Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 318 |
1 files changed, 163 insertions, 155 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 8e946aa88..ea56167d7 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From eecddf8b72fcad83ccca43b1badb03782704f6b7 Mon Sep 17 00:00:00 2001 | 1 | From 9f717de15a8e113f7c6a3db52d75ce0172885f95 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -39,7 +39,7 @@ Patch-Name: gssapi.patch | |||
39 | kex.h | 14 +++ | 39 | kex.h | 14 +++ |
40 | kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 40 | kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
41 | kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++ | 41 | kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++ |
42 | monitor.c | 108 +++++++++++++++++- | 42 | monitor.c | 115 +++++++++++++++++-- |
43 | monitor.h | 3 + | 43 | monitor.h | 3 + |
44 | monitor_wrap.c | 47 +++++++- | 44 | monitor_wrap.c | 47 +++++++- |
45 | monitor_wrap.h | 4 +- | 45 | monitor_wrap.h | 4 +- |
@@ -56,14 +56,14 @@ Patch-Name: gssapi.patch | |||
56 | sshd_config.5 | 10 ++ | 56 | sshd_config.5 | 10 ++ |
57 | sshkey.c | 3 +- | 57 | sshkey.c | 3 +- |
58 | sshkey.h | 1 + | 58 | sshkey.h | 1 + |
59 | 35 files changed, 2054 insertions(+), 139 deletions(-) | 59 | 35 files changed, 2053 insertions(+), 147 deletions(-) |
60 | create mode 100644 ChangeLog.gssapi | 60 | create mode 100644 ChangeLog.gssapi |
61 | create mode 100644 kexgssc.c | 61 | create mode 100644 kexgssc.c |
62 | create mode 100644 kexgsss.c | 62 | create mode 100644 kexgsss.c |
63 | 63 | ||
64 | diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi | 64 | diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi |
65 | new file mode 100644 | 65 | new file mode 100644 |
66 | index 0000000..f117a33 | 66 | index 00000000..f117a336 |
67 | --- /dev/null | 67 | --- /dev/null |
68 | +++ b/ChangeLog.gssapi | 68 | +++ b/ChangeLog.gssapi |
69 | @@ -0,0 +1,113 @@ | 69 | @@ -0,0 +1,113 @@ |
@@ -181,7 +181,7 @@ index 0000000..f117a33 | |||
181 | + (from jbasney AT ncsa.uiuc.edu) | 181 | + (from jbasney AT ncsa.uiuc.edu) |
182 | + <gssapi-with-mic support is Bugzilla #1008> | 182 | + <gssapi-with-mic support is Bugzilla #1008> |
183 | diff --git a/Makefile.in b/Makefile.in | 183 | diff --git a/Makefile.in b/Makefile.in |
184 | index 12991cd..51817df 100644 | 184 | index e10f3742..00a320e1 100644 |
185 | --- a/Makefile.in | 185 | --- a/Makefile.in |
186 | +++ b/Makefile.in | 186 | +++ b/Makefile.in |
187 | @@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 187 | @@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
@@ -192,17 +192,17 @@ index 12991cd..51817df 100644 | |||
192 | platform-pledge.o platform-tracing.o | 192 | platform-pledge.o platform-tracing.o |
193 | 193 | ||
194 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 194 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
195 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 195 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ |
196 | auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ | 196 | auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
197 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 197 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
198 | monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ | 198 | monitor.o monitor_wrap.o auth-krb5.o \ |
199 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ | 199 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ |
200 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ | 200 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ |
201 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 201 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
202 | sftp-server.o sftp-common.o \ | 202 | sftp-server.o sftp-common.o \ |
203 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ | 203 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
204 | diff --git a/auth-krb5.c b/auth-krb5.c | 204 | diff --git a/auth-krb5.c b/auth-krb5.c |
205 | index a5a81ed..38e7fee 100644 | 205 | index a5a81ed2..38e7fee2 100644 |
206 | --- a/auth-krb5.c | 206 | --- a/auth-krb5.c |
207 | +++ b/auth-krb5.c | 207 | +++ b/auth-krb5.c |
208 | @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) | 208 | @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) |
@@ -253,10 +253,10 @@ index a5a81ed..38e7fee 100644 | |||
253 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 253 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
254 | } | 254 | } |
255 | diff --git a/auth.c b/auth.c | 255 | diff --git a/auth.c b/auth.c |
256 | index 24527dd..f56dcc6 100644 | 256 | index 6ee6116d..c6390687 100644 |
257 | --- a/auth.c | 257 | --- a/auth.c |
258 | +++ b/auth.c | 258 | +++ b/auth.c |
259 | @@ -363,7 +363,8 @@ auth_root_allowed(const char *method) | 259 | @@ -372,7 +372,8 @@ auth_root_allowed(const char *method) |
260 | case PERMIT_NO_PASSWD: | 260 | case PERMIT_NO_PASSWD: |
261 | if (strcmp(method, "publickey") == 0 || | 261 | if (strcmp(method, "publickey") == 0 || |
262 | strcmp(method, "hostbased") == 0 || | 262 | strcmp(method, "hostbased") == 0 || |
@@ -266,7 +266,7 @@ index 24527dd..f56dcc6 100644 | |||
266 | return 1; | 266 | return 1; |
267 | break; | 267 | break; |
268 | case PERMIT_FORCED_ONLY: | 268 | case PERMIT_FORCED_ONLY: |
269 | @@ -786,99 +787,6 @@ fakepw(void) | 269 | @@ -795,99 +796,6 @@ fakepw(void) |
270 | } | 270 | } |
271 | 271 | ||
272 | /* | 272 | /* |
@@ -367,7 +367,7 @@ index 24527dd..f56dcc6 100644 | |||
367 | * connection. The host name is cached, so it is efficient to call this | 367 | * connection. The host name is cached, so it is efficient to call this |
368 | * several times. | 368 | * several times. |
369 | diff --git a/auth2-gss.c b/auth2-gss.c | 369 | diff --git a/auth2-gss.c b/auth2-gss.c |
370 | index 1ca8357..3b5036d 100644 | 370 | index 1ca83577..3b5036df 100644 |
371 | --- a/auth2-gss.c | 371 | --- a/auth2-gss.c |
372 | +++ b/auth2-gss.c | 372 | +++ b/auth2-gss.c |
373 | @@ -1,7 +1,7 @@ | 373 | @@ -1,7 +1,7 @@ |
@@ -454,7 +454,7 @@ index 1ca8357..3b5036d 100644 | |||
454 | "gssapi-with-mic", | 454 | "gssapi-with-mic", |
455 | userauth_gssapi, | 455 | userauth_gssapi, |
456 | diff --git a/auth2.c b/auth2.c | 456 | diff --git a/auth2.c b/auth2.c |
457 | index 9108b86..ce0d376 100644 | 457 | index 9108b861..ce0d3760 100644 |
458 | --- a/auth2.c | 458 | --- a/auth2.c |
459 | +++ b/auth2.c | 459 | +++ b/auth2.c |
460 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; | 460 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; |
@@ -474,7 +474,7 @@ index 9108b86..ce0d376 100644 | |||
474 | #endif | 474 | #endif |
475 | &method_passwd, | 475 | &method_passwd, |
476 | diff --git a/canohost.c b/canohost.c | 476 | diff --git a/canohost.c b/canohost.c |
477 | index f71a085..404731d 100644 | 477 | index f71a0856..404731d2 100644 |
478 | --- a/canohost.c | 478 | --- a/canohost.c |
479 | +++ b/canohost.c | 479 | +++ b/canohost.c |
480 | @@ -35,6 +35,99 @@ | 480 | @@ -35,6 +35,99 @@ |
@@ -578,7 +578,7 @@ index f71a085..404731d 100644 | |||
578 | ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) | 578 | ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) |
579 | { | 579 | { |
580 | diff --git a/canohost.h b/canohost.h | 580 | diff --git a/canohost.h b/canohost.h |
581 | index 26d6285..0cadc9f 100644 | 581 | index 26d62855..0cadc9f1 100644 |
