Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch282
1 files changed, 164 insertions, 118 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index c123bf7b9..dc293683e 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -137,7 +137,7 @@ Index: b/Makefile.in
137=================================================================== 137===================================================================
138--- a/Makefile.in 138--- a/Makefile.in
139+++ b/Makefile.in 139+++ b/Makefile.in
140@@ -75,6 +75,7 @@ 140@@ -70,6 +70,7 @@
141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -145,7 +145,7 @@ Index: b/Makefile.in
145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ 145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
146 schnorr.o ssh-pkcs11.o 146 schnorr.o ssh-pkcs11.o
147 147
148@@ -91,7 +92,7 @@ 148@@ -86,7 +87,7 @@
149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
151 auth-krb5.o \ 151 auth-krb5.o \
@@ -153,7 +153,7 @@ Index: b/Makefile.in
153+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ 153+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
154 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 154 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
155 sftp-server.o sftp-common.o \ 155 sftp-server.o sftp-common.o \
156 roaming_common.o roaming_serv.o 156 roaming_common.o roaming_serv.o \
157Index: b/auth-krb5.c 157Index: b/auth-krb5.c
158=================================================================== 158===================================================================
159--- a/auth-krb5.c 159--- a/auth-krb5.c
@@ -205,24 +205,12 @@ Index: b/auth-krb5.c
205 205
206 return (krb5_cc_resolve(ctx, ccname, ccache)); 206 return (krb5_cc_resolve(ctx, ccname, ccache));
207 } 207 }
208Index: b/auth.h
209===================================================================
210--- a/auth.h
211+++ b/auth.h
212@@ -53,6 +53,7 @@
213 int valid; /* user exists and is allowed to login */
214 int attempt;
215 int failures;
216+ int server_caused_failure;
217 int force_pwchange;
218 char *user; /* username sent by the client */
219 char *service;
220Index: b/auth2-gss.c 208Index: b/auth2-gss.c
221=================================================================== 209===================================================================
222--- a/auth2-gss.c 210--- a/auth2-gss.c
223+++ b/auth2-gss.c 211+++ b/auth2-gss.c
224@@ -1,7 +1,7 @@ 212@@ -1,7 +1,7 @@
225 /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ 213 /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
226 214
227 /* 215 /*
228- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -271,23 +259,7 @@ Index: b/auth2-gss.c
271 /* 259 /*
272 * We only support those mechanisms that we know about (ie ones that we know 260 * We only support those mechanisms that we know about (ie ones that we know
273 * how to check local user kuserok and the like) 261 * how to check local user kuserok and the like)
274@@ -102,6 +136,7 @@ 262@@ -244,7 +278,8 @@
275
276 if (!present) {
277 xfree(doid);
278+ authctxt->server_caused_failure = 1;
279 return (0);
280 }
281
282@@ -109,6 +144,7 @@
283 if (ctxt != NULL)
284 ssh_gssapi_delete_ctx(&ctxt);
285 xfree(doid);
286+ authctxt->server_caused_failure = 1;
287 return (0);
288 }
289
290@@ -242,7 +278,8 @@
291 263
292 packet_check_eom(); 264 packet_check_eom();
293 265
@@ -297,7 +269,7 @@ Index: b/auth2-gss.c
297 269
298 authctxt->postponed = 0; 270 authctxt->postponed = 0;
299 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
300@@ -277,7 +314,8 @@ 272@@ -279,7 +314,8 @@
301 gssbuf.length = buffer_len(&b); 273 gssbuf.length = buffer_len(&b);
302 274
303 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -307,7 +279,7 @@ Index: b/auth2-gss.c
307 else 279 else
308 logit("GSSAPI MIC check failed"); 280 logit("GSSAPI MIC check failed");
309 281
310@@ -292,6 +330,12 @@ 282@@ -294,6 +330,12 @@
311 userauth_finish(authctxt, authenticated, "gssapi-with-mic"); 283 userauth_finish(authctxt, authenticated, "gssapi-with-mic");
312 } 284 }
313 285
@@ -340,24 +312,6 @@ Index: b/auth2.c
340 &method_gssapi, 312 &method_gssapi,
341 #endif 313 #endif
342 #ifdef JPAKE 314 #ifdef JPAKE
343@@ -274,6 +276,7 @@
344 #endif
345
346 authctxt->postponed = 0;
347+ authctxt->server_caused_failure = 0;
348
349 /* try to authenticate user */
350 m = authmethod_lookup(method);
351@@ -346,7 +349,8 @@
352 } else {
353
354 /* Allow initial try of "none" auth without failure penalty */
355- if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
356+ if (!authctxt->server_caused_failure &&
357+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
