Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 152 |
1 files changed, 76 insertions, 76 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 0726a5020..a67ebced0 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4e70490950e5c5134df48848affaf73685bf0284 Mon Sep 17 00:00:00 2001 | 1 | From cb427e23bf78d65407c78d868c4ef525dbfaa68f Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -181,10 +181,10 @@ index 00000000..f117a336 | |||
181 | + (from jbasney AT ncsa.uiuc.edu) | 181 | + (from jbasney AT ncsa.uiuc.edu) |
182 | + <gssapi-with-mic support is Bugzilla #1008> | 182 | + <gssapi-with-mic support is Bugzilla #1008> |
183 | diff --git a/Makefile.in b/Makefile.in | 183 | diff --git a/Makefile.in b/Makefile.in |
184 | index c52ce191..f6e9fe4c 100644 | 184 | index 04e1c8e5..6f3f042b 100644 |
185 | --- a/Makefile.in | 185 | --- a/Makefile.in |
186 | +++ b/Makefile.in | 186 | +++ b/Makefile.in |
187 | @@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 187 | @@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
188 | kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ | 188 | kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ |
189 | kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ | 189 | kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ |
190 | kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ | 190 | kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ |
@@ -192,7 +192,7 @@ index c52ce191..f6e9fe4c 100644 | |||
192 | platform-pledge.o platform-tracing.o platform-misc.o | 192 | platform-pledge.o platform-tracing.o platform-misc.o |
193 | 193 | ||
194 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 194 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
195 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ | 195 | @@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ |
196 | auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ | 196 | auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
197 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 197 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
198 | monitor.o monitor_wrap.o auth-krb5.o \ | 198 | monitor.o monitor_wrap.o auth-krb5.o \ |
@@ -253,10 +253,10 @@ index a5a81ed2..38e7fee2 100644 | |||
253 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 253 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
254 | } | 254 | } |
255 | diff --git a/auth.c b/auth.c | 255 | diff --git a/auth.c b/auth.c |
256 | index a4490617..6aec3605 100644 | 256 | index 63366768..76d586e3 100644 |
257 | --- a/auth.c | 257 | --- a/auth.c |
258 | +++ b/auth.c | 258 | +++ b/auth.c |
259 | @@ -395,7 +395,8 @@ auth_root_allowed(const char *method) | 259 | @@ -396,7 +396,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) |
260 | case PERMIT_NO_PASSWD: | 260 | case PERMIT_NO_PASSWD: |
261 | if (strcmp(method, "publickey") == 0 || | 261 | if (strcmp(method, "publickey") == 0 || |
262 | strcmp(method, "hostbased") == 0 || | 262 | strcmp(method, "hostbased") == 0 || |
@@ -266,7 +266,7 @@ index a4490617..6aec3605 100644 | |||
266 | return 1; | 266 | return 1; |
267 | break; | 267 | break; |
268 | case PERMIT_FORCED_ONLY: | 268 | case PERMIT_FORCED_ONLY: |
269 | @@ -727,99 +728,6 @@ fakepw(void) | 269 | @@ -728,99 +729,6 @@ fakepw(void) |
270 | return (&fake); | 270 | return (&fake); |
271 | } | 271 | } |
272 | 272 | ||
@@ -455,7 +455,7 @@ index 589283b7..fd411d3a 100644 | |||
455 | "gssapi-with-mic", | 455 | "gssapi-with-mic", |
456 | userauth_gssapi, | 456 | userauth_gssapi, |
457 | diff --git a/auth2.c b/auth2.c | 457 | diff --git a/auth2.c b/auth2.c |
458 | index 862e0996..54070e3a 100644 | 458 | index e0034229..c34f58c4 100644 |
459 | --- a/auth2.c | 459 | --- a/auth2.c |
460 | +++ b/auth2.c | 460 | +++ b/auth2.c |
461 | @@ -72,6 +72,7 @@ extern Authmethod method_passwd; | 461 | @@ -72,6 +72,7 @@ extern Authmethod method_passwd; |
@@ -593,7 +593,7 @@ index 26d62855..0cadc9f1 100644 | |||
593 | int get_peer_port(int); | 593 | int get_peer_port(int); |
594 | char *get_local_ipaddr(int); | 594 | char *get_local_ipaddr(int); |
595 | diff --git a/clientloop.c b/clientloop.c | 595 | diff --git a/clientloop.c b/clientloop.c |
596 | index 791d336e..0010b833 100644 | 596 | index 7bcf22e3..ef803e98 100644 |
597 | --- a/clientloop.c | 597 | --- a/clientloop.c |
598 | +++ b/clientloop.c | 598 | +++ b/clientloop.c |
599 | @@ -112,6 +112,10 @@ | 599 | @@ -112,6 +112,10 @@ |
@@ -607,7 +607,7 @@ index 791d336e..0010b833 100644 | |||
607 | /* import options */ | 607 | /* import options */ |
608 | extern Options options; | 608 | extern Options options; |
609 | 609 | ||
610 | @@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, | 610 | @@ -1335,9 +1339,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, |
