summaryrefslogtreecommitdiff
path: root/debian/patches
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2018-08-24 12:49:36 +0100
committerColin Watson <cjwatson@debian.org>2018-08-30 00:57:27 +0100
commit816386e17654ca36834bebbf351419e460fad8f6 (patch)
tree3dc79d831cb73bc25b92f5a4d18f8e328c0c570a /debian/patches
parent3e6f76c7039d3df22b1d0a3a5f30150efb09b69d (diff)
parent16a47fc4b04977a14f44dd433c8da1499fa80671 (diff)
New upstream release (7.8p1)
Closes: #907534
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/debian-banner.patch26
-rw-r--r--debian/patches/debian-config.patch24
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch565
-rw-r--r--debian/patches/keepalive-extensions.patch28
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch26
-rw-r--r--debian/patches/package-versioning.patch12
-rw-r--r--debian/patches/restore-authorized_keys2.patch4
-rw-r--r--debian/patches/restore-tcp-wrappers.patch26
-rw-r--r--debian/patches/scp-quoting.patch4
-rw-r--r--debian/patches/seccomp-getuid-geteuid.patch44
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch16
-rw-r--r--debian/patches/seccomp-s390-ioctl-ep11-crypto.patch6
-rw-r--r--debian/patches/selinux-role.patch177
-rw-r--r--debian/patches/series3
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch10
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/systemd-readiness.patch12
-rw-r--r--debian/patches/upstream-delay-bailout-for-invalid-authenticating-user.patch153
-rw-r--r--debian/patches/upstream-relax-checking-of-authorized_keys-environme.patch40
-rw-r--r--debian/patches/user-group-modes.patch36
29 files changed, 520 insertions, 740 deletions
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index b5a1ea191..ad2890400 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 66488db1ed04b4ca150ec530ed212fa46a653c1a Mon Sep 17 00:00:00 2001 1From 153278a21da639b5ad965632485f79ea4ac5e705 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 6f3f042b1..1afb4f798 100644 16index 6175c6063..0ee0285f6 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -352,6 +352,7 @@ install-files: 19@@ -356,6 +356,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 9062918f6..98d97dce8 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 9ec4db016a0510c449f9cefeb3299c2e755698c7 Mon Sep 17 00:00:00 2001 1From 905ffae23105d59b013aac809da6195d231b0395 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
8 8
9Bug-Debian: http://bugs.debian.org/562048 9Bug-Debian: http://bugs.debian.org/562048
10Forwarded: not-needed 10Forwarded: not-needed
11Last-Update: 2018-04-03 11Last-Update: 2018-08-24
12 12
13Patch-Name: debian-banner.patch 13Patch-Name: debian-banner.patch
14--- 14---
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index 3fff3d531..0a8f6fd62 100644 22index e49984a81..bb43a649c 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -177,6 +177,7 @@ initialize_server_options(ServerOptions *options) 25@@ -181,6 +181,7 @@ initialize_server_options(ServerOptions *options)
26 options->fingerprint_hash = -1; 26 options->fingerprint_hash = -1;
27 options->disable_forwarding = -1; 27 options->disable_forwarding = -1;
28 options->expose_userauth_info = -1; 28 options->expose_userauth_info = -1;
@@ -30,7 +30,7 @@ index 3fff3d531..0a8f6fd62 100644
30 } 30 }
31 31
32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
33@@ -393,6 +394,8 @@ fill_default_server_options(ServerOptions *options) 33@@ -413,6 +414,8 @@ fill_default_server_options(ServerOptions *options)
34 options->disable_forwarding = 0; 34 options->disable_forwarding = 0;
35 if (options->expose_userauth_info == -1) 35 if (options->expose_userauth_info == -1)
36 options->expose_userauth_info = 0; 36 options->expose_userauth_info = 0;
@@ -39,7 +39,7 @@ index 3fff3d531..0a8f6fd62 100644
39 39
40 assemble_algorithms(options); 40 assemble_algorithms(options);
41 41
42@@ -480,6 +483,7 @@ typedef enum { 42@@ -500,6 +503,7 @@ typedef enum {
43 sStreamLocalBindMask, sStreamLocalBindUnlink, 43 sStreamLocalBindMask, sStreamLocalBindUnlink,
44 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 44 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
45 sExposeAuthInfo, sRDomain, 45 sExposeAuthInfo, sRDomain,
@@ -47,7 +47,7 @@ index 3fff3d531..0a8f6fd62 100644
47 sDeprecated, sIgnore, sUnsupported 47 sDeprecated, sIgnore, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -634,6 +638,7 @@ static struct { 50@@ -656,6 +660,7 @@ static struct {
51 { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, 51 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
52 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, 52 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
53 { "rdomain", sRDomain, SSHCFG_ALL }, 53 { "rdomain", sRDomain, SSHCFG_ALL },
@@ -55,7 +55,7 @@ index 3fff3d531..0a8f6fd62 100644
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -2056,6 +2061,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -2164,6 +2169,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 *charptr = xstrdup(arg); 59 *charptr = xstrdup(arg);
60 break; 60 break;
61 61
@@ -67,20 +67,20 @@ index 3fff3d531..0a8f6fd62 100644
67 case sIgnore: 67 case sIgnore:
68 case sUnsupported: 68 case sUnsupported:
69diff --git a/servconf.h b/servconf.h 69diff --git a/servconf.h b/servconf.h
70index 5dfc9bc02..b0fa70455 100644 70index 9b117fe27..76098119b 100644
71--- a/servconf.h 71--- a/servconf.h
72+++ b/servconf.h 72+++ b/servconf.h
73@@ -211,6 +211,8 @@ typedef struct { 73@@ -211,6 +211,8 @@ typedef struct {
74
75 int fingerprint_hash; 74 int fingerprint_hash;
76 int expose_userauth_info; 75 int expose_userauth_info;
76 u_int64_t timing_secret;
77+ 77+
78+ int debian_banner; 78+ int debian_banner;
79 } ServerOptions; 79 } ServerOptions;
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index 9a7f5495c..1d645a170 100644 83index ffd3dad6a..698593605 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 86@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
@@ -94,10 +94,10 @@ index 9a7f5495c..1d645a170 100644
94 options.version_addendum); 94 options.version_addendum);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index 1a1c6dd09..45044a70f 100644 97index 0fbbccbde..96a69ab55 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -531,6 +531,11 @@ or 100@@ -532,6 +532,11 @@ or
101 .Cm no . 101 .Cm no .
102 The default is 102 The default is
103 .Cm yes . 103 .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index be6d7df30..fd86d5a4d 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From e8e09061f8168f6f105f56fca10b6cd61b9f587a Mon Sep 17 00:00:00 2001 1From 157278376c0eb6e4de3d47e8573684095a230685 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
39 6 files changed, 77 insertions(+), 9 deletions(-) 39 6 files changed, 77 insertions(+), 9 deletions(-)
40 40
41diff --git a/readconf.c b/readconf.c 41diff --git a/readconf.c b/readconf.c
42index 50349e238..efcf2d628 100644 42index 3ed6dfb54..a3d42f2ae 100644
43--- a/readconf.c 43--- a/readconf.c
44+++ b/readconf.c 44+++ b/readconf.c
45@@ -1916,7 +1916,7 @@ fill_default_options(Options * options) 45@@ -1974,7 +1974,7 @@ fill_default_options(Options * options)
46 if (options->forward_x11 == -1) 46 if (options->forward_x11 == -1)
47 options->forward_x11 = 0; 47 options->forward_x11 = 0;
48 if (options->forward_x11_trusted == -1) 48 if (options->forward_x11_trusted == -1)
@@ -52,10 +52,10 @@ index 50349e238..efcf2d628 100644
52 options->forward_x11_timeout = 1200; 52 options->forward_x11_timeout = 1200;
53 /* 53 /*
54diff --git a/ssh.1 b/ssh.1 54diff --git a/ssh.1 b/ssh.1
55index f8fc26d2a..8a03db952 100644 55index 0a8e63f51..ba55aa665 100644
56--- a/ssh.1 56--- a/ssh.1
57+++ b/ssh.1 57+++ b/ssh.1
58@@ -768,6 +768,16 @@ directive in 58@@ -772,6 +772,16 @@ directive in
59 .Xr ssh_config 5 59 .Xr ssh_config 5
60 for more information. 60 for more information.
61 .Pp 61 .Pp
@@ -72,7 +72,7 @@ index f8fc26d2a..8a03db952 100644
72 .It Fl x 72 .It Fl x
73 Disables X11 forwarding. 73 Disables X11 forwarding.
74 .Pp 74 .Pp
75@@ -776,6 +786,17 @@ Enables trusted X11 forwarding. 75@@ -780,6 +790,17 @@ Enables trusted X11 forwarding.
76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension 76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
77 controls. 77 controls.
78 .Pp 78 .Pp
@@ -114,7 +114,7 @@ index bcb9f153d..1b676fb2c 100644
114+ HashKnownHosts yes 114+ HashKnownHosts yes
115+ GSSAPIAuthentication yes 115+ GSSAPIAuthentication yes
116diff --git a/ssh_config.5 b/ssh_config.5 116diff --git a/ssh_config.5 b/ssh_config.5
117index ca0528842..ed6e5d026 100644 117index cb68f51a6..35c578c3b 100644
118--- a/ssh_config.5 118--- a/ssh_config.5
119+++ b/ssh_config.5 119+++ b/ssh_config.5
120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more 120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -140,7 +140,7 @@ index ca0528842..ed6e5d026 100644
140 The file contains keyword-argument pairs, one per line. 140 The file contains keyword-argument pairs, one per line.
141 Lines starting with 141 Lines starting with
142 .Ql # 142 .Ql #
143@@ -690,11 +706,12 @@ elapsed. 143@@ -681,11 +697,12 @@ elapsed.
144 .It Cm ForwardX11Trusted 144 .It Cm ForwardX11Trusted
145 If this option is set to 145 If this option is set to
146 .Cm yes , 146 .Cm yes ,
@@ -155,7 +155,7 @@ index ca0528842..ed6e5d026 100644
155 from stealing or tampering with data belonging to trusted X11 155 from stealing or tampering with data belonging to trusted X11
156 clients. 156 clients.
157diff --git a/sshd_config b/sshd_config 157diff --git a/sshd_config b/sshd_config
158index 86263d713..de9cc9fe2 100644 158index 2c48105f8..ed8272f6d 100644
159--- a/sshd_config 159--- a/sshd_config
160+++ b/sshd_config 160+++ b/sshd_config
161@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys 161@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -189,8 +189,8 @@ index 86263d713..de9cc9fe2 100644
189+PrintMotd no 189+PrintMotd no
190 #PrintLastLog yes 190 #PrintLastLog yes
191 #TCPKeepAlive yes 191 #TCPKeepAlive yes
192 #UseLogin no 192 #PermitUserEnvironment no
193@@ -108,8 +109,11 @@ AuthorizedKeysFile .ssh/authorized_keys 193@@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys
194 # no default banner path 194 # no default banner path
195 #Banner none 195 #Banner none
196 196
@@ -204,7 +204,7 @@ index 86263d713..de9cc9fe2 100644
204 # Example of overriding settings on a per-user basis 204 # Example of overriding settings on a per-user basis
205 #Match User anoncvs 205 #Match User anoncvs
206diff --git a/sshd_config.5 b/sshd_config.5 206diff --git a/sshd_config.5 b/sshd_config.5
207index 44b918463..4c7ee4254 100644 207index 9774831fe..15b82e84d 100644
208--- a/sshd_config.5 208--- a/sshd_config.5
209+++ b/sshd_config.5 209+++ b/sshd_config.5
210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes 210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 6c2ebf173..6e90d402c 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 8c11a03efd47de883b52838735d6890ca8d4d9f8 Mon Sep 17 00:00:00 2001 1From 298716354cedb77d8e3672a2157d63e15a778d64 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 599b8c0f6..2b7936a5d 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 6765f629a8f5416b133d26e023a201193c33d8b5 Mon Sep 17 00:00:00 2001 1From c1af61a47620c9f50efb53774139c308410f9296 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 84dcd52cc..ca0528842 100644 16index 03341a229..cb68f51a6 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -784,6 +784,9 @@ Note that existing names and addresses in known hosts files 19@@ -775,6 +775,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 3a4a5c896..eb212da29 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 4ccb07d2ebea1b01b56a455790224ce97a0b36e8 Mon Sep 17 00:00:00 2001 1From cae89cd0edc9d656661ea05b7ecca4c9a9ba4d77 Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index d47b0a796..25edd5cbe 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From cb427e23bf78d65407c78d868c4ef525dbfaa68f Mon Sep 17 00:00:00 2001 1From e6c7c11ac2576ac62334616bd4408bf64140bba7 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2017-10-04 20Last-Updated: 2018-08-24
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
@@ -25,23 +25,23 @@ Patch-Name: gssapi.patch
25 Makefile.in | 3 +- 25 Makefile.in | 3 +-
26 auth-krb5.c | 17 ++- 26 auth-krb5.c | 17 ++-
27 auth.c | 96 +------------- 27 auth.c | 96 +-------------
28 auth2-gss.c | 49 ++++++- 28 auth2-gss.c | 54 +++++++-
29 auth2.c | 2 + 29 auth2.c | 2 +
30 canohost.c | 93 +++++++++++++ 30 canohost.c | 93 +++++++++++++
31 canohost.h | 3 + 31 canohost.h | 3 +
32 clientloop.c | 15 ++- 32 clientloop.c | 15 ++-
33 config.h.in | 6 + 33 config.h.in | 6 +
34 configure.ac | 24 ++++ 34 configure.ac | 24 ++++
35 gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++- 35 gss-genr.c | 277 +++++++++++++++++++++++++++++++++++++-
36 gss-serv-krb5.c | 85 +++++++++++- 36 gss-serv-krb5.c | 85 +++++++++++-
37 gss-serv.c | 184 ++++++++++++++++++++++++-- 37 gss-serv.c | 184 ++++++++++++++++++++++++--
38 kex.c | 19 +++ 38 kex.c | 19 +++
39 kex.h | 14 ++ 39 kex.h | 14 ++
40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++ 40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++
41 kexgsss.c | 295 +++++++++++++++++++++++++++++++++++++++++ 41 kexgsss.c | 295 +++++++++++++++++++++++++++++++++++++++++
42 monitor.c | 115 ++++++++++++++-- 42 monitor.c | 122 +++++++++++++++--
43 monitor.h | 3 + 43 monitor.h | 3 +
44 monitor_wrap.c | 47 ++++++- 44 monitor_wrap.c | 53 +++++++-
45 monitor_wrap.h | 4 +- 45 monitor_wrap.h | 4 +-
46 readconf.c | 43 ++++++ 46 readconf.c | 43 ++++++
47 readconf.h | 5 + 47 readconf.h | 5 +
@@ -50,13 +50,13 @@ Patch-Name: gssapi.patch
50 ssh-gss.h | 41 +++++- 50 ssh-gss.h | 41 +++++-
51 ssh_config | 2 + 51 ssh_config | 2 +
52 ssh_config.5 | 32 +++++ 52 ssh_config.5 | 32 +++++
53 sshconnect2.c | 131 +++++++++++++++++- 53 sshconnect2.c | 133 ++++++++++++++++++-
54 sshd.c | 112 +++++++++++++++- 54 sshd.c | 112 +++++++++++++++-
55 sshd_config | 2 + 55 sshd_config | 2 +
56 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 57 sshkey.c | 3 +-
58 sshkey.h | 1 + 58 sshkey.h | 1 +
59 35 files changed, 2063 insertions(+), 147 deletions(-) 59 35 files changed, 2087 insertions(+), 145 deletions(-)
60 create mode 100644 ChangeLog.gssapi 60 create mode 100644 ChangeLog.gssapi
61 create mode 100644 kexgssc.c 61 create mode 100644 kexgssc.c
62 create mode 100644 kexgsss.c 62 create mode 100644 kexgsss.c
@@ -181,7 +181,7 @@ index 000000000..f117a336a
181+ (from jbasney AT ncsa.uiuc.edu) 181+ (from jbasney AT ncsa.uiuc.edu)
182+ <gssapi-with-mic support is Bugzilla #1008> 182+ <gssapi-with-mic support is Bugzilla #1008>
183diff --git a/Makefile.in b/Makefile.in 183diff --git a/Makefile.in b/Makefile.in
184index 04e1c8e53..6f3f042b1 100644 184index 2385c62a8..6175c6063 100644
185--- a/Makefile.in 185--- a/Makefile.in
186+++ b/Makefile.in 186+++ b/Makefile.in
187@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 187@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -193,7 +193,7 @@ index 04e1c8e53..6f3f042b1 100644
193 193
194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
195@@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ 195@@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
196 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ 196 auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
197 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 197 auth2-none.o auth2-passwd.o auth2-pubkey.o \
198 monitor.o monitor_wrap.o auth-krb5.o \ 198 monitor.o monitor_wrap.o auth-krb5.o \
199- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 199- auth2-gss.o gss-serv.o gss-serv-krb5.o \
@@ -202,7 +202,7 @@ index 04e1c8e53..6f3f042b1 100644
202 sftp-server.o sftp-common.o \ 202 sftp-server.o sftp-common.o \
203 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 203 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
204diff --git a/auth-krb5.c b/auth-krb5.c 204diff --git a/auth-krb5.c b/auth-krb5.c
205index a5a81ed2e..38e7fee21 100644 205index 3096f1c8e..204752e1b 100644
206--- a/auth-krb5.c 206--- a/auth-krb5.c
207+++ b/auth-krb5.c 207+++ b/auth-krb5.c
208@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 208@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -253,10 +253,10 @@ index a5a81ed2e..38e7fee21 100644
253 return (krb5_cc_resolve(ctx, ccname, ccache)); 253 return (krb5_cc_resolve(ctx, ccname, ccache));
254 } 254 }
255diff --git a/auth.c b/auth.c 255diff --git a/auth.c b/auth.c
256index 63366768a..76d586e31 100644 256index 9a3bc96f1..80eb78c48 100644
257--- a/auth.c 257--- a/auth.c
258+++ b/auth.c 258+++ b/auth.c
259@@ -396,7 +396,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) 259@@ -395,7 +395,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
260 case PERMIT_NO_PASSWD: 260 case PERMIT_NO_PASSWD:
261 if (strcmp(method, "publickey") == 0 || 261 if (strcmp(method, "publickey") == 0 ||
262 strcmp(method, "hostbased") == 0 || 262 strcmp(method, "hostbased") == 0 ||
@@ -266,7 +266,7 @@ index 63366768a..76d586e31 100644
266 return 1; 266 return 1;
267 break; 267 break;
268 case PERMIT_FORCED_ONLY: 268 case PERMIT_FORCED_ONLY:
269@@ -728,99 +729,6 @@ fakepw(void) 269@@ -733,99 +734,6 @@ fakepw(void)
270 return (&fake); 270 return (&fake);
271 } 271 }
272 272
@@ -367,11 +367,11 @@ index 63366768a..76d586e31 100644
367 * Return the canonical name of the host in the other side of the current 367 * Return the canonical name of the host in the other side of the current
368 * connection. The host name is cached, so it is efficient to call this 368 * connection. The host name is cached, so it is efficient to call this
369diff --git a/auth2-gss.c b/auth2-gss.c 369diff --git a/auth2-gss.c b/auth2-gss.c
370index 589283b72..fd411d3a7 100644 370index 9351e0428..1f12bb113 100644
371--- a/auth2-gss.c 371--- a/auth2-gss.c
372+++ b/auth2-gss.c 372+++ b/auth2-gss.c
373@@ -1,7 +1,7 @@ 373@@ -1,7 +1,7 @@
374 /* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */ 374 /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
375 375
376 /* 376 /*
377- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 377- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -379,7 +379,7 @@ index 589283b72..fd411d3a7 100644
379 * 379 *
380 * Redistribution and use in source and binary forms, with or without 380 * Redistribution and use in source and binary forms, with or without
381 * modification, are permitted provided that the following conditions 381 * modification, are permitted provided that the following conditions
382@@ -53,6 +53,41 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh); 382@@ -54,6 +54,46 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
383 static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh); 383 static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
384 static int input_gssapi_errtok(int, u_int32_t, struct ssh *); 384 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
385 385
@@ -390,21 +390,26 @@ index 589283b72..fd411d3a7 100644
390+userauth_gsskeyex(struct ssh *ssh) 390+userauth_gsskeyex(struct ssh *ssh)
391+{ 391+{
392+ Authctxt *authctxt = ssh->authctxt; 392+ Authctxt *authctxt = ssh->authctxt;
393+ int authenticated = 0; 393+ int r, authenticated = 0;
394+ Buffer b; 394+ struct sshbuf *b;
395+ gss_buffer_desc mic, gssbuf; 395+ gss_buffer_desc mic, gssbuf;
396+ u_int len; 396+ u_char *p;
397+ 397+ size_t len;
398+ mic.value = packet_get_string(&len); 398+
399+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
400+ (r = sshpkt_get_end(ssh)) != 0)
401+ fatal("%s: %s", __func__, ssh_err(r));
402+ if ((b = sshbuf_new()) == NULL)
403+ fatal("%s: sshbuf_new failed", __func__);
404+ mic.value = p;
399+ mic.length = len; 405+ mic.length = len;
400+ 406+
