Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch283
1 files changed, 142 insertions, 141 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index d8439bf03..e8cbc1083 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd Mon Sep 17 00:00:00 2001 1From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2014-03-19 20Last-Updated: 2014-10-07
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
@@ -36,9 +36,7 @@ Patch-Name: gssapi.patch
36 kex.c | 16 +++ 36 kex.c | 16 +++
37 kex.h | 14 +++ 37 kex.h | 14 +++
38 kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 38 kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
39 kexgsss.c | 289 ++++++++++++++++++++++++++++++++++++++++++++++++ 39 kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++
40 key.c | 3 +-
41 key.h | 1 +
42 monitor.c | 108 +++++++++++++++++- 40 monitor.c | 108 +++++++++++++++++-
43 monitor.h | 3 + 41 monitor.h | 3 +
44 monitor_wrap.c | 47 +++++++- 42 monitor_wrap.c | 47 +++++++-
@@ -54,7 +52,9 @@ Patch-Name: gssapi.patch
54 sshd.c | 110 ++++++++++++++++++ 52 sshd.c | 110 ++++++++++++++++++
55 sshd_config | 2 + 53 sshd_config | 2 +
56 sshd_config.5 | 28 +++++ 54 sshd_config.5 | 28 +++++
57 33 files changed, 2051 insertions(+), 59 deletions(-) 55 sshkey.c | 3 +-
56 sshkey.h | 1 +
57 33 files changed, 2052 insertions(+), 59 deletions(-)
58 create mode 100644 ChangeLog.gssapi 58 create mode 100644 ChangeLog.gssapi
59 create mode 100644 kexgssc.c 59 create mode 100644 kexgssc.c
60 create mode 100644 kexgsss.c 60 create mode 100644 kexgsss.c
@@ -179,10 +179,10 @@ index 0000000..f117a33
179+ (from jbasney AT ncsa.uiuc.edu) 179+ (from jbasney AT ncsa.uiuc.edu)
180+ <gssapi-with-mic support is Bugzilla #1008> 180+ <gssapi-with-mic support is Bugzilla #1008>
181diff --git a/Makefile.in b/Makefile.in 181diff --git a/Makefile.in b/Makefile.in
182index 28a8ec4..ee1d2c3 100644 182index 06be3d5..086d8dd 100644
183--- a/Makefile.in 183--- a/Makefile.in
184+++ b/Makefile.in 184+++ b/Makefile.in
185@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 185@@ -82,6 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
186 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 186 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
187 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 187 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -190,7 +190,7 @@ index 28a8ec4..ee1d2c3 100644
190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ 190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
191 ssh-pkcs11.o krl.o smult_curve25519_ref.o \ 191 ssh-pkcs11.o krl.o smult_curve25519_ref.o \
192 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ 192 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
193@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 193@@ -101,7 +102,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
194 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 194 auth2-none.o auth2-passwd.o auth2-pubkey.o \
195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
196 kexc25519s.o auth-krb5.o \ 196 kexc25519s.o auth-krb5.o \
@@ -200,10 +200,10 @@ index 28a8ec4..ee1d2c3 100644
200 sftp-server.o sftp-common.o \ 200 sftp-server.o sftp-common.o \
201 roaming_common.o roaming_serv.o \ 201 roaming_common.o roaming_serv.o \
202diff --git a/auth-krb5.c b/auth-krb5.c 202diff --git a/auth-krb5.c b/auth-krb5.c
203index 6c62bdf..69a1a53 100644 203index 0089b18..ec47869 100644
204--- a/auth-krb5.c 204--- a/auth-krb5.c
205+++ b/auth-krb5.c 205+++ b/auth-krb5.c
206@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 206@@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
207 207
208 len = strlen(authctxt->krb5_ticket_file) + 6; 208 len = strlen(authctxt->krb5_ticket_file) + 6;
209 authctxt->krb5_ccname = xmalloc(len); 209 authctxt->krb5_ccname = xmalloc(len);
@@ -217,7 +217,7 @@ index 6c62bdf..69a1a53 100644
217 217
218 #ifdef USE_PAM 218 #ifdef USE_PAM
219 if (options.use_pam) 219 if (options.use_pam)
220@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) 220@@ -241,15 +246,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
221 #ifndef HEIMDAL 221 #ifndef HEIMDAL
222 krb5_error_code 222 krb5_error_code
223 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 223 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -242,7 +242,7 @@ index 6c62bdf..69a1a53 100644
242 old_umask = umask(0177); 242 old_umask = umask(0177);
243 tmpfd = mkstemp(ccname + strlen("FILE:")); 243 tmpfd = mkstemp(ccname + strlen("FILE:"));
244 oerrno = errno; 244 oerrno = errno;
245@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 245@@ -266,6 +278,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
246 return oerrno; 246 return oerrno;
247 } 247 }
248 close(tmpfd); 248 close(tmpfd);
@@ -251,7 +251,7 @@ index 6c62bdf..69a1a53 100644
251 return (krb5_cc_resolve(ctx, ccname, ccache)); 251 return (krb5_cc_resolve(ctx, ccname, ccache));
252 } 252 }
253diff --git a/auth2-gss.c b/auth2-gss.c 253diff --git a/auth2-gss.c b/auth2-gss.c
254index c28a705..3ff2d72 100644 254index 447f896..284f364 100644
255--- a/auth2-gss.c 255--- a/auth2-gss.c
256+++ b/auth2-gss.c 256+++ b/auth2-gss.c
257@@ -1,7 +1,7 @@ 257@@ -1,7 +1,7 @@
@@ -263,7 +263,7 @@ index c28a705..3ff2d72 100644
263 * 263 *
264 * Redistribution and use in source and binary forms, with or without 264 * Redistribution and use in source and binary forms, with or without
265 * modification, are permitted provided that the following conditions 265 * modification, are permitted provided that the following conditions
266@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); 266@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
267 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 267 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
268 static void input_gssapi_errtok(int, u_int32_t, void *); 268 static void input_gssapi_errtok(int, u_int32_t, void *);
269 269
@@ -304,7 +304,7 @@ index c28a705..3ff2d72 100644
304 /* 304 /*
305 * We only support those mechanisms that we know about (ie ones that we know 305 * We only support those mechanisms that we know about (ie ones that we know