611 | break; | 611 | break; |
612 | 612 | ||
613 | /* Do channel operations unless rekeying in progress. */ | 613 | /* Do channel operations unless rekeying in progress. */ |
@@ -628,10 +628,10 @@ index 791d336e..0010b833 100644 | |||
628 | client_process_net_input(readset); | 628 | client_process_net_input(readset); |
629 | 629 | ||
630 | diff --git a/config.h.in b/config.h.in | 630 | diff --git a/config.h.in b/config.h.in |
631 | index 63fc548b..0b244fd5 100644 | 631 | index 57208740..4c9545c7 100644 |
632 | --- a/config.h.in | 632 | --- a/config.h.in |
633 | +++ b/config.h.in | 633 | +++ b/config.h.in |
634 | @@ -1696,6 +1696,9 @@ | 634 | @@ -1746,6 +1746,9 @@ |
635 | /* Use btmp to log bad logins */ | 635 | /* Use btmp to log bad logins */ |
636 | #undef USE_BTMP | 636 | #undef USE_BTMP |
637 | 637 | ||
@@ -641,7 +641,7 @@ index 63fc548b..0b244fd5 100644 | |||
641 | /* Use libedit for sftp */ | 641 | /* Use libedit for sftp */ |
642 | #undef USE_LIBEDIT | 642 | #undef USE_LIBEDIT |
643 | 643 | ||
644 | @@ -1711,6 +1714,9 @@ | 644 | @@ -1761,6 +1764,9 @@ |
645 | /* Use PIPES instead of a socketpair() */ | 645 | /* Use PIPES instead of a socketpair() */ |
646 | #undef USE_PIPES | 646 | #undef USE_PIPES |
647 | 647 | ||
@@ -652,10 +652,10 @@ index 63fc548b..0b244fd5 100644 | |||
652 | #undef USE_SOLARIS_PRIVS | 652 | #undef USE_SOLARIS_PRIVS |
653 | 653 | ||
654 | diff --git a/configure.ac b/configure.ac | 654 | diff --git a/configure.ac b/configure.ac |
655 | index 889f5063..84bfad8c 100644 | 655 | index 663062be..1cd5eab6 100644 |
656 | --- a/configure.ac | 656 | --- a/configure.ac |
657 | +++ b/configure.ac | 657 | +++ b/configure.ac |
658 | @@ -621,6 +621,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 658 | @@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
659 | [Use tunnel device compatibility to OpenBSD]) | 659 | [Use tunnel device compatibility to OpenBSD]) |
660 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 660 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
661 | [Prepend the address family to IP tunnel traffic]) | 661 | [Prepend the address family to IP tunnel traffic]) |
@@ -1435,7 +1435,7 @@ index 6cae720e..967c6cfb 100644 | |||
1435 | 1435 | ||
1436 | /* Privileged */ | 1436 | /* Privileged */ |
1437 | diff --git a/kex.c b/kex.c | 1437 | diff --git a/kex.c b/kex.c |
1438 | index d5d5a9da..bb1bd661 100644 | 1438 | index 15ea28b0..6cc2935f 100644 |
1439 | --- a/kex.c | 1439 | --- a/kex.c |
1440 | +++ b/kex.c | 1440 | +++ b/kex.c |
1441 | @@ -54,6 +54,10 @@ | 1441 | @@ -54,6 +54,10 @@ |
@@ -1475,7 +1475,7 @@ index d5d5a9da..bb1bd661 100644 | |||
1475 | return NULL; | 1475 | return NULL; |
1476 | } | 1476 | } |
1477 | 1477 | ||
1478 | @@ -601,6 +617,9 @@ kex_free(struct kex *kex) | 1478 | @@ -599,6 +615,9 @@ kex_free(struct kex *kex) |
1479 | sshbuf_free(kex->peer); | 1479 | sshbuf_free(kex->peer); |
1480 | sshbuf_free(kex->my); | 1480 | sshbuf_free(kex->my); |
1481 | free(kex->session_id); | 1481 | free(kex->session_id); |
@@ -2170,10 +2170,10 @@ index 00000000..38ca082b | |||
2170 | +} | 2170 | +} |
2171 | +#endif /* GSSAPI */ | 2171 | +#endif /* GSSAPI */ |
2172 | diff --git a/monitor.c b/monitor.c | 2172 | diff --git a/monitor.c b/monitor.c |
2173 | index f517da48..cabfeb8a 100644 | 2173 | index c68e1b0d..868fb0d2 100644 |
2174 | --- a/monitor.c | 2174 | --- a/monitor.c |
2175 | +++ b/monitor.c | 2175 | +++ b/monitor.c |
2176 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 2176 | @@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
2177 | int mm_answer_gss_accept_ctx(int, Buffer *); | 2177 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2178 | int mm_answer_gss_userok(int, Buffer *); | 2178 | int mm_answer_gss_userok(int, Buffer *); |
2179 | int mm_answer_gss_checkmic(int, Buffer *); | 2179 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -2182,7 +2182,7 @@ index f517da48..cabfeb8a 100644 | |||
2182 | #endif | 2182 | #endif |
2183 | 2183 | ||
2184 | #ifdef SSH_AUDIT_EVENTS | 2184 | #ifdef SSH_AUDIT_EVENTS |
2185 | @@ -230,11 +232,18 @@ struct mon_table mon_dispatch_proto20[] = { | 2185 | @@ -232,11 +234,18 @@ struct mon_table mon_dispatch_proto20[] = { |
2186 | {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, | 2186 | {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, |
2187 | {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, | 2187 | {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, |
2188 | {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, | 2188 | {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, |
@@ -2201,7 +2201,7 @@ index f517da48..cabfeb8a 100644 | |||
2201 | #ifdef WITH_OPENSSL | 2201 | #ifdef WITH_OPENSSL |
