authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2019-06-05 07:06:44 +0100
commit7ce79be85036c4b36937f1b1ba85f6094068412c (patch)
treec964917d8395ef5605cff9513aad4458b222beae /session.c
parent102062f825fb26a74295a1c089c00c4c4c76b68a (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2019-06-05 Patch-Name: gssapi.patch
Diffstat (limited to 'session.c')
-rw-r--r--session.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/session.c b/session.c
index ac06b08e9..ac3d9d19d 100644
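--- a/session.c
+++ b/session.c
@@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
 
 #ifdef KRB5
  if (options.kerberos_ticket_cleanup &&
- authctxt->krb5_ctx)
+ authctxt->krb5_ctx) {
+ temporarily_use_uid(authctxt->pw);
  krb5_cleanup_proc(authctxt);
+ restore_uid();
+ }
 #endif
 
 #ifdef GSSAPI
- if (options.gss_cleanup_creds)
+ if (options.gss_cleanup_creds) {
+ temporarily_use_uid(authctxt->pw);
  ssh_gssapi_cleanup_creds();
+ restore_uid();
+ }
 #endif
 
  /* remove agent socket */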
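Review bot: The two new `temporarily_use_uid(authctxt->pw)` / `restore_uid()` pairs around `krb5_cleanup_proc()` and `ssh_gssapi_cleanup_creds()` have no comment explaining why the credential cleanup must not run with the daemon's own privileges, so the bracket is easy to drop in a later refactor. I would add above each block something like `/* Remove the credential cache as the user, not as root: the cache location is user-influenced. */`, assuming that is the intent, which the hunk itself does not state. The GSSAPI branch also dereferences `authctxt->pw` guarded only by `options.gss_cleanup_creds`, whereas the KRB5 branch at least tests `authctxt->krb5_ctx` first. Whether `authctxt` and `authctxt->pw` are guaranteed valid at this point depends on checks earlier in `do_cleanup`, which starts outside the hunk, so that is worth confirming.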