forked from rpms/openssh
rebase to openssh-6.1p1 (#852651)
This commit is contained in:
parent
51ca3be245
commit
9fe1afc163
@ -1,17 +0,0 @@
|
||||
Index: auth-passwd.c
|
||||
===================================================================
|
||||
RCS file: /cvs/openssh/auth-passwd.c,v
|
||||
retrieving revision 1.90
|
||||
retrieving revision 1.91
|
||||
diff -u -r1.90 -r1.91
|
||||
--- auth-passwd.c 8 Mar 2009 00:40:28 -0000 1.90
|
||||
+++ auth-passwd.c 25 Apr 2012 23:51:28 -0000 1.91
|
||||
@@ -209,6 +209,7 @@
|
||||
* Authentication is accepted if the encrypted passwords
|
||||
* are identical.
|
||||
*/
|
||||
- return (strcmp(encrypted_password, pw_password) == 0);
|
||||
+ return encrypted_password != NULL &&
|
||||
+ strcmp(encrypted_password, pw_password) == 0;
|
||||
}
|
||||
#endif
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
--- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100
|
||||
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100
|
||||
diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
||||
--- openssh-6.1p1/auth2-pubkey.c.akc 2012-09-14 20:20:48.459445650 +0200
|
||||
+++ openssh-6.1p1/auth2-pubkey.c 2012-09-14 20:20:48.520446072 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -9,7 +9,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <pwd.h>
|
||||
@@ -276,27 +277,15 @@ match_principals_file(char *file, struct
|
||||
@@ -277,27 +278,15 @@ match_principals_file(char *file, struct
|
||||
|
||||
/* return 1 if user allows given key */
|
||||
static int
|
||||
@ -38,7 +38,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
found_key = 0;
|
||||
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
|
||||
|
||||
@@ -389,8 +378,6 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -47,7 +47,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
key_free(found);
|
||||
if (!found_key)
|
||||
debug2("key not found");
|
||||
@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -240,10 +240,10 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
if (auth_key_is_revoked(key))
|
||||
return 0;
|
||||
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
|
||||
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||
--- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100
|
||||
+++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100
|
||||
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
|
||||
diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac
|
||||
--- openssh-6.1p1/configure.ac.akc 2012-07-06 03:49:29.000000000 +0200
|
||||
+++ openssh-6.1p1/configure.ac 2012-09-14 20:20:48.525446106 +0200
|
||||
@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
|
||||
@ -262,7 +262,7 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS([ \
|
||||
arc4random \
|
||||
@@ -4239,6 +4251,7 @@ echo " SELinux support
|
||||
@@ -4407,6 +4419,7 @@ echo " SELinux support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
@ -270,10 +270,10 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100
|
||||
+++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100
|
||||
@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
||||
--- openssh-6.1p1/servconf.c.akc 2012-09-14 20:20:48.138443423 +0200
|
||||
+++ openssh-6.1p1/servconf.c 2012-09-14 20:27:34.546107295 +0200
|
||||
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
options->chroot_directory = NULL;
|
||||
@ -282,18 +282,18 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
options->zero_knowledge_password_authentication = -1;
|
||||
options->revoked_keys_file = NULL;
|
||||
options->trusted_user_ca_keys = NULL;
|
||||
@@ -329,6 +331,7 @@ typedef enum {
|
||||
@@ -334,6 +336,7 @@ typedef enum {
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sKexAlgorithms, sIPQoS,
|
||||
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
||||
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -455,6 +458,13 @@ static struct {
|
||||
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
|
||||
@@ -461,6 +464,14 @@ static struct {
|
||||
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
|
||||
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
|
||||
@ -301,12 +301,13 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
|
||||
+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
|
||||
+#endif
|
||||
+
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
|
||||
@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions
|
||||
}
|
||||
break;
|
||||
return 0;
|
||||
|
||||
+ case sAuthorizedKeysCommand:
|
||||
+ len = strspn(cp, WHITESPACE);
|
||||
@ -329,7 +330,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
|
||||
M_CP_INTOPT(kbd_interactive_authentication);
|
||||
M_CP_INTOPT(zero_knowledge_password_authentication);
|
||||
@ -338,30 +339,30 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
M_CP_INTOPT(permit_root_login);
|
||||
M_CP_INTOPT(permit_empty_passwd);
|
||||
|
||||
@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
|
||||
@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedPrincipalsFile,
|
||||
o->authorized_principals_file);
|
||||
dump_cfg_string(sVersionAddendum, o->version_addendum);
|
||||
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
|
||||
+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
|
||||
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
|
||||
--- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100
|
||||
+++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100
|
||||
diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
|
||||
--- openssh-6.1p1/servconf.h.akc 2012-09-14 20:20:48.000000000 +0200
|
||||
+++ openssh-6.1p1/servconf.h 2012-09-14 20:23:16.691844577 +0200
|
||||
@@ -169,6 +169,8 @@ typedef struct {
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
char *authorized_principals_file;
|
||||
+ char *authorized_keys_command;
|
||||
+ char *authorized_keys_command_runas;
|
||||
} ServerOptions;
|
||||
|
||||
/*
|
||||
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
|
||||
--- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100
|
||||
char *version_addendum; /* Appended to SSH banner */
|
||||
} ServerOptions;
|
||||
diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-09-14 20:30:46.950095769 +0200
|
||||
@@ -49,6 +49,9 @@
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
@ -369,12 +370,12 @@ diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
|
||||
+#AuthorizedKeysCommand none
|
||||
+#AuthorizedKeysCommandRunAs nobody
|
||||
+
|
||||
#AuthorizedPrincipalsFile none
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
||||
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100
|
||||
diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
|
||||
--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd_config.0 2012-09-14 20:32:23.539624859 +0200
|
||||
@@ -71,6 +71,23 @@ DESCRIPTION
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
@ -399,19 +400,19 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
||||
AuthorizedKeysFile
|
||||
Specifies the file that contains the public keys that can be used
|
||||
for user authentication. The format is described in the
|
||||
@@ -401,7 +418,8 @@ DESCRIPTION
|
||||
|
||||
@@ -402,7 +419,8 @@ DESCRIPTION
|
||||
Only a subset of keywords may be used on the lines following a
|
||||
Match keyword. Available keywords are AllowAgentForwarding,
|
||||
- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
|
||||
+ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand,
|
||||
+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile,
|
||||
Banner, ChrootDirectory, ForceCommand, GatewayPorts,
|
||||
GSSAPIAuthentication, HostbasedAuthentication,
|
||||
Match keyword. Available keywords are AcceptEnv,
|
||||
AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
|
||||
- AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
|
||||
+ AllowUsers, AuthorizedKeysFile, AuthorizedKeysCommand,
|
||||
+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, Banner,
|
||||
ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
|
||||
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
|
||||
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
||||
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100
|
||||
+++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100
|
||||
diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
|
||||
--- openssh-6.1p1/sshd_config.5.akc 2012-09-14 20:20:48.142443448 +0200
|
||||
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:29:56.003873873 +0200
|
||||
@@ -151,6 +151,19 @@ See
|
||||
in
|
||||
.Xr ssh_config 5
|
||||
@ -432,16 +433,16 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
||||
.It Cm AuthorizedKeysFile
|
||||
Specifies the file that contains the public keys that can be used
|
||||
for user authentication.
|
||||
@@ -706,6 +719,8 @@ Available keywords are
|
||||
.Cm AllowAgentForwarding ,
|
||||
@@ -712,6 +725,8 @@ Available keywords are
|
||||
.Cm AllowTcpForwarding ,
|
||||
.Cm AllowUsers ,
|
||||
.Cm AuthorizedKeysFile ,
|
||||
+.Cm AuthorizedKeysCommand ,
|
||||
+.Cm AuthorizedKeysCommandRunAs ,
|
||||
.Cm AuthorizedPrincipalsFile ,
|
||||
.Cm Banner ,
|
||||
.Cm ChrootDirectory ,
|
||||
@@ -718,6 +733,7 @@ Available keywords are
|
||||
@@ -726,6 +741,7 @@ Available keywords are
|
||||
.Cm KerberosAuthentication ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile
|
||||
--- openssh-5.8p2/contrib/Makefile.askpass-ld 2011-08-08 22:54:06.050546199 +0200
|
||||
+++ openssh-5.8p2/contrib/Makefile 2011-08-08 22:54:43.364420118 +0200
|
||||
@@ -2,12 +2,12 @@ all:
|
||||
diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
|
||||
--- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200
|
||||
+++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200
|
||||
@@ -4,12 +4,12 @@ all:
|
||||
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
|
||||
|
||||
gnome-ssh-askpass1: gnome-ssh-askpass1.c
|
||||
@ -11,8 +11,8 @@ diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefil
|
||||
`gnome-config --libs gnome gnomeui`
|
||||
|
||||
gnome-ssh-askpass2: gnome-ssh-askpass2.c
|
||||
- $(CC) `pkg-config --cflags gtk+-2.0` \
|
||||
+ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
|
||||
- $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
|
||||
+ $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
|
||||
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
|
||||
`pkg-config --libs gtk+-2.0 x11`
|
||||
`$(PKG_CONFIG) --libs gtk+-2.0 x11`
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
|
||||
--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-5.9p1/auth-pam.c 2011-09-14 08:09:47.074520582 +0200
|
||||
diff -up openssh-6.1p1/auth-pam.c.coverity openssh-6.1p1/auth-pam.c
|
||||
--- openssh-6.1p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-6.1p1/auth-pam.c 2012-09-14 21:16:41.264906486 +0200
|
||||
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
|
||||
if (sshpam_thread_status != -1)
|
||||
return (sshpam_thread_status);
|
||||
@ -15,43 +15,10 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
|
||||
return (status);
|
||||
}
|
||||
#endif
|
||||
diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
|
||||
--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
|
||||
+++ openssh-5.9p1/channels.c 2011-09-14 08:09:47.556582810 +0200
|
||||
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||
channel_max_fd = MAX(channel_max_fd, efd);
|
||||
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
fcntl(rfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (wfd != -1 && wfd != rfd)
|
||||
+ if (wfd >= 0 && wfd != rfd)
|
||||
fcntl(wfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (efd != -1 && efd != rfd && efd != wfd)
|
||||
+ if (efd >= 0 && efd != rfd && efd != wfd)
|
||||
fcntl(efd, F_SETFD, FD_CLOEXEC);
|
||||
|
||||
c->rfd = rfd;
|
||||
@@ -248,11 +248,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
|
||||
/* enable nonblocking mode */
|
||||
if (nonblock) {
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
set_nonblock(rfd);
|
||||
- if (wfd != -1)
|
||||
+ if (wfd >= 0)
|
||||
set_nonblock(wfd);
|
||||
- if (efd != -1)
|
||||
+ if (efd >= 0)
|
||||
set_nonblock(efd);
|
||||
}
|
||||
}
|
||||
diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
||||
--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
|
||||
+++ openssh-5.9p1/clientloop.c 2011-09-14 08:17:41.556521887 +0200
|
||||
@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_
|
||||
diff -up openssh-6.1p1/clientloop.c.coverity openssh-6.1p1/clientloop.c
|
||||
--- openssh-6.1p1/clientloop.c.coverity 2012-06-20 14:31:27.000000000 +0200
|
||||
+++ openssh-6.1p1/clientloop.c 2012-09-14 21:16:41.267906501 +0200
|
||||
@@ -2006,14 +2006,15 @@ client_input_global_request(int type, u_
|
||||
char *rtype;
|
||||
int want_reply;
|
||||
int success = 0;
|
||||
@ -69,10 +36,43 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
}
|
||||
diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
||||
--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
|
||||
+++ openssh-5.9p1/key.c 2011-09-14 08:09:47.803458435 +0200
|
||||
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
|
||||
diff -up openssh-6.1p1/channels.c.coverity openssh-6.1p1/channels.c
|
||||
--- openssh-6.1p1/channels.c.coverity 2012-04-23 10:21:05.000000000 +0200
|
||||
+++ openssh-6.1p1/channels.c 2012-09-14 21:16:41.272906528 +0200
|
||||
@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||
channel_max_fd = MAX(channel_max_fd, efd);
|
||||
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
fcntl(rfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (wfd != -1 && wfd != rfd)
|
||||
+ if (wfd >= 0 && wfd != rfd)
|
||||
fcntl(wfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (efd != -1 && efd != rfd && efd != wfd)
|
||||
+ if (efd >= 0 && efd != rfd && efd != wfd)
|
||||
fcntl(efd, F_SETFD, FD_CLOEXEC);
|
||||
|
||||
c->rfd = rfd;
|
||||
@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
|
||||
/* enable nonblocking mode */
|
||||
if (nonblock) {
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
set_nonblock(rfd);
|
||||
- if (wfd != -1)
|
||||
+ if (wfd >= 0)
|
||||
set_nonblock(wfd);
|
||||
- if (efd != -1)
|
||||
+ if (efd >= 0)
|
||||
set_nonblock(efd);
|
||||
}
|
||||
}
|
||||
diff -up openssh-6.1p1/key.c.coverity openssh-6.1p1/key.c
|
||||
--- openssh-6.1p1/key.c.coverity 2012-06-30 12:05:02.000000000 +0200
|
||||
+++ openssh-6.1p1/key.c 2012-09-14 21:16:41.274906537 +0200
|
||||
