summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/patches/gssapi-autoconf.patch5
-rw-r--r--debian/patches/gssapi-compat.patch30
-rw-r--r--debian/patches/gssapi-dump.patch20
-rw-r--r--debian/patches/gssapi.patch17
-rw-r--r--debian/patches/old-gssapi.patch41
-rw-r--r--debian/patches/series2
6 files changed, 80 insertions, 35 deletions
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index 1e7949116..0ae7d0129 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -1,3 +1,8 @@
1Description: Update config.h.in following GSSAPI patch
2Author: Colin Watson <cjwatson@debian.org>
3Forwarded: not-needed
4Last-Updated: 2010-02-27
5
1Index: b/config.h.in 6Index: b/config.h.in
2=================================================================== 7===================================================================
3--- a/config.h.in 8--- a/config.h.in
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch
new file mode 100644
index 000000000..773a10895
--- /dev/null
+++ b/debian/patches/gssapi-compat.patch
@@ -0,0 +1,30 @@
1Description: Compatibility with old GSSAPI option names
2 These options were supported by the old ssh-krb5 package in Debian.
3Author: Colin Watson <cjwatson@debian.org>
4Last-Updated: 2010-02-27
5
6Index: b/servconf.c
7===================================================================
8--- a/servconf.c
9+++ b/servconf.c
10@@ -375,16 +375,20 @@
11 #ifdef GSSAPI
12 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
13 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
14+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
15 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
16 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
17 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
18 #else
19 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
20 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
21+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
22 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
23 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
24 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
25 #endif
26+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
27+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
28 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
29 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
30 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
new file mode 100644
index 000000000..7292ac08d
--- /dev/null
+++ b/debian/patches/gssapi-dump.patch
@@ -0,0 +1,20 @@
1Description: GSSAPI configuration dump fixes
2 Add GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck to sshd -T
3 configuration dump.
4Author: Colin Watson <cjwatson@debian.org>
5Last-Updated: 2010-02-27
6
7Index: b/servconf.c
8===================================================================
9--- a/servconf.c
10+++ b/servconf.c
11@@ -1624,7 +1624,9 @@
12 #endif
13 #ifdef GSSAPI
14 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
15+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
16 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
17+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
18 #endif
19 #ifdef JPAKE
20 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index a60a8b4e1..6550ba60b 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,3 +1,20 @@
1Description: GSSAPI key exchange support
2 This patch has been rejected upstream: "None of the OpenSSH developers are
3 in favour of adding this, and this situation has not changed for several
4 years. This is not a slight on Simon's patch, which is of fine quality,
5 but just that a) we don't trust GSSAPI implementations that much and b) we
6 don't like adding new KEX since they are pre-auth attack surface. This one
7 is particularly scary, since it requires hooks out to typically root-owned
8 system resources."
9 .
10 However, quite a lot of people rely on this in Debian, and it's better to
11 have it merged into the main openssh package rather than having separate
12 -krb5 packages (as we used to have). It seems to have a generally good
13 security history.
14Author: Simon Wilkinson <simon@sxw.org.uk>
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16Last-Updated: 2010-02-27
17
1Index: b/ChangeLog.gssapi 18Index: b/ChangeLog.gssapi
2=================================================================== 19===================================================================
3--- /dev/null 20--- /dev/null
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
index 272654fd8..e2c4baa49 100644
--- a/debian/patches/old-gssapi.patch
+++ b/debian/patches/old-gssapi.patch
@@ -1,38 +1,9 @@
1Index: b/servconf.c 1Description: Interoperate with old GSSAPI authentication method
2=================================================================== 2 ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
3--- a/servconf.c 3Author: "Aaron M. Ucko" <ucko@debian.org>
4+++ b/servconf.c 4Bug-Debian: http://bugs.debian.org/328388
5@@ -375,16 +375,20 @@ 5Last-Updated: 2010-02-27
6 #ifdef GSSAPI 6
7 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
8 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
9+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
10 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
11 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
12 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
13 #else
14 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
15 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
16+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
17 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
18 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
19 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
20 #endif
21+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
22+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
23 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
24 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
25 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
26@@ -1620,7 +1624,9 @@
27 #endif
28 #ifdef GSSAPI
29 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
30+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
31 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
32+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
33 #endif
34 #ifdef JPAKE
35 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
36Index: b/sshconnect2.c 7Index: b/sshconnect2.c
37=================================================================== 8===================================================================
38--- a/sshconnect2.c 9--- a/sshconnect2.c
diff --git a/debian/patches/series b/debian/patches/series
index fa74a5ee6..18758bf51 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,8 @@
1# GSSAPI 1# GSSAPI
2gssapi.patch 2gssapi.patch
3gssapi-autoconf.patch 3gssapi-autoconf.patch
4gssapi-compat.patch
5gssapi-dump.patch
4old-gssapi.patch 6old-gssapi.patch
5 7
6# Autotools 8# Autotools