Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 393 |
1 files changed, 220 insertions, 173 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index b9221f94f..8a919382e 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,22 +1,67 @@ | |||
1 | Description: GSSAPI key exchange support | 1 | From 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 Mon Sep 17 00:00:00 2001 |
2 | This patch has been rejected upstream: "None of the OpenSSH developers are | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | in favour of adding this, and this situation has not changed for several | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | years. This is not a slight on Simon's patch, which is of fine quality, | 4 | Subject: GSSAPI key exchange support |
5 | but just that a) we don't trust GSSAPI implementations that much and b) we | 5 | |
6 | don't like adding new KEX since they are pre-auth attack surface. This one | 6 | This patch has been rejected upstream: "None of the OpenSSH developers are |
7 | is particularly scary, since it requires hooks out to typically root-owned | 7 | in favour of adding this, and this situation has not changed for several |
8 | system resources." | 8 | years. This is not a slight on Simon's patch, which is of fine quality, but |
9 | . | 9 | just that a) we don't trust GSSAPI implementations that much and b) we don't |
10 | However, quite a lot of people rely on this in Debian, and it's better to | 10 | like adding new KEX since they are pre-auth attack surface. This one is |
11 | have it merged into the main openssh package rather than having separate | 11 | particularly scary, since it requires hooks out to typically root-owned |
12 | -krb5 packages (as we used to have). It seems to have a generally good | 12 | system resources." |
13 | security history. | 13 | |
14 | Author: Simon Wilkinson <simon@sxw.org.uk> | 14 | However, quite a lot of people rely on this in Debian, and it's better to |
15 | have it merged into the main openssh package rather than having separate | ||
16 | -krb5 packages (as we used to have). It seems to have a generally good | ||
17 | security history. | ||
18 | |||
15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
16 | Last-Updated: 2013-11-09 | 20 | Last-Updated: 2013-11-09 |
17 | 21 | ||
18 | Index: b/ChangeLog.gssapi | 22 | Patch-Name: gssapi.patch |
19 | =================================================================== | 23 | --- |
24 | ChangeLog.gssapi | 113 +++++++++++++++++++ | ||
25 | Makefile.in | 3 +- | ||
26 | auth-krb5.c | 17 ++- | ||
27 | auth2-gss.c | 48 +++++++- | ||
28 | auth2.c | 2 + | ||
29 | clientloop.c | 13 +++ | ||
30 | config.h.in | 6 + | ||
31 | configure | 57 ++++++++++ | ||
32 | configure.ac | 24 ++++ | ||
33 | gss-genr.c | 276 ++++++++++++++++++++++++++++++++++++++++++++- | ||
34 | gss-serv-krb5.c | 84 +++++++++++++- | ||
35 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- | ||
36 | kex.c | 16 +++ | ||
37 | kex.h | 14 +++ | ||
38 | kexgssc.c | 333 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
39 | kexgsss.c | 289 +++++++++++++++++++++++++++++++++++++++++++++++ | ||
40 | key.c | 1 + | ||
41 | key.h | 1 + | ||
42 | monitor.c | 108 +++++++++++++++++- | ||
43 | monitor.h | 3 + | ||
44 | monitor_wrap.c | 47 +++++++- | ||
45 | monitor_wrap.h | 4 +- | ||
46 | readconf.c | 42 +++++++ | ||
47 | readconf.h | 5 + | ||
48 | servconf.c | 38 ++++++- | ||
49 | servconf.h | 3 + | ||
50 | ssh-gss.h | 39 ++++++- | ||
51 | ssh_config | 2 + | ||
52 | ssh_config.5 | 34 +++++- | ||
53 | sshconnect2.c | 124 ++++++++++++++++++++- | ||
54 | sshd.c | 110 ++++++++++++++++++ | ||
55 | sshd_config | 2 + | ||
56 | sshd_config.5 | 28 +++++ | ||
57 | 33 files changed, 2050 insertions(+), 57 deletions(-) | ||
58 | create mode 100644 ChangeLog.gssapi | ||
59 | create mode 100644 kexgssc.c | ||
60 | create mode 100644 kexgsss.c | ||
61 | |||
62 | diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi | ||
63 | new file mode 100644 | ||
64 | index 0000000..f117a33 | ||
20 | --- /dev/null | 65 | --- /dev/null |
21 | +++ b/ChangeLog.gssapi | 66 | +++ b/ChangeLog.gssapi |
22 | @@ -0,0 +1,113 @@ | 67 | @@ -0,0 +1,113 @@ |
@@ -133,11 +178,11 @@ Index: b/ChangeLog.gssapi | |||
133 | + add support for GssapiTrustDns option for gssapi-with-mic | 178 | + add support for GssapiTrustDns option for gssapi-with-mic |
134 | + (from jbasney AT ncsa.uiuc.edu) | 179 | + (from jbasney AT ncsa.uiuc.edu) |
135 | + <gssapi-with-mic support is Bugzilla #1008> | 180 | + <gssapi-with-mic support is Bugzilla #1008> |
136 | Index: b/Makefile.in | 181 | diff --git a/Makefile.in b/Makefile.in |
137 | =================================================================== | 182 | index 92c95a9..f979926 100644 |
138 | --- a/Makefile.in | 183 | --- a/Makefile.in |
139 | +++ b/Makefile.in | 184 | +++ b/Makefile.in |
140 | @@ -72,6 +72,7 @@ | 185 | @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
141 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
142 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
143 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
@@ -145,7 +190,7 @@ Index: b/Makefile.in | |||
145 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
146 | jpake.o schnorr.o ssh-pkcs11.o krl.o | 191 | jpake.o schnorr.o ssh-pkcs11.o krl.o |
147 | 192 | ||
148 | @@ -88,7 +89,7 @@ | 193 | @@ -88,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
149 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | 194 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ |
150 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
151 | auth-krb5.o \ | 196 | auth-krb5.o \ |
@@ -154,11 +199,11 @@ Index: b/Makefile.in | |||
154 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 199 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
155 | sftp-server.o sftp-common.o \ | 200 | sftp-server.o sftp-common.o \ |
156 | roaming_common.o roaming_serv.o \ | 201 | roaming_common.o roaming_serv.o \ |
157 | Index: b/auth-krb5.c | 202 | diff --git a/auth-krb5.c b/auth-krb5.c |
158 | =================================================================== | 203 | index 7c83f59..5613b57 100644 |
159 | --- a/auth-krb5.c | 204 | --- a/auth-krb5.c |
160 | +++ b/auth-krb5.c | 205 | +++ b/auth-krb5.c |
161 | @@ -181,8 +181,13 @@ | 206 | @@ -181,8 +181,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) |
162 | 207 | ||
163 | len = strlen(authctxt->krb5_ticket_file) + 6; | 208 | len = strlen(authctxt->krb5_ticket_file) + 6; |
164 | authctxt->krb5_ccname = xmalloc(len); | 209 | authctxt->krb5_ccname = xmalloc(len); |
@@ -172,7 +217,7 @@ Index: b/auth-krb5.c | |||
172 | 217 | ||
173 | #ifdef USE_PAM | 218 | #ifdef USE_PAM |
174 | if (options.use_pam) | 219 | if (options.use_pam) |
175 | @@ -239,15 +244,22 @@ | 220 | @@ -239,15 +244,22 @@ krb5_cleanup_proc(Authctxt *authctxt) |
176 | #ifndef HEIMDAL | 221 | #ifndef HEIMDAL |
177 | krb5_error_code | 222 | krb5_error_code |
178 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
@@ -197,7 +242,7 @@ Index: b/auth-krb5.c | |||
197 | old_umask = umask(0177); | 242 | old_umask = umask(0177); |
198 | tmpfd = mkstemp(ccname + strlen("FILE:")); | 243 | tmpfd = mkstemp(ccname + strlen("FILE:")); |
199 | oerrno = errno; | 244 | oerrno = errno; |
200 | @@ -264,6 +276,7 @@ | 245 | @@ -264,6 +276,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
201 | return oerrno; | 246 | return oerrno; |
202 | } | 247 | } |
203 | close(tmpfd); | 248 | close(tmpfd); |
@@ -205,8 +250,8 @@ Index: b/auth-krb5.c | |||
205 | 250 | ||
206 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 251 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
207 | } | 252 | } |
208 | Index: b/auth2-gss.c | 253 | diff --git a/auth2-gss.c b/auth2-gss.c |
209 | =================================================================== | 254 | index 638d8f8..b8db820 100644 |
210 | --- a/auth2-gss.c | 255 | --- a/auth2-gss.c |
211 | +++ b/auth2-gss.c | 256 | +++ b/auth2-gss.c |
212 | @@ -1,7 +1,7 @@ | 257 | @@ -1,7 +1,7 @@ |
@@ -218,7 +263,7 @@ Index: b/auth2-gss.c | |||
218 | * | 263 | * |
219 | * Redistribution and use in source and binary forms, with or without | 264 | * Redistribution and use in source and binary forms, with or without |
220 | * modification, are permitted provided that the following conditions | 265 | * modification, are permitted provided that the following conditions |
