diff options
Diffstat (limited to 'debian/patches')
26 files changed, 282 insertions, 250 deletions
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index ad2890400..c895e63db 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 153278a21da639b5ad965632485f79ea4ac5e705 Mon Sep 17 00:00:00 2001 | 1 | From 67a6cbb29f77920718884e783238f4a00fe64001 Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
@@ -13,7 +13,7 @@ Patch-Name: authorized-keys-man-symlink.patch | |||
13 | 1 file changed, 1 insertion(+) | 13 | 1 file changed, 1 insertion(+) |
14 | 14 | ||
15 | diff --git a/Makefile.in b/Makefile.in | 15 | diff --git a/Makefile.in b/Makefile.in |
16 | index 6175c6063..0ee0285f6 100644 | 16 | index 70050ffb6..ee166114d 100644 |
17 | --- a/Makefile.in | 17 | --- a/Makefile.in |
18 | +++ b/Makefile.in | 18 | +++ b/Makefile.in |
19 | @@ -356,6 +356,7 @@ install-files: | 19 | @@ -356,6 +356,7 @@ install-files: |
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch index ff5be43d8..90bb3e995 100644 --- a/debian/patches/conch-old-privkey-format.patch +++ b/debian/patches/conch-old-privkey-format.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 Mon Sep 17 00:00:00 2001 | 1 | From 1d2a55436d4b556269f42ad5f7e16608b5a8ed74 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Thu, 30 Aug 2018 00:58:56 +0100 | 3 | Date: Thu, 30 Aug 2018 00:58:56 +0100 |
4 | Subject: Work around conch interoperability failure | 4 | Subject: Work around conch interoperability failure |
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 98d97dce8..7963b03ed 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 905ffae23105d59b013aac809da6195d231b0395 Mon Sep 17 00:00:00 2001 | 1 | From a18385c6866da4d69f46b64626ae5d60b4cf4a66 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch. | |||
8 | 8 | ||
9 | Bug-Debian: http://bugs.debian.org/562048 | 9 | Bug-Debian: http://bugs.debian.org/562048 |
10 | Forwarded: not-needed | 10 | Forwarded: not-needed |
11 | Last-Update: 2018-08-24 | 11 | Last-Update: 2018-10-19 |
12 | 12 | ||
13 | Patch-Name: debian-banner.patch | 13 | Patch-Name: debian-banner.patch |
14 | --- | 14 | --- |
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch | |||
19 | 4 files changed, 18 insertions(+), 1 deletion(-) | 19 | 4 files changed, 18 insertions(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/servconf.c b/servconf.c | 21 | diff --git a/servconf.c b/servconf.c |
22 | index e49984a81..bb43a649c 100644 | 22 | index 6caf1db38..c5dd617ef 100644 |
23 | --- a/servconf.c | 23 | --- a/servconf.c |
24 | +++ b/servconf.c | 24 | +++ b/servconf.c |
25 | @@ -181,6 +181,7 @@ initialize_server_options(ServerOptions *options) | 25 | @@ -182,6 +182,7 @@ initialize_server_options(ServerOptions *options) |
26 | options->fingerprint_hash = -1; | 26 | options->fingerprint_hash = -1; |
27 | options->disable_forwarding = -1; | 27 | options->disable_forwarding = -1; |
28 | options->expose_userauth_info = -1; | 28 | options->expose_userauth_info = -1; |
@@ -30,7 +30,7 @@ index e49984a81..bb43a649c 100644 | |||
30 | } | 30 | } |
31 | 31 | ||
32 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ | 32 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
33 | @@ -413,6 +414,8 @@ fill_default_server_options(ServerOptions *options) | 33 | @@ -417,6 +418,8 @@ fill_default_server_options(ServerOptions *options) |
34 | options->disable_forwarding = 0; | 34 | options->disable_forwarding = 0; |
35 | if (options->expose_userauth_info == -1) | 35 | if (options->expose_userauth_info == -1) |
36 | options->expose_userauth_info = 0; | 36 | options->expose_userauth_info = 0; |
@@ -39,7 +39,7 @@ index e49984a81..bb43a649c 100644 | |||
39 | 39 | ||
40 | assemble_algorithms(options); | 40 | assemble_algorithms(options); |
41 | 41 | ||
42 | @@ -500,6 +503,7 @@ typedef enum { | 42 | @@ -504,6 +507,7 @@ typedef enum { |
43 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 43 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
44 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, | 44 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
45 | sExposeAuthInfo, sRDomain, | 45 | sExposeAuthInfo, sRDomain, |
@@ -47,15 +47,15 @@ index e49984a81..bb43a649c 100644 | |||
47 | sDeprecated, sIgnore, sUnsupported | 47 | sDeprecated, sIgnore, sUnsupported |
48 | } ServerOpCodes; | 48 | } ServerOpCodes; |
49 | 49 | ||
50 | @@ -656,6 +660,7 @@ static struct { | 50 | @@ -661,6 +665,7 @@ static struct { |
51 | { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, | ||
52 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, | 51 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, |
53 | { "rdomain", sRDomain, SSHCFG_ALL }, | 52 | { "rdomain", sRDomain, SSHCFG_ALL }, |
53 | { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, | ||
54 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 54 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
55 | { NULL, sBadOption, 0 } | 55 | { NULL, sBadOption, 0 } |
56 | }; | 56 | }; |
57 | 57 | ||
58 | @@ -2164,6 +2169,10 @@ process_server_config_line(ServerOptions *options, char *line, | 58 | @@ -2173,6 +2178,10 @@ process_server_config_line(ServerOptions *options, char *line, |
59 | *charptr = xstrdup(arg); | 59 | *charptr = xstrdup(arg); |
60 | break; | 60 | break; |
61 | 61 | ||
@@ -67,10 +67,10 @@ index e49984a81..bb43a649c 100644 | |||
67 | case sIgnore: | 67 | case sIgnore: |
68 | case sUnsupported: | 68 | case sUnsupported: |
69 | diff --git a/servconf.h b/servconf.h | 69 | diff --git a/servconf.h b/servconf.h |
70 | index 9b117fe27..76098119b 100644 | 70 | index 3b76da816..4e3c54042 100644 |
71 | --- a/servconf.h | 71 | --- a/servconf.h |
72 | +++ b/servconf.h | 72 | +++ b/servconf.h |
73 | @@ -211,6 +211,8 @@ typedef struct { | 73 | @@ -212,6 +212,8 @@ typedef struct { |
74 | int fingerprint_hash; | 74 | int fingerprint_hash; |
75 | int expose_userauth_info; | 75 | int expose_userauth_info; |
76 | u_int64_t timing_secret; | 76 | u_int64_t timing_secret; |
@@ -80,7 +80,7 @@ index 9b117fe27..76098119b 100644 | |||
80 | 80 | ||
81 | /* Information about the incoming connection as used by Match */ | 81 | /* Information about the incoming connection as used by Match */ |
82 | diff --git a/sshd.c b/sshd.c | 82 | diff --git a/sshd.c b/sshd.c |
83 | index ffd3dad6a..698593605 100644 | 83 | index 9481272fc..d7e77d343 100644 |
84 | --- a/sshd.c | 84 | --- a/sshd.c |
85 | +++ b/sshd.c | 85 | +++ b/sshd.c |
86 | @@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | 86 | @@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) |
@@ -94,10 +94,10 @@ index ffd3dad6a..698593605 100644 | |||
94 | options.version_addendum); | 94 | options.version_addendum); |
95 | 95 | ||
96 | diff --git a/sshd_config.5 b/sshd_config.5 | 96 | diff --git a/sshd_config.5 b/sshd_config.5 |
97 | index 0fbbccbde..96a69ab55 100644 | 97 | index e7e55dd71..37e6be38f 100644 |
98 | --- a/sshd_config.5 | 98 | --- a/sshd_config.5 |
99 | +++ b/sshd_config.5 | 99 | +++ b/sshd_config.5 |
100 | @@ -532,6 +532,11 @@ or | 100 | @@ -543,6 +543,11 @@ or |
101 | .Cm no . | 101 | .Cm no . |
102 | The default is | 102 | The default is |
103 | .Cm yes . | 103 | .Cm yes . |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index fd86d5a4d..4866d52ad 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 157278376c0eb6e4de3d47e8573684095a230685 Mon Sep 17 00:00:00 2001 | 1 | From a433d9baa031d7136a8cf3e3807ebff83a3a8634 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch | |||
39 | 6 files changed, 77 insertions(+), 9 deletions(-) | 39 | 6 files changed, 77 insertions(+), 9 deletions(-) |
40 | 40 | ||
41 | diff --git a/readconf.c b/readconf.c | 41 | diff --git a/readconf.c b/readconf.c |
42 | index 3ed6dfb54..a3d42f2ae 100644 | 42 | index 6b01f20d2..661b8bf40 100644 |
43 | --- a/readconf.c | 43 | --- a/readconf.c |
44 | +++ b/readconf.c | 44 | +++ b/readconf.c |
45 | @@ -1974,7 +1974,7 @@ fill_default_options(Options * options) | 45 | @@ -2000,7 +2000,7 @@ fill_default_options(Options * options) |
46 | if (options->forward_x11 == -1) | 46 | if (options->forward_x11 == -1) |
47 | options->forward_x11 = 0; | 47 | options->forward_x11 = 0; |
48 | if (options->forward_x11_trusted == -1) | 48 | if (options->forward_x11_trusted == -1) |
@@ -52,10 +52,10 @@ index 3ed6dfb54..a3d42f2ae 100644 | |||
52 | options->forward_x11_timeout = 1200; | 52 | options->forward_x11_timeout = 1200; |
53 | /* | 53 | /* |
54 | diff --git a/ssh.1 b/ssh.1 | 54 | diff --git a/ssh.1 b/ssh.1 |
55 | index 0a8e63f51..ba55aa665 100644 | 55 | index ad1ed0f86..1bcc8edab 100644 |
56 | --- a/ssh.1 | 56 | --- a/ssh.1 |
57 | +++ b/ssh.1 | 57 | +++ b/ssh.1 |
58 | @@ -772,6 +772,16 @@ directive in | 58 | @@ -782,6 +782,16 @@ directive in |
59 | .Xr ssh_config 5 | 59 | .Xr ssh_config 5 |
60 | for more information. | 60 | for more information. |
61 | .Pp | 61 | .Pp |
@@ -72,7 +72,7 @@ index 0a8e63f51..ba55aa665 100644 | |||
72 | .It Fl x | 72 | .It Fl x |
73 | Disables X11 forwarding. | 73 | Disables X11 forwarding. |
74 | .Pp | 74 | .Pp |
75 | @@ -780,6 +790,17 @@ Enables trusted X11 forwarding. | 75 | @@ -790,6 +800,17 @@ Enables trusted X11 forwarding. |
76 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension | 76 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
77 | controls. | 77 | controls. |
78 | .Pp | 78 | .Pp |
@@ -114,7 +114,7 @@ index bcb9f153d..1b676fb2c 100644 | |||
114 | + HashKnownHosts yes | 114 | + HashKnownHosts yes |
115 | + GSSAPIAuthentication yes | 115 | + GSSAPIAuthentication yes |
116 | diff --git a/ssh_config.5 b/ssh_config.5 | 116 | diff --git a/ssh_config.5 b/ssh_config.5 |
117 | index cb68f51a6..35c578c3b 100644 | 117 | index a91355726..1a8e24bd1 100644 |
118 | --- a/ssh_config.5 | 118 | --- a/ssh_config.5 |
119 | +++ b/ssh_config.5 | 119 | +++ b/ssh_config.5 |
120 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | 120 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more |
@@ -140,7 +140,7 @@ index cb68f51a6..35c578c3b 100644 | |||
140 | The file contains keyword-argument pairs, one per line. | 140 | The file contains keyword-argument pairs, one per line. |
141 | Lines starting with | 141 | Lines starting with |
142 | .Ql # | 142 | .Ql # |
143 | @@ -681,11 +697,12 @@ elapsed. | 143 | @@ -699,11 +715,12 @@ elapsed. |
144 | .It Cm ForwardX11Trusted | 144 | .It Cm ForwardX11Trusted |
145 | If this option is set to | 145 | If this option is set to |
146 | .Cm yes , | 146 | .Cm yes , |
@@ -204,7 +204,7 @@ index 2c48105f8..ed8272f6d 100644 | |||
204 | # Example of overriding settings on a per-user basis | 204 | # Example of overriding settings on a per-user basis |
205 | #Match User anoncvs | 205 | #Match User anoncvs |
206 | diff --git a/sshd_config.5 b/sshd_config.5 | 206 | diff --git a/sshd_config.5 b/sshd_config.5 |
207 | index 9774831fe..15b82e84d 100644 | 207 | index 23f71fd1d..ba50a30f1 100644 |
208 | --- a/sshd_config.5 | 208 | --- a/sshd_config.5 |
209 | +++ b/sshd_config.5 | 209 | +++ b/sshd_config.5 |
210 | @@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes | 210 | @@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes |
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index 6e90d402c..e2acdf1a2 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 298716354cedb77d8e3672a2157d63e15a778d64 Mon Sep 17 00:00:00 2001 | 1 | From 0ee33d93c5c7a5fbb8b027aa24e7c9668125fda9 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 |
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | 4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf |
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 2b7936a5d..c6bc43299 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c1af61a47620c9f50efb53774139c308410f9296 Mon Sep 17 00:00:00 2001 | 1 | From 1d0c41a7e0b2426733ddb598248d0488c9c00a8b Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch | |||
13 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh_config.5 b/ssh_config.5 | 15 | diff --git a/ssh_config.5 b/ssh_config.5 |
16 | index 03341a229..cb68f51a6 100644 | 16 | index 7d55fa820..a91355726 100644 |
17 | --- a/ssh_config.5 | 17 | --- a/ssh_config.5 |
18 | +++ b/ssh_config.5 | 18 | +++ b/ssh_config.5 |
19 | @@ -775,6 +775,9 @@ Note that existing names and addresses in known hosts files | 19 | @@ -793,6 +793,9 @@ Note that existing names and addresses in known hosts files |
20 | will not be converted automatically, | 20 | will not be converted automatically, |
21 | but may be manually hashed using | 21 | but may be manually hashed using |
22 | .Xr ssh-keygen 1 . | 22 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch index eb212da29..b6d4f1239 100644 --- a/debian/patches/gnome-ssh-askpass2-icon.patch +++ b/debian/patches/gnome-ssh-askpass2-icon.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From cae89cd0edc9d656661ea05b7ecca4c9a9ba4d77 Mon Sep 17 00:00:00 2001 | 1 | From df56506f727e37c13346259bdcd5975e257a259d Mon Sep 17 00:00:00 2001 |
2 | From: Vincent Untz <vuntz@ubuntu.com> | 2 | From: Vincent Untz <vuntz@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 |
4 | Subject: Give the ssh-askpass-gnome window a default icon | 4 | Subject: Give the ssh-askpass-gnome window a default icon |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 25edd5cbe..f62bf6672 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e6c7c11ac2576ac62334616bd4408bf64140bba7 Mon Sep 17 00:00:00 2001 | 1 | From 72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,14 +17,14 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2018-08-24 | 20 | Last-Updated: 2018-10-20 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
24 | ChangeLog.gssapi | 113 ++++++++++++++++ | 24 | ChangeLog.gssapi | 113 ++++++++++++++++ |
25 | Makefile.in | 3 +- | 25 | Makefile.in | 3 +- |
26 | auth-krb5.c | 17 ++- | 26 | auth-krb5.c | 17 ++- |
27 | auth.c | 96 +------------- | 27 | auth.c | 96 +------------ |
28 | auth2-gss.c | 54 +++++++- | 28 | auth2-gss.c | 54 +++++++- |
29 | auth2.c | 2 + | 29 | auth2.c | 2 + |
30 | canohost.c | 93 +++++++++++++ | 30 | canohost.c | 93 +++++++++++++ |
@@ -32,17 +32,19 @@ Patch-Name: gssapi.patch | |||
32 | clientloop.c | 15 ++- | 32 | clientloop.c | 15 ++- |
33 | config.h.in | 6 + | 33 | config.h.in | 6 + |
34 | configure.ac | 24 ++++ | 34 | configure.ac | 24 ++++ |
35 | gss-genr.c | 277 +++++++++++++++++++++++++++++++++++++- | 35 | gss-genr.c | 280 +++++++++++++++++++++++++++++++++++++- |
36 | gss-serv-krb5.c | 85 +++++++++++- | 36 | gss-serv-krb5.c | 85 +++++++++++- |
37 | gss-serv.c | 184 ++++++++++++++++++++++++-- | 37 | gss-serv.c | 184 +++++++++++++++++++++++-- |
38 | kex.c | 19 +++ | 38 | kex.c | 19 +++ |
