diff options
Diffstat (limited to 'debian/patches/gssapi.patch')
| -rw-r--r-- | debian/patches/gssapi.patch | 218 |
1 files changed, 110 insertions, 108 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index deddbcb80..0726a5020 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | From d51c7ac3328464dec21514fb398ab5c140a0664f Mon Sep 17 00:00:00 2001 | 1 | From 4e70490950e5c5134df48848affaf73685bf0284 Mon Sep 17 00:00:00 2001 |
| 2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
| 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
| 4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
| @@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate | |||
| 17 | security history. | 17 | security history. |
| 18 | 18 | ||
| 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
| 20 | Last-Updated: 2017-01-16 | 20 | Last-Updated: 2017-10-04 |
| 21 | 21 | ||
| 22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
| 23 | --- | 23 | --- |
| @@ -25,7 +25,7 @@ Patch-Name: gssapi.patch | |||
| 25 | Makefile.in | 3 +- | 25 | Makefile.in | 3 +- |
| 26 | auth-krb5.c | 17 ++- | 26 | auth-krb5.c | 17 ++- |
| 27 | auth.c | 96 +--------------- | 27 | auth.c | 96 +--------------- |
| 28 | auth2-gss.c | 48 +++++++- | 28 | auth2-gss.c | 49 +++++++- |
| 29 | auth2.c | 2 + | 29 | auth2.c | 2 + |
| 30 | canohost.c | 93 +++++++++++++++ | 30 | canohost.c | 93 +++++++++++++++ |
| 31 | canohost.h | 3 + | 31 | canohost.h | 3 + |
| @@ -56,7 +56,7 @@ Patch-Name: gssapi.patch | |||
| 56 | sshd_config.5 | 10 ++ | 56 | sshd_config.5 | 10 ++ |
| 57 | sshkey.c | 3 +- | 57 | sshkey.c | 3 +- |
| 58 | sshkey.h | 1 + | 58 | sshkey.h | 1 + |
| 59 | 35 files changed, 2062 insertions(+), 147 deletions(-) | 59 | 35 files changed, 2063 insertions(+), 147 deletions(-) |
| 60 | create mode 100644 ChangeLog.gssapi | 60 | create mode 100644 ChangeLog.gssapi |
| 61 | create mode 100644 kexgssc.c | 61 | create mode 100644 kexgssc.c |
| 62 | create mode 100644 kexgsss.c | 62 | create mode 100644 kexgsss.c |
| @@ -181,7 +181,7 @@ index 00000000..f117a336 | |||
| 181 | + (from jbasney AT ncsa.uiuc.edu) | 181 | + (from jbasney AT ncsa.uiuc.edu) |
| 182 | + <gssapi-with-mic support is Bugzilla #1008> | 182 | + <gssapi-with-mic support is Bugzilla #1008> |
| 183 | diff --git a/Makefile.in b/Makefile.in | 183 | diff --git a/Makefile.in b/Makefile.in |
| 184 | index 5870e9e6..6b774c1a 100644 | 184 | index c52ce191..f6e9fe4c 100644 |
| 185 | --- a/Makefile.in | 185 | --- a/Makefile.in |
| 186 | +++ b/Makefile.in | 186 | +++ b/Makefile.in |
| 187 | @@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 187 | @@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
| @@ -189,7 +189,7 @@ index 5870e9e6..6b774c1a 100644 | |||
| 189 | kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ | 189 | kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ |
| 190 | kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ | 190 | kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ |
| 191 | + kexgssc.o \ | 191 | + kexgssc.o \ |
| 192 | platform-pledge.o platform-tracing.o | 192 | platform-pledge.o platform-tracing.o platform-misc.o |
| 193 | 193 | ||
| 194 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 194 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
| 195 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ | 195 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ |
| @@ -253,10 +253,10 @@ index a5a81ed2..38e7fee2 100644 | |||
| 253 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 253 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
| 254 | } | 254 | } |
| 255 | diff --git a/auth.c b/auth.c | 255 | diff --git a/auth.c b/auth.c |
| 256 | index 6ee6116d..c6390687 100644 | 256 | index a4490617..6aec3605 100644 |
| 257 | --- a/auth.c | 257 | --- a/auth.c |
| 258 | +++ b/auth.c | 258 | +++ b/auth.c |
| 259 | @@ -372,7 +372,8 @@ auth_root_allowed(const char *method) | 259 | @@ -395,7 +395,8 @@ auth_root_allowed(const char *method) |
| 260 | case PERMIT_NO_PASSWD: | 260 | case PERMIT_NO_PASSWD: |
| 261 | if (strcmp(method, "publickey") == 0 || | 261 | if (strcmp(method, "publickey") == 0 || |
| 262 | strcmp(method, "hostbased") == 0 || | 262 | strcmp(method, "hostbased") == 0 || |
| @@ -266,7 +266,7 @@ index 6ee6116d..c6390687 100644 | |||
| 266 | return 1; | 266 | return 1; |
| 267 | break; | 267 | break; |
| 268 | case PERMIT_FORCED_ONLY: | 268 | case PERMIT_FORCED_ONLY: |
| 269 | @@ -794,99 +795,6 @@ fakepw(void) | 269 | @@ -727,99 +728,6 @@ fakepw(void) |
| 270 | return (&fake); | 270 | return (&fake); |
| 271 | } | 271 | } |
| 272 | 272 | ||
| @@ -367,11 +367,11 @@ index 6ee6116d..c6390687 100644 | |||
| 367 | * Return the canonical name of the host in the other side of the current | 367 | * Return the canonical name of the host in the other side of the current |
| 368 | * connection. The host name is cached, so it is efficient to call this | 368 | * connection. The host name is cached, so it is efficient to call this |
| 369 | diff --git a/auth2-gss.c b/auth2-gss.c | 369 | diff --git a/auth2-gss.c b/auth2-gss.c |
| 370 | index 1ca83577..3b5036df 100644 | 370 | index 589283b7..fd411d3a 100644 |
| 371 | --- a/auth2-gss.c | 371 | --- a/auth2-gss.c |
| 372 | +++ b/auth2-gss.c | 372 | +++ b/auth2-gss.c |
| 373 | @@ -1,7 +1,7 @@ | 373 | @@ -1,7 +1,7 @@ |
| 374 | /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */ | 374 | /* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */ |
| 375 | 375 | ||
| 376 | /* | 376 | /* |
| 377 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 377 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
| @@ -379,16 +379,17 @@ index 1ca83577..3b5036df 100644 | |||
| 379 | * | 379 | * |
| 380 | * Redistribution and use in source and binary forms, with or without | 380 | * Redistribution and use in source and binary forms, with or without |
| 381 | * modification, are permitted provided that the following conditions | 381 | * modification, are permitted provided that the following conditions |
| 382 | @@ -53,6 +53,40 @@ static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt); | 382 | @@ -53,6 +53,41 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh); |
| 383 | static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 383 | static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh); |
