From b5a62d0300b9e469ee2e84df6de1ad36e32ed4d7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 31 Aug 2010 22:47:15 +1000 Subject: - (djm) [Makefile.in] Add new ECC files --- Makefile.in | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'Makefile.in') diff --git a/Makefile.in b/Makefile.in index 5654d4341..bfd37d51e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.310 2010/05/12 06:51:39 dtucker Exp $ +# $Id: Makefile.in,v 1.311 2010/08/31 12:47:15 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -71,10 +71,10 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ log.o match.o md-sha256.o moduli.o nchan.o packet.o \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ - monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ - kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ - entropy.o gss-genr.o umac.o jpake.o schnorr.o \ - ssh-pkcs11.o + monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ + kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ + msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ + schnorr.o ssh-pkcs11.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ @@ -86,7 +86,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth-chall.o auth2-chall.o groupaccess.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ + monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ -- cgit v1.2.3 From 41bccf75af219888d55552134242207392d91d67 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 2 Jan 2011 21:53:07 +1100 Subject: - (djm) [configure.ac] Check whether libdes is needed when building with Heimdal krb5 support. On OpenBSD this library no longer exists, so linking it unconditionally causes a build failure; ok dtucker --- ChangeLog | 3 +++ Makefile.in | 4 ++-- configure.ac | 8 +++++--- 3 files changed, 10 insertions(+), 5 deletions(-) (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index 5007e8c52..a1828c1f9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 20110102 - (djm) [loginrec.c] Fix some fd leaks on error paths. ok dtucker + - (djm) [configure.ac] Check whether libdes is needed when building + with Heimdal krb5 support. On OpenBSD this library no longer exists, + so linking it unconditionally causes a build failure; ok dtucker 20101226 - (dtucker) OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index bfd37d51e..889b23db3 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.311 2010/08/31 12:47:15 djm Exp $ +# $Id: Makefile.in,v 1.312 2011/01/02 10:53:08 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -230,7 +230,7 @@ catman-do: @for f in $(MANPAGES_IN) ; do \ base=`echo $$f | sed 's/\..*$$//'` ; \ echo "$$f -> $$base.0" ; \ - nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \ + mandoc $$f | cat -v | sed -e 's/.\^H//g' \ >$$base.0 ; \ done diff --git a/configure.ac b/configure.ac index 0ea76c8fd..ec562b1c2 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.459 2010/12/04 12:20:50 dtucker Exp $ +# $Id: configure.ac,v 1.460 2011/01/02 10:53:09 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.459 $) +AC_REVISION($Revision: 1.460 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -3516,10 +3516,12 @@ AC_ARG_WITH(kerberos5, [ char *tmp = heimdal_version; ], [ AC_MSG_RESULT(yes) AC_DEFINE(HEIMDAL) - K5LIBS="-lkrb5 -ldes" + K5LIBS="-lkrb5" K5LIBS="$K5LIBS -lcom_err -lasn1" AC_CHECK_LIB(roken, net_write, [K5LIBS="$K5LIBS -lroken"]) + AC_CHECK_LIB(des, des_cbc_encrypt, + [K5LIBS="$K5LIBS -ldes"]) ], [ AC_MSG_RESULT(no) K5LIBS="-lkrb5 -lk5crypto -lcom_err" -- cgit v1.2.3 From d197fd64a1fa309295a99ce46e9ee016b84d2a59 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 3 Jan 2011 14:48:14 +1100 Subject: - (djm) [Makefile.in] revert local hack I didn't intend to commit --- ChangeLog | 3 +++ Makefile.in | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index a1828c1f9..4ee52850b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20110102 + - (djm) [Makefile.in] revert local hack I didn't intend to commit + 20110102 - (djm) [loginrec.c] Fix some fd leaks on error paths. ok dtucker - (djm) [configure.ac] Check whether libdes is needed when building diff --git a/Makefile.in b/Makefile.in index 889b23db3..b46a7b26f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.312 2011/01/02 10:53:08 djm Exp $ +# $Id: Makefile.in,v 1.313 2011/01/03 03:48:16 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -230,7 +230,7 @@ catman-do: @for f in $(MANPAGES_IN) ; do \ base=`echo $$f | sed 's/\..