306 * how to check local user kuserok and the like) 306 * how to check local user kuserok and the like)
307@@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 307@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
308 308
309 packet_check_eom(); 309 packet_check_eom();
310 310
@@ -314,7 +314,7 @@ index c28a705..3ff2d72 100644
314 314
315 authctxt->postponed = 0; 315 authctxt->postponed = 0;
316 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 316 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
317@@ -270,7 +305,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 317@@ -271,7 +306,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
318 gssbuf.length = buffer_len(&b); 318 gssbuf.length = buffer_len(&b);
319 319
320 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 320 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -324,7 +324,7 @@ index c28a705..3ff2d72 100644
324 else 324 else
325 logit("GSSAPI MIC check failed"); 325 logit("GSSAPI MIC check failed");
326 326
327@@ -285,6 +321,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 327@@ -286,6 +322,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
328 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 328 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
329 } 329 }
330 330
@@ -338,10 +338,10 @@ index c28a705..3ff2d72 100644
338 "gssapi-with-mic", 338 "gssapi-with-mic",
339 userauth_gssapi, 339 userauth_gssapi,
340diff --git a/auth2.c b/auth2.c 340diff --git a/auth2.c b/auth2.c
341index a5490c0..fbe3e1b 100644 341index d9b440a..2f0d565 100644
342--- a/auth2.c 342--- a/auth2.c
343+++ b/auth2.c 343+++ b/auth2.c
344@@ -69,6 +69,7 @@ extern Authmethod method_passwd; 344@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
345 extern Authmethod method_kbdint; 345 extern Authmethod method_kbdint;
346 extern Authmethod method_hostbased; 346 extern Authmethod method_hostbased;
347 #ifdef GSSAPI 347 #ifdef GSSAPI
@@ -349,7 +349,7 @@ index a5490c0..fbe3e1b 100644
349 extern Authmethod method_gssapi; 349 extern Authmethod method_gssapi;
350 #endif 350 #endif
351 351
352@@ -76,6 +77,7 @@ Authmethod *authmethods[] = { 352@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {
353 &method_none, 353 &method_none,
354 &method_pubkey, 354 &method_pubkey,
355 #ifdef GSSAPI 355 #ifdef GSSAPI
@@ -358,7 +358,7 @@ index a5490c0..fbe3e1b 100644
358 #endif 358 #endif
359 &method_passwd, 359 &method_passwd,
360diff --git a/clientloop.c b/clientloop.c 360diff --git a/clientloop.c b/clientloop.c
361index 59ad3a2..6d8cd7d 100644 361index 397c965..f9175e3 100644
362--- a/clientloop.c 362--- a/clientloop.c
363+++ b/clientloop.c 363+++ b/clientloop.c
364@@ -111,6 +111,10 @@ 364@@ -111,6 +111,10 @@
@@ -372,7 +372,7 @@ index 59ad3a2..6d8cd7d 100644
372 /* import options */ 372 /* import options */
373 extern Options options; 373 extern Options options;
374 374
375@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 375@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
376 /* Do channel operations unless rekeying in progress. */ 376 /* Do channel operations unless rekeying in progress. */
377 if (!rekeying) { 377 if (!rekeying) {
378 channel_after_select(readset, writeset); 378 channel_after_select(readset, writeset);
@@ -389,7 +389,7 @@ index 59ad3a2..6d8cd7d 100644
389 debug("need rekeying"); 389 debug("need rekeying");
390 xxx_kex->done = 0; 390 xxx_kex->done = 0;
391diff --git a/config.h.in b/config.h.in 391diff --git a/config.h.in b/config.h.in
392index 0401ad1..6bc422c 100644 392index 16d6206..a9a8b7a 100644
393--- a/config.h.in 393--- a/config.h.in
394+++ b/config.h.in 394+++ b/config.h.in
395@@ -1622,6 +1622,9 @@ 395@@ -1622,6 +1622,9 @@
@@ -413,10 +413,10 @@ index 0401ad1..6bc422c 100644
413 #undef USE_SOLARIS_PROCESS_CONTRACTS 413 #undef USE_SOLARIS_PROCESS_CONTRACTS
414 414
415diff --git a/configure b/configure 415diff --git a/configure b/configure
416index d690393..b6b5b6d 100755 416index 6815388..ea5f200 100755
417--- a/configure 417--- a/configure
418+++ b/configure 418+++ b/configure
419@@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h 419@@ -7168,6 +7168,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
420 420
421 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 421 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
422 422
@@ -481,7 +481,7 @@ index d690393..b6b5b6d 100755
481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" 481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : 482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
483diff --git a/configure.ac b/configure.ac 483diff --git a/configure.ac b/configure.ac
484index 7c6ce08..d235fb0 100644 484index 67c4486..90e81e1 100644
485--- a/configure.ac 485--- a/configure.ac
486+++ b/configure.ac 486+++ b/configure.ac
487@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 487@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -866,7 +866,7 @@ index b39281b..1e569ad 100644
866+ 866+
867 #endif /* GSSAPI */ 867 #endif /* GSSAPI */
868diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c 868diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
869index 759fa10..e678a27 100644 869index 795992d..fd8b371 100644
870--- a/gss-serv-krb5.c 870--- a/gss-serv-krb5.c
871+++ b/gss-serv-krb5.c 871+++ b/gss-serv-krb5.c
872@@ -1,7 +1,7 @@ 872@@ -1,7 +1,7 @@
@@ -878,7 +878,7 @@ index 759fa10..e678a27 100644
878 * 878 *
879 * Redistribution and use in source and binary forms, with or without 879 * Redistribution and use in source and binary forms, with or without
880 * modification, are permitted provided that the following conditions 880 * modification, are permitted provided that the following conditions
881@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 881@@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
882 krb5_error_code problem; 882 krb5_error_code problem;
883 krb5_principal princ; 883 krb5_principal princ;
884 OM_uint32 maj_status, min_status; 884 OM_uint32 maj_status, min_status;
@@ -888,7 +888,7 @@ index 759fa10..e678a27 100644
888 888
889 if (client->creds == NULL) { 889 if (client->creds == NULL) {