| 384 | static int input_gssapi_errtok(int, u_int32_t, void *); | 384 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); |
| 385 | 385 | ||
| 386 | +/* | 386 | +/* |
| 387 | + * The 'gssapi_keyex' userauth mechanism. | 387 | + * The 'gssapi_keyex' userauth mechanism. |
| 388 | + */ | 388 | + */ |
| 389 | +static int | 389 | +static int |
| 390 | +userauth_gsskeyex(Authctxt *authctxt) | 390 | +userauth_gsskeyex(struct ssh *ssh) |
| 391 | +{ | 391 | +{ |
| 392 | + Authctxt *authctxt = ssh->authctxt; | ||
| 392 | + int authenticated = 0; | 393 | + int authenticated = 0; |
| 393 | + Buffer b; | 394 | + Buffer b; |
| 394 | + gss_buffer_desc mic, gssbuf; | 395 | + gss_buffer_desc mic, gssbuf; |
| @@ -420,7 +421,7 @@ index 1ca83577..3b5036df 100644 | |||
| 420 | /* | 421 | /* |
| 421 | * We only support those mechanisms that we know about (ie ones that we know | 422 | * We only support those mechanisms that we know about (ie ones that we know |
| 422 | * how to check local user kuserok and the like) | 423 | * how to check local user kuserok and the like) |
| 423 | @@ -238,7 +272,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | 424 | @@ -240,7 +275,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) |
| 424 | 425 | ||
| 425 | packet_check_eom(); | 426 | packet_check_eom(); |
| 426 | 427 | ||
| @@ -428,9 +429,9 @@ index 1ca83577..3b5036df 100644 | |||
| 428 | + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, | 429 | + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, |
| 429 | + authctxt->pw)); | 430 | + authctxt->pw)); |
| 430 | 431 | ||
| 431 | authctxt->postponed = 0; | 432 | if ((!use_privsep || mm_is_monitor()) && |
| 432 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 433 | (displayname = ssh_gssapi_displayname()) != NULL) |
| 433 | @@ -274,7 +309,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 434 | @@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) |
| 434 | gssbuf.length = buffer_len(&b); | 435 | gssbuf.length = buffer_len(&b); |
| 435 | 436 | ||
| 436 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 437 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
| @@ -440,7 +441,7 @@ index 1ca83577..3b5036df 100644 | |||
| 440 | else | 441 | else |
| 441 | logit("GSSAPI MIC check failed"); | 442 | logit("GSSAPI MIC check failed"); |
| 442 | 443 | ||
| 443 | @@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 444 | @@ -301,6 +338,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) |
| 444 | return 0; | 445 | return 0; |
| 445 | } | 446 | } |
| 446 | 447 | ||
| @@ -454,10 +455,10 @@ index 1ca83577..3b5036df 100644 | |||
| 454 | "gssapi-with-mic", | 455 | "gssapi-with-mic", |
| 455 | userauth_gssapi, | 456 | userauth_gssapi, |
| 456 | diff --git a/auth2.c b/auth2.c | 457 | diff --git a/auth2.c b/auth2.c |
| 457 | index 97dd2ef0..946e9235 100644 | 458 | index 862e0996..54070e3a 100644 |
| 458 | --- a/auth2.c | 459 | --- a/auth2.c |
| 459 | +++ b/auth2.c | 460 | +++ b/auth2.c |
| 460 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; | 461 | @@ -72,6 +72,7 @@ extern Authmethod method_passwd; |
| 461 | extern Authmethod method_kbdint; | 462 | extern Authmethod method_kbdint; |
| 462 | extern Authmethod method_hostbased; | 463 | extern Authmethod method_hostbased; |
| 463 | #ifdef GSSAPI | 464 | #ifdef GSSAPI |
| @@ -465,7 +466,7 @@ index 97dd2ef0..946e9235 100644 | |||
| 465 | extern Authmethod method_gssapi; | 466 | extern Authmethod method_gssapi; |
| 466 | #endif | 467 | #endif |
| 467 | 468 | ||
| 468 | @@ -77,6 +78,7 @@ Authmethod *authmethods[] = { | 469 | @@ -79,6 +80,7 @@ Authmethod *authmethods[] = { |
| 469 | &method_none, | 470 | &method_none, |
| 470 | &method_pubkey, | 471 | &method_pubkey, |
| 471 | #ifdef GSSAPI | 472 | #ifdef GSSAPI |
| @@ -592,10 +593,10 @@ index 26d62855..0cadc9f1 100644 | |||
| 592 | int get_peer_port(int); | 593 | int get_peer_port(int); |
| 593 | char *get_local_ipaddr(int); | 594 | char *get_local_ipaddr(int); |
| 594 | diff --git a/clientloop.c b/clientloop.c | 595 | diff --git a/clientloop.c b/clientloop.c |
| 595 | index 06481623..38b0330e 100644 | 596 | index 791d336e..0010b833 100644 |
| 596 | --- a/clientloop.c | 597 | --- a/clientloop.c |
| 597 | +++ b/clientloop.c | 598 | +++ b/clientloop.c |
| 598 | @@ -113,6 +113,10 @@ | 599 | @@ -112,6 +112,10 @@ |
| 599 | #include "ssherr.h" | 600 | #include "ssherr.h" |
| 600 | #include "hostfile.h" | 601 | #include "hostfile.h" |
| 601 | 602 | ||
| @@ -606,13 +607,13 @@ index 06481623..38b0330e 100644 | |||
| 606 | /* import options */ | 607 | /* import options */ |
| 607 | extern Options options; | 608 | extern Options options; |
| 608 | 609 | ||
| 609 | @@ -1664,9 +1668,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 610 | @@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, |
| 610 | break; | 611 | break; |
| 611 | 612 | ||
| 612 | /* Do channel operations unless rekeying in progress. */ | 613 | /* Do channel operations unless rekeying in progress. */ |
| 613 | - if (!ssh_packet_is_rekeying(active_state)) | 614 | - if (!ssh_packet_is_rekeying(ssh)) |
| 614 | + if (!ssh_packet_is_rekeying(active_state)) { | 615 | + if (!ssh_packet_is_rekeying(ssh)) { |
| 615 | channel_after_select(readset, writeset); | 616 | channel_after_select(ssh, readset, writeset); |
| 616 | 617 | ||
| 617 | +#ifdef GSSAPI | 618 | +#ifdef GSSAPI |
| 618 | + if (options.gss_renewal_rekey && | 619 | + if (options.gss_renewal_rekey && |
| @@ -627,10 +628,10 @@ index 06481623..38b0330e 100644 | |||
| 627 | client_process_net_input(readset); | 628 | client_process_net_input(readset); |
| 628 | 629 | ||
| 629 | diff --git a/config.h.in b/config.h.in | 630 | diff --git a/config.h.in b/config.h.in |
| 630 | index b65420e4..fd8a73f1 100644 | 631 | index 63fc548b..0b244fd5 100644 |
| 631 | --- a/config.h.in | 632 | --- a/config.h.in |
| 632 | +++ b/config.h.in | 633 | +++ b/config.h.in |
| 633 | @@ -1670,6 +1670,9 @@ | 634 | @@ -1696,6 +1696,9 @@ |
| 634 | /* Use btmp to log bad logins */ | 635 | /* Use btmp to log bad logins */ |
| 635 | #undef USE_BTMP | 636 | #undef USE_BTMP |
| 636 | 637 | ||
| @@ -640,7 +641,7 @@ index b65420e4..fd8a73f1 100644 | |||
| 640 | /* Use libedit for sftp */ | 641 | /* Use libedit for sftp */ |
| 641 | #undef USE_LIBEDIT | 642 | #undef USE_LIBEDIT |
| 642 | 643 | ||
| 643 | @@ -1685,6 +1688,9 @@ | 644 | @@ -1711,6 +1714,9 @@ |
| 644 | /* Use PIPES instead of a socketpair() */ | 645 | /* Use PIPES instead of a socketpair() */ |