*$$//'` ; \ echo "$$f -> $$base.0" ; \ - mandoc $$f | cat -v | sed -e 's/.\^H//g' \ + nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \ >$$base.0 ; \ done -- cgit v1.2.3 From 30a69e7bba0161eabb678b9902fbd04e7495d86e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 4 Jan 2011 08:16:27 +1100 Subject: - (djm) [configure.ac Makefile.in] Use mandoc as preferred manpage formatter if it is present, followed by nroff and groff respectively. Fixes distprep target on OpenBSD (which has bumped groff/nroff to ports in favour of mandoc). feedback and ok tim --- ChangeLog | 8 +++++++- Makefile.in | 5 +++-- configure.ac | 20 ++++++++++++++++++-- 3 files changed, 28 insertions(+), 5 deletions(-) (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index 4ee52850b..135ad48fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,10 @@ -20110102 +20110104 + - (djm) [configure.ac Makefile.in] Use mandoc as preferred manpage + formatter if it is present, followed by nroff and groff respectively. + Fixes distprep target on OpenBSD (which has bumped groff/nroff to ports + in favour of mandoc). feedback and ok tim + +20110103 - (djm) [Makefile.in] revert local hack I didn't intend to commit 20110102 diff --git a/Makefile.in b/Makefile.in index b46a7b26f..be65be6b3 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.313 2011/01/03 03:48:16 djm Exp $ +# $Id: Makefile.in,v 1.314 2011/01/03 21:16:29 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -58,6 +58,7 @@ ENT=@ENT@ XAUTH_PATH=@XAUTH_PATH@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ EXEEXT=@EXEEXT@ +MANFMT=@MANFMT@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ @@ -230,7 +231,7 @@ catman-do: @for f in $(MANPAGES_IN) ; do \ base=`echo $$f | sed 's/\..*$$//'` ; \ echo "$$f -> $$base.0" ; \ - nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \ + $(MANFMT) $$f | cat -v | sed -e 's/.\^H//g' \ >$$base.0 ; \ done diff --git a/configure.ac b/configure.ac index ec562b1c2..0eeb4df78 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.460 2011/01/02 10:53:09 djm Exp $ +# $Id: configure.ac,v 1.461 2011/01/03 21:16:29 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.460 $) +AC_REVISION($Revision: 1.461 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -41,8 +41,24 @@ AC_PATH_PROG(TEST_MINUS_S_SH, bash) AC_PATH_PROG(TEST_MINUS_S_SH, ksh) AC_PATH_PROG(TEST_MINUS_S_SH, sh) AC_PATH_PROG(SH, sh) +AC_PATH_PROG(GROFF, groff) +AC_PATH_PROG(NROFF, nroff) +AC_PATH_PROG(MANDOC, mandoc) AC_SUBST(TEST_SHELL,sh) +dnl select manpage formatter +if test "x$MANDOC" != "x" ; then + MANFMT="$MANDOC" +elif test "x$NROFF" != "x" ; then + MANFMT="$NROFF -mandoc" +elif test "x$GROFF" != "x" ; then + MANFMT="$GROFF -mandoc -Tascii" +else + AC_MSG_WARN([no manpage formatted found]) + MANFMT="false" +fi +AC_SUBST(MANFMT) + dnl for buildpkg.sh AC_PATH_PROG(PATH_GROUPADD_PROG, groupadd, groupadd, [/usr/sbin${PATH_SEPARATOR}/etc]) -- cgit v1.2.3 From e63b7f28213b28efb412e7ea723fdb2b8de4843b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 9 Jan 2011 09:19:50 +1100 Subject: - (djm) [Makefile.in] list ssh_host_ecdsa key in PATHSUBS; spotted by openssh AT roumenpetrov.info --- ChangeLog | 4 ++++ Makefile.in | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index 31868a919..6dde0e858 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20110109 + - (djm) [Makefile.in] list ssh_host_ecdsa key in PATHSUBS; spotted by + openssh AT roumenpetrov.info + 20110108 - (djm) [regress/keytype.sh] s/echo -n/echon/ to repair failing regress test on OSX and others. Reported by imorgan AT nas.nasa.gov diff --git a/Makefile.in b/Makefile.in index be65be6b3..7c55c7582 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.314 2011/01/03 21:16:29 djm Exp $ +# $Id: Makefile.in,v 1.315 2011/01/08 22:19:53 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -109,6 +109,7 @@ PATHSUBS = \ -e 's|/usr/libexec|$(libexecdir)|g' \ -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \ -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \ + -e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \ -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ -- cgit v1.2.3 From cce927c25f93596a62b6d45c61a9d7fddf3d35c2 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 12 Jan 2011 19:06:31 -0800 Subject: - (tim) [Makefile.in] test the ECC bits if we have the capability. ok djm --- ChangeLog | 1 + Makefile.in | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index 986c2ae2c..56a808bcd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ 20110213 - (djm) [misc.c] include time.h for nanosleep() prototype + - (tim) [Makefile.in] test the ECC bits if we have the capability. ok djm 20110212 - OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index 7c55c7582..13b6dedea 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.315 2011/01/08 22:19:53 djm Exp $ +# $Id: Makefile.in,v 1.316 2011/01/13 03:06:38 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -407,6 +407,7 @@ tests interop-tests: $(TARGETS) TEST_SSH_PUTTYGEN="puttygen"; \ TEST_SSH_CONCH="conch"; \ TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \ + TEST_SSH_ECC="@TEST_SSH_ECC@" ; \ cd $(srcdir)/regress || exit $$?; \ $(MAKE) \ .OBJDIR="$${BUILDDIR}/regress" \ @@ -427,7 +428,8 @@ tests interop-tests: $(TARGETS) TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \ TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \ TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \ - TEST_SSH_IPV6="@TEST_SSH_IPV6@" \ + TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \ + TEST_SSH_ECC="$${TEST_SSH_ECC}" \ EXEEXT="$(EXEEXT)" \ $@ && echo all tests passed -- cgit v1.2.3 From 9b87a5ce3ca693c257c6097fb4c6906910b1900b Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 12 Jan 2011 22:35:43 -0800 Subject: - (tim) [Makefile.in configure.ac opensshd.init.in] Add support for generating ecdsa keys. ok djm. --- ChangeLog | 2 ++ Makefile.in | 28 ++++++++++++++++++---------- configure.ac | 7 +++++-- opensshd.init.in | 4 ++++ 4 files changed, 29 insertions(+), 12 deletions(-) (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index 56a808bcd..2cc303de0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20110213 - (djm) [misc.c] include time.h for nanosleep() prototype - (tim) [Makefile.in] test the ECC bits if we have the capability. ok djm + - (tim) [Makefile.in configure.ac opensshd.init.in] Add support for generating + ecdsa keys. ok djm. 20110212 - OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index 13b6dedea..ea6fadc4a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.316 2011/01/13 03:06:38 tim Exp $ +# $Id: Makefile.in,v 1.317 2011/01/13 06:35:46 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -326,20 +326,27 @@ install-sysconf: host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ - if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \ - echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \ + if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \ + echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \ else \ - ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ + ./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \ fi ; \ - if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key ] ; then \ - echo "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ + if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \ + echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ else \ - ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ + ./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \ fi ; \ - if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key ] ; then \ - echo "$(DESTDIR)$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \ + if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \ + echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \ else \ - ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" ; \ + ./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \ + fi ; \ + if [ -z "@COMMENT_OUT_ECC@" ] ; then \ + if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \ + echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \ + fi ; \ fi ; \ fi ; @@ -347,6 +354,7 @@ host-key-force: ssh-keygen$(EXEEXT) ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" +@COMMENT_OUT_ECC@ ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N "" uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config diff --git a/configure.ac b/configure.ac index 93dd22174..3d4d11c92 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.463 2011/01/12 05:00:39 djm Exp $ +# $Id: configure.ac,v 1.464 2011/01/13 06:35:46 tim Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.463 $) +AC_REVISION($Revision: 1.464 $) AC_CONFIG_SRCDIR([ssh.c]) # local macros @@ -2258,13 +2258,16 @@ int main(void) { AC_DEFINE(OPENSSL_HAS_ECC, 1, [libcrypto includes complete ECC support]) TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" ], [ AC_MSG_RESULT(no) TEST_SSH_ECC=no + COMMENT_OUT_ECC="#no ecc#" ] ) AC_SUBST(TEST_SSH_ECC) +AC_SUBST(COMMENT_OUT_ECC) saved_LIBS="$LIBS" AC_CHECK_LIB(iaf, ia_openinfo, [ diff --git a/opensshd.init.in b/opensshd.init.in index d0aff7794..0db60caa7 100755 --- a/opensshd.init.in +++ b/opensshd.init.in @@ -20,6 +20,7 @@ SSH_KEYGEN=$prefix/bin/ssh-keygen HOST_KEY_RSA1=$sysconfdir/ssh_host_key HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key +@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key checkkeys() { @@ -32,6 +33,9 @@ checkkeys() { if [ ! -f $HOST_KEY_RSA ]; then ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N "" fi +@COMMENT_OUT_ECC@ if [ ! -f $HOST_KEY_ECDSA ]; then +@COMMENT_OUT_ECC@ ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N "" +@COMMENT_OUT_ECC@ fi } stop_service() { -- cgit v1.2.3 From e9b40487fa41696a8f045ff7a5447ce9da511913 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 14 Jan 2011 14:47:37 +1100 Subject: - (djm) [Makefile.in] Use shell test to disable ecdsa key generating in host-key-force target rather than a substitution that is replaced with a comment so that the Makefile.in is still a syntactically valid Makefile (useful to run the distprep target) --- ChangeLog | 4 ++++ Makefile.in | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index 5ea138ed7..f441d8d63 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ [PROTOCOL.mux] correct protocol names and add a couple of missing protocol number defines; patch from bert.wesarg AT googlemail.com + - (djm) [Makefile.in] Use shell test to disable ecdsa key generating in + host-key-force target rather than a substitution that is replaced with a + comment so that the Makefile.in is still a syntactically valid Makefile + (useful to run the distprep target) 20110213 - (djm) [misc.c] include time.h for nanosleep() prototype diff --git a/Makefile.in b/Makefile.in index ea6fadc4a..3ace262e8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.317 2011/01/13 06:35:46 tim Exp $ +# $Id: Makefile.in,v 1.318 2011/01/14 03:47:40 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -354,7 +354,7 @@ host-key-force: ssh-keygen$(EXEEXT) ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" -@COMMENT_OUT_ECC@ ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N "" + test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N "" uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config -- cgit v1.2.3 From 50c61f88abdb356d45026dc1427ddb461b626e45 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 16 Jan 2011 18:28:09 +1100 Subject: - (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-based on configurations that don't have it. --- ChangeLog | 4 ++++ Makefile.in | 4 +++- configure.ac | 8 +++++--- regress/kextype.sh | 4 +++- 4 files changed, 15 insertions(+), 5 deletions(-) (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index ccc8bc302..1266e9984 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20110116 + - (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-based + on configurations that don't have it. + 20110114 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/01/13 21:54:53 diff --git a/Makefile.in b/Makefile.in index 3ace262e8..c4011daf7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.318 