Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch138
1 files changed, 69 insertions, 69 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 45d131d27..b858f4915 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 7ce79be85036c4b36937f1b1ba85f6094068412c Mon Sep 17 00:00:00 2001 1From 9da806e67101afdc0d3a1d304659927acf18f5c5 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -18,7 +18,7 @@ security history.
18 18
19Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master 19Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
20Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 20Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
21Last-Updated: 2019-06-05 21Last-Updated: 2019-10-09
22 22
23Patch-Name: gssapi.patch 23Patch-Name: gssapi.patch
24--- 24---
@@ -67,7 +67,7 @@ Patch-Name: gssapi.patch
67 create mode 100644 kexgsss.c 67 create mode 100644 kexgsss.c
68 68
69diff --git a/Makefile.in b/Makefile.in 69diff --git a/Makefile.in b/Makefile.in
70index 6f001bb36..c31821acc 100644 70index adb1977e2..ab29e4f05 100644
71--- a/Makefile.in 71--- a/Makefile.in
72+++ b/Makefile.in 72+++ b/Makefile.in
73@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 73@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -85,7 +85,7 @@ index 6f001bb36..c31821acc 100644
85- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 85- auth2-gss.o gss-serv.o gss-serv-krb5.o \
86+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 86+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
87 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 87 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
88 sftp-server.o sftp-common.o \ 88 sftp-server.o sftp-common.o sftp-realpath.o \
89 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 89 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
90diff --git a/auth-krb5.c b/auth-krb5.c 90diff --git a/auth-krb5.c b/auth-krb5.c
91index 3096f1c8e..204752e1b 100644 91index 3096f1c8e..204752e1b 100644
@@ -139,7 +139,7 @@ index 3096f1c8e..204752e1b 100644
139 return (krb5_cc_resolve(ctx, ccname, ccache)); 139 return (krb5_cc_resolve(ctx, ccname, ccache));
140 } 140 }
141diff --git a/auth.c b/auth.c 141diff --git a/auth.c b/auth.c
142index 8696f258e..f7a23afba 100644 142index ca450f4e4..47c27773c 100644
143--- a/auth.c 143--- a/auth.c
144+++ b/auth.c 144+++ b/auth.c
145@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) 145@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
@@ -179,7 +179,7 @@ index 8696f258e..f7a23afba 100644
179- fromlen = sizeof(from); 179- fromlen = sizeof(from);
180- memset(&from, 0, sizeof(from)); 180- memset(&from, 0, sizeof(from));
181- if (getpeername(ssh_packet_get_connection_in(ssh), 181- if (getpeername(ssh_packet_get_connection_in(ssh),
182- (struct sockaddr *)&from, &fromlen) < 0) { 182- (struct sockaddr *)&from, &fromlen) == -1) {
183- debug("getpeername failed: %.100s", strerror(errno)); 183- debug("getpeername failed: %.100s", strerror(errno));
184- return strdup(ntop); 184- return strdup(ntop);
185- } 185- }
@@ -348,10 +348,10 @@ index 9351e0428..d6446c0cf 100644
348 "gssapi-with-mic", 348 "gssapi-with-mic",
349 userauth_gssapi, 349 userauth_gssapi,
350diff --git a/auth2.c b/auth2.c 350diff --git a/auth2.c b/auth2.c
351index 16ae1a363..7417eafa4 100644 351index 0e7762242..1c217268c 100644
352--- a/auth2.c 352--- a/auth2.c
353+++ b/auth2.c 353+++ b/auth2.c
354@@ -75,6 +75,7 @@ extern Authmethod method_passwd; 354@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
355 extern Authmethod method_kbdint; 355 extern Authmethod method_kbdint;
356 extern Authmethod method_hostbased; 356 extern Authmethod method_hostbased;
357 #ifdef GSSAPI 357 #ifdef GSSAPI
@@ -359,7 +359,7 @@ index 16ae1a363..7417eafa4 100644
359 extern Authmethod method_gssapi; 359 extern Authmethod method_gssapi;
360 #endif 360 #endif
361 361
362@@ -82,6 +83,7 @@ Authmethod *authmethods[] = { 362@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