358 authctxt->failures++;
359 if (authctxt->failures >= options.max_authtries) {
360 #ifdef SSH_AUDIT_EVENTS
361Index: b/clientloop.c 315Index: b/clientloop.c
362=================================================================== 316===================================================================
363--- a/clientloop.c 317--- a/clientloop.c
@@ -373,7 +327,7 @@ Index: b/clientloop.c
373 /* import options */ 327 /* import options */
374 extern Options options; 328 extern Options options;
375 329
376@@ -1483,6 +1487,15 @@ 330@@ -1508,6 +1512,15 @@
377 /* Do channel operations unless rekeying in progress. */ 331 /* Do channel operations unless rekeying in progress. */
378 if (!rekeying) { 332 if (!rekeying) {
379 channel_after_select(readset, writeset); 333 channel_after_select(readset, writeset);
@@ -389,41 +343,133 @@ Index: b/clientloop.c
389 if (need_rekeying || packet_need_rekeying()) { 343 if (need_rekeying || packet_need_rekeying()) {
390 debug("need rekeying"); 344 debug("need rekeying");
391 xxx_kex->done = 0; 345 xxx_kex->done = 0;
346Index: b/config.h.in
347===================================================================
348--- a/config.h.in
349+++ b/config.h.in
350@@ -1441,6 +1441,9 @@
351 /* Use btmp to log bad logins */
352 #undef USE_BTMP
353
354+/* platform uses an in-memory credentials cache */
355+#undef USE_CCAPI
356+
357 /* Use libedit for sftp */
358 #undef USE_LIBEDIT
359
360@@ -1456,6 +1459,9 @@
361 /* Use PIPES instead of a socketpair() */
362 #undef USE_PIPES
363
364+/* platform has the Security Authorization Session API */
365+#undef USE_SECURITY_SESSION_API
366+
367 /* Define if you have Solaris process contracts */
368 #undef USE_SOLARIS_PROCESS_CONTRACTS
369
370Index: b/configure
371===================================================================
372--- a/configure
373+++ b/configure
374@@ -6521,6 +6521,63 @@
375
376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377
378+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have the Security Authorization Session API" >&5
379+$as_echo_n "checking if we have the Security Authorization Session API... " >&6; }
380+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
381+/* end confdefs.h. */
382+#include <Security/AuthSession.h>
383+int
384+main ()
385+{
386+SessionCreate(0, 0);
387+ ;
388+ return 0;
389+}
390+_ACEOF
391+if ac_fn_c_try_compile "$LINENO"; then :
392+ ac_cv_use_security_session_api="yes"
393+
394+$as_echo "#define USE_SECURITY_SESSION_API 1" >>confdefs.h
395+
396+ LIBS="$LIBS -framework Security"
397+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
398+$as_echo "yes" >&6; }
399+else
400+ ac_cv_use_security_session_api="no"
401+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
402+$as_echo "no" >&6; }
403+fi
404+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
405+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have an in-memory credentials cache" >&5
406+$as_echo_n "checking if we have an in-memory credentials cache... " >&6; }
407+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
408+/* end confdefs.h. */
409+#include <Kerberos/Kerberos.h>
410+int
411+main ()
412+{
413+cc_context_t c;
414+ (void) cc_initialize (&c, 0, NULL, NULL);
415+ ;
416+ return 0;
417+}
418+_ACEOF
419+if ac_fn_c_try_compile "$LINENO"; then :
420+
421+$as_echo "#define USE_CCAPI 1" >>confdefs.h
422+
423+ LIBS="$LIBS -framework Security"
424+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
425+$as_echo "yes" >&6; }
426+ if test "x$ac_cv_use_security_session_api" = "xno"; then
427+ as_fn_error $? "*** Need a security framework to use the credentials cache API ***" "$LINENO" 5
428+ fi
429+else
430+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
431+$as_echo "no" >&6; }
432+
433+fi
434+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
435
436 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
437 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
392Index: b/configure.ac 438Index: b/configure.ac
393=================================================================== 439===================================================================
394--- a/configure.ac 440--- a/configure.ac
395+++ b/configure.ac 441+++ b/configure.ac
396@@ -514,6 +514,30 @@ 442@@ -515,6 +515,30 @@
397 [Use tunnel device compatibility to OpenBSD]) 443 [Use tunnel device compatibility to OpenBSD])
398 AC_DEFINE(SSH_TUN_PREPEND_AF, 1, 444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
399 [Prepend the address family to IP tunnel traffic]) 445 [Prepend the address family to IP tunnel traffic])
