summaryrefslogtreecommitdiff
path: root/debian/patches/gssapi.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch60
1 files changed, 30 insertions, 30 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index d78835bd6..786500feb 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
13 security history. 13 security history.
14Author: Simon Wilkinson <simon@sxw.org.uk> 14Author: Simon Wilkinson <simon@sxw.org.uk>
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16Last-Updated: 2010-02-27 16Last-Updated: 2012-09-07
17 17
18Index: b/ChangeLog.gssapi 18Index: b/ChangeLog.gssapi
19=================================================================== 19===================================================================
@@ -176,8 +176,8 @@ Index: b/auth-krb5.c
176 #ifndef HEIMDAL 176 #ifndef HEIMDAL
177 krb5_error_code 177 krb5_error_code
178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
179- int tmpfd, ret; 179- int tmpfd, ret, oerrno;
180+ int ret; 180+ int ret, oerrno;
181 char ccname[40]; 181 char ccname[40];
182 mode_t old_umask; 182 mode_t old_umask;
183+#ifdef USE_CCAPI 183+#ifdef USE_CCAPI
@@ -196,9 +196,9 @@ Index: b/auth-krb5.c
196+#ifndef USE_CCAPI 196+#ifndef USE_CCAPI
197 old_umask = umask(0177); 197 old_umask = umask(0177);
198 tmpfd = mkstemp(ccname + strlen("FILE:")); 198 tmpfd = mkstemp(ccname + strlen("FILE:"));
199 umask(old_umask); 199 oerrno = errno;
200@@ -249,6 +261,7 @@ 200@@ -251,6 +263,7 @@
201 return errno; 201 return oerrno;
202 } 202 }
203 close(tmpfd); 203 close(tmpfd);
204+#endif 204+#endif
@@ -327,7 +327,7 @@ Index: b/clientloop.c
327 /* import options */ 327 /* import options */
328 extern Options options; 328 extern Options options;
329 329
330@@ -1540,6 +1544,15 @@ 330@@ -1544,6 +1548,15 @@
331 /* Do channel operations unless rekeying in progress. */ 331 /* Do channel operations unless rekeying in progress. */
332 if (!rekeying) { 332 if (!rekeying) {
333 channel_after_select(readset, writeset); 333 channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
347=================================================================== 347===================================================================
348--- a/config.h.in 348--- a/config.h.in
349+++ b/config.h.in 349+++ b/config.h.in
350@@ -1465,6 +1465,9 @@ 350@@ -1471,6 +1471,9 @@
351 /* Use btmp to log bad logins */ 351 /* Use btmp to log bad logins */
352 #undef USE_BTMP 352 #undef USE_BTMP
353 353
@@ -357,7 +357,7 @@ Index: b/config.h.in
357 /* Use libedit for sftp */ 357 /* Use libedit for sftp */
358 #undef USE_LIBEDIT 358 #undef USE_LIBEDIT
359 359
360@@ -1480,6 +1483,9 @@ 360@@ -1486,6 +1489,9 @@
361 /* Use PIPES instead of a socketpair() */ 361 /* Use PIPES instead of a socketpair() */
362 #undef USE_PIPES 362 #undef USE_PIPES
363 363
@@ -1973,7 +1973,7 @@ Index: b/key.c
1973=================================================================== 1973===================================================================
1974--- a/key.c 1974--- a/key.c
1975+++ b/key.c 1975+++ b/key.c
1976@@ -971,6 +971,8 @@ 1976@@ -976,6 +976,8 @@
1977 } 1977 }
1978 break; 1978 break;
1979 #endif /* OPENSSL_HAS_ECC */ 1979 #endif /* OPENSSL_HAS_ECC */
@@ -1982,7 +1982,7 @@ Index: b/key.c
1982 } 1982 }
1983 return "ssh-unknown"; 1983 return "ssh-unknown";
1984 } 1984 }
1985@@ -1276,6 +1278,8 @@ 1985@@ -1281,6 +1283,8 @@
1986 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { 1986 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1987 return KEY_ECDSA_CERT; 1987 return KEY_ECDSA_CERT;
1988 #endif 1988 #endif
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
2059 } else { 2059 } else {
2060 mon_dispatch = mon_dispatch_postauth15; 2060 mon_dispatch = mon_dispatch_postauth15;
2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2062@@ -1803,6 +1820,13 @@ 2062@@ -1800,6 +1817,13 @@
2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
2073 kex->server = 1; 2073 kex->server = 1;
2074 kex->hostkey_type = buffer_get_int(m); 2074 kex->hostkey_type = buffer_get_int(m);
2075 kex->kex_type = buffer_get_int(m); 2075 kex->kex_type = buffer_get_int(m);
2076@@ -2009,6 +2033,9 @@ 2076@@ -2006,6 +2030,9 @@
2077 OM_uint32 major; 2077 OM_uint32 major;
2078 u_int len; 2078 u_int len;
2079 2079
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