| 645 | #undef USE_PIPES | 646 | #undef USE_PIPES |
| 646 | 647 | ||
| @@ -651,10 +652,10 @@ index b65420e4..fd8a73f1 100644 | |||
| 651 | #undef USE_SOLARIS_PRIVS | 652 | #undef USE_SOLARIS_PRIVS |
| 652 | 653 | ||
| 653 | diff --git a/configure.ac b/configure.ac | 654 | diff --git a/configure.ac b/configure.ac |
| 654 | index c2878e3d..ead34acf 100644 | 655 | index 889f5063..84bfad8c 100644 |
| 655 | --- a/configure.ac | 656 | --- a/configure.ac |
| 656 | +++ b/configure.ac | 657 | +++ b/configure.ac |
| 657 | @@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 658 | @@ -621,6 +621,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
| 658 | [Use tunnel device compatibility to OpenBSD]) | 659 | [Use tunnel device compatibility to OpenBSD]) |
| 659 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 660 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
| 660 | [Prepend the address family to IP tunnel traffic]) | 661 | [Prepend the address family to IP tunnel traffic]) |
| @@ -1163,11 +1164,11 @@ index 795992d9..fd8b3718 100644 | |||
| 1163 | 1164 | ||
| 1164 | #endif /* KRB5 */ | 1165 | #endif /* KRB5 */ |
| 1165 | diff --git a/gss-serv.c b/gss-serv.c | 1166 | diff --git a/gss-serv.c b/gss-serv.c |
| 1166 | index 53993d67..2e27cbf9 100644 | 1167 | index 6cae720e..967c6cfb 100644 |
| 1167 | --- a/gss-serv.c | 1168 | --- a/gss-serv.c |
| 1168 | +++ b/gss-serv.c | 1169 | +++ b/gss-serv.c |
| 1169 | @@ -1,7 +1,7 @@ | 1170 | @@ -1,7 +1,7 @@ |
| 1170 | /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ | 1171 | /* $OpenBSD: gss-serv.c,v 1.30 2017/06/24 06:34:38 djm Exp $ */ |
| 1171 | 1172 | ||
| 1172 | /* | 1173 | /* |
| 1173 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 1174 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
| @@ -1432,9 +1433,9 @@ index 53993d67..2e27cbf9 100644 | |||
| 1432 | + return ok; | 1433 | + return ok; |
| 1433 | } | 1434 | } |
| 1434 | 1435 | ||
| 1435 | #endif | 1436 | /* Privileged */ |
| 1436 | diff --git a/kex.c b/kex.c | 1437 | diff --git a/kex.c b/kex.c |
| 1437 | index cf4ac0dc..556a32e9 100644 | 1438 | index d5d5a9da..bb1bd661 100644 |
| 1438 | --- a/kex.c | 1439 | --- a/kex.c |
| 1439 | +++ b/kex.c | 1440 | +++ b/kex.c |
| 1440 | @@ -54,6 +54,10 @@ | 1441 | @@ -54,6 +54,10 @@ |
| @@ -1445,10 +1446,10 @@ index cf4ac0dc..556a32e9 100644 | |||
| 1445 | +#include "ssh-gss.h" | 1446 | +#include "ssh-gss.h" |
| 1446 | +#endif | 1447 | +#endif |
| 1447 | + | 1448 | + |
| 1448 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1449 | /* prototype */ |
| 1449 | # if defined(HAVE_EVP_SHA256) | 1450 | static int kex_choose_conf(struct ssh *); |
| 1450 | # define evp_ssh_sha256 EVP_sha256 | 1451 | static int kex_input_newkeys(int, u_int32_t, struct ssh *); |
| 1451 | @@ -113,6 +117,14 @@ static const struct kexalg kexalgs[] = { | 1452 | @@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = { |
| 1452 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ | 1453 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
| 1453 | { NULL, -1, -1, -1}, | 1454 | { NULL, -1, -1, -1}, |
| 1454 | }; | 1455 | }; |
| @@ -1463,7 +1464,7 @@ index cf4ac0dc..556a32e9 100644 | |||
| 1463 | 1464 | ||
| 1464 | char * | 1465 | char * |
| 1465 | kex_alg_list(char sep) | 1466 | kex_alg_list(char sep) |
| 1466 | @@ -145,6 +157,10 @@ kex_alg_by_name(const char *name) | 1467 | @@ -137,6 +149,10 @@ kex_alg_by_name(const char *name) |
| 1467 | if (strcmp(k->name, name) == 0) | 1468 | if (strcmp(k->name, name) == 0) |
| 1468 | return k; | 1469 | return k; |
| 1469 | } | 1470 | } |
| @@ -1474,7 +1475,7 @@ index cf4ac0dc..556a32e9 100644 | |||
| 1474 | return NULL; | 1475 | return NULL; |
| 1475 | } | 1476 | } |
| 1476 | 1477 | ||
| 1477 | @@ -605,6 +621,9 @@ kex_free(struct kex *kex) | 1478 | @@ -601,6 +617,9 @@ kex_free(struct kex *kex) |
| 1478 | sshbuf_free(kex->peer); | 1479 | sshbuf_free(kex->peer); |
| 1479 | sshbuf_free(kex->my); | 1480 | sshbuf_free(kex->my); |
| 1480 | free(kex->session_id); | 1481 | free(kex->session_id); |
| @@ -1485,7 +1486,7 @@ index cf4ac0dc..556a32e9 100644 | |||
| 1485 | free(kex->server_version_string); | 1486 | free(kex->server_version_string); |
| 1486 | free(kex->failed_choice); | 1487 | free(kex->failed_choice); |
| 1487 | diff --git a/kex.h b/kex.h | 1488 | diff --git a/kex.h b/kex.h |
| 1488 | index 3794f212..fd56171d 100644 | 1489 | index 01bb3986..a708e486 100644 |
| 1489 | --- a/kex.h | 1490 | --- a/kex.h |
| 1490 | +++ b/kex.h | 1491 | +++ b/kex.h |
| 1491 | @@ -99,6 +99,9 @@ enum kex_exchange { | 1492 | @@ -99,6 +99,9 @@ enum kex_exchange { |
| @@ -2169,7 +2170,7 @@ index 00000000..38ca082b | |||
| 2169 | +} | 2170 | +} |
| 2170 | +#endif /* GSSAPI */ | 2171 | +#endif /* GSSAPI */ |
| 2171 | diff --git a/monitor.c b/monitor.c | 2172 | diff --git a/monitor.c b/monitor.c |
| 2172 | index 96d22b7e..506645c7 100644 | 2173 | index f517da48..cabfeb8a 100644 |
| 2173 | --- a/monitor.c | 2174 | --- a/monitor.c |
| 2174 | +++ b/monitor.c | 2175 | +++ b/monitor.c |
| 2175 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 2176 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
| @@ -2211,7 +2212,7 @@ index 96d22b7e..506645c7 100644 | |||
| 2211 | 2212 | ||
| 2212 | /* The first few requests do not require asynchronous access */ | 2213 | /* The first few requests do not require asynchronous access */ |
| 2213 | while (!authenticated) { | 2214 | while (!authenticated) { |
| 2214 | @@ -402,6 +415,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2215 | @@ -408,6 +421,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
| 2215 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2216 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
| 2216 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2217 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
| 2217 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2218 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
| @@ -2222,7 +2223,7 @@ index 96d22b7e..506645c7 100644 | |||
| 2222 | 2223 | ||
| 2223 | if (!no_pty_flag) { | 2224 | if (!no_pty_flag) { |
| 2224 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 2225 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
| 2225 | @@ -1606,6 +1623,13 @@ monitor_apply_keystate(struct monitor *pmonitor) | 2226 | @@ -1626,6 +1643,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