400+ AC_MSG_CHECKING(if we have the Security Authorization Session API) 446+ AC_MSG_CHECKING([if we have the Security Authorization Session API])
401+ AC_TRY_COMPILE([#include <Security/AuthSession.h>], 447+ AC_TRY_COMPILE([#include <Security/AuthSession.h>],
402+ [SessionCreate(0, 0);], 448+ [SessionCreate(0, 0);],
403+ [ac_cv_use_security_session_api="yes" 449+ [ac_cv_use_security_session_api="yes"
404+ AC_DEFINE(USE_SECURITY_SESSION_API, 1, 450+ AC_DEFINE([USE_SECURITY_SESSION_API], [1],
405+ [platform has the Security Authorization Session API]) 451+ [platform has the Security Authorization Session API])
406+ LIBS="$LIBS -framework Security" 452+ LIBS="$LIBS -framework Security"
407+ AC_MSG_RESULT(yes)], 453+ AC_MSG_RESULT([yes])],
408+ [ac_cv_use_security_session_api="no" 454+ [ac_cv_use_security_session_api="no"
409+ AC_MSG_RESULT(no)]) 455+ AC_MSG_RESULT([no])])
410+ AC_MSG_CHECKING(if we have an in-memory credentials cache) 456+ AC_MSG_CHECKING([if we have an in-memory credentials cache])
411+ AC_TRY_COMPILE( 457+ AC_TRY_COMPILE(
412+ [#include <Kerberos/Kerberos.h>], 458+ [#include <Kerberos/Kerberos.h>],
413+ [cc_context_t c; 459+ [cc_context_t c;
414+ (void) cc_initialize (&c, 0, NULL, NULL);], 460+ (void) cc_initialize (&c, 0, NULL, NULL);],
415+ [AC_DEFINE(USE_CCAPI, 1, 461+ [AC_DEFINE([USE_CCAPI], [1],
416+ [platform uses an in-memory credentials cache]) 462+ [platform uses an in-memory credentials cache])
417+ LIBS="$LIBS -framework Security" 463+ LIBS="$LIBS -framework Security"
418+ AC_MSG_RESULT(yes) 464+ AC_MSG_RESULT([yes])
419+ if test "x$ac_cv_use_security_session_api" = "xno"; then 465+ if test "x$ac_cv_use_security_session_api" = "xno"; then
420+ AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***) 466+ AC_MSG_ERROR([*** Need a security framework to use the credentials cache API ***])
421+ fi], 467+ fi],
422+ [AC_MSG_RESULT(no)] 468+ [AC_MSG_RESULT([no])]
423+ ) 469+ )
424 m4_pattern_allow(AU_IPv) 470 m4_pattern_allow([AU_IPv])
425 AC_CHECK_DECL(AU_IPv4, [], 471 AC_CHECK_DECL([AU_IPv4], [],
426 AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) 472 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
427Index: b/gss-genr.c 473Index: b/gss-genr.c
428=================================================================== 474===================================================================
429--- a/gss-genr.c 475--- a/gss-genr.c
@@ -904,7 +950,7 @@ Index: b/gss-serv.c
904--- a/gss-serv.c 950--- a/gss-serv.c
905+++ b/gss-serv.c 951+++ b/gss-serv.c
906@@ -1,7 +1,7 @@ 952@@ -1,7 +1,7 @@
907 /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ 953 /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
908 954
909 /* 955 /*
910- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 956- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1023,7 +1069,7 @@ Index: b/gss-serv.c
1023 1069
1024 while (supported_mechs[i]->name != NULL) { 1070 while (supported_mechs[i]->name != NULL) {
1025 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1071 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1026@@ -247,8 +284,48 @@ 1072@@ -249,8 +286,48 @@
1027 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1073 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1028 { 1074 {
1029 int i = 0; 1075 int i = 0;
@@ -1073,7 +1119,7 @@ Index: b/gss-serv.c
1073 1119
1074 client->mech = NULL; 1120 client->mech = NULL;
1075 1121
1076@@ -263,6 +340,13 @@ 1122@@ -265,6 +342,13 @@
1077 if (client->mech == NULL) 1123 if (client->mech == NULL)
1078 return GSS_S_FAILURE; 1124 return GSS_S_FAILURE;
1079 1125
@@ -1087,7 +1133,7 @@ Index: b/gss-serv.c
1087 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1133 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1088 &client->displayname, NULL))) { 1134 &client->displayname, NULL))) {
1089 ssh_gssapi_error(ctx); 1135 ssh_gssapi_error(ctx);
1090@@ -280,6 +364,8 @@ 1136@@ -282,6 +366,8 @@
1091 return (ctx->major); 1137 return (ctx->major);
1092 } 1138 }
1093 1139
@@ -1096,7 +1142,7 @@ Index: b/gss-serv.c
1096 /* We can't copy this structure, so we just move the pointer to it */ 1142 /* We can't copy this structure, so we just move the pointer to it */
1097 client->creds = ctx->client_creds; 1143 client->creds = ctx->client_creds;
1098 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1144 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1099@@ -327,7 +413,7 @@ 1145@@ -329,7 +415,7 @@
1100 1146
1101 /* Privileged */ 1147 /* Privileged */
1102 int 1148 int
@@ -1105,7 +1151,7 @@ Index: b/gss-serv.c
1105 { 1151 {
1106 OM_uint32 lmin; 1152 OM_uint32 lmin;
1107 1153
1108@@ -337,9 +423,11 @@ 1154@@ -339,9 +425,11 @@
1109 return 0; 1155 return 0;