39 | kex.h | 14 ++ | 39 | kex.h | 14 ++ |
40 | kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++ | 40 | kexgssc.c | 341 +++++++++++++++++++++++++++++++++++++++++++++++ |
41 | kexgsss.c | 295 +++++++++++++++++++++++++++++++++++++++++ | 41 | kexgsss.c | 300 +++++++++++++++++++++++++++++++++++++++++ |
42 | monitor.c | 122 +++++++++++++++-- | 42 | monitor.c | 122 +++++++++++++++-- |
43 | monitor.h | 3 + | 43 | monitor.h | 3 + |
44 | monitor_wrap.c | 53 +++++++- | 44 | monitor_wrap.c | 53 +++++++- |
45 | monitor_wrap.h | 4 +- | 45 | monitor_wrap.h | 4 +- |
46 | opacket.c | 2 +- | ||
47 | opacket.h | 2 +- | ||
46 | readconf.c | 43 ++++++ | 48 | readconf.c | 43 ++++++ |
47 | readconf.h | 5 + | 49 | readconf.h | 5 + |
48 | servconf.c | 26 ++++ | 50 | servconf.c | 26 ++++ |
@@ -50,13 +52,13 @@ Patch-Name: gssapi.patch | |||
50 | ssh-gss.h | 41 +++++- | 52 | ssh-gss.h | 41 +++++- |
51 | ssh_config | 2 + | 53 | ssh_config | 2 + |
52 | ssh_config.5 | 32 +++++ | 54 | ssh_config.5 | 32 +++++ |
53 | sshconnect2.c | 133 ++++++++++++++++++- | 55 | sshconnect2.c | 133 +++++++++++++++++- |
54 | sshd.c | 112 +++++++++++++++- | 56 | sshd.c | 110 +++++++++++++++ |
55 | sshd_config | 2 + | 57 | sshd_config | 2 + |
56 | sshd_config.5 | 10 ++ | 58 | sshd_config.5 | 10 ++ |
57 | sshkey.c | 3 +- | 59 | sshkey.c | 3 +- |
58 | sshkey.h | 1 + | 60 | sshkey.h | 1 + |
59 | 35 files changed, 2087 insertions(+), 145 deletions(-) | 61 | 37 files changed, 2099 insertions(+), 146 deletions(-) |
60 | create mode 100644 ChangeLog.gssapi | 62 | create mode 100644 ChangeLog.gssapi |
61 | create mode 100644 kexgssc.c | 63 | create mode 100644 kexgssc.c |
62 | create mode 100644 kexgsss.c | 64 | create mode 100644 kexgsss.c |
@@ -181,7 +183,7 @@ index 000000000..f117a336a | |||
181 | + (from jbasney AT ncsa.uiuc.edu) | 183 | + (from jbasney AT ncsa.uiuc.edu) |
182 | + <gssapi-with-mic support is Bugzilla #1008> | 184 | + <gssapi-with-mic support is Bugzilla #1008> |
183 | diff --git a/Makefile.in b/Makefile.in | 185 | diff --git a/Makefile.in b/Makefile.in |
184 | index 2385c62a8..6175c6063 100644 | 186 | index 126b2c742..70050ffb6 100644 |
185 | --- a/Makefile.in | 187 | --- a/Makefile.in |
186 | +++ b/Makefile.in | 188 | +++ b/Makefile.in |
187 | @@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 189 | @@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
@@ -253,10 +255,10 @@ index 3096f1c8e..204752e1b 100644 | |||
253 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 255 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
254 | } | 256 | } |
255 | diff --git a/auth.c b/auth.c | 257 | diff --git a/auth.c b/auth.c |
256 | index 9a3bc96f1..80eb78c48 100644 | 258 | index 3ca3762cc..d8e6b4a3d 100644 |
257 | --- a/auth.c | 259 | --- a/auth.c |
258 | +++ b/auth.c | 260 | +++ b/auth.c |
259 | @@ -395,7 +395,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) | 261 | @@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) |
260 | case PERMIT_NO_PASSWD: | 262 | case PERMIT_NO_PASSWD: |
261 | if (strcmp(method, "publickey") == 0 || | 263 | if (strcmp(method, "publickey") == 0 || |
262 | strcmp(method, "hostbased") == 0 || | 264 | strcmp(method, "hostbased") == 0 || |
@@ -266,7 +268,7 @@ index 9a3bc96f1..80eb78c48 100644 | |||
266 | return 1; | 268 | return 1; |
267 | break; | 269 | break; |
268 | case PERMIT_FORCED_ONLY: | 270 | case PERMIT_FORCED_ONLY: |
269 | @@ -733,99 +734,6 @@ fakepw(void) | 271 | @@ -737,99 +738,6 @@ fakepw(void) |
270 | return (&fake); | 272 | return (&fake); |
271 | } | 273 | } |
272 | 274 | ||
@@ -460,7 +462,7 @@ index 9351e0428..1f12bb113 100644 | |||
460 | "gssapi-with-mic", | 462 | "gssapi-with-mic", |
461 | userauth_gssapi, | 463 | userauth_gssapi, |
462 | diff --git a/auth2.c b/auth2.c | 464 | diff --git a/auth2.c b/auth2.c |
463 | index ab8795895..96efe164c 100644 | 465 | index 4d19957a6..a77742819 100644 |
464 | --- a/auth2.c | 466 | --- a/auth2.c |
465 | +++ b/auth2.c | 467 | +++ b/auth2.c |
466 | @@ -74,6 +74,7 @@ extern Authmethod method_passwd; | 468 | @@ -74,6 +74,7 @@ extern Authmethod method_passwd; |
@@ -598,7 +600,7 @@ index 26d62855a..0cadc9f18 100644 | |||
598 | int get_peer_port(int); | 600 | int get_peer_port(int); |
599 | char *get_local_ipaddr(int); | 601 | char *get_local_ipaddr(int); |
600 | diff --git a/clientloop.c b/clientloop.c | 602 | diff --git a/clientloop.c b/clientloop.c |
601 | index ad35cb7ba..e69c5141f 100644 | 603 | index 8d312cdaa..1464634b0 100644 |
602 | --- a/clientloop.c | 604 | --- a/clientloop.c |
603 | +++ b/clientloop.c | 605 | +++ b/clientloop.c |
604 | @@ -112,6 +112,10 @@ | 606 | @@ -112,6 +112,10 @@ |
@@ -612,7 +614,7 @@ index ad35cb7ba..e69c5141f 100644 | |||
612 | /* import options */ | 614 | /* import options */ |
613 | extern Options options; | 615 | extern Options options; |
614 | 616 | ||
615 | @@ -1357,9 +1361,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, | 617 | @@ -1370,9 +1374,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, |
616 | break; | 618 | break; |
617 | 619 | ||
618 | /* Do channel operations unless rekeying in progress. */ | 620 | /* Do channel operations unless rekeying in progress. */ |
@@ -633,10 +635,10 @@ index ad35cb7ba..e69c5141f 100644 | |||
633 | client_process_net_input(readset); | 635 | client_process_net_input(readset); |
634 | 636 | ||
635 | diff --git a/config.h.in b/config.h.in | 637 | diff --git a/config.h.in b/config.h.in |
636 | index 7940b4c86..93295da07 100644 | 638 | index 91b65db8f..209760c7c 100644 |
637 | --- a/config.h.in | 639 | --- a/config.h.in |
638 | +++ b/config.h.in | 640 | +++ b/config.h.in |
639 | @@ -1749,6 +1749,9 @@ | 641 | @@ -1845,6 +1845,9 @@ |
640 | /* Use btmp to log bad logins */ | 642 | /* Use btmp to log bad logins */ |
641 | #undef USE_BTMP | 643 | #undef USE_BTMP |
642 | 644 | ||
@@ -646,7 +648,7 @@ index 7940b4c86..93295da07 100644 | |||
646 | /* Use libedit for sftp */ | 648 | /* Use libedit for sftp */ |
647 | #undef USE_LIBEDIT | 649 | #undef USE_LIBEDIT |
648 | 650 | ||
649 | @@ -1764,6 +1767,9 @@ | 651 | @@ -1860,6 +1863,9 @@ |
650 | /* Use PIPES instead of a socketpair() */ | 652 | /* Use PIPES instead of a socketpair() */ |
651 | #undef USE_PIPES | 653 | #undef USE_PIPES |
652 | 654 | ||
@@ -657,10 +659,10 @@ index 7940b4c86..93295da07 100644 | |||
657 | #undef USE_SOLARIS_PRIVS | 659 | #undef USE_SOLARIS_PRIVS |
658 | 660 | ||
659 | diff --git a/configure.ac b/configure.ac | 661 | diff --git a/configure.ac b/configure.ac |
660 | index 83e530750..82428b241 100644 | 662 | index 7379ab358..023e7cc55 100644 |
661 | --- a/configure.ac | 663 | --- a/configure.ac |
662 | +++ b/configure.ac | 664 | +++ b/configure.ac |
663 | @@ -673,6 +673,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 665 | @@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
664 | [Use tunnel device compatibility to OpenBSD]) | 666 | [Use tunnel device compatibility to OpenBSD]) |
665 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 667 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
666 | [Prepend the address family to IP tunnel traffic]) | 668 | [Prepend the address family to IP tunnel traffic]) |
@@ -692,7 +694,7 @@ index 83e530750..82428b241 100644 | |||
692 | AC_CHECK_DECL([AU_IPv4], [], | 694 | AC_CHECK_DECL([AU_IPv4], [], |
693 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) | 695 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
694 | diff --git a/gss-genr.c b/gss-genr.c | 696 | diff --git a/gss-genr.c b/gss-genr.c |
695 | index d56257b4a..285fc29a5 100644 | 697 | index d56257b4a..491e62cee 100644 |
696 | --- a/gss-genr.c | 698 | --- a/gss-genr.c |
697 | +++ b/gss-genr.c | 699 | +++ b/gss-genr.c |
698 | @@ -1,7 +1,7 @@ | 700 | @@ -1,7 +1,7 @@ |
@@ -704,13 +706,16 @@ index d56257b4a..285fc29a5 100644 | |||
704 | * | 706 | * |
705 | * Redistribution and use in source and binary forms, with or without | 707 | * Redistribution and use in source and binary forms, with or without |
706 | * modification, are permitted provided that the following conditions | 708 | * modification, are permitted provided that the following conditions |
707 | @@ -41,12 +41,34 @@ | 709 | @@ -39,14 +39,37 @@ |
710 | #include "xmalloc.h" | ||
711 | #include "ssherr.h" | ||
708 | #include "sshbuf.h" | 712 | #include "sshbuf.h" |
713 | +#include "sshkey.h" | ||
709 | #include "log.h" | 714 | #include "log.h" |
710 | #include "ssh2.h" | 715 | #include "ssh2.h" |
711 | +#include "cipher.h" | 716 | +#include "cipher.h" |
712 | +#include "kex.h" | 717 | +#include "kex.h" |
713 | +#include <openssl/evp.h> | 718 | +#include "digest.h" |
714 | 719 | ||
715 | #include "ssh-gss.h" | 720 | #include "ssh-gss.h" |
716 | 721 | ||
@@ -739,7 +744,7 @@ index d56257b4a..285fc29a5 100644 | |||
739 | /* sshbuf_get for gss_buffer_desc */ | 744 | /* sshbuf_get for gss_buffer_desc */ |
740 | int | 745 | int |
741 | ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) | 746 | ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) |
742 | @@ -62,6 +84,141 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) | 747 | @@ -62,6 +85,143 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) |
743 | return 0; | 748 | return 0; |
744 | } | 749 | } |
745 | 750 | ||
@@ -769,10 +774,9 @@ index d56257b4a..285fc29a5 100644 | |||
769 | + size_t i; | 774 | + size_t i; |
770 | + int r, oidpos, enclen; | 775 | + int r, oidpos, enclen; |
771 | + char *mechs, *encoded; | 776 | + char *mechs, *encoded; |
772 | + u_char digest[EVP_MAX_MD_SIZE]; | 777 | + u_char digest[SSH_DIGEST_MAX_LENGTH]; |
773 | + char deroid[2]; | 778 | + char deroid[2]; |
774 | + const EVP_MD *evp_md = EVP_md5(); | 779 | + struct ssh_digest_ctx *md; |
775 | + EVP_MD_CTX md; | ||
776 | + | 780 | + |
777 | + if (gss_enc2oid != NULL) { | 781 | + if (gss_enc2oid != NULL) { |
778 | + for (i = 0; gss_enc2oid[i].encoded != NULL; i++) | 782 | + for (i = 0; gss_enc2oid[i].encoded != NULL; i++) |
@@ -794,16 +798,19 @@ index d56257b4a..285fc29a5 100644 | |||
794 | + deroid[0] = SSH_GSS_OIDTYPE; | 798 | + deroid[0] = SSH_GSS_OIDTYPE; |
795 | + deroid[1] = gss_supported->elements[i].length; | 799 | + deroid[1] = gss_supported->elements[i].length; |
796 | + | 800 | + |
797 | + EVP_DigestInit(&md, evp_md); | 801 | + if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || |
798 | + EVP_DigestUpdate(&md, deroid, 2); | 802 | + ssh_digest_update(md, deroid, 2) != 0 || |
799 | + EVP_DigestUpdate(&md, | 803 | + ssh_digest_update(md, |
800 | + gss_supported->elements[i].elements, | 804 | + gss_supported->elements[i].elements, |
801 | + gss_supported->elements[i].length); | 805 | + gss_supported->elements[i].length) != 0 || |
802 | + EVP_DigestFinal(&md, digest, NULL); | 806 | + ssh_digest_final(md, digest, sizeof(digest)) != 0) |
807 | + fatal("%s: digest failed", __func__); | ||
803 | + | 808 | + |
804 | + encoded = xmalloc(EVP_MD_size(evp_md) * 2); | 809 | + encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5) |
805 | + enclen = __b64_ntop(digest, EVP_MD_size(evp_md), | 810 | + * 2); |
806 | + encoded, EVP_MD_size(evp_md) * 2); | 811 | + enclen = __b64_ntop(digest, |
812 | + ssh_digest_bytes(SSH_DIGEST_MD5), encoded, | ||
813 | + ssh_digest_bytes(SSH_DIGEST_MD5) * 2); | ||
807 | + | 814 | + |
808 | + if (oidpos != 0) { | 815 | + if (oidpos != 0) { |
809 | + if ((r = sshbuf_put_u8(buf, ',')) != 0) | 816 | + if ((r = sshbuf_put_u8(buf, ',')) != 0) |
@@ -881,7 +888,7 @@ index d56257b4a..285fc29a5 100644 | |||
881 | /* Check that the OID in a data stream matches that in the context */ | 888 | /* Check that the OID in a data stream matches that in the context */ |
882 | int | 889 | int |
883 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | 890 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) |
884 | @@ -218,7 +375,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, | 891 | @@ -218,7 +378,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, |
885 | } | 892 | } |
886 | 893 | ||
887 | ctx->major = gss_init_sec_context(&ctx->minor, | 894 | ctx->major = gss_init_sec_context(&ctx->minor, |
@@ -890,7 +897,7 @@ index d56257b4a..285fc29a5 100644 | |||
890 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | 897 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
891 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | 898 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); |
892 | 899 | ||
893 | @@ -247,9 +404,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) | 900 | @@ -247,9 +407,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
894 | return (ctx->major); | 901 | return (ctx->major); |
895 | } | 902 | } |
896 | 903 | ||
@@ -934,7 +941,7 @@ index d56257b4a..285fc29a5 100644 | |||
934 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, | 941 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, |
935 | GSS_C_QOP_DEFAULT, buffer, hash))) | 942 | GSS_C_QOP_DEFAULT, buffer, hash))) |
936 | ssh_gssapi_error(ctx); | 943 | ssh_gssapi_error(ctx); |
937 | @@ -257,6 +448,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | 944 | @@ -257,6 +451,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) |
938 | return (ctx->major); | 945 | return (ctx->major); |
939 | } | 946 | } |
940 | 947 | ||
@@ -954,7 +961,7 @@ index d56257b4a..285fc29a5 100644 | |||
954 | void | 961 | void |
955 | ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, | 962 | ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, |
956 | const char *context) | 963 | const char *context) |
957 | @@ -273,11 +477,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, | 964 | @@ -273,11 +480,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, |
958 | } | 965 | } |
959 | 966 | ||
960 | int | 967 | int |
@@ -972,7 +979,7 @@ index d56257b4a..285fc29a5 100644 | |||
972 | 979 | ||
973 | /* RFC 4462 says we MUST NOT do SPNEGO */ | 980 | /* RFC 4462 says we MUST NOT do SPNEGO */ |
974 | if (oid->length == spnego_oid.length && | 981 | if (oid->length == spnego_oid.length && |
975 | @@ -287,6 +496,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 982 | @@ -287,6 +499,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
976 | ssh_gssapi_build_ctx(ctx); | 983 | ssh_gssapi_build_ctx(ctx); |
977 | ssh_gssapi_set_oid(*ctx, oid); | 984 | ssh_gssapi_set_oid(*ctx, oid); |
978 | major = ssh_gssapi_import_name(*ctx, host); | 985 | major = ssh_gssapi_import_name(*ctx, host); |
@@ -983,7 +990,7 @@ index d56257b4a..285fc29a5 100644 | |||
983 | if (!GSS_ERROR(major)) { | 990 | if (!GSS_ERROR(major)) { |
984 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | 991 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, |
