diff options
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 201 |
1 files changed, 99 insertions, 102 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 8bc83cace..aa9f25848 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 Mon Sep 17 00:00:00 2001 | 1 | From 374db1757fc18bd6647539b80977e6907a2cecd4 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -22,12 +22,12 @@ Last-Updated: 2016-01-04 | |||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
24 | ChangeLog.gssapi | 113 +++++++++++++++++++ | 24 | ChangeLog.gssapi | 113 +++++++++++++++++++ |
25 | Makefile.in | 5 +- | 25 | Makefile.in | 3 +- |
26 | auth-krb5.c | 17 ++- | 26 | auth-krb5.c | 17 ++- |
27 | auth.c | 3 +- | 27 | auth.c | 3 +- |
28 | auth2-gss.c | 48 +++++++- | 28 | auth2-gss.c | 48 +++++++- |
29 | auth2.c | 2 + | 29 | auth2.c | 2 + |
30 | clientloop.c | 13 +++ | 30 | clientloop.c | 15 ++- |
31 | config.h.in | 6 + | 31 | config.h.in | 6 + |
32 | configure.ac | 24 ++++ | 32 | configure.ac | 24 ++++ |
33 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- | 33 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- |
@@ -47,14 +47,14 @@ Patch-Name: gssapi.patch | |||
47 | servconf.h | 2 + | 47 | servconf.h | 2 + |
48 | ssh-gss.h | 41 ++++++- | 48 | ssh-gss.h | 41 ++++++- |
49 | ssh_config | 2 + | 49 | ssh_config | 2 + |
50 | ssh_config.5 | 36 +++++- | 50 | ssh_config.5 | 32 ++++++ |
51 | sshconnect2.c | 120 +++++++++++++++++++- | 51 | sshconnect2.c | 120 +++++++++++++++++++- |
52 | sshd.c | 110 ++++++++++++++++++ | 52 | sshd.c | 110 ++++++++++++++++++ |
53 | sshd_config | 2 + | 53 | sshd_config | 2 + |
54 | sshd_config.5 | 11 ++ | 54 | sshd_config.5 | 10 ++ |
55 | sshkey.c | 3 +- | 55 | sshkey.c | 3 +- |
56 | sshkey.h | 1 + | 56 | sshkey.h | 1 + |
57 | 33 files changed, 1955 insertions(+), 47 deletions(-) | 57 | 33 files changed, 1951 insertions(+), 46 deletions(-) |
58 | create mode 100644 ChangeLog.gssapi | 58 | create mode 100644 ChangeLog.gssapi |
59 | create mode 100644 kexgssc.c | 59 | create mode 100644 kexgssc.c |
60 | create mode 100644 kexgsss.c | 60 | create mode 100644 kexgsss.c |
@@ -179,19 +179,17 @@ index 0000000..f117a33 | |||
179 | + (from jbasney AT ncsa.uiuc.edu) | 179 | + (from jbasney AT ncsa.uiuc.edu) |
180 | + <gssapi-with-mic support is Bugzilla #1008> | 180 | + <gssapi-with-mic support is Bugzilla #1008> |
181 | diff --git a/Makefile.in b/Makefile.in | 181 | diff --git a/Makefile.in b/Makefile.in |
182 | index 40cc7aa..3d2a328 100644 | 182 | index d401787..0954c63 100644 |
183 | --- a/Makefile.in | 183 | --- a/Makefile.in |
184 | +++ b/Makefile.in | 184 | +++ b/Makefile.in |
185 | @@ -91,7 +91,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 185 | @@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
186 | sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ | ||
187 | kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ | 186 | kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ |
188 | kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ | 187 | kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ |
189 | - kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o | 188 | kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ |
190 | + kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ | 189 | + kexgssc.o \ |
191 | + kexgssc.o | 190 | platform-pledge.o |
192 | 191 | ||
193 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 192 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
194 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ | ||
195 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 193 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
196 | auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ | 194 | auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
197 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 195 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
@@ -200,9 +198,9 @@ index 40cc7aa..3d2a328 100644 | |||
200 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ | 198 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ |
201 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 199 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
202 | sftp-server.o sftp-common.o \ | 200 | sftp-server.o sftp-common.o \ |
203 | roaming_common.o roaming_serv.o \ | 201 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
204 | diff --git a/auth-krb5.c b/auth-krb5.c | 202 | diff --git a/auth-krb5.c b/auth-krb5.c |
205 | index 0089b18..ec47869 100644 | 203 | index d1c5a2f..f019fb1 100644 |
206 | --- a/auth-krb5.c | 204 | --- a/auth-krb5.c |
207 | +++ b/auth-krb5.c | 205 | +++ b/auth-krb5.c |
208 | @@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) | 206 | @@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) |
@@ -374,10 +372,10 @@ index 7177962..3f49bdc 100644 | |||
374 | #endif | 372 | #endif |
375 | &method_passwd, | 373 | &method_passwd, |
376 | diff --git a/clientloop.c b/clientloop.c | 374 | diff --git a/clientloop.c b/clientloop.c |
377 | index 87ceb3d..fba1b54 100644 | 375 | index 9820455..1567e4a 100644 |
378 | --- a/clientloop.c | 376 | --- a/clientloop.c |
379 | +++ b/clientloop.c | 377 | +++ b/clientloop.c |
380 | @@ -115,6 +115,10 @@ | 378 | @@ -114,6 +114,10 @@ |
381 | #include "ssherr.h" | 379 | #include "ssherr.h" |
382 | #include "hostfile.h" | 380 | #include "hostfile.h" |
383 | 381 | ||
@@ -388,11 +386,14 @@ index 87ceb3d..fba1b54 100644 | |||
388 | /* import options */ | 386 | /* import options */ |
389 | extern Options options; | 387 | extern Options options; |