@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp)
|
||||
success = 1;
|
||||
/*XXXX*/
|
||||
key_free(k);
|
||||
@ -83,10 +83,9 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
||||
/* advance cp: skip whitespace and data */
|
||||
while (*cp == ' ' || *cp == '\t')
|
||||
cp++;
|
||||
diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c
|
||||
diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-14 08:09:47.914584009 +0200
|
||||
diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c
|
||||
--- openssh-6.1p1/monitor.c.coverity 2012-06-30 00:33:17.000000000 +0200
|
||||
+++ openssh-6.1p1/monitor.c 2012-09-14 21:16:41.277906552 +0200
|
||||
@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
}
|
||||
|
||||
@ -96,7 +95,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||
;
|
||||
|
||||
if (!authctxt->valid)
|
||||
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
@@ -1159,6 +1159,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -107,7 +106,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||
if (key != NULL)
|
||||
key_free(key);
|
||||
|
||||
@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
@@ -1180,9 +1184,6 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
xfree(chost);
|
||||
}
|
||||
|
||||
@ -117,9 +116,9 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, allowed);
|
||||
buffer_put_int(m, forced_command != NULL);
|
||||
diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
|
||||
--- openssh-5.9p1/monitor_wrap.c.coverity 2011-09-14 08:11:36.480500123 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 08:14:11.279520598 +0200
|
||||
diff -up openssh-6.1p1/monitor_wrap.c.coverity openssh-6.1p1/monitor_wrap.c
|
||||
--- openssh-6.1p1/monitor_wrap.c.coverity 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-6.1p1/monitor_wrap.c 2012-09-14 21:16:41.280906568 +0200
|
||||
@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||
@ -134,9 +133,9 @@ diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
|
||||
return 0;
|
||||
}
|
||||
close(tmp1);
|
||||
diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
|
||||
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-14 08:09:48.084459344 +0200
|
||||
diff -up openssh-6.1p1/openbsd-compat/bindresvport.c.coverity openssh-6.1p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-6.1p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
|
||||
+++ openssh-6.1p1/openbsd-compat/bindresvport.c 2012-09-14 21:16:41.281906573 +0200
|
||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int16_t *portp;
|
||||
@ -146,9 +145,9 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
|
||||
int i;
|
||||
|
||||
if (sa == NULL) {
|
||||
diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
||||
--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
|
||||
+++ openssh-5.9p1/packet.c 2011-09-14 08:09:48.184587842 +0200
|
||||
diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c
|
||||
--- openssh-6.1p1/packet.c.coverity 2012-03-09 00:28:07.000000000 +0100
|
||||
+++ openssh-6.1p1/packet.c 2012-09-14 21:16:41.284906588 +0200
|
||||
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
|
||||
case DEATTACK_DETECTED:
|
||||
packet_disconnect("crc32 compensation attack: "
|
||||
@ -157,7 +156,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
||||
case DEATTACK_DOS_DETECTED:
|
||||
packet_disconnect("deattack denial of "
|
||||
"service detected");
|
||||
@@ -1684,7 +1685,7 @@ void
|
||||
@@ -1678,7 +1679,7 @@ void
|
||||
packet_write_wait(void)
|
||||
{
|
||||
fd_set *setp;
|
||||
@ -166,9 +165,9 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
||||
struct timeval start, timeout, *timeoutp = NULL;
|
||||
|
||||
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
|
||||
diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
||||
--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-5.9p1/progressmeter.c 2011-09-14 08:09:48.300586004 +0200
|
||||
diff -up openssh-6.1p1/progressmeter.c.coverity openssh-6.1p1/progressmeter.c
|
||||
--- openssh-6.1p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-6.1p1/progressmeter.c 2012-09-14 21:16:41.285906593 +0200
|
||||
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
|
||||
|
||||
static time_t start; /* start progress */
|
||||
@ -187,9 +186,9 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
||||
{
|
||||
start = last_update = time(NULL);
|
||||
file = f;
|
||||
diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
||||
--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
|
||||
+++ openssh-5.9p1/progressmeter.h 2011-09-14 08:09:48.420645724 +0200
|
||||
diff -up openssh-6.1p1/progressmeter.h.coverity openssh-6.1p1/progressmeter.h
|
||||
--- openssh-6.1p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
|
||||
+++ openssh-6.1p1/progressmeter.h 2012-09-14 21:16:41.286906598 +0200
|
||||
@@ -23,5 +23,5 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
@ -197,9 +196,9 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
||||
-void start_progress_meter(char *, off_t, off_t *);
|
||||
+void start_progress_meter(const char *, off_t, off_t *);
|
||||
void stop_progress_meter(void);
|
||||
diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
||||
--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
|
||||
+++ openssh-5.9p1/scp.c 2011-09-14 08:09:48.531505457 +0200
|
||||
diff -up openssh-6.1p1/scp.c.coverity openssh-6.1p1/scp.c
|
||||
--- openssh-6.1p1/scp.c.coverity 2011-09-22 13:38:01.000000000 +0200
|
||||
+++ openssh-6.1p1/scp.c 2012-09-14 21:16:41.288906608 +0200
|
||||
@@ -155,7 +155,7 @@ killchild(int signo)
|
||||
{
|
||||
if (do_cmd_pid > 1) {
|
||||
@ -209,19 +208,10 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
||||
}
|
||||
|
||||
if (signo)
|
||||
diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-14 08:30:17.557468182 +0200
|
||||
@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin
|
||||
debug3("checking syntax for 'Match %s'", cp);
|
||||
else
|
||||
debug3("checking match for '%s' user %s host %s addr %s", cp,
|
||||
- user ? user : "(null)", host ? host : "(null)",
|
||||
+ user /* User is not NULL ? user : "(null)" */, host ? host : "(null)",
|
||||
address ? address : "(null)");
|
||||
|
||||
while ((attrib = strdelim(&cp)) && *attrib != '\0') {
|
||||
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
|
||||
diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c
|
||||
--- openssh-6.1p1/servconf.c.coverity 2012-07-31 04:22:38.000000000 +0200
|
||||
+++ openssh-6.1p1/servconf.c 2012-09-14 21:16:41.291906623 +0200
|
||||
@@ -1249,7 +1249,7 @@ process_server_config_line(ServerOptions
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
filename, linenum);
|
||||
if (!*activep) {
|
||||
@ -230,7 +220,7 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
||||
break;
|
||||
}
|
||||
for (i = 0; i < options->num_subsystems; i++)
|
||||
@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions
|
||||
@@ -1340,8 +1340,9 @@ process_server_config_line(ServerOptions
|
||||
if (*activep && *charptr == NULL) {
|
||||
*charptr = tilde_expand_filename(arg, getuid());
|
||||
/* increase optional counter */
|
||||
@ -242,9 +232,9 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
||||
}
|
||||
break;
|
||||
|
||||
diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
|
||||
+++ openssh-5.9p1/serverloop.c 2011-09-14 08:09:48.793586380 +0200
|
||||
diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c
|
||||
--- openssh-6.1p1/serverloop.c.coverity 2012-06-20 14:31:27.000000000 +0200
|
||||
+++ openssh-6.1p1/serverloop.c 2012-09-14 21:16:41.294906638 +0200
|
||||
@@ -147,13 +147,13 @@ notify_setup(void)
|
||||
static void
|
||||
notify_parent(void)
|
||||
@ -272,7 +262,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
debug2("notify_done: reading");
|
||||
}
|
||||
|
||||
@@ -330,7 +330,7 @@ wait_until_can_do_something(fd_set **rea
|
||||
@@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea
|
||||
* If we have buffered data, try to write some of that data
|
||||
* to the program.
|
||||
*/
|
||||
@ -281,7 +271,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
FD_SET(fdin, *writesetp);
|
||||
}
|
||||
notify_prepare(*readsetp);
|
||||
@@ -470,7 +470,7 @@ process_output(fd_set *writeset)
|
||||
@@ -476,7 +476,7 @@ process_output(fd_set *writeset)
|
||||
int len;
|
||||
|
||||
/* Write buffered data to program stdin. */
|
||||
@ -290,7 +280,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
data = buffer_ptr(&stdin_buffer);
|
||||
dlen = buffer_len(&stdin_buffer);
|
||||
len = write(fdin, data, dlen);
|
||||
@@ -583,7 +583,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
@@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
set_nonblock(fdin);
|
||||
set_nonblock(fdout);
|
||||
/* we don't have stderr for interactive terminal sessions, see below */
|
||||
@ -299,7 +289,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
set_nonblock(fderr);
|
||||
|
||||
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
|
||||
@@ -607,7 +607,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
@@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
max_fd = MAX(connection_in, connection_out);
|
||||
max_fd = MAX(max_fd, fdin);
|
||||
max_fd = MAX(max_fd, fdout);
|
||||
@ -308,7 +298,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
max_fd = MAX(max_fd, fderr);
|
||||
#endif
|
||||
|
||||
@@ -637,7 +637,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
@@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
* If we have received eof, and there is no more pending
|
||||
* input data, cause a real eof by closing fdin.
|
||||
*/
|
||||
@ -317,7 +307,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
if (fdin != fdout)
|
||||
close(fdin);
|
||||
else
|
||||
@@ -735,15 +735,15 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
buffer_free(&stderr_buffer);
|
||||
|
||||
/* Close the file descriptors. */
|
||||
@ -336,7 +326,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
close(fdin);
|
||||
fdin = -1;
|
||||
|
||||
@@ -937,7 +937,7 @@ server_input_window_size(int type, u_int
|
||||
@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int
|
||||
|
||||
debug("Window change received.");
|
||||
packet_check_eom();
|
||||
@ -345,7 +335,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
pty_change_window_size(fdin, row, col, xpixel, ypixel);
|
||||
}
|
||||
|
||||
@@ -990,7 +990,7 @@ server_request_tun(void)
|
||||
@@ -996,7 +996,7 @@ server_request_tun(void)
|
||||
}
|
||||
|
||||
tun = packet_get_int();
|
||||
@ -354,9 +344,111 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
|
||||
goto done;
|
||||
tun = forced_tun_device;
|
||||
diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp-client.c 2011-09-14 08:09:48.910470343 +0200
|
||||
diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
|
||||
--- openssh-6.1p1/sftp.c.coverity 2012-06-30 00:33:32.000000000 +0200
|
||||
+++ openssh-6.1p1/sftp.c 2012-09-14 21:16:41.297906653 +0200
|
||||
@@ -206,7 +206,7 @@ killchild(int signo)
|
||||
{
|
||||
if (sshpid > 1) {
|
||||
kill(sshpid, SIGTERM);
|
||||
- waitpid(sshpid, NULL, 0);
|
||||
+ (void) waitpid(sshpid, NULL, 0);
|
||||
}
|
||||
|
||||
_exit(1);
|
||||
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
|
||||
|
||||
/* Strip one path (usually the pwd) from the start of another */
|
||||
static char *
|
||||
-path_strip(char *path, char *strip)
|
||||
+path_strip(const char *path, const char *strip)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
|
||||
}
|
||||
|
||||
static char *
|
||||
-make_absolute(char *p, char *pwd)
|
||||
+make_absolute(char *p, const char *pwd)
|
||||
{
|
||||
char *abs_str;
|
||||
|
||||
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
|
||||
}
|
||||
|
||||
static int
|
||||
-is_dir(char *path)
|
||||
+is_dir(const char *path)
|
||||
{
|
||||
struct stat sb;
|
||||
|
||||
@@ -494,7 +494,7 @@ is_dir(char *path)
|
||||
}
|
||||
|
||||
static int
|
||||
-remote_is_dir(struct sftp_conn *conn, char *path)
|
||||
+remote_is_dir(struct sftp_conn *conn, const char *path)
|
||||
{
|
||||
Attrib *a;
|
||||
|
||||
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
|
||||
|
||||
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
|
||||
static int
|
||||
-pathname_is_dir(char *pathname)
|
||||
+pathname_is_dir(const char *pathname)
|
||||
{
|
||||
size_t l = strlen(pathname);
|
||||
|
||||
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
|
||||
}
|
||||
|
||||
static int
|
||||
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag)
|
||||
{
|
||||
char *abs_src = NULL;
|
||||
@@ -590,7 +590,7 @@ out:
|
||||
}
|
||||
|
||||
static int
|
||||
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag)
|
||||
{
|
||||
char *tmp_dst = NULL;
|
||||
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
|
||||
|
||||
/* sftp ls.1 replacement for directories */
|
||||
static int
|
||||
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
|
||||
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
|
||||
{
|
||||
int n;
|
||||
u_int c = 1, colspace = 0, columns = 1;
|
||||
@@ -780,7 +780,7 @@ do_ls_dir(struct sftp_conn *conn, char *
|
||||
|
||||
/* sftp ls.1 replacement which handles path globs */
|
||||
static int
|
||||
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
|
||||
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
|
||||
int lflag)
|
||||
{
|
||||
char *fname, *lname;
|
||||
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
|
||||
}
|
||||
|
||||
static int
|
||||
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
|
||||
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
|
||||
{
|
||||
struct sftp_statvfs st;
|
||||
char s_used[FMT_SCALED_STRSIZE];
|
||||
diff -up openssh-6.1p1/sftp-client.c.coverity openssh-6.1p1/sftp-client.c
|
||||
--- openssh-6.1p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200
|
||||
+++ openssh-6.1p1/sftp-client.c 2012-09-14 21:18:16.891332281 +0200
|
||||
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
|
||||
}
|
||||
|
||||
@ -393,7 +485,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
SFTP_DIRENT ***dir)
|
||||
{
|
||||
Buffer msg;
|
||||
@@ -571,7 +571,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
|
||||
@@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
|
||||
}
|
||||
|
||||
int
|
||||
@ -402,7 +494,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
return(do_lsreaddir(conn, path, 0, dir));
|
||||
}
|
||||
@@ -589,7 +589,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