363 &method_none, 363 &method_none,
364 &method_pubkey, 364 &method_pubkey,
365 #ifdef GSSAPI 365 #ifdef GSSAPI
@@ -368,7 +368,7 @@ index 16ae1a363..7417eafa4 100644
368 #endif 368 #endif
369 &method_passwd, 369 &method_passwd,
370diff --git a/canohost.c b/canohost.c 370diff --git a/canohost.c b/canohost.c
371index f71a08568..404731d24 100644 371index abea9c6e6..9a00fc2cf 100644
372--- a/canohost.c 372--- a/canohost.c
373+++ b/canohost.c 373+++ b/canohost.c
374@@ -35,6 +35,99 @@ 374@@ -35,6 +35,99 @@
@@ -398,7 +398,7 @@ index f71a08568..404731d24 100644
398+ fromlen = sizeof(from); 398+ fromlen = sizeof(from);
399+ memset(&from, 0, sizeof(from)); 399+ memset(&from, 0, sizeof(from));
400+ if (getpeername(ssh_packet_get_connection_in(ssh), 400+ if (getpeername(ssh_packet_get_connection_in(ssh),
401+ (struct sockaddr *)&from, &fromlen) < 0) { 401+ (struct sockaddr *)&from, &fromlen) == -1) {
402+ debug("getpeername failed: %.100s", strerror(errno)); 402+ debug("getpeername failed: %.100s", strerror(errno));
403+ return strdup(ntop); 403+ return strdup(ntop);
404+ } 404+ }
@@ -486,7 +486,7 @@ index 26d62855a..0cadc9f18 100644
486 int get_peer_port(int); 486 int get_peer_port(int);
487 char *get_local_ipaddr(int); 487 char *get_local_ipaddr(int);
488diff --git a/clientloop.c b/clientloop.c 488diff --git a/clientloop.c b/clientloop.c
489index 086c0dfe8..9b90c64f3 100644 489index b5a1f7038..9def2a1a9 100644
490--- a/clientloop.c 490--- a/clientloop.c
491+++ b/clientloop.c 491+++ b/clientloop.c
492@@ -112,6 +112,10 @@ 492@@ -112,6 +112,10 @@
@@ -500,7 +500,7 @@ index 086c0dfe8..9b90c64f3 100644
500 /* import options */ 500 /* import options */
501 extern Options options; 501 extern Options options;
502 502
503@@ -1374,9 +1378,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, 503@@ -1373,9 +1377,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
504 break; 504 break;
505 505
506 /* Do channel operations unless rekeying in progress. */ 506 /* Do channel operations unless rekeying in progress. */
@@ -521,10 +521,10 @@ index 086c0dfe8..9b90c64f3 100644
521 client_process_net_input(ssh, readset); 521 client_process_net_input(ssh, readset);
522 522
523diff --git a/configure.ac b/configure.ac 523diff --git a/configure.ac b/configure.ac
524index 30be6c182..2869f7042 100644 524index 3e93c0276..1c2512314 100644
525--- a/configure.ac 525--- a/configure.ac
526+++ b/configure.ac 526+++ b/configure.ac
527@@ -665,6 +665,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 527@@ -666,6 +666,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
528 [Use tunnel device compatibility to OpenBSD]) 528 [Use tunnel device compatibility to OpenBSD])
529 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 529 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
530 [Prepend the address family to IP tunnel traffic]) 530 [Prepend the address family to IP tunnel traffic])
@@ -1339,19 +1339,19 @@ index ab3a15f0f..1d47870e7 100644
1339 1339
1340 /* Privileged */ 1340 /* Privileged */
1341diff --git a/hmac.c b/hmac.c 1341diff --git a/hmac.c b/hmac.c
1342index 1c879640c..a29f32c5c 100644 1342index 32688876d..a79e8569c 100644
1343--- a/hmac.c 1343--- a/hmac.c
1344+++ b/hmac.c 1344+++ b/hmac.c
1345@@ -19,6 +19,7 @@ 1345@@ -21,6 +21,7 @@
1346 1346
1347 #include <sys/types.h> 1347 #include <stdlib.h>
1348 #include <string.h> 1348 #include <string.h>
1349+#include <stdlib.h> 1349+#include <stdlib.h>
1350 1350
1351 #include "sshbuf.h" 1351 #include "sshbuf.h"
1352 #include "digest.h" 1352 #include "digest.h"
1353diff --git a/kex.c b/kex.c 1353diff --git a/kex.c b/kex.c
1354index 34808b5c3..a2a4794e8 100644 1354index 49d701568..e09355dbd 100644
1355--- a/kex.c 1355--- a/kex.c
1356+++ b/kex.c 1356+++ b/kex.c
1357@@ -55,11 +55,16 @@ 1357@@ -55,11 +55,16 @@
@@ -1373,7 +1373,7 @@ index 34808b5c3..a2a4794e8 100644
1373 static int kex_input_newkeys(int, u_int32_t, struct ssh *); 1373 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