890 debug("No credentials stored"); 890 debug("No credentials stored");
891@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 891@@ -181,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
892 return; 892 return;
893 } 893 }
894 894
@@ -909,7 +909,7 @@ index 759fa10..e678a27 100644
909 909
910 #ifdef USE_PAM 910 #ifdef USE_PAM
911 if (options.use_pam) 911 if (options.use_pam)
912@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 912@@ -197,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
913 return; 913 return;
914 } 914 }
915 915
@@ -981,7 +981,7 @@ index 759fa10..e678a27 100644
981 ssh_gssapi_mech gssapi_kerberos_mech = { 981 ssh_gssapi_mech gssapi_kerberos_mech = {
982 "toWM5Slw5Ew8Mqkay+al2g==", 982 "toWM5Slw5Ew8Mqkay+al2g==",
983 "Kerberos", 983 "Kerberos",
984@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { 984@@ -204,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
985 NULL, 985 NULL,
986 &ssh_gssapi_krb5_userok, 986 &ssh_gssapi_krb5_userok,
987 NULL, 987 NULL,
@@ -992,11 +992,11 @@ index 759fa10..e678a27 100644
992 992
993 #endif /* KRB5 */ 993 #endif /* KRB5 */
994diff --git a/gss-serv.c b/gss-serv.c 994diff --git a/gss-serv.c b/gss-serv.c
995index e61b37b..c33463b 100644 995index 5c59924..50fa438 100644
996--- a/gss-serv.c 996--- a/gss-serv.c
997+++ b/gss-serv.c 997+++ b/gss-serv.c
998@@ -1,7 +1,7 @@ 998@@ -1,7 +1,7 @@
999 /* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */ 999 /* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */
1000 1000
1001 /* 1001 /*
1002- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 1002- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1029,7 +1029,7 @@ index e61b37b..c33463b 100644
1029 #ifdef KRB5 1029 #ifdef KRB5
1030 extern ssh_gssapi_mech gssapi_kerberos_mech; 1030 extern ssh_gssapi_mech gssapi_kerberos_mech;
1031@@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) 1031@@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
1032 char lname[MAXHOSTNAMELEN]; 1032 char lname[NI_MAXHOST];
1033 gss_OID_set oidset; 1033 gss_OID_set oidset;
1034 1034
1035- gss_create_empty_oid_set(&status, &oidset); 1035- gss_create_empty_oid_set(&status, &oidset);
@@ -1038,11 +1038,11 @@ index e61b37b..c33463b 100644
1038+ gss_create_empty_oid_set(&status, &oidset); 1038+ gss_create_empty_oid_set(&status, &oidset);
1039+ gss_add_oid_set_member(&status, ctx->oid, &oidset); 1039+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
1040 1040
1041- if (gethostname(lname, MAXHOSTNAMELEN)) { 1041- if (gethostname(lname, sizeof(lname))) {
1042- gss_release_oid_set(&status, &oidset); 1042- gss_release_oid_set(&status, &oidset);
1043- return (-1); 1043- return (-1);
1044- } 1044- }
1045+ if (gethostname(lname, MAXHOSTNAMELEN)) { 1045+ if (gethostname(lname, sizeof(lname))) {
1046+ gss_release_oid_set(&status, &oidset); 1046+ gss_release_oid_set(&status, &oidset);
1047+ return (-1); 1047+ return (-1);
1048+ } 1048+ }
@@ -1310,10 +1310,10 @@ index e61b37b..c33463b 100644
1310 1310
1311 #endif 1311 #endif
1312diff --git a/kex.c b/kex.c 1312diff --git a/kex.c b/kex.c
1313index 74e2b86..d114ee3 100644 1313index a173e70..891852b 100644
1314--- a/kex.c 1314--- a/kex.c
1315+++ b/kex.c 1315+++ b/kex.c
1316@@ -51,6 +51,10 @@ 1316@@ -53,6 +53,10 @@
1317 #include "roaming.h" 1317 #include "roaming.h"
1318 #include "digest.h" 1318 #include "digest.h"
1319 1319
@@ -1324,8 +1324,8 @@ index 74e2b86..d114ee3 100644
1324 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1324 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1325 # if defined(HAVE_EVP_SHA256) 1325 # if defined(HAVE_EVP_SHA256)
1326 # define evp_ssh_sha256 EVP_sha256 1326 # define evp_ssh_sha256 EVP_sha256
1327@@ -92,6 +96,14 @@ static const struct kexalg kexalgs[] = { 1327@@ -96,6 +100,14 @@ static const struct kexalg kexalgs[] = {
1328 #endif 1328 #endif /* HAVE_EVP_SHA256 */
1329 { NULL, -1, -1, -1}, 1329 { NULL, -1, -1, -1},
1330 }; 1330 };
1331+static const struct kexalg kexalg_prefixes[] = { 1331+static const struct kexalg kexalg_prefixes[] = {
@@ -1339,7 +1339,7 @@ index 74e2b86..d114ee3 100644
1339 1339
1340 char * 1340 char *
1341 kex_alg_list(char sep) 1341 kex_alg_list(char sep)
1342@@ -120,6 +132,10 @@ kex_alg_by_name(const char *name) 1342@@ -124,6 +136,10 @@ kex_alg_by_name(const char *name)
1343 if (strcmp(k->name, name) == 0) 1343 if (strcmp(k->name, name) == 0)
1344 return k; 1344 return k;
1345 } 1345 }
@@ -1351,7 +1351,7 @@ index 74e2b86..d114ee3 100644
1351 } 1351 }
1352 1352
1353diff --git a/kex.h b/kex.h 1353diff --git a/kex.h b/kex.h
1354index c85680e..ea698c4 100644 1354index 4c40ec8..c179a4d 100644
1355--- a/kex.h 1355--- a/kex.h
1356+++ b/kex.h 1356+++ b/kex.h
1357@@ -76,6 +76,9 @@ enum kex_exchange { 1357@@ -76,6 +76,9 @@ enum kex_exchange {
@@ -1729,10 +1729,10 @@ index 0000000..92a31c5
1729+#endif /* GSSAPI */ 1729+#endif /* GSSAPI */
1730diff --git a/kexgsss.c b/kexgsss.c 1730diff --git a/kexgsss.c b/kexgsss.c
1731new file mode 100644 1731new file mode 100644
1732index 0000000..8095259 1732index 0000000..6a0ece8
1733--- /dev/null 1733--- /dev/null
1734+++ b/kexgsss.c 1734+++ b/kexgsss.c
1735@@ -0,0 +1,289 @@ 1735@@ -0,0 +1,290 @@
1736+/* 1736+/*
1737+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1737+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1738+ * 1738+ *
@@ -1777,6 +1777,7 @@ index 0000000..8095259
1777+#include "dh.h" 1777+#include "dh.h"
1778+#include "ssh-gss.h" 1778+#include "ssh-gss.h"
1779+#include "monitor_wrap.h" 1779+#include "monitor_wrap.h"
1780+#include "misc.h"
1780+#include "servconf.h" 1781+#include "servconf.h"
1781+ 1782+
1782+extern ServerOptions options; 1783+extern ServerOptions options;
@@ -2022,44 +2023,11 @@ index 0000000..8095259
2022+ ssh_gssapi_rekey_creds(); 2023+ ssh_gssapi_rekey_creds();
2023+} 2024+}
2024+#endif /* GSSAPI */ 2025+#endif /* GSSAPI */
2025diff --git a/key.c b/key.c
2026index 168e1b7..3d640e7 100644
2027--- a/key.c
2028+++ b/key.c
2029@@ -985,6 +985,7 @@ static const struct keytype keytypes[] = {
2030 KEY_DSA_CERT_V00, 0, 1 },
2031 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
2032 KEY_ED25519_CERT, 0, 1 },
