Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch201
1 files changed, 128 insertions, 73 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 778c23023..692437142 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -19,14 +19,24 @@ Index: b/ChangeLog.gssapi
19=================================================================== 19===================================================================
20--- /dev/null 20--- /dev/null
21+++ b/ChangeLog.gssapi 21+++ b/ChangeLog.gssapi
22@@ -0,0 +1,103 @@ 22@@ -0,0 +1,113 @@
23+20110101
24+ - Finally update for OpenSSH 5.6p1
25+ - Add GSSAPIServerIdentity option from Jim Basney
26+
27+20100308
28+ - [ Makefile.in, key.c, key.h ]
29+ Updates for OpenSSH 5.4p1
30+ - [ servconf.c ]
31+ Include GSSAPI options in the sshd -T configuration dump, and flag
32+ some older configuration options as being unsupported. Thanks to Colin
33+ Watson.
34+ -
35+
23+20100124 36+20100124
24+ - [ sshconnect2.c ] 37+ - [ sshconnect2.c ]
25+ Adapt to deal with additional element in Authmethod structure. Thanks to 38+ Adapt to deal with additional element in Authmethod structure. Thanks to
26+ Colin Wilson 39+ Colin Watson
27+ - [ clientloop.c ]
28+ Protect credentials updated code with suitable #ifdefs. Thanks to Colin
29+ Wilson
30+ 40+
31+20090615 41+20090615
32+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c 42+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@@ -127,23 +137,23 @@ Index: b/Makefile.in
127=================================================================== 137===================================================================
128--- a/Makefile.in 138--- a/Makefile.in
129+++ b/Makefile.in 139+++ b/Makefile.in
130@@ -74,7 +74,7 @@ 140@@ -75,7 +75,7 @@
131 monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ 141 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
132 kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ 142 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
133 entropy.o gss-genr.o umac.o jpake.o schnorr.o \ 143 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
134- ssh-pkcs11.o 144- schnorr.o ssh-pkcs11.o
135+ ssh-pkcs11.o kexgssc.o 145+ schnorr.o kexgssc.o ssh-pkcs11.o
136 146
137 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 147 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
138 sshconnect.o sshconnect1.o sshconnect2.o mux.o \ 148 sshconnect.o sshconnect1.o sshconnect2.o mux.o \
139@@ -88,7 +88,7 @@ 149@@ -90,7 +90,7 @@
140 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 150 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
141 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ 151 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
142 auth-krb5.o \ 152 auth-krb5.o \
143- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 153- auth2-gss.o gss-serv.o gss-serv-krb5.o \
144+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ 154+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
145 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 155 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
146 audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ 156 sftp-server.o sftp-common.o \
147 roaming_common.o roaming_serv.o 157 roaming_common.o roaming_serv.o
148Index: b/auth-krb5.c 158Index: b/auth-krb5.c
149=================================================================== 159===================================================================
@@ -384,7 +394,7 @@ Index: b/configure.ac
384=================================================================== 394===================================================================
385--- a/configure.ac 395--- a/configure.ac
386+++ b/configure.ac 396+++ b/configure.ac
387@@ -477,6 +477,30 @@ 397@@ -514,6 +514,30 @@
388 [Use tunnel device compatibility to OpenBSD]) 398 [Use tunnel device compatibility to OpenBSD])
389 AC_DEFINE(SSH_TUN_PREPEND_AF, 1, 399 AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
390 [Prepend the address family to IP tunnel traffic]) 400 [Prepend the address family to IP tunnel traffic])
@@ -1222,9 +1232,9 @@ Index: b/kex.c
1222 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1232 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1223 # if defined(HAVE_EVP_SHA256) 1233 # if defined(HAVE_EVP_SHA256)
1224 # define evp_ssh_sha256 EVP_sha256 1234 # define evp_ssh_sha256 EVP_sha256
1225@@ -326,6 +330,20 @@ 1235@@ -358,6 +362,20 @@
1226 k->kex_type = KEX_DH_GEX_SHA256; 1236 k->kex_type = KEX_ECDH_SHA2;
1227 k->evp_md = evp_ssh_sha256(); 1237 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
1228 #endif 1238 #endif
1229+#ifdef GSSAPI 1239+#ifdef GSSAPI
1230+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, 1240+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
@@ -1247,17 +1257,17 @@ Index: b/kex.h
1247=================================================================== 1257===================================================================
1248--- a/kex.h 1258--- a/kex.h
1249+++ b/kex.h 1259+++ b/kex.h
1250@@ -67,6 +67,9 @@ 1260@@ -73,6 +73,9 @@
1251 KEX_DH_GRP14_SHA1,
1252 KEX_DH_GEX_SHA1, 1261 KEX_DH_GEX_SHA1,
1253 KEX_DH_GEX_SHA256, 1262 KEX_DH_GEX_SHA256,
1263 KEX_ECDH_SHA2,
1254+ KEX_GSS_GRP1_SHA1, 1264+ KEX_GSS_GRP1_SHA1,
1255+ KEX_GSS_GRP14_SHA1, 1265+ KEX_GSS_GRP14_SHA1,
1256+ KEX_GSS_GEX_SHA1, 1266+ KEX_GSS_GEX_SHA1,
1257 KEX_MAX 1267 KEX_MAX
1258 }; 1268 };
1259 1269
1260@@ -123,6 +126,12 @@ 1270@@ -129,6 +132,12 @@
1261 sig_atomic_t done; 1271 sig_atomic_t done;
1262 int flags; 1272 int flags;
1263 const EVP_MD *evp_md; 1273 const EVP_MD *evp_md;
@@ -1270,9 +1280,9 @@ Index: b/kex.h
1270 char *client_version_string; 1280 char *client_version_string;
1271 char *server_version_string; 1281 char *server_version_string;
1272 int (*verify_host_key)(Key *); 1282 int (*verify_host_key)(Key *);
1273@@ -146,6 +155,11 @@ 1283@@ -156,6 +165,11 @@
1274 void kexgex_client(Kex *); 1284 void kexecdh_client(Kex *);
1275 void kexgex_server(Kex *); 1285 void kexecdh_server(Kex *);
1276 1286
1277+#ifdef GSSAPI 1287+#ifdef GSSAPI
1278+void kexgss_client(Kex *); 1288+void kexgss_client(Kex *);
@@ -1918,21 +1928,30 @@ Index: b/key.c
1918=================================================================== 1928===================================================================
1919--- a/key.c 1929--- a/key.c
1920+++ b/key.c 1930+++ b/key.c
1921@@ -1020,6 +1020,8 @@ 1931@@ -971,6 +971,8 @@
1922 return KEY_RSA_CERT; 1932 }
1923 } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { 1933 break;
1924 return KEY_DSA_CERT; 1934 #endif /* OPENSSL_HAS_ECC */
1935+ case KEY_NULL:
1936+ return "null";
1937 }
1938 return "ssh-unknown";
1939 }
1940@@ -1276,6 +1278,8 @@
1941 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1942 return KEY_ECDSA_CERT;
1943 #endif
1925+ } else if (strcmp(name, "null") == 0) { 1944+ } else if (strcmp(name, "null") == 0) {
1926+ return KEY_NULL; 1945+ return KEY_NULL;
1927 } 1946 }
1947
1928 debug2("key_type_from_name: unknown key type '%s'", name); 1948 debug2("key_type_from_name: unknown key type '%s'", name);
1929 return KEY_UNSPEC;
1930Index: b/key.h 1949Index: b/key.h
1931=================================================================== 1950===================================================================
1932--- a/key.h 1951--- a/key.h
1933+++ b/key.h 1952+++ b/key.h
1934@@ -39,6 +39,7 @@ 1953@@ -44,6 +44,7 @@
1935 KEY_DSA_CERT, 1954 KEY_ECDSA_CERT,
1936 KEY_RSA_CERT_V00, 1955 KEY_RSA_CERT_V00,
1937 KEY_DSA_CERT_V00, 1956 KEY_DSA_CERT_V00,
1938+ KEY_NULL, 1957+ KEY_NULL,
@@ -1995,10 +2014,10 @@ Index: b/monitor.c
1995 } else { 2014 } else {
1996 mon_dispatch = mon_dispatch_postauth15; 2015 mon_dispatch = mon_dispatch_postauth15;
1997 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2016 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
1998@@ -1691,6 +1708,13 @@ 2017@@ -1692,6 +1709,13 @@
1999 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
2000 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2018 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2001 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2019 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2020 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
2002+#ifdef GSSAPI 2021+#ifdef GSSAPI
2003+ if (options.gss_keyex) { 2022+ if (options.gss_keyex) {
2004+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 2023+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2009,7 +2028,7 @@ Index: b/monitor.c
2009 kex->server = 1; 2028 kex->server = 1;
2010 kex->hostkey_type = buffer_get_int(m); 2029 kex->hostkey_type = buffer_get_int(m);
2011 kex->kex_type = buffer_get_int(m); 2030 kex->kex_type = buffer_get_int(m);
2012@@ -1897,6 +1921,9 @@ 2031@@ -1898,6 +1922,9 @@
2013 OM_uint32 major; 2032 OM_uint32 major;
2014 u_int len; 2033 u_int len;
2015 2034
@@ -2019,7 +2038,7 @@ Index: b/monitor.c
2019 goid.elements = buffer_get_string(m, &len); 2038 goid.elements = buffer_get_string(m, &len);
2020 goid.length = len; 2039 goid.length = len;
2021 2040
2022@@ -1924,6 +1951,9 @@ 2041@@ -1925,6 +1952,9 @@
2023 OM_uint32 flags = 0; /* GSI needs this */ 2042 OM_uint32 flags = 0; /* GSI needs this */
2024 u_int len; 2043 u_int len;
2025 2044
@@ -2029,7 +2048,7 @@ Index: b/monitor.c
2029 in.value = buffer_get_string(m, &len); 2048 in.value = buffer_get_string(m, &len);
2030 in.length = len; 2049 in.length = len;
2031 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2050 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2032@@ -1941,6 +1971,7 @@ 2051@@ -1942,6 +1972,7 @@
2033 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2052 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2034 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2053 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2035 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2054 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2037,7 +2056,7 @@ Index: b/monitor.c
2037 } 2056 }
2038 return (0); 2057 return (0);
2039 } 2058 }
2040@@ -1952,6 +1983,9 @@ 2059@@ -1953,6 +1984,9 @@
2041 OM_uint32 ret; 2060 OM_uint32 ret;
2042 u_int len; 2061 u_int len;
2043 2062
@@ -2047,7 +2066,7 @@ Index: b/monitor.c
2047 gssbuf.value = buffer_get_string(m, &len); 2066 gssbuf.value = buffer_get_string(m, &len);
2048 gssbuf.length = len; 2067 gssbuf.length = len;
2049 mic.value = buffer_get_string(m, &len); 2068 mic.value = buffer_get_string(m, &len);
2050@@ -1978,7 +2012,11 @@ 2069@@ -1979,7 +2013,11 @@
2051 { 2070 {
2052 int authenticated; 2071 int authenticated;
2053 2072
@@ -2060,7 +2079,7 @@ Index: b/monitor.c
2060 2079
2061 buffer_clear(m); 2080 buffer_clear(m);
2062 buffer_put_int(m, authenticated); 2081 buffer_put_int(m, authenticated);
2063@@ -1991,6 +2029,74 @@ 2082@@ -1992,6 +2030,74 @@
2064 /* Monitor loop will terminate if authenticated */ 2083 /* Monitor loop will terminate if authenticated */
2065 return (authenticated); 2084 return (authenticated);
2066 } 2085 }
@@ -2152,7 +2171,7 @@ Index: b/monitor_wrap.c
2152=================================================================== 2171===================================================================
2153--- a/monitor_wrap.c 2172--- a/monitor_wrap.c
2154+++ b/monitor_wrap.c 2173+++ b/monitor_wrap.c
2155@@ -1231,7 +1231,7 @@ 2174@@ -1232,7 +1232,7 @@
2156 } 2175 }
2157 2176
2158 int 2177 int
@@ -2161,7 +2180,7 @@ Index: b/monitor_wrap.c
2161 { 2180 {
2162 Buffer m; 2181 Buffer m;
2163 int authenticated = 0; 2182 int authenticated = 0;
2164@@ -1248,6 +1248,51 @@ 2183@@ -1249,6 +1249,51 @@
2165 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2184 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2166 return (authenticated); 2185 return (authenticated);
2167 } 2186 }
@@ -2233,15 +2252,16 @@ Index: b/readconf.c
2233=================================================================== 2252===================================================================
2234--- a/readconf.c 2253--- a/readconf.c
2235+++ b/readconf.c 2254+++ b/readconf.c
2236@@ -127,6 +127,7 @@ 2255@@ -129,6 +129,8 @@
2237 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2256 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2238 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2257 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2239 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2258 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
2240+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, 2259+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
2260+ oGssServerIdentity,
2241 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2261 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2242 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2262 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2243 oHashKnownHosts, 2263 oHashKnownHosts,
2244@@ -166,10 +167,18 @@ 2264@@ -169,10 +171,19 @@
2245 { "afstokenpassing", oUnsupported }, 2265 { "afstokenpassing", oUnsupported },
2246 #if defined(GSSAPI) 2266 #if defined(GSSAPI)
2247 { "gssapiauthentication", oGssAuthentication }, 2267 { "gssapiauthentication", oGssAuthentication },
@@ -2249,6 +2269,7 @@ Index: b/readconf.c
2249 { "gssapidelegatecredentials", oGssDelegateCreds }, 2269 { "gssapidelegatecredentials", oGssDelegateCreds },
2250+ { "gssapitrustdns", oGssTrustDns }, 2270+ { "gssapitrustdns", oGssTrustDns },
2251+ { "gssapiclientidentity", oGssClientIdentity }, 2271+ { "gssapiclientidentity", oGssClientIdentity },
2272+ { "gssapiserveridentity", oGssServerIdentity },
2252+ { "gssapirenewalforcesrekey", oGssRenewalRekey }, 2273+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
2253 #else 2274 #else
2254 { "gssapiauthentication", oUnsupported }, 2275 { "gssapiauthentication", oUnsupported },
@@ -2260,7 +2281,7 @@ Index: b/readconf.c
2260 #endif 2281 #endif
2261 { "fallbacktorsh", oDeprecated }, 2282 { "fallbacktorsh", oDeprecated },
2262 { "usersh", oDeprecated }, 2283 { "usersh", oDeprecated },
2263@@ -474,10 +483,26 @@ 2284@@ -479,10 +490,30 @@
2264 intptr = &options->gss_authentication; 2285 intptr = &options->gss_authentication;
2265 goto parse_flag; 2286 goto parse_flag;
2266 2287
@@ -2280,6 +2301,10 @@ Index: b/readconf.c
2280+ charptr = &options->gss_client_identity; 2301+ charptr = &options->gss_client_identity;
2281+ goto parse_string; 2302+ goto parse_string;
2282+ 2303+
2304+ case oGssServerIdentity:
2305+ charptr = &options->gss_server_identity;
2306+ goto parse_string;
2307+
2283+ case oGssRenewalRekey: 2308+ case oGssRenewalRekey:
2284+ intptr = &options->gss_renewal_rekey; 2309+ intptr = &options->gss_renewal_rekey;
2285+ goto parse_flag; 2310+ goto parse_flag;
@@ -2287,7 +2312,7 @@ Index: b/readconf.c
2287 case oBatchMode: 2312 case oBatchMode:
2288 intptr = &options->batch_mode; 2313 intptr = &options->batch_mode;
2289 goto parse_flag; 2314 goto parse_flag;
2290@@ -1058,7 +1083,11 @@ 2315@@ -1092,7 +1123,12 @@
2291 options->pubkey_authentication = -1; 2316 options->pubkey_authentication = -1;
2292 options->challenge_response_authentication = -1; 2317 options->challenge_response_authentication = -1;
2293 options->gss_authentication = -1; 2318 options->gss_authentication = -1;
@@ -2296,10 +2321,11 @@ Index: b/readconf.c
2296+ options->gss_trust_dns = -1; 2321+ options->gss_trust_dns = -1;
2297+ options->gss_renewal_rekey = -1; 2322+ options->gss_renewal_rekey = -1;
2298+ options->gss_client_identity = NULL; 2323+ options->gss_client_identity = NULL;
2324+ options->gss_server_identity = NULL;
2299 options->password_authentication = -1; 2325 options->password_authentication = -1;
2300 options->kbd_interactive_authentication = -1; 2326 options->kbd_interactive_authentication = -1;
2301 options->kbd_interactive_devices = NULL; 2327 options->kbd_interactive_devices = NULL;
2302@@ -1156,8 +1185,14 @@ 2328@@ -1193,8 +1229,14 @@
2303 options->challenge_response_authentication = 1; 2329 options->challenge_response_authentication = 1;
2304 if (options->gss_authentication == -1) 2330 if (options->gss_authentication == -1)
2305 options->gss_authentication = 0; 2331 options->gss_authentication = 0;
@@ -2318,7 +2344,7 @@ Index: b/readconf.h
2318=================================================================== 2344===================================================================
2319--- a/readconf.h 2345--- a/readconf.h
2320+++ b/readconf.h 2346+++ b/readconf.h
2321@@ -46,7 +46,11 @@ 2347@@ -46,7 +46,12 @@
2322 int challenge_response_authentication; 2348 int challenge_response_authentication;
2323 /* Try S/Key or TIS, authentication. */ 2349 /* Try S/Key or TIS, authentication. */
2324 int gss_authentication; /* Try GSS authentication */ 2350 int gss_authentication; /* Try GSS authentication */
@@ -2327,6 +2353,7 @@ Index: b/readconf.h
2327+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ 2353+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
2328+ int gss_renewal_rekey; /* Credential renewal forces rekey */ 2354+ int gss_renewal_rekey; /* Credential renewal forces rekey */
2329+ char *gss_client_identity; /* Principal to initiate GSSAPI with */ 2355+ char *gss_client_identity; /* Principal to initiate GSSAPI with */
2356+ char *gss_server_identity; /* GSSAPI target principal */
2330 int password_authentication; /* Try password 2357 int password_authentication; /* Try password
2331 * authentication. */ 2358 * authentication. */
2332 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2359 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
@@ -2334,7 +2361,7 @@ Index: b/servconf.c
2334=================================================================== 2361===================================================================
2335--- a/servconf.c 2362--- a/servconf.c
2336+++ b/servconf.c 2363+++ b/servconf.c
2337@@ -93,7 +93,10 @@ 2364@@ -97,7 +97,10 @@
2338 options->kerberos_ticket_cleanup = -1; 2365 options->kerberos_ticket_cleanup = -1;
2339 options->kerberos_get_afs_token = -1; 2366 options->kerberos_get_afs_token = -1;
2340 options->gss_authentication=-1; 2367 options->gss_authentication=-1;
@@ -2345,7 +2372,7 @@ Index: b/servconf.c
2345 options->password_authentication = -1; 2372 options->password_authentication = -1;
2346 options->kbd_interactive_authentication = -1; 2373 options->kbd_interactive_authentication = -1;
2347 options->challenge_response_authentication = -1; 2374 options->challenge_response_authentication = -1;
2348@@ -215,8 +218,14 @@ 2375@@ -226,8 +229,14 @@
2349 options->kerberos_get_afs_token = 0; 2376 options->kerberos_get_afs_token = 0;
2350 if (options->gss_authentication == -1) 2377 if (options->gss_authentication == -1)
2351 options->gss_authentication = 0; 2378 options->gss_authentication = 0;
@@ -2360,7 +2387,7 @@ Index: b/servconf.c
2360 if (options->password_authentication == -1) 2387 if (options->password_authentication == -1)
2361 options->password_authentication = 1; 2388 options->password_authentication = 1;
2362 if (options->kbd_interactive_authentication == -1) 2389 if (options->kbd_interactive_authentication == -1)
2363@@ -307,7 +316,9 @@ 2390@@ -322,7 +331,9 @@
2364 sBanner, sUseDNS, sHostbasedAuthentication, 2391 sBanner, sUseDNS, sHostbasedAuthentication,
2365 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2392 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2366 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 2393 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -2371,23 +2398,28 @@ Index: b/servconf.c
2371 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2398 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2372 sUsePrivilegeSeparation, sAllowAgentForwarding, 2399 sUsePrivilegeSeparation, sAllowAgentForwarding,
2373 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2400 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2374@@ -370,9 +381,15 @@ 2401@@ -386,10 +397,20 @@
2375 #ifdef GSSAPI 2402 #ifdef GSSAPI
2376 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2403 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2377 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2404 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
2405+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
2378+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 2406+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
2379+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, 2407+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
2380+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, 2408+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
2381 #else 2409 #else
2382 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 2410 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
2383 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 2411 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
2412+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
2384+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 2413+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
2385+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, 2414+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
2386+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, 2415+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
2387 #endif 2416 #endif
2417+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
2418+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
2388 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2419 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2389 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2420 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2390@@ -926,10 +943,22 @@ 2421 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2422@@ -944,10 +965,22 @@
2391 intptr = &options->gss_authentication; 2423 intptr = &options->gss_authentication;
2392 goto parse_flag; 2424 goto parse_flag;
2393 2425
@@ -2410,11 +2442,22 @@ Index: b/servconf.c
2410 case sPasswordAuthentication: 2442 case sPasswordAuthentication:
2411 intptr = &options->password_authentication; 2443 intptr = &options->password_authentication;
2412 goto parse_flag; 2444 goto parse_flag;
2445@@ -1704,7 +1737,10 @@
2446 #endif
2447 #ifdef GSSAPI
2448 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2449+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
2450 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2451+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
2452+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
2453 #endif
2454 #ifdef JPAKE
2455 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
2413Index: b/servconf.h 2456Index: b/servconf.h
2414=================================================================== 2457===================================================================
2415--- a/servconf.h 2458--- a/servconf.h
2416+++ b/servconf.h 2459+++ b/servconf.h
2417@@ -94,7 +94,10 @@ 2460@@ -97,7 +97,10 @@
2418 int kerberos_get_afs_token; /* If true, try to get AFS token if 2461 int kerberos_get_afs_token; /* If true, try to get AFS token if
2419 * authenticated with Kerberos. */ 2462 * authenticated with Kerberos. */
2420 int gss_authentication; /* If true, permit GSSAPI authentication */ 2463 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2543,7 +2586,7 @@ Index: b/ssh_config.5
2543=================================================================== 2586===================================================================
2544--- a/ssh_config.5 2587--- a/ssh_config.5
2545+++ b/ssh_config.5 2588+++ b/ssh_config.5
2546@@ -509,11 +509,38 @@ 2589@@ -508,11 +508,43 @@
2547 The default is 2590 The default is
2548 .Dq no . 2591 .Dq no .
2549 Note that this option applies to protocol version 2 only. 2592 Note that this option applies to protocol version 2 only.
@@ -2557,6 +2600,11 @@ Index: b/ssh_config.5
2557+If set, specifies the GSSAPI client identity that ssh should use when 2600+If set, specifies the GSSAPI client identity that ssh should use when
2558+connecting to the server. The default is unset, which means that the default 2601+connecting to the server. The default is unset, which means that the default
2559+identity will be used. 2602+identity will be used.
2603+.It Cm GSSAPIServerIdentity
2604+If set, specifies the GSSAPI server identity that ssh should expect when
2605+connecting to the server. The default is unset, which means that the
2606+expected GSSAPI server identity will be determined from the target
2607+hostname.
2560 .It Cm GSSAPIDelegateCredentials 2608 .It Cm GSSAPIDelegateCredentials
2561 Forward (delegate) credentials to the server. 2609 Forward (delegate) credentials to the server.
2562 The default is 2610 The default is
@@ -2587,7 +2635,7 @@ Index: b/sshconnect2.c
2587=================================================================== 2635===================================================================
2588--- a/sshconnect2.c 2636--- a/sshconnect2.c
2589+++ b/sshconnect2.c 2637+++ b/sshconnect2.c
2590@@ -106,9 +106,34 @@ 2638@@ -159,9 +159,34 @@
2591 { 2639 {
2592 Kex *kex; 2640 Kex *kex;
2593 2641
@@ -2622,9 +2670,9 @@ Index: b/sshconnect2.c
2622 if (options.ciphers == (char *)-1) { 2670 if (options.ciphers == (char *)-1) {
2623 logit("No valid ciphers for protocol version 2 given, using defaults."); 2671 logit("No valid ciphers for protocol version 2 given, using defaults.");
2624 options.ciphers = NULL; 2672 options.ciphers = NULL;
2625@@ -136,6 +161,17 @@ 2673@@ -196,6 +221,17 @@
2626 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = 2674 if (options.kex_algorithms != NULL)
2627 options.hostkeyalgorithms; 2675 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2628 2676
2629+#ifdef GSSAPI 2677+#ifdef GSSAPI
2630+ /* If we've got GSSAPI algorithms, then we also support the 2678+ /* If we've got GSSAPI algorithms, then we also support the
@@ -2640,10 +2688,10 @@ Index: b/sshconnect2.c
2640 if (options.rekey_limit) 2688 if (options.rekey_limit)
2641 packet_set_rekey_limit((u_int32_t)options.rekey_limit); 2689 packet_set_rekey_limit((u_int32_t)options.rekey_limit);
2642 2690
2643@@ -145,10 +181,26 @@ 2691@@ -206,10 +242,30 @@
2644 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
2645 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2692 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2646 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2693 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2694 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
2647+#ifdef GSSAPI 2695+#ifdef GSSAPI
2648+ if (options.gss_keyex) { 2696+ if (options.gss_keyex) {
2649+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; 2697+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@@ -2660,14 +2708,18 @@ Index: b/sshconnect2.c
2660+ kex->gss_deleg_creds = options.gss_deleg_creds; 2708+ kex->gss_deleg_creds = options.gss_deleg_creds;
2661+ kex->gss_trust_dns = options.gss_trust_dns; 2709+ kex->gss_trust_dns = options.gss_trust_dns;
2662+ kex->gss_client = options.gss_client_identity; 2710+ kex->gss_client = options.gss_client_identity;
2663+ kex->gss_host = gss_host; 2711+ if (options.gss_server_identity) {
2712+ kex->gss_host = options.gss_server_identity;
2713+ } else {
2714+ kex->gss_host = gss_host;
2715+ }
2664+ } 2716+ }
2665+#endif 2717+#endif
2666+ 2718+
2667 xxx_kex = kex; 2719 xxx_kex = kex;
2668 2720
2669 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2721 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2670@@ -243,6 +295,7 @@ 2722@@ -304,6 +360,7 @@
2671 void input_gssapi_hash(int type, u_int32_t, void *); 2723 void input_gssapi_hash(int type, u_int32_t, void *);
2672 void input_gssapi_error(int, u_int32_t, void *); 2724 void input_gssapi_error(int, u_int32_t, void *);
2673 void input_gssapi_errtok(int, u_int32_t, void *); 2725 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2675,7 +2727,7 @@ Index: b/sshconnect2.c
2675 #endif 2727 #endif
2676 2728
2677 void userauth(Authctxt *, char *); 2729 void userauth(Authctxt *, char *);
2678@@ -258,6 +311,11 @@ 2730@@ -319,6 +376,11 @@
2679 2731
2680 Authmethod authmethods[] = { 2732 Authmethod authmethods[] = {
2681 #ifdef GSSAPI 2733 #ifdef GSSAPI
@@ -2687,13 +2739,15 @@ Index: b/sshconnect2.c
2687 {"gssapi-with-mic", 2739 {"gssapi-with-mic",
2688 userauth_gssapi, 2740 userauth_gssapi,
2689 NULL, 2741 NULL,
2690@@ -564,19 +622,29 @@ 2742@@ -625,19 +687,31 @@
2691 static u_int mech = 0; 2743 static u_int mech = 0;
2692 OM_uint32 min; 2744 OM_uint32 min;
2693 int ok = 0; 2745 int ok = 0;
2694+ const char *gss_host; 2746+ const char *gss_host;
2695+ 2747+
2696+ if (options.gss_trust_dns) 2748+ if (options.gss_server_identity)
2749+ gss_host = options.gss_server_identity;
2750+ else if (options.gss_trust_dns)
2697+ gss_host = get_canonical_hostname(1); 2751+ gss_host = get_canonical_hostname(1);
2698+ else 2752+ else
2699+ gss_host = authctxt->host; 2753+ gss_host = authctxt->host;
@@ -2719,7 +2773,7 @@ Index: b/sshconnect2.c
2719 ok = 1; /* Mechanism works */ 2773 ok = 1; /* Mechanism works */
2720 } else { 2774 } else {
2721 mech++; 2775 mech++;
2722@@ -673,8 +741,8 @@ 2776@@ -734,8 +808,8 @@
2723 { 2777 {
2724 Authctxt *authctxt = ctxt; 2778 Authctxt *authctxt = ctxt;
2725 Gssctxt *gssctxt; 2779 Gssctxt *gssctxt;
@@ -2730,7 +2784,7 @@ Index: b/sshconnect2.c
2730 2784
2731 if (authctxt == NULL) 2785 if (authctxt == NULL)
2732 fatal("input_gssapi_response: no authentication context"); 2786 fatal("input_gssapi_response: no authentication context");
2733@@ -784,6 +852,48 @@ 2787@@ -845,6 +919,48 @@
2734 xfree(msg); 2788 xfree(msg);
2735 xfree(lang); 2789 xfree(lang);
2736 } 2790 }
@@ -2794,7 +2848,7 @@ Index: b/sshd.c
2794 #ifdef LIBWRAP 2848 #ifdef LIBWRAP
2795 #include <tcpd.h> 2849 #include <tcpd.h>
2796 #include <syslog.h> 2850 #include <syslog.h>
2797@@ -1586,10 +1590,13 @@ 2851@@ -1590,10 +1594,13 @@
2798 logit("Disabling protocol version 1. Could not load host key"); 2852 logit("Disabling protocol version 1. Could not load host key");
2799 options.protocol &= ~SSH_PROTO_1; 2853 options.protocol &= ~SSH_PROTO_1;
2800 } 2854 }
@@ -2808,7 +2862,7 @@ Index: b/sshd.c
2808 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2862 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2809 logit("sshd: no hostkeys available -- exiting."); 2863 logit("sshd: no hostkeys available -- exiting.");
2810 exit(1); 2864 exit(1);
2811@@ -1918,6 +1925,60 @@ 2865@@ -1922,6 +1929,60 @@
2812 /* Log the connection. */ 2866 /* Log the connection. */
2813 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2867 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2814 2868
@@ -2869,7 +2923,7 @@ Index: b/sshd.c
2869 /* 2923 /*
2870 * We don't want to listen forever unless the other side 2924 * We don't want to listen forever unless the other side
2871 * successfully authenticates itself. So we set up an alarm which is 2925 * successfully authenticates itself. So we set up an alarm which is
2872@@ -2296,12 +2357,61 @@ 2926@@ -2303,6 +2364,48 @@
2873 2927
2874 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2928 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2875 2929
@@ -2918,9 +2972,10 @@ Index: b/sshd.c
2918 /* start key exchange */ 2972 /* start key exchange */
2919 kex = kex_setup(myproposal); 2973 kex = kex_setup(myproposal);
2920 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 2974 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
2921 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; 2975@@ -2310,6 +2413,13 @@
2922 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2976 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2923 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2977 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2978 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
2924+#ifdef GSSAPI 2979+#ifdef GSSAPI
2925+ if (options.gss_keyex) { 2980+ if (options.gss_keyex) {
2926+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 2981+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2935,7 +2990,7 @@ Index: b/sshd_config
2935=================================================================== 2990===================================================================
2936--- a/sshd_config 2991--- a/sshd_config
2937+++ b/sshd_config 2992+++ b/sshd_config
2938@@ -71,6 +71,8 @@ 2993@@ -72,6 +72,8 @@
2939 # GSSAPI options 2994 # GSSAPI options
2940 #GSSAPIAuthentication no 2995 #GSSAPIAuthentication no
2941 #GSSAPICleanupCredentials yes 2996 #GSSAPICleanupCredentials yes
@@ -2948,7 +3003,7 @@ Index: b/sshd_config.5
2948=================================================================== 3003===================================================================
2949--- a/sshd_config.5 3004--- a/sshd_config.5
2950+++ b/sshd_config.5 3005+++ b/sshd_config.5
2951@@ -424,12 +424,40 @@ 3006@@ -423,12 +423,40 @@
2952 The default is 3007 The default is
2953 .Dq no . 3008 .Dq no .
2954 Note that this option applies to protocol version 2 only. 3009 Note that this option applies to protocol version 2 only.
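Review bot: The GSSAPIServerIdentity precedence rule is now written out twice in sshconnect2.c, once in the key-exchange setup (`if (options.gss_server_identity) { kex->gss_host = options.gss_server_identity; } else { kex->gss_host = gss_host; }`) and again in userauth_gssapi (`if (options.gss_server_identity) gss_host = options.gss_server_identity; else if (options.gss_trust_dns) gss_host = get_canonical_hostname(1); else gss_host = authctxt->host;`), so the two code paths can drift apart on the next patch refresh; a small static helper that returns the GSSAPI target host for a given hostname would keep the rule in one place, and the kex path's local `gss_host` appears to be computed earlier in that function outside the hunk, so it would need checking that it applies the same trust-dns rule. The new ssh_config.5 entry for GSSAPIServerIdentity says the default is derived from the target hostname but does not say that a configured value also takes precedence over GSSAPITrustDns canonicalization, which is what both hunks implement; suggest appending `This option takes precedence over GSSAPITrustDns.` to that entry so the pinned acceptor name is documented as the authoritative one. Both enclosing functions in sshconnect2.c start and end outside the shown hunks.

```c
/* Target host for GSSAPI: an explicit GSSAPIServerIdentity wins over
 * DNS canonicalisation, which wins over the name the user typed. */
static const char *
gssapi_target_host(const char *host)
{
	if (options.gss_server_identity != NULL)
		return options.gss_server_identity;
	if (options.gss_trust_dns)
		return get_canonical_hostname(1);
	return host;
}
/* … unchanged: callers replace the inline if/else chains with gssapi_target_host(...) … */
```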