reformat several patches after openssh-6.1p1-authenticationmethods.patch
This commit is contained in:
parent
bffd1c2234
commit
5039c7c85d
@ -1,110 +1,6 @@
|
|||||||
diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
|
|
||||||
--- openssh-6.1p1/auth.c.akc 2012-11-02 14:00:49.181077248 +0100
|
|
||||||
+++ openssh-6.1p1/auth.c 2012-11-02 14:00:49.253077860 +0100
|
|
||||||
@@ -413,39 +413,41 @@ check_key_in_hostfiles(struct passwd *pw
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * Check a given file for security. This is defined as all components
|
|
||||||
+ * Check a given path for security. This is defined as all components
|
|
||||||
* of the path to the file must be owned by either the owner of
|
|
||||||
* of the file or root and no directories must be group or world writable.
|
|
||||||
*
|
|
||||||
* XXX Should any specific check be done for sym links ?
|
|
||||||
*
|
|
||||||
- * Takes an open file descriptor, the file name, a uid and and
|
|
||||||
+ * Takes an the file name, its stat information (preferably from fstat() to
|
|
||||||
+ * avoid races), the uid of the expected owner, their home directory and an
|
|
||||||
* error buffer plus max size as arguments.
|
|
||||||
*
|
|
||||||
* Returns 0 on success and -1 on failure
|
|
||||||
*/
|
|
||||||
-static int
|
|
||||||
-secure_filename(FILE *f, const char *file, struct passwd *pw,
|
|
||||||
- char *err, size_t errlen)
|
|
||||||
+int
|
|
||||||
+auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
|
|
||||||
+ uid_t uid, char *err, size_t errlen)
|
|
||||||
{
|
|
||||||
- uid_t uid = pw->pw_uid;
|
|
||||||
char buf[MAXPATHLEN], homedir[MAXPATHLEN];
|
|
||||||
char *cp;
|
|
||||||
int comparehome = 0;
|
|
||||||
struct stat st;
|
|
||||||
|
|
||||||
- if (realpath(file, buf) == NULL) {
|
|
||||||
- snprintf(err, errlen, "realpath %s failed: %s", file,
|
|
||||||
+ if (realpath(name, buf) == NULL) {
|
|
||||||
+ snprintf(err, errlen, "realpath %s failed: %s", name,
|
|
||||||
strerror(errno));
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- if (realpath(pw->pw_dir, homedir) != NULL)
|
|
||||||
+ if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
|
|
||||||
comparehome = 1;
|
|
||||||
|
|
||||||
- /* check the open file to avoid races */
|
|
||||||
- if (fstat(fileno(f), &st) < 0 ||
|
|
||||||
- (st.st_uid != 0 && st.st_uid != uid) ||
|
|
||||||
- (st.st_mode & 022) != 0) {
|
|
||||||
+ if (!S_ISREG(stp->st_mode)) {
|
|
||||||
+ snprintf(err, errlen, "%s is not a regular file", buf);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ if ((stp->st_uid != 0 && stp->st_uid != uid) ||
|
|
||||||
+ (stp->st_mode & 022) != 0) {
|
|
||||||
snprintf(err, errlen, "bad ownership or modes for file %s",
|
|
||||||
buf);
|
|
||||||
return -1;
|
|
||||||
@@ -481,6 +483,31 @@ secure_filename(FILE *f, const char *fil
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Version of secure_path() that accepts an open file descriptor to
|
|
||||||
+ * avoid races.
|
|
||||||
+ *
|
|
||||||
+ * Returns 0 on success and -1 on failure
|
|
||||||
+ */
|
|
||||||
+static int
|
|
||||||
+secure_filename(FILE *f, const char *file, struct passwd *pw,
|
|
||||||
+ char *err, size_t errlen)
|
|
||||||
+{
|
|
||||||
+ uid_t uid = pw->pw_uid;
|
|
||||||
+ char buf[MAXPATHLEN], homedir[MAXPATHLEN];
|
|
||||||
+ char *cp;
|
|
||||||
+ int comparehome = 0;
|
|
||||||
+ struct stat st;
|
|
||||||
+
|
|
||||||
+ /* check the open file to avoid races */
|
|
||||||
+ if (fstat(fileno(f), &st) < 0) {
|
|
||||||
+ snprintf(err, errlen, "cannot stat file %s: %s",
|
|
||||||
+ buf, strerror(errno));
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static FILE *
|
|
||||||
auth_openfile(const char *file, struct passwd *pw, int strict_modes,
|
|
||||||
int log_missing, char *file_type)
|
|
||||||
diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h
|
|
||||||
--- openssh-6.1p1/auth.h.akc 2012-11-02 14:00:49.239077742 +0100
|
|
||||||
+++ openssh-6.1p1/auth.h 2012-11-02 14:00:49.253077860 +0100
|
|
||||||
@@ -123,6 +123,10 @@ int auth_rhosts_rsa_key_allowed(struct
|
|
||||||
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
|
|
||||||
int user_key_allowed(struct passwd *, Key *);
|
|
||||||
|
|
||||||
+struct stat;
|
|
||||||
+int auth_secure_path(const char *, struct stat *, const char *, uid_t,
|
|
||||||
+ char *, size_t);
|
|
||||||
+
|
|
||||||
#ifdef KRB5
|
|
||||||
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
|
||||||
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
|
||||||
diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
||||||
--- openssh-6.1p1/auth2-pubkey.c.akc 2012-11-02 14:00:49.241077758 +0100
|
--- openssh-6.1p1/auth2-pubkey.c.akc 2012-11-28 17:12:43.238524384 +0100
|
||||||
+++ openssh-6.1p1/auth2-pubkey.c 2012-11-02 14:00:49.252077852 +0100
|
+++ openssh-6.1p1/auth2-pubkey.c 2012-11-28 17:12:43.263524297 +0100
|
||||||
@@ -27,9 +27,13 @@
|
@@ -27,9 +27,13 @@
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -361,10 +257,114 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||||||
for (i = 0; !success && i < options.num_authkeys_files; i++) {
|
for (i = 0; !success && i < options.num_authkeys_files; i++) {
|
||||||
file = expand_authorized_keys(
|
file = expand_authorized_keys(
|
||||||
options.authorized_keys_files[i], pw);
|
options.authorized_keys_files[i], pw);
|
||||||
|
diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
|
||||||
|
--- openssh-6.1p1/auth.c.akc 2012-11-28 17:12:43.187524558 +0100
|
||||||
|
+++ openssh-6.1p1/auth.c 2012-11-28 17:12:43.263524297 +0100
|
||||||
|
@@ -411,39 +411,41 @@ check_key_in_hostfiles(struct passwd *pw
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * Check a given file for security. This is defined as all components
|
||||||
|
+ * Check a given path for security. This is defined as all components
|
||||||
|
* of the path to the file must be owned by either the owner of
|
||||||
|
* of the file or root and no directories must be group or world writable.
|
||||||
|
*
|
||||||
|
* XXX Should any specific check be done for sym links ?
|
||||||
|
*
|
||||||
|
- * Takes an open file descriptor, the file name, a uid and and
|
||||||
|
+ * Takes an the file name, its stat information (preferably from fstat() to
|
||||||
|
+ * avoid races), the uid of the expected owner, their home directory and an
|
||||||
|
* error buffer plus max size as arguments.
|
||||||
|
*
|
||||||
|
* Returns 0 on success and -1 on failure
|
||||||
|
*/
|
||||||
|
-static int
|
||||||
|
-secure_filename(FILE *f, const char *file, struct passwd *pw,
|
||||||
|
- char *err, size_t errlen)
|
||||||
|
+int
|
||||||
|
+auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
|
||||||
|
+ uid_t uid, char *err, size_t errlen)
|
||||||
|
{
|
||||||
|
- uid_t uid = pw->pw_uid;
|
||||||
|
char buf[MAXPATHLEN], homedir[MAXPATHLEN];
|
||||||
|
char *cp;
|
||||||
|
int comparehome = 0;
|
||||||
|
struct stat st;
|
||||||
|
|
||||||
|
- if (realpath(file, buf) == NULL) {
|
||||||
|
- snprintf(err, errlen, "realpath %s failed: %s", file,
|
||||||
|
+ if (realpath(name, buf) == NULL) {
|
||||||
|
+ snprintf(err, errlen, "realpath %s failed: %s", name,
|
||||||
|
strerror(errno));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
- if (realpath(pw->pw_dir, homedir) != NULL)
|
||||||
|
+ if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
|
||||||
|
comparehome = 1;
|
||||||
|
|
||||||
|
- /* check the open file to avoid races */
|
||||||
|
- if (fstat(fileno(f), &st) < 0 ||
|
||||||
|
- (st.st_uid != 0 && st.st_uid != uid) ||
|
||||||
|
- (st.st_mode & 022) != 0) {
|
||||||
|
+ if (!S_ISREG(stp->st_mode)) {
|
||||||
|
+ snprintf(err, errlen, "%s is not a regular file", buf);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ if ((stp->st_uid != 0 && stp->st_uid != uid) ||
|
||||||
|
+ (stp->st_mode & 022) != 0) {
|
||||||
|
snprintf(err, errlen, "bad ownership or modes for file %s",
|
||||||
|
buf);
|
||||||
|
return -1;
|
||||||
|
@@ -479,6 +481,31 @@ secure_filename(FILE *f, const char *fil
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Version of secure_path() that accepts an open file descriptor to
|
||||||
|
+ * avoid races.
