author | Colin Watson <cjwatson@debian.org> | 2020-10-20 14:12:31 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2020-10-20 14:12:31 +0100 |
commit | e371906fbbbbc11b0dced8fd4e0d258eb489d7c1 (patch) | |
tree | 4d0d8d2afd52572deb7910e29ff5a334b2bcf702 /debian/patches/gssapi.patch | |
parent | e429009cde648a41479cd1b60ce972760a2bdabc (diff) | |
parent | 3728919292c05983372954d27426f7d966813139 (diff) |
New upstream release (8.4p1)
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 138 |
1 files changed, 69 insertions, 69 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 685923e47..d779eacb6 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 79f9d21b406c172878896ef41cdc2502fc2f84a7 Mon Sep 17 00:00:00 2001 | 1 | From d1b7918f9bce6e997c7952ac795e18d09192b2a6 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -68,10 +68,10 @@ Patch-Name: gssapi.patch | |||
68 | create mode 100644 kexgsss.c | 68 | create mode 100644 kexgsss.c |
69 | 69 | ||
70 | diff --git a/Makefile.in b/Makefile.in | 70 | diff --git a/Makefile.in b/Makefile.in |
71 | index c9e4294d3..bf1e1de47 100644 | 71 | index acfb919da..56759c388 100644 |
72 | --- a/Makefile.in | 72 | --- a/Makefile.in |
73 | +++ b/Makefile.in | 73 | +++ b/Makefile.in |
74 | @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 74 | @@ -107,6 +107,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
75 | kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ | 75 | kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ |
76 | kexgexc.o kexgexs.o \ | 76 | kexgexc.o kexgexs.o \ |
77 | sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ | 77 | sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ |
@@ -79,7 +79,7 @@ index c9e4294d3..bf1e1de47 100644 | |||
79 | sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ | 79 | sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ |
80 | sshbuf-io.o | 80 | sshbuf-io.o |
81 | 81 | ||
82 | @@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ | 82 | @@ -123,7 +124,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ |
83 | auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ | 83 | auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
84 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 84 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
85 | monitor.o monitor_wrap.o auth-krb5.o \ | 85 | monitor.o monitor_wrap.o auth-krb5.o \ |
@@ -130,7 +130,7 @@ index 28fb43d2a..5b73d24c0 100644 | |||
130 | 130 | ||
131 | [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh) | 131 | [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh) |
132 | diff --git a/auth.c b/auth.c | 132 | diff --git a/auth.c b/auth.c |
133 | index 086b8ebb1..687c57b42 100644 | 133 | index 9a5498b66..3d31ec860 100644 |
134 | --- a/auth.c | 134 | --- a/auth.c |
135 | +++ b/auth.c | 135 | +++ b/auth.c |
136 | @@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) | 136 | @@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) |
@@ -339,7 +339,7 @@ index 9351e0428..d6446c0cf 100644 | |||
339 | "gssapi-with-mic", | 339 | "gssapi-with-mic", |
340 | userauth_gssapi, | 340 | userauth_gssapi, |
341 | diff --git a/auth2.c b/auth2.c | 341 | diff --git a/auth2.c b/auth2.c |
342 | index 91aaf34a6..a4a5e0069 100644 | 342 | index 242a7adbe..9fa1404b3 100644 |
343 | --- a/auth2.c | 343 | --- a/auth2.c |
344 | +++ b/auth2.c | 344 | +++ b/auth2.c |
345 | @@ -73,6 +73,7 @@ extern Authmethod method_passwd; | 345 | @@ -73,6 +73,7 @@ extern Authmethod method_passwd; |
@@ -477,7 +477,7 @@ index 26d62855a..0cadc9f18 100644 | |||
477 | int get_peer_port(int); | 477 | int get_peer_port(int); |
478 | char *get_local_ipaddr(int); | 478 | char *get_local_ipaddr(int); |
479 | diff --git a/clientloop.c b/clientloop.c | 479 | diff --git a/clientloop.c b/clientloop.c |
480 | index da396c72a..42ace7789 100644 | 480 | index 60b46d161..2cebea29f 100644 |
481 | --- a/clientloop.c | 481 | --- a/clientloop.c |
482 | +++ b/clientloop.c | 482 | +++ b/clientloop.c |
483 | @@ -112,6 +112,10 @@ | 483 | @@ -112,6 +112,10 @@ |
@@ -491,7 +491,7 @@ index da396c72a..42ace7789 100644 | |||
491 | /* import options */ | 491 | /* import options */ |
492 | extern Options options; | 492 | extern Options options; |
493 | 493 | ||
494 | @@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, | 494 | @@ -1368,9 +1372,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, |
495 | break; | 495 | break; |
496 | 496 | ||
497 | /* Do channel operations unless rekeying in progress. */ | 497 | /* Do channel operations unless rekeying in progress. */ |
@@ -512,10 +512,10 @@ index da396c72a..42ace7789 100644 | |||
512 | client_process_net_input(ssh, readset); | 512 | client_process_net_input(ssh, readset); |
513 | 513 | ||
514 | diff --git a/configure.ac b/configure.ac | 514 | diff --git a/configure.ac b/configure.ac |
515 | index 460383757..d98e6f74a 100644 | 515 | index 7005a503e..c8a96deb4 100644 |
516 | --- a/configure.ac | 516 | --- a/configure.ac |