390 | 388 | ||
391 | @@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 389 | @@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
390 | break; | ||
391 | |||
392 | /* Do channel operations unless rekeying in progress. */ | 392 | /* Do channel operations unless rekeying in progress. */ |
393 | if (!rekeying) { | 393 | - if (!ssh_packet_is_rekeying(active_state)) |
394 | + if (!ssh_packet_is_rekeying(active_state)) { | ||
394 | channel_after_select(readset, writeset); | 395 | channel_after_select(readset, writeset); |
395 | + | 396 | |
396 | +#ifdef GSSAPI | 397 | +#ifdef GSSAPI |
397 | + if (options.gss_renewal_rekey && | 398 | + if (options.gss_renewal_rekey && |
398 | + ssh_gssapi_credentials_updated(NULL)) { | 399 | + ssh_gssapi_credentials_updated(NULL)) { |
@@ -400,15 +401,16 @@ index 87ceb3d..fba1b54 100644 | |||
400 | + need_rekeying = 1; | 401 | + need_rekeying = 1; |
401 | + } | 402 | + } |
402 | +#endif | 403 | +#endif |
404 | + } | ||
403 | + | 405 | + |
404 | if (need_rekeying || packet_need_rekeying()) { | 406 | /* Buffer input from the connection. */ |
405 | debug("need rekeying"); | 407 | client_process_net_input(readset); |
406 | active_state->kex->done = 0; | 408 | |
407 | diff --git a/config.h.in b/config.h.in | 409 | diff --git a/config.h.in b/config.h.in |
408 | index 7500df5..97accd8 100644 | 410 | index 89bf1b0..621c139 100644 |
409 | --- a/config.h.in | 411 | --- a/config.h.in |
410 | +++ b/config.h.in | 412 | +++ b/config.h.in |
411 | @@ -1623,6 +1623,9 @@ | 413 | @@ -1641,6 +1641,9 @@ |
412 | /* Use btmp to log bad logins */ | 414 | /* Use btmp to log bad logins */ |
413 | #undef USE_BTMP | 415 | #undef USE_BTMP |
414 | 416 | ||
@@ -418,21 +420,21 @@ index 7500df5..97accd8 100644 | |||
418 | /* Use libedit for sftp */ | 420 | /* Use libedit for sftp */ |
419 | #undef USE_LIBEDIT | 421 | #undef USE_LIBEDIT |
420 | 422 | ||
421 | @@ -1638,6 +1641,9 @@ | 423 | @@ -1656,6 +1659,9 @@ |
422 | /* Use PIPES instead of a socketpair() */ | 424 | /* Use PIPES instead of a socketpair() */ |
423 | #undef USE_PIPES | 425 | #undef USE_PIPES |
424 | 426 | ||
425 | +/* platform has the Security Authorization Session API */ | 427 | +/* platform has the Security Authorization Session API */ |
426 | +#undef USE_SECURITY_SESSION_API | 428 | +#undef USE_SECURITY_SESSION_API |
427 | + | 429 | + |
428 | /* Define if you have Solaris process contracts */ | 430 | /* Define if you have Solaris privileges */ |
429 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 431 | #undef USE_SOLARIS_PRIVS |
430 | 432 | ||
431 | diff --git a/configure.ac b/configure.ac | 433 | diff --git a/configure.ac b/configure.ac |
432 | index 9b05c30..7a25603 100644 | 434 | index 7258cc0..5f1ff74 100644 |
433 | --- a/configure.ac | 435 | --- a/configure.ac |
434 | +++ b/configure.ac | 436 | +++ b/configure.ac |
435 | @@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 437 | @@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
436 | [Use tunnel device compatibility to OpenBSD]) | 438 | [Use tunnel device compatibility to OpenBSD]) |
437 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 439 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
438 | [Prepend the address family to IP tunnel traffic]) | 440 | [Prepend the address family to IP tunnel traffic]) |
@@ -1212,10 +1214,10 @@ index 53993d6..2f6baf7 100644 | |||
1212 | 1214 | ||
1213 | #endif | 1215 | #endif |
1214 | diff --git a/kex.c b/kex.c | 1216 | diff --git a/kex.c b/kex.c |
1215 | index b777b7d..390bb69 100644 | 1217 | index d371f47..913e923 100644 |
1216 | --- a/kex.c | 1218 | --- a/kex.c |
1217 | +++ b/kex.c | 1219 | +++ b/kex.c |
1218 | @@ -55,6 +55,10 @@ | 1220 | @@ -54,6 +54,10 @@ |
1219 | #include "sshbuf.h" | 1221 | #include "sshbuf.h" |
1220 | #include "digest.h" | 1222 | #include "digest.h" |
1221 | 1223 | ||
@@ -1226,7 +1228,7 @@ index b777b7d..390bb69 100644 | |||
1226 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1228 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1227 | # if defined(HAVE_EVP_SHA256) | 1229 | # if defined(HAVE_EVP_SHA256) |
1228 | # define evp_ssh_sha256 EVP_sha256 | 1230 | # define evp_ssh_sha256 EVP_sha256 |
1229 | @@ -97,6 +101,14 @@ static const struct kexalg kexalgs[] = { | 1231 | @@ -109,6 +113,14 @@ static const struct kexalg kexalgs[] = { |
1230 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ | 1232 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
1231 | { NULL, -1, -1, -1}, | 1233 | { NULL, -1, -1, -1}, |
1232 | }; | 1234 | }; |
@@ -1241,7 +1243,7 @@ index b777b7d..390bb69 100644 | |||
1241 | 1243 | ||
1242 | char * | 1244 | char * |
1243 | kex_alg_list(char sep) | 1245 | kex_alg_list(char sep) |
1244 | @@ -129,6 +141,10 @@ kex_alg_by_name(const char *name) | 1246 | @@ -141,6 +153,10 @@ kex_alg_by_name(const char *name) |
1245 | if (strcmp(k->name, name) == 0) | 1247 | if (strcmp(k->name, name) == 0) |
1246 | return k; | 1248 | return k; |
1247 | } | 1249 | } |
@@ -1253,10 +1255,10 @@ index b777b7d..390bb69 100644 | |||
1253 | } | 1255 | } |
1254 | 1256 | ||
1255 | diff --git a/kex.h b/kex.h | 1257 | diff --git a/kex.h b/kex.h |
1256 | index d71b532..ee46815 100644 | 1258 | index 1c58966..123ef83 100644 |
1257 | --- a/kex.h | 1259 | --- a/kex.h |
1258 | +++ b/kex.h | 1260 | +++ b/kex.h |
1259 | @@ -93,6 +93,9 @@ enum kex_exchange { | 1261 | @@ -92,6 +92,9 @@ enum kex_exchange { |
1260 | KEX_DH_GEX_SHA256, | 1262 | KEX_DH_GEX_SHA256, |
1261 | KEX_ECDH_SHA2, | 1263 | KEX_ECDH_SHA2, |