401+ packet_check_eom(); 407+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
402+
403+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
404+ "gssapi-keyex"); 408+ "gssapi-keyex");
405+ 409+
406+ gssbuf.value = buffer_ptr(&b); 410+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
407+ gssbuf.length = buffer_len(&b); 411+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
412+ gssbuf.length = sshbuf_len(b);
408+ 413+
409+ /* gss_kex_context is NULL with privsep, so we can't check it here */ 414+ /* gss_kex_context is NULL with privsep, so we can't check it here */
410+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 415+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
@@ -412,7 +417,7 @@ index 589283b72..fd411d3a7 100644
412+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, 417+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
413+ authctxt->pw)); 418+ authctxt->pw));
414+ 419+
415+ buffer_free(&b); 420+ sshbuf_free(b);
416+ free(mic.value); 421+ free(mic.value);
417+ 422+
418+ return (authenticated); 423+ return (authenticated);
@@ -421,9 +426,9 @@ index 589283b72..fd411d3a7 100644
421 /* 426 /*
422 * We only support those mechanisms that we know about (ie ones that we know 427 * We only support those mechanisms that we know about (ie ones that we know
423 * how to check local user kuserok and the like) 428 * how to check local user kuserok and the like)
424@@ -240,7 +275,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) 429@@ -260,7 +300,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
425 430 if ((r = sshpkt_get_end(ssh)) != 0)
426 packet_check_eom(); 431 fatal("%s: %s", __func__, ssh_err(r));
427 432
428- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 433- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
429+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, 434+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
@@ -431,8 +436,8 @@ index 589283b72..fd411d3a7 100644
431 436
432 if ((!use_privsep || mm_is_monitor()) && 437 if ((!use_privsep || mm_is_monitor()) &&
433 (displayname = ssh_gssapi_displayname()) != NULL) 438 (displayname = ssh_gssapi_displayname()) != NULL)
434@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) 439@@ -306,7 +347,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
435 gssbuf.length = buffer_len(&b); 440 gssbuf.length = sshbuf_len(b);
436 441
437 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 442 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
438- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 443- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
@@ -441,7 +446,7 @@ index 589283b72..fd411d3a7 100644
441 else 446 else
442 logit("GSSAPI MIC check failed"); 447 logit("GSSAPI MIC check failed");
443 448
444@@ -301,6 +338,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) 449@@ -326,6 +368,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
445 return 0; 450 return 0;
446 } 451 }
447 452
@@ -455,10 +460,10 @@ index 589283b72..fd411d3a7 100644
455 "gssapi-with-mic", 460 "gssapi-with-mic",
456 userauth_gssapi, 461 userauth_gssapi,
457diff --git a/auth2.c b/auth2.c 462diff --git a/auth2.c b/auth2.c
458index e0034229a..c34f58c45 100644 463index ab8795895..96efe164c 100644
459--- a/auth2.c 464--- a/auth2.c
460+++ b/auth2.c 465+++ b/auth2.c
461@@ -72,6 +72,7 @@ extern Authmethod method_passwd; 466@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
462 extern Authmethod method_kbdint; 467 extern Authmethod method_kbdint;
463 extern Authmethod method_hostbased; 468 extern Authmethod method_hostbased;
464 #ifdef GSSAPI 469 #ifdef GSSAPI
@@ -466,7 +471,7 @@ index e0034229a..c34f58c45 100644
466 extern Authmethod method_gssapi; 471 extern Authmethod method_gssapi;
467 #endif 472 #endif
468 473
469@@ -79,6 +80,7 @@ Authmethod *authmethods[] = { 474@@ -81,6 +82,7 @@ Authmethod *authmethods[] = {
470 &method_none, 475 &method_none,
471 &method_pubkey, 476 &method_pubkey,
472 #ifdef GSSAPI 477 #ifdef GSSAPI
@@ -593,7 +598,7 @@ index 26d62855a..0cadc9f18 100644
593 int get_peer_port(int); 598 int get_peer_port(int);
594 char *get_local_ipaddr(int); 599 char *get_local_ipaddr(int);
595diff --git a/clientloop.c b/clientloop.c 600diff --git a/clientloop.c b/clientloop.c
596index 7bcf22e38..ef803e985 100644 601index ad35cb7ba..e69c5141f 100644
597--- a/clientloop.c 602--- a/clientloop.c
598+++ b/clientloop.c 603+++ b/clientloop.c
599@@ -112,6 +112,10 @@ 604@@ -112,6 +112,10 @@
@@ -607,7 +612,7 @@ index 7bcf22e38..ef803e985 100644
607 /* import options */ 612 /* import options */
608 extern Options options; 613 extern Options options;
609 614
610@@ -1335,9 +1339,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, 615@@ -1357,9 +1361,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
611 break; 616 break;
612 617
613 /* Do channel operations unless rekeying in progress. */ 618 /* Do channel operations unless rekeying in progress. */
@@ -628,10 +633,10 @@ index 7bcf22e38..ef803e985 100644
628 client_process_net_input(readset); 633 client_process_net_input(readset);
629 634
630diff --git a/config.h.in b/config.h.in 635diff --git a/config.h.in b/config.h.in
631index 572087407..4c9545c78 100644 636index 7940b4c86..93295da07 100644
632--- a/config.h.in 637--- a/config.h.in
633+++ b/config.h.in 638+++ b/config.h.in
634@@ -1746,6 +1746,9 @@ 639@@ -1749,6 +1749,9 @@
635 /* Use btmp to log bad logins */ 640 /* Use btmp to log bad logins */
636 #undef USE_BTMP 641 #undef USE_BTMP
637 642
@@ -641,7 +646,7 @@ index 572087407..4c9545c78 100644
641 /* Use libedit for sftp */ 646 /* Use libedit for sftp */
642 #undef USE_LIBEDIT 647 #undef USE_LIBEDIT
643 648
644@@ -1761,6 +1764,9 @@ 649@@ -1764,6 +1767,9 @@
645 /* Use PIPES instead of a socketpair() */ 650 /* Use PIPES instead of a socketpair() */
646 #undef USE_PIPES 651 #undef USE_PIPES
647 652
@@ -652,10 +657,10 @@ index 572087407..4c9545c78 100644
652 #undef USE_SOLARIS_PRIVS 657 #undef USE_SOLARIS_PRIVS
653 658
654diff --git a/configure.ac b/configure.ac 659diff --git a/configure.ac b/configure.ac
655index 663062bef..1cd5eab6c 100644 660index 83e530750..82428b241 100644
656--- a/configure.ac 661--- a/configure.ac
657+++ b/configure.ac 662+++ b/configure.ac
658@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 663@@ -673,6 +673,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
659 [Use tunnel device compatibility to OpenBSD]) 664 [Use tunnel device compatibility to OpenBSD])
660 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 665 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
661 [Prepend the address family to IP tunnel traffic]) 666 [Prepend the address family to IP tunnel traffic])
@@ -687,11 +692,11 @@ index 663062bef..1cd5eab6c 100644
687 AC_CHECK_DECL([AU_IPv4], [], 692 AC_CHECK_DECL([AU_IPv4], [],
688 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 693 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
689diff --git a/gss-genr.c b/gss-genr.c 694diff --git a/gss-genr.c b/gss-genr.c
690index 62559ed9e..0b3ae073c 100644 695index d56257b4a..285fc29a5 100644
691--- a/gss-genr.c 696--- a/gss-genr.c
692+++ b/gss-genr.c 697+++ b/gss-genr.c
693@@ -1,7 +1,7 @@ 698@@ -1,7 +1,7 @@
694 /* $OpenBSD: gss-genr.c,v 1.24 2016/09/12 01:22:38 deraadt Exp $ */ 699 /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
695 700
696 /* 701 /*
697- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 702- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -699,12 +704,11 @@ index 62559ed9e..0b3ae073c 100644
699 * 704 *
700 * Redistribution and use in source and binary forms, with or without 705 * Redistribution and use in source and binary forms, with or without
701 * modification, are permitted provided that the following conditions 706 * modification, are permitted provided that the following conditions
702@@ -40,12 +40,167 @@ 707@@ -41,12 +41,34 @@
703 #include "buffer.h" 708 #include "sshbuf.h"
704 #include "log.h" 709 #include "log.h"
705 #include "ssh2.h" 710 #include "ssh2.h"
706+#include "cipher.h" 711+#include "cipher.h"
707+#include "key.h"
708+#include "kex.h" 712+#include "kex.h"
709+#include <openssl/evp.h> 713+#include <openssl/evp.h>
710 714
@@ -732,6 +736,13 @@ index 62559ed9e..0b3ae073c 100644
732+ return (gss_enc2oid != NULL); 736+ return (gss_enc2oid != NULL);
733+} 737+}
734+ 738+
739 /* sshbuf_get for gss_buffer_desc */
740 int
741 ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
742@@ -62,6 +84,141 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
743 return 0;
744 }
745
735+/* 746+/*
736+ * Return a list of the gss-group1-sha1 mechanisms supported by this program 747+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
737+ * 748+ *
@@ -754,9 +765,9 @@ index 62559ed9e..0b3ae073c 100644
754+char * 765+char *
755+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check, 766+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
756+ const char *host, const char *client) { 767+ const char *host, const char *client) {
757+ Buffer buf; 768+ struct sshbuf *buf;
758+ size_t i; 769+ size_t i;
759+ int oidpos, enclen; 770+ int r, oidpos, enclen;
760+ char *mechs, *encoded; 771+ char *mechs, *encoded;
761+ u_char digest[EVP_MAX_MD_SIZE]; 772+ u_char digest[EVP_MAX_MD_SIZE];
762+ char deroid[2]; 773+ char deroid[2];
@@ -772,7 +783,8 @@ index 62559ed9e..0b3ae073c 100644
772+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * 783+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
773+ (gss_supported->count + 1)); 784+ (gss_supported->count + 1));
774+ 785+
775+ buffer_init(&buf); 786+ if ((buf = sshbuf_new()) == NULL)
787+ fatal("%s: sshbuf_new failed", __func__);
776+ 788+
777+ oidpos = 0; 789+ oidpos = 0;
778+ for (i = 0; i < gss_supported->count; i++) { 790+ for (i = 0; i < gss_supported->count; i++) {
@@ -793,20 +805,25 @@ index 62559ed9e..0b3ae073c 100644
793+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md), 805+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
794+ encoded, EVP_MD_size(evp_md) * 2); 806+ encoded, EVP_MD_size(evp_md) * 2);
795+ 807+
796+ if (oidpos != 0) 808+ if (oidpos != 0) {
797+ buffer_put_char(&buf, ','); 809+ if ((r = sshbuf_put_u8(buf, ',')) != 0)
798+ 810+ fatal("%s: buffer error: %s",
799+ buffer_append(&buf, KEX_GSS_GEX_SHA1_ID, 811+ __func__, ssh_err(r));
800+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1); 812+ }
801+ buffer_append(&buf, encoded, enclen); 813+
802+ buffer_put_char(&buf, ','); 814+ if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
803+ buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 815+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
804+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1); 816+ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
805+ buffer_append(&buf, encoded, enclen); 817+ (r = sshbuf_put_u8(buf, ',')) != 0 ||
806+ buffer_put_char(&buf, ','); 818+ (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
807+ buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID, 819+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
808+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1); 820+ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
809+ buffer_append(&buf, encoded, enclen); 821+ (r = sshbuf_put_u8(buf, ',')) != 0 ||
822+ (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
823+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
824+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
825+ fatal("%s: buffer error: %s",
826+ __func__, ssh_err(r));
810+ 827+
811+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); 828+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
812+ gss_enc2oid[oidpos].encoded = encoded; 829+ gss_enc2oid[oidpos].encoded = encoded;
@@ -816,11 +833,8 @@ index 62559ed9e..0b3ae073c 100644
816+ gss_enc2oid[oidpos].oid = NULL; 833+ gss_enc2oid[oidpos].oid = NULL;
817+ gss_enc2oid[oidpos].encoded = NULL; 834+ gss_enc2oid[oidpos].encoded = NULL;
818+ 835+
819+ buffer_put_char(&buf, '\0'); 836+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
820+ 837+ fatal("%s: sshbuf_dup_string failed", __func__);
821+ mechs = xmalloc(buffer_len(&buf));
822+ buffer_get(&buf, mechs, buffer_len(&buf));
823+ buffer_free(&buf);
824+ 838+
825+ if (strlen(mechs) == 0) { 839+ if (strlen(mechs) == 0) {
826+ free(mechs); 840+ free(mechs);
@@ -867,7 +881,7 @@ index 62559ed9e..0b3ae073c 100644
867 /* Check that the OID in a data stream matches that in the context */ 881 /* Check that the OID in a data stream matches that in the context */
868 int 882 int
869 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) 883 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
870@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, 884@@ -218,7 +375,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
871 } 885 }
872 886
873 ctx->major = gss_init_sec_context(&ctx->minor, 887 ctx->major = gss_init_sec_context(&ctx->minor,
@@ -876,7 +890,7 @@ index 62559ed9e..0b3ae073c 100644
876 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 890 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
877 0, NULL, recv_tok, NULL, send_tok, flags, NULL); 891 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
878 892
879@@ -227,9 +382,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) 893@@ -247,9 +404,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
880 return (ctx->major); 894 return (ctx->major);
881 } 895 }
882 896
@@ -920,7 +934,7 @@ index 62559ed9e..0b3ae073c 100644
920 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, 934 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
921 GSS_C_QOP_DEFAULT, buffer, hash))) 935 GSS_C_QOP_DEFAULT, buffer, hash)))
922 ssh_gssapi_error(ctx); 936 ssh_gssapi_error(ctx);
923@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) 937@@ -257,6 +448,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
924 return (ctx->major); 938 return (ctx->major);
925 } 939 }
926 940
@@ -938,9 +952,9 @@ index 62559ed9e..0b3ae073c 100644
938+} 952+}
939+ 953+
940 void 954 void
941 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 955 ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
942 const char *context) 956 const char *context)
943@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 957@@ -273,11 +477,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
944 } 958 }
945 959
946 int 960 int
@@ -958,7 +972,7 @@ index 62559ed9e..0b3ae073c 100644
958 972
959 /* RFC 4462 says we MUST NOT do SPNEGO */ 973 /* RFC 4462 says we MUST NOT do SPNEGO */
960 if (oid->length == spnego_oid.length && 974 if (oid->length == spnego_oid.length &&
961@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) 975@@ -287,6 +496,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
962 ssh_gssapi_build_ctx(ctx); 976 ssh_gssapi_build_ctx(ctx);
963 ssh_gssapi_set_oid(*ctx, oid); 977 ssh_gssapi_set_oid(*ctx, oid);
964 major = ssh_gssapi_import_name(*ctx, host); 978 major = ssh_gssapi_import_name(*ctx, host);
@@ -969,7 +983,7 @@ index 62559ed9e..0b3ae073c 100644
969 if (!GSS_ERROR(major)) { 983 if (!GSS_ERROR(major)) {
970 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 984 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
971 NULL); 985 NULL);
972@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) 986@@ -296,10 +509,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
973 GSS_C_NO_BUFFER); 987 GSS_C_NO_BUFFER);
974 } 988 }
975 989
@@ -1038,11 +1052,11 @@ index 62559ed9e..0b3ae073c 100644
1038+ 1052+
1039 #endif /* GSSAPI */ 1053 #endif /* GSSAPI */
1040diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c 1054diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
1041index 795992d9f..fd8b37183 100644 1055index a151bc1e4..90f8692f5 100644
1042--- a/gss-serv-krb5.c 1056--- a/gss-serv-krb5.c
1043+++ b/gss-serv-krb5.c 1057+++ b/gss-serv-krb5.c
1044@@ -1,7 +1,7 @@ 1058@@ -1,7 +1,7 @@
1045 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */ 1059 /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
1046 1060
1047 /* 1061 /*
1048- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 1062- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1050,7 +1064,7 @@ index 795992d9f..fd8b37183 100644
1050 * 1064 *
1051 * Redistribution and use in source and binary forms, with or without 1065 * Redistribution and use in source and binary forms, with or without
1052 * modification, are permitted provided that the following conditions 1066 * modification, are permitted provided that the following conditions
1053@@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 1067@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
1054 krb5_error_code problem; 1068 krb5_error_code problem;
1055 krb5_principal princ; 1069 krb5_principal princ;
1056 OM_uint32 maj_status, min_status; 1070 OM_uint32 maj_status, min_status;
@@ -1060,7 +1074,7 @@ index 795992d9f..fd8b37183 100644
1060 1074
1061 if (client->creds == NULL) { 1075 if (client->creds == NULL) {
1062 debug("No credentials stored"); 1076 debug("No credentials stored");
1063@@ -181,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 1077@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
1064 return; 1078 return;
1065 } 1079 }
1066 1080
@@ -1081,7 +1095,7 @@ index 795992d9f..fd8b37183 100644
1081 1095
1082 #ifdef USE_PAM 1096 #ifdef USE_PAM
1083 if (options.use_pam) 1097 if (options.use_pam)
1084@@ -197,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 1098@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
1085 return; 1099 return;
1086 } 1100 }
1087 1101
@@ -1153,7 +1167,7 @@ index 795992d9f..fd8b37183 100644
1153 ssh_gssapi_mech gssapi_kerberos_mech = { 1167 ssh_gssapi_mech gssapi_kerberos_mech = {
1154 "toWM5Slw5Ew8Mqkay+al2g==", 1168 "toWM5Slw5Ew8Mqkay+al2g==",
1155 "Kerberos", 1169 "Kerberos",
1156@@ -204,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { 1170@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
1157 NULL, 1171 NULL,
1158 &ssh_gssapi_krb5_userok, 1172 &ssh_gssapi_krb5_userok,
1159 NULL, 1173 NULL,
@@ -1164,11 +1178,11 @@ index 795992d9f..fd8b37183 100644
1164 1178
1165 #endif /* KRB5 */ 1179 #endif /* KRB5 */
1166diff --git a/gss-serv.c b/gss-serv.c 1180diff --git a/gss-serv.c b/gss-serv.c
1167index 6cae720e5..967c6cfbc 100644 1181index ab3a15f0f..6c087a1b1 100644
1168--- a/gss-serv.c 1182--- a/gss-serv.c
1169+++ b/gss-serv.c 1183+++ b/gss-serv.c
1170@@ -1,7 +1,7 @@ 1184@@ -1,7 +1,7 @@
1171 /* $OpenBSD: gss-serv.c,v 1.30 2017/06/24 06:34:38 djm Exp $ */ 1185 /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
1172 1186
1173 /* 1187 /*
1174- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 1188- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1176,7 +1190,7 @@ index 6cae720e5..967c6cfbc 100644
1176 * 1190 *
1177 * Redistribution and use in source and binary forms, with or without 1191 * Redistribution and use in source and binary forms, with or without
1178 * modification, are permitted provided that the following conditions 1192 * modification, are permitted provided that the following conditions
1179@@ -45,17 +45,22 @@ 1193@@ -44,17 +44,22 @@
1180 #include "session.h" 1194 #include "session.h"
1181 #include "misc.h" 1195 #include "misc.h"
1182 #include "servconf.h" 1196 #include "servconf.h"
@@ -1201,7 +1215,7 @@ index 6cae720e5..967c6cfbc 100644
1201 1215
1202 #ifdef KRB5 1216 #ifdef KRB5
1203 extern ssh_gssapi_mech gssapi_kerberos_mech; 1217 extern ssh_gssapi_mech gssapi_kerberos_mech;
1204@@ -141,6 +146,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) 1218@@ -140,6 +145,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
1205 return (ssh_gssapi_acquire_cred(*ctx)); 1219 return (ssh_gssapi_acquire_cred(*ctx));
1206 } 1220 }
1207 1221
@@ -1230,7 +1244,7 @@ index 6cae720e5..967c6cfbc 100644
1230 /* Unprivileged */ 1244 /* Unprivileged */
1231 void 1245 void