985 | NULL); | 992 | NULL); |
986 | @@ -296,10 +509,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 993 | @@ -296,10 +512,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
987 | GSS_C_NO_BUFFER); | 994 | GSS_C_NO_BUFFER); |
988 | } | 995 | } |
989 | 996 | ||
@@ -1540,10 +1547,10 @@ index 593de1208..4e5ead839 100644 | |||
1540 | const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); | 1547 | const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); |
1541 | diff --git a/kexgssc.c b/kexgssc.c | 1548 | diff --git a/kexgssc.c b/kexgssc.c |
1542 | new file mode 100644 | 1549 | new file mode 100644 |
1543 | index 000000000..953c0a248 | 1550 | index 000000000..3c8ae08dd |
1544 | --- /dev/null | 1551 | --- /dev/null |
1545 | +++ b/kexgssc.c | 1552 | +++ b/kexgssc.c |
1546 | @@ -0,0 +1,338 @@ | 1553 | @@ -0,0 +1,341 @@ |
1547 | +/* | 1554 | +/* |
1548 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1555 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1549 | + * | 1556 | + * |
@@ -1602,6 +1609,7 @@ index 000000000..953c0a248 | |||
1602 | + DH *dh; | 1609 | + DH *dh; |
1603 | + BIGNUM *dh_server_pub = NULL; | 1610 | + BIGNUM *dh_server_pub = NULL; |
1604 | + BIGNUM *shared_secret = NULL; | 1611 | + BIGNUM *shared_secret = NULL; |
1612 | + const BIGNUM *pub_key, *dh_p, *dh_g; | ||
1605 | + BIGNUM *p = NULL; | 1613 | + BIGNUM *p = NULL; |
1606 | + BIGNUM *g = NULL; | 1614 | + BIGNUM *g = NULL; |
1607 | + u_char *kbuf; | 1615 | + u_char *kbuf; |
@@ -1666,6 +1674,8 @@ index 000000000..953c0a248 | |||
1666 | + | 1674 | + |
1667 | + /* Step 1 - e is dh->pub_key */ | 1675 | + /* Step 1 - e is dh->pub_key */ |
1668 | + dh_gen_key(dh, ssh->kex->we_need * 8); | 1676 | + dh_gen_key(dh, ssh->kex->we_need * 8); |
1677 | + DH_get0_key(dh, &pub_key, NULL); | ||
1678 | + DH_get0_pqg(dh, &dh_p, NULL, &dh_g); | ||
1669 | + | 1679 | + |
1670 | + /* This is f, we initialise it now to make life easier */ | 1680 | + /* This is f, we initialise it now to make life easier */ |
1671 | + dh_server_pub = BN_new(); | 1681 | + dh_server_pub = BN_new(); |
@@ -1713,7 +1723,7 @@ index 000000000..953c0a248 | |||
1713 | + packet_start(SSH2_MSG_KEXGSS_INIT); | 1723 | + packet_start(SSH2_MSG_KEXGSS_INIT); |
1714 | + packet_put_string(send_tok.value, | 1724 | + packet_put_string(send_tok.value, |
1715 | + send_tok.length); | 1725 | + send_tok.length); |
1716 | + packet_put_bignum2(dh->pub_key); | 1726 | + packet_put_bignum2(pub_key); |
1717 | + first = 0; | 1727 | + first = 0; |
1718 | + } else { | 1728 | + } else { |
1719 | + packet_start(SSH2_MSG_KEXGSS_CONTINUE); | 1729 | + packet_start(SSH2_MSG_KEXGSS_CONTINUE); |
@@ -1822,7 +1832,7 @@ index 000000000..953c0a248 | |||
1822 | + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), | 1832 | + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), |
1823 | + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), | 1833 | + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), |
1824 | + (serverhostkey ? serverhostkey : empty), slen, | 1834 | + (serverhostkey ? serverhostkey : empty), slen, |
1825 | + dh->pub_key, /* e */ | 1835 | + pub_key, /* e */ |
1826 | + dh_server_pub, /* f */ | 1836 | + dh_server_pub, /* f */ |
1827 | + shared_secret, /* K */ | 1837 | + shared_secret, /* K */ |
1828 | + hash, &hashlen | 1838 | + hash, &hashlen |
@@ -1837,8 +1847,8 @@ index 000000000..953c0a248 | |||
1837 | + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), | 1847 | + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), |
1838 | + (serverhostkey ? serverhostkey : empty), slen, | 1848 | + (serverhostkey ? serverhostkey : empty), slen, |
1839 | + min, nbits, max, | 1849 | + min, nbits, max, |
1840 | + dh->p, dh->g, | 1850 | + dh_p, dh_g, |
1841 | + dh->pub_key, | 1851 | + pub_key, |
1842 | + dh_server_pub, | 1852 | + dh_server_pub, |
1843 | + shared_secret, | 1853 | + shared_secret, |
1844 | + hash, &hashlen | 1854 | + hash, &hashlen |
@@ -1884,10 +1894,10 @@ index 000000000..953c0a248 | |||
1884 | +#endif /* GSSAPI */ | 1894 | +#endif /* GSSAPI */ |
1885 | diff --git a/kexgsss.c b/kexgsss.c | 1895 | diff --git a/kexgsss.c b/kexgsss.c |
1886 | new file mode 100644 | 1896 | new file mode 100644 |
1887 | index 000000000..31ec6a890 | 1897 | index 000000000..18070f1d7 |
1888 | --- /dev/null | 1898 | --- /dev/null |
1889 | +++ b/kexgsss.c | 1899 | +++ b/kexgsss.c |
1890 | @@ -0,0 +1,295 @@ | 1900 | @@ -0,0 +1,300 @@ |
1891 | +/* | 1901 | +/* |
1892 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1902 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1893 | + * | 1903 | + * |
@@ -1958,6 +1968,7 @@ index 000000000..31ec6a890 | |||
1958 | + u_char *kbuf; | 1968 | + u_char *kbuf; |
1959 | + DH *dh; | 1969 | + DH *dh; |
1960 | + int min = -1, max = -1, nbits = -1; | 1970 | + int min = -1, max = -1, nbits = -1; |
1971 | + const BIGNUM *pub_key, *dh_p, *dh_g; | ||
1961 | + BIGNUM *shared_secret = NULL; | 1972 | + BIGNUM *shared_secret = NULL; |
1962 | + BIGNUM *dh_client_pub = NULL; | 1973 | + BIGNUM *dh_client_pub = NULL; |
1963 | + int type = 0; | 1974 | + int type = 0; |
@@ -2008,10 +2019,11 @@ index 000000000..31ec6a890 | |||
2008 | + nbits, MIN(DH_GRP_MAX, max))); | 2019 | + nbits, MIN(DH_GRP_MAX, max))); |
2009 | + if (dh == NULL) | 2020 | + if (dh == NULL) |
2010 | + packet_disconnect("Protocol error: no matching group found"); | 2021 | + packet_disconnect("Protocol error: no matching group found"); |
2022 | + DH_get0_pqg(dh, &dh_p, NULL, &dh_g); | ||
2011 | + | 2023 | + |
2012 | + packet_start(SSH2_MSG_KEXGSS_GROUP); | 2024 | + packet_start(SSH2_MSG_KEXGSS_GROUP); |
2013 | + packet_put_bignum2(dh->p); | 2025 | + packet_put_bignum2(dh_p); |
2014 | + packet_put_bignum2(dh->g); | 2026 | + packet_put_bignum2(dh_g); |
2015 | + packet_send(); | 2027 | + packet_send(); |
2016 | + | 2028 | + |
2017 | + packet_write_wait(); | 2029 | + packet_write_wait(); |
@@ -2103,6 +2115,9 @@ index 000000000..31ec6a890 | |||
2103 | + memset(kbuf, 0, klen); | 2115 | + memset(kbuf, 0, klen); |
2104 | + free(kbuf); | 2116 | + free(kbuf); |
2105 | + | 2117 | + |
2118 | + DH_get0_key(dh, &pub_key, NULL); | ||
2119 | + DH_get0_pqg(dh, &dh_p, NULL, &dh_g); | ||
2120 | + | ||
2106 | + hashlen = sizeof(hash); | 2121 | + hashlen = sizeof(hash); |
2107 | + switch (ssh->kex->kex_type) { | 2122 | + switch (ssh->kex->kex_type) { |
2108 | + case KEX_GSS_GRP1_SHA1: | 2123 | + case KEX_GSS_GRP1_SHA1: |
@@ -2113,7 +2128,7 @@ index 000000000..31ec6a890 | |||
2113 | + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), | 2128 | + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), |
2114 | + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), | 2129 | + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), |
2115 | + NULL, 0, /* Change this if we start sending host keys */ | 2130 | + NULL, 0, /* Change this if we start sending host keys */ |
2116 | + dh_client_pub, dh->pub_key, shared_secret, | 2131 | + dh_client_pub, pub_key, shared_secret, |
2117 | + hash, &hashlen | 2132 | + hash, &hashlen |
2118 | + ); | 2133 | + ); |
2119 | + break; | 2134 | + break; |
@@ -2125,9 +2140,9 @@ index 000000000..31ec6a890 | |||
2125 | + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), | 2140 | + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), |
2126 | + NULL, 0, | 2141 | + NULL, 0, |
2127 | + min, nbits, max, | 2142 | + min, nbits, max, |
2128 | + dh->p, dh->g, | 2143 | + dh_p, dh_g, |
2129 | + dh_client_pub, | 2144 | + dh_client_pub, |
2130 | + dh->pub_key, | 2145 | + pub_key, |
2131 | + shared_secret, | 2146 | + shared_secret, |
2132 | + hash, &hashlen | 2147 | + hash, &hashlen |
2133 | + ); | 2148 | + ); |
@@ -2151,7 +2166,7 @@ index 000000000..31ec6a890 | |||
2151 | + fatal("Couldn't get MIC"); | 2166 | + fatal("Couldn't get MIC"); |
2152 | + | 2167 | + |
2153 | + packet_start(SSH2_MSG_KEXGSS_COMPLETE); | 2168 | + packet_start(SSH2_MSG_KEXGSS_COMPLETE); |
2154 | + packet_put_bignum2(dh->pub_key); | 2169 | + packet_put_bignum2(pub_key); |
2155 | + packet_put_string(msg_tok.value,msg_tok.length); | 2170 | + packet_put_string(msg_tok.value,msg_tok.length); |
2156 | + | 2171 | + |
2157 | + if (send_tok.length != 0) { | 2172 | + if (send_tok.length != 0) { |
@@ -2184,10 +2199,10 @@ index 000000000..31ec6a890 | |||
2184 | +} | 2199 | +} |
2185 | +#endif /* GSSAPI */ | 2200 | +#endif /* GSSAPI */ |
2186 | diff --git a/monitor.c b/monitor.c | 2201 | diff --git a/monitor.c b/monitor.c |
2187 | index d4b4b0471..4e574a2ae 100644 | 2202 | index 531b2993a..eabc1e89b 100644 |
2188 | --- a/monitor.c | 2203 | --- a/monitor.c |
2189 | +++ b/monitor.c | 2204 | +++ b/monitor.c |
2190 | @@ -143,6 +143,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *); | 2205 | @@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *); |
2191 | int mm_answer_gss_accept_ctx(int, struct sshbuf *); | 2206 | int mm_answer_gss_accept_ctx(int, struct sshbuf *); |
2192 | int mm_answer_gss_userok(int, struct sshbuf *); | 2207 | int mm_answer_gss_userok(int, struct sshbuf *); |
2193 | int mm_answer_gss_checkmic(int, struct sshbuf *); | 2208 | int mm_answer_gss_checkmic(int, struct sshbuf *); |
@@ -2196,7 +2211,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2196 | #endif | 2211 | #endif |
2197 | 2212 | ||
2198 | #ifdef SSH_AUDIT_EVENTS | 2213 | #ifdef SSH_AUDIT_EVENTS |
2199 | @@ -213,11 +215,18 @@ struct mon_table mon_dispatch_proto20[] = { | 2214 | @@ -215,11 +217,18 @@ struct mon_table mon_dispatch_proto20[] = { |
2200 | {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, | 2215 | {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, |
2201 | {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, | 2216 | {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, |
2202 | {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, | 2217 | {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, |
@@ -2215,7 +2230,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2215 | #ifdef WITH_OPENSSL | 2230 | #ifdef WITH_OPENSSL |
2216 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2231 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2217 | #endif | 2232 | #endif |
2218 | @@ -287,6 +296,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 2233 | @@ -289,6 +298,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2219 | /* Permit requests for moduli and signatures */ | 2234 | /* Permit requests for moduli and signatures */ |
2220 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2235 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2221 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2236 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2226,7 +2241,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2226 | 2241 | ||
2227 | /* The first few requests do not require asynchronous access */ | 2242 | /* The first few requests do not require asynchronous access */ |
2228 | while (!authenticated) { | 2243 | while (!authenticated) { |
2229 | @@ -399,6 +412,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2244 | @@ -401,6 +414,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2230 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2245 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2231 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2246 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2232 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2247 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2237,7 +2252,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2237 | 2252 | ||
2238 | if (auth_opts->permit_pty_flag) { | 2253 | if (auth_opts->permit_pty_flag) { |
2239 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 2254 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
2240 | @@ -1662,6 +1679,13 @@ monitor_apply_keystate(struct monitor *pmonitor) | 2255 | @@ -1666,6 +1683,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
2241 | # endif | 2256 | # endif |
2242 | #endif /* WITH_OPENSSL */ | 2257 | #endif /* WITH_OPENSSL */ |
2243 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2258 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2251,7 +2266,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2251 | kex->load_host_public_key=&get_hostkey_public_by_type; | 2266 | kex->load_host_public_key=&get_hostkey_public_by_type; |
2252 | kex->load_host_private_key=&get_hostkey_private_by_type; | 2267 | kex->load_host_private_key=&get_hostkey_private_by_type; |
2253 | kex->host_key_index=&get_hostkey_index; | 2268 | kex->host_key_index=&get_hostkey_index; |
2254 | @@ -1752,8 +1776,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) | 2269 | @@ -1756,8 +1780,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) |
2255 | u_char *p; | 2270 | u_char *p; |
2256 | int r; | 2271 | int r; |
2257 | 2272 | ||
@@ -2262,7 +2277,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2262 | 2277 | ||
2263 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) | 2278 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) |
2264 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2279 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2265 | @@ -1785,8 +1809,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) | 2280 | @@ -1789,8 +1813,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) |
2266 | OM_uint32 flags = 0; /* GSI needs this */ | 2281 | OM_uint32 flags = 0; /* GSI needs this */ |
2267 | int r; | 2282 | int r; |
2268 | 2283 | ||
@@ -2273,7 +2288,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2273 | 2288 | ||
2274 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) | 2289 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) |
2275 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2290 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2276 | @@ -1806,6 +1830,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) | 2291 | @@ -1810,6 +1834,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) |
2277 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2292 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2278 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2293 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2279 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2294 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2281,7 +2296,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2281 | } | 2296 | } |
2282 | return (0); | 2297 | return (0); |
2283 | } | 2298 | } |
2284 | @@ -1817,8 +1842,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m) | 2299 | @@ -1821,8 +1846,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m) |
2285 | OM_uint32 ret; | 2300 | OM_uint32 ret; |