1262 | KEX_C25519_SHA256, | 1264 | KEX_C25519_SHA256, |
@@ -1266,7 +1268,7 @@ index d71b532..ee46815 100644 | |||
1266 | KEX_MAX | 1268 | KEX_MAX |
1267 | }; | 1269 | }; |
1268 | 1270 | ||
1269 | @@ -139,6 +142,12 @@ struct kex { | 1271 | @@ -140,6 +143,12 @@ struct kex { |
1270 | u_int flags; | 1272 | u_int flags; |
1271 | int hash_alg; | 1273 | int hash_alg; |
1272 | int ec_nid; | 1274 | int ec_nid; |
@@ -1279,7 +1281,7 @@ index d71b532..ee46815 100644 | |||
1279 | char *client_version_string; | 1281 | char *client_version_string; |
1280 | char *server_version_string; | 1282 | char *server_version_string; |
1281 | char *failed_choice; | 1283 | char *failed_choice; |
1282 | @@ -187,6 +196,11 @@ int kexecdh_server(struct ssh *); | 1284 | @@ -190,6 +199,11 @@ int kexecdh_server(struct ssh *); |
1283 | int kexc25519_client(struct ssh *); | 1285 | int kexc25519_client(struct ssh *); |
1284 | int kexc25519_server(struct ssh *); | 1286 | int kexc25519_server(struct ssh *); |
1285 | 1287 | ||
@@ -1935,10 +1937,10 @@ index 0000000..0847469 | |||
1935 | +} | 1937 | +} |
1936 | +#endif /* GSSAPI */ | 1938 | +#endif /* GSSAPI */ |
1937 | diff --git a/monitor.c b/monitor.c | 1939 | diff --git a/monitor.c b/monitor.c |
1938 | index a914209..2658aaa 100644 | 1940 | index ac7dd30..6c82023 100644 |
1939 | --- a/monitor.c | 1941 | --- a/monitor.c |
1940 | +++ b/monitor.c | 1942 | +++ b/monitor.c |
1941 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 1943 | @@ -156,6 +156,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
1942 | int mm_answer_gss_accept_ctx(int, Buffer *); | 1944 | int mm_answer_gss_accept_ctx(int, Buffer *); |
1943 | int mm_answer_gss_userok(int, Buffer *); | 1945 | int mm_answer_gss_userok(int, Buffer *); |
1944 | int mm_answer_gss_checkmic(int, Buffer *); | 1946 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -1947,7 +1949,7 @@ index a914209..2658aaa 100644 | |||
1947 | #endif | 1949 | #endif |
1948 | 1950 | ||
1949 | #ifdef SSH_AUDIT_EVENTS | 1951 | #ifdef SSH_AUDIT_EVENTS |
1950 | @@ -234,11 +236,18 @@ struct mon_table mon_dispatch_proto20[] = { | 1952 | @@ -233,11 +235,18 @@ struct mon_table mon_dispatch_proto20[] = { |
1951 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 1953 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
1952 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 1954 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
1953 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 1955 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -1966,7 +1968,7 @@ index a914209..2658aaa 100644 | |||
1966 | #ifdef WITH_OPENSSL | 1968 | #ifdef WITH_OPENSSL |
1967 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 1969 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
1968 | #endif | 1970 | #endif |
1969 | @@ -353,6 +362,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 1971 | @@ -352,6 +361,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
1970 | /* Permit requests for moduli and signatures */ | 1972 | /* Permit requests for moduli and signatures */ |
1971 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 1973 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
1972 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 1974 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -1977,7 +1979,7 @@ index a914209..2658aaa 100644 | |||
1977 | } else { | 1979 | } else { |
1978 | mon_dispatch = mon_dispatch_proto15; | 1980 | mon_dispatch = mon_dispatch_proto15; |
1979 | 1981 | ||
1980 | @@ -461,6 +474,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 1982 | @@ -460,6 +473,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
1981 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 1983 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
1982 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 1984 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
1983 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 1985 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -1988,7 +1990,7 @@ index a914209..2658aaa 100644 | |||
1988 | } else { | 1990 | } else { |
1989 | mon_dispatch = mon_dispatch_postauth15; | 1991 | mon_dispatch = mon_dispatch_postauth15; |
1990 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 1992 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
1991 | @@ -1864,6 +1881,13 @@ monitor_apply_keystate(struct monitor *pmonitor) | 1993 | @@ -1861,6 +1878,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
1992 | # endif | 1994 | # endif |
1993 | #endif /* WITH_OPENSSL */ | 1995 | #endif /* WITH_OPENSSL */ |
1994 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 1996 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2002,7 +2004,7 @@ index a914209..2658aaa 100644 | |||
2002 | kex->load_host_public_key=&get_hostkey_public_by_type; | 2004 | kex->load_host_public_key=&get_hostkey_public_by_type; |
2003 | kex->load_host_private_key=&get_hostkey_private_by_type; | 2005 | kex->load_host_private_key=&get_hostkey_private_by_type; |
2004 | kex->host_key_index=&get_hostkey_index; | 2006 | kex->host_key_index=&get_hostkey_index; |
2005 | @@ -1963,6 +1987,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2007 | @@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2006 | OM_uint32 major; | 2008 | OM_uint32 major; |
2007 | u_int len; | 2009 | u_int len; |
2008 | 2010 | ||
@@ -2012,7 +2014,7 @@ index a914209..2658aaa 100644 | |||
2012 | goid.elements = buffer_get_string(m, &len); | 2014 | goid.elements = buffer_get_string(m, &len); |
2013 | goid.length = len; | 2015 | goid.length = len; |