1110 } 1156 }
1111 if (gssapi_client.mech && gssapi_client.mech->userok) 1157 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1119,7 +1165,7 @@ Index: b/gss-serv.c
1119 /* Destroy delegated credentials if userok fails */ 1165 /* Destroy delegated credentials if userok fails */
1120 gss_release_buffer(&lmin, &gssapi_client.displayname); 1166 gss_release_buffer(&lmin, &gssapi_client.displayname);
1121 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1167 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1122@@ -352,14 +440,90 @@ 1168@@ -354,14 +442,90 @@
1123 return (0); 1169 return (0);
1124 } 1170 }
1125 1171
@@ -1961,7 +2007,7 @@ Index: b/monitor.c
1961=================================================================== 2007===================================================================
1962--- a/monitor.c 2008--- a/monitor.c
1963+++ b/monitor.c 2009+++ b/monitor.c
1964@@ -172,6 +172,8 @@ 2010@@ -180,6 +180,8 @@
1965 int mm_answer_gss_accept_ctx(int, Buffer *); 2011 int mm_answer_gss_accept_ctx(int, Buffer *);
1966 int mm_answer_gss_userok(int, Buffer *); 2012 int mm_answer_gss_userok(int, Buffer *);
1967 int mm_answer_gss_checkmic(int, Buffer *); 2013 int mm_answer_gss_checkmic(int, Buffer *);
@@ -1970,7 +2016,7 @@ Index: b/monitor.c
1970 #endif 2016 #endif
1971 2017
1972 #ifdef SSH_AUDIT_EVENTS 2018 #ifdef SSH_AUDIT_EVENTS
1973@@ -241,6 +243,7 @@ 2019@@ -251,6 +253,7 @@
1974 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
1975 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
1976 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1978,7 +2024,7 @@ Index: b/monitor.c
1978 #endif 2024 #endif
1979 #ifdef JPAKE 2025 #ifdef JPAKE
1980 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
1981@@ -253,6 +256,12 @@ 2027@@ -263,6 +266,12 @@
1982 }; 2028 };
1983 2029
1984 struct mon_table mon_dispatch_postauth20[] = { 2030 struct mon_table mon_dispatch_postauth20[] = {
@@ -1991,7 +2037,7 @@ Index: b/monitor.c
1991 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
1992 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
1993 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2039 {MONITOR_REQ_PTY, 0, mm_answer_pty},
1994@@ -357,6 +366,10 @@ 2040@@ -371,6 +380,10 @@
1995 /* Permit requests for moduli and signatures */ 2041 /* Permit requests for moduli and signatures */
1996 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
1997 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2002,7 +2048,7 @@ Index: b/monitor.c
2002 } else { 2048 } else {
2003 mon_dispatch = mon_dispatch_proto15; 2049 mon_dispatch = mon_dispatch_proto15;
2004 2050
2005@@ -443,6 +456,10 @@ 2051@@ -468,6 +481,10 @@
2006 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2052 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2007 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2053 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2008 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2054 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2013,7 +2059,7 @@ Index: b/monitor.c
2013 } else { 2059 } else {
2014 mon_dispatch = mon_dispatch_postauth15; 2060 mon_dispatch = mon_dispatch_postauth15;
2015 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2016@@ -1692,6 +1709,13 @@ 2062@@ -1802,6 +1819,13 @@
2017 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2018 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2019 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2027,7 +2073,7 @@ Index: b/monitor.c
2027 kex->server = 1; 2073 kex->server = 1;
2028 kex->hostkey_type = buffer_get_int(m); 2074 kex->hostkey_type = buffer_get_int(m);
2029 kex->kex_type = buffer_get_int(m); 2075 kex->kex_type = buffer_get_int(m);
2030@@ -1898,6 +1922,9 @@ 2076@@ -2008,6 +2032,9 @@
2031 OM_uint32 major; 2077 OM_uint32 major;
2032 u_int len; 2078 u_int len;
2033 2079
@@ -2037,7 +2083,7 @@ Index: b/monitor.c
2037 goid.elements = buffer_get_string(m, &len); 2083 goid.elements = buffer_get_string(m, &len);
2038 goid.length = len; 2084 goid.length = len;
2039 2085
2040@@ -1925,6 +1952,9 @@ 2086@@ -2035,6 +2062,9 @@
2041 OM_uint32 flags = 0; /* GSI needs this */ 2087 OM_uint32 flags = 0; /* GSI needs this */
2042 u_int len; 2088 u_int len;
2043 2089
@@ -2047,7 +2093,7 @@ Index: b/monitor.c
2047 in.value = buffer_get_string(m, &len); 2093 in.value = buffer_get_string(m, &len);
2048 in.length = len; 2094 in.length = len;
2049 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2050@@ -1942,6 +1972,7 @@ 2096@@ -2052,6 +2082,7 @@