| 2226 | # endif | 2227 | # endif |
| 2227 | #endif /* WITH_OPENSSL */ | 2228 | #endif /* WITH_OPENSSL */ |
| 2228 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2229 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
| @@ -2236,7 +2237,7 @@ index 96d22b7e..506645c7 100644 | |||
| 2236 | kex->load_host_public_key=&get_hostkey_public_by_type; | 2237 | kex->load_host_public_key=&get_hostkey_public_by_type; |
| 2237 | kex->load_host_private_key=&get_hostkey_private_by_type; | 2238 | kex->load_host_private_key=&get_hostkey_private_by_type; |
| 2238 | kex->host_key_index=&get_hostkey_index; | 2239 | kex->host_key_index=&get_hostkey_index; |
| 2239 | @@ -1685,8 +1709,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2240 | @@ -1714,8 +1738,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
| 2240 | OM_uint32 major; | 2241 | OM_uint32 major; |
| 2241 | u_int len; | 2242 | u_int len; |
| 2242 | 2243 | ||
| @@ -2247,7 +2248,7 @@ index 96d22b7e..506645c7 100644 | |||
| 2247 | 2248 | ||
| 2248 | goid.elements = buffer_get_string(m, &len); | 2249 | goid.elements = buffer_get_string(m, &len); |
| 2249 | goid.length = len; | 2250 | goid.length = len; |
| 2250 | @@ -1715,8 +1739,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2251 | @@ -1744,8 +1768,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
| 2251 | OM_uint32 flags = 0; /* GSI needs this */ | 2252 | OM_uint32 flags = 0; /* GSI needs this */ |
| 2252 | u_int len; | 2253 | u_int len; |
| 2253 | 2254 | ||
| @@ -2258,7 +2259,7 @@ index 96d22b7e..506645c7 100644 | |||
| 2258 | 2259 | ||
| 2259 | in.value = buffer_get_string(m, &len); | 2260 | in.value = buffer_get_string(m, &len); |
| 2260 | in.length = len; | 2261 | in.length = len; |
| 2261 | @@ -1735,6 +1759,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2262 | @@ -1764,6 +1788,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
| 2262 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2263 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
| 2263 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2264 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
| 2264 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2265 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
| @@ -2266,7 +2267,7 @@ index 96d22b7e..506645c7 100644 | |||
| 2266 | } | 2267 | } |
| 2267 | return (0); | 2268 | return (0); |
| 2268 | } | 2269 | } |
| 2269 | @@ -1746,8 +1771,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2270 | @@ -1775,8 +1800,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
| 2270 | OM_uint32 ret; | 2271 | OM_uint32 ret; |
| 2271 | u_int len; | 2272 | u_int len; |
| 2272 | 2273 | ||
| @@ -2277,9 +2278,9 @@ index 96d22b7e..506645c7 100644 | |||
| 2277 | 2278 | ||
| 2278 | gssbuf.value = buffer_get_string(m, &len); | 2279 | gssbuf.value = buffer_get_string(m, &len); |
| 2279 | gssbuf.length = len; | 2280 | gssbuf.length = len; |
| 2280 | @@ -1775,10 +1800,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2281 | @@ -1805,10 +1830,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
| 2281 | { | ||
| 2282 | int authenticated; | 2282 | int authenticated; |
| 2283 | const char *displayname; | ||
| 2283 | 2284 | ||
| 2284 | - if (!options.gss_authentication) | 2285 | - if (!options.gss_authentication) |
| 2285 | - fatal("%s: GSSAPI authentication not enabled", __func__); | 2286 | - fatal("%s: GSSAPI authentication not enabled", __func__); |
| @@ -2292,7 +2293,7 @@ index 96d22b7e..506645c7 100644 | |||
| 2292 | 2293 | ||
| 2293 | buffer_clear(m); | 2294 | buffer_clear(m); |
| 2294 | buffer_put_int(m, authenticated); | 2295 | buffer_put_int(m, authenticated); |
| 2295 | @@ -1791,5 +1817,76 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2296 | @@ -1824,5 +1850,76 @@ mm_answer_gss_userok(int sock, Buffer *m) |
| 2296 | /* Monitor loop will terminate if authenticated */ | 2297 | /* Monitor loop will terminate if authenticated */ |
| 2297 | return (authenticated); | 2298 | return (authenticated); |
| 2298 | } | 2299 | } |
| @@ -2384,10 +2385,10 @@ index d68f6745..ec41404c 100644 | |||
| 2384 | 2385 | ||
| 2385 | struct monitor { | 2386 | struct monitor { |
| 2386 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2387 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
| 2387 | index 64ff9288..d5cb640a 100644 | 2388 | index 69212aaf..0e171a6a 100644 |
| 2388 | --- a/monitor_wrap.c | 2389 | --- a/monitor_wrap.c |
| 2389 | +++ b/monitor_wrap.c | 2390 | +++ b/monitor_wrap.c |
| 2390 | @@ -924,7 +924,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2391 | @@ -937,7 +937,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
| 2391 | } | 2392 | } |
| 2392 | 2393 | ||
| 2393 | int | 2394 | int |
| @@ -2396,7 +2397,7 @@ index 64ff9288..d5cb640a 100644 | |||
| 2396 | { | 2397 | { |
| 2397 | Buffer m; | 2398 | Buffer m; |
| 2398 | int authenticated = 0; | 2399 | int authenticated = 0; |
| 2399 | @@ -941,5 +941,50 @@ mm_ssh_gssapi_userok(char *user) | 2400 | @@ -954,5 +954,50 @@ mm_ssh_gssapi_userok(char *user) |
| 2400 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2401 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
| 2401 | return (authenticated); | 2402 | return (authenticated); |
| 2402 | } | 2403 | } |
| @@ -2448,10 +2449,10 @@ index 64ff9288..d5cb640a 100644 | |||
| 2448 | #endif /* GSSAPI */ | 2449 | #endif /* GSSAPI */ |
| 2449 | 2450 | ||
| 2450 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2451 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
| 2451 | index db5902f5..8f9dd896 100644 | 2452 | index 9e032d20..7b2e8945 100644 |
| 2452 | --- a/monitor_wrap.h | 2453 | --- a/monitor_wrap.h |
| 2453 | +++ b/monitor_wrap.h | 2454 | +++ b/monitor_wrap.h |
| 2454 | @@ -55,8 +55,10 @@ int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); | 2455 | @@ -57,8 +57,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, |
| 2455 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 2456 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
| 2456 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, | 2457 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, |
| 2457 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | 2458 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
| @@ -2464,7 +2465,7 @@ index db5902f5..8f9dd896 100644 | |||
| 2464 | 2465 | ||
| 2465 | #ifdef USE_PAM | 2466 | #ifdef USE_PAM |
