | 2742 | OM_uint32 flags = 0; /* GSI needs this */ |
2740 | int r; | 2743 | int r; |
2741 | 2744 | ||
@@ -2746,7 +2749,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2746 | 2749 | ||
2747 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) | 2750 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) |
2748 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2751 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2749 | @@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2752 | @@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2750 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2753 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2751 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2754 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2752 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2755 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2754,7 +2757,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2754 | } | 2757 | } |
2755 | return (0); | 2758 | return (0); |
2756 | } | 2759 | } |
2757 | @@ -1871,8 +1900,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) | 2760 | @@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
2758 | OM_uint32 ret; | 2761 | OM_uint32 ret; |
2759 | int r; | 2762 | int r; |
2760 | 2763 | ||
@@ -2765,7 +2768,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2765 | 2768 | ||
2766 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || | 2769 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || |
2767 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) | 2770 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) |
2768 | @@ -1898,13 +1927,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) | 2771 | @@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
2769 | int | 2772 | int |
2770 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2773 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2771 | { | 2774 | { |
@@ -2787,7 +2790,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2787 | 2790 | ||
2788 | sshbuf_reset(m); | 2791 | sshbuf_reset(m); |
2789 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) | 2792 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) |
2790 | @@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2793 | @@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2791 | debug3("%s: sending result %d", __func__, authenticated); | 2794 | debug3("%s: sending result %d", __func__, authenticated); |
2792 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); | 2795 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); |
2793 | 2796 | ||
@@ -2800,7 +2803,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2800 | 2803 | ||
2801 | if ((displayname = ssh_gssapi_displayname()) != NULL) | 2804 | if ((displayname = ssh_gssapi_displayname()) != NULL) |
2802 | auth2_record_info(authctxt, "%s", displayname); | 2805 | auth2_record_info(authctxt, "%s", displayname); |
2803 | @@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2806 | @@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2804 | /* Monitor loop will terminate if authenticated */ | 2807 | /* Monitor loop will terminate if authenticated */ |
2805 | return (authenticated); | 2808 | return (authenticated); |
2806 | } | 2809 | } |
@@ -2995,7 +2998,7 @@ index 23ab096aa..485590c18 100644 | |||
2995 | 2998 | ||
2996 | #ifdef USE_PAM | 2999 | #ifdef USE_PAM |
2997 | diff --git a/readconf.c b/readconf.c | 3000 | diff --git a/readconf.c b/readconf.c |
2998 | index f3cac6b3a..da8022dd0 100644 | 3001 | index 2afcbaeca..fb585e248 100644 |
2999 | --- a/readconf.c | 3002 | --- a/readconf.c |
3000 | +++ b/readconf.c | 3003 | +++ b/readconf.c |
3001 | @@ -67,6 +67,7 @@ | 3004 | @@ -67,6 +67,7 @@ |
@@ -3038,7 +3041,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3038 | #endif | 3041 | #endif |
3039 | #ifdef ENABLE_PKCS11 | 3042 | #ifdef ENABLE_PKCS11 |
3040 | { "pkcs11provider", oPKCS11Provider }, | 3043 | { "pkcs11provider", oPKCS11Provider }, |
3041 | @@ -1029,10 +1044,42 @@ parse_time: | 3044 | @@ -1053,10 +1068,42 @@ parse_time: |
3042 | intptr = &options->gss_authentication; | 3045 | intptr = &options->gss_authentication; |
3043 | goto parse_flag; | 3046 | goto parse_flag; |
3044 | 3047 | ||
@@ -3081,7 +3084,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3081 | case oBatchMode: | 3084 | case oBatchMode: |
3082 | intptr = &options->batch_mode; | 3085 | intptr = &options->batch_mode; |
3083 | goto parse_flag; | 3086 | goto parse_flag; |
3084 | @@ -1911,7 +1958,13 @@ initialize_options(Options * options) | 3087 | @@ -1935,7 +1982,13 @@ initialize_options(Options * options) |
3085 | options->pubkey_authentication = -1; | 3088 | options->pubkey_authentication = -1; |
3086 | options->challenge_response_authentication = -1; | 3089 | options->challenge_response_authentication = -1; |
3087 | options->gss_authentication = -1; | 3090 | options->gss_authentication = -1; |
@@ -3095,7 +3098,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3095 | options->password_authentication = -1; | 3098 | options->password_authentication = -1; |
3096 | options->kbd_interactive_authentication = -1; | 3099 | options->kbd_interactive_authentication = -1; |
3097 | options->kbd_interactive_devices = NULL; | 3100 | options->kbd_interactive_devices = NULL; |
3098 | @@ -2059,8 +2112,18 @@ fill_default_options(Options * options) | 3101 | @@ -2083,8 +2136,18 @@ fill_default_options(Options * options) |
3099 | options->challenge_response_authentication = 1; | 3102 | options->challenge_response_authentication = 1; |
3100 | if (options->gss_authentication == -1) | 3103 | if (options->gss_authentication == -1) |
3101 | options->gss_authentication = 0; | 3104 | options->gss_authentication = 0; |
@@ -3114,7 +3117,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3114 | if (options->password_authentication == -1) | 3117 | if (options->password_authentication == -1) |
3115 | options->password_authentication = 1; | 3118 | options->password_authentication = 1; |
3116 | if (options->kbd_interactive_authentication == -1) | 3119 | if (options->kbd_interactive_authentication == -1) |
3117 | @@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host) | 3120 | @@ -2726,7 +2789,14 @@ dump_client_config(Options *o, const char *host) |
3118 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); | 3121 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); |
3119 | #ifdef GSSAPI | 3122 | #ifdef GSSAPI |
3120 | dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); | 3123 | dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); |
@@ -3130,7 +3133,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3130 | dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); | 3133 | dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); |
3131 | dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); | 3134 | dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); |
3132 | diff --git a/readconf.h b/readconf.h | 3135 | diff --git a/readconf.h b/readconf.h |
3133 | index feedb3d20..a8a8870d7 100644 | 3136 | index e143a1082..c405b837f 100644 |
3134 | --- a/readconf.h | 3137 | --- a/readconf.h |
3135 | +++ b/readconf.h | 3138 | +++ b/readconf.h |
3136 | @@ -41,7 +41,13 @@ typedef struct { | 3139 | @@ -41,7 +41,13 @@ typedef struct { |
@@ -3148,7 +3151,7 @@ index feedb3d20..a8a8870d7 100644 | |||
3148 | * authentication. */ | 3151 | * authentication. */ |
3149 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 3152 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
3150 | diff --git a/servconf.c b/servconf.c | 3153 | diff --git a/servconf.c b/servconf.c |
3151 | index 70f5f73f0..191575a16 100644 | 3154 | index ba0a92c7b..f38ba9e44 100644 |
3152 | --- a/servconf.c | 3155 | --- a/servconf.c |
3153 | +++ b/servconf.c | 3156 | +++ b/servconf.c |
3154 | @@ -69,6 +69,7 @@ | 3157 | @@ -69,6 +69,7 @@ |
@@ -3221,7 +3224,7 @@ index 70f5f73f0..191575a16 100644 | |||
3221 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 3224 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
3222 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 3225 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
3223 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 3226 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
3224 | @@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, | 3227 | @@ -1555,6 +1578,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, |
3225 | intptr = &options->gss_authentication; | 3228 | intptr = &options->gss_authentication; |
3226 | goto parse_flag; | 3229 | goto parse_flag; |
3227 | 3230 | ||
@@ -3232,7 +3235,7 @@ index 70f5f73f0..191575a16 100644 | |||
3232 | case sGssCleanupCreds: | 3235 | case sGssCleanupCreds: |
3233 | intptr = &options->gss_cleanup_creds; | 3236 | intptr = &options->gss_cleanup_creds; |
3234 | goto parse_flag; | 3237 | goto parse_flag; |
3235 | @@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, | 3238 | @@ -1563,6 +1590,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, |
3236 | intptr = &options->gss_strict_acceptor; | 3239 | intptr = &options->gss_strict_acceptor; |
3237 | goto parse_flag; | 3240 | goto parse_flag; |
3238 | 3241 | ||
@@ -3255,7 +3258,7 @@ index 70f5f73f0..191575a16 100644 | |||
3255 | case sPasswordAuthentication: | 3258 | case sPasswordAuthentication: |
3256 | intptr = &options->password_authentication; | 3259 | intptr = &options->password_authentication; |
3257 | goto parse_flag; | 3260 | goto parse_flag; |
3258 | @@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o) | 3261 | @@ -2791,6 +2834,10 @@ dump_config(ServerOptions *o) |
3259 | #ifdef GSSAPI | 3262 | #ifdef GSSAPI |
3260 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 3263 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
3261 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | 3264 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
@@ -3267,10 +3270,10 @@ index 70f5f73f0..191575a16 100644 | |||
3267 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 3270 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
3268 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 3271 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
3269 | diff --git a/servconf.h b/servconf.h | 3272 | diff --git a/servconf.h b/servconf.h |
3270 | index 4202a2d02..3f47ea25e 100644 | 3273 | index a420f398d..253cad97e 100644 |
3271 | --- a/servconf.h | 3274 | --- a/servconf.h |
3272 | +++ b/servconf.h | 3275 | +++ b/servconf.h |
3273 | @@ -132,8 +132,11 @@ typedef struct { | 3276 | @@ -137,8 +137,11 @@ typedef struct { |
3274 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 3277 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
3275 | * authenticated with Kerberos. */ | 3278 | * authenticated with Kerberos. */ |
3276 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 3279 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -3283,7 +3286,7 @@ index 4202a2d02..3f47ea25e 100644 | |||
3283 | * authentication. */ | 3286 | * authentication. */ |
3284 | int kbd_interactive_authentication; /* If true, permit */ | 3287 | int kbd_interactive_authentication; /* If true, permit */ |
3285 | diff --git a/session.c b/session.c | 3288 | diff --git a/session.c b/session.c |
3286 | index 8c0e54f79..06a33442a 100644 | 3289 | index 18cdfa8cf..f9c2c866e 100644 |
3287 | --- a/session.c | 3290 | --- a/session.c |
3288 | +++ b/session.c | 3291 | +++ b/session.c |
3289 | @@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) | 3292 | @@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) |
@@ -3309,7 +3312,7 @@ index 8c0e54f79..06a33442a 100644 | |||
3309 | 3312 | ||
3310 | /* remove agent socket */ | 3313 | /* remove agent socket */ |
3311 | diff --git a/ssh-gss.h b/ssh-gss.h | 3314 | diff --git a/ssh-gss.h b/ssh-gss.h |
3312 | index 36180d07a..70dd36658 100644 | 3315 | index 36180d07a..50d80bbca 100644 |
3313 | --- a/ssh-gss.h | 3316 | --- a/ssh-gss.h |
3314 | +++ b/ssh-gss.h | 3317 | +++ b/ssh-gss.h |
3315 | @@ -1,6 +1,6 @@ | 3318 | @@ -1,6 +1,6 @@ |
@@ -3320,7 +3323,7 @@ index 36180d07a..70dd36658 100644 | |||
3320 | * | 3323 | * |
3321 | * Redistribution and use in source and binary forms, with or without | 3324 | * Redistribution and use in source and binary forms, with or without |
3322 | * modification, are permitted provided that the following conditions | 3325 | * modification, are permitted provided that the following conditions |
3323 | @@ -61,10 +61,30 @@ | 3326 | @@ -61,10 +61,34 @@ |
3324 | 3327 | ||
3325 | #define SSH_GSS_OIDTYPE 0x06 | 3328 | #define SSH_GSS_OIDTYPE 0x06 |
3326 | 3329 | ||
@@ -3340,8 +3343,12 @@ index 36180d07a..70dd36658 100644 | |||
3340 | +#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-" | 3343 | +#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-" |
3341 | + | 3344 | + |
3342 | +#define GSS_KEX_DEFAULT_KEX \ | 3345 | +#define GSS_KEX_DEFAULT_KEX \ |
3343 | + KEX_GSS_GEX_SHA1_ID "," \ | 3346 | + KEX_GSS_GRP14_SHA256_ID "," \ |
3344 | + KEX_GSS_GRP14_SHA1_ID | 3347 | + KEX_GSS_GRP16_SHA512_ID "," \ |
3348 | + KEX_GSS_NISTP256_SHA256_ID "," \ | ||
3349 | + KEX_GSS_C25519_SHA256_ID "," \ | ||
3350 | + KEX_GSS_GRP14_SHA1_ID "," \ | ||
3351 | + KEX_GSS_GEX_SHA1_ID | ||
3345 | + | 3352 | + |
3346 | typedef struct { | 3353 | typedef struct { |
3347 | char *filename; | 3354 | char *filename; |
@@ -3351,7 +3358,7 @@ index 36180d07a..70dd36658 100644 | |||
3351 | void *data; | 3358 | void *data; |
3352 | } ssh_gssapi_ccache; | 3359 | } ssh_gssapi_ccache; |
3353 | 3360 | ||
3354 | @@ -72,8 +92,11 @@ typedef struct { | 3361 | @@ -72,8 +96,11 @@ typedef struct { |
3355 | gss_buffer_desc displayname; | 3362 | gss_buffer_desc displayname; |
3356 | gss_buffer_desc exportedname; | 3363 | gss_buffer_desc exportedname; |
3357 | gss_cred_id_t creds; | 3364 | gss_cred_id_t creds; |
@@ -3363,7 +3370,7 @@ index 36180d07a..70dd36658 100644 | |||
3363 | } ssh_gssapi_client; | 3370 | } ssh_gssapi_client; |
3364 | 3371 | ||
3365 | typedef struct ssh_gssapi_mech_struct { | 3372 | typedef struct ssh_gssapi_mech_struct { |
3366 | @@ -84,6 +107,7 @@ typedef struct ssh_gssapi_mech_struct { | 3373 | @@ -84,6 +111,7 @@ typedef struct ssh_gssapi_mech_struct { |
3367 | int (*userok) (ssh_gssapi_client *, char *); | 3374 | int (*userok) (ssh_gssapi_client *, char *); |
3368 | int (*localname) (ssh_gssapi_client *, char **); | 3375 | int (*localname) (ssh_gssapi_client *, char **); |
3369 | void (*storecreds) (ssh_gssapi_client *); | 3376 | void (*storecreds) (ssh_gssapi_client *); |
@@ -3371,7 +3378,7 @@ index 36180d07a..70dd36658 100644 | |||
3371 | } ssh_gssapi_mech; | 3378 | } ssh_gssapi_mech; |
3372 | 3379 | ||
3373 | typedef struct { | 3380 | typedef struct { |
3374 | @@ -94,10 +118,11 @@ typedef struct { | 3381 | @@ -94,10 +122,11 @@ typedef struct { |
3375 | gss_OID oid; /* client */ | 3382 | gss_OID oid; /* client */ |
3376 | gss_cred_id_t creds; /* server */ | 3383 | gss_cred_id_t creds; /* server */ |
3377 | gss_name_t client; /* server */ | 3384 | gss_name_t client; /* server */ |
@@ -3384,7 +3391,7 @@ index 36180d07a..70dd36658 100644 | |||
3384 | 3391 | ||
3385 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | 3392 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); |
3386 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | 3393 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); |
3387 | @@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *); | 3394 | @@ -109,6 +138,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *); |
3388 | 3395 | ||
3389 | struct sshbuf; | 3396 | struct sshbuf; |
3390 | int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *); | 3397 | int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *); |
@@ -3392,7 +3399,7 @@ index 36180d07a..70dd36658 100644 | |||
3392 | 3399 | ||
3393 | OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); | 3400 | OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); |
3394 | OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, | 3401 | OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, |
3395 | @@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); | 3402 | @@ -123,17 +153,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); |
3396 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 3403 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
3397 | void ssh_gssapi_buildmic(struct sshbuf *, const char *, | 3404 | void ssh_gssapi_buildmic(struct sshbuf *, const char *, |
3398 | const char *, const char *); | 3405 | const char *, const char *); |
@@ -3429,10 +3436,10 @@ index 36180d07a..70dd36658 100644 | |||
3429 | 3436 | ||
3430 | #endif /* _SSH_GSS_H */ | 3437 | #endif /* _SSH_GSS_H */ |
3431 | diff --git a/ssh.1 b/ssh.1 | 3438 | diff --git a/ssh.1 b/ssh.1 |
3432 | index 60de6087a..db5c65bc7 100644 | 3439 | index dce5f404b..7a3ba31ab 100644 |
3433 | --- a/ssh.1 | 3440 | --- a/ssh.1 |
3434 | +++ b/ssh.1 | 3441 | +++ b/ssh.1 |
3435 | @@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see | 3442 | @@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see |
3436 | .It GatewayPorts | 3443 | .It GatewayPorts |
3437 | .It GlobalKnownHostsFile | 3444 | .It GlobalKnownHostsFile |
3438 | .It GSSAPIAuthentication | 3445 | .It GSSAPIAuthentication |
@@ -3446,7 +3453,7 @@ index 60de6087a..db5c65bc7 100644 | |||
3446 | .It HashKnownHosts | 3453 | .It HashKnownHosts |
3447 | .It Host | 3454 | .It Host |
3448 | .It HostbasedAuthentication | 3455 | .It HostbasedAuthentication |
3449 | @@ -579,6 +585,8 @@ flag), | 3456 | @@ -582,6 +588,8 @@ flag), |
3450 | (supported message integrity codes), | 3457 | (supported message integrity codes), |
3451 | .Ar kex | 3458 | .Ar kex |
3452 | (key exchange algorithms), | 3459 | (key exchange algorithms), |
@@ -3456,10 +3463,10 @@ index 60de6087a..db5c65bc7 100644 | |||
3456 | (key types), | 3463 | (key types), |
3457 | .Ar key-cert | 3464 | .Ar key-cert |
3458 | diff --git a/ssh.c b/ssh.c | 3465 | diff --git a/ssh.c b/ssh.c |
3459 | index 15aee569e..110cf9c19 100644 | 3466 | index 98b6ce788..4a81ef810 100644 |
3460 | --- a/ssh.c | 3467 | --- a/ssh.c |
3461 | +++ b/ssh.c | 3468 | +++ b/ssh.c |
3462 | @@ -747,6 +747,8 @@ main(int ac, char **av) | 3469 | @@ -773,6 +773,8 @@ main(int ac, char **av) |
3463 | else if (strcmp(optarg, "kex") == 0 || | 3470 | else if (strcmp(optarg, "kex") == 0 || |
3464 | strcasecmp(optarg, "KexAlgorithms") == 0) | 3471 | strcasecmp(optarg, "KexAlgorithms") == 0) |
3465 | cp = kex_alg_list('\n'); | 3472 | cp = kex_alg_list('\n'); |
@@ -3468,7 +3475,7 @@ index 15aee569e..110cf9c19 100644 | |||
3468 | else if (strcmp(optarg, "key") == 0) | 3475 | else if (strcmp(optarg, "key") == 0) |
3469 | cp = sshkey_alg_list(0, 0, 0, '\n'); | 3476 | cp = sshkey_alg_list(0, 0, 0, '\n'); |
3470 | else if (strcmp(optarg, "key-cert") == 0) | 3477 | else if (strcmp(optarg, "key-cert") == 0) |
3471 | @@ -772,8 +774,8 @@ main(int ac, char **av) | 3478 | @@ -798,8 +800,8 @@ main(int ac, char **av) |
3472 | } else if (strcmp(optarg, "help") == 0) { | 3479 | } else if (strcmp(optarg, "help") == 0) { |
3473 | cp = xstrdup( | 3480 | cp = xstrdup( |
3474 | "cipher\ncipher-auth\ncompression\nkex\n" | 3481 | "cipher\ncipher-auth\ncompression\nkex\n" |
@@ -3493,7 +3500,7 @@ index 5e8ef548b..1ff999b68 100644 | |||
3493 | # CheckHostIP yes | 3500 | # CheckHostIP yes |
3494 | # AddressFamily any | 3501 | # AddressFamily any |
3495 | diff --git a/ssh_config.5 b/ssh_config.5 | 3502 | diff --git a/ssh_config.5 b/ssh_config.5 |
3496 | index 06a32d314..3f4906972 100644 | 3503 | index dc010ccbd..e2a2359f9 100644 |
3497 | --- a/ssh_config.5 | 3504 | --- a/ssh_config.5 |
3498 | +++ b/ssh_config.5 | 3505 | +++ b/ssh_config.5 |
3499 | @@ -766,10 +766,67 @@ The default is | 3506 | @@ -766,10 +766,67 @@ The default is |
@@ -3559,13 +3566,13 @@ index 06a32d314..3f4906972 100644 | |||
3559 | +.Ed | 3566 | +.Ed |
3560 | +.Pp | 3567 | +.Pp |
3561 | +The default is | 3568 | +The default is |
3562 | +.Dq gss-gex-sha1-,gss-group14-sha1- . | 3569 | +.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- . |
3563 | +This option only applies to protocol version 2 connections using GSSAPI. | 3570 | +This option only applies to connections using GSSAPI. |
3564 | .It Cm HashKnownHosts | 3571 | .It Cm HashKnownHosts |
3565 | Indicates that | 3572 | Indicates that |
3566 | .Xr ssh 1 | 3573 | .Xr ssh 1 |
3567 | diff --git a/sshconnect2.c b/sshconnect2.c | 3574 | diff --git a/sshconnect2.c b/sshconnect2.c |
3568 | index af00fb30c..03bc87eb4 100644 | 3575 | index 1a6545edf..79a22e600 100644 |
3569 | --- a/sshconnect2.c | 3576 | --- a/sshconnect2.c |
3570 | +++ b/sshconnect2.c | 3577 | +++ b/sshconnect2.c |
3571 | @@ -80,8 +80,6 @@ | 3578 | @@ -80,8 +80,6 @@ |
@@ -3589,7 +3596,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3589 | xxx_host = host; | 3596 | xxx_host = host; |
3590 | xxx_hostaddr = hostaddr; | 3597 | xxx_hostaddr = hostaddr; |
3591 | 3598 | ||
3592 | @@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | 3599 | @@ -206,6 +209,41 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) |
3593 | compat_pkalg_proposal(options.hostkeyalgorithms); | 3600 | compat_pkalg_proposal(options.hostkeyalgorithms); |
3594 | } | 3601 | } |
3595 | 3602 | ||
@@ -3599,12 +3606,18 @@ index af00fb30c..03bc87eb4 100644 | |||
3599 | + * client to the key exchange algorithm proposal */ | 3606 | + * client to the key exchange algorithm proposal */ |
3600 | + orig = myproposal[PROPOSAL_KEX_ALGS]; | 3607 | + orig = myproposal[PROPOSAL_KEX_ALGS]; |
3601 | + | 3608 | + |
3602 | + if (options.gss_server_identity) | 3609 | + if (options.gss_server_identity) { |
3603 | + gss_host = xstrdup(options.gss_server_identity); | 3610 | + gss_host = xstrdup(options.gss_server_identity); |
3604 | + else if (options.gss_trust_dns) | 3611 | + } else if (options.gss_trust_dns) { |
3605 | + gss_host = remote_hostname(ssh); | 3612 | + gss_host = remote_hostname(ssh); |
3606 | + else | 3613 | + /* Fall back to specified host if we are using proxy command |
3614 | + * and can not use DNS on that socket */ | ||
3615 | + if (strcmp(gss_host, "UNKNOWN") == 0) { | ||
3616 | + gss_host = xstrdup(host); | ||
3617 | + } | ||
3618 | + } else { | ||
3607 | + gss_host = xstrdup(host); | 3619 | + gss_host = xstrdup(host); |
3620 | + } | ||
3608 | + | 3621 | + |
3609 | + gss = ssh_gssapi_client_mechanisms(gss_host, | 3622 | + gss = ssh_gssapi_client_mechanisms(gss_host, |
3610 | + options.gss_client_identity, options.gss_kex_algorithms); | 3623 | + options.gss_client_identity, options.gss_kex_algorithms); |
@@ -3625,7 +3638,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3625 | if (options.rekey_limit || options.rekey_interval) | 3638 | if (options.rekey_limit || options.rekey_interval) |
3626 | ssh_packet_set_rekey_limits(ssh, options.rekey_limit, | 3639 | ssh_packet_set_rekey_limits(ssh, options.rekey_limit, |
3627 | options.rekey_interval); | 3640 | options.rekey_interval); |
3628 | @@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | 3641 | @@ -224,16 +262,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) |
3629 | # ifdef OPENSSL_HAS_ECC | 3642 | # ifdef OPENSSL_HAS_ECC |
3630 | ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; | 3643 | ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; |
3631 | # endif | 3644 | # endif |
@@ -3673,7 +3686,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3673 | if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) | 3686 | if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) |
3674 | fatal("kex_prop2buf: %s", ssh_err(r)); | 3687 | fatal("kex_prop2buf: %s", ssh_err(r)); |
3675 | 3688 | ||
3676 | @@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); | 3689 | @@ -330,6 +398,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); |
3677 | static int input_gssapi_token(int type, u_int32_t, struct ssh *); | 3690 | static int input_gssapi_token(int type, u_int32_t, struct ssh *); |
3678 | static int input_gssapi_error(int, u_int32_t, struct ssh *); | 3691 | static int input_gssapi_error(int, u_int32_t, struct ssh *); |
3679 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); | 3692 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); |
@@ -3681,7 +3694,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3681 | #endif | 3694 | #endif |
3682 | 3695 | ||
3683 | void userauth(struct ssh *, char *); | 3696 | void userauth(struct ssh *, char *); |
3684 | @@ -346,6 +409,11 @@ static char *authmethods_get(void); | 3697 | @@ -346,6 +415,11 @@ static char *authmethods_get(void); |
3685 | 3698 | ||
3686 | Authmethod authmethods[] = { | 3699 | Authmethod authmethods[] = { |
3687 | #ifdef GSSAPI | 3700 | #ifdef GSSAPI |
@@ -3693,18 +3706,24 @@ index af00fb30c..03bc87eb4 100644 | |||
3693 | {"gssapi-with-mic", | 3706 | {"gssapi-with-mic", |
3694 | userauth_gssapi, | 3707 | userauth_gssapi, |
3695 | userauth_gssapi_cleanup, | 3708 | userauth_gssapi_cleanup, |
3696 | @@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh) | 3709 | @@ -716,12 +790,31 @@ userauth_gssapi(struct ssh *ssh) |
3697 | OM_uint32 min; | 3710 | OM_uint32 min; |
3698 | int r, ok = 0; | 3711 | int r, ok = 0; |
3699 | gss_OID mech = NULL; | 3712 | gss_OID mech = NULL; |
3700 | + char *gss_host; | 3713 | + char *gss_host; |
3701 | + | 3714 | + |
3702 | + if (options.gss_server_identity) | 3715 | + if (options.gss_server_identity) { |
3703 | + gss_host = xstrdup(options.gss_server_identity); | 3716 | + gss_host = xstrdup(options.gss_server_identity); |
3704 | + else if (options.gss_trust_dns) | 3717 | + } else if (options.gss_trust_dns) { |
3705 | + gss_host = remote_hostname(ssh); | 3718 | + gss_host = remote_hostname(ssh); |
3706 | + else | 3719 | + /* Fall back to specified host if we are using proxy command |
3720 | + * and can not use DNS on that socket */ | ||
3721 | + if (strcmp(gss_host, "UNKNOWN") == 0) { | ||
3722 | + gss_host = authctxt->host; | ||
3723 | + } | ||
3724 | + } else { | ||
3707 | + gss_host = xstrdup(authctxt->host); | 3725 | + gss_host = xstrdup(authctxt->host); |
3726 | + } | ||
3708 | 3727 | ||
3709 | /* Try one GSSAPI method at a time, rather than sending them all at | 3728 | /* Try one GSSAPI method at a time, rather than sending them all at |
3710 | * once. */ | 3729 | * once. */ |
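Review bot: In the GSSAPITrustDNS fallback of userauth_gssapi (new-side line 3722), `gss_host = authctxt->host;` aliases the auth context's string, whereas every other branch here and the parallel fallback in ssh_kex2 (new-side line 3616) assign a fresh `xstrdup()` copy. If gss_host is released later, as the xstrdup convention of the sibling branches suggests (the rest of userauth_gssapi lies outside this hunk, so I cannot see the free), that path frees `authctxt->host` and leaves the context with a dangling pointer, on a branch taken precisely when the reverse lookup on the socket fails (e.g. under ProxyCommand). Both fallbacks also overwrite the string returned by `remote_hostname(ssh)`, presumably heap-allocated since it is otherwise handled like the xstrdup results, without freeing it. I would write `free(gss_host); gss_host = xstrdup(authctxt->host);` here and `free(gss_host); gss_host = xstrdup(host);` in ssh_kex2 so that ownership of gss_host is uniform across all branches.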
@@ -3720,7 +3739,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3720 | 3739 | ||
3721 | /* Check to see whether the mechanism is usable before we offer it */ | 3740 | /* Check to see whether the mechanism is usable before we offer it */ |
3722 | while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && | 3741 | while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && |
3723 | @@ -730,13 +811,15 @@ userauth_gssapi(struct ssh *ssh) | 3742 | @@ -730,13 +823,15 @@ userauth_gssapi(struct ssh *ssh) |
3724 | elements[authctxt->mech_tried]; | 3743 | elements[authctxt->mech_tried]; |
3725 | /* My DER encoding requires length<128 */ | 3744 | /* My DER encoding requires length<128 */ |
3726 | if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, | 3745 | if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, |
@@ -3737,7 +3756,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3737 | if (!ok || mech == NULL) | 3756 | if (!ok || mech == NULL) |
3738 | return 0; | 3757 | return 0; |
3739 | 3758 | ||
3740 | @@ -976,6 +1059,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) | 3759 | @@ -976,6 +1071,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) |
3741 | free(lang); | 3760 | free(lang); |
3742 | return r; | 3761 | return r; |
3743 | } | 3762 | } |
@@ -3794,10 +3813,10 @@ index af00fb30c..03bc87eb4 100644 | |||
3794 | 3813 | ||
3795 | static int | 3814 | static int |
3796 | diff --git a/sshd.c b/sshd.c | 3815 | diff --git a/sshd.c b/sshd.c |
3797 | index 60b2aaf73..d92f03aaf 100644 | 3816 | index 6f8f11a3b..02fca5c28 100644 |
3798 | --- a/sshd.c | 3817 | --- a/sshd.c |
3799 | +++ b/sshd.c | 3818 | +++ b/sshd.c |
3800 | @@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) | 3819 | @@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh) |
3801 | } | 3820 | } |
3802 | debug3("%s: sent %u hostkeys", __func__, nkeys); | 3821 | debug3("%s: sent %u hostkeys", __func__, nkeys); |
3803 | if (nkeys == 0) | 3822 | if (nkeys == 0) |
@@ -3808,7 +3827,7 @@ index 60b2aaf73..d92f03aaf 100644 | |||
3808 | sshpkt_fatal(ssh, r, "%s: send", __func__); | 3827 | sshpkt_fatal(ssh, r, "%s: send", __func__); |
3809 | sshbuf_free(buf); | 3828 | sshbuf_free(buf); |
3810 | } | 3829 | } |
3811 | @@ -1852,7 +1852,8 @@ main(int ac, char **av) | 3830 | @@ -1851,7 +1851,8 @@ main(int ac, char **av) |
3812 | free(fp); | 3831 | free(fp); |
3813 | } | 3832 | } |
3814 | accumulate_host_timing_secret(cfg, NULL); | 3833 | accumulate_host_timing_secret(cfg, NULL); |
@@ -3818,7 +3837,7 @@ index 60b2aaf73..d92f03aaf 100644 | |||
3818 | logit("sshd: no hostkeys available -- exiting."); | 3837 | logit("sshd: no hostkeys available -- exiting."); |
3819 | exit(1); | 3838 | exit(1); |
3820 | } | 3839 | } |
3821 | @@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) | 3840 | @@ -2342,6 +2343,48 @@ do_ssh2_kex(struct ssh *ssh) |
3822 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 3841 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3823 | list_hostkey_types()); | 3842 | list_hostkey_types()); |
3824 | 3843 | ||
@@ -3867,7 +3886,7 @@ index 60b2aaf73..d92f03aaf 100644 | |||
3867 | /* start key exchange */ | 3886 | /* start key exchange */ |
3868 | if ((r = kex_setup(ssh, myproposal)) != 0) | 3887 | if ((r = kex_setup(ssh, myproposal)) != 0) |
3869 | fatal("kex_setup: %s", ssh_err(r)); | 3888 | fatal("kex_setup: %s", ssh_err(r)); |
3870 | @@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh) | 3889 | @@ -2357,7 +2400,18 @@ do_ssh2_kex(struct ssh *ssh) |
3871 | # ifdef OPENSSL_HAS_ECC | 3890 | # ifdef OPENSSL_HAS_ECC |
3872 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; | 3891 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
3873 | # endif | 3892 | # endif |
@@ -3901,10 +3920,10 @@ index 19b7c91a1..2c48105f8 100644 | |||
3901 | # Set this to 'yes' to enable PAM authentication, account processing, | 3920 | # Set this to 'yes' to enable PAM authentication, account processing, |
3902 | # and session processing. If this is enabled, PAM authentication will | 3921 | # and session processing. If this is enabled, PAM authentication will |
3903 | diff --git a/sshd_config.5 b/sshd_config.5 | 3922 | diff --git a/sshd_config.5 b/sshd_config.5 |
3904 | index 70ccea449..f6b41a2f8 100644 | 3923 | index b294efc2d..360e5fb1a 100644 |
3905 | --- a/sshd_config.5 | 3924 | --- a/sshd_config.5 |
3906 | +++ b/sshd_config.5 | 3925 | +++ b/sshd_config.5 |
3907 | @@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache | 3926 | @@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache |
3908 | on logout. | 3927 | on logout. |
3909 | The default is | 3928 | The default is |
3910 | .Cm yes . | 3929 | .Cm yes . |
@@ -3916,7 +3935,7 @@ index 70ccea449..f6b41a2f8 100644 | |||
3916 | .It Cm GSSAPIStrictAcceptorCheck | 3935 | .It Cm GSSAPIStrictAcceptorCheck |
3917 | Determines whether to be strict about the identity of the GSSAPI acceptor | 3936 | Determines whether to be strict about the identity of the GSSAPI acceptor |
3918 | a client authenticates against. | 3937 | a client authenticates against. |
3919 | @@ -660,6 +665,31 @@ machine's default store. | 3938 | @@ -658,6 +663,31 @@ machine's default store. |
3920 | This facility is provided to assist with operation on multi homed machines. | 3939 | This facility is provided to assist with operation on multi homed machines. |
3921 | The default is | 3940 | The default is |
3922 | .Cm yes . | 3941 | .Cm yes . |
@@ -3943,13 +3962,13 @@ index 70ccea449..f6b41a2f8 100644 | |||
3943 | +.Ed | 3962 | +.Ed |
3944 | +.Pp | 3963 | +.Pp |
3945 | +The default is | 3964 | +The default is |
3946 | +.Dq gss-gex-sha1-,gss-group14-sha1- . | 3965 | +.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- . |
3947 | +This option only applies to protocol version 2 connections using GSSAPI. | 3966 | +This option only applies to connections using GSSAPI. |
3948 | .It Cm HostbasedAcceptedKeyTypes | 3967 | .It Cm HostbasedAcceptedKeyTypes |
3949 | Specifies the key types that will be accepted for hostbased authentication | 3968 | Specifies the key types that will be accepted for hostbased authentication |
3950 | as a list of comma-separated patterns. | 3969 | as a list of comma-separated patterns. |
3951 | diff --git a/sshkey.c b/sshkey.c | 3970 | diff --git a/sshkey.c b/sshkey.c |
3952 | index 57995ee68..fd5b77246 100644 | 3971 | index 1571e3d93..1ac32a0ec 100644 |
3953 | --- a/sshkey.c | 3972 | --- a/sshkey.c |
3954 | +++ b/sshkey.c | 3973 | +++ b/sshkey.c |
3955 | @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { | 3974 | @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { |
@@ -3970,7 +3989,7 @@ index 57995ee68..fd5b77246 100644 | |||
3970 | if (!include_sigonly && kt->sigonly) | 3989 | if (!include_sigonly && kt->sigonly) |
3971 | continue; | 3990 | continue; |
3972 | diff --git a/sshkey.h b/sshkey.h | 3991 | diff --git a/sshkey.h b/sshkey.h |
3973 | index 71a3fddcb..37a43a67a 100644 | 3992 | index 9c1d4f637..f586e8967 100644 |
3974 | --- a/sshkey.h | 3993 | --- a/sshkey.h |
3975 | +++ b/sshkey.h | 3994 | +++ b/sshkey.h |
3976 | @@ -69,6 +69,7 @@ enum sshkey_types { | 3995 | @@ -69,6 +69,7 @@ enum sshkey_types { |