2051 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2052 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2053 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2055,7 +2101,7 @@ Index: b/monitor.c
2055 } 2101 }
2056 return (0); 2102 return (0);
2057 } 2103 }
2058@@ -1953,6 +1984,9 @@ 2104@@ -2063,6 +2094,9 @@
2059 OM_uint32 ret; 2105 OM_uint32 ret;
2060 u_int len; 2106 u_int len;
2061 2107
@@ -2065,7 +2111,7 @@ Index: b/monitor.c
2065 gssbuf.value = buffer_get_string(m, &len); 2111 gssbuf.value = buffer_get_string(m, &len);
2066 gssbuf.length = len; 2112 gssbuf.length = len;
2067 mic.value = buffer_get_string(m, &len); 2113 mic.value = buffer_get_string(m, &len);
2068@@ -1979,7 +2013,11 @@ 2114@@ -2089,7 +2123,11 @@
2069 { 2115 {
2070 int authenticated; 2116 int authenticated;
2071 2117
@@ -2078,7 +2124,7 @@ Index: b/monitor.c
2078 2124
2079 buffer_clear(m); 2125 buffer_clear(m);
2080 buffer_put_int(m, authenticated); 2126 buffer_put_int(m, authenticated);
2081@@ -1992,6 +2030,74 @@ 2127@@ -2102,6 +2140,74 @@
2082 /* Monitor loop will terminate if authenticated */ 2128 /* Monitor loop will terminate if authenticated */
2083 return (authenticated); 2129 return (authenticated);
2084 } 2130 }
@@ -2170,7 +2216,7 @@ Index: b/monitor_wrap.c
2170=================================================================== 2216===================================================================
2171--- a/monitor_wrap.c 2217--- a/monitor_wrap.c
2172+++ b/monitor_wrap.c 2218+++ b/monitor_wrap.c
2173@@ -1232,7 +1232,7 @@ 2219@@ -1270,7 +1270,7 @@
2174 } 2220 }
2175 2221
2176 int 2222 int
@@ -2179,7 +2225,7 @@ Index: b/monitor_wrap.c
2179 { 2225 {
2180 Buffer m; 2226 Buffer m;
2181 int authenticated = 0; 2227 int authenticated = 0;
2182@@ -1249,6 +1249,51 @@ 2228@@ -1287,6 +1287,51 @@
2183 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2229 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2184 return (authenticated); 2230 return (authenticated);
2185 } 2231 }
@@ -2235,7 +2281,7 @@ Index: b/monitor_wrap.h
2235=================================================================== 2281===================================================================
2236--- a/monitor_wrap.h 2282--- a/monitor_wrap.h
2237+++ b/monitor_wrap.h 2283+++ b/monitor_wrap.h
2238@@ -57,8 +57,10 @@ 2284@@ -58,8 +58,10 @@
2239 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2285 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
2240 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2286 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
2241 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 2287 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2280,7 +2326,7 @@ Index: b/readconf.c
2280 #endif 2326 #endif
2281 { "fallbacktorsh", oDeprecated }, 2327 { "fallbacktorsh", oDeprecated },
2282 { "usersh", oDeprecated }, 2328 { "usersh", oDeprecated },
2283@@ -479,10 +490,30 @@ 2329@@ -482,10 +493,30 @@
2284 intptr = &options->gss_authentication; 2330 intptr = &options->gss_authentication;
2285 goto parse_flag; 2331 goto parse_flag;
2286 2332
@@ -2311,7 +2357,7 @@ Index: b/readconf.c
2311 case oBatchMode: 2357 case oBatchMode:
2312 intptr = &options->batch_mode; 2358 intptr = &options->batch_mode;
2313 goto parse_flag; 2359 goto parse_flag;
2314@@ -1092,7 +1123,12 @@ 2360@@ -1138,7 +1169,12 @@
2315 options->pubkey_authentication = -1; 2361 options->pubkey_authentication = -1;
2316 options->challenge_response_authentication = -1; 2362 options->challenge_response_authentication = -1;
2317 options->gss_authentication = -1; 2363 options->gss_authentication = -1;
@@ -2324,7 +2370,7 @@ Index: b/readconf.c
2324 options->password_authentication = -1; 2370 options->password_authentication = -1;
2325 options->kbd_interactive_authentication = -1; 2371 options->kbd_interactive_authentication = -1;
2326 options->kbd_interactive_devices = NULL; 2372 options->kbd_interactive_devices = NULL;
2327@@ -1193,8 +1229,14 @@ 2373@@ -1238,8 +1274,14 @@
2328 options->challenge_response_authentication = 1; 2374 options->challenge_response_authentication = 1;
2329 if (options->gss_authentication == -1) 2375 if (options->gss_authentication == -1)
2330 options->gss_authentication = 0; 2376 options->gss_authentication = 0;
@@ -2343,7 +2389,7 @@ Index: b/readconf.h
2343=================================================================== 2389===================================================================
2344--- a/readconf.h 2390--- a/readconf.h
2345+++ b/readconf.h 2391+++ b/readconf.h
2346@@ -46,7 +46,12 @@ 2392@@ -47,7 +47,12 @@
2347 int challenge_response_authentication; 2393 int challenge_response_authentication;
2348 /* Try S/Key or TIS, authentication. */ 2394 /* Try S/Key or TIS, authentication. */