2011/01/14 03:47:40 djm Exp $ +# $Id: Makefile.in,v 1.319 2011/01/16 07:28:10 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -416,6 +416,7 @@ tests interop-tests: $(TARGETS) TEST_SSH_CONCH="conch"; \ TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \ TEST_SSH_ECC="@TEST_SSH_ECC@" ; \ + TEST_SSH_SHA256="@TEST_SSH_SHA256@" ; \ cd $(srcdir)/regress || exit $$?; \ $(MAKE) \ .OBJDIR="$${BUILDDIR}/regress" \ @@ -438,6 +439,7 @@ tests interop-tests: $(TARGETS) TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \ TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \ TEST_SSH_ECC="$${TEST_SSH_ECC}" \ + TEST_SSH_SHA256="$${TEST_SSH_SHA256}" \ EXEEXT="$(EXEEXT)" \ $@ && echo all tests passed diff --git a/configure.ac b/configure.ac index 3d4d11c92..1817dd909 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.464 2011/01/13 06:35:46 tim Exp $ +# $Id: configure.ac,v 1.465 2011/01/16 07:28:12 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.464 $) +AC_REVISION($Revision: 1.465 $) AC_CONFIG_SRCDIR([ssh.c]) # local macros @@ -2239,7 +2239,9 @@ if test "x$check_for_libcrypt_later" = "x1"; then fi # Search for SHA256 support in libc and/or OpenSSL -AC_CHECK_FUNCS(SHA256_Update EVP_sha256) +AC_CHECK_FUNCS(SHA256_Update EVP_sha256, [TEST_SSH_SHA256=yes], + [TEST_SSH_SHA256=no]) +AC_SUBST(TEST_SSH_SHA256) # Check complete ECC support in OpenSSL AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) diff --git a/regress/kextype.sh b/regress/kextype.sh index 9f8b7bcd0..79c0817bb 100644 --- a/regress/kextype.sh +++ b/regress/kextype.sh @@ -10,7 +10,9 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak if test "$TEST_SSH_ECC" = "yes"; then kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521" fi -kextypes="$kextypes diffie-hellman-group-exchange-sha256" +if test "$TEST_SSH_SHA256" = "yes"; then + kextypes="$kextypes diffie-hellman-group-exchange-sha256" +fi kextypes="$kextypes diffie-hellman-group-exchange-sha1" kextypes="$kextypes diffie-hellman-group14-sha1" kextypes="$kextypes diffie-hellman-group1-sha1" -- cgit v1.2.3 From ea52a829699e981a58a69a77342e7ca3715a5f5b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 17 Jan 2011 21:15:27 +1100 Subject: - (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem support, based on patches from Tomas Mraz and jchadima at redhat. --- ChangeLog | 3 ++ LICENCE | 1 + Makefile.in | 5 ++- audit-bsm.c | 6 +-- audit-linux.c | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ audit.c | 10 ++--- audit.h | 9 +++-- configure.ac | 16 ++++++-- defines.h | 7 +++- loginrec.c | 4 +- 10 files changed, 167 insertions(+), 20 deletions(-) create mode 100644 audit-linux.c (limited to 'Makefile.in') diff --git a/ChangeLog b/ChangeLog index 6230fdc26..f393ca491 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,9 @@ - (tim) [regress/agent-getpeereid.sh] shell portability fix. - (dtucker) [openbsd-compat/port-linux.c] Fix minor bug caught by -Werror on the tinderbox. + - (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h + configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem + support, based on patches from Tomas Mraz and jchadima at redhat. 20110116 - (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-based diff --git a/LICENCE b/LICENCE index 3964b1d77..120d6fd54 100644 --- a/LICENCE +++ b/LICENCE @@ -206,6 +206,7 @@ OpenSSH contains no GPL code. Sun Microsystems The SCO Group Daniel Walsh + Red Hat, Inc * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/Makefile.in b/Makefile.in index c4011daf7..77a78aa61 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.319 2011/01/16 07:28:10 dtucker Exp $ +# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -82,6 +82,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ roaming_common.o roaming_client.o SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ auth.o auth1.o auth2.o auth-options.o session.o \ auth-chall.o auth2-chall.o groupaccess.o \ @@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ + sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out diff --git a/audit-bsm.c b/audit-bsm.c index 2c417bc27..f196d4f1e 100644 --- a/audit-bsm.c +++ b/audit-bsm.c @@ -1,4 +1,4 @@ -/* $Id: audit-bsm.c,v 1.6 2008/02/25 10:05:04 dtucker Exp $ */ +/* $Id: audit-bsm.c,v 1.7 2011/01/17 10:15:29 dtucker Exp $ */ /* * TODO @@ -305,13 +305,13 @@ audit_run_command(const char *command) } void -audit_session_open(const char *ttyn) +audit_session_open(struct logininfo *li) { /* not implemented */ } void -audit_session_close(const char *ttyn) +audit_session_close(struct logininfo *li) { /* not implemented */ } diff --git a/audit-linux.c b/audit-linux.c new file mode 100644 index 000000000..b3ee2f4da --- /dev/null +++ b/audit-linux.c @@ -0,0 +1,126 @@ +/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */ + +/* + * Copyright 2010 Red Hat, Inc. All rights reserved. + * Use is subject to license terms. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Red Hat author: Jan F. Chadima + */ + +#include "includes.h" +#if defined(USE_LINUX_AUDIT) +#include +#include +#include + +#include "log.h" +#include "audit.h" +#include "canohost.h" + +const char* audit_username(void); + +int +linux_audit_record_event(int uid, const char *username, + const char *hostname, const char *ip, const char *ttyn, int success) +{ + int audit_fd, rc, saved_errno; + + audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return 1; /* No audit support in kernel */ + else + return 0; /* Must prevent login */ + } + rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, + NULL, "login", username ? username : "(unknown)", + username == NULL ? uid : -1, hostname, ip, ttyn, success); + saved_errno = errno; + close(audit_fd); + /* + * Do not report error if the error is EPERM and sshd is run as non + * root user. + */ + if ((rc == -EPERM) && (geteuid() != 0)) + rc = 0; + errno = saved_errno; + return (rc >= 0); +} + +/* Below is the sshd audit API code */ + +void +audit_connection_from(const char *host, int port) +{ +} + /* not implemented */ + +void +audit_run_command(const char *command) +{ + /* not implemented */ +} + +void +audit_session_open(struct logininfo *li) +{ + if (linux_audit_record_event(li->uid, NULL, li->hostname, + NULL, li->line, 1) == 0) + fatal("linux_audit_write_entry failed: %s", strerror(errno)); +} + +void +audit_session_close(struct logininfo *li) +{ + /* not implemented */ +} + +void +audit_event(ssh_audit_event_t event) +{ + switch(event) { + case SSH_AUTH_SUCCESS: + case SSH_CONNECTION_CLOSE: + case SSH_NOLOGIN: + case SSH_LOGIN_EXCEED_MAXTRIES: + case SSH_LOGIN_ROOT_DENIED: + break; + + case SSH_AUTH_FAIL_NONE: + case SSH_AUTH_FAIL_PASSWD: + case SSH_AUTH_FAIL_KBDINT: + case SSH_AUTH_FAIL_PUBKEY: + case SSH_AUTH_FAIL_HOSTBASED: + case SSH_AUTH_FAIL_GSSAPI: + case SSH_INVALID_USER: + linux_audit_record_event(-1, audit_username(), NULL, + get_remote_ipaddr(), "sshd", 0); + break; + + default: + debug("%s: unhandled event %d", __func__, event); + } +} + +#endif /* USE_LINUX_AUDIT */ diff --git a/audit.c b/audit.c index dbea34cb2..ced57fa64 100644 --- a/audit.c +++ b/audit.c @@ -1,4 +1,4 @@ -/* $Id: audit.c,v 1.5 2006/09/01 05:38:36 djm Exp $ */ +/* $Id: audit.c,v 1.6 2011/01/17 10:15:30 dtucker Exp $ */ /* * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. @@ -147,9 +147,9 @@ audit_event(ssh_audit_event_t event) * within a single connection. */ void -audit_session_open(const char *ttyn) +audit_session_open(struct logininfo *li) { - const char *t = ttyn ? ttyn : "(no tty)"; + const char *t = li->line ? li->line : "(no tty)"; debug("audit session open euid %d user %s tty name %s", geteuid(), audit_username(), t); @@ -163,9 +163,9 @@ audit_session_open(const char *ttyn) * within a single connection. */ void -audit_session_close(const char *ttyn) +audit_session_close(struct logininfo *li) { - const char *t = ttyn ? ttyn : "(no tty)"; + const char *t = li->line ? li->line : "(no tty)"; debug("audit session close euid %d user %s tty name %s", geteuid(), audit_username(), t); diff --git a/audit.h b/audit.h index 695f72354..92ede5bc4 100644 --- a/audit.h +++ b/audit.h @@ -1,4 +1,4 @@ -/* $Id: audit.h,v 1.3 2006/08/05 14:05:10 dtucker Exp $ */ +/* $Id: audit.h,v 1.4 2011/01/17 10:15:30 dtucker Exp $ */ /* * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. @@ -26,6 +26,9 @@ #ifndef _SSH_AUDIT_H # define _SSH_AUDIT_H + +#include "loginrec.h" + enum ssh_audit_event_type { SSH_LOGIN_EXCEED_MAXTRIES, SSH_LOGIN_ROOT_DENIED, @@ -46,8 +49,8 @@ typedef enum ssh_audit_event_type ssh_audit_event_t; void audit_connection_from(const char *, int); void audit_event(ssh_audit_event_t); -void audit_session_open(const char *); -void audit_session_close(const char *); +void audit_session_open(struct logininfo *); +void audit_session_close(struct logininfo *); void audit_run_command(const char *); ssh_audit_event_t audit_classify_auth(const char *); diff --git a/configure.ac b/configure.ac index 02e8423c0..233d3cfa1 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.466 2011/01/17 05:17:09 djm Exp $ +# $Id: configure.ac,v 1.467 2011/01/17 10:15:30 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.466 $) +AC_REVISION($Revision: 1.467 $) AC_CONFIG_SRCDIR([ssh.c]) # local macros @@ -1378,7 +1378,7 @@ int main(void) AUDIT_MODULE=none AC_ARG_WITH(audit, - [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)], + [ --with-audit=module Enable audit support (modules=debug,bsm,linux)], [ AC_MSG_CHECKING(for supported audit module) case "$withval" in @@ -1402,10 +1402,18 @@ AC_ARG_WITH(audit, AC_CHECK_FUNCS(getaudit_addr aug_get_machine) AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module]) ;; + linux) + AC_MSG_RESULT(linux) + AUDIT_MODULE=linux + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS(libaudit.h) + SSHDLIBS="$SSHDLIBS -laudit" + AC_DEFINE(USE_LINUX_AUDIT, 1, [Use Linux audit module]) + ;; debug) AUDIT_MODULE=debug AC_MSG_RESULT(debug) - AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module) + AC_DEFINE(SSH_AUDIT_EVENTS, 1, [Use audit debugging module]) ;; no) AC_MSG_RESULT(no) diff --git a/defines.h b/defines.h index ed438bd88..cd273066d 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.163 2010/11/23 23:50:05 djm Exp $ */ +/* $Id: defines.h,v 1.164 2011/01/17 10:15:31 dtucker Exp $ */ /* Constants */ @@ -607,6 +607,11 @@ struct winsize { # define CUSTOM_SSH_AUDIT_EVENTS #endif +#ifdef USE_LINUX_AUDIT +# define SSH_AUDIT_EVENTS +# define CUSTOM_SSH_AUDIT_EVENTS +#endif + #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__) # define __func__ __FUNCTION__ #elif !defined(HAVE___func__) diff --git a/loginrec.c b/loginrec.c index 587d55f7d..32941c985 100644 --- a/loginrec.c +++ b/loginrec.c @@ -469,9 +469,9 @@ login_write(struct logininfo *li) #endif #ifdef SSH_AUDIT_EVENTS if (li->type == LTYPE_LOGIN) - audit_session_open(li->line); + audit_session_open(li); else if (li->type == LTYPE_LOGOUT) - audit_session_close(li->line); + audit_session_close(li); #endif return (0); } -- cgit v1.2.3 From 4e8aa4da57000c7bba8e5c49163bc0c0ca383f78 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 24 Jan 2011 11:40:46 +0000 Subject: import openssh-5.6p1-gsskex-all-20110101.patch --- ChangeLog.gssapi | 18 ++++++++++++++---- Makefile.in | 4 ++-- key.c | 2 ++ readconf.c | 7 +++++++ readconf.h | 1 + servconf.c | 7 +++++++ ssh_config.5 | 5 +++++ sshconnect2.c | 10 ++++++++-- 8 files changed, 46 insertions(+), 8 deletions(-) (limited to 'Makefile.in') diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi index 0c3f5a44f..f117a336a 100644 --- a/ChangeLog.gssapi +++ b/ChangeLog.gssapi @@ -1,10 +1,20 @@ +20110101 + - Finally update for OpenSSH 5.6p1 + - Add GSSAPIServerIdentity option from Jim Basney + +20100308 + - [ Makefile.in, key.c, key.h ] + Updates for OpenSSH 5.4p1 + - [ servconf.c ] + Include GSSAPI options in the sshd -T configuration dump, and flag + some older configuration options as being unsupported. Thanks to Colin + Watson. + - + 20100124 - [ sshconnect2.c ] Adapt to deal with additional element in Authmethod structure. Thanks to - Colin Wilson - - [ clientloop.c ] - Protect credentials updated code with suitable #ifdefs. Thanks to Colin - Wilson + Colin Watson 20090615 - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c diff --git a/Makefile.in b/Makefile.in index 8678a1dc5..eaf362652 100644 --- a/Makefile.in +++ b/Makefile.in @@ -73,8 +73,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ - entropy.o gss-genr.o umac.o jpake.o schnorr.o \ - ssh-pkcs11.o kexgssc.o + entropy.o gss-genr.o umac.o jpake.o schnorr.o kexgssc.o \ + ssh-pkcs11.