2202 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2202 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2203 | #endif | 2203 | #endif |
2204 | @@ -302,6 +311,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 2204 | @@ -306,6 +315,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2205 | /* Permit requests for moduli and signatures */ | 2205 | /* Permit requests for moduli and signatures */ |
2206 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2206 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2207 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2207 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2212,7 +2212,7 @@ index f517da48..cabfeb8a 100644 | |||
2212 | 2212 | ||
2213 | /* The first few requests do not require asynchronous access */ | 2213 | /* The first few requests do not require asynchronous access */ |
2214 | while (!authenticated) { | 2214 | while (!authenticated) { |
2215 | @@ -408,6 +421,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2215 | @@ -415,6 +428,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2216 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2216 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2217 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2217 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2218 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2218 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2221,9 +2221,9 @@ index f517da48..cabfeb8a 100644 | |||
2221 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); | 2221 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); |
2222 | +#endif | 2222 | +#endif |
2223 | 2223 | ||
2224 | if (!no_pty_flag) { | 2224 | if (auth_opts->permit_pty_flag) { |
2225 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 2225 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
2226 | @@ -1626,6 +1643,13 @@ monitor_apply_keystate(struct monitor *pmonitor) | 2226 | @@ -1652,6 +1669,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
2227 | # endif | 2227 | # endif |
2228 | #endif /* WITH_OPENSSL */ | 2228 | #endif /* WITH_OPENSSL */ |
2229 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2229 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2237,7 +2237,7 @@ index f517da48..cabfeb8a 100644 | |||
2237 | kex->load_host_public_key=&get_hostkey_public_by_type; | 2237 | kex->load_host_public_key=&get_hostkey_public_by_type; |
2238 | kex->load_host_private_key=&get_hostkey_private_by_type; | 2238 | kex->load_host_private_key=&get_hostkey_private_by_type; |
2239 | kex->host_key_index=&get_hostkey_index; | 2239 | kex->host_key_index=&get_hostkey_index; |
2240 | @@ -1714,8 +1738,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2240 | @@ -1740,8 +1764,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2241 | OM_uint32 major; | 2241 | OM_uint32 major; |
2242 | u_int len; | 2242 | u_int len; |
2243 | 2243 | ||
@@ -2248,7 +2248,7 @@ index f517da48..cabfeb8a 100644 | |||
2248 | 2248 | ||
2249 | goid.elements = buffer_get_string(m, &len); | 2249 | goid.elements = buffer_get_string(m, &len); |
2250 | goid.length = len; | 2250 | goid.length = len; |
2251 | @@ -1744,8 +1768,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2251 | @@ -1770,8 +1794,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2252 | OM_uint32 flags = 0; /* GSI needs this */ | 2252 | OM_uint32 flags = 0; /* GSI needs this */ |
2253 | u_int len; | 2253 | u_int len; |
2254 | 2254 | ||
@@ -2259,7 +2259,7 @@ index f517da48..cabfeb8a 100644 | |||
2259 | 2259 | ||
2260 | in.value = buffer_get_string(m, &len); | 2260 | in.value = buffer_get_string(m, &len); |
2261 | in.length = len; | 2261 | in.length = len; |
2262 | @@ -1764,6 +1788,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2262 | @@ -1790,6 +1814,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2263 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2263 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2264 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2264 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2265 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2265 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2267,7 +2267,7 @@ index f517da48..cabfeb8a 100644 | |||
2267 | } | 2267 | } |
2268 | return (0); | 2268 | return (0); |
2269 | } | 2269 | } |
2270 | @@ -1775,8 +1800,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2270 | @@ -1801,8 +1826,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2271 | OM_uint32 ret; | 2271 | OM_uint32 ret; |
2272 | u_int len; | 2272 | u_int len; |
2273 | 2273 | ||
@@ -2278,7 +2278,7 @@ index f517da48..cabfeb8a 100644 | |||
2278 | 2278 | ||
2279 | gssbuf.value = buffer_get_string(m, &len); | 2279 | gssbuf.value = buffer_get_string(m, &len); |