2286 | int r; | 2301 | int r; |
2287 | 2302 | ||
@@ -2292,7 +2307,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2292 | 2307 | ||
2293 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || | 2308 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || |
2294 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) | 2309 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) |
2295 | @@ -1847,10 +1872,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) | 2310 | @@ -1851,10 +1876,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) |
2296 | int r, authenticated; | 2311 | int r, authenticated; |
2297 | const char *displayname; | 2312 | const char *displayname; |
2298 | 2313 | ||
@@ -2307,7 +2322,7 @@ index d4b4b0471..4e574a2ae 100644 | |||
2307 | 2322 | ||
2308 | sshbuf_reset(m); | 2323 | sshbuf_reset(m); |
2309 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) | 2324 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) |
2310 | @@ -1867,5 +1893,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) | 2325 | @@ -1871,5 +1897,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) |
2311 | /* Monitor loop will terminate if authenticated */ | 2326 | /* Monitor loop will terminate if authenticated */ |
2312 | return (authenticated); | 2327 | return (authenticated); |
2313 | } | 2328 | } |
@@ -2490,8 +2505,34 @@ index 644da081d..7f93144ff 100644 | |||
2490 | #endif | 2505 | #endif |
2491 | 2506 | ||
2492 | #ifdef USE_PAM | 2507 | #ifdef USE_PAM |
2508 | diff --git a/opacket.c b/opacket.c | ||
2509 | index e637d7a71..7672c0b59 100644 | ||
2510 | --- a/opacket.c | ||
2511 | +++ b/opacket.c | ||
2512 | @@ -80,7 +80,7 @@ ssh_packet_put_raw(struct ssh *ssh, const void *buf, u_int len) | ||
2513 | |||
2514 | #ifdef WITH_OPENSSL | ||
2515 | void | ||
2516 | -ssh_packet_put_bignum2(struct ssh *ssh, BIGNUM * value) | ||
2517 | +ssh_packet_put_bignum2(struct ssh *ssh, const BIGNUM * value) | ||
2518 | { | ||
2519 | int r; | ||
2520 | |||
2521 | diff --git a/opacket.h b/opacket.h | ||
2522 | index f92fe586e..1cf66a2d3 100644 | ||
2523 | --- a/opacket.h | ||
2524 | +++ b/opacket.h | ||
2525 | @@ -7,7 +7,7 @@ void ssh_packet_start(struct ssh *, u_char); | ||
2526 | void ssh_packet_put_char(struct ssh *, int ch); | ||
2527 | void ssh_packet_put_int(struct ssh *, u_int value); | ||
2528 | void ssh_packet_put_int64(struct ssh *, u_int64_t value); | ||
2529 | -void ssh_packet_put_bignum2(struct ssh *, BIGNUM * value); | ||
2530 | +void ssh_packet_put_bignum2(struct ssh *, const BIGNUM * value); | ||
2531 | void ssh_packet_put_ecpoint(struct ssh *, const EC_GROUP *, const EC_POINT *); | ||
2532 | void ssh_packet_put_string(struct ssh *, const void *buf, u_int len); | ||
2533 | void ssh_packet_put_cstring(struct ssh *, const char *str); | ||
2493 | diff --git a/readconf.c b/readconf.c | 2534 | diff --git a/readconf.c b/readconf.c |
2494 | index db5f2d547..4ad3c75fe 100644 | 2535 | index 433811521..36bc5e59a 100644 |
2495 | --- a/readconf.c | 2536 | --- a/readconf.c |
2496 | +++ b/readconf.c | 2537 | +++ b/readconf.c |
2497 | @@ -161,6 +161,8 @@ typedef enum { | 2538 | @@ -161,6 +161,8 @@ typedef enum { |
@@ -2524,7 +2565,7 @@ index db5f2d547..4ad3c75fe 100644 | |||
2524 | #endif | 2565 | #endif |
2525 | #ifdef ENABLE_PKCS11 | 2566 | #ifdef ENABLE_PKCS11 |
2526 | { "smartcarddevice", oPKCS11Provider }, | 2567 | { "smartcarddevice", oPKCS11Provider }, |
2527 | @@ -973,10 +985,30 @@ parse_time: | 2568 | @@ -974,10 +986,30 @@ parse_time: |
2528 | intptr = &options->gss_authentication; | 2569 | intptr = &options->gss_authentication; |
2529 | goto parse_flag; | 2570 | goto parse_flag; |
2530 | 2571 | ||
@@ -2555,7 +2596,7 @@ index db5f2d547..4ad3c75fe 100644 | |||
2555 | case oBatchMode: | 2596 | case oBatchMode: |
2556 | intptr = &options->batch_mode; | 2597 | intptr = &options->batch_mode; |
2557 | goto parse_flag; | 2598 | goto parse_flag; |
2558 | @@ -1817,7 +1849,12 @@ initialize_options(Options * options) | 2599 | @@ -1842,7 +1874,12 @@ initialize_options(Options * options) |
2559 | options->pubkey_authentication = -1; | 2600 | options->pubkey_authentication = -1; |
2560 | options->challenge_response_authentication = -1; | 2601 | options->challenge_response_authentication = -1; |
2561 | options->gss_authentication = -1; | 2602 | options->gss_authentication = -1; |
@@ -2568,7 +2609,7 @@ index db5f2d547..4ad3c75fe 100644 | |||
2568 | options->password_authentication = -1; | 2609 | options->password_authentication = -1; |
2569 | options->kbd_interactive_authentication = -1; | 2610 | options->kbd_interactive_authentication = -1; |
2570 | options->kbd_interactive_devices = NULL; | 2611 | options->kbd_interactive_devices = NULL; |
2571 | @@ -1962,8 +1999,14 @@ fill_default_options(Options * options) | 2612 | @@ -1988,8 +2025,14 @@ fill_default_options(Options * options) |
2572 | options->challenge_response_authentication = 1; | 2613 | options->challenge_response_authentication = 1; |
2573 | if (options->gss_authentication == -1) | 2614 | if (options->gss_authentication == -1) |
2574 | options->gss_authentication = 0; | 2615 | options->gss_authentication = 0; |
@@ -2584,7 +2625,7 @@ index db5f2d547..4ad3c75fe 100644 | |||
2584 | options->password_authentication = 1; | 2625 | options->password_authentication = 1; |
2585 | if (options->kbd_interactive_authentication == -1) | 2626 | if (options->kbd_interactive_authentication == -1) |
2586 | diff --git a/readconf.h b/readconf.h | 2627 | diff --git a/readconf.h b/readconf.h |
2587 | index c56887816..5ea0c296b 100644 | 2628 | index fc7e38251..8e4900d01 100644 |
2588 | --- a/readconf.h | 2629 | --- a/readconf.h |
2589 | +++ b/readconf.h | 2630 | +++ b/readconf.h |
2590 | @@ -40,7 +40,12 @@ typedef struct { | 2631 | @@ -40,7 +40,12 @@ typedef struct { |
@@ -2601,7 +2642,7 @@ index c56887816..5ea0c296b 100644 | |||
2601 | * authentication. */ | 2642 | * authentication. */ |
2602 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2643 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2603 | diff --git a/servconf.c b/servconf.c | 2644 | diff --git a/servconf.c b/servconf.c |
2604 | index c0f6af0be..e1ae07fb7 100644 | 2645 | index 932d363bb..4668b8a45 100644 |
2605 | --- a/servconf.c | 2646 | --- a/servconf.c |
2606 | +++ b/servconf.c | 2647 | +++ b/servconf.c |
2607 | @@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options) | 2648 | @@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options) |
@@ -2615,7 +2656,7 @@ index c0f6af0be..e1ae07fb7 100644 | |||
2615 | options->password_authentication = -1; | 2656 | options->password_authentication = -1; |
2616 | options->kbd_interactive_authentication = -1; | 2657 | options->kbd_interactive_authentication = -1; |
2617 | options->challenge_response_authentication = -1; | 2658 | options->challenge_response_authentication = -1; |
2618 | @@ -333,10 +335,14 @@ fill_default_server_options(ServerOptions *options) | 2659 | @@ -337,10 +339,14 @@ fill_default_server_options(ServerOptions *options) |
2619 | options->kerberos_get_afs_token = 0; | 2660 | options->kerberos_get_afs_token = 0; |
2620 | if (options->gss_authentication == -1) | 2661 | if (options->gss_authentication == -1) |
2621 | options->gss_authentication = 0; | 2662 | options->gss_authentication = 0; |
@@ -2630,7 +2671,7 @@ index c0f6af0be..e1ae07fb7 100644 | |||
2630 | if (options->password_authentication == -1) | 2671 | if (options->password_authentication == -1) |
2631 | options->password_authentication = 1; | 2672 | options->password_authentication = 1; |
2632 | if (options->kbd_interactive_authentication == -1) | 2673 | if (options->kbd_interactive_authentication == -1) |
2633 | @@ -481,6 +487,7 @@ typedef enum { | 2674 | @@ -485,6 +491,7 @@ typedef enum { |
2634 | sHostKeyAlgorithms, | 2675 | sHostKeyAlgorithms, |
2635 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 2676 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2636 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2677 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
@@ -2638,7 +2679,7 @@ index c0f6af0be..e1ae07fb7 100644 | |||
2638 | sAcceptEnv, sSetEnv, sPermitTunnel, | 2679 | sAcceptEnv, sSetEnv, sPermitTunnel, |
2639 | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, | 2680 | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, |
2640 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2681 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2641 | @@ -555,12 +562,20 @@ static struct { | 2682 | @@ -559,12 +566,20 @@ static struct { |
2642 | #ifdef GSSAPI | 2683 | #ifdef GSSAPI |
2643 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2684 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2644 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2685 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2659,7 +2700,7 @@ index c0f6af0be..e1ae07fb7 100644 | |||
2659 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2700 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2660 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2701 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2661 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2702 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2662 | @@ -1459,6 +1474,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2703 | @@ -1468,6 +1483,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2663 | intptr = &options->gss_authentication; | 2704 | intptr = &options->gss_authentication; |
2664 | goto parse_flag; | 2705 | goto parse_flag; |
2665 | 2706 | ||
@@ -2670,7 +2711,7 @@ index c0f6af0be..e1ae07fb7 100644 | |||
2670 | case sGssCleanupCreds: | 2711 | case sGssCleanupCreds: |
2671 | intptr = &options->gss_cleanup_creds; | 2712 | intptr = &options->gss_cleanup_creds; |
2672 | goto parse_flag; | 2713 | goto parse_flag; |
2673 | @@ -1467,6 +1486,10 @@ process_server_config_line(ServerOptions *options, char *line, | 2714 | @@ -1476,6 +1495,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2674 | intptr = &options->gss_strict_acceptor; | 2715 | intptr = &options->gss_strict_acceptor; |
2675 | goto parse_flag; | 2716 | goto parse_flag; |
2676 | 2717 | ||
@@ -2681,7 +2722,7 @@ index c0f6af0be..e1ae07fb7 100644 | |||
2681 | case sPasswordAuthentication: | 2722 | case sPasswordAuthentication: |
2682 | intptr = &options->password_authentication; | 2723 | intptr = &options->password_authentication; |
2683 | goto parse_flag; | 2724 | goto parse_flag; |
2684 | @@ -2551,7 +2574,10 @@ dump_config(ServerOptions *o) | 2725 | @@ -2560,7 +2583,10 @@ dump_config(ServerOptions *o) |
2685 | #endif | 2726 | #endif |
2686 | #ifdef GSSAPI | 2727 | #ifdef GSSAPI |
2687 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2728 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2693,10 +2734,10 @@ index c0f6af0be..e1ae07fb7 100644 | |||
2693 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2734 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2694 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2735 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2695 | diff --git a/servconf.h b/servconf.h | 2736 | diff --git a/servconf.h b/servconf.h |
2696 | index 557521d73..9b117fe27 100644 | 2737 | index 0175e00e8..3b76da816 100644 |
2697 | --- a/servconf.h | 2738 | --- a/servconf.h |
2698 | +++ b/servconf.h | 2739 | +++ b/servconf.h |
2699 | @@ -124,8 +124,10 @@ typedef struct { | 2740 | @@ -125,8 +125,10 @@ typedef struct { |
2700 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2741 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2701 | * authenticated with Kerberos. */ | 2742 | * authenticated with Kerberos. */ |
2702 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2743 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2825,10 +2866,10 @@ index c12f5ef52..bcb9f153d 100644 | |||
2825 | # CheckHostIP yes | 2866 | # CheckHostIP yes |
2826 | # AddressFamily any | 2867 | # AddressFamily any |
2827 | diff --git a/ssh_config.5 b/ssh_config.5 | 2868 | diff --git a/ssh_config.5 b/ssh_config.5 |
2828 | index f499396a3..5b99921b4 100644 | 2869 | index 4d5b01d3e..16c79368a 100644 |
2829 | --- a/ssh_config.5 | 2870 | --- a/ssh_config.5 |
2830 | +++ b/ssh_config.5 | 2871 | +++ b/ssh_config.5 |
2831 | @@ -718,10 +718,42 @@ The default is | 2872 | @@ -736,10 +736,42 @@ The default is |
2832 | Specifies whether user authentication based on GSSAPI is allowed. | 2873 | Specifies whether user authentication based on GSSAPI is allowed. |
2833 | The default is | 2874 | The default is |
2834 | .Cm no . | 2875 | .Cm no . |
@@ -2872,7 +2913,7 @@ index f499396a3..5b99921b4 100644 | |||
2872 | Indicates that | 2913 | Indicates that |
2873 | .Xr ssh 1 | 2914 | .Xr ssh 1 |
2874 | diff --git a/sshconnect2.c b/sshconnect2.c | 2915 | diff --git a/sshconnect2.c b/sshconnect2.c |
2875 | index 10e4f0a08..c6a1b1271 100644 | 2916 | index 1675f3935..8c872a4fb 100644 |
2876 | --- a/sshconnect2.c | 2917 | --- a/sshconnect2.c |
2877 | +++ b/sshconnect2.c | 2918 | +++ b/sshconnect2.c |
2878 | @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2919 | @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
@@ -2985,7 +3026,7 @@ index 10e4f0a08..c6a1b1271 100644 | |||
2985 | {"gssapi-with-mic", | 3026 | {"gssapi-with-mic", |
2986 | userauth_gssapi, | 3027 | userauth_gssapi, |
2987 | NULL, | 3028 | NULL, |
2988 | @@ -657,25 +723,40 @@ userauth_gssapi(Authctxt *authctxt) | 3029 | @@ -686,25 +752,40 @@ userauth_gssapi(Authctxt *authctxt) |
2989 | static u_int mech = 0; | 3030 | static u_int mech = 0; |
2990 | OM_uint32 min; | 3031 | OM_uint32 min; |
2991 | int r, ok = 0; | 3032 | int r, ok = 0; |
@@ -3028,7 +3069,7 @@ index 10e4f0a08..c6a1b1271 100644 | |||
3028 | if (!ok) | 3069 | if (!ok) |
3029 | return 0; | 3070 | return 0; |
3030 | 3071 | ||
3031 | @@ -906,6 +987,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) | 3072 | @@ -935,6 +1016,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) |
3032 | free(lang); | 3073 | free(lang); |
3033 | return r; | 3074 | return r; |
3034 | } | 3075 | } |
@@ -3084,7 +3125,7 @@ index 10e4f0a08..c6a1b1271 100644 | |||
3084 | 3125 | ||
3085 | int | 3126 | int |
3086 | diff --git a/sshd.c b/sshd.c | 3127 | diff --git a/sshd.c b/sshd.c |
3087 | index a738c3ab6..2e453cdf8 100644 | 3128 | index ba26287ba..539a000fd 100644 |
3088 | --- a/sshd.c | 3129 | --- a/sshd.c |
3089 | +++ b/sshd.c | 3130 | +++ b/sshd.c |
3090 | @@ -123,6 +123,10 @@ | 3131 | @@ -123,6 +123,10 @@ |
@@ -3098,16 +3139,7 @@ index a738c3ab6..2e453cdf8 100644 | |||
3098 | /* Re-exec fds */ | 3139 | /* Re-exec fds */ |
3099 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 3140 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