| 2466 | diff --git a/readconf.c b/readconf.c | 2467 | diff --git a/readconf.c b/readconf.c |
| 2467 | index 9d59493f..00d9cc30 100644 | 2468 | index f63894f9..99e03ee1 100644 |
| 2468 | --- a/readconf.c | 2469 | --- a/readconf.c |
| 2469 | +++ b/readconf.c | 2470 | +++ b/readconf.c |
| 2470 | @@ -160,6 +160,8 @@ typedef enum { | 2471 | @@ -160,6 +160,8 @@ typedef enum { |
| @@ -2476,7 +2477,7 @@ index 9d59493f..00d9cc30 100644 | |||
| 2476 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2477 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
| 2477 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2478 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
| 2478 | oHashKnownHosts, | 2479 | oHashKnownHosts, |
| 2479 | @@ -196,10 +198,20 @@ static struct { | 2480 | @@ -199,10 +201,20 @@ static struct { |
| 2480 | /* Sometimes-unsupported options */ | 2481 | /* Sometimes-unsupported options */ |
| 2481 | #if defined(GSSAPI) | 2482 | #if defined(GSSAPI) |
| 2482 | { "gssapiauthentication", oGssAuthentication }, | 2483 | { "gssapiauthentication", oGssAuthentication }, |
| @@ -2497,7 +2498,7 @@ index 9d59493f..00d9cc30 100644 | |||
| 2497 | #endif | 2498 | #endif |
| 2498 | #ifdef ENABLE_PKCS11 | 2499 | #ifdef ENABLE_PKCS11 |
| 2499 | { "smartcarddevice", oPKCS11Provider }, | 2500 | { "smartcarddevice", oPKCS11Provider }, |
| 2500 | @@ -973,10 +985,30 @@ parse_time: | 2501 | @@ -976,10 +988,30 @@ parse_time: |
| 2501 | intptr = &options->gss_authentication; | 2502 | intptr = &options->gss_authentication; |
| 2502 | goto parse_flag; | 2503 | goto parse_flag; |
| 2503 | 2504 | ||
| @@ -2528,7 +2529,7 @@ index 9d59493f..00d9cc30 100644 | |||
| 2528 | case oBatchMode: | 2529 | case oBatchMode: |
| 2529 | intptr = &options->batch_mode; | 2530 | intptr = &options->batch_mode; |
| 2530 | goto parse_flag; | 2531 | goto parse_flag; |
| 2531 | @@ -1798,7 +1830,12 @@ initialize_options(Options * options) | 2532 | @@ -1790,7 +1822,12 @@ initialize_options(Options * options) |
| 2532 | options->pubkey_authentication = -1; | 2533 | options->pubkey_authentication = -1; |
| 2533 | options->challenge_response_authentication = -1; | 2534 | options->challenge_response_authentication = -1; |
| 2534 | options->gss_authentication = -1; | 2535 | options->gss_authentication = -1; |
| @@ -2541,7 +2542,7 @@ index 9d59493f..00d9cc30 100644 | |||
| 2541 | options->password_authentication = -1; | 2542 | options->password_authentication = -1; |
| 2542 | options->kbd_interactive_authentication = -1; | 2543 | options->kbd_interactive_authentication = -1; |
| 2543 | options->kbd_interactive_devices = NULL; | 2544 | options->kbd_interactive_devices = NULL; |
| 2544 | @@ -1942,8 +1979,14 @@ fill_default_options(Options * options) | 2545 | @@ -1930,8 +1967,14 @@ fill_default_options(Options * options) |
| 2545 | options->challenge_response_authentication = 1; | 2546 | options->challenge_response_authentication = 1; |
| 2546 | if (options->gss_authentication == -1) | 2547 | if (options->gss_authentication == -1) |
| 2547 | options->gss_authentication = 0; | 2548 | options->gss_authentication = 0; |
| @@ -2557,10 +2558,10 @@ index 9d59493f..00d9cc30 100644 | |||
| 2557 | options->password_authentication = 1; | 2558 | options->password_authentication = 1; |
| 2558 | if (options->kbd_interactive_authentication == -1) | 2559 | if (options->kbd_interactive_authentication == -1) |
| 2559 | diff --git a/readconf.h b/readconf.h | 2560 | diff --git a/readconf.h b/readconf.h |
| 2560 | index cef55f71..fd3d7c75 100644 | 2561 | index 22fe5c18..d61161a8 100644 |
| 2561 | --- a/readconf.h | 2562 | --- a/readconf.h |
| 2562 | +++ b/readconf.h | 2563 | +++ b/readconf.h |
| 2563 | @@ -45,7 +45,12 @@ typedef struct { | 2564 | @@ -42,7 +42,12 @@ typedef struct { |
| 2564 | int challenge_response_authentication; | 2565 | int challenge_response_authentication; |
| 2565 | /* Try S/Key or TIS, authentication. */ | 2566 | /* Try S/Key or TIS, authentication. */ |
| 2566 | int gss_authentication; /* Try GSS authentication */ | 2567 | int gss_authentication; /* Try GSS authentication */ |
| @@ -2574,7 +2575,7 @@ index cef55f71..fd3d7c75 100644 | |||
| 2574 | * authentication. */ | 2575 | * authentication. */ |
| 2575 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2576 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
| 2576 | diff --git a/servconf.c b/servconf.c | 2577 | diff --git a/servconf.c b/servconf.c |
| 2577 | index 56b83165..d796b7c8 100644 | 2578 | index 2c321a4a..8ba74517 100644 |
| 2578 | --- a/servconf.c | 2579 | --- a/servconf.c |
| 2579 | +++ b/servconf.c | 2580 | +++ b/servconf.c |
| 2580 | @@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options) | 2581 | @@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options) |
| @@ -2588,7 +2589,7 @@ index 56b83165..d796b7c8 100644 | |||
| 2588 | options->password_authentication = -1; | 2589 | options->password_authentication = -1; |
| 2589 | options->kbd_interactive_authentication = -1; | 2590 | options->kbd_interactive_authentication = -1; |
| 2590 | options->challenge_response_authentication = -1; | 2591 | options->challenge_response_authentication = -1; |
| 2591 | @@ -267,10 +269,14 @@ fill_default_server_options(ServerOptions *options) | 2592 | @@ -268,10 +270,14 @@ fill_default_server_options(ServerOptions *options) |
| 2592 | options->kerberos_get_afs_token = 0; | 2593 | options->kerberos_get_afs_token = 0; |
| 2593 | if (options->gss_authentication == -1) | 2594 | if (options->gss_authentication == -1) |
| 2594 | options->gss_authentication = 0; | 2595 | options->gss_authentication = 0; |
| @@ -2603,7 +2604,7 @@ index 56b83165..d796b7c8 100644 | |||
| 2603 | if (options->password_authentication == -1) | 2604 | if (options->password_authentication == -1) |
| 2604 | options->password_authentication = 1; | 2605 | options->password_authentication = 1; |
| 2605 | if (options->kbd_interactive_authentication == -1) | 2606 | if (options->kbd_interactive_authentication == -1) |
| 2606 | @@ -407,6 +413,7 @@ typedef enum { | 2607 | @@ -410,6 +416,7 @@ typedef enum { |
| 2607 | sHostKeyAlgorithms, | 2608 | sHostKeyAlgorithms, |
| 2608 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 2609 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
| 2609 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2610 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