2083 goid.elements = buffer_get_string(m, &len); 2083 goid.elements = buffer_get_string(m, &len);
2084 goid.length = len; 2084 goid.length = len;
2085 2085
2086@@ -2036,6 +2063,9 @@ 2086@@ -2033,6 +2060,9 @@
2087 OM_uint32 flags = 0; /* GSI needs this */ 2087 OM_uint32 flags = 0; /* GSI needs this */
2088 u_int len; 2088 u_int len;
2089 2089
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
2093 in.value = buffer_get_string(m, &len); 2093 in.value = buffer_get_string(m, &len);
2094 in.length = len; 2094 in.length = len;
2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2096@@ -2053,6 +2083,7 @@ 2096@@ -2050,6 +2080,7 @@
2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
2101 } 2101 }
2102 return (0); 2102 return (0);
2103 } 2103 }
2104@@ -2064,6 +2095,9 @@ 2104@@ -2061,6 +2092,9 @@
2105 OM_uint32 ret; 2105 OM_uint32 ret;
2106 u_int len; 2106 u_int len;
2107 2107
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
2111 gssbuf.value = buffer_get_string(m, &len); 2111 gssbuf.value = buffer_get_string(m, &len);
2112 gssbuf.length = len; 2112 gssbuf.length = len;
2113 mic.value = buffer_get_string(m, &len); 2113 mic.value = buffer_get_string(m, &len);
2114@@ -2090,7 +2124,11 @@ 2114@@ -2087,7 +2121,11 @@
2115 { 2115 {
2116 int authenticated; 2116 int authenticated;
2117 2117
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
2124 2124
2125 buffer_clear(m); 2125 buffer_clear(m);
2126 buffer_put_int(m, authenticated); 2126 buffer_put_int(m, authenticated);
2127@@ -2103,6 +2141,74 @@ 2127@@ -2100,6 +2138,74 @@
2128 /* Monitor loop will terminate if authenticated */ 2128 /* Monitor loop will terminate if authenticated */
2129 return (authenticated); 2129 return (authenticated);
2130 } 2130 }
@@ -2406,7 +2406,7 @@ Index: b/servconf.c
2406=================================================================== 2406===================================================================
2407--- a/servconf.c 2407--- a/servconf.c
2408+++ b/servconf.c 2408+++ b/servconf.c
2409@@ -97,7 +97,10 @@ 2409@@ -100,7 +100,10 @@
2410 options->kerberos_ticket_cleanup = -1; 2410 options->kerberos_ticket_cleanup = -1;
2411 options->kerberos_get_afs_token = -1; 2411 options->kerberos_get_afs_token = -1;
2412 options->gss_authentication=-1; 2412 options->gss_authentication=-1;
@@ -2417,7 +2417,7 @@ Index: b/servconf.c
2417 options->password_authentication = -1; 2417 options->password_authentication = -1;
2418 options->kbd_interactive_authentication = -1; 2418 options->kbd_interactive_authentication = -1;
2419 options->challenge_response_authentication = -1; 2419 options->challenge_response_authentication = -1;
2420@@ -225,8 +228,14 @@ 2420@@ -229,8 +232,14 @@
2421 options->kerberos_get_afs_token = 0; 2421 options->kerberos_get_afs_token = 0;
2422 if (options->gss_authentication == -1) 2422 if (options->gss_authentication == -1)
2423 options->gss_authentication = 0; 2423 options->gss_authentication = 0;
@@ -2432,7 +2432,7 @@ Index: b/servconf.c
2432 if (options->password_authentication == -1) 2432 if (options->password_authentication == -1)
2433 options->password_authentication = 1; 2433 options->password_authentication = 1;
2434 if (options->kbd_interactive_authentication == -1) 2434 if (options->kbd_interactive_authentication == -1)
2435@@ -318,7 +327,9 @@ 2435@@ -323,7 +332,9 @@
2436 sBanner, sUseDNS, sHostbasedAuthentication, 2436 sBanner, sUseDNS, sHostbasedAuthentication,
2437 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2437 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2438 sClientAliveCountMax, sAuthorizedKeysFile, 2438 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2443,7 +2443,7 @@ Index: b/servconf.c
2443 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2443 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2444 sUsePrivilegeSeparation, sAllowAgentForwarding, 2444 sUsePrivilegeSeparation, sAllowAgentForwarding,
2445 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2445 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2446@@ -382,10 +393,20 @@ 2446@@ -387,10 +398,20 @@
2447 #ifdef GSSAPI 2447 #ifdef GSSAPI
2448 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2448 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2449 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2449 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2464,7 +2464,7 @@ Index: b/servconf.c