3100 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 3141 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
3101 | @@ -536,7 +540,7 @@ privsep_preauth_child(void) | 3142 | @@ -1810,10 +1814,13 @@ main(int ac, char **av) |
3102 | |||
3103 | #ifdef GSSAPI | ||
3104 | /* Cache supported mechanism OIDs for later use */ | ||
3105 | - if (options.gss_authentication) | ||
3106 | + if (options.gss_authentication || options.gss_keyex) | ||
3107 | ssh_gssapi_prepare_supported_oids(); | ||
3108 | #endif | ||
3109 | |||
3110 | @@ -1811,10 +1815,13 @@ main(int ac, char **av) | ||
3111 | free(fp); | 3143 | free(fp); |
3112 | } | 3144 | } |
3113 | accumulate_host_timing_secret(cfg, NULL); | 3145 | accumulate_host_timing_secret(cfg, NULL); |
@@ -3121,7 +3153,7 @@ index a738c3ab6..2e453cdf8 100644 | |||
3121 | 3153 | ||
3122 | /* | 3154 | /* |
3123 | * Load certificates. They are stored in an array at identical | 3155 | * Load certificates. They are stored in an array at identical |
3124 | @@ -2105,6 +2112,60 @@ main(int ac, char **av) | 3156 | @@ -2104,6 +2111,60 @@ main(int ac, char **av) |
3125 | rdomain == NULL ? "" : "\""); | 3157 | rdomain == NULL ? "" : "\""); |
3126 | free(laddr); | 3158 | free(laddr); |
3127 | 3159 | ||
@@ -3182,7 +3214,7 @@ index a738c3ab6..2e453cdf8 100644 | |||
3182 | /* | 3214 | /* |
3183 | * We don't want to listen forever unless the other side | 3215 | * We don't want to listen forever unless the other side |
3184 | * successfully authenticates itself. So we set up an alarm which is | 3216 | * successfully authenticates itself. So we set up an alarm which is |
3185 | @@ -2288,6 +2349,48 @@ do_ssh2_kex(void) | 3217 | @@ -2287,6 +2348,48 @@ do_ssh2_kex(void) |
3186 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 3218 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3187 | list_hostkey_types()); | 3219 | list_hostkey_types()); |
3188 | 3220 | ||
@@ -3231,7 +3263,7 @@ index a738c3ab6..2e453cdf8 100644 | |||
3231 | /* start key exchange */ | 3263 | /* start key exchange */ |
3232 | if ((r = kex_setup(active_state, myproposal)) != 0) | 3264 | if ((r = kex_setup(active_state, myproposal)) != 0) |
3233 | fatal("kex_setup: %s", ssh_err(r)); | 3265 | fatal("kex_setup: %s", ssh_err(r)); |
3234 | @@ -2305,6 +2408,13 @@ do_ssh2_kex(void) | 3266 | @@ -2304,6 +2407,13 @@ do_ssh2_kex(void) |
3235 | # endif | 3267 | # endif |
3236 | #endif | 3268 | #endif |
3237 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 3269 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -3259,10 +3291,10 @@ index 19b7c91a1..2c48105f8 100644 | |||
3259 | # Set this to 'yes' to enable PAM authentication, account processing, | 3291 | # Set this to 'yes' to enable PAM authentication, account processing, |
3260 | # and session processing. If this is enabled, PAM authentication will | 3292 | # and session processing. If this is enabled, PAM authentication will |
3261 | diff --git a/sshd_config.5 b/sshd_config.5 | 3293 | diff --git a/sshd_config.5 b/sshd_config.5 |
3262 | index e1b54ba20..a0ac717c7 100644 | 3294 | index c6484370b..985eef5a2 100644 |
3263 | --- a/sshd_config.5 | 3295 | --- a/sshd_config.5 |
3264 | +++ b/sshd_config.5 | 3296 | +++ b/sshd_config.5 |
3265 | @@ -637,6 +637,11 @@ The default is | 3297 | @@ -648,6 +648,11 @@ The default is |
3266 | Specifies whether user authentication based on GSSAPI is allowed. | 3298 | Specifies whether user authentication based on GSSAPI is allowed. |
3267 | The default is | 3299 | The default is |
3268 | .Cm no . | 3300 | .Cm no . |
@@ -3274,7 +3306,7 @@ index e1b54ba20..a0ac717c7 100644 | |||
3274 | .It Cm GSSAPICleanupCredentials | 3306 | .It Cm GSSAPICleanupCredentials |
3275 | Specifies whether to automatically destroy the user's credentials cache | 3307 | Specifies whether to automatically destroy the user's credentials cache |
3276 | on logout. | 3308 | on logout. |
3277 | @@ -656,6 +661,11 @@ machine's default store. | 3309 | @@ -667,6 +672,11 @@ machine's default store. |
3278 | This facility is provided to assist with operation on multi homed machines. | 3310 | This facility is provided to assist with operation on multi homed machines. |
3279 | The default is | 3311 | The default is |
3280 | .Cm yes . | 3312 | .Cm yes . |
@@ -3287,10 +3319,10 @@ index e1b54ba20..a0ac717c7 100644 | |||
3287 | Specifies the key types that will be accepted for hostbased authentication | 3319 | Specifies the key types that will be accepted for hostbased authentication |
3288 | as a list of comma-separated patterns. | 3320 | as a list of comma-separated patterns. |
3289 | diff --git a/sshkey.c b/sshkey.c | 3321 | diff --git a/sshkey.c b/sshkey.c |
3290 | index 72c08c7e0..91e99a262 100644 | 3322 | index 6555c5ef8..a85c185fc 100644 |
3291 | --- a/sshkey.c | 3323 | --- a/sshkey.c |
3292 | +++ b/sshkey.c | 3324 | +++ b/sshkey.c |
3293 | @@ -140,6 +140,7 @@ static const struct keytype keytypes[] = { | 3325 | @@ -135,6 +135,7 @@ static const struct keytype keytypes[] = { |
3294 | # endif /* OPENSSL_HAS_NISTP521 */ | 3326 | # endif /* OPENSSL_HAS_NISTP521 */ |
3295 | # endif /* OPENSSL_HAS_ECC */ | 3327 | # endif /* OPENSSL_HAS_ECC */ |
3296 | #endif /* WITH_OPENSSL */ | 3328 | #endif /* WITH_OPENSSL */ |
@@ -3298,7 +3330,7 @@ index 72c08c7e0..91e99a262 100644 | |||
3298 | { NULL, NULL, NULL, -1, -1, 0, 0 } | 3330 | { NULL, NULL, NULL, -1, -1, 0, 0 } |
3299 | }; | 3331 | }; |
3300 | 3332 | ||
3301 | @@ -228,7 +229,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) | 3333 | @@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) |
3302 | const struct keytype *kt; | 3334 | const struct keytype *kt; |
3303 | 3335 | ||
3304 | for (kt = keytypes; kt->type != -1; kt++) { | 3336 | for (kt = keytypes; kt->type != -1; kt++) { |
@@ -3308,10 +3340,10 @@ index 72c08c7e0..91e99a262 100644 | |||
3308 | if (!include_sigonly && kt->sigonly) | 3340 | if (!include_sigonly && kt->sigonly) |
3309 | continue; | 3341 | continue; |
3310 | diff --git a/sshkey.h b/sshkey.h | 3342 | diff --git a/sshkey.h b/sshkey.h |
3311 | index 9060b2ecb..0cbdcfd74 100644 | 3343 | index f6a007fdf..f54deb0c0 100644 |
3312 | --- a/sshkey.h | 3344 | --- a/sshkey.h |
3313 | +++ b/sshkey.h | 3345 | +++ b/sshkey.h |
3314 | @@ -63,6 +63,7 @@ enum sshkey_types { | 3346 | @@ -64,6 +64,7 @@ enum sshkey_types { |
3315 | KEY_ED25519_CERT, | 3347 | KEY_ED25519_CERT, |
3316 | KEY_XMSS, | 3348 | KEY_XMSS, |
3317 | KEY_XMSS_CERT, | 3349 | KEY_XMSS_CERT, |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index fc052ea73..4207302c3 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2c0a1fef2aaf16c5b97694139239797f0ea33d27 Mon Sep 17 00:00:00 2001 | 1 | From 7ba31c6ff505278fb9f33b695605ca3a093caba2 Mon Sep 17 00:00:00 2001 |
2 | From: Richard Kettlewell <rjk@greenend.org.uk> | 2 | From: Richard Kettlewell <rjk@greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 |
4 | Subject: Various keepalive extensions | 4 | Subject: Various keepalive extensions |
@@ -16,7 +16,7 @@ keepalives. | |||
16 | Author: Ian Jackson <ian@chiark.greenend.org.uk> | 16 | Author: Ian Jackson <ian@chiark.greenend.org.uk> |
17 | Author: Matthew Vernon <matthew@debian.org> | 17 | Author: Matthew Vernon <matthew@debian.org> |
18 | Author: Colin Watson <cjwatson@debian.org> | 18 | Author: Colin Watson <cjwatson@debian.org> |
19 | Last-Update: 2018-08-24 | 19 | Last-Update: 2018-10-19 |
20 | 20 | ||
21 | Patch-Name: keepalive-extensions.patch | 21 | Patch-Name: keepalive-extensions.patch |
22 | --- | 22 | --- |
@@ -26,18 +26,18 @@ Patch-Name: keepalive-extensions.patch | |||
26 | 3 files changed, 34 insertions(+), 4 deletions(-) | 26 | 3 files changed, 34 insertions(+), 4 deletions(-) |
27 | 27 | ||
28 | diff --git a/readconf.c b/readconf.c | 28 | diff --git a/readconf.c b/readconf.c |
29 | index 6e26ba32d..3fd0fe7b7 100644 | 29 | index 5e655e924..052d4b1ac 100644 |
30 | --- a/readconf.c | 30 | --- a/readconf.c |
31 | +++ b/readconf.c | 31 | +++ b/readconf.c |
32 | @@ -175,6 +175,7 @@ typedef enum { | 32 | @@ -175,6 +175,7 @@ typedef enum { |
33 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, | 33 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, |
34 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | 34 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, |
35 | oPubkeyAcceptedKeyTypes, oProxyJump, | 35 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, |
36 | + oProtocolKeepAlives, oSetupTimeOut, | 36 | + oProtocolKeepAlives, oSetupTimeOut, |
37 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported | 37 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported |
38 | } OpCodes; | 38 | } OpCodes; |
39 | 39 | ||
40 | @@ -321,6 +322,8 @@ static struct { | 40 | @@ -322,6 +323,8 @@ static struct { |
41 | { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, | 41 | { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, |
42 | { "ignoreunknown", oIgnoreUnknown }, | 42 | { "ignoreunknown", oIgnoreUnknown }, |
43 | { "proxyjump", oProxyJump }, | 43 | { "proxyjump", oProxyJump }, |
@@ -46,7 +46,7 @@ index 6e26ba32d..3fd0fe7b7 100644 | |||
46 | 46 | ||
47 | { NULL, oBadOption } | 47 | { NULL, oBadOption } |
48 | }; | 48 | }; |
49 | @@ -1401,6 +1404,8 @@ parse_keytypes: | 49 | @@ -1415,6 +1418,8 @@ parse_keytypes: |
50 | goto parse_flag; | 50 | goto parse_flag; |
51 | 51 | ||
52 | case oServerAliveInterval: | 52 | case oServerAliveInterval: |
@@ -55,7 +55,7 @@ index 6e26ba32d..3fd0fe7b7 100644 | |||
55 | intptr = &options->server_alive_interval; | 55 | intptr = &options->server_alive_interval; |
56 | goto parse_time; | 56 | goto parse_time; |
57 | 57 | ||
58 | @@ -2075,8 +2080,13 @@ fill_default_options(Options * options) | 58 | @@ -2101,8 +2106,13 @@ fill_default_options(Options * options) |
59 | options->rekey_interval = 0; | 59 | options->rekey_interval = 0; |
60 | if (options->verify_host_key_dns == -1) | 60 | if (options->verify_host_key_dns == -1) |
61 | options->verify_host_key_dns = 0; | 61 | options->verify_host_key_dns = 0; |
@@ -72,7 +72,7 @@ index 6e26ba32d..3fd0fe7b7 100644 | |||
72 | options->server_alive_count_max = 3; | 72 | options->server_alive_count_max = 3; |
73 | if (options->control_master == -1) | 73 | if (options->control_master == -1) |
74 | diff --git a/ssh_config.5 b/ssh_config.5 | 74 | diff --git a/ssh_config.5 b/ssh_config.5 |
75 | index 5b99921b4..86ada128e 100644 | 75 | index 16c79368a..54e143c93 100644 |
76 | --- a/ssh_config.5 | 76 | --- a/ssh_config.5 |
77 | +++ b/ssh_config.5 | 77 | +++ b/ssh_config.5 |
78 | @@ -247,8 +247,12 @@ Valid arguments are | 78 | @@ -247,8 +247,12 @@ Valid arguments are |
@@ -89,7 +89,7 @@ index 5b99921b4..86ada128e 100644 | |||
89 | The argument must be | 89 | The argument must be |
90 | .Cm yes | 90 | .Cm yes |
91 | or | 91 | or |
92 | @@ -1463,7 +1467,14 @@ from the server, | 92 | @@ -1485,7 +1489,14 @@ from the server, |
93 | will send a message through the encrypted | 93 | will send a message through the encrypted |
94 | channel to request a response from the server. | 94 | channel to request a response from the server. |
95 | The default | 95 | The default |
@@ -105,7 +105,7 @@ index 5b99921b4..86ada128e 100644 | |||
105 | .It Cm SetEnv | 105 | .It Cm SetEnv |
106 | Directly specify one or more environment variables and their contents to | 106 | Directly specify one or more environment variables and their contents to |
107 | be sent to the server. | 107 | be sent to the server. |
108 | @@ -1543,6 +1554,12 @@ Specifies whether the system should send TCP keepalive messages to the | 108 | @@ -1565,6 +1576,12 @@ Specifies whether the system should send TCP keepalive messages to the |
109 | other side. | 109 | other side. |
110 | If they are sent, death of the connection or crash of one | 110 | If they are sent, death of the connection or crash of one |
111 | of the machines will be properly noticed. | 111 | of the machines will be properly noticed. |
@@ -119,10 +119,10 @@ index 5b99921b4..86ada128e 100644 | |||
119 | connections will die if the route is down temporarily, and some people | 119 | connections will die if the route is down temporarily, and some people |
120 | find it annoying. | 120 | find it annoying. |
121 | diff --git a/sshd_config.5 b/sshd_config.5 | 121 | diff --git a/sshd_config.5 b/sshd_config.5 |
122 | index a0ac717c7..0fbbccbde 100644 | 122 | index 985eef5a2..e7e55dd71 100644 |
123 | --- a/sshd_config.5 | 123 | --- a/sshd_config.5 |
124 | +++ b/sshd_config.5 | 124 | +++ b/sshd_config.5 |
125 | @@ -1566,6 +1566,9 @@ This avoids infinitely hanging sessions. | 125 | @@ -1577,6 +1577,9 @@ This avoids infinitely hanging sessions. |
126 | .Pp | 126 | .Pp |
127 | To disable TCP keepalive messages, the value should be set to | 127 | To disable TCP keepalive messages, the value should be set to |
128 | .Cm no . | 128 | .Cm no . |
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch index 3f0d5fba3..75ed46db7 100644 --- a/debian/patches/mention-ssh-keygen-on-keychange.patch +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0e0121b6dc0ffc2ec6a171328fea530378df2b3b Mon Sep 17 00:00:00 2001 | 1 | From bb8bb2621914ad600202e38d5b9b4f4544b191e5 Mon Sep 17 00:00:00 2001 |
2 | From: Scott Moser <smoser@ubuntu.com> | 2 | From: Scott Moser <smoser@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 |
4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning | 4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning |
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch | |||
14 | 1 file changed, 8 insertions(+), 1 deletion(-) | 14 | 1 file changed, 8 insertions(+), 1 deletion(-) |
15 | 15 | ||
16 | diff --git a/sshconnect.c b/sshconnect.c | 16 | diff --git a/sshconnect.c b/sshconnect.c |
17 | index a2efe6d15..ab5966066 100644 | 17 | index 700ea6c3c..158e8146f 100644 |
18 | --- a/sshconnect.c | 18 | --- a/sshconnect.c |
19 | +++ b/sshconnect.c | 19 | +++ b/sshconnect.c |
20 | @@ -1112,9 +1112,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 20 | @@ -1121,9 +1121,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
21 | error("%s. This could either mean that", key_msg); | 21 | error("%s. This could either mean that", key_msg); |
22 | error("DNS SPOOFING is happening or the IP address for the host"); | 22 | error("DNS SPOOFING is happening or the IP address for the host"); |
23 | error("and its host key have changed at the same time."); | 23 | error("and its host key have changed at the same time."); |
@@ -32,7 +32,7 @@ index a2efe6d15..ab5966066 100644 | |||
32 | } | 32 | } |
33 | /* The host key has changed. */ | 33 | /* The host key has changed. */ |