221 | @@ -52,6 +52,40 @@ | 266 | @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
222 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
223 | static void input_gssapi_errtok(int, u_int32_t, void *); | 268 | static void input_gssapi_errtok(int, u_int32_t, void *); |
224 | 269 | ||
@@ -259,7 +304,7 @@ Index: b/auth2-gss.c | |||
259 | /* | 304 | /* |
260 | * We only support those mechanisms that we know about (ie ones that we know | 305 | * We only support those mechanisms that we know about (ie ones that we know |
261 | * how to check local user kuserok and the like) | 306 | * how to check local user kuserok and the like) |
262 | @@ -240,7 +274,8 @@ | 307 | @@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) |
263 | 308 | ||
264 | packet_check_eom(); | 309 | packet_check_eom(); |
265 | 310 | ||
@@ -269,7 +314,7 @@ Index: b/auth2-gss.c | |||
269 | 314 | ||
270 | authctxt->postponed = 0; | 315 | authctxt->postponed = 0; |
271 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
272 | @@ -275,7 +310,8 @@ | 317 | @@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
273 | gssbuf.length = buffer_len(&b); | 318 | gssbuf.length = buffer_len(&b); |
274 | 319 | ||
275 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
@@ -279,7 +324,7 @@ Index: b/auth2-gss.c | |||
279 | else | 324 | else |
280 | logit("GSSAPI MIC check failed"); | 325 | logit("GSSAPI MIC check failed"); |
281 | 326 | ||
282 | @@ -290,6 +326,12 @@ | 327 | @@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
283 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); | 328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
284 | } | 329 | } |
285 | 330 | ||
@@ -292,11 +337,11 @@ Index: b/auth2-gss.c | |||
292 | Authmethod method_gssapi = { | 337 | Authmethod method_gssapi = { |
293 | "gssapi-with-mic", | 338 | "gssapi-with-mic", |
294 | userauth_gssapi, | 339 | userauth_gssapi, |
295 | Index: b/auth2.c | 340 | diff --git a/auth2.c b/auth2.c |
296 | =================================================================== | 341 | index f0cab8c..6ed8f04 100644 |
297 | --- a/auth2.c | 342 | --- a/auth2.c |
298 | +++ b/auth2.c | 343 | +++ b/auth2.c |
299 | @@ -69,6 +69,7 @@ | 344 | @@ -69,6 +69,7 @@ extern Authmethod method_passwd; |
300 | extern Authmethod method_kbdint; | 345 | extern Authmethod method_kbdint; |
301 | extern Authmethod method_hostbased; | 346 | extern Authmethod method_hostbased; |
302 | #ifdef GSSAPI | 347 | #ifdef GSSAPI |
@@ -304,7 +349,7 @@ Index: b/auth2.c | |||
304 | extern Authmethod method_gssapi; | 349 | extern Authmethod method_gssapi; |
305 | #endif | 350 | #endif |
306 | #ifdef JPAKE | 351 | #ifdef JPAKE |
307 | @@ -79,6 +80,7 @@ | 352 | @@ -79,6 +80,7 @@ Authmethod *authmethods[] = { |
308 | &method_none, | 353 | &method_none, |
309 | &method_pubkey, | 354 | &method_pubkey, |
310 | #ifdef GSSAPI | 355 | #ifdef GSSAPI |
@@ -312,8 +357,8 @@ Index: b/auth2.c | |||
312 | &method_gssapi, | 357 | &method_gssapi, |
313 | #endif | 358 | #endif |
314 | #ifdef JPAKE | 359 | #ifdef JPAKE |
315 | Index: b/clientloop.c | 360 | diff --git a/clientloop.c b/clientloop.c |
316 | =================================================================== | 361 | index 23c2f23..311dc13 100644 |
317 | --- a/clientloop.c | 362 | --- a/clientloop.c |
318 | +++ b/clientloop.c | 363 | +++ b/clientloop.c |
319 | @@ -111,6 +111,10 @@ | 364 | @@ -111,6 +111,10 @@ |
@@ -327,7 +372,7 @@ Index: b/clientloop.c | |||
327 | /* import options */ | 372 | /* import options */ |
328 | extern Options options; | 373 | extern Options options; |
329 | 374 | ||
330 | @@ -1608,6 +1612,15 @@ | 375 | @@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
331 | /* Do channel operations unless rekeying in progress. */ | 376 | /* Do channel operations unless rekeying in progress. */ |
332 | if (!rekeying) { | 377 | if (!rekeying) { |
333 | channel_after_select(readset, writeset); | 378 | channel_after_select(readset, writeset); |
@@ -343,8 +388,8 @@ Index: b/clientloop.c | |||
343 | if (need_rekeying || packet_need_rekeying()) { | 388 | if (need_rekeying || packet_need_rekeying()) { |
344 | debug("need rekeying"); | 389 | debug("need rekeying"); |
345 | xxx_kex->done = 0; | 390 | xxx_kex->done = 0; |
346 | Index: b/config.h.in | 391 | diff --git a/config.h.in b/config.h.in |
347 | =================================================================== | 392 | index b75e501..34f1c9c 100644 |
348 | --- a/config.h.in | 393 | --- a/config.h.in |
349 | +++ b/config.h.in | 394 | +++ b/config.h.in |
350 | @@ -1546,6 +1546,9 @@ | 395 | @@ -1546,6 +1546,9 @@ |
@@ -367,11 +412,11 @@ Index: b/config.h.in | |||
367 | /* Define if you have Solaris process contracts */ | 412 | /* Define if you have Solaris process contracts */ |
368 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 413 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
369 | 414 | ||
370 | Index: b/configure | 415 | diff --git a/configure b/configure |
371 | =================================================================== | 416 | index 0d6fad5..ceb1b5d 100755 |
372 | --- a/configure | 417 | --- a/configure |
373 | +++ b/configure | 418 | +++ b/configure |
374 | @@ -6780,6 +6780,63 @@ | 419 | @@ -6780,6 +6780,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h |
375 | 420 | ||
376 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | 421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h |
377 | 422 | ||
@@ -435,11 +480,11 @@ Index: b/configure | |||
435 | 480 | ||
436 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" | 481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" |
437 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : | 482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : |
438 | Index: b/configure.ac | 483 | diff --git a/configure.ac b/configure.ac |
439 | =================================================================== | 484 | index 4a1b503..4c1a658 100644 |
440 | --- a/configure.ac | 485 | --- a/configure.ac |
441 | +++ b/configure.ac | 486 | +++ b/configure.ac |
442 | @@ -548,6 +548,30 @@ | 487 | @@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
443 | [Use tunnel device compatibility to OpenBSD]) | 488 | [Use tunnel device compatibility to OpenBSD]) |
444 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 489 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
445 | [Prepend the address family to IP tunnel traffic]) | 490 | [Prepend the address family to IP tunnel traffic]) |
@@ -470,8 +515,8 @@ Index: b/configure.ac | |||
470 | m4_pattern_allow([AU_IPv]) | 515 | m4_pattern_allow([AU_IPv]) |
471 | AC_CHECK_DECL([AU_IPv4], [], | 516 | AC_CHECK_DECL([AU_IPv4], [], |
472 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) | 517 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
473 | Index: b/gss-genr.c | 518 | diff --git a/gss-genr.c b/gss-genr.c |
474 | =================================================================== | 519 | index b39281b..b7d1b7d 100644 |
475 | --- a/gss-genr.c | 520 | --- a/gss-genr.c |
476 | +++ b/gss-genr.c | 521 | +++ b/gss-genr.c |
477 | @@ -1,7 +1,7 @@ | 522 | @@ -1,7 +1,7 @@ |
@@ -651,7 +696,7 @@ Index: b/gss-genr.c | |||
651 | /* Check that the OID in a data stream matches that in the context */ | 696 | /* Check that the OID in a data stream matches that in the context */ |
652 | int | 697 | int |
653 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | 698 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) |
654 | @@ -197,7 +352,7 @@ | 699 | @@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, |
655 | } | 700 | } |
656 | 701 | ||
657 | ctx->major = gss_init_sec_context(&ctx->minor, | 702 | ctx->major = gss_init_sec_context(&ctx->minor, |
@@ -660,7 +705,7 @@ Index: b/gss-genr.c | |||
660 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | 705 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
661 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | 706 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); |
662 | 707 | ||
663 | @@ -227,8 +382,42 @@ | 708 | @@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
664 | } | 709 | } |
665 | 710 | ||
666 | OM_uint32 | 711 | OM_uint32 |
@@ -703,7 +748,7 @@ Index: b/gss-genr.c | |||