517 | +++ b/configure.ac | 517 | +++ b/configure.ac |
518 | @@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 518 | @@ -679,6 +679,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
519 | [Use tunnel device compatibility to OpenBSD]) | 519 | [Use tunnel device compatibility to OpenBSD]) |
520 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 520 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
521 | [Prepend the address family to IP tunnel traffic]) | 521 | [Prepend the address family to IP tunnel traffic]) |
@@ -1330,7 +1330,7 @@ index b5d4bb2d1..55f4d4bda 100644 | |||
1330 | 1330 | ||
1331 | /* Privileged */ | 1331 | /* Privileged */ |
1332 | diff --git a/kex.c b/kex.c | 1332 | diff --git a/kex.c b/kex.c |
1333 | index 09c7258e0..144dee512 100644 | 1333 | index aecb9394d..751cfc710 100644 |
1334 | --- a/kex.c | 1334 | --- a/kex.c |
1335 | +++ b/kex.c | 1335 | +++ b/kex.c |
1336 | @@ -57,11 +57,16 @@ | 1336 | @@ -57,11 +57,16 @@ |
@@ -1523,10 +1523,10 @@ index a5ae6ac05..fe7141414 100644 | |||
1523 | __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) | 1523 | __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) |
1524 | __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); | 1524 | __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); |
1525 | diff --git a/kexdh.c b/kexdh.c | 1525 | diff --git a/kexdh.c b/kexdh.c |
1526 | index 67133e339..edaa46762 100644 | 1526 | index 6e0159f9f..d024a8b9a 100644 |
1527 | --- a/kexdh.c | 1527 | --- a/kexdh.c |
1528 | +++ b/kexdh.c | 1528 | +++ b/kexdh.c |
1529 | @@ -48,13 +48,23 @@ kex_dh_keygen(struct kex *kex) | 1529 | @@ -49,13 +49,23 @@ kex_dh_keygen(struct kex *kex) |
1530 | { | 1530 | { |
1531 | switch (kex->kex_type) { | 1531 | switch (kex->kex_type) { |
1532 | case KEX_DH_GRP1_SHA1: | 1532 | case KEX_DH_GRP1_SHA1: |
@@ -2656,7 +2656,7 @@ index 000000000..60bc02deb | |||
2656 | +} | 2656 | +} |
2657 | +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ | 2657 | +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ |
2658 | diff --git a/monitor.c b/monitor.c | 2658 | diff --git a/monitor.c b/monitor.c |
2659 | index b6e855d5d..5347e900d 100644 | 2659 | index 4cf79dfc9..11868952b 100644 |
2660 | --- a/monitor.c | 2660 | --- a/monitor.c |
2661 | +++ b/monitor.c | 2661 | +++ b/monitor.c |
2662 | @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); | 2662 | @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); |
@@ -2709,7 +2709,7 @@ index b6e855d5d..5347e900d 100644 | |||
2709 | 2709 | ||
2710 | if (auth_opts->permit_pty_flag) { | 2710 | if (auth_opts->permit_pty_flag) { |
2711 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 2711 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
2712 | @@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) | 2712 | @@ -1725,6 +1742,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) |
2713 | # ifdef OPENSSL_HAS_ECC | 2713 | # ifdef OPENSSL_HAS_ECC |
2714 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; | 2714 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
2715 | # endif | 2715 | # endif |
@@ -2727,7 +2727,7 @@ index b6e855d5d..5347e900d 100644 | |||
2727 | #endif /* WITH_OPENSSL */ | 2727 | #endif /* WITH_OPENSSL */ |
2728 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; | 2728 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; |
2729 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; | 2729 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; |
2730 | @@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2730 | @@ -1818,8 +1846,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2731 | u_char *p; | 2731 | u_char *p; |
2732 | int r; | 2732 | int r; |
2733 | 2733 | ||
@@ -2738,7 +2738,7 @@ index b6e855d5d..5347e900d 100644 | |||
2738 | 2738 | ||
2739 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) | 2739 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) |
2740 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2740 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2741 | @@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2741 | @@ -1851,8 +1879,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2742 | OM_uint32 flags = 0; /* GSI needs this */ | 2742 | OM_uint32 flags = 0; /* GSI needs this */ |
2743 | int r; | 2743 | int r; |
2744 | 2744 | ||
@@ -2749,7 +2749,7 @@ index b6e855d5d..5347e900d 100644 | |||
2749 | 2749 | ||
2750 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) | 2750 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) |
2751 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2751 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2752 | @@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2752 | @@ -1872,6 +1900,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2753 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2753 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2754 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2754 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2755 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2755 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2757,7 +2757,7 @@ index b6e855d5d..5347e900d 100644 | |||