2014 | 2016 | ||
2015 | @@ -1990,6 +2017,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2017 | @@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2016 | OM_uint32 flags = 0; /* GSI needs this */ | 2018 | OM_uint32 flags = 0; /* GSI needs this */ |
2017 | u_int len; | 2019 | u_int len; |
2018 | 2020 | ||
@@ -2022,7 +2024,7 @@ index a914209..2658aaa 100644 | |||
2022 | in.value = buffer_get_string(m, &len); | 2024 | in.value = buffer_get_string(m, &len); |
2023 | in.length = len; | 2025 | in.length = len; |
2024 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2026 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2025 | @@ -2007,6 +2037,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2027 | @@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2026 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2028 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2027 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2029 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2028 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2030 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2030,7 +2032,7 @@ index a914209..2658aaa 100644 | |||
2030 | } | 2032 | } |
2031 | return (0); | 2033 | return (0); |
2032 | } | 2034 | } |
2033 | @@ -2018,6 +2049,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2035 | @@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2034 | OM_uint32 ret; | 2036 | OM_uint32 ret; |
2035 | u_int len; | 2037 | u_int len; |
2036 | 2038 | ||
@@ -2040,7 +2042,7 @@ index a914209..2658aaa 100644 | |||
2040 | gssbuf.value = buffer_get_string(m, &len); | 2042 | gssbuf.value = buffer_get_string(m, &len); |
2041 | gssbuf.length = len; | 2043 | gssbuf.length = len; |
2042 | mic.value = buffer_get_string(m, &len); | 2044 | mic.value = buffer_get_string(m, &len); |
2043 | @@ -2044,7 +2078,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2045 | @@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2044 | { | 2046 | { |
2045 | int authenticated; | 2047 | int authenticated; |
2046 | 2048 | ||
@@ -2053,7 +2055,7 @@ index a914209..2658aaa 100644 | |||
2053 | 2055 | ||
2054 | buffer_clear(m); | 2056 | buffer_clear(m); |
2055 | buffer_put_int(m, authenticated); | 2057 | buffer_put_int(m, authenticated); |
2056 | @@ -2057,5 +2095,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2058 | @@ -2054,5 +2092,73 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2057 | /* Monitor loop will terminate if authenticated */ | 2059 | /* Monitor loop will terminate if authenticated */ |
2058 | return (authenticated); | 2060 | return (authenticated); |
2059 | } | 2061 | } |
@@ -2142,7 +2144,7 @@ index 93b8b66..bc50ade 100644 | |||
2142 | 2144 | ||
2143 | struct mm_master; | 2145 | struct mm_master; |
2144 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2146 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2145 | index eac421b..81ceddb 100644 | 2147 | index c5db6df..74fbd2e 100644 |
2146 | --- a/monitor_wrap.c | 2148 | --- a/monitor_wrap.c |
2147 | +++ b/monitor_wrap.c | 2149 | +++ b/monitor_wrap.c |
2148 | @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2150 | @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
@@ -2206,7 +2208,7 @@ index eac421b..81ceddb 100644 | |||
2206 | #endif /* GSSAPI */ | 2208 | #endif /* GSSAPI */ |
2207 | 2209 | ||
2208 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2210 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2209 | index de4a08f..9758290 100644 | 2211 | index eb820ae..403f8d0 100644 |
2210 | --- a/monitor_wrap.h | 2212 | --- a/monitor_wrap.h |
2211 | +++ b/monitor_wrap.h | 2213 | +++ b/monitor_wrap.h |
2212 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); | 2214 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); |
@@ -2222,10 +2224,10 @@ index de4a08f..9758290 100644 | |||
2222 | 2224 | ||
2223 | #ifdef USE_PAM | 2225 | #ifdef USE_PAM |
2224 | diff --git a/readconf.c b/readconf.c | 2226 | diff --git a/readconf.c b/readconf.c |
2225 | index cd01482..56e0f44 100644 | 2227 | index 69d4553..d2a3d4b 100644 |
2226 | --- a/readconf.c | 2228 | --- a/readconf.c |
2227 | +++ b/readconf.c | 2229 | +++ b/readconf.c |
2228 | @@ -147,6 +147,8 @@ typedef enum { | 2230 | @@ -148,6 +148,8 @@ typedef enum { |
2229 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2231 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2230 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2232 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2231 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2233 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2234,7 +2236,7 @@ index cd01482..56e0f44 100644 | |||
2234 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2236 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2235 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2237 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2236 | oHashKnownHosts, | 2238 | oHashKnownHosts, |
2237 | @@ -192,10 +194,19 @@ static struct { | 2239 | @@ -193,10 +195,19 @@ static struct { |
2238 | { "afstokenpassing", oUnsupported }, | 2240 | { "afstokenpassing", oUnsupported }, |
2239 | #if defined(GSSAPI) | 2241 | #if defined(GSSAPI) |
2240 | { "gssapiauthentication", oGssAuthentication }, | 2242 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2254,7 +2256,7 @@ index cd01482..56e0f44 100644 | |||
2254 | #endif | 2256 | #endif |
2255 | { "fallbacktorsh", oDeprecated }, | 2257 | { "fallbacktorsh", oDeprecated }, |
2256 | { "usersh", oDeprecated }, | 2258 | { "usersh", oDeprecated }, |