2464 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2464 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2465 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2465 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2466 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2466 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2467@@ -962,10 +983,22 @@ 2467@@ -1031,10 +1052,22 @@
2468 intptr = &options->gss_authentication; 2468 intptr = &options->gss_authentication;
2469 goto parse_flag; 2469 goto parse_flag;
2470 2470
@@ -2487,7 +2487,7 @@ Index: b/servconf.c
2487 case sPasswordAuthentication: 2487 case sPasswordAuthentication:
2488 intptr = &options->password_authentication; 2488 intptr = &options->password_authentication;
2489 goto parse_flag; 2489 goto parse_flag;
2490@@ -1720,7 +1753,10 @@ 2490@@ -1868,7 +1901,10 @@
2491 #endif 2491 #endif
2492 #ifdef GSSAPI 2492 #ifdef GSSAPI
2493 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2493 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2893,7 +2893,7 @@ Index: b/sshd.c
2893 #ifdef LIBWRAP 2893 #ifdef LIBWRAP
2894 #include <tcpd.h> 2894 #include <tcpd.h>
2895 #include <syslog.h> 2895 #include <syslog.h>
2896@@ -1616,10 +1620,13 @@ 2896@@ -1607,10 +1611,13 @@
2897 logit("Disabling protocol version 1. Could not load host key"); 2897 logit("Disabling protocol version 1. Could not load host key");
2898 options.protocol &= ~SSH_PROTO_1; 2898 options.protocol &= ~SSH_PROTO_1;
2899 } 2899 }
@@ -2907,7 +2907,7 @@ Index: b/sshd.c
2907 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2907 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2908 logit("sshd: no hostkeys available -- exiting."); 2908 logit("sshd: no hostkeys available -- exiting.");
2909 exit(1); 2909 exit(1);
2910@@ -1948,6 +1955,60 @@ 2910@@ -1938,6 +1945,60 @@
2911 /* Log the connection. */ 2911 /* Log the connection. */
2912 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2912 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2913 2913
@@ -2968,7 +2968,7 @@ Index: b/sshd.c
2968 /* 2968 /*
2969 * We don't want to listen forever unless the other side 2969 * We don't want to listen forever unless the other side
2970 * successfully authenticates itself. So we set up an alarm which is 2970 * successfully authenticates itself. So we set up an alarm which is
2971@@ -2329,6 +2390,48 @@ 2971@@ -2319,6 +2380,48 @@
2972 2972
2973 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2973 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2974 2974
@@ -3017,7 +3017,7 @@ Index: b/sshd.c
3017 /* start key exchange */ 3017 /* start key exchange */
3018 kex = kex_setup(myproposal); 3018 kex = kex_setup(myproposal);
3019 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3019 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3020@@ -2336,6 +2439,13 @@ 3020@@ -2326,6 +2429,13 @@
3021 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3021 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3022 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3022 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3023 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3023 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3035,7 +3035,7 @@ Index: b/sshd_config
3035=================================================================== 3035===================================================================
3036--- a/sshd_config 3036--- a/sshd_config
3037+++ b/sshd_config 3037+++ b/sshd_config
3038@@ -75,6 +75,8 @@ 3038@@ -77,6 +77,8 @@
3039 # GSSAPI options 3039 # GSSAPI options
3040 #GSSAPIAuthentication no 3040 #GSSAPIAuthentication no
3041 #GSSAPICleanupCredentials yes 3041 #GSSAPICleanupCredentials yes
@@ -3048,7 +3048,7 @@ Index: b/sshd_config.5
3048=================================================================== 3048===================================================================
3049--- a/sshd_config.5 3049--- a/sshd_config.5
3050+++ b/sshd_config.5 3050+++ b/sshd_config.5
3051@@ -424,12 +424,40 @@ 3051@@ -426,12 +426,40 @@
3052 The default is 3052 The default is
3053 .Dq no . 3053 .Dq no .
3054 Note that this option applies to protocol version 2 only. 3054 Note that this option applies to protocol version 2 only.