2280 | gssbuf.length = len; | 2280 | gssbuf.length = len; |
2281 | @@ -1805,10 +1830,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2281 | @@ -1831,10 +1856,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2282 | int authenticated; | 2282 | int authenticated; |
2283 | const char *displayname; | 2283 | const char *displayname; |
2284 | 2284 | ||
@@ -2293,7 +2293,7 @@ index f517da48..cabfeb8a 100644 | |||
2293 | 2293 | ||
2294 | buffer_clear(m); | 2294 | buffer_clear(m); |
2295 | buffer_put_int(m, authenticated); | 2295 | buffer_put_int(m, authenticated); |
2296 | @@ -1824,5 +1850,76 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2296 | @@ -1850,5 +1876,76 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2297 | /* Monitor loop will terminate if authenticated */ | 2297 | /* Monitor loop will terminate if authenticated */ |
2298 | return (authenticated); | 2298 | return (authenticated); |
2299 | } | 2299 | } |
@@ -2385,10 +2385,10 @@ index d68f6745..ec41404c 100644 | |||
2385 | 2385 | ||
2386 | struct monitor { | 2386 | struct monitor { |
2387 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2387 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2388 | index 69212aaf..0e171a6a 100644 | 2388 | index 9666bda4..e749efc1 100644 |
2389 | --- a/monitor_wrap.c | 2389 | --- a/monitor_wrap.c |
2390 | +++ b/monitor_wrap.c | 2390 | +++ b/monitor_wrap.c |
2391 | @@ -937,7 +937,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2391 | @@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2392 | } | 2392 | } |
2393 | 2393 | ||
2394 | int | 2394 | int |
@@ -2397,7 +2397,7 @@ index 69212aaf..0e171a6a 100644 | |||
2397 | { | 2397 | { |
2398 | Buffer m; | 2398 | Buffer m; |
2399 | int authenticated = 0; | 2399 | int authenticated = 0; |
2400 | @@ -954,5 +954,50 @@ mm_ssh_gssapi_userok(char *user) | 2400 | @@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user) |
2401 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2401 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2402 | return (authenticated); | 2402 | return (authenticated); |
2403 | } | 2403 | } |
@@ -2449,10 +2449,10 @@ index 69212aaf..0e171a6a 100644 | |||
2449 | #endif /* GSSAPI */ | 2449 | #endif /* GSSAPI */ |
2450 | 2450 | ||
2451 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2451 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2452 | index 9e032d20..7b2e8945 100644 | 2452 | index 76233270..0970d1f8 100644 |
2453 | --- a/monitor_wrap.h | 2453 | --- a/monitor_wrap.h |
2454 | +++ b/monitor_wrap.h | 2454 | +++ b/monitor_wrap.h |
2455 | @@ -57,8 +57,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, | 2455 | @@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, |
2456 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 2456 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
2457 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, | 2457 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, |
2458 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | 2458 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
@@ -2465,7 +2465,7 @@ index 9e032d20..7b2e8945 100644 | |||
2465 | 2465 | ||
2466 | #ifdef USE_PAM | 2466 | #ifdef USE_PAM |
2467 | diff --git a/readconf.c b/readconf.c | 2467 | diff --git a/readconf.c b/readconf.c |
2468 | index f63894f9..99e03ee1 100644 | 2468 | index 88051db5..c8e79299 100644 |
2469 | --- a/readconf.c | 2469 | --- a/readconf.c |
2470 | +++ b/readconf.c | 2470 | +++ b/readconf.c |
2471 | @@ -160,6 +160,8 @@ typedef enum { | 2471 | @@ -160,6 +160,8 @@ typedef enum { |
@@ -2498,7 +2498,7 @@ index f63894f9..99e03ee1 100644 | |||
2498 | #endif | 2498 | #endif |
2499 | #ifdef ENABLE_PKCS11 | 2499 | #ifdef ENABLE_PKCS11 |
2500 | { "smartcarddevice", oPKCS11Provider }, | 2500 | { "smartcarddevice", oPKCS11Provider }, |
2501 | @@ -976,10 +988,30 @@ parse_time: | 2501 | @@ -950,10 +962,30 @@ parse_time: |
2502 | intptr = &options->gss_authentication; | 2502 | intptr = &options->gss_authentication; |
2503 | goto parse_flag; | 2503 | goto parse_flag; |
2504 | 2504 | ||
@@ -2529,7 +2529,7 @@ index f63894f9..99e03ee1 100644 | |||
2529 | case oBatchMode: | 2529 | case oBatchMode: |
2530 | intptr = &options->batch_mode; | 2530 | intptr = &options->batch_mode; |
2531 | goto parse_flag; | 2531 | goto parse_flag; |
2532 | @@ -1790,7 +1822,12 @@ initialize_options(Options * options) | 2532 | @@ -1765,7 +1797,12 @@ initialize_options(Options * options) |
2533 | options->pubkey_authentication = -1; | 2533 | options->pubkey_authentication = -1; |
2534 | options->challenge_response_authentication = -1; | 2534 | options->challenge_response_authentication = -1; |
2535 | options->gss_authentication = -1; | 2535 | options->gss_authentication = -1; |
