Diffstat (limited to 'debian/patches')
25 files changed, 226 insertions, 208 deletions
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index 43a160a0f..68f5029d5 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b0cb3badf4d423f8ea7bf950e55ca72878cc224b Mon Sep 17 00:00:00 2001 | 1 | From eb51213d1bdc8d80cd7d0578737d8a7bfde992d2 Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch | |||
13 | 1 file changed, 1 insertion(+) | 13 | 1 file changed, 1 insertion(+) |
14 | 14 | ||
15 | diff --git a/Makefile.in b/Makefile.in | 15 | diff --git a/Makefile.in b/Makefile.in |
16 | index b68c1710f..bff1db49b 100644 | 16 | index bf1e1de47..3aa808a38 100644 |
17 | --- a/Makefile.in | 17 | --- a/Makefile.in |
18 | +++ b/Makefile.in | 18 | +++ b/Makefile.in |
19 | @@ -402,6 +402,7 @@ install-files: | 19 | @@ -406,6 +406,7 @@ install-files: |
20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | 20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 |
21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | 21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 |
22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch index c48220f63..dfd1058b8 100644 --- a/debian/patches/conch-old-privkey-format.patch +++ b/debian/patches/conch-old-privkey-format.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 39d3bb41ec288e8ba2384c65248440603f65349c Mon Sep 17 00:00:00 2001 | 1 | From f2697f0c5ff23bc13dce1c90fb4c1c934c02070b Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Thu, 30 Aug 2018 00:58:56 +0100 | 3 | Date: Thu, 30 Aug 2018 00:58:56 +0100 |
4 | Subject: Work around conch interoperability failure | 4 | Subject: Work around conch interoperability failure |
@@ -18,10 +18,10 @@ Patch-Name: conch-old-privkey-format.patch | |||
18 | 3 files changed, 14 insertions(+), 2 deletions(-) | 18 | 3 files changed, 14 insertions(+), 2 deletions(-) |
19 | 19 | ||
20 | diff --git a/regress/Makefile b/regress/Makefile | 20 | diff --git a/regress/Makefile b/regress/Makefile |
21 | index 774c10d41..01e257a94 100644 | 21 | index 62794d25f..53a50ffca 100644 |
22 | --- a/regress/Makefile | 22 | --- a/regress/Makefile |
23 | +++ b/regress/Makefile | 23 | +++ b/regress/Makefile |
24 | @@ -120,7 +120,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ | 24 | @@ -121,7 +121,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ |
25 | rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ | 25 | rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ |
26 | scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ | 26 | scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ |
27 | sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ | 27 | sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ |
@@ -44,10 +44,10 @@ index 6678813a2..6ff5da20b 100644 | |||
44 | 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} | 44 | 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} |
45 | if [ $? -ne 0 ]; then | 45 | if [ $? -ne 0 ]; then |
46 | diff --git a/regress/test-exec.sh b/regress/test-exec.sh | 46 | diff --git a/regress/test-exec.sh b/regress/test-exec.sh |
47 | index f5e3ee6f5..a3a40719f 100644 | 47 | index 5dc975d07..d8491b2be 100644 |
48 | --- a/regress/test-exec.sh | 48 | --- a/regress/test-exec.sh |
49 | +++ b/regress/test-exec.sh | 49 | +++ b/regress/test-exec.sh |
50 | @@ -573,6 +573,18 @@ REGRESS_INTEROP_CONCH=no | 50 | @@ -587,6 +587,18 @@ REGRESS_INTEROP_CONCH=no |
51 | if test -x "$CONCH" ; then | 51 | if test -x "$CONCH" ; then |
52 | REGRESS_INTEROP_CONCH=yes | 52 | REGRESS_INTEROP_CONCH=yes |
53 | fi | 53 | fi |
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 0d998fdd4..47a2fe372 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 Mon Sep 17 00:00:00 2001 | 1 | From 90c1c8771b61dd3ee0eacb4e1cfac404dc42f4b0 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch. | |||
8 | 8 | ||
9 | Bug-Debian: http://bugs.debian.org/562048 | 9 | Bug-Debian: http://bugs.debian.org/562048 |
10 | Forwarded: not-needed | 10 | Forwarded: not-needed |
11 | Last-Update: 2020-02-21 | 11 | Last-Update: 2020-06-07 |
12 | 12 | ||
13 | Patch-Name: debian-banner.patch | 13 | Patch-Name: debian-banner.patch |
14 | --- | 14 | --- |
@@ -17,24 +17,24 @@ Patch-Name: debian-banner.patch | |||
17 | servconf.c | 9 +++++++++ | 17 | servconf.c | 9 +++++++++ |
18 | servconf.h | 2 ++ | 18 | servconf.h | 2 ++ |
19 | sshconnect.c | 2 +- | 19 | sshconnect.c | 2 +- |
20 | sshd.c | 3 ++- | 20 | sshd.c | 2 +- |
21 | sshd_config.5 | 5 +++++ | 21 | sshd_config.5 | 5 +++++ |
22 | 7 files changed, 23 insertions(+), 5 deletions(-) | 22 | 7 files changed, 22 insertions(+), 5 deletions(-) |
23 | 23 | ||
24 | diff --git a/kex.c b/kex.c | 24 | diff --git a/kex.c b/kex.c |
25 | index f638942d3..2abfbb95a 100644 | 25 | index 0e64bf760..aa5acaac3 100644 |
26 | --- a/kex.c | 26 | --- a/kex.c |
27 | +++ b/kex.c | 27 | +++ b/kex.c |
28 | @@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg) | 28 | @@ -1225,7 +1225,7 @@ send_error(struct ssh *ssh, char *msg) |
29 | */ | 29 | */ |
30 | int | 30 | int |
31 | kex_exchange_identification(struct ssh *ssh, int timeout_ms, | 31 | kex_exchange_identification(struct ssh *ssh, int timeout_ms, |
32 | - const char *version_addendum) | 32 | - const char *version_addendum) |
33 | + int debian_banner, const char *version_addendum) | 33 | + int debian_banner, const char *version_addendum) |
34 | { | 34 | { |
35 | int remote_major, remote_minor, mismatch; | 35 | int remote_major, remote_minor, mismatch, oerrno = 0; |
36 | size_t len, i, n; | 36 | size_t len, i, n; |
37 | @@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, | 37 | @@ -1243,7 +1243,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, |
38 | if (version_addendum != NULL && *version_addendum == '\0') | 38 | if (version_addendum != NULL && *version_addendum == '\0') |
39 | version_addendum = NULL; | 39 | version_addendum = NULL; |
40 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", | 40 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", |
@@ -43,7 +43,7 @@ index f638942d3..2abfbb95a 100644 | |||
43 | + debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | 43 | + debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, |
44 | version_addendum == NULL ? "" : " ", | 44 | version_addendum == NULL ? "" : " ", |
45 | version_addendum == NULL ? "" : version_addendum)) != 0) { | 45 | version_addendum == NULL ? "" : version_addendum)) != 0) { |
46 | error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); | 46 | oerrno = errno; |
47 | diff --git a/kex.h b/kex.h | 47 | diff --git a/kex.h b/kex.h |
48 | index fe7141414..938dca03b 100644 | 48 | index fe7141414..938dca03b 100644 |
49 | --- a/kex.h | 49 | --- a/kex.h |
@@ -58,7 +58,7 @@ index fe7141414..938dca03b 100644 | |||
58 | struct kex *kex_new(void); | 58 | struct kex *kex_new(void); |
59 | int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); | 59 | int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); |
60 | diff --git a/servconf.c b/servconf.c | 60 | diff --git a/servconf.c b/servconf.c |
61 | index bf3cd84a4..7bbc25c2e 100644 | 61 | index ff5b9436c..cf4e52f3b 100644 |
62 | --- a/servconf.c | 62 | --- a/servconf.c |
63 | +++ b/servconf.c | 63 | +++ b/servconf.c |
64 | @@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options) | 64 | @@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options) |
@@ -94,7 +94,7 @@ index bf3cd84a4..7bbc25c2e 100644 | |||
94 | { NULL, sBadOption, 0 } | 94 | { NULL, sBadOption, 0 } |
95 | }; | 95 | }; |
96 | 96 | ||
97 | @@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, | 97 | @@ -2393,6 +2398,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, |
98 | *charptr = xstrdup(arg); | 98 | *charptr = xstrdup(arg); |
99 | break; | 99 | break; |
100 | 100 | ||
@@ -106,10 +106,10 @@ index bf3cd84a4..7bbc25c2e 100644 | |||
106 | case sIgnore: | 106 | case sIgnore: |
107 | case sUnsupported: | 107 | case sUnsupported: |
108 | diff --git a/servconf.h b/servconf.h | 108 | diff --git a/servconf.h b/servconf.h |
109 | index 3f47ea25e..3fa05fcac 100644 | 109 | index 253cad97e..5a2b60512 100644 |
110 | --- a/servconf.h | 110 | --- a/servconf.h |
111 | +++ b/servconf.h | 111 | +++ b/servconf.h |
112 | @@ -221,6 +221,8 @@ typedef struct { | 112 | @@ -226,6 +226,8 @@ typedef struct { |
113 | int expose_userauth_info; | 113 | int expose_userauth_info; |
114 | u_int64_t timing_secret; | 114 | u_int64_t timing_secret; |
115 | char *sk_provider; | 115 | char *sk_provider; |
@@ -119,37 +119,36 @@ index 3f47ea25e..3fa05fcac 100644 | |||
119 | 119 | ||
120 | /* Information about the incoming connection as used by Match */ | 120 | /* Information about the incoming connection as used by Match */ |
121 | diff --git a/sshconnect.c b/sshconnect.c | 121 | diff --git a/sshconnect.c b/sshconnect.c |
122 | index b796d3c8a..9f2412e0d 100644 | 122 | index f20d3e792..1e5b8ea5a 100644 |
123 | --- a/sshconnect.c | 123 | --- a/sshconnect.c |
124 | +++ b/sshconnect.c | 124 | +++ b/sshconnect.c |
125 | @@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, | 125 | @@ -1293,7 +1293,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, |
126 | lowercase(host); | 126 | lowercase(host); |
127 | 127 | ||
128 | /* Exchange protocol version identification strings with the server. */ | 128 | /* Exchange protocol version identification strings with the server. */ |
129 | - if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0) | 129 | - if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0) |
130 | + if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0) | 130 | + if ((r = kex_exchange_identification(ssh, timeout_ms, 1, NULL)) != 0) |
131 | cleanup_exit(255); /* error already logged */ | 131 | sshpkt_fatal(ssh, r, "banner exchange"); |
132 | 132 | ||
133 | /* Put the connection into non-blocking mode. */ | 133 | /* Put the connection into non-blocking mode. */ |
134 | diff --git a/sshd.c b/sshd.c | 134 | diff --git a/sshd.c b/sshd.c |
135 | index 65916fc6d..da876a900 100644 | 135 | index e8b332ca4..baee13506 100644 |
136 | --- a/sshd.c | 136 | --- a/sshd.c |
137 | +++ b/sshd.c | 137 | +++ b/sshd.c |
138 | @@ -2187,7 +2187,8 @@ main(int ac, char **av) | 138 | @@ -2181,7 +2181,7 @@ main(int ac, char **av) |
139 | if (!debug_flag) | 139 | if (!debug_flag) |
140 | alarm(options.login_grace_time); | 140 | alarm(options.login_grace_time); |
141 | 141 | ||
142 | - if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0) | 142 | - if ((r = kex_exchange_identification(ssh, -1, |
143 | + if (kex_exchange_identification(ssh, -1, options.debian_banner, | 143 | + if ((r = kex_exchange_identification(ssh, -1, options.debian_banner, |
144 | + options.version_addendum) != 0) | 144 | options.version_addendum)) != 0) |
145 | cleanup_exit(255); /* error already logged */ | 145 | sshpkt_fatal(ssh, r, "banner exchange"); |
146 | 146 | ||
147 | ssh_packet_set_nonblocking(ssh); | ||
148 | diff --git a/sshd_config.5 b/sshd_config.5 | 147 | diff --git a/sshd_config.5 b/sshd_config.5 |
149 | index ebd09f891..c926f584c 100644 | 148 | index 9f093be1f..753ceda10 100644 |
150 | --- a/sshd_config.5 | 149 | --- a/sshd_config.5 |
151 | +++ b/sshd_config.5 | 150 | +++ b/sshd_config.5 |
152 | @@ -542,6 +542,11 @@ or | 151 | @@ -540,6 +540,11 @@ or |
153 | .Cm no . | 152 | .Cm no . |
154 | The default is | 153 | The default is |
155 | .Cm yes . | 154 | .Cm yes . |
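Review bot: The bare `1` passed for `debian_banner` in the sshconnect.c hunk (`kex_exchange_identification(ssh, timeout_ms, 1, NULL)`) gives no hint that the client always sends the full release string while only sshd consults `options.debian_banner`. A short comment on that call, such as `/* debian_banner=1: DebianBanner is a server-side option only */`, would make the asymmetry explicit. In the kex.c hunk the flag only selects between `SSH_RELEASE` and `SSH_RELEASE_MINIMUM`, and `version_addendum` is still appended in both cases. The sshd_config.5 text is not visible here, but it should presumably state that `DebianBanner no` trims only the distribution suffix and does not hide the upstream version or the addendum. All of the functions touched start or end outside the visible hunks, so this is based on the shown lines only.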
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 35c71b0e9..d01331cc3 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8086961f9f4ad834e9c3b09b6e2c80273be1c506 Mon Sep 17 00:00:00 2001 | 1 | From 08ca1225e6979fc6b5b6e7f85ce5cb0ac5cc7405 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
@@ -43,10 +43,10 @@ Patch-Name: debian-config.patch | |||
43 | 6 files changed, 98 insertions(+), 9 deletions(-) | 43 | 6 files changed, 98 insertions(+), 9 deletions(-) |
44 | 44 | ||
45 | diff --git a/readconf.c b/readconf.c | 45 | diff --git a/readconf.c b/readconf.c |
46 | index 7f251dd4a..e82024678 100644 | 46 | index 5bf0afbb4..87b0dc62a 100644 |
47 | --- a/readconf.c | 47 | --- a/readconf.c |
48 | +++ b/readconf.c | 48 | +++ b/readconf.c |
49 | @@ -2087,7 +2087,7 @@ fill_default_options(Options * options) | 49 | @@ -2111,7 +2111,7 @@ fill_default_options(Options * options) |
50 | if (options->forward_x11 == -1) | 50 | if (options->forward_x11 == -1) |
51 | options->forward_x11 = 0; | 51 | options->forward_x11 = 0; |
52 | if (options->forward_x11_trusted == -1) | 52 | if (options->forward_x11_trusted == -1) |
@@ -56,10 +56,10 @@ index 7f251dd4a..e82024678 100644 | |||
56 | options->forward_x11_timeout = 1200; | 56 | options->forward_x11_timeout = 1200; |
57 | /* | 57 | /* |
58 | diff --git a/ssh.1 b/ssh.1 | 58 | diff --git a/ssh.1 b/ssh.1 |
59 | index b33a8049f..a8967c2f8 100644 | 59 | index 5a31b5dde..035823da3 100644 |
60 | --- a/ssh.1 | 60 | --- a/ssh.1 |
61 | +++ b/ssh.1 | 61 | +++ b/ssh.1 |
62 | @@ -809,6 +809,16 @@ directive in | 62 | @@ -812,6 +812,16 @@ directive in |
63 | .Xr ssh_config 5 | 63 | .Xr ssh_config 5 |
64 | for more information. | 64 | for more information. |
65 | .Pp | 65 | .Pp |
@@ -76,7 +76,7 @@ index b33a8049f..a8967c2f8 100644 | |||
76 | .It Fl x | 76 | .It Fl x |
77 | Disables X11 forwarding. | 77 | Disables X11 forwarding. |
78 | .Pp | 78 | .Pp |
79 | @@ -817,6 +827,20 @@ Enables trusted X11 forwarding. | 79 | @@ -820,6 +830,20 @@ Enables trusted X11 forwarding. |
80 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension | 80 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
81 | controls. | 81 | controls. |
82 | .Pp | 82 | .Pp |
@@ -123,7 +123,7 @@ index 1ff999b68..8a55237b9 100644 | |||
123 | + HashKnownHosts yes | 123 | + HashKnownHosts yes |
124 | + GSSAPIAuthentication yes | 124 | + GSSAPIAuthentication yes |
125 | diff --git a/ssh_config.5 b/ssh_config.5 | 125 | diff --git a/ssh_config.5 b/ssh_config.5 |
126 | index c6eaa63e7..34dc2d51b 100644 | 126 | index dd8241df1..aac3fabb7 100644 |
127 | --- a/ssh_config.5 | 127 | --- a/ssh_config.5 |
128 | +++ b/ssh_config.5 | 128 | +++ b/ssh_config.5 |
129 | @@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more | 129 | @@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more |
@@ -229,7 +229,7 @@ index 2c48105f8..459c1b230 100644 | |||
229 | # Example of overriding settings on a per-user basis | 229 | # Example of overriding settings on a per-user basis |
230 | #Match User anoncvs | 230 | #Match User anoncvs |
231 | diff --git a/sshd_config.5 b/sshd_config.5 | 231 | diff --git a/sshd_config.5 b/sshd_config.5 |
232 | index 25f4b8117..e8271be74 100644 | 232 | index c27f99937..b38025dbf 100644 |
233 | --- a/sshd_config.5 | 233 | --- a/sshd_config.5 |
234 | +++ b/sshd_config.5 | 234 | +++ b/sshd_config.5 |
235 | @@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes | 235 | @@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes |
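--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 74c1c0ef7689ea68dc8263f73c00ff8675f9f0fe Mon Sep 17 00:00:00 2001
+From ca39bb2ab1f56d8ecdeadc32d6bda1a8e73301ac Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf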
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index b0faea78c..f58bbaeee 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a14ddfc3f607b0bf29046bfb4b26a6d827fa58c7 Mon Sep 17 00:00:00 2001 | 1 | From 0402bdf307736b3afae8c80c84f04b0295990c45 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
@@ -13,7 +13,7 @@ Patch-Name: doc-hash-tab-completion.patch | |||
13 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh_config.5 b/ssh_config.5 | 15 | diff --git a/ssh_config.5 b/ssh_config.5 |
16 | index e61a0fd43..c6eaa63e7 100644 | 16 | index d814147d4..dd8241df1 100644 |
17 | --- a/ssh_config.5 | 17 | --- a/ssh_config.5 |
18 | +++ b/ssh_config.5 | 18 | +++ b/ssh_config.5 |
19 | @@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files | 19 | @@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files |
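--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 63da84c3570afb4fa6bab38fdac3e9af45d0ec54 Mon Sep 17 00:00:00 2001
+From 9b1d6a32944943b6b18861b97868c463bf5a6e8c Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon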
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 4bf1d3f73..685923e47 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 34aff3aa136e5a65f441b25811dd466488fda087 Mon Sep 17 00:00:00 2001 | 1 | From 79f9d21b406c172878896ef41cdc2502fc2f84a7 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -16,9 +16,12 @@ have it merged into the main openssh package rather than having separate | |||
16 | -krb5 packages (as we used to have). It seems to have a generally good | 16 | -krb5 packages (as we used to have). It seems to have a generally good |
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Author: Simon Wilkinson <simon@sxw.org.uk> | ||
20 | Author: Colin Watson <cjwatson@debian.org> | ||
21 | Author: Jakub Jelen <jjelen@redhat.com> | ||
19 | Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master | 22 | Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master |
20 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 23 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
21 | Last-Updated: 2020-02-21 | 24 | Last-Updated: 2020-06-07 |
22 | 25 | ||
23 | Patch-Name: gssapi.patch | 26 | Patch-Name: gssapi.patch |
24 | --- | 27 | --- |
@@ -49,23 +52,23 @@ Patch-Name: gssapi.patch | |||
49 | servconf.c | 47 ++++ | 52 | servconf.c | 47 ++++ |
50 | servconf.h | 3 + | 53 | servconf.h | 3 + |
51 | session.c | 10 +- | 54 | session.c | 10 +- |
52 | ssh-gss.h | 50 +++- | 55 | ssh-gss.h | 54 ++++- |
53 | ssh.1 | 8 + | 56 | ssh.1 | 8 + |
54 | ssh.c | 6 +- | 57 | ssh.c | 6 +- |
55 | ssh_config | 2 + | 58 | ssh_config | 2 + |
56 | ssh_config.5 | 57 +++++ | 59 | ssh_config.5 | 57 +++++ |
57 | sshconnect2.c | 142 +++++++++++- | 60 | sshconnect2.c | 154 +++++++++++- |
58 | sshd.c | 62 ++++- | 61 | sshd.c | 62 ++++- |
59 | sshd_config | 2 + | 62 | sshd_config | 2 + |
60 | sshd_config.5 | 30 +++ | 63 | sshd_config.5 | 30 +++ |
61 | sshkey.c | 3 +- | 64 | sshkey.c | 3 +- |
62 | sshkey.h | 1 + | 65 | sshkey.h | 1 + |
63 | 38 files changed, 2624 insertions(+), 160 deletions(-) | 66 | 38 files changed, 2640 insertions(+), 160 deletions(-) |
64 | create mode 100644 kexgssc.c | 67 | create mode 100644 kexgssc.c |
65 | create mode 100644 kexgsss.c | 68 | create mode 100644 kexgsss.c |
66 | 69 | ||
67 | diff --git a/Makefile.in b/Makefile.in | 70 | diff --git a/Makefile.in b/Makefile.in |
68 | index e7549470c..b68c1710f 100644 | 71 | index c9e4294d3..bf1e1de47 100644 |
69 | --- a/Makefile.in | 72 | --- a/Makefile.in |
70 | +++ b/Makefile.in | 73 | +++ b/Makefile.in |
71 | @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 74 | @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
@@ -336,7 +339,7 @@ index 9351e0428..d6446c0cf 100644 | |||
336 | "gssapi-with-mic", | 339 | "gssapi-with-mic", |
337 | userauth_gssapi, | 340 | userauth_gssapi, |
338 | diff --git a/auth2.c b/auth2.c | 341 | diff --git a/auth2.c b/auth2.c |
339 | index 0e7762242..1c217268c 100644 | 342 | index 91aaf34a6..a4a5e0069 100644 |
340 | --- a/auth2.c | 343 | --- a/auth2.c |
341 | +++ b/auth2.c | 344 | +++ b/auth2.c |
342 | @@ -73,6 +73,7 @@ extern Authmethod method_passwd; | 345 | @@ -73,6 +73,7 @@ extern Authmethod method_passwd; |
@@ -474,7 +477,7 @@ index 26d62855a..0cadc9f18 100644 | |||
474 | int get_peer_port(int); | 477 | int get_peer_port(int); |
475 | char *get_local_ipaddr(int); | 478 | char *get_local_ipaddr(int); |
476 | diff --git a/clientloop.c b/clientloop.c | 479 | diff --git a/clientloop.c b/clientloop.c |
477 | index ebd0dbca1..1bdac6a46 100644 | 480 | index da396c72a..42ace7789 100644 |
478 | --- a/clientloop.c | 481 | --- a/clientloop.c |
479 | +++ b/clientloop.c | 482 | +++ b/clientloop.c |
480 | @@ -112,6 +112,10 @@ | 483 | @@ -112,6 +112,10 @@ |
@@ -488,7 +491,7 @@ index ebd0dbca1..1bdac6a46 100644 | |||
488 | /* import options */ | 491 | /* import options */ |
489 | extern Options options; | 492 | extern Options options; |
490 | 493 | ||
491 | @@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, | 494 | @@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, |
492 | break; | 495 | break; |
493 | 496 | ||
494 | /* Do channel operations unless rekeying in progress. */ | 497 | /* Do channel operations unless rekeying in progress. */ |
@@ -509,10 +512,10 @@ index ebd0dbca1..1bdac6a46 100644 | |||
509 | client_process_net_input(ssh, readset); | 512 | client_process_net_input(ssh, readset); |
510 | 513 | ||
511 | diff --git a/configure.ac b/configure.ac | 514 | diff --git a/configure.ac b/configure.ac |
512 | index b689db4b5..efafb6bd8 100644 | 515 | index 460383757..d98e6f74a 100644 |
513 | --- a/configure.ac | 516 | --- a/configure.ac |
514 | +++ b/configure.ac | 517 | +++ b/configure.ac |
515 | @@ -674,6 +674,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 518 | @@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
516 | [Use tunnel device compatibility to OpenBSD]) | 519 | [Use tunnel device compatibility to OpenBSD]) |
517 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 520 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
518 | [Prepend the address family to IP tunnel traffic]) | 521 | [Prepend the address family to IP tunnel traffic]) |
@@ -1053,11 +1056,11 @@ index a151bc1e4..ef9beb67c 100644 | |||
1053 | 1056 | ||
1054 | #endif /* KRB5 */ | 1057 | #endif /* KRB5 */ |
1055 | diff --git a/gss-serv.c b/gss-serv.c | 1058 | diff --git a/gss-serv.c b/gss-serv.c |
1056 | index ab3a15f0f..1d47870e7 100644 | 1059 | index b5d4bb2d1..55f4d4bda 100644 |
1057 | --- a/gss-serv.c | 1060 | --- a/gss-serv.c |
1058 | +++ b/gss-serv.c | 1061 | +++ b/gss-serv.c |
1059 | @@ -1,7 +1,7 @@ | 1062 | @@ -1,7 +1,7 @@ |
1060 | /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */ | 1063 | /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */ |
1061 | 1064 | ||
1062 | /* | 1065 | /* |
1063 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 1066 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -1327,7 +1330,7 @@ index ab3a15f0f..1d47870e7 100644 | |||
1327 | 1330 | ||
1328 | /* Privileged */ | 1331 | /* Privileged */ |
1329 | diff --git a/kex.c b/kex.c | 1332 | diff --git a/kex.c b/kex.c |
1330 | index ce85f0439..574c76093 100644 | 1333 | index 09c7258e0..144dee512 100644 |
1331 | --- a/kex.c | 1334 | --- a/kex.c |
1332 | +++ b/kex.c | 1335 | +++ b/kex.c |
1333 | @@ -57,11 +57,16 @@ | 1336 | @@ -57,11 +57,16 @@ |
@@ -1439,7 +1442,7 @@ index ce85f0439..574c76093 100644 | |||
1439 | /* put algorithm proposal into buffer */ | 1442 | /* put algorithm proposal into buffer */ |
1440 | int | 1443 | int |
1441 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) | 1444 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) |
1442 | @@ -698,6 +755,9 @@ kex_free(struct kex *kex) | 1445 | @@ -697,6 +754,9 @@ kex_free(struct kex *kex) |
1443 | sshbuf_free(kex->server_version); | 1446 | sshbuf_free(kex->server_version); |
1444 | sshbuf_free(kex->client_pub); | 1447 | sshbuf_free(kex->client_pub); |
1445 | free(kex->session_id); | 1448 | free(kex->session_id); |
@@ -2653,7 +2656,7 @@ index 000000000..60bc02deb | |||
2653 | +} | 2656 | +} |
2654 | +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ | 2657 | +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ |
2655 | diff --git a/monitor.c b/monitor.c | 2658 | diff --git a/monitor.c b/monitor.c |
2656 | index 2ce89fe90..ebf76c7f9 100644 | 2659 | index b6e855d5d..5347e900d 100644 |
2657 | --- a/monitor.c | 2660 | --- a/monitor.c |
2658 | +++ b/monitor.c | 2661 | +++ b/monitor.c |
2659 | @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); | 2662 | @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); |
@@ -2706,7 +2709,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2706 | 2709 | ||
2707 | if (auth_opts->permit_pty_flag) { | 2710 | if (auth_opts->permit_pty_flag) { |
2708 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 2711 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
2709 | @@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) | 2712 | @@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) |
2710 | # ifdef OPENSSL_HAS_ECC | 2713 | # ifdef OPENSSL_HAS_ECC |
2711 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; | 2714 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
2712 | # endif | 2715 | # endif |
@@ -2724,7 +2727,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2724 | #endif /* WITH_OPENSSL */ | 2727 | #endif /* WITH_OPENSSL */ |
2725 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; | 2728 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; |
2726 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; | 2729 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; |
2727 | @@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2730 | @@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2728 | u_char *p; | 2731 | u_char *p; |
2729 | int r; | 2732 | int r; |
2730 | 2733 | ||
@@ -2735,7 +2738,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2735 | 2738 | ||
2736 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) | 2739 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) |
2737 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2740 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2738 | @@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2741 | @@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2739 | OM_uint32 flags = 0; /* GSI needs this */ | 2742 | OM_uint32 flags = 0; /* GSI needs this */ |
2740 | int r; | 2743 | int r; |
2741 | 2744 | ||
@@ -2746,7 +2749,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2746 | 2749 | ||
2747 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) | 2750 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) |
2748 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2751 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2749 | @@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | 2752 | @@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
2750 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2753 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2751 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2754 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2752 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2755 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2754,7 +2757,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2754 | } | 2757 | } |
2755 | return (0); | 2758 | return (0); |
2756 | } | 2759 | } |
2757 | @@ -1871,8 +1900,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) | 2760 | @@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
2758 | OM_uint32 ret; | 2761 | OM_uint32 ret; |
2759 | int r; | 2762 | int r; |
2760 | 2763 | ||
@@ -2765,7 +2768,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2765 | 2768 | ||
2766 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || | 2769 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || |
2767 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) | 2770 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) |
2768 | @@ -1898,13 +1927,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) | 2771 | @@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
2769 | int | 2772 | int |
2770 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2773 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2771 | { | 2774 | { |
@@ -2787,7 +2790,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2787 | 2790 | ||
2788 | sshbuf_reset(m); | 2791 | sshbuf_reset(m); |
2789 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) | 2792 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) |
2790 | @@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2793 | @@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2791 | debug3("%s: sending result %d", __func__, authenticated); | 2794 | debug3("%s: sending result %d", __func__, authenticated); |
2792 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); | 2795 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); |
2793 | 2796 | ||
@@ -2800,7 +2803,7 @@ index 2ce89fe90..ebf76c7f9 100644 | |||
2800 | 2803 | ||
2801 | if ((displayname = ssh_gssapi_displayname()) != NULL) | 2804 | if ((displayname = ssh_gssapi_displayname()) != NULL) |
2802 | auth2_record_info(authctxt, "%s", displayname); | 2805 | auth2_record_info(authctxt, "%s", displayname); |
2803 | @@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 2806 | @@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
2804 | /* Monitor loop will terminate if authenticated */ | 2807 | /* Monitor loop will terminate if authenticated */ |
2805 | return (authenticated); | 2808 | return (authenticated); |
2806 | } | 2809 | } |
@@ -2995,7 +2998,7 @@ index 23ab096aa..485590c18 100644 | |||
2995 | 2998 | ||
2996 | #ifdef USE_PAM | 2999 | #ifdef USE_PAM |
2997 | diff --git a/readconf.c b/readconf.c | 3000 | diff --git a/readconf.c b/readconf.c |
2998 | index f3cac6b3a..da8022dd0 100644 | 3001 | index 2afcbaeca..fb585e248 100644 |
2999 | --- a/readconf.c | 3002 | --- a/readconf.c |
3000 | +++ b/readconf.c | 3003 | +++ b/readconf.c |
3001 | @@ -67,6 +67,7 @@ | 3004 | @@ -67,6 +67,7 @@ |
@@ -3038,7 +3041,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3038 | #endif | 3041 | #endif |
3039 | #ifdef ENABLE_PKCS11 | 3042 | #ifdef ENABLE_PKCS11 |
3040 | { "pkcs11provider", oPKCS11Provider }, | 3043 | { "pkcs11provider", oPKCS11Provider }, |
3041 | @@ -1029,10 +1044,42 @@ parse_time: | 3044 | @@ -1053,10 +1068,42 @@ parse_time: |
3042 | intptr = &options->gss_authentication; | 3045 | intptr = &options->gss_authentication; |
3043 | goto parse_flag; | 3046 | goto parse_flag; |
3044 | 3047 | ||
@@ -3081,7 +3084,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3081 | case oBatchMode: | 3084 | case oBatchMode: |
3082 | intptr = &options->batch_mode; | 3085 | intptr = &options->batch_mode; |
3083 | goto parse_flag; | 3086 | goto parse_flag; |
3084 | @@ -1911,7 +1958,13 @@ initialize_options(Options * options) | 3087 | @@ -1935,7 +1982,13 @@ initialize_options(Options * options) |
3085 | options->pubkey_authentication = -1; | 3088 | options->pubkey_authentication = -1; |
3086 | options->challenge_response_authentication = -1; | 3089 | options->challenge_response_authentication = -1; |
3087 | options->gss_authentication = -1; | 3090 | options->gss_authentication = -1; |
@@ -3095,7 +3098,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3095 | options->password_authentication = -1; | 3098 | options->password_authentication = -1; |
3096 | options->kbd_interactive_authentication = -1; | 3099 | options->kbd_interactive_authentication = -1; |
3097 | options->kbd_interactive_devices = NULL; | 3100 | options->kbd_interactive_devices = NULL; |
3098 | @@ -2059,8 +2112,18 @@ fill_default_options(Options * options) | 3101 | @@ -2083,8 +2136,18 @@ fill_default_options(Options * options) |
3099 | options->challenge_response_authentication = 1; | 3102 | options->challenge_response_authentication = 1; |
3100 | if (options->gss_authentication == -1) | 3103 | if (options->gss_authentication == -1) |
3101 | options->gss_authentication = 0; | 3104 | options->gss_authentication = 0; |
@@ -3114,7 +3117,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3114 | if (options->password_authentication == -1) | 3117 | if (options->password_authentication == -1) |
3115 | options->password_authentication = 1; | 3118 | options->password_authentication = 1; |
3116 | if (options->kbd_interactive_authentication == -1) | 3119 | if (options->kbd_interactive_authentication == -1) |
3117 | @@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host) | 3120 | @@ -2726,7 +2789,14 @@ dump_client_config(Options *o, const char *host) |
3118 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); | 3121 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); |
3119 | #ifdef GSSAPI | 3122 | #ifdef GSSAPI |
3120 | dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); | 3123 | dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); |
@@ -3130,7 +3133,7 @@ index f3cac6b3a..da8022dd0 100644 | |||
3130 | dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); | 3133 | dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); |
3131 | dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); | 3134 | dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); |
3132 | diff --git a/readconf.h b/readconf.h | 3135 | diff --git a/readconf.h b/readconf.h |
3133 | index feedb3d20..a8a8870d7 100644 | 3136 | index e143a1082..c405b837f 100644 |
3134 | --- a/readconf.h | 3137 | --- a/readconf.h |
3135 | +++ b/readconf.h | 3138 | +++ b/readconf.h |
3136 | @@ -41,7 +41,13 @@ typedef struct { | 3139 | @@ -41,7 +41,13 @@ typedef struct { |
@@ -3148,7 +3151,7 @@ index feedb3d20..a8a8870d7 100644 | |||
3148 | * authentication. */ | 3151 | * authentication. */ |
3149 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 3152 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
3150 | diff --git a/servconf.c b/servconf.c | 3153 | diff --git a/servconf.c b/servconf.c |
3151 | index 70f5f73f0..191575a16 100644 | 3154 | index ba0a92c7b..f38ba9e44 100644 |
3152 | --- a/servconf.c | 3155 | --- a/servconf.c |
3153 | +++ b/servconf.c | 3156 | +++ b/servconf.c |
3154 | @@ -69,6 +69,7 @@ | 3157 | @@ -69,6 +69,7 @@ |
@@ -3221,7 +3224,7 @@ index 70f5f73f0..191575a16 100644 | |||
3221 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 3224 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
3222 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 3225 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
3223 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 3226 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
3224 | @@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, | 3227 | @@ -1555,6 +1578,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, |
3225 | intptr = &options->gss_authentication; | 3228 | intptr = &options->gss_authentication; |
3226 | goto parse_flag; | 3229 | goto parse_flag; |
3227 | 3230 | ||
@@ -3232,7 +3235,7 @@ index 70f5f73f0..191575a16 100644 | |||
3232 | case sGssCleanupCreds: | 3235 | case sGssCleanupCreds: |
3233 | intptr = &options->gss_cleanup_creds; | 3236 | intptr = &options->gss_cleanup_creds; |
3234 | goto parse_flag; | 3237 | goto parse_flag; |
3235 | @@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, | 3238 | @@ -1563,6 +1590,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, |
3236 | intptr = &options->gss_strict_acceptor; | 3239 | intptr = &options->gss_strict_acceptor; |
3237 | goto parse_flag; | 3240 | goto parse_flag; |
3238 | 3241 | ||
@@ -3255,7 +3258,7 @@ index 70f5f73f0..191575a16 100644 | |||
3255 | case sPasswordAuthentication: | 3258 | case sPasswordAuthentication: |
3256 | intptr = &options->password_authentication; | 3259 | intptr = &options->password_authentication; |
3257 | goto parse_flag; | 3260 | goto parse_flag; |
3258 | @@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o) | 3261 | @@ -2791,6 +2834,10 @@ dump_config(ServerOptions *o) |
3259 | #ifdef GSSAPI | 3262 | #ifdef GSSAPI |
3260 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 3263 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
3261 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | 3264 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
@@ -3267,10 +3270,10 @@ index 70f5f73f0..191575a16 100644 | |||
3267 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 3270 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
3268 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 3271 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
3269 | diff --git a/servconf.h b/servconf.h | 3272 | diff --git a/servconf.h b/servconf.h |
3270 | index 4202a2d02..3f47ea25e 100644 | 3273 | index a420f398d..253cad97e 100644 |
3271 | --- a/servconf.h | 3274 | --- a/servconf.h |
3272 | +++ b/servconf.h | 3275 | +++ b/servconf.h |
3273 | @@ -132,8 +132,11 @@ typedef struct { | 3276 | @@ -137,8 +137,11 @@ typedef struct { |
3274 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 3277 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
3275 | * authenticated with Kerberos. */ | 3278 | * authenticated with Kerberos. */ |
3276 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 3279 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -3283,7 +3286,7 @@ index 4202a2d02..3f47ea25e 100644 | |||
3283 | * authentication. */ | 3286 | * authentication. */ |
3284 | int kbd_interactive_authentication; /* If true, permit */ | 3287 | int kbd_interactive_authentication; /* If true, permit */ |
3285 | diff --git a/session.c b/session.c | 3288 | diff --git a/session.c b/session.c |
3286 | index 8c0e54f79..06a33442a 100644 | 3289 | index 18cdfa8cf..f9c2c866e 100644 |
3287 | --- a/session.c | 3290 | --- a/session.c |
3288 | +++ b/session.c | 3291 | +++ b/session.c |
3289 | @@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) | 3292 | @@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) |
@@ -3309,7 +3312,7 @@ index 8c0e54f79..06a33442a 100644 | |||
3309 | 3312 | ||
3310 | /* remove agent socket */ | 3313 | /* remove agent socket */ |
3311 | diff --git a/ssh-gss.h b/ssh-gss.h | 3314 | diff --git a/ssh-gss.h b/ssh-gss.h |
3312 | index 36180d07a..70dd36658 100644 | 3315 | index 36180d07a..50d80bbca 100644 |
3313 | --- a/ssh-gss.h | 3316 | --- a/ssh-gss.h |
3314 | +++ b/ssh-gss.h | 3317 | +++ b/ssh-gss.h |
3315 | @@ -1,6 +1,6 @@ | 3318 | @@ -1,6 +1,6 @@ |
@@ -3320,7 +3323,7 @@ index 36180d07a..70dd36658 100644 | |||
3320 | * | 3323 | * |
3321 | * Redistribution and use in source and binary forms, with or without | 3324 | * Redistribution and use in source and binary forms, with or without |
3322 | * modification, are permitted provided that the following conditions | 3325 | * modification, are permitted provided that the following conditions |
3323 | @@ -61,10 +61,30 @@ | 3326 | @@ -61,10 +61,34 @@ |
3324 | 3327 | ||
3325 | #define SSH_GSS_OIDTYPE 0x06 | 3328 | #define SSH_GSS_OIDTYPE 0x06 |
3326 | 3329 | ||
@@ -3340,8 +3343,12 @@ index 36180d07a..70dd36658 100644 | |||
3340 | +#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-" | 3343 | +#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-" |
3341 | + | 3344 | + |
3342 | +#define GSS_KEX_DEFAULT_KEX \ | 3345 | +#define GSS_KEX_DEFAULT_KEX \ |
3343 | + KEX_GSS_GEX_SHA1_ID "," \ | 3346 | + KEX_GSS_GRP14_SHA256_ID "," \ |
3344 | + KEX_GSS_GRP14_SHA1_ID | 3347 | + KEX_GSS_GRP16_SHA512_ID "," \ |
3348 | + KEX_GSS_NISTP256_SHA256_ID "," \ | ||
3349 | + KEX_GSS_C25519_SHA256_ID "," \ | ||
3350 | + KEX_GSS_GRP14_SHA1_ID "," \ | ||
3351 | + KEX_GSS_GEX_SHA1_ID | ||
3345 | + | 3352 | + |
3346 | typedef struct { | 3353 | typedef struct { |
3347 | char *filename; | 3354 | char *filename; |
@@ -3351,7 +3358,7 @@ index 36180d07a..70dd36658 100644 | |||
3351 | void *data; | 3358 | void *data; |
3352 | } ssh_gssapi_ccache; | 3359 | } ssh_gssapi_ccache; |
3353 | 3360 | ||
3354 | @@ -72,8 +92,11 @@ typedef struct { | 3361 | @@ -72,8 +96,11 @@ typedef struct { |
3355 | gss_buffer_desc displayname; | 3362 | gss_buffer_desc displayname; |
3356 | gss_buffer_desc exportedname; | 3363 | gss_buffer_desc exportedname; |
3357 | gss_cred_id_t creds; | 3364 | gss_cred_id_t creds; |
@@ -3363,7 +3370,7 @@ index 36180d07a..70dd36658 100644 | |||
3363 | } ssh_gssapi_client; | 3370 | } ssh_gssapi_client; |
3364 | 3371 | ||
3365 | typedef struct ssh_gssapi_mech_struct { | 3372 | typedef struct ssh_gssapi_mech_struct { |
3366 | @@ -84,6 +107,7 @@ typedef struct ssh_gssapi_mech_struct { | 3373 | @@ -84,6 +111,7 @@ typedef struct ssh_gssapi_mech_struct { |
3367 | int (*userok) (ssh_gssapi_client *, char *); | 3374 | int (*userok) (ssh_gssapi_client *, char *); |
3368 | int (*localname) (ssh_gssapi_client *, char **); | 3375 | int (*localname) (ssh_gssapi_client *, char **); |
3369 | void (*storecreds) (ssh_gssapi_client *); | 3376 | void (*storecreds) (ssh_gssapi_client *); |
@@ -3371,7 +3378,7 @@ index 36180d07a..70dd36658 100644 | |||
3371 | } ssh_gssapi_mech; | 3378 | } ssh_gssapi_mech; |
3372 | 3379 | ||
3373 | typedef struct { | 3380 | typedef struct { |
3374 | @@ -94,10 +118,11 @@ typedef struct { | 3381 | @@ -94,10 +122,11 @@ typedef struct { |
3375 | gss_OID oid; /* client */ | 3382 | gss_OID oid; /* client */ |
3376 | gss_cred_id_t creds; /* server */ | 3383 | gss_cred_id_t creds; /* server */ |
3377 | gss_name_t client; /* server */ | 3384 | gss_name_t client; /* server */ |
@@ -3384,7 +3391,7 @@ index 36180d07a..70dd36658 100644 | |||
3384 | 3391 | ||
3385 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | 3392 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); |
3386 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | 3393 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); |
3387 | @@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *); | 3394 | @@ -109,6 +138,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *); |
3388 | 3395 | ||
3389 | struct sshbuf; | 3396 | struct sshbuf; |
3390 | int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *); | 3397 | int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *); |
@@ -3392,7 +3399,7 @@ index 36180d07a..70dd36658 100644 | |||
3392 | 3399 | ||
3393 | OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); | 3400 | OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); |
3394 | OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, | 3401 | OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, |
3395 | @@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); | 3402 | @@ -123,17 +153,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); |
3396 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 3403 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
3397 | void ssh_gssapi_buildmic(struct sshbuf *, const char *, | 3404 | void ssh_gssapi_buildmic(struct sshbuf *, const char *, |
3398 | const char *, const char *); | 3405 | const char *, const char *); |
@@ -3429,10 +3436,10 @@ index 36180d07a..70dd36658 100644 | |||
3429 | 3436 | ||
3430 | #endif /* _SSH_GSS_H */ | 3437 | #endif /* _SSH_GSS_H */ |
3431 | diff --git a/ssh.1 b/ssh.1 | 3438 | diff --git a/ssh.1 b/ssh.1 |
3432 | index 60de6087a..db5c65bc7 100644 | 3439 | index dce5f404b..7a3ba31ab 100644 |
3433 | --- a/ssh.1 | 3440 | --- a/ssh.1 |
3434 | +++ b/ssh.1 | 3441 | +++ b/ssh.1 |
3435 | @@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see | 3442 | @@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see |
3436 | .It GatewayPorts | 3443 | .It GatewayPorts |
3437 | .It GlobalKnownHostsFile | 3444 | .It GlobalKnownHostsFile |
3438 | .It GSSAPIAuthentication | 3445 | .It GSSAPIAuthentication |
@@ -3446,7 +3453,7 @@ index 60de6087a..db5c65bc7 100644 | |||
3446 | .It HashKnownHosts | 3453 | .It HashKnownHosts |
3447 | .It Host | 3454 | .It Host |
3448 | .It HostbasedAuthentication | 3455 | .It HostbasedAuthentication |
3449 | @@ -579,6 +585,8 @@ flag), | 3456 | @@ -582,6 +588,8 @@ flag), |
3450 | (supported message integrity codes), | 3457 | (supported message integrity codes), |
3451 | .Ar kex | 3458 | .Ar kex |
3452 | (key exchange algorithms), | 3459 | (key exchange algorithms), |
@@ -3456,10 +3463,10 @@ index 60de6087a..db5c65bc7 100644 | |||
3456 | (key types), | 3463 | (key types), |
3457 | .Ar key-cert | 3464 | .Ar key-cert |
3458 | diff --git a/ssh.c b/ssh.c | 3465 | diff --git a/ssh.c b/ssh.c |
3459 | index 15aee569e..110cf9c19 100644 | 3466 | index 98b6ce788..4a81ef810 100644 |
3460 | --- a/ssh.c | 3467 | --- a/ssh.c |
3461 | +++ b/ssh.c | 3468 | +++ b/ssh.c |
3462 | @@ -747,6 +747,8 @@ main(int ac, char **av) | 3469 | @@ -773,6 +773,8 @@ main(int ac, char **av) |
3463 | else if (strcmp(optarg, "kex") == 0 || | 3470 | else if (strcmp(optarg, "kex") == 0 || |
3464 | strcasecmp(optarg, "KexAlgorithms") == 0) | 3471 | strcasecmp(optarg, "KexAlgorithms") == 0) |
3465 | cp = kex_alg_list('\n'); | 3472 | cp = kex_alg_list('\n'); |
@@ -3468,7 +3475,7 @@ index 15aee569e..110cf9c19 100644 | |||
3468 | else if (strcmp(optarg, "key") == 0) | 3475 | else if (strcmp(optarg, "key") == 0) |
3469 | cp = sshkey_alg_list(0, 0, 0, '\n'); | 3476 | cp = sshkey_alg_list(0, 0, 0, '\n'); |
3470 | else if (strcmp(optarg, "key-cert") == 0) | 3477 | else if (strcmp(optarg, "key-cert") == 0) |
3471 | @@ -772,8 +774,8 @@ main(int ac, char **av) | 3478 | @@ -798,8 +800,8 @@ main(int ac, char **av) |
3472 | } else if (strcmp(optarg, "help") == 0) { | 3479 | } else if (strcmp(optarg, "help") == 0) { |
3473 | cp = xstrdup( | 3480 | cp = xstrdup( |
3474 | "cipher\ncipher-auth\ncompression\nkex\n" | 3481 | "cipher\ncipher-auth\ncompression\nkex\n" |
@@ -3493,7 +3500,7 @@ index 5e8ef548b..1ff999b68 100644 | |||
3493 | # CheckHostIP yes | 3500 | # CheckHostIP yes |
3494 | # AddressFamily any | 3501 | # AddressFamily any |
3495 | diff --git a/ssh_config.5 b/ssh_config.5 | 3502 | diff --git a/ssh_config.5 b/ssh_config.5 |
3496 | index 06a32d314..3f4906972 100644 | 3503 | index dc010ccbd..e2a2359f9 100644 |
3497 | --- a/ssh_config.5 | 3504 | --- a/ssh_config.5 |
3498 | +++ b/ssh_config.5 | 3505 | +++ b/ssh_config.5 |
3499 | @@ -766,10 +766,67 @@ The default is | 3506 | @@ -766,10 +766,67 @@ The default is |
@@ -3559,13 +3566,13 @@ index 06a32d314..3f4906972 100644 | |||
3559 | +.Ed | 3566 | +.Ed |
3560 | +.Pp | 3567 | +.Pp |
3561 | +The default is | 3568 | +The default is |
3562 | +.Dq gss-gex-sha1-,gss-group14-sha1- . | 3569 | +.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- . |
3563 | +This option only applies to protocol version 2 connections using GSSAPI. | 3570 | +This option only applies to connections using GSSAPI. |
3564 | .It Cm HashKnownHosts | 3571 | .It Cm HashKnownHosts |
3565 | Indicates that | 3572 | Indicates that |
3566 | .Xr ssh 1 | 3573 | .Xr ssh 1 |
3567 | diff --git a/sshconnect2.c b/sshconnect2.c | 3574 | diff --git a/sshconnect2.c b/sshconnect2.c |
3568 | index af00fb30c..03bc87eb4 100644 | 3575 | index 1a6545edf..79a22e600 100644 |
3569 | --- a/sshconnect2.c | 3576 | --- a/sshconnect2.c |
3570 | +++ b/sshconnect2.c | 3577 | +++ b/sshconnect2.c |
3571 | @@ -80,8 +80,6 @@ | 3578 | @@ -80,8 +80,6 @@ |
@@ -3589,7 +3596,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3589 | xxx_host = host; | 3596 | xxx_host = host; |
3590 | xxx_hostaddr = hostaddr; | 3597 | xxx_hostaddr = hostaddr; |
3591 | 3598 | ||
3592 | @@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | 3599 | @@ -206,6 +209,41 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) |
3593 | compat_pkalg_proposal(options.hostkeyalgorithms); | 3600 | compat_pkalg_proposal(options.hostkeyalgorithms); |
3594 | } | 3601 | } |
3595 | 3602 | ||
@@ -3599,12 +3606,18 @@ index af00fb30c..03bc87eb4 100644 | |||
3599 | + * client to the key exchange algorithm proposal */ | 3606 | + * client to the key exchange algorithm proposal */ |
3600 | + orig = myproposal[PROPOSAL_KEX_ALGS]; | 3607 | + orig = myproposal[PROPOSAL_KEX_ALGS]; |
3601 | + | 3608 | + |
3602 | + if (options.gss_server_identity) | 3609 | + if (options.gss_server_identity) { |
3603 | + gss_host = xstrdup(options.gss_server_identity); | 3610 | + gss_host = xstrdup(options.gss_server_identity); |
3604 | + else if (options.gss_trust_dns) | 3611 | + } else if (options.gss_trust_dns) { |
3605 | + gss_host = remote_hostname(ssh); | 3612 | + gss_host = remote_hostname(ssh); |
3606 | + else | 3613 | + /* Fall back to specified host if we are using proxy command |
3614 | + * and can not use DNS on that socket */ | ||
3615 | + if (strcmp(gss_host, "UNKNOWN") == 0) { | ||
3616 | + gss_host = xstrdup(host); | ||
3617 | + } | ||
3618 | + } else { | ||
3607 | + gss_host = xstrdup(host); | 3619 | + gss_host = xstrdup(host); |
3620 | + } | ||
3608 | + | 3621 | + |
3609 | + gss = ssh_gssapi_client_mechanisms(gss_host, | 3622 | + gss = ssh_gssapi_client_mechanisms(gss_host, |
3610 | + options.gss_client_identity, options.gss_kex_algorithms); | 3623 | + options.gss_client_identity, options.gss_kex_algorithms); |
@@ -3625,7 +3638,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3625 | if (options.rekey_limit || options.rekey_interval) | 3638 | if (options.rekey_limit || options.rekey_interval) |
3626 | ssh_packet_set_rekey_limits(ssh, options.rekey_limit, | 3639 | ssh_packet_set_rekey_limits(ssh, options.rekey_limit, |
3627 | options.rekey_interval); | 3640 | options.rekey_interval); |
3628 | @@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | 3641 | @@ -224,16 +262,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) |
3629 | # ifdef OPENSSL_HAS_ECC | 3642 | # ifdef OPENSSL_HAS_ECC |
3630 | ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; | 3643 | ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; |
3631 | # endif | 3644 | # endif |
@@ -3673,7 +3686,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3673 | if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) | 3686 | if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) |
3674 | fatal("kex_prop2buf: %s", ssh_err(r)); | 3687 | fatal("kex_prop2buf: %s", ssh_err(r)); |
3675 | 3688 | ||
3676 | @@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); | 3689 | @@ -330,6 +398,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); |
3677 | static int input_gssapi_token(int type, u_int32_t, struct ssh *); | 3690 | static int input_gssapi_token(int type, u_int32_t, struct ssh *); |
3678 | static int input_gssapi_error(int, u_int32_t, struct ssh *); | 3691 | static int input_gssapi_error(int, u_int32_t, struct ssh *); |
3679 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); | 3692 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); |
@@ -3681,7 +3694,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3681 | #endif | 3694 | #endif |
3682 | 3695 | ||
3683 | void userauth(struct ssh *, char *); | 3696 | void userauth(struct ssh *, char *); |
3684 | @@ -346,6 +409,11 @@ static char *authmethods_get(void); | 3697 | @@ -346,6 +415,11 @@ static char *authmethods_get(void); |
3685 | 3698 | ||
3686 | Authmethod authmethods[] = { | 3699 | Authmethod authmethods[] = { |
3687 | #ifdef GSSAPI | 3700 | #ifdef GSSAPI |
@@ -3693,18 +3706,24 @@ index af00fb30c..03bc87eb4 100644 | |||
3693 | {"gssapi-with-mic", | 3706 | {"gssapi-with-mic", |
3694 | userauth_gssapi, | 3707 | userauth_gssapi, |
3695 | userauth_gssapi_cleanup, | 3708 | userauth_gssapi_cleanup, |
3696 | @@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh) | 3709 | @@ -716,12 +790,31 @@ userauth_gssapi(struct ssh *ssh) |
3697 | OM_uint32 min; | 3710 | OM_uint32 min; |
3698 | int r, ok = 0; | 3711 | int r, ok = 0; |
3699 | gss_OID mech = NULL; | 3712 | gss_OID mech = NULL; |
3700 | + char *gss_host; | 3713 | + char *gss_host; |
3701 | + | 3714 | + |
3702 | + if (options.gss_server_identity) | 3715 | + if (options.gss_server_identity) { |
3703 | + gss_host = xstrdup(options.gss_server_identity); | 3716 | + gss_host = xstrdup(options.gss_server_identity); |
3704 | + else if (options.gss_trust_dns) | 3717 | + } else if (options.gss_trust_dns) { |
3705 | + gss_host = remote_hostname(ssh); | 3718 | + gss_host = remote_hostname(ssh); |
3706 | + else | 3719 | + /* Fall back to specified host if we are using proxy command |
3720 | + * and can not use DNS on that socket */ | ||
3721 | + if (strcmp(gss_host, "UNKNOWN") == 0) { | ||
3722 | + gss_host = authctxt->host; | ||
3723 | + } | ||
3724 | + } else { | ||
3707 | + gss_host = xstrdup(authctxt->host); | 3725 | + gss_host = xstrdup(authctxt->host); |
3726 | + } | ||
3708 | 3727 | ||
3709 | /* Try one GSSAPI method at a time, rather than sending them all at | 3728 | /* Try one GSSAPI method at a time, rather than sending them all at |
3710 | * once. */ | 3729 | * once. */ |
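Review bot: In the `UNKNOWN` fallback added to userauth_gssapi, `gss_host = authctxt->host;` stores a borrowed pointer, while the other two branches and the matching fallback in the ssh_kex2 hunk earlier in this patch store an `xstrdup()` copy. If gss_host is released later in the function (the rest of userauth_gssapi is outside this hunk, so this is inferred from the copies made in the other branches), that release would free authctxt->host while the auth context still refers to it, leaving a dangling pointer for any later use or free. The fallback should read `gss_host = xstrdup(authctxt->host);` so every branch hands over an owned string. Both fallbacks also overwrite the value returned by remote_hostname() without releasing it, which looks like a small leak if that function returns allocated memory.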
@@ -3720,7 +3739,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3720 | 3739 | ||
3721 | /* Check to see whether the mechanism is usable before we offer it */ | 3740 | /* Check to see whether the mechanism is usable before we offer it */ |
3722 | while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && | 3741 | while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && |
3723 | @@ -730,13 +811,15 @@ userauth_gssapi(struct ssh *ssh) | 3742 | @@ -730,13 +823,15 @@ userauth_gssapi(struct ssh *ssh) |
3724 | elements[authctxt->mech_tried]; | 3743 | elements[authctxt->mech_tried]; |
3725 | /* My DER encoding requires length<128 */ | 3744 | /* My DER encoding requires length<128 */ |
3726 | if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, | 3745 | if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, |
@@ -3737,7 +3756,7 @@ index af00fb30c..03bc87eb4 100644 | |||
3737 | if (!ok || mech == NULL) | 3756 | if (!ok || mech == NULL) |
3738 | return 0; | 3757 | return 0; |
3739 | 3758 | ||
3740 | @@ -976,6 +1059,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) | 3759 | @@ -976,6 +1071,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) |
3741 | free(lang); | 3760 | free(lang); |
3742 | return r; | 3761 | return r; |
3743 | } | 3762 | } |
@@ -3794,10 +3813,10 @@ index af00fb30c..03bc87eb4 100644 | |||
3794 | 3813 | ||
3795 | static int | 3814 | static int |
3796 | diff --git a/sshd.c b/sshd.c | 3815 | diff --git a/sshd.c b/sshd.c |
3797 | index 60b2aaf73..d92f03aaf 100644 | 3816 | index 6f8f11a3b..02fca5c28 100644 |
3798 | --- a/sshd.c | 3817 | --- a/sshd.c |
3799 | +++ b/sshd.c | 3818 | +++ b/sshd.c |
3800 | @@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) | 3819 | @@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh) |
3801 | } | 3820 | } |
3802 | debug3("%s: sent %u hostkeys", __func__, nkeys); | 3821 | debug3("%s: sent %u hostkeys", __func__, nkeys); |
3803 | if (nkeys == 0) | 3822 | if (nkeys == 0) |
@@ -3808,7 +3827,7 @@ index 60b2aaf73..d92f03aaf 100644 | |||
3808 | sshpkt_fatal(ssh, r, "%s: send", __func__); | 3827 | sshpkt_fatal(ssh, r, "%s: send", __func__); |
3809 | sshbuf_free(buf); | 3828 | sshbuf_free(buf); |
3810 | } | 3829 | } |
3811 | @@ -1852,7 +1852,8 @@ main(int ac, char **av) | 3830 | @@ -1851,7 +1851,8 @@ main(int ac, char **av) |
3812 | free(fp); | 3831 | free(fp); |
3813 | } | 3832 | } |
3814 | accumulate_host_timing_secret(cfg, NULL); | 3833 | accumulate_host_timing_secret(cfg, NULL); |
@@ -3818,7 +3837,7 @@ index 60b2aaf73..d92f03aaf 100644 | |||
3818 | logit("sshd: no hostkeys available -- exiting."); | 3837 | logit("sshd: no hostkeys available -- exiting."); |
3819 | exit(1); | 3838 | exit(1); |
3820 | } | 3839 | } |
3821 | @@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) | 3840 | @@ -2342,6 +2343,48 @@ do_ssh2_kex(struct ssh *ssh) |
3822 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 3841 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3823 | list_hostkey_types()); | 3842 | list_hostkey_types()); |
3824 | 3843 | ||
@@ -3867,7 +3886,7 @@ index 60b2aaf73..d92f03aaf 100644 | |||
3867 | /* start key exchange */ | 3886 | /* start key exchange */ |
3868 | if ((r = kex_setup(ssh, myproposal)) != 0) | 3887 | if ((r = kex_setup(ssh, myproposal)) != 0) |
3869 | fatal("kex_setup: %s", ssh_err(r)); | 3888 | fatal("kex_setup: %s", ssh_err(r)); |
3870 | @@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh) | 3889 | @@ -2357,7 +2400,18 @@ do_ssh2_kex(struct ssh *ssh) |
3871 | # ifdef OPENSSL_HAS_ECC | 3890 | # ifdef OPENSSL_HAS_ECC |
3872 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; | 3891 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
3873 | # endif | 3892 | # endif |
@@ -3901,10 +3920,10 @@ index 19b7c91a1..2c48105f8 100644 | |||
3901 | # Set this to 'yes' to enable PAM authentication, account processing, | 3920 | # Set this to 'yes' to enable PAM authentication, account processing, |
3902 | # and session processing. If this is enabled, PAM authentication will | 3921 | # and session processing. If this is enabled, PAM authentication will |
3903 | diff --git a/sshd_config.5 b/sshd_config.5 | 3922 | diff --git a/sshd_config.5 b/sshd_config.5 |
3904 | index 70ccea449..f6b41a2f8 100644 | 3923 | index b294efc2d..360e5fb1a 100644 |
3905 | --- a/sshd_config.5 | 3924 | --- a/sshd_config.5 |
3906 | +++ b/sshd_config.5 | 3925 | +++ b/sshd_config.5 |
3907 | @@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache | 3926 | @@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache |
3908 | on logout. | 3927 | on logout. |
3909 | The default is | 3928 | The default is |
3910 | .Cm yes . | 3929 | .Cm yes . |
@@ -3916,7 +3935,7 @@ index 70ccea449..f6b41a2f8 100644 | |||
3916 | .It Cm GSSAPIStrictAcceptorCheck | 3935 | .It Cm GSSAPIStrictAcceptorCheck |
3917 | Determines whether to be strict about the identity of the GSSAPI acceptor | 3936 | Determines whether to be strict about the identity of the GSSAPI acceptor |
3918 | a client authenticates against. | 3937 | a client authenticates against. |
3919 | @@ -660,6 +665,31 @@ machine's default store. | 3938 | @@ -658,6 +663,31 @@ machine's default store. |
3920 | This facility is provided to assist with operation on multi homed machines. | 3939 | This facility is provided to assist with operation on multi homed machines. |
3921 | The default is | 3940 | The default is |
3922 | .Cm yes . | 3941 | .Cm yes . |
@@ -3943,13 +3962,13 @@ index 70ccea449..f6b41a2f8 100644 | |||
3943 | +.Ed | 3962 | +.Ed |
3944 | +.Pp | 3963 | +.Pp |
3945 | +The default is | 3964 | +The default is |
3946 | +.Dq gss-gex-sha1-,gss-group14-sha1- . | 3965 | +.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- . |
3947 | +This option only applies to protocol version 2 connections using GSSAPI. | 3966 | +This option only applies to connections using GSSAPI. |
3948 | .It Cm HostbasedAcceptedKeyTypes | 3967 | .It Cm HostbasedAcceptedKeyTypes |
3949 | Specifies the key types that will be accepted for hostbased authentication | 3968 | Specifies the key types that will be accepted for hostbased authentication |
3950 | as a list of comma-separated patterns. | 3969 | as a list of comma-separated patterns. |
3951 | diff --git a/sshkey.c b/sshkey.c | 3970 | diff --git a/sshkey.c b/sshkey.c |
3952 | index 57995ee68..fd5b77246 100644 | 3971 | index 1571e3d93..1ac32a0ec 100644 |
3953 | --- a/sshkey.c | 3972 | --- a/sshkey.c |
3954 | +++ b/sshkey.c | 3973 | +++ b/sshkey.c |
3955 | @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { | 3974 | @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { |
@@ -3970,7 +3989,7 @@ index 57995ee68..fd5b77246 100644 | |||
3970 | if (!include_sigonly && kt->sigonly) | 3989 | if (!include_sigonly && kt->sigonly) |
3971 | continue; | 3990 | continue; |
3972 | diff --git a/sshkey.h b/sshkey.h | 3991 | diff --git a/sshkey.h b/sshkey.h |
3973 | index 71a3fddcb..37a43a67a 100644 | 3992 | index 9c1d4f637..f586e8967 100644 |
3974 | --- a/sshkey.h | 3993 | --- a/sshkey.h |
3975 | +++ b/sshkey.h | 3994 | +++ b/sshkey.h |
3976 | @@ -69,6 +69,7 @@ enum sshkey_types { | 3995 | @@ -69,6 +69,7 @@ enum sshkey_types { |
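--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 3558be2914c0127489faae40ce2eae66142c3287 Mon Sep 17 00:00:00 2001
+From 24c9c811bfd227e467ab1ce00503f08dcc22c0f4 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
 3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 0fc996871..2399208f8 100644
+index 2ccc48572..431243193 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -176,6 +176,7 @@ typedef enum {
@@ -46,7 +46,7 @@ index 0fc996871..2399208f8 100644
 
 { NULL, oBadOption }
 };
-@@ -1495,6 +1498,8 @@ parse_keytypes:
+@@ -1519,6 +1522,8 @@ parse_keytypes:
 goto parse_flag;
 
 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 0fc996871..2399208f8 100644
 intptr = &options->server_alive_interval;
 goto parse_time;
 
-@@ -2198,8 +2203,13 @@ fill_default_options(Options * options)
+@@ -2222,8 +2227,13 @@ fill_default_options(Options * options)
 options->rekey_interval = 0;
 if (options->verify_host_key_dns == -1)
 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 0fc996871..2399208f8 100644
 options->server_alive_count_max = 3;
 if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 3f4906972..3079db19b 100644
+index e2a2359f9..85ab7447f 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -266,9 +266,13 @@ If set to
@@ -90,7 +90,7 @@ index 3f4906972..3079db19b 100644
 The argument must be
 .Cm yes
 or
-@@ -1593,7 +1597,14 @@ from the server,
+@@ -1604,7 +1608,14 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -106,7 +106,7 @@ index 3f4906972..3079db19b 100644
 .It Cm SetEnv
 Directly specify one or more environment variables and their contents to
 be sent to the server.
-@@ -1673,6 +1684,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1684,6 +1695,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 3f4906972..3079db19b 100644
 connections will die if the route is down temporarily, and some people
 find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index f6b41a2f8..ebd09f891 100644
+index 360e5fb1a..9f093be1f 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1668,6 +1668,9 @@ This avoids infinitely hanging sessions.
+@@ -1680,6 +1680,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Cm no .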
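--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From c18e3c8125fc4553951705a1da8c86395d219bb1 Mon Sep 17 00:00:00 2001
+From 8ec2f85d03524a6b4954f0a29496b5a301f92080 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,7 +14,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
 1 file changed, 8 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 4a5d4a003..b796d3c8a 100644
+index bfbf80e92..f20d3e792 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -991,9 +991,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,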
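--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From ba0377ab3e6b68f7ab747f500991a0445c7f4086 Mon Sep 17 00:00:00 2001
+From a5d0b90bbd2c5a6bdec17b1abc5dca8166ae73f7 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version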
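--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 39fe318a4b572deeb3f7d03e55d319c0ab112a28 Mon Sep 17 00:00:00 2001
+From 34bf12a8e8fcc7720168dac307ef9388af93b947 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,10 +44,10 @@ index ef0de0850..149846c8c 100644
 .Sh SEE ALSO
 .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 7af564297..d6a7870e0 100644
+index 059c1b034..45866f931 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -196,9 +196,7 @@ key in
+@@ -197,9 +197,7 @@ key in
 .Pa ~/.ssh/id_ed25519_sk
 or
 .Pa ~/.ssh/id_rsa .
@@ -58,7 +58,7 @@ index 7af564297..d6a7870e0 100644
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -261,9 +259,7 @@ If
+@@ -262,9 +260,7 @@ If
 .Fl f
 has also been specified, its argument is used as a prefix to the
 default path for the resulting host key files.
@@ -69,7 +69,7 @@ index 7af564297..d6a7870e0 100644
 .It Fl a Ar rounds
 When saving a private key, this option specifies the number of KDF
 (key derivation function) rounds used.
-@@ -783,7 +779,7 @@ option.
+@@ -787,7 +783,7 @@ option.
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 7af564297..d6a7870e0 100644
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Pp
-@@ -1154,7 +1150,7 @@ on all machines
+@@ -1158,7 +1154,7 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
@@ -88,10 +88,10 @@ index 7af564297..d6a7870e0 100644
 The file format is described in
 .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index cf991e4ee..17b0e984f 100644
+index a80be8efe..566fdba6b 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -887,6 +887,10 @@ implements public key authentication protocol automatically,
+@@ -890,6 +890,10 @@ implements public key authentication protocol automatically,
 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
 The HISTORY section of
 .Xr ssl 8
@@ -133,10 +133,10 @@ index 730520231..5ce0ea4fa 100644
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index c926f584c..25f4b8117 100644
+index 753ceda10..c27f99937 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -387,8 +387,7 @@ Certificates signed using other algorithms will not be accepted for
+@@ -385,8 +385,7 @@ Certificates signed using other algorithms will not be accepted for
 public key or host-based authentication.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via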
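--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From a4f868858c3395cacb59c58786b501317b9a3d03 Mon Sep 17 00:00:00 2001
+From d66c30698f807ab95aee7ea4a882c192884df047 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch
 2 files changed, 7 insertions(+), 2 deletions(-)
 
 diff --git a/kex.c b/kex.c
-index 574c76093..f638942d3 100644
+index 144dee512..0e64bf760 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -1244,7 +1244,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1243,7 +1243,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 if (version_addendum != NULL && *version_addendum == '\0')
 version_addendum = NULL;
 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -29,13 +29,13 @@ index 574c76093..f638942d3 100644
 + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
 version_addendum == NULL ? "" : " ",
 version_addendum == NULL ? "" : version_addendum)) != 0) {
-error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+oerrno = errno;
 diff --git a/version.h b/version.h
-index c2affcb2a..d79126cc3 100644
+index a2eca3ec8..158eaee70 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
-#define SSH_VERSION "OpenSSH_8.2"
+#define SSH_VERSION "OpenSSH_8.3"
 
 #define SSH_PORTABLE "p1"
 -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE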
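--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 58390cbd5e07df92729b794beb491f7352b26993 Mon Sep 17 00:00:00 2001
+From a31d1fdf19480d9a184a27a4d221655f408f74d7 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default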
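--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 31d42cd8624f29508f772447e617ab043a6487d9 Mon Sep 17 00:00:00 2001
+From 7e3de67f8447064d6963e8299653d8e01baaef1e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
 3 files changed, 89 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index efafb6bd8..cee7cbc51 100644
+index d98e6f74a..812b7218f 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1556,6 +1556,62 @@ else
+@@ -1558,6 +1558,62 @@ else
 AC_MSG_RESULT([no])
 fi
 
@@ -94,7 +94,7 @@ index efafb6bd8..cee7cbc51 100644
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
-@@ -5413,6 +5469,7 @@ echo " PAM support: $PAM_MSG"
+@@ -5479,6 +5535,7 @@ echo " PAM support: $PAM_MSG"
 echo " OSF SIA support: $SIA_MSG"
 echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
@@ -128,7 +128,7 @@ index c5f8987d2..730520231 100644
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index d92f03aaf..62dc55cf2 100644
+index 02fca5c28..e96d90809 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -124,6 +124,13 @@
@@ -145,7 +145,7 @@ index d92f03aaf..62dc55cf2 100644
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-@@ -2138,6 +2145,24 @@ main(int ac, char **av)
+@@ -2132,6 +2139,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 audit_connection_from(remote_ip, remote_port);
 #endif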
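--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From 86fe78ef4686485394b464cf9d3393ce27b33979 Mon Sep 17 00:00:00 2001
+From 39b8d128ef980a410bb1ea0ee80e95ac9fff59c3 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch
 4 files changed, 8 insertions(+), 12 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index e82024678..1b9494d7c 100644
+index 87b0dc62a..9a646dcaa 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2230,9 +2230,9 @@ fill_default_options(Options * options)
+@@ -2254,9 +2254,9 @@ fill_default_options(Options * options)
 if (options->visual_host_key == -1)
 options->visual_host_key = 0;
 if (options->ip_qos_interactive == -1)
@@ -40,7 +40,7 @@ index e82024678..1b9494d7c 100644
 options->request_tty = REQUEST_TTY_AUTO;
 if (options->proxy_use_fdpass == -1)
 diff --git a/servconf.c b/servconf.c
-index 7bbc25c2e..470ad3619 100644
+index cf4e52f3b..c290e9786 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -452,9 +452,9 @@ fill_default_server_options(ServerOptions *options)
@@ -56,7 +56,7 @@ index 7bbc25c2e..470ad3619 100644
 options->version_addendum = xstrdup("");
 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 34dc2d51b..91beb6f50 100644
+index aac3fabb7..2574b1004 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally.
@@ -74,10 +74,10 @@ index 34dc2d51b..91beb6f50 100644
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.
 diff --git a/sshd_config.5 b/sshd_config.5
-index e8271be74..d25b2f3d5 100644
+index b38025dbf..88db4db07 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -914,11 +914,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -925,11 +925,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is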
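--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 5166a6af68da4778c7e2c2d117bb56361c7aa361 Mon Sep 17 00:00:00 2001
+From 2520672d1ccfd88744c93bac102f461f9b1e0cf3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
 1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/scp.c b/scp.c
-index 6901e0c94..9b64aa5f4 100644
+index b4492a062..66b4af8e8 100644
 --- a/scp.c
 +++ b/scp.c
 @@ -201,8 +201,16 @@ do_local_cmd(arglist *a)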
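--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From b108c6bbe4b3691600a272b27fa24d9080018db7 Mon Sep 17 00:00:00 2001
+From 8641a3f57e67e087b4500beb9916e06c4d0ba94c Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -43,7 +43,7 @@ index becc672b5..5da9fe75f 100644
 /* Method lists for multiple authentication */
 char **auth_methods; /* modified from server config */
 diff --git a/auth2.c b/auth2.c
-index 1c217268c..92a6bcaf4 100644
+index a4a5e0069..05d6c2447 100644
 --- a/auth2.c
 +++ b/auth2.c
 @@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
@@ -81,7 +81,7 @@ index 1c217268c..92a6bcaf4 100644
 if (auth2_setup_methods_lists(authctxt) != 0)
 ssh_packet_disconnect(ssh,
 diff --git a/monitor.c b/monitor.c
-index ebf76c7f9..947fdfadc 100644
+index 5347e900d..8002aca86 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
@@ -154,7 +154,7 @@ index ebf76c7f9..947fdfadc 100644
 return (0);
 }
 
-@@ -1554,7 +1583,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1553,7 +1582,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
 if (res == 0)
 goto error;
@@ -245,7 +245,7 @@ index 485590c18..370b08e17 100644
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct ssh *, char *);
 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 622988822..3e6e07670 100644
+index f46094faf..56f1d2c1e 100644
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
 @@ -56,7 +56,7 @@ ssh_selinux_enabled(void)
@@ -363,7 +363,7 @@ index ea4f9c584..60d72ffe7 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 06a33442a..871799590 100644
+index f9c2c866e..837a8bacf 100644
 --- a/session.c
 +++ b/session.c
 @@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
@@ -425,10 +425,10 @@ index ce59dabd9..675c91146 100644
 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
 
 diff --git a/sshd.c b/sshd.c
-index 62dc55cf2..65916fc6d 100644
+index e96d90809..e8b332ca4 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -595,7 +595,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
+@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
 reseed_prngs();
 
 /* Drop privileges */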
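--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From c19bcc02b07b450d585d0fd10ccd96174aeb3b7c Mon Sep 17 00:00:00 2001
+From b78e6371a98460f5d12683406674e117d64b35f2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
 1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 4711af782..4a5d4a003 100644
+index af08be415..bfbf80e92 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
@@ -28,7 +28,7 @@ index 4711af782..4a5d4a003 100644
 perror(argv[0]);
 exit(1);
 }
-@@ -1388,7 +1388,7 @@ ssh_local_cmd(const char *args)
+@@ -1389,7 +1389,7 @@ ssh_local_cmd(const char *args)
 if (pid == 0) {
 ssh_signal(SIGPIPE, SIG_DFL);
 debug3("Executing %s -c \"%s\"", shell, args);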
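--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From ad09303388f0172ab6e028aaf27d87cf873d123d Mon Sep 17 00:00:00 2001
+From 303cbd5533df863d518bc61d837ce56a93166b11 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)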
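--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 4b1e0000a099f988553ccc4b274e1790b5114c12 Mon Sep 17 00:00:00 2001
+From 81723f749647928d918de21057d9dbfbebaa8e53 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
 1 file changed, 1 insertion(+)
 
 diff --git a/ssh.1 b/ssh.1
-index 17b0e984f..b33a8049f 100644
+index 566fdba6b..5a31b5dde 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1610,6 +1610,7 @@ if an error occurred.
+@@ -1613,6 +1613,7 @@ if an error occurred.
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,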
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index 99116e9c4..cc2656bda 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 11d571f137c76d8c2e38b1c1a537b04cc279f8e3 Mon Sep 17 00:00:00 2001 | 1 | From 6ed578a01fd61f9c930ef46cfefc467203ddd6c0 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch | |||
17 | 2 files changed, 2 insertions(+) | 17 | 2 files changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/readconf.c b/readconf.c | 19 | diff --git a/readconf.c b/readconf.c |
20 | index da8022dd0..0fc996871 100644 | 20 | index fb585e248..2ccc48572 100644 |
21 | --- a/readconf.c | 21 | --- a/readconf.c |
22 | +++ b/readconf.c | 22 | +++ b/readconf.c |
23 | @@ -191,6 +191,7 @@ static struct { | 23 | @@ -191,6 +191,7 @@ static struct { |
@@ -29,7 +29,7 @@ index da8022dd0..0fc996871 100644 | |||
29 | { "useroaming", oDeprecated }, | 29 | { "useroaming", oDeprecated }, |
30 | { "usersh", oDeprecated }, | 30 | { "usersh", oDeprecated }, |
31 | diff --git a/servconf.c b/servconf.c | 31 | diff --git a/servconf.c b/servconf.c |
32 | index 191575a16..bf3cd84a4 100644 | 32 | index f38ba9e44..ff5b9436c 100644 |
33 | --- a/servconf.c | 33 | --- a/servconf.c |
34 | +++ b/servconf.c | 34 | +++ b/servconf.c |
35 | @@ -656,6 +656,7 @@ static struct { | 35 | @@ -656,6 +656,7 @@ static struct { |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index 234d95ad2..273f8069f 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 387c2c1954773733bae9fca21a92db62c31180bd Mon Sep 17 00:00:00 2001 | 1 | From f2c3eb379d31f24de20dc9a2e0089ed84f52055b Mon Sep 17 00:00:00 2001 |
2 | From: Natalie Amery <nmamery@chiark.greenend.org.uk> | 2 | From: Natalie Amery <nmamery@chiark.greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644 | |||
33 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 33 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
34 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 34 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
35 | diff --git a/ssh.c b/ssh.c | 35 | diff --git a/ssh.c b/ssh.c |
36 | index 110cf9c19..6138fd4d3 100644 | 36 | index 4a81ef810..7879d4f4d 100644 |
37 | --- a/ssh.c | 37 | --- a/ssh.c |
38 | +++ b/ssh.c | 38 | +++ b/ssh.c |
39 | @@ -1305,7 +1305,7 @@ main(int ac, char **av) | 39 | @@ -1339,7 +1339,7 @@ main(int ac, char **av) |
40 | /* Do not allocate a tty if stdin is not a tty. */ | 40 | /* Do not allocate a tty if stdin is not a tty. */ |
41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && | 41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && |
42 | options.request_tty != REQUEST_TTY_FORCE) { | 42 | options.request_tty != REQUEST_TTY_FORCE) { |
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch index fdcfca30d..a85ed6732 100644 --- a/debian/patches/systemd-readiness.patch +++ b/debian/patches/systemd-readiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a208834b2d1811dac7054d7fdcdd04672f8b19f6 Mon Sep 17 00:00:00 2001 | 1 | From fe8c9983321154a61f4f06be602f925f1fd24ee7 Mon Sep 17 00:00:00 2001 |
2 | From: Michael Biebl <biebl@debian.org> | 2 | From: Michael Biebl <biebl@debian.org> |
3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 | 3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 |
4 | Subject: Add systemd readiness notification support | 4 | Subject: Add systemd readiness notification support |
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch | |||
14 | 2 files changed, 33 insertions(+) | 14 | 2 files changed, 33 insertions(+) |
15 | 15 | ||
16 | diff --git a/configure.ac b/configure.ac | 16 | diff --git a/configure.ac b/configure.ac |
17 | index cee7cbc51..5db3013de 100644 | 17 | index 812b7218f..7e0584d2c 100644 |
18 | --- a/configure.ac | 18 | --- a/configure.ac |
19 | +++ b/configure.ac | 19 | +++ b/configure.ac |
20 | @@ -4664,6 +4664,29 @@ AC_ARG_WITH([kerberos5], | 20 | @@ -4730,6 +4730,29 @@ AC_ARG_WITH([kerberos5], |
21 | AC_SUBST([GSSLIBS]) | 21 | AC_SUBST([GSSLIBS]) |
22 | AC_SUBST([K5LIBS]) | 22 | AC_SUBST([K5LIBS]) |
23 | 23 | ||
@@ -47,7 +47,7 @@ index cee7cbc51..5db3013de 100644 | |||
47 | # Looking for programs, paths and files | 47 | # Looking for programs, paths and files |
48 | 48 | ||
49 | PRIVSEP_PATH=/var/empty | 49 | PRIVSEP_PATH=/var/empty |
50 | @@ -5476,6 +5499,7 @@ echo " libldns support: $LDNS_MSG" | 50 | @@ -5542,6 +5565,7 @@ echo " libldns support: $LDNS_MSG" |
51 | echo " Solaris process contract support: $SPC_MSG" | 51 | echo " Solaris process contract support: $SPC_MSG" |
52 | echo " Solaris project support: $SP_MSG" | 52 | echo " Solaris project support: $SP_MSG" |
53 | echo " Solaris privilege support: $SPP_MSG" | 53 | echo " Solaris privilege support: $SPP_MSG" |
@@ -56,7 +56,7 @@ index cee7cbc51..5db3013de 100644 | |||
56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | 56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
57 | echo " BSD Auth support: $BSD_AUTH_MSG" | 57 | echo " BSD Auth support: $BSD_AUTH_MSG" |
58 | diff --git a/sshd.c b/sshd.c | 58 | diff --git a/sshd.c b/sshd.c |
59 | index da876a900..c069505a0 100644 | 59 | index baee13506..d2d1877d4 100644 |
60 | --- a/sshd.c | 60 | --- a/sshd.c |
61 | +++ b/sshd.c | 61 | +++ b/sshd.c |
62 | @@ -85,6 +85,10 @@ | 62 | @@ -85,6 +85,10 @@ |
@@ -70,7 +70,7 @@ index da876a900..c069505a0 100644 | |||
70 | #include "xmalloc.h" | 70 | #include "xmalloc.h" |
71 | #include "ssh.h" | 71 | #include "ssh.h" |
72 | #include "ssh2.h" | 72 | #include "ssh2.h" |
73 | @@ -2027,6 +2031,11 @@ main(int ac, char **av) | 73 | @@ -2026,6 +2030,11 @@ main(int ac, char **av) |
74 | } | 74 | } |
75 | } | 75 | } |
76 | 76 | ||
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 8bd35addf..19c1809d9 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 3309e464e5ae6c940ddd584eed4d2d403f4c168c Mon Sep 17 00:00:00 2001 | 1 | From cb72edd9757c469f3b5dc9cde374715ae8b54509 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -27,7 +27,7 @@ Patch-Name: user-group-modes.patch | |||
27 | 7 files changed, 63 insertions(+), 13 deletions(-) | 27 | 7 files changed, 63 insertions(+), 13 deletions(-) |
28 | 28 | ||
29 | diff --git a/auth-rhosts.c b/auth-rhosts.c | 29 | diff --git a/auth-rhosts.c b/auth-rhosts.c |
30 | index 7a10210b6..587f53721 100644 | 30 | index e81321b49..3bcc73766 100644 |
31 | --- a/auth-rhosts.c | 31 | --- a/auth-rhosts.c |
32 | +++ b/auth-rhosts.c | 32 | +++ b/auth-rhosts.c |
33 | @@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | 33 | @@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
@@ -65,7 +65,7 @@ index 687c57b42..aed3c13ac 100644 | |||
65 | "bad owner or modes for %.200s", | 65 | "bad owner or modes for %.200s", |
66 | pw->pw_name, user_hostfile); | 66 | pw->pw_name, user_hostfile); |
67 | diff --git a/misc.c b/misc.c | 67 | diff --git a/misc.c b/misc.c |
68 | index 3a31d5c18..073d3be19 100644 | 68 | index 554ceb0b1..75fe4dfea 100644 |
69 | --- a/misc.c | 69 | --- a/misc.c |
70 | +++ b/misc.c | 70 | +++ b/misc.c |
71 | @@ -61,8 +61,9 @@ | 71 | @@ -61,8 +61,9 @@ |
@@ -169,10 +169,10 @@ index 4a05db2da..5db594b91 100644 | |||
169 | #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) | 169 | #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) |
170 | #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) | 170 | #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) |
171 | diff --git a/readconf.c b/readconf.c | 171 | diff --git a/readconf.c b/readconf.c |
172 | index 2399208f8..7f251dd4a 100644 | 172 | index 431243193..5bf0afbb4 100644 |
173 | --- a/readconf.c | 173 | --- a/readconf.c |
174 | +++ b/readconf.c | 174 | +++ b/readconf.c |
175 | @@ -1902,8 +1902,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, | 175 | @@ -1926,8 +1926,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, |
176 | 176 | ||
177 | if (fstat(fileno(f), &sb) == -1) | 177 | if (fstat(fileno(f), &sb) == -1) |
178 | fatal("fstat %s: %s", filename, strerror(errno)); | 178 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -183,10 +183,10 @@ index 2399208f8..7f251dd4a 100644 | |||
183 | } | 183 | } |
184 | 184 | ||
185 | diff --git a/ssh.1 b/ssh.1 | 185 | diff --git a/ssh.1 b/ssh.1 |
186 | index db5c65bc7..cf991e4ee 100644 | 186 | index 7a3ba31ab..a80be8efe 100644 |
187 | --- a/ssh.1 | 187 | --- a/ssh.1 |
188 | +++ b/ssh.1 | 188 | +++ b/ssh.1 |
189 | @@ -1506,6 +1506,8 @@ The file format and configuration options are described in | 189 | @@ -1509,6 +1509,8 @@ The file format and configuration options are described in |
190 | .Xr ssh_config 5 . | 190 | .Xr ssh_config 5 . |
191 | Because of the potential for abuse, this file must have strict permissions: | 191 | Because of the potential for abuse, this file must have strict permissions: |
192 | read/write for the user, and not writable by others. | 192 | read/write for the user, and not writable by others. |
@@ -196,10 +196,10 @@ index db5c65bc7..cf991e4ee 100644 | |||
196 | .It Pa ~/.ssh/environment | 196 | .It Pa ~/.ssh/environment |
197 | Contains additional definitions for environment variables; see | 197 | Contains additional definitions for environment variables; see |
198 | diff --git a/ssh_config.5 b/ssh_config.5 | 198 | diff --git a/ssh_config.5 b/ssh_config.5 |
199 | index 3079db19b..e61a0fd43 100644 | 199 | index 85ab7447f..d814147d4 100644 |
200 | --- a/ssh_config.5 | 200 | --- a/ssh_config.5 |
201 | +++ b/ssh_config.5 | 201 | +++ b/ssh_config.5 |
202 | @@ -1952,6 +1952,8 @@ The format of this file is described above. | 202 | @@ -1957,6 +1957,8 @@ The format of this file is described above. |
203 | This file is used by the SSH client. | 203 | This file is used by the SSH client. |
204 | Because of the potential for abuse, this file must have strict permissions: | 204 | Because of the potential for abuse, this file must have strict permissions: |
205 | read/write for the user, and not writable by others. | 205 | read/write for the user, and not writable by others. |