1232 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1246 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1233@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) 1247@@ -150,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1234 gss_OID_set supported; 1248 gss_OID_set supported;
1235 1249
1236 gss_create_empty_oid_set(&min_status, oidset); 1250 gss_create_empty_oid_set(&min_status, oidset);
@@ -1241,7 +1255,7 @@ index 6cae720e5..967c6cfbc 100644
1241 1255
1242 while (supported_mechs[i]->name != NULL) { 1256 while (supported_mechs[i]->name != NULL) {
1243 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1257 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1244@@ -277,8 +306,48 @@ OM_uint32 1258@@ -276,8 +305,48 @@ OM_uint32
1245 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1259 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1246 { 1260 {
1247 int i = 0; 1261 int i = 0;
@@ -1291,7 +1305,7 @@ index 6cae720e5..967c6cfbc 100644
1291 1305
1292 client->mech = NULL; 1306 client->mech = NULL;
1293 1307
1294@@ -293,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1308@@ -292,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1295 if (client->mech == NULL) 1309 if (client->mech == NULL)
1296 return GSS_S_FAILURE; 1310 return GSS_S_FAILURE;
1297 1311
@@ -1305,7 +1319,7 @@ index 6cae720e5..967c6cfbc 100644
1305 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1319 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1306 &client->displayname, NULL))) { 1320 &client->displayname, NULL))) {
1307 ssh_gssapi_error(ctx); 1321 ssh_gssapi_error(ctx);
1308@@ -310,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1322@@ -309,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1309 return (ctx->major); 1323 return (ctx->major);
1310 } 1324 }
1311 1325
@@ -1314,7 +1328,7 @@ index 6cae720e5..967c6cfbc 100644
1314 /* We can't copy this structure, so we just move the pointer to it */ 1328 /* We can't copy this structure, so we just move the pointer to it */
1315 client->creds = ctx->client_creds; 1329 client->creds = ctx->client_creds;
1316 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1330 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1317@@ -357,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) 1331@@ -356,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
1318 1332
1319 /* Privileged */ 1333 /* Privileged */
1320 int 1334 int
@@ -1323,7 +1337,7 @@ index 6cae720e5..967c6cfbc 100644
1323 { 1337 {
1324 OM_uint32 lmin; 1338 OM_uint32 lmin;
1325 1339
1326@@ -367,9 +445,11 @@ ssh_gssapi_userok(char *user) 1340@@ -366,9 +444,11 @@ ssh_gssapi_userok(char *user)
1327 return 0; 1341 return 0;
1328 } 1342 }
1329 if (gssapi_client.mech && gssapi_client.mech->userok) 1343 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1337,7 +1351,7 @@ index 6cae720e5..967c6cfbc 100644
1337 /* Destroy delegated credentials if userok fails */ 1351 /* Destroy delegated credentials if userok fails */
1338 gss_release_buffer(&lmin, &gssapi_client.displayname); 1352 gss_release_buffer(&lmin, &gssapi_client.displayname);
1339 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1353 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1340@@ -383,14 +463,90 @@ ssh_gssapi_userok(char *user) 1354@@ -382,14 +462,90 @@ ssh_gssapi_userok(char *user)
1341 return (0); 1355 return (0);
1342 } 1356 }
1343 1357
@@ -1435,7 +1449,7 @@ index 6cae720e5..967c6cfbc 100644
1435 1449
1436 /* Privileged */ 1450 /* Privileged */
1437diff --git a/kex.c b/kex.c 1451diff --git a/kex.c b/kex.c
1438index 15ea28b07..6cc2935fe 100644 1452index 25f9f66f6..fb5bfaea5 100644
1439--- a/kex.c 1453--- a/kex.c
1440+++ b/kex.c 1454+++ b/kex.c
1441@@ -54,6 +54,10 @@ 1455@@ -54,6 +54,10 @@
@@ -1475,7 +1489,7 @@ index 15ea28b07..6cc2935fe 100644
1475 return NULL; 1489 return NULL;
1476 } 1490 }
1477 1491
1478@@ -599,6 +615,9 @@ kex_free(struct kex *kex) 1492@@ -653,6 +669,9 @@ kex_free(struct kex *kex)
1479 sshbuf_free(kex->peer); 1493 sshbuf_free(kex->peer);
1480 sshbuf_free(kex->my); 1494 sshbuf_free(kex->my);
1481 free(kex->session_id); 1495 free(kex->session_id);
@@ -1486,10 +1500,10 @@ index 15ea28b07..6cc2935fe 100644
1486 free(kex->server_version_string); 1500 free(kex->server_version_string);
1487 free(kex->failed_choice); 1501 free(kex->failed_choice);
1488diff --git a/kex.h b/kex.h 1502diff --git a/kex.h b/kex.h
1489index 01bb3986a..a708e4868 100644 1503index 593de1208..4e5ead839 100644
1490--- a/kex.h 1504--- a/kex.h
1491+++ b/kex.h 1505+++ b/kex.h
1492@@ -99,6 +99,9 @@ enum kex_exchange { 1506@@ -100,6 +100,9 @@ enum kex_exchange {
1493 KEX_DH_GEX_SHA256, 1507 KEX_DH_GEX_SHA256,
1494 KEX_ECDH_SHA2, 1508 KEX_ECDH_SHA2,
1495 KEX_C25519_SHA256, 1509 KEX_C25519_SHA256,
@@ -1499,7 +1513,7 @@ index 01bb3986a..a708e4868 100644
1499 KEX_MAX 1513 KEX_MAX
1500 }; 1514 };
1501 1515
1502@@ -147,6 +150,12 @@ struct kex { 1516@@ -148,6 +151,12 @@ struct kex {
1503 u_int flags; 1517 u_int flags;
1504 int hash_alg; 1518 int hash_alg;
1505 int ec_nid; 1519 int ec_nid;
@@ -1512,7 +1526,7 @@ index 01bb3986a..a708e4868 100644
1512 char *client_version_string; 1526 char *client_version_string;
1513 char *server_version_string; 1527 char *server_version_string;
1514 char *failed_choice; 1528 char *failed_choice;
1515@@ -197,6 +206,11 @@ int kexecdh_server(struct ssh *); 1529@@ -198,6 +207,11 @@ int kexecdh_server(struct ssh *);
1516 int kexc25519_client(struct ssh *); 1530 int kexc25519_client(struct ssh *);
1517 int kexc25519_server(struct ssh *); 1531 int kexc25519_server(struct ssh *);
1518 1532
@@ -1526,7 +1540,7 @@ index 01bb3986a..a708e4868 100644
1526 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); 1540 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
1527diff --git a/kexgssc.c b/kexgssc.c 1541diff --git a/kexgssc.c b/kexgssc.c
1528new file mode 100644 1542new file mode 100644
1529index 000000000..10447f2b0 1543index 000000000..953c0a248
1530--- /dev/null 1544--- /dev/null
1531+++ b/kexgssc.c 1545+++ b/kexgssc.c
1532@@ -0,0 +1,338 @@ 1546@@ -0,0 +1,338 @@
@@ -1566,9 +1580,9 @@ index 000000000..10447f2b0
1566+#include <string.h> 1580+#include <string.h>
1567+ 1581+
1568+#include "xmalloc.h" 1582+#include "xmalloc.h"
1569+#include "buffer.h" 1583+#include "sshbuf.h"
1570+#include "ssh2.h" 1584+#include "ssh2.h"
1571+#include "key.h" 1585+#include "sshkey.h"
1572+#include "cipher.h" 1586+#include "cipher.h"
1573+#include "kex.h" 1587+#include "kex.h"
1574+#include "log.h" 1588+#include "log.h"
@@ -1805,8 +1819,8 @@ index 000000000..10447f2b0
1805+ ssh->kex->hash_alg, 1819+ ssh->kex->hash_alg,
1806+ ssh->kex->client_version_string, 1820+ ssh->kex->client_version_string,
1807+ ssh->kex->server_version_string, 1821+ ssh->kex->server_version_string,
1808+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), 1822+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
1809+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), 1823+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
1810+ (serverhostkey ? serverhostkey : empty), slen, 1824+ (serverhostkey ? serverhostkey : empty), slen,
1811+ dh->pub_key, /* e */ 1825+ dh->pub_key, /* e */
1812+ dh_server_pub, /* f */ 1826+ dh_server_pub, /* f */
@@ -1819,8 +1833,8 @@ index 000000000..10447f2b0
1819+ ssh->kex->hash_alg, 1833+ ssh->kex->hash_alg,
1820+ ssh->kex->client_version_string, 1834+ ssh->kex->client_version_string,
1821+ ssh->kex->server_version_string, 1835+ ssh->kex->server_version_string,
1822+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), 1836+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
1823+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), 1837+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
1824+ (serverhostkey ? serverhostkey : empty), slen, 1838+ (serverhostkey ? serverhostkey : empty), slen,
1825+ min, nbits, max, 1839+ min, nbits, max,
1826+ dh->p, dh->g, 1840+ dh->p, dh->g,
@@ -1870,7 +1884,7 @@ index 000000000..10447f2b0
1870+#endif /* GSSAPI */ 1884+#endif /* GSSAPI */
1871diff --git a/kexgsss.c b/kexgsss.c 1885diff --git a/kexgsss.c b/kexgsss.c
1872new file mode 100644 1886new file mode 100644
1873index 000000000..38ca082ba 1887index 000000000..31ec6a890
1874--- /dev/null 1888--- /dev/null
1875+++ b/kexgsss.c 1889+++ b/kexgsss.c
1876@@ -0,0 +1,295 @@ 1890@@ -0,0 +1,295 @@
@@ -1908,9 +1922,9 @@ index 000000000..38ca082ba
1908+#include <openssl/bn.h> 1922+#include <openssl/bn.h>
1909+ 1923+
1910+#include "xmalloc.h" 1924+#include "xmalloc.h"
1911+#include "buffer.h" 1925+#include "sshbuf.h"
1912+#include "ssh2.h" 1926+#include "ssh2.h"
1913+#include "key.h" 1927+#include "sshkey.h"
1914+#include "cipher.h" 1928+#include "cipher.h"
1915+#include "kex.h" 1929+#include "kex.h"
1916+#include "log.h" 1930+#include "log.h"
@@ -2096,8 +2110,8 @@ index 000000000..38ca082ba
2096+ kex_dh_hash( 2110+ kex_dh_hash(
2097+ ssh->kex->hash_alg, 2111+ ssh->kex->hash_alg,
2098+ ssh->kex->client_version_string, ssh->kex->server_version_string, 2112+ ssh->kex->client_version_string, ssh->kex->server_version_string,
2099+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), 2113+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
2100+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), 2114+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
2101+ NULL, 0, /* Change this if we start sending host keys */ 2115+ NULL, 0, /* Change this if we start sending host keys */
2102+ dh_client_pub, dh->pub_key, shared_secret, 2116+ dh_client_pub, dh->pub_key, shared_secret,
2103+ hash, &hashlen 2117+ hash, &hashlen
@@ -2107,8 +2121,8 @@ index 000000000..38ca082ba
2107+ kexgex_hash( 2121+ kexgex_hash(
2108+ ssh->kex->hash_alg, 2122+ ssh->kex->hash_alg,
2109+ ssh->kex->client_version_string, ssh->kex->server_version_string, 2123+ ssh->kex->client_version_string, ssh->kex->server_version_string,
2110+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), 2124+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
2111+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), 2125+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
2112+ NULL, 0, 2126+ NULL, 0,
2113+ min, nbits, max, 2127+ min, nbits, max,
2114+ dh->p, dh->g, 2128+ dh->p, dh->g,
@@ -2170,19 +2184,19 @@ index 000000000..38ca082ba
2170+} 2184+}
2171+#endif /* GSSAPI */ 2185+#endif /* GSSAPI */
2172diff --git a/monitor.c b/monitor.c 2186diff --git a/monitor.c b/monitor.c
2173index c68e1b0d9..868fb0d2d 100644 2187index d4b4b0471..4e574a2ae 100644
2174--- a/monitor.c 2188--- a/monitor.c
2175+++ b/monitor.c 2189+++ b/monitor.c
2176@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2190@@ -143,6 +143,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *);
2177 int mm_answer_gss_accept_ctx(int, Buffer *); 2191 int mm_answer_gss_accept_ctx(int, struct sshbuf *);
2178 int mm_answer_gss_userok(int, Buffer *); 2192 int mm_answer_gss_userok(int, struct sshbuf *);
2179 int mm_answer_gss_checkmic(int, Buffer *); 2193 int mm_answer_gss_checkmic(int, struct sshbuf *);
2180+int mm_answer_gss_sign(int, Buffer *); 2194+int mm_answer_gss_sign(int, struct sshbuf *);
2181+int mm_answer_gss_updatecreds(int, Buffer *); 2195+int mm_answer_gss_updatecreds(int, struct sshbuf *);
2182 #endif 2196 #endif
2183 2197
2184 #ifdef SSH_AUDIT_EVENTS 2198 #ifdef SSH_AUDIT_EVENTS
2185@@ -232,11 +234,18 @@ struct mon_table mon_dispatch_proto20[] = { 2199@@ -213,11 +215,18 @@ struct mon_table mon_dispatch_proto20[] = {
2186 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, 2200 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
2187 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, 2201 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
2188 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, 2202 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
@@ -2201,7 +2215,7 @@ index c68e1b0d9..868fb0d2d 100644
2201 #ifdef WITH_OPENSSL 2215 #ifdef WITH_OPENSSL
2202 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2216 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2203 #endif 2217 #endif
2204@@ -306,6 +315,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2218@@ -287,6 +296,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2205 /* Permit requests for moduli and signatures */ 2219 /* Permit requests for moduli and signatures */
2206 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2220 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2207 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2221 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2212,7 +2226,7 @@ index c68e1b0d9..868fb0d2d 100644
2212 2226
2213 /* The first few requests do not require asynchronous access */ 2227 /* The first few requests do not require asynchronous access */
2214 while (!authenticated) { 2228 while (!authenticated) {
2215@@ -415,6 +428,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2229@@ -399,6 +412,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2216 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2230 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2217 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2231 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2218 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2232 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2223,7 +2237,7 @@ index c68e1b0d9..868fb0d2d 100644
2223 2237
2224 if (auth_opts->permit_pty_flag) { 2238 if (auth_opts->permit_pty_flag) {
2225 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 2239 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2226@@ -1652,6 +1669,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 2240@@ -1662,6 +1679,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
2227 # endif 2241 # endif
2228 #endif /* WITH_OPENSSL */ 2242 #endif /* WITH_OPENSSL */
2229 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2243 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2237,29 +2251,29 @@ index c68e1b0d9..868fb0d2d 100644
2237 kex->load_host_public_key=&get_hostkey_public_by_type; 2251 kex->load_host_public_key=&get_hostkey_public_by_type;
2238 kex->load_host_private_key=&get_hostkey_private_by_type; 2252 kex->load_host_private_key=&get_hostkey_private_by_type;
2239 kex->host_key_index=&get_hostkey_index; 2253 kex->host_key_index=&get_hostkey_index;
2240@@ -1740,8 +1764,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2254@@ -1752,8 +1776,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m)
2241 OM_uint32 major; 2255 u_char *p;
2242 u_int len; 2256 int r;
2243 2257
2244- if (!options.gss_authentication) 2258- if (!options.gss_authentication)
2245- fatal("%s: GSSAPI authentication not enabled", __func__); 2259- fatal("%s: GSSAPI authentication not enabled", __func__);
2246+ if (!options.gss_authentication && !options.gss_keyex) 2260+ if (!options.gss_authentication && !options.gss_keyex)
2247+ fatal("%s: GSSAPI not enabled", __func__); 2261+ fatal("%s: GSSAPI not enabled", __func__);
2248 2262
2249 goid.elements = buffer_get_string(m, &len); 2263 if ((r = sshbuf_get_string(m, &p, &len)) != 0)
2250 goid.length = len; 2264 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2251@@ -1770,8 +1794,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2265@@ -1785,8 +1809,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
2252 OM_uint32 flags = 0; /* GSI needs this */ 2266 OM_uint32 flags = 0; /* GSI needs this */
2253 u_int len; 2267 int r;
2254 2268
2255- if (!options.gss_authentication) 2269- if (!options.gss_authentication)
2256- fatal("%s: GSSAPI authentication not enabled", __func__); 2270- fatal("%s: GSSAPI authentication not enabled", __func__);
2257+ if (!options.gss_authentication && !options.gss_keyex) 2271+ if (!options.gss_authentication && !options.gss_keyex)
2258+ fatal("%s: GSSAPI not enabled", __func__); 2272+ fatal("%s: GSSAPI not enabled", __func__);
2259 2273
2260 in.value = buffer_get_string(m, &len); 2274 if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
2261 in.length = len; 2275 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2262@@ -1790,6 +1814,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2276@@ -1806,6 +1830,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2277 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2264 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2278 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2265 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2279 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2267,19 +2281,19 @@ index c68e1b0d9..868fb0d2d 100644
2267 } 2281 }
2268 return (0); 2282 return (0);
2269 } 2283 }
2270@@ -1801,8 +1826,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2284@@ -1817,8 +1842,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
2271 OM_uint32 ret; 2285 OM_uint32 ret;
2272 u_int len; 2286 int r;
2273 2287
2274- if (!options.gss_authentication) 2288- if (!options.gss_authentication)
2275- fatal("%s: GSSAPI authentication not enabled", __func__); 2289- fatal("%s: GSSAPI authentication not enabled", __func__);
2276+ if (!options.gss_authentication && !options.gss_keyex) 2290+ if (!options.gss_authentication && !options.gss_keyex)
2277+ fatal("%s: GSSAPI not enabled", __func__); 2291+ fatal("%s: GSSAPI not enabled", __func__);
2278 2292
2279 gssbuf.value = buffer_get_string(m, &len); 2293 if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
2280 gssbuf.length = len; 2294 (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
2281@@ -1831,10 +1856,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2295@@ -1847,10 +1872,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
2282 int authenticated; 2296 int r, authenticated;
2283 const char *displayname; 2297 const char *displayname;
2284 2298
2285- if (!options.gss_authentication) 2299- if (!options.gss_authentication)
@@ -2291,25 +2305,29 @@ index c68e1b0d9..868fb0d2d 100644
2291+ authenticated = authctxt->valid && 2305+ authenticated = authctxt->valid &&
2292+ ssh_gssapi_userok(authctxt->user, authctxt->pw); 2306+ ssh_gssapi_userok(authctxt->user, authctxt->pw);
2293 2307
2294 buffer_clear(m); 2308 sshbuf_reset(m);
2295 buffer_put_int(m, authenticated); 2309 if ((r = sshbuf_put_u32(m, authenticated)) != 0)
2296@@ -1850,5 +1876,76 @@ mm_answer_gss_userok(int sock, Buffer *m) 2310@@ -1867,5 +1893,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
2297 /* Monitor loop will terminate if authenticated */ 2311 /* Monitor loop will terminate if authenticated */
2298 return (authenticated); 2312 return (authenticated);
2299 } 2313 }
2300+ 2314+
2301+int 2315+int
2302+mm_answer_gss_sign(int socket, Buffer *m) 2316+mm_answer_gss_sign(int socket, struct sshbuf *m)
2303+{ 2317+{
2304+ gss_buffer_desc data; 2318+ gss_buffer_desc data;
2305+ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER; 2319+ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
2306+ OM_uint32 major, minor; 2320+ OM_uint32 major, minor;
2307+ u_int len; 2321+ size_t len;
2322+ u_char *p;
2323+ int r;
2308+ 2324+
2309+ if (!options.gss_authentication && !options.gss_keyex) 2325+ if (!options.gss_authentication && !options.gss_keyex)
2310+ fatal("%s: GSSAPI not enabled", __func__); 2326+ fatal("%s: GSSAPI not enabled", __func__);
2311+ 2327+
2312+ data.value = buffer_get_string(m, &len); 2328+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
2329+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
2330+ data.value = p;
2313+ data.length = len; 2331+ data.length = len;
2314+ if (data.length != 20) 2332+ if (data.length != 20)
2315+ fatal("%s: data length incorrect: %d", __func__, 2333+ fatal("%s: data length incorrect: %d", __func__,
@@ -2325,9 +2343,10 @@ index c68e1b0d9..868fb0d2d 100644
2325+ 2343+
2326+ free(data.value); 2344+ free(data.value);
2327+ 2345+
2328+ buffer_clear(m); 2346+ sshbuf_reset(m);