582 | --- a/canohost.h | 582 | --- a/canohost.h |
583 | +++ b/canohost.h | 583 | +++ b/canohost.h |
584 | @@ -15,6 +15,9 @@ | 584 | @@ -15,6 +15,9 @@ |
@@ -592,10 +592,10 @@ index 26d6285..0cadc9f 100644 | |||
592 | int get_peer_port(int); | 592 | int get_peer_port(int); |
593 | char *get_local_ipaddr(int); | 593 | char *get_local_ipaddr(int); |
594 | diff --git a/clientloop.c b/clientloop.c | 594 | diff --git a/clientloop.c b/clientloop.c |
595 | index 2c44f5d..421241f 100644 | 595 | index 4289a408..99c68b69 100644 |
596 | --- a/clientloop.c | 596 | --- a/clientloop.c |
597 | +++ b/clientloop.c | 597 | +++ b/clientloop.c |
598 | @@ -114,6 +114,10 @@ | 598 | @@ -113,6 +113,10 @@ |
599 | #include "ssherr.h" | 599 | #include "ssherr.h" |
600 | #include "hostfile.h" | 600 | #include "hostfile.h" |
601 | 601 | ||
@@ -606,7 +606,7 @@ index 2c44f5d..421241f 100644 | |||
606 | /* import options */ | 606 | /* import options */ |
607 | extern Options options; | 607 | extern Options options; |
608 | 608 | ||
609 | @@ -1666,9 +1670,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 609 | @@ -1664,9 +1668,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
610 | break; | 610 | break; |
611 | 611 | ||
612 | /* Do channel operations unless rekeying in progress. */ | 612 | /* Do channel operations unless rekeying in progress. */ |
@@ -627,10 +627,10 @@ index 2c44f5d..421241f 100644 | |||
627 | client_process_net_input(readset); | 627 | client_process_net_input(readset); |
628 | 628 | ||
629 | diff --git a/config.h.in b/config.h.in | 629 | diff --git a/config.h.in b/config.h.in |
630 | index 39d018f..d7caf9a 100644 | 630 | index 75e02ab4..afe540e9 100644 |
631 | --- a/config.h.in | 631 | --- a/config.h.in |
632 | +++ b/config.h.in | 632 | +++ b/config.h.in |
633 | @@ -1668,6 +1668,9 @@ | 633 | @@ -1667,6 +1667,9 @@ |
634 | /* Use btmp to log bad logins */ | 634 | /* Use btmp to log bad logins */ |
635 | #undef USE_BTMP | 635 | #undef USE_BTMP |
636 | 636 | ||
@@ -640,7 +640,7 @@ index 39d018f..d7caf9a 100644 | |||
640 | /* Use libedit for sftp */ | 640 | /* Use libedit for sftp */ |
641 | #undef USE_LIBEDIT | 641 | #undef USE_LIBEDIT |
642 | 642 | ||
643 | @@ -1683,6 +1686,9 @@ | 643 | @@ -1682,6 +1685,9 @@ |
644 | /* Use PIPES instead of a socketpair() */ | 644 | /* Use PIPES instead of a socketpair() */ |
645 | #undef USE_PIPES | 645 | #undef USE_PIPES |
646 | 646 | ||
@@ -651,10 +651,10 @@ index 39d018f..d7caf9a 100644 | |||
651 | #undef USE_SOLARIS_PRIVS | 651 | #undef USE_SOLARIS_PRIVS |
652 | 652 | ||
653 | diff --git a/configure.ac b/configure.ac | 653 | diff --git a/configure.ac b/configure.ac |
654 | index 373d21b..894ec3b 100644 | 654 | index eb9f45dc..5fdc696c 100644 |
655 | --- a/configure.ac | 655 | --- a/configure.ac |
656 | +++ b/configure.ac | 656 | +++ b/configure.ac |
657 | @@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 657 | @@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
658 | [Use tunnel device compatibility to OpenBSD]) | 658 | [Use tunnel device compatibility to OpenBSD]) |
659 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 659 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
660 | [Prepend the address family to IP tunnel traffic]) | 660 | [Prepend the address family to IP tunnel traffic]) |
@@ -686,11 +686,11 @@ index 373d21b..894ec3b 100644 | |||
686 | AC_CHECK_DECL([AU_IPv4], [], | 686 | AC_CHECK_DECL([AU_IPv4], [], |
687 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) | 687 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
688 | diff --git a/gss-genr.c b/gss-genr.c | 688 | diff --git a/gss-genr.c b/gss-genr.c |
689 | index d617d60..b4eca3f 100644 | 689 | index 62559ed9..0b3ae073 100644 |
690 | --- a/gss-genr.c | 690 | --- a/gss-genr.c |
691 | +++ b/gss-genr.c | 691 | +++ b/gss-genr.c |
692 | @@ -1,7 +1,7 @@ | 692 | @@ -1,7 +1,7 @@ |
693 | /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ | 693 | /* $OpenBSD: gss-genr.c,v 1.24 2016/09/12 01:22:38 deraadt Exp $ */ |
694 | 694 | ||
695 | /* | 695 | /* |
696 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. | 696 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
@@ -698,7 +698,7 @@ index d617d60..b4eca3f 100644 | |||
698 | * | 698 | * |
699 | * Redistribution and use in source and binary forms, with or without | 699 | * Redistribution and use in source and binary forms, with or without |
700 | * modification, are permitted provided that the following conditions | 700 | * modification, are permitted provided that the following conditions |
701 | @@ -41,12 +41,167 @@ | 701 | @@ -40,12 +40,167 @@ |
702 | #include "buffer.h" | 702 | #include "buffer.h" |
703 | #include "log.h" | 703 | #include "log.h" |
704 | #include "ssh2.h" | 704 | #include "ssh2.h" |
@@ -866,7 +866,7 @@ index d617d60..b4eca3f 100644 | |||
866 | /* Check that the OID in a data stream matches that in the context */ | 866 | /* Check that the OID in a data stream matches that in the context */ |
867 | int | 867 | int |
868 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | 868 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) |
869 | @@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, | 869 | @@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, |
870 | } | 870 | } |
871 | 871 | ||
872 | ctx->major = gss_init_sec_context(&ctx->minor, | 872 | ctx->major = gss_init_sec_context(&ctx->minor, |
@@ -875,7 +875,7 @@ index d617d60..b4eca3f 100644 | |||
875 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | 875 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
876 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | 876 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); |
877 | 877 | ||
878 | @@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) | 878 | @@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
879 | } | 879 | } |
880 | 880 | ||
881 | OM_uint32 | 881 | OM_uint32 |
@@ -918,7 +918,7 @@ index d617d60..b4eca3f 100644 | |||
918 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, | 918 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, |
919 | GSS_C_QOP_DEFAULT, buffer, hash))) | 919 | GSS_C_QOP_DEFAULT, buffer, hash))) |
920 | ssh_gssapi_error(ctx); | 920 | ssh_gssapi_error(ctx); |
921 | @@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | 921 | @@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) |
922 | return (ctx->major); | 922 | return (ctx->major); |
923 | } | 923 | } |
924 | 924 | ||
@@ -938,7 +938,7 @@ index d617d60..b4eca3f 100644 | |||
938 | void | 938 | void |
939 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 939 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
940 | const char *context) | 940 | const char *context) |
941 | @@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 941 | @@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
942 | } | 942 | } |
943 | 943 | ||
944 | int | 944 | int |
@@ -956,7 +956,7 @@ index d617d60..b4eca3f 100644 | |||
956 | 956 | ||
957 | /* RFC 4462 says we MUST NOT do SPNEGO */ | 957 | /* RFC 4462 says we MUST NOT do SPNEGO */ |
958 | if (oid->length == spnego_oid.length && | 958 | if (oid->length == spnego_oid.length && |
959 | @@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 959 | @@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
960 | ssh_gssapi_build_ctx(ctx); | 960 | ssh_gssapi_build_ctx(ctx); |
961 | ssh_gssapi_set_oid(*ctx, oid); | 961 | ssh_gssapi_set_oid(*ctx, oid); |
