* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out

  for a while, but there's no GSSAPI patch available for it yet.
  - Change the default cipher order to prefer the AES CTR modes and the
    revised "arcfour256" mode to CBC mode ciphers that are susceptible to
    CPNI-957037 "Plaintext Recovery Attack Against SSH".
  - Add countermeasures to mitigate CPNI-957037-style attacks against the
    SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
    packet length or Message Authentication Code, ssh/sshd will continue
    reading up to the maximum supported packet length rather than
    immediately terminating the connection. This eliminates most of the
    known differences in behaviour that leaked information about the
    plaintext of injected data which formed the basis of this attack
    (closes: #506115, LP: #379329).
  - ForceCommand directive now accepts commandline arguments for the
    internal-sftp server (closes: #524423, LP: #362511).
  - Add AllowAgentForwarding to available Match keywords list (closes:
    #540623).
  - Make ssh(1) send the correct channel number for
    SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
    avoid triggering 'Non-public channel' error messages on sshd(8) in
    openssh-5.1.
  - Avoid printing 'Non-public channel' warnings in sshd(8), since the
    ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
    behaviour introduced in openssh-5.1; closes: #496017).
* Update to GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
  including cascading credentials support (LP: #416958).

1 files changed, 8 insertions, 5 deletions

diff --git a/servconf.h b/servconf.h
index cb91b7629..3852b1bae 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.85 2008/06/10 04:50:25 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.87 2009/01/22 10:02:34 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -41,9 +41,9 @@
 #define INTERNAL_SFTP_NAME      "internal-sftp"
 
 typedef struct {
-        u_int num_ports;
-        u_int ports_from_cmdline;
-        u_short ports[MAX_PORTS];       /* Port number to listen on. */
+        u_int   num_ports;
+        u_int   ports_from_cmdline;
+        int     ports[MAX_PORTS];       /* Port number to listen on. */
         char   *listen_addr;            /* Address on which the server listens. */
         struct addrinfo *listen_addrs;  /* Addresses on which the server listens. */
         int     address_family;         /* Address family used by the server. */
@@ -91,13 +91,16 @@ typedef struct {
         int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                  * authenticated with Kerberos. */
         int     gss_authentication;     /* If true, permit GSSAPI authentication */
-        int     gss_keyex;              /* If true, permit GSSAPI key exchange */
+        int     gss_keyex;              /* If true, permit GSSAPI key exchange */
         int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
         int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
+        int     gss_store_rekey;
         int     password_authentication;        /* If true, permit password
                                                  * authentication. */
         int     kbd_interactive_authentication; /* If true, permit */
         int     challenge_response_authentication;
+        int     zero_knowledge_password_authentication;
+                                        /* If true, permit jpake auth */
         int     permit_blacklisted_keys;        /* If true, permit */
         int     permit_empty_passwd;    /* If false, do not permit empty
                                          * passwords. */