|
||||
@@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
|
||||
}
|
||||
|
||||
int
|
||||
@ -411,7 +503,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
u_int status, id;
|
||||
|
||||
@@ -604,7 +604,7 @@ do_rm(struct sftp_conn *conn, char *path
|
||||
@@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path
|
||||
}
|
||||
|
||||
int
|
||||
@ -420,7 +512,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
u_int status, id;
|
||||
|
||||
@@ -620,7 +620,7 @@ do_mkdir(struct sftp_conn *conn, char *p
|
||||
@@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p
|
||||
}
|
||||
|
||||
int
|
||||
@ -429,7 +521,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
u_int status, id;
|
||||
|
||||
@@ -636,7 +636,7 @@ do_rmdir(struct sftp_conn *conn, char *p
|
||||
@@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p
|
||||
}
|
||||
|
||||
Attrib *
|
||||
@ -438,7 +530,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
u_int id;
|
||||
|
||||
@@ -650,7 +650,7 @@ do_stat(struct sftp_conn *conn, char *pa
|
||||
@@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa
|
||||
}
|
||||
|
||||
Attrib *
|
||||
@ -447,7 +539,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
u_int id;
|
||||
|
||||
@@ -684,7 +684,7 @@ do_fstat(struct sftp_conn *conn, char *h
|
||||
@@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h
|
||||
#endif
|
||||
|
||||
int
|
||||
@ -456,7 +548,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
u_int status, id;
|
||||
|
||||
@@ -701,7 +701,7 @@ do_setstat(struct sftp_conn *conn, char
|
||||
@@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
int
|
||||
@ -465,7 +557,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
Attrib *a)
|
||||
{
|
||||
u_int status, id;
|
||||
@@ -718,12 +718,12 @@ do_fsetstat(struct sftp_conn *conn, char
|
||||
@@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
char *
|
||||
@ -474,22 +566,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
Buffer msg;
|
||||
u_int type, expected_id, count, id;
|
||||
char *filename, *longname;
|
||||
- Attrib *a;
|
||||
+/*UNUSED Attrib *a; */
|
||||
|
||||
expected_id = id = conn->msg_id++;
|
||||
send_string_request(conn, id, SSH2_FXP_REALPATH, path,
|
||||
@@ -754,7 +754,7 @@ do_realpath(struct sftp_conn *conn, char
|
||||
|
||||
filename = buffer_get_string(&msg, NULL);
|
||||
longname = buffer_get_string(&msg, NULL);
|
||||
- a = decode_attrib(&msg);
|
||||
+ /*a =*/ (void) decode_attrib(&msg);
|
||||
|
||||
debug3("SSH_FXP_REALPATH %s -> %s", path, filename);
|
||||
|
||||
@@ -766,7 +766,7 @@ do_realpath(struct sftp_conn *conn, char
|
||||
@@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
int
|
||||
@ -498,7 +575,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
Buffer msg;
|
||||
u_int status, id;
|
||||
@@ -800,7 +800,7 @@ do_rename(struct sftp_conn *conn, char *
|
||||
@@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char *
|
||||
}
|
||||
|
||||
int
|
||||
@ -507,7 +584,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
Buffer msg;
|
||||
u_int status, id;
|
||||
@@ -833,7 +833,7 @@ do_hardlink(struct sftp_conn *conn, char
|
||||
@@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
int
|
||||
@ -516,7 +593,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
Buffer msg;
|
||||
u_int status, id;
|
||||
@@ -984,7 +984,7 @@ send_read_request(struct sftp_conn *conn
|
||||
@@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn
|
||||
}
|
||||
|
||||
int
|
||||
@ -525,7 +602,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
Attrib *a, int pflag)
|
||||
{
|
||||
Attrib junk;
|
||||
@@ -1223,7 +1223,7 @@ do_download(struct sftp_conn *conn, char
|
||||
@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
static int
|
||||
@ -534,7 +611,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
Attrib *dirattrib, int pflag, int printflag, int depth)
|
||||
{
|
||||
int i, ret = 0;
|
||||
@@ -1313,7 +1313,7 @@ download_dir_internal(struct sftp_conn *
|
||||
@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn *
|
||||
}
|
||||
|
||||
int
|
||||
@ -543,7 +620,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
Attrib *dirattrib, int pflag, int printflag)
|
||||
{
|
||||
char *src_canon;
|
||||
@@ -1331,7 +1331,7 @@ download_dir(struct sftp_conn *conn, cha
|
||||
@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha
|
||||
}
|
||||
|
||||
int
|
||||
@ -552,7 +629,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
int pflag)
|
||||
{
|
||||
int local_fd;
|
||||
@@ -1514,7 +1514,7 @@ do_upload(struct sftp_conn *conn, char *
|
||||
@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char *
|
||||
}
|
||||
|
||||
static int
|
||||
@ -561,7 +638,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
int pflag, int printflag, int depth)
|
||||
{
|
||||
int ret = 0, status;
|
||||
@@ -1605,7 +1605,7 @@ upload_dir_internal(struct sftp_conn *co
|
||||
@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co
|
||||
}
|
||||
|
||||
int
|
||||
@ -570,7 +647,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
int pflag)
|
||||
{
|
||||
char *dst_canon;
|
||||
@@ -1622,7 +1622,7 @@ upload_dir(struct sftp_conn *conn, char
|
||||
@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
char *
|
||||
@ -579,9 +656,9 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
{
|
||||
char *ret;
|
||||
size_t len = strlen(p1) + strlen(p2) + 2;
|
||||
diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
||||
--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp-client.h 2011-09-14 08:09:49.021583940 +0200
|
||||
diff -up openssh-6.1p1/sftp-client.h.coverity openssh-6.1p1/sftp-client.h
|
||||
--- openssh-6.1p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-6.1p1/sftp-client.h 2012-09-14 21:16:41.301906674 +0200
|
||||
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
|
||||
u_int sftp_proto_version(struct sftp_conn *);
|
||||
|
||||
@ -679,124 +756,9 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
||||
+char *path_append(const char *, const char *);
|
||||
|
||||
#endif
|
||||
diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
|
||||
--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp.c 2011-09-14 08:09:49.468493585 +0200
|
||||
@@ -206,7 +206,7 @@ killchild(int signo)
|
||||
{
|
||||
if (sshpid > 1) {
|
||||
kill(sshpid, SIGTERM);
|
||||
- waitpid(sshpid, NULL, 0);
|
||||
+ (void) waitpid(sshpid, NULL, 0);
|
||||
}
|
||||
|
||||
_exit(1);
|
||||
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
|
||||
|
||||
/* Strip one path (usually the pwd) from the start of another */
|
||||
static char *
|
||||
-path_strip(char *path, char *strip)
|
||||
+path_strip(const char *path, const char *strip)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
|
||||
}
|
||||
|
||||
static char *
|
||||
-make_absolute(char *p, char *pwd)
|
||||
+make_absolute(char *p, const char *pwd)
|
||||
{
|
||||
char *abs_str;
|
||||
|
||||
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
|
||||
}
|
||||
|
||||
static int
|
||||
-is_dir(char *path)
|
||||
+is_dir(const char *path)
|
||||
{
|
||||
struct stat sb;
|
||||
|
||||
@@ -494,7 +494,7 @@ is_dir(char *path)
|
||||
}
|
||||
|
||||
static int
|
||||
-remote_is_dir(struct sftp_conn *conn, char *path)
|
||||
+remote_is_dir(struct sftp_conn *conn, const char *path)
|
||||
{
|
||||
Attrib *a;
|
||||
|
||||
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
|
||||
|
||||
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
|
||||
static int
|
||||
-pathname_is_dir(char *pathname)
|
||||
+pathname_is_dir(const char *pathname)
|
||||
{
|
||||
size_t l = strlen(pathname);
|
||||
|
||||
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
|
||||
}
|
||||
|
||||
static int
|
||||
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag)
|
||||
{
|
||||
char *abs_src = NULL;
|
||||
@@ -590,7 +590,7 @@ out:
|
||||
}
|
||||
|
||||
static int
|
||||
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag)
|
||||
{
|
||||
char *tmp_dst = NULL;
|
||||
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
|
||||
|
||||
/* sftp ls.1 replacement for directories */
|
||||
static int
|
||||
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
|
||||
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
|
||||
{
|
||||
int n;
|
||||
u_int c = 1, colspace = 0, columns = 1;
|
||||
@@ -780,10 +780,10 @@ do_ls_dir(struct sftp_conn *conn, char *
|
||||
|
||||
/* sftp ls.1 replacement which handles path globs */
|
||||
static int
|
||||
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
|
||||
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
|
||||
int lflag)
|
||||
{
|
||||
- Attrib *a = NULL;
|
||||
+/*UNUSED Attrib *a = NULL;*/
|
||||
char *fname, *lname;
|
||||
glob_t g;
|
||||
int err;
|
||||
@@ -828,7 +828,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
|
||||
colspace = width / columns;
|
||||
}
|
||||
|
||||
- for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) {
|
||||
+ for (i = 0; g.gl_pathv[i] && !interrupted; i++/*, a = NULL*/) {
|
||||
fname = path_strip(g.gl_pathv[i], strip_path);
|
||||
if (lflag & LS_LONG_VIEW) {
|
||||
if (g.gl_statv[i] == NULL) {
|
||||
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
|
||||
}
|
||||
|
||||
static int
|
||||
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
|
||||
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
|
||||
{
|
||||
struct sftp_statvfs st;
|
||||
char s_used[FMT_SCALED_STRSIZE];
|
||||
diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
||||
--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
|
||||
+++ openssh-5.9p1/ssh-agent.c 2011-09-14 08:09:49.572460295 +0200
|
||||
diff -up openssh-6.1p1/ssh-agent.c.coverity openssh-6.1p1/ssh-agent.c
|
||||
--- openssh-6.1p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
|
||||
+++ openssh-6.1p1/ssh-agent.c 2012-09-14 21:16:41.303906683 +0200
|
||||
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
@ -808,10 +770,10 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
||||
|
||||
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
|
||||
/* Disable ptrace on Linux without sgid bit */
|
||||
diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-14 08:09:49.687509968 +0200
|
||||
@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.coverity 2012-07-31 04:21:34.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd.c 2012-09-14 21:16:41.307906705 +0200
|
||||
@@ -682,8 +682,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
if (getuid() == 0 || geteuid() == 0)
|
||||
privsep_preauth_child();
|
||||
setproctitle("%s", "[net]");
|
||||
@ -823,7 +785,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
@@ -1311,6 +1313,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (num_listen_socks < 0)
|
||||
break;
|
||||
}
|
||||
@ -833,7 +795,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
|
||||
}
|
||||
|
||||
|
||||
@@ -1774,7 +1779,7 @@ main(int ac, char **av)
|
||||
@@ -1768,7 +1773,7 @@ main(int ac, char **av)
|
||||
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
@ -1,6 +1,115 @@
|
||||
diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c
|
||||
--- openssh-6.0p1/auth2.c.gsskex 2012-09-12 15:32:19.110689080 +0200
|
||||
+++ openssh-6.0p1/auth2.c 2012-09-12 15:32:28.309651601 +0200
|
||||
diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
|
||||
--- openssh-6.1p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200
|
||||
+++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:07:19.695203206 +0200
|
||||
@@ -50,6 +50,7 @@
|
||||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
#include <krb5.h>
|
||||
|
||||
extern ServerOptions options;
|
||||
@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
|
||||
len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||
authctxt->krb5_ccname = xmalloc(len);
|
||||
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
||||
+#ifdef USE_CCAPI
|
||||
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
|
||||
authctxt->krb5_ticket_file);
|
||||
+#else
|
||||
+ snprintf(authctxt->krb5_ccname, len, "DIR:%s",
|
||||
+ authctxt->krb5_ticket_file);
|
||||
+#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
void
|
||||
krb5_cleanup_proc(Authctxt *authctxt)
|
||||
{
|
||||
+ struct stat krb5_ccname_stat;
|
||||
+ char krb5_ccname[128], *krb5_ccname_dir_end;
|
||||
+
|
||||
debug("krb5_cleanup_proc called");
|
||||
if (authctxt->krb5_fwd_ccache) {
|
||||
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||
authctxt->krb5_fwd_ccache = NULL;
|
||||
+
|
||||
+ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
|
||||
+ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
|
||||
+
|
||||
+ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
|
||||
+ if (krb5_ccname_dir_end != NULL) {
|
||||
+ strcpy(krb5_ccname_dir_end, "/primary");
|
||||
+
|
||||
+ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
|
||||
+ if (unlink(krb5_ccname) == 0) {
|
||||
+ *krb5_ccname_dir_end = '\0';
|
||||
+ if (rmdir(krb5_ccname) == -1)
|
||||
+ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
|
||||
+ }
|
||||
+ else
|
||||
+ debug("cache primary file '%s', remove failed: %s",
|
||||
+ krb5_ccname, strerror(errno)
|
||||
+ );
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
if (authctxt->krb5_user) {
|
||||
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
||||
@@ -226,31 +255,37 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||
#ifndef HEIMDAL
|
||||
krb5_error_code
|
||||
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||
- int tmpfd, ret, oerrno;
|
||||
- char ccname[40];
|
||||
+ int ret, oerrno;
|
||||
+ char ccname[128];
|
||||
mode_t old_umask;
|
||||
+#ifdef USE_CCAPI
|
||||
+ char cctemplate[] = "API:krb5cc_%d";
|
||||
+#else
|
||||
+ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
|
||||
+ char *tmpdir;
|
||||
+#endif
|
||||
|
||||
ret = snprintf(ccname, sizeof(ccname),
|
||||
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
|
||||
+ cctemplate, geteuid());
|
||||
if (ret < 0 || (size_t)ret >= sizeof(ccname))
|
||||
return ENOMEM;
|
||||
|
||||
- old_umask = umask(0177);
|
||||
- tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||
+#ifndef USE_CCAPI
|
||||
+ old_umask = umask(0077);
|
||||
+ tmpdir = mkdtemp(ccname + strlen("DIR:"));
|
||||
oerrno = errno;
|
||||
umask(old_umask);
|
||||
- if (tmpfd == -1) {
|
||||
- logit("mkstemp(): %.100s", strerror(oerrno));
|
||||
+ if (tmpdir == NULL) {
|
||||
+ logit("mkdtemp(): %.100s", strerror(oerrno));
|
||||
return oerrno;
