diff options
Diffstat (limited to 'debian')
-rw-r--r-- | debian/patches/gssapi-autoconf.patch | 5 | ||||
-rw-r--r-- | debian/patches/gssapi-compat.patch | 30 | ||||
-rw-r--r-- | debian/patches/gssapi-dump.patch | 20 | ||||
-rw-r--r-- | debian/patches/gssapi.patch | 17 | ||||
-rw-r--r-- | debian/patches/old-gssapi.patch | 41 | ||||
-rw-r--r-- | debian/patches/series | 2 |
6 files changed, 80 insertions, 35 deletions
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch index 1e7949116..0ae7d0129 100644 --- a/debian/patches/gssapi-autoconf.patch +++ b/debian/patches/gssapi-autoconf.patch | |||
@@ -1,3 +1,8 @@ | |||
1 | Description: Update config.h.in following GSSAPI patch | ||
2 | Author: Colin Watson <cjwatson@debian.org> | ||
3 | Forwarded: not-needed | ||
4 | Last-Updated: 2010-02-27 | ||
5 | |||
1 | Index: b/config.h.in | 6 | Index: b/config.h.in |
2 | =================================================================== | 7 | =================================================================== |
3 | --- a/config.h.in | 8 | --- a/config.h.in |
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch new file mode 100644 index 000000000..773a10895 --- /dev/null +++ b/debian/patches/gssapi-compat.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | Description: Compatibility with old GSSAPI option names | ||
2 | These options were supported by the old ssh-krb5 package in Debian. | ||
3 | Author: Colin Watson <cjwatson@debian.org> | ||
4 | Last-Updated: 2010-02-27 | ||
5 | |||
6 | Index: b/servconf.c | ||
7 | =================================================================== | ||
8 | --- a/servconf.c | ||
9 | +++ b/servconf.c | ||
10 | @@ -375,16 +375,20 @@ | ||
11 | #ifdef GSSAPI | ||
12 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | ||
13 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
14 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
15 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | ||
16 | { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | ||
17 | { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | ||
18 | #else | ||
19 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | ||
20 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | ||
21 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | ||
22 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | ||
23 | { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | ||
24 | { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | ||
25 | #endif | ||
26 | + { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, | ||
27 | + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, | ||
28 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | ||
29 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | ||
30 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | ||
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch new file mode 100644 index 000000000..7292ac08d --- /dev/null +++ b/debian/patches/gssapi-dump.patch | |||
@@ -0,0 +1,20 @@ | |||
1 | Description: GSSAPI configuration dump fixes | ||
2 | Add GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck to sshd -T | ||
3 | configuration dump. | ||
4 | Author: Colin Watson <cjwatson@debian.org> | ||
5 | Last-Updated: 2010-02-27 | ||
6 | |||
7 | Index: b/servconf.c | ||
8 | =================================================================== | ||
9 | --- a/servconf.c | ||
10 | +++ b/servconf.c | ||
11 | @@ -1624,7 +1624,9 @@ | ||
12 | #endif | ||
13 | #ifdef GSSAPI | ||
14 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | ||
15 | + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); | ||
16 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | ||
17 | + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); | ||
18 | #endif | ||
19 | #ifdef JPAKE | ||
20 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | ||
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index a60a8b4e1..6550ba60b 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,3 +1,20 @@ | |||
1 | Description: GSSAPI key exchange support | ||
2 | This patch has been rejected upstream: "None of the OpenSSH developers are | ||
3 | in favour of adding this, and this situation has not changed for several | ||
4 | years. This is not a slight on Simon's patch, which is of fine quality, | ||
5 | but just that a) we don't trust GSSAPI implementations that much and b) we | ||
6 | don't like adding new KEX since they are pre-auth attack surface. This one | ||
7 | is particularly scary, since it requires hooks out to typically root-owned | ||
8 | system resources." | ||
9 | . | ||
10 | However, quite a lot of people rely on this in Debian, and it's better to | ||
11 | have it merged into the main openssh package rather than having separate | ||
12 | -krb5 packages (as we used to have). It seems to have a generally good | ||
13 | security history. | ||
14 | Author: Simon Wilkinson <simon@sxw.org.uk> | ||
15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | ||
16 | Last-Updated: 2010-02-27 | ||
17 | |||
1 | Index: b/ChangeLog.gssapi | 18 | Index: b/ChangeLog.gssapi |
2 | =================================================================== | 19 | =================================================================== |
3 | --- /dev/null | 20 | --- /dev/null |
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch index 272654fd8..e2c4baa49 100644 --- a/debian/patches/old-gssapi.patch +++ b/debian/patches/old-gssapi.patch | |||
@@ -1,38 +1,9 @@ | |||
1 | Index: b/servconf.c | 1 | Description: Interoperate with old GSSAPI authentication method |
2 | =================================================================== | 2 | ssh-krb5 << 3.8.1p1-1 servers used a slightly different version. |
3 | --- a/servconf.c | 3 | Author: "Aaron M. Ucko" <ucko@debian.org> |
4 | +++ b/servconf.c | 4 | Bug-Debian: http://bugs.debian.org/328388 |
5 | @@ -375,16 +375,20 @@ | 5 | Last-Updated: 2010-02-27 |
6 | #ifdef GSSAPI | 6 | |
7 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | ||
8 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
9 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
10 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | ||
11 | { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | ||
12 | { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | ||
13 | #else | ||
14 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | ||
15 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | ||
16 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | ||
17 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | ||
18 | { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | ||
19 | { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | ||
20 | #endif | ||
21 | + { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, | ||
22 | + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, | ||
23 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | ||
24 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | ||
25 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | ||
26 | @@ -1620,7 +1624,9 @@ | ||
27 | #endif | ||
28 | #ifdef GSSAPI | ||
29 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | ||
30 | + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); | ||
31 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | ||
32 | + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); | ||
33 | #endif | ||
34 | #ifdef JPAKE | ||
35 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | ||
36 | Index: b/sshconnect2.c | 7 | Index: b/sshconnect2.c |
37 | =================================================================== | 8 | =================================================================== |
38 | --- a/sshconnect2.c | 9 | --- a/sshconnect2.c |
diff --git a/debian/patches/series b/debian/patches/series index fa74a5ee6..18758bf51 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -1,6 +1,8 @@ | |||
1 | # GSSAPI | 1 | # GSSAPI |
2 | gssapi.patch | 2 | gssapi.patch |
3 | gssapi-autoconf.patch | 3 | gssapi-autoconf.patch |
4 | gssapi-compat.patch | ||
5 | gssapi-dump.patch | ||
4 | old-gssapi.patch | 6 | old-gssapi.patch |
5 | 7 | ||
6 | # Autotools | 8 | # Autotools |