Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 111 |
1 files changed, 55 insertions, 56 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 6550ba60b..5c1b83415 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -127,17 +127,16 @@ Index: b/Makefile.in | |||
127 | =================================================================== | 127 | =================================================================== |
128 | --- a/Makefile.in | 128 | --- a/Makefile.in |
129 | +++ b/Makefile.in | 129 | +++ b/Makefile.in |
130 | @@ -71,7 +71,8 @@ | 130 | @@ -74,7 +74,7 @@ |
131 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | ||
132 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ | 131 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ |
133 | kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ | 132 | kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ |
134 | - entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o | 133 | entropy.o gss-genr.o umac.o jpake.o schnorr.o \ |
135 | + entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o \ | 134 | - ssh-pkcs11.o |
136 | + kexgssc.o | 135 | + ssh-pkcs11.o kexgssc.o |
137 | 136 | ||
138 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 137 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
139 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ | 138 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ |
140 | @@ -85,7 +86,7 @@ | 139 | @@ -88,7 +88,7 @@ |
141 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | 140 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ |
142 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ | 141 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ |
143 | auth-krb5.o \ | 142 | auth-krb5.o \ |
@@ -145,12 +144,12 @@ Index: b/Makefile.in | |||
145 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ | 144 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ |
146 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 145 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
147 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ | 146 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ |
148 | roaming_common.o | 147 | roaming_common.o roaming_serv.o |
149 | Index: b/auth-krb5.c | 148 | Index: b/auth-krb5.c |
150 | =================================================================== | 149 | =================================================================== |
151 | --- a/auth-krb5.c | 150 | --- a/auth-krb5.c |
152 | +++ b/auth-krb5.c | 151 | +++ b/auth-krb5.c |
153 | @@ -166,8 +166,13 @@ | 152 | @@ -170,8 +170,13 @@ |
154 | 153 | ||
155 | len = strlen(authctxt->krb5_ticket_file) + 6; | 154 | len = strlen(authctxt->krb5_ticket_file) + 6; |
156 | authctxt->krb5_ccname = xmalloc(len); | 155 | authctxt->krb5_ccname = xmalloc(len); |
@@ -164,7 +163,7 @@ Index: b/auth-krb5.c | |||
164 | 163 | ||
165 | #ifdef USE_PAM | 164 | #ifdef USE_PAM |
166 | if (options.use_pam) | 165 | if (options.use_pam) |
167 | @@ -219,15 +224,22 @@ | 166 | @@ -226,15 +231,22 @@ |
168 | #ifndef HEIMDAL | 167 | #ifndef HEIMDAL |
169 | krb5_error_code | 168 | krb5_error_code |
170 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 169 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
@@ -189,7 +188,7 @@ Index: b/auth-krb5.c | |||
189 | old_umask = umask(0177); | 188 | old_umask = umask(0177); |
190 | tmpfd = mkstemp(ccname + strlen("FILE:")); | 189 | tmpfd = mkstemp(ccname + strlen("FILE:")); |
191 | umask(old_umask); | 190 | umask(old_umask); |
192 | @@ -242,6 +254,7 @@ | 191 | @@ -249,6 +261,7 @@ |
193 | return errno; | 192 | return errno; |
194 | } | 193 | } |
195 | close(tmpfd); | 194 | close(tmpfd); |
@@ -365,7 +364,7 @@ Index: b/clientloop.c | |||
365 | /* import options */ | 364 | /* import options */ |
366 | extern Options options; | 365 | extern Options options; |
367 | 366 | ||
368 | @@ -1430,6 +1434,15 @@ | 367 | @@ -1431,6 +1435,15 @@ |
369 | /* Do channel operations unless rekeying in progress. */ | 368 | /* Do channel operations unless rekeying in progress. */ |
370 | if (!rekeying) { | 369 | if (!rekeying) { |
371 | channel_after_select(readset, writeset); | 370 | channel_after_select(readset, writeset); |
@@ -1212,9 +1211,9 @@ Index: b/kex.c | |||
1212 | =================================================================== | 1211 | =================================================================== |
1213 | --- a/kex.c | 1212 | --- a/kex.c |
1214 | +++ b/kex.c | 1213 | +++ b/kex.c |
1215 | @@ -49,6 +49,10 @@ | 1214 | @@ -50,6 +50,10 @@ |
1216 | #include "dispatch.h" | ||
1217 | #include "monitor.h" | 1215 | #include "monitor.h" |
1216 | #include "roaming.h" | ||
1218 | 1217 | ||
1219 | +#ifdef GSSAPI | 1218 | +#ifdef GSSAPI |
1220 | +#include "ssh-gss.h" | 1219 | +#include "ssh-gss.h" |
@@ -1223,7 +1222,7 @@ Index: b/kex.c | |||
1223 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1222 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1224 | # if defined(HAVE_EVP_SHA256) | 1223 | # if defined(HAVE_EVP_SHA256) |
1225 | # define evp_ssh_sha256 EVP_sha256 | 1224 | # define evp_ssh_sha256 EVP_sha256 |
1226 | @@ -325,6 +329,20 @@ | 1225 | @@ -326,6 +330,20 @@ |
1227 | k->kex_type = KEX_DH_GEX_SHA256; | 1226 | k->kex_type = KEX_DH_GEX_SHA256; |
1228 | k->evp_md = evp_ssh_sha256(); | 1227 | k->evp_md = evp_ssh_sha256(); |
1229 | #endif | 1228 | #endif |
@@ -1248,7 +1247,7 @@ Index: b/kex.h | |||
1248 | =================================================================== | 1247 | =================================================================== |
1249 | --- a/kex.h | 1248 | --- a/kex.h |
1250 | +++ b/kex.h | 1249 | +++ b/kex.h |
1251 | @@ -66,6 +66,9 @@ | 1250 | @@ -67,6 +67,9 @@ |
1252 | KEX_DH_GRP14_SHA1, | 1251 | KEX_DH_GRP14_SHA1, |
1253 | KEX_DH_GEX_SHA1, | 1252 | KEX_DH_GEX_SHA1, |
1254 | KEX_DH_GEX_SHA256, | 1253 | KEX_DH_GEX_SHA256, |
@@ -1258,7 +1257,7 @@ Index: b/kex.h | |||
1258 | KEX_MAX | 1257 | KEX_MAX |
1259 | }; | 1258 | }; |
1260 | 1259 | ||
1261 | @@ -121,6 +124,12 @@ | 1260 | @@ -123,6 +126,12 @@ |
1262 | sig_atomic_t done; | 1261 | sig_atomic_t done; |
1263 | int flags; | 1262 | int flags; |
1264 | const EVP_MD *evp_md; | 1263 | const EVP_MD *evp_md; |
@@ -1271,7 +1270,7 @@ Index: b/kex.h | |||
1271 | char *client_version_string; | 1270 | char *client_version_string; |
1272 | char *server_version_string; | 1271 | char *server_version_string; |
1273 | int (*verify_host_key)(Key *); | 1272 | int (*verify_host_key)(Key *); |
1274 | @@ -143,6 +152,11 @@ | 1273 | @@ -146,6 +155,11 @@ |
1275 | void kexgex_client(Kex *); | 1274 | void kexgex_client(Kex *); |
1276 | void kexgex_server(Kex *); | 1275 | void kexgex_server(Kex *); |
1277 | 1276 | ||
@@ -1919,10 +1918,10 @@ Index: b/key.c | |||
1919 | =================================================================== | 1918 | =================================================================== |
1920 | --- a/key.c | 1919 | --- a/key.c |
1921 | +++ b/key.c | 1920 | +++ b/key.c |
1922 | @@ -764,6 +764,8 @@ | 1921 | @@ -969,6 +969,8 @@ |
1923 | return KEY_RSA; | 1922 | return KEY_RSA_CERT; |
1924 | } else if (strcmp(name, "ssh-dss") == 0) { | 1923 | } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { |
1925 | return KEY_DSA; | 1924 | return KEY_DSA_CERT; |
1926 | + } else if (strcmp(name, "null") == 0) { | 1925 | + } else if (strcmp(name, "null") == 0) { |
1927 | + return KEY_NULL; | 1926 | + return KEY_NULL; |
1928 | } | 1927 | } |
@@ -1932,10 +1931,10 @@ Index: b/key.h | |||
1932 | =================================================================== | 1931 | =================================================================== |
1933 | --- a/key.h | 1932 | --- a/key.h |
1934 | +++ b/key.h | 1933 | +++ b/key.h |
1935 | @@ -34,6 +34,7 @@ | 1934 | @@ -37,6 +37,7 @@ |
1936 | KEY_RSA1, | ||
1937 | KEY_RSA, | ||
1938 | KEY_DSA, | 1935 | KEY_DSA, |
1936 | KEY_RSA_CERT, | ||
1937 | KEY_DSA_CERT, | ||
1939 | + KEY_NULL, | 1938 | + KEY_NULL, |
1940 | KEY_UNSPEC | 1939 | KEY_UNSPEC |
1941 | }; | 1940 | }; |
@@ -1996,7 +1995,7 @@ Index: b/monitor.c | |||
1996 | } else { | 1995 | } else { |
1997 | mon_dispatch = mon_dispatch_postauth15; | 1996 | mon_dispatch = mon_dispatch_postauth15; |
1998 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 1997 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
1999 | @@ -1706,6 +1723,13 @@ | 1998 | @@ -1691,6 +1708,13 @@ |
2000 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 1999 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; |
2001 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2000 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2002 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2001 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
@@ -2010,7 +2009,7 @@ Index: b/monitor.c | |||
2010 | kex->server = 1; | 2009 | kex->server = 1; |
2011 | kex->hostkey_type = buffer_get_int(m); | 2010 | kex->hostkey_type = buffer_get_int(m); |
2012 | kex->kex_type = buffer_get_int(m); | 2011 | kex->kex_type = buffer_get_int(m); |
2013 | @@ -1911,6 +1935,9 @@ | 2012 | @@ -1897,6 +1921,9 @@ |
2014 | OM_uint32 major; | 2013 | OM_uint32 major; |
2015 | u_int len; | 2014 | u_int len; |
2016 | 2015 | ||
@@ -2020,7 +2019,7 @@ Index: b/monitor.c | |||
2020 | goid.elements = buffer_get_string(m, &len); | 2019 | goid.elements = buffer_get_string(m, &len); |
2021 | goid.length = len; | 2020 | goid.length = len; |
2022 | 2021 | ||
2023 | @@ -1938,6 +1965,9 @@ | 2022 | @@ -1924,6 +1951,9 @@ |
2024 | OM_uint32 flags = 0; /* GSI needs this */ | 2023 | OM_uint32 flags = 0; /* GSI needs this */ |
2025 | u_int len; | 2024 | u_int len; |
2026 | 2025 | ||
@@ -2030,7 +2029,7 @@ Index: b/monitor.c | |||
2030 | in.value = buffer_get_string(m, &len); | 2029 | in.value = buffer_get_string(m, &len); |
2031 | in.length = len; | 2030 | in.length = len; |
2032 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2031 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2033 | @@ -1955,6 +1985,7 @@ | 2032 | @@ -1941,6 +1971,7 @@ |
2034 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2033 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2035 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2034 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2036 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2035 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2038,7 +2037,7 @@ Index: b/monitor.c | |||
2038 | } | 2037 | } |
2039 | return (0); | 2038 | return (0); |
2040 | } | 2039 | } |
2041 | @@ -1966,6 +1997,9 @@ | 2040 | @@ -1952,6 +1983,9 @@ |
2042 | OM_uint32 ret; | 2041 | OM_uint32 ret; |
2043 | u_int len; | 2042 | u_int len; |
2044 | 2043 | ||
@@ -2048,7 +2047,7 @@ Index: b/monitor.c | |||
2048 | gssbuf.value = buffer_get_string(m, &len); | 2047 | gssbuf.value = buffer_get_string(m, &len); |
2049 | gssbuf.length = len; | 2048 | gssbuf.length = len; |
2050 | mic.value = buffer_get_string(m, &len); | 2049 | mic.value = buffer_get_string(m, &len); |
2051 | @@ -1992,7 +2026,11 @@ | 2050 | @@ -1978,7 +2012,11 @@ |
2052 | { | 2051 | { |
2053 | int authenticated; | 2052 | int authenticated; |
2054 | 2053 | ||
@@ -2061,7 +2060,7 @@ Index: b/monitor.c | |||
2061 | 2060 | ||
2062 | buffer_clear(m); | 2061 | buffer_clear(m); |
2063 | buffer_put_int(m, authenticated); | 2062 | buffer_put_int(m, authenticated); |
2064 | @@ -2005,6 +2043,74 @@ | 2063 | @@ -1991,6 +2029,74 @@ |
2065 | /* Monitor loop will terminate if authenticated */ | 2064 | /* Monitor loop will terminate if authenticated */ |
2066 | return (authenticated); | 2065 | return (authenticated); |
2067 | } | 2066 | } |
@@ -2153,7 +2152,7 @@ Index: b/monitor_wrap.c | |||
2153 | =================================================================== | 2152 | =================================================================== |
2154 | --- a/monitor_wrap.c | 2153 | --- a/monitor_wrap.c |
2155 | +++ b/monitor_wrap.c | 2154 | +++ b/monitor_wrap.c |
2156 | @@ -1248,7 +1248,7 @@ | 2155 | @@ -1231,7 +1231,7 @@ |
2157 | } | 2156 | } |
2158 | 2157 | ||
2159 | int | 2158 | int |
@@ -2162,7 +2161,7 @@ Index: b/monitor_wrap.c | |||
2162 | { | 2161 | { |
2163 | Buffer m; | 2162 | Buffer m; |
2164 | int authenticated = 0; | 2163 | int authenticated = 0; |
2165 | @@ -1265,6 +1265,51 @@ | 2164 | @@ -1248,6 +1248,51 @@ |
2166 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2165 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2167 | return (authenticated); | 2166 | return (authenticated); |
2168 | } | 2167 | } |
@@ -2261,7 +2260,7 @@ Index: b/readconf.c | |||
2261 | #endif | 2260 | #endif |
2262 | { "fallbacktorsh", oDeprecated }, | 2261 | { "fallbacktorsh", oDeprecated }, |
2263 | { "usersh", oDeprecated }, | 2262 | { "usersh", oDeprecated }, |
2264 | @@ -454,10 +463,26 @@ | 2263 | @@ -456,10 +465,26 @@ |
2265 | intptr = &options->gss_authentication; | 2264 | intptr = &options->gss_authentication; |
2266 | goto parse_flag; | 2265 | goto parse_flag; |
2267 | 2266 | ||
@@ -2288,7 +2287,7 @@ Index: b/readconf.c | |||
2288 | case oBatchMode: | 2287 | case oBatchMode: |
2289 | intptr = &options->batch_mode; | 2288 | intptr = &options->batch_mode; |
2290 | goto parse_flag; | 2289 | goto parse_flag; |
2291 | @@ -1013,7 +1038,11 @@ | 2290 | @@ -1015,7 +1040,11 @@ |
2292 | options->pubkey_authentication = -1; | 2291 | options->pubkey_authentication = -1; |
2293 | options->challenge_response_authentication = -1; | 2292 | options->challenge_response_authentication = -1; |
2294 | options->gss_authentication = -1; | 2293 | options->gss_authentication = -1; |
@@ -2300,7 +2299,7 @@ Index: b/readconf.c | |||
2300 | options->password_authentication = -1; | 2299 | options->password_authentication = -1; |
2301 | options->kbd_interactive_authentication = -1; | 2300 | options->kbd_interactive_authentication = -1; |
2302 | options->kbd_interactive_devices = NULL; | 2301 | options->kbd_interactive_devices = NULL; |
2303 | @@ -1105,8 +1134,14 @@ | 2302 | @@ -1107,8 +1136,14 @@ |
2304 | options->challenge_response_authentication = 1; | 2303 | options->challenge_response_authentication = 1; |
2305 | if (options->gss_authentication == -1) | 2304 | if (options->gss_authentication == -1) |
2306 | options->gss_authentication = 0; | 2305 | options->gss_authentication = 0; |
@@ -2335,7 +2334,7 @@ Index: b/servconf.c | |||
2335 | =================================================================== | 2334 | =================================================================== |
2336 | --- a/servconf.c | 2335 | --- a/servconf.c |
2337 | +++ b/servconf.c | 2336 | +++ b/servconf.c |
2338 | @@ -92,7 +92,10 @@ | 2337 | @@ -93,7 +93,10 @@ |
2339 | options->kerberos_ticket_cleanup = -1; | 2338 | options->kerberos_ticket_cleanup = -1; |
2340 | options->kerberos_get_afs_token = -1; | 2339 | options->kerberos_get_afs_token = -1; |
2341 | options->gss_authentication=-1; | 2340 | options->gss_authentication=-1; |
@@ -2346,7 +2345,7 @@ Index: b/servconf.c | |||
2346 | options->password_authentication = -1; | 2345 | options->password_authentication = -1; |
2347 | options->kbd_interactive_authentication = -1; | 2346 | options->kbd_interactive_authentication = -1; |
2348 | options->challenge_response_authentication = -1; | 2347 | options->challenge_response_authentication = -1; |
2349 | @@ -210,8 +213,14 @@ | 2348 | @@ -214,8 +217,14 @@ |
2350 | options->kerberos_get_afs_token = 0; | 2349 | options->kerberos_get_afs_token = 0; |
2351 | if (options->gss_authentication == -1) | 2350 | if (options->gss_authentication == -1) |
2352 | options->gss_authentication = 0; | 2351 | options->gss_authentication = 0; |
@@ -2361,7 +2360,7 @@ Index: b/servconf.c | |||
2361 | if (options->password_authentication == -1) | 2360 | if (options->password_authentication == -1) |
2362 | options->password_authentication = 1; | 2361 | options->password_authentication = 1; |
2363 | if (options->kbd_interactive_authentication == -1) | 2362 | if (options->kbd_interactive_authentication == -1) |
2364 | @@ -302,7 +311,9 @@ | 2363 | @@ -306,7 +315,9 @@ |
2365 | sBanner, sUseDNS, sHostbasedAuthentication, | 2364 | sBanner, sUseDNS, sHostbasedAuthentication, |
2366 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2365 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2367 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, | 2366 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
@@ -2371,8 +2370,8 @@ Index: b/servconf.c | |||
2371 | + sAcceptEnv, sPermitTunnel, | 2370 | + sAcceptEnv, sPermitTunnel, |
2372 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2371 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2373 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2372 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2374 | sZeroKnowledgePasswordAuthentication, | 2373 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2375 | @@ -364,9 +375,15 @@ | 2374 | @@ -369,9 +380,15 @@ |
2376 | #ifdef GSSAPI | 2375 | #ifdef GSSAPI |
2377 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2376 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2378 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2377 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2388,7 +2387,7 @@ Index: b/servconf.c | |||
2388 | #endif | 2387 | #endif |
2389 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2388 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2390 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2389 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2391 | @@ -891,10 +908,22 @@ | 2390 | @@ -925,10 +942,22 @@ |
2392 | intptr = &options->gss_authentication; | 2391 | intptr = &options->gss_authentication; |
2393 | goto parse_flag; | 2392 | goto parse_flag; |
2394 | 2393 | ||
@@ -2415,7 +2414,7 @@ Index: b/servconf.h | |||
2415 | =================================================================== | 2414 | =================================================================== |
2416 | --- a/servconf.h | 2415 | --- a/servconf.h |
2417 | +++ b/servconf.h | 2416 | +++ b/servconf.h |
2418 | @@ -91,7 +91,10 @@ | 2417 | @@ -94,7 +94,10 @@ |
2419 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2418 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2420 | * authenticated with Kerberos. */ | 2419 | * authenticated with Kerberos. */ |
2421 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2420 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2588,7 +2587,7 @@ Index: b/sshconnect2.c | |||
2588 | =================================================================== | 2587 | =================================================================== |
2589 | --- a/sshconnect2.c | 2588 | --- a/sshconnect2.c |
2590 | +++ b/sshconnect2.c | 2589 | +++ b/sshconnect2.c |
2591 | @@ -105,9 +105,34 @@ | 2590 | @@ -106,9 +106,34 @@ |
2592 | { | 2591 | { |
2593 | Kex *kex; | 2592 | Kex *kex; |
2594 | 2593 | ||
@@ -2623,7 +2622,7 @@ Index: b/sshconnect2.c | |||
2623 | if (options.ciphers == (char *)-1) { | 2622 | if (options.ciphers == (char *)-1) { |
2624 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2623 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2625 | options.ciphers = NULL; | 2624 | options.ciphers = NULL; |
2626 | @@ -135,6 +160,17 @@ | 2625 | @@ -136,6 +161,17 @@ |
2627 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 2626 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
2628 | options.hostkeyalgorithms; | 2627 | options.hostkeyalgorithms; |
2629 | 2628 | ||
@@ -2641,7 +2640,7 @@ Index: b/sshconnect2.c | |||
2641 | if (options.rekey_limit) | 2640 | if (options.rekey_limit) |
2642 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); | 2641 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); |
2643 | 2642 | ||
2644 | @@ -144,10 +180,26 @@ | 2643 | @@ -145,10 +181,26 @@ |
2645 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; | 2644 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; |
2646 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 2645 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
2647 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 2646 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
@@ -2668,7 +2667,7 @@ Index: b/sshconnect2.c | |||
2668 | xxx_kex = kex; | 2667 | xxx_kex = kex; |
2669 | 2668 | ||
2670 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2669 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2671 | @@ -236,6 +288,7 @@ | 2670 | @@ -243,6 +295,7 @@ |
2672 | void input_gssapi_hash(int type, u_int32_t, void *); | 2671 | void input_gssapi_hash(int type, u_int32_t, void *); |
2673 | void input_gssapi_error(int, u_int32_t, void *); | 2672 | void input_gssapi_error(int, u_int32_t, void *); |
2674 | void input_gssapi_errtok(int, u_int32_t, void *); | 2673 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2676,7 +2675,7 @@ Index: b/sshconnect2.c | |||
2676 | #endif | 2675 | #endif |
2677 | 2676 | ||
2678 | void userauth(Authctxt *, char *); | 2677 | void userauth(Authctxt *, char *); |
2679 | @@ -251,6 +304,11 @@ | 2678 | @@ -258,6 +311,11 @@ |
2680 | 2679 | ||
2681 | Authmethod authmethods[] = { | 2680 | Authmethod authmethods[] = { |
2682 | #ifdef GSSAPI | 2681 | #ifdef GSSAPI |
@@ -2688,7 +2687,7 @@ Index: b/sshconnect2.c | |||
2688 | {"gssapi-with-mic", | 2687 | {"gssapi-with-mic", |
2689 | userauth_gssapi, | 2688 | userauth_gssapi, |
2690 | NULL, | 2689 | NULL, |
2691 | @@ -542,19 +600,29 @@ | 2690 | @@ -564,19 +622,29 @@ |
2692 | static u_int mech = 0; | 2691 | static u_int mech = 0; |
2693 | OM_uint32 min; | 2692 | OM_uint32 min; |
2694 | int ok = 0; | 2693 | int ok = 0; |
@@ -2720,7 +2719,7 @@ Index: b/sshconnect2.c | |||
2720 | ok = 1; /* Mechanism works */ | 2719 | ok = 1; /* Mechanism works */ |
2721 | } else { | 2720 | } else { |
2722 | mech++; | 2721 | mech++; |
2723 | @@ -651,8 +719,8 @@ | 2722 | @@ -673,8 +741,8 @@ |
2724 | { | 2723 | { |
2725 | Authctxt *authctxt = ctxt; | 2724 | Authctxt *authctxt = ctxt; |
2726 | Gssctxt *gssctxt; | 2725 | Gssctxt *gssctxt; |
@@ -2731,7 +2730,7 @@ Index: b/sshconnect2.c | |||
2731 | 2730 | ||
2732 | if (authctxt == NULL) | 2731 | if (authctxt == NULL) |
2733 | fatal("input_gssapi_response: no authentication context"); | 2732 | fatal("input_gssapi_response: no authentication context"); |
2734 | @@ -762,6 +830,48 @@ | 2733 | @@ -784,6 +852,48 @@ |
2735 | xfree(msg); | 2734 | xfree(msg); |
2736 | xfree(lang); | 2735 | xfree(lang); |
2737 | } | 2736 | } |
@@ -2795,7 +2794,7 @@ Index: b/sshd.c | |||
2795 | #ifdef LIBWRAP | 2794 | #ifdef LIBWRAP |
2796 | #include <tcpd.h> | 2795 | #include <tcpd.h> |
2797 | #include <syslog.h> | 2796 | #include <syslog.h> |
2798 | @@ -1531,10 +1535,13 @@ | 2797 | @@ -1577,10 +1581,13 @@ |
2799 | logit("Disabling protocol version 1. Could not load host key"); | 2798 | logit("Disabling protocol version 1. Could not load host key"); |
2800 | options.protocol &= ~SSH_PROTO_1; | 2799 | options.protocol &= ~SSH_PROTO_1; |
2801 | } | 2800 | } |
@@ -2809,7 +2808,7 @@ Index: b/sshd.c | |||
2809 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2808 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2810 | logit("sshd: no hostkeys available -- exiting."); | 2809 | logit("sshd: no hostkeys available -- exiting."); |
2811 | exit(1); | 2810 | exit(1); |
2812 | @@ -1818,6 +1825,60 @@ | 2811 | @@ -1909,6 +1916,60 @@ |
2813 | /* Log the connection. */ | 2812 | /* Log the connection. */ |
2814 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2813 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
2815 | 2814 | ||
@@ -2870,7 +2869,7 @@ Index: b/sshd.c | |||
2870 | /* | 2869 | /* |
2871 | * We don't want to listen forever unless the other side | 2870 | * We don't want to listen forever unless the other side |
2872 | * successfully authenticates itself. So we set up an alarm which is | 2871 | * successfully authenticates itself. So we set up an alarm which is |
2873 | @@ -2195,12 +2256,61 @@ | 2872 | @@ -2287,12 +2348,61 @@ |
2874 | 2873 | ||
2875 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2874 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2876 | 2875 | ||
@@ -2936,7 +2935,7 @@ Index: b/sshd_config | |||
2936 | =================================================================== | 2935 | =================================================================== |
2937 | --- a/sshd_config | 2936 | --- a/sshd_config |
2938 | +++ b/sshd_config | 2937 | +++ b/sshd_config |
2939 | @@ -73,6 +73,8 @@ | 2938 | @@ -71,6 +71,8 @@ |
2940 | # GSSAPI options | 2939 | # GSSAPI options |
2941 | #GSSAPIAuthentication no | 2940 | #GSSAPIAuthentication no |
2942 | #GSSAPICleanupCredentials yes | 2941 | #GSSAPICleanupCredentials yes |
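Review bot: The refreshed key.h hunk now places `KEY_NULL` after `KEY_DSA_CERT` rather than after `KEY_DSA`, so its numeric enum value moves up by two along with `KEY_UNSPEC`; that is harmless only if nothing persists or compares the raw enum number, which nothing on this page shows, so it is worth a one-line comment in the patch header such as `/* KEY_NULL is a positional enum value; keep it directly before KEY_UNSPEC */`. The matching key.c hunk makes `key_type_from_name("null")` resolve to `KEY_NULL`, which means host authentication for that key type rests entirely on the GSSAPI exchange; the check that restricts a `null` host key to a negotiated GSSAPI kex lies outside the hunks shown here, so confirm the refreshed sshconnect2.c and sshd.c hunks still carry it. Separately, the re-emitted Makefile.in line `+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\` still lacks the space before the continuation; since the refresh rewrites that line anyway, `kexgsss.o \` would match the surrounding style. The surrounding functions for the key.c and monitor.c hunks start and end outside the visible lines.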