962 | major = ssh_gssapi_import_name(*ctx, host); | 962 | major = ssh_gssapi_import_name(*ctx, host); |
@@ -967,7 +967,7 @@ index d617d60..b4eca3f 100644 | |||
967 | if (!GSS_ERROR(major)) { | 967 | if (!GSS_ERROR(major)) { |
968 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | 968 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, |
969 | NULL); | 969 | NULL); |
970 | @@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 970 | @@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
971 | GSS_C_NO_BUFFER); | 971 | GSS_C_NO_BUFFER); |
972 | } | 972 | } |
973 | 973 | ||
@@ -1036,7 +1036,7 @@ index d617d60..b4eca3f 100644 | |||
1036 | + | 1036 | + |
1037 | #endif /* GSSAPI */ | 1037 | #endif /* GSSAPI */ |
1038 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c | 1038 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c |
1039 | index 795992d..fd8b371 100644 | 1039 | index 795992d9..fd8b3718 100644 |
1040 | --- a/gss-serv-krb5.c | 1040 | --- a/gss-serv-krb5.c |
1041 | +++ b/gss-serv-krb5.c | 1041 | +++ b/gss-serv-krb5.c |
1042 | @@ -1,7 +1,7 @@ | 1042 | @@ -1,7 +1,7 @@ |
@@ -1162,7 +1162,7 @@ index 795992d..fd8b371 100644 | |||
1162 | 1162 | ||
1163 | #endif /* KRB5 */ | 1163 | #endif /* KRB5 */ |
1164 | diff --git a/gss-serv.c b/gss-serv.c | 1164 | diff --git a/gss-serv.c b/gss-serv.c |
1165 | index 53993d6..2f6baf7 100644 | 1165 | index 53993d67..2f6baf70 100644 |
1166 | --- a/gss-serv.c | 1166 | --- a/gss-serv.c |
1167 | +++ b/gss-serv.c | 1167 | +++ b/gss-serv.c |
1168 | @@ -1,7 +1,7 @@ | 1168 | @@ -1,7 +1,7 @@ |
@@ -1434,10 +1434,10 @@ index 53993d6..2f6baf7 100644 | |||
1434 | 1434 | ||
1435 | #endif | 1435 | #endif |
1436 | diff --git a/kex.c b/kex.c | 1436 | diff --git a/kex.c b/kex.c |
1437 | index 50c7a0f..c17d652 100644 | 1437 | index 6a94bc53..d8708684 100644 |
1438 | --- a/kex.c | 1438 | --- a/kex.c |
1439 | +++ b/kex.c | 1439 | +++ b/kex.c |
1440 | @@ -55,6 +55,10 @@ | 1440 | @@ -54,6 +54,10 @@ |
1441 | #include "sshbuf.h" | 1441 | #include "sshbuf.h" |
1442 | #include "digest.h" | 1442 | #include "digest.h" |
1443 | 1443 | ||
@@ -1474,7 +1474,7 @@ index 50c7a0f..c17d652 100644 | |||
1474 | return NULL; | 1474 | return NULL; |
1475 | } | 1475 | } |
1476 | 1476 | ||
1477 | @@ -587,6 +603,9 @@ kex_free(struct kex *kex) | 1477 | @@ -597,6 +613,9 @@ kex_free(struct kex *kex) |
1478 | sshbuf_free(kex->peer); | 1478 | sshbuf_free(kex->peer); |
1479 | sshbuf_free(kex->my); | 1479 | sshbuf_free(kex->my); |
1480 | free(kex->session_id); | 1480 | free(kex->session_id); |
@@ -1485,10 +1485,10 @@ index 50c7a0f..c17d652 100644 | |||
1485 | free(kex->server_version_string); | 1485 | free(kex->server_version_string); |
1486 | free(kex->failed_choice); | 1486 | free(kex->failed_choice); |
1487 | diff --git a/kex.h b/kex.h | 1487 | diff --git a/kex.h b/kex.h |
1488 | index c351955..8ed459a 100644 | 1488 | index 3794f212..fd56171d 100644 |
1489 | --- a/kex.h | 1489 | --- a/kex.h |
1490 | +++ b/kex.h | 1490 | +++ b/kex.h |
1491 | @@ -98,6 +98,9 @@ enum kex_exchange { | 1491 | @@ -99,6 +99,9 @@ enum kex_exchange { |
1492 | KEX_DH_GEX_SHA256, | 1492 | KEX_DH_GEX_SHA256, |
1493 | KEX_ECDH_SHA2, | 1493 | KEX_ECDH_SHA2, |
1494 | KEX_C25519_SHA256, | 1494 | KEX_C25519_SHA256, |
@@ -1498,7 +1498,7 @@ index c351955..8ed459a 100644 | |||
1498 | KEX_MAX | 1498 | KEX_MAX |
1499 | }; | 1499 | }; |
1500 | 1500 | ||
1501 | @@ -146,6 +149,12 @@ struct kex { | 1501 | @@ -147,6 +150,12 @@ struct kex { |
1502 | u_int flags; | 1502 | u_int flags; |
1503 | int hash_alg; | 1503 | int hash_alg; |
1504 | int ec_nid; | 1504 | int ec_nid; |
@@ -1511,7 +1511,7 @@ index c351955..8ed459a 100644 | |||
1511 | char *client_version_string; | 1511 | char *client_version_string; |
1512 | char *server_version_string; | 1512 | char *server_version_string; |
1513 | char *failed_choice; | 1513 | char *failed_choice; |
1514 | @@ -196,6 +205,11 @@ int kexecdh_server(struct ssh *); | 1514 | @@ -197,6 +206,11 @@ int kexecdh_server(struct ssh *); |
1515 | int kexc25519_client(struct ssh *); | 1515 | int kexc25519_client(struct ssh *); |
1516 | int kexc25519_server(struct ssh *); | 1516 | int kexc25519_server(struct ssh *); |
1517 | 1517 | ||
@@ -1525,7 +1525,7 @@ index c351955..8ed459a 100644 | |||
1525 | const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); | 1525 | const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); |
1526 | diff --git a/kexgssc.c b/kexgssc.c | 1526 | diff --git a/kexgssc.c b/kexgssc.c |
1527 | new file mode 100644 | 1527 | new file mode 100644 |
1528 | index 0000000..10447f2 | 1528 | index 00000000..10447f2b |
1529 | --- /dev/null | 1529 | --- /dev/null |
1530 | +++ b/kexgssc.c | 1530 | +++ b/kexgssc.c |
1531 | @@ -0,0 +1,338 @@ | 1531 | @@ -0,0 +1,338 @@ |
@@ -1869,7 +1869,7 @@ index 0000000..10447f2 | |||
1869 | +#endif /* GSSAPI */ | 1869 | +#endif /* GSSAPI */ |
1870 | diff --git a/kexgsss.c b/kexgsss.c | 1870 | diff --git a/kexgsss.c b/kexgsss.c |
1871 | new file mode 100644 | 1871 | new file mode 100644 |
1872 | index 0000000..38ca082 | 1872 | index 00000000..38ca082b |
1873 | --- /dev/null | 1873 | --- /dev/null |
1874 | +++ b/kexgsss.c | 1874 | +++ b/kexgsss.c |
1875 | @@ -0,0 +1,295 @@ | 1875 | @@ -0,0 +1,295 @@ |
@@ -2169,10 +2169,10 @@ index 0000000..38ca082 | |||
2169 | +} | 2169 | +} |
2170 | +#endif /* GSSAPI */ | 2170 | +#endif /* GSSAPI */ |
2171 | diff --git a/monitor.c b/monitor.c | 2171 | diff --git a/monitor.c b/monitor.c |
2172 | index cb57bd0..05bb48a 100644 | 2172 | index 43f48470..76d9e346 100644 |
2173 | --- a/monitor.c | 2173 | --- a/monitor.c |
2174 | +++ b/monitor.c | 2174 | +++ b/monitor.c |
2175 | @@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 2175 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
2176 | int mm_answer_gss_accept_ctx(int, Buffer *); | 2176 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2177 | int mm_answer_gss_userok(int, Buffer *); | 2177 | int mm_answer_gss_userok(int, Buffer *); |
2178 | int mm_answer_gss_checkmic(int, Buffer *); | 2178 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -2181,10 +2181,10 @@ index cb57bd0..05bb48a 100644 | |||
2181 | #endif | 2181 | #endif |
2182 | 2182 | ||
2183 | #ifdef SSH_AUDIT_EVENTS | 2183 | #ifdef SSH_AUDIT_EVENTS |
2184 | @@ -235,11 +237,18 @@ struct mon_table mon_dispatch_proto20[] = { | 2184 | @@ -230,11 +232,18 @@ struct mon_table mon_dispatch_proto20[] = { |
2185 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2185 | {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, |
2186 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2186 | {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, |
2187 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2187 | {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, |
2188 | + {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, | 2188 | + {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, |
2189 | #endif | 2189 | #endif |
2190 | {0, 0, NULL} | 2190 | {0, 0, NULL} |
@@ -2200,29 +2200,29 @@ index cb57bd0..05bb48a 100644 | |||
2200 | #ifdef WITH_OPENSSL | 2200 | #ifdef WITH_OPENSSL |
2201 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2201 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2202 | #endif | 2202 | #endif |
