DEP-3 tagging of GSSAPI patches; split old-gssapi.patch more appropriately

author: Colin Watson <cjwatson@debian.org> 2010-02-27 18:08:33 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-02-27 18:08:33 +0000
commit: 56276d29ea829cd4c92cd881b496388d93c23dee (patch)
tree: 29ed53c0e3740b2fc2c138cb5b2a145412564b3b /debian/patches
parent: 8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 (diff)
6 files changed, 80 insertions, 35 deletions
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index 1e7949116..0ae7d0129 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -1,3 +1,8 @@
+Description: Update config.h.in following GSSAPI patch
+Author: Colin Watson <cjwatson@debian.org>
+Forwarded: not-needed
+Last-Updated: 2010-02-27
 Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch
new file mode 100644
index 000000000..773a10895
--- /dev/null
+++ b/debian/patches/gssapi-compat.patch
@@ -0,0 +1,30 @@
+Description: Compatibility with old GSSAPI option names
+ These options were supported by the old ssh-krb5 package in Debian.
+Author: Colin Watson <cjwatson@debian.org>
+Last-Updated: 2010-02-27
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
+++ b/servconf.c
+@@ -375,16 +375,20 @@
+ #ifdef GSSAPI
+        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+       { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+        { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+        { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ #else
+        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ #endif
+       { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
new file mode 100644
index 000000000..7292ac08d
--- /dev/null
+++ b/debian/patches/gssapi-dump.patch
@@ -0,0 +1,20 @@
+Description: GSSAPI configuration dump fixes
+ Add GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck to sshd -T
+ configuration dump.
+Author: Colin Watson <cjwatson@debian.org>
+Last-Updated: 2010-02-27
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
+++ b/servconf.c
+@@ -1624,7 +1624,9 @@
+ #endif
+ #ifdef GSSAPI
+        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+       dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+       dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ #endif
+ #ifdef JPAKE
+        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index a60a8b4e1..6550ba60b 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,3 +1,20 @@
+Description: GSSAPI key exchange support
+ This patch has been rejected upstream: "None of the OpenSSH developers are
+ in favour of adding this, and this situation has not changed for several
+ years.  This is not a slight on Simon's patch, which is of fine quality,
+ but just that a) we don't trust GSSAPI implementations that much and b) we
+ don't like adding new KEX since they are pre-auth attack surface.  This one
+ is particularly scary, since it requires hooks out to typically root-owned
+ system resources."
+ .
+ However, quite a lot of people rely on this in Debian, and it's better to
+ have it merged into the main openssh package rather than having separate
+ -krb5 packages (as we used to have).  It seems to have a generally good
+ security history.
+Author: Simon Wilkinson <simon@sxw.org.uk>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
+Last-Updated: 2010-02-27
 Index: b/ChangeLog.gssapi
 ===================================================================
 --- /dev/null
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
index 272654fd8..e2c4baa49 100644
--- a/debian/patches/old-gssapi.patch
+++ b/debian/patches/old-gssapi.patch
@@ -1,38 +1,9 @@
-Index: b/servconf.c
+Description: Interoperate with old GSSAPI authentication method
-===================================================================
+ ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
--- a/servconf.c
+Author: "Aaron M. Ucko" <ucko@debian.org>
-+++ b/servconf.c
+Bug-Debian: http://bugs.debian.org/328388
-@@ -375,16 +375,20 @@
+Last-Updated: 2010-02-27
- #ifdef GSSAPI
-        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
-        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+       { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
-        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
-        { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
-        { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
- #else
-        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
-        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+       { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
-        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
-        { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
-        { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
- #endif
-+       { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
-+       { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
-        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
-        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1620,7 +1624,9 @@
- #endif
- #ifdef GSSAPI
-        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
-+       dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
-        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
-+       dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
- #endif
- #ifdef JPAKE
-        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
 Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
diff --git a/debian/patches/series b/debian/patches/series
index fa74a5ee6..18758bf51 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,8 @@
 # GSSAPI
 gssapi.patch
 gssapi-autoconf.patch
+gssapi-compat.patch
+gssapi-dump.patch
 old-gssapi.patch
 # Autotools
author	Colin Watson <cjwatson@debian.org>	2010-02-27 18:08:33 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-02-27 18:08:33 +0000
commit	56276d29ea829cd4c92cd881b496388d93c23dee (patch)
tree	29ed53c0e3740b2fc2c138cb5b2a145412564b3b /debian/patches
parent	8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 (diff)

diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch index 1e7949116..0ae7d0129 100644 --- a/debian/patches/gssapi-autoconf.patch +++ b/debian/patches/gssapi-autoconf.patch
@@ -1,3 +1,8 @@
		1	Description: Update config.h.in following GSSAPI patch
		2	Author: Colin Watson <cjwatson@debian.org>
		3	Forwarded: not-needed
		4	Last-Updated: 2010-02-27
		5
1	Index: b/config.h.in	6	Index: b/config.h.in
2	===================================================================	7	===================================================================
3	--- a/config.h.in	8	--- a/config.h.in


diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch new file mode 100644 index 000000000..773a10895 --- /dev/null +++ b/debian/patches/gssapi-compat.patch
@@ -0,0 +1,30 @@
		1	Description: Compatibility with old GSSAPI option names
		2	These options were supported by the old ssh-krb5 package in Debian.
		3	Author: Colin Watson <cjwatson@debian.org>
		4	Last-Updated: 2010-02-27
		5
		6	Index: b/servconf.c
		7	===================================================================
		8	--- a/servconf.c
		9	+++ b/servconf.c
		10	@@ -375,16 +375,20 @@
		11	#ifdef GSSAPI
		12	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
		13	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
		14	+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
		15	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
		16	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
		17	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
		18	#else
		19	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
		20	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
		21	+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
		22	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
		23	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
		24	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
		25	#endif
		26	+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
		27	+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
		28	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
		29	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
		30	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },


diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch new file mode 100644 index 000000000..7292ac08d --- /dev/null +++ b/debian/patches/gssapi-dump.patch
@@ -0,0 +1,20 @@
		1	Description: GSSAPI configuration dump fixes
		2	Add GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck to sshd -T
		3	configuration dump.
		4	Author: Colin Watson <cjwatson@debian.org>
		5	Last-Updated: 2010-02-27
		6
		7	Index: b/servconf.c
		8	===================================================================
		9	--- a/servconf.c
		10	+++ b/servconf.c
		11	@@ -1624,7 +1624,9 @@
		12	#endif
		13	#ifdef GSSAPI
		14	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
		15	+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
		16	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
		17	+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
		18	#endif
		19	#ifdef JPAKE
		20	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,


diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index a60a8b4e1..6550ba60b 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch
@@ -1,3 +1,20 @@
		1	Description: GSSAPI key exchange support
		2	This patch has been rejected upstream: "None of the OpenSSH developers are
		3	in favour of adding this, and this situation has not changed for several
		4	years. This is not a slight on Simon's patch, which is of fine quality,
		5	but just that a) we don't trust GSSAPI implementations that much and b) we
		6	don't like adding new KEX since they are pre-auth attack surface. This one
		7	is particularly scary, since it requires hooks out to typically root-owned
		8	system resources."
		9	.
		10	However, quite a lot of people rely on this in Debian, and it's better to
		11	have it merged into the main openssh package rather than having separate
		12	-krb5 packages (as we used to have). It seems to have a generally good
		13	security history.
		14	Author: Simon Wilkinson <simon@sxw.org.uk>
		15	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
		16	Last-Updated: 2010-02-27
		17
1	Index: b/ChangeLog.gssapi	18	Index: b/ChangeLog.gssapi
2	===================================================================	19	===================================================================
3	--- /dev/null	20	--- /dev/null


diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch index 272654fd8..e2c4baa49 100644 --- a/debian/patches/old-gssapi.patch +++ b/debian/patches/old-gssapi.patch
@@ -1,38 +1,9 @@
1	Index: b/servconf.c	1	Description: Interoperate with old GSSAPI authentication method
2	===================================================================	2	ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
3	--- a/servconf.c	3	Author: "Aaron M. Ucko" <ucko@debian.org>
4	+++ b/servconf.c	4	Bug-Debian: http://bugs.debian.org/328388
5	@@ -375,16 +375,20 @@	5	Last-Updated: 2010-02-27
6	#ifdef GSSAPI	6
7	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
8	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
9	+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
10	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
11	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
12	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
13	#else
14	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
15	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
16	+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
17	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
18	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
19	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
20	#endif
21	+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
22	+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
23	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
24	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
25	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
26	@@ -1620,7 +1624,9 @@
27	#endif
28	#ifdef GSSAPI
29	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
30	+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
31	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
32	+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
33	#endif
34	#ifdef JPAKE
35	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
36	Index: b/sshconnect2.c	7	Index: b/sshconnect2.c
37	===================================================================	8	===================================================================
38	--- a/sshconnect2.c	9	--- a/sshconnect2.c


diff --git a/debian/patches/series b/debian/patches/series index fa74a5ee6..18758bf51 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -1,6 +1,8 @@
1	# GSSAPI	1	# GSSAPI
2	gssapi.patch	2	gssapi.patch
3	gssapi-autoconf.patch	3	gssapi-autoconf.patch
		4	gssapi-compat.patch
		5	gssapi-dump.patch
4	old-gssapi.patch	6	old-gssapi.patch
5		7
6	# Autotools	8	# Autotools