|
||||||
|
+ *
|
||||||
|
+ * Returns 0 on success and -1 on failure
|
||||||
|
+ */
|
||||||
|
+static int
|
||||||
|
+secure_filename(FILE *f, const char *file, struct passwd *pw,
|
||||||
|
+ char *err, size_t errlen)
|
||||||
|
+{
|
||||||
|
+ uid_t uid = pw->pw_uid;
|
||||||
|
+ char buf[MAXPATHLEN], homedir[MAXPATHLEN];
|
||||||
|
+ char *cp;
|
||||||
|
+ int comparehome = 0;
|
||||||
|
+ struct stat st;
|
||||||
|
+
|
||||||
|
+ /* check the open file to avoid races */
|
||||||
|
+ if (fstat(fileno(f), &st) < 0) {
|
||||||
|
+ snprintf(err, errlen, "cannot stat file %s: %s",
|
||||||
|
+ buf, strerror(errno));
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static FILE *
|
||||||
|
auth_openfile(const char *file, struct passwd *pw, int strict_modes,
|
||||||
|
int log_missing, char *file_type)
|
||||||
|
diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h
|
||||||
|
--- openssh-6.1p1/auth.h.akc 2012-11-28 17:12:43.239524381 +0100
|
||||||
|
+++ openssh-6.1p1/auth.h 2012-11-28 17:12:43.263524297 +0100
|
||||||
|
@@ -125,6 +125,10 @@ int auth_rhosts_rsa_key_allowed(struct
|
||||||
|
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
|
||||||
|
int user_key_allowed(struct passwd *, Key *);
|
||||||
|
|
||||||
|
+struct stat;
|
||||||
|
+int auth_secure_path(const char *, struct stat *, const char *, uid_t,
|
||||||
|
+ char *, size_t);
|
||||||
|
+
|
||||||
|
#ifdef KRB5
|
||||||
|
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
||||||
|
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
||||||
diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
||||||
--- openssh-6.1p1/servconf.c.akc 2012-11-02 14:00:49.186077290 +0100
|
--- openssh-6.1p1/servconf.c.akc 2012-11-28 17:12:43.198524521 +0100
|
||||||
+++ openssh-6.1p1/servconf.c 2012-11-02 14:26:32.086138017 +0100
|
+++ openssh-6.1p1/servconf.c 2012-11-28 17:14:50.314005026 +0100
|
||||||
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
|
@@ -137,6 +137,8 @@ initialize_server_options(ServerOptions
|
||||||
options->num_permitted_opens = -1;
|
options->num_permitted_opens = -1;
|
||||||
options->adm_forced_command = NULL;
|
options->adm_forced_command = NULL;
|
||||||
options->chroot_directory = NULL;
|
options->chroot_directory = NULL;
|
||||||
@ -373,25 +373,25 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
|||||||
options->zero_knowledge_password_authentication = -1;
|
options->zero_knowledge_password_authentication = -1;
|
||||||
options->revoked_keys_file = NULL;
|
options->revoked_keys_file = NULL;
|
||||||
options->trusted_user_ca_keys = NULL;
|
options->trusted_user_ca_keys = NULL;
|
||||||
@@ -334,6 +336,7 @@ typedef enum {
|
@@ -331,6 +333,7 @@ typedef enum {
|
||||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||||
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
||||||
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||||
|
sAuthenticationMethods,
|
||||||
sDeprecated, sUnsupported
|
sDeprecated, sUnsupported
|
||||||
} ServerOpCodes;
|
} ServerOpCodes;
|
||||||
|
@@ -457,6 +460,9 @@ static struct {
|
||||||
@@ -460,6 +463,9 @@ static struct {
|
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||||
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
|
|
||||||
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
|
|
||||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||||
|
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||||
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||||
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||||
+ { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
+ { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
|
||||||
{ NULL, sBadOption, 0 }
|
{ NULL, sBadOption, 0 }
|
||||||
};
|
};
|
||||||
@@ -1532,6 +1538,26 @@ process_server_config_line(ServerOptions
|
@@ -1520,6 +1526,26 @@ process_server_config_line(ServerOptions
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
@ -418,7 +418,7 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
|||||||
case sDeprecated:
|
case sDeprecated:
|
||||||
logit("%s line %d: Deprecated option %s",
|
logit("%s line %d: Deprecated option %s",
|
||||||
filename, linenum, arg);
|
filename, linenum, arg);
|
||||||
@@ -1682,6 +1708,8 @@ copy_set_server_options(ServerOptions *d
|
@@ -1670,6 +1696,8 @@ copy_set_server_options(ServerOptions *d
|
||||||
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
|
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
|
||||||
M_CP_INTOPT(kbd_interactive_authentication);
|
M_CP_INTOPT(kbd_interactive_authentication);
|
||||||
M_CP_INTOPT(zero_knowledge_password_authentication);
|
M_CP_INTOPT(zero_knowledge_password_authentication);
|
||||||
@ -427,7 +427,7 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
|||||||
M_CP_INTOPT(permit_root_login);
|
M_CP_INTOPT(permit_root_login);
|
||||||
M_CP_INTOPT(permit_empty_passwd);
|
M_CP_INTOPT(permit_empty_passwd);
|
||||||
|
|
||||||
@@ -1942,6 +1970,8 @@ dump_config(ServerOptions *o)
|
@@ -1930,6 +1958,8 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_string(sAuthorizedPrincipalsFile,
|
dump_cfg_string(sAuthorizedPrincipalsFile,
|
||||||
o->authorized_principals_file);
|
o->authorized_principals_file);
|
||||||
dump_cfg_string(sVersionAddendum, o->version_addendum);
|
dump_cfg_string(sVersionAddendum, o->version_addendum);
|
||||||
@ -437,9 +437,9 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
|||||||
/* string arguments requiring a lookup */
|
/* string arguments requiring a lookup */
|
||||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||||
diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
|
diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
|
||||||
--- openssh-6.1p1/servconf.h.akc 2012-11-02 14:00:49.186077290 +0100
|
--- openssh-6.1p1/servconf.h.akc 2012-11-28 17:12:43.000000000 +0100
|
||||||
+++ openssh-6.1p1/servconf.h 2012-11-02 14:00:49.254077869 +0100
|
+++ openssh-6.1p1/servconf.h 2012-11-28 17:18:41.217055157 +0100
|
||||||
@@ -169,6 +169,8 @@ typedef struct {
|
@@ -167,6 +167,8 @@ typedef struct {
|
||||||
char *revoked_keys_file;
|
char *revoked_keys_file;
|
||||||
char *trusted_user_ca_keys;
|
char *trusted_user_ca_keys;
|
||||||
char *authorized_principals_file;
|
char *authorized_principals_file;
|
||||||
@ -447,10 +447,10 @@ diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
|
|||||||
+ char *authorized_keys_command_user;
|
+ char *authorized_keys_command_user;
|
||||||
|
|
||||||
char *version_addendum; /* Appended to SSH banner */
|
char *version_addendum; /* Appended to SSH banner */
|
||||||
} ServerOptions;
|
|
||||||
diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
|
diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
|
||||||
--- openssh-6.1p1/sshd.c.akc 2012-11-02 14:00:49.249077826 +0100
|
--- openssh-6.1p1/sshd.c.akc 2012-11-28 17:12:43.245524360 +0100
|
||||||
+++ openssh-6.1p1/sshd.c 2012-11-02 14:00:49.254077869 +0100
|
+++ openssh-6.1p1/sshd.c 2012-11-28 17:12:43.265524291 +0100
|
||||||
@@ -366,9 +366,20 @@ main_sigchld_handler(int sig)
|
@@ -366,9 +366,20 @@ main_sigchld_handler(int sig)
|
||||||
static void
|
static void
|
||||||
grace_alarm_handler(int sig)
|
grace_alarm_handler(int sig)
|
||||||
@ -472,22 +472,9 @@ diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
|
|||||||
/* Log error and exit. */
|
/* Log error and exit. */
|
||||||
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
|
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
|
||||||
}
|
}
|
||||||
diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
|
|
||||||
--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
|
|
||||||
+++ openssh-6.1p1/sshd_config 2012-11-02 14:00:49.255077878 +0100
|
|
||||||
@@ -49,6 +49,9 @@
|
|
||||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
|
||||||
AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
|
|
||||||
+#AuthorizedKeysCommand none
|
|
||||||
+#AuthorizedKeysCommandUser nobody
|
|
||||||
+
|
|
||||||
#AuthorizedPrincipalsFile none
|
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
|
||||||
diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
|
diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
|
||||||
--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
|
--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
|
||||||
+++ openssh-6.1p1/sshd_config.0 2012-11-02 14:00:49.255077878 +0100
|
+++ openssh-6.1p1/sshd_config.0 2012-11-28 17:12:43.265524291 +0100
|
||||||
@@ -71,6 +71,23 @@ DESCRIPTION
|
@@ -71,6 +71,23 @@ DESCRIPTION
|
||||||
|
|
||||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||||
@ -523,12 +510,12 @@ diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
|
|||||||
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
|
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
|
||||||
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
||||||
diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
|
diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
|
||||||
--- openssh-6.1p1/sshd_config.5.akc 2012-11-02 14:00:49.187077299 +0100
|
--- openssh-6.1p1/sshd_config.5.akc 2012-11-28 17:12:43.199524517 +0100
|
||||||
+++ openssh-6.1p1/sshd_config.5 2012-11-02 14:00:49.255077878 +0100
|
+++ openssh-6.1p1/sshd_config.5 2012-11-28 17:16:23.736624980 +0100
|
||||||
@@ -151,6 +151,20 @@ See
|
@@ -173,6 +173,20 @@ Note that each authentication method lis
|
||||||
in
|
in the configuration.
|
||||||
.Xr ssh_config 5
|
The default is not to require multiple authentication; successful completion
|
||||||
for more information on patterns.
|
of a single authentication method is sufficient.
|
||||||
+.It Cm AuthorizedKeysCommand
|
+.It Cm AuthorizedKeysCommand
|
||||||
+Specifies a program to be used for lookup of the user's public keys.
|
+Specifies a program to be used for lookup of the user's public keys.
|
||||||
+The program will be invoked with a single argument of the username
|
+The program will be invoked with a single argument of the username
|
||||||
@ -546,16 +533,16 @@ diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
|
|||||||
.It Cm AuthorizedKeysFile
|
.It Cm AuthorizedKeysFile
|
||||||
Specifies the file that contains the public keys that can be used
|
Specifies the file that contains the public keys that can be used
|
||||||
for user authentication.
|
for user authentication.
|
||||||
@@ -712,6 +726,8 @@ Available keywords are
|
@@ -734,6 +748,8 @@ Available keywords are
|
||||||
.Cm AllowTcpForwarding ,
|
.Cm AllowTcpForwarding ,
|
||||||
.Cm AllowUsers ,
|
.Cm AllowUsers ,
|
||||||
.Cm AuthorizedKeysFile ,
|
.Cm AuthenticationMethods ,
|
||||||
