Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 126 |
1 files changed, 63 insertions, 63 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 29a689b0d..3d6dfac9a 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 70b18066d3921277861e98902c9cf41a10ac6898 Mon Sep 17 00:00:00 2001 | 1 | From 233e78235070e871b658c8f289e600bd52a99711 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2015-09-17 | 20 | Last-Updated: 2015-11-29 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
@@ -359,10 +359,10 @@ index 7177962..3f49bdc 100644 | |||
359 | #endif | 359 | #endif |
360 | &method_passwd, | 360 | &method_passwd, |
361 | diff --git a/clientloop.c b/clientloop.c | 361 | diff --git a/clientloop.c b/clientloop.c |
362 | index dc0e557..77d5498 100644 | 362 | index 87ceb3d..fba1b54 100644 |
363 | --- a/clientloop.c | 363 | --- a/clientloop.c |
364 | +++ b/clientloop.c | 364 | +++ b/clientloop.c |
365 | @@ -114,6 +114,10 @@ | 365 | @@ -115,6 +115,10 @@ |
366 | #include "ssherr.h" | 366 | #include "ssherr.h" |
367 | #include "hostfile.h" | 367 | #include "hostfile.h" |
368 | 368 | ||
@@ -373,7 +373,7 @@ index dc0e557..77d5498 100644 | |||
373 | /* import options */ | 373 | /* import options */ |
374 | extern Options options; | 374 | extern Options options; |
375 | 375 | ||
376 | @@ -1609,6 +1613,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 376 | @@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
377 | /* Do channel operations unless rekeying in progress. */ | 377 | /* Do channel operations unless rekeying in progress. */ |
378 | if (!rekeying) { | 378 | if (!rekeying) { |
379 | channel_after_select(readset, writeset); | 379 | channel_after_select(readset, writeset); |
@@ -390,7 +390,7 @@ index dc0e557..77d5498 100644 | |||
390 | debug("need rekeying"); | 390 | debug("need rekeying"); |
391 | active_state->kex->done = 0; | 391 | active_state->kex->done = 0; |
392 | diff --git a/config.h.in b/config.h.in | 392 | diff --git a/config.h.in b/config.h.in |
393 | index 7e7e38e..6c7de98 100644 | 393 | index 7500df5..97accd8 100644 |
394 | --- a/config.h.in | 394 | --- a/config.h.in |
395 | +++ b/config.h.in | 395 | +++ b/config.h.in |
396 | @@ -1623,6 +1623,9 @@ | 396 | @@ -1623,6 +1623,9 @@ |
@@ -414,7 +414,7 @@ index 7e7e38e..6c7de98 100644 | |||
414 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 414 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
415 | 415 | ||
416 | diff --git a/configure.ac b/configure.ac | 416 | diff --git a/configure.ac b/configure.ac |
417 | index bb0095f..df21693 100644 | 417 | index 9b05c30..7a25603 100644 |
418 | --- a/configure.ac | 418 | --- a/configure.ac |
419 | +++ b/configure.ac | 419 | +++ b/configure.ac |
420 | @@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 420 | @@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
@@ -1197,7 +1197,7 @@ index 53993d6..2f6baf7 100644 | |||
1197 | 1197 | ||
1198 | #endif | 1198 | #endif |
1199 | diff --git a/kex.c b/kex.c | 1199 | diff --git a/kex.c b/kex.c |
1200 | index dbc55ef..4d8e6f5 100644 | 1200 | index 5100c66..39a6f98 100644 |
1201 | --- a/kex.c | 1201 | --- a/kex.c |
1202 | +++ b/kex.c | 1202 | +++ b/kex.c |
1203 | @@ -55,6 +55,10 @@ | 1203 | @@ -55,6 +55,10 @@ |
@@ -1238,7 +1238,7 @@ index dbc55ef..4d8e6f5 100644 | |||
1238 | } | 1238 | } |
1239 | 1239 | ||
1240 | diff --git a/kex.h b/kex.h | 1240 | diff --git a/kex.h b/kex.h |
1241 | index f70b81f..7194b14 100644 | 1241 | index d71b532..ee46815 100644 |
1242 | --- a/kex.h | 1242 | --- a/kex.h |
1243 | +++ b/kex.h | 1243 | +++ b/kex.h |
1244 | @@ -93,6 +93,9 @@ enum kex_exchange { | 1244 | @@ -93,6 +93,9 @@ enum kex_exchange { |
@@ -1263,8 +1263,8 @@ index f70b81f..7194b14 100644 | |||
1263 | +#endif | 1263 | +#endif |
1264 | char *client_version_string; | 1264 | char *client_version_string; |
1265 | char *server_version_string; | 1265 | char *server_version_string; |
1266 | int (*verify_host_key)(struct sshkey *, struct ssh *); | 1266 | char *failed_choice; |
1267 | @@ -184,6 +193,11 @@ int kexecdh_server(struct ssh *); | 1267 | @@ -187,6 +196,11 @@ int kexecdh_server(struct ssh *); |
1268 | int kexc25519_client(struct ssh *); | 1268 | int kexc25519_client(struct ssh *); |
1269 | int kexc25519_server(struct ssh *); | 1269 | int kexc25519_server(struct ssh *); |
1270 | 1270 | ||
@@ -1920,7 +1920,7 @@ index 0000000..0847469 | |||
1920 | +} | 1920 | +} |
1921 | +#endif /* GSSAPI */ | 1921 | +#endif /* GSSAPI */ |
1922 | diff --git a/monitor.c b/monitor.c | 1922 | diff --git a/monitor.c b/monitor.c |
1923 | index b410965..bdc2972 100644 | 1923 | index a914209..2658aaa 100644 |
1924 | --- a/monitor.c | 1924 | --- a/monitor.c |
1925 | +++ b/monitor.c | 1925 | +++ b/monitor.c |
1926 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 1926 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
@@ -2127,10 +2127,10 @@ index 93b8b66..bc50ade 100644 | |||
2127 | 2127 | ||
2128 | struct mm_master; | 2128 | struct mm_master; |
2129 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2129 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2130 | index e6217b3..71e7c08 100644 | 2130 | index eac421b..81ceddb 100644 |
2131 | --- a/monitor_wrap.c | 2131 | --- a/monitor_wrap.c |
2132 | +++ b/monitor_wrap.c | 2132 | +++ b/monitor_wrap.c |
2133 | @@ -1069,7 +1069,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2133 | @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2134 | } | 2134 | } |
2135 | 2135 | ||
2136 | int | 2136 | int |
@@ -2139,7 +2139,7 @@ index e6217b3..71e7c08 100644 | |||
2139 | { | 2139 | { |
2140 | Buffer m; | 2140 | Buffer m; |
2141 | int authenticated = 0; | 2141 | int authenticated = 0; |
2142 | @@ -1086,5 +1086,50 @@ mm_ssh_gssapi_userok(char *user) | 2142 | @@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user) |
2143 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2143 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2144 | return (authenticated); | 2144 | return (authenticated); |
2145 | } | 2145 | } |
@@ -2207,7 +2207,7 @@ index de4a08f..9758290 100644 | |||
2207 | 2207 | ||
2208 | #ifdef USE_PAM | 2208 | #ifdef USE_PAM |
2209 | diff --git a/readconf.c b/readconf.c | 2209 | diff --git a/readconf.c b/readconf.c |
2210 | index db7d0bb..68dac76 100644 | 2210 | index 1d03bdf..43b7570 100644 |
2211 | --- a/readconf.c | 2211 | --- a/readconf.c |
2212 | +++ b/readconf.c | 2212 | +++ b/readconf.c |
2213 | @@ -147,6 +147,8 @@ typedef enum { | 2213 | @@ -147,6 +147,8 @@ typedef enum { |
@@ -2219,7 +2219,7 @@ index db7d0bb..68dac76 100644 | |||
2219 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2219 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2220 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2220 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2221 | oHashKnownHosts, | 2221 | oHashKnownHosts, |
2222 | @@ -191,10 +193,19 @@ static struct { | 2222 | @@ -192,10 +194,19 @@ static struct { |
2223 | { "afstokenpassing", oUnsupported }, | 2223 | { "afstokenpassing", oUnsupported }, |
2224 | #if defined(GSSAPI) | 2224 | #if defined(GSSAPI) |
2225 | { "gssapiauthentication", oGssAuthentication }, | 2225 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2239,7 +2239,7 @@ index db7d0bb..68dac76 100644 | |||
2239 | #endif | 2239 | #endif |
2240 | { "fallbacktorsh", oDeprecated }, | 2240 | { "fallbacktorsh", oDeprecated }, |
2241 | { "usersh", oDeprecated }, | 2241 | { "usersh", oDeprecated }, |
2242 | @@ -892,10 +903,30 @@ parse_time: | 2242 | @@ -894,10 +905,30 @@ parse_time: |
2243 | intptr = &options->gss_authentication; | 2243 | intptr = &options->gss_authentication; |
2244 | goto parse_flag; | 2244 | goto parse_flag; |
2245 | 2245 | ||
@@ -2283,7 +2283,7 @@ index db7d0bb..68dac76 100644 | |||
2283 | options->password_authentication = -1; | 2283 | options->password_authentication = -1; |
2284 | options->kbd_interactive_authentication = -1; | 2284 | options->kbd_interactive_authentication = -1; |
2285 | options->kbd_interactive_devices = NULL; | 2285 | options->kbd_interactive_devices = NULL; |
2286 | @@ -1728,8 +1764,14 @@ fill_default_options(Options * options) | 2286 | @@ -1729,8 +1765,14 @@ fill_default_options(Options * options) |
2287 | options->challenge_response_authentication = 1; | 2287 | options->challenge_response_authentication = 1; |
2288 | if (options->gss_authentication == -1) | 2288 | if (options->gss_authentication == -1) |
2289 | options->gss_authentication = 0; | 2289 | options->gss_authentication = 0; |
@@ -2299,7 +2299,7 @@ index db7d0bb..68dac76 100644 | |||
2299 | options->password_authentication = 1; | 2299 | options->password_authentication = 1; |
2300 | if (options->kbd_interactive_authentication == -1) | 2300 | if (options->kbd_interactive_authentication == -1) |
2301 | diff --git a/readconf.h b/readconf.h | 2301 | diff --git a/readconf.h b/readconf.h |
2302 | index 576b9e3..ef39c4c 100644 | 2302 | index bb2d552..e7e80c3 100644 |
2303 | --- a/readconf.h | 2303 | --- a/readconf.h |
2304 | +++ b/readconf.h | 2304 | +++ b/readconf.h |
2305 | @@ -45,7 +45,12 @@ typedef struct { | 2305 | @@ -45,7 +45,12 @@ typedef struct { |
@@ -2316,10 +2316,10 @@ index 576b9e3..ef39c4c 100644 | |||
2316 | * authentication. */ | 2316 | * authentication. */ |
2317 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2317 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2318 | diff --git a/servconf.c b/servconf.c | 2318 | diff --git a/servconf.c b/servconf.c |
2319 | index df93fc4..2f7f41e 100644 | 2319 | index 6c7a91e..cfe7029 100644 |
2320 | --- a/servconf.c | 2320 | --- a/servconf.c |
2321 | +++ b/servconf.c | 2321 | +++ b/servconf.c |
2322 | @@ -115,8 +115,10 @@ initialize_server_options(ServerOptions *options) | 2322 | @@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options) |
2323 | options->kerberos_ticket_cleanup = -1; | 2323 | options->kerberos_ticket_cleanup = -1; |
2324 | options->kerberos_get_afs_token = -1; | 2324 | options->kerberos_get_afs_token = -1; |
2325 | options->gss_authentication=-1; | 2325 | options->gss_authentication=-1; |
@@ -2346,15 +2346,15 @@ index df93fc4..2f7f41e 100644 | |||
2346 | if (options->password_authentication == -1) | 2346 | if (options->password_authentication == -1) |
2347 | options->password_authentication = 1; | 2347 | options->password_authentication = 1; |
2348 | if (options->kbd_interactive_authentication == -1) | 2348 | if (options->kbd_interactive_authentication == -1) |
2349 | @@ -401,6 +407,7 @@ typedef enum { | 2349 | @@ -412,6 +418,7 @@ typedef enum { |
2350 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, | 2350 | sHostKeyAlgorithms, |
2351 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 2351 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2352 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2352 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
2353 | + sGssKeyEx, sGssStoreRekey, | 2353 | + sGssKeyEx, sGssStoreRekey, |
2354 | sAcceptEnv, sPermitTunnel, | 2354 | sAcceptEnv, sPermitTunnel, |
2355 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2355 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2356 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2356 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2357 | @@ -473,12 +480,20 @@ static struct { | 2357 | @@ -485,12 +492,20 @@ static struct { |
2358 | #ifdef GSSAPI | 2358 | #ifdef GSSAPI |
2359 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2359 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2360 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2360 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2375,7 +2375,7 @@ index df93fc4..2f7f41e 100644 | |||
2375 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2375 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2376 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2376 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2377 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2377 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2378 | @@ -1214,6 +1229,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2378 | @@ -1231,6 +1246,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2379 | intptr = &options->gss_authentication; | 2379 | intptr = &options->gss_authentication; |
2380 | goto parse_flag; | 2380 | goto parse_flag; |
2381 | 2381 | ||
@@ -2386,7 +2386,7 @@ index df93fc4..2f7f41e 100644 | |||
2386 | case sGssCleanupCreds: | 2386 | case sGssCleanupCreds: |
2387 | intptr = &options->gss_cleanup_creds; | 2387 | intptr = &options->gss_cleanup_creds; |
2388 | goto parse_flag; | 2388 | goto parse_flag; |
2389 | @@ -1222,6 +1241,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2389 | @@ -1239,6 +1258,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2390 | intptr = &options->gss_strict_acceptor; | 2390 | intptr = &options->gss_strict_acceptor; |
2391 | goto parse_flag; | 2391 | goto parse_flag; |
2392 | 2392 | ||
@@ -2397,7 +2397,7 @@ index df93fc4..2f7f41e 100644 | |||
2397 | case sPasswordAuthentication: | 2397 | case sPasswordAuthentication: |
2398 | intptr = &options->password_authentication; | 2398 | intptr = &options->password_authentication; |
2399 | goto parse_flag; | 2399 | goto parse_flag; |
2400 | @@ -2229,7 +2252,10 @@ dump_config(ServerOptions *o) | 2400 | @@ -2246,7 +2269,10 @@ dump_config(ServerOptions *o) |
2401 | #endif | 2401 | #endif |
2402 | #ifdef GSSAPI | 2402 | #ifdef GSSAPI |
2403 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2403 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2409,10 +2409,10 @@ index df93fc4..2f7f41e 100644 | |||
2409 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2409 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2410 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2410 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2411 | diff --git a/servconf.h b/servconf.h | 2411 | diff --git a/servconf.h b/servconf.h |
2412 | index 606d80c..b99b270 100644 | 2412 | index f4137af..778ba17 100644 |
2413 | --- a/servconf.h | 2413 | --- a/servconf.h |
2414 | +++ b/servconf.h | 2414 | +++ b/servconf.h |
2415 | @@ -117,8 +117,10 @@ typedef struct { | 2415 | @@ -118,8 +118,10 @@ typedef struct { |
2416 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2416 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2417 | * authenticated with Kerberos. */ | 2417 | * authenticated with Kerberos. */ |
2418 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2418 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2540,10 +2540,10 @@ index 03a228f..228e5ab 100644 | |||
2540 | # CheckHostIP yes | 2540 | # CheckHostIP yes |
2541 | # AddressFamily any | 2541 | # AddressFamily any |
2542 | diff --git a/ssh_config.5 b/ssh_config.5 | 2542 | diff --git a/ssh_config.5 b/ssh_config.5 |
2543 | index 268a627..59ce400 100644 | 2543 | index 5b0975f..b2dc49b 100644 |
2544 | --- a/ssh_config.5 | 2544 | --- a/ssh_config.5 |
2545 | +++ b/ssh_config.5 | 2545 | +++ b/ssh_config.5 |
2546 | @@ -744,11 +744,45 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2546 | @@ -749,11 +749,45 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2547 | The default is | 2547 | The default is |
2548 | .Dq no . | 2548 | .Dq no . |
2549 | Note that this option applies to protocol version 2 only. | 2549 | Note that this option applies to protocol version 2 only. |
@@ -2591,7 +2591,7 @@ index 268a627..59ce400 100644 | |||
2591 | Indicates that | 2591 | Indicates that |
2592 | .Xr ssh 1 | 2592 | .Xr ssh 1 |
2593 | diff --git a/sshconnect2.c b/sshconnect2.c | 2593 | diff --git a/sshconnect2.c b/sshconnect2.c |
2594 | index fcaed6b..44c89e6 100644 | 2594 | index 7751031..e2ea826 100644 |
2595 | --- a/sshconnect2.c | 2595 | --- a/sshconnect2.c |
2596 | +++ b/sshconnect2.c | 2596 | +++ b/sshconnect2.c |
2597 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2597 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
@@ -2626,12 +2626,12 @@ index fcaed6b..44c89e6 100644 | |||
2626 | + } | 2626 | + } |
2627 | +#endif | 2627 | +#endif |
2628 | + | 2628 | + |
2629 | if (options.ciphers == (char *)-1) { | ||
2630 | logit("No valid ciphers for protocol version 2 given, using defaults."); | ||
2631 | options.ciphers = NULL; | ||
2632 | @@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | ||
2633 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | 2629 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
2634 | myproposal[PROPOSAL_KEX_ALGS]); | 2630 | options.kex_algorithms); |
2631 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | ||
2632 | @@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | ||
2633 | order_hostkeyalgs(host, hostaddr, port)); | ||
2634 | } | ||
2635 | 2635 | ||
2636 | +#ifdef GSSAPI | 2636 | +#ifdef GSSAPI |
2637 | + /* If we've got GSSAPI algorithms, then we also support the | 2637 | + /* If we've got GSSAPI algorithms, then we also support the |
@@ -2647,7 +2647,7 @@ index fcaed6b..44c89e6 100644 | |||
2647 | if (options.rekey_limit || options.rekey_interval) | 2647 | if (options.rekey_limit || options.rekey_interval) |
2648 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2648 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2649 | (time_t)options.rekey_interval); | 2649 | (time_t)options.rekey_interval); |
2650 | @@ -218,10 +254,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2650 | @@ -211,10 +247,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2651 | # endif | 2651 | # endif |
2652 | #endif | 2652 | #endif |
2653 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; | 2653 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; |
@@ -2678,7 +2678,7 @@ index fcaed6b..44c89e6 100644 | |||
2678 | dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); | 2678 | dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); |
2679 | 2679 | ||
2680 | if (options.use_roaming && !kex->roaming) { | 2680 | if (options.use_roaming && !kex->roaming) { |
2681 | @@ -313,6 +369,7 @@ int input_gssapi_token(int type, u_int32_t, void *); | 2681 | @@ -306,6 +362,7 @@ int input_gssapi_token(int type, u_int32_t, void *); |
2682 | int input_gssapi_hash(int type, u_int32_t, void *); | 2682 | int input_gssapi_hash(int type, u_int32_t, void *); |
2683 | int input_gssapi_error(int, u_int32_t, void *); | 2683 | int input_gssapi_error(int, u_int32_t, void *); |
2684 | int input_gssapi_errtok(int, u_int32_t, void *); | 2684 | int input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2686,7 +2686,7 @@ index fcaed6b..44c89e6 100644 | |||
2686 | #endif | 2686 | #endif |
2687 | 2687 | ||
2688 | void userauth(Authctxt *, char *); | 2688 | void userauth(Authctxt *, char *); |
2689 | @@ -328,6 +385,11 @@ static char *authmethods_get(void); | 2689 | @@ -321,6 +378,11 @@ static char *authmethods_get(void); |
2690 | 2690 | ||
2691 | Authmethod authmethods[] = { | 2691 | Authmethod authmethods[] = { |
2692 | #ifdef GSSAPI | 2692 | #ifdef GSSAPI |
@@ -2698,7 +2698,7 @@ index fcaed6b..44c89e6 100644 | |||
2698 | {"gssapi-with-mic", | 2698 | {"gssapi-with-mic", |
2699 | userauth_gssapi, | 2699 | userauth_gssapi, |
2700 | NULL, | 2700 | NULL, |
2701 | @@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt) | 2701 | @@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt) |
2702 | static u_int mech = 0; | 2702 | static u_int mech = 0; |
2703 | OM_uint32 min; | 2703 | OM_uint32 min; |
2704 | int ok = 0; | 2704 | int ok = 0; |
@@ -2732,7 +2732,7 @@ index fcaed6b..44c89e6 100644 | |||
2732 | ok = 1; /* Mechanism works */ | 2732 | ok = 1; /* Mechanism works */ |
2733 | } else { | 2733 | } else { |
2734 | mech++; | 2734 | mech++; |
2735 | @@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2735 | @@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2736 | { | 2736 | { |
2737 | Authctxt *authctxt = ctxt; | 2737 | Authctxt *authctxt = ctxt; |
2738 | Gssctxt *gssctxt; | 2738 | Gssctxt *gssctxt; |
@@ -2743,7 +2743,7 @@ index fcaed6b..44c89e6 100644 | |||
2743 | 2743 | ||
2744 | if (authctxt == NULL) | 2744 | if (authctxt == NULL) |
2745 | fatal("input_gssapi_response: no authentication context"); | 2745 | fatal("input_gssapi_response: no authentication context"); |
2746 | @@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 2746 | @@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2747 | free(lang); | 2747 | free(lang); |
2748 | return 0; | 2748 | return 0; |
2749 | } | 2749 | } |
@@ -2793,10 +2793,10 @@ index fcaed6b..44c89e6 100644 | |||
2793 | 2793 | ||
2794 | int | 2794 | int |
2795 | diff --git a/sshd.c b/sshd.c | 2795 | diff --git a/sshd.c b/sshd.c |
2796 | index 6f8c6f2..6b85e6c 100644 | 2796 | index c7dd8cb..32adb1f 100644 |
2797 | --- a/sshd.c | 2797 | --- a/sshd.c |
2798 | +++ b/sshd.c | 2798 | +++ b/sshd.c |
2799 | @@ -125,6 +125,10 @@ | 2799 | @@ -126,6 +126,10 @@ |
2800 | #include "version.h" | 2800 | #include "version.h" |
2801 | #include "ssherr.h" | 2801 | #include "ssherr.h" |
2802 | 2802 | ||
@@ -2807,7 +2807,7 @@ index 6f8c6f2..6b85e6c 100644 | |||
2807 | #ifndef O_NOCTTY | 2807 | #ifndef O_NOCTTY |
2808 | #define O_NOCTTY 0 | 2808 | #define O_NOCTTY 0 |
2809 | #endif | 2809 | #endif |
2810 | @@ -1823,10 +1827,13 @@ main(int ac, char **av) | 2810 | @@ -1827,10 +1831,13 @@ main(int ac, char **av) |
2811 | logit("Disabling protocol version 1. Could not load host key"); | 2811 | logit("Disabling protocol version 1. Could not load host key"); |
2812 | options.protocol &= ~SSH_PROTO_1; | 2812 | options.protocol &= ~SSH_PROTO_1; |
2813 | } | 2813 | } |
@@ -2821,7 +2821,7 @@ index 6f8c6f2..6b85e6c 100644 | |||
2821 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2821 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2822 | logit("sshd: no hostkeys available -- exiting."); | 2822 | logit("sshd: no hostkeys available -- exiting."); |
2823 | exit(1); | 2823 | exit(1); |
2824 | @@ -2141,6 +2148,60 @@ main(int ac, char **av) | 2824 | @@ -2145,6 +2152,60 @@ main(int ac, char **av) |
2825 | remote_ip, remote_port, laddr, get_local_port()); | 2825 | remote_ip, remote_port, laddr, get_local_port()); |
2826 | free(laddr); | 2826 | free(laddr); |
2827 | 2827 | ||
@@ -2882,7 +2882,7 @@ index 6f8c6f2..6b85e6c 100644 | |||
2882 | /* | 2882 | /* |
2883 | * We don't want to listen forever unless the other side | 2883 | * We don't want to listen forever unless the other side |
2884 | * successfully authenticates itself. So we set up an alarm which is | 2884 | * successfully authenticates itself. So we set up an alarm which is |
2885 | @@ -2570,6 +2631,48 @@ do_ssh2_kex(void) | 2885 | @@ -2563,6 +2624,48 @@ do_ssh2_kex(void) |
2886 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2886 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
2887 | list_hostkey_types()); | 2887 | list_hostkey_types()); |
2888 | 2888 | ||
@@ -2931,7 +2931,7 @@ index 6f8c6f2..6b85e6c 100644 | |||
2931 | /* start key exchange */ | 2931 | /* start key exchange */ |
2932 | if ((r = kex_setup(active_state, myproposal)) != 0) | 2932 | if ((r = kex_setup(active_state, myproposal)) != 0) |
2933 | fatal("kex_setup: %s", ssh_err(r)); | 2933 | fatal("kex_setup: %s", ssh_err(r)); |
2934 | @@ -2584,6 +2687,13 @@ do_ssh2_kex(void) | 2934 | @@ -2577,6 +2680,13 @@ do_ssh2_kex(void) |
2935 | # endif | 2935 | # endif |
2936 | #endif | 2936 | #endif |
2937 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2937 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2946,7 +2946,7 @@ index 6f8c6f2..6b85e6c 100644 | |||
2946 | kex->client_version_string=client_version_string; | 2946 | kex->client_version_string=client_version_string; |
2947 | kex->server_version_string=server_version_string; | 2947 | kex->server_version_string=server_version_string; |
2948 | diff --git a/sshd_config b/sshd_config | 2948 | diff --git a/sshd_config b/sshd_config |
2949 | index cf7d8e1..1dfd0f1 100644 | 2949 | index 4d77f05..64786c9 100644 |
2950 | --- a/sshd_config | 2950 | --- a/sshd_config |
2951 | +++ b/sshd_config | 2951 | +++ b/sshd_config |
2952 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 2952 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
@@ -2959,10 +2959,10 @@ index cf7d8e1..1dfd0f1 100644 | |||
2959 | # Set this to 'yes' to enable PAM authentication, account processing, | 2959 | # Set this to 'yes' to enable PAM authentication, account processing, |
2960 | # and session processing. If this is enabled, PAM authentication will | 2960 | # and session processing. If this is enabled, PAM authentication will |
2961 | diff --git a/sshd_config.5 b/sshd_config.5 | 2961 | diff --git a/sshd_config.5 b/sshd_config.5 |
2962 | index 5ab4318..68424f1 100644 | 2962 | index 58e277f..712f620 100644 |
2963 | --- a/sshd_config.5 | 2963 | --- a/sshd_config.5 |
2964 | +++ b/sshd_config.5 | 2964 | +++ b/sshd_config.5 |
2965 | @@ -616,6 +616,12 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2965 | @@ -621,6 +621,12 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2966 | The default is | 2966 | The default is |
2967 | .Dq no . | 2967 | .Dq no . |
2968 | Note that this option applies to protocol version 2 only. | 2968 | Note that this option applies to protocol version 2 only. |
@@ -2975,7 +2975,7 @@ index 5ab4318..68424f1 100644 | |||
2975 | .It Cm GSSAPICleanupCredentials | 2975 | .It Cm GSSAPICleanupCredentials |
2976 | Specifies whether to automatically destroy the user's credentials cache | 2976 | Specifies whether to automatically destroy the user's credentials cache |
2977 | on logout. | 2977 | on logout. |
2978 | @@ -637,6 +643,11 @@ machine's default store. | 2978 | @@ -642,6 +648,11 @@ machine's default store. |
2979 | This facility is provided to assist with operation on multi homed machines. | 2979 | This facility is provided to assist with operation on multi homed machines. |
2980 | The default is | 2980 | The default is |
2981 | .Dq yes . | 2981 | .Dq yes . |
@@ -2988,18 +2988,18 @@ index 5ab4318..68424f1 100644 | |||
2988 | Specifies the key types that will be accepted for hostbased authentication | 2988 | Specifies the key types that will be accepted for hostbased authentication |
2989 | as a comma-separated pattern list. | 2989 | as a comma-separated pattern list. |
2990 | diff --git a/sshkey.c b/sshkey.c | 2990 | diff --git a/sshkey.c b/sshkey.c |
2991 | index cfe5980..2c87d80 100644 | 2991 | index dbb16e2..14b6dc3 100644 |
2992 | --- a/sshkey.c | 2992 | --- a/sshkey.c |
2993 | +++ b/sshkey.c | 2993 | +++ b/sshkey.c |
2994 | @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { | 2994 | @@ -112,6 +112,7 @@ static const struct keytype keytypes[] = { |
2995 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | 2995 | # endif /* OPENSSL_HAS_NISTP521 */ |
2996 | KEY_DSA_CERT_V00, 0, 1 }, | 2996 | # endif /* OPENSSL_HAS_ECC */ |
2997 | #endif /* WITH_OPENSSL */ | 2997 | #endif /* WITH_OPENSSL */ |
2998 | + { "null", "null", KEY_NULL, 0, 0 }, | 2998 | + { "null", "null", KEY_NULL, 0, 0 }, |
2999 | { NULL, NULL, -1, -1, 0 } | 2999 | { NULL, NULL, -1, -1, 0 } |
3000 | }; | 3000 | }; |
3001 | 3001 | ||
3002 | @@ -204,7 +205,7 @@ key_alg_list(int certs_only, int plain_only) | 3002 | @@ -200,7 +201,7 @@ key_alg_list(int certs_only, int plain_only) |
3003 | const struct keytype *kt; | 3003 | const struct keytype *kt; |
3004 | 3004 | ||
3005 | for (kt = keytypes; kt->type != -1; kt++) { | 3005 | for (kt = keytypes; kt->type != -1; kt++) { |
@@ -3009,13 +3009,13 @@ index cfe5980..2c87d80 100644 | |||
3009 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 3009 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
3010 | continue; | 3010 | continue; |
3011 | diff --git a/sshkey.h b/sshkey.h | 3011 | diff --git a/sshkey.h b/sshkey.h |
3012 | index cdac0e2..b010b8e 100644 | 3012 | index c8d3cdd..5cf4e5d 100644 |
3013 | --- a/sshkey.h | 3013 | --- a/sshkey.h |
3014 | +++ b/sshkey.h | 3014 | +++ b/sshkey.h |
3015 | @@ -64,6 +64,7 @@ enum sshkey_types { | 3015 | @@ -62,6 +62,7 @@ enum sshkey_types { |
3016 | KEY_DSA_CERT, | ||
3017 | KEY_ECDSA_CERT, | ||
3016 | KEY_ED25519_CERT, | 3018 | KEY_ED25519_CERT, |
3017 | KEY_RSA_CERT_V00, | ||
3018 | KEY_DSA_CERT_V00, | ||
3019 | + KEY_NULL, | 3019 | + KEY_NULL, |
3020 | KEY_UNSPEC | 3020 | KEY_UNSPEC |
3021 | }; | 3021 | }; |
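Review bot: The `{ "null", "null", KEY_NULL, 0, 0 }` entry added to `keytypes[]` in the sshkey.c hunk registers a host key type that carries no key material, and nothing in the rebased hunks documents the invariant that it may only be accepted when the negotiated key exchange is a GSSAPI method that authenticates the server through the GSS context; a comment on that table entry such as `/* KEY_NULL: placeholder hostkey, valid only alongside a GSSAPI key exchange that authenticates the server */` would make the dependency visible to anyone iterating the table. The `key_alg_list` hunk whose header moved to `@@ -200,7 +201,7 @@` is presumably where that type is skipped so it never reaches default `HostKeyAlgorithms` lists or `ssh -Q key` output, but its changed line is outside what is shown here, so confirm the filter survived the rebase. In the sshconnect2.c hunk, the GSSAPI block beginning `/* If we've got GSSAPI algorithms, then we also support the` now anchors after `order_hostkeyalgs(host, hostaddr, port));` rather than after the `compat_kex_proposal(` assignment; if that block appends `null` to the server-host-key proposal, a one-line comment recording that it must follow `order_hostkeyalgs()` so the final ordered proposal is the one modified would keep the next refresh from re-anchoring it too early. The enclosing functions `ssh_kex2` and `key_alg_list` start and end outside the hunks shown.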