Diffstat (limited to 'debian')
31 files changed, 301 insertions, 298 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index c476ca7ec..cc2aee698 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
@@ -1,8 +1,8 @@ | |||
1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
2 | 8698446b972003b63dfe5dcbdb86acfe986afb85 | 2 | 810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8 |
3 | 8698446b972003b63dfe5dcbdb86acfe986afb85 | 3 | 810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8 |
4 | baccdb349b31c47cd76fb63211f754ed33a9707e | 4 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 |
5 | baccdb349b31c47cd76fb63211f754ed33a9707e | 5 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 |
6 | openssh_6.8p1.orig.tar.gz | 6 | openssh_6.9p1.orig.tar.gz |
7 | cdbc51e46a902b30d263b05fdc71340920e91c92 | 7 | 86ab57f00d0fd9bf302760f2f6deac1b6e9df265 |
8 | 1475953 | 8 | 1487617 |
diff --git a/debian/changelog b/debian/changelog index 60049cd71..06ec4ab09 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,4 +1,4 @@ | |||
1 | openssh (1:6.8p1-1) UNRELEASED; urgency=medium | 1 | openssh (1:6.9p1-1) UNRELEASED; urgency=medium |
2 | 2 | ||
3 | * New upstream release (http://www.openssh.com/txt/release-6.8): | 3 | * New upstream release (http://www.openssh.com/txt/release-6.8): |
4 | - sshd(8): UseDNS now defaults to 'no'. Configurations that match | 4 | - sshd(8): UseDNS now defaults to 'no'. Configurations that match |
@@ -63,6 +63,72 @@ openssh (1:6.8p1-1) UNRELEASED; urgency=medium | |||
63 | - ssh-keygen(1): Fix broken private key conversion from non-OpenSSH | 63 | - ssh-keygen(1): Fix broken private key conversion from non-OpenSSH |
64 | formats. | 64 | formats. |
65 | - ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use. | 65 | - ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use. |
66 | * New upstream release (http://www.openssh.com/txt/release-6.9): | ||
67 | - SECURITY: ssh(1): When forwarding X11 connections with | ||
68 | ForwardX11Trusted=no, connections made after ForwardX11Timeout expired | ||
69 | could be permitted and no longer subject to XSECURITY restrictions | ||
70 | because of an ineffective timeout check in ssh(1) coupled with "fail | ||
71 | open" behaviour in the X11 server when clients attempted connections | ||
72 | with expired credentials. This problem was reported by Jann Horn. | ||
73 | - SECURITY: ssh-agent(1): Fix weakness of agent locking (ssh-add -x) to | ||
74 | password guessing by implementing an increasing failure delay, storing | ||
75 | a salted hash of the password rather than the password itself and | ||
76 | using a timing-safe comparison function for verifying unlock attempts. | ||
77 | This problem was reported by Ryan Castellucci. | ||
78 | - sshd(8): Support admin-specified arguments to AuthorizedKeysCommand | ||
79 | (closes: #740494). | ||
80 | - sshd(8): Add AuthorizedPrincipalsCommand that allows retrieving | ||
81 | authorized principals information from a subprocess rather than a | ||
82 | file. | ||
83 | - ssh(1), ssh-add(1): Support PKCS#11 devices with external PIN entry | ||
84 | devices. | ||
85 | - ssh-keygen(1): Support "ssh-keygen -lF hostname" to search known_hosts | ||
86 | and print key hashes rather than full keys. | ||
87 | - ssh-agent(1): Add -D flag to leave ssh-agent in foreground without | ||
88 | enabling debug mode. | ||
89 | - ssh(1), sshd(8): Deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD | ||
90 | message and do not try to use it against some 3rd-party SSH | ||
91 | implementations that use it (older PuTTY, WinSCP). | ||
92 | - ssh(1), sshd(8): Cap DH-GEX group size at 4Kbits for Cisco | ||
93 | implementations as some would fail when attempting to use group sizes | ||
94 | >4K (closes: #740307, LP: #1287222). | ||
95 | - ssh(1): Fix out-of-bound read in EscapeChar configuration option | ||
96 | parsing. | ||
97 | - sshd(8): Fix application of PermitTunnel, LoginGraceTime, | ||
98 | AuthenticationMethods and StreamLocalBindMask options in Match blocks. | ||
99 | - ssh(1), sshd(8): Improve disconnection message on TCP reset. | ||
100 | - ssh(1): Remove failed remote forwards established by multiplexing from | ||
101 | the list of active forwards. | ||
102 | - sshd(8): Make parsing of authorized_keys "environment=" options | ||
103 | independent of PermitUserEnv being enabled. | ||
104 | - sshd(8): Fix post-auth crash with permitopen=none (closes: #778807). | ||
105 | - ssh(1), ssh-add(1), ssh-keygen(1): Allow new-format private keys to be | ||
106 | encrypted with AEAD ciphers. | ||
107 | - ssh(1): Allow ListenAddress, Port and AddressFamily configuration | ||
108 | options to appear in any order. | ||
109 | - sshd(8): Check for and reject missing arguments for VersionAddendum | ||
110 | and ForceCommand. | ||
111 | - ssh(1), sshd(8): Don't treat unknown certificate extensions as fatal. | ||
112 | - ssh-keygen(1): Make stdout and stderr output consistent. | ||
113 | - ssh(1): Mention missing DISPLAY environment in debug log when X11 | ||
114 | forwarding requested. | ||
115 | - sshd(8): Correctly record login when UseLogin is set. | ||
116 | - sshd(8): Add some missing options to sshd -T output and fix output of | ||
117 | VersionAddendum and HostCertificate. | ||
118 | - Document and improve consistency of options that accept a "none" | ||
119 | argument: TrustedUserCAKeys, RevokedKeys, AuthorizedPrincipalsFile. | ||
120 | - ssh(1): Include remote username in debug output. | ||
121 | - sshd(8): Avoid compatibility problem with some versions of Tera Term, | ||
122 | which would crash when they received the hostkeys notification message | ||
123 | (hostkeys-00@openssh.com). | ||
124 | - sshd(8): Mention ssh-keygen -E as useful when comparing legacy MD5 | ||
125 | host key fingerprints. | ||
126 | - ssh(1): Clarify pseudo-terminal request behaviour and make manual | ||
127 | language consistent. | ||
128 | - ssh(1): Document that the TERM environment variable is not subject to | ||
129 | SendEnv and AcceptEnv; bz#2386 | ||
130 | - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648). | ||
131 | - moduli(5): Update DH-GEX moduli (closes: #787037). | ||
66 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the | 132 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the |
67 | GSSAPI key exchange patch. | 133 | GSSAPI key exchange patch. |
68 | 134 | ||
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index 491656be2..1b52fd4cc 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c9c2ebb4680ea6872218b1e4519fe31a2043a27a Mon Sep 17 00:00:00 2001 | 1 | From ee78b163ac7fe57b819e8ddf84b32e67b6a950a3 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 |
4 | Subject: Quieten logs when multiple from= restrictions are used | 4 | Subject: Quieten logs when multiple from= restrictions are used |
@@ -16,7 +16,7 @@ Patch-Name: auth-log-verbosity.patch | |||
16 | 4 files changed, 32 insertions(+), 9 deletions(-) | 16 | 4 files changed, 32 insertions(+), 9 deletions(-) |
17 | 17 | ||
18 | diff --git a/auth-options.c b/auth-options.c | 18 | diff --git a/auth-options.c b/auth-options.c |
19 | index 4f0da9c..3fa236e 100644 | 19 | index facfc02..9ab1880 100644 |
20 | --- a/auth-options.c | 20 | --- a/auth-options.c |
21 | +++ b/auth-options.c | 21 | +++ b/auth-options.c |
22 | @@ -58,9 +58,20 @@ int forced_tun_device = -1; | 22 | @@ -58,9 +58,20 @@ int forced_tun_device = -1; |
@@ -40,7 +40,7 @@ index 4f0da9c..3fa236e 100644 | |||
40 | auth_clear_options(void) | 40 | auth_clear_options(void) |
41 | { | 41 | { |
42 | no_agent_forwarding_flag = 0; | 42 | no_agent_forwarding_flag = 0; |
43 | @@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | 43 | @@ -293,10 +304,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
44 | /* FALLTHROUGH */ | 44 | /* FALLTHROUGH */ |
45 | case 0: | 45 | case 0: |
46 | free(patterns); | 46 | free(patterns); |
@@ -58,7 +58,7 @@ index 4f0da9c..3fa236e 100644 | |||
58 | auth_debug_add("Your host '%.200s' is not " | 58 | auth_debug_add("Your host '%.200s' is not " |
59 | "permitted to use this key for login.", | 59 | "permitted to use this key for login.", |
60 | remote_host); | 60 | remote_host); |
61 | @@ -514,11 +528,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | 61 | @@ -519,11 +533,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, |
62 | break; | 62 | break; |
63 | case 0: | 63 | case 0: |
64 | /* no match */ | 64 | /* no match */ |
@@ -104,18 +104,18 @@ index cbd971b..4cf2163 100644 | |||
104 | * Go though the accepted keys, looking for the current key. If | 104 | * Go though the accepted keys, looking for the current key. If |
105 | * found, perform a challenge-response dialog to verify that the | 105 | * found, perform a challenge-response dialog to verify that the |
106 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c | 106 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c |
107 | index d943efa..0bda5c9 100644 | 107 | index 5aa319c..1eee161 100644 |
108 | --- a/auth2-pubkey.c | 108 | --- a/auth2-pubkey.c |
109 | +++ b/auth2-pubkey.c | 109 | +++ b/auth2-pubkey.c |
110 | @@ -282,6 +282,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) | 110 | @@ -561,6 +561,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, |
111 | restore_uid(); | 111 | u_long linenum = 0; |
112 | return 0; | 112 | u_int i; |
113 | } | 113 | |
114 | + auth_start_parse_options(); | 114 | + auth_start_parse_options(); |
115 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 115 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
116 | /* Skip leading whitespace. */ | 116 | /* Skip leading whitespace. */ |
117 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | 117 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
118 | @@ -343,6 +344,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) | 118 | @@ -726,6 +727,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) |
119 | found_key = 0; | 119 | found_key = 0; |
120 | 120 | ||
121 | found = NULL; | 121 | found = NULL; |
@@ -123,9 +123,9 @@ index d943efa..0bda5c9 100644 | |||
123 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 123 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
124 | char *cp, *key_options = NULL; | 124 | char *cp, *key_options = NULL; |
125 | if (found != NULL) | 125 | if (found != NULL) |
126 | @@ -482,6 +484,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | 126 | @@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) |
127 | if (key_cert_check_authority(key, 0, 1, | 127 | if (key_cert_check_authority(key, 0, 1, |
128 | principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) | 128 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) |
129 | goto fail_reason; | 129 | goto fail_reason; |
130 | + auth_start_parse_options(); | 130 | + auth_start_parse_options(); |
131 | if (auth_cert_options(key, pw) != 0) | 131 | if (auth_cert_options(key, pw) != 0) |
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index eb398f6a4..e2f08085e 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8a1a563ee326222155c74454e11e6ed62297c403 Mon Sep 17 00:00:00 2001 | 1 | From 4a7ce48c3db45ebb9cb76fe21fc9e8811a43d840 Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch index 0438b8f74..5ab47c0ca 100644 --- a/debian/patches/consolekit.patch +++ b/debian/patches/consolekit.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8b3111d597316954caaf8ddf2e7746491976c248 Mon Sep 17 00:00:00 2001 | 1 | From 1197fd975ab8fd11b1ac83557ef750129b16c0d8 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:57 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:57 +0000 |
4 | Subject: Add support for registering ConsoleKit sessions on login | 4 | Subject: Add support for registering ConsoleKit sessions on login |
@@ -37,10 +37,10 @@ index 3d2a328..c406aec 100644 | |||
37 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | 37 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out |
38 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 | 38 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 |
39 | diff --git a/configure.ac b/configure.ac | 39 | diff --git a/configure.ac b/configure.ac |
40 | index 5f606ea..f7ce777 100644 | 40 | index 4d55c46..cd6acaf 100644 |
41 | --- a/configure.ac | 41 | --- a/configure.ac |
42 | +++ b/configure.ac | 42 | +++ b/configure.ac |
43 | @@ -4180,6 +4180,30 @@ AC_ARG_WITH([kerberos5], | 43 | @@ -4188,6 +4188,30 @@ AC_ARG_WITH([kerberos5], |
44 | AC_SUBST([GSSLIBS]) | 44 | AC_SUBST([GSSLIBS]) |
45 | AC_SUBST([K5LIBS]) | 45 | AC_SUBST([K5LIBS]) |
46 | 46 | ||
@@ -71,7 +71,7 @@ index 5f606ea..f7ce777 100644 | |||
71 | # Looking for programs, paths and files | 71 | # Looking for programs, paths and files |
72 | 72 | ||
73 | PRIVSEP_PATH=/var/empty | 73 | PRIVSEP_PATH=/var/empty |
74 | @@ -4981,6 +5005,7 @@ echo " MD5 password support: $MD5_MSG" | 74 | @@ -4989,6 +5013,7 @@ echo " MD5 password support: $MD5_MSG" |
75 | echo " libedit support: $LIBEDIT_MSG" | 75 | echo " libedit support: $LIBEDIT_MSG" |
76 | echo " Solaris process contract support: $SPC_MSG" | 76 | echo " Solaris process contract support: $SPC_MSG" |
77 | echo " Solaris project support: $SP_MSG" | 77 | echo " Solaris project support: $SP_MSG" |
@@ -357,7 +357,7 @@ index 0000000..8ce3716 | |||
357 | + | 357 | + |
358 | +#endif /* USE_CONSOLEKIT */ | 358 | +#endif /* USE_CONSOLEKIT */ |
359 | diff --git a/monitor.c b/monitor.c | 359 | diff --git a/monitor.c b/monitor.c |
360 | index 6ff05e4..ce7ba07 100644 | 360 | index 3a3d2f0..12ed6fd 100644 |
361 | --- a/monitor.c | 361 | --- a/monitor.c |
362 | +++ b/monitor.c | 362 | +++ b/monitor.c |
363 | @@ -104,6 +104,9 @@ | 363 | @@ -104,6 +104,9 @@ |
@@ -411,7 +411,7 @@ index 6ff05e4..ce7ba07 100644 | |||
411 | 411 | ||
412 | for (;;) | 412 | for (;;) |
413 | monitor_read(pmonitor, mon_dispatch, NULL); | 413 | monitor_read(pmonitor, mon_dispatch, NULL); |
414 | @@ -2187,3 +2203,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { | 414 | @@ -2191,3 +2207,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { |
415 | 415 | ||
416 | #endif /* GSSAPI */ | 416 | #endif /* GSSAPI */ |
417 | 417 | ||
@@ -455,10 +455,10 @@ index 2d82b8b..fd8d92c 100644 | |||
455 | 455 | ||
456 | struct mm_master; | 456 | struct mm_master; |
457 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 457 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
458 | index 5aa9c47..a5f4e9d 100644 | 458 | index 6ae72a0..2a0fe9b 100644 |
459 | --- a/monitor_wrap.c | 459 | --- a/monitor_wrap.c |
460 | +++ b/monitor_wrap.c | 460 | +++ b/monitor_wrap.c |
461 | @@ -1150,3 +1150,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) | 461 | @@ -1151,3 +1151,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) |
462 | 462 | ||
463 | #endif /* GSSAPI */ | 463 | #endif /* GSSAPI */ |
464 | 464 | ||
@@ -493,7 +493,7 @@ index 5aa9c47..a5f4e9d 100644 | |||
493 | +} | 493 | +} |
494 | +#endif /* USE_CONSOLEKIT */ | 494 | +#endif /* USE_CONSOLEKIT */ |
495 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 495 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
496 | index 4d1e899..f99c31c 100644 | 496 | index 57e740f..6829392 100644 |
497 | --- a/monitor_wrap.h | 497 | --- a/monitor_wrap.h |
498 | +++ b/monitor_wrap.h | 498 | +++ b/monitor_wrap.h |
499 | @@ -108,4 +108,8 @@ int mm_skey_respond(void *, u_int, char **); | 499 | @@ -108,4 +108,8 @@ int mm_skey_respond(void *, u_int, char **); |
@@ -506,7 +506,7 @@ index 4d1e899..f99c31c 100644 | |||
506 | + | 506 | + |
507 | #endif /* _MM_WRAP_H_ */ | 507 | #endif /* _MM_WRAP_H_ */ |
508 | diff --git a/session.c b/session.c | 508 | diff --git a/session.c b/session.c |
509 | index d4b7725..785833f 100644 | 509 | index afac4a5..c6bd728 100644 |
510 | --- a/session.c | 510 | --- a/session.c |
511 | +++ b/session.c | 511 | +++ b/session.c |
512 | @@ -94,6 +94,7 @@ | 512 | @@ -94,6 +94,7 @@ |
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 5bc70a566..42fc5be76 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2c31a85436f1eac46e185382c2aa15406ae6c0ac Mon Sep 17 00:00:00 2001 | 1 | From 91729e3501d53d11fcc7a364b36994305c495945 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch | |||
19 | 4 files changed, 18 insertions(+), 1 deletion(-) | 19 | 4 files changed, 18 insertions(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/servconf.c b/servconf.c | 21 | diff --git a/servconf.c b/servconf.c |
22 | index b3a2841..bec53e0 100644 | 22 | index 8a5bd7b..fe3e311 100644 |
23 | --- a/servconf.c | 23 | --- a/servconf.c |
24 | +++ b/servconf.c | 24 | +++ b/servconf.c |
25 | @@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options) | 25 | @@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options) |
26 | options->ip_qos_bulk = -1; | 26 | options->ip_qos_bulk = -1; |
27 | options->version_addendum = NULL; | 27 | options->version_addendum = NULL; |
28 | options->fingerprint_hash = -1; | 28 | options->fingerprint_hash = -1; |
@@ -30,7 +30,7 @@ index b3a2841..bec53e0 100644 | |||
30 | } | 30 | } |
31 | 31 | ||
32 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ | 32 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
33 | @@ -342,6 +343,8 @@ fill_default_server_options(ServerOptions *options) | 33 | @@ -347,6 +348,8 @@ fill_default_server_options(ServerOptions *options) |
34 | options->fwd_opts.streamlocal_bind_unlink = 0; | 34 | options->fwd_opts.streamlocal_bind_unlink = 0; |
35 | if (options->fingerprint_hash == -1) | 35 | if (options->fingerprint_hash == -1) |
36 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 36 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
@@ -39,7 +39,7 @@ index b3a2841..bec53e0 100644 | |||
39 | /* Turn privilege separation on by default */ | 39 | /* Turn privilege separation on by default */ |
40 | if (use_privsep == -1) | 40 | if (use_privsep == -1) |
41 | use_privsep = PRIVSEP_NOSANDBOX; | 41 | use_privsep = PRIVSEP_NOSANDBOX; |
42 | @@ -412,6 +415,7 @@ typedef enum { | 42 | @@ -419,6 +422,7 @@ typedef enum { |
43 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, | 43 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
44 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 44 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
45 | sAllowStreamLocalForwarding, sFingerprintHash, | 45 | sAllowStreamLocalForwarding, sFingerprintHash, |
@@ -47,7 +47,7 @@ index b3a2841..bec53e0 100644 | |||
47 | sDeprecated, sUnsupported | 47 | sDeprecated, sUnsupported |
48 | } ServerOpCodes; | 48 | } ServerOpCodes; |
49 | 49 | ||
50 | @@ -556,6 +560,7 @@ static struct { | 50 | @@ -565,6 +569,7 @@ static struct { |
51 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, | 51 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, |
52 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, | 52 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, |
53 | { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, | 53 | { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, |
@@ -55,7 +55,7 @@ index b3a2841..bec53e0 100644 | |||
55 | { NULL, sBadOption, 0 } | 55 | { NULL, sBadOption, 0 } |
56 | }; | 56 | }; |
57 | 57 | ||
58 | @@ -1777,6 +1782,10 @@ process_server_config_line(ServerOptions *options, char *line, | 58 | @@ -1850,6 +1855,10 @@ process_server_config_line(ServerOptions *options, char *line, |
59 | options->fingerprint_hash = value; | 59 | options->fingerprint_hash = value; |
60 | break; | 60 | break; |
61 | 61 | ||
@@ -67,10 +67,10 @@ index b3a2841..bec53e0 100644 | |||
67 | logit("%s line %d: Deprecated option %s", | 67 | logit("%s line %d: Deprecated option %s", |
68 | filename, linenum, arg); | 68 | filename, linenum, arg); |
69 | diff --git a/servconf.h b/servconf.h | 69 | diff --git a/servconf.h b/servconf.h |
70 | index d2ed4d7..ed0f171 100644 | 70 | index b99b270..ba7b739 100644 |
71 | --- a/servconf.h | 71 | --- a/servconf.h |
72 | +++ b/servconf.h | 72 | +++ b/servconf.h |
73 | @@ -192,6 +192,8 @@ typedef struct { | 73 | @@ -196,6 +196,8 @@ typedef struct { |
74 | char *auth_methods[MAX_AUTH_METHODS]; | 74 | char *auth_methods[MAX_AUTH_METHODS]; |
75 | 75 | ||
76 | int fingerprint_hash; | 76 | int fingerprint_hash; |
@@ -80,7 +80,7 @@ index d2ed4d7..ed0f171 100644 | |||
80 | 80 | ||
81 | /* Information about the incoming connection as used by Match */ | 81 | /* Information about the incoming connection as used by Match */ |
82 | diff --git a/sshd.c b/sshd.c | 82 | diff --git a/sshd.c b/sshd.c |
83 | index c362209..5435968 100644 | 83 | index 96e75c6..7886d0e 100644 |
84 | --- a/sshd.c | 84 | --- a/sshd.c |
85 | +++ b/sshd.c | 85 | +++ b/sshd.c |
86 | @@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out) | 86 | @@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out) |
@@ -94,10 +94,10 @@ index c362209..5435968 100644 | |||
94 | options.version_addendum, newline); | 94 | options.version_addendum, newline); |
95 | 95 | ||
96 | diff --git a/sshd_config.5 b/sshd_config.5 | 96 | diff --git a/sshd_config.5 b/sshd_config.5 |
97 | index d14576e..ec58635 100644 | 97 | index 1269bbd..a5afbc3 100644 |
98 | --- a/sshd_config.5 | 98 | --- a/sshd_config.5 |
99 | +++ b/sshd_config.5 | 99 | +++ b/sshd_config.5 |
100 | @@ -476,6 +476,11 @@ or | 100 | @@ -528,6 +528,11 @@ or |
101 | .Dq no . | 101 | .Dq no . |
102 | The default is | 102 | The default is |
103 | .Dq delayed . | 103 | .Dq delayed . |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index a346ba678..4f5db8a91 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8698446b972003b63dfe5dcbdb86acfe986afb85 Mon Sep 17 00:00:00 2001 | 1 | From 810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
@@ -29,12 +29,12 @@ Patch-Name: debian-config.patch | |||
29 | readconf.c | 2 +- | 29 | readconf.c | 2 +- |
30 | ssh_config | 7 ++++++- | 30 | ssh_config | 7 ++++++- |
31 | ssh_config.5 | 19 ++++++++++++++++++- | 31 | ssh_config.5 | 19 ++++++++++++++++++- |
32 | sshd_config | 1 + | 32 | sshd_config | 3 ++- |
33 | sshd_config.5 | 25 +++++++++++++++++++++++++ | 33 | sshd_config.5 | 25 +++++++++++++++++++++++++ |
34 | 5 files changed, 51 insertions(+), 3 deletions(-) | 34 | 5 files changed, 52 insertions(+), 4 deletions(-) |
35 | 35 | ||
36 | diff --git a/readconf.c b/readconf.c | 36 | diff --git a/readconf.c b/readconf.c |
37 | index 2ef8d7b..66a62f2 100644 | 37 | index 5f6c37f..f0769b5 100644 |
38 | --- a/readconf.c | 38 | --- a/readconf.c |
39 | +++ b/readconf.c | 39 | +++ b/readconf.c |
40 | @@ -1748,7 +1748,7 @@ fill_default_options(Options * options) | 40 | @@ -1748,7 +1748,7 @@ fill_default_options(Options * options) |
@@ -71,7 +71,7 @@ index 228e5ab..c9386aa 100644 | |||
71 | + GSSAPIAuthentication yes | 71 | + GSSAPIAuthentication yes |
72 | + GSSAPIDelegateCredentials no | 72 | + GSSAPIDelegateCredentials no |
73 | diff --git a/ssh_config.5 b/ssh_config.5 | 73 | diff --git a/ssh_config.5 b/ssh_config.5 |
74 | index 3bd80fd..da8e544 100644 | 74 | index acd581b..844d1a0 100644 |
75 | --- a/ssh_config.5 | 75 | --- a/ssh_config.5 |
76 | +++ b/ssh_config.5 | 76 | +++ b/ssh_config.5 |
77 | @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more | 77 | @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more |
@@ -97,7 +97,7 @@ index 3bd80fd..da8e544 100644 | |||
97 | The configuration file has the following format: | 97 | The configuration file has the following format: |
98 | .Pp | 98 | .Pp |
99 | Empty lines and lines starting with | 99 | Empty lines and lines starting with |
100 | @@ -715,7 +731,8 @@ token used for the session will be set to expire after 20 minutes. | 100 | @@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes. |
101 | Remote clients will be refused access after this time. | 101 | Remote clients will be refused access after this time. |
102 | .Pp | 102 | .Pp |
103 | The default is | 103 | The default is |
@@ -108,19 +108,21 @@ index 3bd80fd..da8e544 100644 | |||
108 | See the X11 SECURITY extension specification for full details on | 108 | See the X11 SECURITY extension specification for full details on |
109 | the restrictions imposed on untrusted clients. | 109 | the restrictions imposed on untrusted clients. |
110 | diff --git a/sshd_config b/sshd_config | 110 | diff --git a/sshd_config b/sshd_config |
111 | index a71ad19..3391233 100644 | 111 | index 1dfd0f1..23a338f 100644 |
112 | --- a/sshd_config | 112 | --- a/sshd_config |
113 | +++ b/sshd_config | 113 | +++ b/sshd_config |
114 | @@ -41,6 +41,7 @@ | 114 | @@ -41,7 +41,8 @@ |
115 | # Authentication: | 115 | # Authentication: |
116 | 116 | ||
117 | #LoginGraceTime 2m | 117 | #LoginGraceTime 2m |
118 | -#PermitRootLogin no | ||
118 | +# See /usr/share/doc/openssh-server/README.Debian.gz. | 119 | +# See /usr/share/doc/openssh-server/README.Debian.gz. |
119 | #PermitRootLogin yes | 120 | +#PermitRootLogin without-password |
120 | #StrictModes yes | 121 | #StrictModes yes |
121 | #MaxAuthTries 6 | 122 | #MaxAuthTries 6 |
123 | #MaxSessions 10 | ||
122 | diff --git a/sshd_config.5 b/sshd_config.5 | 124 | diff --git a/sshd_config.5 b/sshd_config.5 |
123 | index 453d741..db1f2fd 100644 | 125 | index 355b445..eb6bff8 100644 |
124 | --- a/sshd_config.5 | 126 | --- a/sshd_config.5 |
125 | +++ b/sshd_config.5 | 127 | +++ b/sshd_config.5 |
126 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes | 128 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes |
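Review bot: The new `#PermitRootLogin without-password` line in the sshd_config hunk is commented out, so it documents a default rather than enforcing one, and it now removes upstream's own sample line `#PermitRootLogin no` rather than just annotating it as the old patch did with `#PermitRootLogin yes`. Upstream changing its sample from `yes` to `no` hints that the compiled-in default in servconf.c may be changing too; whether a Debian sshd actually ends up with without-password therefore depends on that default or on the config the maintainer scripts generate, neither of which is visible in this hunk. If /etc/ssh/sshd_config is generated at install time, confirm it writes `PermitRootLogin without-password` explicitly instead of relying on this comment. A one-line note here would also save administrators from reading two different advertised defaults, e.g. `# Debian default is without-password; upstream's default may differ (see README.Debian.gz).`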
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index 97fe79aef..57bd567e4 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5cbcc7353649b84b5a7528e583458ee9473fd527 Mon Sep 17 00:00:00 2001 | 1 | From dbde51cd7abb931b2d8635230bd77c9ec3b75074 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 |
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | 4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf |
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 35d589353..b80cc4e25 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b0146d5a8c1b9d87f4255cbee40b31c938fea2f8 Mon Sep 17 00:00:00 2001 | 1 | From 9e2f66b771364d835a5308218b777b08935596b8 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch | |||
13 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh_config.5 b/ssh_config.5 | 15 | diff --git a/ssh_config.5 b/ssh_config.5 |
16 | index 8abcf40..3bd80fd 100644 | 16 | index 1d0c52b..acd581b 100644 |
17 | --- a/ssh_config.5 | 17 | --- a/ssh_config.5 |
18 | +++ b/ssh_config.5 | 18 | +++ b/ssh_config.5 |
19 | @@ -801,6 +801,9 @@ Note that existing names and addresses in known hosts files | 19 | @@ -802,6 +802,9 @@ Note that existing names and addresses in known hosts files |
20 | will not be converted automatically, | 20 | will not be converted automatically, |
21 | but may be manually hashed using | 21 | but may be manually hashed using |
22 | .Xr ssh-keygen 1 . | 22 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch index 8002929ab..151c57eb1 100644 --- a/debian/patches/doc-upstart.patch +++ b/debian/patches/doc-upstart.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c679bacbff13edaa44255c4f4c32ef5bc0f4ccbc Mon Sep 17 00:00:00 2001 | 1 | From 64f36a889a1afd364636c1ded6b6a694675fca67 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 |
4 | Subject: Refer to ssh's Upstart job as well as its init script | 4 | Subject: Refer to ssh's Upstart job as well as its init script |
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch | |||
12 | 1 file changed, 4 insertions(+), 1 deletion(-) | 12 | 1 file changed, 4 insertions(+), 1 deletion(-) |
13 | 13 | ||
14 | diff --git a/sshd.8 b/sshd.8 | 14 | diff --git a/sshd.8 b/sshd.8 |
15 | index 8dba6cf..e198017 100644 | 15 | index 2f4d4f3..42f1520 100644 |
16 | --- a/sshd.8 | 16 | --- a/sshd.8 |
17 | +++ b/sshd.8 | 17 | +++ b/sshd.8 |
18 | @@ -67,7 +67,10 @@ over an insecure network. | 18 | @@ -67,7 +67,10 @@ over an insecure network. |
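--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 02662744e60e6bbe532ff22c7f563026a7424b6c Mon Sep 17 00:00:00 2001
+From f3e58419e41e29f5d03c2d91f4576febac922112 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon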
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index b3c437194..3f616af7d 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 06879e71614170580ffa7568ec5c009f60a9d084 Mon Sep 17 00:00:00 2001 | 1 | From 5d3dc7ea4c96cab9483d5389a3b04163771fdee2 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -31,7 +31,7 @@ Patch-Name: gssapi.patch | |||
31 | configure.ac | 24 ++++ | 31 | configure.ac | 24 ++++ |
32 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- | 32 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- |
33 | gss-serv-krb5.c | 85 ++++++++++++-- | 33 | gss-serv-krb5.c | 85 ++++++++++++-- |
34 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- | 34 | gss-serv.c | 185 +++++++++++++++++++++++++++--- |
35 | kex.c | 16 +++ | 35 | kex.c | 16 +++ |
36 | kex.h | 14 +++ | 36 | kex.h | 14 +++ |
37 | kexgssc.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 37 | kexgssc.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
@@ -42,18 +42,18 @@ Patch-Name: gssapi.patch | |||
42 | monitor_wrap.h | 4 +- | 42 | monitor_wrap.h | 4 +- |
43 | readconf.c | 42 +++++++ | 43 | readconf.c | 42 +++++++ |
44 | readconf.h | 5 + | 44 | readconf.h | 5 + |
45 | servconf.c | 38 ++++++- | 45 | servconf.c | 28 ++++- |
46 | servconf.h | 3 + | 46 | servconf.h | 2 + |
47 | ssh-gss.h | 41 ++++++- | 47 | ssh-gss.h | 41 ++++++- |
48 | ssh_config | 2 + | 48 | ssh_config | 2 + |
49 | ssh_config.5 | 34 +++++- | 49 | ssh_config.5 | 34 +++++- |
50 | sshconnect2.c | 124 +++++++++++++++++++- | 50 | sshconnect2.c | 124 +++++++++++++++++++- |
51 | sshd.c | 110 ++++++++++++++++++ | 51 | sshd.c | 110 ++++++++++++++++++ |
52 | sshd_config | 2 + | 52 | sshd_config | 2 + |
53 | sshd_config.5 | 28 +++++ | 53 | sshd_config.5 | 11 ++ |
54 | sshkey.c | 3 +- | 54 | sshkey.c | 3 +- |
55 | sshkey.h | 1 + | 55 | sshkey.h | 1 + |
56 | 32 files changed, 2005 insertions(+), 60 deletions(-) | 56 | 32 files changed, 1955 insertions(+), 46 deletions(-) |
57 | create mode 100644 ChangeLog.gssapi | 57 | create mode 100644 ChangeLog.gssapi |
58 | create mode 100644 kexgssc.c | 58 | create mode 100644 kexgssc.c |
59 | create mode 100644 kexgsss.c | 59 | create mode 100644 kexgsss.c |
@@ -359,7 +359,7 @@ index 7177962..3f49bdc 100644 | |||
359 | #endif | 359 | #endif |
360 | &method_passwd, | 360 | &method_passwd, |
361 | diff --git a/clientloop.c b/clientloop.c | 361 | diff --git a/clientloop.c b/clientloop.c |
362 | index a9c8a90..7df9413 100644 | 362 | index dc0e557..77d5498 100644 |
363 | --- a/clientloop.c | 363 | --- a/clientloop.c |
364 | +++ b/clientloop.c | 364 | +++ b/clientloop.c |
365 | @@ -114,6 +114,10 @@ | 365 | @@ -114,6 +114,10 @@ |
@@ -373,7 +373,7 @@ index a9c8a90..7df9413 100644 | |||
373 | /* import options */ | 373 | /* import options */ |
374 | extern Options options; | 374 | extern Options options; |
375 | 375 | ||
376 | @@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 376 | @@ -1609,6 +1613,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
377 | /* Do channel operations unless rekeying in progress. */ | 377 | /* Do channel operations unless rekeying in progress. */ |
378 | if (!rekeying) { | 378 | if (!rekeying) { |
379 | channel_after_select(readset, writeset); | 379 | channel_after_select(readset, writeset); |
@@ -414,10 +414,10 @@ index 7e7e38e..6c7de98 100644 | |||
414 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 414 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
415 | 415 | ||
416 | diff --git a/configure.ac b/configure.ac | 416 | diff --git a/configure.ac b/configure.ac |
417 | index b4d6598..216a9fd 100644 | 417 | index bb0095f..df21693 100644 |
418 | --- a/configure.ac | 418 | --- a/configure.ac |
419 | +++ b/configure.ac | 419 | +++ b/configure.ac |
420 | @@ -620,6 +620,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 420 | @@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
421 | [Use tunnel device compatibility to OpenBSD]) | 421 | [Use tunnel device compatibility to OpenBSD]) |
422 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 422 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
423 | [Prepend the address family to IP tunnel traffic]) | 423 | [Prepend the address family to IP tunnel traffic]) |
@@ -449,7 +449,7 @@ index b4d6598..216a9fd 100644 | |||
449 | AC_CHECK_DECL([AU_IPv4], [], | 449 | AC_CHECK_DECL([AU_IPv4], [], |
450 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) | 450 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
451 | diff --git a/gss-genr.c b/gss-genr.c | 451 | diff --git a/gss-genr.c b/gss-genr.c |
452 | index 60ac65f..5610f0b 100644 | 452 | index d617d60..b4eca3f 100644 |
453 | --- a/gss-genr.c | 453 | --- a/gss-genr.c |
454 | +++ b/gss-genr.c | 454 | +++ b/gss-genr.c |
455 | @@ -1,7 +1,7 @@ | 455 | @@ -1,7 +1,7 @@ |
@@ -461,7 +461,7 @@ index 60ac65f..5610f0b 100644 | |||
461 | * | 461 | * |
462 | * Redistribution and use in source and binary forms, with or without | 462 | * Redistribution and use in source and binary forms, with or without |
463 | * modification, are permitted provided that the following conditions | 463 | * modification, are permitted provided that the following conditions |
464 | @@ -40,12 +40,167 @@ | 464 | @@ -41,12 +41,167 @@ |
465 | #include "buffer.h" | 465 | #include "buffer.h" |
466 | #include "log.h" | 466 | #include "log.h" |
467 | #include "ssh2.h" | 467 | #include "ssh2.h" |
@@ -629,7 +629,7 @@ index 60ac65f..5610f0b 100644 | |||
629 | /* Check that the OID in a data stream matches that in the context */ | 629 | /* Check that the OID in a data stream matches that in the context */ |
630 | int | 630 | int |
631 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | 631 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) |
632 | @@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, | 632 | @@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, |
633 | } | 633 | } |
634 | 634 | ||
635 | ctx->major = gss_init_sec_context(&ctx->minor, | 635 | ctx->major = gss_init_sec_context(&ctx->minor, |
@@ -638,7 +638,7 @@ index 60ac65f..5610f0b 100644 | |||
638 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | 638 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
639 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | 639 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); |
640 | 640 | ||
641 | @@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) | 641 | @@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
642 | } | 642 | } |
643 | 643 | ||
644 | OM_uint32 | 644 | OM_uint32 |
@@ -681,7 +681,7 @@ index 60ac65f..5610f0b 100644 | |||
681 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, | 681 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, |
682 | GSS_C_QOP_DEFAULT, buffer, hash))) | 682 | GSS_C_QOP_DEFAULT, buffer, hash))) |
683 | ssh_gssapi_error(ctx); | 683 | ssh_gssapi_error(ctx); |
684 | @@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | 684 | @@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) |
685 | return (ctx->major); | 685 | return (ctx->major); |
686 | } | 686 | } |
687 | 687 | ||
@@ -701,7 +701,7 @@ index 60ac65f..5610f0b 100644 | |||
701 | void | 701 | void |
702 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 702 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
703 | const char *context) | 703 | const char *context) |
704 | @@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 704 | @@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
705 | } | 705 | } |
706 | 706 | ||
707 | int | 707 | int |
@@ -719,7 +719,7 @@ index 60ac65f..5610f0b 100644 | |||
719 | 719 | ||
720 | /* RFC 4462 says we MUST NOT do SPNEGO */ | 720 | /* RFC 4462 says we MUST NOT do SPNEGO */ |
721 | if (oid->length == spnego_oid.length && | 721 | if (oid->length == spnego_oid.length && |
722 | @@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 722 | @@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
723 | ssh_gssapi_build_ctx(ctx); | 723 | ssh_gssapi_build_ctx(ctx); |
724 | ssh_gssapi_set_oid(*ctx, oid); | 724 | ssh_gssapi_set_oid(*ctx, oid); |
725 | major = ssh_gssapi_import_name(*ctx, host); | 725 | major = ssh_gssapi_import_name(*ctx, host); |
@@ -730,7 +730,7 @@ index 60ac65f..5610f0b 100644 | |||
730 | if (!GSS_ERROR(major)) { | 730 | if (!GSS_ERROR(major)) { |
731 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | 731 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, |
732 | NULL); | 732 | NULL); |
733 | @@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 733 | @@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
734 | GSS_C_NO_BUFFER); | 734 | GSS_C_NO_BUFFER); |
735 | } | 735 | } |
736 | 736 | ||
@@ -925,11 +925,11 @@ index 795992d..fd8b371 100644 | |||
925 | 925 | ||
926 | #endif /* KRB5 */ | 926 | #endif /* KRB5 */ |
927 | diff --git a/gss-serv.c b/gss-serv.c | 927 | diff --git a/gss-serv.c b/gss-serv.c |
928 | index e7b8c52..539862d 100644 | 928 | index 53993d6..2f6baf7 100644 |
929 | --- a/gss-serv.c | 929 | --- a/gss-serv.c |
930 | +++ b/gss-serv.c | 930 | +++ b/gss-serv.c |
931 | @@ -1,7 +1,7 @@ | 931 | @@ -1,7 +1,7 @@ |
932 | /* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ | 932 | /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ |
933 | 933 | ||
934 | /* | 934 | /* |
935 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 935 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -937,11 +937,10 @@ index e7b8c52..539862d 100644 | |||
937 | * | 937 | * |
938 | * Redistribution and use in source and binary forms, with or without | 938 | * Redistribution and use in source and binary forms, with or without |
939 | * modification, are permitted provided that the following conditions | 939 | * modification, are permitted provided that the following conditions |
940 | @@ -44,15 +44,21 @@ | 940 | @@ -45,17 +45,22 @@ |
941 | #include "channels.h" | ||
942 | #include "session.h" | 941 | #include "session.h" |
943 | #include "misc.h" | 942 | #include "misc.h" |
944 | +#include "servconf.h" | 943 | #include "servconf.h" |
945 | +#include "uidswap.h" | 944 | +#include "uidswap.h" |
946 | 945 | ||
947 | #include "ssh-gss.h" | 946 | #include "ssh-gss.h" |
@@ -949,6 +948,8 @@ index e7b8c52..539862d 100644 | |||
949 | + | 948 | + |
950 | +extern ServerOptions options; | 949 | +extern ServerOptions options; |
951 | 950 | ||
951 | extern ServerOptions options; | ||
952 | |||
952 | static ssh_gssapi_client gssapi_client = | 953 | static ssh_gssapi_client gssapi_client = |
953 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, | 954 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
954 | - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; | 955 | - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; |
@@ -961,54 +962,7 @@ index e7b8c52..539862d 100644 | |||
961 | 962 | ||
962 | #ifdef KRB5 | 963 | #ifdef KRB5 |
963 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 964 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
964 | @@ -99,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | 965 | @@ -142,6 +147,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) |
965 | char lname[NI_MAXHOST]; | ||
966 | gss_OID_set oidset; | ||
967 | |||
968 | - gss_create_empty_oid_set(&status, &oidset); | ||
969 | - gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
970 | + if (options.gss_strict_acceptor) { | ||
971 | + gss_create_empty_oid_set(&status, &oidset); | ||
972 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
973 | |||
974 | - if (gethostname(lname, sizeof(lname))) { | ||
975 | - gss_release_oid_set(&status, &oidset); | ||
976 | - return (-1); | ||
977 | - } | ||
978 | + if (gethostname(lname, sizeof(lname))) { | ||
979 | + gss_release_oid_set(&status, &oidset); | ||
980 | + return (-1); | ||
981 | + } | ||
982 | + | ||
983 | + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
984 | + gss_release_oid_set(&status, &oidset); | ||
985 | + return (ctx->major); | ||
986 | + } | ||
987 | + | ||
988 | + if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
989 | + ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, | ||
990 | + NULL, NULL))) | ||
991 | + ssh_gssapi_error(ctx); | ||
992 | |||
993 | - if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
994 | gss_release_oid_set(&status, &oidset); | ||
995 | return (ctx->major); | ||
996 | + } else { | ||
997 | + ctx->name = GSS_C_NO_NAME; | ||
998 | + ctx->creds = GSS_C_NO_CREDENTIAL; | ||
999 | } | ||
1000 | - | ||
1001 | - if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
1002 | - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) | ||
1003 | - ssh_gssapi_error(ctx); | ||
1004 | - | ||
1005 | - gss_release_oid_set(&status, &oidset); | ||
1006 | - return (ctx->major); | ||
1007 | + return GSS_S_COMPLETE; | ||
1008 | } | ||
1009 | |||
1010 | /* Privileged */ | ||
1011 | @@ -132,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | ||
1012 | } | 966 | } |
1013 | 967 | ||
1014 | /* Unprivileged */ | 968 | /* Unprivileged */ |
@@ -1038,7 +992,7 @@ index e7b8c52..539862d 100644 | |||
1038 | void | 992 | void |
1039 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 993 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1040 | { | 994 | { |
1041 | @@ -141,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) | 995 | @@ -151,7 +179,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1042 | gss_OID_set supported; | 996 | gss_OID_set supported; |
1043 | 997 | ||
1044 | gss_create_empty_oid_set(&min_status, oidset); | 998 | gss_create_empty_oid_set(&min_status, oidset); |
@@ -1049,7 +1003,7 @@ index e7b8c52..539862d 100644 | |||
1049 | 1003 | ||
1050 | while (supported_mechs[i]->name != NULL) { | 1004 | while (supported_mechs[i]->name != NULL) { |
1051 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | 1005 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, |
1052 | @@ -267,8 +305,48 @@ OM_uint32 | 1006 | @@ -277,8 +307,48 @@ OM_uint32 |
1053 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1007 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1054 | { | 1008 | { |
1055 | int i = 0; | 1009 | int i = 0; |
@@ -1074,8 +1028,7 @@ index e7b8c52..539862d 100644 | |||
1074 | + | 1028 | + |
1075 | + ctx->major = gss_compare_name(&ctx->minor, client->name, | 1029 | + ctx->major = gss_compare_name(&ctx->minor, client->name, |
1076 | + new_name, &equal); | 1030 | + new_name, &equal); |
1077 | 1031 | + | |
1078 | - gss_buffer_desc ename; | ||
1079 | + if (GSS_ERROR(ctx->major)) { | 1032 | + if (GSS_ERROR(ctx->major)) { |
1080 | + ssh_gssapi_error(ctx); | 1033 | + ssh_gssapi_error(ctx); |
1081 | + return (ctx->major); | 1034 | + return (ctx->major); |
@@ -1085,7 +1038,8 @@ index e7b8c52..539862d 100644 | |||
1085 | + debug("Rekeyed credentials have different name"); | 1038 | + debug("Rekeyed credentials have different name"); |
1086 | + return GSS_S_COMPLETE; | 1039 | + return GSS_S_COMPLETE; |
1087 | + } | 1040 | + } |
1088 | + | 1041 | |
1042 | - gss_buffer_desc ename; | ||
1089 | + debug("Marking rekeyed credentials for export"); | 1043 | + debug("Marking rekeyed credentials for export"); |
1090 | + | 1044 | + |
1091 | + gss_release_name(&ctx->minor, &client->name); | 1045 | + gss_release_name(&ctx->minor, &client->name); |
@@ -1099,7 +1053,7 @@ index e7b8c52..539862d 100644 | |||
1099 | 1053 | ||
1100 | client->mech = NULL; | 1054 | client->mech = NULL; |
1101 | 1055 | ||
1102 | @@ -283,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1056 | @@ -293,6 +363,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1103 | if (client->mech == NULL) | 1057 | if (client->mech == NULL) |
1104 | return GSS_S_FAILURE; | 1058 | return GSS_S_FAILURE; |
1105 | 1059 | ||
@@ -1113,7 +1067,7 @@ index e7b8c52..539862d 100644 | |||
1113 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | 1067 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, |
1114 | &client->displayname, NULL))) { | 1068 | &client->displayname, NULL))) { |
1115 | ssh_gssapi_error(ctx); | 1069 | ssh_gssapi_error(ctx); |
1116 | @@ -300,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1070 | @@ -310,6 +387,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1117 | return (ctx->major); | 1071 | return (ctx->major); |
1118 | } | 1072 | } |
1119 | 1073 | ||
@@ -1122,7 +1076,7 @@ index e7b8c52..539862d 100644 | |||
1122 | /* We can't copy this structure, so we just move the pointer to it */ | 1076 | /* We can't copy this structure, so we just move the pointer to it */ |
1123 | client->creds = ctx->client_creds; | 1077 | client->creds = ctx->client_creds; |
1124 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | 1078 | ctx->client_creds = GSS_C_NO_CREDENTIAL; |
1125 | @@ -347,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) | 1079 | @@ -357,7 +436,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) |
1126 | 1080 | ||
1127 | /* Privileged */ | 1081 | /* Privileged */ |
1128 | int | 1082 | int |
@@ -1131,7 +1085,7 @@ index e7b8c52..539862d 100644 | |||
1131 | { | 1085 | { |
1132 | OM_uint32 lmin; | 1086 | OM_uint32 lmin; |
1133 | 1087 | ||
1134 | @@ -357,9 +444,11 @@ ssh_gssapi_userok(char *user) | 1088 | @@ -367,9 +446,11 @@ ssh_gssapi_userok(char *user) |
1135 | return 0; | 1089 | return 0; |
1136 | } | 1090 | } |
1137 | if (gssapi_client.mech && gssapi_client.mech->userok) | 1091 | if (gssapi_client.mech && gssapi_client.mech->userok) |
@@ -1145,7 +1099,7 @@ index e7b8c52..539862d 100644 | |||
1145 | /* Destroy delegated credentials if userok fails */ | 1099 | /* Destroy delegated credentials if userok fails */ |
1146 | gss_release_buffer(&lmin, &gssapi_client.displayname); | 1100 | gss_release_buffer(&lmin, &gssapi_client.displayname); |
1147 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | 1101 | gss_release_buffer(&lmin, &gssapi_client.exportedname); |
1148 | @@ -373,14 +462,90 @@ ssh_gssapi_userok(char *user) | 1102 | @@ -383,14 +464,90 @@ ssh_gssapi_userok(char *user) |
1149 | return (0); | 1103 | return (0); |
1150 | } | 1104 | } |
1151 | 1105 | ||
@@ -1243,7 +1197,7 @@ index e7b8c52..539862d 100644 | |||
1243 | 1197 | ||
1244 | #endif | 1198 | #endif |
1245 | diff --git a/kex.c b/kex.c | 1199 | diff --git a/kex.c b/kex.c |
1246 | index 8c2b001..be938ad 100644 | 1200 | index dbc55ef..4d8e6f5 100644 |
1247 | --- a/kex.c | 1201 | --- a/kex.c |
1248 | +++ b/kex.c | 1202 | +++ b/kex.c |
1249 | @@ -55,6 +55,10 @@ | 1203 | @@ -55,6 +55,10 @@ |
@@ -1966,7 +1920,7 @@ index 0000000..0847469 | |||
1966 | +} | 1920 | +} |
1967 | +#endif /* GSSAPI */ | 1921 | +#endif /* GSSAPI */ |
1968 | diff --git a/monitor.c b/monitor.c | 1922 | diff --git a/monitor.c b/monitor.c |
1969 | index bab6ce8..a2027e5 100644 | 1923 | index b410965..bdc2972 100644 |
1970 | --- a/monitor.c | 1924 | --- a/monitor.c |
1971 | +++ b/monitor.c | 1925 | +++ b/monitor.c |
1972 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 1926 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
@@ -2019,7 +1973,7 @@ index bab6ce8..a2027e5 100644 | |||
2019 | } else { | 1973 | } else { |
2020 | mon_dispatch = mon_dispatch_postauth15; | 1974 | mon_dispatch = mon_dispatch_postauth15; |
2021 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 1975 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2022 | @@ -1860,6 +1877,13 @@ monitor_apply_keystate(struct monitor *pmonitor) | 1976 | @@ -1864,6 +1881,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
2023 | # endif | 1977 | # endif |
2024 | #endif /* WITH_OPENSSL */ | 1978 | #endif /* WITH_OPENSSL */ |
2025 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 1979 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2033,7 +1987,7 @@ index bab6ce8..a2027e5 100644 | |||
2033 | kex->load_host_public_key=&get_hostkey_public_by_type; | 1987 | kex->load_host_public_key=&get_hostkey_public_by_type; |
2034 | kex->load_host_private_key=&get_hostkey_private_by_type; | 1988 | kex->load_host_private_key=&get_hostkey_private_by_type; |
2035 | kex->host_key_index=&get_hostkey_index; | 1989 | kex->host_key_index=&get_hostkey_index; |
2036 | @@ -1959,6 +1983,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 1990 | @@ -1963,6 +1987,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2037 | OM_uint32 major; | 1991 | OM_uint32 major; |
2038 | u_int len; | 1992 | u_int len; |
2039 | 1993 | ||
@@ -2043,7 +1997,7 @@ index bab6ce8..a2027e5 100644 | |||
2043 | goid.elements = buffer_get_string(m, &len); | 1997 | goid.elements = buffer_get_string(m, &len); |
2044 | goid.length = len; | 1998 | goid.length = len; |
2045 | 1999 | ||
2046 | @@ -1986,6 +2013,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2000 | @@ -1990,6 +2017,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2047 | OM_uint32 flags = 0; /* GSI needs this */ | 2001 | OM_uint32 flags = 0; /* GSI needs this */ |
2048 | u_int len; | 2002 | u_int len; |
2049 | 2003 | ||
@@ -2053,7 +2007,7 @@ index bab6ce8..a2027e5 100644 | |||
2053 | in.value = buffer_get_string(m, &len); | 2007 | in.value = buffer_get_string(m, &len); |
2054 | in.length = len; | 2008 | in.length = len; |
2055 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2009 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2056 | @@ -2003,6 +2033,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2010 | @@ -2007,6 +2037,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2057 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2011 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2058 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2012 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2059 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2013 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2061,7 +2015,7 @@ index bab6ce8..a2027e5 100644 | |||
2061 | } | 2015 | } |
2062 | return (0); | 2016 | return (0); |
2063 | } | 2017 | } |
2064 | @@ -2014,6 +2045,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2018 | @@ -2018,6 +2049,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2065 | OM_uint32 ret; | 2019 | OM_uint32 ret; |
2066 | u_int len; | 2020 | u_int len; |
2067 | 2021 | ||
@@ -2071,7 +2025,7 @@ index bab6ce8..a2027e5 100644 | |||
2071 | gssbuf.value = buffer_get_string(m, &len); | 2025 | gssbuf.value = buffer_get_string(m, &len); |
2072 | gssbuf.length = len; | 2026 | gssbuf.length = len; |
2073 | mic.value = buffer_get_string(m, &len); | 2027 | mic.value = buffer_get_string(m, &len); |
2074 | @@ -2040,7 +2074,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2028 | @@ -2044,7 +2078,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2075 | { | 2029 | { |
2076 | int authenticated; | 2030 | int authenticated; |
2077 | 2031 | ||
@@ -2084,7 +2038,7 @@ index bab6ce8..a2027e5 100644 | |||
2084 | 2038 | ||
2085 | buffer_clear(m); | 2039 | buffer_clear(m); |
2086 | buffer_put_int(m, authenticated); | 2040 | buffer_put_int(m, authenticated); |
2087 | @@ -2053,5 +2091,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2041 | @@ -2057,5 +2095,73 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2088 | /* Monitor loop will terminate if authenticated */ | 2042 | /* Monitor loop will terminate if authenticated */ |
2089 | return (authenticated); | 2043 | return (authenticated); |
2090 | } | 2044 | } |
@@ -2173,10 +2127,10 @@ index 93b8b66..bc50ade 100644 | |||
2173 | 2127 | ||
2174 | struct mm_master; | 2128 | struct mm_master; |
2175 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2129 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2176 | index b379f05..b667218 100644 | 2130 | index e6217b3..71e7c08 100644 |
2177 | --- a/monitor_wrap.c | 2131 | --- a/monitor_wrap.c |
2178 | +++ b/monitor_wrap.c | 2132 | +++ b/monitor_wrap.c |
2179 | @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2133 | @@ -1069,7 +1069,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2180 | } | 2134 | } |
2181 | 2135 | ||
2182 | int | 2136 | int |
@@ -2185,7 +2139,7 @@ index b379f05..b667218 100644 | |||
2185 | { | 2139 | { |
2186 | Buffer m; | 2140 | Buffer m; |
2187 | int authenticated = 0; | 2141 | int authenticated = 0; |
2188 | @@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user) | 2142 | @@ -1086,5 +1086,50 @@ mm_ssh_gssapi_userok(char *user) |
2189 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2143 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2190 | return (authenticated); | 2144 | return (authenticated); |
2191 | } | 2145 | } |
@@ -2237,7 +2191,7 @@ index b379f05..b667218 100644 | |||
2237 | #endif /* GSSAPI */ | 2191 | #endif /* GSSAPI */ |
2238 | 2192 | ||
2239 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2193 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2240 | index e18784a..0c770e8 100644 | 2194 | index de4a08f..9758290 100644 |
2241 | --- a/monitor_wrap.h | 2195 | --- a/monitor_wrap.h |
2242 | +++ b/monitor_wrap.h | 2196 | +++ b/monitor_wrap.h |
2243 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); | 2197 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); |
@@ -2253,7 +2207,7 @@ index e18784a..0c770e8 100644 | |||
2253 | 2207 | ||
2254 | #ifdef USE_PAM | 2208 | #ifdef USE_PAM |
2255 | diff --git a/readconf.c b/readconf.c | 2209 | diff --git a/readconf.c b/readconf.c |
2256 | index 42a2961..254dbce 100644 | 2210 | index db7d0bb..68dac76 100644 |
2257 | --- a/readconf.c | 2211 | --- a/readconf.c |
2258 | +++ b/readconf.c | 2212 | +++ b/readconf.c |
2259 | @@ -147,6 +147,8 @@ typedef enum { | 2213 | @@ -147,6 +147,8 @@ typedef enum { |
@@ -2362,21 +2316,21 @@ index 576b9e3..ef39c4c 100644 | |||
2362 | * authentication. */ | 2316 | * authentication. */ |
2363 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2317 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2364 | diff --git a/servconf.c b/servconf.c | 2318 | diff --git a/servconf.c b/servconf.c |
2365 | index 3185462..f68c0d0 100644 | 2319 | index df93fc4..2f7f41e 100644 |
2366 | --- a/servconf.c | 2320 | --- a/servconf.c |
2367 | +++ b/servconf.c | 2321 | +++ b/servconf.c |
2368 | @@ -114,7 +114,10 @@ initialize_server_options(ServerOptions *options) | 2322 | @@ -115,8 +115,10 @@ initialize_server_options(ServerOptions *options) |
2369 | options->kerberos_ticket_cleanup = -1; | 2323 | options->kerberos_ticket_cleanup = -1; |
2370 | options->kerberos_get_afs_token = -1; | 2324 | options->kerberos_get_afs_token = -1; |
2371 | options->gss_authentication=-1; | 2325 | options->gss_authentication=-1; |
2372 | + options->gss_keyex = -1; | 2326 | + options->gss_keyex = -1; |
2373 | options->gss_cleanup_creds = -1; | 2327 | options->gss_cleanup_creds = -1; |
2374 | + options->gss_strict_acceptor = -1; | 2328 | options->gss_strict_acceptor = -1; |
2375 | + options->gss_store_rekey = -1; | 2329 | + options->gss_store_rekey = -1; |
2376 | options->password_authentication = -1; | 2330 | options->password_authentication = -1; |
2377 | options->kbd_interactive_authentication = -1; | 2331 | options->kbd_interactive_authentication = -1; |
2378 | options->challenge_response_authentication = -1; | 2332 | options->challenge_response_authentication = -1; |
2379 | @@ -269,8 +272,14 @@ fill_default_server_options(ServerOptions *options) | 2333 | @@ -275,10 +277,14 @@ fill_default_server_options(ServerOptions *options) |
2380 | options->kerberos_get_afs_token = 0; | 2334 | options->kerberos_get_afs_token = 0; |
2381 | if (options->gss_authentication == -1) | 2335 | if (options->gss_authentication == -1) |
2382 | options->gss_authentication = 0; | 2336 | options->gss_authentication = 0; |
@@ -2384,37 +2338,35 @@ index 3185462..f68c0d0 100644 | |||
2384 | + options->gss_keyex = 0; | 2338 | + options->gss_keyex = 0; |
2385 | if (options->gss_cleanup_creds == -1) | 2339 | if (options->gss_cleanup_creds == -1) |
2386 | options->gss_cleanup_creds = 1; | 2340 | options->gss_cleanup_creds = 1; |
2387 | + if (options->gss_strict_acceptor == -1) | 2341 | if (options->gss_strict_acceptor == -1) |
2342 | - options->gss_strict_acceptor = 0; | ||
2388 | + options->gss_strict_acceptor = 1; | 2343 | + options->gss_strict_acceptor = 1; |
2389 | + if (options->gss_store_rekey == -1) | 2344 | + if (options->gss_store_rekey == -1) |
2390 | + options->gss_store_rekey = 0; | 2345 | + options->gss_store_rekey = 0; |
2391 | if (options->password_authentication == -1) | 2346 | if (options->password_authentication == -1) |
2392 | options->password_authentication = 1; | 2347 | options->password_authentication = 1; |
2393 | if (options->kbd_interactive_authentication == -1) | 2348 | if (options->kbd_interactive_authentication == -1) |
2394 | @@ -391,7 +400,9 @@ typedef enum { | 2349 | @@ -401,6 +407,7 @@ typedef enum { |
2395 | sBanner, sUseDNS, sHostbasedAuthentication, | ||
2396 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, | 2350 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
2397 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 2351 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2398 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | 2352 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
2399 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | ||
2400 | + sGssKeyEx, sGssStoreRekey, | 2353 | + sGssKeyEx, sGssStoreRekey, |
2401 | + sAcceptEnv, sPermitTunnel, | 2354 | sAcceptEnv, sPermitTunnel, |
2402 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2355 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2403 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2356 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2404 | sHostCertificate, | 2357 | @@ -473,12 +480,20 @@ static struct { |
2405 | @@ -462,10 +473,20 @@ static struct { | ||
2406 | #ifdef GSSAPI | 2358 | #ifdef GSSAPI |
2407 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2359 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2408 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2360 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
2409 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2361 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, |
2410 | + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | 2362 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, |
2411 | + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | 2363 | + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, |
2412 | + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | 2364 | + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, |
2413 | #else | 2365 | #else |
2414 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | 2366 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
2415 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | 2367 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
2416 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | 2368 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, |
2417 | + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | 2369 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
2418 | + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | 2370 | + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, |
2419 | + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | 2371 | + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, |
2420 | #endif | 2372 | #endif |
@@ -2423,7 +2375,7 @@ index 3185462..f68c0d0 100644 | |||
2423 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2375 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2424 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2376 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2425 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2377 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2426 | @@ -1166,10 +1187,22 @@ process_server_config_line(ServerOptions *options, char *line, | 2378 | @@ -1214,6 +1229,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2427 | intptr = &options->gss_authentication; | 2379 | intptr = &options->gss_authentication; |
2428 | goto parse_flag; | 2380 | goto parse_flag; |
2429 | 2381 | ||
@@ -2434,11 +2386,10 @@ index 3185462..f68c0d0 100644 | |||
2434 | case sGssCleanupCreds: | 2386 | case sGssCleanupCreds: |
2435 | intptr = &options->gss_cleanup_creds; | 2387 | intptr = &options->gss_cleanup_creds; |
2436 | goto parse_flag; | 2388 | goto parse_flag; |
2389 | @@ -1222,6 +1241,10 @@ process_server_config_line(ServerOptions *options, char *line, | ||
2390 | intptr = &options->gss_strict_acceptor; | ||
2391 | goto parse_flag; | ||
2437 | 2392 | ||
2438 | + case sGssStrictAcceptor: | ||
2439 | + intptr = &options->gss_strict_acceptor; | ||
2440 | + goto parse_flag; | ||
2441 | + | ||
2442 | + case sGssStoreRekey: | 2393 | + case sGssStoreRekey: |
2443 | + intptr = &options->gss_store_rekey; | 2394 | + intptr = &options->gss_store_rekey; |
2444 | + goto parse_flag; | 2395 | + goto parse_flag; |
@@ -2446,7 +2397,7 @@ index 3185462..f68c0d0 100644 | |||
2446 | case sPasswordAuthentication: | 2397 | case sPasswordAuthentication: |
2447 | intptr = &options->password_authentication; | 2398 | intptr = &options->password_authentication; |
2448 | goto parse_flag; | 2399 | goto parse_flag; |
2449 | @@ -2125,7 +2158,10 @@ dump_config(ServerOptions *o) | 2400 | @@ -2229,7 +2252,10 @@ dump_config(ServerOptions *o) |
2450 | #endif | 2401 | #endif |
2451 | #ifdef GSSAPI | 2402 | #ifdef GSSAPI |
2452 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2403 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2458,16 +2409,16 @@ index 3185462..f68c0d0 100644 | |||
2458 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2409 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2459 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2410 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2460 | diff --git a/servconf.h b/servconf.h | 2411 | diff --git a/servconf.h b/servconf.h |
2461 | index 9922f0c..d2ed4d7 100644 | 2412 | index 606d80c..b99b270 100644 |
2462 | --- a/servconf.h | 2413 | --- a/servconf.h |
2463 | +++ b/servconf.h | 2414 | +++ b/servconf.h |
2464 | @@ -115,7 +115,10 @@ typedef struct { | 2415 | @@ -117,8 +117,10 @@ typedef struct { |
2465 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2416 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2466 | * authenticated with Kerberos. */ | 2417 | * authenticated with Kerberos. */ |
2467 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2418 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
2468 | + int gss_keyex; /* If true, permit GSSAPI key exchange */ | 2419 | + int gss_keyex; /* If true, permit GSSAPI key exchange */ |
2469 | int gss_cleanup_creds; /* If true, destroy cred cache on logout */ | 2420 | int gss_cleanup_creds; /* If true, destroy cred cache on logout */ |
2470 | + int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ | 2421 | int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ |
2471 | + int gss_store_rekey; | 2422 | + int gss_store_rekey; |
2472 | int password_authentication; /* If true, permit password | 2423 | int password_authentication; /* If true, permit password |
2473 | * authentication. */ | 2424 | * authentication. */ |
@@ -2589,10 +2540,10 @@ index 03a228f..228e5ab 100644 | |||
2589 | # CheckHostIP yes | 2540 | # CheckHostIP yes |
2590 | # AddressFamily any | 2541 | # AddressFamily any |
2591 | diff --git a/ssh_config.5 b/ssh_config.5 | 2542 | diff --git a/ssh_config.5 b/ssh_config.5 |
2592 | index 140d0ba..4476171 100644 | 2543 | index 268a627..b840261 100644 |
2593 | --- a/ssh_config.5 | 2544 | --- a/ssh_config.5 |
2594 | +++ b/ssh_config.5 | 2545 | +++ b/ssh_config.5 |
2595 | @@ -743,11 +743,43 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2546 | @@ -744,11 +744,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2596 | The default is | 2547 | The default is |
2597 | .Dq no . | 2548 | .Dq no . |
2598 | Note that this option applies to protocol version 2 only. | 2549 | Note that this option applies to protocol version 2 only. |
@@ -2638,7 +2589,7 @@ index 140d0ba..4476171 100644 | |||
2638 | Indicates that | 2589 | Indicates that |
2639 | .Xr ssh 1 | 2590 | .Xr ssh 1 |
2640 | diff --git a/sshconnect2.c b/sshconnect2.c | 2591 | diff --git a/sshconnect2.c b/sshconnect2.c |
2641 | index ba56f64..faa8ec5 100644 | 2592 | index fcaed6b..44c89e6 100644 |
2642 | --- a/sshconnect2.c | 2593 | --- a/sshconnect2.c |
2643 | +++ b/sshconnect2.c | 2594 | +++ b/sshconnect2.c |
2644 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2595 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
@@ -2840,7 +2791,7 @@ index ba56f64..faa8ec5 100644 | |||
2840 | 2791 | ||
2841 | int | 2792 | int |
2842 | diff --git a/sshd.c b/sshd.c | 2793 | diff --git a/sshd.c b/sshd.c |
2843 | index e1c767c..cf38bae 100644 | 2794 | index 6f8c6f2..6b85e6c 100644 |
2844 | --- a/sshd.c | 2795 | --- a/sshd.c |
2845 | +++ b/sshd.c | 2796 | +++ b/sshd.c |
2846 | @@ -125,6 +125,10 @@ | 2797 | @@ -125,6 +125,10 @@ |
@@ -2854,7 +2805,7 @@ index e1c767c..cf38bae 100644 | |||
2854 | #ifndef O_NOCTTY | 2805 | #ifndef O_NOCTTY |
2855 | #define O_NOCTTY 0 | 2806 | #define O_NOCTTY 0 |
2856 | #endif | 2807 | #endif |
2857 | @@ -1815,10 +1819,13 @@ main(int ac, char **av) | 2808 | @@ -1823,10 +1827,13 @@ main(int ac, char **av) |
2858 | logit("Disabling protocol version 1. Could not load host key"); | 2809 | logit("Disabling protocol version 1. Could not load host key"); |
2859 | options.protocol &= ~SSH_PROTO_1; | 2810 | options.protocol &= ~SSH_PROTO_1; |
2860 | } | 2811 | } |
@@ -2868,9 +2819,9 @@ index e1c767c..cf38bae 100644 | |||
2868 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2819 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2869 | logit("sshd: no hostkeys available -- exiting."); | 2820 | logit("sshd: no hostkeys available -- exiting."); |
2870 | exit(1); | 2821 | exit(1); |
2871 | @@ -2132,6 +2139,60 @@ main(int ac, char **av) | 2822 | @@ -2141,6 +2148,60 @@ main(int ac, char **av) |
2872 | remote_ip, remote_port, | 2823 | remote_ip, remote_port, laddr, get_local_port()); |
2873 | get_local_ipaddr(sock_in), get_local_port()); | 2824 | free(laddr); |
2874 | 2825 | ||
2875 | +#ifdef USE_SECURITY_SESSION_API | 2826 | +#ifdef USE_SECURITY_SESSION_API |
2876 | + /* | 2827 | + /* |
@@ -2929,7 +2880,7 @@ index e1c767c..cf38bae 100644 | |||
2929 | /* | 2880 | /* |
2930 | * We don't want to listen forever unless the other side | 2881 | * We don't want to listen forever unless the other side |
2931 | * successfully authenticates itself. So we set up an alarm which is | 2882 | * successfully authenticates itself. So we set up an alarm which is |
2932 | @@ -2561,6 +2622,48 @@ do_ssh2_kex(void) | 2883 | @@ -2570,6 +2631,48 @@ do_ssh2_kex(void) |
2933 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2884 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
2934 | list_hostkey_types()); | 2885 | list_hostkey_types()); |
2935 | 2886 | ||
@@ -2978,7 +2929,7 @@ index e1c767c..cf38bae 100644 | |||
2978 | /* start key exchange */ | 2929 | /* start key exchange */ |
2979 | if ((r = kex_setup(active_state, myproposal)) != 0) | 2930 | if ((r = kex_setup(active_state, myproposal)) != 0) |
2980 | fatal("kex_setup: %s", ssh_err(r)); | 2931 | fatal("kex_setup: %s", ssh_err(r)); |
2981 | @@ -2575,6 +2678,13 @@ do_ssh2_kex(void) | 2932 | @@ -2584,6 +2687,13 @@ do_ssh2_kex(void) |
2982 | # endif | 2933 | # endif |
2983 | #endif | 2934 | #endif |
2984 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2935 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2993,7 +2944,7 @@ index e1c767c..cf38bae 100644 | |||
2993 | kex->client_version_string=client_version_string; | 2944 | kex->client_version_string=client_version_string; |
2994 | kex->server_version_string=server_version_string; | 2945 | kex->server_version_string=server_version_string; |
2995 | diff --git a/sshd_config b/sshd_config | 2946 | diff --git a/sshd_config b/sshd_config |
2996 | index c9042ac..a71ad19 100644 | 2947 | index cf7d8e1..1dfd0f1 100644 |
2997 | --- a/sshd_config | 2948 | --- a/sshd_config |
2998 | +++ b/sshd_config | 2949 | +++ b/sshd_config |
2999 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 2950 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
@@ -3006,10 +2957,10 @@ index c9042ac..a71ad19 100644 | |||
3006 | # Set this to 'yes' to enable PAM authentication, account processing, | 2957 | # Set this to 'yes' to enable PAM authentication, account processing, |
3007 | # and session processing. If this is enabled, PAM authentication will | 2958 | # and session processing. If this is enabled, PAM authentication will |
3008 | diff --git a/sshd_config.5 b/sshd_config.5 | 2959 | diff --git a/sshd_config.5 b/sshd_config.5 |
3009 | index 6dce0c7..0331496 100644 | 2960 | index 5ab4318..68424f1 100644 |
3010 | --- a/sshd_config.5 | 2961 | --- a/sshd_config.5 |
3011 | +++ b/sshd_config.5 | 2962 | +++ b/sshd_config.5 |
3012 | @@ -564,12 +564,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2963 | @@ -616,6 +616,12 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3013 | The default is | 2964 | The default is |
3014 | .Dq no . | 2965 | .Dq no . |
3015 | Note that this option applies to protocol version 2 only. | 2966 | Note that this option applies to protocol version 2 only. |
@@ -3022,26 +2973,10 @@ index 6dce0c7..0331496 100644 | |||
3022 | .It Cm GSSAPICleanupCredentials | 2973 | .It Cm GSSAPICleanupCredentials |
3023 | Specifies whether to automatically destroy the user's credentials cache | 2974 | Specifies whether to automatically destroy the user's credentials cache |
3024 | on logout. | 2975 | on logout. |
2976 | @@ -637,6 +643,11 @@ machine's default store. | ||
2977 | This facility is provided to assist with operation on multi homed machines. | ||
3025 | The default is | 2978 | The default is |
3026 | .Dq yes . | 2979 | .Dq yes . |
3027 | Note that this option applies to protocol version 2 only. | ||
3028 | +.It Cm GSSAPIStrictAcceptorCheck | ||
3029 | +Determines whether to be strict about the identity of the GSSAPI acceptor | ||
3030 | +a client authenticates against. If | ||
3031 | +.Dq yes | ||
3032 | +then the client must authenticate against the | ||
3033 | +.Pa host | ||
3034 | +service on the current hostname. If | ||
3035 | +.Dq no | ||
3036 | +then the client may authenticate against any service key stored in the | ||
3037 | +machine's default store. This facility is provided to assist with operation | ||
3038 | +on multi homed machines. | ||
3039 | +The default is | ||
3040 | +.Dq yes . | ||
3041 | +Note that this option applies only to protocol version 2 GSSAPI connections, | ||
3042 | +and setting it to | ||
3043 | +.Dq no | ||
3044 | +may only work with recent Kerberos GSSAPI libraries. | ||
3045 | +.It Cm GSSAPIStoreCredentialsOnRekey | 2980 | +.It Cm GSSAPIStoreCredentialsOnRekey |
3046 | +Controls whether the user's GSSAPI credentials should be updated following a | 2981 | +Controls whether the user's GSSAPI credentials should be updated following a |
3047 | +successful connection rekeying. This option can be used to accepted renewed | 2982 | +successful connection rekeying. This option can be used to accepted renewed |
@@ -3051,7 +2986,7 @@ index 6dce0c7..0331496 100644 | |||
3051 | Specifies the key types that will be accepted for hostbased authentication | 2986 | Specifies the key types that will be accepted for hostbased authentication |
3052 | as a comma-separated pattern list. | 2987 | as a comma-separated pattern list. |
3053 | diff --git a/sshkey.c b/sshkey.c | 2988 | diff --git a/sshkey.c b/sshkey.c |
3054 | index 4768790..cd5992e 100644 | 2989 | index cfe5980..2c87d80 100644 |
3055 | --- a/sshkey.c | 2990 | --- a/sshkey.c |
3056 | +++ b/sshkey.c | 2991 | +++ b/sshkey.c |
3057 | @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { | 2992 | @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { |
@@ -3072,7 +3007,7 @@ index 4768790..cd5992e 100644 | |||
3072 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 3007 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
3073 | continue; | 3008 | continue; |
3074 | diff --git a/sshkey.h b/sshkey.h | 3009 | diff --git a/sshkey.h b/sshkey.h |
3075 | index 62c1c3e..9314e85 100644 | 3010 | index cdac0e2..b010b8e 100644 |
3076 | --- a/sshkey.h | 3011 | --- a/sshkey.h |
3077 | +++ b/sshkey.h | 3012 | +++ b/sshkey.h |
3078 | @@ -64,6 +64,7 @@ enum sshkey_types { | 3013 | @@ -64,6 +64,7 @@ enum sshkey_types { |
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch index 6ea643210..ac8630b4c 100644 --- a/debian/patches/helpful-wait-terminate.patch +++ b/debian/patches/helpful-wait-terminate.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9a440da8025dbc120803ee09c2a7ac8c638d31c2 Mon Sep 17 00:00:00 2001 | 1 | From 5496170cd67abb653e385277bd83b69f1b10905d Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 |
4 | Subject: Mention ~& when waiting for forwarded connections to terminate | 4 | Subject: Mention ~& when waiting for forwarded connections to terminate |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index 0adfbd2b5..09c178db4 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7efad61f1e562f504a5ff3fb0ae90ac05a208e66 Mon Sep 17 00:00:00 2001 | 1 | From 02a61bcb045503a5f3f7e274ac1f4524e30f87c8 Mon Sep 17 00:00:00 2001 |
2 | From: Richard Kettlewell <rjk@greenend.org.uk> | 2 | From: Richard Kettlewell <rjk@greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 |
4 | Subject: Various keepalive extensions | 4 | Subject: Various keepalive extensions |
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch | |||
26 | 3 files changed, 34 insertions(+), 4 deletions(-) | 26 | 3 files changed, 34 insertions(+), 4 deletions(-) |
27 | 27 | ||
28 | diff --git a/readconf.c b/readconf.c | 28 | diff --git a/readconf.c b/readconf.c |
29 | index 278fe15..1d2d596 100644 | 29 | index 85eea48..5c5890c 100644 |
30 | --- a/readconf.c | 30 | --- a/readconf.c |
31 | +++ b/readconf.c | 31 | +++ b/readconf.c |
32 | @@ -159,6 +159,7 @@ typedef enum { | 32 | @@ -159,6 +159,7 @@ typedef enum { |
@@ -72,7 +72,7 @@ index 278fe15..1d2d596 100644 | |||
72 | options->server_alive_count_max = 3; | 72 | options->server_alive_count_max = 3; |
73 | if (options->control_master == -1) | 73 | if (options->control_master == -1) |
74 | diff --git a/ssh_config.5 b/ssh_config.5 | 74 | diff --git a/ssh_config.5 b/ssh_config.5 |
75 | index dd35dd8..250c0d1 100644 | 75 | index f7510b6..21d3e94 100644 |
76 | --- a/ssh_config.5 | 76 | --- a/ssh_config.5 |
77 | +++ b/ssh_config.5 | 77 | +++ b/ssh_config.5 |
78 | @@ -233,8 +233,12 @@ Valid arguments are | 78 | @@ -233,8 +233,12 @@ Valid arguments are |
@@ -89,7 +89,7 @@ index dd35dd8..250c0d1 100644 | |||
89 | The argument must be | 89 | The argument must be |
90 | .Dq yes | 90 | .Dq yes |
91 | or | 91 | or |
92 | @@ -1420,8 +1424,15 @@ from the server, | 92 | @@ -1425,8 +1429,15 @@ from the server, |
93 | will send a message through the encrypted | 93 | will send a message through the encrypted |
94 | channel to request a response from the server. | 94 | channel to request a response from the server. |
95 | The default | 95 | The default |
@@ -106,7 +106,7 @@ index dd35dd8..250c0d1 100644 | |||
106 | .It Cm StreamLocalBindMask | 106 | .It Cm StreamLocalBindMask |
107 | Sets the octal file creation mode mask | 107 | Sets the octal file creation mode mask |
108 | .Pq umask | 108 | .Pq umask |
109 | @@ -1487,6 +1498,12 @@ Specifies whether the system should send TCP keepalive messages to the | 109 | @@ -1492,6 +1503,12 @@ Specifies whether the system should send TCP keepalive messages to the |
110 | other side. | 110 | other side. |
111 | If they are sent, death of the connection or crash of one | 111 | If they are sent, death of the connection or crash of one |
112 | of the machines will be properly noticed. | 112 | of the machines will be properly noticed. |
@@ -120,10 +120,10 @@ index dd35dd8..250c0d1 100644 | |||
120 | connections will die if the route is down temporarily, and some people | 120 | connections will die if the route is down temporarily, and some people |
121 | find it annoying. | 121 | find it annoying. |
122 | diff --git a/sshd_config.5 b/sshd_config.5 | 122 | diff --git a/sshd_config.5 b/sshd_config.5 |
123 | index 0331496..d14576e 100644 | 123 | index 68424f1..1269bbd 100644 |
124 | --- a/sshd_config.5 | 124 | --- a/sshd_config.5 |
125 | +++ b/sshd_config.5 | 125 | +++ b/sshd_config.5 |
126 | @@ -1392,6 +1392,9 @@ This avoids infinitely hanging sessions. | 126 | @@ -1443,6 +1443,9 @@ This avoids infinitely hanging sessions. |
127 | .Pp | 127 | .Pp |
128 | To disable TCP keepalive messages, the value should be set to | 128 | To disable TCP keepalive messages, the value should be set to |
129 | .Dq no . | 129 | .Dq no . |
@@ -132,4 +132,4 @@ index 0331496..d14576e 100644 | |||
132 | +.Cm KeepAlive . | 132 | +.Cm KeepAlive . |
133 | .It Cm TrustedUserCAKeys | 133 | .It Cm TrustedUserCAKeys |
134 | Specifies a file containing public keys of certificate authorities that are | 134 | Specifies a file containing public keys of certificate authorities that are |
135 | trusted to sign user certificates for authentication. | 135 | trusted to sign user certificates for authentication, or |
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch index 7aa035726..a285b4c69 100644 --- a/debian/patches/lintian-symlink-pickiness.patch +++ b/debian/patches/lintian-symlink-pickiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 90fc009420a03c598d6f003df5466191ab4d12b2 Mon Sep 17 00:00:00 2001 | 1 | From 1237c8b43799156af8972c53c9ccc6b27140a284 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:08 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:08 +0000 |
4 | Subject: Fix picky lintian errors about slogin symlinks | 4 | Subject: Fix picky lintian errors about slogin symlinks |
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch index 127ed9f9e..84804481e 100644 --- a/debian/patches/mention-ssh-keygen-on-keychange.patch +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From aedcf9cb37f512b929ce895ba1fccc9ca39166b0 Mon Sep 17 00:00:00 2001 | 1 | From f948cb2d089ebf70b70db3d483d09ad97a0cf371 Mon Sep 17 00:00:00 2001 |
2 | From: Scott Moser <smoser@ubuntu.com> | 2 | From: Scott Moser <smoser@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 |
4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning | 4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning |
@@ -13,7 +13,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch | |||
13 | 1 file changed, 6 insertions(+), 1 deletion(-) | 13 | 1 file changed, 6 insertions(+), 1 deletion(-) |
14 | 14 | ||
15 | diff --git a/sshconnect.c b/sshconnect.c | 15 | diff --git a/sshconnect.c b/sshconnect.c |
16 | index 0073c6e..6065dff 100644 | 16 | index 8adc943..0c9fc6c 100644 |
17 | --- a/sshconnect.c | 17 | --- a/sshconnect.c |
18 | +++ b/sshconnect.c | 18 | +++ b/sshconnect.c |
19 | @@ -1078,9 +1078,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 19 | @@ -1078,9 +1078,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch index f4d8bca66..73b16a368 100644 --- a/debian/patches/no-openssl-version-status.patch +++ b/debian/patches/no-openssl-version-status.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6b85aa42144010401906754b98f9876651669163 Mon Sep 17 00:00:00 2001 | 1 | From d3777c50b834493fcfbc3549e1dfb465c10abeec Mon Sep 17 00:00:00 2001 |
2 | From: Kurt Roeckx <kurt@roeckx.be> | 2 | From: Kurt Roeckx <kurt@roeckx.be> |
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 |
4 | Subject: Don't check the status field of the OpenSSL version | 4 | Subject: Don't check the status field of the OpenSSL version |
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index f5b96f4a1..97971707f 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 96c2797aaa79d687e75dc56f40f7102131d87fb1 Mon Sep 17 00:00:00 2001 | 1 | From 3303a9d037ae9b62e5af01f467d8053cbd9c8410 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
@@ -88,7 +88,7 @@ index 9b93666..19bed1e 100644 | |||
88 | The file format is described in | 88 | The file format is described in |
89 | .Xr moduli 5 . | 89 | .Xr moduli 5 . |
90 | diff --git a/ssh.1 b/ssh.1 | 90 | diff --git a/ssh.1 b/ssh.1 |
91 | index 53c711a..04de6cf 100644 | 91 | index c84196f..c3e1266 100644 |
92 | --- a/ssh.1 | 92 | --- a/ssh.1 |
93 | +++ b/ssh.1 | 93 | +++ b/ssh.1 |
94 | @@ -766,6 +766,10 @@ Protocol 1 is restricted to using only RSA keys, | 94 | @@ -766,6 +766,10 @@ Protocol 1 is restricted to using only RSA keys, |
@@ -103,7 +103,7 @@ index 53c711a..04de6cf 100644 | |||
103 | .Pp | 103 | .Pp |
104 | The file | 104 | The file |
105 | diff --git a/sshd.8 b/sshd.8 | 105 | diff --git a/sshd.8 b/sshd.8 |
106 | index fc2154c..8dba6cf 100644 | 106 | index 5afd10f..2f4d4f3 100644 |
107 | --- a/sshd.8 | 107 | --- a/sshd.8 |
108 | +++ b/sshd.8 | 108 | +++ b/sshd.8 |
109 | @@ -67,7 +67,7 @@ over an insecure network. | 109 | @@ -67,7 +67,7 @@ over an insecure network. |
@@ -115,7 +115,7 @@ index fc2154c..8dba6cf 100644 | |||
115 | It forks a new | 115 | It forks a new |
116 | daemon for each incoming connection. | 116 | daemon for each incoming connection. |
117 | The forked daemons handle | 117 | The forked daemons handle |
118 | @@ -862,7 +862,7 @@ This file is for host-based authentication (see | 118 | @@ -864,7 +864,7 @@ This file is for host-based authentication (see |
119 | .Xr ssh 1 ) . | 119 | .Xr ssh 1 ) . |
120 | It should only be writable by root. | 120 | It should only be writable by root. |
121 | .Pp | 121 | .Pp |
@@ -124,7 +124,7 @@ index fc2154c..8dba6cf 100644 | |||
124 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 124 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
125 | The file format is described in | 125 | The file format is described in |
126 | .Xr moduli 5 . | 126 | .Xr moduli 5 . |
127 | @@ -961,7 +961,6 @@ The content of this file is not sensitive; it can be world-readable. | 127 | @@ -963,7 +963,6 @@ The content of this file is not sensitive; it can be world-readable. |
128 | .Xr ssh-keyscan 1 , | 128 | .Xr ssh-keyscan 1 , |
129 | .Xr chroot 2 , | 129 | .Xr chroot 2 , |
130 | .Xr hosts_access 5 , | 130 | .Xr hosts_access 5 , |
@@ -133,10 +133,10 @@ index fc2154c..8dba6cf 100644 | |||
133 | .Xr sshd_config 5 , | 133 | .Xr sshd_config 5 , |
134 | .Xr inetd 8 , | 134 | .Xr inetd 8 , |
135 | diff --git a/sshd_config.5 b/sshd_config.5 | 135 | diff --git a/sshd_config.5 b/sshd_config.5 |
136 | index ec58635..453d741 100644 | 136 | index a5afbc3..355b445 100644 |
137 | --- a/sshd_config.5 | 137 | --- a/sshd_config.5 |
138 | +++ b/sshd_config.5 | 138 | +++ b/sshd_config.5 |
139 | @@ -322,8 +322,7 @@ This option is only available for protocol version 2. | 139 | @@ -374,8 +374,7 @@ This option is only available for protocol version 2. |
140 | By default, no banner is displayed. | 140 | By default, no banner is displayed. |
141 | .It Cm ChallengeResponseAuthentication | 141 | .It Cm ChallengeResponseAuthentication |
142 | Specifies whether challenge-response authentication is allowed (e.g. via | 142 | Specifies whether challenge-response authentication is allowed (e.g. via |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index 11674a915..6eb7b7243 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9f6aded97671ee8b9164f0524b3ac622d827dcde Mon Sep 17 00:00:00 2001 | 1 | From c3a4906692ddd85d8530d2fdb74822ae793f18db Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -19,7 +19,7 @@ Patch-Name: package-versioning.patch | |||
19 | 3 files changed, 9 insertions(+), 4 deletions(-) | 19 | 3 files changed, 9 insertions(+), 4 deletions(-) |
20 | 20 | ||
21 | diff --git a/sshconnect.c b/sshconnect.c | 21 | diff --git a/sshconnect.c b/sshconnect.c |
22 | index 6065dff..a6c9e20 100644 | 22 | index 0c9fc6c..988f4ef 100644 |
23 | --- a/sshconnect.c | 23 | --- a/sshconnect.c |
24 | +++ b/sshconnect.c | 24 | +++ b/sshconnect.c |
25 | @@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1) | 25 | @@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1) |
@@ -36,7 +36,7 @@ index 6065dff..a6c9e20 100644 | |||
36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, | 36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, |
37 | strlen(client_version_string)) != strlen(client_version_string)) | 37 | strlen(client_version_string)) != strlen(client_version_string)) |
38 | diff --git a/sshd.c b/sshd.c | 38 | diff --git a/sshd.c b/sshd.c |
39 | index 3b4e97c..c362209 100644 | 39 | index 9ff9e8b..96e75c6 100644 |
40 | --- a/sshd.c | 40 | --- a/sshd.c |
41 | +++ b/sshd.c | 41 | +++ b/sshd.c |
42 | @@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out) | 42 | @@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out) |
@@ -49,11 +49,11 @@ index 3b4e97c..c362209 100644 | |||
49 | options.version_addendum, newline); | 49 | options.version_addendum, newline); |
50 | 50 | ||
51 | diff --git a/version.h b/version.h | 51 | diff --git a/version.h b/version.h |
52 | index dfe3ee9..94569ac 100644 | 52 | index b58fbe1..bff2b3b 100644 |
53 | --- a/version.h | 53 | --- a/version.h |
54 | +++ b/version.h | 54 | +++ b/version.h |
55 | @@ -3,4 +3,9 @@ | 55 | @@ -3,4 +3,9 @@ |
56 | #define SSH_VERSION "OpenSSH_6.8" | 56 | #define SSH_VERSION "OpenSSH_6.9" |
57 | 57 | ||
58 | #define SSH_PORTABLE "p1" | 58 | #define SSH_PORTABLE "p1" |
59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index ff16b9850..ba16a9943 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 34592a434851697537873eed1eb83ba0a640c5c8 Mon Sep 17 00:00:00 2001 | 1 | From 7c26c2f768c5d457c6645c1e1c077ba10a853626 Mon Sep 17 00:00:00 2001 |
2 | From: Peter Samuelson <peter@p12n.org> | 2 | From: Peter Samuelson <peter@p12n.org> |
3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 |
4 | Subject: Reduce severity of "Killed by signal %d" | 4 | Subject: Reduce severity of "Killed by signal %d" |
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch | |||
22 | 1 file changed, 4 insertions(+), 2 deletions(-) | 22 | 1 file changed, 4 insertions(+), 2 deletions(-) |
23 | 23 | ||
24 | diff --git a/clientloop.c b/clientloop.c | 24 | diff --git a/clientloop.c b/clientloop.c |
25 | index 156a196..45cef88 100644 | 25 | index 964353d..65f90b8 100644 |
26 | --- a/clientloop.c | 26 | --- a/clientloop.c |
27 | +++ b/clientloop.c | 27 | +++ b/clientloop.c |
28 | @@ -1707,8 +1707,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 28 | @@ -1720,8 +1720,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
29 | exit_status = 0; | 29 | exit_status = 0; |
30 | } | 30 | } |
31 | 31 | ||
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch index c9da26f7d..9e0435313 100644 --- a/debian/patches/restore-tcp-wrappers.patch +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7df209aed8ded9a6cab34e704576998786bdc890 Mon Sep 17 00:00:00 2001 | 1 | From ace4bfab52b31a2833636a243ba150fdf0f48293 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | 3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 |
4 | Subject: Restore TCP wrappers support | 4 | Subject: Restore TCP wrappers support |
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch | |||
28 | 3 files changed, 89 insertions(+) | 28 | 3 files changed, 89 insertions(+) |
29 | 29 | ||
30 | diff --git a/configure.ac b/configure.ac | 30 | diff --git a/configure.ac b/configure.ac |
31 | index 216a9fd..5f606ea 100644 | 31 | index df21693..4d55c46 100644 |
32 | --- a/configure.ac | 32 | --- a/configure.ac |
33 | +++ b/configure.ac | 33 | +++ b/configure.ac |
34 | @@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey], | 34 | @@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey], |
35 | ] | 35 | ] |
36 | ) | 36 | ) |
37 | 37 | ||
@@ -94,7 +94,7 @@ index 216a9fd..5f606ea 100644 | |||
94 | # Check whether user wants to use ldns | 94 | # Check whether user wants to use ldns |
95 | LDNS_MSG="no" | 95 | LDNS_MSG="no" |
96 | AC_ARG_WITH(ldns, | 96 | AC_ARG_WITH(ldns, |
97 | @@ -4920,6 +4976,7 @@ echo " KerberosV support: $KRB5_MSG" | 97 | @@ -4928,6 +4984,7 @@ echo " KerberosV support: $KRB5_MSG" |
98 | echo " SELinux support: $SELINUX_MSG" | 98 | echo " SELinux support: $SELINUX_MSG" |
99 | echo " Smartcard support: $SCARD_MSG" | 99 | echo " Smartcard support: $SCARD_MSG" |
100 | echo " S/KEY support: $SKEY_MSG" | 100 | echo " S/KEY support: $SKEY_MSG" |
@@ -103,10 +103,10 @@ index 216a9fd..5f606ea 100644 | |||
103 | echo " libedit support: $LIBEDIT_MSG" | 103 | echo " libedit support: $LIBEDIT_MSG" |
104 | echo " Solaris process contract support: $SPC_MSG" | 104 | echo " Solaris process contract support: $SPC_MSG" |
105 | diff --git a/sshd.8 b/sshd.8 | 105 | diff --git a/sshd.8 b/sshd.8 |
106 | index 3c53f7c..fc2154c 100644 | 106 | index dcf20f0..5afd10f 100644 |
107 | --- a/sshd.8 | 107 | --- a/sshd.8 |
108 | +++ b/sshd.8 | 108 | +++ b/sshd.8 |
109 | @@ -851,6 +851,12 @@ the user's home directory becomes accessible. | 109 | @@ -853,6 +853,12 @@ the user's home directory becomes accessible. |
110 | This file should be writable only by the user, and need not be | 110 | This file should be writable only by the user, and need not be |
111 | readable by anyone else. | 111 | readable by anyone else. |
112 | .Pp | 112 | .Pp |
@@ -119,7 +119,7 @@ index 3c53f7c..fc2154c 100644 | |||
119 | .It Pa /etc/hosts.equiv | 119 | .It Pa /etc/hosts.equiv |
120 | This file is for host-based authentication (see | 120 | This file is for host-based authentication (see |
121 | .Xr ssh 1 ) . | 121 | .Xr ssh 1 ) . |
122 | @@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. | 122 | @@ -956,6 +962,7 @@ The content of this file is not sensitive; it can be world-readable. |
123 | .Xr ssh-keygen 1 , | 123 | .Xr ssh-keygen 1 , |
124 | .Xr ssh-keyscan 1 , | 124 | .Xr ssh-keyscan 1 , |
125 | .Xr chroot 2 , | 125 | .Xr chroot 2 , |
@@ -128,7 +128,7 @@ index 3c53f7c..fc2154c 100644 | |||
128 | .Xr moduli 5 , | 128 | .Xr moduli 5 , |
129 | .Xr sshd_config 5 , | 129 | .Xr sshd_config 5 , |
130 | diff --git a/sshd.c b/sshd.c | 130 | diff --git a/sshd.c b/sshd.c |
131 | index cf38bae..9cbe8c4 100644 | 131 | index 6b85e6c..186ad55 100644 |
132 | --- a/sshd.c | 132 | --- a/sshd.c |
133 | +++ b/sshd.c | 133 | +++ b/sshd.c |
134 | @@ -129,6 +129,13 @@ | 134 | @@ -129,6 +129,13 @@ |
@@ -145,7 +145,7 @@ index cf38bae..9cbe8c4 100644 | |||
145 | #ifndef O_NOCTTY | 145 | #ifndef O_NOCTTY |
146 | #define O_NOCTTY 0 | 146 | #define O_NOCTTY 0 |
147 | #endif | 147 | #endif |
148 | @@ -2133,6 +2140,24 @@ main(int ac, char **av) | 148 | @@ -2141,6 +2148,24 @@ main(int ac, char **av) |
149 | #ifdef SSH_AUDIT_EVENTS | 149 | #ifdef SSH_AUDIT_EVENTS |
150 | audit_connection_from(remote_ip, remote_port); | 150 | audit_connection_from(remote_ip, remote_port); |
151 | #endif | 151 | #endif |
@@ -169,4 +169,4 @@ index cf38bae..9cbe8c4 100644 | |||
169 | +#endif /* LIBWRAP */ | 169 | +#endif /* LIBWRAP */ |
170 | 170 | ||
171 | /* Log the connection. */ | 171 | /* Log the connection. */ |
172 | verbose("Connection from %s port %d on %s port %d", | 172 | laddr = get_local_ipaddr(sock_in); |
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index 52e709112..fcf389dec 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4f55e60d2296feba17b473b2146a75debe29993a Mon Sep 17 00:00:00 2001 | 1 | From 9921536f50f50eb283dea50c77753eb0773d4258 Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch | |||
17 | 1 file changed, 10 insertions(+), 2 deletions(-) | 17 | 1 file changed, 10 insertions(+), 2 deletions(-) |
18 | 18 | ||
19 | diff --git a/scp.c b/scp.c | 19 | diff --git a/scp.c b/scp.c |
20 | index 887b014..afa4a2f 100644 | 20 | index 593fe89..e39294e 100644 |
21 | --- a/scp.c | 21 | --- a/scp.c |
22 | +++ b/scp.c | 22 | +++ b/scp.c |
23 | @@ -190,8 +190,16 @@ do_local_cmd(arglist *a) | 23 | @@ -190,8 +190,16 @@ do_local_cmd(arglist *a) |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index da53671e3..617aa3b11 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b9e97e15e25e4c836cb550213e3ee59b19096f9d Mon Sep 17 00:00:00 2001 | 1 | From 8b3e4a6ddad01fef62d153ac3b033de61a02696e Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch | |||
32 | 16 files changed, 104 insertions(+), 31 deletions(-) | 32 | 16 files changed, 104 insertions(+), 31 deletions(-) |
33 | 33 | ||
34 | diff --git a/auth.h b/auth.h | 34 | diff --git a/auth.h b/auth.h |
35 | index db86037..4985cd8 100644 | 35 | index 8b27575..3c2222f 100644 |
36 | --- a/auth.h | 36 | --- a/auth.h |
37 | +++ b/auth.h | 37 | +++ b/auth.h |
38 | @@ -62,6 +62,7 @@ struct Authctxt { | 38 | @@ -62,6 +62,7 @@ struct Authctxt { |
@@ -113,7 +113,7 @@ index 3f49bdc..6eb3cc7 100644 | |||
113 | if (auth2_setup_methods_lists(authctxt) != 0) | 113 | if (auth2_setup_methods_lists(authctxt) != 0) |
114 | packet_disconnect("no authentication methods enabled"); | 114 | packet_disconnect("no authentication methods enabled"); |
115 | diff --git a/monitor.c b/monitor.c | 115 | diff --git a/monitor.c b/monitor.c |
116 | index a2027e5..6ff05e4 100644 | 116 | index bdc2972..3a3d2f0 100644 |
117 | --- a/monitor.c | 117 | --- a/monitor.c |
118 | +++ b/monitor.c | 118 | +++ b/monitor.c |
119 | @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); | 119 | @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); |
@@ -180,7 +180,7 @@ index a2027e5..6ff05e4 100644 | |||
180 | return (0); | 180 | return (0); |
181 | } | 181 | } |
182 | 182 | ||
183 | @@ -1540,7 +1566,7 @@ mm_answer_pty(int sock, Buffer *m) | 183 | @@ -1544,7 +1570,7 @@ mm_answer_pty(int sock, Buffer *m) |
184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
185 | if (res == 0) | 185 | if (res == 0) |
186 | goto error; | 186 | goto error; |
@@ -203,10 +203,10 @@ index bc50ade..2d82b8b 100644 | |||
203 | 203 | ||
204 | struct mm_master; | 204 | struct mm_master; |
205 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 205 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
206 | index b667218..5aa9c47 100644 | 206 | index 71e7c08..6ae72a0 100644 |
207 | --- a/monitor_wrap.c | 207 | --- a/monitor_wrap.c |
208 | +++ b/monitor_wrap.c | 208 | +++ b/monitor_wrap.c |
209 | @@ -329,10 +329,10 @@ mm_auth2_read_banner(void) | 209 | @@ -327,10 +327,10 @@ mm_auth2_read_banner(void) |
210 | return (banner); | 210 | return (banner); |
211 | } | 211 | } |
212 | 212 | ||
@@ -219,7 +219,7 @@ index b667218..5aa9c47 100644 | |||
219 | { | 219 | { |
220 | Buffer m; | 220 | Buffer m; |
221 | 221 | ||
222 | @@ -341,12 +341,30 @@ mm_inform_authserv(char *service, char *style) | 222 | @@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style) |
223 | buffer_init(&m); | 223 | buffer_init(&m); |
224 | buffer_put_cstring(&m, service); | 224 | buffer_put_cstring(&m, service); |
225 | buffer_put_cstring(&m, style ? style : ""); | 225 | buffer_put_cstring(&m, style ? style : ""); |
@@ -251,7 +251,7 @@ index b667218..5aa9c47 100644 | |||
251 | int | 251 | int |
252 | mm_auth_password(Authctxt *authctxt, char *password) | 252 | mm_auth_password(Authctxt *authctxt, char *password) |
253 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 253 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
254 | index 0c770e8..4d1e899 100644 | 254 | index 9758290..57e740f 100644 |
255 | --- a/monitor_wrap.h | 255 | --- a/monitor_wrap.h |
256 | +++ b/monitor_wrap.h | 256 | +++ b/monitor_wrap.h |
257 | @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); | 257 | @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); |
@@ -396,7 +396,7 @@ index 1c7a45d..436ae7c 100644 | |||
396 | char *platform_krb5_get_principal_name(const char *); | 396 | char *platform_krb5_get_principal_name(const char *); |
397 | int platform_sys_dir_uid(uid_t); | 397 | int platform_sys_dir_uid(uid_t); |
398 | diff --git a/session.c b/session.c | 398 | diff --git a/session.c b/session.c |
399 | index 54bac36..d4b7725 100644 | 399 | index 5a64715..afac4a5 100644 |
400 | --- a/session.c | 400 | --- a/session.c |
401 | +++ b/session.c | 401 | +++ b/session.c |
402 | @@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid) | 402 | @@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid) |
@@ -458,7 +458,7 @@ index 6a2f35e..ef6593c 100644 | |||
458 | const char *value); | 458 | const char *value); |
459 | 459 | ||
460 | diff --git a/sshd.c b/sshd.c | 460 | diff --git a/sshd.c b/sshd.c |
461 | index 9cbe8c4..3b4e97c 100644 | 461 | index 186ad55..9ff9e8b 100644 |
462 | --- a/sshd.c | 462 | --- a/sshd.c |
463 | +++ b/sshd.c | 463 | +++ b/sshd.c |
464 | @@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt) | 464 | @@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt) |
@@ -471,7 +471,7 @@ index 9cbe8c4..3b4e97c 100644 | |||
471 | skip: | 471 | skip: |
472 | /* It is safe now to apply the key state */ | 472 | /* It is safe now to apply the key state */ |
473 | diff --git a/sshpty.c b/sshpty.c | 473 | diff --git a/sshpty.c b/sshpty.c |
474 | index d2ff8c1..f7b1f6d 100644 | 474 | index 7bb7641..0e32b39 100644 |
475 | --- a/sshpty.c | 475 | --- a/sshpty.c |
476 | +++ b/sshpty.c | 476 | +++ b/sshpty.c |
477 | @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, | 477 | @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, |
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 549ef38dd..c12d86132 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8a8bbc66b8eefd7c679d5769f087209188deafe7 Mon Sep 17 00:00:00 2001 | 1 | From 865180de0e7d4735170faac2d584603fbe0530b2 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch | |||
16 | 1 file changed, 2 insertions(+), 2 deletions(-) | 16 | 1 file changed, 2 insertions(+), 2 deletions(-) |
17 | 17 | ||
18 | diff --git a/sshconnect.c b/sshconnect.c | 18 | diff --git a/sshconnect.c b/sshconnect.c |
19 | index 9e51506..0073c6e 100644 | 19 | index f41960c..8adc943 100644 |
20 | --- a/sshconnect.c | 20 | --- a/sshconnect.c |
21 | +++ b/sshconnect.c | 21 | +++ b/sshconnect.c |
22 | @@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) | 22 | @@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) |
@@ -28,7 +28,7 @@ index 9e51506..0073c6e 100644 | |||
28 | perror(argv[0]); | 28 | perror(argv[0]); |
29 | exit(1); | 29 | exit(1); |
30 | } | 30 | } |
31 | @@ -1470,7 +1470,7 @@ ssh_local_cmd(const char *args) | 31 | @@ -1471,7 +1471,7 @@ ssh_local_cmd(const char *args) |
32 | if (pid == 0) { | 32 | if (pid == 0) { |
33 | signal(SIGPIPE, SIG_DFL); | 33 | signal(SIGPIPE, SIG_DFL); |
34 | debug3("Executing %s -c \"%s\"", shell, args); | 34 | debug3("Executing %s -c \"%s\"", shell, args); |
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch index 80e775dc1..ae65d8285 100644 --- a/debian/patches/sigstop.patch +++ b/debian/patches/sigstop.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a8e779107942d044d281461c609ec29129dec51e Mon Sep 17 00:00:00 2001 | 1 | From b0b95d9689563856ac4992c90b65ed4fd8f3fae6 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 |
4 | Subject: Support synchronisation with service supervisor using SIGSTOP | 4 | Subject: Support synchronisation with service supervisor using SIGSTOP |
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch | |||
13 | 1 file changed, 10 insertions(+) | 13 | 1 file changed, 10 insertions(+) |
14 | 14 | ||
15 | diff --git a/sshd.c b/sshd.c | 15 | diff --git a/sshd.c b/sshd.c |
16 | index 5435968..f8db3ae 100644 | 16 | index 7886d0e..cc8ecaf 100644 |
17 | --- a/sshd.c | 17 | --- a/sshd.c |
18 | +++ b/sshd.c | 18 | +++ b/sshd.c |
19 | @@ -2030,6 +2030,16 @@ main(int ac, char **av) | 19 | @@ -2038,6 +2038,16 @@ main(int ac, char **av) |
20 | } | 20 | } |
21 | } | 21 | } |
22 | 22 | ||
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index b382252a3..aa9fa7e4d 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 101d1dd7f95d75f1862c541a5b8d4032d4623d53 Mon Sep 17 00:00:00 2001 | 1 | From 95d0369e741776a0d18cffb2e4526dee37ebdbd6 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch | |||
13 | 1 file changed, 15 insertions(+) | 13 | 1 file changed, 15 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh-agent.1 b/ssh-agent.1 | 15 | diff --git a/ssh-agent.1 b/ssh-agent.1 |
16 | index 6759afe..25de326 100644 | 16 | index d0aa712..2a940d9 100644 |
17 | --- a/ssh-agent.1 | 17 | --- a/ssh-agent.1 |
18 | +++ b/ssh-agent.1 | 18 | +++ b/ssh-agent.1 |
19 | @@ -181,6 +181,21 @@ environment variable holds the agent's process ID. | 19 | @@ -186,6 +186,21 @@ environment variable holds the agent's process ID. |
20 | .Pp | 20 | .Pp |
21 | The agent exits automatically when the command given on the command | 21 | The agent exits automatically when the command given on the command |
22 | line terminates. | 22 | line terminates. |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index 0fe3b6da4..fce893c91 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From fac628fd57d3d357b86d77987f896d6289240345 Mon Sep 17 00:00:00 2001 | 1 | From abc6170edaed77f07694dd001c87077376157eaa Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch | |||
18 | 1 file changed, 1 insertion(+) | 18 | 1 file changed, 1 insertion(+) |
19 | 19 | ||
20 | diff --git a/ssh.1 b/ssh.1 | 20 | diff --git a/ssh.1 b/ssh.1 |
21 | index 04de6cf..c8892fe 100644 | 21 | index c3e1266..2178863 100644 |
22 | --- a/ssh.1 | 22 | --- a/ssh.1 |
23 | +++ b/ssh.1 | 23 | +++ b/ssh.1 |
24 | @@ -1471,6 +1471,7 @@ if an error occurred. | 24 | @@ -1487,6 +1487,7 @@ if an error occurred. |
25 | .Xr sftp 1 , | 25 | .Xr sftp 1 , |
26 | .Xr ssh-add 1 , | 26 | .Xr ssh-add 1 , |
27 | .Xr ssh-agent 1 , | 27 | .Xr ssh-agent 1 , |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index 28b98f527..7af91e955 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d027dea6b4b659a7ad537e452db563763302eabd Mon Sep 17 00:00:00 2001 | 1 | From dd02db02d322c9db67d42fe491727854f951c828 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch | |||
17 | 2 files changed, 2 insertions(+) | 17 | 2 files changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/readconf.c b/readconf.c | 19 | diff --git a/readconf.c b/readconf.c |
20 | index 254dbce..278fe15 100644 | 20 | index 68dac76..85eea48 100644 |
21 | --- a/readconf.c | 21 | --- a/readconf.c |
22 | +++ b/readconf.c | 22 | +++ b/readconf.c |
23 | @@ -180,6 +180,7 @@ static struct { | 23 | @@ -180,6 +180,7 @@ static struct { |
@@ -29,10 +29,10 @@ index 254dbce..278fe15 100644 | |||
29 | { "pubkeyauthentication", oPubkeyAuthentication }, | 29 | { "pubkeyauthentication", oPubkeyAuthentication }, |
30 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 30 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
31 | diff --git a/servconf.c b/servconf.c | 31 | diff --git a/servconf.c b/servconf.c |
32 | index f68c0d0..b3a2841 100644 | 32 | index 2f7f41e..8a5bd7b 100644 |
33 | --- a/servconf.c | 33 | --- a/servconf.c |
34 | +++ b/servconf.c | 34 | +++ b/servconf.c |
35 | @@ -503,6 +503,7 @@ static struct { | 35 | @@ -510,6 +510,7 @@ static struct { |
36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index e6bc72440..48308bcff 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 396f7d932b391fc92ac7ccdf8813f49564e2bbab Mon Sep 17 00:00:00 2001 | 1 | From b3d7661669a0f5255ede81f82c25951aeba9576c Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:51 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:51 +0000 |
4 | Subject: Partial server keep-alive implementation for SSH1 | 4 | Subject: Partial server keep-alive implementation for SSH1 |
@@ -13,10 +13,10 @@ Patch-Name: ssh1-keepalive.patch | |||
13 | 2 files changed, 19 insertions(+), 11 deletions(-) | 13 | 2 files changed, 19 insertions(+), 11 deletions(-) |
14 | 14 | ||
15 | diff --git a/clientloop.c b/clientloop.c | 15 | diff --git a/clientloop.c b/clientloop.c |
16 | index 7df9413..156a196 100644 | 16 | index 77d5498..964353d 100644 |
17 | --- a/clientloop.c | 17 | --- a/clientloop.c |
18 | +++ b/clientloop.c | 18 | +++ b/clientloop.c |
19 | @@ -564,16 +564,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) | 19 | @@ -577,16 +577,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) |
20 | static void | 20 | static void |
21 | server_alive_check(void) | 21 | server_alive_check(void) |
22 | { | 22 | { |
@@ -47,7 +47,7 @@ index 7df9413..156a196 100644 | |||
47 | } | 47 | } |
48 | 48 | ||
49 | /* | 49 | /* |
50 | @@ -635,7 +640,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, | 50 | @@ -648,7 +653,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, |
51 | */ | 51 | */ |
52 | 52 | ||
53 | timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ | 53 | timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ |
@@ -57,10 +57,10 @@ index 7df9413..156a196 100644 | |||
57 | server_alive_time = now + options.server_alive_interval; | 57 | server_alive_time = now + options.server_alive_interval; |
58 | } | 58 | } |
59 | diff --git a/ssh_config.5 b/ssh_config.5 | 59 | diff --git a/ssh_config.5 b/ssh_config.5 |
60 | index 4476171..dd35dd8 100644 | 60 | index b840261..f7510b6 100644 |
61 | --- a/ssh_config.5 | 61 | --- a/ssh_config.5 |
62 | +++ b/ssh_config.5 | 62 | +++ b/ssh_config.5 |
63 | @@ -1409,7 +1409,10 @@ If, for example, | 63 | @@ -1414,7 +1414,10 @@ If, for example, |
64 | .Cm ServerAliveCountMax | 64 | .Cm ServerAliveCountMax |
65 | is left at the default, if the server becomes unresponsive, | 65 | is left at the default, if the server becomes unresponsive, |
66 | ssh will disconnect after approximately 45 seconds. | 66 | ssh will disconnect after approximately 45 seconds. |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index d760e6c19..e829e50fd 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From fbe5bd9e957ea90404158b3a3c11a6b91fe6f010 Mon Sep 17 00:00:00 2001 | 1 | From 9e6bb8525886d99876eb43a3b39c96bdf3032146 Mon Sep 17 00:00:00 2001 |
2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> | 2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644 | |||
33 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 33 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
34 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 34 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
35 | diff --git a/ssh.c b/ssh.c | 35 | diff --git a/ssh.c b/ssh.c |
36 | index 0ad82f0..e8be6fe 100644 | 36 | index 3fd5a94..d99f7ef 100644 |
37 | --- a/ssh.c | 37 | --- a/ssh.c |
38 | +++ b/ssh.c | 38 | +++ b/ssh.c |
39 | @@ -1107,7 +1107,7 @@ main(int ac, char **av) | 39 | @@ -1105,7 +1105,7 @@ main(int ac, char **av) |
40 | /* Do not allocate a tty if stdin is not a tty. */ | 40 | /* Do not allocate a tty if stdin is not a tty. */ |
41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && | 41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && |
42 | options.request_tty != REQUEST_TTY_FORCE) { | 42 | options.request_tty != REQUEST_TTY_FORCE) { |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 8ce3d1f71..9213c1f29 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 39b2121148a0aa016a648446823c8f02c5fd95b3 Mon Sep 17 00:00:00 2001 | 1 | From 209c51110996719eab04236d72f776eed6bd8226 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -52,10 +52,10 @@ index ee9e827..2ff2cff 100644 | |||
52 | pw->pw_name, buf); | 52 | pw->pw_name, buf); |
53 | auth_debug_add("Bad file modes for %.200s", buf); | 53 | auth_debug_add("Bad file modes for %.200s", buf); |
54 | diff --git a/auth.c b/auth.c | 54 | diff --git a/auth.c b/auth.c |
55 | index f9b7673..41e3876 100644 | 55 | index e6c094d..a99c475 100644 |
56 | --- a/auth.c | 56 | --- a/auth.c |
57 | +++ b/auth.c | 57 | +++ b/auth.c |
58 | @@ -423,8 +423,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | 58 | @@ -422,8 +422,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, |
59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
60 | if (options.strict_modes && | 60 | if (options.strict_modes && |
61 | (stat(user_hostfile, &st) == 0) && | 61 | (stat(user_hostfile, &st) == 0) && |
@@ -65,7 +65,7 @@ index f9b7673..41e3876 100644 | |||
65 | logit("Authentication refused for %.100s: " | 65 | logit("Authentication refused for %.100s: " |
66 | "bad owner or modes for %.200s", | 66 | "bad owner or modes for %.200s", |
67 | pw->pw_name, user_hostfile); | 67 | pw->pw_name, user_hostfile); |
68 | @@ -486,8 +485,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 68 | @@ -485,8 +484,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
69 | snprintf(err, errlen, "%s is not a regular file", buf); | 69 | snprintf(err, errlen, "%s is not a regular file", buf); |
70 | return -1; | 70 | return -1; |
71 | } | 71 | } |
@@ -75,7 +75,7 @@ index f9b7673..41e3876 100644 | |||
75 | snprintf(err, errlen, "bad ownership or modes for file %s", | 75 | snprintf(err, errlen, "bad ownership or modes for file %s", |
76 | buf); | 76 | buf); |
77 | return -1; | 77 | return -1; |
78 | @@ -502,8 +500,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 78 | @@ -501,8 +499,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
79 | strlcpy(buf, cp, sizeof(buf)); | 79 | strlcpy(buf, cp, sizeof(buf)); |
80 | 80 | ||
81 | if (stat(buf, &st) < 0 || | 81 | if (stat(buf, &st) < 0 || |
@@ -86,7 +86,7 @@ index f9b7673..41e3876 100644 | |||
86 | "bad ownership or modes for directory %s", buf); | 86 | "bad ownership or modes for directory %s", buf); |
87 | return -1; | 87 | return -1; |
88 | diff --git a/misc.c b/misc.c | 88 | diff --git a/misc.c b/misc.c |
89 | index 38af3df..d745480 100644 | 89 | index ddd2b2d..1c063ea 100644 |
90 | --- a/misc.c | 90 | --- a/misc.c |
91 | +++ b/misc.c | 91 | +++ b/misc.c |
92 | @@ -50,8 +50,9 @@ | 92 | @@ -50,8 +50,9 @@ |
@@ -216,7 +216,7 @@ index f35ec39..9a23e6e 100644 | |||
216 | - return 0; | 216 | - return 0; |
217 | -} | 217 | -} |
218 | diff --git a/readconf.c b/readconf.c | 218 | diff --git a/readconf.c b/readconf.c |
219 | index 1d2d596..2ef8d7b 100644 | 219 | index 5c5890c..5f6c37f 100644 |
220 | --- a/readconf.c | 220 | --- a/readconf.c |
221 | +++ b/readconf.c | 221 | +++ b/readconf.c |
222 | @@ -39,6 +39,8 @@ | 222 | @@ -39,6 +39,8 @@ |
@@ -239,10 +239,10 @@ index 1d2d596..2ef8d7b 100644 | |||
239 | } | 239 | } |
240 | 240 | ||
241 | diff --git a/ssh.1 b/ssh.1 | 241 | diff --git a/ssh.1 b/ssh.1 |
242 | index da64b71..53c711a 100644 | 242 | index df7ac86..c84196f 100644 |
243 | --- a/ssh.1 | 243 | --- a/ssh.1 |
244 | +++ b/ssh.1 | 244 | +++ b/ssh.1 |
245 | @@ -1355,6 +1355,8 @@ The file format and configuration options are described in | 245 | @@ -1371,6 +1371,8 @@ The file format and configuration options are described in |
246 | .Xr ssh_config 5 . | 246 | .Xr ssh_config 5 . |
247 | Because of the potential for abuse, this file must have strict permissions: | 247 | Because of the potential for abuse, this file must have strict permissions: |
248 | read/write for the user, and not writable by others. | 248 | read/write for the user, and not writable by others. |
@@ -252,10 +252,10 @@ index da64b71..53c711a 100644 | |||
252 | .It Pa ~/.ssh/environment | 252 | .It Pa ~/.ssh/environment |
253 | Contains additional definitions for environment variables; see | 253 | Contains additional definitions for environment variables; see |
254 | diff --git a/ssh_config.5 b/ssh_config.5 | 254 | diff --git a/ssh_config.5 b/ssh_config.5 |
255 | index 250c0d1..8abcf40 100644 | 255 | index 21d3e94..1d0c52b 100644 |
256 | --- a/ssh_config.5 | 256 | --- a/ssh_config.5 |
257 | +++ b/ssh_config.5 | 257 | +++ b/ssh_config.5 |
258 | @@ -1701,6 +1701,8 @@ The format of this file is described above. | 258 | @@ -1706,6 +1706,8 @@ The format of this file is described above. |
259 | This file is used by the SSH client. | 259 | This file is used by the SSH client. |
260 | Because of the potential for abuse, this file must have strict permissions: | 260 | Because of the potential for abuse, this file must have strict permissions: |
261 | read/write for the user, and not accessible by others. | 261 | read/write for the user, and not accessible by others. |