| @@ -2611,7 +2612,7 @@ index 56b83165..d796b7c8 100644 | |||
| 2611 | sAcceptEnv, sPermitTunnel, | 2612 | sAcceptEnv, sPermitTunnel, |
| 2612 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2613 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
| 2613 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2614 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 2614 | @@ -480,12 +487,20 @@ static struct { | 2615 | @@ -484,12 +491,20 @@ static struct { |
| 2615 | #ifdef GSSAPI | 2616 | #ifdef GSSAPI |
| 2616 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2617 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
| 2617 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2618 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
| @@ -2632,7 +2633,7 @@ index 56b83165..d796b7c8 100644 | |||
| 2632 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2633 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
| 2633 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2634 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
| 2634 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2635 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
| 2635 | @@ -1217,6 +1232,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2636 | @@ -1253,6 +1268,10 @@ process_server_config_line(ServerOptions *options, char *line, |
| 2636 | intptr = &options->gss_authentication; | 2637 | intptr = &options->gss_authentication; |
| 2637 | goto parse_flag; | 2638 | goto parse_flag; |
| 2638 | 2639 | ||
| @@ -2643,7 +2644,7 @@ index 56b83165..d796b7c8 100644 | |||
| 2643 | case sGssCleanupCreds: | 2644 | case sGssCleanupCreds: |
| 2644 | intptr = &options->gss_cleanup_creds; | 2645 | intptr = &options->gss_cleanup_creds; |
| 2645 | goto parse_flag; | 2646 | goto parse_flag; |
| 2646 | @@ -1225,6 +1244,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2647 | @@ -1261,6 +1280,10 @@ process_server_config_line(ServerOptions *options, char *line, |
| 2647 | intptr = &options->gss_strict_acceptor; | 2648 | intptr = &options->gss_strict_acceptor; |
| 2648 | goto parse_flag; | 2649 | goto parse_flag; |
| 2649 | 2650 | ||
| @@ -2654,7 +2655,7 @@ index 56b83165..d796b7c8 100644 | |||
| 2654 | case sPasswordAuthentication: | 2655 | case sPasswordAuthentication: |
| 2655 | intptr = &options->password_authentication; | 2656 | intptr = &options->password_authentication; |
| 2656 | goto parse_flag; | 2657 | goto parse_flag; |
| 2657 | @@ -2250,7 +2273,10 @@ dump_config(ServerOptions *o) | 2658 | @@ -2301,7 +2324,10 @@ dump_config(ServerOptions *o) |
| 2658 | #endif | 2659 | #endif |
| 2659 | #ifdef GSSAPI | 2660 | #ifdef GSSAPI |
| 2660 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2661 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
| @@ -2666,10 +2667,10 @@ index 56b83165..d796b7c8 100644 | |||
| 2666 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2667 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
| 2667 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2668 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
| 2668 | diff --git a/servconf.h b/servconf.h | 2669 | diff --git a/servconf.h b/servconf.h |
| 2669 | index 5853a974..90dfa4c2 100644 | 2670 | index 1dca702e..641e93c8 100644 |
| 2670 | --- a/servconf.h | 2671 | --- a/servconf.h |
| 2671 | +++ b/servconf.h | 2672 | +++ b/servconf.h |
| 2672 | @@ -112,8 +112,10 @@ typedef struct { | 2673 | @@ -119,8 +119,10 @@ typedef struct { |
| 2673 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2674 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
| 2674 | * authenticated with Kerberos. */ | 2675 | * authenticated with Kerberos. */ |
| 2675 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2676 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
| @@ -2681,11 +2682,11 @@ index 5853a974..90dfa4c2 100644 | |||
| 2681 | * authentication. */ | 2682 | * authentication. */ |
| 2682 | int kbd_interactive_authentication; /* If true, permit */ | 2683 | int kbd_interactive_authentication; /* If true, permit */ |
| 2683 | diff --git a/ssh-gss.h b/ssh-gss.h | 2684 | diff --git a/ssh-gss.h b/ssh-gss.h |
| 2684 | index a99d7f08..914701bc 100644 | 2685 | index 6593e422..919660a0 100644 |
| 2685 | --- a/ssh-gss.h | 2686 | --- a/ssh-gss.h |
| 2686 | +++ b/ssh-gss.h | 2687 | +++ b/ssh-gss.h |
| 2687 | @@ -1,6 +1,6 @@ | 2688 | @@ -1,6 +1,6 @@ |
| 2688 | /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ | 2689 | /* $OpenBSD: ssh-gss.h,v 1.12 2017/06/24 06:34:38 djm Exp $ */ |
| 2689 | /* | 2690 | /* |
| 2690 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 2691 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
| 2691 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 2692 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
| @@ -2748,7 +2749,7 @@ index a99d7f08..914701bc 100644 | |||
| 2748 | 2749 | ||
| 2749 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | 2750 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); |
| 2750 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | 2751 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); |
| 2751 | @@ -119,16 +136,32 @@ void ssh_gssapi_build_ctx(Gssctxt **); | 2752 | @@ -119,17 +136,33 @@ void ssh_gssapi_build_ctx(Gssctxt **); |
| 2752 | void ssh_gssapi_delete_ctx(Gssctxt **); | 2753 | void ssh_gssapi_delete_ctx(Gssctxt **); |
| 2753 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 2754 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
| 2754 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | 2755 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); |
| @@ -2773,6 +2774,7 @@ index a99d7f08..914701bc 100644 | |||
| 2773 | void ssh_gssapi_do_child(char ***, u_int *); | 2774 | void ssh_gssapi_do_child(char ***, u_int *); |
| 2774 | void ssh_gssapi_cleanup_creds(void); | 2775 | void ssh_gssapi_cleanup_creds(void); |
| 2775 | void ssh_gssapi_storecreds(void); | 2776 | void ssh_gssapi_storecreds(void); |
| 2777 | const char *ssh_gssapi_displayname(void); | ||
| 2776 | 2778 | ||
| 2777 | +char *ssh_gssapi_server_mechanisms(void); | 2779 | +char *ssh_gssapi_server_mechanisms(void); |
| 2778 | +int ssh_gssapi_oid_table_ok(void); | 2780 | +int ssh_gssapi_oid_table_ok(void); |
| @@ -2784,10 +2786,10 @@ index a99d7f08..914701bc 100644 | |||
| 2784 | 2786 | ||
| 2785 | #endif /* _SSH_GSS_H */ | 2787 | #endif /* _SSH_GSS_H */ |