|
||||
}
|
||||
|
||||
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
||||
+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
|
||||
oerrno = errno;
|
||||
- logit("fchmod(): %.100s", strerror(oerrno));
|
||||
- close(tmpfd);
|
||||
+ logit("chmod(): %.100s", strerror(oerrno));
|
||||
return oerrno;
|
||||
}
|
||||
- close(tmpfd);
|
||||
+#endif
|
||||
|
||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||
}
|
||||
diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c
|
||||
--- openssh-6.1p1/auth2.c.gsskex 2012-09-14 20:57:55.291263269 +0200
|
||||
+++ openssh-6.1p1/auth2.c 2012-09-14 20:57:55.853266860 +0200
|
||||
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
|
||||
extern Authmethod method_kbdint;
|
||||
extern Authmethod method_hostbased;
|
||||
@ -17,9 +126,9 @@ diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c
|
||||
&method_gssapi,
|
||||
#endif
|
||||
#ifdef JPAKE
|
||||
diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c
|
||||
--- openssh-6.0p1/auth2-gss.c.gsskex 2012-09-12 15:32:19.126689015 +0200
|
||||
+++ openssh-6.0p1/auth2-gss.c 2012-09-12 15:32:28.309651601 +0200
|
||||
diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c
|
||||
--- openssh-6.1p1/auth2-gss.c.gsskex 2012-09-14 20:57:55.292263276 +0200
|
||||
+++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:57:55.855266873 +0200
|
||||
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
|
||||
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
|
||||
static void input_gssapi_errtok(int, u_int32_t, void *);
|
||||
@ -94,233 +203,9 @@ diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c
|
||||
Authmethod method_gssapi = {
|
||||
"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
diff -up openssh-6.0p1/auth-krb5.c.gsskex openssh-6.0p1/auth-krb5.c
|
||||
--- openssh-6.0p1/auth-krb5.c.gsskex 2012-09-12 15:32:19.118689046 +0200
|
||||
+++ openssh-6.0p1/auth-krb5.c 2012-09-12 16:03:22.216097657 +0200
|
||||
@@ -50,6 +50,7 @@
|
||||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
#include <krb5.h>
|
||||
|
||||
extern ServerOptions options;
|
||||
@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
|
||||
len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||
authctxt->krb5_ccname = xmalloc(len);
|
||||
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
||||
+#ifdef USE_CCAPI
|
||||
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
|
||||
authctxt->krb5_ticket_file);
|
||||
+#else
|
||||
+ snprintf(authctxt->krb5_ccname, len, "DIR:%s",
|
||||
+ authctxt->krb5_ticket_file);
|
||||
+#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
void
|
||||
krb5_cleanup_proc(Authctxt *authctxt)
|
||||
{
|
||||
+ struct stat krb5_ccname_stat;
|
||||
+ char krb5_ccname[128], *krb5_ccname_dir_end;
|
||||
+
|
||||
debug("krb5_cleanup_proc called");
|
||||
if (authctxt->krb5_fwd_ccache) {
|
||||
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||
authctxt->krb5_fwd_ccache = NULL;
|
||||
+
|
||||
+ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
|
||||
+ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
|
||||
+
|
||||
+ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
|
||||
+ if (krb5_ccname_dir_end != NULL) {
|
||||
+ strcpy(krb5_ccname_dir_end, "/primary");
|
||||
+
|
||||
+ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
|
||||
+ if (unlink(krb5_ccname) == 0) {
|
||||
+ *krb5_ccname_dir_end = '\0';
|
||||
+ if (rmdir(krb5_ccname) == -1)
|
||||
+ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
|
||||
+ }
|
||||
+ else
|
||||
+ debug("cache primary file '%s', remove failed: %s",
|
||||
+ krb5_ccname, strerror(errno)
|
||||
+ );
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
if (authctxt->krb5_user) {
|
||||
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
||||
@@ -226,29 +255,35 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||
#ifndef HEIMDAL
|
||||
krb5_error_code
|
||||
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||
- int tmpfd, ret;
|
||||
+ int ret;
|
||||
char ccname[40];
|
||||
mode_t old_umask;
|
||||
+#ifdef USE_CCAPI
|
||||
+ char cctemplate[] = "API:krb5cc_%d";
|
||||
+#else
|
||||
+ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
|
||||
+ char *tmpdir;
|
||||
+#endif
|
||||
|
||||
ret = snprintf(ccname, sizeof(ccname),
|
||||
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
|
||||
+ cctemplate, geteuid());
|
||||
if (ret < 0 || (size_t)ret >= sizeof(ccname))
|
||||
return ENOMEM;
|
||||
|
||||
- old_umask = umask(0177);
|
||||
- tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||
+#ifndef USE_CCAPI
|
||||
+ old_umask = umask(0077);
|
||||
+ tmpdir = mkdtemp(ccname + strlen("DIR:"));
|
||||
umask(old_umask);
|
||||
- if (tmpfd == -1) {
|
||||
- logit("mkstemp(): %.100s", strerror(errno));
|
||||
+ if (tmpdir == NULL) {
|
||||
+ logit("mkdtemp(): %.100s", strerror(errno));
|
||||
return errno;
|
||||
}
|
||||
-
|
||||
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
||||
- logit("fchmod(): %.100s", strerror(errno));
|
||||
- close(tmpfd);
|
||||
+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
|
||||
+ logit("chmod(): %.100s", strerror(errno));
|
||||
return errno;
|
||||
}
|
||||
- close(tmpfd);
|
||||
+
|
||||
+#endif
|
||||
|
||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||
}
|
||||
diff -up openssh-6.0p1/ChangeLog.gssapi.gsskex openssh-6.0p1/ChangeLog.gssapi
|
||||
--- openssh-6.0p1/ChangeLog.gssapi.gsskex 2012-09-12 15:32:19.106689094 +0200
|
||||
+++ openssh-6.0p1/ChangeLog.gssapi 2012-09-12 15:32:28.310651598 +0200
|
||||
@@ -0,0 +1,113 @@
|
||||
+20110101
|
||||
+ - Finally update for OpenSSH 5.6p1
|
||||
+ - Add GSSAPIServerIdentity option from Jim Basney
|
||||
+
|
||||
+20100308
|
||||
+ - [ Makefile.in, key.c, key.h ]
|
||||
+ Updates for OpenSSH 5.4p1
|
||||
+ - [ servconf.c ]
|
||||
+ Include GSSAPI options in the sshd -T configuration dump, and flag
|
||||
+ some older configuration options as being unsupported. Thanks to Colin
|
||||
+ Watson.
|
||||
+ -
|
||||
+
|
||||
+20100124
|
||||
+ - [ sshconnect2.c ]
|
||||
+ Adapt to deal with additional element in Authmethod structure. Thanks to
|
||||
+ Colin Watson
|
||||
+
|
||||
+20090615
|
||||
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
|
||||
+ sshd.c ]
|
||||
+ Fix issues identified by Greg Hudson following a code review
|
||||
+ Check return value of gss_indicate_mechs
|
||||
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
|
||||
+ Check return values of bignum functions in key exchange
|
||||
+ Use BN_clear_free to clear other side's DH value
|
||||
+ Make ssh_gssapi_id_kex more robust
|
||||
+ Only configure kex table pointers if GSSAPI is enabled
|
||||
+ Don't leak mechanism list, or gss mechanism list
|
||||
+ Cast data.length before printing
|
||||
+ If serverkey isn't provided, use an empty string, rather than NULL
|
||||
+
|
||||
+20090201
|
||||
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
|
||||
+ ssh_config.5 sshconnet2.c ]
|
||||
+ Add support for the GSSAPIClientIdentity option, which allows the user
|
||||
+ to specify which GSSAPI identity to use to contact a given server
|
||||
+
|
||||
+20080404
|
||||
+ - [ gss-serv.c ]
|
||||
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
|
||||
+ been omitted from a previous version of this patch. Reported by Borislav
|
||||
+ Stoichkov
|
||||
+
|
||||
+20070317
|
||||
+ - [ gss-serv-krb5.c ]
|
||||
+ Remove C99ism, where new_ccname was being declared in the middle of a
|
||||
+ function
|
||||
+
|
||||
+20061220
|
||||
+ - [ servconf.c ]
|
||||
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
|
||||
+ documented, behaviour. Reported by Dan Watson.
|
||||
+
|
||||
+20060910
|
||||
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
|
||||
+ ssh-gss.h ]
|
||||
+ add support for gss-group14-sha1 key exchange mechanisms
|
||||
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
|
||||
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
|
||||
+ acceptor principal checking on multi-homed machines.
|
||||
+ <Bugzilla #928>
|
||||
+ - [ sshd_config ssh_config ]
|
||||
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
|
||||
+ configuration files
|
||||
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
|
||||
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
|
||||
+ Limit length of error messages displayed by client
|
||||
+
|
||||
+20060909
|
||||
+ - [ gss-genr.c gss-serv.c ]
|
||||
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
|
||||
+ only, where they belong
|
||||
+ <Bugzilla #1225>
|
||||
+
|
||||
+20060829
|
||||
+ - [ gss-serv-krb5.c ]
|
||||
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
|
||||
+ variable
|
||||
+
|
||||
+20060828
|
||||
+ - [ gss-genr.c ]
|
||||
+ Avoid Heimdal context freeing problem
|
||||
+ <Fixed upstream 20060829>
|
||||
+
|
||||
+20060818
|
||||
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
|
||||
+ Make sure that SPENGO is disabled
|
||||
+ <Bugzilla #1218 - Fixed upstream 20060818>
|
||||
+
|
||||
+20060421
|
||||
+ - [ gssgenr.c, sshconnect2.c ]
|
||||
+ a few type changes (signed versus unsigned, int versus size_t) to
|
||||
+ fix compiler errors/warnings
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ - [ kexgssc.c, sshconnect2.c ]
|
||||
+ fix uninitialized variable warnings
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ - [ gssgenr.c ]
|
||||
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <Bugzilla #1220 >
|
||||
+ - [ gss-serv-krb5.c ]
|
||||
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <Fixed upstream 20060304>
|
||||
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
|
||||
+ add client-side GssapiKeyExchange option
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ - [ sshconnect2.c ]
|
||||
+ add support for GssapiTrustDns option for gssapi-with-mic
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <gssapi-with-mic support is Bugzilla #1008>
|
||||
diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
|
||||
--- openssh-6.0p1/clientloop.c.gsskex 2012-09-12 15:32:19.113689067 +0200
|
||||
+++ openssh-6.0p1/clientloop.c 2012-09-12 15:32:28.311651595 +0200
|
||||
diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
|
||||
--- openssh-6.1p1/clientloop.c.gsskex 2012-09-14 20:57:54.862260529 +0200
|
||||
+++ openssh-6.1p1/clientloop.c 2012-09-14 20:57:55.861266911 +0200
|
||||
@@ -111,6 +111,10 @@
|
||||
#include "msg.h"
|
||||
#include "roaming.h"
|
||||
@ -332,7 +217,7 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
|
||||
/* import options */
|
||||
extern Options options;
|
||||
|
||||
@@ -1540,6 +1544,15 @@ client_loop(int have_pty, int escape_cha
|
||||
@@ -1544,6 +1548,15 @@ client_loop(int have_pty, int escape_cha
|
||||
/* Do channel operations unless rekeying in progress. */
|
||||
if (!rekeying) {
|
||||
channel_after_select(readset, writeset);
|
||||
@ -348,9 +233,9 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
|
||||
if (need_rekeying || packet_need_rekeying()) {
|
||||
debug("need rekeying");
|
||||
xxx_kex->done = 0;
|
||||
diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac
|
||||
--- openssh-6.0p1/configure.ac.gsskex 2012-09-12 15:32:19.085689183 +0200
|
||||
+++ openssh-6.0p1/configure.ac 2012-09-12 15:32:28.312651591 +0200
|
||||
diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
|
||||
--- openssh-6.1p1/configure.ac.gsskex 2012-09-14 20:57:55.756266240 +0200
|
||||
+++ openssh-6.1p1/configure.ac 2012-09-14 20:57:55.865266937 +0200
|
||||
@@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
[Use tunnel device compatibility to OpenBSD])
|
||||
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
||||
@ -382,9 +267,9 @@ diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac
|
||||
m4_pattern_allow([AU_IPv])
|
||||
AC_CHECK_DECL([AU_IPv4], [],
|
||||
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
|
||||
diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c
|
||||
--- openssh-6.0p1/gss-genr.c.gsskex 2012-09-12 15:32:19.097689132 +0200
|
||||
+++ openssh-6.0p1/gss-genr.c 2012-09-12 15:32:28.313651587 +0200
|
||||
diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
|
||||
--- openssh-6.1p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-6.1p1/gss-genr.c 2012-09-14 20:57:55.867266949 +0200
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
|
||||
|
||||
@ -732,9 +617,9 @@ diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c
|
||||
+}
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c
|
||||
--- openssh-6.0p1/gss-serv.c.gsskex 2012-09-12 15:32:19.123689027 +0200
|
||||
+++ openssh-6.0p1/gss-serv.c 2012-09-12 15:53:27.719520213 +0200
|
||||
diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
|
||||
--- openssh-6.1p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
|
||||
+++ openssh-6.1p1/gss-serv.c 2012-09-14 20:57:55.870266969 +0200
|
||||
@@ -45,15 +45,20 @@
|
||||
#include "channels.h"
|
||||
#include "session.h"
|
||||
@ -1073,9 +958,9 @@ diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c
|
||||
}
|
||||
|
||||
#endif
|
||||
diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c
|
||||
--- openssh-6.0p1/gss-serv-krb5.c.gsskex 2012-09-12 15:32:19.115689059 +0200
|
||||
+++ openssh-6.0p1/gss-serv-krb5.c 2012-09-12 16:36:15.768054426 +0200
|
||||
diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
|
||||
--- openssh-6.1p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 20:57:55.872266981 +0200
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
@ -1198,9 +1083,126 @@ diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c
|
||||
};
|
||||
|
||||
#endif /* KRB5 */
|
||||
diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c
|
||||
--- openssh-6.0p1/kex.c.gsskex 2012-09-12 15:32:19.096689136 +0200
|
||||
+++ openssh-6.0p1/kex.c 2012-09-12 15:32:28.315651579 +0200
|
||||
diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi
|
||||
--- openssh-6.1p1/ChangeLog.gssapi.gsskex 2012-09-14 20:57:55.858266892 +0200
|
||||
+++ openssh-6.1p1/ChangeLog.gssapi 2012-09-14 20:57:55.859266899 +0200
|
||||
@@ -0,0 +1,113 @@
|
||||
+20110101
|
||||
+ - Finally update for OpenSSH 5.6p1
|
||||
+ - Add GSSAPIServerIdentity option from Jim Basney
|
||||
+
|
||||
+20100308
|
||||
+ - [ Makefile.in, key.c, key.h ]
|
||||
+ Updates for OpenSSH 5.4p1
|
||||
+ - [ servconf.c ]
|
||||
+ Include GSSAPI options in the sshd -T configuration dump, and flag
|
||||
+ some older configuration options as being unsupported. Thanks to Colin
|
||||
+ Watson.