@@ -2542,7 +2542,7 @@ index f63894f9..99e03ee1 100644 | |||
2542 | options->password_authentication = -1; | 2542 | options->password_authentication = -1; |
2543 | options->kbd_interactive_authentication = -1; | 2543 | options->kbd_interactive_authentication = -1; |
2544 | options->kbd_interactive_devices = NULL; | 2544 | options->kbd_interactive_devices = NULL; |
2545 | @@ -1930,8 +1967,14 @@ fill_default_options(Options * options) | 2545 | @@ -1906,8 +1943,14 @@ fill_default_options(Options * options) |
2546 | options->challenge_response_authentication = 1; | 2546 | options->challenge_response_authentication = 1; |
2547 | if (options->gss_authentication == -1) | 2547 | if (options->gss_authentication == -1) |
2548 | options->gss_authentication = 0; | 2548 | options->gss_authentication = 0; |
@@ -2558,7 +2558,7 @@ index f63894f9..99e03ee1 100644 | |||
2558 | options->password_authentication = 1; | 2558 | options->password_authentication = 1; |
2559 | if (options->kbd_interactive_authentication == -1) | 2559 | if (options->kbd_interactive_authentication == -1) |
2560 | diff --git a/readconf.h b/readconf.h | 2560 | diff --git a/readconf.h b/readconf.h |
2561 | index 22fe5c18..d61161a8 100644 | 2561 | index f4d9e2b2..f469daaf 100644 |
2562 | --- a/readconf.h | 2562 | --- a/readconf.h |
2563 | +++ b/readconf.h | 2563 | +++ b/readconf.h |
2564 | @@ -42,7 +42,12 @@ typedef struct { | 2564 | @@ -42,7 +42,12 @@ typedef struct { |
@@ -2575,10 +2575,10 @@ index 22fe5c18..d61161a8 100644 | |||
2575 | * authentication. */ | 2575 | * authentication. */ |
2576 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2576 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2577 | diff --git a/servconf.c b/servconf.c | 2577 | diff --git a/servconf.c b/servconf.c |
2578 | index 2c321a4a..8ba74517 100644 | 2578 | index 0f0d0906..cbbea05b 100644 |
2579 | --- a/servconf.c | 2579 | --- a/servconf.c |
2580 | +++ b/servconf.c | 2580 | +++ b/servconf.c |
2581 | @@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options) | 2581 | @@ -123,8 +123,10 @@ initialize_server_options(ServerOptions *options) |
2582 | options->kerberos_ticket_cleanup = -1; | 2582 | options->kerberos_ticket_cleanup = -1; |
2583 | options->kerberos_get_afs_token = -1; | 2583 | options->kerberos_get_afs_token = -1; |
2584 | options->gss_authentication=-1; | 2584 | options->gss_authentication=-1; |
@@ -2589,7 +2589,7 @@ index 2c321a4a..8ba74517 100644 | |||
2589 | options->password_authentication = -1; | 2589 | options->password_authentication = -1; |
2590 | options->kbd_interactive_authentication = -1; | 2590 | options->kbd_interactive_authentication = -1; |
2591 | options->challenge_response_authentication = -1; | 2591 | options->challenge_response_authentication = -1; |
2592 | @@ -268,10 +270,14 @@ fill_default_server_options(ServerOptions *options) | 2592 | @@ -315,10 +317,14 @@ fill_default_server_options(ServerOptions *options) |
2593 | options->kerberos_get_afs_token = 0; | 2593 | options->kerberos_get_afs_token = 0; |
2594 | if (options->gss_authentication == -1) | 2594 | if (options->gss_authentication == -1) |
2595 | options->gss_authentication = 0; | 2595 | options->gss_authentication = 0; |
@@ -2604,7 +2604,7 @@ index 2c321a4a..8ba74517 100644 | |||
2604 | if (options->password_authentication == -1) | 2604 | if (options->password_authentication == -1) |
2605 | options->password_authentication = 1; | 2605 | options->password_authentication = 1; |
2606 | if (options->kbd_interactive_authentication == -1) | 2606 | if (options->kbd_interactive_authentication == -1) |
2607 | @@ -410,6 +416,7 @@ typedef enum { | 2607 | @@ -461,6 +467,7 @@ typedef enum { |
2608 | sHostKeyAlgorithms, | 2608 | sHostKeyAlgorithms, |
2609 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 2609 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2610 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2610 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
@@ -2612,7 +2612,7 @@ index 2c321a4a..8ba74517 100644 | |||
2612 | sAcceptEnv, sPermitTunnel, | 2612 | sAcceptEnv, sPermitTunnel, |
2613 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2613 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2614 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2614 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2615 | @@ -484,12 +491,20 @@ static struct { | 2615 | @@ -535,12 +542,20 @@ static struct { |
2616 | #ifdef GSSAPI | 2616 | #ifdef GSSAPI |
2617 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2617 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2618 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2618 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2633,7 +2633,7 @@ index 2c321a4a..8ba74517 100644 | |||