703 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, | 748 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, |
704 | GSS_C_QOP_DEFAULT, buffer, hash))) | 749 | GSS_C_QOP_DEFAULT, buffer, hash))) |
705 | ssh_gssapi_error(ctx); | 750 | ssh_gssapi_error(ctx); |
706 | @@ -236,6 +425,19 @@ | 751 | @@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) |
707 | return (ctx->major); | 752 | return (ctx->major); |
708 | } | 753 | } |
709 | 754 | ||
@@ -723,7 +768,7 @@ Index: b/gss-genr.c | |||
723 | void | 768 | void |
724 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 769 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
725 | const char *context) | 770 | const char *context) |
726 | @@ -249,11 +451,16 @@ | 771 | @@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
727 | } | 772 | } |
728 | 773 | ||
729 | int | 774 | int |
@@ -741,7 +786,7 @@ Index: b/gss-genr.c | |||
741 | 786 | ||
742 | /* RFC 4462 says we MUST NOT do SPNEGO */ | 787 | /* RFC 4462 says we MUST NOT do SPNEGO */ |
743 | if (oid->length == spnego_oid.length && | 788 | if (oid->length == spnego_oid.length && |
744 | @@ -263,6 +470,10 @@ | 789 | @@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
745 | ssh_gssapi_build_ctx(ctx); | 790 | ssh_gssapi_build_ctx(ctx); |
746 | ssh_gssapi_set_oid(*ctx, oid); | 791 | ssh_gssapi_set_oid(*ctx, oid); |
747 | major = ssh_gssapi_import_name(*ctx, host); | 792 | major = ssh_gssapi_import_name(*ctx, host); |
@@ -752,7 +797,7 @@ Index: b/gss-genr.c | |||
752 | if (!GSS_ERROR(major)) { | 797 | if (!GSS_ERROR(major)) { |
753 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | 798 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, |
754 | NULL); | 799 | NULL); |
755 | @@ -272,10 +483,67 @@ | 800 | @@ -272,10 +483,67 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
756 | GSS_C_NO_BUFFER); | 801 | GSS_C_NO_BUFFER); |
757 | } | 802 | } |
758 | 803 | ||
@@ -821,8 +866,8 @@ Index: b/gss-genr.c | |||
821 | +} | 866 | +} |
822 | + | 867 | + |
823 | #endif /* GSSAPI */ | 868 | #endif /* GSSAPI */ |
824 | Index: b/gss-serv-krb5.c | 869 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c |
825 | =================================================================== | 870 | index 87f2683..c55446a 100644 |
826 | --- a/gss-serv-krb5.c | 871 | --- a/gss-serv-krb5.c |
827 | +++ b/gss-serv-krb5.c | 872 | +++ b/gss-serv-krb5.c |
828 | @@ -1,7 +1,7 @@ | 873 | @@ -1,7 +1,7 @@ |
@@ -834,7 +879,7 @@ Index: b/gss-serv-krb5.c | |||
834 | * | 879 | * |
835 | * Redistribution and use in source and binary forms, with or without | 880 | * Redistribution and use in source and binary forms, with or without |
836 | * modification, are permitted provided that the following conditions | 881 | * modification, are permitted provided that the following conditions |
837 | @@ -122,6 +122,7 @@ | 882 | @@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
838 | OM_uint32 maj_status, min_status; | 883 | OM_uint32 maj_status, min_status; |
839 | int len; | 884 | int len; |
840 | const char *errmsg; | 885 | const char *errmsg; |
@@ -842,7 +887,7 @@ Index: b/gss-serv-krb5.c | |||
842 | 887 | ||
843 | if (client->creds == NULL) { | 888 | if (client->creds == NULL) { |
844 | debug("No credentials stored"); | 889 | debug("No credentials stored"); |
845 | @@ -174,11 +175,16 @@ | 890 | @@ -174,11 +175,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
846 | return; | 891 | return; |
847 | } | 892 | } |
848 | 893 | ||
@@ -863,7 +908,7 @@ Index: b/gss-serv-krb5.c | |||
863 | 908 | ||
864 | #ifdef USE_PAM | 909 | #ifdef USE_PAM |
865 | if (options.use_pam) | 910 | if (options.use_pam) |
866 | @@ -190,6 +196,71 @@ | 911 | @@ -190,6 +196,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
867 | return; | 912 | return; |
868 | } | 913 | } |
869 | 914 | ||
@@ -935,7 +980,7 @@ Index: b/gss-serv-krb5.c | |||
935 | ssh_gssapi_mech gssapi_kerberos_mech = { | 980 | ssh_gssapi_mech gssapi_kerberos_mech = { |
936 | "toWM5Slw5Ew8Mqkay+al2g==", | 981 | "toWM5Slw5Ew8Mqkay+al2g==", |
937 | "Kerberos", | 982 | "Kerberos", |
938 | @@ -197,7 +268,8 @@ | 983 | @@ -197,7 +268,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { |
939 | NULL, | 984 | NULL, |
940 | &ssh_gssapi_krb5_userok, | 985 | &ssh_gssapi_krb5_userok, |
941 | NULL, | 986 | NULL, |
@@ -945,8 +990,8 @@ Index: b/gss-serv-krb5.c | |||
945 | }; | 990 | }; |
946 | 991 | ||
947 | #endif /* KRB5 */ | 992 | #endif /* KRB5 */ |
948 | Index: b/gss-serv.c | 993 | diff --git a/gss-serv.c b/gss-serv.c |
949 | =================================================================== | 994 | index 95348e2..97f366f 100644 |
950 | --- a/gss-serv.c | 995 | --- a/gss-serv.c |
951 | +++ b/gss-serv.c | 996 | +++ b/gss-serv.c |
952 | @@ -1,7 +1,7 @@ | 997 | @@ -1,7 +1,7 @@ |
@@ -982,7 +1027,7 @@ Index: b/gss-serv.c | |||
982 | 1027 | ||
983 | #ifdef KRB5 | 1028 | #ifdef KRB5 |
984 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 1029 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
985 | @@ -81,25 +87,32 @@ | 1030 | @@ -81,25 +87,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) |
986 | char lname[MAXHOSTNAMELEN]; | 1031 | char lname[MAXHOSTNAMELEN]; |
987 | gss_OID_set oidset; | 1032 | gss_OID_set oidset; |
988 | 1033 | ||
@@ -991,16 +1036,16 @@ Index: b/gss-serv.c | |||
991 | + if (options.gss_strict_acceptor) { | 1036 | + if (options.gss_strict_acceptor) { |
992 | + gss_create_empty_oid_set(&status, &oidset); | 1037 | + gss_create_empty_oid_set(&status, &oidset); |
993 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); | 1038 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); |
994 | + | ||
995 | + if (gethostname(lname, MAXHOSTNAMELEN)) { | ||
996 | + gss_release_oid_set(&status, &oidset); | ||
997 | + return (-1); | ||
998 | + } | ||
999 | 1039 | ||
1000 | - if (gethostname(lname, MAXHOSTNAMELEN)) { | 1040 | - if (gethostname(lname, MAXHOSTNAMELEN)) { |
1001 | - gss_release_oid_set(&status, &oidset); | 1041 | - gss_release_oid_set(&status, &oidset); |
1002 | - return (-1); | 1042 | - return (-1); |
1003 | - } | 1043 | - } |
1044 | + if (gethostname(lname, MAXHOSTNAMELEN)) { | ||
1045 | + gss_release_oid_set(&status, &oidset); | ||
1046 | + return (-1); | ||
1047 | + } | ||
1048 | + | ||
1004 | + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | 1049 | + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { |
1005 | + gss_release_oid_set(&status, &oidset); | 1050 | + gss_release_oid_set(&status, &oidset); |
1006 | + return (ctx->major); | 1051 | + return (ctx->major); |
@@ -1029,7 +1074,7 @@ Index: b/gss-serv.c | |||
1029 | } | 1074 | } |
1030 | 1075 | ||
1031 | /* Privileged */ | 1076 | /* Privileged */ |
1032 | @@ -114,6 +127,29 @@ | 1077 | @@ -114,6 +127,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) |
1033 | } | 1078 | } |
1034 | 1079 | ||
1035 | /* Unprivileged */ | 1080 | /* Unprivileged */ |
@@ -1059,7 +1104,7 @@ Index: b/gss-serv.c | |||
1059 | void | 1104 | void |
1060 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1105 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1061 | { | 1106 | { |
1062 | @@ -123,7 +159,9 @@ | 1107 | @@ -123,7 +159,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1063 | gss_OID_set supported; | 1108 | gss_OID_set supported; |
1064 | 1109 | ||
1065 | gss_create_empty_oid_set(&min_status, oidset); | 1110 | gss_create_empty_oid_set(&min_status, oidset); |
@@ -1070,7 +1115,7 @@ Index: b/gss-serv.c | |||
1070 | 1115 | ||
1071 | while (supported_mechs[i]->name != NULL) { | 1116 | while (supported_mechs[i]->name != NULL) { |
1072 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | 1117 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, |
1073 | @@ -249,8 +287,48 @@ | 1118 | @@ -249,8 +287,48 @@ OM_uint32 |
1074 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1119 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1075 | { | 1120 | { |
1076 | int i = 0; | 1121 | int i = 0; |
@@ -1120,7 +1165,7 @@ Index: b/gss-serv.c | |||
1120 | 1165 | ||
1121 | client->mech = NULL; | 1166 | client->mech = NULL; |
1122 | 1167 | ||
1123 | @@ -265,6 +343,13 @@ | 1168 | @@ -265,6 +343,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1124 | if (client->mech == NULL) | 1169 | if (client->mech == NULL) |
1125 | return GSS_S_FAILURE; | 1170 | return GSS_S_FAILURE; |
1126 | 1171 | ||
@@ -1134,7 +1179,7 @@ Index: b/gss-serv.c | |||