2203 | @@ -354,6 +363,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 2203 | @@ -301,6 +310,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2204 | /* Permit requests for moduli and signatures */ | 2204 | /* Permit requests for moduli and signatures */ |
2205 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2205 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2206 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2206 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2207 | +#ifdef GSSAPI | 2207 | +#ifdef GSSAPI |
2208 | + /* and for the GSSAPI key exchange */ | 2208 | + /* and for the GSSAPI key exchange */ |
2209 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); | 2209 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); |
2210 | +#endif | 2210 | +#endif |
2211 | } else { | ||
2212 | mon_dispatch = mon_dispatch_proto15; | ||
2213 | 2211 | ||
2214 | @@ -462,6 +475,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2212 | /* The first few requests do not require asynchronous access */ |
2215 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2213 | while (!authenticated) { |
2216 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2214 | @@ -400,6 +413,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2217 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2215 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2216 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | ||
2217 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | ||
2218 | +#ifdef GSSAPI | 2218 | +#ifdef GSSAPI |
2219 | + /* and for the GSSAPI key exchange */ | 2219 | + /* and for the GSSAPI key exchange */ |
2220 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); | 2220 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); |
2221 | +#endif | 2221 | +#endif |
2222 | } else { | 2222 | |
2223 | mon_dispatch = mon_dispatch_postauth15; | 2223 | if (!no_pty_flag) { |
2224 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2224 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
2225 | @@ -1876,6 +1893,13 @@ monitor_apply_keystate(struct monitor *pmonitor) | 2225 | @@ -1601,6 +1618,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
2226 | # endif | 2226 | # endif |
2227 | #endif /* WITH_OPENSSL */ | 2227 | #endif /* WITH_OPENSSL */ |
2228 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2228 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2236,27 +2236,29 @@ index cb57bd0..05bb48a 100644 | |||
2236 | kex->load_host_public_key=&get_hostkey_public_by_type; | 2236 | kex->load_host_public_key=&get_hostkey_public_by_type; |
2237 | kex->load_host_private_key=&get_hostkey_private_by_type; | 2237 | kex->load_host_private_key=&get_hostkey_private_by_type; |
2238 | kex->host_key_index=&get_hostkey_index; | 2238 | kex->host_key_index=&get_hostkey_index; |
2239 | @@ -1975,6 +1999,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2239 | @@ -1680,8 +1704,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2240 | OM_uint32 major; | 2240 | OM_uint32 major; |
2241 | u_int len; | 2241 | u_int len; |
2242 | 2242 | ||
2243 | - if (!options.gss_authentication) | ||
2244 | - fatal("%s: GSSAPI authentication not enabled", __func__); | ||
2243 | + if (!options.gss_authentication && !options.gss_keyex) | 2245 | + if (!options.gss_authentication && !options.gss_keyex) |
2244 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | 2246 | + fatal("%s: GSSAPI not enabled", __func__); |
2245 | + | 2247 | |
2246 | goid.elements = buffer_get_string(m, &len); | 2248 | goid.elements = buffer_get_string(m, &len); |
2247 | goid.length = len; | 2249 | goid.length = len; |
2248 | 2250 | @@ -1710,8 +1734,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | |
2249 | @@ -2002,6 +2029,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | ||
2250 | OM_uint32 flags = 0; /* GSI needs this */ | 2251 | OM_uint32 flags = 0; /* GSI needs this */ |
2251 | u_int len; | 2252 | u_int len; |
2252 | 2253 | ||
2254 | - if (!options.gss_authentication) | ||
2255 | - fatal("%s: GSSAPI authentication not enabled", __func__); | ||
2253 | + if (!options.gss_authentication && !options.gss_keyex) | 2256 | + if (!options.gss_authentication && !options.gss_keyex) |
2254 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | 2257 | + fatal("%s: GSSAPI not enabled", __func__); |
2255 | + | 2258 | |
2256 | in.value = buffer_get_string(m, &len); | 2259 | in.value = buffer_get_string(m, &len); |
2257 | in.length = len; | 2260 | in.length = len; |
2258 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2261 | @@ -1730,6 +1754,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2259 | @@ -2019,6 +2049,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | ||
2260 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2262 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2261 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2263 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2262 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2264 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2264,30 +2266,33 @@ index cb57bd0..05bb48a 100644 | |||
2264 | } | 2266 | } |
2265 | return (0); | 2267 | return (0); |
2266 | } | 2268 | } |
2267 | @@ -2030,6 +2061,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2269 | @@ -1741,8 +1766,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2268 | OM_uint32 ret; | 2270 | OM_uint32 ret; |
2269 | u_int len; | 2271 | u_int len; |
2270 | 2272 | ||
2273 | - if (!options.gss_authentication) | ||
2274 | - fatal("%s: GSSAPI authentication not enabled", __func__); | ||
2271 | + if (!options.gss_authentication && !options.gss_keyex) | 2275 | + if (!options.gss_authentication && !options.gss_keyex) |
2272 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | 2276 | + fatal("%s: GSSAPI not enabled", __func__); |
2273 | + | 2277 | |
2274 | gssbuf.value = buffer_get_string(m, &len); | 2278 | gssbuf.value = buffer_get_string(m, &len); |
2275 | gssbuf.length = len; | 2279 | gssbuf.length = len; |
2276 | mic.value = buffer_get_string(m, &len); | 2280 | @@ -1770,10 +1795,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2277 | @@ -2056,7 +2090,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | ||
2278 | { | 2281 | { |
2279 | int authenticated; | 2282 | int authenticated; |
2280 | 2283 | ||
2281 | - authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); | 2284 | - if (!options.gss_authentication) |
2285 | - fatal("%s: GSSAPI authentication not enabled", __func__); | ||
2282 | + if (!options.gss_authentication && !options.gss_keyex) | 2286 | + if (!options.gss_authentication && !options.gss_keyex) |
2283 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | 2287 | + fatal("%s: GSSAPI not enabled", __func__); |
2284 | + | 2288 | |
2289 | - authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); | ||
2285 | + authenticated = authctxt->valid && | 2290 | + authenticated = authctxt->valid && |
2286 | + ssh_gssapi_userok(authctxt->user, authctxt->pw); | 2291 | + ssh_gssapi_userok(authctxt->user, authctxt->pw); |
2287 | 2292 | ||
2288 | buffer_clear(m); | 2293 | buffer_clear(m); |
2289 | buffer_put_int(m, authenticated); | 2294 | buffer_put_int(m, authenticated); |
2290 | @@ -2069,5 +2107,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2295 | @@ -1786,5 +1812,76 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2291 | /* Monitor loop will terminate if authenticated */ | 2296 | /* Monitor loop will terminate if authenticated */ |