2633 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2633 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2634 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2634 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2635 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2635 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2636 | @@ -1253,6 +1268,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2636 | @@ -1407,6 +1422,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2637 | intptr = &options->gss_authentication; | 2637 | intptr = &options->gss_authentication; |
2638 | goto parse_flag; | 2638 | goto parse_flag; |
2639 | 2639 | ||
@@ -2644,7 +2644,7 @@ index 2c321a4a..8ba74517 100644 | |||
2644 | case sGssCleanupCreds: | 2644 | case sGssCleanupCreds: |
2645 | intptr = &options->gss_cleanup_creds; | 2645 | intptr = &options->gss_cleanup_creds; |
2646 | goto parse_flag; | 2646 | goto parse_flag; |
2647 | @@ -1261,6 +1280,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2647 | @@ -1415,6 +1434,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2648 | intptr = &options->gss_strict_acceptor; | 2648 | intptr = &options->gss_strict_acceptor; |
2649 | goto parse_flag; | 2649 | goto parse_flag; |
2650 | 2650 | ||
@@ -2655,7 +2655,7 @@ index 2c321a4a..8ba74517 100644 | |||
2655 | case sPasswordAuthentication: | 2655 | case sPasswordAuthentication: |
2656 | intptr = &options->password_authentication; | 2656 | intptr = &options->password_authentication; |
2657 | goto parse_flag; | 2657 | goto parse_flag; |
2658 | @@ -2301,7 +2324,10 @@ dump_config(ServerOptions *o) | 2658 | @@ -2453,7 +2476,10 @@ dump_config(ServerOptions *o) |
2659 | #endif | 2659 | #endif |
2660 | #ifdef GSSAPI | 2660 | #ifdef GSSAPI |
2661 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2661 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2667,10 +2667,10 @@ index 2c321a4a..8ba74517 100644 | |||
2667 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2667 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2668 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2668 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2669 | diff --git a/servconf.h b/servconf.h | 2669 | diff --git a/servconf.h b/servconf.h |
2670 | index 1dca702e..641e93c8 100644 | 2670 | index 37a0fb1a..5dfc9bc0 100644 |
2671 | --- a/servconf.h | 2671 | --- a/servconf.h |
2672 | +++ b/servconf.h | 2672 | +++ b/servconf.h |
2673 | @@ -119,8 +119,10 @@ typedef struct { | 2673 | @@ -130,8 +130,10 @@ typedef struct { |
2674 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2674 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2675 | * authenticated with Kerberos. */ | 2675 | * authenticated with Kerberos. */ |
2676 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2676 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2799,10 +2799,10 @@ index c12f5ef5..bcb9f153 100644 | |||
2799 | # CheckHostIP yes | 2799 | # CheckHostIP yes |
2800 | # AddressFamily any | 2800 | # AddressFamily any |
2801 | diff --git a/ssh_config.5 b/ssh_config.5 | 2801 | diff --git a/ssh_config.5 b/ssh_config.5 |
2802 | index eab8dd01..9a06a757 100644 | 2802 | index 71705cab..66826aa7 100644 |
2803 | --- a/ssh_config.5 | 2803 | --- a/ssh_config.5 |
2804 | +++ b/ssh_config.5 | 2804 | +++ b/ssh_config.5 |
2805 | @@ -720,10 +720,42 @@ The default is | 2805 | @@ -727,10 +727,42 @@ The default is |
2806 | Specifies whether user authentication based on GSSAPI is allowed. | 2806 | Specifies whether user authentication based on GSSAPI is allowed. |
2807 | The default is | 2807 | The default is |
2808 | .Cm no . | 2808 | .Cm no . |
@@ -2846,7 +2846,7 @@ index eab8dd01..9a06a757 100644 | |||
2846 | Indicates that | 2846 | Indicates that |
2847 | .Xr ssh 1 | 2847 | .Xr ssh 1 |
2848 | diff --git a/sshconnect2.c b/sshconnect2.c | 2848 | diff --git a/sshconnect2.c b/sshconnect2.c |
2849 | index be9397e4..c22477f5 100644 | 2849 | index 1f4a74cf..83562c68 100644 |
2850 | --- a/sshconnect2.c | 2850 | --- a/sshconnect2.c |
2851 | +++ b/sshconnect2.c | 2851 | +++ b/sshconnect2.c |
2852 | @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2852 | @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
@@ -2959,7 +2959,7 @@ index be9397e4..c22477f5 100644 | |||
2959 | {"gssapi-with-mic", | 2959 | {"gssapi-with-mic", |
2960 | userauth_gssapi, | 2960 | userauth_gssapi, |
2961 | NULL, | 2961 | NULL, |
2962 | @@ -654,25 +720,40 @@ userauth_gssapi(Authctxt *authctxt) | 2962 | @@ -643,25 +709,40 @@ userauth_gssapi(Authctxt *authctxt) |
2963 | static u_int mech = 0; | 2963 | static u_int mech = 0; |
2964 | OM_uint32 min; | 2964 | OM_uint32 min; |
2965 | int ok = 0; | 2965 | int ok = 0; |
@@ -3002,7 +3002,7 @@ index be9397e4..c22477f5 100644 | |||