1134 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | 1179 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, |
1135 | &client->displayname, NULL))) { | 1180 | &client->displayname, NULL))) { |
1136 | ssh_gssapi_error(ctx); | 1181 | ssh_gssapi_error(ctx); |
1137 | @@ -282,6 +367,8 @@ | 1182 | @@ -282,6 +367,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1138 | return (ctx->major); | 1183 | return (ctx->major); |
1139 | } | 1184 | } |
1140 | 1185 | ||
@@ -1143,7 +1188,7 @@ Index: b/gss-serv.c | |||
1143 | /* We can't copy this structure, so we just move the pointer to it */ | 1188 | /* We can't copy this structure, so we just move the pointer to it */ |
1144 | client->creds = ctx->client_creds; | 1189 | client->creds = ctx->client_creds; |
1145 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | 1190 | ctx->client_creds = GSS_C_NO_CREDENTIAL; |
1146 | @@ -329,7 +416,7 @@ | 1191 | @@ -329,7 +416,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) |
1147 | 1192 | ||
1148 | /* Privileged */ | 1193 | /* Privileged */ |
1149 | int | 1194 | int |
@@ -1152,7 +1197,7 @@ Index: b/gss-serv.c | |||
1152 | { | 1197 | { |
1153 | OM_uint32 lmin; | 1198 | OM_uint32 lmin; |
1154 | 1199 | ||
1155 | @@ -339,9 +426,11 @@ | 1200 | @@ -339,9 +426,11 @@ ssh_gssapi_userok(char *user) |
1156 | return 0; | 1201 | return 0; |
1157 | } | 1202 | } |
1158 | if (gssapi_client.mech && gssapi_client.mech->userok) | 1203 | if (gssapi_client.mech && gssapi_client.mech->userok) |
@@ -1166,7 +1211,7 @@ Index: b/gss-serv.c | |||
1166 | /* Destroy delegated credentials if userok fails */ | 1211 | /* Destroy delegated credentials if userok fails */ |
1167 | gss_release_buffer(&lmin, &gssapi_client.displayname); | 1212 | gss_release_buffer(&lmin, &gssapi_client.displayname); |
1168 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | 1213 | gss_release_buffer(&lmin, &gssapi_client.exportedname); |
1169 | @@ -354,14 +443,90 @@ | 1214 | @@ -354,14 +443,90 @@ ssh_gssapi_userok(char *user) |
1170 | return (0); | 1215 | return (0); |
1171 | } | 1216 | } |
1172 | 1217 | ||
@@ -1263,8 +1308,8 @@ Index: b/gss-serv.c | |||
1263 | } | 1308 | } |
1264 | 1309 | ||
1265 | #endif | 1310 | #endif |
1266 | Index: b/kex.c | 1311 | diff --git a/kex.c b/kex.c |
1267 | =================================================================== | 1312 | index 54bd1a4..1ec2782 100644 |
1268 | --- a/kex.c | 1313 | --- a/kex.c |
1269 | +++ b/kex.c | 1314 | +++ b/kex.c |
1270 | @@ -50,6 +50,10 @@ | 1315 | @@ -50,6 +50,10 @@ |
@@ -1278,7 +1323,7 @@ Index: b/kex.c | |||
1278 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1323 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1279 | # if defined(HAVE_EVP_SHA256) | 1324 | # if defined(HAVE_EVP_SHA256) |
1280 | # define evp_ssh_sha256 EVP_sha256 | 1325 | # define evp_ssh_sha256 EVP_sha256 |
1281 | @@ -82,6 +86,14 @@ | 1326 | @@ -82,6 +86,14 @@ static const struct kexalg kexalgs[] = { |
1282 | #endif | 1327 | #endif |
1283 | { NULL, -1, -1, NULL}, | 1328 | { NULL, -1, -1, NULL}, |
1284 | }; | 1329 | }; |
@@ -1293,7 +1338,7 @@ Index: b/kex.c | |||
1293 | 1338 | ||
1294 | char * | 1339 | char * |
1295 | kex_alg_list(void) | 1340 | kex_alg_list(void) |
1296 | @@ -110,6 +122,10 @@ | 1341 | @@ -110,6 +122,10 @@ kex_alg_by_name(const char *name) |
1297 | if (strcmp(k->name, name) == 0) | 1342 | if (strcmp(k->name, name) == 0) |
1298 | return k; | 1343 | return k; |
1299 | } | 1344 | } |
@@ -1304,11 +1349,11 @@ Index: b/kex.c | |||
1304 | return NULL; | 1349 | return NULL; |
1305 | } | 1350 | } |
1306 | 1351 | ||
1307 | Index: b/kex.h | 1352 | diff --git a/kex.h b/kex.h |
1308 | =================================================================== | 1353 | index 9f1e1ad..d5046c6 100644 |
1309 | --- a/kex.h | 1354 | --- a/kex.h |
1310 | +++ b/kex.h | 1355 | +++ b/kex.h |
1311 | @@ -74,6 +74,9 @@ | 1356 | @@ -74,6 +74,9 @@ enum kex_exchange { |
1312 | KEX_DH_GEX_SHA1, | 1357 | KEX_DH_GEX_SHA1, |
1313 | KEX_DH_GEX_SHA256, | 1358 | KEX_DH_GEX_SHA256, |
1314 | KEX_ECDH_SHA2, | 1359 | KEX_ECDH_SHA2, |
@@ -1318,7 +1363,7 @@ Index: b/kex.h | |||
1318 | KEX_MAX | 1363 | KEX_MAX |
1319 | }; | 1364 | }; |
1320 | 1365 | ||
1321 | @@ -133,6 +136,12 @@ | 1366 | @@ -133,6 +136,12 @@ struct Kex { |
1322 | int flags; | 1367 | int flags; |
1323 | const EVP_MD *evp_md; | 1368 | const EVP_MD *evp_md; |
1324 | int ec_nid; | 1369 | int ec_nid; |
@@ -1331,7 +1376,7 @@ Index: b/kex.h | |||
1331 | char *client_version_string; | 1376 | char *client_version_string; |
1332 | char *server_version_string; | 1377 | char *server_version_string; |
1333 | int (*verify_host_key)(Key *); | 1378 | int (*verify_host_key)(Key *); |
1334 | @@ -162,6 +171,11 @@ | 1379 | @@ -162,6 +171,11 @@ void kexgex_server(Kex *); |
1335 | void kexecdh_client(Kex *); | 1380 | void kexecdh_client(Kex *); |
1336 | void kexecdh_server(Kex *); | 1381 | void kexecdh_server(Kex *); |
1337 | 1382 | ||
@@ -1343,8 +1388,9 @@ Index: b/kex.h | |||
1343 | void | 1388 | void |
1344 | kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, | 1389 | kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, |
1345 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); | 1390 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); |
1346 | Index: b/kexgssc.c | 1391 | diff --git a/kexgssc.c b/kexgssc.c |
1347 | =================================================================== | 1392 | new file mode 100644 |
1393 | index 0000000..616893c | ||
1348 | --- /dev/null | 1394 | --- /dev/null |
1349 | +++ b/kexgssc.c | 1395 | +++ b/kexgssc.c |
1350 | @@ -0,0 +1,333 @@ | 1396 | @@ -0,0 +1,333 @@ |
@@ -1681,8 +1727,9 @@ Index: b/kexgssc.c | |||
1681 | +} | 1727 | +} |
1682 | + | 1728 | + |
1683 | +#endif /* GSSAPI */ | 1729 | +#endif /* GSSAPI */ |
1684 | Index: b/kexgsss.c | 1730 | diff --git a/kexgsss.c b/kexgsss.c |
1685 | =================================================================== | 1731 | new file mode 100644 |
1732 | index 0000000..18b065b | ||
1686 | --- /dev/null | 1733 | --- /dev/null |
1687 | +++ b/kexgsss.c | 1734 | +++ b/kexgsss.c |
1688 | @@ -0,0 +1,289 @@ | 1735 | @@ -0,0 +1,289 @@ |
@@ -1975,11 +2022,11 @@ Index: b/kexgsss.c | |||
1975 | + ssh_gssapi_rekey_creds(); | 2022 | + ssh_gssapi_rekey_creds(); |
1976 | +} | 2023 | +} |
1977 | +#endif /* GSSAPI */ | 2024 | +#endif /* GSSAPI */ |
1978 | Index: b/key.c | 2025 | diff --git a/key.c b/key.c |
1979 | =================================================================== | 2026 | index 55ee789..2591635 100644 |
1980 | --- a/key.c | 2027 | --- a/key.c |
1981 | +++ b/key.c | 2028 | +++ b/key.c |
1982 | @@ -933,6 +933,7 @@ | 2029 | @@ -933,6 +933,7 @@ static const struct keytype keytypes[] = { |
1983 | KEY_RSA_CERT_V00, 0, 1 }, | 2030 | KEY_RSA_CERT_V00, 0, 1 }, |
1984 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | 2031 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", |
1985 | KEY_DSA_CERT_V00, 0, 1 }, | 2032 | KEY_DSA_CERT_V00, 0, 1 }, |
@@ -1987,11 +2034,11 @@ Index: b/key.c | |||
1987 | { NULL, NULL, -1, -1, 0 } | 2034 | { NULL, NULL, -1, -1, 0 } |
1988 | }; | 2035 | }; |
1989 | 2036 | ||
1990 | Index: b/key.h | 2037 | diff --git a/key.h b/key.h |
1991 | =================================================================== | 2038 | index 17358ae..b57d6a4 100644 |
1992 | --- a/key.h | 2039 | --- a/key.h |
1993 | +++ b/key.h | 2040 | +++ b/key.h |
1994 | @@ -44,6 +44,7 @@ | 2041 | @@ -44,6 +44,7 @@ enum types { |
1995 | KEY_ECDSA_CERT, | 2042 | KEY_ECDSA_CERT, |
1996 | KEY_RSA_CERT_V00, | 2043 | KEY_RSA_CERT_V00, |
1997 | KEY_DSA_CERT_V00, | 2044 | KEY_DSA_CERT_V00, |
@@ -1999,11 +2046,11 @@ Index: b/key.h | |||
1999 | KEY_UNSPEC | 2046 | KEY_UNSPEC |
2000 | }; | 2047 | }; |
2001 | enum fp_type { | 2048 | enum fp_type { |
2002 | Index: b/monitor.c | 2049 | diff --git a/monitor.c b/monitor.c |
2003 | =================================================================== | 2050 | index 44dff98..9079c97 100644 |
2004 | --- a/monitor.c | 2051 | --- a/monitor.c |
2005 | +++ b/monitor.c | 2052 | +++ b/monitor.c |
2006 | @@ -181,6 +181,8 @@ | 2053 | @@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
2007 | int mm_answer_gss_accept_ctx(int, Buffer *); | 2054 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2008 | int mm_answer_gss_userok(int, Buffer *); | 2055 | int mm_answer_gss_userok(int, Buffer *); |