2757 | } | 2757 | } |
2758 | return (0); | 2758 | return (0); |
2759 | } | 2759 | } |
2760 | @@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) | 2760 | @@ -1883,8 +1912,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
2761 | OM_uint32 ret; | 2761 | OM_uint32 ret; |
2762 | int r; | 2762 | int r; |
2763 | 2763 | ||
@@ -2768,7 +2768,7 @@ index b6e855d5d..5347e900d 100644 | |||
2768 | 2768 | ||
2769 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || | 2769 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || |
2770 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) | 2770 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) |
2771 | @@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) | 2771 | @@ -1910,13 +1939,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
2772 | int | 2772 | int |
2773 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2773 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2774 | { | 2774 | { |
@@ -2790,7 +2790,7 @@ index b6e855d5d..5347e900d 100644 | |||
2790 | 2790 | ||
2791 | sshbuf_reset(m); | 2791 | sshbuf_reset(m); |
2792 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) | 2792 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) |
2793 | @@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2793 | @@ -1925,7 +1958,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2794 | debug3("%s: sending result %d", __func__, authenticated); | 2794 | debug3("%s: sending result %d", __func__, authenticated); |
2795 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); | 2795 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); |
2796 | 2796 | ||
@@ -2803,7 +2803,7 @@ index b6e855d5d..5347e900d 100644 | |||
2803 | 2803 | ||
2804 | if ((displayname = ssh_gssapi_displayname()) != NULL) | 2804 | if ((displayname = ssh_gssapi_displayname()) != NULL) |
2805 | auth2_record_info(authctxt, "%s", displayname); | 2805 | auth2_record_info(authctxt, "%s", displayname); |
2806 | @@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2806 | @@ -1933,5 +1970,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2807 | /* Monitor loop will terminate if authenticated */ | 2807 | /* Monitor loop will terminate if authenticated */ |
2808 | return (authenticated); | 2808 | return (authenticated); |
2809 | } | 2809 | } |
@@ -2903,7 +2903,7 @@ index 683e5e071..2b1a2d590 100644 | |||
2903 | 2903 | ||
2904 | struct ssh; | 2904 | struct ssh; |
2905 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2905 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2906 | index 001a8fa1c..6edb509a3 100644 | 2906 | index 5e38d83eb..0e78cd006 100644 |
2907 | --- a/monitor_wrap.c | 2907 | --- a/monitor_wrap.c |
2908 | +++ b/monitor_wrap.c | 2908 | +++ b/monitor_wrap.c |
2909 | @@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2909 | @@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
@@ -2982,10 +2982,10 @@ index 001a8fa1c..6edb509a3 100644 | |||
2982 | + | 2982 | + |
2983 | #endif /* GSSAPI */ | 2983 | #endif /* GSSAPI */ |
2984 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2984 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2985 | index 23ab096aa..485590c18 100644 | 2985 | index 0db38c206..75aef1c74 100644 |
2986 | --- a/monitor_wrap.h | 2986 | --- a/monitor_wrap.h |
2987 | +++ b/monitor_wrap.h | 2987 | +++ b/monitor_wrap.h |
2988 | @@ -64,8 +64,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, | 2988 | @@ -65,8 +65,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, |
2989 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 2989 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
2990 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, | 2990 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, |
2991 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | 2991 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
@@ -2998,7 +2998,7 @@ index 23ab096aa..485590c18 100644 | |||
2998 | 2998 | ||
2999 | #ifdef USE_PAM | 2999 | #ifdef USE_PAM |
3000 | diff --git a/readconf.c b/readconf.c | 3000 | diff --git a/readconf.c b/readconf.c |
3001 | index 2afcbaeca..fb585e248 100644 | 3001 | index 554efd7c9..57dae55d1 100644 |
3002 | --- a/readconf.c | 3002 | --- a/readconf.c |
3003 | +++ b/readconf.c | 3003 | +++ b/readconf.c |
3004 | @@ -67,6 +67,7 @@ | 3004 | @@ -67,6 +67,7 @@ |
@@ -3041,7 +3041,7 @@ index 2afcbaeca..fb585e248 100644 | |||
3041 | #endif | 3041 | #endif |
3042 | #ifdef ENABLE_PKCS11 | 3042 | #ifdef ENABLE_PKCS11 |
3043 | { "pkcs11provider", oPKCS11Provider }, | 3043 | { "pkcs11provider", oPKCS11Provider }, |
3044 | @@ -1053,10 +1068,42 @@ parse_time: | 3044 | @@ -1068,10 +1083,42 @@ parse_time: |
3045 | intptr = &options->gss_authentication; | 3045 | intptr = &options->gss_authentication; |
