Adding a mechanism to disable GSSAPIDelegateCredentials in sshd_config
Resolves: RHEL-5281
This commit is contained in:
Dmitry Belyavskiy
parent
40f5f26708
commit
2c179221a3
122
openssh-9.9p1-sshd-no-delegate-credentials.patch
Normal file
122
openssh-9.9p1-sshd-no-delegate-credentials.patch
Normal file
@ -0,0 +1,122 @@
|
||||
diff --git a/gss-serv.c b/gss-serv.c
|
||||
index 5c0491cf1..e2c501d0c 100644
|
||||
--- a/gss-serv.c
|
||||
+++ b/gss-serv.c
|
||||
@@ -509,6 +509,11 @@ ssh_gssapi_cleanup_creds(void)
|
||||
int
|
||||
ssh_gssapi_storecreds(void)
|
||||
{
|
||||
+ if (options.gss_deleg_creds == 0) {
|
||||
+ debug_f("delegate credential is disabled, doing nothing");
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
||||
return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||
} else
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index aab653244..02a9888c9 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->gss_authentication=-1;
|
||||
options->gss_keyex = -1;
|
||||
options->gss_cleanup_creds = -1;
|
||||
+ options->gss_deleg_creds = -1;
|
||||
options->gss_strict_acceptor = -1;
|
||||
options->gss_store_rekey = -1;
|
||||
options->gss_kex_algorithms = NULL;
|
||||
@@ -403,6 +404,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->gss_keyex = 0;
|
||||
if (options->gss_cleanup_creds == -1)
|
||||
options->gss_cleanup_creds = 1;
|
||||
+ if (options->gss_deleg_creds == -1)
|
||||
+ options->gss_deleg_creds = 1;
|
||||
if (options->gss_strict_acceptor == -1)
|
||||
options->gss_strict_acceptor = 1;
|
||||
if (options->gss_store_rekey == -1)
|
||||
@@ -598,7 +601,8 @@ typedef enum {
|
||||
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||
sPerSourcePenalties, sPerSourcePenaltyExemptList,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
- sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
+ sGssAuthentication, sGssCleanupCreds, sGssDelegateCreds,
|
||||
+ sGssEnablek5users, sGssStrictAcceptor,
|
||||
sGssKeyEx, sGssIndicators, sGssKexAlgorithms, sGssStoreRekey,
|
||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||
@@ -690,6 +694,7 @@ static struct {
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
+ { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
@@ -700,6 +705,7 @@ static struct {
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapidelegatecredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1713,6 +1719,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sGssDelegateCreds:
|
||||
+ intptr = &options->gss_deleg_creds;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sGssStrictAcceptor:
|
||||
intptr = &options->gss_strict_acceptor;
|
||||
goto parse_flag;
|
||||
@@ -3359,6 +3369,7 @@ dump_config(ServerOptions *o)
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||
+ dump_cfg_fmtint(sGssDelegateCreds, o->gss_deleg_creds);
|
||||
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
||||
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
||||
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 7c41df417..6bfdf6305 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -158,6 +158,7 @@ typedef struct {
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
+ int gss_deleg_creds; /* If true, accept delegated GSS credentials */
|
||||
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
||||
int gss_store_rekey;
|
||||
char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||
diff --git a/sshd_config.0 b/sshd_config.0
|
||||
index 49349bb30..e798f4df5 100644
|
||||
--- a/sshd_config.0
|
||||
+++ b/sshd_config.0
|
||||
@@ -453,6 +453,9 @@ DESCRIPTION
|
||||
Specifies whether to automatically destroy the user's credentials
|
||||
cache on logout. The default is yes.
|
||||
|
||||
+ GSSAPIDelegateCredentials
|
||||
+ Accept delegated credentials on the server side. The default is yes.
|
||||
+
|
||||
GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI
|
||||
acceptor a client authenticates against. If set to yes then the
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 90ab87edd..8c677bfd0 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -733,6 +733,9 @@ Specifies whether to automatically destroy the user's credentials cache
|
||||
on logout.
|
||||
The default is
|
||||
.Cm yes .
|
||||
+.It Cm GSSAPIDelegateCredentials
|
||||
+Accept delegated credentials on the server side. The default is
|
||||
+.CM yes .
|
||||
.It Cm GSSAPIEnablek5users
|
||||
Specifies whether to look at .k5users file for GSSAPI authentication
|
||||
access control. Further details are described in
|
||||
@ -43,7 +43,7 @@
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
Version: %{openssh_ver}
|
||||
Release: 17%{?dist}
|
||||
Release: 18%{?dist}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
@ -225,6 +225,7 @@ Patch1031: openssh-10.0-mlkem-nist.patch
|
||||
Patch1032: openssh-9.9p1-reject-cntrl-chars-in-username.patch
|
||||
# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
|
||||
Patch1033: openssh-9.9p1-reject-null-char-in-url-string.patch
|
||||
Patch1034: openssh-9.9p1-sshd-no-delegate-credentials.patch
|
||||
|
||||
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
|
||||
Requires: /sbin/nologin
|
||||
@ -423,6 +424,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
|
||||
%patch -P 1031 -p1 -b .mlkem-nist
|
||||
%patch -P 1032 -p1 -b .reject-cntrl-chars-in-username
|
||||
%patch -P 1033 -p1 -b .reject-null-char-in-url-string
|
||||
%patch -P 1034 -p1 -b .sshd-nogsscreds
|
||||
|
||||
%patch -P 100 -p1 -b .coverity
|
||||
|
||||
@ -703,6 +705,10 @@ test -f %{sysconfig_anaconda} && \
|
||||
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
|
||||
|
||||
%changelog
|
||||
* Fri Dec 05 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-18
|
||||
- Adding a mechanism to disable GSSAPIDelegateCredentials in sshd_config
|
||||
Resolves: RHEL-5281
|
||||
|
||||
* Fri Dec 05 2025 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-17
|
||||
- CVE-2025-61984: Reject usernames with control characters
|
||||
Resolves: RHEL-128399
|
||||
|
||||
Loading…
Reference in New Issue
Block a user