2009 | int mm_answer_gss_checkmic(int, Buffer *); | 2056 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -2012,7 +2059,7 @@ Index: b/monitor.c | |||
2012 | #endif | 2059 | #endif |
2013 | 2060 | ||
2014 | #ifdef SSH_AUDIT_EVENTS | 2061 | #ifdef SSH_AUDIT_EVENTS |
2015 | @@ -253,6 +255,7 @@ | 2062 | @@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = { |
2016 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2063 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2017 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2064 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2018 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2065 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2020,7 +2067,7 @@ Index: b/monitor.c | |||
2020 | #endif | 2067 | #endif |
2021 | #ifdef JPAKE | 2068 | #ifdef JPAKE |
2022 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, | 2069 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, |
2023 | @@ -265,6 +268,12 @@ | 2070 | @@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = { |
2024 | }; | 2071 | }; |
2025 | 2072 | ||
2026 | struct mon_table mon_dispatch_postauth20[] = { | 2073 | struct mon_table mon_dispatch_postauth20[] = { |
@@ -2033,7 +2080,7 @@ Index: b/monitor.c | |||
2033 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2080 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2034 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 2081 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, |
2035 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 2082 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, |
2036 | @@ -373,6 +382,10 @@ | 2083 | @@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2037 | /* Permit requests for moduli and signatures */ | 2084 | /* Permit requests for moduli and signatures */ |
2038 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2085 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2039 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2086 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2044,7 +2091,7 @@ Index: b/monitor.c | |||
2044 | } else { | 2091 | } else { |
2045 | mon_dispatch = mon_dispatch_proto15; | 2092 | mon_dispatch = mon_dispatch_proto15; |
2046 | 2093 | ||
2047 | @@ -487,6 +500,10 @@ | 2094 | @@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2048 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2095 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2049 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2096 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2050 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2097 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2055,7 +2102,7 @@ Index: b/monitor.c | |||
2055 | } else { | 2102 | } else { |
2056 | mon_dispatch = mon_dispatch_postauth15; | 2103 | mon_dispatch = mon_dispatch_postauth15; |
2057 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2104 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2058 | @@ -1855,6 +1872,13 @@ | 2105 | @@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m) |
2059 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2106 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2060 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2107 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2061 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2108 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -2069,7 +2116,7 @@ Index: b/monitor.c | |||
2069 | kex->server = 1; | 2116 | kex->server = 1; |
2070 | kex->hostkey_type = buffer_get_int(m); | 2117 | kex->hostkey_type = buffer_get_int(m); |
2071 | kex->kex_type = buffer_get_int(m); | 2118 | kex->kex_type = buffer_get_int(m); |
2072 | @@ -2062,6 +2086,9 @@ | 2119 | @@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2073 | OM_uint32 major; | 2120 | OM_uint32 major; |
2074 | u_int len; | 2121 | u_int len; |
2075 | 2122 | ||
@@ -2079,7 +2126,7 @@ Index: b/monitor.c | |||
2079 | goid.elements = buffer_get_string(m, &len); | 2126 | goid.elements = buffer_get_string(m, &len); |
2080 | goid.length = len; | 2127 | goid.length = len; |
2081 | 2128 | ||
2082 | @@ -2089,6 +2116,9 @@ | 2129 | @@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2083 | OM_uint32 flags = 0; /* GSI needs this */ | 2130 | OM_uint32 flags = 0; /* GSI needs this */ |
2084 | u_int len; | 2131 | u_int len; |
2085 | 2132 | ||
@@ -2089,7 +2136,7 @@ Index: b/monitor.c | |||
2089 | in.value = buffer_get_string(m, &len); | 2136 | in.value = buffer_get_string(m, &len); |
2090 | in.length = len; | 2137 | in.length = len; |
2091 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2138 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2092 | @@ -2106,6 +2136,7 @@ | 2139 | @@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2093 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2140 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2094 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2141 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2095 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2142 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2097,7 +2144,7 @@ Index: b/monitor.c | |||
2097 | } | 2144 | } |
2098 | return (0); | 2145 | return (0); |
2099 | } | 2146 | } |
2100 | @@ -2117,6 +2148,9 @@ | 2147 | @@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2101 | OM_uint32 ret; | 2148 | OM_uint32 ret; |
2102 | u_int len; | 2149 | u_int len; |
2103 | 2150 | ||
@@ -2107,7 +2154,7 @@ Index: b/monitor.c | |||
2107 | gssbuf.value = buffer_get_string(m, &len); | 2154 | gssbuf.value = buffer_get_string(m, &len); |
2108 | gssbuf.length = len; | 2155 | gssbuf.length = len; |
2109 | mic.value = buffer_get_string(m, &len); | 2156 | mic.value = buffer_get_string(m, &len); |
2110 | @@ -2143,7 +2177,11 @@ | 2157 | @@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2111 | { | 2158 | { |
2112 | int authenticated; | 2159 | int authenticated; |
2113 | 2160 | ||
@@ -2120,7 +2167,7 @@ Index: b/monitor.c | |||
2120 | 2167 | ||
2121 | buffer_clear(m); | 2168 | buffer_clear(m); |
2122 | buffer_put_int(m, authenticated); | 2169 | buffer_put_int(m, authenticated); |
2123 | @@ -2156,6 +2194,74 @@ | 2170 | @@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2124 | /* Monitor loop will terminate if authenticated */ | 2171 | /* Monitor loop will terminate if authenticated */ |
2125 | return (authenticated); | 2172 | return (authenticated); |
2126 | } | 2173 | } |
@@ -2195,11 +2242,11 @@ Index: b/monitor.c | |||
2195 | #endif /* GSSAPI */ | 2242 | #endif /* GSSAPI */ |
2196 | 2243 | ||
2197 | #ifdef JPAKE | 2244 | #ifdef JPAKE |
2198 | Index: b/monitor.h | 2245 | diff --git a/monitor.h b/monitor.h |
2199 | =================================================================== | 2246 | index 2caa469..315ef99 100644 |
2200 | --- a/monitor.h | 2247 | --- a/monitor.h |
2201 | +++ b/monitor.h | 2248 | +++ b/monitor.h |
2202 | @@ -70,6 +70,9 @@ | 2249 | @@ -70,6 +70,9 @@ enum monitor_reqtype { |
2203 | MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, | 2250 | MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
2204 | MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, | 2251 | MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
2205 | 2252 | ||
@@ -2209,11 +2256,11 @@ Index: b/monitor.h | |||
2209 | }; | 2256 | }; |
2210 | 2257 | ||
2211 | struct mm_master; | 2258 | struct mm_master; |
2212 | Index: b/monitor_wrap.c | 2259 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2213 | =================================================================== | 2260 | index 4ce4696..44019f3 100644 |
2214 | --- a/monitor_wrap.c | 2261 | --- a/monitor_wrap.c |
2215 | +++ b/monitor_wrap.c | 2262 | +++ b/monitor_wrap.c |
2216 | @@ -1273,7 +1273,7 @@ | 2263 | @@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2217 | } | 2264 | } |
2218 | 2265 | ||
2219 | int | 2266 | int |
@@ -2222,7 +2269,7 @@ Index: b/monitor_wrap.c | |||
2222 | { | 2269 | { |
2223 | Buffer m; | 2270 | Buffer m; |
2224 | int authenticated = 0; | 2271 | int authenticated = 0; |
2225 | @@ -1290,6 +1290,51 @@ | 2272 | @@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user) |
