Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 123 |
1 files changed, 62 insertions, 61 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 786500feb..7690e5824 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support | |||
13 | security history. | 13 | security history. |
14 | Author: Simon Wilkinson <simon@sxw.org.uk> | 14 | Author: Simon Wilkinson <simon@sxw.org.uk> |
15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
16 | Last-Updated: 2012-09-07 | 16 | Last-Updated: 2013-05-07 |
17 | 17 | ||
18 | Index: b/ChangeLog.gssapi | 18 | Index: b/ChangeLog.gssapi |
19 | =================================================================== | 19 | =================================================================== |
@@ -137,15 +137,15 @@ Index: b/Makefile.in | |||
137 | =================================================================== | 137 | =================================================================== |
138 | --- a/Makefile.in | 138 | --- a/Makefile.in |
139 | +++ b/Makefile.in | 139 | +++ b/Makefile.in |
140 | @@ -70,6 +70,7 @@ | 140 | @@ -72,6 +72,7 @@ |
141 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 141 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
142 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 142 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
143 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 143 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
144 | + kexgssc.o \ | 144 | + kexgssc.o \ |
145 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ | 145 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
146 | schnorr.o ssh-pkcs11.o | 146 | jpake.o schnorr.o ssh-pkcs11.o krl.o |
147 | 147 | ||
148 | @@ -86,7 +87,7 @@ | 148 | @@ -88,7 +89,7 @@ |
149 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | 149 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ |
150 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 150 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
151 | auth-krb5.o \ | 151 | auth-krb5.o \ |
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c | |||
210 | --- a/auth2-gss.c | 210 | --- a/auth2-gss.c |
211 | +++ b/auth2-gss.c | 211 | +++ b/auth2-gss.c |
212 | @@ -1,7 +1,7 @@ | 212 | @@ -1,7 +1,7 @@ |
213 | /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ | 213 | /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ |
214 | 214 | ||
215 | /* | 215 | /* |
216 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 216 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -280,7 +280,7 @@ Index: b/auth2-gss.c | |||
280 | logit("GSSAPI MIC check failed"); | 280 | logit("GSSAPI MIC check failed"); |
281 | 281 | ||
282 | @@ -294,6 +330,12 @@ | 282 | @@ -294,6 +330,12 @@ |
283 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | 283 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
284 | } | 284 | } |
285 | 285 | ||
286 | +Authmethod method_gsskeyex = { | 286 | +Authmethod method_gsskeyex = { |
@@ -327,7 +327,7 @@ Index: b/clientloop.c | |||
327 | /* import options */ | 327 | /* import options */ |
328 | extern Options options; | 328 | extern Options options; |
329 | 329 | ||
330 | @@ -1544,6 +1548,15 @@ | 330 | @@ -1599,6 +1603,15 @@ |
331 | /* Do channel operations unless rekeying in progress. */ | 331 | /* Do channel operations unless rekeying in progress. */ |
332 | if (!rekeying) { | 332 | if (!rekeying) { |
333 | channel_after_select(readset, writeset); | 333 | channel_after_select(readset, writeset); |
@@ -347,7 +347,7 @@ Index: b/config.h.in | |||
347 | =================================================================== | 347 | =================================================================== |
348 | --- a/config.h.in | 348 | --- a/config.h.in |
349 | +++ b/config.h.in | 349 | +++ b/config.h.in |
350 | @@ -1471,6 +1471,9 @@ | 350 | @@ -1511,6 +1511,9 @@ |
351 | /* Use btmp to log bad logins */ | 351 | /* Use btmp to log bad logins */ |
352 | #undef USE_BTMP | 352 | #undef USE_BTMP |
353 | 353 | ||
@@ -357,7 +357,7 @@ Index: b/config.h.in | |||
357 | /* Use libedit for sftp */ | 357 | /* Use libedit for sftp */ |
358 | #undef USE_LIBEDIT | 358 | #undef USE_LIBEDIT |
359 | 359 | ||
360 | @@ -1486,6 +1489,9 @@ | 360 | @@ -1526,6 +1529,9 @@ |
361 | /* Use PIPES instead of a socketpair() */ | 361 | /* Use PIPES instead of a socketpair() */ |
362 | #undef USE_PIPES | 362 | #undef USE_PIPES |
363 | 363 | ||
@@ -371,7 +371,7 @@ Index: b/configure | |||
371 | =================================================================== | 371 | =================================================================== |
372 | --- a/configure | 372 | --- a/configure |
373 | +++ b/configure | 373 | +++ b/configure |
374 | @@ -6608,6 +6608,63 @@ | 374 | @@ -6588,6 +6588,63 @@ |
375 | 375 | ||
376 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | 376 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h |
377 | 377 | ||
@@ -439,7 +439,7 @@ Index: b/configure.ac | |||
439 | =================================================================== | 439 | =================================================================== |
440 | --- a/configure.ac | 440 | --- a/configure.ac |
441 | +++ b/configure.ac | 441 | +++ b/configure.ac |
442 | @@ -545,6 +545,30 @@ | 442 | @@ -533,6 +533,30 @@ |
443 | [Use tunnel device compatibility to OpenBSD]) | 443 | [Use tunnel device compatibility to OpenBSD]) |
444 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 444 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
445 | [Prepend the address family to IP tunnel traffic]) | 445 | [Prepend the address family to IP tunnel traffic]) |
@@ -1277,7 +1277,7 @@ Index: b/kex.c | |||
1277 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1277 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1278 | # if defined(HAVE_EVP_SHA256) | 1278 | # if defined(HAVE_EVP_SHA256) |
1279 | # define evp_ssh_sha256 EVP_sha256 | 1279 | # define evp_ssh_sha256 EVP_sha256 |
1280 | @@ -358,6 +362,20 @@ | 1280 | @@ -369,6 +373,20 @@ |
1281 | k->kex_type = KEX_ECDH_SHA2; | 1281 | k->kex_type = KEX_ECDH_SHA2; |
1282 | k->evp_md = kex_ecdh_name_to_evpmd(k->name); | 1282 | k->evp_md = kex_ecdh_name_to_evpmd(k->name); |
1283 | #endif | 1283 | #endif |
@@ -1312,7 +1312,7 @@ Index: b/kex.h | |||
1312 | KEX_MAX | 1312 | KEX_MAX |
1313 | }; | 1313 | }; |
1314 | 1314 | ||
1315 | @@ -129,6 +132,12 @@ | 1315 | @@ -131,6 +134,12 @@ |
1316 | sig_atomic_t done; | 1316 | sig_atomic_t done; |
1317 | int flags; | 1317 | int flags; |
1318 | const EVP_MD *evp_md; | 1318 | const EVP_MD *evp_md; |
@@ -1325,7 +1325,7 @@ Index: b/kex.h | |||
1325 | char *client_version_string; | 1325 | char *client_version_string; |
1326 | char *server_version_string; | 1326 | char *server_version_string; |
1327 | int (*verify_host_key)(Key *); | 1327 | int (*verify_host_key)(Key *); |
1328 | @@ -156,6 +165,11 @@ | 1328 | @@ -158,6 +167,11 @@ |
1329 | void kexecdh_client(Kex *); | 1329 | void kexecdh_client(Kex *); |
1330 | void kexecdh_server(Kex *); | 1330 | void kexecdh_server(Kex *); |
1331 | 1331 | ||
@@ -2016,7 +2016,7 @@ Index: b/monitor.c | |||
2016 | #endif | 2016 | #endif |
2017 | 2017 | ||
2018 | #ifdef SSH_AUDIT_EVENTS | 2018 | #ifdef SSH_AUDIT_EVENTS |
2019 | @@ -251,6 +253,7 @@ | 2019 | @@ -252,6 +254,7 @@ |
2020 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2020 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2021 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2021 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2022 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2022 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2024,7 +2024,7 @@ Index: b/monitor.c | |||
2024 | #endif | 2024 | #endif |
2025 | #ifdef JPAKE | 2025 | #ifdef JPAKE |
2026 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, | 2026 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, |
2027 | @@ -263,6 +266,12 @@ | 2027 | @@ -264,6 +267,12 @@ |
2028 | }; | 2028 | }; |
2029 | 2029 | ||
2030 | struct mon_table mon_dispatch_postauth20[] = { | 2030 | struct mon_table mon_dispatch_postauth20[] = { |
@@ -2037,7 +2037,7 @@ Index: b/monitor.c | |||
2037 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2037 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2038 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 2038 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, |
2039 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 2039 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, |
2040 | @@ -371,6 +380,10 @@ | 2040 | @@ -372,6 +381,10 @@ |
2041 | /* Permit requests for moduli and signatures */ | 2041 | /* Permit requests for moduli and signatures */ |
2042 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2042 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2043 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2043 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2048,7 +2048,7 @@ Index: b/monitor.c | |||
2048 | } else { | 2048 | } else { |
2049 | mon_dispatch = mon_dispatch_proto15; | 2049 | mon_dispatch = mon_dispatch_proto15; |
2050 | 2050 | ||
2051 | @@ -468,6 +481,10 @@ | 2051 | @@ -487,6 +500,10 @@ |
2052 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2052 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2053 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2053 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2054 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2054 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2059,7 +2059,7 @@ Index: b/monitor.c | |||
2059 | } else { | 2059 | } else { |
2060 | mon_dispatch = mon_dispatch_postauth15; | 2060 | mon_dispatch = mon_dispatch_postauth15; |
2061 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2061 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2062 | @@ -1800,6 +1817,13 @@ | 2062 | @@ -1836,6 +1853,13 @@ |
2063 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2063 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2064 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2064 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2065 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2065 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -2073,7 +2073,7 @@ Index: b/monitor.c | |||
2073 | kex->server = 1; | 2073 | kex->server = 1; |
2074 | kex->hostkey_type = buffer_get_int(m); | 2074 | kex->hostkey_type = buffer_get_int(m); |
2075 | kex->kex_type = buffer_get_int(m); | 2075 | kex->kex_type = buffer_get_int(m); |
2076 | @@ -2006,6 +2030,9 @@ | 2076 | @@ -2042,6 +2066,9 @@ |
2077 | OM_uint32 major; | 2077 | OM_uint32 major; |
2078 | u_int len; | 2078 | u_int len; |
2079 | 2079 | ||
@@ -2083,7 +2083,7 @@ Index: b/monitor.c | |||
2083 | goid.elements = buffer_get_string(m, &len); | 2083 | goid.elements = buffer_get_string(m, &len); |
2084 | goid.length = len; | 2084 | goid.length = len; |
2085 | 2085 | ||
2086 | @@ -2033,6 +2060,9 @@ | 2086 | @@ -2069,6 +2096,9 @@ |
2087 | OM_uint32 flags = 0; /* GSI needs this */ | 2087 | OM_uint32 flags = 0; /* GSI needs this */ |
2088 | u_int len; | 2088 | u_int len; |
2089 | 2089 | ||
@@ -2093,7 +2093,7 @@ Index: b/monitor.c | |||
2093 | in.value = buffer_get_string(m, &len); | 2093 | in.value = buffer_get_string(m, &len); |
2094 | in.length = len; | 2094 | in.length = len; |
2095 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2095 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2096 | @@ -2050,6 +2080,7 @@ | 2096 | @@ -2086,6 +2116,7 @@ |
2097 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2097 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2098 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2098 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2099 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2099 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2101,7 +2101,7 @@ Index: b/monitor.c | |||
2101 | } | 2101 | } |
2102 | return (0); | 2102 | return (0); |
2103 | } | 2103 | } |
2104 | @@ -2061,6 +2092,9 @@ | 2104 | @@ -2097,6 +2128,9 @@ |
2105 | OM_uint32 ret; | 2105 | OM_uint32 ret; |
2106 | u_int len; | 2106 | u_int len; |
2107 | 2107 | ||
@@ -2111,7 +2111,7 @@ Index: b/monitor.c | |||
2111 | gssbuf.value = buffer_get_string(m, &len); | 2111 | gssbuf.value = buffer_get_string(m, &len); |
2112 | gssbuf.length = len; | 2112 | gssbuf.length = len; |
2113 | mic.value = buffer_get_string(m, &len); | 2113 | mic.value = buffer_get_string(m, &len); |
2114 | @@ -2087,7 +2121,11 @@ | 2114 | @@ -2123,7 +2157,11 @@ |
2115 | { | 2115 | { |
2116 | int authenticated; | 2116 | int authenticated; |
2117 | 2117 | ||
@@ -2124,7 +2124,7 @@ Index: b/monitor.c | |||
2124 | 2124 | ||
2125 | buffer_clear(m); | 2125 | buffer_clear(m); |
2126 | buffer_put_int(m, authenticated); | 2126 | buffer_put_int(m, authenticated); |
2127 | @@ -2100,6 +2138,74 @@ | 2127 | @@ -2136,6 +2174,74 @@ |
2128 | /* Monitor loop will terminate if authenticated */ | 2128 | /* Monitor loop will terminate if authenticated */ |
2129 | return (authenticated); | 2129 | return (authenticated); |
2130 | } | 2130 | } |
@@ -2203,20 +2203,21 @@ Index: b/monitor.h | |||
2203 | =================================================================== | 2203 | =================================================================== |
2204 | --- a/monitor.h | 2204 | --- a/monitor.h |
2205 | +++ b/monitor.h | 2205 | +++ b/monitor.h |
2206 | @@ -53,6 +53,8 @@ | 2206 | @@ -70,6 +70,9 @@ |
2207 | MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, | 2207 | MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
2208 | MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, | 2208 | MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
2209 | MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, | 2209 | |
2210 | + MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, | 2210 | + MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201, |
2211 | + MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, | 2211 | + MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203, |
2212 | MONITOR_REQ_PAM_START, | 2212 | + |
2213 | MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, | 2213 | }; |
2214 | MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, | 2214 | |
2215 | struct mm_master; | ||
2215 | Index: b/monitor_wrap.c | 2216 | Index: b/monitor_wrap.c |
2216 | =================================================================== | 2217 | =================================================================== |
2217 | --- a/monitor_wrap.c | 2218 | --- a/monitor_wrap.c |
2218 | +++ b/monitor_wrap.c | 2219 | +++ b/monitor_wrap.c |
2219 | @@ -1270,7 +1270,7 @@ | 2220 | @@ -1271,7 +1271,7 @@ |
2220 | } | 2221 | } |
2221 | 2222 | ||
2222 | int | 2223 | int |
@@ -2225,7 +2226,7 @@ Index: b/monitor_wrap.c | |||
2225 | { | 2226 | { |
2226 | Buffer m; | 2227 | Buffer m; |
2227 | int authenticated = 0; | 2228 | int authenticated = 0; |
2228 | @@ -1287,6 +1287,51 @@ | 2229 | @@ -1288,6 +1288,51 @@ |
2229 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2230 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2230 | return (authenticated); | 2231 | return (authenticated); |
2231 | } | 2232 | } |
@@ -2406,7 +2407,7 @@ Index: b/servconf.c | |||
2406 | =================================================================== | 2407 | =================================================================== |
2407 | --- a/servconf.c | 2408 | --- a/servconf.c |
2408 | +++ b/servconf.c | 2409 | +++ b/servconf.c |
2409 | @@ -100,7 +100,10 @@ | 2410 | @@ -102,7 +102,10 @@ |
2410 | options->kerberos_ticket_cleanup = -1; | 2411 | options->kerberos_ticket_cleanup = -1; |
2411 | options->kerberos_get_afs_token = -1; | 2412 | options->kerberos_get_afs_token = -1; |
2412 | options->gss_authentication=-1; | 2413 | options->gss_authentication=-1; |
@@ -2417,7 +2418,7 @@ Index: b/servconf.c | |||
2417 | options->password_authentication = -1; | 2418 | options->password_authentication = -1; |
2418 | options->kbd_interactive_authentication = -1; | 2419 | options->kbd_interactive_authentication = -1; |
2419 | options->challenge_response_authentication = -1; | 2420 | options->challenge_response_authentication = -1; |
2420 | @@ -229,8 +232,14 @@ | 2421 | @@ -233,8 +236,14 @@ |
2421 | options->kerberos_get_afs_token = 0; | 2422 | options->kerberos_get_afs_token = 0; |
2422 | if (options->gss_authentication == -1) | 2423 | if (options->gss_authentication == -1) |
2423 | options->gss_authentication = 0; | 2424 | options->gss_authentication = 0; |
@@ -2432,7 +2433,7 @@ Index: b/servconf.c | |||
2432 | if (options->password_authentication == -1) | 2433 | if (options->password_authentication == -1) |
2433 | options->password_authentication = 1; | 2434 | options->password_authentication = 1; |
2434 | if (options->kbd_interactive_authentication == -1) | 2435 | if (options->kbd_interactive_authentication == -1) |
2435 | @@ -323,7 +332,9 @@ | 2436 | @@ -327,7 +336,9 @@ |
2436 | sBanner, sUseDNS, sHostbasedAuthentication, | 2437 | sBanner, sUseDNS, sHostbasedAuthentication, |
2437 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2438 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2438 | sClientAliveCountMax, sAuthorizedKeysFile, | 2439 | sClientAliveCountMax, sAuthorizedKeysFile, |
@@ -2443,7 +2444,7 @@ Index: b/servconf.c | |||
2443 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2444 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2444 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2445 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2445 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 2446 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2446 | @@ -387,10 +398,20 @@ | 2447 | @@ -393,10 +404,20 @@ |
2447 | #ifdef GSSAPI | 2448 | #ifdef GSSAPI |
2448 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2449 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2449 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2450 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2464,7 +2465,7 @@ Index: b/servconf.c | |||
2464 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2465 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2465 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2466 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2466 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2467 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2467 | @@ -1031,10 +1052,22 @@ | 2468 | @@ -1049,10 +1070,22 @@ |
2468 | intptr = &options->gss_authentication; | 2469 | intptr = &options->gss_authentication; |
2469 | goto parse_flag; | 2470 | goto parse_flag; |
2470 | 2471 | ||
@@ -2487,7 +2488,7 @@ Index: b/servconf.c | |||
2487 | case sPasswordAuthentication: | 2488 | case sPasswordAuthentication: |
2488 | intptr = &options->password_authentication; | 2489 | intptr = &options->password_authentication; |
2489 | goto parse_flag; | 2490 | goto parse_flag; |
2490 | @@ -1868,7 +1901,10 @@ | 2491 | @@ -1927,7 +1960,10 @@ |
2491 | #endif | 2492 | #endif |
2492 | #ifdef GSSAPI | 2493 | #ifdef GSSAPI |
2493 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2494 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2502,7 +2503,7 @@ Index: b/servconf.h | |||
2502 | =================================================================== | 2503 | =================================================================== |
2503 | --- a/servconf.h | 2504 | --- a/servconf.h |
2504 | +++ b/servconf.h | 2505 | +++ b/servconf.h |
2505 | @@ -103,7 +103,10 @@ | 2506 | @@ -110,7 +110,10 @@ |
2506 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2507 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2507 | * authenticated with Kerberos. */ | 2508 | * authenticated with Kerberos. */ |
2508 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2509 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2525,7 +2526,7 @@ Index: b/ssh-gss.h | |||
2525 | * | 2526 | * |
2526 | * Redistribution and use in source and binary forms, with or without | 2527 | * Redistribution and use in source and binary forms, with or without |
2527 | * modification, are permitted provided that the following conditions | 2528 | * modification, are permitted provided that the following conditions |
2528 | @@ -60,10 +60,22 @@ | 2529 | @@ -61,10 +61,22 @@ |
2529 | 2530 | ||
2530 | #define SSH_GSS_OIDTYPE 0x06 | 2531 | #define SSH_GSS_OIDTYPE 0x06 |
2531 | 2532 | ||
@@ -2548,7 +2549,7 @@ Index: b/ssh-gss.h | |||
2548 | void *data; | 2549 | void *data; |
2549 | } ssh_gssapi_ccache; | 2550 | } ssh_gssapi_ccache; |
2550 | 2551 | ||
2551 | @@ -71,8 +83,11 @@ | 2552 | @@ -72,8 +84,11 @@ |
2552 | gss_buffer_desc displayname; | 2553 | gss_buffer_desc displayname; |
2553 | gss_buffer_desc exportedname; | 2554 | gss_buffer_desc exportedname; |
2554 | gss_cred_id_t creds; | 2555 | gss_cred_id_t creds; |
@@ -2560,7 +2561,7 @@ Index: b/ssh-gss.h | |||
2560 | } ssh_gssapi_client; | 2561 | } ssh_gssapi_client; |
2561 | 2562 | ||
2562 | typedef struct ssh_gssapi_mech_struct { | 2563 | typedef struct ssh_gssapi_mech_struct { |
2563 | @@ -83,6 +98,7 @@ | 2564 | @@ -84,6 +99,7 @@ |
2564 | int (*userok) (ssh_gssapi_client *, char *); | 2565 | int (*userok) (ssh_gssapi_client *, char *); |
2565 | int (*localname) (ssh_gssapi_client *, char **); | 2566 | int (*localname) (ssh_gssapi_client *, char **); |
2566 | void (*storecreds) (ssh_gssapi_client *); | 2567 | void (*storecreds) (ssh_gssapi_client *); |
@@ -2568,7 +2569,7 @@ Index: b/ssh-gss.h | |||
2568 | } ssh_gssapi_mech; | 2569 | } ssh_gssapi_mech; |
2569 | 2570 | ||
2570 | typedef struct { | 2571 | typedef struct { |
2571 | @@ -93,10 +109,11 @@ | 2572 | @@ -94,10 +110,11 @@ |
2572 | gss_OID oid; /* client */ | 2573 | gss_OID oid; /* client */ |
2573 | gss_cred_id_t creds; /* server */ | 2574 | gss_cred_id_t creds; /* server */ |
2574 | gss_name_t client; /* server */ | 2575 | gss_name_t client; /* server */ |
@@ -2581,7 +2582,7 @@ Index: b/ssh-gss.h | |||
2581 | 2582 | ||
2582 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | 2583 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); |
2583 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | 2584 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); |
2584 | @@ -116,16 +133,30 @@ | 2585 | @@ -117,16 +134,30 @@ |
2585 | void ssh_gssapi_delete_ctx(Gssctxt **); | 2586 | void ssh_gssapi_delete_ctx(Gssctxt **); |
2586 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 2587 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
2587 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | 2588 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); |
@@ -2631,7 +2632,7 @@ Index: b/ssh_config.5 | |||
2631 | =================================================================== | 2632 | =================================================================== |
2632 | --- a/ssh_config.5 | 2633 | --- a/ssh_config.5 |
2633 | +++ b/ssh_config.5 | 2634 | +++ b/ssh_config.5 |
2634 | @@ -527,11 +527,43 @@ | 2635 | @@ -530,11 +530,43 @@ |
2635 | The default is | 2636 | The default is |
2636 | .Dq no . | 2637 | .Dq no . |
2637 | Note that this option applies to protocol version 2 only. | 2638 | Note that this option applies to protocol version 2 only. |
@@ -2764,7 +2765,7 @@ Index: b/sshconnect2.c | |||
2764 | xxx_kex = kex; | 2765 | xxx_kex = kex; |
2765 | 2766 | ||
2766 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2767 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2767 | @@ -305,6 +361,7 @@ | 2768 | @@ -306,6 +362,7 @@ |
2768 | void input_gssapi_hash(int type, u_int32_t, void *); | 2769 | void input_gssapi_hash(int type, u_int32_t, void *); |
2769 | void input_gssapi_error(int, u_int32_t, void *); | 2770 | void input_gssapi_error(int, u_int32_t, void *); |
2770 | void input_gssapi_errtok(int, u_int32_t, void *); | 2771 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2772,7 +2773,7 @@ Index: b/sshconnect2.c | |||
2772 | #endif | 2773 | #endif |
2773 | 2774 | ||
2774 | void userauth(Authctxt *, char *); | 2775 | void userauth(Authctxt *, char *); |
2775 | @@ -320,6 +377,11 @@ | 2776 | @@ -321,6 +378,11 @@ |
2776 | 2777 | ||
2777 | Authmethod authmethods[] = { | 2778 | Authmethod authmethods[] = { |
2778 | #ifdef GSSAPI | 2779 | #ifdef GSSAPI |
@@ -2784,7 +2785,7 @@ Index: b/sshconnect2.c | |||
2784 | {"gssapi-with-mic", | 2785 | {"gssapi-with-mic", |
2785 | userauth_gssapi, | 2786 | userauth_gssapi, |
2786 | NULL, | 2787 | NULL, |
2787 | @@ -626,19 +688,31 @@ | 2788 | @@ -627,19 +689,31 @@ |
2788 | static u_int mech = 0; | 2789 | static u_int mech = 0; |
2789 | OM_uint32 min; | 2790 | OM_uint32 min; |
2790 | int ok = 0; | 2791 | int ok = 0; |
@@ -2818,7 +2819,7 @@ Index: b/sshconnect2.c | |||
2818 | ok = 1; /* Mechanism works */ | 2819 | ok = 1; /* Mechanism works */ |
2819 | } else { | 2820 | } else { |
2820 | mech++; | 2821 | mech++; |
2821 | @@ -735,8 +809,8 @@ | 2822 | @@ -736,8 +810,8 @@ |
2822 | { | 2823 | { |
2823 | Authctxt *authctxt = ctxt; | 2824 | Authctxt *authctxt = ctxt; |
2824 | Gssctxt *gssctxt; | 2825 | Gssctxt *gssctxt; |
@@ -2829,7 +2830,7 @@ Index: b/sshconnect2.c | |||
2829 | 2830 | ||
2830 | if (authctxt == NULL) | 2831 | if (authctxt == NULL) |
2831 | fatal("input_gssapi_response: no authentication context"); | 2832 | fatal("input_gssapi_response: no authentication context"); |
2832 | @@ -846,6 +920,48 @@ | 2833 | @@ -847,6 +921,48 @@ |
2833 | xfree(msg); | 2834 | xfree(msg); |
2834 | xfree(lang); | 2835 | xfree(lang); |
2835 | } | 2836 | } |
@@ -2893,7 +2894,7 @@ Index: b/sshd.c | |||
2893 | #ifdef LIBWRAP | 2894 | #ifdef LIBWRAP |
2894 | #include <tcpd.h> | 2895 | #include <tcpd.h> |
2895 | #include <syslog.h> | 2896 | #include <syslog.h> |
2896 | @@ -1607,10 +1611,13 @@ | 2897 | @@ -1645,10 +1649,13 @@ |
2897 | logit("Disabling protocol version 1. Could not load host key"); | 2898 | logit("Disabling protocol version 1. Could not load host key"); |
2898 | options.protocol &= ~SSH_PROTO_1; | 2899 | options.protocol &= ~SSH_PROTO_1; |
2899 | } | 2900 | } |
@@ -2907,7 +2908,7 @@ Index: b/sshd.c | |||
2907 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2908 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2908 | logit("sshd: no hostkeys available -- exiting."); | 2909 | logit("sshd: no hostkeys available -- exiting."); |
2909 | exit(1); | 2910 | exit(1); |
2910 | @@ -1938,6 +1945,60 @@ | 2911 | @@ -1976,6 +1983,60 @@ |
2911 | /* Log the connection. */ | 2912 | /* Log the connection. */ |
2912 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2913 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
2913 | 2914 | ||
@@ -2968,7 +2969,7 @@ Index: b/sshd.c | |||
2968 | /* | 2969 | /* |
2969 | * We don't want to listen forever unless the other side | 2970 | * We don't want to listen forever unless the other side |
2970 | * successfully authenticates itself. So we set up an alarm which is | 2971 | * successfully authenticates itself. So we set up an alarm which is |
2971 | @@ -2319,6 +2380,48 @@ | 2972 | @@ -2357,6 +2418,48 @@ |
2972 | 2973 | ||
2973 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2974 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2974 | 2975 | ||
@@ -3017,7 +3018,7 @@ Index: b/sshd.c | |||
3017 | /* start key exchange */ | 3018 | /* start key exchange */ |
3018 | kex = kex_setup(myproposal); | 3019 | kex = kex_setup(myproposal); |
3019 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3020 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
3020 | @@ -2326,6 +2429,13 @@ | 3021 | @@ -2364,6 +2467,13 @@ |
3021 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 3022 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
3022 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 3023 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
3023 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3024 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -3035,7 +3036,7 @@ Index: b/sshd_config | |||
3035 | =================================================================== | 3036 | =================================================================== |
3036 | --- a/sshd_config | 3037 | --- a/sshd_config |
3037 | +++ b/sshd_config | 3038 | +++ b/sshd_config |
3038 | @@ -77,6 +77,8 @@ | 3039 | @@ -80,6 +80,8 @@ |
3039 | # GSSAPI options | 3040 | # GSSAPI options |
3040 | #GSSAPIAuthentication no | 3041 | #GSSAPIAuthentication no |
3041 | #GSSAPICleanupCredentials yes | 3042 | #GSSAPICleanupCredentials yes |
@@ -3048,7 +3049,7 @@ Index: b/sshd_config.5 | |||
3048 | =================================================================== | 3049 | =================================================================== |
3049 | --- a/sshd_config.5 | 3050 | --- a/sshd_config.5 |
3050 | +++ b/sshd_config.5 | 3051 | +++ b/sshd_config.5 |
3051 | @@ -426,12 +426,40 @@ | 3052 | @@ -481,12 +481,40 @@ |
3052 | The default is | 3053 | The default is |
3053 | .Dq no . | 3054 | .Dq no . |
3054 | Note that this option applies to protocol version 2 only. | 3055 | Note that this option applies to protocol version 2 only. |
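Review bot: The monitor.h hunk (old 2206–2214 / new 2206–2215) pins the two new privsep request/answer pairs at explicit ids 200–203 but carries no comment saying why those values were chosen, and the enum's opening line lies outside the hunk. These ids are the message types the unprivileged child uses to ask the monitor to sign with, or update, GSSAPI credentials, so an id that collides with an upstream entry on a later refresh would break monitor dispatch for both requests; 113 is the highest upstream id visible here, and 200 looks like a deliberate gap rather than a sequential continuation. I would add `/* GSSAPI key exchange (Debian patch): ids start at 200 to stay clear of upstream's numbered requests; REQ even, ANS odd as above */` directly above the `MONITOR_REQ_GSSSIGN = 200` line so the next refresh keeps the gap. The monitor.c hunks in this diff are offset-only, so the dispatch-table entries and monitor_permit() calls that gate these ids are presumably unchanged and should be checked against the refreshed enum. The added `+` blank line before `};` is unnecessary and can be dropped.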