+.Cm AuthorizedKeysCommand ,
|
+.Cm AuthorizedKeysCommand ,
|
||||||
+.Cm AuthorizedKeysCommandUser ,
|
+.Cm AuthorizedKeysCommandUser ,
|
||||||
|
.Cm AuthorizedKeysFile ,
|
||||||
.Cm AuthorizedPrincipalsFile ,
|
.Cm AuthorizedPrincipalsFile ,
|
||||||
.Cm Banner ,
|
.Cm Banner ,
|
||||||
.Cm ChrootDirectory ,
|
@@ -749,6 +765,7 @@ Available keywords are
|
||||||
@@ -726,6 +742,7 @@ Available keywords are
|
|
||||||
.Cm KerberosAuthentication ,
|
.Cm KerberosAuthentication ,
|
||||||
.Cm MaxAuthTries ,
|
.Cm MaxAuthTries ,
|
||||||
.Cm MaxSessions ,
|
.Cm MaxSessions ,
|
||||||
@ -563,3 +550,16 @@ diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
|
|||||||
.Cm PasswordAuthentication ,
|
.Cm PasswordAuthentication ,
|
||||||
.Cm PermitEmptyPasswords ,
|
.Cm PermitEmptyPasswords ,
|
||||||
.Cm PermitOpen ,
|
.Cm PermitOpen ,
|
||||||
|
diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
|
||||||
|
--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
|
||||||
|
+++ openssh-6.1p1/sshd_config 2012-11-28 17:12:43.265524291 +0100
|
||||||
|
@@ -49,6 +49,9 @@
|
||||||
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
|
+#AuthorizedKeysCommand none
|
||||||
|
+#AuthorizedKeysCommandUser nobody
|
||||||
|
+
|
||||||
|
#AuthorizedPrincipalsFile none
|
||||||
|
|
||||||
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-6.0p1/audit-bsm.c.audit4 openssh-6.0p1/audit-bsm.c
|
diff -up openssh-6.1p1/audit-bsm.c.audit4 openssh-6.1p1/audit-bsm.c
|
||||||
--- openssh-6.0p1/audit-bsm.c.audit4 2012-08-06 20:35:56.306789054 +0200
|
--- openssh-6.1p1/audit-bsm.c.audit4 2012-11-28 14:20:38.990185823 +0100
|
||||||
+++ openssh-6.0p1/audit-bsm.c 2012-08-06 20:35:56.314789022 +0200
|
+++ openssh-6.1p1/audit-bsm.c 2012-11-28 14:20:38.995185800 +0100
|
||||||
@@ -485,4 +485,10 @@ audit_kex_body(int ctos, char *enc, char
|
@@ -485,4 +485,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||||
{
|
{
|
||||||
/* not implemented */
|
/* not implemented */
|
||||||
@ -12,9 +12,9 @@ diff -up openssh-6.0p1/audit-bsm.c.audit4 openssh-6.0p1/audit-bsm.c
|
|||||||
+ /* not implemented */
|
+ /* not implemented */
|
||||||
+}
|
+}
|
||||||
#endif /* BSM */
|
#endif /* BSM */
|
||||||
diff -up openssh-6.0p1/audit.c.audit4 openssh-6.0p1/audit.c
|
diff -up openssh-6.1p1/audit.c.audit4 openssh-6.1p1/audit.c
|
||||||
--- openssh-6.0p1/audit.c.audit4 2012-08-06 20:35:56.307789050 +0200
|
--- openssh-6.1p1/audit.c.audit4 2012-11-28 14:20:38.990185823 +0100
|
||||||
+++ openssh-6.0p1/audit.c 2012-08-06 20:35:56.315789018 +0200
|
+++ openssh-6.1p1/audit.c 2012-11-28 14:20:38.995185800 +0100
|
||||||
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||||
}
|
}
|
||||||
@ -44,9 +44,9 @@ diff -up openssh-6.0p1/audit.c.audit4 openssh-6.0p1/audit.c
|
|||||||
+}
|
+}
|
||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-6.0p1/audit.h.audit4 openssh-6.0p1/audit.h
|
diff -up openssh-6.1p1/audit.h.audit4 openssh-6.1p1/audit.h
|
||||||
--- openssh-6.0p1/audit.h.audit4 2012-08-06 20:35:56.308789046 +0200
|
--- openssh-6.1p1/audit.h.audit4 2012-11-28 14:20:38.990185823 +0100
|
||||||
+++ openssh-6.0p1/audit.h 2012-08-06 20:35:56.315789018 +0200
|
+++ openssh-6.1p1/audit.h 2012-11-28 14:20:38.995185800 +0100
|
||||||
@@ -62,5 +62,7 @@ void audit_unsupported(int);
|
@@ -62,5 +62,7 @@ void audit_unsupported(int);
|
||||||
void audit_kex(int, char *, char *, char *);
|
void audit_kex(int, char *, char *, char *);
|
||||||
void audit_unsupported_body(int);
|
void audit_unsupported_body(int);
|
||||||
@ -55,9 +55,9 @@ diff -up openssh-6.0p1/audit.h.audit4 openssh-6.0p1/audit.h
|
|||||||
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-6.0p1/audit-linux.c.audit4 openssh-6.0p1/audit-linux.c
|
diff -up openssh-6.1p1/audit-linux.c.audit4 openssh-6.1p1/audit-linux.c
|
||||||
--- openssh-6.0p1/audit-linux.c.audit4 2012-08-06 20:35:56.307789050 +0200
|
--- openssh-6.1p1/audit-linux.c.audit4 2012-11-28 14:20:38.990185823 +0100
|
||||||
+++ openssh-6.0p1/audit-linux.c 2012-08-06 20:35:56.315789018 +0200
|
+++ openssh-6.1p1/audit-linux.c 2012-11-28 14:20:38.995185800 +0100
|
||||||
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
|
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@ -108,9 +108,9 @@ diff -up openssh-6.0p1/audit-linux.c.audit4 openssh-6.0p1/audit-linux.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
#endif /* USE_LINUX_AUDIT */
|
#endif /* USE_LINUX_AUDIT */
|
||||||
diff -up openssh-6.0p1/auditstub.c.audit4 openssh-6.0p1/auditstub.c
|
diff -up openssh-6.1p1/auditstub.c.audit4 openssh-6.1p1/auditstub.c
|
||||||
--- openssh-6.0p1/auditstub.c.audit4 2012-08-06 20:35:56.308789046 +0200
|
--- openssh-6.1p1/auditstub.c.audit4 2012-11-28 14:20:38.990185823 +0100
|
||||||
+++ openssh-6.0p1/auditstub.c 2012-08-06 20:35:56.316789015 +0200
|
+++ openssh-6.1p1/auditstub.c 2012-11-28 14:20:38.995185800 +0100
|
||||||
@@ -27,6 +27,8 @@
|
@@ -27,6 +27,8 @@
|
||||||
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
||||||
*/
|
*/
|
||||||
@ -133,9 +133,9 @@ diff -up openssh-6.0p1/auditstub.c.audit4 openssh-6.0p1/auditstub.c
|
|||||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||||
+{
|
+{
|
||||||
+}
|
+}
|
||||||
diff -up openssh-6.0p1/kex.c.audit4 openssh-6.0p1/kex.c
|
diff -up openssh-6.1p1/kex.c.audit4 openssh-6.1p1/kex.c
|
||||||
--- openssh-6.0p1/kex.c.audit4 2012-08-06 20:35:56.309789042 +0200
|
--- openssh-6.1p1/kex.c.audit4 2012-11-28 14:20:38.991185818 +0100
|
||||||
+++ openssh-6.0p1/kex.c 2012-08-06 20:35:56.317789011 +0200
|
+++ openssh-6.1p1/kex.c 2012-11-28 14:20:38.995185800 +0100
|
||||||
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||||
fprintf(stderr, "\n");
|
fprintf(stderr, "\n");
|
||||||
}
|
}
|
||||||
@ -171,9 +171,9 @@ diff -up openssh-6.0p1/kex.c.audit4 openssh-6.0p1/kex.c
|
|||||||
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
diff -up openssh-6.0p1/kex.h.audit4 openssh-6.0p1/kex.h
|
diff -up openssh-6.1p1/kex.h.audit4 openssh-6.1p1/kex.h
|
||||||
--- openssh-6.0p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
--- openssh-6.1p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
||||||
+++ openssh-6.0p1/kex.h 2012-08-06 20:35:56.317789011 +0200
|
+++ openssh-6.1p1/kex.h 2012-11-28 14:20:38.996185795 +0100
|
||||||
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
||||||
void kexecdh_client(Kex *);
|
void kexecdh_client(Kex *);
|
||||||
void kexecdh_server(Kex *);
|
void kexecdh_server(Kex *);
|
||||||
@ -183,10 +183,10 @@ diff -up openssh-6.0p1/kex.h.audit4 openssh-6.0p1/kex.h
|
|||||||
void
|
void
|
||||||
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
||||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||||
diff -up openssh-6.0p1/mac.c.audit4 openssh-6.0p1/mac.c
|
diff -up openssh-6.1p1/mac.c.audit4 openssh-6.1p1/mac.c
|
||||||
--- openssh-6.0p1/mac.c.audit4 2012-01-17 04:03:38.000000000 +0100
|
--- openssh-6.1p1/mac.c.audit4 2012-06-30 00:34:59.000000000 +0200
|
||||||
+++ openssh-6.0p1/mac.c 2012-08-06 20:35:56.318789007 +0200
|
+++ openssh-6.1p1/mac.c 2012-11-28 14:20:38.996185795 +0100
|
||||||
@@ -171,6 +171,20 @@ mac_clear(Mac *mac)
|
@@ -169,6 +169,20 @@ mac_clear(Mac *mac)
|
||||||
mac->umac_ctx = NULL;
|
mac->umac_ctx = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -207,17 +207,17 @@ diff -up openssh-6.0p1/mac.c.audit4 openssh-6.0p1/mac.c
|
|||||||
/* XXX copied from ciphers_valid */
|
/* XXX copied from ciphers_valid */
|
||||||
#define MAC_SEP ","
|
#define MAC_SEP ","
|
||||||
int
|
int
|
||||||
diff -up openssh-6.0p1/mac.h.audit4 openssh-6.0p1/mac.h
|
diff -up openssh-6.1p1/mac.h.audit4 openssh-6.1p1/mac.h
|
||||||
--- openssh-6.0p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
--- openssh-6.1p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
||||||
+++ openssh-6.0p1/mac.h 2012-08-06 20:35:56.318789007 +0200
|
+++ openssh-6.1p1/mac.h 2012-11-28 14:20:38.996185795 +0100
|
||||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||||
int mac_init(Mac *);
|
int mac_init(Mac *);
|
||||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||||
void mac_clear(Mac *);
|
void mac_clear(Mac *);
|
||||||
+void mac_destroy(Mac *);
|
+void mac_destroy(Mac *);
|
||||||
diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
|
||||||
--- openssh-6.0p1/monitor.c.audit4 2012-08-06 20:35:56.310789038 +0200
|
--- openssh-6.1p1/monitor.c.audit4 2012-11-28 14:20:38.992185813 +0100
|
||||||
+++ openssh-6.0p1/monitor.c 2012-08-06 20:35:56.319789003 +0200
|
+++ openssh-6.1p1/monitor.c 2012-11-28 17:02:17.677045093 +0100
|
||||||
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
|
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
|
||||||
int mm_answer_audit_end_command(int, Buffer *);
|
int mm_answer_audit_end_command(int, Buffer *);
|
||||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||||
@ -226,7 +226,7 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int monitor_read_log(struct monitor *);
|
static int monitor_read_log(struct monitor *);
|
||||||
@@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -241,6 +242,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -234,7 +234,7 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||||
@@ -281,6 +283,7 @@ struct mon_table mon_dispatch_postauth20
|
@@ -280,6 +282,7 @@ struct mon_table mon_dispatch_postauth20
|
||||||
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -242,7 +242,7 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[]
|
@@ -313,6 +316,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -250,7 +250,7 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -328,6 +332,7 @@ struct mon_table mon_dispatch_postauth15
|
@@ -327,6 +331,7 @@ struct mon_table mon_dispatch_postauth15
|
||||||
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -258,8 +258,8 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -449,10 +454,6 @@ monitor_child_preauth(Authctxt *_authctx
|
@@ -448,10 +453,6 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
authenticated = 0;
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
- /* Drain any buffered messages from the child */
|
- /* Drain any buffered messages from the child */
|
||||||
@ -269,7 +269,7 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
if (!authctxt->valid)
|
if (!authctxt->valid)
|
||||||
fatal("%s: authenticated invalid user", __func__);
|
fatal("%s: authenticated invalid user", __func__);
|
||||||
if (strcmp(auth_method, "unknown") == 0)
|
if (strcmp(auth_method, "unknown") == 0)
|
||||||
@@ -1953,11 +1954,13 @@ mm_get_keystate(struct monitor *pmonitor
|
@@ -1950,11 +1951,13 @@ mm_get_keystate(struct monitor *pmonitor
|
||||||
|
|