2329+ buffer_put_int(m, major); 2347+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
2330+ buffer_put_string(m, hash.value, hash.length); 2348+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
2349+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
2331+ 2350+
2332+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); 2351+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
2333+ 2352+
@@ -2343,16 +2362,17 @@ index c68e1b0d9..868fb0d2d 100644
2343+} 2362+}
2344+ 2363+
2345+int 2364+int
2346+mm_answer_gss_updatecreds(int socket, Buffer *m) { 2365+mm_answer_gss_updatecreds(int socket, struct sshbuf *m) {
2347+ ssh_gssapi_ccache store; 2366+ ssh_gssapi_ccache store;
2348+ int ok; 2367+ int r, ok;
2349+ 2368+
2350+ if (!options.gss_authentication && !options.gss_keyex) 2369+ if (!options.gss_authentication && !options.gss_keyex)
2351+ fatal("%s: GSSAPI not enabled", __func__); 2370+ fatal("%s: GSSAPI not enabled", __func__);
2352+ 2371+
2353+ store.filename = buffer_get_string(m, NULL); 2372+ if ((r = sshbuf_get_cstring(m, &store.filename, NULL)) != 0 ||
2354+ store.envvar = buffer_get_string(m, NULL); 2373+ (r = sshbuf_get_cstring(m, &store.envvar, NULL)) != 0 ||
2355+ store.envval = buffer_get_string(m, NULL); 2374+ (r = sshbuf_get_cstring(m, &store.envval, NULL)) != 0)
2375+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
2356+ 2376+
2357+ ok = ssh_gssapi_update_creds(&store); 2377+ ok = ssh_gssapi_update_creds(&store);
2358+ 2378+
@@ -2360,8 +2380,9 @@ index c68e1b0d9..868fb0d2d 100644
2360+ free(store.envvar); 2380+ free(store.envvar);
2361+ free(store.envval); 2381+ free(store.envval);
2362+ 2382+
2363+ buffer_clear(m); 2383+ sshbuf_reset(m);
2364+ buffer_put_int(m, ok); 2384+ if ((r = sshbuf_put_u32(m, ok)) != 0)
2385+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
2365+ 2386+
2366+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m); 2387+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
2367+ 2388+
@@ -2371,10 +2392,10 @@ index c68e1b0d9..868fb0d2d 100644
2371 #endif /* GSSAPI */ 2392 #endif /* GSSAPI */
2372 2393
2373diff --git a/monitor.h b/monitor.h 2394diff --git a/monitor.h b/monitor.h
2374index d68f67458..ec41404c7 100644 2395index 16047299f..44fbed589 100644
2375--- a/monitor.h 2396--- a/monitor.h
2376+++ b/monitor.h 2397+++ b/monitor.h
2377@@ -65,6 +65,9 @@ enum monitor_reqtype { 2398@@ -63,6 +63,9 @@ enum monitor_reqtype {
2378 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, 2399 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
2379 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, 2400 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
2380 2401
@@ -2385,19 +2406,19 @@ index d68f67458..ec41404c7 100644
2385 2406
2386 struct monitor { 2407 struct monitor {
2387diff --git a/monitor_wrap.c b/monitor_wrap.c 2408diff --git a/monitor_wrap.c b/monitor_wrap.c
2388index 9666bda4b..e749efc18 100644 2409index 732fb3476..1865a122a 100644
2389--- a/monitor_wrap.c 2410--- a/monitor_wrap.c
2390+++ b/monitor_wrap.c 2411+++ b/monitor_wrap.c
2391@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2412@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2392 } 2413 }
2393 2414
2394 int 2415 int
2395-mm_ssh_gssapi_userok(char *user) 2416-mm_ssh_gssapi_userok(char *user)
2396+mm_ssh_gssapi_userok(char *user, struct passwd *pw) 2417+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
2397 { 2418 {
2398 Buffer m; 2419 struct sshbuf *m;
2399 int authenticated = 0; 2420 int r, authenticated = 0;
2400@@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user) 2421@@ -1003,4 +1003,55 @@ mm_ssh_gssapi_userok(char *user)
2401 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2422 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2402 return (authenticated); 2423 return (authenticated);
2403 } 2424 }
@@ -2405,21 +2426,23 @@ index 9666bda4b..e749efc18 100644
2405+OM_uint32 2426+OM_uint32
2406+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) 2427+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
2407+{ 2428+{
2408+ Buffer m; 2429+ struct sshbuf *m;
2409+ OM_uint32 major; 2430+ OM_uint32 major;
2410+ u_int len; 2431+ int r;
2411+ 2432+
2412+ buffer_init(&m); 2433+ if ((m = sshbuf_new()) == NULL)
2413+ buffer_put_string(&m, data->value, data->length); 2434+ fatal("%s: sshbuf_new failed", __func__);
2435+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
2436+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
2414+ 2437+
2415+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m); 2438+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
2416+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m); 2439+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
2417+ 2440+
2418+ major = buffer_get_int(&m); 2441+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
2419+ hash->value = buffer_get_string(&m, &len); 2442+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
2420+ hash->length = len; 2443+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
2421+ 2444+
2422+ buffer_free(&m); 2445+ sshbuf_free(m);
2423+ 2446+
2424+ return(major); 2447+ return(major);
2425+} 2448+}
@@ -2427,29 +2450,32 @@ index 9666bda4b..e749efc18 100644
2427+int 2450+int
2428+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) 2451+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
2429+{ 2452+{
2430+ Buffer m; 2453+ struct sshbuf *m;
2431+ int ok; 2454+ int r, ok;
2432+ 2455+
2433+ buffer_init(&m); 2456+ if ((m = sshbuf_new()) == NULL)
2434+ 2457+ fatal("%s: sshbuf_new failed", __func__);
2435+ buffer_put_cstring(&m, store->filename ? store->filename : ""); 2458+ if ((r = sshbuf_put_cstring(m,
2436+ buffer_put_cstring(&m, store->envvar ? store->envvar : ""); 2459+ store->filename ? store->filename : "")) != 0 ||
2437+ buffer_put_cstring(&m, store->envval ? store->envval : ""); 2460+ (r = sshbuf_put_cstring(m,
2438+ 2461+ store->envvar ? store->envvar : "")) != 0 ||
2439+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m); 2462+ (r = sshbuf_put_cstring(m,
2440+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m); 2463+ store->envval ? store->envval : "")) != 0)
2464+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
2465+
2466+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
2467+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
2468+
2469+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
2470+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
2471+ sshbuf_free(m);
2441+ 2472+
2442+ ok = buffer_get_int(&m);
2443+
2444+ buffer_free(&m);
2445+
2446+ return (ok); 2473+ return (ok);
2447+} 2474+}
2448+ 2475+
2449 #endif /* GSSAPI */ 2476 #endif /* GSSAPI */
2450
2451diff --git a/monitor_wrap.h b/monitor_wrap.h 2477diff --git a/monitor_wrap.h b/monitor_wrap.h
2452index 762332704..0970d1f87 100644 2478index 644da081d..7f93144ff 100644
2453--- a/monitor_wrap.h 2479--- a/monitor_wrap.h
2454+++ b/monitor_wrap.h 2480+++ b/monitor_wrap.h
2455@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, 2481@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
@@ -2465,19 +2491,19 @@ index 762332704..0970d1f87 100644
2465 2491
2466 #ifdef USE_PAM 2492 #ifdef USE_PAM
2467diff --git a/readconf.c b/readconf.c 2493diff --git a/readconf.c b/readconf.c
2468index 88051db57..c8e792991 100644 2494index db5f2d547..4ad3c75fe 100644
2469--- a/readconf.c 2495--- a/readconf.c
2470+++ b/readconf.c 2496+++ b/readconf.c
2471@@ -160,6 +160,8 @@ typedef enum { 2497@@ -161,6 +161,8 @@ typedef enum {
2472 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2498 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2473 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2499 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2474 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2500 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
2475+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, 2501+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
2476+ oGssServerIdentity, 2502+ oGssServerIdentity,
2477 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2503 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2478 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2504 oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
2479 oHashKnownHosts, 2505 oHashKnownHosts,
2480@@ -199,10 +201,20 @@ static struct { 2506@@ -201,10 +203,20 @@ static struct {
2481 /* Sometimes-unsupported options */ 2507 /* Sometimes-unsupported options */
2482 #if defined(GSSAPI) 2508 #if defined(GSSAPI)
2483 { "gssapiauthentication", oGssAuthentication }, 2509 { "gssapiauthentication", oGssAuthentication },
@@ -2498,7 +2524,7 @@ index 88051db57..c8e792991 100644
2498 #endif 2524 #endif
2499 #ifdef ENABLE_PKCS11 2525 #ifdef ENABLE_PKCS11
2500 { "smartcarddevice", oPKCS11Provider }, 2526 { "smartcarddevice", oPKCS11Provider },
2501@@ -950,10 +962,30 @@ parse_time: 2527@@ -973,10 +985,30 @@ parse_time:
2502 intptr = &options->gss_authentication; 2528 intptr = &options->gss_authentication;
2503 goto parse_flag; 2529 goto parse_flag;
2504 2530
@@ -2529,7 +2555,7 @@ index 88051db57..c8e792991 100644
2529 case oBatchMode: 2555 case oBatchMode:
2530 intptr = &options->batch_mode; 2556 intptr = &options->batch_mode;
2531 goto parse_flag; 2557 goto parse_flag;
2532@@ -1765,7 +1797,12 @@ initialize_options(Options * options) 2558@@ -1817,7 +1849,12 @@ initialize_options(Options * options)
2533 options->pubkey_authentication = -1; 2559 options->pubkey_authentication = -1;
2534 options->challenge_response_authentication = -1; 2560 options->challenge_response_authentication = -1;
2535 options->gss_authentication = -1; 2561 options->gss_authentication = -1;
@@ -2542,7 +2568,7 @@ index 88051db57..c8e792991 100644
2542 options->password_authentication = -1; 2568 options->password_authentication = -1;
2543 options->kbd_interactive_authentication = -1; 2569 options->kbd_interactive_authentication = -1;
2544 options->kbd_interactive_devices = NULL; 2570 options->kbd_interactive_devices = NULL;
2545@@ -1906,8 +1943,14 @@ fill_default_options(Options * options) 2571@@ -1962,8 +1999,14 @@ fill_default_options(Options * options)
2546 options->challenge_response_authentication = 1; 2572 options->challenge_response_authentication = 1;
2547 if (options->gss_authentication == -1) 2573 if (options->gss_authentication == -1)
2548 options->gss_authentication = 0; 2574 options->gss_authentication = 0;
@@ -2558,10 +2584,10 @@ index 88051db57..c8e792991 100644
2558 options->password_authentication = 1; 2584 options->password_authentication = 1;
2559 if (options->kbd_interactive_authentication == -1) 2585 if (options->kbd_interactive_authentication == -1)
2560diff --git a/readconf.h b/readconf.h 2586diff --git a/readconf.h b/readconf.h
2561index f4d9e2b26..f469daaff 100644 2587index c56887816..5ea0c296b 100644
2562--- a/readconf.h 2588--- a/readconf.h
2563+++ b/readconf.h 2589+++ b/readconf.h
2564@@ -42,7 +42,12 @@ typedef struct { 2590@@ -40,7 +40,12 @@ typedef struct {
2565 int challenge_response_authentication; 2591 int challenge_response_authentication;
2566 /* Try S/Key or TIS, authentication. */ 2592 /* Try S/Key or TIS, authentication. */
2567 int gss_authentication; /* Try GSS authentication */ 2593 int gss_authentication; /* Try GSS authentication */
@@ -2575,10 +2601,10 @@ index f4d9e2b26..f469daaff 100644
2575 * authentication. */ 2601 * authentication. */
2576 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2602 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2577diff --git a/servconf.c b/servconf.c 2603diff --git a/servconf.c b/servconf.c
2578index 0f0d09068..cbbea05bf 100644 2604index c0f6af0be..e1ae07fb7 100644
2579--- a/servconf.c 2605--- a/servconf.c
2580+++ b/servconf.c 2606+++ b/servconf.c
2581@@ -123,8 +123,10 @@ initialize_server_options(ServerOptions *options) 2607@@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options)
2582 options->kerberos_ticket_cleanup = -1; 2608 options->kerberos_ticket_cleanup = -1;
2583 options->kerberos_get_afs_token = -1; 2609 options->kerberos_get_afs_token = -1;
2584 options->gss_authentication=-1; 2610 options->gss_authentication=-1;
@@ -2589,7 +2615,7 @@ index 0f0d09068..cbbea05bf 100644
2589 options->password_authentication = -1; 2615 options->password_authentication = -1;
2590 options->kbd_interactive_authentication = -1; 2616 options->kbd_interactive_authentication = -1;
2591 options->challenge_response_authentication = -1; 2617 options->challenge_response_authentication = -1;
2592@@ -315,10 +317,14 @@ fill_default_server_options(ServerOptions *options) 2618@@ -333,10 +335,14 @@ fill_default_server_options(ServerOptions *options)
2593 options->kerberos_get_afs_token = 0; 2619 options->kerberos_get_afs_token = 0;
2594 if (options->gss_authentication == -1) 2620 if (options->gss_authentication == -1)
2595 options->gss_authentication = 0; 2621 options->gss_authentication = 0;
@@ -2604,15 +2630,15 @@ index 0f0d09068..cbbea05bf 100644
2604 if (options->password_authentication == -1) 2630 if (options->password_authentication == -1)
2605 options->password_authentication = 1; 2631 options->password_authentication = 1;
2606 if (options->kbd_interactive_authentication == -1) 2632 if (options->kbd_interactive_authentication == -1)
2607@@ -461,6 +467,7 @@ typedef enum { 2633@@ -481,6 +487,7 @@ typedef enum {
2608 sHostKeyAlgorithms, 2634 sHostKeyAlgorithms,
2609 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 2635 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
2610 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2636 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
2611+ sGssKeyEx, sGssStoreRekey, 2637+ sGssKeyEx, sGssStoreRekey,
2612 sAcceptEnv, sPermitTunnel, 2638 sAcceptEnv, sSetEnv, sPermitTunnel,
2613 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2639 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
2614 sUsePrivilegeSeparation, sAllowAgentForwarding, 2640 sUsePrivilegeSeparation, sAllowAgentForwarding,
2615@@ -535,12 +542,20 @@ static struct { 2641@@ -555,12 +562,20 @@ static struct {
2616 #ifdef GSSAPI 2642 #ifdef GSSAPI
2617 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2643 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2618 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2644 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2633,7 +2659,7 @@ index 0f0d09068..cbbea05bf 100644
2633 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2659 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2634 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2660 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2635 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2661 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2636@@ -1407,6 +1422,10 @@ process_server_config_line(ServerOptions *options, char *line, 2662@@ -1459,6 +1474,10 @@ process_server_config_line(ServerOptions *options, char *line,
2637 intptr = &options->gss_authentication; 2663 intptr = &options->gss_authentication;
2638 goto parse_flag; 2664 goto parse_flag;
2639 2665
@@ -2644,7 +2670,7 @@ index 0f0d09068..cbbea05bf 100644
2644 case sGssCleanupCreds: 2670 case sGssCleanupCreds:
2645 intptr = &options->gss_cleanup_creds; 2671 intptr = &options->gss_cleanup_creds;
2646 goto parse_flag; 2672 goto parse_flag;
2647@@ -1415,6 +1434,10 @@ process_server_config_line(ServerOptions *options, char *line, 2673@@ -1467,6 +1486,10 @@ process_server_config_line(ServerOptions *options, char *line,
2648 intptr = &options->gss_strict_acceptor; 2674 intptr = &options->gss_strict_acceptor;
2649 goto parse_flag; 2675 goto parse_flag;
2650 2676
@@ -2655,7 +2681,7 @@ index 0f0d09068..cbbea05bf 100644
2655 case sPasswordAuthentication: 2681 case sPasswordAuthentication:
2656 intptr = &options->password_authentication; 2682 intptr = &options->password_authentication;
2657 goto parse_flag; 2683 goto parse_flag;
2658@@ -2453,7 +2476,10 @@ dump_config(ServerOptions *o) 2684@@ -2551,7 +2574,10 @@ dump_config(ServerOptions *o)
2659 #endif 2685 #endif
2660 #ifdef GSSAPI 2686 #ifdef GSSAPI
2661 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2687 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2667,10 +2693,10 @@ index 0f0d09068..cbbea05bf 100644
2667 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2693 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2668 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2694 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2669diff --git a/servconf.h b/servconf.h 2695diff --git a/servconf.h b/servconf.h
2670index 37a0fb1a3..5dfc9bc02 100644 2696index 557521d73..9b117fe27 100644
2671--- a/servconf.h 2697--- a/servconf.h
2672+++ b/servconf.h 2698+++ b/servconf.h
2673@@ -130,8 +130,10 @@ typedef struct { 2699@@ -124,8 +124,10 @@ typedef struct {
2674 int kerberos_get_afs_token; /* If true, try to get AFS token if 2700 int kerberos_get_afs_token; /* If true, try to get AFS token if
2675 * authenticated with Kerberos. */ 2701 * authenticated with Kerberos. */
2676 int gss_authentication; /* If true, permit GSSAPI authentication */ 2702 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2682,11 +2708,11 @@ index 37a0fb1a3..5dfc9bc02 100644
2682 * authentication. */ 2708 * authentication. */
2683 int kbd_interactive_authentication; /* If true, permit */ 2709 int kbd_interactive_authentication; /* If true, permit */
2684diff --git a/ssh-gss.h b/ssh-gss.h 2710diff --git a/ssh-gss.h b/ssh-gss.h
2685index 6593e422d..919660a03 100644 2711index 36180d07a..350ce7882 100644
2686--- a/ssh-gss.h 2712--- a/ssh-gss.h
2687+++ b/ssh-gss.h 2713+++ b/ssh-gss.h
2688@@ -1,6 +1,6 @@ 2714@@ -1,6 +1,6 @@
2689 /* $OpenBSD: ssh-gss.h,v 1.12 2017/06/24 06:34:38 djm Exp $ */ 2715 /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
2690 /* 2716 /*
2691- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 2717- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
2692+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 2718+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -2749,10 +2775,10 @@ index 6593e422d..919660a03 100644
2749 2775
2750 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 2776 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
2751 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 2777 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
2752@@ -119,17 +136,33 @@ void ssh_gssapi_build_ctx(Gssctxt **); 2778@@ -123,17 +140,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
2753 void ssh_gssapi_delete_ctx(Gssctxt **);
2754 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 2779 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
2755 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); 2780 void ssh_gssapi_buildmic(struct sshbuf *, const char *,
2781 const char *, const char *);
2756-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); 2782-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
2757+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); 2783+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
2758+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); 2784+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
@@ -2799,10 +2825,10 @@ index c12f5ef52..bcb9f153d 100644
2799 # CheckHostIP yes 2825 # CheckHostIP yes
2800 # AddressFamily any 2826 # AddressFamily any
2801diff --git a/ssh_config.5 b/ssh_config.5 2827diff --git a/ssh_config.5 b/ssh_config.5
2802index 71705cabd..66826aa70 100644 2828index f499396a3..5b99921b4 100644
2803--- a/ssh_config.5 2829--- a/ssh_config.5
2804+++ b/ssh_config.5 2830+++ b/ssh_config.5
2805@@ -727,10 +727,42 @@ The default is 2831@@ -718,10 +718,42 @@ The default is
2806 Specifies whether user authentication based on GSSAPI is allowed. 2832 Specifies whether user authentication based on GSSAPI is allowed.