3046 | goto parse_flag; | 3046 | goto parse_flag; |
3047 | 3047 | ||
@@ -3084,7 +3084,7 @@ index 2afcbaeca..fb585e248 100644 | |||
3084 | case oBatchMode: | 3084 | case oBatchMode: |
3085 | intptr = &options->batch_mode; | 3085 | intptr = &options->batch_mode; |
3086 | goto parse_flag; | 3086 | goto parse_flag; |
3087 | @@ -1935,7 +1982,13 @@ initialize_options(Options * options) | 3087 | @@ -1976,7 +2023,13 @@ initialize_options(Options * options) |
3088 | options->pubkey_authentication = -1; | 3088 | options->pubkey_authentication = -1; |
3089 | options->challenge_response_authentication = -1; | 3089 | options->challenge_response_authentication = -1; |
3090 | options->gss_authentication = -1; | 3090 | options->gss_authentication = -1; |
@@ -3098,7 +3098,7 @@ index 2afcbaeca..fb585e248 100644 | |||
3098 | options->password_authentication = -1; | 3098 | options->password_authentication = -1; |
3099 | options->kbd_interactive_authentication = -1; | 3099 | options->kbd_interactive_authentication = -1; |
3100 | options->kbd_interactive_devices = NULL; | 3100 | options->kbd_interactive_devices = NULL; |
3101 | @@ -2083,8 +2136,18 @@ fill_default_options(Options * options) | 3101 | @@ -2125,8 +2178,18 @@ fill_default_options(Options * options) |
3102 | options->challenge_response_authentication = 1; | 3102 | options->challenge_response_authentication = 1; |
3103 | if (options->gss_authentication == -1) | 3103 | if (options->gss_authentication == -1) |
3104 | options->gss_authentication = 0; | 3104 | options->gss_authentication = 0; |
@@ -3117,7 +3117,7 @@ index 2afcbaeca..fb585e248 100644 | |||
3117 | if (options->password_authentication == -1) | 3117 | if (options->password_authentication == -1) |
3118 | options->password_authentication = 1; | 3118 | options->password_authentication = 1; |
3119 | if (options->kbd_interactive_authentication == -1) | 3119 | if (options->kbd_interactive_authentication == -1) |
3120 | @@ -2726,7 +2789,14 @@ dump_client_config(Options *o, const char *host) | 3120 | @@ -2776,7 +2839,14 @@ dump_client_config(Options *o, const char *host) |
3121 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); | 3121 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); |
3122 | #ifdef GSSAPI | 3122 | #ifdef GSSAPI |
3123 | dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); | 3123 | dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); |
@@ -3133,7 +3133,7 @@ index 2afcbaeca..fb585e248 100644 | |||
3133 | dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); | 3133 | dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); |
3134 | dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); | 3134 | dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); |
3135 | diff --git a/readconf.h b/readconf.h | 3135 | diff --git a/readconf.h b/readconf.h |
3136 | index e143a1082..c405b837f 100644 | 3136 | index d6a15550d..3803eeddf 100644 |
3137 | --- a/readconf.h | 3137 | --- a/readconf.h |
3138 | +++ b/readconf.h | 3138 | +++ b/readconf.h |
3139 | @@ -41,7 +41,13 @@ typedef struct { | 3139 | @@ -41,7 +41,13 @@ typedef struct { |
@@ -3151,10 +3151,10 @@ index e143a1082..c405b837f 100644 | |||
3151 | * authentication. */ | 3151 | * authentication. */ |
3152 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 3152 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
3153 | diff --git a/servconf.c b/servconf.c | 3153 | diff --git a/servconf.c b/servconf.c |
3154 | index ba0a92c7b..f38ba9e44 100644 | 3154 | index f08e37477..ded8f4a87 100644 |
3155 | --- a/servconf.c | 3155 | --- a/servconf.c |
3156 | +++ b/servconf.c | 3156 | +++ b/servconf.c |
3157 | @@ -69,6 +69,7 @@ | 3157 | @@ -70,6 +70,7 @@ |
3158 | #include "auth.h" | 3158 | #include "auth.h" |
3159 | #include "myproposal.h" | 3159 | #include "myproposal.h" |
3160 | #include "digest.h" | 3160 | #include "digest.h" |
@@ -3162,7 +3162,7 @@ index ba0a92c7b..f38ba9e44 100644 | |||
3162 | 3162 | ||
3163 | static void add_listen_addr(ServerOptions *, const char *, | 3163 | static void add_listen_addr(ServerOptions *, const char *, |
3164 | const char *, int); | 3164 | const char *, int); |
3165 | @@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options) | 3165 | @@ -134,8 +135,11 @@ initialize_server_options(ServerOptions *options) |
3166 | options->kerberos_ticket_cleanup = -1; | 3166 | options->kerberos_ticket_cleanup = -1; |
3167 | options->kerberos_get_afs_token = -1; | 3167 | options->kerberos_get_afs_token = -1; |
3168 | options->gss_authentication=-1; | 3168 | options->gss_authentication=-1; |
@@ -3174,7 +3174,7 @@ index ba0a92c7b..f38ba9e44 100644 | |||
3174 | options->password_authentication = -1; | 3174 | options->password_authentication = -1; |
3175 | options->kbd_interactive_authentication = -1; | 3175 | options->kbd_interactive_authentication = -1; |
3176 | options->challenge_response_authentication = -1; | 3176 | options->challenge_response_authentication = -1; |
