Upgrade to openssh-5.6p1

This commit is contained in:
Jan F. Chadima 2010-08-03 02:41:49 +02:00
parent 98ba34ae05
commit 1b8a267cb9
14 changed files with 419 additions and 664 deletions


@ -1,13 +0,0 @@
--- openssh-4.0p1/channels.c.exit-deadlock 2005-03-01 11:24:33.000000000 +0100
+++ openssh-4.0p1/channels.c 2005-04-05 22:25:15.197226237 +0200
@@ -1403,6 +1403,10 @@
u_int dlen;
int len;
+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+ debug("channel %d: forcing write", c->self);
+ FD_SET(c->wfd, writeset);
+ }
/* Send buffered output data to the socket. */
if (c->wfd != -1 &&
FD_ISSET(c->wfd, writeset) &&


@ -1,24 +0,0 @@
diff -up openssh-5.3p1/auth1.c.skip-initial openssh-5.3p1/auth1.c
--- openssh-5.3p1/auth1.c.skip-initial 2009-03-08 01:40:28.000000000 +0100
+++ openssh-5.3p1/auth1.c 2009-10-02 13:55:00.000000000 +0200
@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
authctxt->valid ? "" : "invalid user ", authctxt->user);
/* If the user has no password, accept authentication immediately. */
- if (options.password_authentication &&
+ if (options.permit_empty_passwd && options.password_authentication &&
#ifdef KRB5
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
diff -up openssh-5.3p1/auth2-none.c.skip-initial openssh-5.3p1/auth2-none.c
--- openssh-5.3p1/auth2-none.c.skip-initial 2009-03-08 01:40:28.000000000 +0100
+++ openssh-5.3p1/auth2-none.c 2009-10-02 13:56:21.000000000 +0200
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
packet_check_eom();
- if (options.password_authentication)
+ if (options.permit_empty_passwd && options.password_authentication)
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
}


@ -1,30 +0,0 @@
diff -up openssh-5.5p1/ssh-keygen.c.staterr openssh-5.5p1/ssh-keygen.c
--- openssh-5.5p1/ssh-keygen.c.staterr 2010-05-04 09:01:14.000000000 +0200
+++ openssh-5.5p1/ssh-keygen.c 2010-05-04 09:03:32.000000000 +0200
@@ -1831,13 +1831,19 @@ main(int argc, char **argv)
ask_filename(pw, "Enter file in which to save the key");
/* Create ~/.ssh directory if it doesn't already exist. */
- snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
- if (strstr(identity_file, dotsshdir) != NULL &&
- stat(dotsshdir, &st) < 0) {
- if (mkdir(dotsshdir, 0700) < 0)
- error("Could not create directory '%s'.", dotsshdir);
- else if (!quiet)
- printf("Created directory '%s'.\n", dotsshdir);
+ snprintf(dotsshdir, sizeof dotsshdir, "%s/%s",
+ pw->pw_dir, _PATH_SSH_USER_DIR);
+ if (strstr(identity_file, dotsshdir) != NULL) {
+ if (stat(dotsshdir, &st) < 0) {
+ if (errno != ENOENT) {
+ error("Could not stat %s: %s", dotsshdir,
+ strerror(errno));
+ } else if (mkdir(dotsshdir, 0700) < 0) {
+ error("Could not create directory '%s': %s",
+ dotsshdir, strerror(errno));
+ } else if (!quiet)
+ printf("Created directory '%s'.\n", dotsshdir);
+ }
}
/* If the file already exists, ask the user to confirm. */
if (!overwrite && stat(identity_file, &st) >= 0) {


@ -1,171 +0,0 @@
diff -up openssh-5.5p1/channels.c.stderr openssh-5.5p1/channels.c
--- openssh-5.5p1/channels.c.stderr 2010-06-23 15:20:30.000000000 +0200
+++ openssh-5.5p1/channels.c 2010-06-23 15:23:06.000000000 +0200
@@ -838,8 +838,9 @@ channel_pre_open(Channel *c, fd_set *rea
if (c->extended_usage == CHAN_EXTENDED_WRITE &&
buffer_len(&c->extended) > 0)
FD_SET(c->efd, writeset);
- else if (!(c->flags & CHAN_EOF_SENT) &&
- c->extended_usage == CHAN_EXTENDED_READ &&
+ else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
+ (c->extended_usage == CHAN_EXTENDED_READ ||
+ c->extended_usage == CHAN_EXTENDED_IGNORE) &&
buffer_len(&c->extended) < c->remote_window)
FD_SET(c->efd, readset);
}
@@ -1759,7 +1760,9 @@ channel_handle_efd(Channel *c, fd_set *r
buffer_consume(&c->extended, len);
c->local_consumed += len;
}
- } else if (c->extended_usage == CHAN_EXTENDED_READ &&
+ } else if (c->efd != -1 &&
+ (c->extended_usage == CHAN_EXTENDED_READ ||
+ c->extended_usage == CHAN_EXTENDED_IGNORE) &&
(c->detach_close || FD_ISSET(c->efd, readset))) {
len = read(c->efd, buf, sizeof(buf));
debug2("channel %d: read %d from efd %d",
@@ -1772,7 +1775,11 @@ channel_handle_efd(Channel *c, fd_set *r
c->self, c->efd);
channel_close_fd(&c->efd);
} else {
- buffer_append(&c->extended, buf, len);
+ if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
+ debug3("channel %d: discard efd",
+ c->self);
+ } else
+ buffer_append(&c->extended, buf, len);
}
}
}
diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c
--- openssh-5.5p1/session.c.stderr 2010-06-23 15:20:29.000000000 +0200
+++ openssh-5.5p1/session.c 2010-06-23 15:23:55.000000000 +0200
@@ -47,6 +47,7 @@
#include <arpa/inet.h>
#include <errno.h>
+#include <fcntl.h>
#include <grp.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
@@ -104,7 +105,7 @@
/* func */
Session *session_new(void);
-void session_set_fds(Session *, int, int, int, int);
+void session_set_fds(Session *, int, int, int, int, int);
void session_pty_cleanup(Session *);
void session_proctitle(Session *);
int session_setup_x11fwd(Session *);
@@ -443,10 +444,14 @@ int
do_exec_no_pty(Session *s, const char *command)
{
pid_t pid;
+ int ignore_fderr = 0;
#ifdef USE_PIPES
int pin[2], pout[2], perr[2];
+ if (s == NULL)
+ fatal("do_exec_no_pty: no session");
+
/* Allocate pipes for communicating with the program. */
if (pipe(pin) < 0) {
error("%s: pipe in: %.100s", __func__, strerror(errno));
@@ -459,32 +464,38 @@ do_exec_no_pty(Session *s, const char *c
return -1;
}
if (pipe(perr) < 0) {
- error("%s: pipe err: %.100s", __func__, strerror(errno));
+ error("%s: pipe err: %.100s", __func__,
+ strerror(errno));
close(pin[0]);
close(pin[1]);
close(pout[0]);
close(pout[1]);
return -1;
}
+ if (s->is_subsystem)
+ ignore_fderr = 1;
#else
int inout[2], err[2];
+ if (s == NULL)
+ fatal("do_exec_no_pty: no session");
+
/* Uses socket pairs to communicate with the program. */
if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) {
error("%s: socketpair #1: %.100s", __func__, strerror(errno));
return -1;
}
if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) {
- error("%s: socketpair #2: %.100s", __func__, strerror(errno));
+ error("%s: socketpair #2: %.100s", __func__,
+ strerror(errno));
close(inout[0]);
close(inout[1]);
return -1;
}
+ if (s->is_subsystem)
+ ignore_fderr = 1;
#endif
- if (s == NULL)
- fatal("do_exec_no_pty: no session");
-
session_proctitle(s);
/* Fork the child. */
@@ -595,11 +606,7 @@ do_exec_no_pty(Session *s, const char *c
close(perr[1]);
if (compat20) {
- if (s->is_subsystem) {
- close(perr[0]);
- perr[0] = -1;
- }
- session_set_fds(s, pin[1], pout[0], perr[0], 0);
+ session_set_fds(s, pin[1], pout[0], perr[0], ignore_fderr, 0);
} else {
/* Enter the interactive session. */
server_loop(pid, pin[1], pout[0], perr[0]);
@@ -615,10 +622,7 @@ do_exec_no_pty(Session *s, const char *c
* handle the case that fdin and fdout are the same.
*/
if (compat20) {
- session_set_fds(s, inout[1], inout[1],
- s->is_subsystem ? -1 : err[1], 0);
- if (s->is_subsystem)
- close(err[1]);
+ session_set_fds(s, inout[1], inout[1], err[1], ignore_fderr, 0);
} else {
server_loop(pid, inout[1], inout[1], err[1]);
/* server_loop has closed inout[1] and err[1]. */
@@ -740,7 +744,7 @@ do_exec_pty(Session *s, const char *comm
s->ptymaster = ptymaster;
packet_set_interactive(1);
if (compat20) {
- session_set_fds(s, ptyfd, fdout, -1, 1);
+ session_set_fds(s, ptyfd, fdout, -1, 1, 1);
} else {
server_loop(pid, ptyfd, fdout, -1);
/* server_loop _has_ closed ptyfd and fdout. */
@@ -2321,7 +2325,8 @@ session_input_channel_req(Channel *c, co
}
void
-session_set_fds(Session *s, int fdin, int fdout, int fderr, int is_tty)
+session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
+ int is_tty)
{
if (!compat20)
fatal("session_set_fds: called for proto != 2.0");
@@ -2333,7 +2338,7 @@ session_set_fds(Session *s, int fdin, in
fatal("no channel for session %d", s->self);
channel_set_fds(s->chanid,
fdout, fdin, fderr,
- fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
1, is_tty, CHAN_SES_WINDOW_DEFAULT);
}


@ -1,6 +1,6 @@
diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
--- openssh-5.5p1.orig/auth2-pubkey.c 2010-03-21 14:51:21.000000000 -0400 --- openssh-5.6p1/auth2-pubkey.c.akc 2010-08-23 12:15:42.000000000 +0200
+++ openssh-5.5p1/auth2-pubkey.c 2010-07-03 20:23:43.000000000 -0400 +++ openssh-5.6p1/auth2-pubkey.c 2010-08-23 12:15:42.000000000 +0200
@@ -27,6 +27,7 @@ @@ -27,6 +27,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -9,7 +9,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
#include <fcntl.h> #include <fcntl.h>
#include <pwd.h> #include <pwd.h>
@@ -178,27 +178,15 @@ @@ -264,27 +265,15 @@ match_principals_file(char *file, struct
/* return 1 if user allows given key */ /* return 1 if user allows given key */
static int static int
@ -38,7 +38,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
found_key = 0; found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -273,8 +261,6 @@ @@ -377,8 +366,6 @@ user_key_allowed2(struct passwd *pw, Key
break; break;
} }
} }
@ -47,7 +47,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
key_free(found); key_free(found);
if (!found_key) if (!found_key)
debug2("key not found"); debug2("key not found");
@@ -321,13 +307,191 @@ @@ -440,13 +427,191 @@ user_cert_trusted_ca(struct passwd *pw,
return ret; return ret;
} }
@ -240,10 +240,10 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
if (auth_key_is_revoked(key)) if (auth_key_is_revoked(key))
return 0; return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac
--- openssh-5.5p1.orig/configure.ac 2010-04-10 08:58:01.000000000 -0400 --- openssh-5.6p1/configure.ac.akc 2010-08-23 12:15:42.000000000 +0200
+++ openssh-5.5p1/configure.ac 2010-07-03 19:57:42.000000000 -0400 +++ openssh-5.6p1/configure.ac 2010-08-23 12:15:42.000000000 +0200
@@ -1346,6 +1346,18 @@ @@ -1346,6 +1346,18 @@ AC_ARG_WITH(audit,
esac ] esac ]
) )
@ -262,7 +262,7 @@ diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS( \ AC_CHECK_FUNCS( \
arc4random \ arc4random \
@@ -4181,6 +4193,7 @@ @@ -4209,6 +4221,7 @@ echo " Linux audit support
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
@ -270,10 +270,10 @@ diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac
echo " MD5 password support: $MD5_MSG" echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG" echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG" echo " Solaris process contract support: $SPC_MSG"
diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
--- openssh-5.5p1.orig/servconf.c 2010-03-25 19:40:04.000000000 -0400 --- openssh-5.6p1/servconf.c.akc 2010-08-23 12:15:41.000000000 +0200
+++ openssh-5.5p1/servconf.c 2010-07-03 19:59:07.000000000 -0400 +++ openssh-5.6p1/servconf.c 2010-08-23 12:22:22.000000000 +0200
@@ -128,6 +128,8 @@ @@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1; options->num_permitted_opens = -1;
options->adm_forced_command = NULL; options->adm_forced_command = NULL;
options->chroot_directory = NULL; options->chroot_directory = NULL;
@ -282,18 +282,18 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
options->zero_knowledge_password_authentication = -1; options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL; options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL; options->trusted_user_ca_keys = NULL;
@@ -311,6 +313,7 @@ @@ -316,6 +318,7 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate, sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs, + sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
sDeprecated, sUnsupported sDeprecated, sUnsupported
} ServerOpCodes; } ServerOpCodes;
@@ -432,6 +435,13 @@ @@ -439,6 +442,13 @@ static struct {
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND +#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL }, + { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
@ -304,7 +304,7 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
{ NULL, sBadOption, 0 } { NULL, sBadOption, 0 }
}; };
@@ -1345,6 +1355,20 @@ @@ -1360,6 +1370,20 @@ process_server_config_line(ServerOptions
charptr = &options->revoked_keys_file; charptr = &options->revoked_keys_file;
goto parse_filename; goto parse_filename;
@ -325,7 +325,7 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
case sDeprecated: case sDeprecated:
logit("%s line %d: Deprecated option %s", logit("%s line %d: Deprecated option %s",
filename, linenum, arg); filename, linenum, arg);
@@ -1438,6 +1462,8 @@ @@ -1453,6 +1477,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(gss_authentication); M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication); M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication); M_CP_INTOPT(pubkey_authentication);
@ -333,54 +333,42 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
+ M_CP_STROPT(authorized_keys_command_runas); + M_CP_STROPT(authorized_keys_command_runas);
M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication); M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(hostbased_uses_name_from_packet_only);
@@ -1682,6 +1708,8 @@ @@ -1705,6 +1731,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
dump_cfg_string(sRevokedKeys, o->revoked_keys_file); dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); + dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas); + dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
/* string arguments requiring a lookup */ /* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level)); dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -ruN openssh-5.5p1.orig/servconf.h openssh-5.5p1/servconf.h diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h
--- openssh-5.5p1.orig/servconf.h 2010-03-04 05:53:35.000000000 -0500 --- openssh-5.6p1/servconf.h.akc 2010-08-23 12:15:41.000000000 +0200
+++ openssh-5.5p1/servconf.h 2010-07-03 19:57:42.000000000 -0400 +++ openssh-5.6p1/servconf.h 2010-08-23 12:17:58.000000000 +0200
@@ -156,6 +156,8 @@ @@ -158,6 +158,8 @@ typedef struct {
char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
char *authorized_principals_file;
+ char *authorized_keys_command; + char *authorized_keys_command;
+ char *authorized_keys_command_runas; + char *authorized_keys_command_runas;
} ServerOptions; } ServerOptions;
void initialize_server_options(ServerOptions *); void initialize_server_options(ServerOptions *);
diff -ruN openssh-5.5p1.orig/sshd_config openssh-5.5p1/sshd_config diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0
--- openssh-5.5p1.orig/sshd_config 2009-10-11 06:51:09.000000000 -0400 --- openssh-5.6p1/sshd_config.0.akc 2010-08-23 12:15:41.000000000 +0200
+++ openssh-5.5p1/sshd_config 2010-07-03 19:57:42.000000000 -0400 +++ openssh-5.6p1/sshd_config.0 2010-08-23 12:25:18.000000000 +0200
@@ -44,6 +44,8 @@ @@ -374,7 +374,8 @@ DESCRIPTION
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts Only a subset of keywords may be used on the lines following a
#RhostsRSAAuthentication no Match keyword. Available keywords are AllowAgentForwarding,
diff -ruN openssh-5.5p1.orig/sshd_config.0 openssh-5.5p1/sshd_config.0 - AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
--- openssh-5.5p1.orig/sshd_config.0 2010-04-15 20:17:12.000000000 -0400 + AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand,
+++ openssh-5.5p1/sshd_config.0 2010-07-03 19:57:42.000000000 -0400 + AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile,
@@ -352,7 +352,8 @@ Banner, ChrootDirectory, ForceCommand, GatewayPorts,
KbdInteractiveAuthentication, KerberosAuthentication, GSSAPIAuthentication, HostbasedAuthentication,
MaxAuthTries, MaxSessions, PasswordAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
PermitEmptyPasswords, PermitOpen, PermitRootLogin, @@ -496,6 +497,23 @@ DESCRIPTION
- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+ PubkeyAuthentication, AuthorizedKeysCommand, AuthorizedKeysCommandRunAs,
+ RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding and X11UseLocalHost.
MaxAuthTries
@@ -467,6 +468,23 @@
this file is not readable, then public key authentication will be this file is not readable, then public key authentication will be
refused for all users. refused for all users.
@ -404,20 +392,27 @@ diff -ruN openssh-5.5p1.orig/sshd_config.0 openssh-5.5p1/sshd_config.0
RhostsRSAAuthentication RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication to- Specifies whether rhosts or /etc/hosts.equiv authentication to-
gether with successful RSA host authentication is allowed. The gether with successful RSA host authentication is allowed. The
diff -ruN openssh-5.5p1.orig/sshd_config.5 openssh-5.5p1/sshd_config.5 diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
--- openssh-5.5p1.orig/sshd_config.5 2010-03-04 18:41:45.000000000 -0500 --- openssh-5.6p1/sshd_config.5.akc 2010-08-23 12:15:41.000000000 +0200
+++ openssh-5.5p1/sshd_config.5 2010-07-03 19:57:42.000000000 -0400 +++ openssh-5.6p1/sshd_config.5 2010-08-23 12:25:46.000000000 +0200
@@ -618,6 +618,9 @@ @@ -654,6 +654,8 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
@@ -666,6 +668,7 @@ Available keywords are
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
+.Cm PubkeyAuthentication , +.Cm PubkeyAuthentication ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs ,
.Cm PasswordAuthentication , .Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords , .Cm PermitEmptyPasswords ,
.Cm PermitOpen , .Cm PermitOpen ,
@@ -819,6 +822,20 @@ @@ -868,6 +871,20 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication. Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will Note that if this file is not readable, then public key authentication will
be refused for all users. be refused for all users.
@ -438,3 +433,15 @@ diff -ruN openssh-5.5p1.orig/sshd_config.5 openssh-5.5p1/sshd_config.5
.It Cm RhostsRSAAuthentication .It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed. with successful RSA host authentication is allowed.
diff -up openssh-5.6p1/sshd_config.akc openssh-5.6p1/sshd_config
--- openssh-5.6p1/sshd_config.akc 2010-08-23 12:15:41.000000000 +0200
+++ openssh-5.6p1/sshd_config 2010-08-23 12:15:42.000000000 +0200
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
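Review bot: The servconf.c part of the rebased patch registers the two new keywords only under `#ifdef WITH_AUTHORIZED_KEYS_COMMAND` in the keyword table, yet the `dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);` and `dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);` lines added to dump_config are unconditional. If dump_cfg_string resolves the printed keyword name through that same table, a build without the define would emit the two values under an unresolvable name in `sshd -T` output; wrapping the two dump lines in the same `#ifdef WITH_AUTHORIZED_KEYS_COMMAND` / `#endif` keeps the table, the parser and the dump consistent. This inconsistency is carried over from the 5.5p1 version of the patch rather than introduced here, and the dump_config body continues outside the hunk.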


@ -0,0 +1,14 @@
diff -up openssh-5.6p1/channels.c.exit-deadlock openssh-5.6p1/channels.c
--- openssh-5.6p1/channels.c.exit-deadlock 2010-08-05 15:09:48.000000000 +0200
+++ openssh-5.6p1/channels.c 2010-08-23 12:41:43.000000000 +0200
@@ -1647,6 +1647,10 @@ channel_handle_wfd(Channel *c, fd_set *r
u_int dlen, olen = 0;
int len;
+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+ debug("channel %d: forcing write", c->self);
+ FD_SET(c->wfd, writeset);
+ }
/* Send buffered output data to the socket. */
if (c->wfd != -1 &&
FD_ISSET(c->wfd, writeset) &&
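Review bot: The added guard sets c->wfd in writeset after select() has already returned, so the write path that follows is attempted on a descriptor select did not report writable; that is only safe if c->wfd is non-blocking, which the hunk does not show, so the assumption should be stated on the `if`, e.g. `/* wfd is non-blocking: force a write attempt so a draining channel with pending output cannot stall */`. The new condition also departs from the style of the surrounding `if (c->wfd != -1 &&` on the next line: `if(` should be `if (`, and the over-long line reads better split as `if (c->wfd != -1 && buffer_len(&c->output) > 0 &&` followed by `    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {`. channel_handle_wfd starts and ends outside the hunk.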


@ -1,7 +1,7 @@
diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c
--- openssh-5.5p1/auth2-pubkey.c.fips 2010-04-16 08:46:47.000000000 +0200 --- openssh-5.6p1/auth2-pubkey.c.fips 2010-08-23 12:43:40.000000000 +0200
+++ openssh-5.5p1/auth2-pubkey.c 2010-04-16 08:46:48.000000000 +0200 +++ openssh-5.6p1/auth2-pubkey.c 2010-08-23 12:43:41.000000000 +0200
@@ -35,6 +35,7 @@ @@ -36,6 +36,7 @@
#include <string.h> #include <string.h>
#include <time.h> #include <time.h>
#include <unistd.h> #include <unistd.h>
@ -9,7 +9,7 @@ diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@@ -274,7 +275,7 @@ user_key_allowed2(struct passwd *pw, Key @@ -359,7 +360,7 @@ user_search_key_in_file(FILE *f, char *f
found_key = 1; found_key = 1;
debug("matching key found: file %s, line %lu", debug("matching key found: file %s, line %lu",
file, linenum); file, linenum);
@ -18,9 +18,9 @@ diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c
verbose("Found matching %s key: %s", verbose("Found matching %s key: %s",
key_type(found), fp); key_type(found), fp);
xfree(fp); xfree(fp);
diff -up openssh-5.5p1/authfile.c.fips openssh-5.5p1/authfile.c diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
--- openssh-5.5p1/authfile.c.fips 2010-03-04 11:53:35.000000000 +0100 --- openssh-5.6p1/authfile.c.fips 2010-08-05 05:05:16.000000000 +0200
+++ openssh-5.5p1/authfile.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/authfile.c 2010-08-23 12:43:41.000000000 +0200
@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch @@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
/* Allocate space for the private part of the key in the buffer. */ /* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer)); cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -55,9 +55,9 @@ diff -up openssh-5.5p1/authfile.c.fips openssh-5.5p1/authfile.c
cipher_crypt(&ciphercontext, cp, cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer)); buffer_ptr(&buffer), buffer_len(&buffer));
cipher_cleanup(&ciphercontext); cipher_cleanup(&ciphercontext);
diff -up openssh-5.5p1/cipher.c.fips openssh-5.5p1/cipher.c diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
--- openssh-5.5p1/cipher.c.fips 2010-04-16 08:34:06.000000000 +0200 --- openssh-5.6p1/cipher.c.fips 2010-08-23 09:49:50.000000000 +0200
+++ openssh-5.5p1/cipher.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/cipher.c 2010-08-23 12:43:41.000000000 +0200
@@ -40,6 +40,7 @@ @@ -40,6 +40,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -142,9 +142,9 @@ diff -up openssh-5.5p1/cipher.c.fips openssh-5.5p1/cipher.c
} }
/* /*
diff -up openssh-5.5p1/cipher-ctr.c.fips openssh-5.5p1/cipher-ctr.c diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c
--- openssh-5.5p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 --- openssh-5.6p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
+++ openssh-5.5p1/cipher-ctr.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/cipher-ctr.c 2010-08-23 12:43:41.000000000 +0200
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void) @@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr; aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP #ifndef SSH_OLD_EVP
@ -155,9 +155,9 @@ diff -up openssh-5.5p1/cipher-ctr.c.fips openssh-5.5p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-5.5p1/cipher.h.fips openssh-5.5p1/cipher.h diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h
--- openssh-5.5p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 --- openssh-5.6p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.5p1/cipher.h 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/cipher.h 2010-08-23 12:43:41.000000000 +0200
@@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe @@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe
const u_char *, u_int, int); const u_char *, u_int, int);
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -167,9 +167,9 @@ diff -up openssh-5.5p1/cipher.h.fips openssh-5.5p1/cipher.h
u_int cipher_blocksize(const Cipher *); u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *); u_int cipher_keylen(const Cipher *);
u_int cipher_is_cbc(const Cipher *); u_int cipher_is_cbc(const Cipher *);
diff -up openssh-5.5p1/mac.c.fips openssh-5.5p1/mac.c diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c
--- openssh-5.5p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 --- openssh-5.6p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.5p1/mac.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/mac.c 2010-08-23 12:43:41.000000000 +0200
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -219,10 +219,10 @@ diff -up openssh-5.5p1/mac.c.fips openssh-5.5p1/mac.c
for (i = 0; macs[i].name; i++) { for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) { if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
--- openssh-5.5p1/Makefile.in.fips 2010-03-13 22:41:34.000000000 +0100 --- openssh-5.6p1/Makefile.in.fips 2010-08-23 12:43:40.000000000 +0200
+++ openssh-5.5p1/Makefile.in 2010-04-16 09:48:16.000000000 +0200 +++ openssh-5.6p1/Makefile.in 2010-08-23 12:46:24.000000000 +0200
@@ -141,25 +141,25 @@ @@ -141,25 +141,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@ $(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -253,8 +253,8 @@ diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -168,7 +168,7 @@ @@ -168,7 +168,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@ -263,10 +263,10 @@ diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.5p1/myproposal.h.fips openssh-5.5p1/myproposal.h diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h
--- openssh-5.5p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100 --- openssh-5.6p1/myproposal.h.fips 2010-04-16 07:56:22.000000000 +0200
+++ openssh-5.5p1/myproposal.h 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/myproposal.h 2010-08-23 12:43:41.000000000 +0200
@@ -55,7 +55,12 @@ @@ -58,7 +58,12 @@
"hmac-sha1-96,hmac-md5-96" "hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG "" #define KEX_DEFAULT_LANG ""
@ -280,9 +280,9 @@ diff -up openssh-5.5p1/myproposal.h.fips openssh-5.5p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = { static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX, KEX_DEFAULT_KEX,
diff -up openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.5p1/openbsd-compat/bsd-arc4random.c diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 --- openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
+++ openssh-5.5p1/openbsd-compat/bsd-arc4random.c 2010-04-16 09:17:30.000000000 +0200 +++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c 2010-08-23 12:43:41.000000000 +0200
@@ -39,6 +39,7 @@ @@ -39,6 +39,7 @@
static int rc4_ready = 0; static int rc4_ready = 0;
static RC4_KEY rc4; static RC4_KEY rc4;
@ -324,9 +324,9 @@ diff -up openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.5p1/openbs
#endif /* !HAVE_ARC4RANDOM */ #endif /* !HAVE_ARC4RANDOM */
#ifndef HAVE_ARC4RANDOM_BUF #ifndef HAVE_ARC4RANDOM_BUF
diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
--- openssh-5.5p1/ssh-add.c.fips 2010-03-03 00:25:42.000000000 +0100 --- openssh-5.6p1/ssh-add.c.fips 2010-05-21 06:56:47.000000000 +0200
+++ openssh-5.5p1/ssh-add.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/ssh-add.c 2010-08-23 12:43:41.000000000 +0200
@@ -42,6 +42,7 @@ @@ -42,6 +42,7 @@
#include <sys/param.h> #include <sys/param.h>
@ -335,7 +335,7 @@ diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include <fcntl.h> #include <fcntl.h>
@@ -269,7 +270,7 @@ list_identities(AuthenticationConnection @@ -277,7 +278,7 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) { key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1; had_identities = 1;
if (do_fp) { if (do_fp) {
@ -344,9 +344,9 @@ diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c
SSH_FP_HEX); SSH_FP_HEX);
printf("%d %s %s (%s)\n", printf("%d %s %s (%s)\n",
key_size(key), fp, comment, key_type(key)); key_size(key), fp, comment, key_type(key));
diff -up openssh-5.5p1/ssh-agent.c.fips openssh-5.5p1/ssh-agent.c diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c
--- openssh-5.5p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100 --- openssh-5.6p1/ssh-agent.c.fips 2010-04-16 07:56:22.000000000 +0200
+++ openssh-5.5p1/ssh-agent.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/ssh-agent.c 2010-08-23 12:43:41.000000000 +0200
@@ -51,6 +51,7 @@ @@ -51,6 +51,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -368,9 +368,9 @@ diff -up openssh-5.5p1/ssh-agent.c.fips openssh-5.5p1/ssh-agent.c
ret = 0; ret = 0;
xfree(p); xfree(p);
diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
--- openssh-5.5p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100 --- openssh-5.6p1/ssh.c.fips 2010-08-16 17:59:31.000000000 +0200
+++ openssh-5.5p1/ssh.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/ssh.c 2010-08-23 12:43:41.000000000 +0200
@@ -72,6 +72,8 @@ @@ -72,6 +72,8 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -380,7 +380,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -225,6 +227,10 @@ main(int ac, char **av) @@ -235,6 +237,10 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -391,7 +391,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
init_rng(); init_rng();
/* /*
@@ -285,6 +291,9 @@ main(int ac, char **av) @@ -301,6 +307,9 @@ main(int ac, char **av)
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
switch (opt) { switch (opt) {
case '1': case '1':
@ -401,7 +401,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
options.protocol = SSH_PROTO_1; options.protocol = SSH_PROTO_1;
break; break;
case '2': case '2':
@@ -581,7 +590,6 @@ main(int ac, char **av) @@ -599,7 +608,6 @@ main(int ac, char **av)
if (!host) if (!host)
usage(); usage();
@ -409,7 +409,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
ERR_load_crypto_strings(); ERR_load_crypto_strings();
/* Initialize the command to execute on remote host. */ /* Initialize the command to execute on remote host. */
@@ -667,6 +675,10 @@ main(int ac, char **av) @@ -685,6 +693,10 @@ main(int ac, char **av)
seed_rng(); seed_rng();
@ -420,7 +420,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
if (options.user == NULL) if (options.user == NULL)
options.user = xstrdup(pw->pw_name); options.user = xstrdup(pw->pw_name);
@@ -733,6 +745,12 @@ main(int ac, char **av) @@ -752,6 +764,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000; timeout_ms = options.connection_timeout * 1000;
@ -433,9 +433,9 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
/* Open a connection to the remote host. */ /* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port, if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms, options.address_family, options.connection_attempts, &timeout_ms,
diff -up openssh-5.5p1/sshconnect2.c.fips openssh-5.5p1/sshconnect2.c diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
--- openssh-5.5p1/sshconnect2.c.fips 2010-04-16 08:46:48.000000000 +0200 --- openssh-5.6p1/sshconnect2.c.fips 2010-08-23 12:43:41.000000000 +0200
+++ openssh-5.5p1/sshconnect2.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/sshconnect2.c 2010-08-23 12:43:41.000000000 +0200
@@ -44,6 +44,8 @@ @@ -44,6 +44,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -479,9 +479,9 @@ diff -up openssh-5.5p1/sshconnect2.c.fips openssh-5.5p1/sshconnect2.c
xfree(fp); xfree(fp);
/* /*
diff -up openssh-5.5p1/sshconnect.c.fips openssh-5.5p1/sshconnect.c diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
--- openssh-5.5p1/sshconnect.c.fips 2010-03-04 11:53:36.000000000 +0100 --- openssh-5.6p1/sshconnect.c.fips 2010-04-18 00:08:21.000000000 +0200
+++ openssh-5.5p1/sshconnect.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/sshconnect.c 2010-08-23 12:43:41.000000000 +0200
@@ -40,6 +40,8 @@ @@ -40,6 +40,8 @@
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
@ -568,9 +568,9 @@ diff -up openssh-5.5p1/sshconnect.c.fips openssh-5.5p1/sshconnect.c
error("Please contact your system administrator."); error("Please contact your system administrator.");
xfree(fp); xfree(fp);
diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
--- openssh-5.5p1/sshd.c.fips 2010-04-16 08:46:48.000000000 +0200 --- openssh-5.6p1/sshd.c.fips 2010-08-23 12:43:40.000000000 +0200
+++ openssh-5.5p1/sshd.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/sshd.c 2010-08-23 12:43:41.000000000 +0200
@@ -76,6 +76,8 @@ @@ -76,6 +76,8 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/md5.h> #include <openssl/md5.h>
@ -580,7 +580,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE #ifdef HAVE_SECUREWARE
@@ -1298,6 +1300,12 @@ main(int ac, char **av) @@ -1307,6 +1309,12 @@ main(int ac, char **av)
(void)set_auth_parameters(ac, av); (void)set_auth_parameters(ac, av);
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -593,7 +593,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
init_rng(); init_rng();
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
@@ -1459,8 +1467,6 @@ main(int ac, char **av) @@ -1468,8 +1476,6 @@ main(int ac, char **av)
else else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -602,7 +602,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
/* /*
* Force logging to stderr until we have loaded the private host * Force logging to stderr until we have loaded the private host
* key (unless started from inetd) * key (unless started from inetd)
@@ -1578,6 +1584,10 @@ main(int ac, char **av) @@ -1587,6 +1593,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, key->type, debug("private host key: #%d type %d %s", i, key->type,
key_type(key)); key_type(key));
} }
@ -613,7 +613,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
@@ -1742,6 +1752,10 @@ main(int ac, char **av) @@ -1751,6 +1761,10 @@ main(int ac, char **av)
/* Initialize the random number generator. */ /* Initialize the random number generator. */
arc4random_stir(); arc4random_stir();
@ -624,7 +624,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */
chdir("/"); chdir("/");
@@ -2275,6 +2289,9 @@ do_ssh2_kex(void) @@ -2284,6 +2298,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -634,7 +634,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
} }
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2284,6 +2301,9 @@ do_ssh2_kex(void) @@ -2293,6 +2310,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) { if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -644,9 +644,9 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
} }
if (options.compression == COMP_NONE) { if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_CTOS] =
diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c
--- openssh-5.5p1/ssh-keygen.c.fips 2010-03-21 19:58:24.000000000 +0100 --- openssh-5.6p1/ssh-keygen.c.fips 2010-08-23 12:43:40.000000000 +0200
+++ openssh-5.5p1/ssh-keygen.c 2010-04-16 08:46:49.000000000 +0200 +++ openssh-5.6p1/ssh-keygen.c 2010-08-23 12:43:41.000000000 +0200
@@ -21,6 +21,7 @@ @@ -21,6 +21,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -655,7 +655,7 @@ diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include <errno.h> #include <errno.h>
@@ -527,7 +528,7 @@ do_fingerprint(struct passwd *pw) @@ -692,7 +693,7 @@ do_fingerprint(struct passwd *pw)
enum fp_type fptype; enum fp_type fptype;
struct stat st; struct stat st;
@ -664,7 +664,7 @@ diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity) if (!have_identity)
@@ -1916,14 +1917,15 @@ passphrase_again: @@ -2209,14 +2210,15 @@ passphrase_again:
fclose(f); fclose(f);
if (!quiet) { if (!quiet) {


@ -1,6 +1,6 @@
diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c
--- openssh-5.5p1/auth2.c.gsskex 2010-05-13 15:59:50.000000000 +0200 --- openssh-5.6p1/auth2.c.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/auth2.c 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/auth2.c 2010-08-23 12:51:58.000000000 +0200
@@ -69,6 +69,7 @@ extern Authmethod method_passwd; @@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint; extern Authmethod method_kbdint;
extern Authmethod method_hostbased; extern Authmethod method_hostbased;
@ -35,9 +35,9 @@ diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c
authctxt->failures++; authctxt->failures++;
if (authctxt->failures >= options.max_authtries) { if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c
--- openssh-5.5p1/auth2-gss.c.gsskex 2010-05-13 15:59:50.000000000 +0200 --- openssh-5.6p1/auth2-gss.c.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/auth2-gss.c 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/auth2-gss.c 2010-08-23 12:51:58.000000000 +0200
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
@ -137,9 +137,9 @@ diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c
Authmethod method_gssapi = { Authmethod method_gssapi = {
"gssapi-with-mic", "gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h
--- openssh-5.5p1/auth.h.gsskex 2010-05-13 15:59:50.000000000 +0200 --- openssh-5.6p1/auth.h.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/auth.h 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/auth.h 2010-08-23 12:51:58.000000000 +0200
@@ -53,6 +53,7 @@ struct Authctxt { @@ -53,6 +53,7 @@ struct Authctxt {
int valid; /* user exists and is allowed to login */ int valid; /* user exists and is allowed to login */
int attempt; int attempt;
@ -148,9 +148,9 @@ diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h
int force_pwchange; int force_pwchange;
char *user; /* username sent by the client */ char *user; /* username sent by the client */
char *service; char *service;
diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
--- openssh-5.5p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 --- openssh-5.6p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100
+++ openssh-5.5p1/auth-krb5.c 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/auth-krb5.c 2010-08-23 12:51:58.000000000 +0200
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c @@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6; len = strlen(authctxt->krb5_ticket_file) + 6;
@ -198,9 +198,9 @@ diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c
return (krb5_cc_resolve(ctx, ccname, ccache)); return (krb5_cc_resolve(ctx, ccname, ccache));
} }
diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi
--- openssh-5.5p1/ChangeLog.gssapi.gsskex 2010-05-13 15:59:58.000000000 +0200 --- openssh-5.6p1/ChangeLog.gssapi.gsskex 2010-08-23 12:51:58.000000000 +0200
+++ openssh-5.5p1/ChangeLog.gssapi 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/ChangeLog.gssapi 2010-08-23 12:51:58.000000000 +0200
@@ -0,0 +1,95 @@ @@ -0,0 +1,95 @@
+20090615 +20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@ -297,9 +297,9 @@ diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi
+ add support for GssapiTrustDns option for gssapi-with-mic + add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu) + (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008> + <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c
--- openssh-5.5p1/clientloop.c.gsskex 2010-03-21 19:54:02.000000000 +0100 --- openssh-5.6p1/clientloop.c.gsskex 2010-08-03 08:04:46.000000000 +0200
+++ openssh-5.5p1/clientloop.c 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/clientloop.c 2010-08-23 12:51:58.000000000 +0200
@@ -111,6 +111,10 @@ @@ -111,6 +111,10 @@
#include "msg.h" #include "msg.h"
#include "roaming.h" #include "roaming.h"
@ -311,7 +311,7 @@ diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c
/* import options */ /* import options */
extern Options options; extern Options options;
@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha @@ -1483,6 +1487,13 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */ /* Do channel operations unless rekeying in progress. */
if (!rekeying) { if (!rekeying) {
channel_after_select(readset, writeset); channel_after_select(readset, writeset);
@ -325,9 +325,9 @@ diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c
if (need_rekeying || packet_need_rekeying()) { if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying"); debug("need rekeying");
xxx_kex->done = 0; xxx_kex->done = 0;
diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac
--- openssh-5.5p1/configure.ac.gsskex 2010-05-13 15:59:52.000000000 +0200 --- openssh-5.6p1/configure.ac.gsskex 2010-08-23 12:51:57.000000000 +0200
+++ openssh-5.5p1/configure.ac 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/configure.ac 2010-08-23 12:51:58.000000000 +0200
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD]) [Use tunnel device compatibility to OpenBSD])
AC_DEFINE(SSH_TUN_PREPEND_AF, 1, AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
@ -359,9 +359,9 @@ diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac
m4_pattern_allow(AU_IPv) m4_pattern_allow(AU_IPv)
AC_CHECK_DECL(AU_IPv4, [], AC_CHECK_DECL(AU_IPv4, [],
AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c
--- openssh-5.5p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 --- openssh-5.6p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.5p1/gss-genr.c 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/gss-genr.c 2010-08-23 12:51:58.000000000 +0200
@@ -39,12 +39,167 @@ @@ -39,12 +39,167 @@
#include "buffer.h" #include "buffer.h"
#include "log.h" #include "log.h"
@ -700,9 +700,9 @@ diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c
+} +}
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c
--- openssh-5.5p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 --- openssh-5.6p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
+++ openssh-5.5p1/gss-serv.c 2010-05-13 15:59:58.000000000 +0200 +++ openssh-5.6p1/gss-serv.c 2010-08-23 12:51:58.000000000 +0200
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
@ -1016,9 +1016,9 @@ diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c
} }
#endif #endif
diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
--- openssh-5.5p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 --- openssh-5.6p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.5p1/gss-serv-krb5.c 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/gss-serv-krb5.c 2010-08-23 12:51:58.000000000 +0200
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1139,9 +1139,9 @@ diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c
}; };
#endif /* KRB5 */ #endif /* KRB5 */
diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
--- openssh-5.5p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 --- openssh-5.6p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100
+++ openssh-5.5p1/kex.c 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/kex.c 2010-08-23 12:51:58.000000000 +0200
@@ -50,6 +50,10 @@ @@ -50,6 +50,10 @@
#include "monitor.h" #include "monitor.h"
#include "roaming.h" #include "roaming.h"
@ -1174,9 +1174,9 @@ diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c
} else } else
fatal("bad kex alg %s", k->name); fatal("bad kex alg %s", k->name);
} }
diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c
--- openssh-5.5p1/kexgssc.c.gsskex 2010-05-13 15:59:59.000000000 +0200 --- openssh-5.6p1/kexgssc.c.gsskex 2010-08-23 12:51:58.000000000 +0200
+++ openssh-5.5p1/kexgssc.c 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/kexgssc.c 2010-08-23 12:51:58.000000000 +0200
@@ -0,0 +1,334 @@ @@ -0,0 +1,334 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1512,9 +1512,9 @@ diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c
+} +}
+ +
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c
--- openssh-5.5p1/kexgsss.c.gsskex 2010-05-13 15:59:59.000000000 +0200 --- openssh-5.6p1/kexgsss.c.gsskex 2010-08-23 12:51:58.000000000 +0200
+++ openssh-5.5p1/kexgsss.c 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/kexgsss.c 2010-08-23 12:51:58.000000000 +0200
@@ -0,0 +1,288 @@ @@ -0,0 +1,288 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1804,9 +1804,9 @@ diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c
+ ssh_gssapi_rekey_creds(); + ssh_gssapi_rekey_creds();
+} +}
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h
--- openssh-5.5p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 --- openssh-5.6p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.5p1/kex.h 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/kex.h 2010-08-23 12:51:58.000000000 +0200
@@ -67,6 +67,9 @@ enum kex_exchange { @@ -67,6 +67,9 @@ enum kex_exchange {
KEX_DH_GRP14_SHA1, KEX_DH_GRP14_SHA1,
KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA1,
@ -1842,32 +1842,32 @@ diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h
void void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.5p1/key.c.gsskex openssh-5.5p1/key.c diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c
--- openssh-5.5p1/key.c.gsskex 2010-03-21 19:58:24.000000000 +0100 --- openssh-5.6p1/key.c.gsskex 2010-07-16 05:58:37.000000000 +0200
+++ openssh-5.5p1/key.c 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/key.c 2010-08-23 12:56:03.000000000 +0200
@@ -982,6 +982,8 @@ key_type_from_name(char *name) @@ -1020,6 +1020,8 @@ key_type_from_name(char *name)
return KEY_RSA_CERT; return KEY_RSA_CERT;
} else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
return KEY_DSA_CERT; return KEY_DSA_CERT;
+ } else if (strcmp(name, "null") == 0) { + } else if (strcmp(name, "null") == 0) {
+ return KEY_NULL; + return KEY_NULL;
} }
debug2("key_type_from_name: unknown key type '%s'", name); debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC; return KEY_UNSPEC;
diff -up openssh-5.5p1/key.h.gsskex openssh-5.5p1/key.h diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h
--- openssh-5.5p1/key.h.gsskex 2010-03-21 19:58:24.000000000 +0100 --- openssh-5.6p1/key.h.gsskex 2010-04-16 07:56:22.000000000 +0200
+++ openssh-5.5p1/key.h 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/key.h 2010-08-23 12:56:32.000000000 +0200
@@ -37,6 +37,7 @@ enum types { @@ -39,6 +39,7 @@ enum types {
KEY_DSA,
KEY_RSA_CERT,
KEY_DSA_CERT, KEY_DSA_CERT,
KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00,
+ KEY_NULL, + KEY_NULL,
KEY_UNSPEC KEY_UNSPEC
}; };
enum fp_type { enum fp_type {
diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in
--- openssh-5.5p1/Makefile.in.gsskex 2010-05-13 15:59:57.000000000 +0200 --- openssh-5.6p1/Makefile.in.gsskex 2010-08-23 12:51:58.000000000 +0200
+++ openssh-5.5p1/Makefile.in 2010-05-13 16:01:34.000000000 +0200 +++ openssh-5.6p1/Makefile.in 2010-08-23 12:51:58.000000000 +0200
@@ -76,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b @@ -76,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
@ -1891,9 +1891,9 @@ diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
--- openssh-5.5p1/monitor.c.gsskex 2010-05-13 15:59:50.000000000 +0200 --- openssh-5.6p1/monitor.c.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/monitor.c 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/monitor.c 2010-08-23 12:51:58.000000000 +0200
@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_userok(int, Buffer *);
@ -2086,9 +2086,9 @@ diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c
#endif /* GSSAPI */ #endif /* GSSAPI */
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h
--- openssh-5.5p1/monitor.h.gsskex 2010-05-13 15:59:50.000000000 +0200 --- openssh-5.6p1/monitor.h.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/monitor.h 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/monitor.h 2010-08-23 12:51:58.000000000 +0200
@@ -56,6 +56,8 @@ enum monitor_reqtype { @@ -56,6 +56,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2098,9 +2098,9 @@ diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h
MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
--- openssh-5.5p1/monitor_wrap.c.gsskex 2010-05-13 15:59:51.000000000 +0200 --- openssh-5.6p1/monitor_wrap.c.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/monitor_wrap.c 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/monitor_wrap.c 2010-08-23 12:51:58.000000000 +0200
@@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss @@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
} }
@ -2162,9 +2162,9 @@ diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c
#endif /* GSSAPI */ #endif /* GSSAPI */
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h
--- openssh-5.5p1/monitor_wrap.h.gsskex 2010-05-13 15:59:51.000000000 +0200 --- openssh-5.6p1/monitor_wrap.h.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/monitor_wrap.h 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/monitor_wrap.h 2010-08-23 12:51:58.000000000 +0200
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2177,18 +2177,18 @@ diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
--- openssh-5.5p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100 --- openssh-5.6p1/readconf.c.gsskex 2010-08-03 08:04:46.000000000 +0200
+++ openssh-5.5p1/readconf.c 2010-05-13 15:59:59.000000000 +0200 +++ openssh-5.6p1/readconf.c 2010-08-23 12:57:26.000000000 +0200
@@ -127,6 +127,7 @@ typedef enum { @@ -127,6 +127,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds, oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, oSendEnv, oControlPath, oControlMaster, oControlPersist,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oHashKnownHosts,
@@ -164,10 +165,18 @@ static struct { @@ -166,10 +167,18 @@ static struct {
{ "afstokenpassing", oUnsupported }, { "afstokenpassing", oUnsupported },
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
@ -2207,7 +2207,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
#endif #endif
{ "fallbacktorsh", oDeprecated }, { "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated }, { "usersh", oDeprecated },
@@ -456,10 +465,26 @@ parse_flag: @@ -474,10 +483,26 @@ parse_flag:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2234,7 +2234,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
goto parse_flag; goto parse_flag;
@@ -1015,7 +1040,11 @@ initialize_options(Options * options) @@ -1058,7 +1083,11 @@ initialize_options(Options * options)
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
@ -2246,7 +2246,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -1107,8 +1136,14 @@ fill_default_options(Options * options) @@ -1156,8 +1185,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1; options->challenge_response_authentication = 1;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2261,10 +2261,10 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h
--- openssh-5.5p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100 --- openssh-5.6p1/readconf.h.gsskex 2010-08-03 08:04:46.000000000 +0200
+++ openssh-5.5p1/readconf.h 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/readconf.h 2010-08-23 12:51:59.000000000 +0200
@@ -44,7 +44,11 @@ typedef struct { @@ -46,7 +46,11 @@ typedef struct {
int challenge_response_authentication; int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */ /* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */ int gss_authentication; /* Try GSS authentication */
@ -2276,9 +2276,9 @@ diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
--- openssh-5.5p1/servconf.c.gsskex 2010-05-13 15:59:54.000000000 +0200 --- openssh-5.6p1/servconf.c.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/servconf.c 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/servconf.c 2010-08-23 12:51:59.000000000 +0200
@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions @@ -93,7 +93,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
@ -2290,7 +2290,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -217,8 +220,14 @@ fill_default_server_options(ServerOption @@ -218,8 +221,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2305,7 +2305,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -312,7 +321,9 @@ typedef enum { @@ -313,7 +322,9 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -2316,7 +2316,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate, sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -376,9 +387,15 @@ static struct { @@ -377,9 +388,15 @@ static struct {
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2332,7 +2332,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
#endif #endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -939,10 +956,22 @@ process_server_config_line(ServerOptions @@ -941,10 +958,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2355,9 +2355,9 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h
--- openssh-5.5p1/servconf.h.gsskex 2010-05-13 15:59:54.000000000 +0200 --- openssh-5.6p1/servconf.h.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/servconf.h 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/servconf.h 2010-08-23 12:51:59.000000000 +0200
@@ -94,7 +94,10 @@ typedef struct { @@ -94,7 +94,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
@ -2369,10 +2369,10 @@ diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h
int password_authentication; /* If true, permit password int password_authentication; /* If true, permit password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* If true, permit */ int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5 diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
--- openssh-5.5p1/ssh_config.5.gsskex 2010-03-26 02:09:13.000000000 +0100 --- openssh-5.6p1/ssh_config.5.gsskex 2010-08-05 05:03:13.000000000 +0200
+++ openssh-5.5p1/ssh_config.5 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/ssh_config.5 2010-08-23 12:51:59.000000000 +0200
@@ -478,11 +478,38 @@ Specifies whether user authentication ba @@ -509,11 +509,38 @@ Specifies whether user authentication ba
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -2412,9 +2412,9 @@ diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config
--- openssh-5.5p1/ssh_config.gsskex 2010-05-13 15:59:48.000000000 +0200 --- openssh-5.6p1/ssh_config.gsskex 2010-08-23 12:51:55.000000000 +0200
+++ openssh-5.5p1/ssh_config 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/ssh_config 2010-08-23 12:51:59.000000000 +0200
@@ -26,6 +26,8 @@ @@ -26,6 +26,8 @@
# HostbasedAuthentication no # HostbasedAuthentication no
# GSSAPIAuthentication no # GSSAPIAuthentication no
@ -2424,9 +2424,9 @@ diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config
# BatchMode no # BatchMode no
# CheckHostIP yes # CheckHostIP yes
# AddressFamily any # AddressFamily any
diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
--- openssh-5.5p1/sshconnect2.c.gsskex 2010-05-13 15:59:57.000000000 +0200 --- openssh-5.6p1/sshconnect2.c.gsskex 2010-08-23 12:51:58.000000000 +0200
+++ openssh-5.5p1/sshconnect2.c 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/sshconnect2.c 2010-08-23 12:51:59.000000000 +0200
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{ {
Kex *kex; Kex *kex;
@ -2624,9 +2624,9 @@ diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c
#endif /* GSSAPI */ #endif /* GSSAPI */
int int
diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
--- openssh-5.5p1/sshd.c.gsskex 2010-05-13 15:59:57.000000000 +0200 --- openssh-5.6p1/sshd.c.gsskex 2010-08-23 12:51:58.000000000 +0200
+++ openssh-5.5p1/sshd.c 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/sshd.c 2010-08-23 12:51:59.000000000 +0200
@@ -129,6 +129,10 @@ int allow_severity; @@ -129,6 +129,10 @@ int allow_severity;
int deny_severity; int deny_severity;
#endif /* LIBWRAP */ #endif /* LIBWRAP */
@ -2638,7 +2638,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
#ifndef O_NOCTTY #ifndef O_NOCTTY
#define O_NOCTTY 0 #define O_NOCTTY 0
#endif #endif
@@ -1592,10 +1596,13 @@ main(int ac, char **av) @@ -1601,10 +1605,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
} }
@ -2652,7 +2652,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting."); logit("sshd: no hostkeys available -- exiting.");
exit(1); exit(1);
@@ -1928,6 +1935,60 @@ main(int ac, char **av) @@ -1937,6 +1944,60 @@ main(int ac, char **av)
/* Log the connection. */ /* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port); verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2713,7 +2713,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
/* /*
* We don't want to listen forever unless the other side * We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is * successfully authenticates itself. So we set up an alarm which is
@@ -2315,12 +2376,61 @@ do_ssh2_kex(void) @@ -2324,12 +2385,61 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2775,10 +2775,10 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
kex->server = 1; kex->server = 1;
kex->client_version_string=client_version_string; kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string; kex->server_version_string=server_version_string;
diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5 diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5
--- openssh-5.5p1/sshd_config.5.gsskex 2010-05-13 15:59:54.000000000 +0200 --- openssh-5.6p1/sshd_config.5.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/sshd_config.5 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/sshd_config.5 2010-08-23 12:51:59.000000000 +0200
@@ -379,12 +379,40 @@ Specifies whether user authentication ba @@ -424,12 +424,40 @@ Specifies whether user authentication ba
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -2819,9 +2819,9 @@ diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5
.It Cm HostbasedAuthentication .It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed with successful public key client host authentication is allowed
diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config
--- openssh-5.5p1/sshd_config.gsskex 2010-05-13 15:59:54.000000000 +0200 --- openssh-5.6p1/sshd_config.gsskex 2010-08-23 12:51:56.000000000 +0200
+++ openssh-5.5p1/sshd_config 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/sshd_config 2010-08-23 12:51:59.000000000 +0200
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no @@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes #GSSAPICleanupCredentials yes
@ -2831,9 +2831,9 @@ diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
diff -up openssh-5.5p1/ssh-gss.h.gsskex openssh-5.5p1/ssh-gss.h diff -up openssh-5.6p1/ssh-gss.h.gsskex openssh-5.6p1/ssh-gss.h
--- openssh-5.5p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 --- openssh-5.6p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.5p1/ssh-gss.h 2010-05-13 16:00:00.000000000 +0200 +++ openssh-5.6p1/ssh-gss.h 2010-08-23 12:51:59.000000000 +0200
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/* /*


@ -1,6 +1,6 @@
diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0 diff -up openssh-5.6p1/ssh-keygen.0.keygen openssh-5.6p1/ssh-keygen.0
--- openssh-5.5p1/ssh-keygen.0.keygen 2010-04-16 02:17:11.000000000 +0200 --- openssh-5.6p1/ssh-keygen.0.keygen 2010-08-22 16:30:03.000000000 +0200
+++ openssh-5.5p1/ssh-keygen.0 2010-05-04 08:19:22.000000000 +0200 +++ openssh-5.6p1/ssh-keygen.0 2010-08-23 12:37:19.000000000 +0200
@@ -4,7 +4,7 @@ NAME @@ -4,7 +4,7 @@ NAME
ssh-keygen - authentication key generation, management and conversion ssh-keygen - authentication key generation, management and conversion
@ -9,8 +9,8 @@ diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0
+ ssh-keygen [-q] [-o] [-b bits] -t type [-N new_passphrase] [-C comment] + ssh-keygen [-q] [-o] [-b bits] -t type [-N new_passphrase] [-C comment]
[-f output_keyfile] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-f input_keyfile] ssh-keygen -i [-m key_format] [-f input_keyfile]
@@ -222,6 +222,8 @@ DESCRIPTION @@ -232,6 +232,8 @@ DESCRIPTION
-q Silence ssh-keygen. Used by /etc/rc when creating a new key. -q Silence ssh-keygen. Used by /etc/rc when creating a new key.
@ -19,18 +19,18 @@ diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0
-R hostname -R hostname
Removes all keys belonging to hostname from a known_hosts file. Removes all keys belonging to hostname from a known_hosts file.
This option is useful to delete hashed hosts (see the -H option This option is useful to delete hashed hosts (see the -H option
diff -up openssh-5.5p1/ssh-keygen.1.keygen openssh-5.5p1/ssh-keygen.1 diff -up openssh-5.6p1/ssh-keygen.1.keygen openssh-5.6p1/ssh-keygen.1
--- openssh-5.5p1/ssh-keygen.1.keygen 2010-03-21 19:57:49.000000000 +0100 --- openssh-5.6p1/ssh-keygen.1.keygen 2010-08-05 05:05:32.000000000 +0200
+++ openssh-5.5p1/ssh-keygen.1 2010-05-04 08:19:22.000000000 +0200 +++ openssh-5.6p1/ssh-keygen.1 2010-08-23 12:36:25.000000000 +0200
@@ -47,6 +47,7 @@ @@ -47,6 +47,7 @@
.Nm ssh-keygen
.Bk -words .Bk -words
.Nm ssh-keygen
.Op Fl q .Op Fl q
+.Op Fl o +.Op Fl o
.Op Fl b Ar bits .Op Fl b Ar bits
.Fl t Ar type .Fl t Ar type
.Op Fl N Ar new_passphrase .Op Fl N Ar new_passphrase
@@ -370,6 +371,8 @@ Silence @@ -397,6 +398,8 @@ Silence
Used by Used by
.Pa /etc/rc .Pa /etc/rc
when creating a new key. when creating a new key.
@ -39,9 +39,9 @@ diff -up openssh-5.5p1/ssh-keygen.1.keygen openssh-5.5p1/ssh-keygen.1
.It Fl R Ar hostname .It Fl R Ar hostname
Removes all keys belonging to Removes all keys belonging to
.Ar hostname .Ar hostname
diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c diff -up openssh-5.6p1/ssh-keygen.c.keygen openssh-5.6p1/ssh-keygen.c
--- openssh-5.5p1/ssh-keygen.c.keygen 2010-03-21 19:58:24.000000000 +0100 --- openssh-5.6p1/ssh-keygen.c.keygen 2010-08-05 05:05:32.000000000 +0200
+++ openssh-5.5p1/ssh-keygen.c 2010-05-04 08:22:22.000000000 +0200 +++ openssh-5.6p1/ssh-keygen.c 2010-08-23 12:34:40.000000000 +0200
@@ -72,6 +72,7 @@ int change_passphrase = 0; @@ -72,6 +72,7 @@ int change_passphrase = 0;
int change_comment = 0; int change_comment = 0;
@ -50,16 +50,16 @@ diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c
int log_level = SYSLOG_LEVEL_INFO; int log_level = SYSLOG_LEVEL_INFO;
@@ -1540,7 +1541,7 @@ main(int argc, char **argv) @@ -1798,7 +1799,7 @@ main(int argc, char **argv)
exit(1); exit(1);
} }
- while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:N:n:" - while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
+ while ((opt = getopt(argc, argv, "degiqopclBHLhvxXyF:b:f:t:D:I:P:N:n:" + while ((opt = getopt(argc, argv, "degiqopclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
"O:C:r:g:R:T:G:M:S:s:a:V:W:")) != -1) { "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
switch (opt) { switch (opt) {
case 'b': case 'b':
@@ -1605,6 +1606,9 @@ main(int argc, char **argv) @@ -1878,6 +1879,9 @@ main(int argc, char **argv)
case 'q': case 'q':
quiet = 1; quiet = 1;
break; break;
@ -69,8 +69,8 @@ diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c
case 'e': case 'e':
case 'x': case 'x':
/* export key */ /* export key */
@@ -1835,7 +1839,7 @@ main(int argc, char **argv) @@ -2124,7 +2128,7 @@ main(int argc, char **argv)
printf("Created directory '%s'.\n", dotsshdir); }
} }
/* If the file already exists, ask the user to confirm. */ /* If the file already exists, ask the user to confirm. */
- if (stat(identity_file, &st) >= 0) { - if (stat(identity_file, &st) >= 0) {
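Review bot: The downstream `o` added to the getopt string in `while ((opt = getopt(argc, argv, "degiqopclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"` carries nothing that distinguishes it from upstream letters, and this very rebase shows upstream claiming new letters (`m:`, `z:`) between 5.5p1 and 5.6p1, so a later upstream `-o` would collide silently. A short comment on the patched line, `/* 'o' is a distribution-local option, absent from upstream's getopt string */`, would make the next rebase check for exactly that. The removed `if (stat(identity_file, &st) >= 0) {` at the end of the last hunk suggests `-o` alters the existing-identity-file confirmation; its replacement line and the `case 'o':` body are outside this view, so the ssh-keygen.1 text for `-o` should state plainly whether it suppresses that overwrite prompt. main() of ssh-keygen.c starts and ends outside every hunk shown here.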


@ -1,6 +1,6 @@
diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
--- openssh-5.5p1/auth-krb5.c.kuserok 2010-07-07 13:12:01.000000000 +0200 --- openssh-5.6p1/auth-krb5.c.kuserok 2010-08-23 13:01:19.000000000 +0200
+++ openssh-5.5p1/auth-krb5.c 2010-07-07 13:12:03.000000000 +0200 +++ openssh-5.6p1/auth-krb5.c 2010-08-23 13:01:21.000000000 +0200
@@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c @@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem) if (problem)
goto out; goto out;
@ -16,18 +16,18 @@ diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c
} }
problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
--- openssh-5.5p1/servconf.c.kuserok 2010-07-07 13:12:02.000000000 +0200 --- openssh-5.6p1/servconf.c.kuserok 2010-08-23 13:01:20.000000000 +0200
+++ openssh-5.5p1/servconf.c 2010-07-07 13:12:04.000000000 +0200 +++ openssh-5.6p1/servconf.c 2010-08-23 13:02:14.000000000 +0200
@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions @@ -138,6 +138,7 @@ initialize_server_options(ServerOptions
options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL; options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL; options->trusted_user_ca_keys = NULL;
options->authorized_principals_file = NULL;
+ options->use_kuserok = -1; + options->use_kuserok = -1;
} }
void void
@@ -285,6 +286,8 @@ fill_default_server_options(ServerOption @@ -286,6 +287,8 @@ fill_default_server_options(ServerOption
if (use_privsep == -1) if (use_privsep == -1)
use_privsep = 1; use_privsep = 1;
@ -36,7 +36,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
#ifndef HAVE_MMAP #ifndef HAVE_MMAP
if (use_privsep && options->compression == 1) { if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege " error("This platform does not support both privilege "
@@ -306,7 +309,7 @@ typedef enum { @@ -307,7 +310,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -45,7 +45,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication, sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
@@ -376,11 +379,13 @@ static struct { @@ -377,11 +380,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -59,7 +59,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions @@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions
*activep = value; *activep = value;
break; break;
@ -70,7 +70,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -1517,6 +1526,7 @@ copy_set_server_options(ServerOptions *d @@ -1525,6 +1534,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(x11_use_localhost); M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(max_sessions); M_CP_INTOPT(max_sessions);
M_CP_INTOPT(max_authtries); M_CP_INTOPT(max_authtries);
@ -78,7 +78,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
M_CP_STROPT(banner); M_CP_STROPT(banner);
if (preauth) if (preauth)
@@ -1734,6 +1744,7 @@ dump_config(ServerOptions *o) @@ -1745,6 +1755,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -86,9 +86,9 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
--- openssh-5.5p1/servconf.h.kuserok 2010-07-07 13:12:02.000000000 +0200 --- openssh-5.6p1/servconf.h.kuserok 2010-08-23 13:01:20.000000000 +0200
+++ openssh-5.5p1/servconf.h 2010-07-07 13:12:04.000000000 +0200 +++ openssh-5.6p1/servconf.h 2010-08-23 13:01:21.000000000 +0200
@@ -157,6 +157,7 @@ typedef struct { @@ -157,6 +157,7 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -97,10 +97,10 @@ diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5 diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
--- openssh-5.5p1/sshd_config.5.kuserok 2010-07-07 13:12:03.000000000 +0200 --- openssh-5.6p1/sshd_config.5.kuserok 2010-08-23 13:01:21.000000000 +0200
+++ openssh-5.5p1/sshd_config.5 2010-07-07 13:21:02.000000000 +0200 +++ openssh-5.6p1/sshd_config.5 2010-08-23 13:03:15.000000000 +0200
@@ -519,6 +519,10 @@ Specifies whether to automatically destr @@ -564,6 +564,10 @@ Specifies whether to automatically destr
file on logout. file on logout.
The default is The default is
.Dq yes . .Dq yes .
@ -111,17 +111,17 @@ diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5
.It Cm KeyRegenerationInterval .It Cm KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated In protocol version 1, the ephemeral server key is automatically regenerated
after this many seconds (if it has been used). after this many seconds (if it has been used).
@@ -644,6 +648,7 @@ Available keywords are @@ -694,6 +698,7 @@ Available keywords are
.Cm HostbasedAuthentication , .Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok , +.Cm KerberosUseKuserok ,
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
.Cm PubkeyAuthentication , .Cm PubkeyAuthentication ,
diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config
--- openssh-5.5p1/sshd_config.kuserok 2010-07-07 13:12:03.000000000 +0200 --- openssh-5.6p1/sshd_config.kuserok 2010-08-23 13:01:21.000000000 +0200
+++ openssh-5.5p1/sshd_config 2010-07-07 13:12:04.000000000 +0200 +++ openssh-5.6p1/sshd_config 2010-08-23 13:01:21.000000000 +0200
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no @@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
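Review bot: The sshd_config.5 hunk adds `.Cm KerberosUseKuserok ,` to the keywords permitted in a Match block, which only holds if the servconf.c option-table entry carries SSHCFG_ALL and copy_set_server_options gains `M_CP_INTOPT(use_kuserok);`; both lines sit inside the collapsed hunks at `@ -59,7 +59,7 @@` and `@ -78,7 +78,7 @@` and cannot be confirmed from this view, so they should be checked together with the man page claim. The default written by fill_default_server_options is likewise hidden in `@ -36,7 +36,7 @@`; since this flag presumably decides whether auth_krb5_password still performs the kuserok per-user authorization check after a successful Kerberos password exchange, the default should leave the check enabled (`1`), and the KerberosUseKuserok entry in sshd_config.5 should say explicitly that `no` removes that per-user authorization step. initialize_server_options and the other functions touched here start and end outside the hunks shown.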


@ -1,6 +1,6 @@
diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac
--- openssh-5.5p1/configure.ac.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/configure.ac.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/configure.ac 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/configure.ac 2010-08-23 12:28:11.000000000 +0200
@@ -1358,6 +1358,106 @@ AC_ARG_WITH(authorized-keys-command, @@ -1358,6 +1358,106 @@ AC_ARG_WITH(authorized-keys-command,
] ]
) )
@ -108,9 +108,9 @@ diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS( \ AC_CHECK_FUNCS( \
arc4random \ arc4random \
diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c
--- openssh-5.5p1/ldapbody.c.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldapbody.c.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldapbody.c 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldapbody.c 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,494 @@ @@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -606,9 +606,9 @@ diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c
+ return; + return;
+} +}
+ +
diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h
--- openssh-5.5p1/ldapbody.h.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldapbody.h.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldapbody.h 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldapbody.h 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -647,9 +647,9 @@ diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h
+ +
+#endif /* LDAPBODY_H */ +#endif /* LDAPBODY_H */
+ +
diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c
--- openssh-5.5p1/ldapconf.c.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldapconf.c.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldapconf.c 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldapconf.c 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,682 @@ @@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1333,9 +1333,9 @@ diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c
+ dump_cfg_string(lSSH_Filter, options.ssh_filter); + dump_cfg_string(lSSH_Filter, options.ssh_filter);
+} +}
+ +
diff -up openssh-5.5p1/ldapconf.h.ldap openssh-5.5p1/ldapconf.h diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h
--- openssh-5.5p1/ldapconf.h.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldapconf.h.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldapconf.h 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldapconf.h 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1408,9 +1408,9 @@ diff -up openssh-5.5p1/ldapconf.h.ldap openssh-5.5p1/ldapconf.h
+void dump_config(void); +void dump_config(void);
+ +
+#endif /* LDAPCONF_H */ +#endif /* LDAPCONF_H */
diff -up openssh-5.5p1/ldap.conf.ldap openssh-5.5p1/ldap.conf diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf
--- openssh-5.5p1/ldap.conf.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldap.conf.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldap.conf 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldap.conf 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,88 @@ @@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+# +#
@ -1500,9 +1500,9 @@ diff -up openssh-5.5p1/ldap.conf.ldap openssh-5.5p1/ldap.conf
+#tls_cert +#tls_cert
+#tls_key +#tls_key
+ +
diff -up openssh-5.5p1/ldap-helper.c.ldap openssh-5.5p1/ldap-helper.c diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c
--- openssh-5.5p1/ldap-helper.c.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldap-helper.c.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldap-helper.c 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldap-helper.c 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,154 @@ @@ -0,0 +1,154 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1658,9 +1658,9 @@ diff -up openssh-5.5p1/ldap-helper.c.ldap openssh-5.5p1/ldap-helper.c
+void *buffer_get_string(Buffer *b, u_int *l) {} +void *buffer_get_string(Buffer *b, u_int *l) {}
+void buffer_put_string(Buffer *b, const void *f, u_int l) {} +void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+ +
diff -up openssh-5.5p1/ldap-helper.h.ldap openssh-5.5p1/ldap-helper.h diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h
--- openssh-5.5p1/ldap-helper.h.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldap-helper.h.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldap-helper.h 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldap-helper.h 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1694,9 +1694,9 @@ diff -up openssh-5.5p1/ldap-helper.h.ldap openssh-5.5p1/ldap-helper.h
+extern int config_warning_config_file; +extern int config_warning_config_file;
+ +
+#endif /* LDAP_HELPER_H */ +#endif /* LDAP_HELPER_H */
diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h
--- openssh-5.5p1/ldapincludes.h.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldapincludes.h.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldapincludes.h 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldapincludes.h 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1739,9 +1739,9 @@ diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h
+#endif +#endif
+ +
+#endif /* LDAPINCLUDES_H */ +#endif /* LDAPINCLUDES_H */
diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c
--- openssh-5.5p1/ldapmisc.c.ldap 2010-07-07 14:36:34.000000000 +0200 --- openssh-5.6p1/ldapmisc.c.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldapmisc.c 2010-07-07 14:36:34.000000000 +0200 +++ openssh-5.6p1/ldapmisc.c 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+ +
+#include "ldapincludes.h" +#include "ldapincludes.h"
@ -1822,9 +1822,9 @@ diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c
+} +}
+#endif +#endif
+ +
diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h
--- openssh-5.5p1/ldapmisc.h.ldap 2010-07-07 14:36:35.000000000 +0200 --- openssh-5.6p1/ldapmisc.h.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ldapmisc.h 2010-07-07 14:36:35.000000000 +0200 +++ openssh-5.6p1/ldapmisc.h 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1861,9 +1861,9 @@ diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h
+ +
+#endif /* LDAPMISC_H */ +#endif /* LDAPMISC_H */
+ +
diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example.txt diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example.txt
--- openssh-5.5p1/lpk-user-example.txt.ldap 2010-07-07 14:36:35.000000000 +0200 --- openssh-5.6p1/lpk-user-example.txt.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/lpk-user-example.txt 2010-07-07 14:36:35.000000000 +0200 +++ openssh-5.6p1/lpk-user-example.txt 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,117 @@ @@ -0,0 +1,117 @@
+ +
+Post to ML -> User Made Quick Install Doc. +Post to ML -> User Made Quick Install Doc.
@ -1982,9 +1982,9 @@ diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example.
+puTTY). Login should succeed. +puTTY). Login should succeed.
+ +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
--- openssh-5.5p1/Makefile.in.ldap 2010-03-13 22:41:34.000000000 +0100 --- openssh-5.6p1/Makefile.in.ldap 2010-05-12 08:51:39.000000000 +0200
+++ openssh-5.5p1/Makefile.in 2010-07-07 14:36:35.000000000 +0200 +++ openssh-5.6p1/Makefile.in 2010-08-23 12:29:24.000000000 +0200
@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas @@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -2004,26 +2004,9 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -74,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b @@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
entropy.o gss-genr.o umac.o jpake.o schnorr.o \
- ssh-pkcs11.o
+ ssh-pkcs11.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
- roaming_common.o roaming_client.o
+ roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
@@ -91,10 +93,10 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
- roaming_common.o roaming_serv.o roaming_common.o roaming_serv.o
+ roaming_common.o roaming_serv.o
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@ -2034,7 +2017,7 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -162,6 +164,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss @@ -162,6 +164,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@ -2085,9 +2068,9 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
tests interop-tests: $(TARGETS) tests interop-tests: $(TARGETS)
diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lpk-openldap.schema diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lpk-openldap.schema
--- openssh-5.5p1/openssh-lpk-openldap.schema.ldap 2010-07-07 14:36:35.000000000 +0200 --- openssh-5.6p1/openssh-lpk-openldap.schema.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/openssh-lpk-openldap.schema 2010-07-07 14:36:35.000000000 +0200 +++ openssh-5.6p1/openssh-lpk-openldap.schema 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2110,9 +2093,9 @@ diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lp
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun.schema diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun.schema
--- openssh-5.5p1/openssh-lpk-sun.schema.ldap 2010-07-07 14:36:35.000000000 +0200 --- openssh-5.6p1/openssh-lpk-sun.schema.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/openssh-lpk-sun.schema 2010-07-07 14:36:35.000000000 +0200 +++ openssh-5.6p1/openssh-lpk-sun.schema 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2137,9 +2120,9 @@ diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff -up openssh-5.5p1/README.lpk.ldap openssh-5.5p1/README.lpk diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk
--- openssh-5.5p1/README.lpk.ldap 2010-07-07 14:36:35.000000000 +0200 --- openssh-5.6p1/README.lpk.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/README.lpk 2010-07-07 14:36:35.000000000 +0200 +++ openssh-5.6p1/README.lpk 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,274 @@ @@ -0,0 +1,274 @@
+OpenSSH LDAP PUBLIC KEY PATCH +OpenSSH LDAP PUBLIC KEY PATCH
+Copyright (c) 2003 Eric AUGE (eau@phear.org) +Copyright (c) 2003 Eric AUGE (eau@phear.org)
@ -2415,9 +2398,9 @@ diff -up openssh-5.5p1/README.lpk.ldap openssh-5.5p1/README.lpk
+- CONTACT : +- CONTACT :
+ Jan F. Chadima <jchadima@redhat.com> + Jan F. Chadima <jchadima@redhat.com>
+ +
diff -up openssh-5.5p1/ssh-ldap.conf.5.ldap openssh-5.5p1/ssh-ldap.conf.5 diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5
--- openssh-5.5p1/ssh-ldap.conf.5.ldap 2010-07-07 14:36:35.000000000 +0200 --- openssh-5.6p1/ssh-ldap.conf.5.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ssh-ldap.conf.5 2010-07-07 14:36:35.000000000 +0200 +++ openssh-5.6p1/ssh-ldap.conf.5 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,373 @@ @@ -0,0 +1,373 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2792,9 +2775,9 @@ diff -up openssh-5.5p1/ssh-ldap.conf.5.ldap openssh-5.5p1/ssh-ldap.conf.5
+OpenSSH 5.5 + PKA-LDAP . +OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
diff -up openssh-5.5p1/ssh-ldap-helper.8.ldap openssh-5.5p1/ssh-ldap-helper.8 diff -up openssh-5.6p1/ssh-ldap-helper.8.ldap openssh-5.6p1/ssh-ldap-helper.8
--- openssh-5.5p1/ssh-ldap-helper.8.ldap 2010-07-07 14:36:35.000000000 +0200 --- openssh-5.6p1/ssh-ldap-helper.8.ldap 2010-08-23 12:28:11.000000000 +0200
+++ openssh-5.5p1/ssh-ldap-helper.8 2010-07-07 14:36:35.000000000 +0200 +++ openssh-5.6p1/ssh-ldap-helper.8 2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,78 @@ @@ -0,0 +1,78 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"


@ -1,7 +1,7 @@
diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac diff -up openssh-5.6p1/configure.ac.mls openssh-5.6p1/configure.ac
--- openssh-5.4p1/configure.ac.mls 2010-03-01 15:24:27.000000000 +0100 --- openssh-5.6p1/configure.ac.mls 2010-08-23 12:11:36.000000000 +0200
+++ openssh-5.4p1/configure.ac 2010-03-01 15:24:28.000000000 +0100 +++ openssh-5.6p1/configure.ac 2010-08-23 12:11:36.000000000 +0200
@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux, @@ -3390,6 +3390,7 @@ AC_ARG_WITH(selinux,
SSHDLIBS="$SSHDLIBS $LIBSELINUX" SSHDLIBS="$SSHDLIBS $LIBSELINUX"
LIBS="$LIBS $LIBSELINUX" LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
@ -9,23 +9,21 @@ diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac
LIBS="$save_LIBS" LIBS="$save_LIBS"
fi ] fi ]
) )
diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c
--- openssh-5.4p1/misc.c.mls 2010-01-10 00:31:12.000000000 +0100 --- openssh-5.6p1/misc.c.mls 2010-08-03 08:05:05.000000000 +0200
+++ openssh-5.4p1/misc.c 2010-03-01 15:24:28.000000000 +0100 +++ openssh-5.6p1/misc.c 2010-08-23 12:14:16.000000000 +0200
@@ -423,6 +423,7 @@ char * @@ -424,6 +424,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
int flag = 0; int flag = 0;
+ int start = 1; + int start = 1;
if (*cp == ':') /* Leading colon is part of file name. */ if (*cp == ':') /* Leading colon is part of file name. */
return (0); return NULL;
@@ -436,8 +437,13 @@ colon(char *cp) @@ -439,6 +440,13 @@ colon(char *cp)
return (cp+1);
if (*cp == ':' && !flag)
return (cp); return (cp);
- if (*cp == '/') if (*cp == '/')
- return (0); return NULL;
+ if (start) { + if (start) {
+ /* Slash on beginning or after dots only denotes file name. */ + /* Slash on beginning or after dots only denotes file name. */
+ if (*cp == '/') + if (*cp == '/')
@ -34,11 +32,11 @@ diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c
+ start = 0; + start = 0;
+ } + }
} }
return (0); return NULL;
} }
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.mls 2010-03-01 15:24:27.000000000 +0100 --- openssh-5.6p1/openbsd-compat/port-linux.c.mls 2010-08-23 12:11:36.000000000 +0200
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:25:50.000000000 +0100 +++ openssh-5.6p1/openbsd-compat/port-linux.c 2010-08-23 12:11:37.000000000 +0200
@@ -35,13 +35,24 @@ @@ -35,13 +35,24 @@
#include "key.h" #include "key.h"
#include "hostfile.h" #include "hostfile.h"
@ -417,10 +415,10 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-com
/* XXX: should these calls fatal() upon failure in enforcing mode? */ /* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c diff -up openssh-5.6p1/sshd.c.mls openssh-5.6p1/sshd.c
--- openssh-5.4p1/sshd.c.mls 2010-03-01 15:24:27.000000000 +0100 --- openssh-5.6p1/sshd.c.mls 2010-08-23 12:11:36.000000000 +0200
+++ openssh-5.4p1/sshd.c 2010-03-01 15:24:28.000000000 +0100 +++ openssh-5.6p1/sshd.c 2010-08-23 12:11:37.000000000 +0200
@@ -1987,6 +1987,9 @@ main(int ac, char **av) @@ -1997,6 +1997,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif
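Review bot: In the rebased misc.c hunk the upstream `if (*cp == '/')` / `return NULL;` pair is now kept as context directly ahead of the added `+ if (start) {` block, so for any slash colon() returns before the start-gated check (the one commented "Slash on beginning or after dots only denotes file name", whose own `if (*cp == '/')` is visible a few lines lower) is ever reached. Either the rebase lost the two removal lines that the 5.4p1 version of this hunk still carried, or the whole added block is dead code; in the former case the hunk should read `-	if (*cp == '/')` / `-		return NULL;` immediately before `+	if (start) {`. The header change from `@@ -436,8 +437,13 @@` to `@@ -439,6 +440,13 @@` (no lines removed any more) is consistent with the removal having gone missing rather than being intentional. The middle of the added block and the remainder of colon() lie outside this hunk.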


@ -1,19 +1,19 @@
diff -up openssh-5.3p1/contrib/ssh-copy-id.selabel openssh-5.3p1/contrib/ssh-copy-id diff -up openssh-5.6p1/contrib/ssh-copy-id.selabel openssh-5.6p1/contrib/ssh-copy-id
--- openssh-5.3p1/contrib/ssh-copy-id.selabel 2009-01-21 10:29:21.000000000 +0100 --- openssh-5.6p1/contrib/ssh-copy-id.selabel 2010-08-10 05:36:09.000000000 +0200
+++ openssh-5.3p1/contrib/ssh-copy-id 2009-10-02 14:21:54.000000000 +0200 +++ openssh-5.6p1/contrib/ssh-copy-id 2010-08-23 12:50:20.000000000 +0200
@@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || @@ -41,7 +41,7 @@ fi
exit 1 # strip any trailing colon
fi host=`echo $1 | sed 's/:$//'`
-{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 -{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
+{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys" || exit 1 +{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys" || exit 1
cat <<EOF cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in: Now try logging into the machine, with "ssh '$host'", and check in:
diff -up openssh-5.3p1/Makefile.in.selabel openssh-5.3p1/Makefile.in diff -up openssh-5.6p1/Makefile.in.selabel openssh-5.6p1/Makefile.in
--- openssh-5.3p1/Makefile.in.selabel 2009-10-02 14:21:54.000000000 +0200 --- openssh-5.6p1/Makefile.in.selabel 2010-08-23 12:47:39.000000000 +0200
+++ openssh-5.3p1/Makefile.in 2009-10-02 14:23:23.000000000 +0200 +++ openssh-5.6p1/Makefile.in 2010-08-23 12:47:39.000000000 +0200
@@ -136,7 +136,7 @@ libssh.a: $(LIBSSH_OBJS) @@ -141,7 +141,7 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@ $(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -22,9 +22,9 @@ diff -up openssh-5.3p1/Makefile.in.selabel openssh-5.3p1/Makefile.in
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c diff -up openssh-5.6p1/ssh.c.selabel openssh-5.6p1/ssh.c
--- openssh-5.3p1/ssh.c.selabel 2009-10-02 14:21:54.000000000 +0200 --- openssh-5.6p1/ssh.c.selabel 2010-08-23 12:47:39.000000000 +0200
+++ openssh-5.3p1/ssh.c 2009-10-02 14:21:54.000000000 +0200 +++ openssh-5.6p1/ssh.c 2010-08-23 12:47:39.000000000 +0200
@@ -74,6 +74,7 @@ @@ -74,6 +74,7 @@
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/fips.h> #include <openssl/fips.h>
@ -33,7 +33,7 @@ diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -792,10 +793,15 @@ main(int ac, char **av) @@ -848,10 +849,15 @@ main(int ac, char **av)
*/ */
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir, r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
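Review bot: The remote command in the ssh-copy-id hunk now ends with `test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys`, so on a target without /sbin/restorecon (non-SELinux hosts, or distributions that install it under /usr/sbin) the `&&` list exits 1, the trailing `|| exit 1` fires and ssh-copy-id reports failure even though the key was appended; conversely, where restorecon exists and succeeds, a failed `cat >> ~/.ssh/authorized_keys` is masked because cat is no longer the last command. Propagate cat's status explicitly and make the relabel best-effort: `cat >> ~/.ssh/authorized_keys || exit 1; test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys; exit 0`. The unquoted `$host` in `ssh $host` is upstream behaviour and not introduced by this patch.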


@ -73,7 +73,7 @@
%define openssh_ver 5.6p1 %define openssh_ver 5.6p1
%define openssh_rel 1 %define openssh_rel 1
%define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 26 %define pam_ssh_agent_rel 27
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -94,44 +94,38 @@ Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/p
Source5: pam_ssh_agent-rmheaders Source5: pam_ssh_agent-rmheaders
Patch0: openssh-5.4p1-redhat.patch Patch0: openssh-5.4p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1638
Patch2: openssh-5.3p1-skip-initial.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640
Patch4: openssh-5.2p1-vendor.patch Patch4: openssh-5.2p1-vendor.patch
Patch10: pam_ssh_agent_auth-0.9-build.patch Patch10: pam_ssh_agent_auth-0.9-build.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Patch12: openssh-5.4p1-selinux.patch Patch12: openssh-5.4p1-selinux.patch
Patch13: openssh-5.5p1-mls.patch Patch13: openssh-5.6p1-mls.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch16: openssh-5.3p1-audit.patch Patch16: openssh-5.3p1-audit.patch
Patch18: openssh-5.4p1-pam_selinux.patch Patch18: openssh-5.4p1-pam_selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Patch20: openssh-5.5p1-authorized-keys-command.patch Patch20: openssh-5.6p1-authorized-keys-command.patch
Patch21: openssh-5.5p1-ldap.patch Patch21: openssh-5.6p1-ldap.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1668 #https://bugzilla.mindrot.org/show_bug.cgi?id=1668
Patch23: openssh-5.5p1-keygen.patch Patch23: openssh-5.6p1-keygen.patch
Patch24: openssh-4.3p1-fromto-remote.patch Patch24: openssh-4.3p1-fromto-remote.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1636 #https://bugzilla.mindrot.org/show_bug.cgi?id=1636
Patch27: openssh-5.1p1-log-in-chroot.patch Patch27: openssh-5.1p1-log-in-chroot.patch
Patch30: openssh-4.0p1-exit-deadlock.patch Patch30: openssh-5.6p1-exit-deadlock.patch
Patch35: openssh-5.1p1-askpass-progress.patch Patch35: openssh-5.1p1-askpass-progress.patch
Patch38: openssh-4.3p2-askpass-grab-info.patch Patch38: openssh-4.3p2-askpass-grab-info.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644 #https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch44: openssh-5.2p1-allow-ip-opts.patch Patch44: openssh-5.2p1-allow-ip-opts.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch62: openssh-5.1p1-scp-manpage.patch Patch62: openssh-5.1p1-scp-manpage.patch
Patch65: openssh-5.5p1-fips.patch Patch65: openssh-5.6p1-fips.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1614 #https://bugzilla.mindrot.org/show_bug.cgi?id=1614
Patch69: openssh-5.3p1-selabel.patch Patch69: openssh-5.6p1-selabel.patch
Patch71: openssh-5.2p1-edns.patch Patch71: openssh-5.2p1-edns.patch
Patch73: openssh-5.5p1-gsskex.patch Patch73: openssh-5.6p1-gsskex.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701 #https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Patch74: openssh-5.3p1-randclean.patch Patch74: openssh-5.3p1-randclean.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1740 Patch78: openssh-5.6p1-kuserok.patch
Patch76: openssh-5.5p1-staterr.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1750
Patch77: openssh-5.5p1-stderr.patch
Patch78: openssh-5.5p1-kuserok.patch
Patch79: openssh-5.5p1-x11.patch Patch79: openssh-5.5p1-x11.patch
License: BSD License: BSD
@ -268,7 +262,6 @@ The module is most useful for su and sudo service stacks.
%prep %prep
%setup -q -a 4 %setup -q -a 4
%patch0 -p1 -b .redhat %patch0 -p1 -b .redhat
%patch2 -p1 -b .skip-initial
%patch4 -p1 -b .vendor %patch4 -p1 -b .vendor
%if %{pam_ssh_agent} %if %{pam_ssh_agent}
@ -303,8 +296,6 @@ popd
%patch71 -p1 -b .edns %patch71 -p1 -b .edns
%patch73 -p1 -b .gsskex %patch73 -p1 -b .gsskex
%patch74 -p1 -b .randclean %patch74 -p1 -b .randclean
%patch76 -p1 -b .staterr
%patch77 -p1 -b .stderr
%patch78 -p1 -b .kuserok %patch78 -p1 -b .kuserok
%patch79 -p1 -b .x11 %patch79 -p1 -b .x11
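Review bot: `Patch2: openssh-5.3p1-skip-initial.patch` and its `%patch2 -p1 -b .skip-initial` line are dropped together with the `#https://bugzilla.mindrot.org/show_bug.cgi?id=1638` reference, but nothing in the visible hunks records why; if, as its name and that bug reference suggest, the patch gates the initial empty-password attempt of the "none" method on PermitEmptyPasswords, silently removing it re-enables an authentication probe unless openssh-5.6p1 itself carries an equivalent check on both the protocol-2 and protocol-1 paths (the Summary still advertises "SSH protocol versions 1 and 2"). The same question applies to Patch76 (staterr, bz#1740) and Patch77 (stderr, bz#1750), which are removed in the same way. Once that has been verified against the 5.6p1 sources, a one-line marker in the Patch list would preserve the reasoning, e.g. `# skip-initial (bz#1638), staterr (bz#1740), stderr (bz#1750): merged upstream in 5.6p1`. The %changelog section is outside this view, so it may already say this.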