1374@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = { 1374@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = {
1375 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 1375 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
1376 { NULL, -1, -1, -1}, 1376 { NULL, 0, -1, -1},
1377 }; 1377 };
1378+static const struct kexalg gss_kexalgs[] = { 1378+static const struct kexalg gss_kexalgs[] = {
1379+#ifdef GSSAPI 1379+#ifdef GSSAPI
@@ -1386,7 +1386,7 @@ index 34808b5c3..a2a4794e8 100644
1386+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 1386+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
1387+ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 1387+ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
1388+#endif 1388+#endif
1389+ { NULL, -1, -1, -1 }, 1389+ { NULL, 0, -1, -1 },
1390+}; 1390+};
1391 1391
1392-char * 1392-char *
@@ -1433,7 +1433,7 @@ index 34808b5c3..a2a4794e8 100644
1433 return NULL; 1433 return NULL;
1434 } 1434 }
1435 1435
1436@@ -301,6 +335,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) 1436@@ -313,6 +347,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
1437 return r; 1437 return r;
1438 } 1438 }
1439 1439
@@ -1463,7 +1463,7 @@ index 34808b5c3..a2a4794e8 100644
1463 /* put algorithm proposal into buffer */ 1463 /* put algorithm proposal into buffer */
1464 int 1464 int
1465 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 1465 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
1466@@ -657,6 +714,9 @@ kex_free(struct kex *kex) 1466@@ -696,6 +753,9 @@ kex_free(struct kex *kex)
1467 sshbuf_free(kex->server_version); 1467 sshbuf_free(kex->server_version);
1468 sshbuf_free(kex->client_pub); 1468 sshbuf_free(kex->client_pub);
1469 free(kex->session_id); 1469 free(kex->session_id);
@@ -1474,10 +1474,10 @@ index 34808b5c3..a2a4794e8 100644
1474 free(kex->hostkey_alg); 1474 free(kex->hostkey_alg);
1475 free(kex->name); 1475 free(kex->name);
1476diff --git a/kex.h b/kex.h 1476diff --git a/kex.h b/kex.h
1477index 6d446d1cc..2d5f1d4ed 100644 1477index a5ae6ac05..fe7141414 100644
1478--- a/kex.h 1478--- a/kex.h
1479+++ b/kex.h 1479+++ b/kex.h
1480@@ -103,6 +103,15 @@ enum kex_exchange { 1480@@ -102,6 +102,15 @@ enum kex_exchange {
1481 KEX_ECDH_SHA2, 1481 KEX_ECDH_SHA2,
1482 KEX_C25519_SHA256, 1482 KEX_C25519_SHA256,
1483 KEX_KEM_SNTRUP4591761X25519_SHA512, 1483 KEX_KEM_SNTRUP4591761X25519_SHA512,
@@ -1493,7 +1493,7 @@ index 6d446d1cc..2d5f1d4ed 100644
1493 KEX_MAX 1493 KEX_MAX
1494 }; 1494 };
1495 1495
1496@@ -154,6 +163,12 @@ struct kex { 1496@@ -153,6 +162,12 @@ struct kex {
1497 u_int flags; 1497 u_int flags;
1498 int hash_alg; 1498 int hash_alg;
1499 int ec_nid; 1499 int ec_nid;
@@ -1506,7 +1506,7 @@ index 6d446d1cc..2d5f1d4ed 100644
1506 char *failed_choice; 1506 char *failed_choice;
1507 int (*verify_host_key)(struct sshkey *, struct ssh *); 1507 int (*verify_host_key)(struct sshkey *, struct ssh *);
1508 struct sshkey *(*load_host_public_key)(int, int, struct ssh *); 1508 struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
1509@@ -175,8 +190,10 @@ struct kex { 1509@@ -174,8 +189,10 @@ struct kex {
1510 1510
1511 int kex_names_valid(const char *); 1511 int kex_names_valid(const char *);
1512 char *kex_alg_list(char); 1512 char *kex_alg_list(char);
@@ -1517,7 +1517,7 @@ index 6d446d1cc..2d5f1d4ed 100644
1517 1517
1518 int kex_exchange_identification(struct ssh *, int, const char *); 1518 int kex_exchange_identification(struct ssh *, int, const char *);
1519 1519
1520@@ -203,6 +220,12 @@ int kexgex_client(struct ssh *); 1520@@ -202,6 +219,12 @@ int kexgex_client(struct ssh *);
1521 int kexgex_server(struct ssh *); 1521 int kexgex_server(struct ssh *);
1522 int kex_gen_client(struct ssh *); 1522 int kex_gen_client(struct ssh *);
1523 int kex_gen_server(struct ssh *); 1523 int kex_gen_server(struct ssh *);
@@ -1530,7 +1530,7 @@ index 6d446d1cc..2d5f1d4ed 100644
1530 1530
