forked from rpms/openssh
GSSAPI Key Exchange documentation improvements
from Debian patches: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
This commit is contained in:
parent
f33aef5318
commit
d9d9575f00
@ -363,13 +363,12 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
|
|||||||
if (gss) {
|
if (gss) {
|
||||||
debug("Offering GSSAPI proposal: %s", gss);
|
debug("Offering GSSAPI proposal: %s", gss);
|
||||||
xasprintf(&options.kex_algorithms,
|
xasprintf(&options.kex_algorithms,
|
||||||
diff -up openssh-7.0p1/sshd_config.5.gsskexalg openssh-7.0p1/sshd_config.5
|
--- openssh-7.1p1/sshd_config.5.gsskexalg 2015-12-10 15:32:48.105418092 +0100
|
||||||
--- openssh-7.0p1/sshd_config.5.gsskexalg 2015-08-19 12:28:38.082518830 +0200
|
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:33:47.771279548 +0100
|
||||||
+++ openssh-7.0p1/sshd_config.5 2015-08-19 12:36:25.121471501 +0200
|
@@ -663,6 +663,18 @@ or updated credentials from a compatible
|
||||||
@@ -659,6 +659,18 @@ Controls whether the user's GSSAPI crede
|
For this to work
|
||||||
successful connection rekeying. This option can be used to accepted renewed
|
.Cm GSSAPIKeyExchange
|
||||||
or updated credentials from a compatible client. The default is
|
needs to be enabled in the server and also used by the client.
|
||||||
.Dq no .
|
|
||||||
+.It Cm GSSAPIKexAlgorithms
|
+.It Cm GSSAPIKexAlgorithms
|
||||||
+The list of key exchange algorithms that are accepted by GSSAPI
|
+The list of key exchange algorithms that are accepted by GSSAPI
|
||||||
+key exchange. Possible values are
|
+key exchange. Possible values are
|
||||||
|
47
openssh-7.1p1-gssapi-documentation.patch
Normal file
47
openssh-7.1p1-gssapi-documentation.patch
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
|
||||||
|
--- openssh-7.1p1/ssh_config.5.gss-docs 2015-12-10 15:28:47.451966457 +0100
|
||||||
|
+++ openssh-7.1p1/ssh_config.5 2015-12-10 15:30:28.070738047 +0100
|
||||||
|
@@ -773,15 +773,26 @@ Note that this option applies to protoco
|
||||||
|
If set to
|
||||||
|
.Dq yes
|
||||||
|
then renewal of the client's GSSAPI credentials will force the rekeying of the
|
||||||
|
-ssh connection. With a compatible server, this can delegate the renewed
|
||||||
|
+ssh connection. With a compatible server, this will delegate the renewed
|
||||||
|
credentials to a session on the server.
|
||||||
|
+.Pp
|
||||||
|
+Checks are made to ensure that credentials are only propagated when the new
|
||||||
|
+credentials match the old ones on the originating client and where the
|
||||||
|
+receiving server still has the old set in its cache.
|
||||||
|
+.Pp
|
||||||
|
The default is
|
||||||
|
.Dq no .
|
||||||
|
+.Pp
|
||||||
|
+For this to work
|
||||||
|
+.Cm GSSAPIKeyExchange
|
||||||
|
+needs to be enabled in the server and also used by the client.
|
||||||
|
.It Cm GSSAPITrustDns
|
||||||
|
Set to
|
||||||
|
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
||||||
|
+.Dq yes
|
||||||
|
+to indicate that the DNS is trusted to securely canonicalize
|
||||||
|
the name of the host being connected to. If
|
||||||
|
-.Dq no, the hostname entered on the
|
||||||
|
+.Dq no ,
|
||||||
|
+the hostname entered on the
|
||||||
|
command line will be passed untouched to the GSSAPI library.
|
||||||
|
The default is
|
||||||
|
.Dq no .
|
||||||
|
diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5
|
||||||
|
--- openssh-7.1p1/sshd_config.5.gss-docs 2015-12-10 15:28:47.453966452 +0100
|
||||||
|
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:28:47.461966434 +0100
|
||||||
|
@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede
|
||||||
|
successful connection rekeying. This option can be used to accepted renewed
|
||||||
|
or updated credentials from a compatible client. The default is
|
||||||
|
.Dq no .
|
||||||
|
+.Pp
|
||||||
|
+For this to work
|
||||||
|
+.Cm GSSAPIKeyExchange
|
||||||
|
+needs to be enabled in the server and also used by the client.
|
||||||
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
|
as a comma-separated pattern list.
|
@ -176,6 +176,10 @@ Patch801: openssh-6.6p1-force_krb.patch
|
|||||||
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
||||||
# CVE-2014-9278
|
# CVE-2014-9278
|
||||||
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
|
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
|
||||||
|
# Documentation about GSSAPI
|
||||||
|
# from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
|
||||||
|
Patch803: openssh-7.1p1-gssapi-documentation.patch
|
||||||
|
|
||||||
Patch900: openssh-6.1p1-gssapi-canohost.patch
|
Patch900: openssh-6.1p1-gssapi-canohost.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||||
Patch901: openssh-6.6p1-kuserok.patch
|
Patch901: openssh-6.6p1-kuserok.patch
|
||||||
@ -443,6 +447,7 @@ popd
|
|||||||
#
|
#
|
||||||
%patch800 -p1 -b .gsskex
|
%patch800 -p1 -b .gsskex
|
||||||
%patch801 -p1 -b .force_krb
|
%patch801 -p1 -b .force_krb
|
||||||
|
%patch803 -p1 -b .gss-docs
|
||||||
#
|
#
|
||||||
%patch900 -p1 -b .canohost
|
%patch900 -p1 -b .canohost
|
||||||
%patch901 -p1 -b .kuserok
|
%patch901 -p1 -b .kuserok
|
||||||
|
Loading…
Reference in New Issue
Block a user