2226 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2273 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2227 | return (authenticated); | 2274 | return (authenticated); |
2228 | } | 2275 | } |
@@ -2274,11 +2321,11 @@ Index: b/monitor_wrap.c | |||
2274 | #endif /* GSSAPI */ | 2321 | #endif /* GSSAPI */ |
2275 | 2322 | ||
2276 | #ifdef JPAKE | 2323 | #ifdef JPAKE |
2277 | Index: b/monitor_wrap.h | 2324 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2278 | =================================================================== | 2325 | index 0c7f2e3..ec9b9b1 100644 |
2279 | --- a/monitor_wrap.h | 2326 | --- a/monitor_wrap.h |
2280 | +++ b/monitor_wrap.h | 2327 | +++ b/monitor_wrap.h |
2281 | @@ -58,8 +58,10 @@ | 2328 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); |
2282 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 2329 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
2283 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, | 2330 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, |
2284 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | 2331 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
@@ -2290,11 +2337,11 @@ Index: b/monitor_wrap.h | |||
2290 | #endif | 2337 | #endif |
2291 | 2338 | ||
2292 | #ifdef USE_PAM | 2339 | #ifdef USE_PAM |
2293 | Index: b/readconf.c | 2340 | diff --git a/readconf.c b/readconf.c |
2294 | =================================================================== | 2341 | index 1464430..2695fd6 100644 |
2295 | --- a/readconf.c | 2342 | --- a/readconf.c |
2296 | +++ b/readconf.c | 2343 | +++ b/readconf.c |
2297 | @@ -132,6 +132,8 @@ | 2344 | @@ -132,6 +132,8 @@ typedef enum { |
2298 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2345 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2299 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2346 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2300 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2347 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2303,7 +2350,7 @@ Index: b/readconf.c | |||
2303 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2350 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2304 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2351 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2305 | oHashKnownHosts, | 2352 | oHashKnownHosts, |
2306 | @@ -172,10 +174,19 @@ | 2353 | @@ -172,10 +174,19 @@ static struct { |
2307 | { "afstokenpassing", oUnsupported }, | 2354 | { "afstokenpassing", oUnsupported }, |
2308 | #if defined(GSSAPI) | 2355 | #if defined(GSSAPI) |
2309 | { "gssapiauthentication", oGssAuthentication }, | 2356 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2323,7 +2370,7 @@ Index: b/readconf.c | |||
2323 | #endif | 2370 | #endif |
2324 | { "fallbacktorsh", oDeprecated }, | 2371 | { "fallbacktorsh", oDeprecated }, |
2325 | { "usersh", oDeprecated }, | 2372 | { "usersh", oDeprecated }, |
2326 | @@ -516,10 +527,30 @@ | 2373 | @@ -516,10 +527,30 @@ parse_flag: |
2327 | intptr = &options->gss_authentication; | 2374 | intptr = &options->gss_authentication; |
2328 | goto parse_flag; | 2375 | goto parse_flag; |
2329 | 2376 | ||
@@ -2354,7 +2401,7 @@ Index: b/readconf.c | |||
2354 | case oBatchMode: | 2401 | case oBatchMode: |
2355 | intptr = &options->batch_mode; | 2402 | intptr = &options->batch_mode; |
2356 | goto parse_flag; | 2403 | goto parse_flag; |
2357 | @@ -1168,7 +1199,12 @@ | 2404 | @@ -1168,7 +1199,12 @@ initialize_options(Options * options) |
2358 | options->pubkey_authentication = -1; | 2405 | options->pubkey_authentication = -1; |
2359 | options->challenge_response_authentication = -1; | 2406 | options->challenge_response_authentication = -1; |
2360 | options->gss_authentication = -1; | 2407 | options->gss_authentication = -1; |
@@ -2367,7 +2414,7 @@ Index: b/readconf.c | |||
2367 | options->password_authentication = -1; | 2414 | options->password_authentication = -1; |
2368 | options->kbd_interactive_authentication = -1; | 2415 | options->kbd_interactive_authentication = -1; |
2369 | options->kbd_interactive_devices = NULL; | 2416 | options->kbd_interactive_devices = NULL; |
2370 | @@ -1268,8 +1304,14 @@ | 2417 | @@ -1268,8 +1304,14 @@ fill_default_options(Options * options) |
2371 | options->challenge_response_authentication = 1; | 2418 | options->challenge_response_authentication = 1; |
2372 | if (options->gss_authentication == -1) | 2419 | if (options->gss_authentication == -1) |
2373 | options->gss_authentication = 0; | 2420 | options->gss_authentication = 0; |
@@ -2382,11 +2429,11 @@ Index: b/readconf.c | |||
2382 | if (options->password_authentication == -1) | 2429 | if (options->password_authentication == -1) |
2383 | options->password_authentication = 1; | 2430 | options->password_authentication = 1; |
2384 | if (options->kbd_interactive_authentication == -1) | 2431 | if (options->kbd_interactive_authentication == -1) |
2385 | Index: b/readconf.h | 2432 | diff --git a/readconf.h b/readconf.h |
2386 | =================================================================== | 2433 | index 23fc500..675b35d 100644 |
2387 | --- a/readconf.h | 2434 | --- a/readconf.h |
2388 | +++ b/readconf.h | 2435 | +++ b/readconf.h |
2389 | @@ -48,7 +48,12 @@ | 2436 | @@ -48,7 +48,12 @@ typedef struct { |
2390 | int challenge_response_authentication; | 2437 | int challenge_response_authentication; |
2391 | /* Try S/Key or TIS, authentication. */ | 2438 | /* Try S/Key or TIS, authentication. */ |
2392 | int gss_authentication; /* Try GSS authentication */ | 2439 | int gss_authentication; /* Try GSS authentication */ |
@@ -2399,11 +2446,11 @@ Index: b/readconf.h | |||
2399 | int password_authentication; /* Try password | 2446 | int password_authentication; /* Try password |
2400 | * authentication. */ | 2447 | * authentication. */ |
2401 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2448 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2402 | Index: b/servconf.c | 2449 | diff --git a/servconf.c b/servconf.c |
2403 | =================================================================== | 2450 | index 747edde..c938ae3 100644 |
2404 | --- a/servconf.c | 2451 | --- a/servconf.c |
2405 | +++ b/servconf.c | 2452 | +++ b/servconf.c |
2406 | @@ -107,7 +107,10 @@ | 2453 | @@ -107,7 +107,10 @@ initialize_server_options(ServerOptions *options) |
2407 | options->kerberos_ticket_cleanup = -1; | 2454 | options->kerberos_ticket_cleanup = -1; |
2408 | options->kerberos_get_afs_token = -1; | 2455 | options->kerberos_get_afs_token = -1; |
2409 | options->gss_authentication=-1; | 2456 | options->gss_authentication=-1; |
@@ -2414,7 +2461,7 @@ Index: b/servconf.c | |||
2414 | options->password_authentication = -1; | 2461 | options->password_authentication = -1; |
2415 | options->kbd_interactive_authentication = -1; | 2462 | options->kbd_interactive_authentication = -1; |
2416 | options->challenge_response_authentication = -1; | 2463 | options->challenge_response_authentication = -1; |
2417 | @@ -240,8 +243,14 @@ | 2464 | @@ -240,8 +243,14 @@ fill_default_server_options(ServerOptions *options) |
2418 | options->kerberos_get_afs_token = 0; | 2465 | options->kerberos_get_afs_token = 0; |
2419 | if (options->gss_authentication == -1) | 2466 | if (options->gss_authentication == -1) |
2420 | options->gss_authentication = 0; | 2467 | options->gss_authentication = 0; |
@@ -2429,7 +2476,7 @@ Index: b/servconf.c | |||
2429 | if (options->password_authentication == -1) | 2476 | if (options->password_authentication == -1) |
2430 | options->password_authentication = 1; | 2477 | options->password_authentication = 1; |
2431 | if (options->kbd_interactive_authentication == -1) | 2478 | if (options->kbd_interactive_authentication == -1) |
2432 | @@ -338,7 +347,9 @@ | 2479 | @@ -338,7 +347,9 @@ typedef enum { |
2433 | sBanner, sUseDNS, sHostbasedAuthentication, | 2480 | sBanner, sUseDNS, sHostbasedAuthentication, |
2434 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2481 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2435 | sClientAliveCountMax, sAuthorizedKeysFile, | 2482 | sClientAliveCountMax, sAuthorizedKeysFile, |
@@ -2440,7 +2487,7 @@ Index: b/servconf.c | |||
2440 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2487 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2441 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2488 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2442 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 2489 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2443 | @@ -405,10 +416,20 @@ | 2490 | @@ -405,10 +416,20 @@ static struct { |