34 | warn_changed_key(host_key); | 34 | warn_changed_key(host_key); |
35 | @@ -1123,6 +1127,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 35 | @@ -1132,6 +1136,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
36 | error("Offending %s key in %s:%lu", | 36 | error("Offending %s key in %s:%lu", |
37 | sshkey_type(host_found->key), | 37 | sshkey_type(host_found->key), |
38 | host_found->file, host_found->line); | 38 | host_found->file, host_found->line); |
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch index 9c9c664d4..3b2e05e58 100644 --- a/debian/patches/no-openssl-version-status.patch +++ b/debian/patches/no-openssl-version-status.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4d75300bdb447824c974febd3d04331755dde3ca Mon Sep 17 00:00:00 2001 | 1 | From 690051b3aa4ff72af57e4a82d640858357eef820 Mon Sep 17 00:00:00 2001 |
2 | From: Kurt Roeckx <kurt@roeckx.be> | 2 | From: Kurt Roeckx <kurt@roeckx.be> |
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 |
4 | Subject: Don't check the status field of the OpenSSL version | 4 | Subject: Don't check the status field of the OpenSSL version |
@@ -23,7 +23,7 @@ Patch-Name: no-openssl-version-status.patch | |||
23 | 2 files changed, 4 insertions(+), 3 deletions(-) | 23 | 2 files changed, 4 insertions(+), 3 deletions(-) |
24 | 24 | ||
25 | diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c | 25 | diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c |
26 | index 259fccbec..aaa953f2d 100644 | 26 | index 8b4a36274..ea0b0c9fb 100644 |
27 | --- a/openbsd-compat/openssl-compat.c | 27 | --- a/openbsd-compat/openssl-compat.c |
28 | +++ b/openbsd-compat/openssl-compat.c | 28 | +++ b/openbsd-compat/openssl-compat.c |
29 | @@ -34,7 +34,7 @@ | 29 | @@ -34,7 +34,7 @@ |
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index dacff74c3..cdb905b2e 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f48c4fd12f8ecd275226e357454e45f10c20ac92 Mon Sep 17 00:00:00 2001 | 1 | From 96c85e746d4f94c7d2748a200e5817ad8a987918 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
@@ -44,7 +44,7 @@ index ef0de0850..149846c8c 100644 | |||
44 | .Sh SEE ALSO | 44 | .Sh SEE ALSO |
45 | .Xr ssh-keygen 1 , | 45 | .Xr ssh-keygen 1 , |
46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 | 46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 |
47 | index dd6e7e5a8..33e0bbcc1 100644 | 47 | index bfa2eb5f3..da6b5ed76 100644 |
48 | --- a/ssh-keygen.1 | 48 | --- a/ssh-keygen.1 |
49 | +++ b/ssh-keygen.1 | 49 | +++ b/ssh-keygen.1 |
50 | @@ -176,9 +176,7 @@ key in | 50 | @@ -176,9 +176,7 @@ key in |
@@ -78,7 +78,7 @@ index dd6e7e5a8..33e0bbcc1 100644 | |||
78 | It is important that this file contains moduli of a range of bit lengths and | 78 | It is important that this file contains moduli of a range of bit lengths and |
79 | that both ends of a connection share common moduli. | 79 | that both ends of a connection share common moduli. |
80 | .Sh CERTIFICATES | 80 | .Sh CERTIFICATES |
81 | @@ -864,7 +860,7 @@ on all machines | 81 | @@ -877,7 +873,7 @@ on all machines |
82 | where the user wishes to log in using public key authentication. | 82 | where the user wishes to log in using public key authentication. |
83 | There is no need to keep the contents of this file secret. | 83 | There is no need to keep the contents of this file secret. |
84 | .Pp | 84 | .Pp |
@@ -88,10 +88,10 @@ index dd6e7e5a8..33e0bbcc1 100644 | |||
88 | The file format is described in | 88 | The file format is described in |
89 | .Xr moduli 5 . | 89 | .Xr moduli 5 . |
90 | diff --git a/ssh.1 b/ssh.1 | 90 | diff --git a/ssh.1 b/ssh.1 |
91 | index cb0fdd50e..d41426781 100644 | 91 | index 81f29af43..5dfad6daa 100644 |
92 | --- a/ssh.1 | 92 | --- a/ssh.1 |
93 | +++ b/ssh.1 | 93 | +++ b/ssh.1 |
94 | @@ -850,6 +850,10 @@ implements public key authentication protocol automatically, | 94 | @@ -860,6 +860,10 @@ implements public key authentication protocol automatically, |
95 | using one of the DSA, ECDSA, Ed25519 or RSA algorithms. | 95 | using one of the DSA, ECDSA, Ed25519 or RSA algorithms. |
96 | The HISTORY section of | 96 | The HISTORY section of |
97 | .Xr ssl 8 | 97 | .Xr ssl 8 |
@@ -133,11 +133,11 @@ index 57a7fd66b..4abc01d66 100644 | |||
133 | .Xr sshd_config 5 , | 133 | .Xr sshd_config 5 , |
134 | .Xr inetd 8 , | 134 | .Xr inetd 8 , |
135 | diff --git a/sshd_config.5 b/sshd_config.5 | 135 | diff --git a/sshd_config.5 b/sshd_config.5 |
136 | index 96a69ab55..9774831fe 100644 | 136 | index 37e6be38f..23f71fd1d 100644 |
137 | --- a/sshd_config.5 | 137 | --- a/sshd_config.5 |
138 | +++ b/sshd_config.5 | 138 | +++ b/sshd_config.5 |
139 | @@ -384,8 +384,7 @@ then no banner is displayed. | 139 | @@ -395,8 +395,7 @@ Certificates signed using other algorithms will not be accepted for |
140 | By default, no banner is displayed. | 140 | public key or host-based authentication. |
141 | .It Cm ChallengeResponseAuthentication | 141 | .It Cm ChallengeResponseAuthentication |
142 | Specifies whether challenge-response authentication is allowed (e.g. via | 142 | Specifies whether challenge-response authentication is allowed (e.g. via |
143 | -PAM or through authentication styles supported in | 143 | -PAM or through authentication styles supported in |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index 470d057b2..809c78846 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 97c5d99b8d1957d5a29ca34157a9bfe2ed5c7003 Mon Sep 17 00:00:00 2001 | 1 | From b258a00bedcf29200b394c671c6deb1e53157f32 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -19,7 +19,7 @@ Patch-Name: package-versioning.patch | |||
19 | 3 files changed, 8 insertions(+), 3 deletions(-) | 19 | 3 files changed, 8 insertions(+), 3 deletions(-) |
20 | 20 | ||
21 | diff --git a/sshconnect.c b/sshconnect.c | 21 | diff --git a/sshconnect.c b/sshconnect.c |
22 | index ab5966066..d3656e47a 100644 | 22 | index 158e8146f..b9418e277 100644 |
23 | --- a/sshconnect.c | 23 | --- a/sshconnect.c |
24 | +++ b/sshconnect.c | 24 | +++ b/sshconnect.c |
25 | @@ -609,7 +609,7 @@ send_client_banner(int connection_out, int minor1) | 25 | @@ -609,7 +609,7 @@ send_client_banner(int connection_out, int minor1) |
@@ -32,7 +32,7 @@ index ab5966066..d3656e47a 100644 | |||
32 | strlen(client_version_string)) != strlen(client_version_string)) | 32 | strlen(client_version_string)) != strlen(client_version_string)) |
33 | fatal("write: %.100s", strerror(errno)); | 33 | fatal("write: %.100s", strerror(errno)); |
34 | diff --git a/sshd.c b/sshd.c | 34 | diff --git a/sshd.c b/sshd.c |
35 | index 92d15c82d..ffd3dad6a 100644 | 35 | index 2bc6679e5..9481272fc 100644 |
36 | --- a/sshd.c | 36 | --- a/sshd.c |
37 | +++ b/sshd.c | 37 | +++ b/sshd.c |
38 | @@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | 38 | @@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) |
@@ -45,11 +45,11 @@ index 92d15c82d..ffd3dad6a 100644 | |||
45 | options.version_addendum); | 45 | options.version_addendum); |
46 | 46 | ||
47 | diff --git a/version.h b/version.h | 47 | diff --git a/version.h b/version.h |
48 | index f1bbf00f3..e7df751e1 100644 | 48 | index 422dfbc3a..5e1ce0426 100644 |
49 | --- a/version.h | 49 | --- a/version.h |
50 | +++ b/version.h | 50 | +++ b/version.h |
51 | @@ -3,4 +3,9 @@ | 51 | @@ -3,4 +3,9 @@ |
52 | #define SSH_VERSION "OpenSSH_7.8" | 52 | #define SSH_VERSION "OpenSSH_7.9" |
53 | 53 | ||
54 | #define SSH_PORTABLE "p1" | 54 | #define SSH_PORTABLE "p1" |
55 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 55 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch index 6f0abc35f..fcb1ac7e3 100644 --- a/debian/patches/restore-authorized_keys2.patch +++ b/debian/patches/restore-authorized_keys2.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2bc71f46ab96ec8af88a5b86786fb0835d9b65bc Mon Sep 17 00:00:00 2001 | 1 | From cebe4b82b280810172877a7f3d489c506c9a0691 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 5 Mar 2017 02:02:11 +0000 | 3 | Date: Sun, 5 Mar 2017 02:02:11 +0000 |
4 | Subject: Restore reading authorized_keys2 by default | 4 | Subject: Restore reading authorized_keys2 by default |
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch index 91f3377b1..fdc6cf18a 100644 --- a/debian/patches/restore-tcp-wrappers.patch +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 84a7a1b1c767056c80add9f0e15c9f9ec23ec94d Mon Sep 17 00:00:00 2001 | 1 | From 389e16d0109d8c49a761cd7c267438b05c9ab984 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | 3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 |
4 | Subject: Restore TCP wrappers support | 4 | Subject: Restore TCP wrappers support |
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch | |||
28 | 3 files changed, 89 insertions(+) | 28 | 3 files changed, 89 insertions(+) |
29 | 29 | ||
30 | diff --git a/configure.ac b/configure.ac | 30 | diff --git a/configure.ac b/configure.ac |
31 | index 82428b241..ebc10f51e 100644 | 31 | index 023e7cc55..917300b43 100644 |
32 | --- a/configure.ac | 32 | --- a/configure.ac |
33 | +++ b/configure.ac | 33 | +++ b/configure.ac |
34 | @@ -1526,6 +1526,62 @@ else | 34 | @@ -1517,6 +1517,62 @@ else |
35 | AC_MSG_RESULT([no]) | 35 | AC_MSG_RESULT([no]) |
36 | fi | 36 | fi |
37 | 37 | ||
@@ -94,7 +94,7 @@ index 82428b241..ebc10f51e 100644 | |||
94 | # Check whether user wants to use ldns | 94 | # Check whether user wants to use ldns |
95 | LDNS_MSG="no" | 95 | LDNS_MSG="no" |
96 | AC_ARG_WITH(ldns, | 96 | AC_ARG_WITH(ldns, |
97 | @@ -5201,6 +5257,7 @@ echo " PAM support: $PAM_MSG" | 97 | @@ -5329,6 +5385,7 @@ echo " PAM support: $PAM_MSG" |
98 | echo " OSF SIA support: $SIA_MSG" | 98 | echo " OSF SIA support: $SIA_MSG" |
99 | echo " KerberosV support: $KRB5_MSG" | 99 | echo " KerberosV support: $KRB5_MSG" |
100 | echo " SELinux support: $SELINUX_MSG" | 100 | echo " SELinux support: $SELINUX_MSG" |
@@ -128,7 +128,7 @@ index fb133c14b..57a7fd66b 100644 | |||
128 | .Xr moduli 5 , | 128 | .Xr moduli 5 , |
129 | .Xr sshd_config 5 , | 129 | .Xr sshd_config 5 , |
130 | diff --git a/sshd.c b/sshd.c | 130 | diff --git a/sshd.c b/sshd.c |
131 | index 2e453cdf8..71c360da0 100644 | 131 | index 539a000fd..673db87f6 100644 |
132 | --- a/sshd.c | 132 | --- a/sshd.c |
133 | +++ b/sshd.c | 133 | +++ b/sshd.c |
134 | @@ -127,6 +127,13 @@ | 134 | @@ -127,6 +127,13 @@ |
@@ -145,7 +145,7 @@ index 2e453cdf8..71c360da0 100644 | |||
145 | /* Re-exec fds */ | 145 | /* Re-exec fds */ |
146 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 146 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
147 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 147 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
148 | @@ -2100,6 +2107,24 @@ main(int ac, char **av) | 148 | @@ -2099,6 +2106,24 @@ main(int ac, char **av) |
149 | #ifdef SSH_AUDIT_EVENTS | 149 | #ifdef SSH_AUDIT_EVENTS |
150 | audit_connection_from(remote_ip, remote_port); | 150 | audit_connection_from(remote_ip, remote_port); |
151 | #endif | 151 | #endif |
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index c52632134..d054b2a82 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f14447b774639c6de52f452e5a0e012939832855 Mon Sep 17 00:00:00 2001 | 1 | From eefdc7046766b52e39f1b6eafcde22c1e013ce9f Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch index 2febc4e38..e864427bd 100644 --- a/debian/patches/seccomp-s390-flock-ipc.patch +++ b/debian/patches/seccomp-s390-flock-ipc.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 04910479f7869c27065950b7deb0d69d85230927 Mon Sep 17 00:00:00 2001 | 1 | From 690939ba320d93e6f3ab5266bea94d8fb06c8bae Mon Sep 17 00:00:00 2001 |
2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | 2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> |
3 | Date: Tue, 9 May 2017 10:53:04 -0300 | 3 | Date: Tue, 9 May 2017 10:53:04 -0300 |
4 | Subject: Allow flock and ipc syscall for s390 architecture | 4 | Subject: Allow flock and ipc syscall for s390 architecture |
@@ -14,7 +14,7 @@ Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | |||
14 | Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | 14 | Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 |
15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | 15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 |
16 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 | 16 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 |
17 | Last-Update: 2018-08-24 | 17 | Last-Update: 2018-10-19 |
18 | 18 | ||
19 | Patch-Name: seccomp-s390-flock-ipc.patch | 19 | Patch-Name: seccomp-s390-flock-ipc.patch |
20 | --- | 20 | --- |
@@ -22,7 +22,7 @@ Patch-Name: seccomp-s390-flock-ipc.patch | |||
22 | 1 file changed, 6 insertions(+) | 22 | 1 file changed, 6 insertions(+) |
23 | 23 | ||
24 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | 24 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c |
25 | index 12c4ee130..bcea77997 100644 | 25 | index 5edbc6946..d4bc20828 100644 |
26 | --- a/sandbox-seccomp-filter.c | 26 | --- a/sandbox-seccomp-filter.c |
27 | +++ b/sandbox-seccomp-filter.c | 27 | +++ b/sandbox-seccomp-filter.c |
28 | @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { | 28 | @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { |
@@ -32,10 +32,10 @@ index 12c4ee130..bcea77997 100644 | |||
32 | +#if defined(__NR_flock) && defined(__s390__) | 32 | +#if defined(__NR_flock) && defined(__s390__) |
33 | + SC_ALLOW(__NR_flock), | 33 | + SC_ALLOW(__NR_flock), |
34 | +#endif | 34 | +#endif |
35 | #ifdef __NR_geteuid | 35 | #ifdef __NR_futex |
36 | SC_ALLOW(__NR_geteuid), | 36 | SC_ALLOW(__NR_futex), |
37 | #endif | 37 | #endif |
38 | @@ -190,6 +193,9 @@ static const struct sock_filter preauth_insns[] = { | 38 | @@ -193,6 +196,9 @@ static const struct sock_filter preauth_insns[] = { |
39 | #ifdef __NR_getuid32 | 39 | #ifdef __NR_getuid32 |
40 | SC_ALLOW(__NR_getuid32), | 40 | SC_ALLOW(__NR_getuid32), |
41 | #endif | 41 | #endif |
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch index fc3af3e64..ecbe1d142 100644 --- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch +++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 16a47fc4b04977a14f44dd433c8da1499fa80671 Mon Sep 17 00:00:00 2001 | 1 | From 9ce189b9f22890421b7f8d3f49a39186d3ce3e14 Mon Sep 17 00:00:00 2001 |
2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | 2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> |
3 | Date: Tue, 9 May 2017 13:33:30 -0300 | 3 | Date: Tue, 9 May 2017 13:33:30 -0300 |
4 | Subject: Enable specific ioctl call for EP11 crypto card (s390) | 4 | Subject: Enable specific ioctl call for EP11 crypto card (s390) |