||||||
blob = buffer_get_string(&m, &bloblen);
|
blob = buffer_get_string(&m, &bloblen);
|
||||||
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
||||||
@ -283,7 +283,7 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
xfree(blob);
|
xfree(blob);
|
||||||
|
|
||||||
/* Now get sequence numbers for the packets */
|
/* Now get sequence numbers for the packets */
|
||||||
@@ -2003,6 +2006,21 @@ mm_get_keystate(struct monitor *pmonitor
|
@@ -2000,6 +2003,21 @@ mm_get_keystate(struct monitor *pmonitor
|
||||||
}
|
}
|
||||||
|
|
||||||
buffer_free(&m);
|
buffer_free(&m);
|
||||||
@ -305,7 +305,7 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -2449,4 +2467,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
@@ -2444,4 +2462,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -328,9 +328,9 @@ diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
|
|||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-6.0p1/monitor.h.audit4 openssh-6.0p1/monitor.h
|
diff -up openssh-6.1p1/monitor.h.audit4 openssh-6.1p1/monitor.h
|
||||||
--- openssh-6.0p1/monitor.h.audit4 2012-08-06 20:35:56.310789038 +0200
|
--- openssh-6.1p1/monitor.h.audit4 2012-11-28 14:20:38.992185813 +0100
|
||||||
+++ openssh-6.0p1/monitor.h 2012-08-06 20:35:56.319789003 +0200
|
+++ openssh-6.1p1/monitor.h 2012-11-28 14:20:38.997185790 +0100
|
||||||
@@ -63,6 +63,7 @@ enum monitor_reqtype {
|
@@ -63,6 +63,7 @@ enum monitor_reqtype {
|
||||||
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
|
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
|
||||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||||
@ -339,9 +339,9 @@ diff -up openssh-6.0p1/monitor.h.audit4 openssh-6.0p1/monitor.h
|
|||||||
MONITOR_REQ_TERM,
|
MONITOR_REQ_TERM,
|
||||||
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
||||||
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
||||||
diff -up openssh-6.0p1/monitor_wrap.c.audit4 openssh-6.0p1/monitor_wrap.c
|
diff -up openssh-6.1p1/monitor_wrap.c.audit4 openssh-6.1p1/monitor_wrap.c
|
||||||
--- openssh-6.0p1/monitor_wrap.c.audit4 2012-08-06 20:35:56.311789034 +0200
|
--- openssh-6.1p1/monitor_wrap.c.audit4 2012-11-28 14:20:38.992185813 +0100
|
||||||
+++ openssh-6.0p1/monitor_wrap.c 2012-08-06 20:35:56.320788999 +0200
|
+++ openssh-6.1p1/monitor_wrap.c 2012-11-28 14:20:38.997185790 +0100
|
||||||
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
|
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
|
||||||
fatal("%s: conversion of newkeys failed", __func__);
|
fatal("%s: conversion of newkeys failed", __func__);
|
||||||
|
|
||||||
@ -377,9 +377,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.audit4 openssh-6.0p1/monitor_wrap.c
|
|||||||
+ buffer_free(&m);
|
+ buffer_free(&m);
|
||||||
+}
|
+}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-6.0p1/monitor_wrap.h.audit4 openssh-6.0p1/monitor_wrap.h
|
diff -up openssh-6.1p1/monitor_wrap.h.audit4 openssh-6.1p1/monitor_wrap.h
|
||||||
--- openssh-6.0p1/monitor_wrap.h.audit4 2012-08-06 20:35:56.311789034 +0200
|
--- openssh-6.1p1/monitor_wrap.h.audit4 2012-11-28 14:20:38.992185813 +0100
|
||||||
+++ openssh-6.0p1/monitor_wrap.h 2012-08-06 20:35:56.320788999 +0200
|
+++ openssh-6.1p1/monitor_wrap.h 2012-11-28 14:20:38.997185790 +0100
|
||||||
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
|
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
|
||||||
void mm_audit_end_command(int, const char *);
|
void mm_audit_end_command(int, const char *);
|
||||||
void mm_audit_unsupported_body(int);
|
void mm_audit_unsupported_body(int);
|
||||||
@ -388,9 +388,9 @@ diff -up openssh-6.0p1/monitor_wrap.h.audit4 openssh-6.0p1/monitor_wrap.h
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
struct Session;
|
struct Session;
|
||||||
diff -up openssh-6.0p1/packet.c.audit4 openssh-6.0p1/packet.c
|
diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c
|
||||||
--- openssh-6.0p1/packet.c.audit4 2012-08-06 20:35:56.282789147 +0200
|
--- openssh-6.1p1/packet.c.audit4 2012-11-28 14:20:38.973185902 +0100
|
||||||
+++ openssh-6.0p1/packet.c 2012-08-06 20:35:56.321788995 +0200
|
+++ openssh-6.1p1/packet.c 2012-11-28 14:20:38.998185785 +0100
|
||||||
@@ -60,6 +60,7 @@
|
@@ -60,6 +60,7 @@
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
|
|
||||||
@ -582,18 +582,18 @@ diff -up openssh-6.0p1/packet.c.audit4 openssh-6.0p1/packet.c
|
|||||||
+ backup_state = NULL;
|
+ backup_state = NULL;
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
diff -up openssh-6.0p1/packet.h.audit4 openssh-6.0p1/packet.h
|
diff -up openssh-6.1p1/packet.h.audit4 openssh-6.1p1/packet.h
|
||||||
--- openssh-6.0p1/packet.h.audit4 2012-02-10 22:19:21.000000000 +0100
|
--- openssh-6.1p1/packet.h.audit4 2012-02-10 22:19:21.000000000 +0100
|
||||||
+++ openssh-6.0p1/packet.h 2012-08-06 20:35:56.321788995 +0200
|
+++ openssh-6.1p1/packet.h 2012-11-28 14:20:38.998185785 +0100
|
||||||
@@ -123,4 +123,5 @@ void packet_restore_state(void);
|
@@ -123,4 +123,5 @@ void packet_restore_state(void);
|
||||||
void *packet_get_input(void);
|
void *packet_get_input(void);
|
||||||
void *packet_get_output(void);
|
void *packet_get_output(void);
|
||||||
|
|
||||||
+void packet_destroy_all(int, int);
|
+void packet_destroy_all(int, int);
|
||||||
#endif /* PACKET_H */
|
#endif /* PACKET_H */
|
||||||
diff -up openssh-6.0p1/session.c.audit4 openssh-6.0p1/session.c
|
diff -up openssh-6.1p1/session.c.audit4 openssh-6.1p1/session.c
|
||||||
--- openssh-6.0p1/session.c.audit4 2012-08-06 20:35:56.296789093 +0200
|
--- openssh-6.1p1/session.c.audit4 2012-11-28 14:20:38.983185855 +0100
|
||||||
+++ openssh-6.0p1/session.c 2012-08-06 20:35:56.322788991 +0200
|
+++ openssh-6.1p1/session.c 2012-11-28 14:20:38.998185785 +0100
|
||||||
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
|
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
|
||||||
|
|
||||||
/* remove hostkey from the child's memory */
|
/* remove hostkey from the child's memory */
|
||||||
@ -604,10 +604,10 @@ diff -up openssh-6.0p1/session.c.audit4 openssh-6.0p1/session.c
|
|||||||
|
|
||||||
/* Force a password change */
|
/* Force a password change */
|
||||||
if (s->authctxt->force_pwchange) {
|
if (s->authctxt->force_pwchange) {
|
||||||
diff -up openssh-6.0p1/sshd.c.audit4 openssh-6.0p1/sshd.c
|
diff -up openssh-6.1p1/sshd.c.audit4 openssh-6.1p1/sshd.c
|
||||||
--- openssh-6.0p1/sshd.c.audit4 2012-08-06 20:35:56.312789030 +0200
|
--- openssh-6.1p1/sshd.c.audit4 2012-11-28 14:20:38.993185808 +0100
|
||||||
+++ openssh-6.0p1/sshd.c 2012-08-06 20:35:56.323788987 +0200
|
+++ openssh-6.1p1/sshd.c 2012-11-28 14:20:38.999185780 +0100
|
||||||
@@ -690,6 +690,8 @@ privsep_preauth(Authctxt *authctxt)
|
@@ -692,6 +692,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -616,7 +616,7 @@ diff -up openssh-6.0p1/sshd.c.audit4 openssh-6.0p1/sshd.c
|
|||||||
static void
|
static void
|
||||||
privsep_postauth(Authctxt *authctxt)
|
privsep_postauth(Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
@@ -714,6 +716,10 @@ privsep_postauth(Authctxt *authctxt)
|
@@ -716,6 +718,10 @@ privsep_postauth(Authctxt *authctxt)
|
||||||
else if (pmonitor->m_pid != 0) {
|
else if (pmonitor->m_pid != 0) {
|
||||||
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
|
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
|
||||||
buffer_clear(&loginmsg);
|
buffer_clear(&loginmsg);
|
||||||
@ -627,7 +627,7 @@ diff -up openssh-6.0p1/sshd.c.audit4 openssh-6.0p1/sshd.c
|
|||||||
monitor_child_postauth(pmonitor);
|
monitor_child_postauth(pmonitor);
|
||||||
|
|
||||||
/* NEVERREACHED */
|
/* NEVERREACHED */
|
||||||
@@ -2005,6 +2011,7 @@ main(int ac, char **av)
|
@@ -2016,6 +2022,7 @@ main(int ac, char **av)
|
||||||
*/
|
*/
|
||||||
if (use_privsep) {
|
if (use_privsep) {
|
||||||
mm_send_keystate(pmonitor);
|
mm_send_keystate(pmonitor);
|
||||||
@ -635,7 +635,7 @@ diff -up openssh-6.0p1/sshd.c.audit4 openssh-6.0p1/sshd.c
|
|||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2057,6 +2064,8 @@ main(int ac, char **av)
|
@@ -2068,6 +2075,8 @@ main(int ac, char **av)
|
||||||
do_authenticated(authctxt);
|
do_authenticated(authctxt);
|
||||||
|
|
||||||
/* The connection has been terminated. */
|
/* The connection has been terminated. */
|
||||||
@ -644,7 +644,7 @@ diff -up openssh-6.0p1/sshd.c.audit4 openssh-6.0p1/sshd.c
|
|||||||
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||||
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
||||||
verbose("Transferred: sent %llu, received %llu bytes",
|
verbose("Transferred: sent %llu, received %llu bytes",
|
||||||
@@ -2374,6 +2383,16 @@ do_ssh2_kex(void)
|
@@ -2385,6 +2394,16 @@ do_ssh2_kex(void)
|
||||||
void
|
void
|
||||||
cleanup_exit(int i)
|
cleanup_exit(int i)
|
||||||
{
|
{
|
||||||
@ -661,7 +661,7 @@ diff -up openssh-6.0p1/sshd.c.audit4 openssh-6.0p1/sshd.c
|
|||||||
if (the_authctxt) {
|
if (the_authctxt) {
|
||||||
do_cleanup(the_authctxt);
|
do_cleanup(the_authctxt);
|
||||||
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
|
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
|
||||||
@@ -2384,6 +2403,8 @@ cleanup_exit(int i)
|
@@ -2395,6 +2414,8 @@ cleanup_exit(int i)
|
||||||
pmonitor->m_pid, strerror(errno));
|
pmonitor->m_pid, strerror(errno));
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -1,6 +1,102 @@
|
|||||||
|
diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c
|
||||||
|
--- openssh-6.1p1/auth2.c.gsskex 2012-11-30 13:58:08.871298935 +0100
|
||||||
|
+++ openssh-6.1p1/auth2.c 2012-11-30 13:58:08.946298649 +0100
|
||||||
|
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
|
||||||
|
extern Authmethod method_kbdint;
|
||||||
|
extern Authmethod method_hostbased;
|
||||||
|
#ifdef GSSAPI
|
||||||
|
+extern Authmethod method_gsskeyex;
|
||||||
|
extern Authmethod method_gssapi;
|
||||||
|
#endif
|
||||||
|
#ifdef JPAKE
|
||||||
|
@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
|
||||||
|
&method_none,
|
||||||
|
&method_pubkey,
|
||||||
|
#ifdef GSSAPI
|
||||||
|
+ &method_gsskeyex,
|
||||||
|
&method_gssapi,
|
||||||
|
#endif
|
||||||
|
#ifdef JPAKE
|
||||||
|
diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c
|
||||||
|
--- openssh-6.1p1/auth2-gss.c.gsskex 2012-11-30 13:58:08.871298935 +0100
|
||||||
|
+++ openssh-6.1p1/auth2-gss.c 2012-11-30 13:59:19.622985133 +0100
|
||||||
|
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
|
||||||
|
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
|
||||||
|
static void input_gssapi_errtok(int, u_int32_t, void *);
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * The 'gssapi_keyex' userauth mechanism.