2444 | #ifdef GSSAPI | 2491 | #ifdef GSSAPI |
2445 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2492 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2446 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2493 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2461,7 +2508,7 @@ Index: b/servconf.c | |||
2461 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2508 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2462 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2509 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2463 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2510 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2464 | @@ -1073,10 +1094,22 @@ | 2511 | @@ -1073,10 +1094,22 @@ process_server_config_line(ServerOptions *options, char *line, |
2465 | intptr = &options->gss_authentication; | 2512 | intptr = &options->gss_authentication; |
2466 | goto parse_flag; | 2513 | goto parse_flag; |
2467 | 2514 | ||
@@ -2484,7 +2531,7 @@ Index: b/servconf.c | |||
2484 | case sPasswordAuthentication: | 2531 | case sPasswordAuthentication: |
2485 | intptr = &options->password_authentication; | 2532 | intptr = &options->password_authentication; |
2486 | goto parse_flag; | 2533 | goto parse_flag; |
2487 | @@ -1983,7 +2016,10 @@ | 2534 | @@ -1983,7 +2016,10 @@ dump_config(ServerOptions *o) |
2488 | #endif | 2535 | #endif |
2489 | #ifdef GSSAPI | 2536 | #ifdef GSSAPI |
2490 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2537 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2495,11 +2542,11 @@ Index: b/servconf.c | |||
2495 | #endif | 2542 | #endif |
2496 | #ifdef JPAKE | 2543 | #ifdef JPAKE |
2497 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | 2544 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, |
2498 | Index: b/servconf.h | 2545 | diff --git a/servconf.h b/servconf.h |
2499 | =================================================================== | 2546 | index 98aad8b..ab6e346 100644 |
2500 | --- a/servconf.h | 2547 | --- a/servconf.h |
2501 | +++ b/servconf.h | 2548 | +++ b/servconf.h |
2502 | @@ -111,7 +111,10 @@ | 2549 | @@ -111,7 +111,10 @@ typedef struct { |
2503 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2550 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2504 | * authenticated with Kerberos. */ | 2551 | * authenticated with Kerberos. */ |
2505 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2552 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2510,8 +2557,8 @@ Index: b/servconf.h | |||
2510 | int password_authentication; /* If true, permit password | 2557 | int password_authentication; /* If true, permit password |
2511 | * authentication. */ | 2558 | * authentication. */ |
2512 | int kbd_interactive_authentication; /* If true, permit */ | 2559 | int kbd_interactive_authentication; /* If true, permit */ |
2513 | Index: b/ssh-gss.h | 2560 | diff --git a/ssh-gss.h b/ssh-gss.h |
2514 | =================================================================== | 2561 | index 077e13c..bc6e8f9 100644 |
2515 | --- a/ssh-gss.h | 2562 | --- a/ssh-gss.h |
2516 | +++ b/ssh-gss.h | 2563 | +++ b/ssh-gss.h |
2517 | @@ -1,6 +1,6 @@ | 2564 | @@ -1,6 +1,6 @@ |
@@ -2545,7 +2592,7 @@ Index: b/ssh-gss.h | |||
2545 | void *data; | 2592 | void *data; |
2546 | } ssh_gssapi_ccache; | 2593 | } ssh_gssapi_ccache; |
2547 | 2594 | ||
2548 | @@ -72,8 +84,11 @@ | 2595 | @@ -72,8 +84,11 @@ typedef struct { |
2549 | gss_buffer_desc displayname; | 2596 | gss_buffer_desc displayname; |
2550 | gss_buffer_desc exportedname; | 2597 | gss_buffer_desc exportedname; |
2551 | gss_cred_id_t creds; | 2598 | gss_cred_id_t creds; |
@@ -2557,7 +2604,7 @@ Index: b/ssh-gss.h | |||
2557 | } ssh_gssapi_client; | 2604 | } ssh_gssapi_client; |
2558 | 2605 | ||
2559 | typedef struct ssh_gssapi_mech_struct { | 2606 | typedef struct ssh_gssapi_mech_struct { |
2560 | @@ -84,6 +99,7 @@ | 2607 | @@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct { |
2561 | int (*userok) (ssh_gssapi_client *, char *); | 2608 | int (*userok) (ssh_gssapi_client *, char *); |
2562 | int (*localname) (ssh_gssapi_client *, char **); | 2609 | int (*localname) (ssh_gssapi_client *, char **); |
2563 | void (*storecreds) (ssh_gssapi_client *); | 2610 | void (*storecreds) (ssh_gssapi_client *); |
@@ -2565,7 +2612,7 @@ Index: b/ssh-gss.h | |||
2565 | } ssh_gssapi_mech; | 2612 | } ssh_gssapi_mech; |
2566 | 2613 | ||
2567 | typedef struct { | 2614 | typedef struct { |
2568 | @@ -94,10 +110,11 @@ | 2615 | @@ -94,10 +110,11 @@ typedef struct { |
2569 | gss_OID oid; /* client */ | 2616 | gss_OID oid; /* client */ |
2570 | gss_cred_id_t creds; /* server */ | 2617 | gss_cred_id_t creds; /* server */ |
2571 | gss_name_t client; /* server */ | 2618 | gss_name_t client; /* server */ |
@@ -2578,7 +2625,7 @@ Index: b/ssh-gss.h | |||
2578 | 2625 | ||
2579 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | 2626 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); |
2580 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | 2627 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); |
2581 | @@ -117,16 +134,30 @@ | 2628 | @@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **); |
2582 | void ssh_gssapi_delete_ctx(Gssctxt **); | 2629 | void ssh_gssapi_delete_ctx(Gssctxt **); |
2583 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 2630 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
2584 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | 2631 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); |
@@ -2611,8 +2658,8 @@ Index: b/ssh-gss.h | |||
2611 | #endif /* GSSAPI */ | 2658 | #endif /* GSSAPI */ |
2612 | 2659 | ||
2613 | #endif /* _SSH_GSS_H */ | 2660 | #endif /* _SSH_GSS_H */ |
2614 | Index: b/ssh_config | 2661 | diff --git a/ssh_config b/ssh_config |
2615 | =================================================================== | 2662 | index bb40819..3234321 100644 |
2616 | --- a/ssh_config | 2663 | --- a/ssh_config |
2617 | +++ b/ssh_config | 2664 | +++ b/ssh_config |
2618 | @@ -26,6 +26,8 @@ | 2665 | @@ -26,6 +26,8 @@ |
@@ -2624,11 +2671,11 @@ Index: b/ssh_config | |||
2624 | # BatchMode no | 2671 | # BatchMode no |
2625 | # CheckHostIP yes | 2672 | # CheckHostIP yes |
2626 | # AddressFamily any | 2673 | # AddressFamily any |
2627 | Index: b/ssh_config.5 | 2674 | diff --git a/ssh_config.5 b/ssh_config.5 |
2628 | =================================================================== | 2675 | index 5d76c6d..e72919a 100644 |
2629 | --- a/ssh_config.5 | 2676 | --- a/ssh_config.5 |
2630 | +++ b/ssh_config.5 | 2677 | +++ b/ssh_config.5 |
2631 | @@ -529,11 +529,43 @@ | 2678 | @@ -529,11 +529,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2632 | The default is | 2679 | The default is |
2633 | .Dq no . | 2680 | .Dq no . |
2634 | Note that this option applies to protocol version 2 only. | 2681 | Note that this option applies to protocol version 2 only. |
@@ -2673,11 +2720,11 @@ Index: b/ssh_config.5 | |||
2673 | .It Cm HashKnownHosts | 2720 | .It Cm HashKnownHosts |
2674 | Indicates that | 2721 | Indicates that |
2675 | .Xr ssh 1 | 2722 | .Xr ssh 1 |
2676 | Index: b/sshconnect2.c | 2723 | diff --git a/sshconnect2.c b/sshconnect2.c |
2677 | =================================================================== | 2724 | index 70e3cd8..0b13530 100644 |
2678 | --- a/sshconnect2.c | 2725 | --- a/sshconnect2.c |
2679 | +++ b/sshconnect2.c | 2726 | +++ b/sshconnect2.c |
2680 | @@ -160,9 +160,34 @@ | 2727 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2681 | { | 2728 | { |
2682 | Kex *kex; | 2729 | Kex *kex; |
2683 | 2730 | ||
@@ -2712,7 +2759,7 @@ Index: b/sshconnect2.c | |||
2712 | if (options.ciphers == (char *)-1) { | 2759 | if (options.ciphers == (char *)-1) { |
2713 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2760 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2714 | options.ciphers = NULL; | 2761 | options.ciphers = NULL; |
2715 | @@ -197,6 +222,17 @@ | 2762 | @@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2716 | if (options.kex_algorithms != NULL) | 2763 | if (options.kex_algorithms != NULL) |