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff --git a/key.c b/key.c index 57ad9fd02..020f503b6 100644 --- a/key.c +++ b/key.c @@ -851,6 +851,8 @@ key_ssh_name(const Key *k) return "ssh-rsa-cert-v01@openssh.com"; case KEY_DSA_CERT: return "ssh-dss-cert-v01@openssh.com"; + case KEY_NULL: + return "null"; } return "ssh-unknown"; } diff --git a/readconf.c b/readconf.c index 36750a843..0d551b9ae 100644 --- a/readconf.c +++ b/readconf.c @@ -128,6 +128,7 @@ typedef enum { oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, + oGssServerIdentity, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, @@ -171,6 +172,7 @@ static struct { { "gssapidelegatecredentials", oGssDelegateCreds }, { "gssapitrustdns", oGssTrustDns }, { "gssapiclientidentity", oGssClientIdentity }, + { "gssapiserveridentity", oGssServerIdentity }, { "gssapirenewalforcesrekey", oGssRenewalRekey }, #else { "gssapiauthentication", oUnsupported }, @@ -499,6 +501,10 @@ parse_flag: charptr = &options->gss_client_identity; goto parse_string; + case oGssServerIdentity: + charptr = &options->gss_server_identity; + goto parse_string; + case oGssRenewalRekey: intptr = &options->gss_renewal_rekey; goto parse_flag; @@ -1088,6 +1094,7 @@ initialize_options(Options * options) options->gss_trust_dns = -1; options->gss_renewal_rekey = -1; options->gss_client_identity = NULL; + options->gss_server_identity = NULL; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; diff --git a/readconf.h b/readconf.h index f81eaff47..bb3ff0481 100644 --- a/readconf.h +++ b/readconf.h @@ -51,6 +51,7 @@ typedef struct { int gss_trust_dns; /* Trust DNS for GSS canonicalization */ int gss_renewal_rekey; /* Credential renewal forces rekey */ char *gss_client_identity; /* Principal to initiate GSSAPI with */ + char *gss_server_identity; /* GSSAPI target principal */ int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/servconf.c b/servconf.c index 2aa516b2a..3ce2397c3 100644 --- a/servconf.c +++ b/servconf.c @@ -381,16 +381,20 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, #else { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, #endif + { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, @@ -1684,7 +1688,10 @@ dump_config(ServerOptions *o) #endif #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); + dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); #endif #ifdef JPAKE dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, diff --git a/ssh_config.5 b/ssh_config.5 index 91c2cd2c6..321a94db6 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -519,6 +519,11 @@ Note that this option applies to protocol version 2 only. If set, specifies the GSSAPI client identity that ssh should use when connecting to the server. The default is unset, which means that the default identity will be used. +.It Cm GSSAPIServerIdentity +If set, specifies the GSSAPI server identity that ssh should expect when +connecting to the server. The default is unset, which means that the +expected GSSAPI server identity will be determined from the target +hostname. .It Cm GSSAPIDelegateCredentials Forward (delegate) credentials to the server. The default is diff --git a/sshconnect2.c b/sshconnect2.c index d045365f3..1a03c6bf3 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -197,7 +197,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) kex->gss_deleg_creds = options.gss_deleg_creds; kex->gss_trust_dns = options.gss_trust_dns; kex->gss_client = options.gss_client_identity; - kex->gss_host = gss_host; + if (options.gss_server_identity) { + kex->gss_host = options.gss_server_identity; + } else { + kex->gss_host = gss_host; + } } #endif @@ -624,7 +628,9 @@ userauth_gssapi(Authctxt *authctxt) int ok = 0; const char *gss_host; - if (options.gss_trust_dns) + if (options.gss_server_identity) + gss_host = options.gss_server_identity; + else if (options.gss_trust_dns) gss_host = get_canonical_hostname(1); else gss_host = authctxt->host; -- cgit v1.2.3