-rw-r--r--debian/changelog4
-rw-r--r--gss-serv.c37
2 files changed, 26 insertions, 15 deletions
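--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,10 @@ openssh (1:4.7p1-8) UNRELEASED; urgency=low
 http://www.securityfocus.com/bid/28531/info).
 - Add no-user-rc authorized_keys option to disable execution of
 ~/.ssh/rc.
+* Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1:
+- Add code to actually implement GSSAPIStrictAcceptorCheck, which had
+somehow been omitted from a previous version of this patch (closes:
+#474246).
 
 -- Colin Watson <cjwatson@debian.org> Tue, 01 Apr 2008 14:12:43 +0100
 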
diff --git a/gss-serv.c b/gss-serv.c
index e157ec515..3908d6378 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
1/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */ 1/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2008 Simon Wilkinson. All rights reserved.
5 * 5 *
6 * Redistribution and use in source and binary forms, with or without 6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions 7 * modification, are permitted provided that the following conditions
@@ -84,25 +84,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
84 char lname[MAXHOSTNAMELEN]; 84 char lname[MAXHOSTNAMELEN];
85 gss_OID_set oidset; 85 gss_OID_set oidset;
86 86
87 gss_create_empty_oid_set(&status, &oidset); 87 if (options.gss_strict_acceptor) {
88 gss_add_oid_set_member(&status, ctx->oid, &oidset); 88 gss_create_empty_oid_set(&status, &oidset);
89 gss_add_oid_set_member(&status, ctx->oid, &oidset);
89 90
90 if (gethostname(lname, MAXHOSTNAMELEN)) { 91 if (gethostname(lname, MAXHOSTNAMELEN)) {
91 gss_release_oid_set(&status, &oidset); 92 gss_release_oid_set(&status, &oidset);
92 return (-1); 93 return (-1);
93 } 94 }
95
96 if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
97 gss_release_oid_set(&status, &oidset);
98 return (ctx->major);
99 }
100
101 if ((ctx->major = gss_acquire_cred(&ctx->minor,
102 ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
103 NULL, NULL)))
104 ssh_gssapi_error(ctx);
94 105
95 if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
96 gss_release_oid_set(&status, &oidset); 106 gss_release_oid_set(&status, &oidset);
97 return (ctx->major); 107 return (ctx->major);
108 } else {
109 ctx->name = GSS_C_NO_NAME;
110 ctx->creds = GSS_C_NO_CREDENTIAL;
98 } 111 }
99 112 return GSS_S_COMPLETE;
100 if ((ctx->major = gss_acquire_cred(&ctx->minor,
101 ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
102 ssh_gssapi_error(ctx);
103
104 gss_release_oid_set(&status, &oidset);
105 return (ctx->major);
106} 113}
107 114
108/* Privileged */ 115/* Privileged */
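Review bot: The non-strict branch (new lines 108–111) replaces the host-bound acceptor identity with `GSS_C_NO_NAME`/`GSS_C_NO_CREDENTIAL` without a comment, and that is the security-relevant effect of GSSAPIStrictAcceptorCheck=no, so it should state the intent, e.g. `/* Not strict: use the mechanism's default acceptor credential instead of a name imported from gethostname(), so acceptor-principal selection is left to the mechanism rather than pinned to this host's name. */`. Now that the function explicitly ends with `return GSS_S_COMPLETE;`, the pre-existing `return (-1);` on gethostname failure is the only value outside the GSS status space; if the return type is OM_uint32, as `return (ctx->major)` suggests, `return (GSS_S_FAILURE);` would keep every return comparable under GSS_ERROR() (the caller is not visible here, so this is inferred). Stylistically, a guard clause at the top, `if (!options.gss_strict_acceptor) { ctx->name = GSS_C_NO_NAME; ctx->creds = GSS_C_NO_CREDENTIAL; return GSS_S_COMPLETE; }`, would avoid re-indenting the whole existing body and keep the diff to a handful of lines. The function's signature and the declarations before line 84 lie outside the hunk.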