3177 | @@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options) | 3177 | @@ -376,10 +380,18 @@ fill_default_server_options(ServerOptions *options) |
3178 | options->kerberos_get_afs_token = 0; | 3178 | options->kerberos_get_afs_token = 0; |
3179 | if (options->gss_authentication == -1) | 3179 | if (options->gss_authentication == -1) |
3180 | options->gss_authentication = 0; | 3180 | options->gss_authentication = 0; |
@@ -3193,7 +3193,7 @@ index ba0a92c7b..f38ba9e44 100644 | |||
3193 | if (options->password_authentication == -1) | 3193 | if (options->password_authentication == -1) |
3194 | options->password_authentication = 1; | 3194 | options->password_authentication = 1; |
3195 | if (options->kbd_interactive_authentication == -1) | 3195 | if (options->kbd_interactive_authentication == -1) |
3196 | @@ -531,6 +543,7 @@ typedef enum { | 3196 | @@ -523,6 +535,7 @@ typedef enum { |
3197 | sHostKeyAlgorithms, | 3197 | sHostKeyAlgorithms, |
3198 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 3198 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
3199 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 3199 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
@@ -3201,7 +3201,7 @@ index ba0a92c7b..f38ba9e44 100644 | |||
3201 | sAcceptEnv, sSetEnv, sPermitTunnel, | 3201 | sAcceptEnv, sSetEnv, sPermitTunnel, |
3202 | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, | 3202 | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, |
3203 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 3203 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
3204 | @@ -607,12 +620,22 @@ static struct { | 3204 | @@ -600,12 +613,22 @@ static struct { |
3205 | #ifdef GSSAPI | 3205 | #ifdef GSSAPI |
3206 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 3206 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
3207 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 3207 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -3224,7 +3224,7 @@ index ba0a92c7b..f38ba9e44 100644 | |||
3224 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 3224 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
3225 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 3225 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
3226 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 3226 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
3227 | @@ -1555,6 +1578,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, | 3227 | @@ -1557,6 +1580,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, |
3228 | intptr = &options->gss_authentication; | 3228 | intptr = &options->gss_authentication; |
3229 | goto parse_flag; | 3229 | goto parse_flag; |
3230 | 3230 | ||
@@ -3235,7 +3235,7 @@ index ba0a92c7b..f38ba9e44 100644 | |||
3235 | case sGssCleanupCreds: | 3235 | case sGssCleanupCreds: |
3236 | intptr = &options->gss_cleanup_creds; | 3236 | intptr = &options->gss_cleanup_creds; |
3237 | goto parse_flag; | 3237 | goto parse_flag; |
3238 | @@ -1563,6 +1590,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, | 3238 | @@ -1565,6 +1592,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, |
3239 | intptr = &options->gss_strict_acceptor; | 3239 | intptr = &options->gss_strict_acceptor; |
3240 | goto parse_flag; | 3240 | goto parse_flag; |
3241 | 3241 | ||
@@ -3258,7 +3258,7 @@ index ba0a92c7b..f38ba9e44 100644 | |||
3258 | case sPasswordAuthentication: | 3258 | case sPasswordAuthentication: |
3259 | intptr = &options->password_authentication; | 3259 | intptr = &options->password_authentication; |
3260 | goto parse_flag; | 3260 | goto parse_flag; |
3261 | @@ -2791,6 +2834,10 @@ dump_config(ServerOptions *o) | 3261 | @@ -2808,6 +2851,10 @@ dump_config(ServerOptions *o) |
3262 | #ifdef GSSAPI | 3262 | #ifdef GSSAPI |
3263 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 3263 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
3264 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | 3264 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
@@ -3270,10 +3270,10 @@ index ba0a92c7b..f38ba9e44 100644 | |||
3270 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 3270 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
3271 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 3271 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
3272 | diff --git a/servconf.h b/servconf.h | 3272 | diff --git a/servconf.h b/servconf.h |
3273 | index a420f398d..253cad97e 100644 | 3273 | index 1df8f3db8..f10908e5b 100644 |
3274 | --- a/servconf.h | 3274 | --- a/servconf.h |
3275 | +++ b/servconf.h | 3275 | +++ b/servconf.h |
3276 | @@ -137,8 +137,11 @@ typedef struct { | 3276 | @@ -138,8 +138,11 @@ typedef struct { |
3277 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 3277 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
3278 | * authenticated with Kerberos. */ | 3278 | * authenticated with Kerberos. */ |
