From 56276d29ea829cd4c92cd881b496388d93c23dee Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Sat, 27 Feb 2010 18:08:33 +0000
Subject: DEP-3 tagging of GSSAPI patches; split old-gssapi.patch more appropriately
---
debian/patches/gssapi-autoconf.patch | 5 +++++
debian/patches/gssapi-compat.patch | 30 ++++++++++++++++++++++++++
debian/patches/gssapi-dump.patch | 20 ++++++++++++++++++
debian/patches/gssapi.patch | 17 +++++++++++++++
debian/patches/old-gssapi.patch | 41 ++++++------------------------------
debian/patches/series | 2 ++
6 files changed, 80 insertions(+), 35 deletions(-)
create mode 100644 debian/patches/gssapi-compat.patch
create mode 100644 debian/patches/gssapi-dump.patch
(limited to 'debian/patches')
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index 1e7949116..0ae7d0129 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -1,3 +1,8 @@
+Description: Update config.h.in following GSSAPI patch
+Author: Colin Watson
+Forwarded: not-needed
+Last-Updated: 2010-02-27
+
 Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch
new file mode 100644
index 000000000..773a10895
--- /dev/null
+++ b/debian/patches/gssapi-compat.patch
@@ -0,0 +1,30 @@
+Description: Compatibility with old GSSAPI option names
+ These options were supported by the old ssh-krb5 package in Debian.
+Author: Colin Watson
+Last-Updated: 2010-02-27
+
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
++++ b/servconf.c
+@@ -375,16 +375,20 @@
+ #ifdef GSSAPI
+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ #else
+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ #endif
++ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+ { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+ { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
new file mode 100644
index 000000000..7292ac08d
--- /dev/null
+++ b/debian/patches/gssapi-dump.patch
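Review bot: In gssapi-compat.patch the DEP-3 Description does not separate the working alias from the keywords that are only tolerated: `gssapicleanupcreds` maps to `sGssCleanupCreds`, while `gssusesessionccache` and `gssapiusesessioncredcache` are mapped to `sUnsupported` outside the `#ifdef GSSAPI` block. A configuration carried over from ssh-krb5 will therefore parse, but the session credential cache setting presumably has no effect, which an administrator upgrading should be told. I would add a continuation line such as ` GSSAPICleanupCreds is a working alias; the session credential cache options are accepted but ignored.` The header also lacks a `Forwarded:` field, which gssapi-autoconf.patch in this same commit carries. The keyword table begins and ends outside the inner hunk.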
@@ -0,0 +1,20 @@
+Description: GSSAPI configuration dump fixes
+ Add GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck to sshd -T
+ configuration dump.
+Author: Colin Watson
+Last-Updated: 2010-02-27
+
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
++++ b/servconf.c
+@@ -1624,7 +1624,9 @@
+ #endif
+ #ifdef GSSAPI
+ dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
++ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ #endif
+ #ifdef JPAKE
+ dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index a60a8b4e1..6550ba60b 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,3 +1,20 @@
+Description: GSSAPI key exchange support
+ This patch has been rejected upstream: "None of the OpenSSH developers are
+ in favour of adding this, and this situation has not changed for several
+ years. This is not a slight on Simon's patch, which is of fine quality,
+ but just that a) we don't trust GSSAPI implementations that much and b) we
+ don't like adding new KEX since they are pre-auth attack surface. This one
+ is particularly scary, since it requires hooks out to typically root-owned
+ system resources."
+ .
+ However, quite a lot of people rely on this in Debian, and it's better to
+ have it merged into the main openssh package rather than having separate
+ -krb5 packages (as we used to have). It seems to have a generally good
+ security history.
+Author: Simon Wilkinson
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
+Last-Updated: 2010-02-27
+
 Index: b/ChangeLog.gssapi
 ===================================================================
 --- /dev/null
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
index 272654fd8..e2c4baa49 100644
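Review bot: The `sshd -T` dump in gssapi-dump.patch still omits `sGssStoreRekey`, although the keyword table shown in gssapi-compat.patch registers `gssapistorecredentialsonrekey` under `#ifdef GSSAPI`. Someone auditing the effective configuration would see four of the five GSSAPI server options. If the options struct has a matching field (presumably `gss_store_rekey`, not visible here), add `dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);` after the `sGssStrictAcceptor` line. The enclosing function begins and ends outside the inner hunk.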
--- a/debian/patches/old-gssapi.patch
+++ b/debian/patches/old-gssapi.patch
@@ -1,38 +1,9 @@
-Index: b/servconf.c
-===================================================================
---- a/servconf.c
-+++ b/servconf.c
-@@ -375,16 +375,20 @@
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
- { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
- { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
- { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
- { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
- #endif
-+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
- { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1620,7 +1624,9 @@
- #endif
- #ifdef GSSAPI
- dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
-+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
- dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
-+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
- #endif
- #ifdef JPAKE
- dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+Description: Interoperate with old GSSAPI authentication method
+ ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
+Author: "Aaron M. Ucko"
+Bug-Debian: http://bugs.debian.org/328388
+Last-Updated: 2010-02-27
+
 Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
diff --git a/debian/patches/series b/debian/patches/series
index fa74a5ee6..18758bf51 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,8 @@
 # GSSAPI
 gssapi.patch
 gssapi-autoconf.patch
+gssapi-compat.patch
+gssapi-dump.patch
 old-gssapi.patch
 
 # Autotools
-- 
cgit v1.2.3