2349 int gss_authentication; /* Try GSS authentication */ 2395 int gss_authentication; /* Try GSS authentication */
@@ -2371,7 +2417,7 @@ Index: b/servconf.c
2371 options->password_authentication = -1; 2417 options->password_authentication = -1;
2372 options->kbd_interactive_authentication = -1; 2418 options->kbd_interactive_authentication = -1;
2373 options->challenge_response_authentication = -1; 2419 options->challenge_response_authentication = -1;
2374@@ -226,8 +229,14 @@ 2420@@ -225,8 +228,14 @@
2375 options->kerberos_get_afs_token = 0; 2421 options->kerberos_get_afs_token = 0;
2376 if (options->gss_authentication == -1) 2422 if (options->gss_authentication == -1)
2377 options->gss_authentication = 0; 2423 options->gss_authentication = 0;
@@ -2386,10 +2432,10 @@ Index: b/servconf.c
2386 if (options->password_authentication == -1) 2432 if (options->password_authentication == -1)
2387 options->password_authentication = 1; 2433 options->password_authentication = 1;
2388 if (options->kbd_interactive_authentication == -1) 2434 if (options->kbd_interactive_authentication == -1)
2389@@ -322,7 +331,9 @@ 2435@@ -318,7 +327,9 @@
2390 sBanner, sUseDNS, sHostbasedAuthentication, 2436 sBanner, sUseDNS, sHostbasedAuthentication,
2391 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2437 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2392 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 2438 sClientAliveCountMax, sAuthorizedKeysFile,
2393- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, 2439- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
2394+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2440+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
2395+ sGssKeyEx, sGssStoreRekey, 2441+ sGssKeyEx, sGssStoreRekey,
@@ -2397,7 +2443,7 @@ Index: b/servconf.c
2397 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2443 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2398 sUsePrivilegeSeparation, sAllowAgentForwarding, 2444 sUsePrivilegeSeparation, sAllowAgentForwarding,
2399 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2445 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2400@@ -386,10 +397,20 @@ 2446@@ -382,10 +393,20 @@
2401 #ifdef GSSAPI 2447 #ifdef GSSAPI
2402 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2448 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2403 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2449 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2418,7 +2464,7 @@ Index: b/servconf.c
2418 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2464 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2419 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2465 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2420 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2466 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2421@@ -944,10 +965,22 @@ 2467@@ -962,10 +983,22 @@
2422 intptr = &options->gss_authentication; 2468 intptr = &options->gss_authentication;
2423 goto parse_flag; 2469 goto parse_flag;
2424 2470
@@ -2441,7 +2487,7 @@ Index: b/servconf.c
2441 case sPasswordAuthentication: 2487 case sPasswordAuthentication:
2442 intptr = &options->password_authentication; 2488 intptr = &options->password_authentication;
2443 goto parse_flag; 2489 goto parse_flag;
2444@@ -1704,7 +1737,10 @@ 2490@@ -1720,7 +1753,10 @@
2445 #endif 2491 #endif
2446 #ifdef GSSAPI 2492 #ifdef GSSAPI
2447 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2493 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2456,7 +2502,7 @@ Index: b/servconf.h
2456=================================================================== 2502===================================================================
2457--- a/servconf.h 2503--- a/servconf.h
2458+++ b/servconf.h 2504+++ b/servconf.h
2459@@ -97,7 +97,10 @@ 2505@@ -103,7 +103,10 @@
2460 int kerberos_get_afs_token; /* If true, try to get AFS token if 2506 int kerberos_get_afs_token; /* If true, try to get AFS token if
2461 * authenticated with Kerberos. */ 2507 * authenticated with Kerberos. */
2462 int gss_authentication; /* If true, permit GSSAPI authentication */ 2508 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2585,7 +2631,7 @@ Index: b/ssh_config.5
2585=================================================================== 2631===================================================================
2586--- a/ssh_config.5 2632--- a/ssh_config.5
2587+++ b/ssh_config.5 2633+++ b/ssh_config.5
2588@@ -508,11 +508,43 @@ 2634@@ -527,11 +527,43 @@
2589 The default is 2635 The default is
2590 .Dq no . 2636 .Dq no .