3279 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 3279 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -3286,10 +3286,10 @@ index a420f398d..253cad97e 100644 | |||
3286 | * authentication. */ | 3286 | * authentication. */ |
3287 | int kbd_interactive_authentication; /* If true, permit */ | 3287 | int kbd_interactive_authentication; /* If true, permit */ |
3288 | diff --git a/session.c b/session.c | 3288 | diff --git a/session.c b/session.c |
3289 | index 18cdfa8cf..f9c2c866e 100644 | 3289 | index 27ca8a104..857f17b3c 100644 |
3290 | --- a/session.c | 3290 | --- a/session.c |
3291 | +++ b/session.c | 3291 | +++ b/session.c |
3292 | @@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) | 3292 | @@ -2685,13 +2685,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) |
3293 | 3293 | ||
3294 | #ifdef KRB5 | 3294 | #ifdef KRB5 |
3295 | if (options.kerberos_ticket_cleanup && | 3295 | if (options.kerberos_ticket_cleanup && |
@@ -3436,7 +3436,7 @@ index 36180d07a..50d80bbca 100644 | |||
3436 | 3436 | ||
3437 | #endif /* _SSH_GSS_H */ | 3437 | #endif /* _SSH_GSS_H */ |
3438 | diff --git a/ssh.1 b/ssh.1 | 3438 | diff --git a/ssh.1 b/ssh.1 |
3439 | index dce5f404b..7a3ba31ab 100644 | 3439 | index 555317887..be8e964f0 100644 |
3440 | --- a/ssh.1 | 3440 | --- a/ssh.1 |
3441 | +++ b/ssh.1 | 3441 | +++ b/ssh.1 |
3442 | @@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see | 3442 | @@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see |
@@ -3463,10 +3463,10 @@ index dce5f404b..7a3ba31ab 100644 | |||
3463 | (key types), | 3463 | (key types), |
3464 | .Ar key-cert | 3464 | .Ar key-cert |
3465 | diff --git a/ssh.c b/ssh.c | 3465 | diff --git a/ssh.c b/ssh.c |
3466 | index 98b6ce788..4a81ef810 100644 | 3466 | index f34ca0d71..bb98a7e2d 100644 |
3467 | --- a/ssh.c | 3467 | --- a/ssh.c |
3468 | +++ b/ssh.c | 3468 | +++ b/ssh.c |
3469 | @@ -773,6 +773,8 @@ main(int ac, char **av) | 3469 | @@ -801,6 +801,8 @@ main(int ac, char **av) |
3470 | else if (strcmp(optarg, "kex") == 0 || | 3470 | else if (strcmp(optarg, "kex") == 0 || |
3471 | strcasecmp(optarg, "KexAlgorithms") == 0) | 3471 | strcasecmp(optarg, "KexAlgorithms") == 0) |
3472 | cp = kex_alg_list('\n'); | 3472 | cp = kex_alg_list('\n'); |
@@ -3475,7 +3475,7 @@ index 98b6ce788..4a81ef810 100644 | |||
3475 | else if (strcmp(optarg, "key") == 0) | 3475 | else if (strcmp(optarg, "key") == 0) |
3476 | cp = sshkey_alg_list(0, 0, 0, '\n'); | 3476 | cp = sshkey_alg_list(0, 0, 0, '\n'); |
3477 | else if (strcmp(optarg, "key-cert") == 0) | 3477 | else if (strcmp(optarg, "key-cert") == 0) |
3478 | @@ -798,8 +800,8 @@ main(int ac, char **av) | 3478 | @@ -826,8 +828,8 @@ main(int ac, char **av) |
3479 | } else if (strcmp(optarg, "help") == 0) { | 3479 | } else if (strcmp(optarg, "help") == 0) { |
3480 | cp = xstrdup( | 3480 | cp = xstrdup( |
3481 | "cipher\ncipher-auth\ncompression\nkex\n" | 3481 | "cipher\ncipher-auth\ncompression\nkex\n" |
@@ -3487,7 +3487,7 @@ index 98b6ce788..4a81ef810 100644 | |||
3487 | if (cp == NULL) | 3487 | if (cp == NULL) |
3488 | fatal("Unsupported query \"%s\"", optarg); | 3488 | fatal("Unsupported query \"%s\"", optarg); |
3489 | diff --git a/ssh_config b/ssh_config | 3489 | diff --git a/ssh_config b/ssh_config |
3490 | index 5e8ef548b..1ff999b68 100644 | 3490 | index 842ea866c..52aae8692 100644 |
3491 | --- a/ssh_config | 3491 | --- a/ssh_config |
3492 | +++ b/ssh_config | 3492 | +++ b/ssh_config |
3493 | @@ -24,6 +24,8 @@ | 3493 | @@ -24,6 +24,8 @@ |
@@ -3500,10 +3500,10 @@ index 5e8ef548b..1ff999b68 100644 | |||
3500 | # CheckHostIP yes | 3500 | # CheckHostIP yes |
3501 | # AddressFamily any | 3501 | # AddressFamily any |
3502 | diff --git a/ssh_config.5 b/ssh_config.5 | 3502 | diff --git a/ssh_config.5 b/ssh_config.5 |
3503 | index dc010ccbd..e2a2359f9 100644 | 3503 | index 6be1f1aa2..bd86d000c 100644 |
3504 | --- a/ssh_config.5 | 3504 | --- a/ssh_config.5 |
3505 | +++ b/ssh_config.5 | 3505 | +++ b/ssh_config.5 |
3506 | @@ -766,10 +766,67 @@ The default is | 3506 | @@ -779,10 +779,67 @@ The default is |
3507 | Specifies whether user authentication based on GSSAPI is allowed. | 3507 | Specifies whether user authentication based on GSSAPI is allowed. |
3508 | The default is | 3508 | The default is |
3509 | .Cm no . | 3509 | .Cm no . |
@@ -3572,7 +3572,7 @@ index dc010ccbd..e2a2359f9 100644 | |||
3572 | Indicates that | 3572 | Indicates that |
3573 | .Xr ssh 1 | 3573 | .Xr ssh 1 |
3574 | diff --git a/sshconnect2.c b/sshconnect2.c | 3574 | diff --git a/sshconnect2.c b/sshconnect2.c |
3575 | index 1a6545edf..79a22e600 100644 | 3575 | index f64aae66a..c47fc31a6 100644 |
3576 | --- a/sshconnect2.c | 3576 | --- a/sshconnect2.c |
3577 | +++ b/sshconnect2.c | 3577 | +++ b/sshconnect2.c |
3578 | @@ -80,8 +80,6 @@ | 3578 | @@ -80,8 +80,6 @@ |
@@ -3584,7 +3584,7 @@ index 1a6545edf..79a22e600 100644 | |||
3584 | extern Options options; | 3584 | extern Options options; |
3585 | 3585 | ||
3586 | /* | 3586 | /* |