|
||||||
|
+ */
|
||||||
|
+static int
|
||||||
|
+userauth_gsskeyex(Authctxt *authctxt)
|
||||||
|
+{
|
||||||
|
+ int authenticated = 0;
|
||||||
|
+ Buffer b;
|
||||||
|
+ gss_buffer_desc mic, gssbuf;
|
||||||
|
+ u_int len;
|
||||||
|
+
|
||||||
|
+ mic.value = packet_get_string(&len);
|
||||||
|
+ mic.length = len;
|
||||||
|
+
|
||||||
|
+ packet_check_eom();
|
||||||
|
+
|
||||||
|
+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||||
|
+ "gssapi-keyex");
|
||||||
|
+
|
||||||
|
+ gssbuf.value = buffer_ptr(&b);
|
||||||
|
+ gssbuf.length = buffer_len(&b);
|
||||||
|
+
|
||||||
|
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
|
||||||
|
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
|
||||||
|
+ &gssbuf, &mic))))
|
||||||
|
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
||||||
|
+ authctxt->pw));
|
||||||
|
+
|
||||||
|
+ buffer_free(&b);
|
||||||
|
+ xfree(mic.value);
|
||||||
|
+
|
||||||
|
+ return (authenticated);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* We only support those mechanisms that we know about (ie ones that we know
|
||||||
|
* how to check local user kuserok and the like)
|
||||||
|
@@ -244,7 +278,8 @@ input_gssapi_exchange_complete(int type,
|
||||||
|
|
||||||
|
packet_check_eom();
|
||||||
|
|
||||||
|
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
||||||
|
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
||||||
|
+ authctxt->pw));
|
||||||
|
|
||||||
|
authctxt->postponed = 0;
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
|
||||||
|
@@ -286,7 +321,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
|
gssbuf.length = buffer_len(&b);
|
||||||
|
|
||||||
|
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
|
||||||
|
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
||||||
|
+ authenticated =
|
||||||
|
+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
|
||||||
|
else
|
||||||
|
logit("GSSAPI MIC check failed");
|
||||||
|
|
||||||
|
@@ -303,6 +339,12 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
|
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
+Authmethod method_gsskeyex = {
|
||||||
|
+ "gssapi-keyex",
|
||||||
|
+ userauth_gsskeyex,
|
||||||
|
+ &options.gss_authentication
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
Authmethod method_gssapi = {
|
||||||
|
"gssapi-with-mic",
|
||||||
|
userauth_gssapi,
|
||||||
diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
|
diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
|
||||||
--- openssh-6.1p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200
|
--- openssh-6.1p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200
|
||||||
+++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:07:19.695203206 +0200
|
+++ openssh-6.1p1/auth-krb5.c 2012-11-30 13:58:08.947298647 +0100
|
||||||
@@ -50,6 +50,7 @@
|
@@ -50,6 +50,7 @@
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
@ -107,105 +203,126 @@ diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
|
|||||||
|
|
||||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
}
|
}
|
||||||
diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c
|
diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi
|
||||||
--- openssh-6.1p1/auth2.c.gsskex 2012-09-14 20:57:55.291263269 +0200
|
--- openssh-6.1p1/ChangeLog.gssapi.gsskex 2012-11-30 13:58:08.947298647 +0100
|
||||||
+++ openssh-6.1p1/auth2.c 2012-09-14 20:57:55.853266860 +0200
|
+++ openssh-6.1p1/ChangeLog.gssapi 2012-11-30 13:58:08.947298647 +0100
|
||||||
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
|
@@ -0,0 +1,113 @@
|
||||||
extern Authmethod method_kbdint;
|
+20110101
|
||||||
extern Authmethod method_hostbased;
|
+ - Finally update for OpenSSH 5.6p1
|
||||||
#ifdef GSSAPI
|
+ - Add GSSAPIServerIdentity option from Jim Basney
|
||||||
+extern Authmethod method_gsskeyex;
|
|
||||||
extern Authmethod method_gssapi;
|
|
||||||
#endif
|
|
||||||
#ifdef JPAKE
|
|
||||||
@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
|
|
||||||
&method_none,
|
|
||||||
&method_pubkey,
|
|
||||||
#ifdef GSSAPI
|
|
||||||
+ &method_gsskeyex,
|
|
||||||
&method_gssapi,
|
|
||||||
#endif
|
|
||||||
#ifdef JPAKE
|
|
||||||
diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c
|
|
||||||
--- openssh-6.1p1/auth2-gss.c.gsskex 2012-09-14 20:57:55.292263276 +0200
|
|
||||||
+++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:57:55.855266873 +0200
|
|
||||||
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
|
|
||||||
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
|
|
||||||
static void input_gssapi_errtok(int, u_int32_t, void *);
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * The 'gssapi_keyex' userauth mechanism.
|
|
||||||
+ */
|
|
||||||
+static int
|
|
||||||
+userauth_gsskeyex(Authctxt *authctxt)
|
|
||||||
+{
|
|
||||||
+ int authenticated = 0;
|
|
||||||
+ Buffer b;
|
|
||||||
+ gss_buffer_desc mic, gssbuf;
|
|
||||||
+ u_int len;
|
|
||||||
+
|
+
|
||||||
+ mic.value = packet_get_string(&len);
|
+20100308
|
||||||
+ mic.length = len;
|
+ - [ Makefile.in, key.c, key.h ]
|
||||||
|
+ Updates for OpenSSH 5.4p1
|
||||||
|
+ - [ servconf.c ]
|
||||||
|
+ Include GSSAPI options in the sshd -T configuration dump, and flag
|
||||||
|
+ some older configuration options as being unsupported. Thanks to Colin
|
||||||
|
+ Watson.
|
||||||
|
+ -
|
||||||
+
|
+
|
||||||
+ packet_check_eom();
|
+20100124
|
||||||
|
+ - [ sshconnect2.c ]
|
||||||
|
+ Adapt to deal with additional element in Authmethod structure. Thanks to
|
||||||
|
+ Colin Watson
|
||||||
+
|
+
|
||||||
+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
+20090615
|
||||||
+ "gssapi-keyex");
|
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
|
||||||
|
+ sshd.c ]
|
||||||
|
+ Fix issues identified by Greg Hudson following a code review
|
||||||
|
+ Check return value of gss_indicate_mechs
|
||||||
|
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
|
||||||
|
+ Check return values of bignum functions in key exchange
|
||||||
|
+ Use BN_clear_free to clear other side's DH value
|
||||||
|
+ Make ssh_gssapi_id_kex more robust
|
||||||
|
+ Only configure kex table pointers if GSSAPI is enabled
|
||||||
|
+ Don't leak mechanism list, or gss mechanism list
|
||||||
|
+ Cast data.length before printing
|
||||||
|
+ If serverkey isn't provided, use an empty string, rather than NULL
|
||||||
+
|
+
|
||||||
+ gssbuf.value = buffer_ptr(&b);
|
+20090201
|
||||||
+ gssbuf.length = buffer_len(&b);
|
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
|
||||||
|
+ ssh_config.5 sshconnet2.c ]
|
||||||
|
+ Add support for the GSSAPIClientIdentity option, which allows the user
|
||||||
|
+ to specify which GSSAPI identity to use to contact a given server
|
||||||
+
|
+
|
||||||
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
|
+20080404
|
||||||
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
|
+ - [ gss-serv.c ]
|
||||||
+ &gssbuf, &mic))))
|
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
|
||||||
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
+ been omitted from a previous version of this patch. Reported by Borislav
|
||||||
+ authctxt->pw));
|
+ Stoichkov
|
||||||
+
|
+
|
||||||
+ buffer_free(&b);
|
+20070317
|
||||||
+ xfree(mic.value);
|
+ - [ gss-serv-krb5.c ]
|
||||||
|
+ Remove C99ism, where new_ccname was being declared in the middle of a
|
||||||
|
+ function
|
||||||
+
|
+
|
||||||
+ return (authenticated);
|
+20061220
|
||||||
+}
|
+ - [ servconf.c ]
|
||||||
|
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
|
||||||
|
+ documented, behaviour. Reported by Dan Watson.
|
||||||
+
|
+
|
||||||
/*
|
+20060910
|
||||||
* We only support those mechanisms that we know about (ie ones that we know
|
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
|
||||||
* how to check local user kuserok and the like)
|
+ ssh-gss.h ]
|
||||||
@@ -244,7 +278,8 @@ input_gssapi_exchange_complete(int type,
|
+ add support for gss-group14-sha1 key exchange mechanisms
|
||||||
|
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
|
||||||
packet_check_eom();
|
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
|
||||||
|
+ acceptor principal checking on multi-homed machines.
|
||||||
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
+ <Bugzilla #928>
|
||||||
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
+ - [ sshd_config ssh_config ]
|
||||||
+ authctxt->pw));
|
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
|
||||||
|
+ configuration files
|
||||||
authctxt->postponed = 0;
|
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
|
||||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
|
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
|
||||||
@@ -286,7 +321,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
+ Limit length of error messages displayed by client
|
||||||
gssbuf.length = buffer_len(&b);
|
|
||||||
|
|
||||||
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
|
|
||||||
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
|
||||||
+ authenticated =
|
|
||||||
+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
|
|
||||||
else
|
|
||||||
logit("GSSAPI MIC check failed");
|
|
||||||
|
|
||||||
@@ -303,6 +339,12 @@ input_gssapi_mic(int type, u_int32_t ple
|
|
||||||
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
+Authmethod method_gsskeyex = {
|
|
||||||
+ "gssapi-keyex",
|
|
||||||
+ userauth_gsskeyex,
|
|
||||||
+ &options.gss_authentication
|
|
||||||
+};
|
|
||||||
+
|
+
|
||||||
Authmethod method_gssapi = {
|
+20060909
|
||||||
"gssapi-with-mic",
|
+ - [ gss-genr.c gss-serv.c ]
|
||||||
userauth_gssapi,
|
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
|
||||||
|
+ only, where they belong
|
||||||
|
+ <Bugzilla #1225>
|
||||||
|
+
|
||||||
|
+20060829
|
||||||
|
+ - [ gss-serv-krb5.c ]
|
||||||
|
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
|
||||||
|
+ variable
|
||||||
|
+
|
||||||
|
+20060828
|
||||||
|
+ - [ gss-genr.c ]
|
||||||
|
+ Avoid Heimdal context freeing problem
|
||||||
|
+ <Fixed upstream 20060829>
|
||||||
|
+
|
||||||
|
+20060818
|
||||||
|
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
|
||||||
|
+ Make sure that SPENGO is disabled
|
||||||
|
+ <Bugzilla #1218 - Fixed upstream 20060818>
|
||||||
|
+
|
||||||
|
+20060421
|
||||||
|
+ - [ gssgenr.c, sshconnect2.c ]
|
||||||
|
+ a few type changes (signed versus unsigned, int versus size_t) to
|
||||||
|
+ fix compiler errors/warnings
|
||||||
|
+ (from jbasney AT ncsa.uiuc.edu)
|
||||||
|
+ - [ kexgssc.c, sshconnect2.c ]
|
||||||
|
+ fix uninitialized variable warnings
|
||||||
|
+ (from jbasney AT ncsa.uiuc.edu)
|
||||||
|
+ - [ gssgenr.c ]
|
||||||
|
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
|
||||||
|
+ (from jbasney AT ncsa.uiuc.edu)
|
||||||
|
+ <Bugzilla #1220 >
|
||||||
|
+ - [ gss-serv-krb5.c ]
|
||||||
|
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
|
||||||
|
+ (from jbasney AT ncsa.uiuc.edu)
|
||||||
|
+ <Fixed upstream 20060304>
|
||||||
|
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
|
||||||
|
+ add client-side GssapiKeyExchange option
|
||||||
|
+ (from jbasney AT ncsa.uiuc.edu)
|
||||||
|
+ - [ sshconnect2.c ]
|
||||||
|
+ add support for GssapiTrustDns option for gssapi-with-mic
|
||||||
|
+ (from jbasney AT ncsa.uiuc.edu)
|
||||||
|
+ <gssapi-with-mic support is Bugzilla #1008>
|
||||||
diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
|
diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
|
||||||
--- openssh-6.1p1/clientloop.c.gsskex 2012-09-14 20:57:54.862260529 +0200
|
--- openssh-6.1p1/clientloop.c.gsskex 2012-11-30 13:58:08.781299279 +0100
|
||||||
+++ openssh-6.1p1/clientloop.c 2012-09-14 20:57:55.861266911 +0200
|
+++ openssh-6.1p1/clientloop.c 2012-11-30 13:58:08.948298644 +0100
|
||||||
@@ -111,6 +111,10 @@
|
@@ -111,6 +111,10 @@
|
||||||
#include "msg.h"
|
#include "msg.h"
|
||||||
#include "roaming.h"
|
#include "roaming.h"
|
||||||
@ -234,8 +351,8 @@ diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
|
|||||||
debug("need rekeying");
|
debug("need rekeying");
|
||||||
xxx_kex->done = 0;
|
xxx_kex->done = 0;
|
||||||
diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
|
diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
|
||||||
--- openssh-6.1p1/configure.ac.gsskex 2012-09-14 20:57:55.756266240 +0200
|
--- openssh-6.1p1/configure.ac.gsskex 2012-11-30 13:58:08.934298697 +0100
|
||||||
+++ openssh-6.1p1/configure.ac 2012-09-14 20:57:55.865266937 +0200
|
+++ openssh-6.1p1/configure.ac 2012-11-30 13:58:08.949298640 +0100
|
||||||
@@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
@@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||||
[Use tunnel device compatibility to OpenBSD])
|
[Use tunnel device compatibility to OpenBSD])
|
||||||
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
||||||
@ -269,7 +386,7 @@ diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
|
|||||||
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
|
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
|
||||||
diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
|
diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
|
||||||
--- openssh-6.1p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
|
--- openssh-6.1p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
|
||||||
+++ openssh-6.1p1/gss-genr.c 2012-09-14 20:57:55.867266949 +0200
|
+++ openssh-6.1p1/gss-genr.c 2012-11-30 13:58:08.949298640 +0100
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
|
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
|
||||||
|
|
||||||
@ -619,7 +736,7 @@ diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
|
|||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
|
diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
|
||||||
--- openssh-6.1p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
|
--- openssh-6.1p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
|
||||||
+++ openssh-6.1p1/gss-serv.c 2012-09-14 20:57:55.870266969 +0200
|
+++ openssh-6.1p1/gss-serv.c 2012-11-30 13:58:08.949298640 +0100
|
||||||
@@ -45,15 +45,20 @@
|
@@ -45,15 +45,20 @@
|
||||||
#include "channels.h"
|
#include "channels.h"
|
||||||
#include "session.h"
|
#include "session.h"
|
||||||
@ -960,7 +1077,7 @@ diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
|
|||||||
#endif
|
#endif
|
||||||
diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
|
diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
|
||||||
--- openssh-6.1p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
|
--- openssh-6.1p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
|
||||||
+++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 20:57:55.872266981 +0200
|
+++ openssh-6.1p1/gss-serv-krb5.c 2012-11-30 13:58:08.949298640 +0100
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||||
|
|
||||||
@ -1083,126 +1200,9 @@ diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
|
|||||||
};
|
};
|
||||||
|
|
||||||
#endif /* KRB5 */
|
#endif /* KRB5 */
|
||||||
diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi
|
|
||||||
--- openssh-6.1p1/ChangeLog.gssapi.gsskex 2012-09-14 20:57:55.858266892 +0200
|
|
||||||
+++ openssh-6.1p1/ChangeLog.gssapi 2012-09-14 20:57:55.859266899 +0200
|
|
||||||
@@ -0,0 +1,113 @@
|
|
||||||
+20110101
|
|
||||||
+ - Finally update for OpenSSH 5.6p1
|
|
||||||
+ - Add GSSAPIServerIdentity option from Jim Basney
|
|
||||||
+
|
|
||||||
+20100308
|
|
||||||
+ - [ Makefile.in, key.c, key.h ]
|
|
||||||
+ Updates for OpenSSH 5.4p1
|
|
||||||
+ - [ servconf.c ]
|
|
||||||
+ Include GSSAPI options in the sshd -T configuration dump, and flag
|
|
||||||
+ some older configuration options as being unsupported. Thanks to Colin
|
|
||||||
+ Watson.