|
||||
+ -
|
||||
+
|
||||
+20100124
|
||||
+ - [ sshconnect2.c ]
|
||||
+ Adapt to deal with additional element in Authmethod structure. Thanks to
|
||||
+ Colin Watson
|
||||
+
|
||||
+20090615
|
||||
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
|
||||
+ sshd.c ]
|
||||
+ Fix issues identified by Greg Hudson following a code review
|
||||
+ Check return value of gss_indicate_mechs
|
||||
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
|
||||
+ Check return values of bignum functions in key exchange
|
||||
+ Use BN_clear_free to clear other side's DH value
|
||||
+ Make ssh_gssapi_id_kex more robust
|
||||
+ Only configure kex table pointers if GSSAPI is enabled
|
||||
+ Don't leak mechanism list, or gss mechanism list
|
||||
+ Cast data.length before printing
|
||||
+ If serverkey isn't provided, use an empty string, rather than NULL
|
||||
+
|
||||
+20090201
|
||||
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
|
||||
+ ssh_config.5 sshconnet2.c ]
|
||||
+ Add support for the GSSAPIClientIdentity option, which allows the user
|
||||
+ to specify which GSSAPI identity to use to contact a given server
|
||||
+
|
||||
+20080404
|
||||
+ - [ gss-serv.c ]
|
||||
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
|
||||
+ been omitted from a previous version of this patch. Reported by Borislav
|
||||
+ Stoichkov
|
||||
+
|
||||
+20070317
|
||||
+ - [ gss-serv-krb5.c ]
|
||||
+ Remove C99ism, where new_ccname was being declared in the middle of a
|
||||
+ function
|
||||
+
|
||||
+20061220
|
||||
+ - [ servconf.c ]
|
||||
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
|
||||
+ documented, behaviour. Reported by Dan Watson.
|
||||
+
|
||||
+20060910
|
||||
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
|
||||
+ ssh-gss.h ]
|
||||
+ add support for gss-group14-sha1 key exchange mechanisms
|
||||
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
|
||||
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
|
||||
+ acceptor principal checking on multi-homed machines.
|
||||
+ <Bugzilla #928>
|
||||
+ - [ sshd_config ssh_config ]
|
||||
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
|
||||
+ configuration files
|
||||
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
|
||||
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
|
||||
+ Limit length of error messages displayed by client
|
||||
+
|
||||
+20060909
|
||||
+ - [ gss-genr.c gss-serv.c ]
|
||||
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
|
||||
+ only, where they belong
|
||||
+ <Bugzilla #1225>
|
||||
+
|
||||
+20060829
|
||||
+ - [ gss-serv-krb5.c ]
|
||||
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
|
||||
+ variable
|
||||
+
|
||||
+20060828
|
||||
+ - [ gss-genr.c ]
|
||||
+ Avoid Heimdal context freeing problem
|
||||
+ <Fixed upstream 20060829>
|
||||
+
|
||||
+20060818
|
||||
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
|
||||
+ Make sure that SPENGO is disabled
|
||||
+ <Bugzilla #1218 - Fixed upstream 20060818>
|
||||
+
|
||||
+20060421
|
||||
+ - [ gssgenr.c, sshconnect2.c ]
|
||||
+ a few type changes (signed versus unsigned, int versus size_t) to
|
||||
+ fix compiler errors/warnings
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ - [ kexgssc.c, sshconnect2.c ]
|
||||
+ fix uninitialized variable warnings
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ - [ gssgenr.c ]
|
||||
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <Bugzilla #1220 >
|
||||
+ - [ gss-serv-krb5.c ]
|
||||
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <Fixed upstream 20060304>
|
||||
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
|
||||
+ add client-side GssapiKeyExchange option
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ - [ sshconnect2.c ]
|
||||
+ add support for GssapiTrustDns option for gssapi-with-mic
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <gssapi-with-mic support is Bugzilla #1008>
|
||||
diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
|
||||
--- openssh-6.1p1/kex.c.gsskex 2012-09-14 20:57:55.139262298 +0200
|
||||
+++ openssh-6.1p1/kex.c 2012-09-14 20:57:55.874266995 +0200
|
||||
@@ -51,6 +51,10 @@
|
||||
#include "roaming.h"
|
||||
#include "audit.h"
|
||||
@ -1233,9 +1235,9 @@ diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c
|
||||
} else
|
||||
fatal("bad kex alg %s", k->name);
|
||||
}
|
||||
diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c
|
||||
--- openssh-6.0p1/kexgssc.c.gsskex 2012-09-12 15:32:19.105689098 +0200
|
||||
+++ openssh-6.0p1/kexgssc.c 2012-09-12 15:32:28.315651579 +0200
|
||||
diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
|
||||
--- openssh-6.1p1/kexgssc.c.gsskex 2012-09-14 20:57:55.875267001 +0200
|
||||
+++ openssh-6.1p1/kexgssc.c 2012-09-14 20:57:55.875267001 +0200
|
||||
@@ -0,0 +1,334 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1571,9 +1573,9 @@ diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c
|
||||
+}
|
||||
+
|
||||
+#endif /* GSSAPI */
|
||||
diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c
|
||||
--- openssh-6.0p1/kexgsss.c.gsskex 2012-09-12 15:32:19.116689055 +0200
|
||||
+++ openssh-6.0p1/kexgsss.c 2012-09-12 15:32:28.316651574 +0200
|
||||
diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
|
||||
--- openssh-6.1p1/kexgsss.c.gsskex 2012-09-14 20:57:55.876267007 +0200
|
||||
+++ openssh-6.1p1/kexgsss.c 2012-09-14 20:57:55.876267007 +0200
|
||||
@@ -0,0 +1,288 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1863,9 +1865,9 @@ diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c
|
||||
+ ssh_gssapi_rekey_creds();
|
||||
+}
|
||||
+#endif /* GSSAPI */
|
||||
diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h
|
||||
--- openssh-6.0p1/kex.h.gsskex 2012-09-12 15:32:19.093689148 +0200
|
||||
+++ openssh-6.0p1/kex.h 2012-09-12 15:32:28.316651574 +0200
|
||||
diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
|
||||
--- openssh-6.1p1/kex.h.gsskex 2012-09-14 20:57:55.141262312 +0200
|
||||
+++ openssh-6.1p1/kex.h 2012-09-14 20:57:55.878267019 +0200
|
||||
@@ -73,6 +73,9 @@ enum kex_exchange {
|
||||
KEX_DH_GEX_SHA1,
|
||||
KEX_DH_GEX_SHA256,
|
||||
@ -1901,10 +1903,10 @@ diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h
|
||||
void newkeys_destroy(Newkeys *newkeys);
|
||||
|
||||
void
|
||||
diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
|
||||
--- openssh-6.0p1/key.c.gsskex 2012-09-12 15:32:19.103689108 +0200
|
||||
+++ openssh-6.0p1/key.c 2012-09-12 15:32:28.317651570 +0200
|
||||
@@ -1006,6 +1006,8 @@ key_ssh_name_from_type_nid(int type, int
|
||||
diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
|
||||
--- openssh-6.1p1/key.c.gsskex 2012-09-14 20:57:55.593265199 +0200
|
||||
+++ openssh-6.1p1/key.c 2012-09-14 20:57:55.881267039 +0200
|
||||
@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
|
||||
}
|
||||
break;
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
@ -1913,7 +1915,7 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
|
||||
}
|
||||
return "ssh-unknown";
|
||||
}
|
||||
@@ -1311,6 +1313,8 @@ key_type_from_name(char *name)
|
||||
@@ -1316,6 +1318,8 @@ key_type_from_name(char *name)
|
||||
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
|
||||
return KEY_ECDSA_CERT;
|
||||
#endif
|
||||
@ -1922,9 +1924,9 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
|
||||
}
|
||||
|
||||
debug2("key_type_from_name: unknown key type '%s'", name);
|
||||
diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h
|
||||
--- openssh-6.0p1/key.h.gsskex 2012-09-12 15:32:19.094689144 +0200
|
||||
+++ openssh-6.0p1/key.h 2012-09-12 15:32:28.318651566 +0200
|
||||
diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
|
||||
--- openssh-6.1p1/key.h.gsskex 2012-09-14 20:57:55.184262586 +0200
|
||||
+++ openssh-6.1p1/key.h 2012-09-14 20:57:55.882267045 +0200
|
||||
@@ -44,6 +44,7 @@ enum types {
|
||||
KEY_ECDSA_CERT,
|
||||
KEY_RSA_CERT_V00,
|
||||
@ -1933,9 +1935,9 @@ diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h
|
||||
KEY_UNSPEC
|
||||
};
|
||||
enum fp_type {
|
||||
diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
|
||||
--- openssh-6.0p1/Makefile.in.gsskex 2012-09-12 15:32:19.128689006 +0200
|
||||
+++ openssh-6.0p1/Makefile.in 2012-09-12 15:32:28.318651566 +0200
|
||||
diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
|
||||
--- openssh-6.1p1/Makefile.in.gsskex 2012-09-14 20:57:55.832266726 +0200
|
||||
+++ openssh-6.1p1/Makefile.in 2012-09-14 20:57:55.884267058 +0200
|
||||
@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
@ -1953,9 +1955,9 @@ diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
sftp-server.o sftp-common.o \
|
||||
roaming_common.o roaming_serv.o \
|
||||
diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
--- openssh-6.0p1/monitor.c.gsskex 2012-09-12 15:32:19.112689072 +0200
|
||||
+++ openssh-6.0p1/monitor.c 2012-09-12 15:32:28.319651562 +0200
|
||||
diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
||||
--- openssh-6.1p1/monitor.c.gsskex 2012-09-14 20:57:55.299263321 +0200
|
||||
+++ openssh-6.1p1/monitor.c 2012-09-14 20:57:55.888267083 +0200
|
||||
@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
||||
int mm_answer_gss_accept_ctx(int, Buffer *);
|
||||
int mm_answer_gss_userok(int, Buffer *);
|
||||
@ -2008,7 +2010,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
} else {
|
||||
mon_dispatch = mon_dispatch_postauth15;
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||
@@ -1942,6 +1959,13 @@ mm_get_kex(Buffer *m)
|
||||
@@ -1939,6 +1956,13 @@ mm_get_kex(Buffer *m)
|
||||
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||
@ -2022,7 +2024,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
kex->server = 1;
|
||||
kex->hostkey_type = buffer_get_int(m);
|
||||
kex->kex_type = buffer_get_int(m);
|
||||
@@ -2165,6 +2189,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||
@@ -2162,6 +2186,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||
OM_uint32 major;
|
||||
u_int len;
|
||||
|
||||
@ -2032,7 +2034,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
goid.elements = buffer_get_string(m, &len);
|
||||
goid.length = len;
|
||||
|
||||
@@ -2192,6 +2219,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
@@ -2189,6 +2216,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
OM_uint32 flags = 0; /* GSI needs this */
|
||||
u_int len;
|
||||
|
||||
@ -2042,7 +2044,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
in.value = buffer_get_string(m, &len);
|
||||
in.length = len;
|
||||
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
||||
@@ -2209,6 +2239,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
@@ -2206,6 +2236,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||
@ -2050,7 +2052,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
@@ -2220,6 +2251,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
@@ -2217,6 +2248,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
OM_uint32 ret;
|
||||
u_int len;
|
||||
|
||||
@ -2060,7 +2062,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
gssbuf.value = buffer_get_string(m, &len);
|
||||
gssbuf.length = len;
|
||||
mic.value = buffer_get_string(m, &len);
|
||||
@@ -2246,7 +2280,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -2243,7 +2277,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
{
|
||||
int authenticated;
|
||||
|
||||
@ -2073,7 +2075,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, authenticated);
|
||||
@@ -2260,6 +2298,74 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -2257,6 +2295,74 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
@ -2148,9 +2150,9 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#ifdef JPAKE
|
||||
diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
|
||||
--- openssh-6.0p1/monitor.h.gsskex 2012-09-12 15:32:19.119689041 +0200
|
||||
+++ openssh-6.0p1/monitor.h 2012-09-12 15:32:28.319651562 +0200
|
||||
diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
|
||||
--- openssh-6.1p1/monitor.h.gsskex 2012-09-14 20:57:55.300263327 +0200
|
||||
+++ openssh-6.1p1/monitor.h 2012-09-14 20:57:55.889267090 +0200
|
||||
@@ -56,6 +56,8 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
|
||||
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
|
||||
@ -2160,9 +2162,9 @@ diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
|
||||
MONITOR_REQ_PAM_START,
|
||||
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
|
||||
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
|
||||
diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
|
||||
--- openssh-6.0p1/monitor_wrap.c.gsskex 2012-09-12 15:32:19.122689031 +0200
|
||||
+++ openssh-6.0p1/monitor_wrap.c 2012-09-12 15:32:28.320651557 +0200
|
||||
diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
|
||||
--- openssh-6.1p1/monitor_wrap.c.gsskex 2012-09-14 20:57:55.302263340 +0200
|
||||
+++ openssh-6.1p1/monitor_wrap.c 2012-09-14 20:57:55.892267109 +0200
|
||||
@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
}
|
||||
|
||||
@ -2224,9 +2226,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#ifdef JPAKE
|
||||
diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
|
||||
--- openssh-6.0p1/monitor_wrap.h.gsskex 2012-09-12 15:32:19.107689091 +0200
|
||||
+++ openssh-6.0p1/monitor_wrap.h 2012-09-12 15:32:28.321651552 +0200
|
||||
diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
|
||||
--- openssh-6.1p1/monitor_wrap.h.gsskex 2012-09-14 20:57:55.304263353 +0200
|
||||