3587 | @@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | 3587 | @@ -210,6 +208,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) |
3588 | char *s, *all_key; | 3588 | char *s, *all_key; |
3589 | int r, use_known_hosts_order = 0; | 3589 | int r, use_known_hosts_order = 0; |
3590 | 3590 | ||
@@ -3596,7 +3596,7 @@ index 1a6545edf..79a22e600 100644 | |||
3596 | xxx_host = host; | 3596 | xxx_host = host; |
3597 | xxx_hostaddr = hostaddr; | 3597 | xxx_hostaddr = hostaddr; |
3598 | 3598 | ||
3599 | @@ -206,6 +209,41 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | 3599 | @@ -253,6 +256,41 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) |
3600 | compat_pkalg_proposal(options.hostkeyalgorithms); | 3600 | compat_pkalg_proposal(options.hostkeyalgorithms); |
3601 | } | 3601 | } |
3602 | 3602 | ||
@@ -3638,7 +3638,7 @@ index 1a6545edf..79a22e600 100644 | |||
3638 | if (options.rekey_limit || options.rekey_interval) | 3638 | if (options.rekey_limit || options.rekey_interval) |
3639 | ssh_packet_set_rekey_limits(ssh, options.rekey_limit, | 3639 | ssh_packet_set_rekey_limits(ssh, options.rekey_limit, |
3640 | options.rekey_interval); | 3640 | options.rekey_interval); |
3641 | @@ -224,16 +262,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | 3641 | @@ -271,16 +309,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) |
3642 | # ifdef OPENSSL_HAS_ECC | 3642 | # ifdef OPENSSL_HAS_ECC |
3643 | ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; | 3643 | ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; |
3644 | # endif | 3644 | # endif |
@@ -3686,7 +3686,7 @@ index 1a6545edf..79a22e600 100644 | |||
3686 | if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) | 3686 | if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) |
3687 | fatal("kex_prop2buf: %s", ssh_err(r)); | 3687 | fatal("kex_prop2buf: %s", ssh_err(r)); |
3688 | 3688 | ||
3689 | @@ -330,6 +398,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); | 3689 | @@ -377,6 +445,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); |
3690 | static int input_gssapi_token(int type, u_int32_t, struct ssh *); | 3690 | static int input_gssapi_token(int type, u_int32_t, struct ssh *); |
3691 | static int input_gssapi_error(int, u_int32_t, struct ssh *); | 3691 | static int input_gssapi_error(int, u_int32_t, struct ssh *); |
3692 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); | 3692 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); |
@@ -3694,7 +3694,7 @@ index 1a6545edf..79a22e600 100644 | |||
3694 | #endif | 3694 | #endif |
3695 | 3695 | ||
3696 | void userauth(struct ssh *, char *); | 3696 | void userauth(struct ssh *, char *); |
3697 | @@ -346,6 +415,11 @@ static char *authmethods_get(void); | 3697 | @@ -393,6 +462,11 @@ static char *authmethods_get(void); |
3698 | 3698 | ||
3699 | Authmethod authmethods[] = { | 3699 | Authmethod authmethods[] = { |
3700 | #ifdef GSSAPI | 3700 | #ifdef GSSAPI |
@@ -3706,7 +3706,7 @@ index 1a6545edf..79a22e600 100644 | |||
3706 | {"gssapi-with-mic", | 3706 | {"gssapi-with-mic", |
3707 | userauth_gssapi, | 3707 | userauth_gssapi, |
3708 | userauth_gssapi_cleanup, | 3708 | userauth_gssapi_cleanup, |
3709 | @@ -716,12 +790,31 @@ userauth_gssapi(struct ssh *ssh) | 3709 | @@ -763,12 +837,31 @@ userauth_gssapi(struct ssh *ssh) |
3710 | OM_uint32 min; | 3710 | OM_uint32 min; |
3711 | int r, ok = 0; | 3711 | int r, ok = 0; |
3712 | gss_OID mech = NULL; | 3712 | gss_OID mech = NULL; |
@@ -3739,7 +3739,7 @@ index 1a6545edf..79a22e600 100644 | |||
3739 | 3739 | ||
3740 | /* Check to see whether the mechanism is usable before we offer it */ | 3740 | /* Check to see whether the mechanism is usable before we offer it */ |
3741 | while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && | 3741 | while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && |
3742 | @@ -730,13 +823,15 @@ userauth_gssapi(struct ssh *ssh) | 3742 | @@ -777,13 +870,15 @@ userauth_gssapi(struct ssh *ssh) |
3743 | elements[authctxt->mech_tried]; | 3743 | elements[authctxt->mech_tried]; |
3744 | /* My DER encoding requires length<128 */ | 3744 | /* My DER encoding requires length<128 */ |
3745 | if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, | 3745 | if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, |
@@ -3756,7 +3756,7 @@ index 1a6545edf..79a22e600 100644 | |||
3756 | if (!ok || mech == NULL) | 3756 | if (!ok || mech == NULL) |
3757 | return 0; | 3757 | return 0; |
3758 | 3758 | ||
3759 | @@ -976,6 +1071,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) | 3759 | @@ -1023,6 +1118,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) |
3760 | free(lang); | 3760 | free(lang); |
3761 | return r; | 3761 | return r; |
3762 | } | 3762 | } |
@@ -3813,7 +3813,7 @@ index 1a6545edf..79a22e600 100644 | |||
3813 | 3813 | ||
3814 | static int | 3814 | static int |
3815 | diff --git a/sshd.c b/sshd.c | 3815 | diff --git a/sshd.c b/sshd.c |