|
|
||||||
+ -
|
|
||||||
+
|
|
||||||
+20100124
|
|
||||||
+ - [ sshconnect2.c ]
|
|
||||||
+ Adapt to deal with additional element in Authmethod structure. Thanks to
|
|
||||||
+ Colin Watson
|
|
||||||
+
|
|
||||||
+20090615
|
|
||||||
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
|
|
||||||
+ sshd.c ]
|
|
||||||
+ Fix issues identified by Greg Hudson following a code review
|
|
||||||
+ Check return value of gss_indicate_mechs
|
|
||||||
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
|
|
||||||
+ Check return values of bignum functions in key exchange
|
|
||||||
+ Use BN_clear_free to clear other side's DH value
|
|
||||||
+ Make ssh_gssapi_id_kex more robust
|
|
||||||
+ Only configure kex table pointers if GSSAPI is enabled
|
|
||||||
+ Don't leak mechanism list, or gss mechanism list
|
|
||||||
+ Cast data.length before printing
|
|
||||||
+ If serverkey isn't provided, use an empty string, rather than NULL
|
|
||||||
+
|
|
||||||
+20090201
|
|
||||||
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
|
|
||||||
+ ssh_config.5 sshconnet2.c ]
|
|
||||||
+ Add support for the GSSAPIClientIdentity option, which allows the user
|
|
||||||
+ to specify which GSSAPI identity to use to contact a given server
|
|
||||||
+
|
|
||||||
+20080404
|
|
||||||
+ - [ gss-serv.c ]
|
|
||||||
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
|
|
||||||
+ been omitted from a previous version of this patch. Reported by Borislav
|
|
||||||
+ Stoichkov
|
|
||||||
+
|
|
||||||
+20070317
|
|
||||||
+ - [ gss-serv-krb5.c ]
|
|
||||||
+ Remove C99ism, where new_ccname was being declared in the middle of a
|
|
||||||
+ function
|
|
||||||
+
|
|
||||||
+20061220
|
|
||||||
+ - [ servconf.c ]
|
|
||||||
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
|
|
||||||
+ documented, behaviour. Reported by Dan Watson.
|
|
||||||
+
|
|
||||||
+20060910
|
|
||||||
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
|
|
||||||
+ ssh-gss.h ]
|
|
||||||
+ add support for gss-group14-sha1 key exchange mechanisms
|
|
||||||
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
|
|
||||||
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
|
|
||||||
+ acceptor principal checking on multi-homed machines.
|
|
||||||
+ <Bugzilla #928>
|
|
||||||
+ - [ sshd_config ssh_config ]
|
|
||||||
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
|
|
||||||
+ configuration files
|
|
||||||
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
|
|
||||||
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
|
|
||||||
+ Limit length of error messages displayed by client
|
|
||||||
+
|
|
||||||
+20060909
|
|
||||||
+ - [ gss-genr.c gss-serv.c ]
|
|
||||||
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
|
|
||||||
+ only, where they belong
|
|
||||||
+ <Bugzilla #1225>
|
|
||||||
+
|
|
||||||
+20060829
|
|
||||||
+ - [ gss-serv-krb5.c ]
|
|
||||||
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
|
|
||||||
+ variable
|
|
||||||
+
|
|
||||||
+20060828
|
|
||||||
+ - [ gss-genr.c ]
|
|
||||||
+ Avoid Heimdal context freeing problem
|
|
||||||
+ <Fixed upstream 20060829>
|
|
||||||
+
|
|
||||||
+20060818
|
|
||||||
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
|
|
||||||
+ Make sure that SPENGO is disabled
|
|
||||||
+ <Bugzilla #1218 - Fixed upstream 20060818>
|
|
||||||
+
|
|
||||||
+20060421
|
|
||||||
+ - [ gssgenr.c, sshconnect2.c ]
|
|
||||||
+ a few type changes (signed versus unsigned, int versus size_t) to
|
|
||||||
+ fix compiler errors/warnings
|
|
||||||
+ (from jbasney AT ncsa.uiuc.edu)
|
|
||||||
+ - [ kexgssc.c, sshconnect2.c ]
|
|
||||||
+ fix uninitialized variable warnings
|
|
||||||
+ (from jbasney AT ncsa.uiuc.edu)
|
|
||||||
+ - [ gssgenr.c ]
|
|
||||||
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
|
|
||||||
+ (from jbasney AT ncsa.uiuc.edu)
|
|
||||||
+ <Bugzilla #1220 >
|
|
||||||
+ - [ gss-serv-krb5.c ]
|
|
||||||
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
|
|
||||||
+ (from jbasney AT ncsa.uiuc.edu)
|
|
||||||
+ <Fixed upstream 20060304>
|
|
||||||
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
|
|
||||||
+ add client-side GssapiKeyExchange option
|
|
||||||
+ (from jbasney AT ncsa.uiuc.edu)
|
|
||||||
+ - [ sshconnect2.c ]
|
|
||||||
+ add support for GssapiTrustDns option for gssapi-with-mic
|
|
||||||
+ (from jbasney AT ncsa.uiuc.edu)
|
|
||||||
+ <gssapi-with-mic support is Bugzilla #1008>
|
|
||||||
diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
|
diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
|
||||||
--- openssh-6.1p1/kex.c.gsskex 2012-09-14 20:57:55.139262298 +0200
|
--- openssh-6.1p1/kex.c.gsskex 2012-11-30 13:58:08.820299131 +0100
|
||||||
+++ openssh-6.1p1/kex.c 2012-09-14 20:57:55.874266995 +0200
|
+++ openssh-6.1p1/kex.c 2012-11-30 13:58:08.950298635 +0100
|
||||||
@@ -51,6 +51,10 @@
|
@@ -51,6 +51,10 @@
|
||||||
#include "roaming.h"
|
#include "roaming.h"
|
||||||
#include "audit.h"
|
#include "audit.h"
|
||||||
@ -1236,8 +1236,8 @@ diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
|
|||||||
fatal("bad kex alg %s", k->name);
|
fatal("bad kex alg %s", k->name);
|
||||||
}
|
}
|
||||||
diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
|
diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
|
||||||
--- openssh-6.1p1/kexgssc.c.gsskex 2012-09-14 20:57:55.875267001 +0200
|
--- openssh-6.1p1/kexgssc.c.gsskex 2012-11-30 13:58:08.950298635 +0100
|
||||||
+++ openssh-6.1p1/kexgssc.c 2012-09-14 20:57:55.875267001 +0200
|
+++ openssh-6.1p1/kexgssc.c 2012-11-30 13:58:08.950298635 +0100
|
||||||
@@ -0,0 +1,334 @@
|
@@ -0,0 +1,334 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
@ -1574,8 +1574,8 @@ diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
|
|||||||
+
|
+
|
||||||
+#endif /* GSSAPI */
|
+#endif /* GSSAPI */
|
||||||
diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
|
diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
|
||||||
--- openssh-6.1p1/kexgsss.c.gsskex 2012-09-14 20:57:55.876267007 +0200
|
--- openssh-6.1p1/kexgsss.c.gsskex 2012-11-30 13:58:08.950298635 +0100
|
||||||
+++ openssh-6.1p1/kexgsss.c 2012-09-14 20:57:55.876267007 +0200
|
+++ openssh-6.1p1/kexgsss.c 2012-11-30 13:58:08.950298635 +0100
|
||||||
@@ -0,0 +1,288 @@
|
@@ -0,0 +1,288 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
@ -1866,8 +1866,8 @@ diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
|
|||||||
+}
|
+}
|
||||||
+#endif /* GSSAPI */
|
+#endif /* GSSAPI */
|
||||||
diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
|
diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
|
||||||
--- openssh-6.1p1/kex.h.gsskex 2012-09-14 20:57:55.141262312 +0200
|
--- openssh-6.1p1/kex.h.gsskex 2012-11-30 13:58:08.820299131 +0100
|
||||||
+++ openssh-6.1p1/kex.h 2012-09-14 20:57:55.878267019 +0200
|
+++ openssh-6.1p1/kex.h 2012-11-30 13:58:08.950298635 +0100
|
||||||
@@ -73,6 +73,9 @@ enum kex_exchange {
|
@@ -73,6 +73,9 @@ enum kex_exchange {
|
||||||
KEX_DH_GEX_SHA1,
|
KEX_DH_GEX_SHA1,
|
||||||
KEX_DH_GEX_SHA256,
|
KEX_DH_GEX_SHA256,
|
||||||
@ -1904,8 +1904,8 @@ diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
|
|||||||
|
|
||||||
void
|
void
|
||||||
diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
|
diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
|
||||||
--- openssh-6.1p1/key.c.gsskex 2012-09-14 20:57:55.593265199 +0200
|
--- openssh-6.1p1/key.c.gsskex 2012-11-30 13:58:08.912298779 +0100
|
||||||
+++ openssh-6.1p1/key.c 2012-09-14 20:57:55.881267039 +0200
|
+++ openssh-6.1p1/key.c 2012-11-30 13:58:08.951298630 +0100
|
||||||
@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
|
@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
@ -1925,8 +1925,8 @@ diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
|
|||||||
|
|
||||||
debug2("key_type_from_name: unknown key type '%s'", name);
|
debug2("key_type_from_name: unknown key type '%s'", name);
|
||||||
diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
|
diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
|
||||||
--- openssh-6.1p1/key.h.gsskex 2012-09-14 20:57:55.184262586 +0200
|
--- openssh-6.1p1/key.h.gsskex 2012-11-30 13:58:08.827299104 +0100
|
||||||
+++ openssh-6.1p1/key.h 2012-09-14 20:57:55.882267045 +0200
|
+++ openssh-6.1p1/key.h 2012-11-30 13:58:08.951298630 +0100
|
||||||
@@ -44,6 +44,7 @@ enum types {
|
@@ -44,6 +44,7 @@ enum types {
|
||||||
KEY_ECDSA_CERT,
|
KEY_ECDSA_CERT,
|
||||||
KEY_RSA_CERT_V00,
|
KEY_RSA_CERT_V00,
|
||||||
@ -1936,8 +1936,8 @@ diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
|
|||||||
};
|
};
|
||||||
enum fp_type {
|
enum fp_type {
|
||||||
diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
|
diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
|
||||||
--- openssh-6.1p1/Makefile.in.gsskex 2012-09-14 20:57:55.832266726 +0200
|
--- openssh-6.1p1/Makefile.in.gsskex 2012-11-30 13:58:08.945298652 +0100
|
||||||
+++ openssh-6.1p1/Makefile.in 2012-09-14 20:57:55.884267058 +0200
|
+++ openssh-6.1p1/Makefile.in 2012-11-30 13:58:08.951298630 +0100
|
||||||
@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||||
@ -1956,8 +1956,8 @@ diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
|
|||||||
sftp-server.o sftp-common.o \
|
sftp-server.o sftp-common.o \
|
||||||
roaming_common.o roaming_serv.o \
|
roaming_common.o roaming_serv.o \
|
||||||
diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
||||||
--- openssh-6.1p1/monitor.c.gsskex 2012-09-14 20:57:55.299263321 +0200
|
--- openssh-6.1p1/monitor.c.gsskex 2012-11-30 13:58:08.873298927 +0100
|
||||||
+++ openssh-6.1p1/monitor.c 2012-09-14 20:57:55.888267083 +0200
|
+++ openssh-6.1p1/monitor.c 2012-11-30 13:58:08.952298626 +0100
|
||||||
@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
||||||
int mm_answer_gss_accept_ctx(int, Buffer *);
|
int mm_answer_gss_accept_ctx(int, Buffer *);
|
||||||
int mm_answer_gss_userok(int, Buffer *);
|
int mm_answer_gss_userok(int, Buffer *);
|
||||||
@ -1988,7 +1988,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
||||||
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
|
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
|
||||||
{MONITOR_REQ_PTY, 0, mm_answer_pty},
|
{MONITOR_REQ_PTY, 0, mm_answer_pty},
|
||||||
@@ -406,6 +415,10 @@ monitor_child_preauth(Authctxt *_authctx
|
@@ -404,6 +413,10 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
/* Permit requests for moduli and signatures */
|
/* Permit requests for moduli and signatures */
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||||
@ -1998,8 +1998,8 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
+#endif
|
+#endif
|
||||||
} else {
|
} else {
|
||||||
mon_dispatch = mon_dispatch_proto15;
|
mon_dispatch = mon_dispatch_proto15;
|
||||||
req_auth = &options.required_auth1;
|
|
||||||
@@ -512,6 +525,10 @@ monitor_child_postauth(struct monitor *p
|
@@ -516,6 +529,10 @@ monitor_child_postauth(struct monitor *p
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||||
@ -2010,7 +2010,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
} else {
|
} else {
|
||||||
mon_dispatch = mon_dispatch_postauth15;
|
mon_dispatch = mon_dispatch_postauth15;
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||||
@@ -1939,6 +1956,13 @@ mm_get_kex(Buffer *m)
|
@@ -1948,6 +1965,13 @@ mm_get_kex(Buffer *m)
|
||||||
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
||||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||||
@ -2024,7 +2024,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
kex->server = 1;
|