2257 | @@ -894,10 +905,30 @@ parse_time: | 2259 | @@ -926,10 +937,30 @@ parse_time: |
2258 | intptr = &options->gss_authentication; | 2260 | intptr = &options->gss_authentication; |
2259 | goto parse_flag; | 2261 | goto parse_flag; |
2260 | 2262 | ||
@@ -2285,7 +2287,7 @@ index cd01482..56e0f44 100644 | |||
2285 | case oBatchMode: | 2287 | case oBatchMode: |
2286 | intptr = &options->batch_mode; | 2288 | intptr = &options->batch_mode; |
2287 | goto parse_flag; | 2289 | goto parse_flag; |
2288 | @@ -1601,7 +1632,12 @@ initialize_options(Options * options) | 2290 | @@ -1648,7 +1679,12 @@ initialize_options(Options * options) |
2289 | options->pubkey_authentication = -1; | 2291 | options->pubkey_authentication = -1; |
2290 | options->challenge_response_authentication = -1; | 2292 | options->challenge_response_authentication = -1; |
2291 | options->gss_authentication = -1; | 2293 | options->gss_authentication = -1; |
@@ -2298,7 +2300,7 @@ index cd01482..56e0f44 100644 | |||
2298 | options->password_authentication = -1; | 2300 | options->password_authentication = -1; |
2299 | options->kbd_interactive_authentication = -1; | 2301 | options->kbd_interactive_authentication = -1; |
2300 | options->kbd_interactive_devices = NULL; | 2302 | options->kbd_interactive_devices = NULL; |
2301 | @@ -1729,8 +1765,14 @@ fill_default_options(Options * options) | 2303 | @@ -1777,8 +1813,14 @@ fill_default_options(Options * options) |
2302 | options->challenge_response_authentication = 1; | 2304 | options->challenge_response_authentication = 1; |
2303 | if (options->gss_authentication == -1) | 2305 | if (options->gss_authentication == -1) |
2304 | options->gss_authentication = 0; | 2306 | options->gss_authentication = 0; |
@@ -2314,7 +2316,7 @@ index cd01482..56e0f44 100644 | |||
2314 | options->password_authentication = 1; | 2316 | options->password_authentication = 1; |
2315 | if (options->kbd_interactive_authentication == -1) | 2317 | if (options->kbd_interactive_authentication == -1) |
2316 | diff --git a/readconf.h b/readconf.h | 2318 | diff --git a/readconf.h b/readconf.h |
2317 | index bb2d552..e7e80c3 100644 | 2319 | index c84d068..37a0555 100644 |
2318 | --- a/readconf.h | 2320 | --- a/readconf.h |
2319 | +++ b/readconf.h | 2321 | +++ b/readconf.h |
2320 | @@ -45,7 +45,12 @@ typedef struct { | 2322 | @@ -45,7 +45,12 @@ typedef struct { |
@@ -2331,7 +2333,7 @@ index bb2d552..e7e80c3 100644 | |||
2331 | * authentication. */ | 2333 | * authentication. */ |
2332 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2334 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2333 | diff --git a/servconf.c b/servconf.c | 2335 | diff --git a/servconf.c b/servconf.c |
2334 | index 6c7a91e..cfe7029 100644 | 2336 | index b19d30e..b8af6dd 100644 |
2335 | --- a/servconf.c | 2337 | --- a/servconf.c |
2336 | +++ b/servconf.c | 2338 | +++ b/servconf.c |
2337 | @@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options) | 2339 | @@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options) |
@@ -2345,7 +2347,7 @@ index 6c7a91e..cfe7029 100644 | |||
2345 | options->password_authentication = -1; | 2347 | options->password_authentication = -1; |
2346 | options->kbd_interactive_authentication = -1; | 2348 | options->kbd_interactive_authentication = -1; |
2347 | options->challenge_response_authentication = -1; | 2349 | options->challenge_response_authentication = -1; |
2348 | @@ -275,10 +277,14 @@ fill_default_server_options(ServerOptions *options) | 2350 | @@ -287,10 +289,14 @@ fill_default_server_options(ServerOptions *options) |
2349 | options->kerberos_get_afs_token = 0; | 2351 | options->kerberos_get_afs_token = 0; |
2350 | if (options->gss_authentication == -1) | 2352 | if (options->gss_authentication == -1) |
2351 | options->gss_authentication = 0; | 2353 | options->gss_authentication = 0; |
@@ -2361,7 +2363,7 @@ index 6c7a91e..cfe7029 100644 | |||
2361 | if (options->password_authentication == -1) | 2363 | if (options->password_authentication == -1) |
2362 | options->password_authentication = 1; | 2364 | options->password_authentication = 1; |
2363 | if (options->kbd_interactive_authentication == -1) | 2365 | if (options->kbd_interactive_authentication == -1) |
2364 | @@ -412,6 +418,7 @@ typedef enum { | 2366 | @@ -419,6 +425,7 @@ typedef enum { |
2365 | sHostKeyAlgorithms, | 2367 | sHostKeyAlgorithms, |
2366 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 2368 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2367 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2369 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
@@ -2369,7 +2371,7 @@ index 6c7a91e..cfe7029 100644 | |||
2369 | sAcceptEnv, sPermitTunnel, | 2371 | sAcceptEnv, sPermitTunnel, |
2370 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2372 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2371 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2373 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2372 | @@ -485,12 +492,20 @@ static struct { | 2374 | @@ -492,12 +499,20 @@ static struct { |
2373 | #ifdef GSSAPI | 2375 | #ifdef GSSAPI |
2374 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2376 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2375 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2377 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2390,7 +2392,7 @@ index 6c7a91e..cfe7029 100644 | |||
