From 5b4ccb39dd824bd953f91104a8cf2553038bb82d Mon Sep 17 00:00:00 2001
From: Jan F
Date: Sun, 22 May 2011 23:49:15 +0200
Subject: [PATCH] add gssapi forced command
---
openssh-5.8p2-force_krb.patch | 288 ++++++++++++++++++
...serok.patch => openssh-5.8p2-kuserok.patch | 74 ++---
openssh.spec | 15 +-
3 files changed, 336 insertions(+), 41 deletions(-)
create mode 100644 openssh-5.8p2-force_krb.patch
rename openssh-5.8p1-kuserok.patch => openssh-5.8p2-kuserok.patch (63%)
diff --git a/openssh-5.8p2-force_krb.patch b/openssh-5.8p2-force_krb.patch
new file mode 100644
index 0000000..1842ce4
--- /dev/null
+++ b/openssh-5.8p2-force_krb.patch
@@ -0,0 +1,288 @@ +diff -up openssh-5.8p2/gss-serv-krb5.c.force_krb openssh-5.8p2/gss-serv-krb5.c +--- openssh-5.8p2/gss-serv-krb5.c.force_krb 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.8p2/gss-serv-krb5.c 2011-05-19 03:41:45.801109545 +0200 +@@ -32,7 +32,9 @@ + #include + + #include ++#include + #include ++#include + + #include "xmalloc.h" + #include "key.h" +@@ -40,12 +42,11 @@ + #include "auth.h" + #include "log.h" + #include "servconf.h" ++#include "misc.h" + + #include "buffer.h" + #include "ssh-gss.h" + +-extern ServerOptions options; +- + #ifdef HEIMDAL + # include + #else +@@ -56,6 +57,16 @@ extern ServerOptions options; + # endif + #endif + ++extern Authctxt *the_authctxt; ++extern ServerOptions options; ++ ++/* all commands are allowed by default */ ++char **k5users_allowed_cmds = NULL; ++ ++static int ssh_gssapi_k5login_exists(); ++static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *, ++ int); ++ + static krb5_context krb_context = NULL; + + /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ +@@ -83,10 +94,11 @@ ssh_gssapi_krb5_init(void) + */ + + static int +-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) ++ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *luser) + { + krb5_principal princ; + int retval; ++ int k5login_exists; + + if (ssh_gssapi_krb5_init() == 0) + return 0; +@@ -97,10 +109,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client + krb5_get_err_text(krb_context, retval)); + return 0; + } +- if (krb5_kuserok(krb_context, princ, name)) { ++ /* krb5_kuserok() returns 1 if .k5login DNE and this is self-login. ++ * We have to make sure to check .k5users in that case. */ ++ k5login_exists = ssh_gssapi_k5login_exists(); ++ /* NOTE: .k5login and .k5users must opened as root, not the user, ++ * because if they are on a krb5-protected filesystem, user credentials ++ * to access these files aren't available yet. 
*/ ++ if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) { + retval = 1; + logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", +- name, (char *)client->displayname.value); ++ luser, (char *)client->displayname.value); ++ } else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value, ++ luser, k5login_exists)) { ++ retval = 1; ++ logit("Authorized to %s, krb5 principal %s " ++ "(ssh_gssapi_krb5_cmdok)", ++ luser, (char *)client->displayname.value); + } else + retval = 0; + +@@ -108,6 +132,134 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client + return retval; + } + ++/* Test for existence of .k5login. ++ * We need this as part of our .k5users check, because krb5_kuserok() ++ * returns success if .k5login DNE and user is logging in as himself. ++ * With .k5login absent and .k5users present, we don't want absence ++ * of .k5login to authorize self-login. (absence of both is required) ++ * Returns 1 if .k5login is available, 0 otherwise. ++ */ ++static int ++ssh_gssapi_k5login_exists() ++{ ++ char file[MAXPATHLEN]; ++ struct passwd *pw = the_authctxt->pw; ++ ++ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir); ++ return access(file, F_OK) == 0; ++} ++ ++/* check .k5users for login or command authorization ++ * Returns 1 if principal is authorized, 0 otherwise. ++ * If principal is authorized, (global) k5users_allowed_cmds may be populated. ++ */ ++static int ++ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name, ++ const char *luser, int k5login_exists) ++{ ++ FILE *fp; ++ char file[MAXPATHLEN]; ++ char line[BUFSIZ]; ++ char kuser[65]; /* match krb5_kuserok() */ ++ struct stat st; ++ struct passwd *pw = the_authctxt->pw; ++ int found_principal = 0; ++ int ncommands = 0, allcommands = 0; ++ u_long linenum; ++ ++ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); ++ /* If both .k5login and .k5users DNE, self-login is ok. 
*/ ++ if (!k5login_exists && (access(file, F_OK) == -1)) { ++ return (krb5_aname_to_localname(krb_context, principal, ++ sizeof(kuser), kuser) == 0) && ++ (strcmp(kuser, luser) == 0); ++ } ++ if ((fp = fopen(file, "r")) == NULL) { ++ int saved_errno = errno; ++ /* 2nd access check to ease debugging if file perms are wrong. ++ * But we don't want to report this if .k5users simply DNE. */ ++ if (access(file, F_OK) == 0) { ++ logit("User %s fopen %s failed: %s", ++ pw->pw_name, file, strerror(saved_errno)); ++ } ++ return 0; ++ } ++ /* .k5users must be owned either by the user or by root */ ++ if (fstat(fileno(fp), &st) == -1) { ++ /* can happen, but very wierd error so report it */ ++ logit("User %s fstat %s failed: %s", ++ pw->pw_name, file, strerror(errno)); ++ fclose(fp); ++ return 0; ++ } ++ if (!(st.st_uid == pw->pw_uid || st.st_uid == 0)) { ++ logit("User %s %s is not owned by root or user", ++ pw->pw_name, file); ++ fclose(fp); ++ return 0; ++ } ++ /* .k5users must be a regular file. krb5_kuserok() doesn't do this ++ * check, but we don't want to be deficient if they add a check. */ ++ if (!S_ISREG(st.st_mode)) { ++ logit("User %s %s is not a regular file", pw->pw_name, file); ++ fclose(fp); ++ return 0; ++ } ++ /* file exists; initialize k5users_allowed_cmds (to none!) */ ++ k5users_allowed_cmds = xcalloc(++ncommands, ++ sizeof(*k5users_allowed_cmds)); ++ ++ /* Check each line. ksu allows unlimited length lines. We don't. 
*/ ++ while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line), ++ &linenum) != -1) { ++ char *token; ++ ++ /* we parse just like ksu, even though we could do better */ ++ token = strtok(line, " \t\n"); ++ if (strcmp(name, token) == 0) { ++ /* we matched on client principal */ ++ found_principal = 1; ++ if ((token = strtok(NULL, " \t\n")) == NULL) { ++ /* only shell is allowed */ ++ k5users_allowed_cmds[ncommands-1] = ++ xstrdup(pw->pw_shell); ++ k5users_allowed_cmds = ++ xrealloc(k5users_allowed_cmds, ++ncommands, ++ sizeof(*k5users_allowed_cmds)); ++ break; ++ } ++ /* process the allowed commands */ ++ while (token) { ++ if (strcmp(token, "*") == 0) { ++ allcommands = 1; ++ break; ++ } ++ k5users_allowed_cmds[ncommands-1] = ++ xstrdup(token); ++ k5users_allowed_cmds = ++ xrealloc(k5users_allowed_cmds, ++ncommands, ++ sizeof(*k5users_allowed_cmds)); ++ token = strtok(NULL, " \t\n"); ++ } ++ } ++ } ++ if (k5users_allowed_cmds) { ++ /* terminate vector */ ++ k5users_allowed_cmds[ncommands-1] = NULL; ++ /* if all commands are allowed, free vector */ ++ if (allcommands) { ++ int i; ++ for (i = 0; i < ncommands; i++) { ++ free(k5users_allowed_cmds[i]); ++ } ++ free(k5users_allowed_cmds); ++ k5users_allowed_cmds = NULL; ++ } ++ } ++ fclose(fp); ++ return found_principal; ++} ++ + + /* This writes out any forwarded credentials from the structure populated + * during userauth. 
Called after we have setuid to the user */ +diff -up openssh-5.8p2/session.c.force_krb openssh-5.8p2/session.c +--- openssh-5.8p2/session.c.force_krb 2011-05-19 03:41:41.000000000 +0200 ++++ openssh-5.8p2/session.c 2011-05-19 03:43:32.437173662 +0200 +@@ -816,6 +816,29 @@ do_exec(Session *s, const char *command) + debug("Forced command (key option) '%.900s'", command); + } + ++#ifdef GSSAPI ++#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */ ++ else if (k5users_allowed_cmds) { ++ const char *match = command; ++ int allowed = 0, i = 0; ++ ++ if (!match) ++ match = s->pw->pw_shell; ++ while (k5users_allowed_cmds[i]) { ++ if (strcmp(match, k5users_allowed_cmds[i++]) == 0) { ++ debug("Allowed command '%.900s'", match); ++ allowed = 1; ++ break; ++ } ++ } ++ if (!allowed) { ++ debug("command '%.900s' not allowed", match); ++ return 1; ++ } ++ } ++#endif ++#endif ++ + #ifdef SSH_AUDIT_EVENTS + if (s->command != NULL || s->command_handle != -1) + fatal("do_exec: command already set"); +diff -up openssh-5.8p2/sshd.8.force_krb openssh-5.8p2/sshd.8 +--- openssh-5.8p2/sshd.8.force_krb 2011-05-19 03:41:30.582114401 +0200 ++++ openssh-5.8p2/sshd.8 2011-05-19 03:41:46.159106308 +0200 +@@ -320,6 +320,7 @@ Finally, the server and the client enter + The client tries to authenticate itself using + host-based authentication, + public key authentication, ++GSSAPI authentication, + challenge-response authentication, + or password authentication. + .Pp +@@ -788,6 +789,12 @@ This file is used in exactly the same wa + but allows host-based authentication without permitting login with + rlogin/rsh. + .Pp ++.It Pa ~/.k5login ++.It Pa ~/.k5users ++These files enforce GSSAPI/Kerberos authentication access control. ++Further details are described in ++.Xr ksu 1 . ++.Pp + .It Pa ~/.ssh/ + This directory is the default location for all user-specific configuration + and authentication information. 
+diff -up openssh-5.8p2/ssh-gss.h.force_krb openssh-5.8p2/ssh-gss.h +--- openssh-5.8p2/ssh-gss.h.force_krb 2007-06-12 15:40:39.000000000 +0200 ++++ openssh-5.8p2/ssh-gss.h 2011-05-19 03:41:46.302234118 +0200 +@@ -48,6 +48,10 @@ + #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name + #endif /* GSS_C_NT_... */ + #endif /* !HEIMDAL */ ++ ++/* .k5users support */ ++extern char **k5users_allowed_cmds; ++ + #endif /* KRB5 */ + + /* draft-ietf-secsh-gsskeyex-06 */ diff --git a/openssh-5.8p1-kuserok.patch b/openssh-5.8p2-kuserok.patch similarity index 63% rename from openssh-5.8p1-kuserok.patch rename to openssh-5.8p2-kuserok.patch index fcd05d7..dfbece4 100644 --- a/openssh-5.8p1-kuserok.patch +++ b/openssh-5.8p2-kuserok.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c ---- openssh-5.8p1/auth-krb5.c.kuserok 2009-12-21 00:49:22.000000000 +0100 -+++ openssh-5.8p1/auth-krb5.c 2011-02-14 09:15:12.000000000 +0100 +diff -up openssh-5.8p2/auth-krb5.c.kuserok openssh-5.8p2/auth-krb5.c +--- openssh-5.8p2/auth-krb5.c.kuserok 2011-05-19 16:55:57.176106243 +0200 ++++ openssh-5.8p2/auth-krb5.c 2011-05-19 16:56:02.009109884 +0200 @@ -54,6 +54,20 @@ extern ServerOptions options; 
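Review bot: In ssh_gssapi_krb5_cmdok() the .k5users loop passes the result of `strtok(line, " \t\n")` straight to `strcmp(name, token)`, but strtok() returns NULL for an empty or whitespace-only line, so a blank line in the file makes the process that is taking the authorization decision dereference a null pointer; add `if (token == NULL) continue;` before the comparison. In the same function `u_long linenum;` is passed by address to read_keyfile_line() without being initialised and should be `u_long linenum = 0;`. k5users_allowed_cmds is also allocated as an empty vector before any principal has matched and is left in place when the function returns 0, so the do_exec() check would presumably refuse every command if the user then authenticates by another method; freeing it and resetting it to NULL on the not-found path would avoid that. In the session.c part, a refused command is reported only with `debug("command '%.900s' not allowed", match)`, whereas the grants in gss-serv-krb5.c use logit(); logging refusals with logit() as well keeps them visible at the default log level.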
@@ -31,30 +31,30 @@ diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c problem = -1; goto out; } -diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c ---- openssh-5.8p1/gss-serv-krb5.c.kuserok 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 09:15:12.000000000 +0100 -@@ -57,6 +57,7 @@ extern ServerOptions options; - #endif +diff -up openssh-5.8p2/gss-serv-krb5.c.kuserok openssh-5.8p2/gss-serv-krb5.c +--- openssh-5.8p2/gss-serv-krb5.c.kuserok 2011-05-19 16:56:01.000000000 +0200 ++++ openssh-5.8p2/gss-serv-krb5.c 2011-05-20 05:48:50.681167894 +0200 +@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr + int); static krb5_context krb_context = NULL; +extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *); /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ -@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client - krb5_get_err_text(krb_context, retval)); - return 0; - } -- if (krb5_kuserok(krb_context, princ, name)) { -+ if (ssh_krb5_kuserok(krb_context, princ, name)) { +@@ -115,7 +116,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client + /* NOTE: .k5login and .k5users must opened as root, not the user, + * because if they are on a krb5-protected filesystem, user credentials + * to access these files aren't available yet. 
*/ +- if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) { ++ if (ssh_krb5_kuserok(krb_context, princ, luser) && k5login_exists) { retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", - name, (char *)client->displayname.value); -diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c ---- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100 -+++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100 -@@ -142,6 +142,7 @@ initialize_server_options(ServerOptions + luser, (char *)client->displayname.value); +diff -up openssh-5.8p2/servconf.c.kuserok openssh-5.8p2/servconf.c +--- openssh-5.8p2/servconf.c.kuserok 2011-05-19 16:55:59.549112264 +0200 ++++ openssh-5.8p2/servconf.c 2011-05-19 16:56:02.332106613 +0200 +@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions options->authorized_principals_file = NULL; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; @@ -62,7 +62,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c } void -@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption +@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption if (use_privsep == -1) use_privsep = 1; @@ -71,7 +71,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " -@@ -312,7 +315,7 @@ typedef enum { +@@ -321,7 +324,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 
@@ -80,7 +80,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -381,11 +384,13 @@ static struct { +@@ -392,11 +395,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -94,7 +94,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions +@@ -1374,6 +1379,10 @@ process_server_config_line(ServerOptions *activep = value; break; @@ -105,7 +105,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d +@@ -1577,6 +1586,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); @@ -113,7 +113,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c M_CP_STROPT(banner); if (preauth) -@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o) +@@ -1800,6 +1810,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 
@@ -121,10 +121,10 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h ---- openssh-5.8p1/servconf.h.kuserok 2011-02-14 09:15:12.000000000 +0100 -+++ openssh-5.8p1/servconf.h 2011-02-14 09:15:12.000000000 +0100 -@@ -157,6 +157,7 @@ typedef struct { +diff -up openssh-5.8p2/servconf.h.kuserok openssh-5.8p2/servconf.h +--- openssh-5.8p2/servconf.h.kuserok 2011-05-19 16:55:59.676167388 +0200 ++++ openssh-5.8p2/servconf.h 2011-05-19 16:56:02.449168732 +0200 +@@ -160,6 +160,7 @@ typedef struct { int num_permitted_opens; @@ -132,10 +132,10 @@ diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5 ---- openssh-5.8p1/sshd_config.5.kuserok 2011-02-14 09:15:12.000000000 +0100 -+++ openssh-5.8p1/sshd_config.5 2011-02-14 09:17:11.000000000 +0100 -@@ -574,6 +574,10 @@ Specifies whether to automatically destr +diff -up openssh-5.8p2/sshd_config.5.kuserok openssh-5.8p2/sshd_config.5 +--- openssh-5.8p2/sshd_config.5.kuserok 2011-05-19 16:56:00.265169181 +0200 ++++ openssh-5.8p2/sshd_config.5 2011-05-19 16:56:02.588114955 +0200 +@@ -602,6 +602,10 @@ Specifies whether to automatically destr file on logout. The default is .Dq yes . @@ -146,7 +146,7 @@ diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5 .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -715,6 +719,7 @@ Available keywords are +@@ -743,6 +747,7 @@ Available keywords are .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , 
@@ -154,9 +154,9 @@ diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5 .Cm MaxAuthTries , .Cm MaxSessions , .Cm PubkeyAuthentication , -diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config ---- openssh-5.8p1/sshd_config.kuserok 2011-02-14 09:15:12.000000000 +0100 -+++ openssh-5.8p1/sshd_config 2011-02-14 09:15:12.000000000 +0100 +diff -up openssh-5.8p2/sshd_config.kuserok openssh-5.8p2/sshd_config +--- openssh-5.8p2/sshd_config.kuserok 2011-05-19 16:56:00.886106293 +0200 ++++ openssh-5.8p2/sshd_config 2011-05-19 16:56:02.716105342 +0200 @@ -73,6 +73,7 @@ ChallengeResponseAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes diff --git a/openssh.spec b/openssh.spec index d63f152..c61aeed 100644 --- a/openssh.spec +++ b/openssh.spec @@ -74,7 +74,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.8p2 -%define openssh_rel 1 +%define openssh_rel 2 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 31 @@ -151,8 +151,6 @@ Patch31: openssh-5.2p1-allow-ip-opts.patch Patch32: openssh-5.8p1-randclean.patch # #https://bugzilla.mindrot.org/show_bug.cgi?id=1636 # Patch33: openssh-5.1p1-log-in-chroot.patch -#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 -Patch34: openssh-5.8p1-kuserok.patch #http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h Patch35: openssh-5.8p1-glob.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1891 @@ -182,6 +180,10 @@ Patch60: openssh-5.8p1-gsskex.patch Patch61: openssh-5.8p1-gssapi-canohost.patch #? Patch62: openssh-5.8p1-localdomain.patch +#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html +Patch63: openssh-5.8p2-force_krb.patch +#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 +Patch64: openssh-5.8p2-kuserok.patch #--- #https://bugzilla.mindrot.org/show_bug.cgi?id=1604 # sctp 
@@ -333,6 +335,7 @@ The module is most useful for su and sudo service stacks. %setup -q -a 4 #Do not enable by default ###%patch99 -p1 -b .wIm + %patch0 -p1 -b .redhat %patch100 -p1 -b .fingerprint %patch200 -p1 -b .exit @@ -368,7 +371,6 @@ popd %patch30 -p1 -b .keygen %patch31 -p1 -b .ip-opts %patch32 -p1 -b .randclean -%patch34 -p1 -b .kuserok %patch35 -p1 -b .glob %patch36 -p1 -b .pwchange %patch37 -p1 -b .keyperm @@ -384,6 +386,8 @@ popd %patch60 -p1 -b .gsskex %patch61 -p1 -b .canohost %patch62 -p1 -b .localdomain +%patch63 -p1 -b .force_krb +%patch64 -p1 -b .kuserok autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -736,6 +740,9 @@ exit 0 %endif %changelog +* Mon May 23 2011 Jan F. Chadima - 5.8p2-2 + 0.9.2-31 +- add gssapi forced command + * Tue May 3 2011 Jan F. Chadima - 5.8p2-1 + 0.9.2-31 - update the openssh version