2807 The default is 2833 The default is
2808 .Cm no . 2834 .Cm no .
@@ -2846,7 +2872,7 @@ index 71705cabd..66826aa70 100644
2846 Indicates that 2872 Indicates that
2847 .Xr ssh 1 2873 .Xr ssh 1
2848diff --git a/sshconnect2.c b/sshconnect2.c 2874diff --git a/sshconnect2.c b/sshconnect2.c
2849index 1f4a74cf4..83562c688 100644 2875index 10e4f0a08..c6a1b1271 100644
2850--- a/sshconnect2.c 2876--- a/sshconnect2.c
2851+++ b/sshconnect2.c 2877+++ b/sshconnect2.c
2852@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2878@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2861,7 +2887,7 @@ index 1f4a74cf4..83562c688 100644
2861 xxx_host = host; 2887 xxx_host = host;
2862 xxx_hostaddr = hostaddr; 2888 xxx_hostaddr = hostaddr;
2863 2889
2864@@ -192,6 +197,35 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2890@@ -194,6 +199,35 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2865 order_hostkeyalgs(host, hostaddr, port)); 2891 order_hostkeyalgs(host, hostaddr, port));
2866 } 2892 }
2867 2893
@@ -2897,7 +2923,7 @@ index 1f4a74cf4..83562c688 100644
2897 if (options.rekey_limit || options.rekey_interval) 2923 if (options.rekey_limit || options.rekey_interval)
2898 packet_set_rekey_limits(options.rekey_limit, 2924 packet_set_rekey_limits(options.rekey_limit,
2899 options.rekey_interval); 2925 options.rekey_interval);
2900@@ -213,15 +247,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2926@@ -215,15 +249,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2901 # endif 2927 # endif
2902 #endif 2928 #endif
2903 kex->kex[KEX_C25519_SHA256] = kexc25519_client; 2929 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2939,7 +2965,7 @@ index 1f4a74cf4..83562c688 100644
2939 if ((r = kex_prop2buf(kex->my, myproposal)) != 0) 2965 if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
2940 fatal("kex_prop2buf: %s", ssh_err(r)); 2966 fatal("kex_prop2buf: %s", ssh_err(r));
2941 2967
2942@@ -311,6 +371,7 @@ int input_gssapi_token(int type, u_int32_t, struct ssh *); 2968@@ -314,6 +374,7 @@ int input_gssapi_token(int type, u_int32_t, struct ssh *);
2943 int input_gssapi_hash(int type, u_int32_t, struct ssh *); 2969 int input_gssapi_hash(int type, u_int32_t, struct ssh *);
2944 int input_gssapi_error(int, u_int32_t, struct ssh *); 2970 int input_gssapi_error(int, u_int32_t, struct ssh *);
2945 int input_gssapi_errtok(int, u_int32_t, struct ssh *); 2971 int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -2947,7 +2973,7 @@ index 1f4a74cf4..83562c688 100644
2947 #endif 2973 #endif
2948 2974
2949 void userauth(Authctxt *, char *); 2975 void userauth(Authctxt *, char *);
2950@@ -327,6 +388,11 @@ static char *authmethods_get(void); 2976@@ -330,6 +391,11 @@ static char *authmethods_get(void);
2951 2977
2952 Authmethod authmethods[] = { 2978 Authmethod authmethods[] = {
2953 #ifdef GSSAPI 2979 #ifdef GSSAPI
@@ -2959,10 +2985,10 @@ index 1f4a74cf4..83562c688 100644
2959 {"gssapi-with-mic", 2985 {"gssapi-with-mic",
2960 userauth_gssapi, 2986 userauth_gssapi,
2961 NULL, 2987 NULL,
2962@@ -643,25 +709,40 @@ userauth_gssapi(Authctxt *authctxt) 2988@@ -657,25 +723,40 @@ userauth_gssapi(Authctxt *authctxt)
2963 static u_int mech = 0; 2989 static u_int mech = 0;
2964 OM_uint32 min; 2990 OM_uint32 min;
2965 int ok = 0; 2991 int r, ok = 0;
2966+ char *gss_host; 2992+ char *gss_host;
2967+ 2993+
2968+ if (options.gss_server_identity) 2994+ if (options.gss_server_identity)
@@ -2987,9 +3013,9 @@ index 1f4a74cf4..83562c688 100644
2987 while (mech < gss_supported->count && !ok) { 3013 while (mech < gss_supported->count && !ok) {
2988 /* My DER encoding requires length<128 */ 3014 /* My DER encoding requires length<128 */
2989 if (gss_supported->elements[mech].length < 128 && 3015 if (gss_supported->elements[mech].length < 128 &&
2990 ssh_gssapi_check_mechanism(&gssctxt, 3016 ssh_gssapi_check_mechanism(&gssctxt,
2991- &gss_supported->elements[mech], authctxt->host)) { 3017- &gss_supported->elements[mech], authctxt->host)) {
2992+ &gss_supported->elements[mech], gss_host, 3018+ &gss_supported->elements[mech], gss_host,
2993+ options.gss_client_identity)) { 3019+ options.gss_client_identity)) {
2994 ok = 1; /* Mechanism works */ 3020 ok = 1; /* Mechanism works */
2995 } else { 3021 } else {
@@ -3002,29 +3028,20 @@ index 1f4a74cf4..83562c688 100644
3002 if (!ok) 3028 if (!ok)
3003 return 0; 3029 return 0;
3004 3030
3005@@ -752,8 +833,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) 3031@@ -906,6 +987,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3006 {
3007 Authctxt *authctxt = ssh->authctxt;
3008 Gssctxt *gssctxt;
3009- int oidlen;
3010- char *oidv;
3011+ u_int oidlen;
3012+ u_char *oidv;
3013
3014 if (authctxt == NULL)
3015 fatal("input_gssapi_response: no authentication context");
3016@@ -866,6 +947,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3017 free(lang); 3032 free(lang);
3018 return 0; 3033 return r;
3019 } 3034 }
3020+ 3035+
3021+int 3036+int
3022+userauth_gsskeyex(Authctxt *authctxt) 3037+userauth_gsskeyex(Authctxt *authctxt)
3023+{ 3038+{
3024+ Buffer b; 3039+ struct ssh *ssh = active_state; /* XXX */
3040+ struct sshbuf *b;
3025+ gss_buffer_desc gssbuf; 3041+ gss_buffer_desc gssbuf;
3026+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; 3042+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
3027+ OM_uint32 ms; 3043+ OM_uint32 ms;
3044+ int r;
3028+ 3045+
3029+ static int attempt = 0; 3046+ static int attempt = 0;
3030+ if (attempt++ >= 1) 3047+ if (attempt++ >= 1)
@@ -3035,25 +3052,29 @@ index 1f4a74cf4..83562c688 100644
3035+ return (0); 3052+ return (0);
3036+ } 3053+ }
3037+ 3054+
3038+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service, 3055+ if ((b = sshbuf_new()) == NULL)
3056+ fatal("%s: sshbuf_new failed", __func__);
3057+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
3039+ "gssapi-keyex"); 3058+ "gssapi-keyex");
3040+ 3059+
3041+ gssbuf.value = buffer_ptr(&b); 3060+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
3042+ gssbuf.length = buffer_len(&b); 3061+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
3062+ gssbuf.length = sshbuf_len(b);
3043+ 3063+
3044+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { 3064+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
3045+ buffer_free(&b); 3065+ sshbuf_free(b);
3046+ return (0); 3066+ return (0);
3047+ } 3067+ }
3048+ 3068+
3049+ packet_start(SSH2_MSG_USERAUTH_REQUEST); 3069+ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
3050+ packet_put_cstring(authctxt->server_user); 3070+ (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
3051+ packet_put_cstring(authctxt->service); 3071+ (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
3052+ packet_put_cstring(authctxt->method->name); 3072+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
3053+ packet_put_string(mic.value, mic.length); 3073+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
3054+ packet_send(); 3074+ (r = sshpkt_send(ssh)) != 0)
3075+ fatal("%s: %s", __func__, ssh_err(r));
3055+ 3076+
3056+ buffer_free(&b); 3077+ sshbuf_free(b);
3057+ gss_release_buffer(&ms, &mic); 3078+ gss_release_buffer(&ms, &mic);
3058+ 3079+
3059+ return (1); 3080+ return (1);
@@ -3063,7 +3084,7 @@ index 1f4a74cf4..83562c688 100644
3063 3084
3064 int 3085 int
3065diff --git a/sshd.c b/sshd.c 3086diff --git a/sshd.c b/sshd.c
3066index fd95b681b..e88185efa 100644 3087index a738c3ab6..2e453cdf8 100644
3067--- a/sshd.c 3088--- a/sshd.c
3068+++ b/sshd.c 3089+++ b/sshd.c
3069@@ -123,6 +123,10 @@ 3090@@ -123,6 +123,10 @@
@@ -3077,7 +3098,7 @@ index fd95b681b..e88185efa 100644
3077 /* Re-exec fds */ 3098 /* Re-exec fds */
3078 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 3099 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
3079 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 3100 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
3080@@ -531,7 +535,7 @@ privsep_preauth_child(void) 3101@@ -536,7 +540,7 @@ privsep_preauth_child(void)
3081 3102
3082 #ifdef GSSAPI 3103 #ifdef GSSAPI
3083 /* Cache supported mechanism OIDs for later use */ 3104 /* Cache supported mechanism OIDs for later use */
@@ -3086,10 +3107,10 @@ index fd95b681b..e88185efa 100644
3086 ssh_gssapi_prepare_supported_oids(); 3107 ssh_gssapi_prepare_supported_oids();
3087 #endif 3108 #endif
3088 3109
3089@@ -1753,10 +1757,13 @@ main(int ac, char **av) 3110@@ -1811,10 +1815,13 @@ main(int ac, char **av)
3090 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
3091 free(fp); 3111 free(fp);
3092 } 3112 }
3113 accumulate_host_timing_secret(cfg, NULL);
3093+#ifndef GSSAPI 3114+#ifndef GSSAPI
3094+ /* The GSSAPI key exchange can run without a host key */ 3115+ /* The GSSAPI key exchange can run without a host key */
3095 if (!sensitive_data.have_ssh2_key) { 3116 if (!sensitive_data.have_ssh2_key) {
@@ -3100,7 +3121,7 @@ index fd95b681b..e88185efa 100644
3100 3121
3101 /* 3122 /*
3102 * Load certificates. They are stored in an array at identical 3123 * Load certificates. They are stored in an array at identical
3103@@ -2047,6 +2054,60 @@ main(int ac, char **av) 3124@@ -2105,6 +2112,60 @@ main(int ac, char **av)
3104 rdomain == NULL ? "" : "\""); 3125 rdomain == NULL ? "" : "\"");
3105 free(laddr); 3126 free(laddr);
3106 3127
@@ -3161,7 +3182,7 @@ index fd95b681b..e88185efa 100644
3161 /* 3182 /*
3162 * We don't want to listen forever unless the other side 3183 * We don't want to listen forever unless the other side
3163 * successfully authenticates itself. So we set up an alarm which is 3184 * successfully authenticates itself. So we set up an alarm which is
3164@@ -2234,6 +2295,48 @@ do_ssh2_kex(void) 3185@@ -2288,6 +2349,48 @@ do_ssh2_kex(void)
3165 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3186 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3166 list_hostkey_types()); 3187 list_hostkey_types());
3167 3188
@@ -3210,7 +3231,7 @@ index fd95b681b..e88185efa 100644
3210 /* start key exchange */ 3231 /* start key exchange */
3211 if ((r = kex_setup(active_state, myproposal)) != 0) 3232 if ((r = kex_setup(active_state, myproposal)) != 0)
3212 fatal("kex_setup: %s", ssh_err(r)); 3233 fatal("kex_setup: %s", ssh_err(r));
3213@@ -2251,6 +2354,13 @@ do_ssh2_kex(void) 3234@@ -2305,6 +2408,13 @@ do_ssh2_kex(void)
3214 # endif 3235 # endif
3215 #endif 3236 #endif
3216 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3237 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3225,7 +3246,7 @@ index fd95b681b..e88185efa 100644
3225 kex->client_version_string=client_version_string; 3246 kex->client_version_string=client_version_string;
3226 kex->server_version_string=server_version_string; 3247 kex->server_version_string=server_version_string;
3227diff --git a/sshd_config b/sshd_config 3248diff --git a/sshd_config b/sshd_config
3228index 3109d5d73..86263d713 100644 3249index 19b7c91a1..2c48105f8 100644
3229--- a/sshd_config 3250--- a/sshd_config
3230+++ b/sshd_config 3251+++ b/sshd_config
3231@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys 3252@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -3238,10 +3259,10 @@ index 3109d5d73..86263d713 100644
3238 # Set this to 'yes' to enable PAM authentication, account processing, 3259 # Set this to 'yes' to enable PAM authentication, account processing,
3239 # and session processing. If this is enabled, PAM authentication will 3260 # and session processing. If this is enabled, PAM authentication will
3240diff --git a/sshd_config.5 b/sshd_config.5 3261diff --git a/sshd_config.5 b/sshd_config.5
3241index e3c7c3936..c4a3f3cb2 100644 3262index e1b54ba20..a0ac717c7 100644
3242--- a/sshd_config.5 3263--- a/sshd_config.5
3243+++ b/sshd_config.5 3264+++ b/sshd_config.5
3244@@ -636,6 +636,11 @@ The default is 3265@@ -637,6 +637,11 @@ The default is
3245 Specifies whether user authentication based on GSSAPI is allowed. 3266 Specifies whether user authentication based on GSSAPI is allowed.
3246 The default is 3267 The default is
3247 .Cm no . 3268 .Cm no .
@@ -3253,7 +3274,7 @@ index e3c7c3936..c4a3f3cb2 100644
3253 .It Cm GSSAPICleanupCredentials 3274 .It Cm GSSAPICleanupCredentials
3254 Specifies whether to automatically destroy the user's credentials cache 3275 Specifies whether to automatically destroy the user's credentials cache
3255 on logout. 3276 on logout.
3256@@ -655,6 +660,11 @@ machine's default store. 3277@@ -656,6 +661,11 @@ machine's default store.
3257 This facility is provided to assist with operation on multi homed machines. 3278 This facility is provided to assist with operation on multi homed machines.
3258 The default is 3279 The default is
3259 .Cm yes . 3280 .Cm yes .
@@ -3264,20 +3285,20 @@ index e3c7c3936..c4a3f3cb2 100644
3264+.Cm no . 3285+.Cm no .
3265 .It Cm HostbasedAcceptedKeyTypes 3286 .It Cm HostbasedAcceptedKeyTypes
3266 Specifies the key types that will be accepted for hostbased authentication 3287 Specifies the key types that will be accepted for hostbased authentication
3267 as a comma-separated pattern list. 3288 as a list of comma-separated patterns.
3268diff --git a/sshkey.c b/sshkey.c 3289diff --git a/sshkey.c b/sshkey.c
3269index 7712fba23..088872860 100644 3290index 72c08c7e0..91e99a262 100644
3270--- a/sshkey.c 3291--- a/sshkey.c
3271+++ b/sshkey.c 3292+++ b/sshkey.c
3272@@ -122,6 +122,7 @@ static const struct keytype keytypes[] = { 3293@@ -140,6 +140,7 @@ static const struct keytype keytypes[] = {
3273 # endif /* OPENSSL_HAS_NISTP521 */ 3294 # endif /* OPENSSL_HAS_NISTP521 */
3274 # endif /* OPENSSL_HAS_ECC */ 3295 # endif /* OPENSSL_HAS_ECC */
3275 #endif /* WITH_OPENSSL */ 3296 #endif /* WITH_OPENSSL */
3276+ { "null", "null", KEY_NULL, 0, 0, 0 }, 3297+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
3277 { NULL, NULL, -1, -1, 0, 0 } 3298 { NULL, NULL, NULL, -1, -1, 0, 0 }
3278 }; 3299 };
3279 3300
3280@@ -210,7 +211,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 3301@@ -228,7 +229,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
3281 const struct keytype *kt; 3302 const struct keytype *kt;
3282 3303
3283 for (kt = keytypes; kt->type != -1; kt++) { 3304 for (kt = keytypes; kt->type != -1; kt++) {
@@ -3287,7 +3308,7 @@ index 7712fba23..088872860 100644
3287 if (!include_sigonly && kt->sigonly) 3308 if (!include_sigonly && kt->sigonly)
3288 continue; 3309 continue;
3289diff --git a/sshkey.h b/sshkey.h 3310diff --git a/sshkey.h b/sshkey.h
3290index 155cd45ae..4e89049f1 100644 3311index 9060b2ecb..0cbdcfd74 100644
3291--- a/sshkey.h 3312--- a/sshkey.h
3292+++ b/sshkey.h 3313+++ b/sshkey.h
3293@@ -63,6 +63,7 @@ enum sshkey_types { 3314@@ -63,6 +63,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index b75b82068..fc052ea73 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From a7045c36e6e072c8f9250fbe11cf2f9db9f51a08 Mon Sep 17 00:00:00 2001 1From 2c0a1fef2aaf16c5b97694139239797f0ea33d27 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -16,7 +16,7 @@ keepalives.
16Author: Ian Jackson <ian@chiark.greenend.org.uk> 16Author: Ian Jackson <ian@chiark.greenend.org.uk>
17Author: Matthew Vernon <matthew@debian.org> 17Author: Matthew Vernon <matthew@debian.org>
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Last-Update: 2017-10-04 19Last-Update: 2018-08-24
20 20
21Patch-Name: keepalive-extensions.patch 21Patch-Name: keepalive-extensions.patch
22--- 22---
@@ -26,10 +26,10 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 1f1be7789..7f2b5c172 100644 29index 6e26ba32d..3fd0fe7b7 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -174,6 +174,7 @@ typedef enum { 32@@ -175,6 +175,7 @@ typedef enum {
33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, 33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, 34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
35 oPubkeyAcceptedKeyTypes, oProxyJump, 35 oPubkeyAcceptedKeyTypes, oProxyJump,
@@ -37,7 +37,7 @@ index 1f1be7789..7f2b5c172 100644
37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -319,6 +320,8 @@ static struct { 40@@ -321,6 +322,8 @@ static struct {
41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
42 { "ignoreunknown", oIgnoreUnknown }, 42 { "ignoreunknown", oIgnoreUnknown },
43 { "proxyjump", oProxyJump }, 43 { "proxyjump", oProxyJump },
@@ -46,7 +46,7 @@ index 1f1be7789..7f2b5c172 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1378,6 +1381,8 @@ parse_keytypes: 49@@ -1401,6 +1404,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 1f1be7789..7f2b5c172 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2019,8 +2024,13 @@ fill_default_options(Options * options) 58@@ -2075,8 +2080,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 1f1be7789..7f2b5c172 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 66826aa70..32c3632c7 100644 75index 5b99921b4..86ada128e 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -247,8 +247,12 @@ Valid arguments are 78@@ -247,8 +247,12 @@ Valid arguments are
@@ -102,10 +102,10 @@ index 66826aa70..32c3632c7 100644
102+and 102+and
103+.Cm SetupTimeOut 103+.Cm SetupTimeOut
104+are Debian-specific compatibility aliases for this option. 104+are Debian-specific compatibility aliases for this option.
