Diffstat (limited to 'debian')
24 files changed, 278 insertions, 312 deletions
diff --git a/debian/changelog b/debian/changelog index 294f29f30..84269b035 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,30 @@ | |||
1 | openssh (1:5.7p1-1) UNRELEASED; urgency=low | ||
2 | |||
3 | * New upstream release (http://www.openssh.org/txt/release-5.7): | ||
4 | - Implement Elliptic Curve Cryptography modes for key exchange (ECDH) | ||
5 | and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA | ||
6 | offer better performance than plain DH and DSA at the same equivalent | ||
7 | symmetric key length, as well as much shorter keys. | ||
8 | - sftp(1)/sftp-server(8): add a protocol extension to support a hard | ||
9 | link operation. It is available through the "ln" command in the | ||
10 | client. The old "ln" behaviour of creating a symlink is available | ||
11 | using its "-s" option or through the preexisting "symlink" command. | ||
12 | - scp(1): Add a new -3 option to scp: Copies between two remote hosts | ||
13 | are transferred through the local host (closes: #508613). | ||
14 | - ssh(1): "atomically" create the listening mux socket by binding it on | ||
15 | a temporary name and then linking it into position after listen() has | ||
16 | succeeded. This allows the mux clients to determine that the server | ||
17 | socket is either ready or stale without races (closes: #454784). | ||
18 | Stale server sockets are now automatically removed (closes: #523250). | ||
19 | - ssh(1): install a SIGCHLD handler to reap expired child process | ||
20 | (closes: #594687). | ||
21 | - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent | ||
22 | temporary directories (closes: #357469, although only if you arrange | ||
23 | for ssh-agent to actually see $TMPDIR since the setgid bit will cause | ||
24 | it to be stripped off). | ||
25 | |||
26 | -- Colin Watson <cjwatson@debian.org> Mon, 24 Jan 2011 12:07:24 +0000 | ||
27 | |||
1 | openssh (1:5.6p1-3) experimental; urgency=low | 28 | openssh (1:5.6p1-3) experimental; urgency=low |
2 | 29 | ||
3 | * Drop override for desktop-file-but-no-dh_desktop-call, which Lintian no | 30 | * Drop override for desktop-file-but-no-dh_desktop-call, which Lintian no |
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index 34535f001..891b934ab 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -8,7 +8,7 @@ Index: b/Makefile.in | |||
8 | =================================================================== | 8 | =================================================================== |
9 | --- a/Makefile.in | 9 | --- a/Makefile.in |
10 | +++ b/Makefile.in | 10 | +++ b/Makefile.in |
11 | @@ -284,6 +284,7 @@ | 11 | @@ -287,6 +287,7 @@ |
12 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | 12 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 |
13 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | 13 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 |
14 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 14 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index b0761420e..32251397d 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -10,42 +10,42 @@ Index: b/servconf.c | |||
10 | =================================================================== | 10 | =================================================================== |
11 | --- a/servconf.c | 11 | --- a/servconf.c |
12 | +++ b/servconf.c | 12 | +++ b/servconf.c |
13 | @@ -136,6 +136,7 @@ | 13 | @@ -143,6 +143,7 @@ |
14 | options->revoked_keys_file = NULL; | ||
15 | options->trusted_user_ca_keys = NULL; | ||
16 | options->authorized_principals_file = NULL; | 14 | options->authorized_principals_file = NULL; |
15 | options->ip_qos_interactive = -1; | ||
16 | options->ip_qos_bulk = -1; | ||
17 | + options->debian_banner = -1; | 17 | + options->debian_banner = -1; |
18 | } | 18 | } |
19 | 19 | ||
20 | void | 20 | void |
21 | @@ -278,6 +279,8 @@ | 21 | @@ -293,6 +294,8 @@ |
22 | options->permit_tun = SSH_TUNMODE_NO; | 22 | options->ip_qos_interactive = IPTOS_LOWDELAY; |
23 | if (options->zero_knowledge_password_authentication == -1) | 23 | if (options->ip_qos_bulk == -1) |
24 | options->zero_knowledge_password_authentication = 0; | 24 | options->ip_qos_bulk = IPTOS_THROUGHPUT; |
25 | + if (options->debian_banner == -1) | 25 | + if (options->debian_banner == -1) |
26 | + options->debian_banner = 1; | 26 | + options->debian_banner = 1; |
27 | 27 | ||
28 | /* Turn privilege separation on by default */ | 28 | /* Turn privilege separation on by default */ |
29 | if (use_privsep == -1) | 29 | if (use_privsep == -1) |
30 | @@ -326,6 +329,7 @@ | 30 | @@ -342,6 +345,7 @@ |
31 | sUsePrivilegeSeparation, sAllowAgentForwarding, | ||
32 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 31 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
33 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 32 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
33 | sKexAlgorithms, sIPQoS, | ||
34 | + sDebianBanner, | 34 | + sDebianBanner, |
35 | sDeprecated, sUnsupported | 35 | sDeprecated, sUnsupported |
36 | } ServerOpCodes; | 36 | } ServerOpCodes; |
37 | 37 | ||
38 | @@ -459,6 +463,7 @@ | 38 | @@ -477,6 +481,7 @@ |
39 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, | ||
40 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, | ||
41 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, | 39 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
40 | { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, | ||
41 | { "ipqos", sIPQoS, SSHCFG_ALL }, | ||
42 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 42 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
43 | { NULL, sBadOption, 0 } | 43 | { NULL, sBadOption, 0 } |
44 | }; | 44 | }; |
45 | 45 | ||
46 | @@ -1392,6 +1397,10 @@ | 46 | @@ -1439,6 +1444,10 @@ |
47 | charptr = &options->revoked_keys_file; | 47 | } |
48 | goto parse_filename; | 48 | break; |
49 | 49 | ||
50 | + case sDebianBanner: | 50 | + case sDebianBanner: |
51 | + intptr = &options->debian_banner; | 51 | + intptr = &options->debian_banner; |
@@ -58,7 +58,7 @@ Index: b/servconf.h | |||
58 | =================================================================== | 58 | =================================================================== |
59 | --- a/servconf.h | 59 | --- a/servconf.h |
60 | +++ b/servconf.h | 60 | +++ b/servconf.h |
61 | @@ -157,6 +157,8 @@ | 61 | @@ -160,6 +160,8 @@ |
62 | 62 | ||
63 | int num_permitted_opens; | 63 | int num_permitted_opens; |
64 | 64 | ||
@@ -85,7 +85,7 @@ Index: b/sshd_config.5 | |||
85 | =================================================================== | 85 | =================================================================== |
86 | --- a/sshd_config.5 | 86 | --- a/sshd_config.5 |
87 | +++ b/sshd_config.5 | 87 | +++ b/sshd_config.5 |
88 | @@ -340,6 +340,11 @@ | 88 | @@ -339,6 +339,11 @@ |
89 | .Dq no . | 89 | .Dq no . |
90 | The default is | 90 | The default is |
91 | .Dq delayed . | 91 | .Dq delayed . |
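Review bot: The refreshed servconf.c hunk headed `@@ -1439,6 +1444,10 @@` (patch lines 88–93) now anchors the inserted `case sDebianBanner:` on the generic context `}` / `break;` / blank line rather than the previous option-specific `charptr = &options->revoked_keys_file;` / `goto parse_filename;` pair, and that closing pattern is not unique inside the option switch. The hunk applies today by line offset, but on a later upstream rebase patch could land the case in a different switch arm with fuzz instead of a reject, which is easy to miss in a refresh-only commit like this one. Regenerating this hunk with a few more context lines, or moving the insertion point to follow a distinctive option-specific line, would keep the anchor unambiguous. The enclosing switch and its function begin and end outside the quoted hunk, so this is inferred from the visible context only.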
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 2fe365639..e804aa526 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -24,7 +24,7 @@ Index: b/readconf.c | |||
24 | =================================================================== | 24 | =================================================================== |
25 | --- a/readconf.c | 25 | --- a/readconf.c |
26 | +++ b/readconf.c | 26 | +++ b/readconf.c |
27 | @@ -1179,7 +1179,7 @@ | 27 | @@ -1223,7 +1223,7 @@ |
28 | if (options->forward_x11 == -1) | 28 | if (options->forward_x11 == -1) |
29 | options->forward_x11 = 0; | 29 | options->forward_x11 = 0; |
30 | if (options->forward_x11_trusted == -1) | 30 | if (options->forward_x11_trusted == -1) |
@@ -61,7 +61,7 @@ Index: b/ssh_config.5 | |||
61 | =================================================================== | 61 | =================================================================== |
62 | --- a/ssh_config.5 | 62 | --- a/ssh_config.5 |
63 | +++ b/ssh_config.5 | 63 | +++ b/ssh_config.5 |
64 | @@ -72,6 +72,22 @@ | 64 | @@ -71,6 +71,22 @@ |
65 | host-specific declarations should be given near the beginning of the | 65 | host-specific declarations should be given near the beginning of the |
66 | file, and general defaults at the end. | 66 | file, and general defaults at the end. |
67 | .Pp | 67 | .Pp |
@@ -84,7 +84,7 @@ Index: b/ssh_config.5 | |||
84 | The configuration file has the following format: | 84 | The configuration file has the following format: |
85 | .Pp | 85 | .Pp |
86 | Empty lines and lines starting with | 86 | Empty lines and lines starting with |
87 | @@ -483,7 +499,8 @@ | 87 | @@ -482,7 +498,8 @@ |
88 | Remote clients will be refused access after this time. | 88 | Remote clients will be refused access after this time. |
89 | .Pp | 89 | .Pp |
90 | The default is | 90 | The default is |
@@ -98,7 +98,7 @@ Index: b/sshd_config | |||
98 | =================================================================== | 98 | =================================================================== |
99 | --- a/sshd_config | 99 | --- a/sshd_config |
100 | +++ b/sshd_config | 100 | +++ b/sshd_config |
101 | @@ -36,6 +36,7 @@ | 101 | @@ -37,6 +37,7 @@ |
102 | # Authentication: | 102 | # Authentication: |
103 | 103 | ||
104 | #LoginGraceTime 2m | 104 | #LoginGraceTime 2m |
@@ -110,7 +110,7 @@ Index: b/sshd_config.5 | |||
110 | =================================================================== | 110 | =================================================================== |
111 | --- a/sshd_config.5 | 111 | --- a/sshd_config.5 |
112 | +++ b/sshd_config.5 | 112 | +++ b/sshd_config.5 |
113 | @@ -58,6 +58,33 @@ | 113 | @@ -57,6 +57,33 @@ |
114 | .Pq \&" | 114 | .Pq \&" |
115 | in order to represent arguments containing spaces. | 115 | in order to represent arguments containing spaces. |
116 | .Pp | 116 | .Pp |
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index a71b42f0f..8e8285a1f 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -9,7 +9,7 @@ Index: b/dns.c | |||
9 | =================================================================== | 9 | =================================================================== |
10 | --- a/dns.c | 10 | --- a/dns.c |
11 | +++ b/dns.c | 11 | +++ b/dns.c |
12 | @@ -176,6 +176,7 @@ | 12 | @@ -177,6 +177,7 @@ |
13 | { | 13 | { |
14 | u_int counter; | 14 | u_int counter; |
15 | int result; | 15 | int result; |
@@ -17,7 +17,7 @@ Index: b/dns.c | |||
17 | struct rrsetinfo *fingerprints = NULL; | 17 | struct rrsetinfo *fingerprints = NULL; |
18 | 18 | ||
19 | u_int8_t hostkey_algorithm; | 19 | u_int8_t hostkey_algorithm; |
20 | @@ -199,8 +200,19 @@ | 20 | @@ -200,8 +201,19 @@ |
21 | return -1; | 21 | return -1; |
22 | } | 22 | } |
23 | 23 | ||
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index fb522013c..5cf8aa46b 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -8,7 +8,7 @@ Index: b/ssh_config.5 | |||
8 | =================================================================== | 8 | =================================================================== |
9 | --- a/ssh_config.5 | 9 | --- a/ssh_config.5 |
10 | +++ b/ssh_config.5 | 10 | +++ b/ssh_config.5 |
11 | @@ -562,6 +562,9 @@ | 11 | @@ -566,6 +566,9 @@ |
12 | will not be converted automatically, | 12 | will not be converted automatically, |
13 | but may be manually hashed using | 13 | but may be manually hashed using |
14 | .Xr ssh-keygen 1 . | 14 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch index d88382dcb..51d8a8e72 100644 --- a/debian/patches/gssapi-autoconf.patch +++ b/debian/patches/gssapi-autoconf.patch | |||
@@ -7,7 +7,7 @@ Index: b/config.h.in | |||
7 | =================================================================== | 7 | =================================================================== |
8 | --- a/config.h.in | 8 | --- a/config.h.in |
9 | +++ b/config.h.in | 9 | +++ b/config.h.in |
10 | @@ -1387,6 +1387,9 @@ | 10 | @@ -1417,6 +1417,9 @@ |
11 | /* Use btmp to log bad logins */ | 11 | /* Use btmp to log bad logins */ |
12 | #undef USE_BTMP | 12 | #undef USE_BTMP |
13 | 13 | ||
@@ -17,7 +17,7 @@ Index: b/config.h.in | |||
17 | /* Use libedit for sftp */ | 17 | /* Use libedit for sftp */ |
18 | #undef USE_LIBEDIT | 18 | #undef USE_LIBEDIT |
19 | 19 | ||
20 | @@ -1399,6 +1402,9 @@ | 20 | @@ -1432,6 +1435,9 @@ |
21 | /* Use PIPES instead of a socketpair() */ | 21 | /* Use PIPES instead of a socketpair() */ |
22 | #undef USE_PIPES | 22 | #undef USE_PIPES |
23 | 23 | ||
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch deleted file mode 100644 index b93134933..000000000 --- a/debian/patches/gssapi-compat.patch +++ /dev/null | |||
@@ -1,33 +0,0 @@ | |||
1 | Description: Compatibility with old GSSAPI option names | ||
2 | These options were supported by the old ssh-krb5 package in Debian. | ||
3 | . | ||
4 | Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch. | ||
5 | Author: Colin Watson <cjwatson@debian.org> | ||
6 | Forwarded: yes | ||
7 | Last-Updated: 2010-03-01 | ||
8 | |||
9 | Index: b/servconf.c | ||
10 | =================================================================== | ||
11 | --- a/servconf.c | ||
12 | +++ b/servconf.c | ||
13 | @@ -381,16 +381,20 @@ | ||
14 | #ifdef GSSAPI | ||
15 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | ||
16 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
17 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
18 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | ||
19 | { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | ||
20 | { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | ||
21 | #else | ||
22 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | ||
23 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | ||
24 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | ||
25 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | ||
26 | { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | ||
27 | { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | ||
28 | #endif | ||
29 | + { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, | ||
30 | + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, | ||
31 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | ||
32 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | ||
33 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | ||
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch deleted file mode 100644 index 0969c59b4..000000000 --- a/debian/patches/gssapi-dump.patch +++ /dev/null | |||
@@ -1,24 +0,0 @@ | |||
1 | Description: GSSAPI configuration dump fixes | ||
2 | Add GSSAPIKeyExchange, GSSAPIStrictAcceptorCheck, and | ||
3 | GSSAPIStoreCredentialsOnRekey to sshd -T configuration dump. | ||
4 | . | ||
5 | Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch. | ||
6 | Author: Colin Watson <cjwatson@debian.org> | ||
7 | Forwarded: yes | ||
8 | Last-Updated: 2010-02-27 | ||
9 | |||
10 | Index: b/servconf.c | ||
11 | =================================================================== | ||
12 | --- a/servconf.c | ||
13 | +++ b/servconf.c | ||
14 | @@ -1688,7 +1688,10 @@ | ||
15 | #endif | ||
16 | #ifdef GSSAPI | ||
17 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | ||
18 | + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); | ||
19 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | ||
20 | + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); | ||
21 | + dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); | ||
22 | #endif | ||
23 | #ifdef JPAKE | ||
24 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | ||
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 778c23023..692437142 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -19,14 +19,24 @@ Index: b/ChangeLog.gssapi | |||
19 | =================================================================== | 19 | =================================================================== |
20 | --- /dev/null | 20 | --- /dev/null |
21 | +++ b/ChangeLog.gssapi | 21 | +++ b/ChangeLog.gssapi |
22 | @@ -0,0 +1,103 @@ | 22 | @@ -0,0 +1,113 @@ |
23 | +20110101 | ||
24 | + - Finally update for OpenSSH 5.6p1 | ||
25 | + - Add GSSAPIServerIdentity option from Jim Basney | ||
26 | + | ||
27 | +20100308 | ||
28 | + - [ Makefile.in, key.c, key.h ] | ||
29 | + Updates for OpenSSH 5.4p1 | ||
30 | + - [ servconf.c ] | ||
31 | + Include GSSAPI options in the sshd -T configuration dump, and flag | ||
32 | + some older configuration options as being unsupported. Thanks to Colin | ||
33 | + Watson. | ||
34 | + - | ||
35 | + | ||
23 | +20100124 | 36 | +20100124 |
24 | + - [ sshconnect2.c ] | 37 | + - [ sshconnect2.c ] |
25 | + Adapt to deal with additional element in Authmethod structure. Thanks to | 38 | + Adapt to deal with additional element in Authmethod structure. Thanks to |
26 | + Colin Wilson | 39 | + Colin Watson |
27 | + - [ clientloop.c ] | ||
28 | + Protect credentials updated code with suitable #ifdefs. Thanks to Colin | ||
29 | + Wilson | ||
30 | + | 40 | + |
31 | +20090615 | 41 | +20090615 |
32 | + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c | 42 | + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c |
@@ -127,23 +137,23 @@ Index: b/Makefile.in | |||
127 | =================================================================== | 137 | =================================================================== |
128 | --- a/Makefile.in | 138 | --- a/Makefile.in |
129 | +++ b/Makefile.in | 139 | +++ b/Makefile.in |
130 | @@ -74,7 +74,7 @@ | 140 | @@ -75,7 +75,7 @@ |
131 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ | 141 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
132 | kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ | 142 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
133 | entropy.o gss-genr.o umac.o jpake.o schnorr.o \ | 143 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ |
134 | - ssh-pkcs11.o | 144 | - schnorr.o ssh-pkcs11.o |
135 | + ssh-pkcs11.o kexgssc.o | 145 | + schnorr.o kexgssc.o ssh-pkcs11.o |
136 | 146 | ||
137 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 147 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
138 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ | 148 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ |
139 | @@ -88,7 +88,7 @@ | 149 | @@ -90,7 +90,7 @@ |
140 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | 150 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ |
141 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ | 151 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
142 | auth-krb5.o \ | 152 | auth-krb5.o \ |
143 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ | 153 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ |
144 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ | 154 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ |
145 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 155 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
146 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ | 156 | sftp-server.o sftp-common.o \ |
147 | roaming_common.o roaming_serv.o | 157 | roaming_common.o roaming_serv.o |
148 | Index: b/auth-krb5.c | 158 | Index: b/auth-krb5.c |
149 | =================================================================== | 159 | =================================================================== |
@@ -384,7 +394,7 @@ Index: b/configure.ac | |||
384 | =================================================================== | 394 | =================================================================== |
385 | --- a/configure.ac | 395 | --- a/configure.ac |
386 | +++ b/configure.ac | 396 | +++ b/configure.ac |
387 | @@ -477,6 +477,30 @@ | 397 | @@ -514,6 +514,30 @@ |
388 | [Use tunnel device compatibility to OpenBSD]) | 398 | [Use tunnel device compatibility to OpenBSD]) |
389 | AC_DEFINE(SSH_TUN_PREPEND_AF, 1, | 399 | AC_DEFINE(SSH_TUN_PREPEND_AF, 1, |
390 | [Prepend the address family to IP tunnel traffic]) | 400 | [Prepend the address family to IP tunnel traffic]) |
@@ -1222,9 +1232,9 @@ Index: b/kex.c | |||
1222 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1232 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1223 | # if defined(HAVE_EVP_SHA256) | 1233 | # if defined(HAVE_EVP_SHA256) |
1224 | # define evp_ssh_sha256 EVP_sha256 | 1234 | # define evp_ssh_sha256 EVP_sha256 |
1225 | @@ -326,6 +330,20 @@ | 1235 | @@ -358,6 +362,20 @@ |
1226 | k->kex_type = KEX_DH_GEX_SHA256; | 1236 | k->kex_type = KEX_ECDH_SHA2; |
1227 | k->evp_md = evp_ssh_sha256(); | 1237 | k->evp_md = kex_ecdh_name_to_evpmd(k->name); |
1228 | #endif | 1238 | #endif |
1229 | +#ifdef GSSAPI | 1239 | +#ifdef GSSAPI |
1230 | + } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, | 1240 | + } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, |
@@ -1247,17 +1257,17 @@ Index: b/kex.h | |||
1247 | =================================================================== | 1257 | =================================================================== |
1248 | --- a/kex.h | 1258 | --- a/kex.h |
1249 | +++ b/kex.h | 1259 | +++ b/kex.h |
1250 | @@ -67,6 +67,9 @@ | 1260 | @@ -73,6 +73,9 @@ |
1251 | KEX_DH_GRP14_SHA1, | ||
1252 | KEX_DH_GEX_SHA1, | 1261 | KEX_DH_GEX_SHA1, |
1253 | KEX_DH_GEX_SHA256, | 1262 | KEX_DH_GEX_SHA256, |
1263 | KEX_ECDH_SHA2, | ||
1254 | + KEX_GSS_GRP1_SHA1, | 1264 | + KEX_GSS_GRP1_SHA1, |
1255 | + KEX_GSS_GRP14_SHA1, | 1265 | + KEX_GSS_GRP14_SHA1, |
1256 | + KEX_GSS_GEX_SHA1, | 1266 | + KEX_GSS_GEX_SHA1, |
1257 | KEX_MAX | 1267 | KEX_MAX |
1258 | }; | 1268 | }; |
1259 | 1269 | ||
1260 | @@ -123,6 +126,12 @@ | 1270 | @@ -129,6 +132,12 @@ |
1261 | sig_atomic_t done; | 1271 | sig_atomic_t done; |
1262 | int flags; | 1272 | int flags; |
1263 | const EVP_MD *evp_md; | 1273 | const EVP_MD *evp_md; |
@@ -1270,9 +1280,9 @@ Index: b/kex.h | |||
1270 | char *client_version_string; | 1280 | char *client_version_string; |
1271 | char *server_version_string; | 1281 | char *server_version_string; |
1272 | int (*verify_host_key)(Key *); | 1282 | int (*verify_host_key)(Key *); |
1273 | @@ -146,6 +155,11 @@ | 1283 | @@ -156,6 +165,11 @@ |
1274 | void kexgex_client(Kex *); | 1284 | void kexecdh_client(Kex *); |
1275 | void kexgex_server(Kex *); | 1285 | void kexecdh_server(Kex *); |
1276 | 1286 | ||
1277 | +#ifdef GSSAPI | 1287 | +#ifdef GSSAPI |
1278 | +void kexgss_client(Kex *); | 1288 | +void kexgss_client(Kex *); |
@@ -1918,21 +1928,30 @@ Index: b/key.c | |||
1918 | =================================================================== | 1928 | =================================================================== |
1919 | --- a/key.c | 1929 | --- a/key.c |
1920 | +++ b/key.c | 1930 | +++ b/key.c |
1921 | @@ -1020,6 +1020,8 @@ | 1931 | @@ -971,6 +971,8 @@ |
1922 | return KEY_RSA_CERT; | 1932 | } |
1923 | } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { | 1933 | break; |
1924 | return KEY_DSA_CERT; | 1934 | #endif /* OPENSSL_HAS_ECC */ |
1935 | + case KEY_NULL: | ||
1936 | + return "null"; | ||
1937 | } | ||
1938 | return "ssh-unknown"; | ||
1939 | } | ||
1940 | @@ -1276,6 +1278,8 @@ | ||
1941 | strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { | ||
1942 | return KEY_ECDSA_CERT; | ||
1943 | #endif | ||
1925 | + } else if (strcmp(name, "null") == 0) { | 1944 | + } else if (strcmp(name, "null") == 0) { |
1926 | + return KEY_NULL; | 1945 | + return KEY_NULL; |
1927 | } | 1946 | } |
1947 | |||
1928 | debug2("key_type_from_name: unknown key type '%s'", name); | 1948 | debug2("key_type_from_name: unknown key type '%s'", name); |
1929 | return KEY_UNSPEC; | ||
1930 | Index: b/key.h | 1949 | Index: b/key.h |
1931 | =================================================================== | 1950 | =================================================================== |
1932 | --- a/key.h | 1951 | --- a/key.h |
1933 | +++ b/key.h | 1952 | +++ b/key.h |
1934 | @@ -39,6 +39,7 @@ | 1953 | @@ -44,6 +44,7 @@ |
1935 | KEY_DSA_CERT, | 1954 | KEY_ECDSA_CERT, |
1936 | KEY_RSA_CERT_V00, | 1955 | KEY_RSA_CERT_V00, |
1937 | KEY_DSA_CERT_V00, | 1956 | KEY_DSA_CERT_V00, |
1938 | + KEY_NULL, | 1957 | + KEY_NULL, |
@@ -1995,10 +2014,10 @@ Index: b/monitor.c | |||
1995 | } else { | 2014 | } else { |
1996 | mon_dispatch = mon_dispatch_postauth15; | 2015 | mon_dispatch = mon_dispatch_postauth15; |
1997 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2016 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
1998 | @@ -1691,6 +1708,13 @@ | 2017 | @@ -1692,6 +1709,13 @@ |
1999 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | ||
2000 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2018 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2001 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2019 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2020 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | ||
2002 | +#ifdef GSSAPI | 2021 | +#ifdef GSSAPI |
2003 | + if (options.gss_keyex) { | 2022 | + if (options.gss_keyex) { |
2004 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | 2023 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; |
@@ -2009,7 +2028,7 @@ Index: b/monitor.c | |||
2009 | kex->server = 1; | 2028 | kex->server = 1; |
2010 | kex->hostkey_type = buffer_get_int(m); | 2029 | kex->hostkey_type = buffer_get_int(m); |
2011 | kex->kex_type = buffer_get_int(m); | 2030 | kex->kex_type = buffer_get_int(m); |
2012 | @@ -1897,6 +1921,9 @@ | 2031 | @@ -1898,6 +1922,9 @@ |
2013 | OM_uint32 major; | 2032 | OM_uint32 major; |
2014 | u_int len; | 2033 | u_int len; |
2015 | 2034 | ||
@@ -2019,7 +2038,7 @@ Index: b/monitor.c | |||
2019 | goid.elements = buffer_get_string(m, &len); | 2038 | goid.elements = buffer_get_string(m, &len); |
2020 | goid.length = len; | 2039 | goid.length = len; |
2021 | 2040 | ||
2022 | @@ -1924,6 +1951,9 @@ | 2041 | @@ -1925,6 +1952,9 @@ |
2023 | OM_uint32 flags = 0; /* GSI needs this */ | 2042 | OM_uint32 flags = 0; /* GSI needs this */ |
2024 | u_int len; | 2043 | u_int len; |
2025 | 2044 | ||
@@ -2029,7 +2048,7 @@ Index: b/monitor.c | |||
2029 | in.value = buffer_get_string(m, &len); | 2048 | in.value = buffer_get_string(m, &len); |
2030 | in.length = len; | 2049 | in.length = len; |
2031 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2050 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2032 | @@ -1941,6 +1971,7 @@ | 2051 | @@ -1942,6 +1972,7 @@ |
2033 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2052 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2034 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2053 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2035 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2054 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2037,7 +2056,7 @@ Index: b/monitor.c | |||
2037 | } | 2056 | } |
2038 | return (0); | 2057 | return (0); |
2039 | } | 2058 | } |
2040 | @@ -1952,6 +1983,9 @@ | 2059 | @@ -1953,6 +1984,9 @@ |
2041 | OM_uint32 ret; | 2060 | OM_uint32 ret; |
2042 | u_int len; | 2061 | u_int len; |
2043 | 2062 | ||
@@ -2047,7 +2066,7 @@ Index: b/monitor.c | |||
2047 | gssbuf.value = buffer_get_string(m, &len); | 2066 | gssbuf.value = buffer_get_string(m, &len); |
2048 | gssbuf.length = len; | 2067 | gssbuf.length = len; |
2049 | mic.value = buffer_get_string(m, &len); | 2068 | mic.value = buffer_get_string(m, &len); |
2050 | @@ -1978,7 +2012,11 @@ | 2069 | @@ -1979,7 +2013,11 @@ |
2051 | { | 2070 | { |
2052 | int authenticated; | 2071 | int authenticated; |
2053 | 2072 | ||
@@ -2060,7 +2079,7 @@ Index: b/monitor.c | |||
2060 | 2079 | ||
2061 | buffer_clear(m); | 2080 | buffer_clear(m); |
2062 | buffer_put_int(m, authenticated); | 2081 | buffer_put_int(m, authenticated); |
2063 | @@ -1991,6 +2029,74 @@ | 2082 | @@ -1992,6 +2030,74 @@ |
2064 | /* Monitor loop will terminate if authenticated */ | 2083 | /* Monitor loop will terminate if authenticated */ |
2065 | return (authenticated); | 2084 | return (authenticated); |
2066 | } | 2085 | } |
@@ -2152,7 +2171,7 @@ Index: b/monitor_wrap.c | |||
2152 | =================================================================== | 2171 | =================================================================== |
2153 | --- a/monitor_wrap.c | 2172 | --- a/monitor_wrap.c |
2154 | +++ b/monitor_wrap.c | 2173 | +++ b/monitor_wrap.c |
2155 | @@ -1231,7 +1231,7 @@ | 2174 | @@ -1232,7 +1232,7 @@ |
2156 | } | 2175 | } |
2157 | 2176 | ||
2158 | int | 2177 | int |
@@ -2161,7 +2180,7 @@ Index: b/monitor_wrap.c | |||
2161 | { | 2180 | { |
2162 | Buffer m; | 2181 | Buffer m; |
2163 | int authenticated = 0; | 2182 | int authenticated = 0; |
2164 | @@ -1248,6 +1248,51 @@ | 2183 | @@ -1249,6 +1249,51 @@ |
2165 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2184 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2166 | return (authenticated); | 2185 | return (authenticated); |
2167 | } | 2186 | } |
@@ -2233,15 +2252,16 @@ Index: b/readconf.c | |||
2233 | =================================================================== | 2252 | =================================================================== |
2234 | --- a/readconf.c | 2253 | --- a/readconf.c |
2235 | +++ b/readconf.c | 2254 | +++ b/readconf.c |
2236 | @@ -127,6 +127,7 @@ | 2255 | @@ -129,6 +129,8 @@ |
2237 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2256 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2238 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2257 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2239 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2258 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
2240 | + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, | 2259 | + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, |
2260 | + oGssServerIdentity, | ||
2241 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2261 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2242 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2262 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2243 | oHashKnownHosts, | 2263 | oHashKnownHosts, |
2244 | @@ -166,10 +167,18 @@ | 2264 | @@ -169,10 +171,19 @@ |
2245 | { "afstokenpassing", oUnsupported }, | 2265 | { "afstokenpassing", oUnsupported }, |
2246 | #if defined(GSSAPI) | 2266 | #if defined(GSSAPI) |
2247 | { "gssapiauthentication", oGssAuthentication }, | 2267 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2249,6 +2269,7 @@ Index: b/readconf.c | |||
2249 | { "gssapidelegatecredentials", oGssDelegateCreds }, | 2269 | { "gssapidelegatecredentials", oGssDelegateCreds }, |
2250 | + { "gssapitrustdns", oGssTrustDns }, | 2270 | + { "gssapitrustdns", oGssTrustDns }, |
2251 | + { "gssapiclientidentity", oGssClientIdentity }, | 2271 | + { "gssapiclientidentity", oGssClientIdentity }, |
2272 | + { "gssapiserveridentity", oGssServerIdentity }, | ||
2252 | + { "gssapirenewalforcesrekey", oGssRenewalRekey }, | 2273 | + { "gssapirenewalforcesrekey", oGssRenewalRekey }, |
2253 | #else | 2274 | #else |
2254 | { "gssapiauthentication", oUnsupported }, | 2275 | { "gssapiauthentication", oUnsupported }, |
@@ -2260,7 +2281,7 @@ Index: b/readconf.c | |||
2260 | #endif | 2281 | #endif |
2261 | { "fallbacktorsh", oDeprecated }, | 2282 | { "fallbacktorsh", oDeprecated }, |
2262 | { "usersh", oDeprecated }, | 2283 | { "usersh", oDeprecated }, |
2263 | @@ -474,10 +483,26 @@ | 2284 | @@ -479,10 +490,30 @@ |
2264 | intptr = &options->gss_authentication; | 2285 | intptr = &options->gss_authentication; |
2265 | goto parse_flag; | 2286 | goto parse_flag; |
2266 | 2287 | ||
@@ -2280,6 +2301,10 @@ Index: b/readconf.c | |||
2280 | + charptr = &options->gss_client_identity; | 2301 | + charptr = &options->gss_client_identity; |
2281 | + goto parse_string; | 2302 | + goto parse_string; |
2282 | + | 2303 | + |
2304 | + case oGssServerIdentity: | ||
2305 | + charptr = &options->gss_server_identity; | ||
2306 | + goto parse_string; | ||
2307 | + | ||
2283 | + case oGssRenewalRekey: | 2308 | + case oGssRenewalRekey: |
2284 | + intptr = &options->gss_renewal_rekey; | 2309 | + intptr = &options->gss_renewal_rekey; |
2285 | + goto parse_flag; | 2310 | + goto parse_flag; |
@@ -2287,7 +2312,7 @@ Index: b/readconf.c | |||
2287 | case oBatchMode: | 2312 | case oBatchMode: |
2288 | intptr = &options->batch_mode; | 2313 | intptr = &options->batch_mode; |
2289 | goto parse_flag; | 2314 | goto parse_flag; |
2290 | @@ -1058,7 +1083,11 @@ | 2315 | @@ -1092,7 +1123,12 @@ |
2291 | options->pubkey_authentication = -1; | 2316 | options->pubkey_authentication = -1; |
2292 | options->challenge_response_authentication = -1; | 2317 | options->challenge_response_authentication = -1; |
2293 | options->gss_authentication = -1; | 2318 | options->gss_authentication = -1; |
@@ -2296,10 +2321,11 @@ Index: b/readconf.c | |||
2296 | + options->gss_trust_dns = -1; | 2321 | + options->gss_trust_dns = -1; |
2297 | + options->gss_renewal_rekey = -1; | 2322 | + options->gss_renewal_rekey = -1; |
2298 | + options->gss_client_identity = NULL; | 2323 | + options->gss_client_identity = NULL; |
2324 | + options->gss_server_identity = NULL; | ||
2299 | options->password_authentication = -1; | 2325 | options->password_authentication = -1; |
2300 | options->kbd_interactive_authentication = -1; | 2326 | options->kbd_interactive_authentication = -1; |
2301 | options->kbd_interactive_devices = NULL; | 2327 | options->kbd_interactive_devices = NULL; |
2302 | @@ -1156,8 +1185,14 @@ | 2328 | @@ -1193,8 +1229,14 @@ |
2303 | options->challenge_response_authentication = 1; | 2329 | options->challenge_response_authentication = 1; |
2304 | if (options->gss_authentication == -1) | 2330 | if (options->gss_authentication == -1) |
2305 | options->gss_authentication = 0; | 2331 | options->gss_authentication = 0; |
@@ -2318,7 +2344,7 @@ Index: b/readconf.h | |||
2318 | =================================================================== | 2344 | =================================================================== |
2319 | --- a/readconf.h | 2345 | --- a/readconf.h |
2320 | +++ b/readconf.h | 2346 | +++ b/readconf.h |
2321 | @@ -46,7 +46,11 @@ | 2347 | @@ -46,7 +46,12 @@ |
2322 | int challenge_response_authentication; | 2348 | int challenge_response_authentication; |
2323 | /* Try S/Key or TIS, authentication. */ | 2349 | /* Try S/Key or TIS, authentication. */ |
2324 | int gss_authentication; /* Try GSS authentication */ | 2350 | int gss_authentication; /* Try GSS authentication */ |
@@ -2327,6 +2353,7 @@ Index: b/readconf.h | |||
2327 | + int gss_trust_dns; /* Trust DNS for GSS canonicalization */ | 2353 | + int gss_trust_dns; /* Trust DNS for GSS canonicalization */ |
2328 | + int gss_renewal_rekey; /* Credential renewal forces rekey */ | 2354 | + int gss_renewal_rekey; /* Credential renewal forces rekey */ |
2329 | + char *gss_client_identity; /* Principal to initiate GSSAPI with */ | 2355 | + char *gss_client_identity; /* Principal to initiate GSSAPI with */ |
2356 | + char *gss_server_identity; /* GSSAPI target principal */ | ||
2330 | int password_authentication; /* Try password | 2357 | int password_authentication; /* Try password |
2331 | * authentication. */ | 2358 | * authentication. */ |
2332 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2359 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
@@ -2334,7 +2361,7 @@ Index: b/servconf.c | |||
2334 | =================================================================== | 2361 | =================================================================== |
2335 | --- a/servconf.c | 2362 | --- a/servconf.c |
2336 | +++ b/servconf.c | 2363 | +++ b/servconf.c |
2337 | @@ -93,7 +93,10 @@ | 2364 | @@ -97,7 +97,10 @@ |
2338 | options->kerberos_ticket_cleanup = -1; | 2365 | options->kerberos_ticket_cleanup = -1; |
2339 | options->kerberos_get_afs_token = -1; | 2366 | options->kerberos_get_afs_token = -1; |
2340 | options->gss_authentication=-1; | 2367 | options->gss_authentication=-1; |
@@ -2345,7 +2372,7 @@ Index: b/servconf.c | |||
2345 | options->password_authentication = -1; | 2372 | options->password_authentication = -1; |
2346 | options->kbd_interactive_authentication = -1; | 2373 | options->kbd_interactive_authentication = -1; |
2347 | options->challenge_response_authentication = -1; | 2374 | options->challenge_response_authentication = -1; |
2348 | @@ -215,8 +218,14 @@ | 2375 | @@ -226,8 +229,14 @@ |
2349 | options->kerberos_get_afs_token = 0; | 2376 | options->kerberos_get_afs_token = 0; |
2350 | if (options->gss_authentication == -1) | 2377 | if (options->gss_authentication == -1) |
2351 | options->gss_authentication = 0; | 2378 | options->gss_authentication = 0; |
@@ -2360,7 +2387,7 @@ Index: b/servconf.c | |||
2360 | if (options->password_authentication == -1) | 2387 | if (options->password_authentication == -1) |
2361 | options->password_authentication = 1; | 2388 | options->password_authentication = 1; |
2362 | if (options->kbd_interactive_authentication == -1) | 2389 | if (options->kbd_interactive_authentication == -1) |
2363 | @@ -307,7 +316,9 @@ | 2390 | @@ -322,7 +331,9 @@ |
2364 | sBanner, sUseDNS, sHostbasedAuthentication, | 2391 | sBanner, sUseDNS, sHostbasedAuthentication, |
2365 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2392 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2366 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, | 2393 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
@@ -2371,23 +2398,28 @@ Index: b/servconf.c | |||
2371 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2398 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2372 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2399 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2373 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 2400 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2374 | @@ -370,9 +381,15 @@ | 2401 | @@ -386,10 +397,20 @@ |
2375 | #ifdef GSSAPI | 2402 | #ifdef GSSAPI |
2376 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2403 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2377 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2404 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
2405 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
2378 | + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | 2406 | + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, |
2379 | + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | 2407 | + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, |
2380 | + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | 2408 | + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, |
2381 | #else | 2409 | #else |
2382 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | 2410 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
2383 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | 2411 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
2412 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | ||
2384 | + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | 2413 | + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
2385 | + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | 2414 | + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, |
2386 | + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | 2415 | + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, |
2387 | #endif | 2416 | #endif |
2417 | + { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, | ||
2418 | + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, | ||
2388 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2419 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2389 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2420 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2390 | @@ -926,10 +943,22 @@ | 2421 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2422 | @@ -944,10 +965,22 @@ | ||
2391 | intptr = &options->gss_authentication; | 2423 | intptr = &options->gss_authentication; |
2392 | goto parse_flag; | 2424 | goto parse_flag; |
2393 | 2425 | ||
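Review bot: The `gssusesessionccache` and `gssapiusesessioncredcache` entries are added as sUnsupported outside the `#ifdef GSSAPI` block with no comment saying why they exist, so a later maintainer cannot tell whether they are deliberate compatibility shims or leftovers. A sshd_config that sets either of them will be accepted (with at most an "unsupported option" warning, if sUnsupported logs as it does for the other entries) rather than rejected, which matters to an operator who believes session credential caching is being enforced; a one-line comment above the pair such as `/* Accepted and ignored: keeps configs written for other GSSAPI patch sets loading */` would make the intent explicit, assuming that is indeed the reason. The new `gssapicleanupcreds` alias is likewise undocumented in the hunk; if sshd_config.5 does not list it as an alias of GSSAPICleanupCredentials it should. The keyword table starts and ends outside the hunk.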
@@ -2410,11 +2442,22 @@ Index: b/servconf.c | |||
2410 | case sPasswordAuthentication: | 2442 | case sPasswordAuthentication: |
2411 | intptr = &options->password_authentication; | 2443 | intptr = &options->password_authentication; |
2412 | goto parse_flag; | 2444 | goto parse_flag; |
2445 | @@ -1704,7 +1737,10 @@ | ||
2446 | #endif | ||
2447 | #ifdef GSSAPI | ||
2448 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | ||
2449 | + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); | ||
2450 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | ||
2451 | + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); | ||
2452 | + dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); | ||
2453 | #endif | ||
2454 | #ifdef JPAKE | ||
2455 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | ||
2413 | Index: b/servconf.h | 2456 | Index: b/servconf.h |
2414 | =================================================================== | 2457 | =================================================================== |
2415 | --- a/servconf.h | 2458 | --- a/servconf.h |
2416 | +++ b/servconf.h | 2459 | +++ b/servconf.h |
2417 | @@ -94,7 +94,10 @@ | 2460 | @@ -97,7 +97,10 @@ |
2418 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2461 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2419 | * authenticated with Kerberos. */ | 2462 | * authenticated with Kerberos. */ |
2420 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2463 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2543,7 +2586,7 @@ Index: b/ssh_config.5 | |||
2543 | =================================================================== | 2586 | =================================================================== |
2544 | --- a/ssh_config.5 | 2587 | --- a/ssh_config.5 |
2545 | +++ b/ssh_config.5 | 2588 | +++ b/ssh_config.5 |
2546 | @@ -509,11 +509,38 @@ | 2589 | @@ -508,11 +508,43 @@ |
2547 | The default is | 2590 | The default is |
2548 | .Dq no . | 2591 | .Dq no . |
2549 | Note that this option applies to protocol version 2 only. | 2592 | Note that this option applies to protocol version 2 only. |
@@ -2557,6 +2600,11 @@ Index: b/ssh_config.5 | |||
2557 | +If set, specifies the GSSAPI client identity that ssh should use when | 2600 | +If set, specifies the GSSAPI client identity that ssh should use when |
2558 | +connecting to the server. The default is unset, which means that the default | 2601 | +connecting to the server. The default is unset, which means that the default |
2559 | +identity will be used. | 2602 | +identity will be used. |
2603 | +.It Cm GSSAPIServerIdentity | ||
2604 | +If set, specifies the GSSAPI server identity that ssh should expect when | ||
2605 | +connecting to the server. The default is unset, which means that the | ||
2606 | +expected GSSAPI server identity will be determined from the target | ||
2607 | +hostname. | ||
2560 | .It Cm GSSAPIDelegateCredentials | 2608 | .It Cm GSSAPIDelegateCredentials |
2561 | Forward (delegate) credentials to the server. | 2609 | Forward (delegate) credentials to the server. |
2562 | The default is | 2610 | The default is |
@@ -2587,7 +2635,7 @@ Index: b/sshconnect2.c | |||
2587 | =================================================================== | 2635 | =================================================================== |
2588 | --- a/sshconnect2.c | 2636 | --- a/sshconnect2.c |
2589 | +++ b/sshconnect2.c | 2637 | +++ b/sshconnect2.c |
2590 | @@ -106,9 +106,34 @@ | 2638 | @@ -159,9 +159,34 @@ |
2591 | { | 2639 | { |
2592 | Kex *kex; | 2640 | Kex *kex; |
2593 | 2641 | ||
@@ -2622,9 +2670,9 @@ Index: b/sshconnect2.c | |||
2622 | if (options.ciphers == (char *)-1) { | 2670 | if (options.ciphers == (char *)-1) { |
2623 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2671 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2624 | options.ciphers = NULL; | 2672 | options.ciphers = NULL; |
2625 | @@ -136,6 +161,17 @@ | 2673 | @@ -196,6 +221,17 @@ |
2626 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 2674 | if (options.kex_algorithms != NULL) |
2627 | options.hostkeyalgorithms; | 2675 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
2628 | 2676 | ||
2629 | +#ifdef GSSAPI | 2677 | +#ifdef GSSAPI |
2630 | + /* If we've got GSSAPI algorithms, then we also support the | 2678 | + /* If we've got GSSAPI algorithms, then we also support the |
@@ -2640,10 +2688,10 @@ Index: b/sshconnect2.c | |||
2640 | if (options.rekey_limit) | 2688 | if (options.rekey_limit) |
2641 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); | 2689 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); |
2642 | 2690 | ||
2643 | @@ -145,10 +181,26 @@ | 2691 | @@ -206,10 +242,30 @@ |
2644 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; | ||
2645 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 2692 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
2646 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 2693 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
2694 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | ||
2647 | +#ifdef GSSAPI | 2695 | +#ifdef GSSAPI |
2648 | + if (options.gss_keyex) { | 2696 | + if (options.gss_keyex) { |
2649 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; | 2697 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; |
@@ -2660,14 +2708,18 @@ Index: b/sshconnect2.c | |||
2660 | + kex->gss_deleg_creds = options.gss_deleg_creds; | 2708 | + kex->gss_deleg_creds = options.gss_deleg_creds; |
2661 | + kex->gss_trust_dns = options.gss_trust_dns; | 2709 | + kex->gss_trust_dns = options.gss_trust_dns; |
2662 | + kex->gss_client = options.gss_client_identity; | 2710 | + kex->gss_client = options.gss_client_identity; |
2663 | + kex->gss_host = gss_host; | 2711 | + if (options.gss_server_identity) { |
2712 | + kex->gss_host = options.gss_server_identity; | ||
2713 | + } else { | ||
2714 | + kex->gss_host = gss_host; | ||
2715 | + } | ||
2664 | + } | 2716 | + } |
2665 | +#endif | 2717 | +#endif |
2666 | + | 2718 | + |
2667 | xxx_kex = kex; | 2719 | xxx_kex = kex; |
2668 | 2720 | ||
2669 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2721 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
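Review bot: The new `if (options.gss_server_identity) kex->gss_host = options.gss_server_identity; else kex->gss_host = gss_host;` selection duplicates the three-way choice (explicit server identity, then DNS canonicalisation, then the configured host) that userauth_gssapi makes further down in this same file, so the two can drift apart; a small `static const char *gss_target_host(...)` helper called from both places would keep the precedence rule in one spot. The `gss_host` read in the else branch is computed earlier in ssh_kex2, outside this hunk, so I cannot confirm it already applies GSSAPITrustDNS. Nothing in the hunk records that the explicit identity is meant to win, so I would add `/* GSSAPIServerIdentity pins the acceptor principal and overrides DNS canonicalisation */` above the new branch. ssh_kex2 starts outside the hunk.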
2670 | @@ -243,6 +295,7 @@ | 2722 | @@ -304,6 +360,7 @@ |
2671 | void input_gssapi_hash(int type, u_int32_t, void *); | 2723 | void input_gssapi_hash(int type, u_int32_t, void *); |
2672 | void input_gssapi_error(int, u_int32_t, void *); | 2724 | void input_gssapi_error(int, u_int32_t, void *); |
2673 | void input_gssapi_errtok(int, u_int32_t, void *); | 2725 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2675,7 +2727,7 @@ Index: b/sshconnect2.c | |||
2675 | #endif | 2727 | #endif |
2676 | 2728 | ||
2677 | void userauth(Authctxt *, char *); | 2729 | void userauth(Authctxt *, char *); |
2678 | @@ -258,6 +311,11 @@ | 2730 | @@ -319,6 +376,11 @@ |
2679 | 2731 | ||
2680 | Authmethod authmethods[] = { | 2732 | Authmethod authmethods[] = { |
2681 | #ifdef GSSAPI | 2733 | #ifdef GSSAPI |
@@ -2687,13 +2739,15 @@ Index: b/sshconnect2.c | |||
2687 | {"gssapi-with-mic", | 2739 | {"gssapi-with-mic", |
2688 | userauth_gssapi, | 2740 | userauth_gssapi, |
2689 | NULL, | 2741 | NULL, |
2690 | @@ -564,19 +622,29 @@ | 2742 | @@ -625,19 +687,31 @@ |
2691 | static u_int mech = 0; | 2743 | static u_int mech = 0; |
2692 | OM_uint32 min; | 2744 | OM_uint32 min; |
2693 | int ok = 0; | 2745 | int ok = 0; |
2694 | + const char *gss_host; | 2746 | + const char *gss_host; |
2695 | + | 2747 | + |
2696 | + if (options.gss_trust_dns) | 2748 | + if (options.gss_server_identity) |
2749 | + gss_host = options.gss_server_identity; | ||
2750 | + else if (options.gss_trust_dns) | ||
2697 | + gss_host = get_canonical_hostname(1); | 2751 | + gss_host = get_canonical_hostname(1); |
2698 | + else | 2752 | + else |
2699 | + gss_host = authctxt->host; | 2753 | + gss_host = authctxt->host; |
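Review bot: The new first branch makes an explicit GSSAPIServerIdentity silently take precedence over GSSAPITrustDNS, but neither the code nor the GSSAPIServerIdentity entry added to ssh_config.5 elsewhere on this page says so; I would add `/* explicit GSSAPIServerIdentity beats GSSAPITrustDNS canonicalisation */` above the branch and one sentence in the man page noting the override. The security-relevant consequence is worth stating as well: in the GSSAPITrustDNS branch the acceptor principal is derived from `get_canonical_hostname(1)`, so whoever can influence that lookup influences which host principal the client will accept, and a configured GSSAPIServerIdentity is the way to pin it. The function userauth_gssapi continues outside the hunk.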
@@ -2719,7 +2773,7 @@ Index: b/sshconnect2.c | |||
2719 | ok = 1; /* Mechanism works */ | 2773 | ok = 1; /* Mechanism works */ |
2720 | } else { | 2774 | } else { |
2721 | mech++; | 2775 | mech++; |
2722 | @@ -673,8 +741,8 @@ | 2776 | @@ -734,8 +808,8 @@ |
2723 | { | 2777 | { |
2724 | Authctxt *authctxt = ctxt; | 2778 | Authctxt *authctxt = ctxt; |
2725 | Gssctxt *gssctxt; | 2779 | Gssctxt *gssctxt; |
@@ -2730,7 +2784,7 @@ Index: b/sshconnect2.c | |||
2730 | 2784 | ||
2731 | if (authctxt == NULL) | 2785 | if (authctxt == NULL) |
2732 | fatal("input_gssapi_response: no authentication context"); | 2786 | fatal("input_gssapi_response: no authentication context"); |
2733 | @@ -784,6 +852,48 @@ | 2787 | @@ -845,6 +919,48 @@ |
2734 | xfree(msg); | 2788 | xfree(msg); |
2735 | xfree(lang); | 2789 | xfree(lang); |
2736 | } | 2790 | } |
@@ -2794,7 +2848,7 @@ Index: b/sshd.c | |||
2794 | #ifdef LIBWRAP | 2848 | #ifdef LIBWRAP |
2795 | #include <tcpd.h> | 2849 | #include <tcpd.h> |
2796 | #include <syslog.h> | 2850 | #include <syslog.h> |
2797 | @@ -1586,10 +1590,13 @@ | 2851 | @@ -1590,10 +1594,13 @@ |
2798 | logit("Disabling protocol version 1. Could not load host key"); | 2852 | logit("Disabling protocol version 1. Could not load host key"); |
2799 | options.protocol &= ~SSH_PROTO_1; | 2853 | options.protocol &= ~SSH_PROTO_1; |
2800 | } | 2854 | } |
@@ -2808,7 +2862,7 @@ Index: b/sshd.c | |||
2808 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2862 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2809 | logit("sshd: no hostkeys available -- exiting."); | 2863 | logit("sshd: no hostkeys available -- exiting."); |
2810 | exit(1); | 2864 | exit(1); |
2811 | @@ -1918,6 +1925,60 @@ | 2865 | @@ -1922,6 +1929,60 @@ |
2812 | /* Log the connection. */ | 2866 | /* Log the connection. */ |
2813 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2867 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
2814 | 2868 | ||
@@ -2869,7 +2923,7 @@ Index: b/sshd.c | |||
2869 | /* | 2923 | /* |
2870 | * We don't want to listen forever unless the other side | 2924 | * We don't want to listen forever unless the other side |
2871 | * successfully authenticates itself. So we set up an alarm which is | 2925 | * successfully authenticates itself. So we set up an alarm which is |
2872 | @@ -2296,12 +2357,61 @@ | 2926 | @@ -2303,6 +2364,48 @@ |
2873 | 2927 | ||
2874 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2928 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2875 | 2929 | ||
@@ -2918,9 +2972,10 @@ Index: b/sshd.c | |||
2918 | /* start key exchange */ | 2972 | /* start key exchange */ |
2919 | kex = kex_setup(myproposal); | 2973 | kex = kex_setup(myproposal); |
2920 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 2974 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
2921 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 2975 | @@ -2310,6 +2413,13 @@ |
2922 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2976 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2923 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2977 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2978 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | ||
2924 | +#ifdef GSSAPI | 2979 | +#ifdef GSSAPI |
2925 | + if (options.gss_keyex) { | 2980 | + if (options.gss_keyex) { |
2926 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | 2981 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; |
@@ -2935,7 +2990,7 @@ Index: b/sshd_config | |||
2935 | =================================================================== | 2990 | =================================================================== |
2936 | --- a/sshd_config | 2991 | --- a/sshd_config |
2937 | +++ b/sshd_config | 2992 | +++ b/sshd_config |
2938 | @@ -71,6 +71,8 @@ | 2993 | @@ -72,6 +72,8 @@ |
2939 | # GSSAPI options | 2994 | # GSSAPI options |
2940 | #GSSAPIAuthentication no | 2995 | #GSSAPIAuthentication no |
2941 | #GSSAPICleanupCredentials yes | 2996 | #GSSAPICleanupCredentials yes |
@@ -2948,7 +3003,7 @@ Index: b/sshd_config.5 | |||
2948 | =================================================================== | 3003 | =================================================================== |
2949 | --- a/sshd_config.5 | 3004 | --- a/sshd_config.5 |
2950 | +++ b/sshd_config.5 | 3005 | +++ b/sshd_config.5 |
2951 | @@ -424,12 +424,40 @@ | 3006 | @@ -423,12 +423,40 @@ |
2952 | The default is | 3007 | The default is |
2953 | .Dq no . | 3008 | .Dq no . |
2954 | Note that this option applies to protocol version 2 only. | 3009 | Note that this option applies to protocol version 2 only. |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index 9e1705719..89011cfb7 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -18,24 +18,24 @@ Index: b/readconf.c | |||
18 | =================================================================== | 18 | =================================================================== |
19 | --- a/readconf.c | 19 | --- a/readconf.c |
20 | +++ b/readconf.c | 20 | +++ b/readconf.c |
21 | @@ -134,6 +134,7 @@ | 21 | @@ -138,6 +138,7 @@ |
22 | oHashKnownHosts, | ||
23 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | 22 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, |
24 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, | 23 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, |
24 | oKexAlgorithms, oIPQoS, | ||
25 | + oProtocolKeepAlives, oSetupTimeOut, | 25 | + oProtocolKeepAlives, oSetupTimeOut, |
26 | oDeprecated, oUnsupported | 26 | oDeprecated, oUnsupported |
27 | } OpCodes; | 27 | } OpCodes; |
28 | 28 | ||
29 | @@ -251,6 +252,8 @@ | 29 | @@ -258,6 +259,8 @@ |
30 | #else | ||
31 | { "zeroknowledgepasswordauthentication", oUnsupported }, | ||
32 | #endif | 30 | #endif |
31 | { "kexalgorithms", oKexAlgorithms }, | ||
32 | { "ipqos", oIPQoS }, | ||
33 | + { "protocolkeepalives", oProtocolKeepAlives }, | 33 | + { "protocolkeepalives", oProtocolKeepAlives }, |
34 | + { "setuptimeout", oSetupTimeOut }, | 34 | + { "setuptimeout", oSetupTimeOut }, |
35 | 35 | ||
36 | { NULL, oBadOption } | 36 | { NULL, oBadOption } |
37 | }; | 37 | }; |
38 | @@ -865,6 +868,8 @@ | 38 | @@ -888,6 +891,8 @@ |
39 | goto parse_flag; | 39 | goto parse_flag; |
40 | 40 | ||
41 | case oServerAliveInterval: | 41 | case oServerAliveInterval: |
@@ -44,7 +44,7 @@ Index: b/readconf.c | |||
44 | intptr = &options->server_alive_interval; | 44 | intptr = &options->server_alive_interval; |
45 | goto parse_time; | 45 | goto parse_time; |
46 | 46 | ||
47 | @@ -1284,8 +1289,13 @@ | 47 | @@ -1336,8 +1341,13 @@ |
48 | options->rekey_limit = 0; | 48 | options->rekey_limit = 0; |
49 | if (options->verify_host_key_dns == -1) | 49 | if (options->verify_host_key_dns == -1) |
50 | options->verify_host_key_dns = 0; | 50 | options->verify_host_key_dns = 0; |
@@ -64,7 +64,7 @@ Index: b/ssh_config.5 | |||
64 | =================================================================== | 64 | =================================================================== |
65 | --- a/ssh_config.5 | 65 | --- a/ssh_config.5 |
66 | +++ b/ssh_config.5 | 66 | +++ b/ssh_config.5 |
67 | @@ -128,8 +128,12 @@ | 67 | @@ -127,8 +127,12 @@ |
68 | If set to | 68 | If set to |
69 | .Dq yes , | 69 | .Dq yes , |
70 | passphrase/password querying will be disabled. | 70 | passphrase/password querying will be disabled. |
@@ -78,7 +78,7 @@ Index: b/ssh_config.5 | |||
78 | The argument must be | 78 | The argument must be |
79 | .Dq yes | 79 | .Dq yes |
80 | or | 80 | or |
81 | @@ -994,8 +998,15 @@ | 81 | @@ -1058,8 +1062,15 @@ |
82 | will send a message through the encrypted | 82 | will send a message through the encrypted |
83 | channel to request a response from the server. | 83 | channel to request a response from the server. |
84 | The default | 84 | The default |
@@ -95,7 +95,7 @@ Index: b/ssh_config.5 | |||
95 | .It Cm StrictHostKeyChecking | 95 | .It Cm StrictHostKeyChecking |
96 | If this flag is set to | 96 | If this flag is set to |
97 | .Dq yes , | 97 | .Dq yes , |
98 | @@ -1034,6 +1045,12 @@ | 98 | @@ -1098,6 +1109,12 @@ |
99 | other side. | 99 | other side. |
100 | If they are sent, death of the connection or crash of one | 100 | If they are sent, death of the connection or crash of one |
101 | of the machines will be properly noticed. | 101 | of the machines will be properly noticed. |
@@ -112,7 +112,7 @@ Index: b/sshd_config.5 | |||
112 | =================================================================== | 112 | =================================================================== |
113 | --- a/sshd_config.5 | 113 | --- a/sshd_config.5 |
114 | +++ b/sshd_config.5 | 114 | +++ b/sshd_config.5 |
115 | @@ -985,6 +985,9 @@ | 115 | @@ -1034,6 +1034,9 @@ |
116 | .Pp | 116 | .Pp |
117 | To disable TCP keepalive messages, the value should be set to | 117 | To disable TCP keepalive messages, the value should be set to |
118 | .Dq no . | 118 | .Dq no . |
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch index 955d38b50..f5ac00814 100644 --- a/debian/patches/lintian-symlink-pickiness.patch +++ b/debian/patches/lintian-symlink-pickiness.patch | |||
@@ -9,7 +9,7 @@ Index: b/Makefile.in | |||
9 | =================================================================== | 9 | =================================================================== |
10 | --- a/Makefile.in | 10 | --- a/Makefile.in |
11 | +++ b/Makefile.in | 11 | +++ b/Makefile.in |
12 | @@ -294,9 +294,9 @@ | 12 | @@ -297,9 +297,9 @@ |
13 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 13 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
14 | $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 | 14 | $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 |
15 | -rm -f $(DESTDIR)$(bindir)/slogin | 15 | -rm -f $(DESTDIR)$(bindir)/slogin |
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index de63e46f8..fc07e8861 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1 | |||
34 | =================================================================== | 34 | =================================================================== |
35 | --- a/ssh-keygen.1 | 35 | --- a/ssh-keygen.1 |
36 | +++ b/ssh-keygen.1 | 36 | +++ b/ssh-keygen.1 |
37 | @@ -148,9 +148,7 @@ | 37 | @@ -147,9 +147,7 @@ |
38 | .Pa ~/.ssh/id_dsa | 38 | .Pa ~/.ssh/id_dsa |
39 | or | 39 | or |
40 | .Pa ~/.ssh/id_rsa . | 40 | .Pa ~/.ssh/id_rsa . |
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1 | |||
45 | .Pp | 45 | .Pp |
46 | Normally this program generates the key and asks for a file in which | 46 | Normally this program generates the key and asks for a file in which |
47 | to store the private key. | 47 | to store the private key. |
48 | @@ -394,9 +392,7 @@ | 48 | @@ -393,9 +391,7 @@ |
49 | .It Fl q | 49 | .It Fl q |
50 | Silence | 50 | Silence |
51 | .Nm ssh-keygen . | 51 | .Nm ssh-keygen . |
@@ -60,7 +60,7 @@ Index: b/ssh.1 | |||
60 | =================================================================== | 60 | =================================================================== |
61 | --- a/ssh.1 | 61 | --- a/ssh.1 |
62 | +++ b/ssh.1 | 62 | +++ b/ssh.1 |
63 | @@ -728,6 +728,10 @@ | 63 | @@ -726,6 +726,10 @@ |
64 | .Sx HISTORY | 64 | .Sx HISTORY |
65 | section of | 65 | section of |
66 | .Xr ssl 8 | 66 | .Xr ssl 8 |
@@ -68,14 +68,14 @@ Index: b/ssh.1 | |||
68 | +.nh | 68 | +.nh |
69 | +http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) | 69 | +http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) |
70 | +.hy | 70 | +.hy |
71 | contains a brief discussion of the two algorithms. | 71 | contains a brief discussion of the DSA and RSA algorithms. |
72 | .Pp | 72 | .Pp |
73 | The file | 73 | The file |
74 | Index: b/sshd.8 | 74 | Index: b/sshd.8 |
75 | =================================================================== | 75 | =================================================================== |
76 | --- a/sshd.8 | 76 | --- a/sshd.8 |
77 | +++ b/sshd.8 | 77 | +++ b/sshd.8 |
78 | @@ -70,7 +70,7 @@ | 78 | @@ -69,7 +69,7 @@ |
79 | .Nm | 79 | .Nm |
80 | listens for connections from clients. | 80 | listens for connections from clients. |
81 | It is normally started at boot from | 81 | It is normally started at boot from |
@@ -84,16 +84,16 @@ Index: b/sshd.8 | |||
84 | It forks a new | 84 | It forks a new |
85 | daemon for each incoming connection. | 85 | daemon for each incoming connection. |
86 | The forked daemons handle | 86 | The forked daemons handle |
87 | @@ -845,7 +845,7 @@ | 87 | @@ -850,7 +850,7 @@ |
88 | .Xr ssh 1 ) . | 88 | .Xr ssh 1 ) . |
89 | It should only be writable by root. | 89 | It should only be writable by root. |
90 | .Pp | 90 | .Pp |
91 | -.It /etc/moduli | 91 | -.It Pa /etc/moduli |
92 | +.It /etc/ssh/moduli | 92 | +.It Pa /etc/ssh/moduli |
93 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 93 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
94 | The file format is described in | 94 | The file format is described in |
95 | .Xr moduli 5 . | 95 | .Xr moduli 5 . |
96 | @@ -941,7 +941,6 @@ | 96 | @@ -948,7 +948,6 @@ |
97 | .Xr ssh-vulnkey 1 , | 97 | .Xr ssh-vulnkey 1 , |
98 | .Xr chroot 2 , | 98 | .Xr chroot 2 , |
99 | .Xr hosts_access 5 , | 99 | .Xr hosts_access 5 , |
@@ -105,7 +105,7 @@ Index: b/sshd_config.5 | |||
105 | =================================================================== | 105 | =================================================================== |
106 | --- a/sshd_config.5 | 106 | --- a/sshd_config.5 |
107 | +++ b/sshd_config.5 | 107 | +++ b/sshd_config.5 |
108 | @@ -222,8 +222,7 @@ | 108 | @@ -221,8 +221,7 @@ |
109 | By default, no banner is displayed. | 109 | By default, no banner is displayed. |
110 | .It Cm ChallengeResponseAuthentication | 110 | .It Cm ChallengeResponseAuthentication |
111 | Specifies whether challenge-response authentication is allowed (e.g. via | 111 | Specifies whether challenge-response authentication is allowed (e.g. via |
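--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -542,7 +542,7 @@
+@@ -556,7 +556,7 @@
 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
 compat20 ? PROTOCOL_MINOR_2 : minor1,
@@ -38,7 +38,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
-#define SSH_VERSION "OpenSSH_5.6"
+#define SSH_VERSION "OpenSSH_5.7"
 
 #define SSH_PORTABLE "p1"
 -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE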
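--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -11,7 +11,7 @@ Index: b/scp.c
 ===================================================================
 --- a/scp.c
 +++ b/scp.c
-@@ -182,8 +182,16 @@
+@@ -189,8 +189,16 @@
 
 if (verbose_mode) {
 fprintf(stderr, "Executing:");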
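--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -33,7 +33,7 @@ Index: b/auth1.c
 /* Get the name of the user that we wish to log in as. */
 packet_read_expect(SSH_CMSG_USER);
 @@ -392,11 +392,17 @@
-user = packet_get_string(&ulen);
+user = packet_get_cstring(&ulen);
 packet_check_eom();
 
 + if ((role = strchr(user, '/')) != NULL)
@@ -173,7 +173,7 @@ Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -279,10 +279,10 @@
+@@ -280,10 +280,10 @@
 return (banner);
 }
 
@@ -186,7 +186,7 @@ Index: b/monitor_wrap.c
 {
 Buffer m;
 
-@@ -291,12 +291,30 @@
+@@ -292,11 +292,29 @@
 buffer_init(&m);
 buffer_put_cstring(&m, service);
 buffer_put_cstring(&m, style ? style : "");
@@ -196,7 +196,7 @@ Index: b/monitor_wrap.c
 
 buffer_free(&m);
 }
-
++
 +/* Inform the privileged process about role */
 +
 +void
@@ -213,10 +213,9 @@ Index: b/monitor_wrap.c
 +
 + buffer_free(&m);
 +}
-+
+
 /* Do the password authentication */
 int
-mm_auth_password(Authctxt *authctxt, char *password)
 Index: b/monitor_wrap.h
 ===================================================================
 --- a/monitor_wrap.h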
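Review bot: The role suffix is still split off with `strchr(user, '/')` on the line after the switch to `packet_get_cstring(&ulen)`, and nothing in the hunk records why the NUL-clean getter matters there; I would add `/* role is split with strchr(), so user must carry no embedded NUL (packet_get_cstring) */` above that line. As far as I recall packet_get_cstring rejects a string containing an embedded NUL, which is what makes `ulen` and the strchr scan describe the same bytes; please confirm against the 5.7 bufaux code. The user string at this point comes from the not-yet-authenticated client, so the role it carries is untrusted input, and the lines that consume `role` lie outside this hunk and could not be checked here. The enclosing auth1.c function starts and ends outside the hunk.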
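--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,8 +1,6 @@
 # GSSAPI
 gssapi.patch
 gssapi-autoconf.patch
-gssapi-compat.patch
-gssapi-dump.patch
 
 # SELinux
 selinux-role.patch
@@ -41,4 +39,3 @@ doc-hash-tab-completion.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
 debian-config.patch
-ssh-sigchld.patch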
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index ddae43a45..5100d8ec7 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -10,18 +10,18 @@ Index: b/sshconnect.c | |||
10 | =================================================================== | 10 | =================================================================== |
11 | --- a/sshconnect.c | 11 | --- a/sshconnect.c |
12 | +++ b/sshconnect.c | 12 | +++ b/sshconnect.c |
13 | @@ -141,7 +141,7 @@ | 13 | @@ -144,7 +144,7 @@ |
14 | |||
15 | /* Execute the proxy command. Note that we gave up any | 14 | /* Execute the proxy command. Note that we gave up any |
16 | extra privileges above. */ | 15 | extra privileges above. */ |
16 | signal(SIGPIPE, SIG_DFL); | ||
17 | - execv(argv[0], argv); | 17 | - execv(argv[0], argv); |
18 | + execvp(argv[0], argv); | 18 | + execvp(argv[0], argv); |
19 | perror(argv[0]); | 19 | perror(argv[0]); |
20 | exit(1); | 20 | exit(1); |
21 | } | 21 | } |
22 | @@ -1243,7 +1243,7 @@ | 22 | @@ -1274,7 +1274,7 @@ |
23 | pid = fork(); | ||
24 | if (pid == 0) { | 23 | if (pid == 0) { |
24 | signal(SIGPIPE, SIG_DFL); | ||
25 | debug3("Executing %s -c \"%s\"", shell, args); | 25 | debug3("Executing %s -c \"%s\"", shell, args); |
26 | - execl(shell, shell, "-c", args, (char *)NULL); | 26 | - execl(shell, shell, "-c", args, (char *)NULL); |
27 | + execlp(shell, shell, "-c", args, (char *)NULL); | 27 | + execlp(shell, shell, "-c", args, (char *)NULL); |
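--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -11,7 +11,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1396,6 +1396,7 @@
+@@ -1406,6 +1406,7 @@
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,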
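--- a/debian/patches/ssh-sigchld.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Description: Install a SIGCHLD handler to reap expired child processes
-Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6166
-Bug-Debian: http://bugs.debian.org/594687
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1812
-Forwarded: not-needed
-Last-Update: 2010-10-26
-
-Index: b/ssh.c
-===================================================================
---- a/ssh.c
-+++ b/ssh.c
-@@ -50,6 +50,7 @@
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-+#include <sys/wait.h>
-
-#include <ctype.h>
-#include <errno.h>
-@@ -210,6 +211,7 @@
-static int ssh_session(void);
-static int ssh_session2(void);
-static void load_public_identity_files(void);
-+static void main_sigchld_handler(int);
-
-/* from muxclient.c */
-void muxclient(const char *);
-@@ -849,6 +851,7 @@
-tilde_expand_filename(options.user_hostfile2, original_real_uid);
-
-signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
-+ signal(SIGCHLD, main_sigchld_handler);
-
-/* Log into the remote system. Never returns if the login fails. */
-ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr,
-@@ -1532,3 +1535,19 @@
-bzero(pwdir, strlen(pwdir));
-xfree(pwdir);
-}
-+
-+static void
-+main_sigchld_handler(int sig)
-+{
-+ int save_errno = errno;
-+ pid_t pid;
-+ int status;
-+
-+ while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
-+ (pid < 0 && errno == EINTR))
-+ ;
-+
-+ signal(sig, main_sigchld_handler);
-+ errno = save_errno;
-+}
-+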
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index 81c225a7f..444aef251 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch | |||
@@ -32,7 +32,7 @@ Index: b/Makefile.in | |||
32 | 32 | ||
33 | CC=@CC@ | 33 | CC=@CC@ |
34 | LD=@LD@ | 34 | LD=@LD@ |
35 | @@ -62,7 +64,7 @@ | 35 | @@ -63,7 +65,7 @@ |
36 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ | 36 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ |
37 | INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ | 37 | INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ |
38 | 38 | ||
@@ -41,8 +41,8 @@ Index: b/Makefile.in | |||
41 | 41 | ||
42 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 42 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
43 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ | 43 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ |
44 | @@ -93,8 +95,8 @@ | 44 | @@ -95,8 +97,8 @@ |
45 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ | 45 | sftp-server.o sftp-common.o \ |
46 | roaming_common.o roaming_serv.o | 46 | roaming_common.o roaming_serv.o |
47 | 47 | ||
48 | -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | 48 | -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out |
@@ -52,7 +52,7 @@ Index: b/Makefile.in | |||
52 | MANTYPE = @MANTYPE@ | 52 | MANTYPE = @MANTYPE@ |
53 | 53 | ||
54 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out | 54 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out |
55 | @@ -174,6 +176,9 @@ | 55 | @@ -177,6 +179,9 @@ |
56 | ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o | 56 | ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o |
57 | $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | 57 | $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
58 | 58 | ||
@@ -62,7 +62,7 @@ Index: b/Makefile.in | |||
62 | # test driver for the loginrec code - not built by default | 62 | # test driver for the loginrec code - not built by default |
63 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o | 63 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o |
64 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) | 64 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) |
65 | @@ -268,6 +273,7 @@ | 65 | @@ -271,6 +276,7 @@ |
66 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | 66 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) |
67 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 67 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
68 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 68 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
@@ -70,7 +70,7 @@ Index: b/Makefile.in | |||
70 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | 70 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |
71 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 | 71 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 |
72 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 | 72 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 |
73 | @@ -285,6 +291,7 @@ | 73 | @@ -288,6 +294,7 @@ |
74 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 74 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
75 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 75 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
76 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 76 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
@@ -78,7 +78,7 @@ Index: b/Makefile.in | |||
78 | -rm -f $(DESTDIR)$(bindir)/slogin | 78 | -rm -f $(DESTDIR)$(bindir)/slogin |
79 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | 79 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin |
80 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | 80 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 |
81 | @@ -366,6 +373,7 @@ | 81 | @@ -377,6 +384,7 @@ |
82 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) | 82 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) |
83 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) | 83 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) |
84 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) | 84 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) |
@@ -86,7 +86,7 @@ Index: b/Makefile.in | |||
86 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 86 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
87 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) | 87 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) |
88 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 88 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
89 | @@ -379,6 +387,7 @@ | 89 | @@ -390,6 +398,7 @@ |
90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 | 90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 |
91 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 | 91 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 |
92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 | 92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 |
@@ -111,15 +111,15 @@ Index: b/auth-rsa.c | |||
111 | =================================================================== | 111 | =================================================================== |
112 | --- a/auth-rsa.c | 112 | --- a/auth-rsa.c |
113 | +++ b/auth-rsa.c | 113 | +++ b/auth-rsa.c |
114 | @@ -94,7 +94,7 @@ | 114 | @@ -247,7 +247,7 @@ |
115 | MD5_CTX md; | 115 | file, linenum, BN_num_bits(key->rsa->n), bits); |
116 | int len; | ||
117 | 116 | ||
118 | - if (auth_key_is_revoked(key)) | 117 | /* Never accept a revoked key */ |
119 | + if (auth_key_is_revoked(key, 0)) | 118 | - if (auth_key_is_revoked(key)) |
120 | return 0; | 119 | + if (auth_key_is_revoked(key, 0)) |
120 | break; | ||
121 | 121 | ||
122 | /* don't allow short keys */ | 122 | /* We have found the desired key. */ |
123 | Index: b/auth.c | 123 | Index: b/auth.c |
124 | =================================================================== | 124 | =================================================================== |
125 | --- a/auth.c | 125 | --- a/auth.c |
@@ -132,7 +132,7 @@ Index: b/auth.c | |||
132 | #include "auth.h" | 132 | #include "auth.h" |
133 | #include "auth-options.h" | 133 | #include "auth-options.h" |
134 | #include "canohost.h" | 134 | #include "canohost.h" |
135 | @@ -615,10 +616,34 @@ | 135 | @@ -621,10 +622,34 @@ |
136 | 136 | ||
137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
138 | int | 138 | int |
@@ -223,7 +223,7 @@ Index: b/authfile.c | |||
223 | 223 | ||
224 | /* Version identification string for SSH v1 identity files. */ | 224 | /* Version identification string for SSH v1 identity files. */ |
225 | static const char authfile_id_string[] = | 225 | static const char authfile_id_string[] = |
226 | @@ -814,3 +815,140 @@ | 226 | @@ -906,3 +907,140 @@ |
227 | return ret; | 227 | return ret; |
228 | } | 228 | } |
229 | 229 | ||
@@ -390,7 +390,7 @@ Index: b/pathnames.h | |||
390 | #ifndef _PATH_SSH_PIDDIR | 390 | #ifndef _PATH_SSH_PIDDIR |
391 | #define _PATH_SSH_PIDDIR "/var/run" | 391 | #define _PATH_SSH_PIDDIR "/var/run" |
392 | #endif | 392 | #endif |
393 | @@ -43,6 +47,9 @@ | 393 | @@ -44,6 +48,9 @@ |
394 | /* Backwards compatibility */ | 394 | /* Backwards compatibility */ |
395 | #define _PATH_DH_PRIMES SSHDIR "/primes" | 395 | #define _PATH_DH_PRIMES SSHDIR "/primes" |
396 | 396 | ||
@@ -404,7 +404,7 @@ Index: b/readconf.c | |||
404 | =================================================================== | 404 | =================================================================== |
405 | --- a/readconf.c | 405 | --- a/readconf.c |
406 | +++ b/readconf.c | 406 | +++ b/readconf.c |
407 | @@ -123,6 +123,7 @@ | 407 | @@ -125,6 +125,7 @@ |
408 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, | 408 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, |
409 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, | 409 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, |
410 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, | 410 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, |
@@ -412,7 +412,7 @@ Index: b/readconf.c | |||
412 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, | 412 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, |
413 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 413 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
414 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 414 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
415 | @@ -154,6 +155,7 @@ | 415 | @@ -158,6 +159,7 @@ |
416 | { "passwordauthentication", oPasswordAuthentication }, | 416 | { "passwordauthentication", oPasswordAuthentication }, |
417 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 417 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
418 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 418 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
@@ -420,7 +420,7 @@ Index: b/readconf.c | |||
420 | { "rsaauthentication", oRSAAuthentication }, | 420 | { "rsaauthentication", oRSAAuthentication }, |
421 | { "pubkeyauthentication", oPubkeyAuthentication }, | 421 | { "pubkeyauthentication", oPubkeyAuthentication }, |
422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
423 | @@ -479,6 +481,10 @@ | 423 | @@ -486,6 +488,10 @@ |
424 | intptr = &options->challenge_response_authentication; | 424 | intptr = &options->challenge_response_authentication; |
425 | goto parse_flag; | 425 | goto parse_flag; |
426 | 426 | ||
@@ -431,7 +431,7 @@ Index: b/readconf.c | |||
431 | case oGssAuthentication: | 431 | case oGssAuthentication: |
432 | intptr = &options->gss_authentication; | 432 | intptr = &options->gss_authentication; |
433 | goto parse_flag; | 433 | goto parse_flag; |
434 | @@ -1093,6 +1099,7 @@ | 434 | @@ -1134,6 +1140,7 @@ |
435 | options->kbd_interactive_devices = NULL; | 435 | options->kbd_interactive_devices = NULL; |
436 | options->rhosts_rsa_authentication = -1; | 436 | options->rhosts_rsa_authentication = -1; |
437 | options->hostbased_authentication = -1; | 437 | options->hostbased_authentication = -1; |
@@ -439,7 +439,7 @@ Index: b/readconf.c | |||
439 | options->batch_mode = -1; | 439 | options->batch_mode = -1; |
440 | options->check_host_ip = -1; | 440 | options->check_host_ip = -1; |
441 | options->strict_host_key_checking = -1; | 441 | options->strict_host_key_checking = -1; |
442 | @@ -1201,6 +1208,8 @@ | 442 | @@ -1245,6 +1252,8 @@ |
443 | options->rhosts_rsa_authentication = 0; | 443 | options->rhosts_rsa_authentication = 0; |
444 | if (options->hostbased_authentication == -1) | 444 | if (options->hostbased_authentication == -1) |
445 | options->hostbased_authentication = 0; | 445 | options->hostbased_authentication = 0; |
@@ -452,7 +452,7 @@ Index: b/readconf.h | |||
452 | =================================================================== | 452 | =================================================================== |
453 | --- a/readconf.h | 453 | --- a/readconf.h |
454 | +++ b/readconf.h | 454 | +++ b/readconf.h |
455 | @@ -56,6 +56,7 @@ | 455 | @@ -57,6 +57,7 @@ |
456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | 457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ |
458 | int zero_knowledge_password_authentication; /* Try jpake */ | 458 | int zero_knowledge_password_authentication; /* Try jpake */ |
@@ -464,7 +464,7 @@ Index: b/servconf.c | |||
464 | =================================================================== | 464 | =================================================================== |
465 | --- a/servconf.c | 465 | --- a/servconf.c |
466 | +++ b/servconf.c | 466 | +++ b/servconf.c |
467 | @@ -100,6 +100,7 @@ | 467 | @@ -104,6 +104,7 @@ |
468 | options->password_authentication = -1; | 468 | options->password_authentication = -1; |
469 | options->kbd_interactive_authentication = -1; | 469 | options->kbd_interactive_authentication = -1; |
470 | options->challenge_response_authentication = -1; | 470 | options->challenge_response_authentication = -1; |
@@ -472,7 +472,7 @@ Index: b/servconf.c | |||
472 | options->permit_empty_passwd = -1; | 472 | options->permit_empty_passwd = -1; |
473 | options->permit_user_env = -1; | 473 | options->permit_user_env = -1; |
474 | options->use_login = -1; | 474 | options->use_login = -1; |
475 | @@ -232,6 +233,8 @@ | 475 | @@ -243,6 +244,8 @@ |
476 | options->kbd_interactive_authentication = 0; | 476 | options->kbd_interactive_authentication = 0; |
477 | if (options->challenge_response_authentication == -1) | 477 | if (options->challenge_response_authentication == -1) |
478 | options->challenge_response_authentication = 1; | 478 | options->challenge_response_authentication = 1; |
@@ -481,7 +481,7 @@ Index: b/servconf.c | |||
481 | if (options->permit_empty_passwd == -1) | 481 | if (options->permit_empty_passwd == -1) |
482 | options->permit_empty_passwd = 0; | 482 | options->permit_empty_passwd = 0; |
483 | if (options->permit_user_env == -1) | 483 | if (options->permit_user_env == -1) |
484 | @@ -307,7 +310,7 @@ | 484 | @@ -322,7 +325,7 @@ |
485 | sListenAddress, sAddressFamily, | 485 | sListenAddress, sAddressFamily, |
486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
@@ -490,7 +490,7 @@ Index: b/servconf.c | |||
490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
493 | @@ -416,6 +419,7 @@ | 493 | @@ -432,6 +435,7 @@ |
494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
@@ -498,7 +498,7 @@ Index: b/servconf.c | |||
498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
501 | @@ -1011,6 +1015,10 @@ | 501 | @@ -1029,6 +1033,10 @@ |
502 | intptr = &options->tcp_keep_alive; | 502 | intptr = &options->tcp_keep_alive; |
503 | goto parse_flag; | 503 | goto parse_flag; |
504 | 504 | ||
@@ -509,7 +509,7 @@ Index: b/servconf.c | |||
509 | case sEmptyPasswd: | 509 | case sEmptyPasswd: |
510 | intptr = &options->permit_empty_passwd; | 510 | intptr = &options->permit_empty_passwd; |
511 | goto parse_flag; | 511 | goto parse_flag; |
512 | @@ -1708,6 +1716,7 @@ | 512 | @@ -1757,6 +1765,7 @@ |
513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
@@ -521,7 +521,7 @@ Index: b/servconf.h | |||
521 | =================================================================== | 521 | =================================================================== |
522 | --- a/servconf.h | 522 | --- a/servconf.h |
523 | +++ b/servconf.h | 523 | +++ b/servconf.h |
524 | @@ -104,6 +104,7 @@ | 524 | @@ -107,6 +107,7 @@ |
525 | int challenge_response_authentication; | 525 | int challenge_response_authentication; |
526 | int zero_knowledge_password_authentication; | 526 | int zero_knowledge_password_authentication; |
527 | /* If true, permit jpake auth */ | 527 | /* If true, permit jpake auth */ |
@@ -533,7 +533,7 @@ Index: b/ssh-add.1 | |||
533 | =================================================================== | 533 | =================================================================== |
534 | --- a/ssh-add.1 | 534 | --- a/ssh-add.1 |
535 | +++ b/ssh-add.1 | 535 | +++ b/ssh-add.1 |
536 | @@ -82,6 +82,10 @@ | 536 | @@ -81,6 +81,10 @@ |
537 | .Nm | 537 | .Nm |
538 | to work. | 538 | to work. |
539 | .Pp | 539 | .Pp |
@@ -544,7 +544,7 @@ Index: b/ssh-add.1 | |||
544 | The options are as follows: | 544 | The options are as follows: |
545 | .Bl -tag -width Ds | 545 | .Bl -tag -width Ds |
546 | .It Fl c | 546 | .It Fl c |
547 | @@ -182,6 +186,7 @@ | 547 | @@ -183,6 +187,7 @@ |
548 | .Xr ssh 1 , | 548 | .Xr ssh 1 , |
549 | .Xr ssh-agent 1 , | 549 | .Xr ssh-agent 1 , |
550 | .Xr ssh-keygen 1 , | 550 | .Xr ssh-keygen 1 , |
@@ -556,7 +556,7 @@ Index: b/ssh-add.c | |||
556 | =================================================================== | 556 | =================================================================== |
557 | --- a/ssh-add.c | 557 | --- a/ssh-add.c |
558 | +++ b/ssh-add.c | 558 | +++ b/ssh-add.c |
559 | @@ -139,7 +139,7 @@ | 559 | @@ -142,7 +142,7 @@ |
560 | add_file(AuthenticationConnection *ac, const char *filename) | 560 | add_file(AuthenticationConnection *ac, const char *filename) |
561 | { | 561 | { |
562 | Key *private, *cert; | 562 | Key *private, *cert; |
@@ -565,7 +565,7 @@ Index: b/ssh-add.c | |||
565 | char msg[1024], *certpath; | 565 | char msg[1024], *certpath; |
566 | int fd, perms_ok, ret = -1; | 566 | int fd, perms_ok, ret = -1; |
567 | 567 | ||
568 | @@ -184,6 +184,14 @@ | 568 | @@ -187,6 +187,14 @@ |
569 | "Bad passphrase, try again for %.200s: ", comment); | 569 | "Bad passphrase, try again for %.200s: ", comment); |
570 | } | 570 | } |
571 | } | 571 | } |
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1 | |||
584 | =================================================================== | 584 | =================================================================== |
585 | --- a/ssh-keygen.1 | 585 | --- a/ssh-keygen.1 |
586 | +++ b/ssh-keygen.1 | 586 | +++ b/ssh-keygen.1 |
587 | @@ -669,6 +669,7 @@ | 587 | @@ -659,6 +659,7 @@ |
588 | .Xr ssh 1 , | 588 | .Xr ssh 1 , |
589 | .Xr ssh-add 1 , | 589 | .Xr ssh-add 1 , |
590 | .Xr ssh-agent 1 , | 590 | .Xr ssh-agent 1 , |
@@ -1236,7 +1236,7 @@ Index: b/ssh.1 | |||
1236 | =================================================================== | 1236 | =================================================================== |
1237 | --- a/ssh.1 | 1237 | --- a/ssh.1 |
1238 | +++ b/ssh.1 | 1238 | +++ b/ssh.1 |
1239 | @@ -1392,6 +1392,7 @@ | 1239 | @@ -1402,6 +1402,7 @@ |
1240 | .Xr ssh-agent 1 , | 1240 | .Xr ssh-agent 1 , |
1241 | .Xr ssh-keygen 1 , | 1241 | .Xr ssh-keygen 1 , |
1242 | .Xr ssh-keyscan 1 , | 1242 | .Xr ssh-keyscan 1 , |
@@ -1248,7 +1248,7 @@ Index: b/ssh.c | |||
1248 | =================================================================== | 1248 | =================================================================== |
1249 | --- a/ssh.c | 1249 | --- a/ssh.c |
1250 | +++ b/ssh.c | 1250 | +++ b/ssh.c |
1251 | @@ -1422,7 +1422,7 @@ | 1251 | @@ -1448,7 +1448,7 @@ |
1252 | static void | 1252 | static void |
1253 | load_public_identity_files(void) | 1253 | load_public_identity_files(void) |
1254 | { | 1254 | { |
@@ -1257,7 +1257,7 @@ Index: b/ssh.c | |||
1257 | char *pwdir = NULL, *pwname = NULL; | 1257 | char *pwdir = NULL, *pwname = NULL; |
1258 | int i = 0; | 1258 | int i = 0; |
1259 | Key *public; | 1259 | Key *public; |
1260 | @@ -1479,6 +1479,22 @@ | 1260 | @@ -1505,6 +1505,22 @@ |
1261 | public = key_load_public(filename, NULL); | 1261 | public = key_load_public(filename, NULL); |
1262 | debug("identity file %s type %d", filename, | 1262 | debug("identity file %s type %d", filename, |
1263 | public ? public->type : -1); | 1263 | public ? public->type : -1); |
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5 | |||
1284 | =================================================================== | 1284 | =================================================================== |
1285 | --- a/ssh_config.5 | 1285 | --- a/ssh_config.5 |
1286 | +++ b/ssh_config.5 | 1286 | +++ b/ssh_config.5 |
1287 | @@ -1082,6 +1082,23 @@ | 1287 | @@ -1146,6 +1146,23 @@ |
1288 | .Dq any . | 1288 | .Dq any . |
1289 | The default is | 1289 | The default is |
1290 | .Dq any:any . | 1290 | .Dq any:any . |
@@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c | |||
1312 | =================================================================== | 1312 | =================================================================== |
1313 | --- a/sshconnect2.c | 1313 | --- a/sshconnect2.c |
1314 | +++ b/sshconnect2.c | 1314 | +++ b/sshconnect2.c |
1315 | @@ -1421,6 +1421,8 @@ | 1315 | @@ -1488,6 +1488,8 @@ |
1316 | 1316 | ||
1317 | /* list of keys stored in the filesystem */ | 1317 | /* list of keys stored in the filesystem */ |
1318 | for (i = 0; i < options.num_identity_files; i++) { | 1318 | for (i = 0; i < options.num_identity_files; i++) { |
@@ -1321,7 +1321,7 @@ Index: b/sshconnect2.c | |||
1321 | key = options.identity_keys[i]; | 1321 | key = options.identity_keys[i]; |
1322 | if (key && key->type == KEY_RSA1) | 1322 | if (key && key->type == KEY_RSA1) |
1323 | continue; | 1323 | continue; |
1324 | @@ -1514,7 +1516,7 @@ | 1324 | @@ -1581,7 +1583,7 @@ |
1325 | debug("Offering %s public key: %s", key_type(id->key), | 1325 | debug("Offering %s public key: %s", key_type(id->key), |
1326 | id->filename); | 1326 | id->filename); |
1327 | sent = send_pubkey_test(authctxt, id); | 1327 | sent = send_pubkey_test(authctxt, id); |
@@ -1334,7 +1334,7 @@ Index: b/sshd.8 | |||
1334 | =================================================================== | 1334 | =================================================================== |
1335 | --- a/sshd.8 | 1335 | --- a/sshd.8 |
1336 | +++ b/sshd.8 | 1336 | +++ b/sshd.8 |
1337 | @@ -938,6 +938,7 @@ | 1337 | @@ -945,6 +945,7 @@ |
1338 | .Xr ssh-agent 1 , | 1338 | .Xr ssh-agent 1 , |
1339 | .Xr ssh-keygen 1 , | 1339 | .Xr ssh-keygen 1 , |
1340 | .Xr ssh-keyscan 1 , | 1340 | .Xr ssh-keyscan 1 , |
@@ -1346,7 +1346,7 @@ Index: b/sshd.c | |||
1346 | =================================================================== | 1346 | =================================================================== |
1347 | --- a/sshd.c | 1347 | --- a/sshd.c |
1348 | +++ b/sshd.c | 1348 | +++ b/sshd.c |
1349 | @@ -1573,6 +1573,11 @@ | 1349 | @@ -1576,6 +1576,11 @@ |
1350 | sensitive_data.host_keys[i] = NULL; | 1350 | sensitive_data.host_keys[i] = NULL; |
1351 | continue; | 1351 | continue; |
1352 | } | 1352 | } |
@@ -1362,7 +1362,7 @@ Index: b/sshd_config.5 | |||
1362 | =================================================================== | 1362 | =================================================================== |
1363 | --- a/sshd_config.5 | 1363 | --- a/sshd_config.5 |
1364 | +++ b/sshd_config.5 | 1364 | +++ b/sshd_config.5 |
1365 | @@ -743,6 +743,20 @@ | 1365 | @@ -792,6 +792,20 @@ |
1366 | Specifies whether password authentication is allowed. | 1366 | Specifies whether password authentication is allowed. |
1367 | The default is | 1367 | The default is |
1368 | .Dq yes . | 1368 | .Dq yes . |
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index dac1ca1cc..5f1caddc9 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -12,11 +12,11 @@ Index: b/clientloop.c | |||
12 | server_alive_check(void) | 12 | server_alive_check(void) |
13 | { | 13 | { |
14 | - if (packet_inc_alive_timeouts() > options.server_alive_count_max) { | 14 | - if (packet_inc_alive_timeouts() > options.server_alive_count_max) { |
15 | - logit("Timeout, server not responding."); | 15 | - logit("Timeout, server %s not responding.", host); |
16 | - cleanup_exit(255); | 16 | - cleanup_exit(255); |
17 | + if (compat20) { | 17 | + if (compat20) { |
18 | + if (packet_inc_alive_timeouts() > options.server_alive_count_max) { | 18 | + if (packet_inc_alive_timeouts() > options.server_alive_count_max) { |
19 | + logit("Timeout, server not responding."); | 19 | + logit("Timeout, server %s not responding.", host); |
20 | + cleanup_exit(255); | 20 | + cleanup_exit(255); |
21 | + } | 21 | + } |
22 | + packet_start(SSH2_MSG_GLOBAL_REQUEST); | 22 | + packet_start(SSH2_MSG_GLOBAL_REQUEST); |
@@ -51,7 +51,7 @@ Index: b/ssh_config.5 | |||
51 | =================================================================== | 51 | =================================================================== |
52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
54 | @@ -983,7 +983,10 @@ | 54 | @@ -1047,7 +1047,10 @@ |
55 | .Cm ServerAliveCountMax | 55 | .Cm ServerAliveCountMax |
56 | is left at the default, if the server becomes unresponsive, | 56 | is left at the default, if the server becomes unresponsive, |
57 | ssh will disconnect after approximately 45 seconds. | 57 | ssh will disconnect after approximately 45 seconds. |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index 3cb9fdc65..9b560217f 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -26,7 +26,7 @@ Index: b/ssh.c | |||
26 | =================================================================== | 26 | =================================================================== |
27 | --- a/ssh.c | 27 | --- a/ssh.c |
28 | +++ b/ssh.c | 28 | +++ b/ssh.c |
29 | @@ -642,7 +642,7 @@ | 29 | @@ -641,7 +641,7 @@ |
30 | tty_flag = 0; | 30 | tty_flag = 0; |
31 | /* Do not allocate a tty if stdin is not a tty. */ | 31 | /* Do not allocate a tty if stdin is not a tty. */ |
32 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { | 32 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 69700e592..fe2d99be0 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -15,7 +15,7 @@ Index: b/readconf.c | |||
15 | =================================================================== | 15 | =================================================================== |
16 | --- a/readconf.c | 16 | --- a/readconf.c |
17 | +++ b/readconf.c | 17 | +++ b/readconf.c |
18 | @@ -28,6 +28,8 @@ | 18 | @@ -30,6 +30,8 @@ |
19 | #include <stdio.h> | 19 | #include <stdio.h> |
20 | #include <string.h> | 20 | #include <string.h> |
21 | #include <unistd.h> | 21 | #include <unistd.h> |
@@ -24,7 +24,7 @@ Index: b/readconf.c | |||
24 | 24 | ||
25 | #include "xmalloc.h" | 25 | #include "xmalloc.h" |
26 | #include "ssh.h" | 26 | #include "ssh.h" |
27 | @@ -1045,8 +1047,7 @@ | 27 | @@ -1085,8 +1087,7 @@ |
28 | 28 | ||
29 | if (fstat(fileno(f), &sb) == -1) | 29 | if (fstat(fileno(f), &sb) == -1) |
30 | fatal("fstat %s: %s", filename, strerror(errno)); | 30 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -38,20 +38,20 @@ Index: b/ssh.1 | |||
38 | =================================================================== | 38 | =================================================================== |
39 | --- a/ssh.1 | 39 | --- a/ssh.1 |
40 | +++ b/ssh.1 | 40 | +++ b/ssh.1 |
41 | @@ -1290,6 +1290,8 @@ | 41 | @@ -1293,6 +1293,8 @@ |
42 | .Xr ssh_config 5 . | 42 | .Xr ssh_config 5 . |
43 | Because of the potential for abuse, this file must have strict permissions: | 43 | Because of the potential for abuse, this file must have strict permissions: |
44 | read/write for the user, and not accessible by others. | 44 | read/write for the user, and not accessible by others. |
45 | +It may be group-writable provided that the group in question contains only | 45 | +It may be group-writable provided that the group in question contains only |
46 | +the user. | 46 | +the user. |
47 | .Pp | 47 | .Pp |
48 | .It ~/.ssh/environment | 48 | .It Pa ~/.ssh/environment |
49 | Contains additional definitions for environment variables; see | 49 | Contains additional definitions for environment variables; see |
50 | Index: b/ssh_config.5 | 50 | Index: b/ssh_config.5 |
51 | =================================================================== | 51 | =================================================================== |
52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
54 | @@ -1235,6 +1235,8 @@ | 54 | @@ -1299,6 +1299,8 @@ |
55 | This file is used by the SSH client. | 55 | This file is used by the SSH client. |
56 | Because of the potential for abuse, this file must have strict permissions: | 56 | Because of the potential for abuse, this file must have strict permissions: |
57 | read/write for the user, and not accessible by others. | 57 | read/write for the user, and not accessible by others. |
@@ -64,7 +64,7 @@ Index: b/auth.c | |||
64 | =================================================================== | 64 | =================================================================== |
65 | --- a/auth.c | 65 | --- a/auth.c |
66 | +++ b/auth.c | 66 | +++ b/auth.c |
67 | @@ -393,8 +393,7 @@ | 67 | @@ -392,8 +392,7 @@ |
68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
69 | if (options.strict_modes && | 69 | if (options.strict_modes && |
70 | (stat(user_hostfile, &st) == 0) && | 70 | (stat(user_hostfile, &st) == 0) && |
@@ -74,7 +74,7 @@ Index: b/auth.c | |||
74 | logit("Authentication refused for %.100s: " | 74 | logit("Authentication refused for %.100s: " |
75 | "bad owner or modes for %.200s", | 75 | "bad owner or modes for %.200s", |
76 | pw->pw_name, user_hostfile); | 76 | pw->pw_name, user_hostfile); |
77 | @@ -448,8 +447,7 @@ | 77 | @@ -454,8 +453,7 @@ |
78 | 78 | ||
79 | /* check the open file to avoid races */ | 79 | /* check the open file to avoid races */ |
80 | if (fstat(fileno(f), &st) < 0 || | 80 | if (fstat(fileno(f), &st) < 0 || |
@@ -84,7 +84,7 @@ Index: b/auth.c | |||
84 | snprintf(err, errlen, "bad ownership or modes for file %s", | 84 | snprintf(err, errlen, "bad ownership or modes for file %s", |
85 | buf); | 85 | buf); |
86 | return -1; | 86 | return -1; |
87 | @@ -465,8 +463,7 @@ | 87 | @@ -471,8 +469,7 @@ |
88 | 88 | ||
89 | debug3("secure_filename: checking '%s'", buf); | 89 | debug3("secure_filename: checking '%s'", buf); |
90 | if (stat(buf, &st) < 0 || | 90 | if (stat(buf, &st) < 0 || |
@@ -98,7 +98,7 @@ Index: b/misc.c | |||
98 | =================================================================== | 98 | =================================================================== |
99 | --- a/misc.c | 99 | --- a/misc.c |
100 | +++ b/misc.c | 100 | +++ b/misc.c |
101 | @@ -45,8 +45,9 @@ | 101 | @@ -48,8 +48,9 @@ |
102 | #include <netdb.h> | 102 | #include <netdb.h> |
103 | #ifdef HAVE_PATHS_H | 103 | #ifdef HAVE_PATHS_H |
104 | # include <paths.h> | 104 | # include <paths.h> |
@@ -109,7 +109,7 @@ Index: b/misc.c | |||
109 | #ifdef SSH_TUN_OPENBSD | 109 | #ifdef SSH_TUN_OPENBSD |
110 | #include <net/if.h> | 110 | #include <net/if.h> |
111 | #endif | 111 | #endif |
112 | @@ -639,6 +640,55 @@ | 112 | @@ -642,6 +643,55 @@ |
113 | } | 113 | } |
114 | 114 | ||
115 | int | 115 | int |
@@ -169,7 +169,7 @@ Index: b/misc.h | |||
169 | =================================================================== | 169 | =================================================================== |
170 | --- a/misc.h | 170 | --- a/misc.h |
171 | +++ b/misc.h | 171 | +++ b/misc.h |
172 | @@ -92,4 +92,6 @@ | 172 | @@ -102,4 +102,6 @@ |
173 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 173 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
174 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 174 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
175 | 175 | ||