2292 | return (authenticated); | 2297 | return (authenticated); |
2293 | } | 2298 | } |
@@ -2301,7 +2306,7 @@ index cb57bd0..05bb48a 100644 | |||
2301 | + u_int len; | 2306 | + u_int len; |
2302 | + | 2307 | + |
2303 | + if (!options.gss_authentication && !options.gss_keyex) | 2308 | + if (!options.gss_authentication && !options.gss_keyex) |
2304 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | 2309 | + fatal("%s: GSSAPI not enabled", __func__); |
2305 | + | 2310 | + |
2306 | + data.value = buffer_get_string(m, &len); | 2311 | + data.value = buffer_get_string(m, &len); |
2307 | + data.length = len; | 2312 | + data.length = len; |
@@ -2341,6 +2346,9 @@ index cb57bd0..05bb48a 100644 | |||
2341 | + ssh_gssapi_ccache store; | 2346 | + ssh_gssapi_ccache store; |
2342 | + int ok; | 2347 | + int ok; |
2343 | + | 2348 | + |
2349 | + if (!options.gss_authentication && !options.gss_keyex) | ||
2350 | + fatal("%s: GSSAPI not enabled", __func__); | ||
2351 | + | ||
2344 | + store.filename = buffer_get_string(m, NULL); | 2352 | + store.filename = buffer_get_string(m, NULL); |
2345 | + store.envvar = buffer_get_string(m, NULL); | 2353 | + store.envvar = buffer_get_string(m, NULL); |
2346 | + store.envval = buffer_get_string(m, NULL); | 2354 | + store.envval = buffer_get_string(m, NULL); |
@@ -2362,7 +2370,7 @@ index cb57bd0..05bb48a 100644 | |||
2362 | #endif /* GSSAPI */ | 2370 | #endif /* GSSAPI */ |
2363 | 2371 | ||
2364 | diff --git a/monitor.h b/monitor.h | 2372 | diff --git a/monitor.h b/monitor.h |
2365 | index 93b8b66..bc50ade 100644 | 2373 | index d68f6745..ec41404c 100644 |
2366 | --- a/monitor.h | 2374 | --- a/monitor.h |
2367 | +++ b/monitor.h | 2375 | +++ b/monitor.h |
2368 | @@ -65,6 +65,9 @@ enum monitor_reqtype { | 2376 | @@ -65,6 +65,9 @@ enum monitor_reqtype { |
@@ -2374,12 +2382,12 @@ index 93b8b66..bc50ade 100644 | |||
2374 | + | 2382 | + |
2375 | }; | 2383 | }; |
2376 | 2384 | ||
2377 | struct mm_master; | 2385 | struct monitor { |
2378 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2386 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2379 | index 99dc13b..5a9f1b5 100644 | 2387 | index 64ff9288..d5cb640a 100644 |
2380 | --- a/monitor_wrap.c | 2388 | --- a/monitor_wrap.c |
2381 | +++ b/monitor_wrap.c | 2389 | +++ b/monitor_wrap.c |
2382 | @@ -1073,7 +1073,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2390 | @@ -924,7 +924,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2383 | } | 2391 | } |
2384 | 2392 | ||
2385 | int | 2393 | int |
@@ -2388,7 +2396,7 @@ index 99dc13b..5a9f1b5 100644 | |||
2388 | { | 2396 | { |
2389 | Buffer m; | 2397 | Buffer m; |
2390 | int authenticated = 0; | 2398 | int authenticated = 0; |
2391 | @@ -1090,5 +1090,50 @@ mm_ssh_gssapi_userok(char *user) | 2399 | @@ -941,5 +941,50 @@ mm_ssh_gssapi_userok(char *user) |
2392 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2400 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2393 | return (authenticated); | 2401 | return (authenticated); |
2394 | } | 2402 | } |
@@ -2440,10 +2448,10 @@ index 99dc13b..5a9f1b5 100644 | |||
2440 | #endif /* GSSAPI */ | 2448 | #endif /* GSSAPI */ |
2441 | 2449 | ||
2442 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2450 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2443 | index 9fd02b3..b5414c2 100644 | 2451 | index db5902f5..8f9dd896 100644 |
2444 | --- a/monitor_wrap.h | 2452 | --- a/monitor_wrap.h |
2445 | +++ b/monitor_wrap.h | 2453 | +++ b/monitor_wrap.h |
2446 | @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); | 2454 | @@ -55,8 +55,10 @@ int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); |
2447 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 2455 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
2448 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, | 2456 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, |
2449 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | 2457 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
@@ -2456,7 +2464,7 @@ index 9fd02b3..b5414c2 100644 | |||
2456 | 2464 | ||
2457 | #ifdef USE_PAM | 2465 | #ifdef USE_PAM |
2458 | diff --git a/readconf.c b/readconf.c | 2466 | diff --git a/readconf.c b/readconf.c |
2459 | index c177202..e019195 100644 | 2467 | index fa3fab8f..7902ef26 100644 |
2460 | --- a/readconf.c | 2468 | --- a/readconf.c |
2461 | +++ b/readconf.c | 2469 | +++ b/readconf.c |
2462 | @@ -160,6 +160,8 @@ typedef enum { | 2470 | @@ -160,6 +160,8 @@ typedef enum { |
@@ -2488,7 +2496,7 @@ index c177202..e019195 100644 | |||
2488 | #endif | 2496 | #endif |
2489 | { "fallbacktorsh", oDeprecated }, | 2497 | { "fallbacktorsh", oDeprecated }, |
2490 | { "usersh", oDeprecated }, | 2498 | { "usersh", oDeprecated }, |
2491 | @@ -962,10 +973,30 @@ parse_time: | 2499 | @@ -961,10 +972,30 @@ parse_time: |
2492 | intptr = &options->gss_authentication; | 2500 | intptr = &options->gss_authentication; |
2493 | goto parse_flag; | 2501 | goto parse_flag; |
2494 | 2502 | ||
@@ -2519,7 +2527,7 @@ index c177202..e019195 100644 | |||
2519 | case oBatchMode: | 2527 | case oBatchMode: |
2520 | intptr = &options->batch_mode; | 2528 | intptr = &options->batch_mode; |
2521 | goto parse_flag; | 2529 | goto parse_flag; |
2522 | @@ -1777,7 +1808,12 @@ initialize_options(Options * options) | 2530 | @@ -1776,7 +1807,12 @@ initialize_options(Options * options) |
2523 | options->pubkey_authentication = -1; | 2531 | options->pubkey_authentication = -1; |
2524 | options->challenge_response_authentication = -1; | 2532 | options->challenge_response_authentication = -1; |
2525 | options->gss_authentication = -1; | 2533 | options->gss_authentication = -1; |
@@ -2532,7 +2540,7 @@ index c177202..e019195 100644 | |||
2532 | options->password_authentication = -1; | 2540 | options->password_authentication = -1; |
2533 | options->kbd_interactive_authentication = -1; | 2541 | options->kbd_interactive_authentication = -1; |
2534 | options->kbd_interactive_devices = NULL; | 2542 | options->kbd_interactive_devices = NULL; |
2535 | @@ -1921,8 +1957,14 @@ fill_default_options(Options * options) | 2543 | @@ -1920,8 +1956,14 @@ fill_default_options(Options * options) |
2536 | options->challenge_response_authentication = 1; | 2544 | options->challenge_response_authentication = 1; |
2537 | if (options->gss_authentication == -1) | 2545 | if (options->gss_authentication == -1) |
2538 | options->gss_authentication = 0; | 2546 | options->gss_authentication = 0; |
@@ -2548,7 +2556,7 @@ index c177202..e019195 100644 | |||
2548 | options->password_authentication = 1; | 2556 | options->password_authentication = 1; |
2549 | if (options->kbd_interactive_authentication == -1) | 2557 | if (options->kbd_interactive_authentication == -1) |
2550 | diff --git a/readconf.h b/readconf.h | 2558 | diff --git a/readconf.h b/readconf.h |
2551 | index cef55f7..fd3d7c7 100644 | 2559 | index cef55f71..fd3d7c75 100644 |
2552 | --- a/readconf.h | 2560 | --- a/readconf.h |
2553 | +++ b/readconf.h | 2561 | +++ b/readconf.h |
2554 | @@ -45,7 +45,12 @@ typedef struct { | 2562 | @@ -45,7 +45,12 @@ typedef struct { |
@@ -2565,10 +2573,10 @@ index cef55f7..fd3d7c7 100644 | |||
2565 | * authentication. */ | 2573 | * authentication. */ |
2566 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2574 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2567 | diff --git a/servconf.c b/servconf.c | 2575 | diff --git a/servconf.c b/servconf.c |