3002 | if (!ok) | 3002 | if (!ok) |
3003 | return 0; | 3003 | return 0; |
3004 | 3004 | ||
3005 | @@ -763,8 +844,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) | 3005 | @@ -752,8 +833,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) |
3006 | { | 3006 | { |
3007 | Authctxt *authctxt = ssh->authctxt; | 3007 | Authctxt *authctxt = ssh->authctxt; |
3008 | Gssctxt *gssctxt; | 3008 | Gssctxt *gssctxt; |
@@ -3013,7 +3013,7 @@ index be9397e4..c22477f5 100644 | |||
3013 | 3013 | ||
3014 | if (authctxt == NULL) | 3014 | if (authctxt == NULL) |
3015 | fatal("input_gssapi_response: no authentication context"); | 3015 | fatal("input_gssapi_response: no authentication context"); |
3016 | @@ -877,6 +958,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) | 3016 | @@ -866,6 +947,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) |
3017 | free(lang); | 3017 | free(lang); |
3018 | return 0; | 3018 | return 0; |
3019 | } | 3019 | } |
@@ -3063,10 +3063,10 @@ index be9397e4..c22477f5 100644 | |||
3063 | 3063 | ||
3064 | int | 3064 | int |
3065 | diff --git a/sshd.c b/sshd.c | 3065 | diff --git a/sshd.c b/sshd.c |
3066 | index 51a1aaf6..45e50fac 100644 | 3066 | index fd95b681..e88185ef 100644 |
3067 | --- a/sshd.c | 3067 | --- a/sshd.c |
3068 | +++ b/sshd.c | 3068 | +++ b/sshd.c |
3069 | @@ -122,6 +122,10 @@ | 3069 | @@ -123,6 +123,10 @@ |
3070 | #include "version.h" | 3070 | #include "version.h" |
3071 | #include "ssherr.h" | 3071 | #include "ssherr.h" |
3072 | 3072 | ||
@@ -3077,7 +3077,7 @@ index 51a1aaf6..45e50fac 100644 | |||
3077 | /* Re-exec fds */ | 3077 | /* Re-exec fds */ |
3078 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 3078 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
3079 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 3079 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
3080 | @@ -529,7 +533,7 @@ privsep_preauth_child(void) | 3080 | @@ -531,7 +535,7 @@ privsep_preauth_child(void) |
3081 | 3081 | ||
3082 | #ifdef GSSAPI | 3082 | #ifdef GSSAPI |
3083 | /* Cache supported mechanism OIDs for later use */ | 3083 | /* Cache supported mechanism OIDs for later use */ |
@@ -3086,7 +3086,7 @@ index 51a1aaf6..45e50fac 100644 | |||
3086 | ssh_gssapi_prepare_supported_oids(); | 3086 | ssh_gssapi_prepare_supported_oids(); |
3087 | #endif | 3087 | #endif |
3088 | 3088 | ||
3089 | @@ -1708,10 +1712,13 @@ main(int ac, char **av) | 3089 | @@ -1753,10 +1757,13 @@ main(int ac, char **av) |
3090 | key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); | 3090 | key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); |
3091 | free(fp); | 3091 | free(fp); |
3092 | } | 3092 | } |
@@ -3100,8 +3100,8 @@ index 51a1aaf6..45e50fac 100644 | |||
3100 | 3100 | ||
3101 | /* | 3101 | /* |
3102 | * Load certificates. They are stored in an array at identical | 3102 | * Load certificates. They are stored in an array at identical |
3103 | @@ -1987,6 +1994,60 @@ main(int ac, char **av) | 3103 | @@ -2047,6 +2054,60 @@ main(int ac, char **av) |
3104 | remote_ip, remote_port, laddr, ssh_local_port(ssh)); | 3104 | rdomain == NULL ? "" : "\""); |
3105 | free(laddr); | 3105 | free(laddr); |
3106 | 3106 | ||
3107 | +#ifdef USE_SECURITY_SESSION_API | 3107 | +#ifdef USE_SECURITY_SESSION_API |
@@ -3161,7 +3161,7 @@ index 51a1aaf6..45e50fac 100644 | |||
3161 | /* | 3161 | /* |
3162 | * We don't want to listen forever unless the other side | 3162 | * We don't want to listen forever unless the other side |
3163 | * successfully authenticates itself. So we set up an alarm which is | 3163 | * successfully authenticates itself. So we set up an alarm which is |
3164 | @@ -2170,6 +2231,48 @@ do_ssh2_kex(void) | 3164 | @@ -2234,6 +2295,48 @@ do_ssh2_kex(void) |
3165 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 3165 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3166 | list_hostkey_types()); | 3166 | list_hostkey_types()); |
3167 | 3167 | ||
@@ -3210,7 +3210,7 @@ index 51a1aaf6..45e50fac 100644 | |||
3210 | /* start key exchange */ | 3210 | /* start key exchange */ |
3211 | if ((r = kex_setup(active_state, myproposal)) != 0) | 3211 | if ((r = kex_setup(active_state, myproposal)) != 0) |
3212 | fatal("kex_setup: %s", ssh_err(r)); | 3212 | fatal("kex_setup: %s", ssh_err(r)); |
3213 | @@ -2187,6 +2290,13 @@ do_ssh2_kex(void) | 3213 | @@ -2251,6 +2354,13 @@ do_ssh2_kex(void) |
3214 | # endif | 3214 | # endif |
3215 | #endif | 3215 | #endif |
3216 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 3216 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -3225,10 +3225,10 @@ index 51a1aaf6..45e50fac 100644 | |||
3225 | kex->client_version_string=client_version_string; | 3225 | kex->client_version_string=client_version_string; |