1531 int kex_dh_keypair(struct kex *); 1531 int kex_dh_keypair(struct kex *);
1532 int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, 1532 int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
1533@@ -235,6 +258,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *, 1533@@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
1534 const BIGNUM *, const u_char *, size_t, 1534 const BIGNUM *, const u_char *, size_t,
1535 u_char *, size_t *); 1535 u_char *, size_t *);
1536 1536
@@ -1572,10 +1572,10 @@ index 67133e339..edaa46762 100644
1572 break; 1572 break;
1573 case KEX_DH_GRP18_SHA512: 1573 case KEX_DH_GRP18_SHA512:
1574diff --git a/kexgen.c b/kexgen.c 1574diff --git a/kexgen.c b/kexgen.c
1575index 2abbb9ef6..569dc83f3 100644 1575index bb996b504..d353ed8b0 100644
1576--- a/kexgen.c 1576--- a/kexgen.c
1577+++ b/kexgen.c 1577+++ b/kexgen.c
1578@@ -43,7 +43,7 @@ 1578@@ -44,7 +44,7 @@
1579 static int input_kex_gen_init(int, u_int32_t, struct ssh *); 1579 static int input_kex_gen_init(int, u_int32_t, struct ssh *);
1580 static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); 1580 static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
1581 1581
@@ -2677,11 +2677,11 @@ index 000000000..60bc02deb
2677+} 2677+}
2678+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ 2678+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
2679diff --git a/mac.c b/mac.c 2679diff --git a/mac.c b/mac.c
2680index 51dc11d76..3d11eba62 100644 2680index f3dda6692..de346ed20 100644
2681--- a/mac.c 2681--- a/mac.c
2682+++ b/mac.c 2682+++ b/mac.c
2683@@ -29,6 +29,7 @@ 2683@@ -30,6 +30,7 @@
2684 2684 #include <stdlib.h>
2685 #include <string.h> 2685 #include <string.h>
2686 #include <stdio.h> 2686 #include <stdio.h>
2687+#include <stdlib.h> 2687+#include <stdlib.h>
@@ -2689,7 +2689,7 @@ index 51dc11d76..3d11eba62 100644
2689 #include "digest.h" 2689 #include "digest.h"
2690 #include "hmac.h" 2690 #include "hmac.h"
2691diff --git a/monitor.c b/monitor.c 2691diff --git a/monitor.c b/monitor.c
2692index 60e529444..0766d6ef5 100644 2692index 00af44f98..bead9e204 100644
2693--- a/monitor.c 2693--- a/monitor.c
2694+++ b/monitor.c 2694+++ b/monitor.c
2695@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); 2695@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
@@ -2936,7 +2936,7 @@ index 683e5e071..2b1a2d590 100644
2936 2936
2937 struct ssh; 2937 struct ssh;
2938diff --git a/monitor_wrap.c b/monitor_wrap.c 2938diff --git a/monitor_wrap.c b/monitor_wrap.c
2939index 186e8f022..8e4c1c1f8 100644 2939index 4169b7604..fdca39a6a 100644
2940--- a/monitor_wrap.c 2940--- a/monitor_wrap.c
2941+++ b/monitor_wrap.c 2941+++ b/monitor_wrap.c
2942@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2942@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
@@ -3015,10 +3015,10 @@ index 186e8f022..8e4c1c1f8 100644
3015+ 3015+
3016 #endif /* GSSAPI */ 3016 #endif /* GSSAPI */
3017diff --git a/monitor_wrap.h b/monitor_wrap.h 3017diff --git a/monitor_wrap.h b/monitor_wrap.h
3018index fdebb3aa4..69164a8c0 100644 3018index 191277f3a..92dda574b 100644
3019--- a/monitor_wrap.h 3019--- a/monitor_wrap.h
3020+++ b/monitor_wrap.h 3020+++ b/monitor_wrap.h
3021@@ -61,8 +61,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, 3021@@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
3022 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 3022 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
3023 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 3023 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
3024 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 3024 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -3031,7 +3031,7 @@ index fdebb3aa4..69164a8c0 100644
3031 3031
3032 #ifdef USE_PAM 3032 #ifdef USE_PAM
3033diff --git a/readconf.c b/readconf.c 3033diff --git a/readconf.c b/readconf.c
3034index ec497e79f..4d699e5f1 100644 3034index f78b4d6fe..3c68d1a88 100644
3035--- a/readconf.c 3035--- a/readconf.c