+++ openssh-6.1p1/monitor_wrap.h 2012-09-14 20:57:55.893267116 +0200
|
||||
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
|
||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||
@ -2239,9 +2241,9 @@ diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
|
||||
--- openssh-6.0p1/readconf.c.gsskex 2012-09-12 15:32:19.100689120 +0200
|
||||
+++ openssh-6.0p1/readconf.c 2012-09-12 15:32:28.321651552 +0200
|
||||
diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
|
||||
--- openssh-6.1p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
|
||||
+++ openssh-6.1p1/readconf.c 2012-09-14 20:57:55.896267134 +0200
|
||||
@@ -129,6 +129,8 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
@ -2330,9 +2332,9 @@ diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
|
||||
--- openssh-6.0p1/readconf.h.gsskex 2012-09-12 15:32:19.125689019 +0200
|
||||
+++ openssh-6.0p1/readconf.h 2012-09-12 15:32:28.322651548 +0200
|
||||
diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
|
||||
--- openssh-6.1p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
|
||||
+++ openssh-6.1p1/readconf.h 2012-09-14 20:57:55.897267141 +0200
|
||||
@@ -48,7 +48,12 @@ typedef struct {
|
||||
int challenge_response_authentication;
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
@ -2346,10 +2348,10 @@ diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
|
||||
--- openssh-6.0p1/servconf.c.gsskex 2012-09-12 15:32:19.088689170 +0200
|
||||
+++ openssh-6.0p1/servconf.c 2012-09-12 15:32:28.323651545 +0200
|
||||
@@ -99,7 +99,10 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
||||
--- openssh-6.1p1/servconf.c.gsskex 2012-09-14 20:57:55.760266266 +0200
|
||||
+++ openssh-6.1p1/servconf.c 2012-09-14 20:57:55.900267160 +0200
|
||||
@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
@ -2360,7 +2362,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -232,8 +235,14 @@ fill_default_server_options(ServerOption
|
||||
@@ -236,8 +239,14 @@ fill_default_server_options(ServerOption
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2375,7 +2377,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -327,7 +336,9 @@ typedef enum {
|
||||
@@ -333,7 +342,9 @@ typedef enum {
|
||||
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@ -2386,7 +2388,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
|
||||
sRequiredAuthentications1, sRequiredAuthentications2,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -393,10 +404,20 @@ static struct {
|
||||
@@ -399,10 +410,20 @@ static struct {
|
||||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
@ -2407,7 +2409,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||
@@ -983,10 +1004,22 @@ process_server_config_line(ServerOptions
|
||||
@@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2430,7 +2432,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -1794,6 +1827,9 @@ dump_config(ServerOptions *o)
|
||||
@@ -1944,6 +1977,9 @@ dump_config(ServerOptions *o)
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||
@ -2440,9 +2442,9 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
|
||||
#endif
|
||||
#ifdef JPAKE
|
||||
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
|
||||
diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
|
||||
--- openssh-6.0p1/servconf.h.gsskex 2012-09-12 15:32:19.121689034 +0200
|
||||
+++ openssh-6.0p1/servconf.h 2012-09-12 15:32:28.323651545 +0200
|
||||
diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
|
||||
--- openssh-6.1p1/servconf.h.gsskex 2012-09-14 20:57:55.762266278 +0200
|
||||
+++ openssh-6.1p1/servconf.h 2012-09-14 20:57:55.902267173 +0200
|
||||
@@ -103,7 +103,10 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
@ -2454,9 +2456,21 @@ diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
|
||||
--- openssh-6.0p1/ssh_config.5.gsskex 2012-09-12 15:32:19.091689156 +0200
|
||||
+++ openssh-6.0p1/ssh_config.5 2012-09-12 15:32:28.324651542 +0200
|
||||
diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
|
||||
--- openssh-6.1p1/ssh_config.gsskex 2012-09-14 20:57:55.707265928 +0200
|
||||
+++ openssh-6.1p1/ssh_config 2012-09-14 20:57:55.906267198 +0200
|
||||
@@ -26,6 +26,8 @@
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
+# GSSAPIKeyExchange no
|
||||
+# GSSAPITrustDNS no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
|
||||
--- openssh-6.1p1/ssh_config.5.gsskex 2012-07-02 10:53:38.000000000 +0200
|
||||
+++ openssh-6.1p1/ssh_config.5 2012-09-14 20:57:55.904267186 +0200
|
||||
@@ -527,11 +527,43 @@ Specifies whether user authentication ba
|
||||
The default is
|
||||
.Dq no .
|
||||
@ -2502,21 +2516,9 @@ diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff -up openssh-6.0p1/ssh_config.gsskex openssh-6.0p1/ssh_config
|
||||
--- openssh-6.0p1/ssh_config.gsskex 2012-09-12 15:32:19.087689174 +0200
|
||||
+++ openssh-6.0p1/ssh_config 2012-09-12 15:32:28.324651542 +0200
|
||||
@@ -26,6 +26,8 @@
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
+# GSSAPIKeyExchange no
|
||||
+# GSSAPITrustDNS no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
|
||||
--- openssh-6.0p1/sshconnect2.c.gsskex 2012-09-12 15:32:19.099689124 +0200
|
||||
+++ openssh-6.0p1/sshconnect2.c 2012-09-12 15:32:28.325651538 +0200
|
||||
diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
|
||||
--- openssh-6.1p1/sshconnect2.c.gsskex 2012-09-14 20:57:55.605265275 +0200
|
||||
+++ openssh-6.1p1/sshconnect2.c 2012-09-14 20:57:55.909267218 +0200
|
||||
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
{
|
||||
Kex *kex;
|
||||
@ -2715,9 +2717,9 @@ diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
int
|
||||
diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
|
||||
--- openssh-6.0p1/sshd.c.gsskex 2012-09-12 15:32:19.130688998 +0200
|
||||
+++ openssh-6.0p1/sshd.c 2012-09-12 15:32:28.326651534 +0200
|
||||
diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.gsskex 2012-09-14 20:57:55.799266515 +0200
|
||||
+++ openssh-6.1p1/sshd.c 2012-09-14 20:57:55.912267237 +0200
|
||||
@@ -124,6 +124,10 @@
|
||||
#include "ssh-sandbox.h"
|
||||
#include "version.h"
|
||||
@ -2729,7 +2731,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
|
||||
#ifdef LIBWRAP
|
||||
#include <tcpd.h>
|
||||
#include <syslog.h>
|
||||
@@ -1701,10 +1705,13 @@ main(int ac, char **av)
|
||||
@@ -1692,10 +1696,13 @@ main(int ac, char **av)
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
}
|
||||
@ -2743,7 +2745,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
|
||||
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
|
||||
logit("sshd: no hostkeys available -- exiting.");
|
||||
exit(1);
|
||||
@@ -2037,6 +2044,60 @@ main(int ac, char **av)
|
||||
@@ -2027,6 +2034,60 @@ main(int ac, char **av)
|
||||
/* Log the connection. */
|
||||
verbose("Connection from %.500s port %d", remote_ip, remote_port);
|
||||
|
||||
@ -2804,7 +2806,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
|
||||
/*
|
||||
* We don't want to listen forever unless the other side
|
||||
* successfully authenticates itself. So we set up an alarm which is
|
||||
@@ -2435,6 +2496,48 @@ do_ssh2_kex(void)
|
||||
@@ -2425,6 +2486,48 @@ do_ssh2_kex(void)
|
||||
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
|
||||
|
||||
@ -2853,7 +2855,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
|
||||
/* start key exchange */
|
||||
kex = kex_setup(myproposal);
|
||||
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
|
||||
@@ -2442,6 +2545,13 @@ do_ssh2_kex(void)
|
||||
@@ -2432,6 +2535,13 @@ do_ssh2_kex(void)
|
||||
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||
@ -2867,10 +2869,22 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
|
||||
kex->server = 1;
|
||||
kex->client_version_string=client_version_string;
|
||||
kex->server_version_string=server_version_string;
|
||||
diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
|
||||
--- openssh-6.0p1/sshd_config.5.gsskex 2012-09-12 15:32:19.109689084 +0200
|
||||
+++ openssh-6.0p1/sshd_config.5 2012-09-12 15:32:28.327651530 +0200
|
||||
@@ -437,12 +437,40 @@ Specifies whether user authentication ba
|
||||
diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.gsskex 2012-09-14 20:57:55.801266528 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-09-14 20:57:55.916267263 +0200
|
||||
@@ -85,6 +85,8 @@ ChallengeResponseAuthentication no
|
||||
GSSAPIAuthentication yes
|
||||
#GSSAPICleanupCredentials yes
|
||||
GSSAPICleanupCredentials yes
|
||||
+#GSSAPIStrictAcceptorCheck yes
|
||||
+#GSSAPIKeyExchange no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
|
||||
--- openssh-6.1p1/sshd_config.5.gsskex 2012-09-14 20:57:55.767266310 +0200
|
||||
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:57:55.915267256 +0200
|
||||
@@ -439,12 +439,40 @@ Specifies whether user authentication ba
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
@ -2911,21 +2925,9 @@ diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
|
||||
.It Cm HostbasedAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful public key client host authentication is allowed
|
||||
diff -up openssh-6.0p1/sshd_config.gsskex openssh-6.0p1/sshd_config
|
||||
--- openssh-6.0p1/sshd_config.gsskex 2012-09-12 15:32:19.102689112 +0200
|
||||
+++ openssh-6.0p1/sshd_config 2012-09-12 15:32:28.327651530 +0200
|
||||
@@ -83,6 +83,8 @@ ChallengeResponseAuthentication no
|
||||
GSSAPIAuthentication yes
|
||||
#GSSAPICleanupCredentials yes
|
||||
GSSAPICleanupCredentials yes
|
||||
+#GSSAPIStrictAcceptorCheck yes
|
||||
+#GSSAPIKeyExchange no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff -up openssh-6.0p1/ssh-gss.h.gsskex openssh-6.0p1/ssh-gss.h
|
||||
--- openssh-6.0p1/ssh-gss.h.gsskex 2012-09-12 15:32:19.090689160 +0200
|
||||
+++ openssh-6.0p1/ssh-gss.h 2012-09-12 15:32:28.328651526 +0200
|
||||
diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
|
||||
--- openssh-6.1p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
|
||||
+++ openssh-6.1p1/ssh-gss.h 2012-09-14 20:57:55.918267275 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
|
||||
/*
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
|
||||
--- openssh-5.9p0/auth-krb5.c.kuserok 2011-08-30 16:37:32.651150128 +0200
|
||||
+++ openssh-5.9p0/auth-krb5.c 2011-08-30 16:37:37.549087368 +0200
|
||||
@@ -54,6 +54,20 @@
|
||||
diff -up openssh-6.1p1/auth-krb5.c.kuserok openssh-6.1p1/auth-krb5.c
|
||||
--- openssh-6.1p1/auth-krb5.c.kuserok 2012-09-14 21:08:16.941496194 +0200
|
||||
+++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:08:17.063496896 +0200
|
||||
@@ -55,6 +55,20 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
@ -22,7 +22,7 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
@ -31,9 +31,9 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
|
||||
--- openssh-5.9p0/gss-serv-krb5.c.kuserok 2011-08-30 16:37:36.988024804 +0200
|
||||
+++ openssh-5.9p0/gss-serv-krb5.c 2011-08-30 16:37:37.659088030 +0200
|
||||
diff -up openssh-6.1p1/gss-serv-krb5.c.kuserok openssh-6.1p1/gss-serv-krb5.c
|
||||
--- openssh-6.1p1/gss-serv-krb5.c.kuserok 2012-09-14 21:08:17.019496642 +0200
|
||||
+++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 21:08:17.065496906 +0200
|
||||
@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
|
||||
int);
|
||||
|
||||
@ -51,19 +51,19 @@ diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
luser, (char *)client->displayname.value);
|
||||
diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
|
||||
--- openssh-5.9p0/servconf.c.kuserok 2011-08-30 16:37:35.093073603 +0200
|
||||
+++ openssh-5.9p0/servconf.c 2011-08-30 16:41:13.568087145 +0200
|
||||
@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions
|
||||
options->authorized_principals_file = NULL;
|
||||
diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
|
||||
--- openssh-6.1p1/servconf.c.kuserok 2012-09-14 21:08:16.989496471 +0200
|
||||
+++ openssh-6.1p1/servconf.c 2012-09-14 21:09:30.864868698 +0200
|
||||
@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions
|
||||
options->ip_qos_interactive = -1;
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
+ options->use_kuserok = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
@@ -301,6 +302,8 @@ fill_default_server_options(ServerOption
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->show_patchlevel == -1)
|
||||
options->show_patchlevel = 0;
|
||||
+ if (options->use_kuserok == -1)
|
||||
@ -71,7 +71,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
|
||||
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -317,7 +320,7 @@ typedef enum {
|
||||
@@ -327,7 +330,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
@ -80,7 +80,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -388,11 +391,13 @@ static struct {
|
||||
@@ -399,11 +402,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
@ -94,7 +94,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1371,6 +1376,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1486,6 +1491,10 @@ process_server_config_line(ServerOptions
|
||||
*activep = value;
|
||||
break;
|
||||
|
||||
@ -105,7 +105,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1580,6 +1589,7 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -1769,6 +1778,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
@ -113,7 +113,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
|
||||
|
||||
/* See comment in servconf.h */
|
||||
COPY_MATCH_STRING_OPTS();
|
||||