@@ -19,10 +19,10 @@ Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch | |||
19 | 1 file changed, 2 insertions(+) | 19 | 1 file changed, 2 insertions(+) |
20 | 20 | ||
21 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | 21 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c |
22 | index bcea77997..f216ba353 100644 | 22 | index d4bc20828..ef4de8c65 100644 |
23 | --- a/sandbox-seccomp-filter.c | 23 | --- a/sandbox-seccomp-filter.c |
24 | +++ b/sandbox-seccomp-filter.c | 24 | +++ b/sandbox-seccomp-filter.c |
25 | @@ -253,6 +253,8 @@ static const struct sock_filter preauth_insns[] = { | 25 | @@ -256,6 +256,8 @@ static const struct sock_filter preauth_insns[] = { |
26 | SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), | 26 | SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), |
27 | SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), | 27 | SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), |
28 | SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), | 28 | SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 95d582067..269a87c76 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 03979f2e0768e146d179c66f2d2e33afe61c1be3 Mon Sep 17 00:00:00 2001 | 1 | From cf3f6ac19812e4d32874304b3854b055831c2124 Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -43,7 +43,7 @@ index 977562f0a..90802a5eb 100644 | |||
43 | /* Method lists for multiple authentication */ | 43 | /* Method lists for multiple authentication */ |
44 | char **auth_methods; /* modified from server config */ | 44 | char **auth_methods; /* modified from server config */ |
45 | diff --git a/auth2.c b/auth2.c | 45 | diff --git a/auth2.c b/auth2.c |
46 | index 96efe164c..90a247c1c 100644 | 46 | index a77742819..3035926ba 100644 |
47 | --- a/auth2.c | 47 | --- a/auth2.c |
48 | +++ b/auth2.c | 48 | +++ b/auth2.c |
49 | @@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | 49 | @@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
@@ -81,10 +81,10 @@ index 96efe164c..90a247c1c 100644 | |||
81 | if (auth2_setup_methods_lists(authctxt) != 0) | 81 | if (auth2_setup_methods_lists(authctxt) != 0) |
82 | packet_disconnect("no authentication methods enabled"); | 82 | packet_disconnect("no authentication methods enabled"); |
83 | diff --git a/monitor.c b/monitor.c | 83 | diff --git a/monitor.c b/monitor.c |
84 | index 4e574a2ae..c1e7e9b80 100644 | 84 | index eabc1e89b..08fddabd7 100644 |
85 | --- a/monitor.c | 85 | --- a/monitor.c |
86 | +++ b/monitor.c | 86 | +++ b/monitor.c |
87 | @@ -115,6 +115,7 @@ int mm_answer_sign(int, struct sshbuf *); | 87 | @@ -117,6 +117,7 @@ int mm_answer_sign(int, struct sshbuf *); |
88 | int mm_answer_pwnamallow(int, struct sshbuf *); | 88 | int mm_answer_pwnamallow(int, struct sshbuf *); |
89 | int mm_answer_auth2_read_banner(int, struct sshbuf *); | 89 | int mm_answer_auth2_read_banner(int, struct sshbuf *); |
90 | int mm_answer_authserv(int, struct sshbuf *); | 90 | int mm_answer_authserv(int, struct sshbuf *); |
@@ -92,7 +92,7 @@ index 4e574a2ae..c1e7e9b80 100644 | |||
92 | int mm_answer_authpassword(int, struct sshbuf *); | 92 | int mm_answer_authpassword(int, struct sshbuf *); |
93 | int mm_answer_bsdauthquery(int, struct sshbuf *); | 93 | int mm_answer_bsdauthquery(int, struct sshbuf *); |
94 | int mm_answer_bsdauthrespond(int, struct sshbuf *); | 94 | int mm_answer_bsdauthrespond(int, struct sshbuf *); |
95 | @@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = { | 95 | @@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = { |
96 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 96 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
97 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 97 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
98 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 98 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -100,7 +100,7 @@ index 4e574a2ae..c1e7e9b80 100644 | |||
100 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 100 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
101 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 101 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
102 | #ifdef USE_PAM | 102 | #ifdef USE_PAM |
103 | @@ -813,6 +815,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | 103 | @@ -817,6 +819,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) |
104 | 104 | ||
105 | /* Allow service/style information on the auth context */ | 105 | /* Allow service/style information on the auth context */ |
106 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 106 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -108,7 +108,7 @@ index 4e574a2ae..c1e7e9b80 100644 | |||
108 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 108 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
109 | 109 | ||
110 | #ifdef USE_PAM | 110 | #ifdef USE_PAM |
111 | @@ -846,16 +849,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) | 111 | @@ -850,16 +853,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) |
112 | monitor_permit_authentications(1); | 112 | monitor_permit_authentications(1); |
113 | 113 | ||
114 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || | 114 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || |
@@ -154,7 +154,7 @@ index 4e574a2ae..c1e7e9b80 100644 | |||
154 | return (0); | 154 | return (0); |
155 | } | 155 | } |
156 | 156 | ||
157 | @@ -1497,7 +1526,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | 157 | @@ -1501,7 +1530,7 @@ mm_answer_pty(int sock, struct sshbuf *m) |
158 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 158 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
159 | if (res == 0) | 159 | if (res == 0) |
160 | goto error; | 160 | goto error; |
@@ -245,10 +245,10 @@ index 7f93144ff..79e78cc90 100644 | |||
245 | char *mm_auth2_read_banner(void); | 245 | char *mm_auth2_read_banner(void); |
246 | int mm_auth_password(struct ssh *, char *); | 246 | int mm_auth_password(struct ssh *, char *); |
247 | diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c | 247 | diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c |
248 | index 8c5325cc3..9fdda664f 100644 | 248 | index 622988822..3e6e07670 100644 |
249 | --- a/openbsd-compat/port-linux.c | 249 | --- a/openbsd-compat/port-linux.c |
250 | +++ b/openbsd-compat/port-linux.c | 250 | +++ b/openbsd-compat/port-linux.c |
251 | @@ -55,7 +55,7 @@ ssh_selinux_enabled(void) | 251 | @@ -56,7 +56,7 @@ ssh_selinux_enabled(void) |
252 | 252 | ||
253 | /* Return the default security context for the given username */ | 253 | /* Return the default security context for the given username */ |
254 | static security_context_t | 254 | static security_context_t |
@@ -257,7 +257,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
257 | { | 257 | { |
258 | security_context_t sc = NULL; | 258 | security_context_t sc = NULL; |
259 | char *sename = NULL, *lvl = NULL; | 259 | char *sename = NULL, *lvl = NULL; |
260 | @@ -70,9 +70,16 @@ ssh_selinux_getctxbyname(char *pwname) | 260 | @@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname) |
261 | #endif | 261 | #endif |
262 | 262 | ||
263 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 263 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
@@ -276,7 +276,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
276 | #endif | 276 | #endif |
277 | 277 | ||
278 | if (r != 0) { | 278 | if (r != 0) { |
279 | @@ -102,7 +109,7 @@ ssh_selinux_getctxbyname(char *pwname) | 279 | @@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname) |
280 | 280 | ||
281 | /* Set the execution context to the default for the specified user */ | 281 | /* Set the execution context to the default for the specified user */ |
282 | void | 282 | void |
@@ -285,7 +285,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
285 | { | 285 | { |
286 | security_context_t user_ctx = NULL; | 286 | security_context_t user_ctx = NULL; |
287 | 287 | ||
288 | @@ -111,7 +118,7 @@ ssh_selinux_setup_exec_context(char *pwname) | 288 | @@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname) |
289 | 289 | ||
290 | debug3("%s: setting execution context", __func__); | 290 | debug3("%s: setting execution context", __func__); |
291 | 291 | ||
@@ -294,7 +294,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
294 | if (setexeccon(user_ctx) != 0) { | 294 | if (setexeccon(user_ctx) != 0) { |
295 | switch (security_getenforce()) { | 295 | switch (security_getenforce()) { |
296 | case -1: | 296 | case -1: |
297 | @@ -133,7 +140,7 @@ ssh_selinux_setup_exec_context(char *pwname) | 297 | @@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname) |
298 | 298 | ||
299 | /* Set the TTY context for the specified user */ | 299 | /* Set the TTY context for the specified user */ |
300 | void | 300 | void |
@@ -303,7 +303,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
303 | { | 303 | { |
304 | security_context_t new_tty_ctx = NULL; | 304 | security_context_t new_tty_ctx = NULL; |
305 | security_context_t user_ctx = NULL; | 305 | security_context_t user_ctx = NULL; |
306 | @@ -145,7 +152,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | 306 | @@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) |
307 | 307 | ||
308 | debug3("%s: setting TTY context on %s", __func__, tty); | 308 | debug3("%s: setting TTY context on %s", __func__, tty); |
309 | 309 | ||
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644 | |||
363 | char *platform_krb5_get_principal_name(const char *); | 363 | char *platform_krb5_get_principal_name(const char *); |
364 | int platform_sys_dir_uid(uid_t); | 364 | int platform_sys_dir_uid(uid_t); |
365 | diff --git a/session.c b/session.c | 365 | diff --git a/session.c b/session.c |
366 | index f2cf52006..d5d2e94b0 100644 | 366 | index 2d0958d11..19f38637e 100644 |
367 | --- a/session.c | 367 | --- a/session.c |
368 | +++ b/session.c | 368 | +++ b/session.c |
369 | @@ -1378,7 +1378,7 @@ safely_chroot(const char *path, uid_t uid) | 369 | @@ -1380,7 +1380,7 @@ safely_chroot(const char *path, uid_t uid) |
370 | 370 | ||
371 | /* Set login name, uid, gid, and groups. */ | 371 | /* Set login name, uid, gid, and groups. */ |
372 | void | 372 | void |
@@ -375,7 +375,7 @@ index f2cf52006..d5d2e94b0 100644 | |||
375 | { | 375 | { |
376 | char uidstr[32], *chroot_path, *tmp; | 376 | char uidstr[32], *chroot_path, *tmp; |
377 | 377 | ||
378 | @@ -1406,7 +1406,7 @@ do_setusercontext(struct passwd *pw) | 378 | @@ -1408,7 +1408,7 @@ do_setusercontext(struct passwd *pw) |
379 | endgrent(); | 379 | endgrent(); |
380 | #endif | 380 | #endif |
381 | 381 | ||
@@ -384,7 +384,7 @@ index f2cf52006..d5d2e94b0 100644 | |||
384 | 384 | ||
385 | if (!in_chroot && options.chroot_directory != NULL && | 385 | if (!in_chroot && options.chroot_directory != NULL && |
386 | strcasecmp(options.chroot_directory, "none") != 0) { | 386 | strcasecmp(options.chroot_directory, "none") != 0) { |
387 | @@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | 387 | @@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) |
388 | 388 | ||
389 | /* Force a password change */ | 389 | /* Force a password change */ |
390 | if (s->authctxt->force_pwchange) { | 390 | if (s->authctxt->force_pwchange) { |
@@ -393,7 +393,7 @@ index f2cf52006..d5d2e94b0 100644 | |||
393 | child_close_fds(ssh); | 393 | child_close_fds(ssh); |
394 | do_pwchange(s); | 394 | do_pwchange(s); |
395 | exit(1); | 395 | exit(1); |
396 | @@ -1563,7 +1563,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | 396 | @@ -1565,7 +1565,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) |
397 | /* When PAM is enabled we rely on it to do the nologin check */ | 397 | /* When PAM is enabled we rely on it to do the nologin check */ |
398 | if (!options.use_pam) | 398 | if (!options.use_pam) |
399 | do_nologin(pw); | 399 | do_nologin(pw); |
@@ -402,7 +402,7 @@ index f2cf52006..d5d2e94b0 100644 | |||
402 | /* | 402 | /* |
403 | * PAM session modules in do_setusercontext may have | 403 | * PAM session modules in do_setusercontext may have |
404 | * generated messages, so if this in an interactive | 404 | * generated messages, so if this in an interactive |
405 | @@ -1953,7 +1953,7 @@ session_pty_req(struct ssh *ssh, Session *s) | 405 | @@ -1955,7 +1955,7 @@ session_pty_req(struct ssh *ssh, Session *s) |
406 | ssh_tty_parse_modes(ssh, s->ttyfd); | 406 | ssh_tty_parse_modes(ssh, s->ttyfd); |
407 | 407 | ||
408 | if (!use_privsep) | 408 | if (!use_privsep) |
@@ -412,10 +412,10 @@ index f2cf52006..d5d2e94b0 100644 | |||
412 | /* Set window size from the packet. */ | 412 | /* Set window size from the packet. */ |
413 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | 413 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); |
414 | diff --git a/session.h b/session.h | 414 | diff --git a/session.h b/session.h |
415 | index 54dd1f0ca..8535ebcef 100644 | 415 | index ce59dabd9..675c91146 100644 |
416 | --- a/session.h | 416 | --- a/session.h |
417 | +++ b/session.h | 417 | +++ b/session.h |
418 | @@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); | 418 | @@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *); |
419 | Session *session_new(void); | 419 | Session *session_new(void); |
420 | Session *session_by_tty(char *); | 420 | Session *session_by_tty(char *); |
421 | void session_close(struct ssh *, Session *); | 421 | void session_close(struct ssh *, Session *); |
@@ -425,10 +425,10 @@ index 54dd1f0ca..8535ebcef 100644 | |||
425 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); | 425 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); |
426 | 426 | ||
427 | diff --git a/sshd.c b/sshd.c | 427 | diff --git a/sshd.c b/sshd.c |
428 | index 71c360da0..92d15c82d 100644 | 428 | index 673db87f6..2bc6679e5 100644 |
429 | --- a/sshd.c | 429 | --- a/sshd.c |
430 | +++ b/sshd.c | 430 | +++ b/sshd.c |
431 | @@ -684,7 +684,7 @@ privsep_postauth(Authctxt *authctxt) | 431 | @@ -683,7 +683,7 @@ privsep_postauth(Authctxt *authctxt) |
432 | reseed_prngs(); | 432 | reseed_prngs(); |
433 | 433 | ||
434 | /* Drop privileges */ | 434 | /* Drop privileges */ |
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 7e91b9b14..ad574e829 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0e7d3495f758a4ecccc14eda31845ea0efc89251 Mon Sep 17 00:00:00 2001 | 1 | From cabad6b7182cd6eaa8b760718200a316e7f578ed Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch | |||
16 | 1 file changed, 2 insertions(+), 2 deletions(-) | 16 | 1 file changed, 2 insertions(+), 2 deletions(-) |
17 | 17 | ||
18 | diff --git a/sshconnect.c b/sshconnect.c | 18 | diff --git a/sshconnect.c b/sshconnect.c |
19 | index 78813c164..a2efe6d15 100644 | 19 | index 6d819279e..700ea6c3c 100644 |