3036+++ b/readconf.c 3036+++ b/readconf.c
3037@@ -67,6 +67,7 @@ 3037@@ -67,6 +67,7 @@
@@ -3074,7 +3074,7 @@ index ec497e79f..4d699e5f1 100644
3074 #endif 3074 #endif
3075 #ifdef ENABLE_PKCS11 3075 #ifdef ENABLE_PKCS11
3076 { "pkcs11provider", oPKCS11Provider }, 3076 { "pkcs11provider", oPKCS11Provider },
3077@@ -983,10 +998,42 @@ parse_time: 3077@@ -988,10 +1003,42 @@ parse_time:
3078 intptr = &options->gss_authentication; 3078 intptr = &options->gss_authentication;
3079 goto parse_flag; 3079 goto parse_flag;
3080 3080
@@ -3117,7 +3117,7 @@ index ec497e79f..4d699e5f1 100644
3117 case oBatchMode: 3117 case oBatchMode:
3118 intptr = &options->batch_mode; 3118 intptr = &options->batch_mode;
3119 goto parse_flag; 3119 goto parse_flag;
3120@@ -1854,7 +1901,13 @@ initialize_options(Options * options) 3120@@ -1863,7 +1910,13 @@ initialize_options(Options * options)
3121 options->pubkey_authentication = -1; 3121 options->pubkey_authentication = -1;
3122 options->challenge_response_authentication = -1; 3122 options->challenge_response_authentication = -1;
3123 options->gss_authentication = -1; 3123 options->gss_authentication = -1;
@@ -3131,7 +3131,7 @@ index ec497e79f..4d699e5f1 100644
3131 options->password_authentication = -1; 3131 options->password_authentication = -1;
3132 options->kbd_interactive_authentication = -1; 3132 options->kbd_interactive_authentication = -1;
3133 options->kbd_interactive_devices = NULL; 3133 options->kbd_interactive_devices = NULL;
3134@@ -2000,8 +2053,18 @@ fill_default_options(Options * options) 3134@@ -2009,8 +2062,18 @@ fill_default_options(Options * options)
3135 options->challenge_response_authentication = 1; 3135 options->challenge_response_authentication = 1;
3136 if (options->gss_authentication == -1) 3136 if (options->gss_authentication == -1)
3137 options->gss_authentication = 0; 3137 options->gss_authentication = 0;
@@ -3150,7 +3150,7 @@ index ec497e79f..4d699e5f1 100644
3150 if (options->password_authentication == -1) 3150 if (options->password_authentication == -1)
3151 options->password_authentication = 1; 3151 options->password_authentication = 1;
3152 if (options->kbd_interactive_authentication == -1) 3152 if (options->kbd_interactive_authentication == -1)
3153@@ -2616,7 +2679,14 @@ dump_client_config(Options *o, const char *host) 3153@@ -2625,7 +2688,14 @@ dump_client_config(Options *o, const char *host)
3154 dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); 3154 dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
3155 #ifdef GSSAPI 3155 #ifdef GSSAPI
3156 dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); 3156 dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3184,7 +3184,7 @@ index 8e36bf32a..0bff6d80a 100644
3184 * authentication. */ 3184 * authentication. */
3185 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 3185 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
3186diff --git a/servconf.c b/servconf.c 3186diff --git a/servconf.c b/servconf.c
3187index ffac5d2c7..ffdad31e7 100644 3187index e76f9c39e..f63eb0b94 100644
3188--- a/servconf.c 3188--- a/servconf.c
3189+++ b/servconf.c 3189+++ b/servconf.c
3190@@ -64,6 +64,7 @@ 3190@@ -64,6 +64,7 @@
@@ -3257,7 +3257,7 @@ index ffac5d2c7..ffdad31e7 100644
3257 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 3257 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
3258 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 3258 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
3259 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 3259 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
3260@@ -1485,6 +1508,10 @@ process_server_config_line(ServerOptions *options, char *line, 3260@@ -1488,6 +1511,10 @@ process_server_config_line(ServerOptions *options, char *line,
3261 intptr = &options->gss_authentication; 3261 intptr = &options->gss_authentication;
3262 goto parse_flag; 3262 goto parse_flag;
3263 3263
@@ -3268,7 +3268,7 @@ index ffac5d2c7..ffdad31e7 100644