@@ -1816,6 +1826,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -2005,6 +2015,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
@ -121,10 +121,10 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
|
||||
--- openssh-5.9p0/servconf.h.kuserok 2011-08-30 16:37:35.201051957 +0200
|
||||
+++ openssh-5.9p0/servconf.h 2011-08-30 16:37:37.926087431 +0200
|
||||
@@ -166,6 +166,7 @@ typedef struct {
|
||||
diff -up openssh-6.1p1/servconf.h.kuserok openssh-6.1p1/servconf.h
|
||||
--- openssh-6.1p1/servconf.h.kuserok 2012-09-14 21:08:16.990496476 +0200
|
||||
+++ openssh-6.1p1/servconf.h 2012-09-14 21:08:17.071496942 +0200
|
||||
@@ -169,6 +169,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
@ -132,10 +132,21 @@ diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
|
||||
--- openssh-5.9p0/sshd_config.5.kuserok 2011-08-30 16:37:35.979024607 +0200
|
||||
+++ openssh-5.9p0/sshd_config.5 2011-08-30 16:37:38.040087843 +0200
|
||||
@@ -603,6 +603,10 @@ Specifies whether to automatically destr
|
||||
diff -up openssh-6.1p1/sshd_config.kuserok openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.kuserok 2012-09-14 21:08:17.002496545 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-09-14 21:08:17.074496957 +0200
|
||||
@@ -79,6 +79,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
+#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
diff -up openssh-6.1p1/sshd_config.5.kuserok openssh-6.1p1/sshd_config.5
|
||||
--- openssh-6.1p1/sshd_config.5.kuserok 2012-09-14 21:08:17.004496556 +0200
|
||||
+++ openssh-6.1p1/sshd_config.5 2012-09-14 21:08:17.073496952 +0200
|
||||
@@ -618,6 +618,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
@ -146,7 +157,7 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -746,6 +750,7 @@ Available keywords are
|
||||
@@ -767,6 +771,7 @@ Available keywords are
|
||||
.Cm HostbasedUsesNameFromPacketOnly ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
@ -154,14 +165,3 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
.Cm PubkeyAuthentication ,
|
||||
diff -up openssh-5.9p0/sshd_config.kuserok openssh-5.9p0/sshd_config
|
||||
--- openssh-5.9p0/sshd_config.kuserok 2011-08-30 16:37:36.808026328 +0200
|
||||
+++ openssh-5.9p0/sshd_config 2011-08-30 16:37:38.148071520 +0200
|
||||
@@ -77,6 +77,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
+#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
@ -1,10 +1,9 @@
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 8dcfdf2..95b63ad 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1592,6 +1592,10 @@ main(int ac, char **av)
|
||||
diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
|
||||
@@ -1617,6 +1617,10 @@ main(int ac, char **av)
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
&cfg, NULL, NULL, NULL);
|
||||
&cfg, NULL);
|
||||
|
||||
+ /* 'UsePAM no' is not supported in Fedora */
|
||||
+ if (! options.use_pam)
|
||||
@ -13,11 +12,10 @@ index 8dcfdf2..95b63ad 100644
|
||||
seed_rng();
|
||||
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 8c16754..9f28b04 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
|
||||
diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
|
||||
@@ -95,6 +95,8 @@ GSSAPICleanupCredentials yes
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
|
||||
--- openssh-5.9p1/auth.c.required-authentication 2012-07-27 12:21:41.181601972 +0200
|
||||
+++ openssh-5.9p1/auth.c 2012-07-27 12:21:41.203602020 +0200
|
||||
diff -up openssh-6.1p1/auth.c.required-authentication openssh-6.1p1/auth.c
|
||||
--- openssh-6.1p1/auth.c.required-authentication 2012-09-14 20:17:56.730488188 +0200
|
||||
+++ openssh-6.1p1/auth.c 2012-09-14 20:17:56.795488498 +0200
|
||||
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
|
||||
}
|
||||
|
||||
@ -32,7 +32,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
|
||||
{
|
||||
switch (options.permit_root_login) {
|
||||
case PERMIT_YES:
|
||||
@@ -694,3 +696,57 @@ fakepw(void)
|
||||
@@ -696,3 +698,57 @@ fakepw(void)
|
||||
|
||||
return (&fake);
|
||||
}
|
||||
@ -90,9 +90,9 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
|
||||
+
|
||||
+ return (ret);
|
||||
+}
|
||||
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
|
||||
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
|
||||
+++ openssh-5.9p1/auth.h 2012-07-27 12:21:41.204602022 +0200
|
||||
diff -up openssh-6.1p1/auth.h.required-authentication openssh-6.1p1/auth.h
|
||||
--- openssh-6.1p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
|
||||
+++ openssh-6.1p1/auth.h 2012-09-14 20:17:56.796488502 +0200
|
||||
@@ -142,10 +142,11 @@ void disable_forwarding(void);
|
||||
void do_authentication(Authctxt *);
|
||||
void do_authentication2(Authctxt *);
|
||||
@ -120,9 +120,9 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
|
||||
|
||||
int sys_auth_passwd(Authctxt *, const char *);
|
||||
|
||||
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
|
||||
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
|
||||
+++ openssh-5.9p1/auth1.c 2012-07-27 12:50:50.708706675 +0200
|
||||
diff -up openssh-6.1p1/auth1.c.required-authentication openssh-6.1p1/auth1.c
|
||||
--- openssh-6.1p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
|
||||
+++ openssh-6.1p1/auth1.c 2012-09-14 20:17:56.798488515 +0200
|
||||
@@ -98,6 +98,55 @@ static const struct AuthMethod1
|
||||
return (NULL);
|
||||
}
|
||||
@ -281,9 +281,9 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
|
||||
|
||||
packet_start(SSH_SMSG_FAILURE);
|
||||
packet_send();
|
||||
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
|
||||
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||
+++ openssh-5.9p1/auth2.c 2012-07-27 12:51:59.048241612 +0200
|
||||
diff -up openssh-6.1p1/auth2.c.required-authentication openssh-6.1p1/auth2.c
|
||||
--- openssh-6.1p1/auth2.c.required-authentication 2011-12-19 00:52:51.000000000 +0100
|
||||
+++ openssh-6.1p1/auth2.c 2012-09-14 20:17:56.799488520 +0200
|
||||
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
|
||||
{
|
||||
Authctxt *authctxt = ctxt;
|
||||
@ -452,9 +452,9 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
|
||||
+ return (ret);
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
|
||||
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||
+++ openssh-5.9p1/auth2-gss.c 2012-07-27 12:21:41.206602026 +0200
|
||||
diff -up openssh-6.1p1/auth2-gss.c.required-authentication openssh-6.1p1/auth2-gss.c
|
||||
--- openssh-6.1p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||
+++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:17:56.801488528 +0200
|
||||
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
|
||||
}
|
||||
authctxt->postponed = 0;
|
||||
@ -482,9 +482,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
|
||||
}
|
||||
|
||||
Authmethod method_gssapi = {
|
||||
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
|
||||
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
|
||||
+++ openssh-5.9p1/auth2-chall.c 2012-07-27 12:21:41.206602026 +0200
|
||||
diff -up openssh-6.1p1/auth2-chall.c.required-authentication openssh-6.1p1/auth2-chall.c
|
||||
--- openssh-6.1p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
|
||||
+++ openssh-6.1p1/auth2-chall.c 2012-09-14 20:17:56.802488532 +0200
|
||||
@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
|
||||
auth2_challenge_start(authctxt);
|
||||
}
|
||||
@ -495,9 +495,9 @@ diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2
|
||||
xfree(method);
|
||||
}
|
||||
|
||||
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
|
||||
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
|
||||
+++ openssh-5.9p1/auth2-none.c 2012-07-27 12:21:41.207602028 +0200
|
||||
diff -up openssh-6.1p1/auth2-none.c.required-authentication openssh-6.1p1/auth2-none.c
|
||||
--- openssh-6.1p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
|
||||
+++ openssh-6.1p1/auth2-none.c 2012-09-14 20:17:56.803488537 +0200
|
||||
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
|
||||
{
|
||||
none_enabled = 0;
|
||||
@ -507,9 +507,9 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
|
||||
return (PRIVSEP(auth_password(authctxt, "")));
|
||||
return (0);
|
||||
}
|
||||
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.required-authentication 2012-07-27 12:21:41.161601930 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2012-07-27 12:51:18.884927066 +0200
|
||||
diff -up openssh-6.1p1/monitor.c.required-authentication openssh-6.1p1/monitor.c
|
||||
--- openssh-6.1p1/monitor.c.required-authentication 2012-09-14 20:17:56.685487974 +0200
|
||||
+++ openssh-6.1p1/monitor.c 2012-09-14 20:17:56.806488552 +0200
|
||||
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
|
||||
static char *hostbased_cuser = NULL;
|
||||
static char *hostbased_chost = NULL;
|
||||
@ -579,7 +579,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
}
|
||||
|
||||
/* Drain any buffered messages from the child */
|
||||
@@ -862,6 +878,7 @@ mm_answer_authpassword(int sock, Buffer
|
||||
@@ -860,6 +876,7 @@ mm_answer_authpassword(int sock, Buffer
|
||||
auth_method = "none";
|
||||
else
|
||||
auth_method = "password";
|
||||
@ -587,7 +587,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
|
||||
/* Causes monitor loop to terminate if authenticated */
|
||||
return (authenticated);
|
||||
@@ -921,6 +938,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
|
||||
@@ -919,6 +936,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
|
||||
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
|
||||
|
||||
auth_method = "bsdauth";
|
||||
@ -595,7 +595,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
|
||||
return (authok != 0);
|
||||
}
|
||||
@@ -970,6 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer *
|
||||
@@ -968,6 +986,7 @@ mm_answer_skeyrespond(int sock, Buffer *
|
||||
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
|
||||
|
||||
auth_method = "skey";
|
||||
@ -603,7 +603,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
|
||||
return (authok != 0);
|
||||
}
|
||||
@@ -1059,7 +1078,8 @@ mm_answer_pam_query(int sock, Buffer *m)
|
||||
@@ -1057,7 +1076,8 @@ mm_answer_pam_query(int sock, Buffer *m)
|
||||
xfree(prompts);
|
||||
if (echo_on != NULL)
|
||||
xfree(echo_on);
|
||||
@ -613,7 +613,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
|
||||
return (0);
|
||||
}
|
||||
@@ -1088,7 +1108,8 @@ mm_answer_pam_respond(int sock, Buffer *
|
||||
@@ -1086,7 +1106,8 @@ mm_answer_pam_respond(int sock, Buffer *
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, ret);
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
|
||||
@ -623,7 +623,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
if (ret == 0)
|
||||
sshpam_authok = sshpam_ctxt;
|
||||
return (0);
|
||||
@@ -1102,7 +1123,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
|
||||
@@ -1100,7 +1121,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
|
||||
(sshpam_device.free_ctx)(sshpam_ctxt);
|
||||
buffer_clear(m);
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
|
||||
@ -633,7 +633,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
return (sshpam_authok == sshpam_ctxt);
|
||||
}
|
||||
#endif
|
||||
@@ -1138,6 +1160,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
@@ -1136,6 +1158,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
allowed = options.pubkey_authentication &&
|
||||
user_key_allowed(authctxt->pw, key);
|
||||
auth_method = "publickey";
|
||||
@ -641,7 +641,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
if (options.pubkey_authentication && allowed != 1)
|
||||
auth_clear_options();
|
||||
break;
|
||||
@@ -1146,6 +1169,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
@@ -1144,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
hostbased_key_allowed(authctxt->pw,
|
||||
cuser, chost, key);
|
||||
auth_method = "hostbased";
|
||||
@ -649,7 +649,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
break;
|
||||
case MM_RSAHOSTKEY:
|
||||
key->type = KEY_RSA1; /* XXX */
|
||||
@@ -1155,6 +1179,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
@@ -1153,6 +1177,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
if (options.rhosts_rsa_authentication && allowed != 1)
|
||||
auth_clear_options();
|
||||
auth_method = "rsa";
|
||||
@ -657,7 +657,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
break;
|
||||
default:
|
||||
fatal("%s: unknown key type %d", __func__, type);
|
||||
@@ -1180,7 +1205,8 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
@@ -1178,7 +1203,8 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
hostbased_chost = chost;
|
||||
} else {
|
||||
/* Log failed attempt */
|
||||
@ -667,7 +667,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
xfree(blob);
|
||||
xfree(cuser);
|
||||
xfree(chost);
|
||||
@@ -1356,6 +1382,7 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
@@ -1354,6 +1380,7 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
xfree(data);
|
||||
|
||||
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
|
||||
@ -675,7 +675,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
|
||||
monitor_reset_key_state();
|
||||
|
||||
@@ -1545,6 +1572,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
|
||||
@@ -1543,6 +1570,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
|
||||
debug3("%s entering", __func__);
|
||||
|
||||
auth_method = "rsa";
|
||||
@ -683,7 +683,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
if (options.rsa_authentication && authctxt->valid) {
|
||||
if ((client_n = BN_new()) == NULL)
|
||||