2390 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2392 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2391 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2393 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2392 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2394 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2393 | @@ -1231,6 +1246,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2395 | @@ -1242,6 +1257,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2394 | intptr = &options->gss_authentication; | 2396 | intptr = &options->gss_authentication; |
2395 | goto parse_flag; | 2397 | goto parse_flag; |
2396 | 2398 | ||
@@ -2401,7 +2403,7 @@ index 6c7a91e..cfe7029 100644 | |||
2401 | case sGssCleanupCreds: | 2403 | case sGssCleanupCreds: |
2402 | intptr = &options->gss_cleanup_creds; | 2404 | intptr = &options->gss_cleanup_creds; |
2403 | goto parse_flag; | 2405 | goto parse_flag; |
2404 | @@ -1239,6 +1258,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2406 | @@ -1250,6 +1269,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2405 | intptr = &options->gss_strict_acceptor; | 2407 | intptr = &options->gss_strict_acceptor; |
2406 | goto parse_flag; | 2408 | goto parse_flag; |
2407 | 2409 | ||
@@ -2412,7 +2414,7 @@ index 6c7a91e..cfe7029 100644 | |||
2412 | case sPasswordAuthentication: | 2414 | case sPasswordAuthentication: |
2413 | intptr = &options->password_authentication; | 2415 | intptr = &options->password_authentication; |
2414 | goto parse_flag; | 2416 | goto parse_flag; |
2415 | @@ -2246,7 +2269,10 @@ dump_config(ServerOptions *o) | 2417 | @@ -2265,7 +2288,10 @@ dump_config(ServerOptions *o) |
2416 | #endif | 2418 | #endif |
2417 | #ifdef GSSAPI | 2419 | #ifdef GSSAPI |
2418 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2420 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2542,7 +2544,7 @@ index a99d7f0..914701b 100644 | |||
2542 | 2544 | ||
2543 | #endif /* _SSH_GSS_H */ | 2545 | #endif /* _SSH_GSS_H */ |
2544 | diff --git a/ssh_config b/ssh_config | 2546 | diff --git a/ssh_config b/ssh_config |
2545 | index 03a228f..228e5ab 100644 | 2547 | index 90fb63f..4e879cd 100644 |
2546 | --- a/ssh_config | 2548 | --- a/ssh_config |
2547 | +++ b/ssh_config | 2549 | +++ b/ssh_config |
2548 | @@ -26,6 +26,8 @@ | 2550 | @@ -26,6 +26,8 @@ |
@@ -2555,19 +2557,18 @@ index 03a228f..228e5ab 100644 | |||
2555 | # CheckHostIP yes | 2557 | # CheckHostIP yes |
2556 | # AddressFamily any | 2558 | # AddressFamily any |
2557 | diff --git a/ssh_config.5 b/ssh_config.5 | 2559 | diff --git a/ssh_config.5 b/ssh_config.5 |
2558 | index a47f3ca..cac8cda 100644 | 2560 | index caf13a6..9060d5b 100644 |
2559 | --- a/ssh_config.5 | 2561 | --- a/ssh_config.5 |
2560 | +++ b/ssh_config.5 | 2562 | +++ b/ssh_config.5 |
2561 | @@ -749,11 +749,45 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2563 | @@ -826,10 +826,42 @@ The default is |
2564 | Specifies whether user authentication based on GSSAPI is allowed. | ||
2562 | The default is | 2565 | The default is |
2563 | .Dq no . | 2566 | .Dq no . |
2564 | Note that this option applies to protocol version 2 only. | ||
2565 | +.It Cm GSSAPIKeyExchange | 2567 | +.It Cm GSSAPIKeyExchange |
2566 | +Specifies whether key exchange based on GSSAPI may be used. When using | 2568 | +Specifies whether key exchange based on GSSAPI may be used. When using |
2567 | +GSSAPI key exchange the server need not have a host key. | 2569 | +GSSAPI key exchange the server need not have a host key. |
2568 | +The default is | 2570 | +The default is |
2569 | +.Dq no . | 2571 | +.Dq no . |
2570 | +Note that this option applies to protocol version 2 only. | ||
2571 | +.It Cm GSSAPIClientIdentity | 2572 | +.It Cm GSSAPIClientIdentity |
2572 | +If set, specifies the GSSAPI client identity that ssh should use when | 2573 | +If set, specifies the GSSAPI client identity that ssh should use when |
2573 | +connecting to the server. The default is unset, which means that the default | 2574 | +connecting to the server. The default is unset, which means that the default |
@@ -2581,8 +2582,6 @@ index a47f3ca..cac8cda 100644 | |||
2581 | Forward (delegate) credentials to the server. | 2582 | Forward (delegate) credentials to the server. |
2582 | The default is | 2583 | The default is |
2583 | .Dq no . | 2584 | .Dq no . |
2584 | -Note that this option applies to protocol version 2 only. | ||
2585 | +Note that this option applies to protocol version 2 connections using GSSAPI. | ||
2586 | +.It Cm GSSAPIRenewalForcesRekey | 2585 | +.It Cm GSSAPIRenewalForcesRekey |
2587 | +If set to | 2586 | +If set to |
2588 | +.Dq yes | 2587 | +.Dq yes |
@@ -2601,15 +2600,14 @@ index a47f3ca..cac8cda 100644 | |||
2601 | +command line will be passed untouched to the GSSAPI library. | 2600 | +command line will be passed untouched to the GSSAPI library. |
2602 | +The default is | 2601 | +The default is |
2603 | +.Dq no . | 2602 | +.Dq no . |
2604 | +This option only applies to protocol version 2 connections using GSSAPI. | ||
2605 | .It Cm HashKnownHosts | 2603 | .It Cm HashKnownHosts |
2606 | Indicates that | 2604 | Indicates that |
2607 | .Xr ssh 1 | 2605 | .Xr ssh 1 |
2608 | diff --git a/sshconnect2.c b/sshconnect2.c | 2606 | diff --git a/sshconnect2.c b/sshconnect2.c |
2609 | index 7751031..32e9b0d 100644 | 2607 | index f79c96b..b452eae 100644 |
2610 | --- a/sshconnect2.c | 2608 | --- a/sshconnect2.c |
2611 | +++ b/sshconnect2.c | 2609 | +++ b/sshconnect2.c |
2612 | @@ -160,6 +160,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2610 | @@ -161,6 +161,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2613 | struct kex *kex; | 2611 | struct kex *kex; |