2033+ { "null", "null", KEY_NULL, 0, 0 },
2034 { NULL, NULL, -1, -1, 0 }
2035 };
2036
2037@@ -1063,7 +1064,7 @@ key_alg_list(int certs_only, int plain_only)
2038 const struct keytype *kt;
2039
2040 for (kt = keytypes; kt->type != -1; kt++) {
2041- if (kt->name == NULL)
2042+ if (kt->name == NULL || kt->type == KEY_NULL)
2043 continue;
2044 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
2045 continue;
2046diff --git a/key.h b/key.h
2047index d8ad13d..c8aeba2 100644
2048--- a/key.h
2049+++ b/key.h
2050@@ -46,6 +46,7 @@ enum types {
2051 KEY_ED25519_CERT,
2052 KEY_RSA_CERT_V00,
2053 KEY_DSA_CERT_V00,
2054+ KEY_NULL,
2055 KEY_UNSPEC
2056 };
2057 enum fp_type {
2058diff --git a/monitor.c b/monitor.c 2026diff --git a/monitor.c b/monitor.c
2059index 531c4f9..2918814 100644 2027index dbe29f1..b0896ef 100644
2060--- a/monitor.c 2028--- a/monitor.c
2061+++ b/monitor.c 2029+++ b/monitor.c
2062@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2030@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
2063 int mm_answer_gss_accept_ctx(int, Buffer *); 2031 int mm_answer_gss_accept_ctx(int, Buffer *);
2064 int mm_answer_gss_userok(int, Buffer *); 2032 int mm_answer_gss_userok(int, Buffer *);
2065 int mm_answer_gss_checkmic(int, Buffer *); 2033 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2068,7 +2036,7 @@ index 531c4f9..2918814 100644
2068 #endif 2036 #endif
2069 2037
2070 #ifdef SSH_AUDIT_EVENTS 2038 #ifdef SSH_AUDIT_EVENTS
2071@@ -247,11 +249,18 @@ struct mon_table mon_dispatch_proto20[] = { 2039@@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = {
2072 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2040 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2073 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2041 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2074 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2042 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2084,10 +2052,10 @@ index 531c4f9..2918814 100644
2084+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, 2052+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
2085+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, 2053+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
2086+#endif 2054+#endif
2055 #ifdef WITH_OPENSSL
2087 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2056 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2088 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2057 #endif
2089 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2058@@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2090@@ -360,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2091 /* Permit requests for moduli and signatures */ 2059 /* Permit requests for moduli and signatures */
2092 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2060 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2093 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2061 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2098,7 +2066,7 @@ index 531c4f9..2918814 100644
2098 } else { 2066 } else {
2099 mon_dispatch = mon_dispatch_proto15; 2067 mon_dispatch = mon_dispatch_proto15;
2100 2068
2101@@ -465,6 +478,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2069@@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2102 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2070 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2103 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2071 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2104 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2072 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2109,9 +2077,9 @@ index 531c4f9..2918814 100644
2109 } else { 2077 } else {
2110 mon_dispatch = mon_dispatch_postauth15; 2078 mon_dispatch = mon_dispatch_postauth15;
2111 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2079 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2112@@ -1834,6 +1851,13 @@ mm_get_kex(Buffer *m) 2080@@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m)
2113 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2114 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2081 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
2082 #endif
2115 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2083 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
2116+#ifdef GSSAPI 2084+#ifdef GSSAPI
2117+ if (options.gss_keyex) { 2085+ if (options.gss_keyex) {
@@ -2123,7 +2091,7 @@ index 531c4f9..2918814 100644
2123 kex->server = 1; 2091 kex->server = 1;
2124 kex->hostkey_type = buffer_get_int(m); 2092 kex->hostkey_type = buffer_get_int(m);
2125 kex->kex_type = buffer_get_int(m); 2093 kex->kex_type = buffer_get_int(m);
2126@@ -2041,6 +2065,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2094@@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2127 OM_uint32 major; 2095 OM_uint32 major;
2128 u_int len; 2096 u_int len;
2129 2097
@@ -2133,7 +2101,7 @@ index 531c4f9..2918814 100644
2133 goid.elements = buffer_get_string(m, &len); 2101 goid.elements = buffer_get_string(m, &len);
2134 goid.length = len; 2102 goid.length = len;
2135 2103
2136@@ -2068,6 +2095,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2104@@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2137 OM_uint32 flags = 0; /* GSI needs this */ 2105 OM_uint32 flags = 0; /* GSI needs this */
2138 u_int len; 2106 u_int len;
2139 2107
@@ -2143,7 +2111,7 @@ index 531c4f9..2918814 100644
2143 in.value = buffer_get_string(m, &len); 2111 in.value = buffer_get_string(m, &len);
2144 in.length = len; 2112 in.length = len;
2145 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2113 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2146@@ -2085,6 +2115,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2114@@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2147 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2115 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2148 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2116 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2149 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2117 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2151,7 +2119,7 @@ index 531c4f9..2918814 100644