20 | --- a/sshconnect.c | 20 | --- a/sshconnect.c |
21 | +++ b/sshconnect.c | 21 | +++ b/sshconnect.c |
22 | @@ -229,7 +229,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, | 22 | @@ -229,7 +229,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, |
@@ -28,7 +28,7 @@ index 78813c164..a2efe6d15 100644 | |||
28 | perror(argv[0]); | 28 | perror(argv[0]); |
29 | exit(1); | 29 | exit(1); |
30 | } | 30 | } |
31 | @@ -1525,7 +1525,7 @@ ssh_local_cmd(const char *args) | 31 | @@ -1534,7 +1534,7 @@ ssh_local_cmd(const char *args) |
32 | if (pid == 0) { | 32 | if (pid == 0) { |
33 | signal(SIGPIPE, SIG_DFL); | 33 | signal(SIGPIPE, SIG_DFL); |
34 | debug3("Executing %s -c \"%s\"", shell, args); | 34 | debug3("Executing %s -c \"%s\"", shell, args); |
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index ae29c2afb..ed6ef3d46 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 67414e1884f4ac0eb391988b932af2dd9b2ab5ae Mon Sep 17 00:00:00 2001 | 1 | From 6d4521d39a852dc5627187c045c933f4e1cb4601 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index 5f9e9bbc8..bb1e10973 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0d0221146dc61545ca1dba099f669d5d6a37504e Mon Sep 17 00:00:00 2001 | 1 | From d1064c2689df8d0894a68ac9671d14ab125bc91b Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch | |||
18 | 1 file changed, 1 insertion(+) | 18 | 1 file changed, 1 insertion(+) |
19 | 19 | ||
20 | diff --git a/ssh.1 b/ssh.1 | 20 | diff --git a/ssh.1 b/ssh.1 |
21 | index d41426781..0a8e63f51 100644 | 21 | index 5dfad6daa..ad1ed0f86 100644 |
22 | --- a/ssh.1 | 22 | --- a/ssh.1 |
23 | +++ b/ssh.1 | 23 | +++ b/ssh.1 |
24 | @@ -1575,6 +1575,7 @@ if an error occurred. | 24 | @@ -1585,6 +1585,7 @@ if an error occurred. |
25 | .Xr sftp 1 , | 25 | .Xr sftp 1 , |
26 | .Xr ssh-add 1 , | 26 | .Xr ssh-add 1 , |
27 | .Xr ssh-agent 1 , | 27 | .Xr ssh-agent 1 , |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index da0f358d8..ca3e090bd 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 80ef33d2e2559a2fcb71940f0ef0de18f426dab4 Mon Sep 17 00:00:00 2001 | 1 | From eccbd3637a2b8544fdcfdd5d1a00a9dfdac62aeb Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch | |||
17 | 2 files changed, 2 insertions(+) | 17 | 2 files changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/readconf.c b/readconf.c | 19 | diff --git a/readconf.c b/readconf.c |
20 | index 4ad3c75fe..6e26ba32d 100644 | 20 | index 36bc5e59a..5e655e924 100644 |
21 | --- a/readconf.c | 21 | --- a/readconf.c |
22 | +++ b/readconf.c | 22 | +++ b/readconf.c |
23 | @@ -190,6 +190,7 @@ static struct { | 23 | @@ -190,6 +190,7 @@ static struct { |
@@ -29,10 +29,10 @@ index 4ad3c75fe..6e26ba32d 100644 | |||
29 | { "useroaming", oDeprecated }, | 29 | { "useroaming", oDeprecated }, |
30 | { "usersh", oDeprecated }, | 30 | { "usersh", oDeprecated }, |
31 | diff --git a/servconf.c b/servconf.c | 31 | diff --git a/servconf.c b/servconf.c |
32 | index e1ae07fb7..e49984a81 100644 | 32 | index 4668b8a45..6caf1db38 100644 |
33 | --- a/servconf.c | 33 | --- a/servconf.c |
34 | +++ b/servconf.c | 34 | +++ b/servconf.c |
35 | @@ -596,6 +596,7 @@ static struct { | 35 | @@ -600,6 +600,7 @@ static struct { |
36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index 1610d40d1..3093a41fb 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d47fa6fefb418c6d8f5a6d3dd49fd9dc7fce0c74 Mon Sep 17 00:00:00 2001 | 1 | From e755ec70d62bfb9b02159123f4e870b00010be77 Mon Sep 17 00:00:00 2001 |
2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> | 2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644 | |||
33 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 33 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
34 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 34 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
35 | diff --git a/ssh.c b/ssh.c | 35 | diff --git a/ssh.c b/ssh.c |
36 | index ce628848c..6ee0f8c68 100644 | 36 | index 0777c31e4..3140fed4c 100644 |
37 | --- a/ssh.c | 37 | --- a/ssh.c |
38 | +++ b/ssh.c | 38 | +++ b/ssh.c |
39 | @@ -1252,7 +1252,7 @@ main(int ac, char **av) | 39 | @@ -1258,7 +1258,7 @@ main(int ac, char **av) |
40 | /* Do not allocate a tty if stdin is not a tty. */ | 40 | /* Do not allocate a tty if stdin is not a tty. */ |
41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && | 41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && |
42 | options.request_tty != REQUEST_TTY_FORCE) { | 42 | options.request_tty != REQUEST_TTY_FORCE) { |
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch index 95753542e..c5dee41ad 100644 --- a/debian/patches/systemd-readiness.patch +++ b/debian/patches/systemd-readiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ba2be368348f9f411377f494e209faedf53903de Mon Sep 17 00:00:00 2001 | 1 | From da34947128351bee9d2530574432190548f5be58 Mon Sep 17 00:00:00 2001 |
2 | From: Michael Biebl <biebl@debian.org> | 2 | From: Michael Biebl <biebl@debian.org> |
3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 | 3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 |
4 | Subject: Add systemd readiness notification support | 4 | Subject: Add systemd readiness notification support |
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch | |||
14 | 2 files changed, 33 insertions(+) | 14 | 2 files changed, 33 insertions(+) |
15 | 15 | ||
16 | diff --git a/configure.ac b/configure.ac | 16 | diff --git a/configure.ac b/configure.ac |
17 | index ebc10f51e..dab138640 100644 | 17 | index 917300b43..8a5db4cb5 100644 |
18 | --- a/configure.ac | 18 | --- a/configure.ac |
19 | +++ b/configure.ac | 19 | +++ b/configure.ac |
20 | @@ -4458,6 +4458,29 @@ AC_ARG_WITH([kerberos5], | 20 | @@ -4586,6 +4586,29 @@ AC_ARG_WITH([kerberos5], |
21 | AC_SUBST([GSSLIBS]) | 21 | AC_SUBST([GSSLIBS]) |
22 | AC_SUBST([K5LIBS]) | 22 | AC_SUBST([K5LIBS]) |
23 | 23 | ||
@@ -47,7 +47,7 @@ index ebc10f51e..dab138640 100644 | |||
47 | # Looking for programs, paths and files | 47 | # Looking for programs, paths and files |
48 | 48 | ||
49 | PRIVSEP_PATH=/var/empty | 49 | PRIVSEP_PATH=/var/empty |
50 | @@ -5264,6 +5287,7 @@ echo " libldns support: $LDNS_MSG" | 50 | @@ -5392,6 +5415,7 @@ echo " libldns support: $LDNS_MSG" |
51 | echo " Solaris process contract support: $SPC_MSG" | 51 | echo " Solaris process contract support: $SPC_MSG" |
52 | echo " Solaris project support: $SP_MSG" | 52 | echo " Solaris project support: $SP_MSG" |
53 | echo " Solaris privilege support: $SPP_MSG" | 53 | echo " Solaris privilege support: $SPP_MSG" |
@@ -56,7 +56,7 @@ index ebc10f51e..dab138640 100644 | |||
56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | 56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
57 | echo " BSD Auth support: $BSD_AUTH_MSG" | 57 | echo " BSD Auth support: $BSD_AUTH_MSG" |
58 | diff --git a/sshd.c b/sshd.c | 58 | diff --git a/sshd.c b/sshd.c |
59 | index 698593605..7ff109175 100644 | 59 | index d7e77d343..a1c3970b3 100644 |
60 | --- a/sshd.c | 60 | --- a/sshd.c |
61 | +++ b/sshd.c | 61 | +++ b/sshd.c |
62 | @@ -85,6 +85,10 @@ | 62 | @@ -85,6 +85,10 @@ |
@@ -70,7 +70,7 @@ index 698593605..7ff109175 100644 | |||
70 | #include "xmalloc.h" | 70 | #include "xmalloc.h" |
71 | #include "ssh.h" | 71 | #include "ssh.h" |
72 | #include "ssh2.h" | 72 | #include "ssh2.h" |
73 | @@ -1991,6 +1995,11 @@ main(int ac, char **av) | 73 | @@ -1990,6 +1994,11 @@ main(int ac, char **av) |
74 | } | 74 | } |
75 | } | 75 | } |
76 | 76 | ||
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index cc9cbacad..bc2390e06 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 840f43066f9cdf5f6bb07992aca1c5f43be8eb80 Mon Sep 17 00:00:00 2001 | 1 | From 7b931d36ad36a93d2b1811858ca29408ec44ecae Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -51,10 +51,10 @@ index 57296e1f6..546aa0495 100644 | |||
51 | pw->pw_name, buf); | 51 | pw->pw_name, buf); |
52 | auth_debug_add("Bad file modes for %.200s", buf); | 52 | auth_debug_add("Bad file modes for %.200s", buf); |
53 | diff --git a/auth.c b/auth.c | 53 | diff --git a/auth.c b/auth.c |
54 | index 80eb78c48..ad25631a5 100644 | 54 | index d8e6b4a3d..9d1d453f1 100644 |
55 | --- a/auth.c | 55 | --- a/auth.c |
56 | +++ b/auth.c | 56 | +++ b/auth.c |
57 | @@ -469,8 +469,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, | 57 | @@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, |
58 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 58 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
59 | if (options.strict_modes && | 59 | if (options.strict_modes && |
60 | (stat(user_hostfile, &st) == 0) && | 60 | (stat(user_hostfile, &st) == 0) && |
@@ -65,10 +65,10 @@ index 80eb78c48..ad25631a5 100644 | |||
65 | "bad owner or modes for %.200s", | 65 | "bad owner or modes for %.200s", |
66 | pw->pw_name, user_hostfile); | 66 | pw->pw_name, user_hostfile); |
67 | diff --git a/misc.c b/misc.c | 67 | diff --git a/misc.c b/misc.c |
68 | index ae4d29b84..2f3dbda0c 100644 | 68 | index bdc06fdb3..5159e6692 100644 |
69 | --- a/misc.c | 69 | --- a/misc.c |
70 | +++ b/misc.c | 70 | +++ b/misc.c |
71 | @@ -57,8 +57,9 @@ | 71 | @@ -58,8 +58,9 @@ |
72 | #include <netdb.h> | 72 | #include <netdb.h> |
73 | #ifdef HAVE_PATHS_H | 73 | #ifdef HAVE_PATHS_H |
74 | # include <paths.h> | 74 | # include <paths.h> |
@@ -79,7 +79,7 @@ index ae4d29b84..2f3dbda0c 100644 | |||
79 | #ifdef SSH_TUN_OPENBSD | 79 | #ifdef SSH_TUN_OPENBSD |
80 | #include <net/if.h> | 80 | #include <net/if.h> |
81 | #endif | 81 | #endif |
82 | @@ -1024,6 +1025,55 @@ percent_expand(const char *string, ...) | 82 | @@ -1028,6 +1029,55 @@ percent_expand(const char *string, ...) |
83 | #undef EXPAND_MAX_KEYS | 83 | #undef EXPAND_MAX_KEYS |
84 | } | 84 | } |
85 | 85 | ||
@@ -135,7 +135,7 @@ index ae4d29b84..2f3dbda0c 100644 | |||
135 | int | 135 | int |
136 | tun_open(int tun, int mode, char **ifname) | 136 | tun_open(int tun, int mode, char **ifname) |
137 | { | 137 | { |
138 | @@ -1782,8 +1832,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, | 138 | @@ -1786,8 +1836,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, |
139 | snprintf(err, errlen, "%s is not a regular file", buf); | 139 | snprintf(err, errlen, "%s is not a regular file", buf); |
140 | return -1; | 140 | return -1; |
141 | } | 141 | } |
@@ -145,7 +145,7 @@ index ae4d29b84..2f3dbda0c 100644 | |||
145 | snprintf(err, errlen, "bad ownership or modes for file %s", | 145 | snprintf(err, errlen, "bad ownership or modes for file %s", |
146 | buf); | 146 | buf); |
147 | return -1; | 147 | return -1; |
148 | @@ -1798,8 +1847,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, | 148 | @@ -1802,8 +1851,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, |
149 | strlcpy(buf, cp, sizeof(buf)); | 149 | strlcpy(buf, cp, sizeof(buf)); |
150 | 150 | ||
151 | if (stat(buf, &st) < 0 || | 151 | if (stat(buf, &st) < 0 || |
@@ -156,10 +156,10 @@ index ae4d29b84..2f3dbda0c 100644 | |||
156 | "bad ownership or modes for directory %s", buf); | 156 | "bad ownership or modes for directory %s", buf); |
157 | return -1; | 157 | return -1; |
158 | diff --git a/misc.h b/misc.h | 158 | diff --git a/misc.h b/misc.h |
159 | index 6be289fd2..213c3abb7 100644 | 159 | index 31b207a8d..aaf966e65 100644 |
160 | --- a/misc.h | 160 | --- a/misc.h |
161 | +++ b/misc.h | 161 | +++ b/misc.h |
162 | @@ -167,6 +167,8 @@ int safe_path_fd(int, const char *, struct passwd *, | 162 | @@ -168,6 +168,8 @@ int safe_path_fd(int, const char *, struct passwd *, |
163 | char *read_passphrase(const char *, int); | 163 | char *read_passphrase(const char *, int); |
164 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 164 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
165 | 165 | ||
@@ -169,10 +169,10 @@ index 6be289fd2..213c3abb7 100644 | |||
169 | #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) | 169 | #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) |
170 | #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) | 170 | #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) |
171 | diff --git a/readconf.c b/readconf.c | 171 | diff --git a/readconf.c b/readconf.c |
172 | index 3fd0fe7b7..3ed6dfb54 100644 | 172 | index 052d4b1ac..6b01f20d2 100644 |
173 | --- a/readconf.c | 173 | --- a/readconf.c |
174 | +++ b/readconf.c | 174 | +++ b/readconf.c |
175 | @@ -1795,8 +1795,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, | 175 | @@ -1820,8 +1820,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, |
176 | 176 | ||
177 | if (fstat(fileno(f), &sb) == -1) | 177 | if (fstat(fileno(f), &sb) == -1) |
178 | fatal("fstat %s: %s", filename, strerror(errno)); | 178 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -183,10 +183,10 @@ index 3fd0fe7b7..3ed6dfb54 100644 | |||
183 | } | 183 | } |
184 | 184 | ||
185 | diff --git a/ssh.1 b/ssh.1 | 185 | diff --git a/ssh.1 b/ssh.1 |
186 | index b20908a5e..cb0fdd50e 100644 | 186 | index 7760c3075..81f29af43 100644 |
187 | --- a/ssh.1 | 187 | --- a/ssh.1 |
188 | +++ b/ssh.1 | 188 | +++ b/ssh.1 |
189 | @@ -1475,6 +1475,8 @@ The file format and configuration options are described in | 189 | @@ -1485,6 +1485,8 @@ The file format and configuration options are described in |
190 | .Xr ssh_config 5 . | 190 | .Xr ssh_config 5 . |
191 | Because of the potential for abuse, this file must have strict permissions: | 191 | Because of the potential for abuse, this file must have strict permissions: |
192 | read/write for the user, and not writable by others. | 192 | read/write for the user, and not writable by others. |
@@ -196,10 +196,10 @@ index b20908a5e..cb0fdd50e 100644 | |||
196 | .It Pa ~/.ssh/environment | 196 | .It Pa ~/.ssh/environment |
197 | Contains additional definitions for environment variables; see | 197 | Contains additional definitions for environment variables; see |
198 | diff --git a/ssh_config.5 b/ssh_config.5 | 198 | diff --git a/ssh_config.5 b/ssh_config.5 |
199 | index 86ada128e..03341a229 100644 | 199 | index 54e143c93..7d55fa820 100644 |
200 | --- a/ssh_config.5 | 200 | --- a/ssh_config.5 |
201 | +++ b/ssh_config.5 | 201 | +++ b/ssh_config.5 |
202 | @@ -1813,6 +1813,8 @@ The format of this file is described above. | 202 | @@ -1835,6 +1835,8 @@ The format of this file is described above. |
203 | This file is used by the SSH client. | 203 | This file is used by the SSH client. |
204 | Because of the potential for abuse, this file must have strict permissions: | 204 | Because of the potential for abuse, this file must have strict permissions: |
205 | read/write for the user, and not accessible by others. | 205 | read/write for the user, and not accessible by others. |