| 2786 | diff --git a/ssh_config b/ssh_config | 2788 | diff --git a/ssh_config b/ssh_config |
| 2787 | index 90fb63f0..4e879cd2 100644 | 2789 | index c12f5ef5..bcb9f153 100644 |
| 2788 | --- a/ssh_config | 2790 | --- a/ssh_config |
| 2789 | +++ b/ssh_config | 2791 | +++ b/ssh_config |
| 2790 | @@ -26,6 +26,8 @@ | 2792 | @@ -24,6 +24,8 @@ |
| 2791 | # HostbasedAuthentication no | 2793 | # HostbasedAuthentication no |
| 2792 | # GSSAPIAuthentication no | 2794 | # GSSAPIAuthentication no |
| 2793 | # GSSAPIDelegateCredentials no | 2795 | # GSSAPIDelegateCredentials no |
| @@ -2797,10 +2799,10 @@ index 90fb63f0..4e879cd2 100644 | |||
| 2797 | # CheckHostIP yes | 2799 | # CheckHostIP yes |
| 2798 | # AddressFamily any | 2800 | # AddressFamily any |
| 2799 | diff --git a/ssh_config.5 b/ssh_config.5 | 2801 | diff --git a/ssh_config.5 b/ssh_config.5 |
| 2800 | index 532745b2..ec60273e 100644 | 2802 | index eab8dd01..9a06a757 100644 |
| 2801 | --- a/ssh_config.5 | 2803 | --- a/ssh_config.5 |
| 2802 | +++ b/ssh_config.5 | 2804 | +++ b/ssh_config.5 |
| 2803 | @@ -752,10 +752,42 @@ The default is | 2805 | @@ -720,10 +720,42 @@ The default is |
| 2804 | Specifies whether user authentication based on GSSAPI is allowed. | 2806 | Specifies whether user authentication based on GSSAPI is allowed. |
| 2805 | The default is | 2807 | The default is |
| 2806 | .Cm no . | 2808 | .Cm no . |
| @@ -2844,7 +2846,7 @@ index 532745b2..ec60273e 100644 | |||
| 2844 | Indicates that | 2846 | Indicates that |
| 2845 | .Xr ssh 1 | 2847 | .Xr ssh 1 |
| 2846 | diff --git a/sshconnect2.c b/sshconnect2.c | 2848 | diff --git a/sshconnect2.c b/sshconnect2.c |
| 2847 | index f8a54bee..5743c2c4 100644 | 2849 | index be9397e4..c22477f5 100644 |
| 2848 | --- a/sshconnect2.c | 2850 | --- a/sshconnect2.c |
| 2849 | +++ b/sshconnect2.c | 2851 | +++ b/sshconnect2.c |
| 2850 | @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2852 | @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
| @@ -2919,7 +2921,7 @@ index f8a54bee..5743c2c4 100644 | |||
| 2919 | + } | 2921 | + } |
| 2920 | +#endif | 2922 | +#endif |
| 2921 | + | 2923 | + |
| 2922 | dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); | 2924 | ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done); |
| 2923 | 2925 | ||
| 2924 | /* remove ext-info from the KEX proposals for rekeying */ | 2926 | /* remove ext-info from the KEX proposals for rekeying */ |
| 2925 | myproposal[PROPOSAL_KEX_ALGS] = | 2927 | myproposal[PROPOSAL_KEX_ALGS] = |
| @@ -2937,10 +2939,10 @@ index f8a54bee..5743c2c4 100644 | |||
| 2937 | if ((r = kex_prop2buf(kex->my, myproposal)) != 0) | 2939 | if ((r = kex_prop2buf(kex->my, myproposal)) != 0) |
| 2938 | fatal("kex_prop2buf: %s", ssh_err(r)); | 2940 | fatal("kex_prop2buf: %s", ssh_err(r)); |
| 2939 | 2941 | ||
| 2940 | @@ -311,6 +371,7 @@ int input_gssapi_token(int type, u_int32_t, void *); | 2942 | @@ -311,6 +371,7 @@ int input_gssapi_token(int type, u_int32_t, struct ssh *); |
| 2941 | int input_gssapi_hash(int type, u_int32_t, void *); | 2943 | int input_gssapi_hash(int type, u_int32_t, struct ssh *); |
| 2942 | int input_gssapi_error(int, u_int32_t, void *); | 2944 | int input_gssapi_error(int, u_int32_t, struct ssh *); |
| 2943 | int input_gssapi_errtok(int, u_int32_t, void *); | 2945 | int input_gssapi_errtok(int, u_int32_t, struct ssh *); |
| 2944 | +int userauth_gsskeyex(Authctxt *authctxt); | 2946 | +int userauth_gsskeyex(Authctxt *authctxt); |
| 2945 | #endif | 2947 | #endif |
| 2946 | 2948 | ||
| @@ -2957,7 +2959,7 @@ index f8a54bee..5743c2c4 100644 | |||
| 2957 | {"gssapi-with-mic", | 2959 | {"gssapi-with-mic", |
| 2958 | userauth_gssapi, | 2960 | userauth_gssapi, |
| 2959 | NULL, | 2961 | NULL, |
| 2960 | @@ -652,25 +718,40 @@ userauth_gssapi(Authctxt *authctxt) | 2962 | @@ -654,25 +720,40 @@ userauth_gssapi(Authctxt *authctxt) |
| 2961 | static u_int mech = 0; | 2963 | static u_int mech = 0; |
| 2962 | OM_uint32 min; | 2964 | OM_uint32 min; |
| 2963 | int ok = 0; | 2965 | int ok = 0; |
| @@ -3000,9 +3002,9 @@ index f8a54bee..5743c2c4 100644 | |||
| 3000 | if (!ok) | 3002 | if (!ok) |
| 3001 | return 0; | 3003 | return 0; |
| 3002 | 3004 | ||
| 3003 | @@ -761,8 +842,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 3005 | @@ -763,8 +844,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) |
| 3004 | { | 3006 | { |
| 3005 | Authctxt *authctxt = ctxt; | 3007 | Authctxt *authctxt = ssh->authctxt; |
| 3006 | Gssctxt *gssctxt; | 3008 | Gssctxt *gssctxt; |
| 3007 | - int oidlen; | 3009 | - int oidlen; |
| 3008 | - char *oidv; | 3010 | - char *oidv; |
| @@ -3011,7 +3013,7 @@ index f8a54bee..5743c2c4 100644 | |||
| 3011 | 3013 | ||
| 3012 | if (authctxt == NULL) | 3014 | if (authctxt == NULL) |
| 3013 | fatal("input_gssapi_response: no authentication context"); | 3015 | fatal("input_gssapi_response: no authentication context"); |
| 3014 | @@ -875,6 +956,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 3016 | @@ -877,6 +958,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) |
| 3015 | free(lang); | 3017 | free(lang); |
| 3016 | return 0; | 3018 | return 0; |
| 3017 | } | 3019 | } |
| @@ -3061,10 +3063,10 @@ index f8a54bee..5743c2c4 100644 | |||
| 3061 | 3063 | ||
| 3062 | int | 3064 | int |
| 3063 | diff --git a/sshd.c b/sshd.c | 3065 | diff --git a/sshd.c b/sshd.c |
| 3064 | index 010a2c38..20a7a5f3 100644 | 3066 | index 51a1aaf6..45e50fac 100644 |
| 3065 | --- a/sshd.c | 3067 | --- a/sshd.c |
| 3066 | +++ b/sshd.c | 3068 | +++ b/sshd.c |
| 3067 | @@ -123,6 +123,10 @@ | 3069 | @@ -122,6 +122,10 @@ |
| 3068 | #include "version.h" | 3070 | #include "version.h" |
| 3069 | #include "ssherr.h" | 3071 | #include "ssherr.h" |
| 3070 | 3072 | ||
| @@ -3075,7 +3077,7 @@ index 010a2c38..20a7a5f3 100644 | |||
| 3075 | /* Re-exec fds */ | 3077 | /* Re-exec fds */ |
| 3076 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 3078 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
| 3077 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 3079 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
| 3078 | @@ -531,7 +535,7 @@ privsep_preauth_child(void) | 3080 | @@ -529,7 +533,7 @@ privsep_preauth_child(void) |
| 3079 | 3081 | ||
| 3080 | #ifdef GSSAPI | 3082 | #ifdef GSSAPI |
| 3081 | /* Cache supported mechanism OIDs for later use */ | 3083 | /* Cache supported mechanism OIDs for later use */ |