2568 | index 873b0d0..9b06281 100644 | 2576 | index 795ddbab..14c81fa9 100644 |
2569 | --- a/servconf.c | 2577 | --- a/servconf.c |
2570 | +++ b/servconf.c | 2578 | +++ b/servconf.c |
2571 | @@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options) | 2579 | @@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options) |
2572 | options->kerberos_ticket_cleanup = -1; | 2580 | options->kerberos_ticket_cleanup = -1; |
2573 | options->kerberos_get_afs_token = -1; | 2581 | options->kerberos_get_afs_token = -1; |
2574 | options->gss_authentication=-1; | 2582 | options->gss_authentication=-1; |
@@ -2579,7 +2587,7 @@ index 873b0d0..9b06281 100644 | |||
2579 | options->password_authentication = -1; | 2587 | options->password_authentication = -1; |
2580 | options->kbd_interactive_authentication = -1; | 2588 | options->kbd_interactive_authentication = -1; |
2581 | options->challenge_response_authentication = -1; | 2589 | options->challenge_response_authentication = -1; |
2582 | @@ -287,10 +289,14 @@ fill_default_server_options(ServerOptions *options) | 2590 | @@ -267,10 +269,14 @@ fill_default_server_options(ServerOptions *options) |
2583 | options->kerberos_get_afs_token = 0; | 2591 | options->kerberos_get_afs_token = 0; |
2584 | if (options->gss_authentication == -1) | 2592 | if (options->gss_authentication == -1) |
2585 | options->gss_authentication = 0; | 2593 | options->gss_authentication = 0; |
@@ -2595,7 +2603,7 @@ index 873b0d0..9b06281 100644 | |||
2595 | if (options->password_authentication == -1) | 2603 | if (options->password_authentication == -1) |
2596 | options->password_authentication = 1; | 2604 | options->password_authentication = 1; |
2597 | if (options->kbd_interactive_authentication == -1) | 2605 | if (options->kbd_interactive_authentication == -1) |
2598 | @@ -427,6 +433,7 @@ typedef enum { | 2606 | @@ -407,6 +413,7 @@ typedef enum { |
2599 | sHostKeyAlgorithms, | 2607 | sHostKeyAlgorithms, |
2600 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 2608 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2601 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2609 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
@@ -2603,7 +2611,7 @@ index 873b0d0..9b06281 100644 | |||
2603 | sAcceptEnv, sPermitTunnel, | 2611 | sAcceptEnv, sPermitTunnel, |
2604 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2612 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2605 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2613 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2606 | @@ -500,12 +507,20 @@ static struct { | 2614 | @@ -480,12 +487,20 @@ static struct { |
2607 | #ifdef GSSAPI | 2615 | #ifdef GSSAPI |
2608 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2616 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2609 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2617 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2624,7 +2632,7 @@ index 873b0d0..9b06281 100644 | |||
2624 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2632 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2625 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2633 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2626 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2634 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2627 | @@ -1251,6 +1266,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2635 | @@ -1207,6 +1222,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2628 | intptr = &options->gss_authentication; | 2636 | intptr = &options->gss_authentication; |
2629 | goto parse_flag; | 2637 | goto parse_flag; |
2630 | 2638 | ||
@@ -2635,7 +2643,7 @@ index 873b0d0..9b06281 100644 | |||
2635 | case sGssCleanupCreds: | 2643 | case sGssCleanupCreds: |
2636 | intptr = &options->gss_cleanup_creds; | 2644 | intptr = &options->gss_cleanup_creds; |
2637 | goto parse_flag; | 2645 | goto parse_flag; |
2638 | @@ -1259,6 +1278,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2646 | @@ -1215,6 +1234,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2639 | intptr = &options->gss_strict_acceptor; | 2647 | intptr = &options->gss_strict_acceptor; |
2640 | goto parse_flag; | 2648 | goto parse_flag; |
2641 | 2649 | ||
@@ -2646,7 +2654,7 @@ index 873b0d0..9b06281 100644 | |||
2646 | case sPasswordAuthentication: | 2654 | case sPasswordAuthentication: |
2647 | intptr = &options->password_authentication; | 2655 | intptr = &options->password_authentication; |
2648 | goto parse_flag; | 2656 | goto parse_flag; |
2649 | @@ -2308,7 +2331,10 @@ dump_config(ServerOptions *o) | 2657 | @@ -2248,7 +2271,10 @@ dump_config(ServerOptions *o) |
2650 | #endif | 2658 | #endif |
2651 | #ifdef GSSAPI | 2659 | #ifdef GSSAPI |
2652 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2660 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2658,10 +2666,10 @@ index 873b0d0..9b06281 100644 | |||
2658 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2666 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2659 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2667 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2660 | diff --git a/servconf.h b/servconf.h | 2668 | diff --git a/servconf.h b/servconf.h |
2661 | index f4137af..778ba17 100644 | 2669 | index 5853a974..90dfa4c2 100644 |
2662 | --- a/servconf.h | 2670 | --- a/servconf.h |
2663 | +++ b/servconf.h | 2671 | +++ b/servconf.h |
2664 | @@ -118,8 +118,10 @@ typedef struct { | 2672 | @@ -112,8 +112,10 @@ typedef struct { |
2665 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2673 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2666 | * authenticated with Kerberos. */ | 2674 | * authenticated with Kerberos. */ |
2667 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2675 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2673,7 +2681,7 @@ index f4137af..778ba17 100644 | |||
2673 | * authentication. */ | 2681 | * authentication. */ |
2674 | int kbd_interactive_authentication; /* If true, permit */ | 2682 | int kbd_interactive_authentication; /* If true, permit */ |
2675 | diff --git a/ssh-gss.h b/ssh-gss.h | 2683 | diff --git a/ssh-gss.h b/ssh-gss.h |
2676 | index a99d7f0..914701b 100644 | 2684 | index a99d7f08..914701bc 100644 |
2677 | --- a/ssh-gss.h | 2685 | --- a/ssh-gss.h |
2678 | +++ b/ssh-gss.h | 2686 | +++ b/ssh-gss.h |
2679 | @@ -1,6 +1,6 @@ | 2687 | @@ -1,6 +1,6 @@ |
@@ -2776,7 +2784,7 @@ index a99d7f0..914701b 100644 | |||
2776 | 2784 | ||
2777 | #endif /* _SSH_GSS_H */ | 2785 | #endif /* _SSH_GSS_H */ |
2778 | diff --git a/ssh_config b/ssh_config | 2786 | diff --git a/ssh_config b/ssh_config |
2779 | index 90fb63f..4e879cd 100644 | 2787 | index 90fb63f0..4e879cd2 100644 |
2780 | --- a/ssh_config | 2788 | --- a/ssh_config |
2781 | +++ b/ssh_config | 2789 | +++ b/ssh_config |
2782 | @@ -26,6 +26,8 @@ | 2790 | @@ -26,6 +26,8 @@ |
@@ -2789,18 +2797,18 @@ index 90fb63f..4e879cd 100644 | |||
2789 | # CheckHostIP yes | 2797 | # CheckHostIP yes |
2790 | # AddressFamily any | 2798 | # AddressFamily any |
2791 | diff --git a/ssh_config.5 b/ssh_config.5 | 2799 | diff --git a/ssh_config.5 b/ssh_config.5 |
2792 | index 7630e7b..707d0e1 100644 | 2800 | index 591365f3..a7703fc7 100644 |
2793 | --- a/ssh_config.5 | 2801 | --- a/ssh_config.5 |
2794 | +++ b/ssh_config.5 | 2802 | +++ b/ssh_config.5 |