2151 } 2119 }
2152 return (0); 2120 return (0);
2153 } 2121 }
2154@@ -2096,6 +2127,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2122@@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2155 OM_uint32 ret; 2123 OM_uint32 ret;
2156 u_int len; 2124 u_int len;
2157 2125
@@ -2161,7 +2129,7 @@ index 531c4f9..2918814 100644
2161 gssbuf.value = buffer_get_string(m, &len); 2129 gssbuf.value = buffer_get_string(m, &len);
2162 gssbuf.length = len; 2130 gssbuf.length = len;
2163 mic.value = buffer_get_string(m, &len); 2131 mic.value = buffer_get_string(m, &len);
2164@@ -2122,7 +2156,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2132@@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2165 { 2133 {
2166 int authenticated; 2134 int authenticated;
2167 2135
@@ -2174,7 +2142,7 @@ index 531c4f9..2918814 100644
2174 2142
2175 buffer_clear(m); 2143 buffer_clear(m);
2176 buffer_put_int(m, authenticated); 2144 buffer_put_int(m, authenticated);
2177@@ -2135,5 +2173,73 @@ mm_answer_gss_userok(int sock, Buffer *m) 2145@@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
2178 /* Monitor loop will terminate if authenticated */ 2146 /* Monitor loop will terminate if authenticated */
2179 return (authenticated); 2147 return (authenticated);
2180 } 2148 }
@@ -2263,10 +2231,10 @@ index 5bc41b5..7f32b0c 100644
2263 2231
2264 struct mm_master; 2232 struct mm_master;
2265diff --git a/monitor_wrap.c b/monitor_wrap.c 2233diff --git a/monitor_wrap.c b/monitor_wrap.c
2266index 1a47e41..60b987d 100644 2234index 45dc169..e476f0d 100644
2267--- a/monitor_wrap.c 2235--- a/monitor_wrap.c
2268+++ b/monitor_wrap.c 2236+++ b/monitor_wrap.c
2269@@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2237@@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2270 } 2238 }
2271 2239
2272 int 2240 int
@@ -2275,7 +2243,7 @@ index 1a47e41..60b987d 100644
2275 { 2243 {
2276 Buffer m; 2244 Buffer m;
2277 int authenticated = 0; 2245 int authenticated = 0;
2278@@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user) 2246@@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user)
2279 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2247 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2280 return (authenticated); 2248 return (authenticated);
2281 } 2249 }
@@ -2343,10 +2311,10 @@ index 18c2501..a4e9d24 100644
2343 2311
2344 #ifdef USE_PAM 2312 #ifdef USE_PAM
2345diff --git a/readconf.c b/readconf.c 2313diff --git a/readconf.c b/readconf.c
2346index dc884c9..7613ff2 100644 2314index 7948ce1..9127e93 100644
2347--- a/readconf.c 2315--- a/readconf.c
2348+++ b/readconf.c 2316+++ b/readconf.c
2349@@ -141,6 +141,8 @@ typedef enum { 2317@@ -142,6 +142,8 @@ typedef enum {
2350 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2318 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2351 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2319 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2352 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2320 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2355,7 +2323,7 @@ index dc884c9..7613ff2 100644
2355 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2323 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2356 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2324 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2357 oHashKnownHosts, 2325 oHashKnownHosts,
2358@@ -183,10 +185,19 @@ static struct { 2326@@ -185,10 +187,19 @@ static struct {
2359 { "afstokenpassing", oUnsupported }, 2327 { "afstokenpassing", oUnsupported },
2360 #if defined(GSSAPI) 2328 #if defined(GSSAPI)
2361 { "gssapiauthentication", oGssAuthentication }, 2329 { "gssapiauthentication", oGssAuthentication },
@@ -2375,7 +2343,7 @@ index dc884c9..7613ff2 100644
2375 #endif 2343 #endif
2376 { "fallbacktorsh", oDeprecated }, 2344 { "fallbacktorsh", oDeprecated },
2377 { "usersh", oDeprecated }, 2345 { "usersh", oDeprecated },
2378@@ -841,10 +852,30 @@ parse_time: 2346@@ -865,10 +876,30 @@ parse_time:
2379 intptr = &options->gss_authentication; 2347 intptr = &options->gss_authentication;
2380 goto parse_flag; 2348 goto parse_flag;
2381 2349
@@ -2406,7 +2374,7 @@ index dc884c9..7613ff2 100644
2406 case oBatchMode: 2374 case oBatchMode:
2407 intptr = &options->batch_mode; 2375 intptr = &options->batch_mode;
2408 goto parse_flag; 2376 goto parse_flag;
2409@@ -1497,7 +1528,12 @@ initialize_options(Options * options) 2377@@ -1538,7 +1569,12 @@ initialize_options(Options * options)
2410 options->pubkey_authentication = -1; 2378 options->pubkey_authentication = -1;
2411 options->challenge_response_authentication = -1; 2379 options->challenge_response_authentication = -1;
2412 options->gss_authentication = -1; 2380 options->gss_authentication = -1;
@@ -2419,7 +2387,7 @@ index dc884c9..7613ff2 100644
2419 options->password_authentication = -1; 2387 options->password_authentication = -1;
2420 options->kbd_interactive_authentication = -1; 2388 options->kbd_interactive_authentication = -1;
2421 options->kbd_interactive_devices = NULL; 2389 options->kbd_interactive_devices = NULL;
2422@@ -1616,8 +1652,14 @@ fill_default_options(Options * options) 2390@@ -1661,8 +1697,14 @@ fill_default_options(Options * options)
2423 options->challenge_response_authentication = 1; 2391 options->challenge_response_authentication = 1;
2424 if (options->gss_authentication == -1) 2392 if (options->gss_authentication == -1)
2425 options->gss_authentication = 0; 2393 options->gss_authentication = 0;
@@ -2435,10 +2403,10 @@ index dc884c9..7613ff2 100644
2435 options->password_authentication = 1; 2403 options->password_authentication = 1;
2436 if (options->kbd_interactive_authentication == -1) 2404 if (options->kbd_interactive_authentication == -1)
2437diff --git a/readconf.h b/readconf.h 2405diff --git a/readconf.h b/readconf.h
2438index 75e3f8f..5cc97f0 100644 2406index 0b9cb77..0e29889 100644
2439--- a/readconf.h 2407--- a/readconf.h
2440+++ b/readconf.h 2408+++ b/readconf.h
2441@@ -54,7 +54,12 @@ typedef struct { 2409@@ -45,7 +45,12 @@ typedef struct {