2614 | int r; | 2612 | int r; |
2615 | 2613 | ||
@@ -2621,7 +2619,7 @@ index 7751031..32e9b0d 100644 | |||
2621 | xxx_host = host; | 2619 | xxx_host = host; |
2622 | xxx_hostaddr = hostaddr; | 2620 | xxx_hostaddr = hostaddr; |
2623 | 2621 | ||
2624 | @@ -193,6 +198,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2622 | @@ -195,6 +200,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2625 | order_hostkeyalgs(host, hostaddr, port)); | 2623 | order_hostkeyalgs(host, hostaddr, port)); |
2626 | } | 2624 | } |
2627 | 2625 | ||
@@ -2655,7 +2653,7 @@ index 7751031..32e9b0d 100644 | |||
2655 | if (options.rekey_limit || options.rekey_interval) | 2653 | if (options.rekey_limit || options.rekey_interval) |
2656 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2654 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2657 | (time_t)options.rekey_interval); | 2655 | (time_t)options.rekey_interval); |
2658 | @@ -211,10 +243,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2656 | @@ -213,10 +245,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2659 | # endif | 2657 | # endif |
2660 | #endif | 2658 | #endif |
2661 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; | 2659 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; |
@@ -2685,8 +2683,8 @@ index 7751031..32e9b0d 100644 | |||
2685 | + | 2683 | + |
2686 | dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); | 2684 | dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); |
2687 | 2685 | ||
2688 | if (options.use_roaming && !kex->roaming) { | 2686 | /* remove ext-info from the KEX proposals for rekeying */ |
2689 | @@ -306,6 +358,7 @@ int input_gssapi_token(int type, u_int32_t, void *); | 2687 | @@ -311,6 +363,7 @@ int input_gssapi_token(int type, u_int32_t, void *); |
2690 | int input_gssapi_hash(int type, u_int32_t, void *); | 2688 | int input_gssapi_hash(int type, u_int32_t, void *); |
2691 | int input_gssapi_error(int, u_int32_t, void *); | 2689 | int input_gssapi_error(int, u_int32_t, void *); |
2692 | int input_gssapi_errtok(int, u_int32_t, void *); | 2690 | int input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2694,7 +2692,7 @@ index 7751031..32e9b0d 100644 | |||
2694 | #endif | 2692 | #endif |
2695 | 2693 | ||
2696 | void userauth(Authctxt *, char *); | 2694 | void userauth(Authctxt *, char *); |
2697 | @@ -321,6 +374,11 @@ static char *authmethods_get(void); | 2695 | @@ -326,6 +379,11 @@ static char *authmethods_get(void); |
2698 | 2696 | ||
2699 | Authmethod authmethods[] = { | 2697 | Authmethod authmethods[] = { |
2700 | #ifdef GSSAPI | 2698 | #ifdef GSSAPI |
@@ -2706,7 +2704,7 @@ index 7751031..32e9b0d 100644 | |||
2706 | {"gssapi-with-mic", | 2704 | {"gssapi-with-mic", |
2707 | userauth_gssapi, | 2705 | userauth_gssapi, |
2708 | NULL, | 2706 | NULL, |
2709 | @@ -627,19 +685,31 @@ userauth_gssapi(Authctxt *authctxt) | 2707 | @@ -656,19 +714,31 @@ userauth_gssapi(Authctxt *authctxt) |
2710 | static u_int mech = 0; | 2708 | static u_int mech = 0; |
2711 | OM_uint32 min; | 2709 | OM_uint32 min; |
2712 | int ok = 0; | 2710 | int ok = 0; |
@@ -2740,7 +2738,7 @@ index 7751031..32e9b0d 100644 | |||
2740 | ok = 1; /* Mechanism works */ | 2738 | ok = 1; /* Mechanism works */ |
2741 | } else { | 2739 | } else { |
2742 | mech++; | 2740 | mech++; |
2743 | @@ -736,8 +806,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2741 | @@ -765,8 +835,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2744 | { | 2742 | { |
2745 | Authctxt *authctxt = ctxt; | 2743 | Authctxt *authctxt = ctxt; |
2746 | Gssctxt *gssctxt; | 2744 | Gssctxt *gssctxt; |
@@ -2751,7 +2749,7 @@ index 7751031..32e9b0d 100644 | |||
2751 | 2749 | ||
2752 | if (authctxt == NULL) | 2750 | if (authctxt == NULL) |
2753 | fatal("input_gssapi_response: no authentication context"); | 2751 | fatal("input_gssapi_response: no authentication context"); |
2754 | @@ -850,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 2752 | @@ -879,6 +949,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2755 | free(lang); | 2753 | free(lang); |
2756 | return 0; | 2754 | return 0; |
2757 | } | 2755 | } |
@@ -2801,10 +2799,10 @@ index 7751031..32e9b0d 100644 | |||
2801 | 2799 | ||
2802 | int | 2800 | int |
2803 | diff --git a/sshd.c b/sshd.c | 2801 | diff --git a/sshd.c b/sshd.c |
2804 | index 43d4650..d659a68 100644 | 2802 | index 430569c..5cd9129 100644 |
2805 | --- a/sshd.c | 2803 | --- a/sshd.c |
2806 | +++ b/sshd.c | 2804 | +++ b/sshd.c |
2807 | @@ -126,6 +126,10 @@ | 2805 | @@ -125,6 +125,10 @@ |
2808 | #include "version.h" | 2806 | #include "version.h" |
2809 | #include "ssherr.h" | 2807 | #include "ssherr.h" |
2810 | 2808 | ||
@@ -2890,7 +2888,7 @@ index 43d4650..d659a68 100644 | |||
2890 | /* | 2888 | /* |
2891 | * We don't want to listen forever unless the other side | 2889 | * We don't want to listen forever unless the other side |
2892 | * successfully authenticates itself. So we set up an alarm which is | 2890 | * successfully authenticates itself. So we set up an alarm which is |
2893 | @@ -2569,6 +2630,48 @@ do_ssh2_kex(void) | 2891 | @@ -2571,6 +2632,48 @@ do_ssh2_kex(void) |
2894 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2892 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
2895 | list_hostkey_types()); | 2893 | list_hostkey_types()); |
2896 | 2894 | ||
@@ -2939,7 +2937,7 @@ index 43d4650..d659a68 100644 | |||
2939 | /* start key exchange */ | 2937 | /* start key exchange */ |
2940 | if ((r = kex_setup(active_state, myproposal)) != 0) | 2938 | if ((r = kex_setup(active_state, myproposal)) != 0) |