2591 Note that this option applies to protocol version 2 only. 2637 Note that this option applies to protocol version 2 only.
@@ -2634,7 +2680,7 @@ Index: b/sshconnect2.c
2634=================================================================== 2680===================================================================
2635--- a/sshconnect2.c 2681--- a/sshconnect2.c
2636+++ b/sshconnect2.c 2682+++ b/sshconnect2.c
2637@@ -159,9 +159,34 @@ 2683@@ -160,9 +160,34 @@
2638 { 2684 {
2639 Kex *kex; 2685 Kex *kex;
2640 2686
@@ -2669,7 +2715,7 @@ Index: b/sshconnect2.c
2669 if (options.ciphers == (char *)-1) { 2715 if (options.ciphers == (char *)-1) {
2670 logit("No valid ciphers for protocol version 2 given, using defaults."); 2716 logit("No valid ciphers for protocol version 2 given, using defaults.");
2671 options.ciphers = NULL; 2717 options.ciphers = NULL;
2672@@ -196,6 +221,17 @@ 2718@@ -197,6 +222,17 @@
2673 if (options.kex_algorithms != NULL) 2719 if (options.kex_algorithms != NULL)
2674 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2720 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2675 2721
@@ -2687,7 +2733,7 @@ Index: b/sshconnect2.c
2687 if (options.rekey_limit) 2733 if (options.rekey_limit)
2688 packet_set_rekey_limit((u_int32_t)options.rekey_limit); 2734 packet_set_rekey_limit((u_int32_t)options.rekey_limit);
2689 2735
2690@@ -206,10 +242,30 @@ 2736@@ -207,10 +243,30 @@
2691 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2737 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2692 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2738 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2693 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2739 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2718,7 +2764,7 @@ Index: b/sshconnect2.c
2718 xxx_kex = kex; 2764 xxx_kex = kex;
2719 2765
2720 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2766 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2721@@ -304,6 +360,7 @@ 2767@@ -305,6 +361,7 @@
2722 void input_gssapi_hash(int type, u_int32_t, void *); 2768 void input_gssapi_hash(int type, u_int32_t, void *);
2723 void input_gssapi_error(int, u_int32_t, void *); 2769 void input_gssapi_error(int, u_int32_t, void *);
2724 void input_gssapi_errtok(int, u_int32_t, void *); 2770 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2726,7 +2772,7 @@ Index: b/sshconnect2.c
2726 #endif 2772 #endif
2727 2773
2728 void userauth(Authctxt *, char *); 2774 void userauth(Authctxt *, char *);
2729@@ -319,6 +376,11 @@ 2775@@ -320,6 +377,11 @@
2730 2776
2731 Authmethod authmethods[] = { 2777 Authmethod authmethods[] = {
2732 #ifdef GSSAPI 2778 #ifdef GSSAPI
@@ -2738,7 +2784,7 @@ Index: b/sshconnect2.c
2738 {"gssapi-with-mic", 2784 {"gssapi-with-mic",
2739 userauth_gssapi, 2785 userauth_gssapi,
2740 NULL, 2786 NULL,
2741@@ -625,19 +687,31 @@ 2787@@ -626,19 +688,31 @@
2742 static u_int mech = 0; 2788 static u_int mech = 0;
2743 OM_uint32 min; 2789 OM_uint32 min;
2744 int ok = 0; 2790 int ok = 0;
@@ -2772,7 +2818,7 @@ Index: b/sshconnect2.c
2772 ok = 1; /* Mechanism works */ 2818 ok = 1; /* Mechanism works */
2773 } else { 2819 } else {
2774 mech++; 2820 mech++;
2775@@ -734,8 +808,8 @@ 2821@@ -735,8 +809,8 @@
2776 { 2822 {
2777 Authctxt *authctxt = ctxt; 2823 Authctxt *authctxt = ctxt;
2778 Gssctxt *gssctxt; 2824 Gssctxt *gssctxt;
@@ -2783,7 +2829,7 @@ Index: b/sshconnect2.c
2783 2829
2784 if (authctxt == NULL) 2830 if (authctxt == NULL)
2785 fatal("input_gssapi_response: no authentication context"); 2831 fatal("input_gssapi_response: no authentication context");
2786@@ -845,6 +919,48 @@ 2832@@ -846,6 +920,48 @@
2787 xfree(msg); 2833 xfree(msg);
2788 xfree(lang); 2834 xfree(lang);