2442 int challenge_response_authentication; 2410 int challenge_response_authentication;
2443 /* Try S/Key or TIS, authentication. */ 2411 /* Try S/Key or TIS, authentication. */
2444 int gss_authentication; /* Try GSS authentication */ 2412 int gss_authentication; /* Try GSS authentication */
@@ -2452,10 +2420,10 @@ index 75e3f8f..5cc97f0 100644
2452 * authentication. */ 2420 * authentication. */
2453 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2421 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2454diff --git a/servconf.c b/servconf.c 2422diff --git a/servconf.c b/servconf.c
2455index 7ba65d5..0083cf8 100644 2423index b7f3294..cb3c831 100644
2456--- a/servconf.c 2424--- a/servconf.c
2457+++ b/servconf.c 2425+++ b/servconf.c
2458@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) 2426@@ -109,7 +109,10 @@ initialize_server_options(ServerOptions *options)
2459 options->kerberos_ticket_cleanup = -1; 2427 options->kerberos_ticket_cleanup = -1;
2460 options->kerberos_get_afs_token = -1; 2428 options->kerberos_get_afs_token = -1;
2461 options->gss_authentication=-1; 2429 options->gss_authentication=-1;
@@ -2466,7 +2434,7 @@ index 7ba65d5..0083cf8 100644
2466 options->password_authentication = -1; 2434 options->password_authentication = -1;
2467 options->kbd_interactive_authentication = -1; 2435 options->kbd_interactive_authentication = -1;
2468 options->challenge_response_authentication = -1; 2436 options->challenge_response_authentication = -1;
2469@@ -244,8 +247,14 @@ fill_default_server_options(ServerOptions *options) 2437@@ -250,8 +253,14 @@ fill_default_server_options(ServerOptions *options)
2470 options->kerberos_get_afs_token = 0; 2438 options->kerberos_get_afs_token = 0;
2471 if (options->gss_authentication == -1) 2439 if (options->gss_authentication == -1)
2472 options->gss_authentication = 0; 2440 options->gss_authentication = 0;
@@ -2481,7 +2449,7 @@ index 7ba65d5..0083cf8 100644
2481 if (options->password_authentication == -1) 2449 if (options->password_authentication == -1)
2482 options->password_authentication = 1; 2450 options->password_authentication = 1;
2483 if (options->kbd_interactive_authentication == -1) 2451 if (options->kbd_interactive_authentication == -1)
2484@@ -340,7 +349,9 @@ typedef enum { 2452@@ -352,7 +361,9 @@ typedef enum {
2485 sBanner, sUseDNS, sHostbasedAuthentication, 2453 sBanner, sUseDNS, sHostbasedAuthentication,
2486 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2454 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2487 sClientAliveCountMax, sAuthorizedKeysFile, 2455 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2492,7 +2460,7 @@ index 7ba65d5..0083cf8 100644
2492 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2460 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2493 sUsePrivilegeSeparation, sAllowAgentForwarding, 2461 sUsePrivilegeSeparation, sAllowAgentForwarding,
2494 sHostCertificate, 2462 sHostCertificate,
2495@@ -407,10 +418,20 @@ static struct { 2463@@ -421,10 +432,20 @@ static struct {
2496 #ifdef GSSAPI 2464 #ifdef GSSAPI
2497 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2465 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2498 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2466 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2513,7 +2481,7 @@ index 7ba65d5..0083cf8 100644
2513 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2481 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2514 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2482 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2515 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2483 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2516@@ -1086,10 +1107,22 @@ process_server_config_line(ServerOptions *options, char *line, 2484@@ -1104,10 +1125,22 @@ process_server_config_line(ServerOptions *options, char *line,
2517 intptr = &options->gss_authentication; 2485 intptr = &options->gss_authentication;
2518 goto parse_flag; 2486 goto parse_flag;
2519 2487
@@ -2536,7 +2504,7 @@ index 7ba65d5..0083cf8 100644
2536 case sPasswordAuthentication: 2504 case sPasswordAuthentication:
2537 intptr = &options->password_authentication; 2505 intptr = &options->password_authentication;
2538 goto parse_flag; 2506 goto parse_flag;
2539@@ -1995,7 +2028,10 @@ dump_config(ServerOptions *o) 2507@@ -2042,7 +2075,10 @@ dump_config(ServerOptions *o)
2540 #endif 2508 #endif
2541 #ifdef GSSAPI 2509 #ifdef GSSAPI
2542 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2510 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2548,10 +2516,10 @@ index 7ba65d5..0083cf8 100644
2548 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2516 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2549 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2517 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2550diff --git a/servconf.h b/servconf.h 2518diff --git a/servconf.h b/servconf.h
2551index 752d1c5..c922eb5 100644 2519index 766db3a..f8265a8 100644
2552--- a/servconf.h 2520--- a/servconf.h
2553+++ b/servconf.h 2521+++ b/servconf.h
2554@@ -112,7 +112,10 @@ typedef struct { 2522@@ -113,7 +113,10 @@ typedef struct {
2555 int kerberos_get_afs_token; /* If true, try to get AFS token if 2523 int kerberos_get_afs_token; /* If true, try to get AFS token if
2556 * authenticated with Kerberos. */ 2524 * authenticated with Kerberos. */
2557 int gss_authentication; /* If true, permit GSSAPI authentication */ 2525 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2679,10 +2647,10 @@ index 03a228f..228e5ab 100644
2679 # CheckHostIP yes 2647 # CheckHostIP yes
2680 # AddressFamily any 2648 # AddressFamily any
2681diff --git a/ssh_config.5 b/ssh_config.5 2649diff --git a/ssh_config.5 b/ssh_config.5
2682index b580392..e7accd6 100644 2650index f9ede7a..e6649ac 100644
2683--- a/ssh_config.5 2651--- a/ssh_config.5
2684+++ b/ssh_config.5 2652+++ b/ssh_config.5
2685@@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed. 2653@@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
2686 The default is 2654 The default is
2687 .Dq no . 2655 .Dq no .