2795 | @@ -826,10 +826,42 @@ The default is | 2803 | @@ -748,10 +748,42 @@ The default is |
2796 | Specifies whether user authentication based on GSSAPI is allowed. | 2804 | Specifies whether user authentication based on GSSAPI is allowed. |
2797 | The default is | 2805 | The default is |
2798 | .Dq no . | 2806 | .Cm no . |
2799 | +.It Cm GSSAPIKeyExchange | 2807 | +.It Cm GSSAPIKeyExchange |
2800 | +Specifies whether key exchange based on GSSAPI may be used. When using | 2808 | +Specifies whether key exchange based on GSSAPI may be used. When using |
2801 | +GSSAPI key exchange the server need not have a host key. | 2809 | +GSSAPI key exchange the server need not have a host key. |
2802 | +The default is | 2810 | +The default is |
2803 | +.Dq no . | 2811 | +.Cm no . |
2804 | +.It Cm GSSAPIClientIdentity | 2812 | +.It Cm GSSAPIClientIdentity |
2805 | +If set, specifies the GSSAPI client identity that ssh should use when | 2813 | +If set, specifies the GSSAPI client identity that ssh should use when |
2806 | +connecting to the server. The default is unset, which means that the default | 2814 | +connecting to the server. The default is unset, which means that the default |
@@ -2813,30 +2821,30 @@ index 7630e7b..707d0e1 100644 | |||
2813 | .It Cm GSSAPIDelegateCredentials | 2821 | .It Cm GSSAPIDelegateCredentials |
2814 | Forward (delegate) credentials to the server. | 2822 | Forward (delegate) credentials to the server. |
2815 | The default is | 2823 | The default is |
2816 | .Dq no . | 2824 | .Cm no . |
2817 | +.It Cm GSSAPIRenewalForcesRekey | 2825 | +.It Cm GSSAPIRenewalForcesRekey |
2818 | +If set to | 2826 | +If set to |
2819 | +.Dq yes | 2827 | +.Cm yes |
2820 | +then renewal of the client's GSSAPI credentials will force the rekeying of the | 2828 | +then renewal of the client's GSSAPI credentials will force the rekeying of the |
2821 | +ssh connection. With a compatible server, this can delegate the renewed | 2829 | +ssh connection. With a compatible server, this can delegate the renewed |
2822 | +credentials to a session on the server. | 2830 | +credentials to a session on the server. |
2823 | +The default is | 2831 | +The default is |
2824 | +.Dq no . | 2832 | +.Cm no . |
2825 | +.It Cm GSSAPITrustDns | 2833 | +.It Cm GSSAPITrustDns |
2826 | +Set to | 2834 | +Set to |
2827 | +.Dq yes | 2835 | +.Cm yes |
2828 | +to indicate that the DNS is trusted to securely canonicalize | 2836 | +to indicate that the DNS is trusted to securely canonicalize |
2829 | +the name of the host being connected to. If | 2837 | +the name of the host being connected to. If |
2830 | +.Dq no , | 2838 | +.Cm no , |
2831 | +the hostname entered on the | 2839 | +the hostname entered on the |
2832 | +command line will be passed untouched to the GSSAPI library. | 2840 | +command line will be passed untouched to the GSSAPI library. |
2833 | +The default is | 2841 | +The default is |
2834 | +.Dq no . | 2842 | +.Cm no . |
2835 | .It Cm HashKnownHosts | 2843 | .It Cm HashKnownHosts |
2836 | Indicates that | 2844 | Indicates that |
2837 | .Xr ssh 1 | 2845 | .Xr ssh 1 |
2838 | diff --git a/sshconnect2.c b/sshconnect2.c | 2846 | diff --git a/sshconnect2.c b/sshconnect2.c |
2839 | index fae8b0f..34b9d30 100644 | 2847 | index 103a2b36..d534e619 100644 |
2840 | --- a/sshconnect2.c | 2848 | --- a/sshconnect2.c |
2841 | +++ b/sshconnect2.c | 2849 | +++ b/sshconnect2.c |
2842 | @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2850 | @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
@@ -2923,7 +2931,7 @@ index fae8b0f..34b9d30 100644 | |||
2923 | #endif | 2931 | #endif |
2924 | 2932 | ||
2925 | void userauth(Authctxt *, char *); | 2933 | void userauth(Authctxt *, char *); |
2926 | @@ -326,6 +378,11 @@ static char *authmethods_get(void); | 2934 | @@ -327,6 +379,11 @@ static char *authmethods_get(void); |
2927 | 2935 | ||
2928 | Authmethod authmethods[] = { | 2936 | Authmethod authmethods[] = { |
2929 | #ifdef GSSAPI | 2937 | #ifdef GSSAPI |
@@ -2935,7 +2943,7 @@ index fae8b0f..34b9d30 100644 | |||
2935 | {"gssapi-with-mic", | 2943 | {"gssapi-with-mic", |
2936 | userauth_gssapi, | 2944 | userauth_gssapi, |
2937 | NULL, | 2945 | NULL, |
2938 | @@ -650,25 +707,40 @@ userauth_gssapi(Authctxt *authctxt) | 2946 | @@ -652,25 +709,40 @@ userauth_gssapi(Authctxt *authctxt) |
2939 | static u_int mech = 0; | 2947 | static u_int mech = 0; |
2940 | OM_uint32 min; | 2948 | OM_uint32 min; |
2941 | int ok = 0; | 2949 | int ok = 0; |
@@ -2978,7 +2986,7 @@ index fae8b0f..34b9d30 100644 | |||
2978 | if (!ok) | 2986 | if (!ok) |
2979 | return 0; | 2987 | return 0; |
2980 | 2988 | ||
2981 | @@ -759,8 +831,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2989 | @@ -761,8 +833,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2982 | { | 2990 | { |
2983 | Authctxt *authctxt = ctxt; | 2991 | Authctxt *authctxt = ctxt; |
2984 | Gssctxt *gssctxt; | 2992 | Gssctxt *gssctxt; |
@@ -2989,7 +2997,7 @@ index fae8b0f..34b9d30 100644 | |||
2989 | 2997 | ||
2990 | if (authctxt == NULL) | 2998 | if (authctxt == NULL) |
2991 | fatal("input_gssapi_response: no authentication context"); | 2999 | fatal("input_gssapi_response: no authentication context"); |
2992 | @@ -873,6 +945,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 3000 | @@ -875,6 +947,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2993 | free(lang); | 3001 | free(lang); |
2994 | return 0; | 3002 | return 0; |
2995 | } | 3003 | } |
@@ -3039,10 +3047,10 @@ index fae8b0f..34b9d30 100644 | |||
3039 | 3047 | ||
3040 | int | 3048 | int |
3041 | diff --git a/sshd.c b/sshd.c | 3049 | diff --git a/sshd.c b/sshd.c |
3042 | index 799c771..ebb88c7 100644 | 3050 | index 1dc4d182..ec2cf976 100644 |
3043 | --- a/sshd.c | 3051 | --- a/sshd.c |
3044 | +++ b/sshd.c | 3052 | +++ b/sshd.c |
3045 | @@ -125,6 +125,10 @@ | 3053 | @@ -123,6 +123,10 @@ |
3046 | #include "version.h" | 3054 | #include "version.h" |
3047 | #include "ssherr.h" | 3055 | #include "ssherr.h" |
3048 | 3056 | ||
@@ -3050,24 +3058,24 @@ index 799c771..ebb88c7 100644 | |||
3050 | +#include <Security/AuthSession.h> | 3058 | +#include <Security/AuthSession.h> |
3051 | +#endif | 3059 | +#endif |
3052 | + | 3060 | + |
3053 | #ifndef O_NOCTTY | 3061 | /* Re-exec fds */ |
3054 | #define O_NOCTTY 0 | 3062 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
3055 | #endif | 3063 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
3056 | @@ -1892,10 +1896,13 @@ main(int ac, char **av) | 3064 | @@ -1705,10 +1709,13 @@ main(int ac, char **av) |
3057 | logit("Disabling protocol version 1. Could not load host key"); | 3065 | key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); |
3058 | options.protocol &= ~SSH_PROTO_1; | 3066 | free(fp); |
3059 | } | 3067 | } |
3060 | +#ifndef GSSAPI | 3068 | +#ifndef GSSAPI |
3061 | + /* The GSSAPI key exchange can run without a host key */ | 3069 | + /* The GSSAPI key exchange can run without a host key */ |
3062 | if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { | 3070 | if (!sensitive_data.have_ssh2_key) { |
3063 | logit("Disabling protocol version 2. Could not load host key"); | ||
3064 | options.protocol &= ~SSH_PROTO_2; | ||
3065 | } | ||
3066 | +#endif | ||
3067 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | ||
3068 | logit("sshd: no hostkeys available -- exiting."); | 3071 | logit("sshd: no hostkeys available -- exiting."); |
3069 | exit(1); | 3072 | exit(1); |