3268 case sGssCleanupCreds: 3268 case sGssCleanupCreds:
3269 intptr = &options->gss_cleanup_creds; 3269 intptr = &options->gss_cleanup_creds;
3270 goto parse_flag; 3270 goto parse_flag;
3271@@ -1493,6 +1520,22 @@ process_server_config_line(ServerOptions *options, char *line, 3271@@ -1496,6 +1523,22 @@ process_server_config_line(ServerOptions *options, char *line,
3272 intptr = &options->gss_strict_acceptor; 3272 intptr = &options->gss_strict_acceptor;
3273 goto parse_flag; 3273 goto parse_flag;
3274 3274
@@ -3291,7 +3291,7 @@ index ffac5d2c7..ffdad31e7 100644
3291 case sPasswordAuthentication: 3291 case sPasswordAuthentication:
3292 intptr = &options->password_authentication; 3292 intptr = &options->password_authentication;
3293 goto parse_flag; 3293 goto parse_flag;
3294@@ -2579,6 +2622,10 @@ dump_config(ServerOptions *o) 3294@@ -2585,6 +2628,10 @@ dump_config(ServerOptions *o)
3295 #ifdef GSSAPI 3295 #ifdef GSSAPI
3296 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 3296 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
3297 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 3297 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3303,7 +3303,7 @@ index ffac5d2c7..ffdad31e7 100644
3303 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 3303 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
3304 dump_cfg_fmtint(sKbdInteractiveAuthentication, 3304 dump_cfg_fmtint(sKbdInteractiveAuthentication,
3305diff --git a/servconf.h b/servconf.h 3305diff --git a/servconf.h b/servconf.h
3306index 54e0a8d8d..a476d5220 100644 3306index 5483da051..29329ba1f 100644
3307--- a/servconf.h 3307--- a/servconf.h
3308+++ b/servconf.h 3308+++ b/servconf.h
3309@@ -126,8 +126,11 @@ typedef struct { 3309@@ -126,8 +126,11 @@ typedef struct {
@@ -3319,7 +3319,7 @@ index 54e0a8d8d..a476d5220 100644
3319 * authentication. */ 3319 * authentication. */
3320 int kbd_interactive_authentication; /* If true, permit */ 3320 int kbd_interactive_authentication; /* If true, permit */
3321diff --git a/session.c b/session.c 3321diff --git a/session.c b/session.c
3322index ac06b08e9..ac3d9d19d 100644 3322index 8f5d7e0a4..f1a47f766 100644
3323--- a/session.c 3323--- a/session.c
3324+++ b/session.c 3324+++ b/session.c
3325@@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) 3325@@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -3465,7 +3465,7 @@ index 36180d07a..70dd36658 100644
3465 3465
3466 #endif /* _SSH_GSS_H */ 3466 #endif /* _SSH_GSS_H */
3467diff --git a/ssh.1 b/ssh.1 3467diff --git a/ssh.1 b/ssh.1
3468index 9480eba8d..a1c7d2305 100644 3468index 424d6c3e8..26940ad55 100644
3469--- a/ssh.1 3469--- a/ssh.1
3470+++ b/ssh.1 3470+++ b/ssh.1
3471@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see 3471@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see
@@ -3492,7 +3492,7 @@ index 9480eba8d..a1c7d2305 100644
3492 (key types), 3492 (key types),
3493 .Ar key-cert 3493 .Ar key-cert
3494diff --git a/ssh.c b/ssh.c 3494diff --git a/ssh.c b/ssh.c
3495index 91e7c3511..42be7d88f 100644 3495index ee51823cd..2da9f5d0d 100644
3496--- a/ssh.c 3496--- a/ssh.c
3497+++ b/ssh.c 3497+++ b/ssh.c
3498@@ -736,6 +736,8 @@ main(int ac, char **av) 3498@@ -736,6 +736,8 @@ main(int ac, char **av)
@@ -3527,10 +3527,10 @@ index 5e8ef548b..1ff999b68 100644
3527 # CheckHostIP yes 3527 # CheckHostIP yes
3528 # AddressFamily any 3528 # AddressFamily any
3529diff --git a/ssh_config.5 b/ssh_config.5 3529diff --git a/ssh_config.5 b/ssh_config.5
3530index 412629637..c3c8b274a 100644 3530index 02a87892d..f4668673b 100644
3531--- a/ssh_config.5 3531--- a/ssh_config.5
3532+++ b/ssh_config.5 3532+++ b/ssh_config.5
3533@@ -754,10 +754,67 @@ The default is 3533@@ -758,10 +758,67 @@ The default is
3534 Specifies whether user authentication based on GSSAPI is allowed. 3534 Specifies whether user authentication based on GSSAPI is allowed.
3535 The default is 3535 The default is
3536 .Cm no . 3536 .Cm no .