2688 Note that this option applies to protocol version 2 only. 2656 Note that this option applies to protocol version 2 only.
@@ -2728,11 +2696,11 @@ index b580392..e7accd6 100644
2728 Indicates that 2696 Indicates that
2729 .Xr ssh 1 2697 .Xr ssh 1
2730diff --git a/sshconnect2.c b/sshconnect2.c 2698diff --git a/sshconnect2.c b/sshconnect2.c
2731index 7f4ff41..66cb035 100644 2699index 68f7f4f..7b478f1 100644
2732--- a/sshconnect2.c 2700--- a/sshconnect2.c
2733+++ b/sshconnect2.c 2701+++ b/sshconnect2.c
2734@@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2702@@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2735 { 2703 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
2736 Kex *kex; 2704 Kex *kex;
2737 2705
2738+#ifdef GSSAPI 2706+#ifdef GSSAPI
@@ -2766,9 +2734,9 @@ index 7f4ff41..66cb035 100644
2766 if (options.ciphers == (char *)-1) { 2734 if (options.ciphers == (char *)-1) {
2767 logit("No valid ciphers for protocol version 2 given, using defaults."); 2735 logit("No valid ciphers for protocol version 2 given, using defaults.");
2768 options.ciphers = NULL; 2736 options.ciphers = NULL;
2769@@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2737@@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2770 if (options.kex_algorithms != NULL) 2738 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
2771 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2739 myproposal[PROPOSAL_KEX_ALGS]);
2772 2740
2773+#ifdef GSSAPI 2741+#ifdef GSSAPI
2774+ /* If we've got GSSAPI algorithms, then we also support the 2742+ /* If we've got GSSAPI algorithms, then we also support the
@@ -2784,9 +2752,9 @@ index 7f4ff41..66cb035 100644
2784 if (options.rekey_limit || options.rekey_interval) 2752 if (options.rekey_limit || options.rekey_interval)
2785 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2753 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2786 (time_t)options.rekey_interval); 2754 (time_t)options.rekey_interval);
2787@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2755@@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2788 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2789 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2756 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
2757 #endif
2790 kex->kex[KEX_C25519_SHA256] = kexc25519_client; 2758 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
2791+#ifdef GSSAPI 2759+#ifdef GSSAPI
2792+ if (options.gss_keyex) { 2760+ if (options.gss_keyex) {
@@ -2815,7 +2783,7 @@ index 7f4ff41..66cb035 100644
2815 xxx_kex = kex; 2783 xxx_kex = kex;
2816 2784
2817 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2785 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2818@@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *); 2786@@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
2819 void input_gssapi_hash(int type, u_int32_t, void *); 2787 void input_gssapi_hash(int type, u_int32_t, void *);
2820 void input_gssapi_error(int, u_int32_t, void *); 2788 void input_gssapi_error(int, u_int32_t, void *);
2821 void input_gssapi_errtok(int, u_int32_t, void *); 2789 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2823,7 +2791,7 @@ index 7f4ff41..66cb035 100644
2823 #endif 2791 #endif
2824 2792
2825 void userauth(Authctxt *, char *); 2793 void userauth(Authctxt *, char *);
2826@@ -316,6 +373,11 @@ static char *authmethods_get(void); 2794@@ -321,6 +378,11 @@ static char *authmethods_get(void);
2827 2795
2828 Authmethod authmethods[] = { 2796 Authmethod authmethods[] = {
2829 #ifdef GSSAPI 2797 #ifdef GSSAPI
@@ -2835,7 +2803,7 @@ index 7f4ff41..66cb035 100644
2835 {"gssapi-with-mic", 2803 {"gssapi-with-mic",
2836 userauth_gssapi, 2804 userauth_gssapi,
2837 NULL, 2805 NULL,
2838@@ -612,19 +674,31 @@ userauth_gssapi(Authctxt *authctxt) 2806@@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt)
2839 static u_int mech = 0; 2807 static u_int mech = 0;
2840 OM_uint32 min; 2808 OM_uint32 min;
2841 int ok = 0; 2809 int ok = 0;
@@ -2869,7 +2837,7 @@ index 7f4ff41..66cb035 100644
2869 ok = 1; /* Mechanism works */ 2837 ok = 1; /* Mechanism works */
2870 } else { 2838 } else {
2871 mech++; 2839 mech++;
2872@@ -721,8 +795,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 2840@@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2873 { 2841 {
2874 Authctxt *authctxt = ctxt; 2842 Authctxt *authctxt = ctxt;
2875 Gssctxt *gssctxt; 2843 Gssctxt *gssctxt;
@@ -2880,7 +2848,7 @@ index 7f4ff41..66cb035 100644
2880 2848
2881 if (authctxt == NULL) 2849 if (authctxt == NULL)
2882 fatal("input_gssapi_response: no authentication context"); 2850 fatal("input_gssapi_response: no authentication context");
2883@@ -831,6 +905,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 2851@@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2884 free(msg); 2852 free(msg);
2885 free(lang); 2853 free(lang);
2886 } 2854 }
@@ -2930,10 +2898,10 @@ index 7f4ff41..66cb035 100644
2930 2898
2931 int 2899 int
2932diff --git a/sshd.c b/sshd.c 2900diff --git a/sshd.c b/sshd.c
2933index 7523de9..d787fea 100644 2901index 481d001..e6706a8 100644
2934--- a/sshd.c 2902--- a/sshd.c
