summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog5
-rw-r--r--debian/patches/banner-noslash.patch2
-rw-r--r--debian/patches/old-gssapi.patch115
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/ssh-vulnkey.patch4
5 files changed, 8 insertions, 119 deletions
diff --git a/debian/changelog b/debian/changelog
index 2b75de5a1..8ce7bbae4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,11 @@ openssh (1:5.3p1-4) UNRELEASED; urgency=low
5 * Include debian/ssh-askpass-gnome.png in the Debian tarball now that 5 * Include debian/ssh-askpass-gnome.png in the Debian tarball now that
6 we're using a source format that permits this, rather than messing 6 we're using a source format that permits this, rather than messing
7 around with uudecode. 7 around with uudecode.
8 * Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
9 3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi
10 mechanism was removed due to a serious security hole, and since these
11 versions of ssh-krb5 are no longer security-supported by Debian I don't
12 think there's any point keeping client compatibility for them.
8 13
9 -- Colin Watson <cjwatson@debian.org> Mon, 01 Mar 2010 12:24:41 +0000 14 -- Colin Watson <cjwatson@debian.org> Mon, 01 Mar 2010 12:24:41 +0000
10 15
diff --git a/debian/patches/banner-noslash.patch b/debian/patches/banner-noslash.patch
index af5f4213c..fa7b08f23 100644
--- a/debian/patches/banner-noslash.patch
+++ b/debian/patches/banner-noslash.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect2.c
11=================================================================== 11===================================================================
12--- a/sshconnect2.c 12--- a/sshconnect2.c
13+++ b/sshconnect2.c 13+++ b/sshconnect2.c
14@@ -477,7 +477,7 @@ 14@@ -472,7 +472,7 @@
15 if (len > 65536) 15 if (len > 65536)
16 len = 65536; 16 len = 65536;
17 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */ 17 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
deleted file mode 100644
index 1ef689331..000000000
--- a/debian/patches/old-gssapi.patch
+++ /dev/null
@@ -1,115 +0,0 @@
1Description: Interoperate with old GSSAPI authentication method
2 ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
3 .
4 Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
5Author: "Aaron M. Ucko" <ucko@debian.org>
6Bug-Debian: http://bugs.debian.org/328388
7Forwarded: yes
8Last-Updated: 2010-03-01
9
10Index: b/sshconnect2.c
11===================================================================
12--- a/sshconnect2.c
13+++ b/sshconnect2.c
14@@ -314,6 +314,11 @@
15 NULL,
16 &options.gss_authentication,
17 NULL},
18+ {"gssapi",
19+ userauth_gssapi,
20+ NULL,
21+ &options.gss_authentication,
22+ NULL},
23 #endif
24 {"hostbased",
25 userauth_hostbased,
26@@ -601,6 +606,7 @@
27 OM_uint32 min;
28 int ok = 0;
29 const char *gss_host;
30+ int old_gssapi_method;
31
32 if (options.gss_trust_dns)
33 gss_host = get_canonical_hostname(1);
34@@ -639,13 +645,25 @@
35 packet_put_cstring(authctxt->service);
36 packet_put_cstring(authctxt->method->name);
37
38- packet_put_int(1);
39+ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
40+
41+ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
42+ * tagged OIDs. As such we include both tagged and untagged oids
43+ * for the old gssapi method.
44+ * We only include tagged oids for the new gssapi-with-mic method.
45+ */
46+ packet_put_int(old_gssapi_method ? 2 : 1);
47
48 packet_put_int((gss_supported->elements[mech].length) + 2);
49 packet_put_char(SSH_GSS_OIDTYPE);
50 packet_put_char(gss_supported->elements[mech].length);
51 packet_put_raw(gss_supported->elements[mech].elements,
52 gss_supported->elements[mech].length);
53+ if (old_gssapi_method) {
54+ packet_put_int(gss_supported->elements[mech].length);
55+ packet_put_raw(gss_supported->elements[mech].elements,
56+ gss_supported->elements[mech].length);
57+ }
58
59 packet_send();
60
61@@ -685,8 +703,10 @@
62 }
63
64 if (status == GSS_S_COMPLETE) {
65+ int old_gssapi_method = !strcmp(authctxt->method->name,
66+ "gssapi");
67 /* send either complete or MIC, depending on mechanism */
68- if (!(flags & GSS_C_INTEG_FLAG)) {
69+ if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
70 packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
71 packet_send();
72 } else {
73@@ -720,7 +740,7 @@
74 Authctxt *authctxt = ctxt;
75 Gssctxt *gssctxt;
76 u_int oidlen;
77- u_char *oidv;
78+ u_char *oidv, *oidv_free;
79
80 if (authctxt == NULL)
81 fatal("input_gssapi_response: no authentication context");
82@@ -728,22 +748,28 @@
83
84 /* Setup our OID */
85 oidv = packet_get_string(&oidlen);
86+ oidv_free = oidv;
87
88 if (oidlen <= 2 ||
89 oidv[0] != SSH_GSS_OIDTYPE ||
90 oidv[1] != oidlen - 2) {
91- xfree(oidv);
92 debug("Badly encoded mechanism OID received");
93- userauth(authctxt, NULL);
94- return;
95+ if (oidlen < 2) {
96+ xfree(oidv_free);
97+ userauth(authctxt, NULL);
98+ return;
99+ }
100+ } else {
101+ oidlen -= 2;
102+ oidv += 2;
103 }
104
105- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
106+ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
107 fatal("Server returned different OID than expected");
108
109 packet_check_eom();
110
111- xfree(oidv);
112+ xfree(oidv_free);
113
114 if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
115 /* Start again with next method on list */
diff --git a/debian/patches/series b/debian/patches/series
index fd6f569d0..7f410e363 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
3gssapi-autoconf.patch 3gssapi-autoconf.patch
4gssapi-compat.patch 4gssapi-compat.patch
5gssapi-dump.patch 5gssapi-dump.patch
6old-gssapi.patch
7 6
8# Autotools 7# Autotools
9config-guess-sub.patch 8config-guess-sub.patch
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index c1df3b7f4..a0396a6eb 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1315,7 +1315,7 @@ Index: b/sshconnect2.c
1315=================================================================== 1315===================================================================
1316--- a/sshconnect2.c 1316--- a/sshconnect2.c
1317+++ b/sshconnect2.c 1317+++ b/sshconnect2.c
1318@@ -1418,6 +1418,8 @@ 1318@@ -1392,6 +1392,8 @@
1319 1319
1320 /* list of keys stored in the filesystem */ 1320 /* list of keys stored in the filesystem */
1321 for (i = 0; i < options.num_identity_files; i++) { 1321 for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1324,7 @@ Index: b/sshconnect2.c
1324 key = options.identity_keys[i]; 1324 key = options.identity_keys[i];
1325 if (key && key->type == KEY_RSA1) 1325 if (key && key->type == KEY_RSA1)
1326 continue; 1326 continue;
1327@@ -1508,7 +1510,7 @@ 1327@@ -1482,7 +1484,7 @@
1328 if (id->key && id->key->type != KEY_RSA1) { 1328 if (id->key && id->key->type != KEY_RSA1) {
1329 debug("Offering public key: %s", id->filename); 1329 debug("Offering public key: %s", id->filename);
1330 sent = send_pubkey_test(authctxt, id); 1330 sent = send_pubkey_test(authctxt, id);