Diffstat (limited to 'debian/patches')
29 files changed, 464 insertions, 687 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index 84a14cfb8..491656be2 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1ecd5db58295874d8b9a7ce98fe1880ab08fbcaf Mon Sep 17 00:00:00 2001 | 1 | From c9c2ebb4680ea6872218b1e4519fe31a2043a27a Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 |
4 | Subject: Quieten logs when multiple from= restrictions are used | 4 | Subject: Quieten logs when multiple from= restrictions are used |
@@ -16,10 +16,10 @@ Patch-Name: auth-log-verbosity.patch | |||
16 | 4 files changed, 32 insertions(+), 9 deletions(-) | 16 | 4 files changed, 32 insertions(+), 9 deletions(-) |
17 | 17 | ||
18 | diff --git a/auth-options.c b/auth-options.c | 18 | diff --git a/auth-options.c b/auth-options.c |
19 | index f3d9c9d..d4d22d7 100644 | 19 | index 4f0da9c..3fa236e 100644 |
20 | --- a/auth-options.c | 20 | --- a/auth-options.c |
21 | +++ b/auth-options.c | 21 | +++ b/auth-options.c |
22 | @@ -54,9 +54,20 @@ int forced_tun_device = -1; | 22 | @@ -58,9 +58,20 @@ int forced_tun_device = -1; |
23 | /* "principals=" option. */ | 23 | /* "principals=" option. */ |
24 | char *authorized_principals = NULL; | 24 | char *authorized_principals = NULL; |
25 | 25 | ||
@@ -40,7 +40,7 @@ index f3d9c9d..d4d22d7 100644 | |||
40 | auth_clear_options(void) | 40 | auth_clear_options(void) |
41 | { | 41 | { |
42 | no_agent_forwarding_flag = 0; | 42 | no_agent_forwarding_flag = 0; |
43 | @@ -284,10 +295,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | 43 | @@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
44 | /* FALLTHROUGH */ | 44 | /* FALLTHROUGH */ |
45 | case 0: | 45 | case 0: |
46 | free(patterns); | 46 | free(patterns); |
@@ -58,7 +58,7 @@ index f3d9c9d..d4d22d7 100644 | |||
58 | auth_debug_add("Your host '%.200s' is not " | 58 | auth_debug_add("Your host '%.200s' is not " |
59 | "permitted to use this key for login.", | 59 | "permitted to use this key for login.", |
60 | remote_host); | 60 | remote_host); |
61 | @@ -511,11 +525,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, | 61 | @@ -514,11 +528,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, |
62 | break; | 62 | break; |
63 | case 0: | 63 | case 0: |
64 | /* no match */ | 64 | /* no match */ |
@@ -79,7 +79,7 @@ index f3d9c9d..d4d22d7 100644 | |||
79 | "is not permitted to use this " | 79 | "is not permitted to use this " |
80 | "certificate for login.", | 80 | "certificate for login.", |
81 | diff --git a/auth-options.h b/auth-options.h | 81 | diff --git a/auth-options.h b/auth-options.h |
82 | index 7455c94..a3f0a02 100644 | 82 | index 34852e5..1653855 100644 |
83 | --- a/auth-options.h | 83 | --- a/auth-options.h |
84 | +++ b/auth-options.h | 84 | +++ b/auth-options.h |
85 | @@ -33,6 +33,7 @@ extern int forced_tun_device; | 85 | @@ -33,6 +33,7 @@ extern int forced_tun_device; |
@@ -89,12 +89,12 @@ index 7455c94..a3f0a02 100644 | |||
89 | +void auth_start_parse_options(void); | 89 | +void auth_start_parse_options(void); |
90 | int auth_parse_options(struct passwd *, char *, char *, u_long); | 90 | int auth_parse_options(struct passwd *, char *, char *, u_long); |
91 | void auth_clear_options(void); | 91 | void auth_clear_options(void); |
92 | int auth_cert_options(Key *, struct passwd *); | 92 | int auth_cert_options(struct sshkey *, struct passwd *); |
93 | diff --git a/auth-rsa.c b/auth-rsa.c | 93 | diff --git a/auth-rsa.c b/auth-rsa.c |
94 | index e9f4ede..5d7bdcb 100644 | 94 | index cbd971b..4cf2163 100644 |
95 | --- a/auth-rsa.c | 95 | --- a/auth-rsa.c |
96 | +++ b/auth-rsa.c | 96 | +++ b/auth-rsa.c |
97 | @@ -179,6 +179,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, | 97 | @@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, |
98 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) | 98 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) |
99 | return 0; | 99 | return 0; |
100 | 100 | ||
@@ -104,10 +104,10 @@ index e9f4ede..5d7bdcb 100644 | |||
104 | * Go though the accepted keys, looking for the current key. If | 104 | * Go though the accepted keys, looking for the current key. If |
105 | * found, perform a challenge-response dialog to verify that the | 105 | * found, perform a challenge-response dialog to verify that the |
106 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c | 106 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c |
107 | index f3ca965..f78b046 100644 | 107 | index d943efa..0bda5c9 100644 |
108 | --- a/auth2-pubkey.c | 108 | --- a/auth2-pubkey.c |
109 | +++ b/auth2-pubkey.c | 109 | +++ b/auth2-pubkey.c |
110 | @@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) | 110 | @@ -282,6 +282,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) |
111 | restore_uid(); | 111 | restore_uid(); |
112 | return 0; | 112 | return 0; |
113 | } | 113 | } |
@@ -115,7 +115,7 @@ index f3ca965..f78b046 100644 | |||
115 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 115 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
116 | /* Skip leading whitespace. */ | 116 | /* Skip leading whitespace. */ |
117 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | 117 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
118 | @@ -324,6 +325,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) | 118 | @@ -343,6 +344,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) |
119 | found_key = 0; | 119 | found_key = 0; |
120 | 120 | ||
121 | found = NULL; | 121 | found = NULL; |
@@ -123,7 +123,7 @@ index f3ca965..f78b046 100644 | |||
123 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 123 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
124 | char *cp, *key_options = NULL; | 124 | char *cp, *key_options = NULL; |
125 | if (found != NULL) | 125 | if (found != NULL) |
126 | @@ -459,6 +461,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | 126 | @@ -482,6 +484,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) |
127 | if (key_cert_check_authority(key, 0, 1, | 127 | if (key_cert_check_authority(key, 0, 1, |
128 | principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) | 128 | principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) |
129 | goto fail_reason; | 129 | goto fail_reason; |
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index 6afb0420b..eb398f6a4 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 19b0441502c07401dd6d418f8f81cc7f1a44ccb1 Mon Sep 17 00:00:00 2001 | 1 | From 8a1a563ee326222155c74454e11e6ed62297c403 Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch | |||
13 | 1 file changed, 1 insertion(+) | 13 | 1 file changed, 1 insertion(+) |
14 | 14 | ||
15 | diff --git a/Makefile.in b/Makefile.in | 15 | diff --git a/Makefile.in b/Makefile.in |
16 | index c4cb8ea..a4402e9 100644 | 16 | index c406aec..37cb023 100644 |
17 | --- a/Makefile.in | 17 | --- a/Makefile.in |
18 | +++ b/Makefile.in | 18 | +++ b/Makefile.in |
19 | @@ -309,6 +309,7 @@ install-files: | 19 | @@ -325,6 +325,7 @@ install-files: |
20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | 20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 |
21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | 21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 |
22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch index e50c77f62..0438b8f74 100644 --- a/debian/patches/consolekit.patch +++ b/debian/patches/consolekit.patch | |||
@@ -1,15 +1,14 @@ | |||
1 | From f51fe0c55e54c12db952624e980d18f39c41e581 Mon Sep 17 00:00:00 2001 | 1 | From 8b3111d597316954caaf8ddf2e7746491976c248 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:57 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:57 +0000 |
4 | Subject: Add support for registering ConsoleKit sessions on login | 4 | Subject: Add support for registering ConsoleKit sessions on login |
5 | 5 | ||
6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 | 6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 |
7 | Last-Updated: 2014-10-07 | 7 | Last-Updated: 2015-08-19 |
8 | 8 | ||
9 | Patch-Name: consolekit.patch | 9 | Patch-Name: consolekit.patch |
10 | --- | 10 | --- |
11 | Makefile.in | 3 +- | 11 | Makefile.in | 3 +- |
12 | configure | 132 +++++++++++++++++++++++++++++++ | ||
13 | configure.ac | 25 ++++++ | 12 | configure.ac | 25 ++++++ |
14 | consolekit.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 13 | consolekit.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
15 | consolekit.h | 24 ++++++ | 14 | consolekit.h | 24 ++++++ |
@@ -19,15 +18,15 @@ Patch-Name: consolekit.patch | |||
19 | monitor_wrap.h | 4 + | 18 | monitor_wrap.h | 4 + |
20 | session.c | 13 ++++ | 19 | session.c | 13 ++++ |
21 | session.h | 6 ++ | 20 | session.h | 6 ++ |
22 | 11 files changed, 521 insertions(+), 1 deletion(-) | 21 | 10 files changed, 389 insertions(+), 1 deletion(-) |
23 | create mode 100644 consolekit.c | 22 | create mode 100644 consolekit.c |
24 | create mode 100644 consolekit.h | 23 | create mode 100644 consolekit.h |
25 | 24 | ||
26 | diff --git a/Makefile.in b/Makefile.in | 25 | diff --git a/Makefile.in b/Makefile.in |
27 | index 086d8dd..c4cb8ea 100644 | 26 | index 3d2a328..c406aec 100644 |
28 | --- a/Makefile.in | 27 | --- a/Makefile.in |
29 | +++ b/Makefile.in | 28 | +++ b/Makefile.in |
30 | @@ -107,7 +107,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 29 | @@ -111,7 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
31 | sftp-server.o sftp-common.o \ | 30 | sftp-server.o sftp-common.o \ |
32 | roaming_common.o roaming_serv.o \ | 31 | roaming_common.o roaming_serv.o \ |
33 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ | 32 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
@@ -37,175 +36,11 @@ index 086d8dd..c4cb8ea 100644 | |||
37 | 36 | ||
38 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | 37 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out |
39 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 | 38 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 |
40 | diff --git a/configure b/configure | ||
41 | index ea5f200..7be478a 100755 | ||
42 | --- a/configure | ||
43 | +++ b/configure | ||
44 | @@ -739,6 +739,7 @@ with_privsep_user | ||
45 | with_sandbox | ||
46 | with_selinux | ||
47 | with_kerberos5 | ||
48 | +with_consolekit | ||
49 | with_privsep_path | ||
50 | with_xauth | ||
51 | enable_strip | ||
52 | @@ -1430,6 +1431,7 @@ Optional Packages: | ||
53 | --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) | ||
54 | --with-selinux Enable SELinux support | ||
55 | --with-kerberos5=PATH Enable Kerberos 5 support | ||
56 | + --with-consolekit Enable ConsoleKit support | ||
57 | --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) | ||
58 | --with-xauth=PATH Specify path to xauth program | ||
59 | --with-maildir=/path/to/mail Specify your system mail directory | ||
60 | @@ -17211,6 +17213,135 @@ fi | ||
61 | |||
62 | |||
63 | |||
64 | +# Check whether user wants ConsoleKit support | ||
65 | +CONSOLEKIT_MSG="no" | ||
66 | +LIBCK_CONNECTOR="" | ||
67 | + | ||
68 | +# Check whether --with-consolekit was given. | ||
69 | +if test "${with_consolekit+set}" = set; then : | ||
70 | + withval=$with_consolekit; if test "x$withval" != "xno" ; then | ||
71 | + if test -n "$ac_tool_prefix"; then | ||
72 | + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. | ||
73 | +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 | ||
74 | +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
75 | +$as_echo_n "checking for $ac_word... " >&6; } | ||
76 | +if ${ac_cv_path_PKGCONFIG+:} false; then : | ||
77 | + $as_echo_n "(cached) " >&6 | ||
78 | +else | ||
79 | + case $PKGCONFIG in | ||
80 | + [\\/]* | ?:[\\/]*) | ||
81 | + ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path. | ||
82 | + ;; | ||
83 | + *) | ||
84 | + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
85 | +for as_dir in $PATH | ||
86 | +do | ||
87 | + IFS=$as_save_IFS | ||
88 | + test -z "$as_dir" && as_dir=. | ||
89 | + for ac_exec_ext in '' $ac_executable_extensions; do | ||
90 | + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then | ||
91 | + ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext" | ||
92 | + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | ||
93 | + break 2 | ||
94 | + fi | ||
95 | +done | ||
96 | + done | ||
97 | +IFS=$as_save_IFS | ||
98 | + | ||
99 | + ;; | ||
100 | +esac | ||
101 | +fi | ||
102 | +PKGCONFIG=$ac_cv_path_PKGCONFIG | ||
103 | +if test -n "$PKGCONFIG"; then | ||
104 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKGCONFIG" >&5 | ||
105 | +$as_echo "$PKGCONFIG" >&6; } | ||
106 | +else | ||
107 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
108 | +$as_echo "no" >&6; } | ||
109 | +fi | ||
110 | + | ||
111 | + | ||
112 | +fi | ||
113 | +if test -z "$ac_cv_path_PKGCONFIG"; then | ||
114 | + ac_pt_PKGCONFIG=$PKGCONFIG | ||
115 | + # Extract the first word of "pkg-config", so it can be a program name with args. | ||
116 | +set dummy pkg-config; ac_word=$2 | ||
117 | +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
118 | +$as_echo_n "checking for $ac_word... " >&6; } | ||
119 | +if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then : | ||
120 | + $as_echo_n "(cached) " >&6 | ||
121 | +else | ||
122 | + case $ac_pt_PKGCONFIG in | ||
123 | + [\\/]* | ?:[\\/]*) | ||
124 | + ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path. | ||
125 | + ;; | ||
126 | + *) | ||
127 | + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
128 | +for as_dir in $PATH | ||
129 | +do | ||
130 | + IFS=$as_save_IFS | ||
131 | + test -z "$as_dir" && as_dir=. | ||
132 | + for ac_exec_ext in '' $ac_executable_extensions; do | ||
133 | + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then | ||
134 | + ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext" | ||
135 | + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | ||
136 | + break 2 | ||
137 | + fi | ||
138 | +done | ||
139 | + done | ||
140 | +IFS=$as_save_IFS | ||
141 | + | ||
142 | + ;; | ||
143 | +esac | ||
144 | +fi | ||
145 | +ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG | ||
146 | +if test -n "$ac_pt_PKGCONFIG"; then | ||
147 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5 | ||
148 | +$as_echo "$ac_pt_PKGCONFIG" >&6; } | ||
149 | +else | ||
150 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
151 | +$as_echo "no" >&6; } | ||
152 | +fi | ||
153 | + | ||
154 | + if test "x$ac_pt_PKGCONFIG" = x; then | ||
155 | + PKGCONFIG="no" | ||
156 | + else | ||
157 | + case $cross_compiling:$ac_tool_warned in | ||
158 | +yes:) | ||
159 | +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 | ||
160 | +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} | ||
161 | +ac_tool_warned=yes ;; | ||
162 | +esac | ||
163 | + PKGCONFIG=$ac_pt_PKGCONFIG | ||
164 | + fi | ||
165 | +else | ||
166 | + PKGCONFIG="$ac_cv_path_PKGCONFIG" | ||
167 | +fi | ||
168 | + | ||
169 | + if test "$PKGCONFIG" != "no"; then | ||
170 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ck-connector" >&5 | ||
171 | +$as_echo_n "checking for ck-connector... " >&6; } | ||
172 | + if $PKGCONFIG --exists ck-connector; then | ||
173 | + CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector` | ||
174 | + CKCON_LIBS=`$PKGCONFIG --libs ck-connector` | ||
175 | + CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS" | ||
176 | + SSHDLIBS="$SSHDLIBS $CKCON_LIBS" | ||
177 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
178 | +$as_echo "yes" >&6; } | ||
179 | + | ||
180 | +$as_echo "#define USE_CONSOLEKIT 1" >>confdefs.h | ||
181 | + | ||
182 | + CONSOLEKIT_MSG="yes" | ||
183 | + else | ||
184 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
185 | +$as_echo "no" >&6; } | ||
186 | + fi | ||
187 | + fi | ||
188 | + fi | ||
189 | + | ||
190 | +fi | ||
191 | + | ||
192 | + | ||
193 | # Looking for programs, paths and files | ||
194 | |||
195 | PRIVSEP_PATH=/var/empty | ||
196 | @@ -19739,6 +19870,7 @@ echo " MD5 password support: $MD5_MSG" | ||
197 | echo " libedit support: $LIBEDIT_MSG" | ||
198 | echo " Solaris process contract support: $SPC_MSG" | ||
199 | echo " Solaris project support: $SP_MSG" | ||
200 | +echo " ConsoleKit support: $CONSOLEKIT_MSG" | ||
201 | echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" | ||
202 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | ||
203 | echo " BSD Auth support: $BSD_AUTH_MSG" | ||
204 | diff --git a/configure.ac b/configure.ac | 39 | diff --git a/configure.ac b/configure.ac |
205 | index 7f160f1..f5c65c5 100644 | 40 | index 5f606ea..f7ce777 100644 |
206 | --- a/configure.ac | 41 | --- a/configure.ac |
207 | +++ b/configure.ac | 42 | +++ b/configure.ac |
208 | @@ -4113,6 +4113,30 @@ AC_ARG_WITH([kerberos5], | 43 | @@ -4180,6 +4180,30 @@ AC_ARG_WITH([kerberos5], |
209 | AC_SUBST([GSSLIBS]) | 44 | AC_SUBST([GSSLIBS]) |
210 | AC_SUBST([K5LIBS]) | 45 | AC_SUBST([K5LIBS]) |
211 | 46 | ||
@@ -236,7 +71,7 @@ index 7f160f1..f5c65c5 100644 | |||
236 | # Looking for programs, paths and files | 71 | # Looking for programs, paths and files |
237 | 72 | ||
238 | PRIVSEP_PATH=/var/empty | 73 | PRIVSEP_PATH=/var/empty |
239 | @@ -4914,6 +4938,7 @@ echo " MD5 password support: $MD5_MSG" | 74 | @@ -4981,6 +5005,7 @@ echo " MD5 password support: $MD5_MSG" |
240 | echo " libedit support: $LIBEDIT_MSG" | 75 | echo " libedit support: $LIBEDIT_MSG" |
241 | echo " Solaris process contract support: $SPC_MSG" | 76 | echo " Solaris process contract support: $SPC_MSG" |
242 | echo " Solaris project support: $SP_MSG" | 77 | echo " Solaris project support: $SP_MSG" |
@@ -522,20 +357,20 @@ index 0000000..8ce3716 | |||
522 | + | 357 | + |
523 | +#endif /* USE_CONSOLEKIT */ | 358 | +#endif /* USE_CONSOLEKIT */ |
524 | diff --git a/monitor.c b/monitor.c | 359 | diff --git a/monitor.c b/monitor.c |
525 | index 94b194d..cc15ce4 100644 | 360 | index 6ff05e4..ce7ba07 100644 |
526 | --- a/monitor.c | 361 | --- a/monitor.c |
527 | +++ b/monitor.c | 362 | +++ b/monitor.c |
528 | @@ -100,6 +100,9 @@ | 363 | @@ -104,6 +104,9 @@ |
529 | #include "ssh2.h" | ||
530 | #include "roaming.h" | ||
531 | #include "authfd.h" | 364 | #include "authfd.h" |
365 | #include "match.h" | ||
366 | #include "ssherr.h" | ||
532 | +#ifdef USE_CONSOLEKIT | 367 | +#ifdef USE_CONSOLEKIT |
533 | +#include "consolekit.h" | 368 | +#include "consolekit.h" |
534 | +#endif | 369 | +#endif |
535 | 370 | ||
536 | #ifdef GSSAPI | 371 | #ifdef GSSAPI |
537 | static Gssctxt *gsscontext = NULL; | 372 | static Gssctxt *gsscontext = NULL; |
538 | @@ -190,6 +193,10 @@ int mm_answer_audit_command(int, Buffer *); | 373 | @@ -169,6 +172,10 @@ int mm_answer_audit_command(int, Buffer *); |
539 | 374 | ||
540 | static int monitor_read_log(struct monitor *); | 375 | static int monitor_read_log(struct monitor *); |
541 | 376 | ||
@@ -546,7 +381,7 @@ index 94b194d..cc15ce4 100644 | |||
546 | static Authctxt *authctxt; | 381 | static Authctxt *authctxt; |
547 | 382 | ||
548 | #ifdef WITH_SSH1 | 383 | #ifdef WITH_SSH1 |
549 | @@ -282,6 +289,9 @@ struct mon_table mon_dispatch_postauth20[] = { | 384 | @@ -261,6 +268,9 @@ struct mon_table mon_dispatch_postauth20[] = { |
550 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 385 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
551 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, | 386 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, |
552 | #endif | 387 | #endif |
@@ -556,7 +391,7 @@ index 94b194d..cc15ce4 100644 | |||
556 | {0, 0, NULL} | 391 | {0, 0, NULL} |
557 | }; | 392 | }; |
558 | 393 | ||
559 | @@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = { | 394 | @@ -306,6 +316,9 @@ struct mon_table mon_dispatch_postauth15[] = { |
560 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 395 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
561 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, | 396 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, |
562 | #endif | 397 | #endif |
@@ -566,7 +401,7 @@ index 94b194d..cc15ce4 100644 | |||
566 | #endif /* WITH_SSH1 */ | 401 | #endif /* WITH_SSH1 */ |
567 | {0, 0, NULL} | 402 | {0, 0, NULL} |
568 | }; | 403 | }; |
569 | @@ -509,6 +522,9 @@ monitor_child_postauth(struct monitor *pmonitor) | 404 | @@ -488,6 +501,9 @@ monitor_child_postauth(struct monitor *pmonitor) |
570 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 405 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
571 | monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); | 406 | monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); |
572 | } | 407 | } |
@@ -576,7 +411,7 @@ index 94b194d..cc15ce4 100644 | |||
576 | 411 | ||
577 | for (;;) | 412 | for (;;) |
578 | monitor_read(pmonitor, mon_dispatch, NULL); | 413 | monitor_read(pmonitor, mon_dispatch, NULL); |
579 | @@ -2296,3 +2312,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { | 414 | @@ -2187,3 +2203,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { |
580 | 415 | ||
581 | #endif /* GSSAPI */ | 416 | #endif /* GSSAPI */ |
582 | 417 | ||
@@ -607,7 +442,7 @@ index 94b194d..cc15ce4 100644 | |||
607 | +} | 442 | +} |
608 | +#endif /* USE_CONSOLEKIT */ | 443 | +#endif /* USE_CONSOLEKIT */ |
609 | diff --git a/monitor.h b/monitor.h | 444 | diff --git a/monitor.h b/monitor.h |
610 | index 4d5e8fa..10ba59e 100644 | 445 | index 2d82b8b..fd8d92c 100644 |
611 | --- a/monitor.h | 446 | --- a/monitor.h |
612 | +++ b/monitor.h | 447 | +++ b/monitor.h |
613 | @@ -70,6 +70,8 @@ enum monitor_reqtype { | 448 | @@ -70,6 +70,8 @@ enum monitor_reqtype { |
@@ -620,10 +455,10 @@ index 4d5e8fa..10ba59e 100644 | |||
620 | 455 | ||
621 | struct mm_master; | 456 | struct mm_master; |
622 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 457 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
623 | index 6dc890a..4c57d4d 100644 | 458 | index 5aa9c47..a5f4e9d 100644 |
624 | --- a/monitor_wrap.c | 459 | --- a/monitor_wrap.c |
625 | +++ b/monitor_wrap.c | 460 | +++ b/monitor_wrap.c |
626 | @@ -1363,3 +1363,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) | 461 | @@ -1150,3 +1150,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) |
627 | 462 | ||
628 | #endif /* GSSAPI */ | 463 | #endif /* GSSAPI */ |
629 | 464 | ||
@@ -658,11 +493,11 @@ index 6dc890a..4c57d4d 100644 | |||
658 | +} | 493 | +} |
659 | +#endif /* USE_CONSOLEKIT */ | 494 | +#endif /* USE_CONSOLEKIT */ |
660 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 495 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
661 | index 9c2ee49..00e93fe 100644 | 496 | index 4d1e899..f99c31c 100644 |
662 | --- a/monitor_wrap.h | 497 | --- a/monitor_wrap.h |
663 | +++ b/monitor_wrap.h | 498 | +++ b/monitor_wrap.h |
664 | @@ -111,4 +111,8 @@ void *mm_zalloc(struct mm_master *, u_int, u_int); | 499 | @@ -108,4 +108,8 @@ int mm_skey_respond(void *, u_int, char **); |
665 | void mm_zfree(struct mm_master *, void *); | 500 | /* zlib allocation hooks */ |
666 | void mm_init_compression(struct mm_master *); | 501 | void mm_init_compression(struct mm_master *); |
667 | 502 | ||
668 | +#ifdef USE_CONSOLEKIT | 503 | +#ifdef USE_CONSOLEKIT |
@@ -671,10 +506,10 @@ index 9c2ee49..00e93fe 100644 | |||
671 | + | 506 | + |
672 | #endif /* _MM_WRAP_H_ */ | 507 | #endif /* _MM_WRAP_H_ */ |
673 | diff --git a/session.c b/session.c | 508 | diff --git a/session.c b/session.c |
674 | index 6f389ac..6250c20 100644 | 509 | index d4b7725..785833f 100644 |
675 | --- a/session.c | 510 | --- a/session.c |
676 | +++ b/session.c | 511 | +++ b/session.c |
677 | @@ -93,6 +93,7 @@ | 512 | @@ -94,6 +94,7 @@ |
678 | #include "kex.h" | 513 | #include "kex.h" |
679 | #include "monitor_wrap.h" | 514 | #include "monitor_wrap.h" |
680 | #include "sftp.h" | 515 | #include "sftp.h" |
@@ -682,7 +517,7 @@ index 6f389ac..6250c20 100644 | |||
682 | 517 | ||
683 | #if defined(KRB5) && defined(USE_AFS) | 518 | #if defined(KRB5) && defined(USE_AFS) |
684 | #include <kafs.h> | 519 | #include <kafs.h> |
685 | @@ -1143,6 +1144,9 @@ do_setup_env(Session *s, const char *shell) | 520 | @@ -1144,6 +1145,9 @@ do_setup_env(Session *s, const char *shell) |
686 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) | 521 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) |
687 | char *path = NULL; | 522 | char *path = NULL; |
688 | #endif | 523 | #endif |
@@ -692,7 +527,7 @@ index 6f389ac..6250c20 100644 | |||
692 | 527 | ||
693 | /* Initialize the environment. */ | 528 | /* Initialize the environment. */ |
694 | envsize = 100; | 529 | envsize = 100; |
695 | @@ -1287,6 +1291,11 @@ do_setup_env(Session *s, const char *shell) | 530 | @@ -1288,6 +1292,11 @@ do_setup_env(Session *s, const char *shell) |
696 | child_set_env(&env, &envsize, "KRB5CCNAME", | 531 | child_set_env(&env, &envsize, "KRB5CCNAME", |
697 | s->authctxt->krb5_ccname); | 532 | s->authctxt->krb5_ccname); |
698 | #endif | 533 | #endif |
@@ -704,7 +539,7 @@ index 6f389ac..6250c20 100644 | |||
704 | #ifdef USE_PAM | 539 | #ifdef USE_PAM |
705 | /* | 540 | /* |
706 | * Pull in any environment variables that may have | 541 | * Pull in any environment variables that may have |
707 | @@ -2350,6 +2359,10 @@ session_pty_cleanup2(Session *s) | 542 | @@ -2351,6 +2360,10 @@ session_pty_cleanup2(Session *s) |
708 | 543 | ||
709 | debug("session_pty_cleanup: session %d release %s", s->self, s->tty); | 544 | debug("session_pty_cleanup: session %d release %s", s->self, s->tty); |
710 | 545 | ||
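Review bot: The refreshed consolekit.patch no longer carries the `configure` hunk (the old side's `diff --git a/configure b/configure` block, with the `--with-consolekit` option and the `$as_echo "#define USE_CONSOLEKIT 1" >>confdefs.h` step, is dropped and the diffstat goes from 11 to 10 files) while the `configure.ac` hunk is kept, so `USE_CONSOLEKIT` is only ever defined if the build regenerates `configure` from `configure.ac`. Every block the patch adds to monitor.c, monitor_wrap.c, monitor_wrap.h and session.c sits under `#ifdef USE_CONSOLEKIT`, so a build that ships the upstream `configure` unchanged would compile the ConsoleKit support out silently rather than failing. I cannot see debian/rules from this page, so this is presumably handled by an autoreconf step, but it is worth confirming rather than assuming. A line in the patch header after `Last-Updated: 2015-08-19`, e.g. `Note: configure is no longer patched; the build must regenerate it from configure.ac`, would record the new build-time dependency for the next refresh.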
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index ab64cbed5..5bc70a566 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 114c8a8fb488cbe39507edb75c51198a4b9e8b24 Mon Sep 17 00:00:00 2001 | 1 | From 2c31a85436f1eac46e185382c2aa15406ae6c0ac Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch. | |||
8 | 8 | ||
9 | Bug-Debian: http://bugs.debian.org/562048 | 9 | Bug-Debian: http://bugs.debian.org/562048 |
10 | Forwarded: not-needed | 10 | Forwarded: not-needed |
11 | Last-Update: 2014-10-07 | 11 | Last-Update: 2015-08-19 |
12 | 12 | ||
13 | Patch-Name: debian-banner.patch | 13 | Patch-Name: debian-banner.patch |
14 | --- | 14 | --- |
@@ -19,45 +19,45 @@ Patch-Name: debian-banner.patch | |||
19 | 4 files changed, 18 insertions(+), 1 deletion(-) | 19 | 4 files changed, 18 insertions(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/servconf.c b/servconf.c | 21 | diff --git a/servconf.c b/servconf.c |
22 | index a252487..6c7741a 100644 | 22 | index b3a2841..bec53e0 100644 |
23 | --- a/servconf.c | 23 | --- a/servconf.c |
24 | +++ b/servconf.c | 24 | +++ b/servconf.c |
25 | @@ -160,6 +160,7 @@ initialize_server_options(ServerOptions *options) | 25 | @@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options) |
26 | options->ip_qos_interactive = -1; | ||
27 | options->ip_qos_bulk = -1; | 26 | options->ip_qos_bulk = -1; |
28 | options->version_addendum = NULL; | 27 | options->version_addendum = NULL; |
28 | options->fingerprint_hash = -1; | ||
29 | + options->debian_banner = -1; | 29 | + options->debian_banner = -1; |
30 | } | 30 | } |
31 | 31 | ||
32 | void | 32 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
33 | @@ -321,6 +322,8 @@ fill_default_server_options(ServerOptions *options) | 33 | @@ -342,6 +343,8 @@ fill_default_server_options(ServerOptions *options) |
34 | options->fwd_opts.streamlocal_bind_mask = 0177; | ||
35 | if (options->fwd_opts.streamlocal_bind_unlink == -1) | ||
36 | options->fwd_opts.streamlocal_bind_unlink = 0; | 34 | options->fwd_opts.streamlocal_bind_unlink = 0; |
35 | if (options->fingerprint_hash == -1) | ||
36 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | ||
37 | + if (options->debian_banner == -1) | 37 | + if (options->debian_banner == -1) |
38 | + options->debian_banner = 1; | 38 | + options->debian_banner = 1; |
39 | /* Turn privilege separation on by default */ | 39 | /* Turn privilege separation on by default */ |
40 | if (use_privsep == -1) | 40 | if (use_privsep == -1) |
41 | use_privsep = PRIVSEP_NOSANDBOX; | 41 | use_privsep = PRIVSEP_NOSANDBOX; |
42 | @@ -373,6 +376,7 @@ typedef enum { | 42 | @@ -412,6 +415,7 @@ typedef enum { |
43 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, | 43 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
44 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 44 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
45 | sAllowStreamLocalForwarding, | 45 | sAllowStreamLocalForwarding, sFingerprintHash, |
46 | + sDebianBanner, | 46 | + sDebianBanner, |
47 | sDeprecated, sUnsupported | 47 | sDeprecated, sUnsupported |
48 | } ServerOpCodes; | 48 | } ServerOpCodes; |
49 | 49 | ||
50 | @@ -514,6 +518,7 @@ static struct { | 50 | @@ -556,6 +560,7 @@ static struct { |
51 | { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, | ||
52 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, | 51 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, |
53 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, | 52 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, |
53 | { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, | ||
54 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 54 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
55 | { NULL, sBadOption, 0 } | 55 | { NULL, sBadOption, 0 } |
56 | }; | 56 | }; |
57 | 57 | ||
58 | @@ -1697,6 +1702,10 @@ process_server_config_line(ServerOptions *options, char *line, | 58 | @@ -1777,6 +1782,10 @@ process_server_config_line(ServerOptions *options, char *line, |
59 | intptr = &options->fwd_opts.streamlocal_bind_unlink; | 59 | options->fingerprint_hash = value; |
60 | goto parse_flag; | 60 | break; |
61 | 61 | ||
62 | + case sDebianBanner: | 62 | + case sDebianBanner: |
63 | + intptr = &options->debian_banner; | 63 | + intptr = &options->debian_banner; |
@@ -67,23 +67,23 @@ index a252487..6c7741a 100644 | |||
67 | logit("%s line %d: Deprecated option %s", | 67 | logit("%s line %d: Deprecated option %s", |
68 | filename, linenum, arg); | 68 | filename, linenum, arg); |
69 | diff --git a/servconf.h b/servconf.h | 69 | diff --git a/servconf.h b/servconf.h |
70 | index f8265a8..fa48804 100644 | 70 | index d2ed4d7..ed0f171 100644 |
71 | --- a/servconf.h | 71 | --- a/servconf.h |
72 | +++ b/servconf.h | 72 | +++ b/servconf.h |
73 | @@ -188,6 +188,8 @@ typedef struct { | 73 | @@ -192,6 +192,8 @@ typedef struct { |
74 | |||
75 | u_int num_auth_methods; | ||
76 | char *auth_methods[MAX_AUTH_METHODS]; | 74 | char *auth_methods[MAX_AUTH_METHODS]; |
75 | |||
76 | int fingerprint_hash; | ||
77 | + | 77 | + |
78 | + int debian_banner; | 78 | + int debian_banner; |
79 | } ServerOptions; | 79 | } ServerOptions; |
80 | 80 | ||
81 | /* Information about the incoming connection as used by Match */ | 81 | /* Information about the incoming connection as used by Match */ |
82 | diff --git a/sshd.c b/sshd.c | 82 | diff --git a/sshd.c b/sshd.c |
83 | index 1710e71..87331c1 100644 | 83 | index c362209..5435968 100644 |
84 | --- a/sshd.c | 84 | --- a/sshd.c |
85 | +++ b/sshd.c | 85 | +++ b/sshd.c |
86 | @@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out) | 86 | @@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out) |
87 | } | 87 | } |
88 | 88 | ||
89 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 89 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
@@ -94,10 +94,10 @@ index 1710e71..87331c1 100644 | |||
94 | options.version_addendum, newline); | 94 | options.version_addendum, newline); |
95 | 95 | ||
96 | diff --git a/sshd_config.5 b/sshd_config.5 | 96 | diff --git a/sshd_config.5 b/sshd_config.5 |
97 | index 2843048..58997d3 100644 | 97 | index d14576e..ec58635 100644 |
98 | --- a/sshd_config.5 | 98 | --- a/sshd_config.5 |
99 | +++ b/sshd_config.5 | 99 | +++ b/sshd_config.5 |
100 | @@ -447,6 +447,11 @@ or | 100 | @@ -476,6 +476,11 @@ or |
101 | .Dq no . | 101 | .Dq no . |
102 | The default is | 102 | The default is |
103 | .Dq delayed . | 103 | .Dq delayed . |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index f995717fa..a346ba678 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 581424965d2d722a991c3247d4c0bb5950cb4fc5 Mon Sep 17 00:00:00 2001 | 1 | From 8698446b972003b63dfe5dcbdb86acfe986afb85 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
@@ -22,7 +22,7 @@ debian/openssh-server.postinst. | |||
22 | 22 | ||
23 | Author: Russ Allbery <rra@debian.org> | 23 | Author: Russ Allbery <rra@debian.org> |
24 | Forwarded: not-needed | 24 | Forwarded: not-needed |
25 | Last-Update: 2015-03-22 | 25 | Last-Update: 2015-08-19 |
26 | 26 | ||
27 | Patch-Name: debian-config.patch | 27 | Patch-Name: debian-config.patch |
28 | --- | 28 | --- |
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch | |||
34 | 5 files changed, 51 insertions(+), 3 deletions(-) | 34 | 5 files changed, 51 insertions(+), 3 deletions(-) |
35 | 35 | ||
36 | diff --git a/readconf.c b/readconf.c | 36 | diff --git a/readconf.c b/readconf.c |
37 | index 0648867..29338b6 100644 | 37 | index 2ef8d7b..66a62f2 100644 |
38 | --- a/readconf.c | 38 | --- a/readconf.c |
39 | +++ b/readconf.c | 39 | +++ b/readconf.c |
40 | @@ -1681,7 +1681,7 @@ fill_default_options(Options * options) | 40 | @@ -1748,7 +1748,7 @@ fill_default_options(Options * options) |
41 | if (options->forward_x11 == -1) | 41 | if (options->forward_x11 == -1) |
42 | options->forward_x11 = 0; | 42 | options->forward_x11 = 0; |
43 | if (options->forward_x11_trusted == -1) | 43 | if (options->forward_x11_trusted == -1) |
@@ -71,10 +71,10 @@ index 228e5ab..c9386aa 100644 | |||
71 | + GSSAPIAuthentication yes | 71 | + GSSAPIAuthentication yes |
72 | + GSSAPIDelegateCredentials no | 72 | + GSSAPIDelegateCredentials no |
73 | diff --git a/ssh_config.5 b/ssh_config.5 | 73 | diff --git a/ssh_config.5 b/ssh_config.5 |
74 | index a1005ba..da3c177 100644 | 74 | index 3bd80fd..da8e544 100644 |
75 | --- a/ssh_config.5 | 75 | --- a/ssh_config.5 |
76 | +++ b/ssh_config.5 | 76 | +++ b/ssh_config.5 |
77 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | 77 | @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more |
78 | host-specific declarations should be given near the beginning of the | 78 | host-specific declarations should be given near the beginning of the |
79 | file, and general defaults at the end. | 79 | file, and general defaults at the end. |
80 | .Pp | 80 | .Pp |
@@ -97,7 +97,7 @@ index a1005ba..da3c177 100644 | |||
97 | The configuration file has the following format: | 97 | The configuration file has the following format: |
98 | .Pp | 98 | .Pp |
99 | Empty lines and lines starting with | 99 | Empty lines and lines starting with |
100 | @@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes. | 100 | @@ -715,7 +731,8 @@ token used for the session will be set to expire after 20 minutes. |
101 | Remote clients will be refused access after this time. | 101 | Remote clients will be refused access after this time. |
102 | .Pp | 102 | .Pp |
103 | The default is | 103 | The default is |
@@ -108,7 +108,7 @@ index a1005ba..da3c177 100644 | |||
108 | See the X11 SECURITY extension specification for full details on | 108 | See the X11 SECURITY extension specification for full details on |
109 | the restrictions imposed on untrusted clients. | 109 | the restrictions imposed on untrusted clients. |
110 | diff --git a/sshd_config b/sshd_config | 110 | diff --git a/sshd_config b/sshd_config |
111 | index d9b8594..4db32f5 100644 | 111 | index a71ad19..3391233 100644 |
112 | --- a/sshd_config | 112 | --- a/sshd_config |
113 | +++ b/sshd_config | 113 | +++ b/sshd_config |
114 | @@ -41,6 +41,7 @@ | 114 | @@ -41,6 +41,7 @@ |
@@ -120,7 +120,7 @@ index d9b8594..4db32f5 100644 | |||
120 | #StrictModes yes | 120 | #StrictModes yes |
121 | #MaxAuthTries 6 | 121 | #MaxAuthTries 6 |
122 | diff --git a/sshd_config.5 b/sshd_config.5 | 122 | diff --git a/sshd_config.5 b/sshd_config.5 |
123 | index 7396b23..7aa7b47 100644 | 123 | index 453d741..db1f2fd 100644 |
124 | --- a/sshd_config.5 | 124 | --- a/sshd_config.5 |
125 | +++ b/sshd_config.5 | 125 | +++ b/sshd_config.5 |
126 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes | 126 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes |
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index 0212ea841..97fe79aef 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4ac9937c1d9f1901ab0694114d76e59a138aae96 Mon Sep 17 00:00:00 2001 | 1 | From 5cbcc7353649b84b5a7528e583458ee9473fd527 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 |
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | 4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf |
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch | |||
18 | 3 files changed, 21 insertions(+), 6 deletions(-) | 18 | 3 files changed, 21 insertions(+), 6 deletions(-) |
19 | 19 | ||
20 | diff --git a/dns.c b/dns.c | 20 | diff --git a/dns.c b/dns.c |
21 | index c4d073c..e5872c1 100644 | 21 | index f201b60..a406f58 100644 |
22 | --- a/dns.c | 22 | --- a/dns.c |
23 | +++ b/dns.c | 23 | +++ b/dns.c |
24 | @@ -203,6 +203,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | 24 | @@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, |
25 | { | 25 | { |
26 | u_int counter; | 26 | u_int counter; |
27 | int result; | 27 | int result; |
@@ -29,7 +29,7 @@ index c4d073c..e5872c1 100644 | |||
29 | struct rrsetinfo *fingerprints = NULL; | 29 | struct rrsetinfo *fingerprints = NULL; |
30 | 30 | ||
31 | u_int8_t hostkey_algorithm; | 31 | u_int8_t hostkey_algorithm; |
32 | @@ -226,8 +227,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | 32 | @@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, |
33 | return -1; | 33 | return -1; |
34 | } | 34 | } |
35 | 35 | ||
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 8e6cfa575..35d589353 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2fd0b3814e27d584efa6df92845a7354e7c2de6c Mon Sep 17 00:00:00 2001 | 1 | From b0146d5a8c1b9d87f4255cbee40b31c938fea2f8 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch | |||
13 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh_config.5 b/ssh_config.5 | 15 | diff --git a/ssh_config.5 b/ssh_config.5 |
16 | index d68b45a..a1005ba 100644 | 16 | index 8abcf40..3bd80fd 100644 |
17 | --- a/ssh_config.5 | 17 | --- a/ssh_config.5 |
18 | +++ b/ssh_config.5 | 18 | +++ b/ssh_config.5 |
19 | @@ -759,6 +759,9 @@ Note that existing names and addresses in known hosts files | 19 | @@ -801,6 +801,9 @@ Note that existing names and addresses in known hosts files |
20 | will not be converted automatically, | 20 | will not be converted automatically, |
21 | but may be manually hashed using | 21 | but may be manually hashed using |
22 | .Xr ssh-keygen 1 . | 22 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch index c1ce1bcae..8002929ab 100644 --- a/debian/patches/doc-upstart.patch +++ b/debian/patches/doc-upstart.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 252e76b3ad6e83a798e479a2beba5be7000ff85e Mon Sep 17 00:00:00 2001 | 1 | From c679bacbff13edaa44255c4f4c32ef5bc0f4ccbc Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 |
4 | Subject: Refer to ssh's Upstart job as well as its init script | 4 | Subject: Refer to ssh's Upstart job as well as its init script |
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch | |||
12 | 1 file changed, 4 insertions(+), 1 deletion(-) | 12 | 1 file changed, 4 insertions(+), 1 deletion(-) |
13 | 13 | ||
14 | diff --git a/sshd.8 b/sshd.8 | 14 | diff --git a/sshd.8 b/sshd.8 |
15 | index 3538208..f8f9eac 100644 | 15 | index 8dba6cf..e198017 100644 |
16 | --- a/sshd.8 | 16 | --- a/sshd.8 |
17 | +++ b/sshd.8 | 17 | +++ b/sshd.8 |
18 | @@ -67,7 +67,10 @@ over an insecure network. | 18 | @@ -67,7 +67,10 @@ over an insecure network. |
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch index 84fe03acc..79efb8971 100644 --- a/debian/patches/gnome-ssh-askpass2-icon.patch +++ b/debian/patches/gnome-ssh-askpass2-icon.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1195b028cb9f402633cfdcae6ec34bf63b4ab771 Mon Sep 17 00:00:00 2001 | 1 | From 02662744e60e6bbe532ff22c7f563026a7424b6c Mon Sep 17 00:00:00 2001 |
2 | From: Vincent Untz <vuntz@ubuntu.com> | 2 | From: Vincent Untz <vuntz@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 |
4 | Subject: Give the ssh-askpass-gnome window a default icon | 4 | Subject: Give the ssh-askpass-gnome window a default icon |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index e8cbc1083..b3c437194 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001 | 1 | From 06879e71614170580ffa7568ec5c009f60a9d084 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,26 +17,25 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2014-10-07 | 20 | Last-Updated: 2015-08-19 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
24 | ChangeLog.gssapi | 113 +++++++++++++++++++ | 24 | ChangeLog.gssapi | 113 +++++++++++++++++++ |
25 | Makefile.in | 3 +- | 25 | Makefile.in | 5 +- |
26 | auth-krb5.c | 17 ++- | 26 | auth-krb5.c | 17 ++- |
27 | auth2-gss.c | 48 +++++++- | 27 | auth2-gss.c | 48 +++++++- |
28 | auth2.c | 2 + | 28 | auth2.c | 2 + |
29 | clientloop.c | 13 +++ | 29 | clientloop.c | 13 +++ |
30 | config.h.in | 6 + | 30 | config.h.in | 6 + |
31 | configure | 57 ++++++++++ | ||
32 | configure.ac | 24 ++++ | 31 | configure.ac | 24 ++++ |
33 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- | 32 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- |
34 | gss-serv-krb5.c | 85 ++++++++++++-- | 33 | gss-serv-krb5.c | 85 ++++++++++++-- |
35 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- | 34 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- |
36 | kex.c | 16 +++ | 35 | kex.c | 16 +++ |
37 | kex.h | 14 +++ | 36 | kex.h | 14 +++ |
38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 37 | kexgssc.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
39 | kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++ | 38 | kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++ |
40 | monitor.c | 108 +++++++++++++++++- | 39 | monitor.c | 108 +++++++++++++++++- |
41 | monitor.h | 3 + | 40 | monitor.h | 3 + |
42 | monitor_wrap.c | 47 +++++++- | 41 | monitor_wrap.c | 47 +++++++- |
@@ -48,13 +47,13 @@ Patch-Name: gssapi.patch | |||
48 | ssh-gss.h | 41 ++++++- | 47 | ssh-gss.h | 41 ++++++- |
49 | ssh_config | 2 + | 48 | ssh_config | 2 + |
50 | ssh_config.5 | 34 +++++- | 49 | ssh_config.5 | 34 +++++- |
51 | sshconnect2.c | 124 ++++++++++++++++++++- | 50 | sshconnect2.c | 124 +++++++++++++++++++- |
52 | sshd.c | 110 ++++++++++++++++++ | 51 | sshd.c | 110 ++++++++++++++++++ |
53 | sshd_config | 2 + | 52 | sshd_config | 2 + |
54 | sshd_config.5 | 28 +++++ | 53 | sshd_config.5 | 28 +++++ |
55 | sshkey.c | 3 +- | 54 | sshkey.c | 3 +- |
56 | sshkey.h | 1 + | 55 | sshkey.h | 1 + |
57 | 33 files changed, 2052 insertions(+), 59 deletions(-) | 56 | 32 files changed, 2005 insertions(+), 60 deletions(-) |
58 | create mode 100644 ChangeLog.gssapi | 57 | create mode 100644 ChangeLog.gssapi |
59 | create mode 100644 kexgssc.c | 58 | create mode 100644 kexgssc.c |
60 | create mode 100644 kexgsss.c | 59 | create mode 100644 kexgsss.c |
@@ -179,21 +178,23 @@ index 0000000..f117a33 | |||
179 | + (from jbasney AT ncsa.uiuc.edu) | 178 | + (from jbasney AT ncsa.uiuc.edu) |
180 | + <gssapi-with-mic support is Bugzilla #1008> | 179 | + <gssapi-with-mic support is Bugzilla #1008> |
181 | diff --git a/Makefile.in b/Makefile.in | 180 | diff --git a/Makefile.in b/Makefile.in |
182 | index 06be3d5..086d8dd 100644 | 181 | index 40cc7aa..3d2a328 100644 |
183 | --- a/Makefile.in | 182 | --- a/Makefile.in |
184 | +++ b/Makefile.in | 183 | +++ b/Makefile.in |
185 | @@ -82,6 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 184 | @@ -91,7 +91,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 185 | sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ |
187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 186 | kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ |
188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 187 | kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ |
189 | + kexgssc.o \ | 188 | - kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o |
190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 189 | + kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ |
191 | ssh-pkcs11.o krl.o smult_curve25519_ref.o \ | 190 | + kexgssc.o |
192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ | 191 | |
193 | @@ -101,7 +102,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 192 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
193 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ | ||
194 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | ||
195 | auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ | ||
194 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 196 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 197 | monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ |
196 | kexc25519s.o auth-krb5.o \ | ||
197 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ | 198 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ |
198 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ | 199 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ |
199 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 200 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
@@ -251,11 +252,11 @@ index 0089b18..ec47869 100644 | |||
251 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 252 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
252 | } | 253 | } |
253 | diff --git a/auth2-gss.c b/auth2-gss.c | 254 | diff --git a/auth2-gss.c b/auth2-gss.c |
254 | index 447f896..284f364 100644 | 255 | index 1ca8357..3b5036d 100644 |
255 | --- a/auth2-gss.c | 256 | --- a/auth2-gss.c |
256 | +++ b/auth2-gss.c | 257 | +++ b/auth2-gss.c |
257 | @@ -1,7 +1,7 @@ | 258 | @@ -1,7 +1,7 @@ |
258 | /* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */ | 259 | /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */ |
259 | 260 | ||
260 | /* | 261 | /* |
261 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 262 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -263,9 +264,9 @@ index 447f896..284f364 100644 | |||
263 | * | 264 | * |
264 | * Redistribution and use in source and binary forms, with or without | 265 | * Redistribution and use in source and binary forms, with or without |
265 | * modification, are permitted provided that the following conditions | 266 | * modification, are permitted provided that the following conditions |
266 | @@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); | 267 | @@ -53,6 +53,40 @@ static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 268 | static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
268 | static void input_gssapi_errtok(int, u_int32_t, void *); | 269 | static int input_gssapi_errtok(int, u_int32_t, void *); |
269 | 270 | ||
270 | +/* | 271 | +/* |
271 | + * The 'gssapi_keyex' userauth mechanism. | 272 | + * The 'gssapi_keyex' userauth mechanism. |
@@ -304,7 +305,7 @@ index 447f896..284f364 100644 | |||
304 | /* | 305 | /* |
305 | * We only support those mechanisms that we know about (ie ones that we know | 306 | * We only support those mechanisms that we know about (ie ones that we know |
306 | * how to check local user kuserok and the like) | 307 | * how to check local user kuserok and the like) |
307 | @@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | 308 | @@ -238,7 +272,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) |
308 | 309 | ||
309 | packet_check_eom(); | 310 | packet_check_eom(); |
310 | 311 | ||
@@ -314,7 +315,7 @@ index 447f896..284f364 100644 | |||
314 | 315 | ||
315 | authctxt->postponed = 0; | 316 | authctxt->postponed = 0; |
316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 317 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
317 | @@ -271,7 +306,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 318 | @@ -274,7 +309,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
318 | gssbuf.length = buffer_len(&b); | 319 | gssbuf.length = buffer_len(&b); |
319 | 320 | ||
320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 321 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
@@ -324,8 +325,8 @@ index 447f896..284f364 100644 | |||
324 | else | 325 | else |
325 | logit("GSSAPI MIC check failed"); | 326 | logit("GSSAPI MIC check failed"); |
326 | 327 | ||
327 | @@ -286,6 +322,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 328 | @@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); | 329 | return 0; |
329 | } | 330 | } |
330 | 331 | ||
331 | +Authmethod method_gsskeyex = { | 332 | +Authmethod method_gsskeyex = { |
@@ -338,7 +339,7 @@ index 447f896..284f364 100644 | |||
338 | "gssapi-with-mic", | 339 | "gssapi-with-mic", |
339 | userauth_gssapi, | 340 | userauth_gssapi, |
340 | diff --git a/auth2.c b/auth2.c | 341 | diff --git a/auth2.c b/auth2.c |
341 | index d9b440a..2f0d565 100644 | 342 | index 7177962..3f49bdc 100644 |
342 | --- a/auth2.c | 343 | --- a/auth2.c |
343 | +++ b/auth2.c | 344 | +++ b/auth2.c |
344 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; | 345 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; |
@@ -358,12 +359,12 @@ index d9b440a..2f0d565 100644 | |||
358 | #endif | 359 | #endif |
359 | &method_passwd, | 360 | &method_passwd, |
360 | diff --git a/clientloop.c b/clientloop.c | 361 | diff --git a/clientloop.c b/clientloop.c |
361 | index 397c965..f9175e3 100644 | 362 | index a9c8a90..7df9413 100644 |
362 | --- a/clientloop.c | 363 | --- a/clientloop.c |
363 | +++ b/clientloop.c | 364 | +++ b/clientloop.c |
364 | @@ -111,6 +111,10 @@ | 365 | @@ -114,6 +114,10 @@ |
365 | #include "msg.h" | 366 | #include "ssherr.h" |
366 | #include "roaming.h" | 367 | #include "hostfile.h" |
367 | 368 | ||
368 | +#ifdef GSSAPI | 369 | +#ifdef GSSAPI |
369 | +#include "ssh-gss.h" | 370 | +#include "ssh-gss.h" |
@@ -387,12 +388,12 @@ index 397c965..f9175e3 100644 | |||
387 | + | 388 | + |
388 | if (need_rekeying || packet_need_rekeying()) { | 389 | if (need_rekeying || packet_need_rekeying()) { |
389 | debug("need rekeying"); | 390 | debug("need rekeying"); |
390 | xxx_kex->done = 0; | 391 | active_state->kex->done = 0; |
391 | diff --git a/config.h.in b/config.h.in | 392 | diff --git a/config.h.in b/config.h.in |
392 | index 16d6206..a9a8b7a 100644 | 393 | index 7e7e38e..6c7de98 100644 |
393 | --- a/config.h.in | 394 | --- a/config.h.in |
394 | +++ b/config.h.in | 395 | +++ b/config.h.in |
395 | @@ -1622,6 +1622,9 @@ | 396 | @@ -1623,6 +1623,9 @@ |
396 | /* Use btmp to log bad logins */ | 397 | /* Use btmp to log bad logins */ |
397 | #undef USE_BTMP | 398 | #undef USE_BTMP |
398 | 399 | ||
@@ -402,7 +403,7 @@ index 16d6206..a9a8b7a 100644 | |||
402 | /* Use libedit for sftp */ | 403 | /* Use libedit for sftp */ |
403 | #undef USE_LIBEDIT | 404 | #undef USE_LIBEDIT |
404 | 405 | ||
405 | @@ -1637,6 +1640,9 @@ | 406 | @@ -1638,6 +1641,9 @@ |
406 | /* Use PIPES instead of a socketpair() */ | 407 | /* Use PIPES instead of a socketpair() */ |
407 | #undef USE_PIPES | 408 | #undef USE_PIPES |
408 | 409 | ||
@@ -412,79 +413,11 @@ index 16d6206..a9a8b7a 100644 | |||
412 | /* Define if you have Solaris process contracts */ | 413 | /* Define if you have Solaris process contracts */ |
413 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 414 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
414 | 415 | ||
415 | diff --git a/configure b/configure | ||
416 | index 6815388..ea5f200 100755 | ||
417 | --- a/configure | ||
418 | +++ b/configure | ||
419 | @@ -7168,6 +7168,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h | ||
420 | |||
421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | ||
422 | |||
423 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have the Security Authorization Session API" >&5 | ||
424 | +$as_echo_n "checking if we have the Security Authorization Session API... " >&6; } | ||
425 | + cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
426 | +/* end confdefs.h. */ | ||
427 | +#include <Security/AuthSession.h> | ||
428 | +int | ||
429 | +main () | ||
430 | +{ | ||
431 | +SessionCreate(0, 0); | ||
432 | + ; | ||
433 | + return 0; | ||
434 | +} | ||
435 | +_ACEOF | ||
436 | +if ac_fn_c_try_compile "$LINENO"; then : | ||
437 | + ac_cv_use_security_session_api="yes" | ||
438 | + | ||
439 | +$as_echo "#define USE_SECURITY_SESSION_API 1" >>confdefs.h | ||
440 | + | ||
441 | + LIBS="$LIBS -framework Security" | ||
442 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
443 | +$as_echo "yes" >&6; } | ||
444 | +else | ||
445 | + ac_cv_use_security_session_api="no" | ||
446 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
447 | +$as_echo "no" >&6; } | ||
448 | +fi | ||
449 | +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
450 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have an in-memory credentials cache" >&5 | ||
451 | +$as_echo_n "checking if we have an in-memory credentials cache... " >&6; } | ||
452 | + cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
453 | +/* end confdefs.h. */ | ||
454 | +#include <Kerberos/Kerberos.h> | ||
455 | +int | ||
456 | +main () | ||
457 | +{ | ||
458 | +cc_context_t c; | ||
459 | + (void) cc_initialize (&c, 0, NULL, NULL); | ||
460 | + ; | ||
461 | + return 0; | ||
462 | +} | ||
463 | +_ACEOF | ||
464 | +if ac_fn_c_try_compile "$LINENO"; then : | ||
465 | + | ||
466 | +$as_echo "#define USE_CCAPI 1" >>confdefs.h | ||
467 | + | ||
468 | + LIBS="$LIBS -framework Security" | ||
469 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
470 | +$as_echo "yes" >&6; } | ||
471 | + if test "x$ac_cv_use_security_session_api" = "xno"; then | ||
472 | + as_fn_error $? "*** Need a security framework to use the credentials cache API ***" "$LINENO" 5 | ||
473 | + fi | ||
474 | +else | ||
475 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
476 | +$as_echo "no" >&6; } | ||
477 | + | ||
478 | +fi | ||
479 | +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
480 | |||
481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" | ||
482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : | ||
483 | diff --git a/configure.ac b/configure.ac | 416 | diff --git a/configure.ac b/configure.ac |
484 | index 67c4486..90e81e1 100644 | 417 | index b4d6598..216a9fd 100644 |
485 | --- a/configure.ac | 418 | --- a/configure.ac |
486 | +++ b/configure.ac | 419 | +++ b/configure.ac |
487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 420 | @@ -620,6 +620,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
488 | [Use tunnel device compatibility to OpenBSD]) | 421 | [Use tunnel device compatibility to OpenBSD]) |
489 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 422 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
490 | [Prepend the address family to IP tunnel traffic]) | 423 | [Prepend the address family to IP tunnel traffic]) |
@@ -516,11 +449,11 @@ index 67c4486..90e81e1 100644 | |||
516 | AC_CHECK_DECL([AU_IPv4], [], | 449 | AC_CHECK_DECL([AU_IPv4], [], |
517 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) | 450 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
518 | diff --git a/gss-genr.c b/gss-genr.c | 451 | diff --git a/gss-genr.c b/gss-genr.c |
519 | index b39281b..1e569ad 100644 | 452 | index 60ac65f..5610f0b 100644 |
520 | --- a/gss-genr.c | 453 | --- a/gss-genr.c |
521 | +++ b/gss-genr.c | 454 | +++ b/gss-genr.c |
522 | @@ -1,7 +1,7 @@ | 455 | @@ -1,7 +1,7 @@ |
523 | /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */ | 456 | /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ |
524 | 457 | ||
525 | /* | 458 | /* |
526 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. | 459 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
@@ -528,7 +461,7 @@ index b39281b..1e569ad 100644 | |||
528 | * | 461 | * |
529 | * Redistribution and use in source and binary forms, with or without | 462 | * Redistribution and use in source and binary forms, with or without |
530 | * modification, are permitted provided that the following conditions | 463 | * modification, are permitted provided that the following conditions |
531 | @@ -39,12 +39,167 @@ | 464 | @@ -40,12 +40,167 @@ |
532 | #include "buffer.h" | 465 | #include "buffer.h" |
533 | #include "log.h" | 466 | #include "log.h" |
534 | #include "ssh2.h" | 467 | #include "ssh2.h" |
@@ -696,7 +629,7 @@ index b39281b..1e569ad 100644 | |||
696 | /* Check that the OID in a data stream matches that in the context */ | 629 | /* Check that the OID in a data stream matches that in the context */ |
697 | int | 630 | int |
698 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | 631 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) |
699 | @@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, | 632 | @@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, |
700 | } | 633 | } |
701 | 634 | ||
702 | ctx->major = gss_init_sec_context(&ctx->minor, | 635 | ctx->major = gss_init_sec_context(&ctx->minor, |
@@ -705,7 +638,7 @@ index b39281b..1e569ad 100644 | |||
705 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | 638 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
706 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | 639 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); |
707 | 640 | ||
708 | @@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) | 641 | @@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
709 | } | 642 | } |
710 | 643 | ||
711 | OM_uint32 | 644 | OM_uint32 |
@@ -748,7 +681,7 @@ index b39281b..1e569ad 100644 | |||
748 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, | 681 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, |
749 | GSS_C_QOP_DEFAULT, buffer, hash))) | 682 | GSS_C_QOP_DEFAULT, buffer, hash))) |
750 | ssh_gssapi_error(ctx); | 683 | ssh_gssapi_error(ctx); |
751 | @@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | 684 | @@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) |
752 | return (ctx->major); | 685 | return (ctx->major); |
753 | } | 686 | } |
754 | 687 | ||
@@ -768,7 +701,7 @@ index b39281b..1e569ad 100644 | |||
768 | void | 701 | void |
769 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 702 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
770 | const char *context) | 703 | const char *context) |
771 | @@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 704 | @@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
772 | } | 705 | } |
773 | 706 | ||
774 | int | 707 | int |
@@ -786,7 +719,7 @@ index b39281b..1e569ad 100644 | |||
786 | 719 | ||
787 | /* RFC 4462 says we MUST NOT do SPNEGO */ | 720 | /* RFC 4462 says we MUST NOT do SPNEGO */ |
788 | if (oid->length == spnego_oid.length && | 721 | if (oid->length == spnego_oid.length && |
789 | @@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 722 | @@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
790 | ssh_gssapi_build_ctx(ctx); | 723 | ssh_gssapi_build_ctx(ctx); |
791 | ssh_gssapi_set_oid(*ctx, oid); | 724 | ssh_gssapi_set_oid(*ctx, oid); |
792 | major = ssh_gssapi_import_name(*ctx, host); | 725 | major = ssh_gssapi_import_name(*ctx, host); |
@@ -797,7 +730,7 @@ index b39281b..1e569ad 100644 | |||
797 | if (!GSS_ERROR(major)) { | 730 | if (!GSS_ERROR(major)) { |
798 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | 731 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, |
799 | NULL); | 732 | NULL); |
800 | @@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 733 | @@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
801 | GSS_C_NO_BUFFER); | 734 | GSS_C_NO_BUFFER); |
802 | } | 735 | } |
803 | 736 | ||
@@ -992,11 +925,11 @@ index 795992d..fd8b371 100644 | |||
992 | 925 | ||
993 | #endif /* KRB5 */ | 926 | #endif /* KRB5 */ |
994 | diff --git a/gss-serv.c b/gss-serv.c | 927 | diff --git a/gss-serv.c b/gss-serv.c |
995 | index 5c59924..50fa438 100644 | 928 | index e7b8c52..539862d 100644 |
996 | --- a/gss-serv.c | 929 | --- a/gss-serv.c |
997 | +++ b/gss-serv.c | 930 | +++ b/gss-serv.c |
998 | @@ -1,7 +1,7 @@ | 931 | @@ -1,7 +1,7 @@ |
999 | /* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */ | 932 | /* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ |
1000 | 933 | ||
1001 | /* | 934 | /* |
1002 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 935 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -1004,7 +937,7 @@ index 5c59924..50fa438 100644 | |||
1004 | * | 937 | * |
1005 | * Redistribution and use in source and binary forms, with or without | 938 | * Redistribution and use in source and binary forms, with or without |
1006 | * modification, are permitted provided that the following conditions | 939 | * modification, are permitted provided that the following conditions |
1007 | @@ -45,15 +45,21 @@ | 940 | @@ -44,15 +44,21 @@ |
1008 | #include "channels.h" | 941 | #include "channels.h" |
1009 | #include "session.h" | 942 | #include "session.h" |
1010 | #include "misc.h" | 943 | #include "misc.h" |
@@ -1028,7 +961,7 @@ index 5c59924..50fa438 100644 | |||
1028 | 961 | ||
1029 | #ifdef KRB5 | 962 | #ifdef KRB5 |
1030 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 963 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
1031 | @@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | 964 | @@ -99,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) |
1032 | char lname[NI_MAXHOST]; | 965 | char lname[NI_MAXHOST]; |
1033 | gss_OID_set oidset; | 966 | gss_OID_set oidset; |
1034 | 967 | ||
@@ -1075,7 +1008,7 @@ index 5c59924..50fa438 100644 | |||
1075 | } | 1008 | } |
1076 | 1009 | ||
1077 | /* Privileged */ | 1010 | /* Privileged */ |
1078 | @@ -133,6 +146,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | 1011 | @@ -132,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) |
1079 | } | 1012 | } |
1080 | 1013 | ||
1081 | /* Unprivileged */ | 1014 | /* Unprivileged */ |
@@ -1105,7 +1038,7 @@ index 5c59924..50fa438 100644 | |||
1105 | void | 1038 | void |
1106 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1039 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1107 | { | 1040 | { |
1108 | @@ -142,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1041 | @@ -141,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1109 | gss_OID_set supported; | 1042 | gss_OID_set supported; |
1110 | 1043 | ||
1111 | gss_create_empty_oid_set(&min_status, oidset); | 1044 | gss_create_empty_oid_set(&min_status, oidset); |
@@ -1116,7 +1049,7 @@ index 5c59924..50fa438 100644 | |||
1116 | 1049 | ||
1117 | while (supported_mechs[i]->name != NULL) { | 1050 | while (supported_mechs[i]->name != NULL) { |
1118 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | 1051 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, |
1119 | @@ -268,8 +306,48 @@ OM_uint32 | 1052 | @@ -267,8 +305,48 @@ OM_uint32 |
1120 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1053 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1121 | { | 1054 | { |
1122 | int i = 0; | 1055 | int i = 0; |
@@ -1166,7 +1099,7 @@ index 5c59924..50fa438 100644 | |||
1166 | 1099 | ||
1167 | client->mech = NULL; | 1100 | client->mech = NULL; |
1168 | 1101 | ||
1169 | @@ -284,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1102 | @@ -283,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1170 | if (client->mech == NULL) | 1103 | if (client->mech == NULL) |
1171 | return GSS_S_FAILURE; | 1104 | return GSS_S_FAILURE; |
1172 | 1105 | ||
@@ -1180,7 +1113,7 @@ index 5c59924..50fa438 100644 | |||
1180 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | 1113 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, |
1181 | &client->displayname, NULL))) { | 1114 | &client->displayname, NULL))) { |
1182 | ssh_gssapi_error(ctx); | 1115 | ssh_gssapi_error(ctx); |
1183 | @@ -301,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1116 | @@ -300,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1184 | return (ctx->major); | 1117 | return (ctx->major); |
1185 | } | 1118 | } |
1186 | 1119 | ||
@@ -1189,7 +1122,7 @@ index 5c59924..50fa438 100644 | |||
1189 | /* We can't copy this structure, so we just move the pointer to it */ | 1122 | /* We can't copy this structure, so we just move the pointer to it */ |
1190 | client->creds = ctx->client_creds; | 1123 | client->creds = ctx->client_creds; |
1191 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | 1124 | ctx->client_creds = GSS_C_NO_CREDENTIAL; |
1192 | @@ -348,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) | 1125 | @@ -347,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) |
1193 | 1126 | ||
1194 | /* Privileged */ | 1127 | /* Privileged */ |
1195 | int | 1128 | int |
@@ -1198,7 +1131,7 @@ index 5c59924..50fa438 100644 | |||
1198 | { | 1131 | { |
1199 | OM_uint32 lmin; | 1132 | OM_uint32 lmin; |
1200 | 1133 | ||
1201 | @@ -358,9 +445,11 @@ ssh_gssapi_userok(char *user) | 1134 | @@ -357,9 +444,11 @@ ssh_gssapi_userok(char *user) |
1202 | return 0; | 1135 | return 0; |
1203 | } | 1136 | } |
1204 | if (gssapi_client.mech && gssapi_client.mech->userok) | 1137 | if (gssapi_client.mech && gssapi_client.mech->userok) |
@@ -1212,7 +1145,7 @@ index 5c59924..50fa438 100644 | |||
1212 | /* Destroy delegated credentials if userok fails */ | 1145 | /* Destroy delegated credentials if userok fails */ |
1213 | gss_release_buffer(&lmin, &gssapi_client.displayname); | 1146 | gss_release_buffer(&lmin, &gssapi_client.displayname); |
1214 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | 1147 | gss_release_buffer(&lmin, &gssapi_client.exportedname); |
1215 | @@ -374,14 +463,90 @@ ssh_gssapi_userok(char *user) | 1148 | @@ -373,14 +462,90 @@ ssh_gssapi_userok(char *user) |
1216 | return (0); | 1149 | return (0); |
1217 | } | 1150 | } |
1218 | 1151 | ||
@@ -1310,11 +1243,11 @@ index 5c59924..50fa438 100644 | |||
1310 | 1243 | ||
1311 | #endif | 1244 | #endif |
1312 | diff --git a/kex.c b/kex.c | 1245 | diff --git a/kex.c b/kex.c |
1313 | index a173e70..891852b 100644 | 1246 | index 8c2b001..be938ad 100644 |
1314 | --- a/kex.c | 1247 | --- a/kex.c |
1315 | +++ b/kex.c | 1248 | +++ b/kex.c |
1316 | @@ -53,6 +53,10 @@ | 1249 | @@ -55,6 +55,10 @@ |
1317 | #include "roaming.h" | 1250 | #include "sshbuf.h" |
1318 | #include "digest.h" | 1251 | #include "digest.h" |
1319 | 1252 | ||
1320 | +#ifdef GSSAPI | 1253 | +#ifdef GSSAPI |
@@ -1324,8 +1257,8 @@ index a173e70..891852b 100644 | |||
1324 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1257 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1325 | # if defined(HAVE_EVP_SHA256) | 1258 | # if defined(HAVE_EVP_SHA256) |
1326 | # define evp_ssh_sha256 EVP_sha256 | 1259 | # define evp_ssh_sha256 EVP_sha256 |
1327 | @@ -96,6 +100,14 @@ static const struct kexalg kexalgs[] = { | 1260 | @@ -97,6 +101,14 @@ static const struct kexalg kexalgs[] = { |
1328 | #endif /* HAVE_EVP_SHA256 */ | 1261 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
1329 | { NULL, -1, -1, -1}, | 1262 | { NULL, -1, -1, -1}, |
1330 | }; | 1263 | }; |
1331 | +static const struct kexalg kexalg_prefixes[] = { | 1264 | +static const struct kexalg kexalg_prefixes[] = { |
@@ -1339,7 +1272,7 @@ index a173e70..891852b 100644 | |||
1339 | 1272 | ||
1340 | char * | 1273 | char * |
1341 | kex_alg_list(char sep) | 1274 | kex_alg_list(char sep) |
1342 | @@ -124,6 +136,10 @@ kex_alg_by_name(const char *name) | 1275 | @@ -129,6 +141,10 @@ kex_alg_by_name(const char *name) |
1343 | if (strcmp(k->name, name) == 0) | 1276 | if (strcmp(k->name, name) == 0) |
1344 | return k; | 1277 | return k; |
1345 | } | 1278 | } |
@@ -1351,10 +1284,10 @@ index a173e70..891852b 100644 | |||
1351 | } | 1284 | } |
1352 | 1285 | ||
1353 | diff --git a/kex.h b/kex.h | 1286 | diff --git a/kex.h b/kex.h |
1354 | index 4c40ec8..c179a4d 100644 | 1287 | index f70b81f..7194b14 100644 |
1355 | --- a/kex.h | 1288 | --- a/kex.h |
1356 | +++ b/kex.h | 1289 | +++ b/kex.h |
1357 | @@ -76,6 +76,9 @@ enum kex_exchange { | 1290 | @@ -93,6 +93,9 @@ enum kex_exchange { |
1358 | KEX_DH_GEX_SHA256, | 1291 | KEX_DH_GEX_SHA256, |
1359 | KEX_ECDH_SHA2, | 1292 | KEX_ECDH_SHA2, |
1360 | KEX_C25519_SHA256, | 1293 | KEX_C25519_SHA256, |
@@ -1364,8 +1297,8 @@ index 4c40ec8..c179a4d 100644 | |||
1364 | KEX_MAX | 1297 | KEX_MAX |
1365 | }; | 1298 | }; |
1366 | 1299 | ||
1367 | @@ -135,6 +138,12 @@ struct Kex { | 1300 | @@ -139,6 +142,12 @@ struct kex { |
1368 | int flags; | 1301 | u_int flags; |
1369 | int hash_alg; | 1302 | int hash_alg; |
1370 | int ec_nid; | 1303 | int ec_nid; |
1371 | +#ifdef GSSAPI | 1304 | +#ifdef GSSAPI |
@@ -1376,25 +1309,25 @@ index 4c40ec8..c179a4d 100644 | |||
1376 | +#endif | 1309 | +#endif |
1377 | char *client_version_string; | 1310 | char *client_version_string; |
1378 | char *server_version_string; | 1311 | char *server_version_string; |
1379 | int (*verify_host_key)(Key *); | 1312 | int (*verify_host_key)(struct sshkey *, struct ssh *); |
1380 | @@ -167,6 +176,11 @@ void kexecdh_server(Kex *); | 1313 | @@ -184,6 +193,11 @@ int kexecdh_server(struct ssh *); |
1381 | void kexc25519_client(Kex *); | 1314 | int kexc25519_client(struct ssh *); |
1382 | void kexc25519_server(Kex *); | 1315 | int kexc25519_server(struct ssh *); |
1383 | 1316 | ||
1384 | +#ifdef GSSAPI | 1317 | +#ifdef GSSAPI |
1385 | +void kexgss_client(Kex *); | 1318 | +int kexgss_client(struct ssh *); |
1386 | +void kexgss_server(Kex *); | 1319 | +int kexgss_server(struct ssh *); |
1387 | +#endif | 1320 | +#endif |
1388 | + | 1321 | + |
1389 | void | 1322 | int kex_dh_hash(const char *, const char *, |
1390 | kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, | 1323 | const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, |
1391 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); | 1324 | const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); |
1392 | diff --git a/kexgssc.c b/kexgssc.c | 1325 | diff --git a/kexgssc.c b/kexgssc.c |
1393 | new file mode 100644 | 1326 | new file mode 100644 |
1394 | index 0000000..92a31c5 | 1327 | index 0000000..a49bac2 |
1395 | --- /dev/null | 1328 | --- /dev/null |
1396 | +++ b/kexgssc.c | 1329 | +++ b/kexgssc.c |
1397 | @@ -0,0 +1,332 @@ | 1330 | @@ -0,0 +1,336 @@ |
1398 | +/* | 1331 | +/* |
1399 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1332 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1400 | + * | 1333 | + * |
@@ -1439,43 +1372,46 @@ index 0000000..92a31c5 | |||
1439 | +#include "log.h" | 1372 | +#include "log.h" |
1440 | +#include "packet.h" | 1373 | +#include "packet.h" |
1441 | +#include "dh.h" | 1374 | +#include "dh.h" |
1375 | +#include "digest.h" | ||
1442 | + | 1376 | + |
1443 | +#include "ssh-gss.h" | 1377 | +#include "ssh-gss.h" |
1444 | + | 1378 | + |
1445 | +void | 1379 | +int |
1446 | +kexgss_client(Kex *kex) { | 1380 | +kexgss_client(struct ssh *ssh) { |
1447 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | 1381 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
1448 | + gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; | 1382 | + gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; |
1449 | + Gssctxt *ctxt; | 1383 | + Gssctxt *ctxt; |
1450 | + OM_uint32 maj_status, min_status, ret_flags; | 1384 | + OM_uint32 maj_status, min_status, ret_flags; |
1451 | + u_int klen, kout, slen = 0, hashlen, strlen; | 1385 | + u_int klen, kout, slen = 0, strlen; |
1452 | + DH *dh; | 1386 | + DH *dh; |
1453 | + BIGNUM *dh_server_pub = NULL; | 1387 | + BIGNUM *dh_server_pub = NULL; |
1454 | + BIGNUM *shared_secret = NULL; | 1388 | + BIGNUM *shared_secret = NULL; |
1455 | + BIGNUM *p = NULL; | 1389 | + BIGNUM *p = NULL; |
1456 | + BIGNUM *g = NULL; | 1390 | + BIGNUM *g = NULL; |
1457 | + u_char *kbuf, *hash; | 1391 | + u_char *kbuf; |
1458 | + u_char *serverhostkey = NULL; | 1392 | + u_char *serverhostkey = NULL; |
1459 | + u_char *empty = ""; | 1393 | + u_char *empty = ""; |
1460 | + char *msg; | 1394 | + char *msg; |
1461 | + int type = 0; | 1395 | + int type = 0; |
1462 | + int first = 1; | 1396 | + int first = 1; |
1463 | + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; | 1397 | + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; |
1398 | + u_char hash[SSH_DIGEST_MAX_LENGTH]; | ||
1399 | + size_t hashlen; | ||
1464 | + | 1400 | + |
1465 | + /* Initialise our GSSAPI world */ | 1401 | + /* Initialise our GSSAPI world */ |
1466 | + ssh_gssapi_build_ctx(&ctxt); | 1402 | + ssh_gssapi_build_ctx(&ctxt); |
1467 | + if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) | 1403 | + if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type) |
1468 | + == GSS_C_NO_OID) | 1404 | + == GSS_C_NO_OID) |
1469 | + fatal("Couldn't identify host exchange"); | 1405 | + fatal("Couldn't identify host exchange"); |
1470 | + | 1406 | + |
1471 | + if (ssh_gssapi_import_name(ctxt, kex->gss_host)) | 1407 | + if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host)) |
1472 | + fatal("Couldn't import hostname"); | 1408 | + fatal("Couldn't import hostname"); |
1473 | + | 1409 | + |
1474 | + if (kex->gss_client && | 1410 | + if (ssh->kex->gss_client && |
1475 | + ssh_gssapi_client_identity(ctxt, kex->gss_client)) | 1411 | + ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client)) |
1476 | + fatal("Couldn't acquire client credentials"); | 1412 | + fatal("Couldn't acquire client credentials"); |
1477 | + | 1413 | + |
1478 | + switch (kex->kex_type) { | 1414 | + switch (ssh->kex->kex_type) { |
1479 | + case KEX_GSS_GRP1_SHA1: | 1415 | + case KEX_GSS_GRP1_SHA1: |
1480 | + dh = dh_new_group1(); | 1416 | + dh = dh_new_group1(); |
1481 | + break; | 1417 | + break; |
@@ -1484,7 +1420,7 @@ index 0000000..92a31c5 | |||
1484 | + break; | 1420 | + break; |
1485 | + case KEX_GSS_GEX_SHA1: | 1421 | + case KEX_GSS_GEX_SHA1: |
1486 | + debug("Doing group exchange\n"); | 1422 | + debug("Doing group exchange\n"); |
1487 | + nbits = dh_estimate(kex->we_need * 8); | 1423 | + nbits = dh_estimate(ssh->kex->we_need * 8); |
1488 | + packet_start(SSH2_MSG_KEXGSS_GROUPREQ); | 1424 | + packet_start(SSH2_MSG_KEXGSS_GROUPREQ); |
1489 | + packet_put_int(min); | 1425 | + packet_put_int(min); |
1490 | + packet_put_int(nbits); | 1426 | + packet_put_int(nbits); |
@@ -1509,11 +1445,11 @@ index 0000000..92a31c5 | |||
1509 | + dh = dh_new_group(g, p); | 1445 | + dh = dh_new_group(g, p); |
1510 | + break; | 1446 | + break; |
1511 | + default: | 1447 | + default: |
1512 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | 1448 | + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); |
1513 | + } | 1449 | + } |
1514 | + | 1450 | + |
1515 | + /* Step 1 - e is dh->pub_key */ | 1451 | + /* Step 1 - e is dh->pub_key */ |
1516 | + dh_gen_key(dh, kex->we_need * 8); | 1452 | + dh_gen_key(dh, ssh->kex->we_need * 8); |
1517 | + | 1453 | + |
1518 | + /* This is f, we initialise it now to make life easier */ | 1454 | + /* This is f, we initialise it now to make life easier */ |
1519 | + dh_server_pub = BN_new(); | 1455 | + dh_server_pub = BN_new(); |
@@ -1526,7 +1462,7 @@ index 0000000..92a31c5 | |||
1526 | + debug("Calling gss_init_sec_context"); | 1462 | + debug("Calling gss_init_sec_context"); |
1527 | + | 1463 | + |
1528 | + maj_status = ssh_gssapi_init_ctx(ctxt, | 1464 | + maj_status = ssh_gssapi_init_ctx(ctxt, |
1529 | + kex->gss_deleg_creds, token_ptr, &send_tok, | 1465 | + ssh->kex->gss_deleg_creds, token_ptr, &send_tok, |
1530 | + &ret_flags); | 1466 | + &ret_flags); |
1531 | + | 1467 | + |
1532 | + if (GSS_ERROR(maj_status)) { | 1468 | + if (GSS_ERROR(maj_status)) { |
@@ -1659,38 +1595,39 @@ index 0000000..92a31c5 | |||
1659 | + memset(kbuf, 0, klen); | 1595 | + memset(kbuf, 0, klen); |
1660 | + free(kbuf); | 1596 | + free(kbuf); |
1661 | + | 1597 | + |
1662 | + switch (kex->kex_type) { | 1598 | + hashlen = sizeof(hash); |
1599 | + switch (ssh->kex->kex_type) { | ||
1663 | + case KEX_GSS_GRP1_SHA1: | 1600 | + case KEX_GSS_GRP1_SHA1: |
1664 | + case KEX_GSS_GRP14_SHA1: | 1601 | + case KEX_GSS_GRP14_SHA1: |
1665 | + kex_dh_hash( kex->client_version_string, | 1602 | + kex_dh_hash( ssh->kex->client_version_string, |
1666 | + kex->server_version_string, | 1603 | + ssh->kex->server_version_string, |
1667 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1604 | + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), |
1668 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1605 | + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), |
1669 | + (serverhostkey ? serverhostkey : empty), slen, | 1606 | + (serverhostkey ? serverhostkey : empty), slen, |
1670 | + dh->pub_key, /* e */ | 1607 | + dh->pub_key, /* e */ |
1671 | + dh_server_pub, /* f */ | 1608 | + dh_server_pub, /* f */ |
1672 | + shared_secret, /* K */ | 1609 | + shared_secret, /* K */ |
1673 | + &hash, &hashlen | 1610 | + hash, &hashlen |
1674 | + ); | 1611 | + ); |
1675 | + break; | 1612 | + break; |
1676 | + case KEX_GSS_GEX_SHA1: | 1613 | + case KEX_GSS_GEX_SHA1: |
1677 | + kexgex_hash( | 1614 | + kexgex_hash( |
1678 | + kex->hash_alg, | 1615 | + ssh->kex->hash_alg, |
1679 | + kex->client_version_string, | 1616 | + ssh->kex->client_version_string, |
1680 | + kex->server_version_string, | 1617 | + ssh->kex->server_version_string, |
1681 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1618 | + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), |
1682 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1619 | + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), |
1683 | + (serverhostkey ? serverhostkey : empty), slen, | 1620 | + (serverhostkey ? serverhostkey : empty), slen, |
1684 | + min, nbits, max, | 1621 | + min, nbits, max, |
1685 | + dh->p, dh->g, | 1622 | + dh->p, dh->g, |
1686 | + dh->pub_key, | 1623 | + dh->pub_key, |
1687 | + dh_server_pub, | 1624 | + dh_server_pub, |
1688 | + shared_secret, | 1625 | + shared_secret, |
1689 | + &hash, &hashlen | 1626 | + hash, &hashlen |
1690 | + ); | 1627 | + ); |
1691 | + break; | 1628 | + break; |
1692 | + default: | 1629 | + default: |
1693 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | 1630 | + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); |
1694 | + } | 1631 | + } |
1695 | + | 1632 | + |
1696 | + gssbuf.value = hash; | 1633 | + gssbuf.value = hash; |
@@ -1707,13 +1644,13 @@ index 0000000..92a31c5 | |||
1707 | + BN_clear_free(dh_server_pub); | 1644 | + BN_clear_free(dh_server_pub); |
1708 | + | 1645 | + |
1709 | + /* save session id */ | 1646 | + /* save session id */ |
1710 | + if (kex->session_id == NULL) { | 1647 | + if (ssh->kex->session_id == NULL) { |
1711 | + kex->session_id_len = hashlen; | 1648 | + ssh->kex->session_id_len = hashlen; |
1712 | + kex->session_id = xmalloc(kex->session_id_len); | 1649 | + ssh->kex->session_id = xmalloc(ssh->kex->session_id_len); |
1713 | + memcpy(kex->session_id, hash, kex->session_id_len); | 1650 | + memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len); |
1714 | + } | 1651 | + } |
1715 | + | 1652 | + |
1716 | + if (kex->gss_deleg_creds) | 1653 | + if (ssh->kex->gss_deleg_creds) |
1717 | + ssh_gssapi_credentials_updated(ctxt); | 1654 | + ssh_gssapi_credentials_updated(ctxt); |
1718 | + | 1655 | + |
1719 | + if (gss_kex_context == NULL) | 1656 | + if (gss_kex_context == NULL) |
@@ -1721,18 +1658,18 @@ index 0000000..92a31c5 | |||
1721 | + else | 1658 | + else |
1722 | + ssh_gssapi_delete_ctx(&ctxt); | 1659 | + ssh_gssapi_delete_ctx(&ctxt); |
1723 | + | 1660 | + |
1724 | + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); | 1661 | + kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); |
1725 | + BN_clear_free(shared_secret); | 1662 | + BN_clear_free(shared_secret); |
1726 | + kex_finish(kex); | 1663 | + return kex_send_newkeys(ssh); |
1727 | +} | 1664 | +} |
1728 | + | 1665 | + |
1729 | +#endif /* GSSAPI */ | 1666 | +#endif /* GSSAPI */ |
1730 | diff --git a/kexgsss.c b/kexgsss.c | 1667 | diff --git a/kexgsss.c b/kexgsss.c |
1731 | new file mode 100644 | 1668 | new file mode 100644 |
1732 | index 0000000..6a0ece8 | 1669 | index 0000000..0847469 |
1733 | --- /dev/null | 1670 | --- /dev/null |
1734 | +++ b/kexgsss.c | 1671 | +++ b/kexgsss.c |
1735 | @@ -0,0 +1,290 @@ | 1672 | @@ -0,0 +1,295 @@ |
1736 | +/* | 1673 | +/* |
1737 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1674 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1738 | + * | 1675 | + * |
@@ -1779,11 +1716,12 @@ index 0000000..6a0ece8 | |||
1779 | +#include "monitor_wrap.h" | 1716 | +#include "monitor_wrap.h" |
1780 | +#include "misc.h" | 1717 | +#include "misc.h" |
1781 | +#include "servconf.h" | 1718 | +#include "servconf.h" |
1719 | +#include "digest.h" | ||
1782 | + | 1720 | + |
1783 | +extern ServerOptions options; | 1721 | +extern ServerOptions options; |
1784 | + | 1722 | + |
1785 | +void | 1723 | +int |
1786 | +kexgss_server(Kex *kex) | 1724 | +kexgss_server(struct ssh *ssh) |
1787 | +{ | 1725 | +{ |
1788 | + OM_uint32 maj_status, min_status; | 1726 | + OM_uint32 maj_status, min_status; |
1789 | + | 1727 | + |
@@ -1798,8 +1736,8 @@ index 0000000..6a0ece8 | |||
1798 | + gss_buffer_desc gssbuf, recv_tok, msg_tok; | 1736 | + gss_buffer_desc gssbuf, recv_tok, msg_tok; |
1799 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | 1737 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
1800 | + Gssctxt *ctxt = NULL; | 1738 | + Gssctxt *ctxt = NULL; |
1801 | + u_int slen, klen, kout, hashlen; | 1739 | + u_int slen, klen, kout; |
1802 | + u_char *kbuf, *hash; | 1740 | + u_char *kbuf; |
1803 | + DH *dh; | 1741 | + DH *dh; |
1804 | + int min = -1, max = -1, nbits = -1; | 1742 | + int min = -1, max = -1, nbits = -1; |
1805 | + BIGNUM *shared_secret = NULL; | 1743 | + BIGNUM *shared_secret = NULL; |
@@ -1807,6 +1745,8 @@ index 0000000..6a0ece8 | |||
1807 | + int type = 0; | 1745 | + int type = 0; |
1808 | + gss_OID oid; | 1746 | + gss_OID oid; |
1809 | + char *mechs; | 1747 | + char *mechs; |
1748 | + u_char hash[SSH_DIGEST_MAX_LENGTH]; | ||
1749 | + size_t hashlen; | ||
1810 | + | 1750 | + |
1811 | + /* Initialise GSSAPI */ | 1751 | + /* Initialise GSSAPI */ |
1812 | + | 1752 | + |
@@ -1819,8 +1759,8 @@ index 0000000..6a0ece8 | |||
1819 | + free(mechs); | 1759 | + free(mechs); |
1820 | + } | 1760 | + } |
1821 | + | 1761 | + |
1822 | + debug2("%s: Identifying %s", __func__, kex->name); | 1762 | + debug2("%s: Identifying %s", __func__, ssh->kex->name); |
1823 | + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); | 1763 | + oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type); |
1824 | + if (oid == GSS_C_NO_OID) | 1764 | + if (oid == GSS_C_NO_OID) |
1825 | + fatal("Unknown gssapi mechanism"); | 1765 | + fatal("Unknown gssapi mechanism"); |
1826 | + | 1766 | + |
@@ -1829,7 +1769,7 @@ index 0000000..6a0ece8 | |||
1829 | + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) | 1769 | + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) |
1830 | + fatal("Unable to acquire credentials for the server"); | 1770 | + fatal("Unable to acquire credentials for the server"); |
1831 | + | 1771 | + |
1832 | + switch (kex->kex_type) { | 1772 | + switch (ssh->kex->kex_type) { |
1833 | + case KEX_GSS_GRP1_SHA1: | 1773 | + case KEX_GSS_GRP1_SHA1: |
1834 | + dh = dh_new_group1(); | 1774 | + dh = dh_new_group1(); |
1835 | + break; | 1775 | + break; |
@@ -1860,10 +1800,10 @@ index 0000000..6a0ece8 | |||
1860 | + packet_write_wait(); | 1800 | + packet_write_wait(); |
1861 | + break; | 1801 | + break; |
1862 | + default: | 1802 | + default: |
1863 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | 1803 | + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); |
1864 | + } | 1804 | + } |
1865 | + | 1805 | + |
1866 | + dh_gen_key(dh, kex->we_need * 8); | 1806 | + dh_gen_key(dh, ssh->kex->we_need * 8); |
1867 | + | 1807 | + |
1868 | + do { | 1808 | + do { |
1869 | + debug("Wait SSH2_MSG_GSSAPI_INIT"); | 1809 | + debug("Wait SSH2_MSG_GSSAPI_INIT"); |
@@ -1946,43 +1886,44 @@ index 0000000..6a0ece8 | |||
1946 | + memset(kbuf, 0, klen); | 1886 | + memset(kbuf, 0, klen); |
1947 | + free(kbuf); | 1887 | + free(kbuf); |
1948 | + | 1888 | + |
1949 | + switch (kex->kex_type) { | 1889 | + hashlen = sizeof(hash); |
1890 | + switch (ssh->kex->kex_type) { | ||
1950 | + case KEX_GSS_GRP1_SHA1: | 1891 | + case KEX_GSS_GRP1_SHA1: |
1951 | + case KEX_GSS_GRP14_SHA1: | 1892 | + case KEX_GSS_GRP14_SHA1: |
1952 | + kex_dh_hash( | 1893 | + kex_dh_hash( |
1953 | + kex->client_version_string, kex->server_version_string, | 1894 | + ssh->kex->client_version_string, ssh->kex->server_version_string, |
1954 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1895 | + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), |
1955 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1896 | + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), |
1956 | + NULL, 0, /* Change this if we start sending host keys */ | 1897 | + NULL, 0, /* Change this if we start sending host keys */ |
1957 | + dh_client_pub, dh->pub_key, shared_secret, | 1898 | + dh_client_pub, dh->pub_key, shared_secret, |
1958 | + &hash, &hashlen | 1899 | + hash, &hashlen |
1959 | + ); | 1900 | + ); |
1960 | + break; | 1901 | + break; |
1961 | + case KEX_GSS_GEX_SHA1: | 1902 | + case KEX_GSS_GEX_SHA1: |
1962 | + kexgex_hash( | 1903 | + kexgex_hash( |
1963 | + kex->hash_alg, | 1904 | + ssh->kex->hash_alg, |
1964 | + kex->client_version_string, kex->server_version_string, | 1905 | + ssh->kex->client_version_string, ssh->kex->server_version_string, |
1965 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1906 | + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), |
1966 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1907 | + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), |
1967 | + NULL, 0, | 1908 | + NULL, 0, |
1968 | + min, nbits, max, | 1909 | + min, nbits, max, |
1969 | + dh->p, dh->g, | 1910 | + dh->p, dh->g, |
1970 | + dh_client_pub, | 1911 | + dh_client_pub, |
1971 | + dh->pub_key, | 1912 | + dh->pub_key, |
1972 | + shared_secret, | 1913 | + shared_secret, |
1973 | + &hash, &hashlen | 1914 | + hash, &hashlen |
1974 | + ); | 1915 | + ); |
1975 | + break; | 1916 | + break; |
1976 | + default: | 1917 | + default: |
1977 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | 1918 | + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); |
1978 | + } | 1919 | + } |
1979 | + | 1920 | + |
1980 | + BN_clear_free(dh_client_pub); | 1921 | + BN_clear_free(dh_client_pub); |
1981 | + | 1922 | + |
1982 | + if (kex->session_id == NULL) { | 1923 | + if (ssh->kex->session_id == NULL) { |
1983 | + kex->session_id_len = hashlen; | 1924 | + ssh->kex->session_id_len = hashlen; |
1984 | + kex->session_id = xmalloc(kex->session_id_len); | 1925 | + ssh->kex->session_id = xmalloc(ssh->kex->session_id_len); |
1985 | + memcpy(kex->session_id, hash, kex->session_id_len); | 1926 | + memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len); |
1986 | + } | 1927 | + } |
1987 | + | 1928 | + |
1988 | + gssbuf.value = hash; | 1929 | + gssbuf.value = hash; |
@@ -2013,21 +1954,22 @@ index 0000000..6a0ece8 | |||
2013 | + | 1954 | + |
2014 | + DH_free(dh); | 1955 | + DH_free(dh); |
2015 | + | 1956 | + |
2016 | + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); | 1957 | + kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); |
2017 | + BN_clear_free(shared_secret); | 1958 | + BN_clear_free(shared_secret); |
2018 | + kex_finish(kex); | 1959 | + kex_send_newkeys(ssh); |
2019 | + | 1960 | + |
2020 | + /* If this was a rekey, then save out any delegated credentials we | 1961 | + /* If this was a rekey, then save out any delegated credentials we |
2021 | + * just exchanged. */ | 1962 | + * just exchanged. */ |
2022 | + if (options.gss_store_rekey) | 1963 | + if (options.gss_store_rekey) |
2023 | + ssh_gssapi_rekey_creds(); | 1964 | + ssh_gssapi_rekey_creds(); |
1965 | + return 0; | ||
2024 | +} | 1966 | +} |
2025 | +#endif /* GSSAPI */ | 1967 | +#endif /* GSSAPI */ |
2026 | diff --git a/monitor.c b/monitor.c | 1968 | diff --git a/monitor.c b/monitor.c |
2027 | index dbe29f1..b0896ef 100644 | 1969 | index bab6ce8..a2027e5 100644 |
2028 | --- a/monitor.c | 1970 | --- a/monitor.c |
2029 | +++ b/monitor.c | 1971 | +++ b/monitor.c |
2030 | @@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 1972 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
2031 | int mm_answer_gss_accept_ctx(int, Buffer *); | 1973 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2032 | int mm_answer_gss_userok(int, Buffer *); | 1974 | int mm_answer_gss_userok(int, Buffer *); |
2033 | int mm_answer_gss_checkmic(int, Buffer *); | 1975 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -2036,7 +1978,7 @@ index dbe29f1..b0896ef 100644 | |||
2036 | #endif | 1978 | #endif |
2037 | 1979 | ||
2038 | #ifdef SSH_AUDIT_EVENTS | 1980 | #ifdef SSH_AUDIT_EVENTS |
2039 | @@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = { | 1981 | @@ -234,11 +236,18 @@ struct mon_table mon_dispatch_proto20[] = { |
2040 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 1982 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2041 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 1983 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2042 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 1984 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2055,7 +1997,7 @@ index dbe29f1..b0896ef 100644 | |||
2055 | #ifdef WITH_OPENSSL | 1997 | #ifdef WITH_OPENSSL |
2056 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 1998 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2057 | #endif | 1999 | #endif |
2058 | @@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 2000 | @@ -353,6 +362,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2059 | /* Permit requests for moduli and signatures */ | 2001 | /* Permit requests for moduli and signatures */ |
2060 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2002 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2061 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2003 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2066,7 +2008,7 @@ index dbe29f1..b0896ef 100644 | |||
2066 | } else { | 2008 | } else { |
2067 | mon_dispatch = mon_dispatch_proto15; | 2009 | mon_dispatch = mon_dispatch_proto15; |
2068 | 2010 | ||
2069 | @@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2011 | @@ -461,6 +474,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2070 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2012 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2071 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2013 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2072 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2014 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2077,21 +2019,21 @@ index dbe29f1..b0896ef 100644 | |||
2077 | } else { | 2019 | } else { |
2078 | mon_dispatch = mon_dispatch_postauth15; | 2020 | mon_dispatch = mon_dispatch_postauth15; |
2079 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2021 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2080 | @@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m) | 2022 | @@ -1860,6 +1877,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
2081 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2023 | # endif |
2082 | #endif | 2024 | #endif /* WITH_OPENSSL */ |
2083 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2025 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
2084 | +#ifdef GSSAPI | 2026 | +#ifdef GSSAPI |
2085 | + if (options.gss_keyex) { | 2027 | + if (options.gss_keyex) { |
2086 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | 2028 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; |
2087 | + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; | 2029 | + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; |
2088 | + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; | 2030 | + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; |
2089 | + } | 2031 | + } |
2090 | +#endif | 2032 | +#endif |
2091 | kex->server = 1; | 2033 | kex->load_host_public_key=&get_hostkey_public_by_type; |
2092 | kex->hostkey_type = buffer_get_int(m); | 2034 | kex->load_host_private_key=&get_hostkey_private_by_type; |
2093 | kex->kex_type = buffer_get_int(m); | 2035 | kex->host_key_index=&get_hostkey_index; |
2094 | @@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2036 | @@ -1959,6 +1983,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2095 | OM_uint32 major; | 2037 | OM_uint32 major; |
2096 | u_int len; | 2038 | u_int len; |
2097 | 2039 | ||
@@ -2101,7 +2043,7 @@ index dbe29f1..b0896ef 100644 | |||
2101 | goid.elements = buffer_get_string(m, &len); | 2043 | goid.elements = buffer_get_string(m, &len); |
2102 | goid.length = len; | 2044 | goid.length = len; |
2103 | 2045 | ||
2104 | @@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2046 | @@ -1986,6 +2013,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2105 | OM_uint32 flags = 0; /* GSI needs this */ | 2047 | OM_uint32 flags = 0; /* GSI needs this */ |
2106 | u_int len; | 2048 | u_int len; |
2107 | 2049 | ||
@@ -2111,7 +2053,7 @@ index dbe29f1..b0896ef 100644 | |||
2111 | in.value = buffer_get_string(m, &len); | 2053 | in.value = buffer_get_string(m, &len); |
2112 | in.length = len; | 2054 | in.length = len; |
2113 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2055 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2114 | @@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2056 | @@ -2003,6 +2033,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2115 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2057 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2116 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2058 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2117 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2059 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2119,7 +2061,7 @@ index dbe29f1..b0896ef 100644 | |||
2119 | } | 2061 | } |
2120 | return (0); | 2062 | return (0); |
2121 | } | 2063 | } |
2122 | @@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2064 | @@ -2014,6 +2045,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2123 | OM_uint32 ret; | 2065 | OM_uint32 ret; |
2124 | u_int len; | 2066 | u_int len; |
2125 | 2067 | ||
@@ -2129,7 +2071,7 @@ index dbe29f1..b0896ef 100644 | |||
2129 | gssbuf.value = buffer_get_string(m, &len); | 2071 | gssbuf.value = buffer_get_string(m, &len); |
2130 | gssbuf.length = len; | 2072 | gssbuf.length = len; |
2131 | mic.value = buffer_get_string(m, &len); | 2073 | mic.value = buffer_get_string(m, &len); |
2132 | @@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2074 | @@ -2040,7 +2074,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2133 | { | 2075 | { |
2134 | int authenticated; | 2076 | int authenticated; |
2135 | 2077 | ||
@@ -2142,7 +2084,7 @@ index dbe29f1..b0896ef 100644 | |||
2142 | 2084 | ||
2143 | buffer_clear(m); | 2085 | buffer_clear(m); |
2144 | buffer_put_int(m, authenticated); | 2086 | buffer_put_int(m, authenticated); |
2145 | @@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2087 | @@ -2053,5 +2091,73 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2146 | /* Monitor loop will terminate if authenticated */ | 2088 | /* Monitor loop will terminate if authenticated */ |
2147 | return (authenticated); | 2089 | return (authenticated); |
2148 | } | 2090 | } |
@@ -2217,7 +2159,7 @@ index dbe29f1..b0896ef 100644 | |||
2217 | #endif /* GSSAPI */ | 2159 | #endif /* GSSAPI */ |
2218 | 2160 | ||
2219 | diff --git a/monitor.h b/monitor.h | 2161 | diff --git a/monitor.h b/monitor.h |
2220 | index 5bc41b5..7f32b0c 100644 | 2162 | index 93b8b66..bc50ade 100644 |
2221 | --- a/monitor.h | 2163 | --- a/monitor.h |
2222 | +++ b/monitor.h | 2164 | +++ b/monitor.h |
2223 | @@ -65,6 +65,9 @@ enum monitor_reqtype { | 2165 | @@ -65,6 +65,9 @@ enum monitor_reqtype { |
@@ -2231,10 +2173,10 @@ index 5bc41b5..7f32b0c 100644 | |||
2231 | 2173 | ||
2232 | struct mm_master; | 2174 | struct mm_master; |
2233 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2175 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2234 | index 45dc169..e476f0d 100644 | 2176 | index b379f05..b667218 100644 |
2235 | --- a/monitor_wrap.c | 2177 | --- a/monitor_wrap.c |
2236 | +++ b/monitor_wrap.c | 2178 | +++ b/monitor_wrap.c |
2237 | @@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2179 | @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2238 | } | 2180 | } |
2239 | 2181 | ||
2240 | int | 2182 | int |
@@ -2243,7 +2185,7 @@ index 45dc169..e476f0d 100644 | |||
2243 | { | 2185 | { |
2244 | Buffer m; | 2186 | Buffer m; |
2245 | int authenticated = 0; | 2187 | int authenticated = 0; |
2246 | @@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user) | 2188 | @@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user) |
2247 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2189 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2248 | return (authenticated); | 2190 | return (authenticated); |
2249 | } | 2191 | } |
@@ -2295,7 +2237,7 @@ index 45dc169..e476f0d 100644 | |||
2295 | #endif /* GSSAPI */ | 2237 | #endif /* GSSAPI */ |
2296 | 2238 | ||
2297 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2239 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2298 | index 18c2501..a4e9d24 100644 | 2240 | index e18784a..0c770e8 100644 |
2299 | --- a/monitor_wrap.h | 2241 | --- a/monitor_wrap.h |
2300 | +++ b/monitor_wrap.h | 2242 | +++ b/monitor_wrap.h |
2301 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); | 2243 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); |
@@ -2311,10 +2253,10 @@ index 18c2501..a4e9d24 100644 | |||
2311 | 2253 | ||
2312 | #ifdef USE_PAM | 2254 | #ifdef USE_PAM |
2313 | diff --git a/readconf.c b/readconf.c | 2255 | diff --git a/readconf.c b/readconf.c |
2314 | index 7948ce1..9127e93 100644 | 2256 | index 42a2961..254dbce 100644 |
2315 | --- a/readconf.c | 2257 | --- a/readconf.c |
2316 | +++ b/readconf.c | 2258 | +++ b/readconf.c |
2317 | @@ -142,6 +142,8 @@ typedef enum { | 2259 | @@ -147,6 +147,8 @@ typedef enum { |
2318 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2260 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2319 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2261 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2320 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2262 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2323,7 +2265,7 @@ index 7948ce1..9127e93 100644 | |||
2323 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2265 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2324 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2266 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2325 | oHashKnownHosts, | 2267 | oHashKnownHosts, |
2326 | @@ -185,10 +187,19 @@ static struct { | 2268 | @@ -191,10 +193,19 @@ static struct { |
2327 | { "afstokenpassing", oUnsupported }, | 2269 | { "afstokenpassing", oUnsupported }, |
2328 | #if defined(GSSAPI) | 2270 | #if defined(GSSAPI) |
2329 | { "gssapiauthentication", oGssAuthentication }, | 2271 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2343,7 +2285,7 @@ index 7948ce1..9127e93 100644 | |||
2343 | #endif | 2285 | #endif |
2344 | { "fallbacktorsh", oDeprecated }, | 2286 | { "fallbacktorsh", oDeprecated }, |
2345 | { "usersh", oDeprecated }, | 2287 | { "usersh", oDeprecated }, |
2346 | @@ -865,10 +876,30 @@ parse_time: | 2288 | @@ -892,10 +903,30 @@ parse_time: |
2347 | intptr = &options->gss_authentication; | 2289 | intptr = &options->gss_authentication; |
2348 | goto parse_flag; | 2290 | goto parse_flag; |
2349 | 2291 | ||
@@ -2374,7 +2316,7 @@ index 7948ce1..9127e93 100644 | |||
2374 | case oBatchMode: | 2316 | case oBatchMode: |
2375 | intptr = &options->batch_mode; | 2317 | intptr = &options->batch_mode; |
2376 | goto parse_flag; | 2318 | goto parse_flag; |
2377 | @@ -1538,7 +1569,12 @@ initialize_options(Options * options) | 2319 | @@ -1601,7 +1632,12 @@ initialize_options(Options * options) |
2378 | options->pubkey_authentication = -1; | 2320 | options->pubkey_authentication = -1; |
2379 | options->challenge_response_authentication = -1; | 2321 | options->challenge_response_authentication = -1; |
2380 | options->gss_authentication = -1; | 2322 | options->gss_authentication = -1; |
@@ -2387,7 +2329,7 @@ index 7948ce1..9127e93 100644 | |||
2387 | options->password_authentication = -1; | 2329 | options->password_authentication = -1; |
2388 | options->kbd_interactive_authentication = -1; | 2330 | options->kbd_interactive_authentication = -1; |
2389 | options->kbd_interactive_devices = NULL; | 2331 | options->kbd_interactive_devices = NULL; |
2390 | @@ -1661,8 +1697,14 @@ fill_default_options(Options * options) | 2332 | @@ -1728,8 +1764,14 @@ fill_default_options(Options * options) |
2391 | options->challenge_response_authentication = 1; | 2333 | options->challenge_response_authentication = 1; |
2392 | if (options->gss_authentication == -1) | 2334 | if (options->gss_authentication == -1) |
2393 | options->gss_authentication = 0; | 2335 | options->gss_authentication = 0; |
@@ -2403,7 +2345,7 @@ index 7948ce1..9127e93 100644 | |||
2403 | options->password_authentication = 1; | 2345 | options->password_authentication = 1; |
2404 | if (options->kbd_interactive_authentication == -1) | 2346 | if (options->kbd_interactive_authentication == -1) |
2405 | diff --git a/readconf.h b/readconf.h | 2347 | diff --git a/readconf.h b/readconf.h |
2406 | index 0b9cb77..0e29889 100644 | 2348 | index 576b9e3..ef39c4c 100644 |
2407 | --- a/readconf.h | 2349 | --- a/readconf.h |
2408 | +++ b/readconf.h | 2350 | +++ b/readconf.h |
2409 | @@ -45,7 +45,12 @@ typedef struct { | 2351 | @@ -45,7 +45,12 @@ typedef struct { |
@@ -2420,10 +2362,10 @@ index 0b9cb77..0e29889 100644 | |||
2420 | * authentication. */ | 2362 | * authentication. */ |
2421 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2363 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2422 | diff --git a/servconf.c b/servconf.c | 2364 | diff --git a/servconf.c b/servconf.c |
2423 | index b7f3294..cb3c831 100644 | 2365 | index 3185462..f68c0d0 100644 |
2424 | --- a/servconf.c | 2366 | --- a/servconf.c |
2425 | +++ b/servconf.c | 2367 | +++ b/servconf.c |
2426 | @@ -109,7 +109,10 @@ initialize_server_options(ServerOptions *options) | 2368 | @@ -114,7 +114,10 @@ initialize_server_options(ServerOptions *options) |
2427 | options->kerberos_ticket_cleanup = -1; | 2369 | options->kerberos_ticket_cleanup = -1; |
2428 | options->kerberos_get_afs_token = -1; | 2370 | options->kerberos_get_afs_token = -1; |
2429 | options->gss_authentication=-1; | 2371 | options->gss_authentication=-1; |
@@ -2434,7 +2376,7 @@ index b7f3294..cb3c831 100644 | |||
2434 | options->password_authentication = -1; | 2376 | options->password_authentication = -1; |
2435 | options->kbd_interactive_authentication = -1; | 2377 | options->kbd_interactive_authentication = -1; |
2436 | options->challenge_response_authentication = -1; | 2378 | options->challenge_response_authentication = -1; |
2437 | @@ -250,8 +253,14 @@ fill_default_server_options(ServerOptions *options) | 2379 | @@ -269,8 +272,14 @@ fill_default_server_options(ServerOptions *options) |
2438 | options->kerberos_get_afs_token = 0; | 2380 | options->kerberos_get_afs_token = 0; |
2439 | if (options->gss_authentication == -1) | 2381 | if (options->gss_authentication == -1) |
2440 | options->gss_authentication = 0; | 2382 | options->gss_authentication = 0; |
@@ -2449,10 +2391,10 @@ index b7f3294..cb3c831 100644 | |||
2449 | if (options->password_authentication == -1) | 2391 | if (options->password_authentication == -1) |
2450 | options->password_authentication = 1; | 2392 | options->password_authentication = 1; |
2451 | if (options->kbd_interactive_authentication == -1) | 2393 | if (options->kbd_interactive_authentication == -1) |
2452 | @@ -352,7 +361,9 @@ typedef enum { | 2394 | @@ -391,7 +400,9 @@ typedef enum { |
2453 | sBanner, sUseDNS, sHostbasedAuthentication, | 2395 | sBanner, sUseDNS, sHostbasedAuthentication, |
2454 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2396 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
2455 | sClientAliveCountMax, sAuthorizedKeysFile, | 2397 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2456 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | 2398 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, |
2457 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2399 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
2458 | + sGssKeyEx, sGssStoreRekey, | 2400 | + sGssKeyEx, sGssStoreRekey, |
@@ -2460,7 +2402,7 @@ index b7f3294..cb3c831 100644 | |||
2460 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2402 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2461 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2403 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2462 | sHostCertificate, | 2404 | sHostCertificate, |
2463 | @@ -421,10 +432,20 @@ static struct { | 2405 | @@ -462,10 +473,20 @@ static struct { |
2464 | #ifdef GSSAPI | 2406 | #ifdef GSSAPI |
2465 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2407 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2466 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2408 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2481,7 +2423,7 @@ index b7f3294..cb3c831 100644 | |||
2481 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2423 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2482 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2424 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2483 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2425 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2484 | @@ -1104,10 +1125,22 @@ process_server_config_line(ServerOptions *options, char *line, | 2426 | @@ -1166,10 +1187,22 @@ process_server_config_line(ServerOptions *options, char *line, |
2485 | intptr = &options->gss_authentication; | 2427 | intptr = &options->gss_authentication; |
2486 | goto parse_flag; | 2428 | goto parse_flag; |
2487 | 2429 | ||
@@ -2504,7 +2446,7 @@ index b7f3294..cb3c831 100644 | |||
2504 | case sPasswordAuthentication: | 2446 | case sPasswordAuthentication: |
2505 | intptr = &options->password_authentication; | 2447 | intptr = &options->password_authentication; |
2506 | goto parse_flag; | 2448 | goto parse_flag; |
2507 | @@ -2042,7 +2075,10 @@ dump_config(ServerOptions *o) | 2449 | @@ -2125,7 +2158,10 @@ dump_config(ServerOptions *o) |
2508 | #endif | 2450 | #endif |
2509 | #ifdef GSSAPI | 2451 | #ifdef GSSAPI |
2510 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2452 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2516,10 +2458,10 @@ index b7f3294..cb3c831 100644 | |||
2516 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2458 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2517 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2459 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2518 | diff --git a/servconf.h b/servconf.h | 2460 | diff --git a/servconf.h b/servconf.h |
2519 | index 766db3a..f8265a8 100644 | 2461 | index 9922f0c..d2ed4d7 100644 |
2520 | --- a/servconf.h | 2462 | --- a/servconf.h |
2521 | +++ b/servconf.h | 2463 | +++ b/servconf.h |
2522 | @@ -113,7 +113,10 @@ typedef struct { | 2464 | @@ -115,7 +115,10 @@ typedef struct { |
2523 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2465 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2524 | * authenticated with Kerberos. */ | 2466 | * authenticated with Kerberos. */ |
2525 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2467 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2647,10 +2589,10 @@ index 03a228f..228e5ab 100644 | |||
2647 | # CheckHostIP yes | 2589 | # CheckHostIP yes |
2648 | # AddressFamily any | 2590 | # AddressFamily any |
2649 | diff --git a/ssh_config.5 b/ssh_config.5 | 2591 | diff --git a/ssh_config.5 b/ssh_config.5 |
2650 | index f9ede7a..e6649ac 100644 | 2592 | index 140d0ba..4476171 100644 |
2651 | --- a/ssh_config.5 | 2593 | --- a/ssh_config.5 |
2652 | +++ b/ssh_config.5 | 2594 | +++ b/ssh_config.5 |
2653 | @@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2595 | @@ -743,11 +743,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2654 | The default is | 2596 | The default is |
2655 | .Dq no . | 2597 | .Dq no . |
2656 | Note that this option applies to protocol version 2 only. | 2598 | Note that this option applies to protocol version 2 only. |
@@ -2696,12 +2638,12 @@ index f9ede7a..e6649ac 100644 | |||
2696 | Indicates that | 2638 | Indicates that |
2697 | .Xr ssh 1 | 2639 | .Xr ssh 1 |
2698 | diff --git a/sshconnect2.c b/sshconnect2.c | 2640 | diff --git a/sshconnect2.c b/sshconnect2.c |
2699 | index 68f7f4f..7b478f1 100644 | 2641 | index ba56f64..faa8ec5 100644 |
2700 | --- a/sshconnect2.c | 2642 | --- a/sshconnect2.c |
2701 | +++ b/sshconnect2.c | 2643 | +++ b/sshconnect2.c |
2702 | @@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2644 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2703 | char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; | 2645 | struct kex *kex; |
2704 | Kex *kex; | 2646 | int r; |
2705 | 2647 | ||
2706 | +#ifdef GSSAPI | 2648 | +#ifdef GSSAPI |
2707 | + char *orig = NULL, *gss = NULL; | 2649 | + char *orig = NULL, *gss = NULL; |
@@ -2734,7 +2676,7 @@ index 68f7f4f..7b478f1 100644 | |||
2734 | if (options.ciphers == (char *)-1) { | 2676 | if (options.ciphers == (char *)-1) { |
2735 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2677 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2736 | options.ciphers = NULL; | 2678 | options.ciphers = NULL; |
2737 | @@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2679 | @@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2738 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | 2680 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
2739 | myproposal[PROPOSAL_KEX_ALGS]); | 2681 | myproposal[PROPOSAL_KEX_ALGS]); |
2740 | 2682 | ||
@@ -2752,8 +2694,8 @@ index 68f7f4f..7b478f1 100644 | |||
2752 | if (options.rekey_limit || options.rekey_interval) | 2694 | if (options.rekey_limit || options.rekey_interval) |
2753 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2695 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2754 | (time_t)options.rekey_interval); | 2696 | (time_t)options.rekey_interval); |
2755 | @@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2697 | @@ -218,10 +254,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2756 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2698 | # endif |
2757 | #endif | 2699 | #endif |
2758 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; | 2700 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; |
2759 | +#ifdef GSSAPI | 2701 | +#ifdef GSSAPI |
@@ -2780,18 +2722,18 @@ index 68f7f4f..7b478f1 100644 | |||
2780 | + } | 2722 | + } |
2781 | +#endif | 2723 | +#endif |
2782 | + | 2724 | + |
2783 | xxx_kex = kex; | 2725 | dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); |
2784 | 2726 | ||
2785 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2727 | if (options.use_roaming && !kex->roaming) { |
2786 | @@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | 2728 | @@ -313,6 +369,7 @@ int input_gssapi_token(int type, u_int32_t, void *); |
2787 | void input_gssapi_hash(int type, u_int32_t, void *); | 2729 | int input_gssapi_hash(int type, u_int32_t, void *); |
2788 | void input_gssapi_error(int, u_int32_t, void *); | 2730 | int input_gssapi_error(int, u_int32_t, void *); |
2789 | void input_gssapi_errtok(int, u_int32_t, void *); | 2731 | int input_gssapi_errtok(int, u_int32_t, void *); |
2790 | +int userauth_gsskeyex(Authctxt *authctxt); | 2732 | +int userauth_gsskeyex(Authctxt *authctxt); |
2791 | #endif | 2733 | #endif |
2792 | 2734 | ||
2793 | void userauth(Authctxt *, char *); | 2735 | void userauth(Authctxt *, char *); |
2794 | @@ -321,6 +378,11 @@ static char *authmethods_get(void); | 2736 | @@ -328,6 +385,11 @@ static char *authmethods_get(void); |
2795 | 2737 | ||
2796 | Authmethod authmethods[] = { | 2738 | Authmethod authmethods[] = { |
2797 | #ifdef GSSAPI | 2739 | #ifdef GSSAPI |
@@ -2803,7 +2745,7 @@ index 68f7f4f..7b478f1 100644 | |||
2803 | {"gssapi-with-mic", | 2745 | {"gssapi-with-mic", |
2804 | userauth_gssapi, | 2746 | userauth_gssapi, |
2805 | NULL, | 2747 | NULL, |
2806 | @@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt) | 2748 | @@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt) |
2807 | static u_int mech = 0; | 2749 | static u_int mech = 0; |
2808 | OM_uint32 min; | 2750 | OM_uint32 min; |
2809 | int ok = 0; | 2751 | int ok = 0; |
@@ -2837,7 +2779,7 @@ index 68f7f4f..7b478f1 100644 | |||
2837 | ok = 1; /* Mechanism works */ | 2779 | ok = 1; /* Mechanism works */ |
2838 | } else { | 2780 | } else { |
2839 | mech++; | 2781 | mech++; |
2840 | @@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2782 | @@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2841 | { | 2783 | { |
2842 | Authctxt *authctxt = ctxt; | 2784 | Authctxt *authctxt = ctxt; |
2843 | Gssctxt *gssctxt; | 2785 | Gssctxt *gssctxt; |
@@ -2848,9 +2790,9 @@ index 68f7f4f..7b478f1 100644 | |||
2848 | 2790 | ||
2849 | if (authctxt == NULL) | 2791 | if (authctxt == NULL) |
2850 | fatal("input_gssapi_response: no authentication context"); | 2792 | fatal("input_gssapi_response: no authentication context"); |
2851 | @@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 2793 | @@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2852 | free(msg); | ||
2853 | free(lang); | 2794 | free(lang); |
2795 | return 0; | ||
2854 | } | 2796 | } |
2855 | + | 2797 | + |
2856 | +int | 2798 | +int |
@@ -2898,12 +2840,12 @@ index 68f7f4f..7b478f1 100644 | |||
2898 | 2840 | ||
2899 | int | 2841 | int |
2900 | diff --git a/sshd.c b/sshd.c | 2842 | diff --git a/sshd.c b/sshd.c |
2901 | index 481d001..e6706a8 100644 | 2843 | index e1c767c..cf38bae 100644 |
2902 | --- a/sshd.c | 2844 | --- a/sshd.c |
2903 | +++ b/sshd.c | 2845 | +++ b/sshd.c |
2904 | @@ -123,6 +123,10 @@ | 2846 | @@ -125,6 +125,10 @@ |
2905 | #include "ssh-sandbox.h" | ||
2906 | #include "version.h" | 2847 | #include "version.h" |
2848 | #include "ssherr.h" | ||
2907 | 2849 | ||
2908 | +#ifdef USE_SECURITY_SESSION_API | 2850 | +#ifdef USE_SECURITY_SESSION_API |
2909 | +#include <Security/AuthSession.h> | 2851 | +#include <Security/AuthSession.h> |
@@ -2912,7 +2854,7 @@ index 481d001..e6706a8 100644 | |||
2912 | #ifndef O_NOCTTY | 2854 | #ifndef O_NOCTTY |
2913 | #define O_NOCTTY 0 | 2855 | #define O_NOCTTY 0 |
2914 | #endif | 2856 | #endif |
2915 | @@ -1745,10 +1749,13 @@ main(int ac, char **av) | 2857 | @@ -1815,10 +1819,13 @@ main(int ac, char **av) |
2916 | logit("Disabling protocol version 1. Could not load host key"); | 2858 | logit("Disabling protocol version 1. Could not load host key"); |
2917 | options.protocol &= ~SSH_PROTO_1; | 2859 | options.protocol &= ~SSH_PROTO_1; |
2918 | } | 2860 | } |
@@ -2926,7 +2868,7 @@ index 481d001..e6706a8 100644 | |||
2926 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2868 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2927 | logit("sshd: no hostkeys available -- exiting."); | 2869 | logit("sshd: no hostkeys available -- exiting."); |
2928 | exit(1); | 2870 | exit(1); |
2929 | @@ -2060,6 +2067,60 @@ main(int ac, char **av) | 2871 | @@ -2132,6 +2139,60 @@ main(int ac, char **av) |
2930 | remote_ip, remote_port, | 2872 | remote_ip, remote_port, |
2931 | get_local_ipaddr(sock_in), get_local_port()); | 2873 | get_local_ipaddr(sock_in), get_local_port()); |
2932 | 2874 | ||
@@ -2987,7 +2929,7 @@ index 481d001..e6706a8 100644 | |||
2987 | /* | 2929 | /* |
2988 | * We don't want to listen forever unless the other side | 2930 | * We don't want to listen forever unless the other side |
2989 | * successfully authenticates itself. So we set up an alarm which is | 2931 | * successfully authenticates itself. So we set up an alarm which is |
2990 | @@ -2482,6 +2543,48 @@ do_ssh2_kex(void) | 2932 | @@ -2561,6 +2622,48 @@ do_ssh2_kex(void) |
2991 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2933 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
2992 | list_hostkey_types()); | 2934 | list_hostkey_types()); |
2993 | 2935 | ||
@@ -3034,10 +2976,10 @@ index 481d001..e6706a8 100644 | |||
3034 | +#endif | 2976 | +#endif |
3035 | + | 2977 | + |
3036 | /* start key exchange */ | 2978 | /* start key exchange */ |
3037 | kex = kex_setup(myproposal); | 2979 | if ((r = kex_setup(active_state, myproposal)) != 0) |
3038 | #ifdef WITH_OPENSSL | 2980 | fatal("kex_setup: %s", ssh_err(r)); |
3039 | @@ -2492,6 +2595,13 @@ do_ssh2_kex(void) | 2981 | @@ -2575,6 +2678,13 @@ do_ssh2_kex(void) |
3040 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2982 | # endif |
3041 | #endif | 2983 | #endif |
3042 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2984 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
3043 | +#ifdef GSSAPI | 2985 | +#ifdef GSSAPI |
@@ -3051,7 +2993,7 @@ index 481d001..e6706a8 100644 | |||
3051 | kex->client_version_string=client_version_string; | 2993 | kex->client_version_string=client_version_string; |
3052 | kex->server_version_string=server_version_string; | 2994 | kex->server_version_string=server_version_string; |
3053 | diff --git a/sshd_config b/sshd_config | 2995 | diff --git a/sshd_config b/sshd_config |
3054 | index e9045bc..d9b8594 100644 | 2996 | index c9042ac..a71ad19 100644 |
3055 | --- a/sshd_config | 2997 | --- a/sshd_config |
3056 | +++ b/sshd_config | 2998 | +++ b/sshd_config |
3057 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 2999 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
@@ -3064,10 +3006,10 @@ index e9045bc..d9b8594 100644 | |||
3064 | # Set this to 'yes' to enable PAM authentication, account processing, | 3006 | # Set this to 'yes' to enable PAM authentication, account processing, |
3065 | # and session processing. If this is enabled, PAM authentication will | 3007 | # and session processing. If this is enabled, PAM authentication will |
3066 | diff --git a/sshd_config.5 b/sshd_config.5 | 3008 | diff --git a/sshd_config.5 b/sshd_config.5 |
3067 | index fd44abe..c8b43da 100644 | 3009 | index 6dce0c7..0331496 100644 |
3068 | --- a/sshd_config.5 | 3010 | --- a/sshd_config.5 |
3069 | +++ b/sshd_config.5 | 3011 | +++ b/sshd_config.5 |
3070 | @@ -527,12 +527,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | 3012 | @@ -564,12 +564,40 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3071 | The default is | 3013 | The default is |
3072 | .Dq no . | 3014 | .Dq no . |
3073 | Note that this option applies to protocol version 2 only. | 3015 | Note that this option applies to protocol version 2 only. |
@@ -3105,14 +3047,14 @@ index fd44abe..c8b43da 100644 | |||
3105 | +successful connection rekeying. This option can be used to accepted renewed | 3047 | +successful connection rekeying. This option can be used to accepted renewed |
3106 | +or updated credentials from a compatible client. The default is | 3048 | +or updated credentials from a compatible client. The default is |
3107 | +.Dq no . | 3049 | +.Dq no . |
3108 | .It Cm HostbasedAuthentication | 3050 | .It Cm HostbasedAcceptedKeyTypes |
3109 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 3051 | Specifies the key types that will be accepted for hostbased authentication |
3110 | with successful public key client host authentication is allowed | 3052 | as a comma-separated pattern list. |
3111 | diff --git a/sshkey.c b/sshkey.c | 3053 | diff --git a/sshkey.c b/sshkey.c |
3112 | index fdd0c8a..1a96eae 100644 | 3054 | index 4768790..cd5992e 100644 |
3113 | --- a/sshkey.c | 3055 | --- a/sshkey.c |
3114 | +++ b/sshkey.c | 3056 | +++ b/sshkey.c |
3115 | @@ -110,6 +110,7 @@ static const struct keytype keytypes[] = { | 3057 | @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { |
3116 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | 3058 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", |
3117 | KEY_DSA_CERT_V00, 0, 1 }, | 3059 | KEY_DSA_CERT_V00, 0, 1 }, |
3118 | #endif /* WITH_OPENSSL */ | 3060 | #endif /* WITH_OPENSSL */ |
@@ -3120,7 +3062,7 @@ index fdd0c8a..1a96eae 100644 | |||
3120 | { NULL, NULL, -1, -1, 0 } | 3062 | { NULL, NULL, -1, -1, 0 } |
3121 | }; | 3063 | }; |
3122 | 3064 | ||
3123 | @@ -198,7 +199,7 @@ key_alg_list(int certs_only, int plain_only) | 3065 | @@ -204,7 +205,7 @@ key_alg_list(int certs_only, int plain_only) |
3124 | const struct keytype *kt; | 3066 | const struct keytype *kt; |
3125 | 3067 | ||
3126 | for (kt = keytypes; kt->type != -1; kt++) { | 3068 | for (kt = keytypes; kt->type != -1; kt++) { |
@@ -3130,7 +3072,7 @@ index fdd0c8a..1a96eae 100644 | |||
3130 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 3072 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
3131 | continue; | 3073 | continue; |
3132 | diff --git a/sshkey.h b/sshkey.h | 3074 | diff --git a/sshkey.h b/sshkey.h |
3133 | index 450b30c..b573e7f 100644 | 3075 | index 62c1c3e..9314e85 100644 |
3134 | --- a/sshkey.h | 3076 | --- a/sshkey.h |
3135 | +++ b/sshkey.h | 3077 | +++ b/sshkey.h |
3136 | @@ -64,6 +64,7 @@ enum sshkey_types { | 3078 | @@ -64,6 +64,7 @@ enum sshkey_types { |
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch index de43f2a80..6ea643210 100644 --- a/debian/patches/helpful-wait-terminate.patch +++ b/debian/patches/helpful-wait-terminate.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From aca34215fc0e85d6b49e04f0a3cd0db79732125e Mon Sep 17 00:00:00 2001 | 1 | From 9a440da8025dbc120803ee09c2a7ac8c638d31c2 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 |
4 | Subject: Mention ~& when waiting for forwarded connections to terminate | 4 | Subject: Mention ~& when waiting for forwarded connections to terminate |
@@ -12,7 +12,7 @@ Patch-Name: helpful-wait-terminate.patch | |||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | 12 | 1 file changed, 1 insertion(+), 1 deletion(-) |
13 | 13 | ||
14 | diff --git a/serverloop.c b/serverloop.c | 14 | diff --git a/serverloop.c b/serverloop.c |
15 | index e92f9e2..813e5bf 100644 | 15 | index 306ac36..68f0251 100644 |
16 | --- a/serverloop.c | 16 | --- a/serverloop.c |
17 | +++ b/serverloop.c | 17 | +++ b/serverloop.c |
18 | @@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) | 18 | @@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index 15acabc0e..0adfbd2b5 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From bd3abc2f732da3a61e4158b915480808957a4357 Mon Sep 17 00:00:00 2001 | 1 | From 7efad61f1e562f504a5ff3fb0ae90ac05a208e66 Mon Sep 17 00:00:00 2001 |
2 | From: Richard Kettlewell <rjk@greenend.org.uk> | 2 | From: Richard Kettlewell <rjk@greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 |
4 | Subject: Various keepalive extensions | 4 | Subject: Various keepalive extensions |
@@ -16,7 +16,7 @@ keepalives. | |||
16 | Author: Ian Jackson <ian@chiark.greenend.org.uk> | 16 | Author: Ian Jackson <ian@chiark.greenend.org.uk> |
17 | Author: Matthew Vernon <matthew@debian.org> | 17 | Author: Matthew Vernon <matthew@debian.org> |
18 | Author: Colin Watson <cjwatson@debian.org> | 18 | Author: Colin Watson <cjwatson@debian.org> |
19 | Last-Update: 2014-10-07 | 19 | Last-Update: 2015-08-19 |
20 | 20 | ||
21 | Patch-Name: keepalive-extensions.patch | 21 | Patch-Name: keepalive-extensions.patch |
22 | --- | 22 | --- |
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch | |||
26 | 3 files changed, 34 insertions(+), 4 deletions(-) | 26 | 3 files changed, 34 insertions(+), 4 deletions(-) |
27 | 27 | ||
28 | diff --git a/readconf.c b/readconf.c | 28 | diff --git a/readconf.c b/readconf.c |
29 | index bc879eb..337818c 100644 | 29 | index 278fe15..1d2d596 100644 |
30 | --- a/readconf.c | 30 | --- a/readconf.c |
31 | +++ b/readconf.c | 31 | +++ b/readconf.c |
32 | @@ -153,6 +153,7 @@ typedef enum { | 32 | @@ -159,6 +159,7 @@ typedef enum { |
33 | oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, | ||
34 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, | 33 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, |
35 | oStreamLocalBindMask, oStreamLocalBindUnlink, | 34 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, |
35 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | ||
36 | + oProtocolKeepAlives, oSetupTimeOut, | 36 | + oProtocolKeepAlives, oSetupTimeOut, |
37 | oIgnoredUnknownOption, oDeprecated, oUnsupported | 37 | oIgnoredUnknownOption, oDeprecated, oUnsupported |
38 | } OpCodes; | 38 | } OpCodes; |
39 | 39 | ||
40 | @@ -278,6 +279,8 @@ static struct { | 40 | @@ -288,6 +289,8 @@ static struct { |
41 | { "streamlocalbindmask", oStreamLocalBindMask }, | 41 | { "updatehostkeys", oUpdateHostkeys }, |
42 | { "streamlocalbindunlink", oStreamLocalBindUnlink }, | 42 | { "hostbasedkeytypes", oHostbasedKeyTypes }, |
43 | { "ignoreunknown", oIgnoreUnknown }, | 43 | { "ignoreunknown", oIgnoreUnknown }, |
44 | + { "protocolkeepalives", oProtocolKeepAlives }, | 44 | + { "protocolkeepalives", oProtocolKeepAlives }, |
45 | + { "setuptimeout", oSetupTimeOut }, | 45 | + { "setuptimeout", oSetupTimeOut }, |
46 | 46 | ||
47 | { NULL, oBadOption } | 47 | { NULL, oBadOption } |
48 | }; | 48 | }; |
49 | @@ -1271,6 +1274,8 @@ parse_int: | 49 | @@ -1299,6 +1302,8 @@ parse_int: |
50 | goto parse_flag; | 50 | goto parse_flag; |
51 | 51 | ||
52 | case oServerAliveInterval: | 52 | case oServerAliveInterval: |
@@ -55,7 +55,7 @@ index bc879eb..337818c 100644 | |||
55 | intptr = &options->server_alive_interval; | 55 | intptr = &options->server_alive_interval; |
56 | goto parse_time; | 56 | goto parse_time; |
57 | 57 | ||
58 | @@ -1791,8 +1796,13 @@ fill_default_options(Options * options) | 58 | @@ -1858,8 +1863,13 @@ fill_default_options(Options * options) |
59 | options->rekey_interval = 0; | 59 | options->rekey_interval = 0; |
60 | if (options->verify_host_key_dns == -1) | 60 | if (options->verify_host_key_dns == -1) |
61 | options->verify_host_key_dns = 0; | 61 | options->verify_host_key_dns = 0; |
@@ -72,10 +72,10 @@ index bc879eb..337818c 100644 | |||
72 | options->server_alive_count_max = 3; | 72 | options->server_alive_count_max = 3; |
73 | if (options->control_master == -1) | 73 | if (options->control_master == -1) |
74 | diff --git a/ssh_config.5 b/ssh_config.5 | 74 | diff --git a/ssh_config.5 b/ssh_config.5 |
75 | index 01f1f7f..ea92ea8 100644 | 75 | index dd35dd8..250c0d1 100644 |
76 | --- a/ssh_config.5 | 76 | --- a/ssh_config.5 |
77 | +++ b/ssh_config.5 | 77 | +++ b/ssh_config.5 |
78 | @@ -205,8 +205,12 @@ Valid arguments are | 78 | @@ -233,8 +233,12 @@ Valid arguments are |
79 | If set to | 79 | If set to |
80 | .Dq yes , | 80 | .Dq yes , |
81 | passphrase/password querying will be disabled. | 81 | passphrase/password querying will be disabled. |
@@ -89,7 +89,7 @@ index 01f1f7f..ea92ea8 100644 | |||
89 | The argument must be | 89 | The argument must be |
90 | .Dq yes | 90 | .Dq yes |
91 | or | 91 | or |
92 | @@ -1336,8 +1340,15 @@ from the server, | 92 | @@ -1420,8 +1424,15 @@ from the server, |
93 | will send a message through the encrypted | 93 | will send a message through the encrypted |
94 | channel to request a response from the server. | 94 | channel to request a response from the server. |
95 | The default | 95 | The default |
@@ -106,7 +106,7 @@ index 01f1f7f..ea92ea8 100644 | |||
106 | .It Cm StreamLocalBindMask | 106 | .It Cm StreamLocalBindMask |
107 | Sets the octal file creation mode mask | 107 | Sets the octal file creation mode mask |
108 | .Pq umask | 108 | .Pq umask |
109 | @@ -1403,6 +1414,12 @@ Specifies whether the system should send TCP keepalive messages to the | 109 | @@ -1487,6 +1498,12 @@ Specifies whether the system should send TCP keepalive messages to the |
110 | other side. | 110 | other side. |
111 | If they are sent, death of the connection or crash of one | 111 | If they are sent, death of the connection or crash of one |
112 | of the machines will be properly noticed. | 112 | of the machines will be properly noticed. |
@@ -120,10 +120,10 @@ index 01f1f7f..ea92ea8 100644 | |||
120 | connections will die if the route is down temporarily, and some people | 120 | connections will die if the route is down temporarily, and some people |
121 | find it annoying. | 121 | find it annoying. |
122 | diff --git a/sshd_config.5 b/sshd_config.5 | 122 | diff --git a/sshd_config.5 b/sshd_config.5 |
123 | index c8b43da..2843048 100644 | 123 | index 0331496..d14576e 100644 |
124 | --- a/sshd_config.5 | 124 | --- a/sshd_config.5 |
125 | +++ b/sshd_config.5 | 125 | +++ b/sshd_config.5 |
126 | @@ -1307,6 +1307,9 @@ This avoids infinitely hanging sessions. | 126 | @@ -1392,6 +1392,9 @@ This avoids infinitely hanging sessions. |
127 | .Pp | 127 | .Pp |
128 | To disable TCP keepalive messages, the value should be set to | 128 | To disable TCP keepalive messages, the value should be set to |
129 | .Dq no . | 129 | .Dq no . |
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch index 81b924e35..7aa035726 100644 --- a/debian/patches/lintian-symlink-pickiness.patch +++ b/debian/patches/lintian-symlink-pickiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 248d3bb8de371b55aaf3a8f544c15f3a25eb7339 Mon Sep 17 00:00:00 2001 | 1 | From 90fc009420a03c598d6f003df5466191ab4d12b2 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:08 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:08 +0000 |
4 | Subject: Fix picky lintian errors about slogin symlinks | 4 | Subject: Fix picky lintian errors about slogin symlinks |
@@ -15,10 +15,10 @@ Patch-Name: lintian-symlink-pickiness.patch | |||
15 | 1 file changed, 2 insertions(+), 2 deletions(-) | 15 | 1 file changed, 2 insertions(+), 2 deletions(-) |
16 | 16 | ||
17 | diff --git a/Makefile.in b/Makefile.in | 17 | diff --git a/Makefile.in b/Makefile.in |
18 | index a4402e9..4eab574 100644 | 18 | index 37cb023..f52f903 100644 |
19 | --- a/Makefile.in | 19 | --- a/Makefile.in |
20 | +++ b/Makefile.in | 20 | +++ b/Makefile.in |
21 | @@ -315,9 +315,9 @@ install-files: | 21 | @@ -331,9 +331,9 @@ install-files: |
22 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 22 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
23 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 23 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
24 | -rm -f $(DESTDIR)$(bindir)/slogin | 24 | -rm -f $(DESTDIR)$(bindir)/slogin |
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch index f90c7e2b1..127ed9f9e 100644 --- a/debian/patches/mention-ssh-keygen-on-keychange.patch +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 064453886f4c3d8ac0b0c8d015ad614c8bce3b42 Mon Sep 17 00:00:00 2001 | 1 | From aedcf9cb37f512b929ce895ba1fccc9ca39166b0 Mon Sep 17 00:00:00 2001 |
2 | From: Scott Moser <smoser@ubuntu.com> | 2 | From: Scott Moser <smoser@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 |
4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning | 4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning |
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch | |||
13 | 1 file changed, 6 insertions(+), 1 deletion(-) | 13 | 1 file changed, 6 insertions(+), 1 deletion(-) |
14 | 14 | ||
15 | diff --git a/sshconnect.c b/sshconnect.c | 15 | diff --git a/sshconnect.c b/sshconnect.c |
16 | index 26116d2..ab83d0c 100644 | 16 | index 0073c6e..6065dff 100644 |
17 | --- a/sshconnect.c | 17 | --- a/sshconnect.c |
18 | +++ b/sshconnect.c | 18 | +++ b/sshconnect.c |
19 | @@ -1066,9 +1066,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 19 | @@ -1078,9 +1078,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
20 | error("%s. This could either mean that", key_msg); | 20 | error("%s. This could either mean that", key_msg); |
21 | error("DNS SPOOFING is happening or the IP address for the host"); | 21 | error("DNS SPOOFING is happening or the IP address for the host"); |
22 | error("and its host key have changed at the same time."); | 22 | error("and its host key have changed at the same time."); |
@@ -30,7 +30,7 @@ index 26116d2..ab83d0c 100644 | |||
30 | } | 30 | } |
31 | /* The host key has changed. */ | 31 | /* The host key has changed. */ |
32 | warn_changed_key(host_key); | 32 | warn_changed_key(host_key); |
33 | @@ -1076,6 +1079,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 33 | @@ -1088,6 +1091,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
34 | user_hostfiles[0]); | 34 | user_hostfiles[0]); |
35 | error("Offending %s key in %s:%lu", key_type(host_found->key), | 35 | error("Offending %s key in %s:%lu", key_type(host_found->key), |
36 | host_found->file, host_found->line); | 36 | host_found->file, host_found->line); |
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch index dfcef83b0..f4d8bca66 100644 --- a/debian/patches/no-openssl-version-status.patch +++ b/debian/patches/no-openssl-version-status.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 37fd625165d0df302e441d9cad9bcc742378eef5 Mon Sep 17 00:00:00 2001 | 1 | From 6b85aa42144010401906754b98f9876651669163 Mon Sep 17 00:00:00 2001 |
2 | From: Kurt Roeckx <kurt@roeckx.be> | 2 | From: Kurt Roeckx <kurt@roeckx.be> |
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 |
4 | Subject: Don't check the status field of the OpenSSL version | 4 | Subject: Don't check the status field of the OpenSSL version |
@@ -23,10 +23,10 @@ Patch-Name: no-openssl-version-status.patch | |||
23 | 2 files changed, 4 insertions(+), 3 deletions(-) | 23 | 2 files changed, 4 insertions(+), 3 deletions(-) |
24 | 24 | ||
25 | diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c | 25 | diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c |
26 | index 36570e4..defd5fb 100644 | 26 | index 63a660c..3f62403 100644 |
27 | --- a/openbsd-compat/openssl-compat.c | 27 | --- a/openbsd-compat/openssl-compat.c |
28 | +++ b/openbsd-compat/openssl-compat.c | 28 | +++ b/openbsd-compat/openssl-compat.c |
29 | @@ -34,7 +34,7 @@ | 29 | @@ -36,7 +36,7 @@ |
30 | /* | 30 | /* |
31 | * OpenSSL version numbers: MNNFFPPS: major minor fix patch status | 31 | * OpenSSL version numbers: MNNFFPPS: major minor fix patch status |
32 | * We match major, minor, fix and status (not patch) for <1.0.0. | 32 | * We match major, minor, fix and status (not patch) for <1.0.0. |
@@ -35,7 +35,7 @@ index 36570e4..defd5fb 100644 | |||
35 | * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed | 35 | * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed |
36 | * within a patch series. | 36 | * within a patch series. |
37 | */ | 37 | */ |
38 | @@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver) | 38 | @@ -57,10 +57,10 @@ ssh_compatible_openssl(long headerver, long libver) |
39 | } | 39 | } |
40 | 40 | ||
41 | /* | 41 | /* |
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index 37ad675d4..f5b96f4a1 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0b9407d3023938b02bccf7dd1874a871d0cc8eb5 Mon Sep 17 00:00:00 2001 | 1 | From 96c2797aaa79d687e75dc56f40f7102131d87fb1 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
@@ -44,10 +44,10 @@ index ef0de08..149846c 100644 | |||
44 | .Sh SEE ALSO | 44 | .Sh SEE ALSO |
45 | .Xr ssh-keygen 1 , | 45 | .Xr ssh-keygen 1 , |
46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 | 46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 |
47 | index 723a016..79b948c 100644 | 47 | index 9b93666..19bed1e 100644 |
48 | --- a/ssh-keygen.1 | 48 | --- a/ssh-keygen.1 |
49 | +++ b/ssh-keygen.1 | 49 | +++ b/ssh-keygen.1 |
50 | @@ -172,9 +172,7 @@ key in | 50 | @@ -174,9 +174,7 @@ key in |
51 | .Pa ~/.ssh/id_ed25519 | 51 | .Pa ~/.ssh/id_ed25519 |
52 | or | 52 | or |
53 | .Pa ~/.ssh/id_rsa . | 53 | .Pa ~/.ssh/id_rsa . |
@@ -58,7 +58,7 @@ index 723a016..79b948c 100644 | |||
58 | .Pp | 58 | .Pp |
59 | Normally this program generates the key and asks for a file in which | 59 | Normally this program generates the key and asks for a file in which |
60 | to store the private key. | 60 | to store the private key. |
61 | @@ -221,9 +219,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) | 61 | @@ -223,9 +221,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) |
62 | for which host keys | 62 | for which host keys |
63 | do not exist, generate the host keys with the default key file path, | 63 | do not exist, generate the host keys with the default key file path, |
64 | an empty passphrase, default bits for the key type, and default comment. | 64 | an empty passphrase, default bits for the key type, and default comment. |
@@ -69,7 +69,7 @@ index 723a016..79b948c 100644 | |||
69 | .It Fl a Ar rounds | 69 | .It Fl a Ar rounds |
70 | When saving a new-format private key (i.e. an ed25519 key or any SSH protocol | 70 | When saving a new-format private key (i.e. an ed25519 key or any SSH protocol |
71 | 2 key when the | 71 | 2 key when the |
72 | @@ -628,7 +624,7 @@ option. | 72 | @@ -638,7 +634,7 @@ option. |
73 | Valid generator values are 2, 3, and 5. | 73 | Valid generator values are 2, 3, and 5. |
74 | .Pp | 74 | .Pp |
75 | Screened DH groups may be installed in | 75 | Screened DH groups may be installed in |
@@ -78,7 +78,7 @@ index 723a016..79b948c 100644 | |||
78 | It is important that this file contains moduli of a range of bit lengths and | 78 | It is important that this file contains moduli of a range of bit lengths and |
79 | that both ends of a connection share common moduli. | 79 | that both ends of a connection share common moduli. |
80 | .Sh CERTIFICATES | 80 | .Sh CERTIFICATES |
81 | @@ -827,7 +823,7 @@ on all machines | 81 | @@ -837,7 +833,7 @@ on all machines |
82 | where the user wishes to log in using public key authentication. | 82 | where the user wishes to log in using public key authentication. |
83 | There is no need to keep the contents of this file secret. | 83 | There is no need to keep the contents of this file secret. |
84 | .Pp | 84 | .Pp |
@@ -88,10 +88,10 @@ index 723a016..79b948c 100644 | |||
88 | The file format is described in | 88 | The file format is described in |
89 | .Xr moduli 5 . | 89 | .Xr moduli 5 . |
90 | diff --git a/ssh.1 b/ssh.1 | 90 | diff --git a/ssh.1 b/ssh.1 |
91 | index 7f6ab77..de178cd 100644 | 91 | index 53c711a..04de6cf 100644 |
92 | --- a/ssh.1 | 92 | --- a/ssh.1 |
93 | +++ b/ssh.1 | 93 | +++ b/ssh.1 |
94 | @@ -753,6 +753,10 @@ Protocol 1 is restricted to using only RSA keys, | 94 | @@ -766,6 +766,10 @@ Protocol 1 is restricted to using only RSA keys, |
95 | but protocol 2 may use any. | 95 | but protocol 2 may use any. |
96 | The HISTORY section of | 96 | The HISTORY section of |
97 | .Xr ssl 8 | 97 | .Xr ssl 8 |
@@ -103,7 +103,7 @@ index 7f6ab77..de178cd 100644 | |||
103 | .Pp | 103 | .Pp |
104 | The file | 104 | The file |
105 | diff --git a/sshd.8 b/sshd.8 | 105 | diff --git a/sshd.8 b/sshd.8 |
106 | index eaeac45..3538208 100644 | 106 | index fc2154c..8dba6cf 100644 |
107 | --- a/sshd.8 | 107 | --- a/sshd.8 |
108 | +++ b/sshd.8 | 108 | +++ b/sshd.8 |
109 | @@ -67,7 +67,7 @@ over an insecure network. | 109 | @@ -67,7 +67,7 @@ over an insecure network. |
@@ -133,10 +133,10 @@ index eaeac45..3538208 100644 | |||
133 | .Xr sshd_config 5 , | 133 | .Xr sshd_config 5 , |
134 | .Xr inetd 8 , | 134 | .Xr inetd 8 , |
135 | diff --git a/sshd_config.5 b/sshd_config.5 | 135 | diff --git a/sshd_config.5 b/sshd_config.5 |
136 | index 58997d3..7396b23 100644 | 136 | index ec58635..453d741 100644 |
137 | --- a/sshd_config.5 | 137 | --- a/sshd_config.5 |
138 | +++ b/sshd_config.5 | 138 | +++ b/sshd_config.5 |
139 | @@ -303,8 +303,7 @@ This option is only available for protocol version 2. | 139 | @@ -322,8 +322,7 @@ This option is only available for protocol version 2. |
140 | By default, no banner is displayed. | 140 | By default, no banner is displayed. |
141 | .It Cm ChallengeResponseAuthentication | 141 | .It Cm ChallengeResponseAuthentication |
142 | Specifies whether challenge-response authentication is allowed (e.g. via | 142 | Specifies whether challenge-response authentication is allowed (e.g. via |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index 07a28af9a..11674a915 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8679c96f74ee7dbea6c15c764b036fbab7372740 Mon Sep 17 00:00:00 2001 | 1 | From 9f6aded97671ee8b9164f0524b3ac622d827dcde Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch | |||
19 | 3 files changed, 9 insertions(+), 4 deletions(-) | 19 | 3 files changed, 9 insertions(+), 4 deletions(-) |
20 | 20 | ||
21 | diff --git a/sshconnect.c b/sshconnect.c | 21 | diff --git a/sshconnect.c b/sshconnect.c |
22 | index ab83d0c..563405e 100644 | 22 | index 6065dff..a6c9e20 100644 |
23 | --- a/sshconnect.c | 23 | --- a/sshconnect.c |
24 | +++ b/sshconnect.c | 24 | +++ b/sshconnect.c |
25 | @@ -521,10 +521,10 @@ send_client_banner(int connection_out, int minor1) | 25 | @@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1) |
26 | /* Send our own protocol version identification. */ | 26 | /* Send our own protocol version identification. */ |
27 | if (compat20) { | 27 | if (compat20) { |
28 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", | 28 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", |
@@ -36,10 +36,10 @@ index ab83d0c..563405e 100644 | |||
36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, | 36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, |
37 | strlen(client_version_string)) != strlen(client_version_string)) | 37 | strlen(client_version_string)) != strlen(client_version_string)) |
38 | diff --git a/sshd.c b/sshd.c | 38 | diff --git a/sshd.c b/sshd.c |
39 | index 48a14dd..1710e71 100644 | 39 | index 3b4e97c..c362209 100644 |
40 | --- a/sshd.c | 40 | --- a/sshd.c |
41 | +++ b/sshd.c | 41 | +++ b/sshd.c |
42 | @@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out) | 42 | @@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out) |
43 | } | 43 | } |
44 | 44 | ||
45 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 45 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
@@ -49,11 +49,11 @@ index 48a14dd..1710e71 100644 | |||
49 | options.version_addendum, newline); | 49 | options.version_addendum, newline); |
50 | 50 | ||
51 | diff --git a/version.h b/version.h | 51 | diff --git a/version.h b/version.h |
52 | index cc8a079..0fee7c3 100644 | 52 | index dfe3ee9..94569ac 100644 |
53 | --- a/version.h | 53 | --- a/version.h |
54 | +++ b/version.h | 54 | +++ b/version.h |
55 | @@ -3,4 +3,9 @@ | 55 | @@ -3,4 +3,9 @@ |
56 | #define SSH_VERSION "OpenSSH_6.7" | 56 | #define SSH_VERSION "OpenSSH_6.8" |
57 | 57 | ||
58 | #define SSH_PORTABLE "p1" | 58 | #define SSH_PORTABLE "p1" |
59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index 6d9a2f9c0..ff16b9850 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From dc028c5992b4b14cca380b6ad2115fcc6907a8b7 Mon Sep 17 00:00:00 2001 | 1 | From 34592a434851697537873eed1eb83ba0a640c5c8 Mon Sep 17 00:00:00 2001 |
2 | From: Peter Samuelson <peter@p12n.org> | 2 | From: Peter Samuelson <peter@p12n.org> |
3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 |
4 | Subject: Reduce severity of "Killed by signal %d" | 4 | Subject: Reduce severity of "Killed by signal %d" |
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch | |||
22 | 1 file changed, 4 insertions(+), 2 deletions(-) | 22 | 1 file changed, 4 insertions(+), 2 deletions(-) |
23 | 23 | ||
24 | diff --git a/clientloop.c b/clientloop.c | 24 | diff --git a/clientloop.c b/clientloop.c |
25 | index 046ca8b..0180774 100644 | 25 | index 156a196..45cef88 100644 |
26 | --- a/clientloop.c | 26 | --- a/clientloop.c |
27 | +++ b/clientloop.c | 27 | +++ b/clientloop.c |
28 | @@ -1705,8 +1705,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 28 | @@ -1707,8 +1707,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
29 | exit_status = 0; | 29 | exit_status = 0; |
30 | } | 30 | } |
31 | 31 | ||
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch index c590f52ce..c9da26f7d 100644 --- a/debian/patches/restore-tcp-wrappers.patch +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a Mon Sep 17 00:00:00 2001 | 1 | From 7df209aed8ded9a6cab34e704576998786bdc890 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | 3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 |
4 | Subject: Restore TCP wrappers support | 4 | Subject: Restore TCP wrappers support |
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch | |||
28 | 3 files changed, 89 insertions(+) | 28 | 3 files changed, 89 insertions(+) |
29 | 29 | ||
30 | diff --git a/configure.ac b/configure.ac | 30 | diff --git a/configure.ac b/configure.ac |
31 | index 90e81e1..7f160f1 100644 | 31 | index 216a9fd..5f606ea 100644 |
32 | --- a/configure.ac | 32 | --- a/configure.ac |
33 | +++ b/configure.ac | 33 | +++ b/configure.ac |
34 | @@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey], | 34 | @@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey], |
35 | ] | 35 | ] |
36 | ) | 36 | ) |
37 | 37 | ||
@@ -94,7 +94,7 @@ index 90e81e1..7f160f1 100644 | |||
94 | # Check whether user wants to use ldns | 94 | # Check whether user wants to use ldns |
95 | LDNS_MSG="no" | 95 | LDNS_MSG="no" |
96 | AC_ARG_WITH(ldns, | 96 | AC_ARG_WITH(ldns, |
97 | @@ -4853,6 +4909,7 @@ echo " KerberosV support: $KRB5_MSG" | 97 | @@ -4920,6 +4976,7 @@ echo " KerberosV support: $KRB5_MSG" |
98 | echo " SELinux support: $SELINUX_MSG" | 98 | echo " SELinux support: $SELINUX_MSG" |
99 | echo " Smartcard support: $SCARD_MSG" | 99 | echo " Smartcard support: $SCARD_MSG" |
100 | echo " S/KEY support: $SKEY_MSG" | 100 | echo " S/KEY support: $SKEY_MSG" |
@@ -103,7 +103,7 @@ index 90e81e1..7f160f1 100644 | |||
103 | echo " libedit support: $LIBEDIT_MSG" | 103 | echo " libedit support: $LIBEDIT_MSG" |
104 | echo " Solaris process contract support: $SPC_MSG" | 104 | echo " Solaris process contract support: $SPC_MSG" |
105 | diff --git a/sshd.8 b/sshd.8 | 105 | diff --git a/sshd.8 b/sshd.8 |
106 | index 01459d6..eaeac45 100644 | 106 | index 3c53f7c..fc2154c 100644 |
107 | --- a/sshd.8 | 107 | --- a/sshd.8 |
108 | +++ b/sshd.8 | 108 | +++ b/sshd.8 |
109 | @@ -851,6 +851,12 @@ the user's home directory becomes accessible. | 109 | @@ -851,6 +851,12 @@ the user's home directory becomes accessible. |
@@ -128,10 +128,10 @@ index 01459d6..eaeac45 100644 | |||
128 | .Xr moduli 5 , | 128 | .Xr moduli 5 , |
129 | .Xr sshd_config 5 , | 129 | .Xr sshd_config 5 , |
130 | diff --git a/sshd.c b/sshd.c | 130 | diff --git a/sshd.c b/sshd.c |
131 | index e6706a8..3a6be65 100644 | 131 | index cf38bae..9cbe8c4 100644 |
132 | --- a/sshd.c | 132 | --- a/sshd.c |
133 | +++ b/sshd.c | 133 | +++ b/sshd.c |
134 | @@ -127,6 +127,13 @@ | 134 | @@ -129,6 +129,13 @@ |
135 | #include <Security/AuthSession.h> | 135 | #include <Security/AuthSession.h> |
136 | #endif | 136 | #endif |
137 | 137 | ||
@@ -145,7 +145,7 @@ index e6706a8..3a6be65 100644 | |||
145 | #ifndef O_NOCTTY | 145 | #ifndef O_NOCTTY |
146 | #define O_NOCTTY 0 | 146 | #define O_NOCTTY 0 |
147 | #endif | 147 | #endif |
148 | @@ -2061,6 +2068,24 @@ main(int ac, char **av) | 148 | @@ -2133,6 +2140,24 @@ main(int ac, char **av) |
149 | #ifdef SSH_AUDIT_EVENTS | 149 | #ifdef SSH_AUDIT_EVENTS |
150 | audit_connection_from(remote_ip, remote_port); | 150 | audit_connection_from(remote_ip, remote_port); |
151 | #endif | 151 | #endif |
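Review bot: The refresh moves the libwrap hunk in sshd.c main() from 2061 to 2133 but keeps its anchor directly after `audit_connection_from(remote_ip, remote_port);`, so the hosts_access() check presumably still runs in the freshly forked, root-owned per-connection child before the version exchange and before privilege separation; the 18 added lines are not visible here, so confirm that the refreshed hunk still applies at that point and not later in main(). That placement is the security trade-off of restoring this feature: hosts.allow/hosts.deny parsing and, depending on how those files are written, reverse-DNS or ident lookups happen with full privilege on unauthenticated input, which is a larger pre-auth attack surface than an equivalent firewall rule on the same port. The patch header (lines 5-27, outside this hunk) should record that explicitly, e.g. `Note: the libwrap check runs as root in the pre-auth child; prefer firewall rules where possible and keep hosts.allow/hosts.deny minimal.` main() starts and ends outside the hunk.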
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index ee006da93..52e709112 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From fd174c13c46191abdb33c0a45545573a8e06b061 Mon Sep 17 00:00:00 2001 | 1 | From 4f55e60d2296feba17b473b2146a75debe29993a Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
@@ -17,10 +17,10 @@ Patch-Name: scp-quoting.patch | |||
17 | 1 file changed, 10 insertions(+), 2 deletions(-) | 17 | 1 file changed, 10 insertions(+), 2 deletions(-) |
18 | 18 | ||
19 | diff --git a/scp.c b/scp.c | 19 | diff --git a/scp.c b/scp.c |
20 | index 1ec3b70..a1b318b 100644 | 20 | index 887b014..afa4a2f 100644 |
21 | --- a/scp.c | 21 | --- a/scp.c |
22 | +++ b/scp.c | 22 | +++ b/scp.c |
23 | @@ -189,8 +189,16 @@ do_local_cmd(arglist *a) | 23 | @@ -190,8 +190,16 @@ do_local_cmd(arglist *a) |
24 | 24 | ||
25 | if (verbose_mode) { | 25 | if (verbose_mode) { |
26 | fprintf(stderr, "Executing:"); | 26 | fprintf(stderr, "Executing:"); |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 1fa0bf928..da53671e3 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c9638aa44d787849cea1ae273f0908c6313fd19b Mon Sep 17 00:00:00 2001 | 1 | From b9e97e15e25e4c836cb550213e3ee59b19096f9d Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better. | |||
9 | 9 | ||
10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 | 10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 |
11 | Bug-Debian: http://bugs.debian.org/394795 | 11 | Bug-Debian: http://bugs.debian.org/394795 |
12 | Last-Update: 2013-09-14 | 12 | Last-Update: 2015-08-19 |
13 | 13 | ||
14 | Patch-Name: selinux-role.patch | 14 | Patch-Name: selinux-role.patch |
15 | --- | 15 | --- |
@@ -32,10 +32,10 @@ Patch-Name: selinux-role.patch | |||
32 | 16 files changed, 104 insertions(+), 31 deletions(-) | 32 | 16 files changed, 104 insertions(+), 31 deletions(-) |
33 | 33 | ||
34 | diff --git a/auth.h b/auth.h | 34 | diff --git a/auth.h b/auth.h |
35 | index d081c94..f099e98 100644 | 35 | index db86037..4985cd8 100644 |
36 | --- a/auth.h | 36 | --- a/auth.h |
37 | +++ b/auth.h | 37 | +++ b/auth.h |
38 | @@ -59,6 +59,7 @@ struct Authctxt { | 38 | @@ -62,6 +62,7 @@ struct Authctxt { |
39 | char *service; | 39 | char *service; |
40 | struct passwd *pw; /* set if 'valid' */ | 40 | struct passwd *pw; /* set if 'valid' */ |
41 | char *style; | 41 | char *style; |
@@ -44,10 +44,10 @@ index d081c94..f099e98 100644 | |||
44 | char *info; /* Extra info for next auth_log */ | 44 | char *info; /* Extra info for next auth_log */ |
45 | #ifdef BSD_AUTH | 45 | #ifdef BSD_AUTH |
46 | diff --git a/auth1.c b/auth1.c | 46 | diff --git a/auth1.c b/auth1.c |
47 | index 5038828..52b17db 100644 | 47 | index 5073c49..dd00648 100644 |
48 | --- a/auth1.c | 48 | --- a/auth1.c |
49 | +++ b/auth1.c | 49 | +++ b/auth1.c |
50 | @@ -381,7 +381,7 @@ void | 50 | @@ -383,7 +383,7 @@ void |
51 | do_authentication(Authctxt *authctxt) | 51 | do_authentication(Authctxt *authctxt) |
52 | { | 52 | { |
53 | u_int ulen; | 53 | u_int ulen; |
@@ -56,7 +56,7 @@ index 5038828..52b17db 100644 | |||
56 | 56 | ||
57 | /* Get the name of the user that we wish to log in as. */ | 57 | /* Get the name of the user that we wish to log in as. */ |
58 | packet_read_expect(SSH_CMSG_USER); | 58 | packet_read_expect(SSH_CMSG_USER); |
59 | @@ -390,11 +390,17 @@ do_authentication(Authctxt *authctxt) | 59 | @@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt) |
60 | user = packet_get_cstring(&ulen); | 60 | user = packet_get_cstring(&ulen); |
61 | packet_check_eom(); | 61 | packet_check_eom(); |
62 | 62 | ||
@@ -75,10 +75,10 @@ index 5038828..52b17db 100644 | |||
75 | /* Verify that the user is a valid user. */ | 75 | /* Verify that the user is a valid user. */ |
76 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | 76 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
77 | diff --git a/auth2.c b/auth2.c | 77 | diff --git a/auth2.c b/auth2.c |
78 | index 2f0d565..fa1a588 100644 | 78 | index 3f49bdc..6eb3cc7 100644 |
79 | --- a/auth2.c | 79 | --- a/auth2.c |
80 | +++ b/auth2.c | 80 | +++ b/auth2.c |
81 | @@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 81 | @@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
82 | { | 82 | { |
83 | Authctxt *authctxt = ctxt; | 83 | Authctxt *authctxt = ctxt; |
84 | Authmethod *m = NULL; | 84 | Authmethod *m = NULL; |
@@ -87,7 +87,7 @@ index 2f0d565..fa1a588 100644 | |||
87 | int authenticated = 0; | 87 | int authenticated = 0; |
88 | 88 | ||
89 | if (authctxt == NULL) | 89 | if (authctxt == NULL) |
90 | @@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 90 | @@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
91 | debug("userauth-request for user %s service %s method %s", user, service, method); | 91 | debug("userauth-request for user %s service %s method %s", user, service, method); |
92 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 92 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
93 | 93 | ||
@@ -101,7 +101,7 @@ index 2f0d565..fa1a588 100644 | |||
101 | 101 | ||
102 | if (authctxt->attempt++ == 0) { | 102 | if (authctxt->attempt++ == 0) { |
103 | /* setup auth context */ | 103 | /* setup auth context */ |
104 | @@ -254,8 +259,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 104 | @@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
105 | use_privsep ? " [net]" : ""); | 105 | use_privsep ? " [net]" : ""); |
106 | authctxt->service = xstrdup(service); | 106 | authctxt->service = xstrdup(service); |
107 | authctxt->style = style ? xstrdup(style) : NULL; | 107 | authctxt->style = style ? xstrdup(style) : NULL; |
@@ -113,10 +113,10 @@ index 2f0d565..fa1a588 100644 | |||
113 | if (auth2_setup_methods_lists(authctxt) != 0) | 113 | if (auth2_setup_methods_lists(authctxt) != 0) |
114 | packet_disconnect("no authentication methods enabled"); | 114 | packet_disconnect("no authentication methods enabled"); |
115 | diff --git a/monitor.c b/monitor.c | 115 | diff --git a/monitor.c b/monitor.c |
116 | index b0896ef..94b194d 100644 | 116 | index a2027e5..6ff05e4 100644 |
117 | --- a/monitor.c | 117 | --- a/monitor.c |
118 | +++ b/monitor.c | 118 | +++ b/monitor.c |
119 | @@ -148,6 +148,7 @@ int mm_answer_sign(int, Buffer *); | 119 | @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); |
120 | int mm_answer_pwnamallow(int, Buffer *); | 120 | int mm_answer_pwnamallow(int, Buffer *); |
121 | int mm_answer_auth2_read_banner(int, Buffer *); | 121 | int mm_answer_auth2_read_banner(int, Buffer *); |
122 | int mm_answer_authserv(int, Buffer *); | 122 | int mm_answer_authserv(int, Buffer *); |
@@ -124,7 +124,7 @@ index b0896ef..94b194d 100644 | |||
124 | int mm_answer_authpassword(int, Buffer *); | 124 | int mm_answer_authpassword(int, Buffer *); |
125 | int mm_answer_bsdauthquery(int, Buffer *); | 125 | int mm_answer_bsdauthquery(int, Buffer *); |
126 | int mm_answer_bsdauthrespond(int, Buffer *); | 126 | int mm_answer_bsdauthrespond(int, Buffer *); |
127 | @@ -229,6 +230,7 @@ struct mon_table mon_dispatch_proto20[] = { | 127 | @@ -208,6 +209,7 @@ struct mon_table mon_dispatch_proto20[] = { |
128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -132,7 +132,7 @@ index b0896ef..94b194d 100644 | |||
132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
134 | #ifdef USE_PAM | 134 | #ifdef USE_PAM |
135 | @@ -841,6 +843,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) | 135 | @@ -879,6 +881,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) |
136 | else { | 136 | else { |
137 | /* Allow service/style information on the auth context */ | 137 | /* Allow service/style information on the auth context */ |
138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -140,7 +140,7 @@ index b0896ef..94b194d 100644 | |||
140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
141 | } | 141 | } |
142 | #ifdef USE_PAM | 142 | #ifdef USE_PAM |
143 | @@ -871,14 +874,37 @@ mm_answer_authserv(int sock, Buffer *m) | 143 | @@ -909,14 +912,37 @@ mm_answer_authserv(int sock, Buffer *m) |
144 | 144 | ||
145 | authctxt->service = buffer_get_string(m, NULL); | 145 | authctxt->service = buffer_get_string(m, NULL); |
146 | authctxt->style = buffer_get_string(m, NULL); | 146 | authctxt->style = buffer_get_string(m, NULL); |
@@ -180,7 +180,7 @@ index b0896ef..94b194d 100644 | |||
180 | return (0); | 180 | return (0); |
181 | } | 181 | } |
182 | 182 | ||
183 | @@ -1485,7 +1511,7 @@ mm_answer_pty(int sock, Buffer *m) | 183 | @@ -1540,7 +1566,7 @@ mm_answer_pty(int sock, Buffer *m) |
184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
185 | if (res == 0) | 185 | if (res == 0) |
186 | goto error; | 186 | goto error; |
@@ -190,7 +190,7 @@ index b0896ef..94b194d 100644 | |||
190 | buffer_put_int(m, 1); | 190 | buffer_put_int(m, 1); |
191 | buffer_put_cstring(m, s->tty); | 191 | buffer_put_cstring(m, s->tty); |
192 | diff --git a/monitor.h b/monitor.h | 192 | diff --git a/monitor.h b/monitor.h |
193 | index 7f32b0c..4d5e8fa 100644 | 193 | index bc50ade..2d82b8b 100644 |
194 | --- a/monitor.h | 194 | --- a/monitor.h |
195 | +++ b/monitor.h | 195 | +++ b/monitor.h |
196 | @@ -68,6 +68,8 @@ enum monitor_reqtype { | 196 | @@ -68,6 +68,8 @@ enum monitor_reqtype { |
@@ -203,10 +203,10 @@ index 7f32b0c..4d5e8fa 100644 | |||
203 | 203 | ||
204 | struct mm_master; | 204 | struct mm_master; |
205 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 205 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
206 | index e476f0d..6dc890a 100644 | 206 | index b667218..5aa9c47 100644 |
207 | --- a/monitor_wrap.c | 207 | --- a/monitor_wrap.c |
208 | +++ b/monitor_wrap.c | 208 | +++ b/monitor_wrap.c |
209 | @@ -324,10 +324,10 @@ mm_auth2_read_banner(void) | 209 | @@ -329,10 +329,10 @@ mm_auth2_read_banner(void) |
210 | return (banner); | 210 | return (banner); |
211 | } | 211 | } |
212 | 212 | ||
@@ -219,7 +219,7 @@ index e476f0d..6dc890a 100644 | |||
219 | { | 219 | { |
220 | Buffer m; | 220 | Buffer m; |
221 | 221 | ||
222 | @@ -336,12 +336,30 @@ mm_inform_authserv(char *service, char *style) | 222 | @@ -341,12 +341,30 @@ mm_inform_authserv(char *service, char *style) |
223 | buffer_init(&m); | 223 | buffer_init(&m); |
224 | buffer_put_cstring(&m, service); | 224 | buffer_put_cstring(&m, service); |
225 | buffer_put_cstring(&m, style ? style : ""); | 225 | buffer_put_cstring(&m, style ? style : ""); |
@@ -251,13 +251,13 @@ index e476f0d..6dc890a 100644 | |||
251 | int | 251 | int |
252 | mm_auth_password(Authctxt *authctxt, char *password) | 252 | mm_auth_password(Authctxt *authctxt, char *password) |
253 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 253 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
254 | index a4e9d24..9c2ee49 100644 | 254 | index 0c770e8..4d1e899 100644 |
255 | --- a/monitor_wrap.h | 255 | --- a/monitor_wrap.h |
256 | +++ b/monitor_wrap.h | 256 | +++ b/monitor_wrap.h |
257 | @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); | 257 | @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); |
258 | int mm_is_monitor(void); | 258 | int mm_is_monitor(void); |
259 | DH *mm_choose_dh(int, int, int); | 259 | DH *mm_choose_dh(int, int, int); |
260 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); | 260 | int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int); |
261 | -void mm_inform_authserv(char *, char *); | 261 | -void mm_inform_authserv(char *, char *); |
262 | +void mm_inform_authserv(char *, char *, char *); | 262 | +void mm_inform_authserv(char *, char *, char *); |
263 | +void mm_inform_authrole(char *); | 263 | +void mm_inform_authrole(char *); |
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644 | |||
396 | char *platform_krb5_get_principal_name(const char *); | 396 | char *platform_krb5_get_principal_name(const char *); |
397 | int platform_sys_dir_uid(uid_t); | 397 | int platform_sys_dir_uid(uid_t); |
398 | diff --git a/session.c b/session.c | 398 | diff --git a/session.c b/session.c |
399 | index 3e96557..6f389ac 100644 | 399 | index 54bac36..d4b7725 100644 |
400 | --- a/session.c | 400 | --- a/session.c |
401 | +++ b/session.c | 401 | +++ b/session.c |
402 | @@ -1486,7 +1486,7 @@ safely_chroot(const char *path, uid_t uid) | 402 | @@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid) |
403 | 403 | ||
404 | /* Set login name, uid, gid, and groups. */ | 404 | /* Set login name, uid, gid, and groups. */ |
405 | void | 405 | void |
@@ -408,7 +408,7 @@ index 3e96557..6f389ac 100644 | |||
408 | { | 408 | { |
409 | char *chroot_path, *tmp; | 409 | char *chroot_path, *tmp; |
410 | #ifdef USE_LIBIAF | 410 | #ifdef USE_LIBIAF |
411 | @@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw) | 411 | @@ -1518,7 +1518,7 @@ do_setusercontext(struct passwd *pw) |
412 | endgrent(); | 412 | endgrent(); |
413 | #endif | 413 | #endif |
414 | 414 | ||
@@ -417,7 +417,7 @@ index 3e96557..6f389ac 100644 | |||
417 | 417 | ||
418 | if (options.chroot_directory != NULL && | 418 | if (options.chroot_directory != NULL && |
419 | strcasecmp(options.chroot_directory, "none") != 0) { | 419 | strcasecmp(options.chroot_directory, "none") != 0) { |
420 | @@ -1676,7 +1676,7 @@ do_child(Session *s, const char *command) | 420 | @@ -1677,7 +1677,7 @@ do_child(Session *s, const char *command) |
421 | 421 | ||
422 | /* Force a password change */ | 422 | /* Force a password change */ |
423 | if (s->authctxt->force_pwchange) { | 423 | if (s->authctxt->force_pwchange) { |
@@ -426,7 +426,7 @@ index 3e96557..6f389ac 100644 | |||
426 | child_close_fds(); | 426 | child_close_fds(); |
427 | do_pwchange(s); | 427 | do_pwchange(s); |
428 | exit(1); | 428 | exit(1); |
429 | @@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command) | 429 | @@ -1704,7 +1704,7 @@ do_child(Session *s, const char *command) |
430 | /* When PAM is enabled we rely on it to do the nologin check */ | 430 | /* When PAM is enabled we rely on it to do the nologin check */ |
431 | if (!options.use_pam) | 431 | if (!options.use_pam) |
432 | do_nologin(pw); | 432 | do_nologin(pw); |
@@ -435,7 +435,7 @@ index 3e96557..6f389ac 100644 | |||
435 | /* | 435 | /* |
436 | * PAM session modules in do_setusercontext may have | 436 | * PAM session modules in do_setusercontext may have |
437 | * generated messages, so if this in an interactive | 437 | * generated messages, so if this in an interactive |
438 | @@ -2114,7 +2114,7 @@ session_pty_req(Session *s) | 438 | @@ -2115,7 +2115,7 @@ session_pty_req(Session *s) |
439 | tty_parse_modes(s->ttyfd, &n_bytes); | 439 | tty_parse_modes(s->ttyfd, &n_bytes); |
440 | 440 | ||
441 | if (!use_privsep) | 441 | if (!use_privsep) |
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644 | |||
458 | const char *value); | 458 | const char *value); |
459 | 459 | ||
460 | diff --git a/sshd.c b/sshd.c | 460 | diff --git a/sshd.c b/sshd.c |
461 | index 3a6be65..48a14dd 100644 | 461 | index 9cbe8c4..3b4e97c 100644 |
462 | --- a/sshd.c | 462 | --- a/sshd.c |
463 | +++ b/sshd.c | 463 | +++ b/sshd.c |
464 | @@ -772,7 +772,7 @@ privsep_postauth(Authctxt *authctxt) | 464 | @@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt) |
465 | explicit_bzero(rnd, sizeof(rnd)); | 465 | explicit_bzero(rnd, sizeof(rnd)); |
466 | 466 | ||
467 | /* Drop privileges */ | 467 | /* Drop privileges */ |
@@ -471,7 +471,7 @@ index 3a6be65..48a14dd 100644 | |||
471 | skip: | 471 | skip: |
472 | /* It is safe now to apply the key state */ | 472 | /* It is safe now to apply the key state */ |
473 | diff --git a/sshpty.c b/sshpty.c | 473 | diff --git a/sshpty.c b/sshpty.c |
474 | index a2059b7..3512ec8 100644 | 474 | index d2ff8c1..f7b1f6d 100644 |
475 | --- a/sshpty.c | 475 | --- a/sshpty.c |
476 | +++ b/sshpty.c | 476 | +++ b/sshpty.c |
477 | @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, | 477 | @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, |
@@ -483,7 +483,7 @@ index a2059b7..3512ec8 100644 | |||
483 | { | 483 | { |
484 | struct group *grp; | 484 | struct group *grp; |
485 | gid_t gid; | 485 | gid_t gid; |
486 | @@ -214,7 +214,7 @@ pty_setowner(struct passwd *pw, const char *tty) | 486 | @@ -209,7 +209,7 @@ pty_setowner(struct passwd *pw, const char *tty) |
487 | strerror(errno)); | 487 | strerror(errno)); |
488 | 488 | ||
489 | #ifdef WITH_SELINUX | 489 | #ifdef WITH_SELINUX |
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 07e20f03d..549ef38dd 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 66377fbb52584b41bd7f6f19116107fbbad41058 Mon Sep 17 00:00:00 2001 | 1 | From 8a8bbc66b8eefd7c679d5769f087209188deafe7 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch | |||
16 | 1 file changed, 2 insertions(+), 2 deletions(-) | 16 | 1 file changed, 2 insertions(+), 2 deletions(-) |
17 | 17 | ||
18 | diff --git a/sshconnect.c b/sshconnect.c | 18 | diff --git a/sshconnect.c b/sshconnect.c |
19 | index ac09eae..26116d2 100644 | 19 | index 9e51506..0073c6e 100644 |
20 | --- a/sshconnect.c | 20 | --- a/sshconnect.c |
21 | +++ b/sshconnect.c | 21 | +++ b/sshconnect.c |
22 | @@ -228,7 +228,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) | 22 | @@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) |
23 | /* Execute the proxy command. Note that we gave up any | 23 | /* Execute the proxy command. Note that we gave up any |
24 | extra privileges above. */ | 24 | extra privileges above. */ |
25 | signal(SIGPIPE, SIG_DFL); | 25 | signal(SIGPIPE, SIG_DFL); |
@@ -28,7 +28,7 @@ index ac09eae..26116d2 100644 | |||
28 | perror(argv[0]); | 28 | perror(argv[0]); |
29 | exit(1); | 29 | exit(1); |
30 | } | 30 | } |
31 | @@ -1416,7 +1416,7 @@ ssh_local_cmd(const char *args) | 31 | @@ -1470,7 +1470,7 @@ ssh_local_cmd(const char *args) |
32 | if (pid == 0) { | 32 | if (pid == 0) { |
33 | signal(SIGPIPE, SIG_DFL); | 33 | signal(SIGPIPE, SIG_DFL); |
34 | debug3("Executing %s -c \"%s\"", shell, args); | 34 | debug3("Executing %s -c \"%s\"", shell, args); |
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch index 1eaa7758b..80e775dc1 100644 --- a/debian/patches/sigstop.patch +++ b/debian/patches/sigstop.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 689f465c66059e527974c6d4ea8e95f04d5abab7 Mon Sep 17 00:00:00 2001 | 1 | From a8e779107942d044d281461c609ec29129dec51e Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 |
4 | Subject: Support synchronisation with service supervisor using SIGSTOP | 4 | Subject: Support synchronisation with service supervisor using SIGSTOP |
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch | |||
13 | 1 file changed, 10 insertions(+) | 13 | 1 file changed, 10 insertions(+) |
14 | 14 | ||
15 | diff --git a/sshd.c b/sshd.c | 15 | diff --git a/sshd.c b/sshd.c |
16 | index 87331c1..23d5a64 100644 | 16 | index 5435968..f8db3ae 100644 |
17 | --- a/sshd.c | 17 | --- a/sshd.c |
18 | +++ b/sshd.c | 18 | +++ b/sshd.c |
19 | @@ -1958,6 +1958,16 @@ main(int ac, char **av) | 19 | @@ -2030,6 +2030,16 @@ main(int ac, char **av) |
20 | } | 20 | } |
21 | } | 21 | } |
22 | 22 | ||
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index 9c3ddc86e..b382252a3 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 78dd041bb6ad29ceb35f05b539b09ccf761eaee2 Mon Sep 17 00:00:00 2001 | 1 | From 101d1dd7f95d75f1862c541a5b8d4032d4623d53 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch | |||
13 | 1 file changed, 15 insertions(+) | 13 | 1 file changed, 15 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh-agent.1 b/ssh-agent.1 | 15 | diff --git a/ssh-agent.1 b/ssh-agent.1 |
16 | index a1e634f..f2c4080 100644 | 16 | index 6759afe..25de326 100644 |
17 | --- a/ssh-agent.1 | 17 | --- a/ssh-agent.1 |
18 | +++ b/ssh-agent.1 | 18 | +++ b/ssh-agent.1 |
19 | @@ -172,6 +172,21 @@ environment variable holds the agent's process ID. | 19 | @@ -181,6 +181,21 @@ environment variable holds the agent's process ID. |
20 | .Pp | 20 | .Pp |
21 | The agent exits automatically when the command given on the command | 21 | The agent exits automatically when the command given on the command |
22 | line terminates. | 22 | line terminates. |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index 0ccf7c42b..0fe3b6da4 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From cbd5cb03866f6df50c82d26588b73135d05bf245 Mon Sep 17 00:00:00 2001 | 1 | From fac628fd57d3d357b86d77987f896d6289240345 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch | |||
18 | 1 file changed, 1 insertion(+) | 18 | 1 file changed, 1 insertion(+) |
19 | 19 | ||
20 | diff --git a/ssh.1 b/ssh.1 | 20 | diff --git a/ssh.1 b/ssh.1 |
21 | index de178cd..2606b15 100644 | 21 | index 04de6cf..c8892fe 100644 |
22 | --- a/ssh.1 | 22 | --- a/ssh.1 |
23 | +++ b/ssh.1 | 23 | +++ b/ssh.1 |
24 | @@ -1458,6 +1458,7 @@ if an error occurred. | 24 | @@ -1471,6 +1471,7 @@ if an error occurred. |
25 | .Xr sftp 1 , | 25 | .Xr sftp 1 , |
26 | .Xr ssh-add 1 , | 26 | .Xr ssh-add 1 , |
27 | .Xr ssh-agent 1 , | 27 | .Xr ssh-agent 1 , |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index 427ee6be1..28b98f527 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e6836d7c98c75d3252de56c2f3ea07e12c817e00 Mon Sep 17 00:00:00 2001 | 1 | From d027dea6b4b659a7ad537e452db563763302eabd Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch | |||
17 | 2 files changed, 2 insertions(+) | 17 | 2 files changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/readconf.c b/readconf.c | 19 | diff --git a/readconf.c b/readconf.c |
20 | index 9127e93..bc879eb 100644 | 20 | index 254dbce..278fe15 100644 |
21 | --- a/readconf.c | 21 | --- a/readconf.c |
22 | +++ b/readconf.c | 22 | +++ b/readconf.c |
23 | @@ -174,6 +174,7 @@ static struct { | 23 | @@ -180,6 +180,7 @@ static struct { |
24 | { "passwordauthentication", oPasswordAuthentication }, | 24 | { "passwordauthentication", oPasswordAuthentication }, |
25 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 25 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
26 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 26 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
@@ -29,10 +29,10 @@ index 9127e93..bc879eb 100644 | |||
29 | { "pubkeyauthentication", oPubkeyAuthentication }, | 29 | { "pubkeyauthentication", oPubkeyAuthentication }, |
30 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 30 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
31 | diff --git a/servconf.c b/servconf.c | 31 | diff --git a/servconf.c b/servconf.c |
32 | index cb3c831..a252487 100644 | 32 | index f68c0d0..b3a2841 100644 |
33 | --- a/servconf.c | 33 | --- a/servconf.c |
34 | +++ b/servconf.c | 34 | +++ b/servconf.c |
35 | @@ -462,6 +462,7 @@ static struct { | 35 | @@ -503,6 +503,7 @@ static struct { |
36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index 2e5fa306d..e6bc72440 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From cbbc8577950b93090171c7394bcdeb68b7c3cd0c Mon Sep 17 00:00:00 2001 | 1 | From 396f7d932b391fc92ac7ccdf8813f49564e2bbab Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:51 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:51 +0000 |
4 | Subject: Partial server keep-alive implementation for SSH1 | 4 | Subject: Partial server keep-alive implementation for SSH1 |
@@ -13,10 +13,10 @@ Patch-Name: ssh1-keepalive.patch | |||
13 | 2 files changed, 19 insertions(+), 11 deletions(-) | 13 | 2 files changed, 19 insertions(+), 11 deletions(-) |
14 | 14 | ||
15 | diff --git a/clientloop.c b/clientloop.c | 15 | diff --git a/clientloop.c b/clientloop.c |
16 | index f9175e3..046ca8b 100644 | 16 | index 7df9413..156a196 100644 |
17 | --- a/clientloop.c | 17 | --- a/clientloop.c |
18 | +++ b/clientloop.c | 18 | +++ b/clientloop.c |
19 | @@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) | 19 | @@ -564,16 +564,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) |
20 | static void | 20 | static void |
21 | server_alive_check(void) | 21 | server_alive_check(void) |
22 | { | 22 | { |
@@ -47,7 +47,7 @@ index f9175e3..046ca8b 100644 | |||
47 | } | 47 | } |
48 | 48 | ||
49 | /* | 49 | /* |
50 | @@ -634,7 +639,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, | 50 | @@ -635,7 +640,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, |
51 | */ | 51 | */ |
52 | 52 | ||
53 | timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ | 53 | timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ |
@@ -57,10 +57,10 @@ index f9175e3..046ca8b 100644 | |||
57 | server_alive_time = now + options.server_alive_interval; | 57 | server_alive_time = now + options.server_alive_interval; |
58 | } | 58 | } |
59 | diff --git a/ssh_config.5 b/ssh_config.5 | 59 | diff --git a/ssh_config.5 b/ssh_config.5 |
60 | index e6649ac..01f1f7f 100644 | 60 | index 4476171..dd35dd8 100644 |
61 | --- a/ssh_config.5 | 61 | --- a/ssh_config.5 |
62 | +++ b/ssh_config.5 | 62 | +++ b/ssh_config.5 |
63 | @@ -1325,7 +1325,10 @@ If, for example, | 63 | @@ -1409,7 +1409,10 @@ If, for example, |
64 | .Cm ServerAliveCountMax | 64 | .Cm ServerAliveCountMax |
65 | is left at the default, if the server becomes unresponsive, | 65 | is left at the default, if the server becomes unresponsive, |
66 | ssh will disconnect after approximately 45 seconds. | 66 | ssh will disconnect after approximately 45 seconds. |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index bfc236927..d760e6c19 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 69f7c00e04d1baa01a9038eeb764cfed0830fb19 Mon Sep 17 00:00:00 2001 | 1 | From fbe5bd9e957ea90404158b3a3c11a6b91fe6f010 Mon Sep 17 00:00:00 2001 |
2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> | 2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644 | |||
33 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 33 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
34 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 34 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
35 | diff --git a/ssh.c b/ssh.c | 35 | diff --git a/ssh.c b/ssh.c |
36 | index 26e9681..5bce695 100644 | 36 | index 0ad82f0..e8be6fe 100644 |
37 | --- a/ssh.c | 37 | --- a/ssh.c |
38 | +++ b/ssh.c | 38 | +++ b/ssh.c |
39 | @@ -989,7 +989,7 @@ main(int ac, char **av) | 39 | @@ -1107,7 +1107,7 @@ main(int ac, char **av) |
40 | /* Do not allocate a tty if stdin is not a tty. */ | 40 | /* Do not allocate a tty if stdin is not a tty. */ |
41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && | 41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && |
42 | options.request_tty != REQUEST_TTY_FORCE) { | 42 | options.request_tty != REQUEST_TTY_FORCE) { |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index e4e4657f3..8ce3d1f71 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 28ea747089f695e58a476a2849133402d4f86b92 Mon Sep 17 00:00:00 2001 | 1 | From 39b2121148a0aa016a648446823c8f02c5fd95b3 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -28,10 +28,10 @@ Patch-Name: user-group-modes.patch | |||
28 | 8 files changed, 82 insertions(+), 29 deletions(-) | 28 | 8 files changed, 82 insertions(+), 29 deletions(-) |
29 | 29 | ||
30 | diff --git a/auth-rhosts.c b/auth-rhosts.c | 30 | diff --git a/auth-rhosts.c b/auth-rhosts.c |
31 | index b5bedee..11fcca6 100644 | 31 | index ee9e827..2ff2cff 100644 |
32 | --- a/auth-rhosts.c | 32 | --- a/auth-rhosts.c |
33 | +++ b/auth-rhosts.c | 33 | +++ b/auth-rhosts.c |
34 | @@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam | 34 | @@ -271,8 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam |
35 | return 0; | 35 | return 0; |
36 | } | 36 | } |
37 | if (options.strict_modes && | 37 | if (options.strict_modes && |
@@ -41,7 +41,7 @@ index b5bedee..11fcca6 100644 | |||
41 | logit("Rhosts authentication refused for %.100s: " | 41 | logit("Rhosts authentication refused for %.100s: " |
42 | "bad ownership or modes for home directory.", pw->pw_name); | 42 | "bad ownership or modes for home directory.", pw->pw_name); |
43 | auth_debug_add("Rhosts authentication refused for %.100s: " | 43 | auth_debug_add("Rhosts authentication refused for %.100s: " |
44 | @@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam | 44 | @@ -298,8 +297,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam |
45 | * allowing access to their account by anyone. | 45 | * allowing access to their account by anyone. |
46 | */ | 46 | */ |
47 | if (options.strict_modes && | 47 | if (options.strict_modes && |
@@ -52,10 +52,10 @@ index b5bedee..11fcca6 100644 | |||
52 | pw->pw_name, buf); | 52 | pw->pw_name, buf); |
53 | auth_debug_add("Bad file modes for %.200s", buf); | 53 | auth_debug_add("Bad file modes for %.200s", buf); |
54 | diff --git a/auth.c b/auth.c | 54 | diff --git a/auth.c b/auth.c |
55 | index 5e60682..18de51a 100644 | 55 | index f9b7673..41e3876 100644 |
56 | --- a/auth.c | 56 | --- a/auth.c |
57 | +++ b/auth.c | 57 | +++ b/auth.c |
58 | @@ -421,8 +421,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | 58 | @@ -423,8 +423,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, |
59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
60 | if (options.strict_modes && | 60 | if (options.strict_modes && |
61 | (stat(user_hostfile, &st) == 0) && | 61 | (stat(user_hostfile, &st) == 0) && |
@@ -65,7 +65,7 @@ index 5e60682..18de51a 100644 | |||
65 | logit("Authentication refused for %.100s: " | 65 | logit("Authentication refused for %.100s: " |
66 | "bad owner or modes for %.200s", | 66 | "bad owner or modes for %.200s", |
67 | pw->pw_name, user_hostfile); | 67 | pw->pw_name, user_hostfile); |
68 | @@ -484,8 +483,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 68 | @@ -486,8 +485,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
69 | snprintf(err, errlen, "%s is not a regular file", buf); | 69 | snprintf(err, errlen, "%s is not a regular file", buf); |
70 | return -1; | 70 | return -1; |
71 | } | 71 | } |
@@ -75,7 +75,7 @@ index 5e60682..18de51a 100644 | |||
75 | snprintf(err, errlen, "bad ownership or modes for file %s", | 75 | snprintf(err, errlen, "bad ownership or modes for file %s", |
76 | buf); | 76 | buf); |
77 | return -1; | 77 | return -1; |
78 | @@ -500,8 +498,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 78 | @@ -502,8 +500,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
79 | strlcpy(buf, cp, sizeof(buf)); | 79 | strlcpy(buf, cp, sizeof(buf)); |
80 | 80 | ||
81 | if (stat(buf, &st) < 0 || | 81 | if (stat(buf, &st) < 0 || |
@@ -86,7 +86,7 @@ index 5e60682..18de51a 100644 | |||
86 | "bad ownership or modes for directory %s", buf); | 86 | "bad ownership or modes for directory %s", buf); |
87 | return -1; | 87 | return -1; |
88 | diff --git a/misc.c b/misc.c | 88 | diff --git a/misc.c b/misc.c |
89 | index 94b05b0..c25ccd8 100644 | 89 | index 38af3df..d745480 100644 |
90 | --- a/misc.c | 90 | --- a/misc.c |
91 | +++ b/misc.c | 91 | +++ b/misc.c |
92 | @@ -50,8 +50,9 @@ | 92 | @@ -50,8 +50,9 @@ |
@@ -216,10 +216,10 @@ index f35ec39..9a23e6e 100644 | |||
216 | - return 0; | 216 | - return 0; |
217 | -} | 217 | -} |
218 | diff --git a/readconf.c b/readconf.c | 218 | diff --git a/readconf.c b/readconf.c |
219 | index 337818c..0648867 100644 | 219 | index 1d2d596..2ef8d7b 100644 |
220 | --- a/readconf.c | 220 | --- a/readconf.c |
221 | +++ b/readconf.c | 221 | +++ b/readconf.c |
222 | @@ -38,6 +38,8 @@ | 222 | @@ -39,6 +39,8 @@ |
223 | #include <stdio.h> | 223 | #include <stdio.h> |
224 | #include <string.h> | 224 | #include <string.h> |
225 | #include <unistd.h> | 225 | #include <unistd.h> |
@@ -228,7 +228,7 @@ index 337818c..0648867 100644 | |||
228 | #ifdef HAVE_UTIL_H | 228 | #ifdef HAVE_UTIL_H |
229 | #include <util.h> | 229 | #include <util.h> |
230 | #endif | 230 | #endif |
231 | @@ -1516,8 +1518,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, | 231 | @@ -1579,8 +1581,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, |
232 | 232 | ||
233 | if (fstat(fileno(f), &sb) == -1) | 233 | if (fstat(fileno(f), &sb) == -1) |
234 | fatal("fstat %s: %s", filename, strerror(errno)); | 234 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -239,10 +239,10 @@ index 337818c..0648867 100644 | |||
239 | } | 239 | } |
240 | 240 | ||
241 | diff --git a/ssh.1 b/ssh.1 | 241 | diff --git a/ssh.1 b/ssh.1 |
242 | index fa5cfb2..7f6ab77 100644 | 242 | index da64b71..53c711a 100644 |
243 | --- a/ssh.1 | 243 | --- a/ssh.1 |
244 | +++ b/ssh.1 | 244 | +++ b/ssh.1 |
245 | @@ -1342,6 +1342,8 @@ The file format and configuration options are described in | 245 | @@ -1355,6 +1355,8 @@ The file format and configuration options are described in |
246 | .Xr ssh_config 5 . | 246 | .Xr ssh_config 5 . |
247 | Because of the potential for abuse, this file must have strict permissions: | 247 | Because of the potential for abuse, this file must have strict permissions: |
248 | read/write for the user, and not writable by others. | 248 | read/write for the user, and not writable by others. |
@@ -252,10 +252,10 @@ index fa5cfb2..7f6ab77 100644 | |||
252 | .It Pa ~/.ssh/environment | 252 | .It Pa ~/.ssh/environment |
253 | Contains additional definitions for environment variables; see | 253 | Contains additional definitions for environment variables; see |
254 | diff --git a/ssh_config.5 b/ssh_config.5 | 254 | diff --git a/ssh_config.5 b/ssh_config.5 |
255 | index ea92ea8..d68b45a 100644 | 255 | index 250c0d1..8abcf40 100644 |
256 | --- a/ssh_config.5 | 256 | --- a/ssh_config.5 |
257 | +++ b/ssh_config.5 | 257 | +++ b/ssh_config.5 |
258 | @@ -1587,6 +1587,8 @@ The format of this file is described above. | 258 | @@ -1701,6 +1701,8 @@ The format of this file is described above. |
259 | This file is used by the SSH client. | 259 | This file is used by the SSH client. |
260 | Because of the potential for abuse, this file must have strict permissions: | 260 | Because of the potential for abuse, this file must have strict permissions: |
261 | read/write for the user, and not accessible by others. | 261 | read/write for the user, and not accessible by others. |