105 .It Cm StreamLocalBindMask 105 .It Cm SetEnv
106 Sets the octal file creation mode mask 106 Directly specify one or more environment variables and their contents to
107 .Pq umask 107 be sent to the server.
108@@ -1537,6 +1548,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1543,6 +1554,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 109 other side.
110 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index 66826aa70..32c3632c7 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index c4a3f3cb2..1a1c6dd09 100644 122index a0ac717c7..0fbbccbde 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1495,6 +1495,9 @@ This avoids infinitely hanging sessions. 125@@ -1566,6 +1566,9 @@ This avoids infinitely hanging sessions.
126 .Pp 126 .Pp
127 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
128 .Cm no . 128 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 95c235b32..3f0d5fba3 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 76ab788bcf265360e1b88f8ced6085198c320fdd Mon Sep 17 00:00:00 2001 1From 0e0121b6dc0ffc2ec6a171328fea530378df2b3b Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
14 1 file changed, 8 insertions(+), 1 deletion(-) 14 1 file changed, 8 insertions(+), 1 deletion(-)
15 15
16diff --git a/sshconnect.c b/sshconnect.c 16diff --git a/sshconnect.c b/sshconnect.c
17index 8ab01c0ef..58f9eac8a 100644 17index a2efe6d15..ab5966066 100644
18--- a/sshconnect.c 18--- a/sshconnect.c
19+++ b/sshconnect.c 19+++ b/sshconnect.c
20@@ -1141,9 +1141,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 20@@ -1112,9 +1112,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
21 error("%s. This could either mean that", key_msg); 21 error("%s. This could either mean that", key_msg);
22 error("DNS SPOOFING is happening or the IP address for the host"); 22 error("DNS SPOOFING is happening or the IP address for the host");
23 error("and its host key have changed at the same time."); 23 error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index 8ab01c0ef..58f9eac8a 100644
32 } 32 }
33 /* The host key has changed. */ 33 /* The host key has changed. */
34 warn_changed_key(host_key); 34 warn_changed_key(host_key);
35@@ -1152,6 +1156,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 35@@ -1123,6 +1127,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
36 error("Offending %s key in %s:%lu", 36 error("Offending %s key in %s:%lu",
37 sshkey_type(host_found->key), 37 sshkey_type(host_found->key),
38 host_found->file, host_found->line); 38 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index c7b57a428..9c9c664d4 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From 7cdc2be2d56f5f49c9f2557d056bf2c15a141a79 Mon Sep 17 00:00:00 2001 1From 4d75300bdb447824c974febd3d04331755dde3ca Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 89bd0a3bd..dacff74c3 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From c3d9231e598560dfe63a56a422439d263a2c3ebe Mon Sep 17 00:00:00 2001 1From f48c4fd12f8ecd275226e357454e45f10c20ac92 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,7 +44,7 @@ index ef0de0850..149846c8c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 3525d7d17..39767e621 100644 47index dd6e7e5a8..33e0bbcc1 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -176,9 +176,7 @@ key in 50@@ -176,9 +176,7 @@ key in
@@ -67,9 +67,9 @@ index 3525d7d17..39767e621 100644
67-to generate new host keys. 67-to generate new host keys.
68+This is used by system administration scripts to generate new host keys. 68+This is used by system administration scripts to generate new host keys.
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a new-format private key (i.e. an ed25519 key or when the 70 When saving a private key this option specifies the number of KDF
71 .Fl o 71 (key derivation function) rounds used.
72@@ -685,7 +681,7 @@ option. 72@@ -677,7 +673,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 3525d7d17..39767e621 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -872,7 +868,7 @@ on all machines 81@@ -864,7 +860,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index 3525d7d17..39767e621 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index 0ef7c1709..54e21d88a 100644 91index cb0fdd50e..d41426781 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -846,6 +846,10 @@ implements public key authentication protocol automatically, 94@@ -850,6 +850,10 @@ implements public key authentication protocol automatically,
95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -103,7 +103,7 @@ index 0ef7c1709..54e21d88a 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index c8299d5e5..378aeb9f5 100644 106index 57a7fd66b..4abc01d66 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -65,7 +65,7 @@ over an insecure network. 109@@ -65,7 +65,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index c8299d5e5..378aeb9f5 100644
115 It forks a new 115 It forks a new
116 daemon for each incoming connection. 116 daemon for each incoming connection.
117 The forked daemons handle 117 The forked daemons handle
118@@ -856,7 +856,7 @@ This file is for host-based authentication (see 118@@ -884,7 +884,7 @@ This file is for host-based authentication (see
119 .Xr ssh 1 ) . 119 .Xr ssh 1 ) .
120 It should only be writable by root. 120 It should only be writable by root.
121 .Pp 121 .Pp
@@ -124,7 +124,7 @@ index c8299d5e5..378aeb9f5 100644
124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" 124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
125 key exchange method. 125 key exchange method.
126 The file format is described in 126 The file format is described in
127@@ -954,7 +954,6 @@ The content of this file is not sensitive; it can be world-readable. 127@@ -982,7 +982,6 @@ The content of this file is not sensitive; it can be world-readable.
128 .Xr ssh-keyscan 1 , 128 .Xr ssh-keyscan 1 ,
129 .Xr chroot 2 , 129 .Xr chroot 2 ,
130 .Xr hosts_access 5 , 130 .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index c8299d5e5..378aeb9f5 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 45044a70f..44b918463 100644 136index 96a69ab55..9774831fe 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -383,8 +383,7 @@ then no banner is displayed. 139@@ -384,8 +384,7 @@ then no banner is displayed.
140 By default, no banner is displayed. 140 By default, no banner is displayed.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index c95f06568..470d057b2 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 52359fc0d6ee73ee6e24332b2777dc8abdaed652 Mon Sep 17 00:00:00 2001 1From 97c5d99b8d1957d5a29ca34157a9bfe2ed5c7003 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
19 3 files changed, 8 insertions(+), 3 deletions(-) 19 3 files changed, 8 insertions(+), 3 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index 58f9eac8a..15d8b807e 100644 22index ab5966066..d3656e47a 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -638,7 +638,7 @@ send_client_banner(int connection_out, int minor1) 25@@ -609,7 +609,7 @@ send_client_banner(int connection_out, int minor1)
26 { 26 {
27 /* Send our own protocol version identification. */ 27 /* Send our own protocol version identification. */
28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -32,7 +32,7 @@ index 58f9eac8a..15d8b807e 100644
32 strlen(client_version_string)) != strlen(client_version_string)) 32 strlen(client_version_string)) != strlen(client_version_string))
33 fatal("write: %.100s", strerror(errno)); 33 fatal("write: %.100s", strerror(errno));
34diff --git a/sshd.c b/sshd.c 34diff --git a/sshd.c b/sshd.c
35index 6d911c19a..9a7f5495c 100644 35index 92d15c82d..ffd3dad6a 100644
36--- a/sshd.c 36--- a/sshd.c
37+++ b/sshd.c 37+++ b/sshd.c
38@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 38@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
@@ -45,11 +45,11 @@ index 6d911c19a..9a7f5495c 100644
45 options.version_addendum); 45 options.version_addendum);
46 46
47diff --git a/version.h b/version.h 47diff --git a/version.h b/version.h
48index ea52b26f5..a3fa6e0b9 100644 48index f1bbf00f3..e7df751e1 100644
49--- a/version.h 49--- a/version.h
50+++ b/version.h 50+++ b/version.h
51@@ -3,4 +3,9 @@ 51@@ -3,4 +3,9 @@
52 #define SSH_VERSION "OpenSSH_7.7" 52 #define SSH_VERSION "OpenSSH_7.8"
53 53
54 #define SSH_PORTABLE "p1" 54 #define SSH_PORTABLE "p1"
55-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 55-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 366c41655..6f0abc35f 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
1From 1e4b9d8e6cee1e15edfc12aa0294fa78639496b9 Mon Sep 17 00:00:00 2001 1From 2bc71f46ab96ec8af88a5b86786fb0835d9b65bc Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 5 Mar 2017 02:02:11 +0000 3Date: Sun, 5 Mar 2017 02:02:11 +0000
4Subject: Restore reading authorized_keys2 by default 4Subject: Restore reading authorized_keys2 by default
@@ -18,7 +18,7 @@ Patch-Name: restore-authorized_keys2.patch
18 1 file changed, 2 insertions(+), 3 deletions(-) 18 1 file changed, 2 insertions(+), 3 deletions(-)
19 19
20diff --git a/sshd_config b/sshd_config 20diff --git a/sshd_config b/sshd_config
21index de9cc9fe2..31e14a4f0 100644 21index ed8272f6d..ee9629102 100644
22--- a/sshd_config 22--- a/sshd_config
23+++ b/sshd_config 23+++ b/sshd_config
24@@ -36,9 +36,8 @@ 24@@ -36,9 +36,8 @@
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index fccd130b8..91f3377b1 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 398af3d66bfe8dc7d436570026571e522a0a13a0 Mon Sep 17 00:00:00 2001 1From 84a7a1b1c767056c80add9f0e15c9f9ec23ec94d Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -18,7 +18,7 @@ but it at least probably doesn't involve dropping this feature shortly
18before a freeze. 18before a freeze.
19 19
20Forwarded: not-needed 20Forwarded: not-needed
21Last-Update: 2014-10-07 21Last-Update: 2018-08-24
22 22
23Patch-Name: restore-tcp-wrappers.patch 23Patch-Name: restore-tcp-wrappers.patch
24--- 24---
@@ -28,12 +28,12 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 1cd5eab6c..3e23e60d6 100644 31index 82428b241..ebc10f51e 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1566,6 +1566,62 @@ AC_ARG_WITH([skey], 34@@ -1526,6 +1526,62 @@ else
35 ] 35 AC_MSG_RESULT([no])
36 ) 36 fi
37 37
38+# Check whether user wants TCP wrappers support 38+# Check whether user wants TCP wrappers support
39+TCPW_MSG="no" 39+TCPW_MSG="no"
@@ -94,19 +94,19 @@ index 1cd5eab6c..3e23e60d6 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5240,6 +5296,7 @@ echo " OSF SIA support: $SIA_MSG" 97@@ -5201,6 +5257,7 @@ echo " PAM support: $PAM_MSG"
98 echo " OSF SIA support: $SIA_MSG"
98 echo " KerberosV support: $KRB5_MSG" 99 echo " KerberosV support: $KRB5_MSG"
99 echo " SELinux support: $SELINUX_MSG" 100 echo " SELinux support: $SELINUX_MSG"
100 echo " S/KEY support: $SKEY_MSG"
101+echo " TCP Wrappers support: $TCPW_MSG" 101+echo " TCP Wrappers support: $TCPW_MSG"
102 echo " MD5 password support: $MD5_MSG" 102 echo " MD5 password support: $MD5_MSG"
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " libldns support: $LDNS_MSG" 104 echo " libldns support: $LDNS_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 968ba66bb..c8299d5e5 100644 106index fb133c14b..57a7fd66b 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -845,6 +845,12 @@ the user's home directory becomes accessible. 109@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
110 This file should be writable only by the user, and need not be 110 This file should be writable only by the user, and need not be
111 readable by anyone else. 111 readable by anyone else.
112 .Pp 112 .Pp
@@ -119,7 +119,7 @@ index 968ba66bb..c8299d5e5 100644
119 .It Pa /etc/hosts.equiv 119 .It Pa /etc/hosts.equiv
120 This file is for host-based authentication (see 120 This file is for host-based authentication (see
121 .Xr ssh 1 ) . 121 .Xr ssh 1 ) .
122@@ -947,6 +953,7 @@ The content of this file is not sensitive; it can be world-readable. 122@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
123 .Xr ssh-keygen 1 , 123 .Xr ssh-keygen 1 ,
124 .Xr ssh-keyscan 1 , 124 .Xr ssh-keyscan 1 ,
125 .Xr chroot 2 , 125 .Xr chroot 2 ,
@@ -128,7 +128,7 @@ index 968ba66bb..c8299d5e5 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index e88185efa..4ed0364f2 100644 131index 2e453cdf8..71c360da0 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -127,6 +127,13 @@
@@ -145,7 +145,7 @@ index e88185efa..4ed0364f2 100644
145 /* Re-exec fds */ 145 /* Re-exec fds */
146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -2042,6 +2049,24 @@ main(int ac, char **av) 148@@ -2100,6 +2107,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 18c7155e4..c52632134 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From e800454207f4d7a0c402f129029b8282209cdf74 Mon Sep 17 00:00:00 2001 1From f14447b774639c6de52f452e5a0e012939832855 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 31e6709fb..2bbf6938e 100644 20index 60682c687..ed2864250 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -198,8 +198,16 @@ do_local_cmd(arglist *a) 23@@ -198,8 +198,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch
deleted file mode 100644
index be4921ae4..000000000
--- a/debian/patches/seccomp-getuid-geteuid.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1From 5b35741e661c6a95e39f5f897ae62c0f3686ca4f Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:31:05 -0300
4Subject: Allow getuid and geteuid calls
5
6getuid and geteuid are needed when using an openssl engine that calls a
7crypto card, e.g. ICA (libica).
8Those syscalls are also needed by the distros for audit code.
9
10Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
11
12Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
13Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
14Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
15Last-Update: 2017-08-28
16
17Patch-Name: seccomp-getuid-geteuid.patch
18---
19 sandbox-seccomp-filter.c | 12 ++++++++++++
20 1 file changed, 12 insertions(+)
21
22diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
23index 6e7de3114..e86aa2c91 100644
24--- a/sandbox-seccomp-filter.c
25+++ b/sandbox-seccomp-filter.c
26@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
27 #ifdef __NR_getpid
28 SC_ALLOW(__NR_getpid),
29 #endif
30+#ifdef __NR_getuid
31+ SC_ALLOW(__NR_getuid),
32+#endif
33+#ifdef __NR_getuid32
34+ SC_ALLOW(__NR_getuid32),
35+#endif
36+#ifdef __NR_geteuid
37+ SC_ALLOW(__NR_geteuid),
38+#endif
39+#ifdef __NR_geteuid32
40+ SC_ALLOW(__NR_geteuid32),
41+#endif
42 #ifdef __NR_getrandom
43 SC_ALLOW(__NR_getrandom),
44 #endif
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
index b62d0195c..2febc4e38 100644
--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -1,4 +1,4 @@
1From 8435aa5e322a4899dcb9bc68d5f0551e93d3f5a5 Mon Sep 17 00:00:00 2001 1From 04910479f7869c27065950b7deb0d69d85230927 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 10:53:04 -0300 3Date: Tue, 9 May 2017 10:53:04 -0300
4Subject: Allow flock and ipc syscall for s390 architecture 4Subject: Allow flock and ipc syscall for s390 architecture
@@ -14,7 +14,7 @@ Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
14Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 14Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
16Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 16Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
17Last-Update: 2017-08-28 17Last-Update: 2018-08-24
18 18
19Patch-Name: seccomp-s390-flock-ipc.patch 19Patch-Name: seccomp-s390-flock-ipc.patch
20--- 20---
@@ -22,7 +22,7 @@ Patch-Name: seccomp-s390-flock-ipc.patch
22 1 file changed, 6 insertions(+) 22 1 file changed, 6 insertions(+)
23 23
24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
25index ca75cc719..6e7de3114 100644 25index 12c4ee130..bcea77997 100644
26--- a/sandbox-seccomp-filter.c 26--- a/sandbox-seccomp-filter.c
27+++ b/sandbox-seccomp-filter.c 27+++ b/sandbox-seccomp-filter.c
28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { 28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
@@ -32,12 +32,12 @@ index ca75cc719..6e7de3114 100644
32+#if defined(__NR_flock) && defined(__s390__) 32+#if defined(__NR_flock) && defined(__s390__)
33+ SC_ALLOW(__NR_flock), 33+ SC_ALLOW(__NR_flock),
34+#endif 34+#endif
35 #ifdef __NR_getpgid 35 #ifdef __NR_geteuid
36 SC_ALLOW(__NR_getpgid), 36 SC_ALLOW(__NR_geteuid),
37 #endif 37 #endif
38@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = { 38@@ -190,6 +193,9 @@ static const struct sock_filter preauth_insns[] = {
39 #ifdef __NR_gettimeofday 39 #ifdef __NR_getuid32
40 SC_ALLOW(__NR_gettimeofday), 40 SC_ALLOW(__NR_getuid32),
41 #endif 41 #endif
42+#if defined(__NR_ipc) && defined(__s390__) 42+#if defined(__NR_ipc) && defined(__s390__)
43+ SC_ALLOW(__NR_ipc), 43+ SC_ALLOW(__NR_ipc),
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
index dd0f6510c..fc3af3e64 100644
--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -1,4 +1,4 @@
1From ea67bc97339c9a507343e4a1f5fb867f678fbe1d Mon Sep 17 00:00:00 2001 1From 16a47fc4b04977a14f44dd433c8da1499fa80671 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:33:30 -0300 3Date: Tue, 9 May 2017 13:33:30 -0300
4Subject: Enable specific ioctl call for EP11 crypto card (s390) 4Subject: Enable specific ioctl call for EP11 crypto card (s390)
@@ -19,10 +19,10 @@ Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
19 1 file changed, 2 insertions(+) 19 1 file changed, 2 insertions(+)
20 20
21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
22index e86aa2c91..98062f152 100644 22index bcea77997..f216ba353 100644
23--- a/sandbox-seccomp-filter.c 23--- a/sandbox-seccomp-filter.c
24+++ b/sandbox-seccomp-filter.c 24+++ b/sandbox-seccomp-filter.c
25@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = { 25@@ -253,6 +253,8 @@ static const struct sock_filter preauth_insns[] = {
26 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), 26 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
27 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), 27 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
28 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), 28 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 5c0bad093..95d582067 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 7da968d97beba5fb80a5488516563ea1376db907 Mon Sep 17 00:00:00 2001 1From 03979f2e0768e146d179c66f2d2e33afe61c1be3 Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -9,17 +9,17 @@ SELinux maintainer, so we'll keep it until we have something better.
