add gssapi forced command
This commit is contained in:
parent
c2c99d4dd7
commit
5b4ccb39dd
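--- a/openssh-5.8p2-force_krb.patch
+++ b/openssh-5.8p2-force_krb.patch
@@ -0,0 +1,288 @@
+diff -up openssh-5.8p2/gss-serv-krb5.c.force_krb openssh-5.8p2/gss-serv-krb5.c
+--- openssh-5.8p2/gss-serv-krb5.c.force_krb 2006-09-01 07:38:36.000000000 +0200
++++ openssh-5.8p2/gss-serv-krb5.c 2011-05-19 03:41:45.801109545 +0200
+@@ -32,7 +32,9 @@
+#include <sys/types.h>
+
+#include <stdarg.h>
++#include <stdio.h>
+#include <string.h>
++#include <unistd.h>
+
+#include "xmalloc.h"
+#include "key.h"
+@@ -40,12 +42,11 @@
+#include "auth.h"
+#include "log.h"
+#include "servconf.h"
++#include "misc.h"
+
+#include "buffer.h"
+#include "ssh-gss.h"
+
+-extern ServerOptions options;
+-
+#ifdef HEIMDAL
+# include <krb5.h>
+#else
+@@ -56,6 +57,16 @@ extern ServerOptions options;
+# endif
+#endif
+
++extern Authctxt *the_authctxt;
++extern ServerOptions options;
++
++/* all commands are allowed by default */
++char **k5users_allowed_cmds = NULL;
++
++static int ssh_gssapi_k5login_exists();
++static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
++ int);
++
+static krb5_context krb_context = NULL;
+
+/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+@@ -83,10 +94,11 @@ ssh_gssapi_krb5_init(void)
+*/
+
+static int
+-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
++ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *luser)
+{
+krb5_principal princ;
+int retval;
++ int k5login_exists;
+
+if (ssh_gssapi_krb5_init() == 0)
+return 0;
+@@ -97,10 +109,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+krb5_get_err_text(krb_context, retval));
+return 0;
+}
+- if (krb5_kuserok(krb_context, princ, name)) {
++ /* krb5_kuserok() returns 1 if .k5login DNE and this is self-login.
++ * We have to make sure to check .k5users in that case. */
++ k5login_exists = ssh_gssapi_k5login_exists();
++ /* NOTE: .k5login and .k5users must opened as root, not the user,
++ * because if they are on a krb5-protected filesystem, user credentials
++ * to access these files aren't available yet. */
++ if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
+retval = 1;
+logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+- name, (char *)client->displayname.value);
++ luser, (char *)client->displayname.value);
++ } else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
++ luser, k5login_exists)) {
++ retval = 1;
++ logit("Authorized to %s, krb5 principal %s "
++ "(ssh_gssapi_krb5_cmdok)",
++ luser, (char *)client->displayname.value);
+} else
+retval = 0;
+
+@@ -108,6 +132,134 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+return retval;
+}
+
++/* Test for existence of .k5login.
++ * We need this as part of our .k5users check, because krb5_kuserok()
++ * returns success if .k5login DNE and user is logging in as himself.
++ * With .k5login absent and .k5users present, we don't want absence
++ * of .k5login to authorize self-login. (absence of both is required)
++ * Returns 1 if .k5login is available, 0 otherwise.
++ */
++static int
++ssh_gssapi_k5login_exists()
++{
++ char file[MAXPATHLEN];
++ struct passwd *pw = the_authctxt->pw;
++
++ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
++ return access(file, F_OK) == 0;
++}
++
++/* check .k5users for login or command authorization
++ * Returns 1 if principal is authorized, 0 otherwise.
++ * If principal is authorized, (global) k5users_allowed_cmds may be populated.
++ */
++static int
++ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
++ const char *luser, int k5login_exists)
++{
++ FILE *fp;
++ char file[MAXPATHLEN];
++ char line[BUFSIZ];
++ char kuser[65]; /* match krb5_kuserok() */
++ struct stat st;
++ struct passwd *pw = the_authctxt->pw;
++ int found_principal = 0;
++ int ncommands = 0, allcommands = 0;
++ u_long linenum;
++
++ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
++ /* If both .k5login and .k5users DNE, self-login is ok. */
++ if (!k5login_exists && (access(file, F_OK) == -1)) {
++ return (krb5_aname_to_localname(krb_context, principal,
++ sizeof(kuser), kuser) == 0) &&
++ (strcmp(kuser, luser) == 0);
++ }
++ if ((fp = fopen(file, "r")) == NULL) {
++ int saved_errno = errno;
++ /* 2nd access check to ease debugging if file perms are wrong.
++ * But we don't want to report this if .k5users simply DNE. */
++ if (access(file, F_OK) == 0) {
++ logit("User %s fopen %s failed: %s",
++ pw->pw_name, file, strerror(saved_errno));
++ }
++ return 0;
++ }
++ /* .k5users must be owned either by the user or by root */
++ if (fstat(fileno(fp), &st) == -1) {
++ /* can happen, but very wierd error so report it */
++ logit("User %s fstat %s failed: %s",
++ pw->pw_name, file, strerror(errno));
++ fclose(fp);
++ return 0;
++ }
++ if (!(st.st_uid == pw->pw_uid || st.st_uid == 0)) {
++ logit("User %s %s is not owned by root or user",
++ pw->pw_name, file);
++ fclose(fp);
++ return 0;
++ }
++ /* .k5users must be a regular file. krb5_kuserok() doesn't do this
++ * check, but we don't want to be deficient if they add a check. */
++ if (!S_ISREG(st.st_mode)) {
++ logit("User %s %s is not a regular file", pw->pw_name, file);
++ fclose(fp);
++ return 0;
++ }
++ /* file exists; initialize k5users_allowed_cmds (to none!) */
++ k5users_allowed_cmds = xcalloc(++ncommands,
++ sizeof(*k5users_allowed_cmds));
++
++ /* Check each line. ksu allows unlimited length lines. We don't. */
++ while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line),
++ &linenum) != -1) {
++ char *token;
++
++ /* we parse just like ksu, even though we could do better */
++ token = strtok(line, " \t\n");
++ if (strcmp(name, token) == 0) {
++ /* we matched on client principal */
++ found_principal = 1;
++ if ((token = strtok(NULL, " \t\n")) == NULL) {
++ /* only shell is allowed */
++ k5users_allowed_cmds[ncommands-1] =
++ xstrdup(pw->pw_shell);
++ k5users_allowed_cmds =
++ xrealloc(k5users_allowed_cmds, ++ncommands,
++ sizeof(*k5users_allowed_cmds));
++ break;
++ }
++ /* process the allowed commands */
++ while (token) {
++ if (strcmp(token, "*") == 0) {
++ allcommands = 1;
++ break;
++ }
++ k5users_allowed_cmds[ncommands-1] =
++ xstrdup(token);
++ k5users_allowed_cmds =
++ xrealloc(k5users_allowed_cmds, ++ncommands,
++ sizeof(*k5users_allowed_cmds));
++ token = strtok(NULL, " \t\n");
++ }
++ }
++ }
++ if (k5users_allowed_cmds) {
++ /* terminate vector */
++ k5users_allowed_cmds[ncommands-1] = NULL;
++ /* if all commands are allowed, free vector */
++ if (allcommands) {
++ int i;
++ for (i = 0; i < ncommands; i++) {
++ free(k5users_allowed_cmds[i]);
++ }
++ free(k5users_allowed_cmds);
++ k5users_allowed_cmds = NULL;
++ }
++ }
++ fclose(fp);
++ return found_principal;
++}
++
+
+/* This writes out any forwarded credentials from the structure populated
+* during userauth. Called after we have setuid to the user */
+diff -up openssh-5.8p2/session.c.force_krb openssh-5.8p2/session.c
+--- openssh-5.8p2/session.c.force_krb 2011-05-19 03:41:41.000000000 +0200
++++ openssh-5.8p2/session.c 2011-05-19 03:43:32.437173662 +0200
+@@ -816,6 +816,29 @@ do_exec(Session *s, const char *command)
+debug("Forced command (key option) '%.900s'", command);
+}
+
++#ifdef GSSAPI
++#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
++ else if (k5users_allowed_cmds) {
++ const char *match = command;
++ int allowed = 0, i = 0;
++
++ if (!match)
++ match = s->pw->pw_shell;
++ while (k5users_allowed_cmds[i]) {
++ if (strcmp(match, k5users_allowed_cmds[i++]) == 0) {
++ debug("Allowed command '%.900s'", match);
++ allowed = 1;
++ break;
++ }
++ }
++ if (!allowed) {
++ debug("command '%.900s' not allowed", match);
++ return 1;
++ }
++ }
++#endif
++#endif
++
+#ifdef SSH_AUDIT_EVENTS
+if (s->command != NULL || s->command_handle != -1)
+fatal("do_exec: command already set");
+diff -up openssh-5.8p2/sshd.8.force_krb openssh-5.8p2/sshd.8
+--- openssh-5.8p2/sshd.8.force_krb 2011-05-19 03:41:30.582114401 +0200
++++ openssh-5.8p2/sshd.8 2011-05-19 03:41:46.159106308 +0200
+@@ -320,6 +320,7 @@ Finally, the server and the client enter
+The client tries to authenticate itself using
+host-based authentication,
+public key authentication,
++GSSAPI authentication,
+challenge-response authentication,
+or password authentication.
+.Pp
+@@ -788,6 +789,12 @@ This file is used in exactly the same wa
+but allows host-based authentication without permitting login with
+rlogin/rsh.
+.Pp
++.It Pa ~/.k5login
++.It Pa ~/.k5users
++These files enforce GSSAPI/Kerberos authentication access control.
++Further details are described in
++.Xr ksu 1 .
++.Pp
+.It Pa ~/.ssh/
+This directory is the default location for all user-specific configuration
+and authentication information.
+diff -up openssh-5.8p2/ssh-gss.h.force_krb openssh-5.8p2/ssh-gss.h
+--- openssh-5.8p2/ssh-gss.h.force_krb 2007-06-12 15:40:39.000000000 +0200
++++ openssh-5.8p2/ssh-gss.h 2011-05-19 03:41:46.302234118 +0200
+@@ -48,6 +48,10 @@
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif /* GSS_C_NT_... */
+#endif /* !HEIMDAL */
++
++/* .k5users support */
++extern char **k5users_allowed_cmds;
++
+#endif /* KRB5 */
+
+/* draft-ietf-secsh-gsskeyex-06 */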
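Review bot: In ssh_gssapi_krb5_cmdok the result of `token = strtok(line, " \t\n");` is passed straight to `strcmp(name, token)`, so a blank or whitespace-only line in .k5users yields a NULL token and a NULL dereference in the pre-authorization sshd path; guard it with `if (token == NULL) continue;` before the compare (read_keyfile_line() is outside this patch and I do not see it filtering empty lines, so this needs confirming). `u_long linenum;` is never initialised before read_keyfile_line() increments it, so the line number logged for an over-long line is indeterminate; the other callers in the tree appear to use `u_long linenum = 0;`. When .k5users exists but the principal is not found, the freshly allocated k5users_allowed_cmds is left non-NULL with only its terminator, which leaks on a repeated authentication attempt and, because do_exec() only tests the pointer, would reject every command should a later attempt authorise via krb5_kuserok(); freeing and resetting it to NULL when found_principal is 0 avoids both.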
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
|
diff -up openssh-5.8p2/auth-krb5.c.kuserok openssh-5.8p2/auth-krb5.c
|
||||||
--- openssh-5.8p1/auth-krb5.c.kuserok 2009-12-21 00:49:22.000000000 +0100
|
--- openssh-5.8p2/auth-krb5.c.kuserok 2011-05-19 16:55:57.176106243 +0200
|
||||||
+++ openssh-5.8p1/auth-krb5.c 2011-02-14 09:15:12.000000000 +0100
|
+++ openssh-5.8p2/auth-krb5.c 2011-05-19 16:56:02.009109884 +0200
|
||||||
@@ -54,6 +54,20 @@
|
@@ -54,6 +54,20 @@
|
||||||
|
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
@ -31,30 +31,30 @@ diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
|
|||||||
problem = -1;
|
problem = -1;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c
|
diff -up openssh-5.8p2/gss-serv-krb5.c.kuserok openssh-5.8p2/gss-serv-krb5.c
|
||||||
--- openssh-5.8p1/gss-serv-krb5.c.kuserok 2006-09-01 07:38:36.000000000 +0200
|
--- openssh-5.8p2/gss-serv-krb5.c.kuserok 2011-05-19 16:56:01.000000000 +0200
|
||||||
+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 09:15:12.000000000 +0100
|
+++ openssh-5.8p2/gss-serv-krb5.c 2011-05-20 05:48:50.681167894 +0200
|
||||||
@@ -57,6 +57,7 @@ extern ServerOptions options;
|
@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
|
||||||
#endif
|
int);
|
||||||
|
|
||||||
static krb5_context krb_context = NULL;
|
static krb5_context krb_context = NULL;
|
||||||
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
|
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
|
||||||
|
|
||||||
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
||||||
|
|
||||||
@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
@@ -115,7 +116,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||||
krb5_get_err_text(krb_context, retval));
|
/* NOTE: .k5login and .k5users must opened as root, not the user,
|
||||||
return 0;
|
* because if they are on a krb5-protected filesystem, user credentials
|
||||||
}
|
* to access these files aren't available yet. */
|
||||||
- if (krb5_kuserok(krb_context, princ, name)) {
|
- if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
|
||||||
+ if (ssh_krb5_kuserok(krb_context, princ, name)) {
|
+ if (ssh_krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
|
||||||
retval = 1;
|
retval = 1;
|
||||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||||
name, (char *)client->displayname.value);
|
luser, (char *)client->displayname.value);
|
||||||
diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
diff -up openssh-5.8p2/servconf.c.kuserok openssh-5.8p2/servconf.c
|
||||||
--- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100
|
--- openssh-5.8p2/servconf.c.kuserok 2011-05-19 16:55:59.549112264 +0200
|
||||||
+++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100
|
+++ openssh-5.8p2/servconf.c 2011-05-19 16:56:02.332106613 +0200
|
||||||
@@ -142,6 +142,7 @@ initialize_server_options(ServerOptions
|
@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions
|
||||||
options->authorized_principals_file = NULL;
|
options->authorized_principals_file = NULL;
|
||||||
options->ip_qos_interactive = -1;
|
options->ip_qos_interactive = -1;
|
||||||
options->ip_qos_bulk = -1;
|
options->ip_qos_bulk = -1;
|
||||||
@ -62,7 +62,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
|
@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
|
||||||
if (use_privsep == -1)
|
if (use_privsep == -1)
|
||||||
use_privsep = 1;
|
use_privsep = 1;
|
||||||
|
|
||||||
@ -71,7 +71,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
|||||||
#ifndef HAVE_MMAP
|
#ifndef HAVE_MMAP
|
||||||
if (use_privsep && options->compression == 1) {
|
if (use_privsep && options->compression == 1) {
|
||||||
error("This platform does not support both privilege "
|
error("This platform does not support both privilege "
|
||||||
@@ -312,7 +315,7 @@ typedef enum {
|
@@ -321,7 +324,7 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
@ -80,7 +80,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
|||||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||||
sListenAddress, sAddressFamily,
|
sListenAddress, sAddressFamily,
|
||||||
@@ -381,11 +384,13 @@ static struct {
|
@@ -392,11 +395,13 @@ static struct {
|
||||||
#else
|
#else
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
@ -94,7 +94,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
|||||||
#endif
|
#endif
|
||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions
|
@@ -1374,6 +1379,10 @@ process_server_config_line(ServerOptions
|
||||||
*activep = value;
|
*activep = value;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -105,7 +105,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
|||||||
case sPermitOpen:
|
case sPermitOpen:
|
||||||
arg = strdelim(&cp);
|
arg = strdelim(&cp);
|
||||||
if (!arg || *arg == '\0')
|
if (!arg || *arg == '\0')
|
||||||
@@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d
|
@@ -1577,6 +1586,7 @@ copy_set_server_options(ServerOptions *d
|
||||||
M_CP_INTOPT(max_authtries);
|
M_CP_INTOPT(max_authtries);
|
||||||
M_CP_INTOPT(ip_qos_interactive);
|
M_CP_INTOPT(ip_qos_interactive);
|
||||||
M_CP_INTOPT(ip_qos_bulk);
|
M_CP_INTOPT(ip_qos_bulk);
|
||||||
@ -113,7 +113,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
|||||||
|
|
||||||
M_CP_STROPT(banner);
|
M_CP_STROPT(banner);
|
||||||
if (preauth)
|
if (preauth)
|
||||||
@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o)
|
@@ -1800,6 +1810,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||||
@ -121,10 +121,10 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
|||||||
|
|
||||||
/* string arguments */
|
/* string arguments */
|
||||||
dump_cfg_string(sPidFile, o->pid_file);
|
dump_cfg_string(sPidFile, o->pid_file);
|
||||||
diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
|
diff -up openssh-5.8p2/servconf.h.kuserok openssh-5.8p2/servconf.h
|
||||||
--- openssh-5.8p1/servconf.h.kuserok 2011-02-14 09:15:12.000000000 +0100
|
--- openssh-5.8p2/servconf.h.kuserok 2011-05-19 16:55:59.676167388 +0200
|
||||||
+++ openssh-5.8p1/servconf.h 2011-02-14 09:15:12.000000000 +0100
|
+++ openssh-5.8p2/servconf.h 2011-05-19 16:56:02.449168732 +0200
|
||||||
@@ -157,6 +157,7 @@ typedef struct {
|
@@ -160,6 +160,7 @@ typedef struct {
|
||||||
|
|
||||||
int num_permitted_opens;
|
int num_permitted_opens;
|
||||||
|
|
||||||
@ -132,10 +132,10 @@ diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
|
|||||||
char *chroot_directory;
|
char *chroot_directory;
|
||||||
char *revoked_keys_file;
|
char *revoked_keys_file;
|
||||||
char *trusted_user_ca_keys;
|
char *trusted_user_ca_keys;
|
||||||
diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
|
diff -up openssh-5.8p2/sshd_config.5.kuserok openssh-5.8p2/sshd_config.5
|
||||||
--- openssh-5.8p1/sshd_config.5.kuserok 2011-02-14 09:15:12.000000000 +0100
|
--- openssh-5.8p2/sshd_config.5.kuserok 2011-05-19 16:56:00.265169181 +0200
|
||||||
+++ openssh-5.8p1/sshd_config.5 2011-02-14 09:17:11.000000000 +0100
|
+++ openssh-5.8p2/sshd_config.5 2011-05-19 16:56:02.588114955 +0200
|
||||||
@@ -574,6 +574,10 @@ Specifies whether to automatically destr
|
@@ -602,6 +602,10 @@ Specifies whether to automatically destr
|
||||||
file on logout.
|
file on logout.
|
||||||
The default is
|
The default is
|
||||||
.Dq yes .
|
.Dq yes .
|
||||||
@ -146,7 +146,7 @@ diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
|
|||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
Specifies the available KEX (Key Exchange) algorithms.
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
Multiple algorithms must be comma-separated.
|
Multiple algorithms must be comma-separated.
|
||||||
@@ -715,6 +719,7 @@ Available keywords are
|
@@ -743,6 +747,7 @@ Available keywords are
|
||||||
.Cm HostbasedUsesNameFromPacketOnly ,
|
.Cm HostbasedUsesNameFromPacketOnly ,
|
||||||
.Cm KbdInteractiveAuthentication ,
|
.Cm KbdInteractiveAuthentication ,
|
||||||
.Cm KerberosAuthentication ,
|
.Cm KerberosAuthentication ,
|
||||||
@ -154,9 +154,9 @@ diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
|
|||||||
.Cm MaxAuthTries ,
|
.Cm MaxAuthTries ,
|
||||||
.Cm MaxSessions ,
|
.Cm MaxSessions ,
|
||||||
.Cm PubkeyAuthentication ,
|
.Cm PubkeyAuthentication ,
|
||||||
diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config
|
diff -up openssh-5.8p2/sshd_config.kuserok openssh-5.8p2/sshd_config
|
||||||
--- openssh-5.8p1/sshd_config.kuserok 2011-02-14 09:15:12.000000000 +0100
|
--- openssh-5.8p2/sshd_config.kuserok 2011-05-19 16:56:00.886106293 +0200
|
||||||
+++ openssh-5.8p1/sshd_config 2011-02-14 09:15:12.000000000 +0100
|
+++ openssh-5.8p2/sshd_config 2011-05-19 16:56:02.716105342 +0200
|
||||||
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
|
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
|
||||||
#KerberosOrLocalPasswd yes
|
#KerberosOrLocalPasswd yes
|
||||||
#KerberosTicketCleanup yes
|
#KerberosTicketCleanup yes
|
15
openssh.spec
15
openssh.spec
@ -74,7 +74,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%define openssh_ver 5.8p2
|
%define openssh_ver 5.8p2
|
||||||
%define openssh_rel 1
|
%define openssh_rel 2
|
||||||
%define pam_ssh_agent_ver 0.9.2
|
%define pam_ssh_agent_ver 0.9.2
|
||||||
%define pam_ssh_agent_rel 31
|
%define pam_ssh_agent_rel 31
|
||||||
|
|
||||||
@ -151,8 +151,6 @@ Patch31: openssh-5.2p1-allow-ip-opts.patch
|
|||||||
Patch32: openssh-5.8p1-randclean.patch
|
Patch32: openssh-5.8p1-randclean.patch
|
||||||
# #https://bugzilla.mindrot.org/show_bug.cgi?id=1636
|
# #https://bugzilla.mindrot.org/show_bug.cgi?id=1636
|
||||||
# Patch33: openssh-5.1p1-log-in-chroot.patch
|
# Patch33: openssh-5.1p1-log-in-chroot.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
|
||||||
Patch34: openssh-5.8p1-kuserok.patch
|
|
||||||
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
|
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
|
||||||
Patch35: openssh-5.8p1-glob.patch
|
Patch35: openssh-5.8p1-glob.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1891
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1891
|
||||||
@ -182,6 +180,10 @@ Patch60: openssh-5.8p1-gsskex.patch
|
|||||||
Patch61: openssh-5.8p1-gssapi-canohost.patch
|
Patch61: openssh-5.8p1-gssapi-canohost.patch
|
||||||
#?
|
#?
|
||||||
Patch62: openssh-5.8p1-localdomain.patch
|
Patch62: openssh-5.8p1-localdomain.patch
|
||||||
|
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||||
|
Patch63: openssh-5.8p2-force_krb.patch
|
||||||
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||||
|
Patch64: openssh-5.8p2-kuserok.patch
|
||||||
#---
|
#---
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
|
||||||
# sctp
|
# sctp
|
||||||
@ -333,6 +335,7 @@ The module is most useful for su and sudo service stacks.
|
|||||||
%setup -q -a 4
|
%setup -q -a 4
|
||||||
#Do not enable by default
|
#Do not enable by default
|
||||||
###%patch99 -p1 -b .wIm
|
###%patch99 -p1 -b .wIm
|
||||||
|
|
||||||
%patch0 -p1 -b .redhat
|
%patch0 -p1 -b .redhat
|
||||||
%patch100 -p1 -b .fingerprint
|
%patch100 -p1 -b .fingerprint
|
||||||
%patch200 -p1 -b .exit
|
%patch200 -p1 -b .exit
|
||||||
@ -368,7 +371,6 @@ popd
|
|||||||
%patch30 -p1 -b .keygen
|
%patch30 -p1 -b .keygen
|
||||||
%patch31 -p1 -b .ip-opts
|
%patch31 -p1 -b .ip-opts
|
||||||
%patch32 -p1 -b .randclean
|
%patch32 -p1 -b .randclean
|
||||||
%patch34 -p1 -b .kuserok
|
|
||||||
%patch35 -p1 -b .glob
|
%patch35 -p1 -b .glob
|
||||||
%patch36 -p1 -b .pwchange
|
%patch36 -p1 -b .pwchange
|
||||||
%patch37 -p1 -b .keyperm
|
%patch37 -p1 -b .keyperm
|
||||||
@ -384,6 +386,8 @@ popd
|
|||||||
%patch60 -p1 -b .gsskex
|
%patch60 -p1 -b .gsskex
|
||||||
%patch61 -p1 -b .canohost
|
%patch61 -p1 -b .canohost
|
||||||
%patch62 -p1 -b .localdomain
|
%patch62 -p1 -b .localdomain
|
||||||
|
%patch63 -p1 -b .force_krb
|
||||||
|
%patch64 -p1 -b .kuserok
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
@ -736,6 +740,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-2 + 0.9.2-31
|
||||||
|
- add gssapi forced command
|
||||||
|
|
||||||
* Tue May 3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-1 + 0.9.2-31
|
* Tue May 3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-1 + 0.9.2-31
|
||||||
- update the openssh version
|
- update the openssh version
|
||||||
|
|
||||||
|