3070 | @@ -2207,6 +2214,60 @@ main(int ac, char **av) | 3073 | } |
3074 | +#endif | ||
3075 | |||
3076 | /* | ||
3077 | * Load certificates. They are stored in an array at identical | ||
3078 | @@ -1978,6 +1985,60 @@ main(int ac, char **av) | ||
3071 | remote_ip, remote_port, laddr, ssh_local_port(ssh)); | 3079 | remote_ip, remote_port, laddr, ssh_local_port(ssh)); |
3072 | free(laddr); | 3080 | free(laddr); |
3073 | 3081 | ||
@@ -3128,7 +3136,7 @@ index 799c771..ebb88c7 100644 | |||
3128 | /* | 3136 | /* |
3129 | * We don't want to listen forever unless the other side | 3137 | * We don't want to listen forever unless the other side |
3130 | * successfully authenticates itself. So we set up an alarm which is | 3138 | * successfully authenticates itself. So we set up an alarm which is |
3131 | @@ -2631,6 +2692,48 @@ do_ssh2_kex(void) | 3139 | @@ -2159,6 +2220,48 @@ do_ssh2_kex(void) |
3132 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 3140 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3133 | list_hostkey_types()); | 3141 | list_hostkey_types()); |
3134 | 3142 | ||
@@ -3177,7 +3185,7 @@ index 799c771..ebb88c7 100644 | |||
3177 | /* start key exchange */ | 3185 | /* start key exchange */ |
3178 | if ((r = kex_setup(active_state, myproposal)) != 0) | 3186 | if ((r = kex_setup(active_state, myproposal)) != 0) |
3179 | fatal("kex_setup: %s", ssh_err(r)); | 3187 | fatal("kex_setup: %s", ssh_err(r)); |
3180 | @@ -2648,6 +2751,13 @@ do_ssh2_kex(void) | 3188 | @@ -2176,6 +2279,13 @@ do_ssh2_kex(void) |
3181 | # endif | 3189 | # endif |
3182 | #endif | 3190 | #endif |
3183 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 3191 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -3192,10 +3200,10 @@ index 799c771..ebb88c7 100644 | |||
3192 | kex->client_version_string=client_version_string; | 3200 | kex->client_version_string=client_version_string; |
3193 | kex->server_version_string=server_version_string; | 3201 | kex->server_version_string=server_version_string; |
3194 | diff --git a/sshd_config b/sshd_config | 3202 | diff --git a/sshd_config b/sshd_config |
3195 | index 75ae8e7..3fe3e01 100644 | 3203 | index 9f09e4a6..00e5a728 100644 |
3196 | --- a/sshd_config | 3204 | --- a/sshd_config |
3197 | +++ b/sshd_config | 3205 | +++ b/sshd_config |
3198 | @@ -83,6 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 3206 | @@ -70,6 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
3199 | # GSSAPI options | 3207 | # GSSAPI options |
3200 | #GSSAPIAuthentication no | 3208 | #GSSAPIAuthentication no |
3201 | #GSSAPICleanupCredentials yes | 3209 | #GSSAPICleanupCredentials yes |
@@ -3205,38 +3213,38 @@ index 75ae8e7..3fe3e01 100644 | |||
3205 | # Set this to 'yes' to enable PAM authentication, account processing, | 3213 | # Set this to 'yes' to enable PAM authentication, account processing, |
3206 | # and session processing. If this is enabled, PAM authentication will | 3214 | # and session processing. If this is enabled, PAM authentication will |
3207 | diff --git a/sshd_config.5 b/sshd_config.5 | 3215 | diff --git a/sshd_config.5 b/sshd_config.5 |
3208 | index 1bc26ec..3b4cba9 100644 | 3216 | index 32b29d24..dd765b39 100644 |
3209 | --- a/sshd_config.5 | 3217 | --- a/sshd_config.5 |
3210 | +++ b/sshd_config.5 | 3218 | +++ b/sshd_config.5 |
3211 | @@ -632,6 +632,11 @@ The default is | 3219 | @@ -623,6 +623,11 @@ The default is |
3212 | Specifies whether user authentication based on GSSAPI is allowed. | 3220 | Specifies whether user authentication based on GSSAPI is allowed. |
3213 | The default is | 3221 | The default is |
3214 | .Dq no . | 3222 | .Cm no . |
3215 | +.It Cm GSSAPIKeyExchange | 3223 | +.It Cm GSSAPIKeyExchange |
3216 | +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange | 3224 | +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange |
3217 | +doesn't rely on ssh keys to verify host identity. | 3225 | +doesn't rely on ssh keys to verify host identity. |
3218 | +The default is | 3226 | +The default is |
3219 | +.Dq no . | 3227 | +.Cm no . |
3220 | .It Cm GSSAPICleanupCredentials | 3228 | .It Cm GSSAPICleanupCredentials |
3221 | Specifies whether to automatically destroy the user's credentials cache | 3229 | Specifies whether to automatically destroy the user's credentials cache |
3222 | on logout. | 3230 | on logout. |
3223 | @@ -652,6 +657,11 @@ machine's default store. | 3231 | @@ -642,6 +647,11 @@ machine's default store. |
3224 | This facility is provided to assist with operation on multi homed machines. | 3232 | This facility is provided to assist with operation on multi homed machines. |
3225 | The default is | 3233 | The default is |
3226 | .Dq yes . | 3234 | .Cm yes . |
3227 | +.It Cm GSSAPIStoreCredentialsOnRekey | 3235 | +.It Cm GSSAPIStoreCredentialsOnRekey |
3228 | +Controls whether the user's GSSAPI credentials should be updated following a | 3236 | +Controls whether the user's GSSAPI credentials should be updated following a |
3229 | +successful connection rekeying. This option can be used to accepted renewed | 3237 | +successful connection rekeying. This option can be used to accepted renewed |
3230 | +or updated credentials from a compatible client. The default is | 3238 | +or updated credentials from a compatible client. The default is |
3231 | +.Dq no . | 3239 | +.Cm no . |
3232 | .It Cm HostbasedAcceptedKeyTypes | 3240 | .It Cm HostbasedAcceptedKeyTypes |
3233 | Specifies the key types that will be accepted for hostbased authentication | 3241 | Specifies the key types that will be accepted for hostbased authentication |
3234 | as a comma-separated pattern list. | 3242 | as a comma-separated pattern list. |
3235 | diff --git a/sshkey.c b/sshkey.c | 3243 | diff --git a/sshkey.c b/sshkey.c |
3236 | index c9f04cd..558bbbe 100644 | 3244 | index c01da6c3..377d72fa 100644 |
3237 | --- a/sshkey.c | 3245 | --- a/sshkey.c |
3238 | +++ b/sshkey.c | 3246 | +++ b/sshkey.c |
3239 | @@ -115,6 +115,7 @@ static const struct keytype keytypes[] = { | 3247 | @@ -114,6 +114,7 @@ static const struct keytype keytypes[] = { |
3240 | # endif /* OPENSSL_HAS_NISTP521 */ | 3248 | # endif /* OPENSSL_HAS_NISTP521 */ |
3241 | # endif /* OPENSSL_HAS_ECC */ | 3249 | # endif /* OPENSSL_HAS_ECC */ |
3242 | #endif /* WITH_OPENSSL */ | 3250 | #endif /* WITH_OPENSSL */ |
@@ -3244,7 +3252,7 @@ index c9f04cd..558bbbe 100644 | |||
3244 | { NULL, NULL, -1, -1, 0, 0 } | 3252 | { NULL, NULL, -1, -1, 0, 0 } |
3245 | }; | 3253 | }; |
3246 | 3254 | ||
3247 | @@ -203,7 +204,7 @@ key_alg_list(int certs_only, int plain_only) | 3255 | @@ -202,7 +203,7 @@ sshkey_alg_list(int certs_only, int plain_only, char sep) |
3248 | const struct keytype *kt; | 3256 | const struct keytype *kt; |
3249 | 3257 | ||
3250 | for (kt = keytypes; kt->type != -1; kt++) { | 3258 | for (kt = keytypes; kt->type != -1; kt++) { |
@@ -3254,7 +3262,7 @@ index c9f04cd..558bbbe 100644 | |||
3254 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 3262 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
3255 | continue; | 3263 | continue; |
3256 | diff --git a/sshkey.h b/sshkey.h | 3264 | diff --git a/sshkey.h b/sshkey.h |
3257 | index 8c3d866..e0caa37 100644 | 3265 | index f3936384..7eb2a139 100644 |
3258 | --- a/sshkey.h | 3266 | --- a/sshkey.h |
3259 | +++ b/sshkey.h | 3267 | +++ b/sshkey.h |
3260 | @@ -62,6 +62,7 @@ enum sshkey_types { | 3268 | @@ -62,6 +62,7 @@ enum sshkey_types { |