3226 | kex->server_version_string=server_version_string; | 3226 | kex->server_version_string=server_version_string; |
3227 | diff --git a/sshd_config b/sshd_config | 3227 | diff --git a/sshd_config b/sshd_config |
3228 | index 4eb2e02e..c01dd656 100644 | 3228 | index 3109d5d7..86263d71 100644 |
3229 | --- a/sshd_config | 3229 | --- a/sshd_config |
3230 | +++ b/sshd_config | 3230 | +++ b/sshd_config |
3231 | @@ -70,6 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 3231 | @@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
3232 | # GSSAPI options | 3232 | # GSSAPI options |
3233 | #GSSAPIAuthentication no | 3233 | #GSSAPIAuthentication no |
3234 | #GSSAPICleanupCredentials yes | 3234 | #GSSAPICleanupCredentials yes |
@@ -3238,10 +3238,10 @@ index 4eb2e02e..c01dd656 100644 | |||
3238 | # Set this to 'yes' to enable PAM authentication, account processing, | 3238 | # Set this to 'yes' to enable PAM authentication, account processing, |
3239 | # and session processing. If this is enabled, PAM authentication will | 3239 | # and session processing. If this is enabled, PAM authentication will |
3240 | diff --git a/sshd_config.5 b/sshd_config.5 | 3240 | diff --git a/sshd_config.5 b/sshd_config.5 |
3241 | index 251b7467..0dbcb8da 100644 | 3241 | index e3c7c393..c4a3f3cb 100644 |
3242 | --- a/sshd_config.5 | 3242 | --- a/sshd_config.5 |
3243 | +++ b/sshd_config.5 | 3243 | +++ b/sshd_config.5 |
3244 | @@ -635,6 +635,11 @@ The default is | 3244 | @@ -636,6 +636,11 @@ The default is |
3245 | Specifies whether user authentication based on GSSAPI is allowed. | 3245 | Specifies whether user authentication based on GSSAPI is allowed. |
3246 | The default is | 3246 | The default is |
3247 | .Cm no . | 3247 | .Cm no . |
@@ -3253,7 +3253,7 @@ index 251b7467..0dbcb8da 100644 | |||
3253 | .It Cm GSSAPICleanupCredentials | 3253 | .It Cm GSSAPICleanupCredentials |
3254 | Specifies whether to automatically destroy the user's credentials cache | 3254 | Specifies whether to automatically destroy the user's credentials cache |
3255 | on logout. | 3255 | on logout. |
3256 | @@ -654,6 +659,11 @@ machine's default store. | 3256 | @@ -655,6 +660,11 @@ machine's default store. |
3257 | This facility is provided to assist with operation on multi homed machines. | 3257 | This facility is provided to assist with operation on multi homed machines. |
3258 | The default is | 3258 | The default is |
3259 | .Cm yes . | 3259 | .Cm yes . |
@@ -3266,10 +3266,10 @@ index 251b7467..0dbcb8da 100644 | |||
3266 | Specifies the key types that will be accepted for hostbased authentication | 3266 | Specifies the key types that will be accepted for hostbased authentication |
3267 | as a comma-separated pattern list. | 3267 | as a comma-separated pattern list. |
3268 | diff --git a/sshkey.c b/sshkey.c | 3268 | diff --git a/sshkey.c b/sshkey.c |
3269 | index e91c54f5..c2cf0e03 100644 | 3269 | index 7712fba2..08887286 100644 |
3270 | --- a/sshkey.c | 3270 | --- a/sshkey.c |
3271 | +++ b/sshkey.c | 3271 | +++ b/sshkey.c |
3272 | @@ -112,6 +112,7 @@ static const struct keytype keytypes[] = { | 3272 | @@ -122,6 +122,7 @@ static const struct keytype keytypes[] = { |
3273 | # endif /* OPENSSL_HAS_NISTP521 */ | 3273 | # endif /* OPENSSL_HAS_NISTP521 */ |
3274 | # endif /* OPENSSL_HAS_ECC */ | 3274 | # endif /* OPENSSL_HAS_ECC */ |
3275 | #endif /* WITH_OPENSSL */ | 3275 | #endif /* WITH_OPENSSL */ |
@@ -3277,7 +3277,7 @@ index e91c54f5..c2cf0e03 100644 | |||
3277 | { NULL, NULL, -1, -1, 0, 0 } | 3277 | { NULL, NULL, -1, -1, 0, 0 } |
3278 | }; | 3278 | }; |
3279 | 3279 | ||
3280 | @@ -200,7 +201,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) | 3280 | @@ -210,7 +211,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) |
3281 | const struct keytype *kt; | 3281 | const struct keytype *kt; |
3282 | 3282 | ||
3283 | for (kt = keytypes; kt->type != -1; kt++) { | 3283 | for (kt = keytypes; kt->type != -1; kt++) { |
@@ -3287,13 +3287,13 @@ index e91c54f5..c2cf0e03 100644 | |||
3287 | if (!include_sigonly && kt->sigonly) | 3287 | if (!include_sigonly && kt->sigonly) |
3288 | continue; | 3288 | continue; |
3289 | diff --git a/sshkey.h b/sshkey.h | 3289 | diff --git a/sshkey.h b/sshkey.h |
3290 | index 9093eac5..b5d020cb 100644 | 3290 | index 155cd45a..4e89049f 100644 |
3291 | --- a/sshkey.h | 3291 | --- a/sshkey.h |
3292 | +++ b/sshkey.h | 3292 | +++ b/sshkey.h |
3293 | @@ -61,6 +61,7 @@ enum sshkey_types { | 3293 | @@ -63,6 +63,7 @@ enum sshkey_types { |
3294 | KEY_DSA_CERT, | ||
3295 | KEY_ECDSA_CERT, | ||
3296 | KEY_ED25519_CERT, | 3294 | KEY_ED25519_CERT, |
3295 | KEY_XMSS, | ||
3296 | KEY_XMSS_CERT, | ||
3297 | + KEY_NULL, | 3297 | + KEY_NULL, |
3298 | KEY_UNSPEC | 3298 | KEY_UNSPEC |
3299 | }; | 3299 | }; |