kex->server = 1;
|
||||||
kex->hostkey_type = buffer_get_int(m);
|
kex->hostkey_type = buffer_get_int(m);
|
||||||
kex->kex_type = buffer_get_int(m);
|
kex->kex_type = buffer_get_int(m);
|
||||||
@@ -2162,6 +2186,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
@@ -2171,6 +2195,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||||
OM_uint32 major;
|
OM_uint32 major;
|
||||||
u_int len;
|
u_int len;
|
||||||
|
|
||||||
@ -2034,7 +2034,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
goid.elements = buffer_get_string(m, &len);
|
goid.elements = buffer_get_string(m, &len);
|
||||||
goid.length = len;
|
goid.length = len;
|
||||||
|
|
||||||
@@ -2189,6 +2216,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
@@ -2198,6 +2225,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||||
OM_uint32 flags = 0; /* GSI needs this */
|
OM_uint32 flags = 0; /* GSI needs this */
|
||||||
u_int len;
|
u_int len;
|
||||||
|
|
||||||
@ -2044,7 +2044,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
in.value = buffer_get_string(m, &len);
|
in.value = buffer_get_string(m, &len);
|
||||||
in.length = len;
|
in.length = len;
|
||||||
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
||||||
@@ -2206,6 +2236,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
@@ -2215,6 +2245,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||||
@ -2052,7 +2052,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
}
|
}
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
@@ -2217,6 +2248,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
@@ -2226,6 +2257,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||||
OM_uint32 ret;
|
OM_uint32 ret;
|
||||||
u_int len;
|
u_int len;
|
||||||
|
|
||||||
@ -2062,7 +2062,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
gssbuf.value = buffer_get_string(m, &len);
|
gssbuf.value = buffer_get_string(m, &len);
|
||||||
gssbuf.length = len;
|
gssbuf.length = len;
|
||||||
mic.value = buffer_get_string(m, &len);
|
mic.value = buffer_get_string(m, &len);
|
||||||
@@ -2243,7 +2277,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
@@ -2252,7 +2286,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||||
{
|
{
|
||||||
int authenticated;
|
int authenticated;
|
||||||
|
|
||||||
@ -2075,7 +2075,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
|
|
||||||
buffer_clear(m);
|
buffer_clear(m);
|
||||||
buffer_put_int(m, authenticated);
|
buffer_put_int(m, authenticated);
|
||||||
@@ -2257,6 +2295,74 @@ mm_answer_gss_userok(int sock, Buffer *m
|
@@ -2265,6 +2303,74 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||||
/* Monitor loop will terminate if authenticated */
|
/* Monitor loop will terminate if authenticated */
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
@ -2151,8 +2151,8 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
|
|||||||
|
|
||||||
#ifdef JPAKE
|
#ifdef JPAKE
|
||||||
diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
|
diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
|
||||||
--- openssh-6.1p1/monitor.h.gsskex 2012-09-14 20:57:55.300263327 +0200
|
--- openssh-6.1p1/monitor.h.gsskex 2012-11-30 13:58:08.873298927 +0100
|
||||||
+++ openssh-6.1p1/monitor.h 2012-09-14 20:57:55.889267090 +0200
|
+++ openssh-6.1p1/monitor.h 2012-11-30 13:58:08.952298626 +0100
|
||||||
@@ -56,6 +56,8 @@ enum monitor_reqtype {
|
@@ -56,6 +56,8 @@ enum monitor_reqtype {
|
||||||
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
|
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
|
||||||
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
|
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
|
||||||
@ -2163,8 +2163,8 @@ diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
|
|||||||
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
|
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
|
||||||
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
|
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
|
||||||
diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
|
diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
|
||||||
--- openssh-6.1p1/monitor_wrap.c.gsskex 2012-09-14 20:57:55.302263340 +0200
|
--- openssh-6.1p1/monitor_wrap.c.gsskex 2012-11-30 13:58:08.873298927 +0100
|
||||||
+++ openssh-6.1p1/monitor_wrap.c 2012-09-14 20:57:55.892267109 +0200
|
+++ openssh-6.1p1/monitor_wrap.c 2012-11-30 13:58:08.952298626 +0100
|
||||||
@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2227,8 +2227,8 @@ diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
|
|||||||
|
|
||||||
#ifdef JPAKE
|
#ifdef JPAKE
|
||||||
diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
|
diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
|
||||||
--- openssh-6.1p1/monitor_wrap.h.gsskex 2012-09-14 20:57:55.304263353 +0200
|
--- openssh-6.1p1/monitor_wrap.h.gsskex 2012-11-30 13:58:08.874298923 +0100
|
||||||
+++ openssh-6.1p1/monitor_wrap.h 2012-09-14 20:57:55.893267116 +0200
|
+++ openssh-6.1p1/monitor_wrap.h 2012-11-30 13:58:08.953298623 +0100
|
||||||
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
|
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
|
||||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||||
@ -2243,7 +2243,7 @@ diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
|
|||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
|
diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
|
||||||
--- openssh-6.1p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
|
--- openssh-6.1p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
|
||||||
+++ openssh-6.1p1/readconf.c 2012-09-14 20:57:55.896267134 +0200
|
+++ openssh-6.1p1/readconf.c 2012-11-30 13:58:08.953298623 +0100
|
||||||
@@ -129,6 +129,8 @@ typedef enum {
|
@@ -129,6 +129,8 @@ typedef enum {
|
||||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||||
@ -2334,7 +2334,7 @@ diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
|
|||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
|
diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
|
||||||
--- openssh-6.1p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
|
--- openssh-6.1p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
|
||||||
+++ openssh-6.1p1/readconf.h 2012-09-14 20:57:55.897267141 +0200
|
+++ openssh-6.1p1/readconf.h 2012-11-30 13:58:08.953298623 +0100
|
||||||
@@ -48,7 +48,12 @@ typedef struct {
|
@@ -48,7 +48,12 @@ typedef struct {
|
||||||
int challenge_response_authentication;
|
int challenge_response_authentication;
|
||||||
/* Try S/Key or TIS, authentication. */
|
/* Try S/Key or TIS, authentication. */
|
||||||
@ -2349,8 +2349,8 @@ diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
|
|||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||||
diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
||||||
--- openssh-6.1p1/servconf.c.gsskex 2012-09-14 20:57:55.760266266 +0200
|
--- openssh-6.1p1/servconf.c.gsskex 2012-11-30 13:58:08.935298693 +0100
|
||||||
+++ openssh-6.1p1/servconf.c 2012-09-14 20:57:55.900267160 +0200
|
+++ openssh-6.1p1/servconf.c 2012-11-30 13:58:08.954298621 +0100
|
||||||
@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
|
@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
|
||||||
options->kerberos_ticket_cleanup = -1;
|
options->kerberos_ticket_cleanup = -1;
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
@ -2362,7 +2362,7 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
|||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
@@ -236,8 +239,14 @@ fill_default_server_options(ServerOption
|
@@ -234,8 +237,14 @@ fill_default_server_options(ServerOption
|
||||||
options->kerberos_get_afs_token = 0;
|
options->kerberos_get_afs_token = 0;
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
@ -2377,7 +2377,7 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -333,7 +342,9 @@ typedef enum {
|
@@ -331,7 +340,9 @@ typedef enum {
|
||||||
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
@ -2385,10 +2385,10 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
|||||||
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssKeyEx, sGssStoreRekey,
|
+ sGssKeyEx, sGssStoreRekey,
|
||||||
+ sAcceptEnv, sPermitTunnel,
|
+ sAcceptEnv, sPermitTunnel,
|
||||||
sRequiredAuthentications1, sRequiredAuthentications2,
|
|
||||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
@@ -399,10 +410,20 @@ static struct {
|
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||||
|
@@ -397,10 +408,20 @@ static struct {
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||||
@ -2409,7 +2409,7 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
|||||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||||
@@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
|
@@ -1046,10 +1067,22 @@ process_server_config_line(ServerOptions
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -2432,7 +2432,7 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
|||||||
case sPasswordAuthentication:
|
case sPasswordAuthentication:
|
||||||
intptr = &options->password_authentication;
|
intptr = &options->password_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -1944,6 +1977,9 @@ dump_config(ServerOptions *o)
|
@@ -1929,6 +1962,9 @@ dump_config(ServerOptions *o)
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||||
@ -2443,9 +2443,9 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
|
|||||||
#ifdef JPAKE
|
#ifdef JPAKE
|
||||||
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
|
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
|
||||||
diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
|
diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
|
||||||
--- openssh-6.1p1/servconf.h.gsskex 2012-09-14 20:57:55.762266278 +0200
|
--- openssh-6.1p1/servconf.h.gsskex 2012-11-30 13:58:08.935298693 +0100
|
||||||
+++ openssh-6.1p1/servconf.h 2012-09-14 20:57:55.902267173 +0200
|
+++ openssh-6.1p1/servconf.h 2012-11-30 13:58:08.954298621 +0100
|
||||||
@@ -103,7 +103,10 @@ typedef struct {
|
@@ -104,7 +104,10 @@ typedef struct {
|
||||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
@ -2456,21 +2456,9 @@ diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
|
|||||||
int password_authentication; /* If true, permit password
|
int password_authentication; /* If true, permit password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* If true, permit */
|
int kbd_interactive_authentication; /* If true, permit */
|
||||||
diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
|
|
||||||
--- openssh-6.1p1/ssh_config.gsskex 2012-09-14 20:57:55.707265928 +0200
|
|
||||||
+++ openssh-6.1p1/ssh_config 2012-09-14 20:57:55.906267198 +0200
|
|
||||||
@@ -26,6 +26,8 @@
|
|
||||||
# HostbasedAuthentication no
|
|
||||||
# GSSAPIAuthentication no
|
|
||||||
# GSSAPIDelegateCredentials no
|
|
||||||
+# GSSAPIKeyExchange no
|
|
||||||
+# GSSAPITrustDNS no
|
|
||||||
# BatchMode no
|
|
||||||
# CheckHostIP yes
|
|
||||||
# AddressFamily any
|
|
||||||
diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
|
diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
|
||||||
--- openssh-6.1p1/ssh_config.5.gsskex 2012-07-02 10:53:38.000000000 +0200
|
--- openssh-6.1p1/ssh_config.5.gsskex 2012-07-02 10:53:38.000000000 +0200
|
||||||
+++ openssh-6.1p1/ssh_config.5 2012-09-14 20:57:55.904267186 +0200
|
+++ openssh-6.1p1/ssh_config.5 2012-11-30 13:58:08.954298621 +0100
|
||||||
@@ -527,11 +527,43 @@ Specifies whether user authentication ba
|
@@ -527,11 +527,43 @@ Specifies whether user authentication ba
|
||||||
The default is
|
The default is
|
||||||
.Dq no .