fatal("%s: BN_new", __func__);
|
||||
@@ -1650,6 +1678,7 @@ mm_answer_rsa_response(int sock, Buffer
|
||||
@@ -1648,6 +1676,7 @@ mm_answer_rsa_response(int sock, Buffer
|
||||
xfree(response);
|
||||
|
||||
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
|
||||
@ -691,7 +691,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
|
||||
/* reset state */
|
||||
BN_clear_free(ssh1_challenge);
|
||||
@@ -2099,6 +2128,7 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -2097,6 +2126,7 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||
|
||||
auth_method = "gssapi-with-mic";
|
||||
@ -699,7 +699,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
@@ -2303,6 +2333,7 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
@@ -2301,6 +2331,7 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
|
||||
|
||||
auth_method = "jpake-01@openssh.com";
|
||||
@ -707,10 +707,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.required-authentication 2012-07-27 12:21:41.167601942 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2012-07-27 12:21:41.209602032 +0200
|
||||
@@ -42,6 +42,8 @@
|
||||
diff -up openssh-6.1p1/servconf.c.required-authentication openssh-6.1p1/servconf.c
|
||||
--- openssh-6.1p1/servconf.c.required-authentication 2012-09-14 20:17:56.699488040 +0200
|
||||
+++ openssh-6.1p1/servconf.c 2012-09-14 20:19:49.179983651 +0200
|
||||
@@ -43,6 +43,8 @@
|
||||
#include "key.h"
|
||||
#include "kex.h"
|
||||
#include "mac.h"
|
||||
@ -719,7 +719,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
|
||||
#include "match.h"
|
||||
#include "channels.h"
|
||||
#include "groupaccess.h"
|
||||
@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
|
||||
@@ -132,6 +134,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_authkeys_files = 0;
|
||||
options->num_accept_env = 0;
|
||||
options->permit_tun = -1;
|
||||
@ -728,7 +728,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
options->chroot_directory = NULL;
|
||||
@@ -319,6 +323,7 @@ typedef enum {
|
||||
@@ -324,6 +328,7 @@ typedef enum {
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
@ -736,16 +736,16 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
@@ -447,6 +452,8 @@ static struct {
|
||||
@@ -452,6 +457,8 @@ static struct {
|
||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||
+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
|
||||
+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
|
||||
@@ -1298,6 +1305,33 @@ process_server_config_line(ServerOptions
|
||||
options->max_startups = options->max_startups_begin;
|
||||
break;
|
||||
|
||||
@ -779,9 +779,9 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
|
||||
case sMaxAuthTries:
|
||||
intptr = &options->max_authtries;
|
||||
goto parse_int;
|
||||
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
|
||||
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
|
||||
+++ openssh-5.9p1/servconf.h 2012-07-27 12:21:41.210602035 +0200
|
||||
diff -up openssh-6.1p1/servconf.h.required-authentication openssh-6.1p1/servconf.h
|
||||
--- openssh-6.1p1/servconf.h.required-authentication 2012-07-31 04:21:34.000000000 +0200
|
||||
+++ openssh-6.1p1/servconf.h 2012-09-14 20:17:56.810488571 +0200
|
||||
@@ -154,6 +154,9 @@ typedef struct {
|
||||
u_int num_authkeys_files; /* Files containing public keys */
|
||||
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
||||
@ -792,10 +792,10 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
|
||||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config.5 2012-07-27 12:38:47.607222070 +0200
|
||||
@@ -723,6 +723,8 @@ Available keywords are
|
||||
diff -up openssh-6.1p1/sshd_config.5.required-authentication openssh-6.1p1/sshd_config.5
|
||||
--- openssh-6.1p1/sshd_config.5.required-authentication 2012-07-02 10:53:38.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:17:56.812488582 +0200
|
||||
@@ -731,6 +731,8 @@ Available keywords are
|
||||
.Cm PermitOpen ,
|
||||
.Cm PermitRootLogin ,
|
||||
.Cm PermitTunnel ,
|
||||
@ -804,7 +804,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
|
||||
.Cm PubkeyAuthentication ,
|
||||
.Cm RhostsRSAAuthentication ,
|
||||
.Cm RSAAuthentication ,
|
||||
@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
|
||||
@@ -931,6 +933,21 @@ Specifies a list of revoked public keys.
|
||||
Keys listed in this file will be refused for public key authentication.
|
||||
Note that if this file is not readable, then public key authentication will
|
||||
be refused for all users.
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
|
||||
--- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100
|
||||
+++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100
|
||||
@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
|
||||
diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac
|
||||
--- openssh-6.1p1/configure.ac.vendor 2012-09-14 20:36:49.153085211 +0200
|
||||
+++ openssh-6.1p1/configure.ac 2012-09-14 20:36:49.559088133 +0200
|
||||
@@ -4303,6 +4303,12 @@ AC_ARG_WITH([lastlog],
|
||||
fi
|
||||
]
|
||||
)
|
||||
@ -14,7 +14,7 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
|
||||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack
|
||||
@@ -4529,6 +4535,7 @@ echo " Translate v4 in v6 hack
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
@ -22,10 +22,10 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
|
||||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100
|
||||
+++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100
|
||||
@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
|
||||
--- openssh-6.1p1/servconf.c.vendor 2012-09-14 20:36:49.124085002 +0200
|
||||
+++ openssh-6.1p1/servconf.c 2012-09-14 20:50:34.995972516 +0200
|
||||
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
@ -33,16 +33,17 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
@@ -289,6 +290,9 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
|
||||
+
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -321,7 +324,7 @@ typedef enum {
|
||||
use_privsep = PRIVSEP_NOSANDBOX;
|
||||
@@ -326,7 +330,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
@ -51,7 +52,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
@@ -436,6 +439,7 @@ static struct {
|
||||
@@ -441,6 +445,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
@ -59,7 +60,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1162,6 +1167,10 @@ process_server_config_line(ServerOptions
|
||||
multistate_ptr = multistate_privsep;
|
||||
goto parse_multistate;
|
||||
|
||||
@ -70,7 +71,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -1956,6 +1965,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
||||
@ -78,9 +79,9 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
|
||||
--- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100
|
||||
+++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100
|
||||
diff -up openssh-6.1p1/servconf.h.vendor openssh-6.1p1/servconf.h
|
||||
--- openssh-6.1p1/servconf.h.vendor 2012-09-14 20:36:49.125085009 +0200
|
||||
+++ openssh-6.1p1/servconf.h 2012-09-14 20:36:49.564088168 +0200
|
||||
@@ -140,6 +140,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
@ -89,10 +90,10 @@ diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
|
||||
--- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100
|
||||
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100
|
||||
@@ -112,6 +112,7 @@ X11Forwarding yes
|
||||
diff -up openssh-6.1p1/sshd_config.vendor openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.vendor 2012-09-14 20:36:49.507087759 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-09-14 20:36:49.565088175 +0200
|
||||
@@ -114,6 +114,7 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
@ -100,10 +101,10 @@ diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10
|
||||
diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
|
||||
--- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100
|
||||
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100
|
||||
@@ -556,6 +556,11 @@ DESCRIPTION
|
||||
diff -up openssh-6.1p1/sshd_config.0.vendor openssh-6.1p1/sshd_config.0
|
||||
--- openssh-6.1p1/sshd_config.0.vendor 2012-09-14 20:36:49.510087780 +0200
|
||||
+++ openssh-6.1p1/sshd_config.0 2012-09-14 20:36:49.567088190 +0200
|
||||
@@ -558,6 +558,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 1024.
|
||||
|
||||
@ -115,10 +116,10 @@ diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100
|
||||
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100
|
||||
@@ -982,6 +982,14 @@ This option applies to protocol version
|
||||
diff -up openssh-6.1p1/sshd_config.5.vendor openssh-6.1p1/sshd_config.5
|
||||
--- openssh-6.1p1/sshd_config.5.vendor 2012-09-14 20:36:49.512087794 +0200
|
||||
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:36:49.568088198 +0200
|
||||
@@ -978,6 +978,14 @@ This option applies to protocol version
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The minimum value is 512, and the default is 1024.
|
||||
@ -133,19 +134,19 @@ diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
|
||||
.It Cm StrictModes
|
||||
Specifies whether
|
||||
.Xr sshd 8
|
||||
diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100
|
||||
+++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100
|
||||
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
|
||||
minor = PROTOCOL_MINOR_1;
|
||||
diff -up openssh-6.1p1/sshd.c.vendor openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.vendor 2012-09-14 20:36:49.399086981 +0200
|
||||
+++ openssh-6.1p1/sshd.c 2012-09-14 20:47:30.696088744 +0200
|
||||
@@ -433,7 +433,7 @@ sshd_exchange_identification(int sock_in
|
||||
}
|
||||
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
|
||||
- SSH_VERSION, newline);
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
|
||||
server_version_string = xstrdup(buf);
|
||||
|
||||
/* Send our protocol version identification. */
|
||||
@@ -1634,7 +1634,8 @@ main(int ac, char **av)
|
||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
|
||||
- major, minor, SSH_VERSION,
|
||||
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
*options.version_addendum == '\0' ? "" : " ",
|
||||
options.version_addendum, newline);
|
||||
|
||||
@@ -1635,7 +1635,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
19
openssh.spec
19
openssh.spec
@ -108,7 +108,7 @@ Source13: sshd-keygen
|
||||
Patch0: openssh-5.9p1-wIm.patch
|
||||
|
||||
#?
|
||||
Patch100: openssh-5.9p1-coverity.patch
|
||||
Patch100: openssh-6.1p1-coverity.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
|
||||
Patch101: openssh-5.8p1-fingerprint.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
|
||||
@ -118,7 +118,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
|
||||
Patch103: openssh-5.8p1-packet.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=983
|
||||
#Patch104: openssh-5.9p1-2auth.patch
|
||||
Patch104: openssh-5.9p1-required-authentications.patch
|
||||
Patch104: openssh-6.1p1-required-authentications.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch200: openssh-5.8p1-audit0.patch
|
||||
@ -150,7 +150,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch
|
||||
Patch404: openssh-5.9p1-privsep-selinux.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
|
||||
Patch500: openssh-5.9p1-akc.patch
|
||||
Patch500: openssh-6.1p1-akc.patch
|
||||
#?-- unwanted child :(
|
||||
Patch501: openssh-6.0p1-ldap.patch
|
||||
#?
|
||||
@ -173,7 +173,7 @@ Patch606: openssh-5.9p1-ipv6man.patch
|
||||
#?
|
||||
Patch607: openssh-5.8p2-sigpipe.patch
|
||||
#?
|
||||
Patch608: openssh-5.8p2-askpass-ld.patch
|
||||
Patch608: openssh-6.1p1-askpass-ld.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
|
||||
Patch609: openssh-5.5p1-x11.patch
|
||||
|
||||
@ -196,29 +196,27 @@ Patch707: openssh-5.9p1-redhat.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
|
||||
Patch708: openssh-6.0p1-entropy.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
||||
Patch709: openssh-5.9p1-vendor.patch
|
||||
Patch709: openssh-6.1p1-vendor.patch
|
||||
#?
|
||||
Patch710: openssh-5.9p1-copy-id-restorecon.patch
|
||||
# warn users for unsupported UsePAM=no (#757545)
|
||||
Patch711: openssh-5.9p1-log-usepam-no.patch
|
||||
Patch711: openssh-6.1p1-log-usepam-no.patch
|
||||
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
||||
Patch712: openssh-5.9p1-ctr-evp-fast.patch
|
||||
# add cavs test binary for the aes-ctr
|
||||
Patch713: openssh-5.9p1-ctr-cavstest.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=815993
|
||||
Patch714: openssh-5.9p1-null-xcrypt.patch
|
||||
|
||||
|
||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
||||
#changed cache storage type - #848228
|
||||
Patch800: openssh-6.0p1-gsskex.patch
|
||||
Patch800: openssh-6.1p1-gsskex.patch
|
||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||
Patch801: openssh-5.8p2-force_krb.patch
|
||||
|
||||
#?
|
||||
Patch900: openssh-5.8p1-gssapi-canohost.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||
Patch901: openssh-5.9p1-kuserok.patch
|
||||
Patch901: openssh-6.1p1-kuserok.patch
|
||||
#---
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
|
||||
# sctp
|
||||
@ -459,7 +457,6 @@ popd
|
||||
%patch711 -p1 -b .log-usepam-no
|
||||
%patch712 -p1 -b .evp-ctr
|
||||
%patch713 -p1 -b .ctr-cavs
|
||||
%patch714 -p0 -b .null-xcrypt
|
||||
|
||||
%patch800 -p1 -b .gsskex
|
||||
%patch801 -p1 -b .force_krb
|
||||
|
Loading…
Reference in New Issue
Block a user