-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | gss-serv.c | 37 |
2 files changed, 26 insertions, 15 deletions
diff --git a/debian/changelog b/debian/changelog index 3b2d9a47e..536da9b28 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -10,6 +10,10 @@ openssh (1:4.7p1-8) UNRELEASED; urgency=low | |||
10 | http://www.securityfocus.com/bid/28531/info). | 10 | http://www.securityfocus.com/bid/28531/info). |
11 | - Add no-user-rc authorized_keys option to disable execution of | 11 | - Add no-user-rc authorized_keys option to disable execution of |
12 | ~/.ssh/rc. | 12 | ~/.ssh/rc. |
13 | * Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1: | ||
14 | - Add code to actually implement GSSAPIStrictAcceptorCheck, which had | ||
15 | somehow been omitted from a previous version of this patch (closes: | ||
16 | #474246). | ||
13 | 17 | ||
14 | -- Colin Watson <cjwatson@debian.org> Tue, 01 Apr 2008 14:12:43 +0100 | 18 | -- Colin Watson <cjwatson@debian.org> Tue, 01 Apr 2008 14:12:43 +0100 |
15 | 19 | ||
diff --git a/gss-serv.c b/gss-serv.c index e157ec515..3908d6378 100644 --- a/gss-serv.c +++ b/gss-serv.c | |||
@@ -1,7 +1,7 @@ | |||
1 | /* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */ | 1 | /* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2008 Simon Wilkinson. All rights reserved. |
5 | * | 5 | * |
6 | * Redistribution and use in source and binary forms, with or without | 6 | * Redistribution and use in source and binary forms, with or without |
7 | * modification, are permitted provided that the following conditions | 7 | * modification, are permitted provided that the following conditions |
@@ -84,25 +84,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | |||
84 | char lname[MAXHOSTNAMELEN]; | 84 | char lname[MAXHOSTNAMELEN]; |
85 | gss_OID_set oidset; | 85 | gss_OID_set oidset; |
86 | 86 | ||
87 | gss_create_empty_oid_set(&status, &oidset); | 87 | if (options.gss_strict_acceptor) { |
88 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | 88 | gss_create_empty_oid_set(&status, &oidset); |
89 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
89 | 90 | ||
90 | if (gethostname(lname, MAXHOSTNAMELEN)) { | 91 | if (gethostname(lname, MAXHOSTNAMELEN)) { |
91 | gss_release_oid_set(&status, &oidset); | 92 | gss_release_oid_set(&status, &oidset); |
92 | return (-1); | 93 | return (-1); |
93 | } | 94 | } |
95 | |||
96 | if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
97 | gss_release_oid_set(&status, &oidset); | ||
98 | return (ctx->major); | ||
99 | } | ||
100 | |||
101 | if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
102 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, | ||
103 | NULL, NULL))) | ||
104 | ssh_gssapi_error(ctx); | ||
94 | 105 | ||
95 | if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
96 | gss_release_oid_set(&status, &oidset); | 106 | gss_release_oid_set(&status, &oidset); |
97 | return (ctx->major); | 107 | return (ctx->major); |
108 | } else { | ||
109 | ctx->name = GSS_C_NO_NAME; | ||
110 | ctx->creds = GSS_C_NO_CREDENTIAL; | ||
98 | } | 111 | } |
99 | 112 | return GSS_S_COMPLETE; | |
100 | if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
101 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) | ||
102 | ssh_gssapi_error(ctx); | ||
103 | |||
104 | gss_release_oid_set(&status, &oidset); | ||
105 | return (ctx->major); | ||
106 | } | 113 | } |
107 | 114 | ||
108 | /* Privileged */ | 115 | /* Privileged */ |
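Review bot: The new non-strict branch (new lines 109–110) stores GSS_C_NO_NAME / GSS_C_NO_CREDENTIAL with no comment, and that is the security-relevant decision in this hunk: an acceptor with no named credential lets the mechanism fall back to its default credential, which for the usual Kerberos implementations means a ticket for any service principal present in the keytab is accepted rather than only host/<hostname> — the very behaviour GSSAPIStrictAcceptorCheck=yes exists to prevent. A why-comment would keep the next maintainer from "fixing" it, e.g. `/* Non-strict: leave name and credential unset so the mechanism's default acceptor credential (any principal in the keytab) is used. */`. The else branch also returns GSS_S_COMPLETE without touching ctx->major, whereas the strict branch returns ctx->major; if any caller inspects ctx->major instead of the return value it would read a stale status, so consider adding `ctx->major = GSS_S_COMPLETE;` beside the two assignments. ssh_gssapi_acquire_cred's signature and the code that later releases these handles are outside the hunk.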