2789 } 2835 }
@@ -2836,8 +2882,8 @@ Index: b/sshd.c
2836=================================================================== 2882===================================================================
2837--- a/sshd.c 2883--- a/sshd.c
2838+++ b/sshd.c 2884+++ b/sshd.c
2839@@ -120,6 +120,10 @@ 2885@@ -121,6 +121,10 @@
2840 #include "roaming.h" 2886 #include "ssh-sandbox.h"
2841 #include "version.h" 2887 #include "version.h"
2842 2888
2843+#ifdef USE_SECURITY_SESSION_API 2889+#ifdef USE_SECURITY_SESSION_API
@@ -2847,7 +2893,7 @@ Index: b/sshd.c
2847 #ifdef LIBWRAP 2893 #ifdef LIBWRAP
2848 #include <tcpd.h> 2894 #include <tcpd.h>
2849 #include <syslog.h> 2895 #include <syslog.h>
2850@@ -1590,10 +1594,13 @@ 2896@@ -1612,10 +1616,13 @@
2851 logit("Disabling protocol version 1. Could not load host key"); 2897 logit("Disabling protocol version 1. Could not load host key");
2852 options.protocol &= ~SSH_PROTO_1; 2898 options.protocol &= ~SSH_PROTO_1;
2853 } 2899 }
@@ -2861,7 +2907,7 @@ Index: b/sshd.c
2861 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2907 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2862 logit("sshd: no hostkeys available -- exiting."); 2908 logit("sshd: no hostkeys available -- exiting.");
2863 exit(1); 2909 exit(1);
2864@@ -1922,6 +1929,60 @@ 2910@@ -1944,6 +1951,60 @@
2865 /* Log the connection. */ 2911 /* Log the connection. */
2866 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2912 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2867 2913
@@ -2922,7 +2968,7 @@ Index: b/sshd.c
2922 /* 2968 /*
2923 * We don't want to listen forever unless the other side 2969 * We don't want to listen forever unless the other side
2924 * successfully authenticates itself. So we set up an alarm which is 2970 * successfully authenticates itself. So we set up an alarm which is
2925@@ -2303,6 +2364,48 @@ 2971@@ -2325,6 +2386,48 @@
2926 2972
2927 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2973 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2928 2974
@@ -2971,7 +3017,7 @@ Index: b/sshd.c
2971 /* start key exchange */ 3017 /* start key exchange */
2972 kex = kex_setup(myproposal); 3018 kex = kex_setup(myproposal);
2973 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3019 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
2974@@ -2310,6 +2413,13 @@ 3020@@ -2332,6 +2435,13 @@
2975 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3021 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2976 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3022 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2977 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3023 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2989,7 +3035,7 @@ Index: b/sshd_config
2989=================================================================== 3035===================================================================
2990--- a/sshd_config 3036--- a/sshd_config
2991+++ b/sshd_config 3037+++ b/sshd_config
2992@@ -72,6 +72,8 @@ 3038@@ -75,6 +75,8 @@
2993 # GSSAPI options 3039 # GSSAPI options
2994 #GSSAPIAuthentication no 3040 #GSSAPIAuthentication no
2995 #GSSAPICleanupCredentials yes 3041 #GSSAPICleanupCredentials yes
@@ -3002,7 +3048,7 @@ Index: b/sshd_config.5
3002=================================================================== 3048===================================================================
3003--- a/sshd_config.5 3049--- a/sshd_config.5
3004+++ b/sshd_config.5 3050+++ b/sshd_config.5
3005@@ -423,12 +423,40 @@ 3051@@ -424,12 +424,40 @@
3006 The default is 3052 The default is
3007 .Dq no . 3053 .Dq no .
3008 Note that this option applies to protocol version 2 only. 3054 Note that this option applies to protocol version 2 only.