2717 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2764 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
2718 | 2765 | ||
@@ -2730,7 +2777,7 @@ Index: b/sshconnect2.c | |||
2730 | if (options.rekey_limit || options.rekey_interval) | 2777 | if (options.rekey_limit || options.rekey_interval) |
2731 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2778 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2732 | (time_t)options.rekey_interval); | 2779 | (time_t)options.rekey_interval); |
2733 | @@ -208,10 +244,30 @@ | 2780 | @@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2734 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 2781 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
2735 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 2782 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
2736 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2783 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; |
@@ -2761,7 +2808,7 @@ Index: b/sshconnect2.c | |||
2761 | xxx_kex = kex; | 2808 | xxx_kex = kex; |
2762 | 2809 | ||
2763 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2810 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2764 | @@ -307,6 +363,7 @@ | 2811 | @@ -307,6 +363,7 @@ void input_gssapi_token(int type, u_int32_t, void *); |
2765 | void input_gssapi_hash(int type, u_int32_t, void *); | 2812 | void input_gssapi_hash(int type, u_int32_t, void *); |
2766 | void input_gssapi_error(int, u_int32_t, void *); | 2813 | void input_gssapi_error(int, u_int32_t, void *); |
2767 | void input_gssapi_errtok(int, u_int32_t, void *); | 2814 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2769,7 +2816,7 @@ Index: b/sshconnect2.c | |||
2769 | #endif | 2816 | #endif |
2770 | 2817 | ||
2771 | void userauth(Authctxt *, char *); | 2818 | void userauth(Authctxt *, char *); |
2772 | @@ -322,6 +379,11 @@ | 2819 | @@ -322,6 +379,11 @@ static char *authmethods_get(void); |
2773 | 2820 | ||
2774 | Authmethod authmethods[] = { | 2821 | Authmethod authmethods[] = { |
2775 | #ifdef GSSAPI | 2822 | #ifdef GSSAPI |
@@ -2781,7 +2828,7 @@ Index: b/sshconnect2.c | |||
2781 | {"gssapi-with-mic", | 2828 | {"gssapi-with-mic", |
2782 | userauth_gssapi, | 2829 | userauth_gssapi, |
2783 | NULL, | 2830 | NULL, |
2784 | @@ -625,19 +687,31 @@ | 2831 | @@ -625,19 +687,31 @@ userauth_gssapi(Authctxt *authctxt) |
2785 | static u_int mech = 0; | 2832 | static u_int mech = 0; |
2786 | OM_uint32 min; | 2833 | OM_uint32 min; |
2787 | int ok = 0; | 2834 | int ok = 0; |
@@ -2815,7 +2862,7 @@ Index: b/sshconnect2.c | |||
2815 | ok = 1; /* Mechanism works */ | 2862 | ok = 1; /* Mechanism works */ |
2816 | } else { | 2863 | } else { |
2817 | mech++; | 2864 | mech++; |
2818 | @@ -734,8 +808,8 @@ | 2865 | @@ -734,8 +808,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2819 | { | 2866 | { |
2820 | Authctxt *authctxt = ctxt; | 2867 | Authctxt *authctxt = ctxt; |
2821 | Gssctxt *gssctxt; | 2868 | Gssctxt *gssctxt; |
@@ -2826,7 +2873,7 @@ Index: b/sshconnect2.c | |||
2826 | 2873 | ||
2827 | if (authctxt == NULL) | 2874 | if (authctxt == NULL) |
2828 | fatal("input_gssapi_response: no authentication context"); | 2875 | fatal("input_gssapi_response: no authentication context"); |
2829 | @@ -844,6 +918,48 @@ | 2876 | @@ -844,6 +918,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2830 | free(msg); | 2877 | free(msg); |
2831 | free(lang); | 2878 | free(lang); |
2832 | } | 2879 | } |
@@ -2875,8 +2922,8 @@ Index: b/sshconnect2.c | |||
2875 | #endif /* GSSAPI */ | 2922 | #endif /* GSSAPI */ |
2876 | 2923 | ||
2877 | int | 2924 | int |
2878 | Index: b/sshd.c | 2925 | diff --git a/sshd.c b/sshd.c |
2879 | =================================================================== | 2926 | index 174cc7a..4eddeb8 100644 |
2880 | --- a/sshd.c | 2927 | --- a/sshd.c |
2881 | +++ b/sshd.c | 2928 | +++ b/sshd.c |
2882 | @@ -122,6 +122,10 @@ | 2929 | @@ -122,6 +122,10 @@ |
@@ -2890,7 +2937,7 @@ Index: b/sshd.c | |||
2890 | #ifdef LIBWRAP | 2937 | #ifdef LIBWRAP |
2891 | #include <tcpd.h> | 2938 | #include <tcpd.h> |
2892 | #include <syslog.h> | 2939 | #include <syslog.h> |
2893 | @@ -1703,10 +1707,13 @@ | 2940 | @@ -1703,10 +1707,13 @@ main(int ac, char **av) |
2894 | logit("Disabling protocol version 1. Could not load host key"); | 2941 | logit("Disabling protocol version 1. Could not load host key"); |
2895 | options.protocol &= ~SSH_PROTO_1; | 2942 | options.protocol &= ~SSH_PROTO_1; |
2896 | } | 2943 | } |
@@ -2904,7 +2951,7 @@ Index: b/sshd.c | |||
2904 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2951 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2905 | logit("sshd: no hostkeys available -- exiting."); | 2952 | logit("sshd: no hostkeys available -- exiting."); |
2906 | exit(1); | 2953 | exit(1); |
2907 | @@ -2035,6 +2042,60 @@ | 2954 | @@ -2035,6 +2042,60 @@ main(int ac, char **av) |
2908 | /* Log the connection. */ | 2955 | /* Log the connection. */ |
2909 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2956 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
2910 | 2957 | ||
@@ -2965,7 +3012,7 @@ Index: b/sshd.c | |||
2965 | /* | 3012 | /* |
2966 | * We don't want to listen forever unless the other side | 3013 | * We don't want to listen forever unless the other side |
2967 | * successfully authenticates itself. So we set up an alarm which is | 3014 | * successfully authenticates itself. So we set up an alarm which is |
2968 | @@ -2439,6 +2500,48 @@ | 3015 | @@ -2439,6 +2500,48 @@ do_ssh2_kex(void) |
2969 | 3016 | ||
2970 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 3017 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2971 | 3018 | ||
@@ -3014,7 +3061,7 @@ Index: b/sshd.c | |||
3014 | /* start key exchange */ | 3061 | /* start key exchange */ |
3015 | kex = kex_setup(myproposal); | 3062 | kex = kex_setup(myproposal); |
3016 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3063 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
3017 | @@ -2446,6 +2549,13 @@ | 3064 | @@ -2446,6 +2549,13 @@ do_ssh2_kex(void) |
3018 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 3065 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
3019 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 3066 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
3020 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3067 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -3028,11 +3075,11 @@ Index: b/sshd.c | |||
3028 | kex->server = 1; | 3075 | kex->server = 1; |
3029 | kex->client_version_string=client_version_string; | 3076 | kex->client_version_string=client_version_string; |
3030 | kex->server_version_string=server_version_string; | 3077 | kex->server_version_string=server_version_string; |
3031 | Index: b/sshd_config | 3078 | diff --git a/sshd_config b/sshd_config |
3032 | =================================================================== | 3079 | index b786361..9450141 100644 |
3033 | --- a/sshd_config | 3080 | --- a/sshd_config |
3034 | +++ b/sshd_config | 3081 | +++ b/sshd_config |
3035 | @@ -83,6 +83,8 @@ | 3082 | @@ -83,6 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
3036 | # GSSAPI options | 3083 | # GSSAPI options |
3037 | #GSSAPIAuthentication no | 3084 | #GSSAPIAuthentication no |
3038 | #GSSAPICleanupCredentials yes | 3085 | #GSSAPICleanupCredentials yes |
@@ -3041,11 +3088,11 @@ Index: b/sshd_config | |||
3041 | 3088 | ||
3042 | # Set this to 'yes' to enable PAM authentication, account processing, | 3089 | # Set this to 'yes' to enable PAM authentication, account processing, |
3043 | # and session processing. If this is enabled, PAM authentication will | 3090 | # and session processing. If this is enabled, PAM authentication will |
3044 | Index: b/sshd_config.5 | 3091 | diff --git a/sshd_config.5 b/sshd_config.5 |
3045 | =================================================================== | 3092 | index 3abac6c..525d9c8 100644 |
3046 | --- a/sshd_config.5 | 3093 | --- a/sshd_config.5 |
3047 | +++ b/sshd_config.5 | 3094 | +++ b/sshd_config.5 |
3048 | @@ -484,12 +484,40 @@ | 3095 | @@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3049 | The default is | 3096 | The default is |
3050 | .Dq no . | 3097 | .Dq no . |
3051 | Note that this option applies to protocol version 2 only. | 3098 | Note that this option applies to protocol version 2 only. |