author | Colin Watson <cjwatson@debian.org> | 2014-02-10 00:27:24 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-10 02:40:28 +0000 |
commit | a2b8818c5d21cfcba443625251f691a2ea3a29c7 (patch) | |
tree | 8fe1fe448cde57eecf71a7bcd57186661b90313f /debian | |
parent | d399ecd8eb7d4aed3b7ba0d2727e619607fb901b (diff) | |
parent | ee8d8b97cc2c6081df3af453a228992b87309ec4 (diff) |
Merge 6.5p1.
* New upstream release (http://www.openssh.com/txt/release-6.5,
LP: #1275068):
- ssh(1): Add support for client-side hostname canonicalisation using a
set of DNS suffixes and rules in ssh_config(5). This allows
unqualified names to be canonicalised to fully-qualified domain names
to eliminate ambiguity when looking up keys in known_hosts or checking
host certificate names (closes: #115286).
Diffstat (limited to 'debian')
30 files changed, 298 insertions, 291 deletions
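--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,7 +1,7 @@
 # see git-dpm(1) from git-dpm package
-b65a0ded7a8cfe7d351e28266d7851216d679e05
-b65a0ded7a8cfe7d351e28266d7851216d679e05
-ee196dab7c5f97f0b80c8099343a375bead92010
+ee8d8b97cc2c6081df3af453a228992b87309ec4
+ee8d8b97cc2c6081df3af453a228992b87309ec4
+9a975a9faed7c4f334e8c8490db3e77e102f2b21
 9a975a9faed7c4f334e8c8490db3e77e102f2b21
 openssh_6.5p1.orig.tar.gz
 3363a72b4fee91b29cf2024ff633c17f6cd2f86d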
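--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,12 @@
-openssh (1:6.4p1-3) UNRELEASED; urgency=medium
+openssh (1:6.5p1-1) UNRELEASED; urgency=medium
 
+* New upstream release (http://www.openssh.com/txt/release-6.5,
+LP: #1275068):
+- ssh(1): Add support for client-side hostname canonicalisation using a
+set of DNS suffixes and rules in ssh_config(5). This allows
+unqualified names to be canonicalised to fully-qualified domain names
+to eliminate ambiguity when looking up keys in known_hosts or checking
+host certificate names (closes: #115286).
 * Switch to git; adjust Vcs-* fields.
 * Convert to git-dpm, and drop source package documentation associated
 with the old bzr/quilt patch handling workflow.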
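--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From 490aadd108dc4bf7f4b5084e3336d88ec23f6b19 Mon Sep 17 00:00:00 2001
+From 493e37552aa05b38cf69b5f1bc4b717fd4a1a285 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
@@ -16,10 +16,10 @@ Patch-Name: auth-log-verbosity.patch
 4 files changed, 32 insertions(+), 9 deletions(-)
 
 diff --git a/auth-options.c b/auth-options.c
-index 12e2e1d..15c00d0 100644
+index fa209ea..df61330 100644
 --- a/auth-options.c
 +++ b/auth-options.c
-@@ -58,9 +58,20 @@ int forced_tun_device = -1;
+@@ -54,9 +54,20 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
 
@@ -40,7 +40,7 @@ index 12e2e1d..15c00d0 100644
 auth_clear_options(void)
 {
 no_agent_forwarding_flag = 0;
-@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
+@@ -284,10 +295,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 /* FALLTHROUGH */
 case 0:
 free(patterns);
@@ -58,7 +58,7 @@ index 12e2e1d..15c00d0 100644
 auth_debug_add("Your host '%.200s' is not "
 "permitted to use this key for login.",
 remote_host);
-@@ -513,11 +527,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
+@@ -510,11 +524,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 break;
 case 0:
 /* no match */
@@ -104,10 +104,10 @@ index 545aa49..4624c15 100644
 * Go though the accepted keys, looking for the current key. If
 * found, perform a challenge-response dialog to verify that the
 diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 2b3ecb1..4d87f48 100644
+index 0fd27bb..7c56927 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -257,6 +257,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
+@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
 restore_uid();
 return 0;
 }
@@ -115,7 +115,7 @@ index 2b3ecb1..4d87f48 100644
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 /* Skip leading whitespace. */
 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -318,6 +319,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+@@ -324,6 +325,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 found_key = 0;
 
 found = NULL;
@@ -123,7 +123,7 @@ index 2b3ecb1..4d87f48 100644
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 char *cp, *key_options = NULL;
 if (found != NULL)
-@@ -453,6 +455,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
+@@ -459,6 +461,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 if (key_cert_check_authority(key, 0, 1,
 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
 goto fail_reason;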
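--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From d5b4a3617c50cbe9526582979797248af5cbd9d5 Mon Sep 17 00:00:00 2001
+From cf559d6c8b4616022f5bedcf3b3b85387a4d1559 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
 1 file changed, 1 insertion(+)
 
 diff --git a/Makefile.in b/Makefile.in
-index b2dbead..7849979 100644
+index 598d55a..5cf8100 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -283,6 +283,7 @@ install-files:
+@@ -287,6 +287,7 @@ install-files:
 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8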
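--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,4 +1,4 @@
-From 05609b1cb381eafb999214bf4a95138e63abdbf2 Mon Sep 17 00:00:00 2001
+From efe70e315cfcc70e765ebd070e83528a6be6c125 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:57 +0000
 Subject: Add support for registering ConsoleKit sessions on login
@@ -24,24 +24,24 @@ Patch-Name: consolekit.patch
 create mode 100644 consolekit.h
 
 diff --git a/Makefile.in b/Makefile.in
-index f979926..b2dbead 100644
+index 35c6fd6..598d55a 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -94,7 +94,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+@@ -97,7 +97,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 sftp-server.o sftp-common.o \
 roaming_common.o roaming_serv.o \
 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-- sandbox-seccomp-filter.o
-+ sandbox-seccomp-filter.o \
+- sandbox-seccomp-filter.o sandbox-capsicum.o
++ sandbox-seccomp-filter.o sandbox-capsicum.o \
 + consolekit.o
 
 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 diff --git a/configure b/configure
-index ceb1b5d..78bbcd0 100755
+index 5a9db2d..57b68e2 100755
 --- a/configure
 +++ b/configure
-@@ -738,6 +738,7 @@ with_privsep_user
+@@ -740,6 +740,7 @@ with_privsep_user
 with_sandbox
 with_selinux
 with_kerberos5
@@ -49,15 +49,15 @@ index ceb1b5d..78bbcd0 100755
 with_privsep_path
 with_xauth
 enable_strip
-@@ -1428,6 +1429,7 @@ Optional Packages:
---with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
+@@ -1432,6 +1433,7 @@ Optional Packages:
+--with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)
 --with-selinux Enable SELinux support
 --with-kerberos5=PATH Enable Kerberos 5 support
 + --with-consolekit Enable ConsoleKit support
 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
 --with-xauth=PATH Specify path to xauth program
 --with-maildir=/path/to/mail Specify your system mail directory
-@@ -16375,6 +16377,135 @@ fi
+@@ -17215,6 +17217,135 @@ fi
 
 
 
@@ -193,7 +193,7 @@ index ceb1b5d..78bbcd0 100755
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
-@@ -18902,6 +19033,7 @@ echo " MD5 password support: $MD5_MSG"
+@@ -19744,6 +19875,7 @@ echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"
 echo " Solaris project support: $SP_MSG"
@@ -202,10 +202,10 @@ index ceb1b5d..78bbcd0 100755
 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo " BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/configure.ac b/configure.ac
-index 4c1a658..d7d500a 100644
+index 90eebf5..e2289cd 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3841,6 +3841,30 @@ AC_ARG_WITH([kerberos5],
+@@ -4070,6 +4070,30 @@ AC_ARG_WITH([kerberos5],
 AC_SUBST([GSSLIBS])
 AC_SUBST([K5LIBS])
 
@@ -236,7 +236,7 @@ index 4c1a658..d7d500a 100644
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
-@@ -4641,6 +4665,7 @@ echo " MD5 password support: $MD5_MSG"
+@@ -4871,6 +4895,7 @@ echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"
 echo " Solaris project support: $SP_MSG"
@@ -521,7 +521,7 @@ index 0000000..8ce3716
 +
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor.c b/monitor.c
-index e8d63eb..9bc4f0b 100644
+index 88f472e..8ffea4f 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -98,6 +98,9 @@
@@ -575,7 +575,7 @@ index e8d63eb..9bc4f0b 100644
 
 for (;;)
 monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2492,3 +2508,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
+@@ -2493,3 +2509,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
 }
 
 #endif /* JPAKE */
@@ -672,7 +672,7 @@ index 4d12e29..360fb9f 100644
 +
 #endif /* _MM_WRAP_H_ */
 diff --git a/session.c b/session.c
-index b4d74d9..15bdb1b 100644
+index 5ddd82a..14df226 100644
 --- a/session.c
 +++ b/session.c
 @@ -92,6 +92,7 @@
@@ -683,7 +683,7 @@ index b4d74d9..15bdb1b 100644
 
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
-@@ -1132,6 +1133,9 @@ do_setup_env(Session *s, const char *shell)
+@@ -1155,6 +1156,9 @@ do_setup_env(Session *s, const char *shell)
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
 char *path = NULL;
 #endif
@@ -693,7 +693,7 @@ index b4d74d9..15bdb1b 100644
 
 /* Initialize the environment. */
 envsize = 100;
-@@ -1276,6 +1280,11 @@ do_setup_env(Session *s, const char *shell)
+@@ -1299,6 +1303,11 @@ do_setup_env(Session *s, const char *shell)
 child_set_env(&env, &envsize, "KRB5CCNAME",
 s->authctxt->krb5_ccname);
 #endif
@@ -705,7 +705,7 @@ index b4d74d9..15bdb1b 100644
 #ifdef USE_PAM
 /*
 * Pull in any environment variables that may have
-@@ -2320,6 +2329,10 @@ session_pty_cleanup2(Session *s)
+@@ -2348,6 +2357,10 @@ session_pty_cleanup2(Session *s)
 
 debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
 
@@ -717,7 +717,7 @@ index b4d74d9..15bdb1b 100644
 if (s->pid != 0)
 record_logout(s->pid, s->tty, s->pw->pw_name);
 diff --git a/session.h b/session.h
-index cb4f196..7e51b6a 100644
+index ef6593c..a6b6983 100644
 --- a/session.h
 +++ b/session.h
 @@ -26,6 +26,8 @@
@@ -729,7 +729,7 @@ index cb4f196..7e51b6a 100644
 #define TTYSZ 64
 typedef struct Session Session;
 struct Session {
-@@ -60,6 +62,10 @@ struct Session {
+@@ -61,6 +63,10 @@ struct Session {
 char *name;
 char *val;
 } *env;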
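--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From e1e1e23ca98c59a031217da0ea50b70de5427683 Mon Sep 17 00:00:00 2001
+From 68ebfc0e90ceb0f7b24dfb38979df6a80b7ec9e4 Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
 4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/servconf.c b/servconf.c
-index dcb8caf..802db1d 100644
+index 65f71ad..63ff4ff 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options)
+@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
 options->ip_qos_interactive = -1;
 options->ip_qos_bulk = -1;
 options->version_addendum = NULL;
@@ -30,7 +30,7 @@ index dcb8caf..802db1d 100644
 }
 
 void
-@@ -307,6 +308,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options)
 options->ip_qos_bulk = IPTOS_THROUGHPUT;
 if (options->version_addendum == NULL)
 options->version_addendum = xstrdup("");
@@ -39,7 +39,7 @@ index dcb8caf..802db1d 100644
 /* Turn privilege separation on by default */
 if (use_privsep == -1)
 use_privsep = PRIVSEP_NOSANDBOX;
-@@ -357,6 +360,7 @@ typedef enum {
+@@ -362,6 +365,7 @@ typedef enum {
 sKexAlgorithms, sIPQoS, sVersionAddendum,
 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 sAuthenticationMethods, sHostKeyAgent,
@@ -47,7 +47,7 @@ index dcb8caf..802db1d 100644
 sDeprecated, sUnsupported
 } ServerOpCodes;
 
-@@ -498,6 +502,7 @@ static struct {
+@@ -504,6 +508,7 @@ static struct {
 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -55,7 +55,7 @@ index dcb8caf..802db1d 100644
 { NULL, sBadOption, 0 }
 };
 
-@@ -1641,6 +1646,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1666,6 +1671,10 @@ process_server_config_line(ServerOptions *options, char *line,
 }
 return 0;
 
@@ -67,10 +67,10 @@ index dcb8caf..802db1d 100644
 logit("%s line %d: Deprecated option %s",
 filename, linenum, arg);
 diff --git a/servconf.h b/servconf.h
-index ab6e346..1891a95 100644
+index eba76ee..98d68ce 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -187,6 +187,8 @@ typedef struct {
+@@ -188,6 +188,8 @@ typedef struct {
 
 u_int num_auth_methods;
 char *auth_methods[MAX_AUTH_METHODS];
@@ -80,7 +80,7 @@ index ab6e346..1891a95 100644
 
 /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index 46ec1a7..63b9357 100644
+index 82168a1..c49a877 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -94,10 +94,10 @@ index 46ec1a7..63b9357 100644
 options.version_addendum, newline);
 
 diff --git a/sshd_config.5 b/sshd_config.5
-index e29604a..50eec53 100644
+index 39643de..bdca797 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -404,6 +404,11 @@ or
+@@ -413,6 +413,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .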
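--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From b65a0ded7a8cfe7d351e28266d7851216d679e05 Mon Sep 17 00:00:00 2001
+From ee8d8b97cc2c6081df3af453a228992b87309ec4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch
 5 files changed, 53 insertions(+), 3 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index c741934..e1e82c5 100644
+index 273552d..6ac8bea 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1292,7 +1292,7 @@ fill_default_options(Options * options)
+@@ -1618,7 +1618,7 @@ fill_default_options(Options * options)
 if (options->forward_x11 == -1)
 options->forward_x11 = 0;
 if (options->forward_x11_trusted == -1)
@@ -47,7 +47,7 @@ index c741934..e1e82c5 100644
 options->forward_x11_timeout = 1200;
 if (options->exit_on_forward_failure == -1)
 diff --git a/ssh_config b/ssh_config
-index 3234321..064b593 100644
+index 228e5ab..c9386aa 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -17,9 +17,10 @@
@@ -71,7 +71,7 @@ index 3234321..064b593 100644
 + GSSAPIAuthentication yes
 + GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index 7b05e5f..01e7b6f 100644
+index 85f306c..cc91a5c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -97,7 +97,7 @@ index 7b05e5f..01e7b6f 100644
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
-@@ -501,7 +517,8 @@ token used for the session will be set to expire after 20 minutes.
+@@ -648,7 +664,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
@@ -108,10 +108,10 @@ index 7b05e5f..01e7b6f 100644
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
 diff --git a/sshd_config b/sshd_config
-index 9450141..9cfe28d 100644
+index d9b8594..4db32f5 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -40,6 +40,7 @@
+@@ -41,6 +41,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
@@ -120,7 +120,7 @@ index 9450141..9cfe28d 100644
 #StrictModes yes
 #MaxAuthTries 6
 diff --git a/sshd_config.5 b/sshd_config.5
-index 04b5f1a..ca4cb19 100644
+index 9fa6086..e7ac846 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes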
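--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From d77a569da1afcb73c6ddfc934092461eeb4edb53 Mon Sep 17 00:00:00 2001
+From a3e8cef2bae563fe8c87cf9f32511a0808dd47eb Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf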
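--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 6a3efad36a54be8fa4de750cd7a555fe925f21cc Mon Sep 17 00:00:00 2001
+From 5e0540a17ace7dbbcec332ad3828d09dfa69dc6f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
 1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index a1e18d2..7b05e5f 100644
+index 3c6b9d4..85f306c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -587,6 +587,9 @@ Note that existing names and addresses in known hosts files
+@@ -734,6 +734,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .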
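--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 5093448a615dcbab13bbbd3765ac353b827f21aa Mon Sep 17 00:00:00 2001
+From 61466f681be917753b4ae82f3b6b16cbb44047ae Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
 1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/sshd.8 b/sshd.8
-index 95c1845..8e4017b 100644
+index b016e90..cba168a 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -70,7 +70,10 @@ over an insecure network.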
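--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 797d4dfd543b9d3fe96db6396e902a40b868d5c0 Mon Sep 17 00:00:00 2001
+From 1a6c95a5c5c82664f18bab6159e16cd64b07d870 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon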
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 8a919382e..3f6fccfff 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 Mon Sep 17 00:00:00 2001 | 1 | From cd404114ded78fc51d5d9cbd458d55c9b2f67daa Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2013-11-09 | 20 | Last-Updated: 2014-02-10 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
@@ -179,7 +179,7 @@ index 0000000..f117a33 | |||
179 | + (from jbasney AT ncsa.uiuc.edu) | 179 | + (from jbasney AT ncsa.uiuc.edu) |
180 | + <gssapi-with-mic support is Bugzilla #1008> | 180 | + <gssapi-with-mic support is Bugzilla #1008> |
181 | diff --git a/Makefile.in b/Makefile.in | 181 | diff --git a/Makefile.in b/Makefile.in |
182 | index 92c95a9..f979926 100644 | 182 | index a8aa127..35c6fd6 100644 |
183 | --- a/Makefile.in | 183 | --- a/Makefile.in |
184 | +++ b/Makefile.in | 184 | +++ b/Makefile.in |
185 | @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 185 | @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
@@ -188,22 +188,22 @@ index 92c95a9..f979926 100644 | |||
188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
189 | + kexgssc.o \ | 189 | + kexgssc.o \ |
190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
191 | jpake.o schnorr.o ssh-pkcs11.o krl.o | 191 | jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ |
192 | 192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ | |
193 | @@ -88,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 193 | @@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
194 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | 194 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ |
195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
196 | auth-krb5.o \ | 196 | kexc25519s.o auth-krb5.o \ |
197 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ | 197 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ |
198 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ | 198 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ |
199 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 199 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
200 | sftp-server.o sftp-common.o \ | 200 | sftp-server.o sftp-common.o \ |
201 | roaming_common.o roaming_serv.o \ | 201 | roaming_common.o roaming_serv.o \ |
202 | diff --git a/auth-krb5.c b/auth-krb5.c | 202 | diff --git a/auth-krb5.c b/auth-krb5.c |
203 | index 7c83f59..5613b57 100644 | 203 | index 6c62bdf..69a1a53 100644 |
204 | --- a/auth-krb5.c | 204 | --- a/auth-krb5.c |
205 | +++ b/auth-krb5.c | 205 | +++ b/auth-krb5.c |
206 | @@ -181,8 +181,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) | 206 | @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) |
207 | 207 | ||
208 | len = strlen(authctxt->krb5_ticket_file) + 6; | 208 | len = strlen(authctxt->krb5_ticket_file) + 6; |
209 | authctxt->krb5_ccname = xmalloc(len); | 209 | authctxt->krb5_ccname = xmalloc(len); |
@@ -217,7 +217,7 @@ index 7c83f59..5613b57 100644 | |||
217 | 217 | ||
218 | #ifdef USE_PAM | 218 | #ifdef USE_PAM |
219 | if (options.use_pam) | 219 | if (options.use_pam) |
220 | @@ -239,15 +244,22 @@ krb5_cleanup_proc(Authctxt *authctxt) | 220 | @@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) |
221 | #ifndef HEIMDAL | 221 | #ifndef HEIMDAL |
222 | krb5_error_code | 222 | krb5_error_code |
223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
@@ -242,7 +242,7 @@ index 7c83f59..5613b57 100644 | |||
242 | old_umask = umask(0177); | 242 | old_umask = umask(0177); |
243 | tmpfd = mkstemp(ccname + strlen("FILE:")); | 243 | tmpfd = mkstemp(ccname + strlen("FILE:")); |
244 | oerrno = errno; | 244 | oerrno = errno; |
245 | @@ -264,6 +276,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 245 | @@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
246 | return oerrno; | 246 | return oerrno; |
247 | } | 247 | } |
248 | close(tmpfd); | 248 | close(tmpfd); |
@@ -358,7 +358,7 @@ index f0cab8c..6ed8f04 100644 | |||
358 | #endif | 358 | #endif |
359 | #ifdef JPAKE | 359 | #ifdef JPAKE |
360 | diff --git a/clientloop.c b/clientloop.c | 360 | diff --git a/clientloop.c b/clientloop.c |
361 | index 23c2f23..311dc13 100644 | 361 | index f30c8b6..6d02b0b 100644 |
362 | --- a/clientloop.c | 362 | --- a/clientloop.c |
363 | +++ b/clientloop.c | 363 | +++ b/clientloop.c |
364 | @@ -111,6 +111,10 @@ | 364 | @@ -111,6 +111,10 @@ |
@@ -389,10 +389,10 @@ index 23c2f23..311dc13 100644 | |||
389 | debug("need rekeying"); | 389 | debug("need rekeying"); |
390 | xxx_kex->done = 0; | 390 | xxx_kex->done = 0; |
391 | diff --git a/config.h.in b/config.h.in | 391 | diff --git a/config.h.in b/config.h.in |
392 | index b75e501..34f1c9c 100644 | 392 | index 075c619..906e549 100644 |
393 | --- a/config.h.in | 393 | --- a/config.h.in |
394 | +++ b/config.h.in | 394 | +++ b/config.h.in |
395 | @@ -1546,6 +1546,9 @@ | 395 | @@ -1616,6 +1616,9 @@ |
396 | /* Use btmp to log bad logins */ | 396 | /* Use btmp to log bad logins */ |
397 | #undef USE_BTMP | 397 | #undef USE_BTMP |
398 | 398 | ||
@@ -402,7 +402,7 @@ index b75e501..34f1c9c 100644 | |||
402 | /* Use libedit for sftp */ | 402 | /* Use libedit for sftp */ |
403 | #undef USE_LIBEDIT | 403 | #undef USE_LIBEDIT |
404 | 404 | ||
405 | @@ -1561,6 +1564,9 @@ | 405 | @@ -1631,6 +1634,9 @@ |
406 | /* Use PIPES instead of a socketpair() */ | 406 | /* Use PIPES instead of a socketpair() */ |
407 | #undef USE_PIPES | 407 | #undef USE_PIPES |
408 | 408 | ||
@@ -413,10 +413,10 @@ index b75e501..34f1c9c 100644 | |||
413 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 413 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
414 | 414 | ||
415 | diff --git a/configure b/configure | 415 | diff --git a/configure b/configure |
416 | index 0d6fad5..ceb1b5d 100755 | 416 | index 2d714ac..5a9db2d 100755 |
417 | --- a/configure | 417 | --- a/configure |
418 | +++ b/configure | 418 | +++ b/configure |
419 | @@ -6780,6 +6780,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h | 419 | @@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h |
420 | 420 | ||
421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | 421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h |
422 | 422 | ||
@@ -481,10 +481,10 @@ index 0d6fad5..ceb1b5d 100755 | |||
481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" | 481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" |
482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : | 482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : |
483 | diff --git a/configure.ac b/configure.ac | 483 | diff --git a/configure.ac b/configure.ac |
484 | index 4a1b503..4c1a658 100644 | 484 | index dfd32cd..90eebf5 100644 |
485 | --- a/configure.ac | 485 | --- a/configure.ac |
486 | +++ b/configure.ac | 486 | +++ b/configure.ac |
487 | @@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
488 | [Use tunnel device compatibility to OpenBSD]) | 488 | [Use tunnel device compatibility to OpenBSD]) |
489 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 489 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
490 | [Prepend the address family to IP tunnel traffic]) | 490 | [Prepend the address family to IP tunnel traffic]) |
@@ -867,7 +867,7 @@ index b39281b..b7d1b7d 100644 | |||
867 | + | 867 | + |
868 | #endif /* GSSAPI */ | 868 | #endif /* GSSAPI */ |
869 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c | 869 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c |
870 | index 87f2683..c55446a 100644 | 870 | index 759fa10..959a77e 100644 |
871 | --- a/gss-serv-krb5.c | 871 | --- a/gss-serv-krb5.c |
872 | +++ b/gss-serv-krb5.c | 872 | +++ b/gss-serv-krb5.c |
873 | @@ -1,7 +1,7 @@ | 873 | @@ -1,7 +1,7 @@ |
@@ -887,7 +887,7 @@ index 87f2683..c55446a 100644 | |||
887 | 887 | ||
888 | if (client->creds == NULL) { | 888 | if (client->creds == NULL) { |
889 | debug("No credentials stored"); | 889 | debug("No credentials stored"); |
890 | @@ -174,11 +175,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 890 | @@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
891 | return; | 891 | return; |
892 | } | 892 | } |
893 | 893 | ||
@@ -908,7 +908,7 @@ index 87f2683..c55446a 100644 | |||
908 | 908 | ||
909 | #ifdef USE_PAM | 909 | #ifdef USE_PAM |
910 | if (options.use_pam) | 910 | if (options.use_pam) |
911 | @@ -190,6 +196,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 911 | @@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
912 | return; | 912 | return; |
913 | } | 913 | } |
914 | 914 | ||
@@ -980,7 +980,7 @@ index 87f2683..c55446a 100644 | |||
980 | ssh_gssapi_mech gssapi_kerberos_mech = { | 980 | ssh_gssapi_mech gssapi_kerberos_mech = { |
981 | "toWM5Slw5Ew8Mqkay+al2g==", | 981 | "toWM5Slw5Ew8Mqkay+al2g==", |
982 | "Kerberos", | 982 | "Kerberos", |
983 | @@ -197,7 +268,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { | 983 | @@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { |
984 | NULL, | 984 | NULL, |
985 | &ssh_gssapi_krb5_userok, | 985 | &ssh_gssapi_krb5_userok, |
986 | NULL, | 986 | NULL, |
@@ -1309,12 +1309,12 @@ index 95348e2..97f366f 100644 | |||
1309 | 1309 | ||
1310 | #endif | 1310 | #endif |
1311 | diff --git a/kex.c b/kex.c | 1311 | diff --git a/kex.c b/kex.c |
1312 | index 54bd1a4..1ec2782 100644 | 1312 | index 616484b..49d0fc8 100644 |
1313 | --- a/kex.c | 1313 | --- a/kex.c |
1314 | +++ b/kex.c | 1314 | +++ b/kex.c |
1315 | @@ -50,6 +50,10 @@ | 1315 | @@ -51,6 +51,10 @@ |
1316 | #include "monitor.h" | ||
1317 | #include "roaming.h" | 1316 | #include "roaming.h" |
1317 | #include "digest.h" | ||
1318 | 1318 | ||
1319 | +#ifdef GSSAPI | 1319 | +#ifdef GSSAPI |
1320 | +#include "ssh-gss.h" | 1320 | +#include "ssh-gss.h" |
@@ -1323,22 +1323,22 @@ index 54bd1a4..1ec2782 100644 | |||
1323 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1323 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1324 | # if defined(HAVE_EVP_SHA256) | 1324 | # if defined(HAVE_EVP_SHA256) |
1325 | # define evp_ssh_sha256 EVP_sha256 | 1325 | # define evp_ssh_sha256 EVP_sha256 |
1326 | @@ -82,6 +86,14 @@ static const struct kexalg kexalgs[] = { | 1326 | @@ -92,6 +96,14 @@ static const struct kexalg kexalgs[] = { |
1327 | #endif | 1327 | #endif |
1328 | { NULL, -1, -1, NULL}, | 1328 | { NULL, -1, -1, -1}, |
1329 | }; | 1329 | }; |
1330 | +static const struct kexalg kexalg_prefixes[] = { | 1330 | +static const struct kexalg kexalg_prefixes[] = { |
1331 | +#ifdef GSSAPI | 1331 | +#ifdef GSSAPI |
1332 | + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 }, | 1332 | + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, |
1333 | + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 }, | 1333 | + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, |
1334 | + { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 }, | 1334 | + { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, |
1335 | +#endif | 1335 | +#endif |
1336 | + { NULL, -1, -1, NULL }, | 1336 | + { NULL, -1, -1, -1 }, |
1337 | +}; | 1337 | +}; |
1338 | 1338 | ||
1339 | char * | 1339 | char * |
1340 | kex_alg_list(void) | 1340 | kex_alg_list(char sep) |
1341 | @@ -110,6 +122,10 @@ kex_alg_by_name(const char *name) | 1341 | @@ -120,6 +132,10 @@ kex_alg_by_name(const char *name) |
1342 | if (strcmp(k->name, name) == 0) | 1342 | if (strcmp(k->name, name) == 0) |
1343 | return k; | 1343 | return k; |
1344 | } | 1344 | } |
@@ -1350,22 +1350,22 @@ index 54bd1a4..1ec2782 100644 | |||
1350 | } | 1350 | } |
1351 | 1351 | ||
1352 | diff --git a/kex.h b/kex.h | 1352 | diff --git a/kex.h b/kex.h |
1353 | index 9f1e1ad..d5046c6 100644 | 1353 | index 1aa3ec2..8fbcb2b 100644 |
1354 | --- a/kex.h | 1354 | --- a/kex.h |
1355 | +++ b/kex.h | 1355 | +++ b/kex.h |
1356 | @@ -74,6 +74,9 @@ enum kex_exchange { | 1356 | @@ -76,6 +76,9 @@ enum kex_exchange { |
1357 | KEX_DH_GEX_SHA1, | ||
1358 | KEX_DH_GEX_SHA256, | 1357 | KEX_DH_GEX_SHA256, |
1359 | KEX_ECDH_SHA2, | 1358 | KEX_ECDH_SHA2, |
1359 | KEX_C25519_SHA256, | ||
1360 | + KEX_GSS_GRP1_SHA1, | 1360 | + KEX_GSS_GRP1_SHA1, |
1361 | + KEX_GSS_GRP14_SHA1, | 1361 | + KEX_GSS_GRP14_SHA1, |
1362 | + KEX_GSS_GEX_SHA1, | 1362 | + KEX_GSS_GEX_SHA1, |
1363 | KEX_MAX | 1363 | KEX_MAX |
1364 | }; | 1364 | }; |
1365 | 1365 | ||
1366 | @@ -133,6 +136,12 @@ struct Kex { | 1366 | @@ -136,6 +139,12 @@ struct Kex { |
1367 | int flags; | 1367 | int flags; |
1368 | const EVP_MD *evp_md; | 1368 | int hash_alg; |
1369 | int ec_nid; | 1369 | int ec_nid; |
1370 | +#ifdef GSSAPI | 1370 | +#ifdef GSSAPI |
1371 | + int gss_deleg_creds; | 1371 | + int gss_deleg_creds; |
@@ -1376,9 +1376,9 @@ index 9f1e1ad..d5046c6 100644 | |||
1376 | char *client_version_string; | 1376 | char *client_version_string; |
1377 | char *server_version_string; | 1377 | char *server_version_string; |
1378 | int (*verify_host_key)(Key *); | 1378 | int (*verify_host_key)(Key *); |
1379 | @@ -162,6 +171,11 @@ void kexgex_server(Kex *); | 1379 | @@ -168,6 +177,11 @@ void kexecdh_server(Kex *); |
1380 | void kexecdh_client(Kex *); | 1380 | void kexc25519_client(Kex *); |
1381 | void kexecdh_server(Kex *); | 1381 | void kexc25519_server(Kex *); |
1382 | 1382 | ||
1383 | +#ifdef GSSAPI | 1383 | +#ifdef GSSAPI |
1384 | +void kexgss_client(Kex *); | 1384 | +void kexgss_client(Kex *); |
@@ -1390,7 +1390,7 @@ index 9f1e1ad..d5046c6 100644 | |||
1390 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); | 1390 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); |
1391 | diff --git a/kexgssc.c b/kexgssc.c | 1391 | diff --git a/kexgssc.c b/kexgssc.c |
1392 | new file mode 100644 | 1392 | new file mode 100644 |
1393 | index 0000000..616893c | 1393 | index 0000000..14f5598 |
1394 | --- /dev/null | 1394 | --- /dev/null |
1395 | +++ b/kexgssc.c | 1395 | +++ b/kexgssc.c |
1396 | @@ -0,0 +1,333 @@ | 1396 | @@ -0,0 +1,333 @@ |
@@ -1675,7 +1675,7 @@ index 0000000..616893c | |||
1675 | + break; | 1675 | + break; |
1676 | + case KEX_GSS_GEX_SHA1: | 1676 | + case KEX_GSS_GEX_SHA1: |
1677 | + kexgex_hash( | 1677 | + kexgex_hash( |
1678 | + kex->evp_md, | 1678 | + kex->hash_alg, |
1679 | + kex->client_version_string, | 1679 | + kex->client_version_string, |
1680 | + kex->server_version_string, | 1680 | + kex->server_version_string, |
1681 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1681 | + buffer_ptr(&kex->my), buffer_len(&kex->my), |
@@ -1721,7 +1721,7 @@ index 0000000..616893c | |||
1721 | + else | 1721 | + else |
1722 | + ssh_gssapi_delete_ctx(&ctxt); | 1722 | + ssh_gssapi_delete_ctx(&ctxt); |
1723 | + | 1723 | + |
1724 | + kex_derive_keys(kex, hash, hashlen, shared_secret); | 1724 | + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); |
1725 | + BN_clear_free(shared_secret); | 1725 | + BN_clear_free(shared_secret); |
1726 | + kex_finish(kex); | 1726 | + kex_finish(kex); |
1727 | +} | 1727 | +} |
@@ -1729,7 +1729,7 @@ index 0000000..616893c | |||
1729 | +#endif /* GSSAPI */ | 1729 | +#endif /* GSSAPI */ |
1730 | diff --git a/kexgsss.c b/kexgsss.c | 1730 | diff --git a/kexgsss.c b/kexgsss.c |
1731 | new file mode 100644 | 1731 | new file mode 100644 |
1732 | index 0000000..18b065b | 1732 | index 0000000..8095259 |
1733 | --- /dev/null | 1733 | --- /dev/null |
1734 | +++ b/kexgsss.c | 1734 | +++ b/kexgsss.c |
1735 | @@ -0,0 +1,289 @@ | 1735 | @@ -0,0 +1,289 @@ |
@@ -1959,7 +1959,7 @@ index 0000000..18b065b | |||
1959 | + break; | 1959 | + break; |
1960 | + case KEX_GSS_GEX_SHA1: | 1960 | + case KEX_GSS_GEX_SHA1: |
1961 | + kexgex_hash( | 1961 | + kexgex_hash( |
1962 | + kex->evp_md, | 1962 | + kex->hash_alg, |
1963 | + kex->client_version_string, kex->server_version_string, | 1963 | + kex->client_version_string, kex->server_version_string, |
1964 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1964 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), |
1965 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1965 | + buffer_ptr(&kex->my), buffer_len(&kex->my), |
@@ -2012,7 +2012,7 @@ index 0000000..18b065b | |||
2012 | + | 2012 | + |
2013 | + DH_free(dh); | 2013 | + DH_free(dh); |
2014 | + | 2014 | + |
2015 | + kex_derive_keys(kex, hash, hashlen, shared_secret); | 2015 | + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); |
2016 | + BN_clear_free(shared_secret); | 2016 | + BN_clear_free(shared_secret); |
2017 | + kex_finish(kex); | 2017 | + kex_finish(kex); |
2018 | + | 2018 | + |
@@ -2023,23 +2023,23 @@ index 0000000..18b065b | |||
2023 | +} | 2023 | +} |
2024 | +#endif /* GSSAPI */ | 2024 | +#endif /* GSSAPI */ |
2025 | diff --git a/key.c b/key.c | 2025 | diff --git a/key.c b/key.c |
2026 | index 55ee789..2591635 100644 | 2026 | index 9142338..3867eb3 100644 |
2027 | --- a/key.c | 2027 | --- a/key.c |
2028 | +++ b/key.c | 2028 | +++ b/key.c |
2029 | @@ -933,6 +933,7 @@ static const struct keytype keytypes[] = { | 2029 | @@ -985,6 +985,7 @@ static const struct keytype keytypes[] = { |
2030 | KEY_RSA_CERT_V00, 0, 1 }, | ||
2031 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | ||
2032 | KEY_DSA_CERT_V00, 0, 1 }, | 2030 | KEY_DSA_CERT_V00, 0, 1 }, |
2031 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | ||
2032 | KEY_ED25519_CERT, 0, 1 }, | ||
2033 | + { "null", "null", KEY_NULL, 0, 0 }, | 2033 | + { "null", "null", KEY_NULL, 0, 0 }, |
2034 | { NULL, NULL, -1, -1, 0 } | 2034 | { NULL, NULL, -1, -1, 0 } |
2035 | }; | 2035 | }; |
2036 | 2036 | ||
2037 | diff --git a/key.h b/key.h | 2037 | diff --git a/key.h b/key.h |
2038 | index 17358ae..b57d6a4 100644 | 2038 | index d8ad13d..c8aeba2 100644 |
2039 | --- a/key.h | 2039 | --- a/key.h |
2040 | +++ b/key.h | 2040 | +++ b/key.h |
2041 | @@ -44,6 +44,7 @@ enum types { | 2041 | @@ -46,6 +46,7 @@ enum types { |
2042 | KEY_ECDSA_CERT, | 2042 | KEY_ED25519_CERT, |
2043 | KEY_RSA_CERT_V00, | 2043 | KEY_RSA_CERT_V00, |
2044 | KEY_DSA_CERT_V00, | 2044 | KEY_DSA_CERT_V00, |
2045 | + KEY_NULL, | 2045 | + KEY_NULL, |
@@ -2047,7 +2047,7 @@ index 17358ae..b57d6a4 100644 | |||
2047 | }; | 2047 | }; |
2048 | enum fp_type { | 2048 | enum fp_type { |
2049 | diff --git a/monitor.c b/monitor.c | 2049 | diff --git a/monitor.c b/monitor.c |
2050 | index 44dff98..9079c97 100644 | 2050 | index 03baf1e..a777c4c 100644 |
2051 | --- a/monitor.c | 2051 | --- a/monitor.c |
2052 | +++ b/monitor.c | 2052 | +++ b/monitor.c |
2053 | @@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 2053 | @@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
@@ -2102,10 +2102,10 @@ index 44dff98..9079c97 100644 | |||
2102 | } else { | 2102 | } else { |
2103 | mon_dispatch = mon_dispatch_postauth15; | 2103 | mon_dispatch = mon_dispatch_postauth15; |
2104 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2104 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2105 | @@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m) | 2105 | @@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m) |
2106 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | ||
2107 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2106 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2108 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2107 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
2108 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | ||
2109 | +#ifdef GSSAPI | 2109 | +#ifdef GSSAPI |
2110 | + if (options.gss_keyex) { | 2110 | + if (options.gss_keyex) { |
2111 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | 2111 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; |
@@ -2116,7 +2116,7 @@ index 44dff98..9079c97 100644 | |||
2116 | kex->server = 1; | 2116 | kex->server = 1; |
2117 | kex->hostkey_type = buffer_get_int(m); | 2117 | kex->hostkey_type = buffer_get_int(m); |
2118 | kex->kex_type = buffer_get_int(m); | 2118 | kex->kex_type = buffer_get_int(m); |
2119 | @@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2119 | @@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2120 | OM_uint32 major; | 2120 | OM_uint32 major; |
2121 | u_int len; | 2121 | u_int len; |
2122 | 2122 | ||
@@ -2126,7 +2126,7 @@ index 44dff98..9079c97 100644 | |||
2126 | goid.elements = buffer_get_string(m, &len); | 2126 | goid.elements = buffer_get_string(m, &len); |
2127 | goid.length = len; | 2127 | goid.length = len; |
2128 | 2128 | ||
2129 | @@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2129 | @@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2130 | OM_uint32 flags = 0; /* GSI needs this */ | 2130 | OM_uint32 flags = 0; /* GSI needs this */ |
2131 | u_int len; | 2131 | u_int len; |
2132 | 2132 | ||
@@ -2136,7 +2136,7 @@ index 44dff98..9079c97 100644 | |||
2136 | in.value = buffer_get_string(m, &len); | 2136 | in.value = buffer_get_string(m, &len); |
2137 | in.length = len; | 2137 | in.length = len; |
2138 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2138 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2139 | @@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2139 | @@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2140 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2140 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2141 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2141 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2142 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2142 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2144,7 +2144,7 @@ index 44dff98..9079c97 100644 | |||
2144 | } | 2144 | } |
2145 | return (0); | 2145 | return (0); |
2146 | } | 2146 | } |
2147 | @@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2147 | @@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2148 | OM_uint32 ret; | 2148 | OM_uint32 ret; |
2149 | u_int len; | 2149 | u_int len; |
2150 | 2150 | ||
@@ -2154,7 +2154,7 @@ index 44dff98..9079c97 100644 | |||
2154 | gssbuf.value = buffer_get_string(m, &len); | 2154 | gssbuf.value = buffer_get_string(m, &len); |
2155 | gssbuf.length = len; | 2155 | gssbuf.length = len; |
2156 | mic.value = buffer_get_string(m, &len); | 2156 | mic.value = buffer_get_string(m, &len); |
2157 | @@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2157 | @@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2158 | { | 2158 | { |
2159 | int authenticated; | 2159 | int authenticated; |
2160 | 2160 | ||
@@ -2167,7 +2167,7 @@ index 44dff98..9079c97 100644 | |||
2167 | 2167 | ||
2168 | buffer_clear(m); | 2168 | buffer_clear(m); |
2169 | buffer_put_int(m, authenticated); | 2169 | buffer_put_int(m, authenticated); |
2170 | @@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2170 | @@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2171 | /* Monitor loop will terminate if authenticated */ | 2171 | /* Monitor loop will terminate if authenticated */ |
2172 | return (authenticated); | 2172 | return (authenticated); |
2173 | } | 2173 | } |
@@ -2338,10 +2338,10 @@ index 0c7f2e3..ec9b9b1 100644 | |||
2338 | 2338 | ||
2339 | #ifdef USE_PAM | 2339 | #ifdef USE_PAM |
2340 | diff --git a/readconf.c b/readconf.c | 2340 | diff --git a/readconf.c b/readconf.c |
2341 | index 1464430..2695fd6 100644 | 2341 | index 9c7e73d..cb8bcb2 100644 |
2342 | --- a/readconf.c | 2342 | --- a/readconf.c |
2343 | +++ b/readconf.c | 2343 | +++ b/readconf.c |
2344 | @@ -132,6 +132,8 @@ typedef enum { | 2344 | @@ -140,6 +140,8 @@ typedef enum { |
2345 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2345 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2346 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2346 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2347 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2347 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2350,7 +2350,7 @@ index 1464430..2695fd6 100644 | |||
2350 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2350 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2351 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2351 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2352 | oHashKnownHosts, | 2352 | oHashKnownHosts, |
2353 | @@ -172,10 +174,19 @@ static struct { | 2353 | @@ -182,10 +184,19 @@ static struct { |
2354 | { "afstokenpassing", oUnsupported }, | 2354 | { "afstokenpassing", oUnsupported }, |
2355 | #if defined(GSSAPI) | 2355 | #if defined(GSSAPI) |
2356 | { "gssapiauthentication", oGssAuthentication }, | 2356 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2370,7 +2370,7 @@ index 1464430..2695fd6 100644 | |||
2370 | #endif | 2370 | #endif |
2371 | { "fallbacktorsh", oDeprecated }, | 2371 | { "fallbacktorsh", oDeprecated }, |
2372 | { "usersh", oDeprecated }, | 2372 | { "usersh", oDeprecated }, |
2373 | @@ -516,10 +527,30 @@ parse_flag: | 2373 | @@ -839,10 +850,30 @@ parse_time: |
2374 | intptr = &options->gss_authentication; | 2374 | intptr = &options->gss_authentication; |
2375 | goto parse_flag; | 2375 | goto parse_flag; |
2376 | 2376 | ||
@@ -2401,7 +2401,7 @@ index 1464430..2695fd6 100644 | |||
2401 | case oBatchMode: | 2401 | case oBatchMode: |
2402 | intptr = &options->batch_mode; | 2402 | intptr = &options->batch_mode; |
2403 | goto parse_flag; | 2403 | goto parse_flag; |
2404 | @@ -1168,7 +1199,12 @@ initialize_options(Options * options) | 2404 | @@ -1488,7 +1519,12 @@ initialize_options(Options * options) |
2405 | options->pubkey_authentication = -1; | 2405 | options->pubkey_authentication = -1; |
2406 | options->challenge_response_authentication = -1; | 2406 | options->challenge_response_authentication = -1; |
2407 | options->gss_authentication = -1; | 2407 | options->gss_authentication = -1; |
@@ -2414,7 +2414,7 @@ index 1464430..2695fd6 100644 | |||
2414 | options->password_authentication = -1; | 2414 | options->password_authentication = -1; |
2415 | options->kbd_interactive_authentication = -1; | 2415 | options->kbd_interactive_authentication = -1; |
2416 | options->kbd_interactive_devices = NULL; | 2416 | options->kbd_interactive_devices = NULL; |
2417 | @@ -1268,8 +1304,14 @@ fill_default_options(Options * options) | 2417 | @@ -1594,8 +1630,14 @@ fill_default_options(Options * options) |
2418 | options->challenge_response_authentication = 1; | 2418 | options->challenge_response_authentication = 1; |
2419 | if (options->gss_authentication == -1) | 2419 | if (options->gss_authentication == -1) |
2420 | options->gss_authentication = 0; | 2420 | options->gss_authentication = 0; |
@@ -2430,10 +2430,10 @@ index 1464430..2695fd6 100644 | |||
2430 | options->password_authentication = 1; | 2430 | options->password_authentication = 1; |
2431 | if (options->kbd_interactive_authentication == -1) | 2431 | if (options->kbd_interactive_authentication == -1) |
2432 | diff --git a/readconf.h b/readconf.h | 2432 | diff --git a/readconf.h b/readconf.h |
2433 | index 23fc500..675b35d 100644 | 2433 | index 2d7ea9f..826c676 100644 |
2434 | --- a/readconf.h | 2434 | --- a/readconf.h |
2435 | +++ b/readconf.h | 2435 | +++ b/readconf.h |
2436 | @@ -48,7 +48,12 @@ typedef struct { | 2436 | @@ -54,7 +54,12 @@ typedef struct { |
2437 | int challenge_response_authentication; | 2437 | int challenge_response_authentication; |
2438 | /* Try S/Key or TIS, authentication. */ | 2438 | /* Try S/Key or TIS, authentication. */ |
2439 | int gss_authentication; /* Try GSS authentication */ | 2439 | int gss_authentication; /* Try GSS authentication */ |
@@ -2447,10 +2447,10 @@ index 23fc500..675b35d 100644 | |||
2447 | * authentication. */ | 2447 | * authentication. */ |
2448 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2448 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2449 | diff --git a/servconf.c b/servconf.c | 2449 | diff --git a/servconf.c b/servconf.c |
2450 | index 747edde..c938ae3 100644 | 2450 | index 9bcd05b..29209e4 100644 |
2451 | --- a/servconf.c | 2451 | --- a/servconf.c |
2452 | +++ b/servconf.c | 2452 | +++ b/servconf.c |
2453 | @@ -107,7 +107,10 @@ initialize_server_options(ServerOptions *options) | 2453 | @@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) |
2454 | options->kerberos_ticket_cleanup = -1; | 2454 | options->kerberos_ticket_cleanup = -1; |
2455 | options->kerberos_get_afs_token = -1; | 2455 | options->kerberos_get_afs_token = -1; |
2456 | options->gss_authentication=-1; | 2456 | options->gss_authentication=-1; |
@@ -2461,7 +2461,7 @@ index 747edde..c938ae3 100644 | |||
2461 | options->password_authentication = -1; | 2461 | options->password_authentication = -1; |
2462 | options->kbd_interactive_authentication = -1; | 2462 | options->kbd_interactive_authentication = -1; |
2463 | options->challenge_response_authentication = -1; | 2463 | options->challenge_response_authentication = -1; |
2464 | @@ -240,8 +243,14 @@ fill_default_server_options(ServerOptions *options) | 2464 | @@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options) |
2465 | options->kerberos_get_afs_token = 0; | 2465 | options->kerberos_get_afs_token = 0; |
2466 | if (options->gss_authentication == -1) | 2466 | if (options->gss_authentication == -1) |
2467 | options->gss_authentication = 0; | 2467 | options->gss_authentication = 0; |
@@ -2476,7 +2476,7 @@ index 747edde..c938ae3 100644 | |||
2476 | if (options->password_authentication == -1) | 2476 | if (options->password_authentication == -1) |
2477 | options->password_authentication = 1; | 2477 | options->password_authentication = 1; |
2478 | if (options->kbd_interactive_authentication == -1) | 2478 | if (options->kbd_interactive_authentication == -1) |
2479 | @@ -338,7 +347,9 @@ typedef enum { | 2479 | @@ -343,7 +352,9 @@ typedef enum { |
2480 | sBanner, sUseDNS, sHostbasedAuthentication, | 2480 | sBanner, sUseDNS, sHostbasedAuthentication, |
2481 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2481 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2482 | sClientAliveCountMax, sAuthorizedKeysFile, | 2482 | sClientAliveCountMax, sAuthorizedKeysFile, |
@@ -2487,7 +2487,7 @@ index 747edde..c938ae3 100644 | |||
2487 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2487 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2488 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2488 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2489 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 2489 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2490 | @@ -405,10 +416,20 @@ static struct { | 2490 | @@ -410,10 +421,20 @@ static struct { |
2491 | #ifdef GSSAPI | 2491 | #ifdef GSSAPI |
2492 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2492 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2493 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2493 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2508,7 +2508,7 @@ index 747edde..c938ae3 100644 | |||
2508 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2508 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2509 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2509 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2510 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2510 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2511 | @@ -1073,10 +1094,22 @@ process_server_config_line(ServerOptions *options, char *line, | 2511 | @@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions *options, char *line, |
2512 | intptr = &options->gss_authentication; | 2512 | intptr = &options->gss_authentication; |
2513 | goto parse_flag; | 2513 | goto parse_flag; |
2514 | 2514 | ||
@@ -2531,7 +2531,7 @@ index 747edde..c938ae3 100644 | |||
2531 | case sPasswordAuthentication: | 2531 | case sPasswordAuthentication: |
2532 | intptr = &options->password_authentication; | 2532 | intptr = &options->password_authentication; |
2533 | goto parse_flag; | 2533 | goto parse_flag; |
2534 | @@ -1983,7 +2016,10 @@ dump_config(ServerOptions *o) | 2534 | @@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o) |
2535 | #endif | 2535 | #endif |
2536 | #ifdef GSSAPI | 2536 | #ifdef GSSAPI |
2537 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2537 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2543,10 +2543,10 @@ index 747edde..c938ae3 100644 | |||
2543 | #ifdef JPAKE | 2543 | #ifdef JPAKE |
2544 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | 2544 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, |
2545 | diff --git a/servconf.h b/servconf.h | 2545 | diff --git a/servconf.h b/servconf.h |
2546 | index 98aad8b..ab6e346 100644 | 2546 | index 8812c5a..eba76ee 100644 |
2547 | --- a/servconf.h | 2547 | --- a/servconf.h |
2548 | +++ b/servconf.h | 2548 | +++ b/servconf.h |
2549 | @@ -111,7 +111,10 @@ typedef struct { | 2549 | @@ -112,7 +112,10 @@ typedef struct { |
2550 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2550 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2551 | * authenticated with Kerberos. */ | 2551 | * authenticated with Kerberos. */ |
2552 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2552 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2659,7 +2659,7 @@ index 077e13c..bc6e8f9 100644 | |||
2659 | 2659 | ||
2660 | #endif /* _SSH_GSS_H */ | 2660 | #endif /* _SSH_GSS_H */ |
2661 | diff --git a/ssh_config b/ssh_config | 2661 | diff --git a/ssh_config b/ssh_config |
2662 | index bb40819..3234321 100644 | 2662 | index 03a228f..228e5ab 100644 |
2663 | --- a/ssh_config | 2663 | --- a/ssh_config |
2664 | +++ b/ssh_config | 2664 | +++ b/ssh_config |
2665 | @@ -26,6 +26,8 @@ | 2665 | @@ -26,6 +26,8 @@ |
@@ -2672,10 +2672,10 @@ index bb40819..3234321 100644 | |||
2672 | # CheckHostIP yes | 2672 | # CheckHostIP yes |
2673 | # AddressFamily any | 2673 | # AddressFamily any |
2674 | diff --git a/ssh_config.5 b/ssh_config.5 | 2674 | diff --git a/ssh_config.5 b/ssh_config.5 |
2675 | index 5d76c6d..e72919a 100644 | 2675 | index 3cadcd7..49505ae 100644 |
2676 | --- a/ssh_config.5 | 2676 | --- a/ssh_config.5 |
2677 | +++ b/ssh_config.5 | 2677 | +++ b/ssh_config.5 |
2678 | @@ -529,11 +529,43 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2678 | @@ -676,11 +676,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2679 | The default is | 2679 | The default is |
2680 | .Dq no . | 2680 | .Dq no . |
2681 | Note that this option applies to protocol version 2 only. | 2681 | Note that this option applies to protocol version 2 only. |
@@ -2721,7 +2721,7 @@ index 5d76c6d..e72919a 100644 | |||
2721 | Indicates that | 2721 | Indicates that |
2722 | .Xr ssh 1 | 2722 | .Xr ssh 1 |
2723 | diff --git a/sshconnect2.c b/sshconnect2.c | 2723 | diff --git a/sshconnect2.c b/sshconnect2.c |
2724 | index 70e3cd8..0b13530 100644 | 2724 | index 8acffc5..21a269d 100644 |
2725 | --- a/sshconnect2.c | 2725 | --- a/sshconnect2.c |
2726 | +++ b/sshconnect2.c | 2726 | +++ b/sshconnect2.c |
2727 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2727 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
@@ -2759,7 +2759,7 @@ index 70e3cd8..0b13530 100644 | |||
2759 | if (options.ciphers == (char *)-1) { | 2759 | if (options.ciphers == (char *)-1) { |
2760 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2760 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2761 | options.ciphers = NULL; | 2761 | options.ciphers = NULL; |
2762 | @@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2762 | @@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2763 | if (options.kex_algorithms != NULL) | 2763 | if (options.kex_algorithms != NULL) |
2764 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2764 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
2765 | 2765 | ||
@@ -2777,10 +2777,10 @@ index 70e3cd8..0b13530 100644 | |||
2777 | if (options.rekey_limit || options.rekey_interval) | 2777 | if (options.rekey_limit || options.rekey_interval) |
2778 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2778 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2779 | (time_t)options.rekey_interval); | 2779 | (time_t)options.rekey_interval); |
2780 | @@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2780 | @@ -210,10 +246,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2781 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | ||
2782 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 2781 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
2783 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2782 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; |
2783 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; | ||
2784 | +#ifdef GSSAPI | 2784 | +#ifdef GSSAPI |
2785 | + if (options.gss_keyex) { | 2785 | + if (options.gss_keyex) { |
2786 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; | 2786 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; |
@@ -2808,7 +2808,7 @@ index 70e3cd8..0b13530 100644 | |||
2808 | xxx_kex = kex; | 2808 | xxx_kex = kex; |
2809 | 2809 | ||
2810 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2810 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2811 | @@ -307,6 +363,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | 2811 | @@ -309,6 +365,7 @@ void input_gssapi_token(int type, u_int32_t, void *); |
2812 | void input_gssapi_hash(int type, u_int32_t, void *); | 2812 | void input_gssapi_hash(int type, u_int32_t, void *); |
2813 | void input_gssapi_error(int, u_int32_t, void *); | 2813 | void input_gssapi_error(int, u_int32_t, void *); |
2814 | void input_gssapi_errtok(int, u_int32_t, void *); | 2814 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2816,7 +2816,7 @@ index 70e3cd8..0b13530 100644 | |||
2816 | #endif | 2816 | #endif |
2817 | 2817 | ||
2818 | void userauth(Authctxt *, char *); | 2818 | void userauth(Authctxt *, char *); |
2819 | @@ -322,6 +379,11 @@ static char *authmethods_get(void); | 2819 | @@ -324,6 +381,11 @@ static char *authmethods_get(void); |
2820 | 2820 | ||
2821 | Authmethod authmethods[] = { | 2821 | Authmethod authmethods[] = { |
2822 | #ifdef GSSAPI | 2822 | #ifdef GSSAPI |
@@ -2828,7 +2828,7 @@ index 70e3cd8..0b13530 100644 | |||
2828 | {"gssapi-with-mic", | 2828 | {"gssapi-with-mic", |
2829 | userauth_gssapi, | 2829 | userauth_gssapi, |
2830 | NULL, | 2830 | NULL, |
2831 | @@ -625,19 +687,31 @@ userauth_gssapi(Authctxt *authctxt) | 2831 | @@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt) |
2832 | static u_int mech = 0; | 2832 | static u_int mech = 0; |
2833 | OM_uint32 min; | 2833 | OM_uint32 min; |
2834 | int ok = 0; | 2834 | int ok = 0; |
@@ -2862,7 +2862,7 @@ index 70e3cd8..0b13530 100644 | |||
2862 | ok = 1; /* Mechanism works */ | 2862 | ok = 1; /* Mechanism works */ |
2863 | } else { | 2863 | } else { |
2864 | mech++; | 2864 | mech++; |
2865 | @@ -734,8 +808,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2865 | @@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2866 | { | 2866 | { |
2867 | Authctxt *authctxt = ctxt; | 2867 | Authctxt *authctxt = ctxt; |
2868 | Gssctxt *gssctxt; | 2868 | Gssctxt *gssctxt; |
@@ -2873,7 +2873,7 @@ index 70e3cd8..0b13530 100644 | |||
2873 | 2873 | ||
2874 | if (authctxt == NULL) | 2874 | if (authctxt == NULL) |
2875 | fatal("input_gssapi_response: no authentication context"); | 2875 | fatal("input_gssapi_response: no authentication context"); |
2876 | @@ -844,6 +918,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 2876 | @@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2877 | free(msg); | 2877 | free(msg); |
2878 | free(lang); | 2878 | free(lang); |
2879 | } | 2879 | } |
@@ -2923,7 +2923,7 @@ index 70e3cd8..0b13530 100644 | |||
2923 | 2923 | ||
2924 | int | 2924 | int |
2925 | diff --git a/sshd.c b/sshd.c | 2925 | diff --git a/sshd.c b/sshd.c |
2926 | index 174cc7a..4eddeb8 100644 | 2926 | index 25380c9..fe65132 100644 |
2927 | --- a/sshd.c | 2927 | --- a/sshd.c |
2928 | +++ b/sshd.c | 2928 | +++ b/sshd.c |
2929 | @@ -122,6 +122,10 @@ | 2929 | @@ -122,6 +122,10 @@ |
@@ -2937,7 +2937,7 @@ index 174cc7a..4eddeb8 100644 | |||
2937 | #ifdef LIBWRAP | 2937 | #ifdef LIBWRAP |
2938 | #include <tcpd.h> | 2938 | #include <tcpd.h> |
2939 | #include <syslog.h> | 2939 | #include <syslog.h> |
2940 | @@ -1703,10 +1707,13 @@ main(int ac, char **av) | 2940 | @@ -1721,10 +1725,13 @@ main(int ac, char **av) |
2941 | logit("Disabling protocol version 1. Could not load host key"); | 2941 | logit("Disabling protocol version 1. Could not load host key"); |
2942 | options.protocol &= ~SSH_PROTO_1; | 2942 | options.protocol &= ~SSH_PROTO_1; |
2943 | } | 2943 | } |
@@ -2951,9 +2951,9 @@ index 174cc7a..4eddeb8 100644 | |||
2951 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2951 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2952 | logit("sshd: no hostkeys available -- exiting."); | 2952 | logit("sshd: no hostkeys available -- exiting."); |
2953 | exit(1); | 2953 | exit(1); |
2954 | @@ -2035,6 +2042,60 @@ main(int ac, char **av) | 2954 | @@ -2051,6 +2058,60 @@ main(int ac, char **av) |
2955 | /* Log the connection. */ | 2955 | remote_ip, remote_port, |
2956 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2956 | get_local_ipaddr(sock_in), get_local_port()); |
2957 | 2957 | ||
2958 | +#ifdef USE_SECURITY_SESSION_API | 2958 | +#ifdef USE_SECURITY_SESSION_API |
2959 | + /* | 2959 | + /* |
@@ -3012,9 +3012,9 @@ index 174cc7a..4eddeb8 100644 | |||
3012 | /* | 3012 | /* |
3013 | * We don't want to listen forever unless the other side | 3013 | * We don't want to listen forever unless the other side |
3014 | * successfully authenticates itself. So we set up an alarm which is | 3014 | * successfully authenticates itself. So we set up an alarm which is |
3015 | @@ -2439,6 +2500,48 @@ do_ssh2_kex(void) | 3015 | @@ -2456,6 +2517,48 @@ do_ssh2_kex(void) |
3016 | 3016 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | |
3017 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 3017 | list_hostkey_types()); |
3018 | 3018 | ||
3019 | +#ifdef GSSAPI | 3019 | +#ifdef GSSAPI |
3020 | + { | 3020 | + { |
@@ -3061,10 +3061,10 @@ index 174cc7a..4eddeb8 100644 | |||
3061 | /* start key exchange */ | 3061 | /* start key exchange */ |
3062 | kex = kex_setup(myproposal); | 3062 | kex = kex_setup(myproposal); |
3063 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3063 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
3064 | @@ -2446,6 +2549,13 @@ do_ssh2_kex(void) | 3064 | @@ -2464,6 +2567,13 @@ do_ssh2_kex(void) |
3065 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | ||
3066 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 3065 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
3067 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3066 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
3067 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | ||
3068 | +#ifdef GSSAPI | 3068 | +#ifdef GSSAPI |
3069 | + if (options.gss_keyex) { | 3069 | + if (options.gss_keyex) { |
3070 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | 3070 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; |
@@ -3076,23 +3076,23 @@ index 174cc7a..4eddeb8 100644 | |||
3076 | kex->client_version_string=client_version_string; | 3076 | kex->client_version_string=client_version_string; |
3077 | kex->server_version_string=server_version_string; | 3077 | kex->server_version_string=server_version_string; |
3078 | diff --git a/sshd_config b/sshd_config | 3078 | diff --git a/sshd_config b/sshd_config |
3079 | index b786361..9450141 100644 | 3079 | index e9045bc..d9b8594 100644 |
3080 | --- a/sshd_config | 3080 | --- a/sshd_config |
3081 | +++ b/sshd_config | 3081 | +++ b/sshd_config |
3082 | @@ -83,6 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 3082 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
3083 | # GSSAPI options | 3083 | # GSSAPI options |
3084 | #GSSAPIAuthentication no | 3084 | #GSSAPIAuthentication no |
3085 | #GSSAPICleanupCredentials yes | 3085 | #GSSAPICleanupCredentials yes |
3086 | +#GSSAPIStrictAcceptorCheck yes | 3086 | +#GSSAPIStrictAcceptorCheck yes |
3087 | +#GSSAPIKeyExchange no | 3087 | +#GSSAPIKeyExchange no |
3088 | 3088 | ||
3089 | # Set this to 'yes' to enable PAM authentication, account processing, | 3089 | # Set this to 'yes' to enable PAM authentication, account processing, |
3090 | # and session processing. If this is enabled, PAM authentication will | 3090 | # and session processing. If this is enabled, PAM authentication will |
3091 | diff --git a/sshd_config.5 b/sshd_config.5 | 3091 | diff --git a/sshd_config.5 b/sshd_config.5 |
3092 | index 3abac6c..525d9c8 100644 | 3092 | index 3b21ea6..9aa9eba 100644 |
3093 | --- a/sshd_config.5 | 3093 | --- a/sshd_config.5 |
3094 | +++ b/sshd_config.5 | 3094 | +++ b/sshd_config.5 |
3095 | @@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | 3095 | @@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3096 | The default is | 3096 | The default is |
3097 | .Dq no . | 3097 | .Dq no . |
3098 | Note that this option applies to protocol version 2 only. | 3098 | Note that this option applies to protocol version 2 only. |
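--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 84589dc348c43ec22b50ede0c2946cf6afd0980d Mon Sep 17 00:00:00 2001
+From 71003a35537df521296408d9f6bd0a200ed2a854 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,10 +12,10 @@ Patch-Name: helpful-wait-terminate.patch
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/serverloop.c b/serverloop.c
-index ccbad61..5f22df3 100644
+index 5b2f802..d3079d2 100644
 --- a/serverloop.c
 +++ b/serverloop.c
-@@ -686,7 +686,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
 if (!channel_still_open())
 break;
 if (!waiting_termination) {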
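--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From bd3d91c378d549aed56246ad4535aea29db04150 Mon Sep 17 00:00:00 2001
+From 043f937820e1152df2c8416f37e6c8d923fc1811 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch
 3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 915a0f7..dab7963 100644
+index 2a1fe8e..e79e355 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -140,6 +140,7 @@ typedef enum {
-oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
-oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
+@@ -150,6 +150,7 @@ typedef enum {
+oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 + oProtocolKeepAlives, oSetupTimeOut,
 oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
-@@ -262,6 +263,8 @@ static struct {
-{ "ipqos", oIPQoS },
-{ "requesttty", oRequestTTY },
+@@ -279,6 +280,8 @@ static struct {
+{ "canonicalizemaxdots", oCanonicalizeMaxDots },
+{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
 { "ignoreunknown", oIgnoreUnknown },
 + { "protocolkeepalives", oProtocolKeepAlives },
 + { "setuptimeout", oSetupTimeOut },
 
 { NULL, oBadOption }
 };
-@@ -934,6 +937,8 @@ parse_int:
+@@ -1245,6 +1248,8 @@ parse_int:
 goto parse_flag;
 
 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 915a0f7..dab7963 100644
 intptr = &options->server_alive_interval;
 goto parse_time;
 
-@@ -1396,8 +1401,13 @@ fill_default_options(Options * options)
+@@ -1724,8 +1729,13 @@ fill_default_options(Options * options)
 options->rekey_interval = 0;
 if (options->verify_host_key_dns == -1)
 options->verify_host_key_dns = 0;
@@ -72,10 +72,10 @@ index 915a0f7..dab7963 100644
 options->server_alive_count_max = 3;
 if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 1fc0a6b..6948680 100644
+index 617a312..b3c5dc6 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -136,8 +136,12 @@ Valid arguments are
+@@ -205,8 +205,12 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
@@ -89,7 +89,7 @@ index 1fc0a6b..6948680 100644
 The argument must be
 .Dq yes
 or
-@@ -1141,8 +1145,15 @@ from the server,
+@@ -1299,8 +1303,15 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -106,7 +106,7 @@ index 1fc0a6b..6948680 100644
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-@@ -1181,6 +1192,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1339,6 +1350,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 1fc0a6b..6948680 100644
 connections will die if the route is down temporarily, and some people
 find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 525d9c8..e29604a 100644
+index 9aa9eba..39643de 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1147,6 +1147,9 @@ This avoids infinitely hanging sessions.
+@@ -1168,6 +1168,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .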
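--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
-From 9ffc99332ff1bac6be9f0af430268e7981bd3dd2 Mon Sep 17 00:00:00 2001
+From cf359c36be95e478071cb0dc4491aba88a5bae70 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:08 +0000
 Subject: Fix picky lintian errors about slogin symlinks
@@ -15,10 +15,10 @@ Patch-Name: lintian-symlink-pickiness.patch
 1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index 7849979..095f4ff 100644
+index 5cf8100..b7de26f 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -289,9 +289,9 @@ install-files:
+@@ -293,9 +293,9 @@ install-files:
 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 -rm -f $(DESTDIR)$(bindir)/slogin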
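--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 6a137c3718ea1afab92b25a018e393cfede4d6a8 Mon Sep 17 00:00:00 2001
+From 9c6deb4e89ad1ac2c2046b1371f378a80b0b4dec Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
 1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 91fd59a..bda83b2 100644
+index ef4d9e0..4ff5c73 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -981,9 +981,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1062,9 +1062,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 error("%s. This could either mean that", key_msg);
 error("DNS SPOOFING is happening or the IP address for the host");
 error("and its host key have changed at the same time.");
@@ -30,7 +30,7 @@ index 91fd59a..bda83b2 100644
 }
 /* The host key has changed. */
 warn_changed_key(host_key);
-@@ -991,6 +994,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1072,6 +1075,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 user_hostfiles[0]);
 error("Offending %s key in %s:%lu", key_type(host_found->key),
 host_found->file, host_found->line);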
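--- a/debian/patches/no-openssl-version-check.patch
+++ b/debian/patches/no-openssl-version-check.patch
@@ -1,4 +1,4 @@
-From 3e3f5462b563ab0f2b4ba67590e5a5735fa17bec Mon Sep 17 00:00:00 2001
+From db27c81d3de93a0df6cb0f01e9b8b6bf4bb17d06 Mon Sep 17 00:00:00 2001
 From: Philip Hands <phil@hands.com>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Disable OpenSSL version check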
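--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From d087ec8cf190df54fa8cb77c6ffd55a819dd1777 Mon Sep 17 00:00:00 2001
+From 1c4af29874fe7bd1cec92ee90fc613c3cf83f571 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,11 +44,11 @@ index ef0de08..149846c 100644
 .Sh SEE ALSO
 .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 0d55854..151cab0 100644
+index 0e0ed98..299ccf8 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -171,9 +171,7 @@ key in
-.Pa ~/.ssh/id_dsa
+@@ -172,9 +172,7 @@ key in
+.Pa ~/.ssh/id_ed25519
 or
 .Pa ~/.ssh/id_rsa .
 -Additionally, the system administrator may use this to generate host keys,
@@ -58,18 +58,18 @@ index 0d55854..151cab0 100644
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -219,9 +217,7 @@ The options are as follows:
-For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
+@@ -221,9 +219,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
+for which host keys
 do not exist, generate the host keys with the default key file path,
 an empty passphrase, default bits for the key type, and default comment.
 -This is used by
 -.Pa /etc/rc
 -to generate new host keys.
 +This is used by system administration scripts to generate new host keys.
-.It Fl a Ar trials
-Specifies the number of primality tests to perform when screening DH-GEX
-candidates using the
-@@ -605,7 +601,7 @@ option.
+.It Fl a Ar rounds
+When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
+2 key when the
+@@ -628,7 +624,7 @@ option.
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 0d55854..151cab0 100644
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Sh CERTIFICATES
-@@ -800,7 +796,7 @@ on all machines
+@@ -827,7 +823,7 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
@@ -88,10 +88,10 @@ index 0d55854..151cab0 100644
 The file format is described in
 .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index 05ae6ad..6e2e03b 100644
+index ff5e6ac..67b4f44 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -756,6 +756,10 @@ Protocol 1 is restricted to using only RSA keys,
+@@ -763,6 +763,10 @@ Protocol 1 is restricted to using only RSA keys,
 but protocol 2 may use any.
 The HISTORY section of
 .Xr ssl 8
@@ -103,7 +103,7 @@ index 05ae6ad..6e2e03b 100644
 .Pp
 The file
 diff --git a/sshd.8 b/sshd.8
-index b0c7ab6..95c1845 100644
+index e6a900b..b016e90 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -70,7 +70,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index b0c7ab6..95c1845 100644
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-@@ -859,7 +859,7 @@ This file is for host-based authentication (see
+@@ -862,7 +862,7 @@ This file is for host-based authentication (see
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
@@ -124,7 +124,7 @@ index b0c7ab6..95c1845 100644
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
-@@ -956,7 +956,6 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -961,7 +961,6 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@@ -133,7 +133,7 @@ index b0c7ab6..95c1845 100644
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index 50eec53..04b5f1a 100644
+index bdca797..9fa6086 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -283,8 +283,7 @@ This option is only available for protocol version 2.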
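--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 893bd5a6f70b58e1ed98d496c4f465d8c1df71a7 Mon Sep 17 00:00:00 2001
+From 03b1ae877da1db4c517747bee89f1a494cce8566 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
 3 files changed, 9 insertions(+), 4 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index bda83b2..ad960fd 100644
+index 4ff5c73..a2fbf9e 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -442,10 +442,10 @@ send_client_banner(int connection_out, int minor1)
+@@ -517,10 +517,10 @@ send_client_banner(int connection_out, int minor1)
 /* Send our own protocol version identification. */
 if (compat20) {
 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -36,7 +36,7 @@ index bda83b2..ad960fd 100644
 if (roaming_atomicio(vwrite, connection_out, client_version_string,
 strlen(client_version_string)) != strlen(client_version_string))
 diff --git a/sshd.c b/sshd.c
-index e5c9835..46ec1a7 100644
+index 0a30101..82168a1 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -49,11 +49,11 @@ index e5c9835..46ec1a7 100644
 options.version_addendum, newline);
 
 diff --git a/version.h b/version.h
-index 39033ed..036277d 100644
+index 83d70c6..0c6ea0f 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
-#define SSH_VERSION "OpenSSH_6.4"
+#define SSH_VERSION "OpenSSH_6.5"
 
 #define SSH_PORTABLE "p1"
 -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE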
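--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 360257b8a56798d507123ff770f2def408464f00 Mon Sep 17 00:00:00 2001
+From 32e3aad13edff8c03c524105e2c4d4194995573b Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
@@ -22,7 +22,7 @@ Patch-Name: quieter-signals.patch
 1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index dc76d69..f2f474e 100644
+index 37b3a04..60c9e87 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)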
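--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From bb3ea9f222f7f0fe9b449b75bfae93513f7ca3e2 Mon Sep 17 00:00:00 2001
+From 52d571e95114cd6d63b5dc4829f87fd55213c828 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
 1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/scp.c b/scp.c
-index 28ded5e..b7a17ab 100644
+index 18d3b1d..0669d02 100644
 --- a/scp.c
 +++ b/scp.c
 @@ -189,8 +189,16 @@ do_local_cmd(arglist *a)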
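--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 Mon Sep 17 00:00:00 2001
+From cc5ecb35ae6572d13ed523d143439a8559d1fee2 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -113,7 +113,7 @@ index 6ed8f04..b55bbcd 100644
 if (auth2_setup_methods_lists(authctxt) != 0)
 packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index 9079c97..e8d63eb 100644
+index a777c4c..88f472e 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -146,6 +146,7 @@ int mm_answer_sign(int, Buffer *);
@@ -361,10 +361,10 @@ index e3d1004..80ce13a 100644
 void ssh_selinux_setfscreatecon(const char *);
 #endif
 diff --git a/platform.c b/platform.c
-index 3262b24..a962f15 100644
+index 30fc609..4aab9a9 100644
 --- a/platform.c
 +++ b/platform.c
-@@ -134,7 +134,7 @@ platform_setusercontext(struct passwd *pw)
+@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
 * called if sshd is running as root.
 */
 void
@@ -373,7 +373,7 @@ index 3262b24..a962f15 100644
 {
 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
 /*
-@@ -181,7 +181,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
 }
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
@@ -383,10 +383,10 @@ index 3262b24..a962f15 100644
 }
 
 diff --git a/platform.h b/platform.h
-index 19f6bfd..3188a3d 100644
+index 1c7a45d..436ae7c 100644
 --- a/platform.h
 +++ b/platform.h
-@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid);
+@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
 void platform_post_fork_child(void);
 int platform_privileged_uidswap(void);
 void platform_setusercontext(struct passwd *);
@@ -396,10 +396,10 @@ index 19f6bfd..3188a3d 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index d4b57bd..b4d74d9 100644
+index 12dd9ab..5ddd82a 100644
 --- a/session.c
 +++ b/session.c
-@@ -1474,7 +1474,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1497,7 +1497,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -408,7 +408,7 @@ index d4b57bd..b4d74d9 100644
 {
 char *chroot_path, *tmp;
 
-@@ -1502,7 +1502,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1525,7 +1525,7 @@ do_setusercontext(struct passwd *pw)
 endgrent();
 #endif
 
@@ -417,7 +417,7 @@ index d4b57bd..b4d74d9 100644
 
 if (options.chroot_directory != NULL &&
 strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1646,7 +1646,7 @@ do_child(Session *s, const char *command)
+@@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command)
 
 /* Force a password change */
 if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index d4b57bd..b4d74d9 100644
 child_close_fds();
 do_pwchange(s);
 exit(1);
-@@ -1673,7 +1673,7 @@ do_child(Session *s, const char *command)
+@@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command)
 /* When PAM is enabled we rely on it to do the nologin check */
 if (!options.use_pam)
 do_nologin(pw);
@@ -435,7 +435,7 @@ index d4b57bd..b4d74d9 100644
 /*
 * PAM session modules in do_setusercontext may have
 * generated messages, so if this in an interactive
-@@ -2084,7 +2084,7 @@ session_pty_req(Session *s)
+@@ -2112,7 +2112,7 @@ session_pty_req(Session *s)
 tty_parse_modes(s->ttyfd, &n_bytes);
 
 if (!use_privsep)
@@ -445,10 +445,10 @@ index d4b57bd..b4d74d9 100644
 /* Set window size from the packet. */
 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
 diff --git a/session.h b/session.h
-index cbb8e3a..cb4f196 100644
+index 6a2f35e..ef6593c 100644
 --- a/session.h
 +++ b/session.h
-@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
+@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
 Session *session_new(void);
 Session *session_by_tty(char *);
 void session_close(Session *);
@@ -458,11 +458,11 @@ index cbb8e3a..cb4f196 100644
 const char *value);
 
 diff --git a/sshd.c b/sshd.c
-index 4eddeb8..e5c9835 100644
+index fe65132..0a30101 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -753,7 +753,7 @@ privsep_postauth(Authctxt *authctxt)
-RAND_seed(rnd, sizeof(rnd));
+@@ -763,7 +763,7 @@ privsep_postauth(Authctxt *authctxt)
+bzero(rnd, sizeof(rnd));
 
 /* Drop privileges */
 - do_setusercontext(authctxt->pw);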
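--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 7231af57ca3efb451ace1b8e056fa0e52c67654e Mon Sep 17 00:00:00 2001
+From 95e6f7afe0ca1c16c31845d6fa30453b45b73e0e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
 1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 483eb85..91fd59a 100644
+index d21781e..ef4d9e0 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -151,7 +151,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
+@@ -227,7 +227,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
 /* Execute the proxy command. Note that we gave up any
 extra privileges above. */
 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 483eb85..91fd59a 100644
 perror(argv[0]);
 exit(1);
 }
-@@ -1298,7 +1298,7 @@ ssh_local_cmd(const char *args)
+@@ -1384,7 +1384,7 @@ ssh_local_cmd(const char *args)
 if (pid == 0) {
 signal(SIGPIPE, SIG_DFL);
 debug3("Executing %s -c \"%s\"", shell, args);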
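--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 727d51f30918f6635f06694f71f4318a6038296d Mon Sep 17 00:00:00 2001
+From 6b7aca6f112d216f321466cc7301b5183e772513 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -12,10 +12,10 @@ Patch-Name: sigstop.patch
 1 file changed, 4 insertions(+)
 
 diff --git a/sshd.c b/sshd.c
-index 63b9357..fd7f182 100644
+index c49a877..23e8c2d 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1909,6 +1909,10 @@ main(int ac, char **av)
+@@ -1924,6 +1924,10 @@ main(int ac, char **av)
 }
 }
 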
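--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From ad4f5086a0f0c47daf04be484ff310101551e48a Mon Sep 17 00:00:00 2001
+From 0b9347201e50bd518c09babde3e7650c2b2e9228 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
 1 file changed, 15 insertions(+)
 
 diff --git a/ssh-agent.1 b/ssh-agent.1
-index bb801c9..d370531 100644
+index 281ecbd..38fd540 100644
 --- a/ssh-agent.1
 +++ b/ssh-agent.1
-@@ -182,6 +182,21 @@ environment variable holds the agent's process ID.
+@@ -183,6 +183,21 @@ environment variable holds the agent's process ID.
 .Pp
 The agent exits automatically when the command given on the command
 line terminates.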
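--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 901a9e09f92a72c4a627af9feffdd39fb805e95d Mon Sep 17 00:00:00 2001
+From 4e249feb183e35e32cbc0f68cfdfb6bbe09576a9 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
 1 file changed, 1 insertion(+)
 
 diff --git a/ssh.1 b/ssh.1
-index 6e2e03b..63b0573 100644
+index 67b4f44..9868025 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1451,6 +1451,7 @@ if an error occurred.
+@@ -1468,6 +1468,7 @@ if an error occurred.
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,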
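--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From bdc94de85ed7dbafb949c239d7c3eff23ea4aa28 Mon Sep 17 00:00:00 2001
+From 889e217b88a7848e6c997f7f87d07b9d1a35fb49 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
 2 files changed, 2 insertions(+)
 
 diff --git a/readconf.c b/readconf.c
-index 2695fd6..915a0f7 100644
+index cb8bcb2..2a1fe8e 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -161,6 +161,7 @@ static struct {
+@@ -171,6 +171,7 @@ static struct {
 { "passwordauthentication", oPasswordAuthentication },
 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index 2695fd6..915a0f7 100644
 { "pubkeyauthentication", oPubkeyAuthentication },
 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
 diff --git a/servconf.c b/servconf.c
-index c938ae3..dcb8caf 100644
+index 29209e4..65f71ad 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -451,6 +451,7 @@ static struct {
+@@ -456,6 +456,7 @@ static struct {
 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },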
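--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
-From 3d498ae4180b8338db5f960865882b3f781aec2a Mon Sep 17 00:00:00 2001
+From 9f42d3b964854aecfed2fff64ac375c0c4805fa5 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:51 +0000
 Subject: Partial server keep-alive implementation for SSH1
@@ -13,7 +13,7 @@ Patch-Name: ssh1-keepalive.patch
 2 files changed, 19 insertions(+), 11 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index 311dc13..dc76d69 100644
+index 6d02b0b..37b3a04 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
@@ -57,10 +57,10 @@ index 311dc13..dc76d69 100644
 server_alive_time = now + options.server_alive_interval;
 }
 diff --git a/ssh_config.5 b/ssh_config.5
-index e72919a..1fc0a6b 100644
+index 49505ae..617a312 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1130,7 +1130,10 @@ If, for example,
+@@ -1288,7 +1288,10 @@ If, for example,
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.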
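--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From b8a355b5db58dc489fca181e333dacf5e14f4f1d Mon Sep 17 00:00:00 2001
+From 36c21f10bd09ee15eb7f5bd7448309bf9a5cd466 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644
 { "FATAL", SYSLOG_LEVEL_FATAL },
 { "ERROR", SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index 87233bc..5502889 100644
+index 5de8fcf..0cea713 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -740,7 +740,7 @@ main(int ac, char **av)
+@@ -889,7 +889,7 @@ main(int ac, char **av)
 /* Do not allocate a tty if stdin is not a tty. */
 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
 options.request_tty != REQUEST_TTY_FORCE) {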
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index cfc14523a..0bc245ab1 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2bb37315c1e077bc176e703fbf0028a1f6315d37 Mon Sep 17 00:00:00 2001 | 1 | From b63620615d5c8af09e350608233f69191ad6c275 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -86,10 +86,10 @@ index 9a36f1d..0c45f09 100644 | |||
86 | "bad ownership or modes for directory %s", buf); | 86 | "bad ownership or modes for directory %s", buf); |
87 | return -1; | 87 | return -1; |
88 | diff --git a/misc.c b/misc.c | 88 | diff --git a/misc.c b/misc.c |
89 | index c3c8099..eb57bfc 100644 | 89 | index e4c8c32..4e756b0 100644 |
90 | --- a/misc.c | 90 | --- a/misc.c |
91 | +++ b/misc.c | 91 | +++ b/misc.c |
92 | @@ -48,8 +48,9 @@ | 92 | @@ -49,8 +49,9 @@ |
93 | #include <netdb.h> | 93 | #include <netdb.h> |
94 | #ifdef HAVE_PATHS_H | 94 | #ifdef HAVE_PATHS_H |
95 | # include <paths.h> | 95 | # include <paths.h> |
@@ -100,7 +100,7 @@ index c3c8099..eb57bfc 100644 | |||
100 | #ifdef SSH_TUN_OPENBSD | 100 | #ifdef SSH_TUN_OPENBSD |
101 | #include <net/if.h> | 101 | #include <net/if.h> |
102 | #endif | 102 | #endif |
103 | @@ -58,6 +59,7 @@ | 103 | @@ -59,6 +60,7 @@ |
104 | #include "misc.h" | 104 | #include "misc.h" |
105 | #include "log.h" | 105 | #include "log.h" |
106 | #include "ssh.h" | 106 | #include "ssh.h" |
@@ -108,7 +108,7 @@ index c3c8099..eb57bfc 100644 | |||
108 | 108 | ||
109 | /* remove newline at end of string */ | 109 | /* remove newline at end of string */ |
110 | char * | 110 | char * |
111 | @@ -642,6 +644,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, | 111 | @@ -643,6 +645,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, |
112 | return -1; | 112 | return -1; |
113 | } | 113 | } |
114 | 114 | ||
@@ -181,10 +181,10 @@ index c3c8099..eb57bfc 100644 | |||
181 | tun_open(int tun, int mode) | 181 | tun_open(int tun, int mode) |
182 | { | 182 | { |
183 | diff --git a/misc.h b/misc.h | 183 | diff --git a/misc.h b/misc.h |
184 | index fceb306..51ba182 100644 | 184 | index d4df619..ceb173b 100644 |
185 | --- a/misc.h | 185 | --- a/misc.h |
186 | +++ b/misc.h | 186 | +++ b/misc.h |
187 | @@ -104,4 +104,6 @@ char *read_passphrase(const char *, int); | 187 | @@ -106,4 +106,6 @@ char *read_passphrase(const char *, int); |
188 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 188 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
189 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 189 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
190 | 190 | ||
@@ -192,10 +192,10 @@ index fceb306..51ba182 100644 | |||
192 | + | 192 | + |
193 | #endif /* _MISC_H */ | 193 | #endif /* _MISC_H */ |
194 | diff --git a/platform.c b/platform.c | 194 | diff --git a/platform.c b/platform.c |
195 | index a962f15..0b3bee1 100644 | 195 | index 4aab9a9..f99de7f 100644 |
196 | --- a/platform.c | 196 | --- a/platform.c |
197 | +++ b/platform.c | 197 | +++ b/platform.c |
198 | @@ -194,19 +194,3 @@ platform_krb5_get_principal_name(const char *pw_name) | 198 | @@ -196,19 +196,3 @@ platform_krb5_get_principal_name(const char *pw_name) |
199 | return NULL; | 199 | return NULL; |
200 | #endif | 200 | #endif |
201 | } | 201 | } |
@@ -216,10 +216,10 @@ index a962f15..0b3bee1 100644 | |||
216 | - return 0; | 216 | - return 0; |
217 | -} | 217 | -} |
218 | diff --git a/readconf.c b/readconf.c | 218 | diff --git a/readconf.c b/readconf.c |
219 | index dab7963..c741934 100644 | 219 | index e79e355..273552d 100644 |
220 | --- a/readconf.c | 220 | --- a/readconf.c |
221 | +++ b/readconf.c | 221 | +++ b/readconf.c |
222 | @@ -30,6 +30,8 @@ | 222 | @@ -36,6 +36,8 @@ |
223 | #include <stdio.h> | 223 | #include <stdio.h> |
224 | #include <string.h> | 224 | #include <string.h> |
225 | #include <unistd.h> | 225 | #include <unistd.h> |
@@ -228,7 +228,7 @@ index dab7963..c741934 100644 | |||
228 | #ifdef HAVE_UTIL_H | 228 | #ifdef HAVE_UTIL_H |
229 | #include <util.h> | 229 | #include <util.h> |
230 | #endif | 230 | #endif |
231 | @@ -1155,8 +1157,7 @@ read_config_file(const char *filename, const char *host, Options *options, | 231 | @@ -1475,8 +1477,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, |
232 | 232 | ||
233 | if (fstat(fileno(f), &sb) == -1) | 233 | if (fstat(fileno(f), &sb) == -1) |
234 | fatal("fstat %s: %s", filename, strerror(errno)); | 234 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -239,10 +239,10 @@ index dab7963..c741934 100644 | |||
239 | } | 239 | } |
240 | 240 | ||
241 | diff --git a/ssh.1 b/ssh.1 | 241 | diff --git a/ssh.1 b/ssh.1 |
242 | index 62292cc..05ae6ad 100644 | 242 | index 27794e2..ff5e6ac 100644 |
243 | --- a/ssh.1 | 243 | --- a/ssh.1 |
244 | +++ b/ssh.1 | 244 | +++ b/ssh.1 |
245 | @@ -1338,6 +1338,8 @@ The file format and configuration options are described in | 245 | @@ -1352,6 +1352,8 @@ The file format and configuration options are described in |
246 | .Xr ssh_config 5 . | 246 | .Xr ssh_config 5 . |
247 | Because of the potential for abuse, this file must have strict permissions: | 247 | Because of the potential for abuse, this file must have strict permissions: |
248 | read/write for the user, and not writable by others. | 248 | read/write for the user, and not writable by others. |
@@ -252,10 +252,10 @@ index 62292cc..05ae6ad 100644 | |||
252 | .It Pa ~/.ssh/environment | 252 | .It Pa ~/.ssh/environment |
253 | Contains additional definitions for environment variables; see | 253 | Contains additional definitions for environment variables; see |
254 | diff --git a/ssh_config.5 b/ssh_config.5 | 254 | diff --git a/ssh_config.5 b/ssh_config.5 |
255 | index 6948680..a1e18d2 100644 | 255 | index b3c5dc6..3c6b9d4 100644 |
256 | --- a/ssh_config.5 | 256 | --- a/ssh_config.5 |
257 | +++ b/ssh_config.5 | 257 | +++ b/ssh_config.5 |
258 | @@ -1365,6 +1365,8 @@ The format of this file is described above. | 258 | @@ -1523,6 +1523,8 @@ The format of this file is described above. |
259 | This file is used by the SSH client. | 259 | This file is used by the SSH client. |
260 | Because of the potential for abuse, this file must have strict permissions: | 260 | Because of the potential for abuse, this file must have strict permissions: |
261 | read/write for the user, and not accessible by others. | 261 | read/write for the user, and not accessible by others. |