2941 | fatal("kex_setup: %s", ssh_err(r)); | 2939 | fatal("kex_setup: %s", ssh_err(r)); |
2942 | @@ -2583,6 +2686,13 @@ do_ssh2_kex(void) | 2940 | @@ -2585,6 +2688,13 @@ do_ssh2_kex(void) |
2943 | # endif | 2941 | # endif |
2944 | #endif | 2942 | #endif |
2945 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2943 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2954,7 +2952,7 @@ index 43d4650..d659a68 100644 | |||
2954 | kex->client_version_string=client_version_string; | 2952 | kex->client_version_string=client_version_string; |
2955 | kex->server_version_string=server_version_string; | 2953 | kex->server_version_string=server_version_string; |
2956 | diff --git a/sshd_config b/sshd_config | 2954 | diff --git a/sshd_config b/sshd_config |
2957 | index 4d77f05..64786c9 100644 | 2955 | index a848d73..f103298 100644 |
2958 | --- a/sshd_config | 2956 | --- a/sshd_config |
2959 | +++ b/sshd_config | 2957 | +++ b/sshd_config |
2960 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 2958 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
@@ -2967,23 +2965,22 @@ index 4d77f05..64786c9 100644 | |||
2967 | # Set this to 'yes' to enable PAM authentication, account processing, | 2965 | # Set this to 'yes' to enable PAM authentication, account processing, |
2968 | # and session processing. If this is enabled, PAM authentication will | 2966 | # and session processing. If this is enabled, PAM authentication will |
2969 | diff --git a/sshd_config.5 b/sshd_config.5 | 2967 | diff --git a/sshd_config.5 b/sshd_config.5 |
2970 | index b18d340..5491c89 100644 | 2968 | index a37a3ac..c6d6858 100644 |
2971 | --- a/sshd_config.5 | 2969 | --- a/sshd_config.5 |
2972 | +++ b/sshd_config.5 | 2970 | +++ b/sshd_config.5 |
2973 | @@ -621,6 +621,12 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2971 | @@ -623,6 +623,11 @@ The default is |
2972 | Specifies whether user authentication based on GSSAPI is allowed. | ||
2974 | The default is | 2973 | The default is |
2975 | .Dq no . | 2974 | .Dq no . |
2976 | Note that this option applies to protocol version 2 only. | ||
2977 | +.It Cm GSSAPIKeyExchange | 2975 | +.It Cm GSSAPIKeyExchange |
2978 | +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange | 2976 | +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange |
2979 | +doesn't rely on ssh keys to verify host identity. | 2977 | +doesn't rely on ssh keys to verify host identity. |
2980 | +The default is | 2978 | +The default is |
2981 | +.Dq no . | 2979 | +.Dq no . |
2982 | +Note that this option applies to protocol version 2 only. | ||
2983 | .It Cm GSSAPICleanupCredentials | 2980 | .It Cm GSSAPICleanupCredentials |
2984 | Specifies whether to automatically destroy the user's credentials cache | 2981 | Specifies whether to automatically destroy the user's credentials cache |
2985 | on logout. | 2982 | on logout. |
2986 | @@ -642,6 +648,11 @@ machine's default store. | 2983 | @@ -643,6 +648,11 @@ machine's default store. |
2987 | This facility is provided to assist with operation on multi homed machines. | 2984 | This facility is provided to assist with operation on multi homed machines. |
2988 | The default is | 2985 | The default is |
2989 | .Dq yes . | 2986 | .Dq yes . |
@@ -2996,28 +2993,28 @@ index b18d340..5491c89 100644 | |||
2996 | Specifies the key types that will be accepted for hostbased authentication | 2993 | Specifies the key types that will be accepted for hostbased authentication |
2997 | as a comma-separated pattern list. | 2994 | as a comma-separated pattern list. |
2998 | diff --git a/sshkey.c b/sshkey.c | 2995 | diff --git a/sshkey.c b/sshkey.c |
2999 | index 32dd8f2..5368e7c 100644 | 2996 | index 87b093e..e595b11 100644 |
3000 | --- a/sshkey.c | 2997 | --- a/sshkey.c |
3001 | +++ b/sshkey.c | 2998 | +++ b/sshkey.c |
3002 | @@ -112,6 +112,7 @@ static const struct keytype keytypes[] = { | 2999 | @@ -115,6 +115,7 @@ static const struct keytype keytypes[] = { |
3003 | # endif /* OPENSSL_HAS_NISTP521 */ | 3000 | # endif /* OPENSSL_HAS_NISTP521 */ |
3004 | # endif /* OPENSSL_HAS_ECC */ | 3001 | # endif /* OPENSSL_HAS_ECC */ |
3005 | #endif /* WITH_OPENSSL */ | 3002 | #endif /* WITH_OPENSSL */ |
3006 | + { "null", "null", KEY_NULL, 0, 0 }, | 3003 | + { "null", "null", KEY_NULL, 0, 0, 0 }, |
3007 | { NULL, NULL, -1, -1, 0 } | 3004 | { NULL, NULL, -1, -1, 0, 0 } |
3008 | }; | 3005 | }; |
3009 | 3006 | ||
3010 | @@ -200,7 +201,7 @@ key_alg_list(int certs_only, int plain_only) | 3007 | @@ -203,7 +204,7 @@ key_alg_list(int certs_only, int plain_only) |
3011 | const struct keytype *kt; | 3008 | const struct keytype *kt; |
3012 | 3009 | ||
3013 | for (kt = keytypes; kt->type != -1; kt++) { | 3010 | for (kt = keytypes; kt->type != -1; kt++) { |
3014 | - if (kt->name == NULL) | 3011 | - if (kt->name == NULL || kt->sigonly) |
3015 | + if (kt->name == NULL || kt->type == KEY_NULL) | 3012 | + if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL) |
3016 | continue; | 3013 | continue; |
3017 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 3014 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
3018 | continue; | 3015 | continue; |
3019 | diff --git a/sshkey.h b/sshkey.h | 3016 | diff --git a/sshkey.h b/sshkey.h |
3020 | index c8d3cdd..5cf4e5d 100644 | 3017 | index a20a14f..2259cbb 100644 |
3021 | --- a/sshkey.h | 3018 | --- a/sshkey.h |
3022 | +++ b/sshkey.h | 3019 | +++ b/sshkey.h |
3023 | @@ -62,6 +62,7 @@ enum sshkey_types { | 3020 | @@ -62,6 +62,7 @@ enum sshkey_types { |