Merge gssapi-keyex and gssapi-auth

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 12:58:47 +02:00 · 2023-06-08 12:58:47 +02:00 · c5082a3f81
commit c5082a3f81
parent 2b67ec48c2
3 changed files with 21 additions and 25 deletions
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
@ -2611,6 +2611,23 @@ index 2ce89fe9..ebf76c7f 100644
 
 	/* The first few requests do not require asynchronous access */
 	while (!authenticated) {
+@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
+ 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
+ 			auth_log(ssh, authenticated, partial,
+ 			    auth_method, auth_submethod);
+-			if (!partial && !authenticated)
+			if (!partial && !authenticated) {
+#ifdef GSSAPI
+				/* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
+				 * We have to reenable it to try again for gssapi-keyex */
+				if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
+					monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+#endif
+ 				authctxt->failures++;
+			}
+ 			if (authenticated || partial) {
+ 				auth2_update_session_info(authctxt,
+ 				    auth_method, auth_submethod);
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
 	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
--- a/openssh-8.7p1-gssapi-auth.patch
+++ b/openssh-8.7p1-gssapi-auth.patch
@ -1,20 +0,0 @@
-diff --color -rup a/monitor.c b/monitor.c
--- a/monitor.c	2022-07-11 15:11:28.146863144 +0200
-+++ b/monitor.c	2022-07-11 15:15:35.726655877 +0200
-@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
- 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
- 			auth_log(ssh, authenticated, partial,
- 			    auth_method, auth_submethod);
-			if (!partial && !authenticated)
-+			if (!partial && !authenticated) {
-+#ifdef GSSAPI
-+				/* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
-+				 * We have to reenable it to try again for gssapi-keyex */
-+				if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
-+					monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
-+#endif
- 				authctxt->failures++;
-+			}
- 			if (authenticated || partial) {
- 				auth2_update_session_info(authctxt,
- 				    auth_method, auth_submethod);
--- a/openssh.spec
+++ b/openssh.spec
@ -137,6 +137,10 @@ Patch711: openssh-7.8p1-UsePAM-warning.patch

 # GSSAPI Key Exchange (RFC 4462 + RFC 8732)
 # from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
+# and
+# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
+# upstream MR:
+# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
 Patch800: openssh-8.0p1-gssapi-keyex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
 Patch801: openssh-6.6p1-force_krb.patch
@ -215,10 +219,6 @@ Patch984: openssh-8.7p1-ibmca.patch
 # upstream bug:
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3455
 Patch1002: openssh-8.7p1-ssh-manpage.patch
-# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
-# upstream MR:
-# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
-Patch1004: openssh-8.7p1-gssapi-auth.patch

 # Don't propose disallowed algorithms during hostkey negotiation
 # upstream MR:
@ -424,7 +424,6 @@ popd
 %patch -P 700 -p1 -b .fips

 %patch -P 1002 -p1 -b .ssh-manpage
-%patch -P 1004 -p1 -b .gssapi-auth

 %patch -P 1006 -p1 -b .negotiate-supported-algs