@@ -3599,7 +3599,7 @@ index 412629637..c3c8b274a 100644
3599 Indicates that 3599 Indicates that
3600 .Xr ssh 1 3600 .Xr ssh 1
3601diff --git a/sshconnect2.c b/sshconnect2.c 3601diff --git a/sshconnect2.c b/sshconnect2.c
3602index dffee90b1..4020371ae 100644 3602index 87fa70a40..a4ec75ca1 100644
3603--- a/sshconnect2.c 3603--- a/sshconnect2.c
3604+++ b/sshconnect2.c 3604+++ b/sshconnect2.c
3605@@ -78,8 +78,6 @@ 3605@@ -78,8 +78,6 @@
@@ -3726,7 +3726,7 @@ index dffee90b1..4020371ae 100644
3726 {"gssapi-with-mic", 3726 {"gssapi-with-mic",
3727 userauth_gssapi, 3727 userauth_gssapi,
3728 userauth_gssapi_cleanup, 3728 userauth_gssapi_cleanup,
3729@@ -698,12 +766,25 @@ userauth_gssapi(struct ssh *ssh) 3729@@ -697,12 +765,25 @@ userauth_gssapi(struct ssh *ssh)
3730 OM_uint32 min; 3730 OM_uint32 min;
3731 int r, ok = 0; 3731 int r, ok = 0;
3732 gss_OID mech = NULL; 3732 gss_OID mech = NULL;
@@ -3753,7 +3753,7 @@ index dffee90b1..4020371ae 100644
3753 3753
3754 /* Check to see whether the mechanism is usable before we offer it */ 3754 /* Check to see whether the mechanism is usable before we offer it */
3755 while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && 3755 while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
3756@@ -712,13 +793,15 @@ userauth_gssapi(struct ssh *ssh) 3756@@ -711,13 +792,15 @@ userauth_gssapi(struct ssh *ssh)
3757 elements[authctxt->mech_tried]; 3757 elements[authctxt->mech_tried];
3758 /* My DER encoding requires length<128 */ 3758 /* My DER encoding requires length<128 */
3759 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, 3759 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3770,7 +3770,7 @@ index dffee90b1..4020371ae 100644
3770 if (!ok || mech == NULL) 3770 if (!ok || mech == NULL)
3771 return 0; 3771 return 0;
3772 3772
3773@@ -958,6 +1041,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) 3773@@ -957,6 +1040,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3774 free(lang); 3774 free(lang);
3775 return r; 3775 return r;
3776 } 3776 }
@@ -3827,7 +3827,7 @@ index dffee90b1..4020371ae 100644
3827 3827
3828 static int 3828 static int
3829diff --git a/sshd.c b/sshd.c 3829diff --git a/sshd.c b/sshd.c
3830index cbd3bce91..98680721b 100644 3830index 11571c010..3a5c1ea78 100644
3831--- a/sshd.c 3831--- a/sshd.c
3832+++ b/sshd.c 3832+++ b/sshd.c
3833@@ -123,6 +123,10 @@ 3833@@ -123,6 +123,10 @@
@@ -3852,7 +3852,7 @@ index cbd3bce91..98680721b 100644
3852 sshpkt_fatal(ssh, r, "%s: send", __func__); 3852 sshpkt_fatal(ssh, r, "%s: send", __func__);
3853 sshbuf_free(buf); 3853 sshbuf_free(buf);
3854 } 3854 }
3855@@ -1769,7 +1773,8 @@ main(int ac, char **av) 3855@@ -1773,7 +1777,8 @@ main(int ac, char **av)
3856 free(fp); 3856 free(fp);
3857 } 3857 }
3858 accumulate_host_timing_secret(cfg, NULL); 3858 accumulate_host_timing_secret(cfg, NULL);
@@ -3862,7 +3862,7 @@ index cbd3bce91..98680721b 100644
3862 logit("sshd: no hostkeys available -- exiting."); 3862 logit("sshd: no hostkeys available -- exiting.");
3863 exit(1); 3863 exit(1);
3864 } 3864 }
3865@@ -2064,6 +2069,60 @@ main(int ac, char **av) 3865@@ -2069,6 +2074,60 @@ main(int ac, char **av)
3866 rdomain == NULL ? "" : "\""); 3866 rdomain == NULL ? "" : "\"");
3867 free(laddr); 3867 free(laddr);
3868 3868
@@ -3923,7 +3923,7 @@ index cbd3bce91..98680721b 100644
3923 /* 3923 /*
3924 * We don't want to listen forever unless the other side 3924 * We don't want to listen forever unless the other side
3925 * successfully authenticates itself. So we set up an alarm which is 3925 * successfully authenticates itself. So we set up an alarm which is
3926@@ -2260,6 +2319,48 @@ do_ssh2_kex(struct ssh *ssh) 3926@@ -2265,6 +2324,48 @@ do_ssh2_kex(struct ssh *ssh)
3927 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3927 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3928 list_hostkey_types()); 3928 list_hostkey_types());
3929 3929
@@ -3972,7 +3972,7 @@ index cbd3bce91..98680721b 100644
3972 /* start key exchange */ 3972 /* start key exchange */
3973 if ((r = kex_setup(ssh, myproposal)) != 0) 3973 if ((r = kex_setup(ssh, myproposal)) != 0)
3974 fatal("kex_setup: %s", ssh_err(r)); 3974 fatal("kex_setup: %s", ssh_err(r));
3975@@ -2275,7 +2376,18 @@ do_ssh2_kex(struct ssh *ssh) 3975@@ -2280,7 +2381,18 @@ do_ssh2_kex(struct ssh *ssh)
3976 # ifdef OPENSSL_HAS_ECC 3976 # ifdef OPENSSL_HAS_ECC
3977 kex->kex[KEX_ECDH_SHA2] = kex_gen_server; 3977 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
3978 # endif 3978 # endif
@@ -4006,10 +4006,10 @@ index 19b7c91a1..2c48105f8 100644
4006 # Set this to 'yes' to enable PAM authentication, account processing, 4006 # Set this to 'yes' to enable PAM authentication, account processing,
4007 # and session processing. If this is enabled, PAM authentication will 4007 # and session processing. If this is enabled, PAM authentication will
4008diff --git a/sshd_config.5 b/sshd_config.5 4008diff --git a/sshd_config.5 b/sshd_config.5
4009index b224f2929..2baa6622b 100644 4009index 9486f2a1c..cec3c3c4e 100644
4010--- a/sshd_config.5 4010--- a/sshd_config.5
4011+++ b/sshd_config.5 4011+++ b/sshd_config.5
4012@@ -653,6 +653,11 @@ Specifies whether to automatically destroy the user's credentials cache 4012@@ -655,6 +655,11 @@ Specifies whether to automatically destroy the user's credentials cache
4013 on logout. 4013 on logout.