9 9
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
11Bug-Debian: http://bugs.debian.org/394795 11Bug-Debian: http://bugs.debian.org/394795
12Last-Update: 2017-10-04 12Last-Update: 2018-08-24
13 13
14Patch-Name: selinux-role.patch 14Patch-Name: selinux-role.patch
15--- 15---
16 auth.h | 1 + 16 auth.h | 1 +
17 auth2.c | 10 ++++++++-- 17 auth2.c | 10 ++++++++--
18 monitor.c | 32 +++++++++++++++++++++++++++++--- 18 monitor.c | 37 +++++++++++++++++++++++++++++++++----
19 monitor.h | 2 ++ 19 monitor.h | 2 ++
20 monitor_wrap.c | 22 ++++++++++++++++++++-- 20 monitor_wrap.c | 27 ++++++++++++++++++++++++---
21 monitor_wrap.h | 3 ++- 21 monitor_wrap.h | 3 ++-
22 openbsd-compat/port-linux.c | 27 ++++++++++++++++++++------- 22 openbsd-compat/port-linux.c | 21 ++++++++++++++-------
23 openbsd-compat/port-linux.h | 4 ++-- 23 openbsd-compat/port-linux.h | 4 ++--
24 platform.c | 4 ++-- 24 platform.c | 4 ++--
25 platform.h | 2 +- 25 platform.h | 2 +-
@@ -28,10 +28,10 @@ Patch-Name: selinux-role.patch
28 sshd.c | 2 +- 28 sshd.c | 2 +-
29 sshpty.c | 4 ++-- 29 sshpty.c | 4 ++--
30 sshpty.h | 2 +- 30 sshpty.h | 2 +-
31 15 files changed, 97 insertions(+), 30 deletions(-) 31 15 files changed, 99 insertions(+), 32 deletions(-)
32 32
33diff --git a/auth.h b/auth.h 33diff --git a/auth.h b/auth.h
34index 23ce67caf..15ba7073e 100644 34index 977562f0a..90802a5eb 100644
35--- a/auth.h 35--- a/auth.h
36+++ b/auth.h 36+++ b/auth.h
37@@ -65,6 +65,7 @@ struct Authctxt { 37@@ -65,6 +65,7 @@ struct Authctxt {
@@ -43,19 +43,19 @@ index 23ce67caf..15ba7073e 100644
43 /* Method lists for multiple authentication */ 43 /* Method lists for multiple authentication */
44 char **auth_methods; /* modified from server config */ 44 char **auth_methods; /* modified from server config */
45diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
46index c34f58c45..be5e9f15f 100644 46index 96efe164c..90a247c1c 100644
47--- a/auth2.c 47--- a/auth2.c
48+++ b/auth2.c 48+++ b/auth2.c
49@@ -218,7 +218,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 49@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
50 { 50 {
51 Authctxt *authctxt = ssh->authctxt; 51 Authctxt *authctxt = ssh->authctxt;
52 Authmethod *m = NULL; 52 Authmethod *m = NULL;
53- char *user, *service, *method, *style = NULL; 53- char *user, *service, *method, *style = NULL;
54+ char *user, *service, *method, *style = NULL, *role = NULL; 54+ char *user, *service, *method, *style = NULL, *role = NULL;
55 int authenticated = 0; 55 int authenticated = 0;
56 double tstart = monotime_double();
56 57
57 if (authctxt == NULL) 58@@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
58@@ -230,8 +230,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
59 debug("userauth-request for user %s service %s method %s", user, service, method); 59 debug("userauth-request for user %s service %s method %s", user, service, method);
60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
61 61
@@ -69,7 +69,7 @@ index c34f58c45..be5e9f15f 100644
69 69
70 if (authctxt->attempt++ == 0) { 70 if (authctxt->attempt++ == 0) {
71 /* setup auth context */ 71 /* setup auth context */
72@@ -258,8 +263,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 72@@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
73 use_privsep ? " [net]" : ""); 73 use_privsep ? " [net]" : "");
74 authctxt->service = xstrdup(service); 74 authctxt->service = xstrdup(service);
75 authctxt->style = style ? xstrdup(style) : NULL; 75 authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,18 +81,18 @@ index c34f58c45..be5e9f15f 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 packet_disconnect("no authentication methods enabled"); 82 packet_disconnect("no authentication methods enabled");
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index 868fb0d2d..ed37458fb 100644 84index 4e574a2ae..c1e7e9b80 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *); 87@@ -115,6 +115,7 @@ int mm_answer_sign(int, struct sshbuf *);
88 int mm_answer_pwnamallow(int, Buffer *); 88 int mm_answer_pwnamallow(int, struct sshbuf *);
89 int mm_answer_auth2_read_banner(int, Buffer *); 89 int mm_answer_auth2_read_banner(int, struct sshbuf *);
90 int mm_answer_authserv(int, Buffer *); 90 int mm_answer_authserv(int, struct sshbuf *);
91+int mm_answer_authrole(int, Buffer *); 91+int mm_answer_authrole(int, struct sshbuf *);
92 int mm_answer_authpassword(int, Buffer *); 92 int mm_answer_authpassword(int, struct sshbuf *);
93 int mm_answer_bsdauthquery(int, Buffer *); 93 int mm_answer_bsdauthquery(int, struct sshbuf *);
94 int mm_answer_bsdauthrespond(int, Buffer *); 94 int mm_answer_bsdauthrespond(int, struct sshbuf *);
95@@ -206,6 +207,7 @@ struct mon_table mon_dispatch_proto20[] = { 95@@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = {
96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index 868fb0d2d..ed37458fb 100644
100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
102 #ifdef USE_PAM 102 #ifdef USE_PAM
103@@ -806,6 +808,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 103@@ -813,6 +815,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
104 104
105 /* Allow service/style information on the auth context */ 105 /* Allow service/style information on the auth context */
106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,13 +108,16 @@ index 868fb0d2d..ed37458fb 100644
108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
109 109
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -836,14 +839,37 @@ mm_answer_authserv(int sock, Buffer *m) 111@@ -846,16 +849,42 @@ mm_answer_authserv(int sock, struct sshbuf *m)
112 112 monitor_permit_authentications(1);
113 authctxt->service = buffer_get_string(m, NULL); 113
114 authctxt->style = buffer_get_string(m, NULL); 114 if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
115- (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0)
116+ (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 ||
117+ (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
118 fatal("%s: buffer error: %s", __func__, ssh_err(r));
115- debug3("%s: service=%s, style=%s", 119- debug3("%s: service=%s, style=%s",
116- __func__, authctxt->service, authctxt->style); 120- __func__, authctxt->service, authctxt->style);
117+ authctxt->role = buffer_get_string(m, NULL);
118+ debug3("%s: service=%s, style=%s, role=%s", 121+ debug3("%s: service=%s, style=%s, role=%s",
119+ __func__, authctxt->service, authctxt->style, authctxt->role); 122+ __func__, authctxt->service, authctxt->style, authctxt->role);
120 123
@@ -132,11 +135,14 @@ index 868fb0d2d..ed37458fb 100644
132+} 135+}
133+ 136+
134+int 137+int
135+mm_answer_authrole(int sock, Buffer *m) 138+mm_answer_authrole(int sock, struct sshbuf *m)
136+{ 139+{
140+ int r;
141+
137+ monitor_permit_authentications(1); 142+ monitor_permit_authentications(1);
138+ 143+
139+ authctxt->role = buffer_get_string(m, NULL); 144+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
145+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
140+ debug3("%s: role=%s", 146+ debug3("%s: role=%s",
141+ __func__, authctxt->role); 147+ __func__, authctxt->role);
142+ 148+
@@ -148,20 +154,20 @@ index 868fb0d2d..ed37458fb 100644
148 return (0); 154 return (0);
149 } 155 }
150 156
151@@ -1497,7 +1523,7 @@ mm_answer_pty(int sock, Buffer *m) 157@@ -1497,7 +1526,7 @@ mm_answer_pty(int sock, struct sshbuf *m)
152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 158 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
153 if (res == 0) 159 if (res == 0)
154 goto error; 160 goto error;
155- pty_setowner(authctxt->pw, s->tty); 161- pty_setowner(authctxt->pw, s->tty);
156+ pty_setowner(authctxt->pw, s->tty, authctxt->role); 162+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
157 163
158 buffer_put_int(m, 1); 164 if ((r = sshbuf_put_u32(m, 1)) != 0 ||
159 buffer_put_cstring(m, s->tty); 165 (r = sshbuf_put_cstring(m, s->tty)) != 0)
160diff --git a/monitor.h b/monitor.h 166diff --git a/monitor.h b/monitor.h
161index ec41404c7..4c7955d7a 100644 167index 44fbed589..8f65e684d 100644
162--- a/monitor.h 168--- a/monitor.h
163+++ b/monitor.h 169+++ b/monitor.h
164@@ -68,6 +68,8 @@ enum monitor_reqtype { 170@@ -66,6 +66,8 @@ enum monitor_reqtype {
165 MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, 171 MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
166 MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, 172 MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
167 173
@@ -171,10 +177,10 @@ index ec41404c7..4c7955d7a 100644
171 177
172 struct monitor { 178 struct monitor {
173diff --git a/monitor_wrap.c b/monitor_wrap.c 179diff --git a/monitor_wrap.c b/monitor_wrap.c
174index e749efc18..7b2d06c65 100644 180index 1865a122a..fd4d7eb3b 100644
175--- a/monitor_wrap.c 181--- a/monitor_wrap.c
176+++ b/monitor_wrap.c 182+++ b/monitor_wrap.c
177@@ -331,10 +331,10 @@ mm_auth2_read_banner(void) 183@@ -369,10 +369,10 @@ mm_auth2_read_banner(void)
178 return (banner); 184 return (banner);
179 } 185 }
180 186
@@ -185,17 +191,20 @@ index e749efc18..7b2d06c65 100644
185-mm_inform_authserv(char *service, char *style) 191-mm_inform_authserv(char *service, char *style)
186+mm_inform_authserv(char *service, char *style, char *role) 192+mm_inform_authserv(char *service, char *style, char *role)
187 { 193 {
188 Buffer m; 194 struct sshbuf *m;
189 195 int r;
190@@ -343,12 +343,30 @@ mm_inform_authserv(char *service, char *style) 196@@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style)
191 buffer_init(&m); 197 if ((m = sshbuf_new()) == NULL)
192 buffer_put_cstring(&m, service); 198 fatal("%s: sshbuf_new failed", __func__);
193 buffer_put_cstring(&m, style ? style : ""); 199 if ((r = sshbuf_put_cstring(m, service)) != 0 ||
194+ buffer_put_cstring(&m, role ? role : ""); 200- (r = sshbuf_put_cstring(m, style ? style : "")) != 0)
195 201+ (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
196 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); 202+ (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
197 203 fatal("%s: buffer error: %s", __func__, ssh_err(r));
198 buffer_free(&m); 204
205 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
206@@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style)
207 sshbuf_free(m);
199 } 208 }
200 209
201+/* Inform the privileged process about role */ 210+/* Inform the privileged process about role */
@@ -203,29 +212,32 @@ index e749efc18..7b2d06c65 100644
203+void 212+void
204+mm_inform_authrole(char *role) 213+mm_inform_authrole(char *role)
205+{ 214+{
206+ Buffer m; 215+ struct sshbuf *m;
216+ int r;
207+ 217+
208+ debug3("%s entering", __func__); 218+ debug3("%s entering", __func__);
209+ 219+
210+ buffer_init(&m); 220+ if ((m = sshbuf_new()) == NULL)
211+ buffer_put_cstring(&m, role ? role : ""); 221+ fatal("%s: sshbuf_new failed", __func__);
222+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
223+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
212+ 224+
213+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); 225+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
214+ 226+
215+ buffer_free(&m); 227+ sshbuf_free(m);
216+} 228+}
217+ 229+
218 /* Do the password authentication */ 230 /* Do the password authentication */
219 int 231 int
220 mm_auth_password(struct ssh *ssh, char *password) 232 mm_auth_password(struct ssh *ssh, char *password)
221diff --git a/monitor_wrap.h b/monitor_wrap.h 233diff --git a/monitor_wrap.h b/monitor_wrap.h
222index 0970d1f87..492de5c85 100644 234index 7f93144ff..79e78cc90 100644
223--- a/monitor_wrap.h 235--- a/monitor_wrap.h
224+++ b/monitor_wrap.h 236+++ b/monitor_wrap.h
225@@ -43,7 +43,8 @@ int mm_is_monitor(void); 237@@ -43,7 +43,8 @@ int mm_is_monitor(void);
226 DH *mm_choose_dh(int, int, int); 238 DH *mm_choose_dh(int, int, int);
227 int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int, 239 int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
228 const char *); 240 const char *, u_int compat);
229-void mm_inform_authserv(char *, char *); 241-void mm_inform_authserv(char *, char *);
230+void mm_inform_authserv(char *, char *, char *); 242+void mm_inform_authserv(char *, char *, char *);
231+void mm_inform_authrole(char *); 243+void mm_inform_authrole(char *);
@@ -233,23 +245,10 @@ index 0970d1f87..492de5c85 100644
233 char *mm_auth2_read_banner(void); 245 char *mm_auth2_read_banner(void);
234 int mm_auth_password(struct ssh *, char *); 246 int mm_auth_password(struct ssh *, char *);
235diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c 247diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
236index 8c5325cc3..8a3e5c68d 100644 248index 8c5325cc3..9fdda664f 100644
237--- a/openbsd-compat/port-linux.c 249--- a/openbsd-compat/port-linux.c
238+++ b/openbsd-compat/port-linux.c 250+++ b/openbsd-compat/port-linux.c
239@@ -27,6 +27,12 @@ 251@@ -55,7 +55,7 @@ ssh_selinux_enabled(void)
240 #include <string.h>
241 #include <stdio.h>
242
243+#ifdef WITH_SELINUX
244+#include "key.h"
245+#include "hostfile.h"
246+#include "auth.h"
247+#endif
248+
249 #include "log.h"
250 #include "xmalloc.h"
251 #include "port-linux.h"
252@@ -55,7 +61,7 @@ ssh_selinux_enabled(void)
253 252
254 /* Return the default security context for the given username */ 253 /* Return the default security context for the given username */
255 static security_context_t 254 static security_context_t
@@ -258,7 +257,7 @@ index 8c5325cc3..8a3e5c68d 100644
258 { 257 {
259 security_context_t sc = NULL; 258 security_context_t sc = NULL;
260 char *sename = NULL, *lvl = NULL; 259 char *sename = NULL, *lvl = NULL;
261@@ -70,9 +76,16 @@ ssh_selinux_getctxbyname(char *pwname) 260@@ -70,9 +70,16 @@ ssh_selinux_getctxbyname(char *pwname)
262 #endif 261 #endif
263 262
264 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 263 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -277,7 +276,7 @@ index 8c5325cc3..8a3e5c68d 100644
277 #endif 276 #endif
278 277
279 if (r != 0) { 278 if (r != 0) {
280@@ -102,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname) 279@@ -102,7 +109,7 @@ ssh_selinux_getctxbyname(char *pwname)
281 280
282 /* Set the execution context to the default for the specified user */ 281 /* Set the execution context to the default for the specified user */
283 void 282 void
@@ -286,7 +285,7 @@ index 8c5325cc3..8a3e5c68d 100644
286 { 285 {
287 security_context_t user_ctx = NULL; 286 security_context_t user_ctx = NULL;
288 287
289@@ -111,7 +124,7 @@ ssh_selinux_setup_exec_context(char *pwname) 288@@ -111,7 +118,7 @@ ssh_selinux_setup_exec_context(char *pwname)
290 289
291 debug3("%s: setting execution context", __func__); 290 debug3("%s: setting execution context", __func__);
292 291
@@ -295,7 +294,7 @@ index 8c5325cc3..8a3e5c68d 100644
295 if (setexeccon(user_ctx) != 0) { 294 if (setexeccon(user_ctx) != 0) {
296 switch (security_getenforce()) { 295 switch (security_getenforce()) {
297 case -1: 296 case -1:
298@@ -133,7 +146,7 @@ ssh_selinux_setup_exec_context(char *pwname) 297@@ -133,7 +140,7 @@ ssh_selinux_setup_exec_context(char *pwname)
299 298
300 /* Set the TTY context for the specified user */ 299 /* Set the TTY context for the specified user */
301 void 300 void
@@ -304,7 +303,7 @@ index 8c5325cc3..8a3e5c68d 100644
304 { 303 {
305 security_context_t new_tty_ctx = NULL; 304 security_context_t new_tty_ctx = NULL;
306 security_context_t user_ctx = NULL; 305 security_context_t user_ctx = NULL;
307@@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) 306@@ -145,7 +152,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
308 307
309 debug3("%s: setting TTY context on %s", __func__, tty); 308 debug3("%s: setting TTY context on %s", __func__, tty);
310 309
@@ -329,10 +328,10 @@ index 3c22a854d..c88129428 100644
329 void ssh_selinux_setfscreatecon(const char *); 328 void ssh_selinux_setfscreatecon(const char *);
330 #endif 329 #endif
331diff --git a/platform.c b/platform.c 330diff --git a/platform.c b/platform.c
332index 18c7751de..380ee3a41 100644 331index 41acc9370..35654ea51 100644
333--- a/platform.c 332--- a/platform.c
334+++ b/platform.c 333+++ b/platform.c
335@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) 334@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
336 * called if sshd is running as root. 335 * called if sshd is running as root.