2935+++ b/sshd.c 2903+++ b/sshd.c
2936@@ -122,6 +122,10 @@ 2904@@ -123,6 +123,10 @@
2937 #include "ssh-sandbox.h" 2905 #include "ssh-sandbox.h"
2938 #include "version.h" 2906 #include "version.h"
2939 2907
@@ -2941,10 +2909,10 @@ index 7523de9..d787fea 100644
2941+#include <Security/AuthSession.h> 2909+#include <Security/AuthSession.h>
2942+#endif 2910+#endif
2943+ 2911+
2944 #ifdef LIBWRAP 2912 #ifndef O_NOCTTY
2945 #include <tcpd.h> 2913 #define O_NOCTTY 0
2946 #include <syslog.h> 2914 #endif
2947@@ -1728,10 +1732,13 @@ main(int ac, char **av) 2915@@ -1745,10 +1749,13 @@ main(int ac, char **av)
2948 logit("Disabling protocol version 1. Could not load host key"); 2916 logit("Disabling protocol version 1. Could not load host key");
2949 options.protocol &= ~SSH_PROTO_1; 2917 options.protocol &= ~SSH_PROTO_1;
2950 } 2918 }
@@ -2958,7 +2926,7 @@ index 7523de9..d787fea 100644
2958 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2926 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2959 logit("sshd: no hostkeys available -- exiting."); 2927 logit("sshd: no hostkeys available -- exiting.");
2960 exit(1); 2928 exit(1);
2961@@ -2058,6 +2065,60 @@ main(int ac, char **av) 2929@@ -2060,6 +2067,60 @@ main(int ac, char **av)
2962 remote_ip, remote_port, 2930 remote_ip, remote_port,
2963 get_local_ipaddr(sock_in), get_local_port()); 2931 get_local_ipaddr(sock_in), get_local_port());
2964 2932
@@ -3019,7 +2987,7 @@ index 7523de9..d787fea 100644
3019 /* 2987 /*
3020 * We don't want to listen forever unless the other side 2988 * We don't want to listen forever unless the other side
3021 * successfully authenticates itself. So we set up an alarm which is 2989 * successfully authenticates itself. So we set up an alarm which is
3022@@ -2469,6 +2530,48 @@ do_ssh2_kex(void) 2990@@ -2482,6 +2543,48 @@ do_ssh2_kex(void)
3023 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 2991 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3024 list_hostkey_types()); 2992 list_hostkey_types());
3025 2993
@@ -3067,10 +3035,10 @@ index 7523de9..d787fea 100644
3067+ 3035+
3068 /* start key exchange */ 3036 /* start key exchange */
3069 kex = kex_setup(myproposal); 3037 kex = kex_setup(myproposal);
3070 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3038 #ifdef WITH_OPENSSL
3071@@ -2477,6 +2580,13 @@ do_ssh2_kex(void) 3039@@ -2492,6 +2595,13 @@ do_ssh2_kex(void)
3072 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3073 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3040 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
3041 #endif
3074 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3042 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
3075+#ifdef GSSAPI 3043+#ifdef GSSAPI
3076+ if (options.gss_keyex) { 3044+ if (options.gss_keyex) {
@@ -3096,10 +3064,10 @@ index e9045bc..d9b8594 100644
3096 # Set this to 'yes' to enable PAM authentication, account processing, 3064 # Set this to 'yes' to enable PAM authentication, account processing,
3097 # and session processing. If this is enabled, PAM authentication will 3065 # and session processing. If this is enabled, PAM authentication will
3098diff --git a/sshd_config.5 b/sshd_config.5 3066diff --git a/sshd_config.5 b/sshd_config.5
3099index ce71efe..ceed88a 100644 3067index fd44abe..c8b43da 100644
3100--- a/sshd_config.5 3068--- a/sshd_config.5
3101+++ b/sshd_config.5 3069+++ b/sshd_config.5
3102@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. 3070@@ -527,12 +527,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
3103 The default is 3071 The default is
3104 .Dq no . 3072 .Dq no .
3105 Note that this option applies to protocol version 2 only. 3073 Note that this option applies to protocol version 2 only.
@@ -3140,3 +3108,36 @@ index ce71efe..ceed88a 100644
3140 .It Cm HostbasedAuthentication 3108 .It Cm HostbasedAuthentication
3141 Specifies whether rhosts or /etc/hosts.equiv authentication together 3109 Specifies whether rhosts or /etc/hosts.equiv authentication together
3142 with successful public key client host authentication is allowed 3110 with successful public key client host authentication is allowed
3111diff --git a/sshkey.c b/sshkey.c
3112index fdd0c8a..1a96eae 100644
3113--- a/sshkey.c
3114+++ b/sshkey.c
3115@@ -110,6 +110,7 @@ static const struct keytype keytypes[] = {
3116 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
3117 KEY_DSA_CERT_V00, 0, 1 },
3118 #endif /* WITH_OPENSSL */
3119+ { "null", "null", KEY_NULL, 0, 0 },
3120 { NULL, NULL, -1, -1, 0 }
3121 };
3122
3123@@ -198,7 +199,7 @@ key_alg_list(int certs_only, int plain_only)
3124 const struct keytype *kt;
3125
3126 for (kt = keytypes; kt->type != -1; kt++) {
3127- if (kt->name == NULL)
3128+ if (kt->name == NULL || kt->type == KEY_NULL)
3129 continue;
3130 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
3131 continue;
3132diff --git a/sshkey.h b/sshkey.h
3133index 450b30c..b573e7f 100644
3134--- a/sshkey.h
3135+++ b/sshkey.h
3136@@ -64,6 +64,7 @@ enum sshkey_types {
3137 KEY_ED25519_CERT,
3138 KEY_RSA_CERT_V00,
3139 KEY_DSA_CERT_V00,
3140+ KEY_NULL,
3141 KEY_UNSPEC
3142 };
3143