4014 The default is 4014 The default is
4015 .Cm yes . 4015 .Cm yes .
@@ -4021,7 +4021,7 @@ index b224f2929..2baa6622b 100644
4021 .It Cm GSSAPIStrictAcceptorCheck 4021 .It Cm GSSAPIStrictAcceptorCheck
4022 Determines whether to be strict about the identity of the GSSAPI acceptor 4022 Determines whether to be strict about the identity of the GSSAPI acceptor
4023 a client authenticates against. 4023 a client authenticates against.
4024@@ -667,6 +672,31 @@ machine's default store. 4024@@ -669,6 +674,31 @@ machine's default store.
4025 This facility is provided to assist with operation on multi homed machines. 4025 This facility is provided to assist with operation on multi homed machines.
4026 The default is 4026 The default is
4027 .Cm yes . 4027 .Cm yes .
@@ -4054,10 +4054,10 @@ index b224f2929..2baa6622b 100644
4054 Specifies the key types that will be accepted for hostbased authentication 4054 Specifies the key types that will be accepted for hostbased authentication
4055 as a list of comma-separated patterns. 4055 as a list of comma-separated patterns.
4056diff --git a/sshkey.c b/sshkey.c 4056diff --git a/sshkey.c b/sshkey.c
4057index ad1957762..789cd61ef 100644 4057index ef90563b3..4d2048b6a 100644
4058--- a/sshkey.c 4058--- a/sshkey.c
4059+++ b/sshkey.c 4059+++ b/sshkey.c
4060@@ -135,6 +135,7 @@ static const struct keytype keytypes[] = { 4060@@ -145,6 +145,7 @@ static const struct keytype keytypes[] = {
4061 # endif /* OPENSSL_HAS_NISTP521 */ 4061 # endif /* OPENSSL_HAS_NISTP521 */
4062 # endif /* OPENSSL_HAS_ECC */ 4062 # endif /* OPENSSL_HAS_ECC */
4063 #endif /* WITH_OPENSSL */ 4063 #endif /* WITH_OPENSSL */
@@ -4065,7 +4065,7 @@ index ad1957762..789cd61ef 100644
4065 { NULL, NULL, NULL, -1, -1, 0, 0 } 4065 { NULL, NULL, NULL, -1, -1, 0, 0 }
4066 }; 4066 };
4067 4067
4068@@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 4068@@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
4069 const struct keytype *kt; 4069 const struct keytype *kt;
4070 4070
4071 for (kt = keytypes; kt->type != -1; kt++) { 4071 for (kt = keytypes; kt->type != -1; kt++) {
@@ -4075,7 +4075,7 @@ index ad1957762..789cd61ef 100644
4075 if (!include_sigonly && kt->sigonly) 4075 if (!include_sigonly && kt->sigonly)
4076 continue; 4076 continue;
4077diff --git a/sshkey.h b/sshkey.h 4077diff --git a/sshkey.h b/sshkey.h
4078index a91e60436..c11106c93 100644 4078index 1119a7b07..1bf30d055 100644
4079--- a/sshkey.h 4079--- a/sshkey.h
4080+++ b/sshkey.h 4080+++ b/sshkey.h
4081@@ -65,6 +65,7 @@ enum sshkey_types { 4081@@ -65,6 +65,7 @@ enum sshkey_types {