337 */ 336 */
338 void 337 void
@@ -341,7 +340,7 @@ index 18c7751de..380ee3a41 100644
341 { 340 {
342 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 341 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
343 /* 342 /*
344@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw) 343@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
345 } 344 }
346 #endif /* HAVE_SETPCRED */ 345 #endif /* HAVE_SETPCRED */
347 #ifdef WITH_SELINUX 346 #ifdef WITH_SELINUX
@@ -364,19 +363,19 @@ index ea4f9c584..60d72ffe7 100644
364 char *platform_krb5_get_principal_name(const char *); 363 char *platform_krb5_get_principal_name(const char *);
365 int platform_sys_dir_uid(uid_t); 364 int platform_sys_dir_uid(uid_t);
366diff --git a/session.c b/session.c 365diff --git a/session.c b/session.c
367index 58826db16..ff301c983 100644 366index f2cf52006..d5d2e94b0 100644
368--- a/session.c 367--- a/session.c
369+++ b/session.c 368+++ b/session.c
370@@ -1322,7 +1322,7 @@ safely_chroot(const char *path, uid_t uid) 369@@ -1378,7 +1378,7 @@ safely_chroot(const char *path, uid_t uid)
371 370
372 /* Set login name, uid, gid, and groups. */ 371 /* Set login name, uid, gid, and groups. */
373 void 372 void
374-do_setusercontext(struct passwd *pw) 373-do_setusercontext(struct passwd *pw)
375+do_setusercontext(struct passwd *pw, const char *role) 374+do_setusercontext(struct passwd *pw, const char *role)
376 { 375 {
377 char *chroot_path, *tmp; 376 char uidstr[32], *chroot_path, *tmp;
378 377
379@@ -1350,7 +1350,7 @@ do_setusercontext(struct passwd *pw) 378@@ -1406,7 +1406,7 @@ do_setusercontext(struct passwd *pw)
380 endgrent(); 379 endgrent();
381 #endif 380 #endif
382 381
@@ -385,7 +384,7 @@ index 58826db16..ff301c983 100644
385 384
386 if (!in_chroot && options.chroot_directory != NULL && 385 if (!in_chroot && options.chroot_directory != NULL &&
387 strcasecmp(options.chroot_directory, "none") != 0) { 386 strcasecmp(options.chroot_directory, "none") != 0) {
388@@ -1487,7 +1487,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) 387@@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
389 388
390 /* Force a password change */ 389 /* Force a password change */
391 if (s->authctxt->force_pwchange) { 390 if (s->authctxt->force_pwchange) {
@@ -394,7 +393,7 @@ index 58826db16..ff301c983 100644
394 child_close_fds(ssh); 393 child_close_fds(ssh);
395 do_pwchange(s); 394 do_pwchange(s);
396 exit(1); 395 exit(1);
397@@ -1505,7 +1505,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) 396@@ -1563,7 +1563,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
398 /* When PAM is enabled we rely on it to do the nologin check */ 397 /* When PAM is enabled we rely on it to do the nologin check */
399 if (!options.use_pam) 398 if (!options.use_pam)
400 do_nologin(pw); 399 do_nologin(pw);
@@ -403,8 +402,8 @@ index 58826db16..ff301c983 100644
403 /* 402 /*
404 * PAM session modules in do_setusercontext may have 403 * PAM session modules in do_setusercontext may have
405 * generated messages, so if this in an interactive 404 * generated messages, so if this in an interactive
406@@ -1897,7 +1897,7 @@ session_pty_req(struct ssh *ssh, Session *s) 405@@ -1953,7 +1953,7 @@ session_pty_req(struct ssh *ssh, Session *s)
407 tty_parse_modes(s->ttyfd, &n_bytes); 406 ssh_tty_parse_modes(ssh, s->ttyfd);
408 407
409 if (!use_privsep) 408 if (!use_privsep)
410- pty_setowner(s->pw, s->tty); 409- pty_setowner(s->pw, s->tty);
@@ -426,10 +425,10 @@ index 54dd1f0ca..8535ebcef 100644
426 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); 425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
427 426
428diff --git a/sshd.c b/sshd.c 427diff --git a/sshd.c b/sshd.c
429index 4ed0364f2..6d911c19a 100644 428index 71c360da0..92d15c82d 100644
430--- a/sshd.c 429--- a/sshd.c
431+++ b/sshd.c 430+++ b/sshd.c
432@@ -679,7 +679,7 @@ privsep_postauth(Authctxt *authctxt) 431@@ -684,7 +684,7 @@ privsep_postauth(Authctxt *authctxt)
433 reseed_prngs(); 432 reseed_prngs();
434 433
435 /* Drop privileges */ 434 /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index e1eb16773..1f82bea11 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,7 +22,4 @@ systemd-readiness.patch
22debian-config.patch 22debian-config.patch
23restore-authorized_keys2.patch 23restore-authorized_keys2.patch
24seccomp-s390-flock-ipc.patch 24seccomp-s390-flock-ipc.patch
25seccomp-getuid-geteuid.patch
26seccomp-s390-ioctl-ep11-crypto.patch 25seccomp-s390-ioctl-ep11-crypto.patch
27upstream-relax-checking-of-authorized_keys-environme.patch
28upstream-delay-bailout-for-invalid-authenticating-user.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 92fc0026a..7e91b9b14 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 72fead7f622b074c9b92dbdb8ae745faf2702b3d Mon Sep 17 00:00:00 2001 1From 0e7d3495f758a4ecccc14eda31845ea0efc89251 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 3805d35d9..8ab01c0ef 100644 19index 78813c164..a2efe6d15 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -239,7 +239,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, 22@@ -229,7 +229,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 3805d35d9..8ab01c0ef 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1554,7 +1554,7 @@ ssh_local_cmd(const char *args) 31@@ -1525,7 +1525,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index add4d5115..ae29c2afb 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 9155e0368189860345a5f4b52a756266704447af Mon Sep 17 00:00:00 2001 1From 67414e1884f4ac0eb391988b932af2dd9b2ab5ae Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index eb830e4cb..5f9e9bbc8 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 77113aa5aacb35d773268411edbe3bca4255703d Mon Sep 17 00:00:00 2001 1From 0d0221146dc61545ca1dba099f669d5d6a37504e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 54e21d88a..f8fc26d2a 100644 21index d41426781..0a8e63f51 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1571,6 +1571,7 @@ if an error occurred. 24@@ -1575,6 +1575,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 4d6f3e151..da0f358d8 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 4fb99d4eb8936b6ffae3749717abfc2dccbaa162 Mon Sep 17 00:00:00 2001 1From 80ef33d2e2559a2fcb71940f0ef0de18f426dab4 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index c8e792991..1f1be7789 100644 20index 4ad3c75fe..6e26ba32d 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -189,6 +189,7 @@ static struct { 23@@ -190,6 +190,7 @@ static struct {
24 { "fallbacktorsh", oDeprecated }, 24 { "fallbacktorsh", oDeprecated },
25 { "globalknownhostsfile2", oDeprecated }, 25 { "globalknownhostsfile2", oDeprecated },
26 { "rhostsauthentication", oDeprecated }, 26 { "rhostsauthentication", oDeprecated },
@@ -29,10 +29,10 @@ index c8e792991..1f1be7789 100644
29 { "useroaming", oDeprecated }, 29 { "useroaming", oDeprecated },
30 { "usersh", oDeprecated }, 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index cbbea05bf..3fff3d531 100644 32index e1ae07fb7..e49984a81 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -576,6 +576,7 @@ static struct { 35@@ -596,6 +596,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 1b41b0801..1610d40d1 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 027619c6b05713e3f08a51e7232389383900e5d8 Mon Sep 17 00:00:00 2001 1From d47fa6fefb418c6d8f5a6d3dd49fd9dc7fce0c74 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
21 2 files changed, 2 insertions(+), 1 deletion(-) 21 2 files changed, 2 insertions(+), 1 deletion(-)
22 22
23diff --git a/log.c b/log.c 23diff --git a/log.c b/log.c
24index 99450dd12..1559091da 100644 24index d9c2d136c..1749af6d1 100644
25--- a/log.c 25--- a/log.c
26+++ b/log.c 26+++ b/log.c
27@@ -93,6 +93,7 @@ static struct { 27@@ -93,6 +93,7 @@ static struct {
@@ -33,7 +33,7 @@ index 99450dd12..1559091da 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index d3619fe29..e36debf6a 100644 36index ce628848c..6ee0f8c68 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1252,7 +1252,7 @@ main(int ac, char **av) 39@@ -1252,7 +1252,7 @@ main(int ac, char **av)
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 982085c4c..95753542e 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From 4acdde3e5b206718774fa162763058155fe572bf Mon Sep 17 00:00:00 2001 1From ba2be368348f9f411377f494e209faedf53903de Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index 3e23e60d6..eac143b4d 100644 17index ebc10f51e..dab138640 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4496,6 +4496,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4458,6 +4458,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index 3e23e60d6..eac143b4d 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5303,6 +5326,7 @@ echo " libldns support: $LDNS_MSG" 50@@ -5264,6 +5287,7 @@ echo " libldns support: $LDNS_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index 3e23e60d6..eac143b4d 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index 1d645a170..3a86e66e7 100644 59index 698593605..7ff109175 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index 1d645a170..3a86e66e7 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh2.h" 72 #include "ssh2.h"
73@@ -1933,6 +1937,11 @@ main(int ac, char **av) 73@@ -1991,6 +1995,11 @@ main(int ac, char **av)
74 } 74 }
75 } 75 }
76 76
diff --git a/debian/patches/upstream-delay-bailout-for-invalid-authenticating-user.patch b/debian/patches/upstream-delay-bailout-for-invalid-authenticating-user.patch
deleted file mode 100644
index 737a9f48d..000000000
--- a/debian/patches/upstream-delay-bailout-for-invalid-authenticating-user.patch
+++ /dev/null
@@ -1,153 +0,0 @@
1From c4ca1497658e0508e8595ad74978c07bc92a18e3 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Tue, 31 Jul 2018 03:10:27 +0000
4Subject: upstream: delay bailout for invalid authenticating user
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9... until after the packet containing the request has been fully parsed.
10Reported by Dariusz Tytko and Michał Sajdak; ok deraadt
11
12OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
13
14Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8
15Bug-Debian: https://bugs.debian.org/906236
16Last-Update: 2018-08-17
17
18Patch-Name: upstream-delay-bailout-for-invalid-authenticating-user.patch
19---
20 auth2-gss.c | 9 ++++++---
21 auth2-hostbased.c | 9 +++++----
22 auth2-pubkey.c | 23 ++++++++++++++---------
23 3 files changed, 25 insertions(+), 16 deletions(-)
24
25diff --git a/auth2-gss.c b/auth2-gss.c
26index fd411d3a7..88bc3ae7b 100644
27--- a/auth2-gss.c
28+++ b/auth2-gss.c
29@@ -104,9 +104,6 @@ userauth_gssapi(struct ssh *ssh)
30 u_int len;
31 u_char *doid = NULL;
32
33- if (!authctxt->valid || authctxt->user == NULL)
34- return (0);
35-
36 mechs = packet_get_int();
37 if (mechs == 0) {
38 debug("Mechanism negotiation is not supported");
39@@ -137,6 +134,12 @@ userauth_gssapi(struct ssh *ssh)
40 return (0);
41 }
42
43+ if (!authctxt->valid || authctxt->user == NULL) {
44+ debug2("%s: disabled because of invalid user", __func__);
45+ free(doid);
46+ return (0);
47+ }
48+
49 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
50 if (ctxt != NULL)
51 ssh_gssapi_delete_ctx(&ctxt);
52diff --git a/auth2-hostbased.c b/auth2-hostbased.c
53index 8996f7e05..82a7dcdae 100644
54--- a/auth2-hostbased.c
55+++ b/auth2-hostbased.c
56@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
57 size_t alen, blen, slen;
58 int r, pktype, authenticated = 0;
59
60- if (!authctxt->valid) {
61- debug2("%s: disabled because of invalid user", __func__);
62- return 0;
63- }
64 /* XXX use sshkey_froms() */
65 if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
66 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
67@@ -118,6 +114,11 @@ userauth_hostbased(struct ssh *ssh)
68 goto done;
69 }
70
71+ if (!authctxt->valid || authctxt->user == NULL) {
72+ debug2("%s: disabled because of invalid user", __func__);
73+ goto done;
74+ }
75+
76 if ((b = sshbuf_new()) == NULL)
77 fatal("%s: sshbuf_new failed", __func__);
78 /* reconstruct packet */
79diff --git a/auth2-pubkey.c b/auth2-pubkey.c
80index 8024b1d6a..a9272b97f 100644
81--- a/auth2-pubkey.c
82+++ b/auth2-pubkey.c
83@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh)
84 {
85 Authctxt *authctxt = ssh->authctxt;
86 struct passwd *pw = authctxt->pw;
87- struct sshbuf *b;
88+ struct sshbuf *b = NULL;
89 struct sshkey *key = NULL;
90- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
91- u_char *pkblob, *sig, have_sig;
92+ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
93+ u_char *pkblob = NULL, *sig = NULL, have_sig;
94 size_t blen, slen;
95 int r, pktype;
96 int authenticated = 0;
97 struct sshauthopt *authopts = NULL;
98
99- if (!authctxt->valid) {
100- debug2("%s: disabled because of invalid user", __func__);
101- return 0;
102- }
103 if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
104 (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
105 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
106@@ -168,6 +164,11 @@ userauth_pubkey(struct ssh *ssh)
107 fatal("%s: sshbuf_put_string session id: %s",
108 __func__, ssh_err(r));
109 }
110+ if (!authctxt->valid || authctxt->user == NULL) {
111+ debug2("%s: disabled because of invalid user",
112+ __func__);
113+ goto done;
114+ }
115 /* reconstruct packet */
116 xasprintf(&userstyle, "%s%s%s", authctxt->user,
117 authctxt->style ? ":" : "",
118@@ -184,7 +185,6 @@ userauth_pubkey(struct ssh *ssh)
119 #ifdef DEBUG_PK
120 sshbuf_dump(b, stderr);
121 #endif
122-
123 /* test for correct signature */
124 authenticated = 0;
125 if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
126@@ -193,7 +193,6 @@ userauth_pubkey(struct ssh *ssh)
127 authenticated = 1;
128 }
129 sshbuf_free(b);
130- free(sig);
131 auth2_record_key(authctxt, authenticated, key);
132 } else {
133 debug("%s: test pkalg %s pkblob %s%s%s",
134@@ -204,6 +203,11 @@ userauth_pubkey(struct ssh *ssh)
135 if ((r = sshpkt_get_end(ssh)) != 0)
136 fatal("%s: %s", __func__, ssh_err(r));
137
138+ if (!authctxt->valid || authctxt->user == NULL) {
139+ debug2("%s: disabled because of invalid user",
140+ __func__);
141+ goto done;
142+ }
143 /* XXX fake reply and always send PK_OK ? */
144 /*
145 * XXX this allows testing whether a user is allowed
146@@ -237,6 +241,7 @@ done:
147 free(pkblob);
148 free(key_s);
149 free(ca_s);
150+ free(sig);
151 return authenticated;
152 }
153
diff --git a/debian/patches/upstream-relax-checking-of-authorized_keys-environme.patch b/debian/patches/upstream-relax-checking-of-authorized_keys-environme.patch
deleted file mode 100644
index 251b9a3ca..000000000
--- a/debian/patches/upstream-relax-checking-of-authorized_keys-environme.patch
+++ /dev/null
@@ -1,40 +0,0 @@
1From 60256f28189c3d0650a78e737eb0ca4753478a4b Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Fri, 6 Apr 2018 04:15:45 +0000
4Subject: upstream: relax checking of authorized_keys environment="..."
5
6options to allow underscores in variable names (regression introduced in
77.7). bz2851, ok deraadt@
8
9OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c
10
11Original-Author: Damien Miller <djm@mindrot.org>
12Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=40f5f03544a07ebd2003b443d42e85cb51d94d59
13Bug-Ubuntu: https://bugs.launchpad.net/bugs/1771011
14Last-Update: 2018-06-28
15Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
16
17Patch-Name: upstream-relax-checking-of-authorized_keys-environme.patch
18---
19 auth-options.c | 4 ++--
20 1 file changed, 2 insertions(+), 2 deletions(-)
21
22diff --git a/auth-options.c b/auth-options.c
23index b528c197a..ef57ebf43 100644
24--- a/auth-options.c
25+++ b/auth-options.c
26@@ -1,4 +1,4 @@
27-/* $OpenBSD: auth-options.c,v 1.78 2018/03/14 05:35:40 djm Exp $ */
28+/* $OpenBSD: auth-options.c,v 1.79 2018/04/06 04:15:45 djm Exp $ */
29 /*
30 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
31 *
32@@ -394,7 +394,7 @@ sshauthopt_parse(const char *opts, const char **errstrp)
33 goto fail;
34 }
35 for (cp = opt; cp < tmp; cp++) {
36- if (!isalnum((u_char)*cp)) {
37+ if (!isalnum((u_char)*cp) && *cp != '_') {
38 free(opt);
39 errstr = "invalid environment string";
40 goto fail;
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 712620843..cc9cbacad 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 9e45701c5d6105444cc2f4f5d6c44b0f69969479 Mon Sep 17 00:00:00 2001 1From 840f43066f9cdf5f6bb07992aca1c5f43be8eb80 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -27,7 +27,7 @@ Patch-Name: user-group-modes.patch
27 7 files changed, 63 insertions(+), 13 deletions(-) 27 7 files changed, 63 insertions(+), 13 deletions(-)
28 28
29diff --git a/auth-rhosts.c b/auth-rhosts.c 29diff --git a/auth-rhosts.c b/auth-rhosts.c
30index ecf956f06..4dccd5e6a 100644 30index 57296e1f6..546aa0495 100644
31--- a/auth-rhosts.c 31--- a/auth-rhosts.c
32+++ b/auth-rhosts.c 32+++ b/auth-rhosts.c
33@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 33@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
@@ -51,10 +51,10 @@ index ecf956f06..4dccd5e6a 100644
51 pw->pw_name, buf); 51 pw->pw_name, buf);
52 auth_debug_add("Bad file modes for %.200s", buf); 52 auth_debug_add("Bad file modes for %.200s", buf);
53diff --git a/auth.c b/auth.c 53diff --git a/auth.c b/auth.c
54index 76d586e31..68b9fe795 100644 54index 80eb78c48..ad25631a5 100644
55--- a/auth.c 55--- a/auth.c
56+++ b/auth.c 56+++ b/auth.c
57@@ -468,8 +468,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, 57@@ -469,8 +469,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
59 if (options.strict_modes && 59 if (options.strict_modes &&
60 (stat(user_hostfile, &st) == 0) && 60 (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index 76d586e31..68b9fe795 100644
65 "bad owner or modes for %.200s", 65 "bad owner or modes for %.200s",
66 pw->pw_name, user_hostfile); 66 pw->pw_name, user_hostfile);
67diff --git a/misc.c b/misc.c 67diff --git a/misc.c b/misc.c
68index 874dcc8a2..75c4113f0 100644 68index ae4d29b84..2f3dbda0c 100644
69--- a/misc.c 69--- a/misc.c
70+++ b/misc.c 70+++ b/misc.c
71@@ -57,8 +57,9 @@ 71@@ -57,8 +57,9 @@
@@ -79,8 +79,8 @@ index 874dcc8a2..75c4113f0 100644
79 #ifdef SSH_TUN_OPENBSD 79 #ifdef SSH_TUN_OPENBSD
80 #include <net/if.h> 80 #include <net/if.h>
81 #endif 81 #endif
82@@ -1030,6 +1031,55 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, 82@@ -1024,6 +1025,55 @@ percent_expand(const char *string, ...)
83 return -1; 83 #undef EXPAND_MAX_KEYS
84 } 84 }
85 85
86+int 86+int
@@ -135,7 +135,7 @@ index 874dcc8a2..75c4113f0 100644
135 int 135 int
136 tun_open(int tun, int mode, char **ifname) 136 tun_open(int tun, int mode, char **ifname)
137 { 137 {
138@@ -1797,8 +1847,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 138@@ -1782,8 +1832,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
139 snprintf(err, errlen, "%s is not a regular file", buf); 139 snprintf(err, errlen, "%s is not a regular file", buf);
140 return -1; 140 return -1;
141 } 141 }
@@ -145,7 +145,7 @@ index 874dcc8a2..75c4113f0 100644
145 snprintf(err, errlen, "bad ownership or modes for file %s", 145 snprintf(err, errlen, "bad ownership or modes for file %s",
146 buf); 146 buf);
147 return -1; 147 return -1;
148@@ -1813,8 +1862,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 148@@ -1798,8 +1847,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
149 strlcpy(buf, cp, sizeof(buf)); 149 strlcpy(buf, cp, sizeof(buf));
150 150
151 if (stat(buf, &st) < 0 || 151 if (stat(buf, &st) < 0 ||
@@ -156,12 +156,12 @@ index 874dcc8a2..75c4113f0 100644
156 "bad ownership or modes for directory %s", buf); 156 "bad ownership or modes for directory %s", buf);
157 return -1; 157 return -1;
158diff --git a/misc.h b/misc.h 158diff --git a/misc.h b/misc.h
159index cdafea735..51943db90 100644 159index 6be289fd2..213c3abb7 100644
160--- a/misc.h 160--- a/misc.h
161+++ b/misc.h 161+++ b/misc.h
162@@ -168,6 +168,8 @@ char *read_passphrase(const char *, int); 162@@ -167,6 +167,8 @@ int safe_path_fd(int, const char *, struct passwd *,
163 char *read_passphrase(const char *, int);
163 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 164 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
164 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
165 165
166+int secure_permissions(struct stat *st, uid_t uid); 166+int secure_permissions(struct stat *st, uid_t uid);
167+ 167+
@@ -169,10 +169,10 @@ index cdafea735..51943db90 100644
169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
171diff --git a/readconf.c b/readconf.c 171diff --git a/readconf.c b/readconf.c
172index 7f2b5c172..50349e238 100644 172index 3fd0fe7b7..3ed6dfb54 100644
173--- a/readconf.c 173--- a/readconf.c
174+++ b/readconf.c 174+++ b/readconf.c
175@@ -1741,8 +1741,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 175@@ -1795,8 +1795,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
176 176
177 if (fstat(fileno(f), &sb) == -1) 177 if (fstat(fileno(f), &sb) == -1)
178 fatal("fstat %s: %s", filename, strerror(errno)); 178 fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,10 +183,10 @@ index 7f2b5c172..50349e238 100644
183 } 183 }
184 184
185diff --git a/ssh.1 b/ssh.1 185diff --git a/ssh.1 b/ssh.1
186index b4078525b..0ef7c1709 100644 186index b20908a5e..cb0fdd50e 100644
187--- a/ssh.1 187--- a/ssh.1
188+++ b/ssh.1 188+++ b/ssh.1
189@@ -1471,6 +1471,8 @@ The file format and configuration options are described in 189@@ -1475,6 +1475,8 @@ The file format and configuration options are described in
190 .Xr ssh_config 5 . 190 .Xr ssh_config 5 .
191 Because of the potential for abuse, this file must have strict permissions: 191 Because of the potential for abuse, this file must have strict permissions:
192 read/write for the user, and not writable by others. 192 read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index b4078525b..0ef7c1709 100644
196 .It Pa ~/.ssh/environment 196 .It Pa ~/.ssh/environment
197 Contains additional definitions for environment variables; see 197 Contains additional definitions for environment variables; see
198diff --git a/ssh_config.5 b/ssh_config.5 198diff --git a/ssh_config.5 b/ssh_config.5
199index 32c3632c7..84dcd52cc 100644 199index 86ada128e..03341a229 100644
200--- a/ssh_config.5 200--- a/ssh_config.5
201+++ b/ssh_config.5 201+++ b/ssh_config.5
202@@ -1818,6 +1818,8 @@ The format of this file is described above. 202@@ -1813,6 +1813,8 @@ The format of this file is described above.
203 This file is used by the SSH client. 203 This file is used by the SSH client.
204 Because of the potential for abuse, this file must have strict permissions: 204 Because of the potential for abuse, this file must have strict permissions:
205 read/write for the user, and not accessible by others. 205 read/write for the user, and not accessible by others.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-26 14:40:44 +0000