From 415bddc1bdd2d0be418ab82520512d77643c05b0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 12 Jun 2007 23:43:16 +1000 Subject: - djm@cvs.openbsd.org 2007/06/12 11:15:17 [ssh.c ssh.1] Add "-K" flag for ssh to set GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) and is useful for hosts with /home on Kerberised NFS; bz #1312 patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@ --- ChangeLog | 8 +++++++- ssh.1 | 7 +++++-- ssh.c | 10 +++++++--- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 41c47d2ab..890625fa2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,12 @@ fix slave exit value when a control master goes away without passing the full exit status by ensuring that the slave reads a full int. bz#1261 reported by frekko AT gmail.com; ok markus@ dtucker@ + - djm@cvs.openbsd.org 2007/06/12 11:15:17 + [ssh.c ssh.1] + Add "-K" flag for ssh to set GSSAPIAuthentication=yes and + GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) + and is useful for hosts with /home on Kerberised NFS; bz #1312 + patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@ 20070611 - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit @@ -3037,4 +3043,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4693 2007/06/12 13:41:33 dtucker Exp $ +$Id: ChangeLog,v 1.4694 2007/06/12 13:43:16 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index 6b76c1c0e..336d851dd 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.268 2007/06/07 19:37:34 pvalchev Exp $ -.Dd $Mdocdate: June 7 2007 $ +.\" $OpenBSD: ssh.1,v 1.269 2007/06/12 11:15:17 djm Exp $ +.Dd $Mdocdate: June 11 2007 $ .Dt SSH 1 .Os .Sh NAME @@ -315,6 +315,9 @@ It is possible to have multiple .Fl i options (and multiple identities specified in configuration files). +.It Fl K +Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI +credentials to the server. .It Fl k Disables forwarding (delegation) of GSSAPI credentials to the server. .It Fl L Xo diff --git a/ssh.c b/ssh.c index 74c9a091b..5155da791 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.296 2007/06/12 11:11:08 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.297 2007/06/12 11:15:17 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -185,7 +185,7 @@ static void usage(void) { fprintf(stderr, -"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n" +"usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n" " [-D [bind_address:]port] [-e escape_char] [-F configfile]\n" " [-i identity_file] [-L [bind_address:]port:host:hostport]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" @@ -272,7 +272,7 @@ main(int ac, char **av) again: while ((opt = getopt(ac, av, - "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) { + "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -326,6 +326,10 @@ main(int ac, char **av) case 'k': options.gss_deleg_creds = 0; break; + case 'K': + options.gss_authentication = 1; + options.gss_deleg_creds = 1; + break; case 'i': if (stat(optarg, &st) < 0) { fprintf(stderr, "Warning: Identity file %s " -- cgit v1.2.3