Merge gssapi-keyex and gssapi-auth

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 12:58:47 +02:00 · 2023-06-08 12:58:47 +02:00 · c5082a3f81
commit c5082a3f81
parent 2b67ec48c2
3 changed files with 21 additions and 25 deletions
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
@ -2611,6 +2611,23 @@ index 2ce89fe9..ebf76c7f 100644
 	/* The first few requests do not require asynchronous access */
 	while (!authenticated) {
@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(ssh, authenticated, partial,
 			    auth_method, auth_submethod);
 -			if (!partial && !authenticated)
 +			if (!partial && !authenticated) {
 +#ifdef GSSAPI
 +				/* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
 +				 * We have to reenable it to try again for gssapi-keyex */
 +				if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
 +					monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
 +#endif
 				authctxt->failures++;
 +			}
 			if (authenticated || partial) {
 				auth2_update_session_info(authctxt,
 				    auth_method, auth_submethod);
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
 	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
--- a/openssh-8.7p1-gssapi-auth.patch
+++ b/openssh-8.7p1-gssapi-auth.patch
@ -1,20 +0,0 @@
 diff --color -rup a/monitor.c b/monitor.c
 --- a/monitor.c	2022-07-11 15:11:28.146863144 +0200
 +++ b/monitor.c	2022-07-11 15:15:35.726655877 +0200
@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(ssh, authenticated, partial,
 			    auth_method, auth_submethod);
 -			if (!partial && !authenticated)
 +			if (!partial && !authenticated) {
 +#ifdef GSSAPI
 +				/* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
 +				 * We have to reenable it to try again for gssapi-keyex */
 +				if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
 +					monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
 +#endif
 				authctxt->failures++;
 +			}
 			if (authenticated || partial) {
 				auth2_update_session_info(authctxt,
 				    auth_method, auth_submethod);
--- a/openssh.spec
+++ b/openssh.spec
@ -137,6 +137,10 @@ Patch711: openssh-7.8p1-UsePAM-warning.patch
 # GSSAPI Key Exchange (RFC 4462 + RFC 8732)
 # from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
 # and
 # Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
 # upstream MR:
 # https://github.com/openssh-gsskex/openssh-gsskex/pull/21
 Patch800: openssh-8.0p1-gssapi-keyex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
 Patch801: openssh-6.6p1-force_krb.patch
@ -215,10 +219,6 @@ Patch984: openssh-8.7p1-ibmca.patch
 # upstream bug:
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3455
 Patch1002: openssh-8.7p1-ssh-manpage.patch
 # Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
 # upstream MR:
 # https://github.com/openssh-gsskex/openssh-gsskex/pull/21
 Patch1004: openssh-8.7p1-gssapi-auth.patch
 # Don't propose disallowed algorithms during hostkey negotiation
 # upstream MR:
@ -424,7 +424,6 @@ popd
 %patch -P 700 -p1 -b .fips
 %patch -P 1002 -p1 -b .ssh-manpage
 %patch -P 1004 -p1 -b .gssapi-auth
 %patch -P 1006 -p1 -b .negotiate-supported-algs