| @@ -3084,7 +3086,7 @@ index 010a2c38..20a7a5f3 100644 | |||
| 3084 | ssh_gssapi_prepare_supported_oids(); | 3086 | ssh_gssapi_prepare_supported_oids(); |
| 3085 | #endif | 3087 | #endif |
| 3086 | 3088 | ||
| 3087 | @@ -1719,10 +1723,13 @@ main(int ac, char **av) | 3089 | @@ -1708,10 +1712,13 @@ main(int ac, char **av) |
| 3088 | key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); | 3090 | key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); |
| 3089 | free(fp); | 3091 | free(fp); |
| 3090 | } | 3092 | } |
| @@ -3098,7 +3100,7 @@ index 010a2c38..20a7a5f3 100644 | |||
| 3098 | 3100 | ||
| 3099 | /* | 3101 | /* |
| 3100 | * Load certificates. They are stored in an array at identical | 3102 | * Load certificates. They are stored in an array at identical |
| 3101 | @@ -1992,6 +1999,60 @@ main(int ac, char **av) | 3103 | @@ -1987,6 +1994,60 @@ main(int ac, char **av) |
| 3102 | remote_ip, remote_port, laddr, ssh_local_port(ssh)); | 3104 | remote_ip, remote_port, laddr, ssh_local_port(ssh)); |
| 3103 | free(laddr); | 3105 | free(laddr); |
| 3104 | 3106 | ||
| @@ -3159,7 +3161,7 @@ index 010a2c38..20a7a5f3 100644 | |||
| 3159 | /* | 3161 | /* |
| 3160 | * We don't want to listen forever unless the other side | 3162 | * We don't want to listen forever unless the other side |
| 3161 | * successfully authenticates itself. So we set up an alarm which is | 3163 | * successfully authenticates itself. So we set up an alarm which is |
| 3162 | @@ -2173,6 +2234,48 @@ do_ssh2_kex(void) | 3164 | @@ -2170,6 +2231,48 @@ do_ssh2_kex(void) |
| 3163 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 3165 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
| 3164 | list_hostkey_types()); | 3166 | list_hostkey_types()); |
| 3165 | 3167 | ||
| @@ -3208,7 +3210,7 @@ index 010a2c38..20a7a5f3 100644 | |||
| 3208 | /* start key exchange */ | 3210 | /* start key exchange */ |
| 3209 | if ((r = kex_setup(active_state, myproposal)) != 0) | 3211 | if ((r = kex_setup(active_state, myproposal)) != 0) |
| 3210 | fatal("kex_setup: %s", ssh_err(r)); | 3212 | fatal("kex_setup: %s", ssh_err(r)); |
| 3211 | @@ -2190,6 +2293,13 @@ do_ssh2_kex(void) | 3213 | @@ -2187,6 +2290,13 @@ do_ssh2_kex(void) |
| 3212 | # endif | 3214 | # endif |
| 3213 | #endif | 3215 | #endif |
| 3214 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 3216 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
| @@ -3236,10 +3238,10 @@ index 4eb2e02e..c01dd656 100644 | |||
| 3236 | # Set this to 'yes' to enable PAM authentication, account processing, | 3238 | # Set this to 'yes' to enable PAM authentication, account processing, |
| 3237 | # and session processing. If this is enabled, PAM authentication will | 3239 | # and session processing. If this is enabled, PAM authentication will |
| 3238 | diff --git a/sshd_config.5 b/sshd_config.5 | 3240 | diff --git a/sshd_config.5 b/sshd_config.5 |
| 3239 | index ac6ccc79..3f819c76 100644 | 3241 | index 251b7467..0dbcb8da 100644 |
| 3240 | --- a/sshd_config.5 | 3242 | --- a/sshd_config.5 |
| 3241 | +++ b/sshd_config.5 | 3243 | +++ b/sshd_config.5 |
| 3242 | @@ -627,6 +627,11 @@ The default is | 3244 | @@ -635,6 +635,11 @@ The default is |
| 3243 | Specifies whether user authentication based on GSSAPI is allowed. | 3245 | Specifies whether user authentication based on GSSAPI is allowed. |
| 3244 | The default is | 3246 | The default is |
| 3245 | .Cm no . | 3247 | .Cm no . |
| @@ -3251,7 +3253,7 @@ index ac6ccc79..3f819c76 100644 | |||
| 3251 | .It Cm GSSAPICleanupCredentials | 3253 | .It Cm GSSAPICleanupCredentials |
| 3252 | Specifies whether to automatically destroy the user's credentials cache | 3254 | Specifies whether to automatically destroy the user's credentials cache |
| 3253 | on logout. | 3255 | on logout. |
| 3254 | @@ -646,6 +651,11 @@ machine's default store. | 3256 | @@ -654,6 +659,11 @@ machine's default store. |
| 3255 | This facility is provided to assist with operation on multi homed machines. | 3257 | This facility is provided to assist with operation on multi homed machines. |
| 3256 | The default is | 3258 | The default is |
| 3257 | .Cm yes . | 3259 | .Cm yes . |
| @@ -3264,10 +3266,10 @@ index ac6ccc79..3f819c76 100644 | |||
| 3264 | Specifies the key types that will be accepted for hostbased authentication | 3266 | Specifies the key types that will be accepted for hostbased authentication |
| 3265 | as a comma-separated pattern list. | 3267 | as a comma-separated pattern list. |
| 3266 | diff --git a/sshkey.c b/sshkey.c | 3268 | diff --git a/sshkey.c b/sshkey.c |
| 3267 | index 53a7674b..54001989 100644 | 3269 | index e91c54f5..c2cf0e03 100644 |
| 3268 | --- a/sshkey.c | 3270 | --- a/sshkey.c |
| 3269 | +++ b/sshkey.c | 3271 | +++ b/sshkey.c |
| 3270 | @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { | 3272 | @@ -112,6 +112,7 @@ static const struct keytype keytypes[] = { |
| 3271 | # endif /* OPENSSL_HAS_NISTP521 */ | 3273 | # endif /* OPENSSL_HAS_NISTP521 */ |
| 3272 | # endif /* OPENSSL_HAS_ECC */ | 3274 | # endif /* OPENSSL_HAS_ECC */ |
| 3273 | #endif /* WITH_OPENSSL */ | 3275 | #endif /* WITH_OPENSSL */ |
| @@ -3275,7 +3277,7 @@ index 53a7674b..54001989 100644 | |||
| 3275 | { NULL, NULL, -1, -1, 0, 0 } | 3277 | { NULL, NULL, -1, -1, 0, 0 } |
| 3276 | }; | 3278 | }; |
| 3277 | 3279 | ||
| 3278 | @@ -204,7 +205,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) | 3280 | @@ -200,7 +201,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) |
| 3279 | const struct keytype *kt; | 3281 | const struct keytype *kt; |
| 3280 | 3282 | ||
| 3281 | for (kt = keytypes; kt->type != -1; kt++) { | 3283 | for (kt = keytypes; kt->type != -1; kt++) { |
| @@ -3285,10 +3287,10 @@ index 53a7674b..54001989 100644 | |||
| 3285 | if (!include_sigonly && kt->sigonly) | 3287 | if (!include_sigonly && kt->sigonly) |
| 3286 | continue; | 3288 | continue; |
| 3287 | diff --git a/sshkey.h b/sshkey.h | 3289 | diff --git a/sshkey.h b/sshkey.h |
| 3288 | index 1b9e42f4..f91e4a08 100644 | 3290 | index 9093eac5..b5d020cb 100644 |
| 3289 | --- a/sshkey.h | 3291 | --- a/sshkey.h |
| 3290 | +++ b/sshkey.h | 3292 | +++ b/sshkey.h |
| 3291 | @@ -62,6 +62,7 @@ enum sshkey_types { | 3293 | @@ -61,6 +61,7 @@ enum sshkey_types { |
| 3292 | KEY_DSA_CERT, | 3294 | KEY_DSA_CERT, |
| 3293 | KEY_ECDSA_CERT, | 3295 | KEY_ECDSA_CERT, |
| 3294 | KEY_ED25519_CERT, | 3296 | KEY_ED25519_CERT, |