3816 | index 6f8f11a3b..02fca5c28 100644 | 3816 | index 8aa7f3df6..8c5d5822e 100644 |
3817 | --- a/sshd.c | 3817 | --- a/sshd.c |
3818 | +++ b/sshd.c | 3818 | +++ b/sshd.c |
3819 | @@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh) | 3819 | @@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh) |
@@ -3827,7 +3827,7 @@ index 6f8f11a3b..02fca5c28 100644 | |||
3827 | sshpkt_fatal(ssh, r, "%s: send", __func__); | 3827 | sshpkt_fatal(ssh, r, "%s: send", __func__); |
3828 | sshbuf_free(buf); | 3828 | sshbuf_free(buf); |
3829 | } | 3829 | } |
3830 | @@ -1851,7 +1851,8 @@ main(int ac, char **av) | 3830 | @@ -1901,7 +1901,8 @@ main(int ac, char **av) |
3831 | free(fp); | 3831 | free(fp); |
3832 | } | 3832 | } |
3833 | accumulate_host_timing_secret(cfg, NULL); | 3833 | accumulate_host_timing_secret(cfg, NULL); |
@@ -3837,7 +3837,7 @@ index 6f8f11a3b..02fca5c28 100644 | |||
3837 | logit("sshd: no hostkeys available -- exiting."); | 3837 | logit("sshd: no hostkeys available -- exiting."); |
3838 | exit(1); | 3838 | exit(1); |
3839 | } | 3839 | } |
3840 | @@ -2342,6 +2343,48 @@ do_ssh2_kex(struct ssh *ssh) | 3840 | @@ -2393,6 +2394,48 @@ do_ssh2_kex(struct ssh *ssh) |
3841 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 3841 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3842 | list_hostkey_types()); | 3842 | list_hostkey_types()); |
3843 | 3843 | ||
@@ -3886,7 +3886,7 @@ index 6f8f11a3b..02fca5c28 100644 | |||
3886 | /* start key exchange */ | 3886 | /* start key exchange */ |
3887 | if ((r = kex_setup(ssh, myproposal)) != 0) | 3887 | if ((r = kex_setup(ssh, myproposal)) != 0) |
3888 | fatal("kex_setup: %s", ssh_err(r)); | 3888 | fatal("kex_setup: %s", ssh_err(r)); |
3889 | @@ -2357,7 +2400,18 @@ do_ssh2_kex(struct ssh *ssh) | 3889 | @@ -2408,7 +2451,18 @@ do_ssh2_kex(struct ssh *ssh) |
3890 | # ifdef OPENSSL_HAS_ECC | 3890 | # ifdef OPENSSL_HAS_ECC |
3891 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; | 3891 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
3892 | # endif | 3892 | # endif |
@@ -3920,7 +3920,7 @@ index 19b7c91a1..2c48105f8 100644 | |||
3920 | # Set this to 'yes' to enable PAM authentication, account processing, | 3920 | # Set this to 'yes' to enable PAM authentication, account processing, |
3921 | # and session processing. If this is enabled, PAM authentication will | 3921 | # and session processing. If this is enabled, PAM authentication will |
3922 | diff --git a/sshd_config.5 b/sshd_config.5 | 3922 | diff --git a/sshd_config.5 b/sshd_config.5 |
3923 | index b294efc2d..360e5fb1a 100644 | 3923 | index 6fa421cae..eabbe9e73 100644 |
3924 | --- a/sshd_config.5 | 3924 | --- a/sshd_config.5 |
3925 | +++ b/sshd_config.5 | 3925 | +++ b/sshd_config.5 |
3926 | @@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache | 3926 | @@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache |
@@ -3968,10 +3968,10 @@ index b294efc2d..360e5fb1a 100644 | |||
3968 | Specifies the key types that will be accepted for hostbased authentication | 3968 | Specifies the key types that will be accepted for hostbased authentication |
3969 | as a list of comma-separated patterns. | 3969 | as a list of comma-separated patterns. |
3970 | diff --git a/sshkey.c b/sshkey.c | 3970 | diff --git a/sshkey.c b/sshkey.c |
3971 | index 1571e3d93..1ac32a0ec 100644 | 3971 | index ac451f1a8..b88282e19 100644 |
3972 | --- a/sshkey.c | 3972 | --- a/sshkey.c |
3973 | +++ b/sshkey.c | 3973 | +++ b/sshkey.c |
3974 | @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { | 3974 | @@ -156,6 +156,7 @@ static const struct keytype keytypes[] = { |
3975 | KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, | 3975 | KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, |
3976 | # endif /* OPENSSL_HAS_ECC */ | 3976 | # endif /* OPENSSL_HAS_ECC */ |
3977 | #endif /* WITH_OPENSSL */ | 3977 | #endif /* WITH_OPENSSL */ |
@@ -3979,7 +3979,7 @@ index 1571e3d93..1ac32a0ec 100644 | |||
3979 | { NULL, NULL, NULL, -1, -1, 0, 0 } | 3979 | { NULL, NULL, NULL, -1, -1, 0, 0 } |
3980 | }; | 3980 | }; |
3981 | 3981 | ||
3982 | @@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) | 3982 | @@ -257,7 +258,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) |
3983 | const struct keytype *kt; | 3983 | const struct keytype *kt; |
3984 | 3984 | ||
3985 | for (kt = keytypes; kt->type != -1; kt++) { | 3985 | for (kt = keytypes; kt->type != -1; kt++) { |
@@ -3989,7 +3989,7 @@ index 1571e3d93..1ac32a0ec 100644 | |||
3989 | if (!include_sigonly && kt->sigonly) | 3989 | if (!include_sigonly && kt->sigonly) |
3990 | continue; | 3990 | continue; |
3991 | diff --git a/sshkey.h b/sshkey.h | 3991 | diff --git a/sshkey.h b/sshkey.h |
3992 | index 9c1d4f637..f586e8967 100644 | 3992 | index 2d8b62497..dc1c10597 100644 |
3993 | --- a/sshkey.h | 3993 | --- a/sshkey.h |
3994 | +++ b/sshkey.h | 3994 | +++ b/sshkey.h |
3995 | @@ -69,6 +69,7 @@ enum sshkey_types { | 3995 | @@ -69,6 +69,7 @@ enum sshkey_types { |