|
.Dq no .
|
||||||
@ -2516,9 +2504,21 @@ diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
|
|||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
|
diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
|
||||||
|
--- openssh-6.1p1/ssh_config.gsskex 2012-11-30 13:58:08.927298724 +0100
|
||||||
|
+++ openssh-6.1p1/ssh_config 2012-11-30 13:58:08.954298621 +0100
|
||||||
|
@@ -26,6 +26,8 @@
|
||||||
|
# HostbasedAuthentication no
|
||||||
|
# GSSAPIAuthentication no
|
||||||
|
# GSSAPIDelegateCredentials no
|
||||||
|
+# GSSAPIKeyExchange no
|
||||||
|
+# GSSAPITrustDNS no
|
||||||
|
# BatchMode no
|
||||||
|
# CheckHostIP yes
|
||||||
|
# AddressFamily any
|
||||||
diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
|
diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
|
||||||
--- openssh-6.1p1/sshconnect2.c.gsskex 2012-09-14 20:57:55.605265275 +0200
|
--- openssh-6.1p1/sshconnect2.c.gsskex 2012-11-30 13:58:08.913298775 +0100
|
||||||
+++ openssh-6.1p1/sshconnect2.c 2012-09-14 20:57:55.909267218 +0200
|
+++ openssh-6.1p1/sshconnect2.c 2012-11-30 13:58:08.955298617 +0100
|
||||||
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
{
|
{
|
||||||
Kex *kex;
|
Kex *kex;
|
||||||
@ -2718,8 +2718,8 @@ diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
|
|||||||
|
|
||||||
int
|
int
|
||||||
diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
|
diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
|
||||||
--- openssh-6.1p1/sshd.c.gsskex 2012-09-14 20:57:55.799266515 +0200
|
--- openssh-6.1p1/sshd.c.gsskex 2012-11-30 13:58:08.940298674 +0100
|
||||||
+++ openssh-6.1p1/sshd.c 2012-09-14 20:57:55.912267237 +0200
|
+++ openssh-6.1p1/sshd.c 2012-11-30 13:58:08.955298617 +0100
|
||||||
@@ -124,6 +124,10 @@
|
@@ -124,6 +124,10 @@
|
||||||
#include "ssh-sandbox.h"
|
#include "ssh-sandbox.h"
|
||||||
#include "version.h"
|
#include "version.h"
|
||||||
@ -2731,7 +2731,7 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
|
|||||||
#ifdef LIBWRAP
|
#ifdef LIBWRAP
|
||||||
#include <tcpd.h>
|
#include <tcpd.h>
|
||||||
#include <syslog.h>
|
#include <syslog.h>
|
||||||
@@ -1692,10 +1696,13 @@ main(int ac, char **av)
|
@@ -1723,10 +1727,13 @@ main(int ac, char **av)
|
||||||
logit("Disabling protocol version 1. Could not load host key");
|
logit("Disabling protocol version 1. Could not load host key");
|
||||||
options.protocol &= ~SSH_PROTO_1;
|
options.protocol &= ~SSH_PROTO_1;
|
||||||
}
|
}
|
||||||
@ -2745,7 +2745,7 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
|
|||||||
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
|
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
|
||||||
logit("sshd: no hostkeys available -- exiting.");
|
logit("sshd: no hostkeys available -- exiting.");
|
||||||
exit(1);
|
exit(1);
|
||||||
@@ -2027,6 +2034,60 @@ main(int ac, char **av)
|
@@ -2058,6 +2065,60 @@ main(int ac, char **av)
|
||||||
/* Log the connection. */
|
/* Log the connection. */
|
||||||
verbose("Connection from %.500s port %d", remote_ip, remote_port);
|
verbose("Connection from %.500s port %d", remote_ip, remote_port);
|
||||||
|
|
||||||
@ -2806,7 +2806,7 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
|
|||||||
/*
|
/*
|
||||||
* We don't want to listen forever unless the other side
|
* We don't want to listen forever unless the other side
|
||||||
* successfully authenticates itself. So we set up an alarm which is
|
* successfully authenticates itself. So we set up an alarm which is
|
||||||
@@ -2425,6 +2486,48 @@ do_ssh2_kex(void)
|
@@ -2456,6 +2517,48 @@ do_ssh2_kex(void)
|
||||||
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
|
||||||
|
|
||||||
@ -2855,7 +2855,7 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
|
|||||||
/* start key exchange */
|
/* start key exchange */
|
||||||
kex = kex_setup(myproposal);
|
kex = kex_setup(myproposal);
|
||||||
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
|
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
|
||||||
@@ -2432,6 +2535,13 @@ do_ssh2_kex(void)
|
@@ -2463,6 +2566,13 @@ do_ssh2_kex(void)
|
||||||
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
||||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||||
@ -2869,22 +2869,10 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
|
|||||||
kex->server = 1;
|
kex->server = 1;
|
||||||
kex->client_version_string=client_version_string;
|
kex->client_version_string=client_version_string;
|
||||||
kex->server_version_string=server_version_string;
|
kex->server_version_string=server_version_string;
|
||||||
diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
|
|
||||||
--- openssh-6.1p1/sshd_config.gsskex 2012-09-14 20:57:55.801266528 +0200
|
|
||||||
+++ openssh-6.1p1/sshd_config 2012-09-14 20:57:55.916267263 +0200
|
|
||||||
@@ -85,6 +85,8 @@ ChallengeResponseAuthentication no
|
|
||||||
GSSAPIAuthentication yes
|
|
||||||
#GSSAPICleanupCredentials yes
|
|
||||||
GSSAPICleanupCredentials yes
|
|
||||||
+#GSSAPIStrictAcceptorCheck yes
|
|
||||||
+#GSSAPIKeyExchange no
|
|
||||||
|
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
|
||||||
diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
|
diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
|
||||||
--- openssh-6.1p1/sshd_config.5.gsskex 2012-09-14 20:57:55.767266310 +0200
|
--- openssh-6.1p1/sshd_config.5.gsskex 2012-11-30 13:58:08.935298693 +0100
|
||||||
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:57:55.915267256 +0200
|
+++ openssh-6.1p1/sshd_config.5 2012-11-30 13:58:08.956298613 +0100
|
||||||
@@ -439,12 +439,40 @@ Specifies whether user authentication ba
|
@@ -462,12 +462,40 @@ Specifies whether user authentication ba
|
||||||
The default is
|
The default is
|
||||||
.Dq no .
|
.Dq no .
|
||||||
Note that this option applies to protocol version 2 only.
|
Note that this option applies to protocol version 2 only.
|
||||||
@ -2925,9 +2913,21 @@ diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
|
|||||||
.It Cm HostbasedAuthentication
|
.It Cm HostbasedAuthentication
|
||||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||||
with successful public key client host authentication is allowed
|
with successful public key client host authentication is allowed
|
||||||
|
diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
|
||||||
|
--- openssh-6.1p1/sshd_config.gsskex 2012-11-30 13:58:08.940298674 +0100
|
||||||
|
+++ openssh-6.1p1/sshd_config 2012-11-30 13:58:08.956298613 +0100
|
||||||
|
@@ -89,6 +89,8 @@ ChallengeResponseAuthentication no
|
||||||
|
GSSAPIAuthentication yes
|
||||||
|
#GSSAPICleanupCredentials yes
|
||||||
|
GSSAPICleanupCredentials yes
|
||||||
|
+#GSSAPIStrictAcceptorCheck yes
|
||||||
|
+#GSSAPIKeyExchange no
|
||||||
|
|
||||||
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
|
diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
|
||||||
--- openssh-6.1p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
|
--- openssh-6.1p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
|
||||||
+++ openssh-6.1p1/ssh-gss.h 2012-09-14 20:57:55.918267275 +0200
|
+++ openssh-6.1p1/ssh-gss.h 2012-11-30 13:58:08.956298613 +0100
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,6 +1,6 @@
|
||||||
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
|
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
|
@ -1,44 +1,7 @@
|
|||||||
diff -up openssh-6.0p1/auth.h.role-mls openssh-6.0p1/auth.h
|
diff -up openssh-6.1p1/auth1.c.role-mls openssh-6.1p1/auth1.c
|
||||||
--- openssh-6.0p1/auth.h.role-mls 2012-06-24 16:57:17.540262700 +0200
|
--- openssh-6.1p1/auth1.c.role-mls 2012-11-28 17:06:43.657990103 +0100
|
||||||
+++ openssh-6.0p1/auth.h 2012-06-24 16:49:35.802071204 +0200
|
+++ openssh-6.1p1/auth1.c 2012-11-28 17:06:43.699989959 +0100
|
||||||
@@ -59,6 +59,9 @@ struct Authctxt {
|
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
|
||||||
char *service;
|
|
||||||
struct passwd *pw; /* set if 'valid' */
|
|
||||||
char *style;
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+ char *role;
|
|
||||||
+#endif
|
|
||||||
void *kbdintctxt;
|
|
||||||
void *jpake_ctx;
|
|
||||||
#ifdef BSD_AUTH
|
|
||||||
diff -up openssh-6.0p1/auth-pam.c.role-mls openssh-6.0p1/auth-pam.c
|
|
||||||
--- openssh-6.0p1/auth-pam.c.role-mls 2012-06-24 16:57:17.532262382 +0200
|
|
||||||
+++ openssh-6.0p1/auth-pam.c 2012-06-24 16:49:35.803071166 +0200
|
|
||||||
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
|
|
||||||
* during the ssh authentication process.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
-do_pam_putenv(char *name, char *value)
|
|
||||||
+do_pam_putenv(char *name, const char *value)
|
|
||||||
{
|
|
||||||
int ret = 1;
|
|
||||||
#ifdef HAVE_PAM_PUTENV
|
|
||||||
diff -up openssh-6.0p1/auth-pam.h.role-mls openssh-6.0p1/auth-pam.h
|
|
||||||
--- openssh-6.0p1/auth-pam.h.role-mls 2012-06-24 16:57:17.515261702 +0200
|
|
||||||
+++ openssh-6.0p1/auth-pam.h 2012-06-24 16:49:35.804071128 +0200
|
|
||||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
|
||||||
void do_pam_set_tty(const char *);
|
|
||||||
void do_pam_setcred(int );
|
|
||||||
void do_pam_chauthtok(void);
|
|
||||||
-int do_pam_putenv(char *, char *);
|
|
||||||
+int do_pam_putenv(char *, const char *);
|
|
||||||
char ** fetch_pam_environment(void);
|
|
||||||
char ** fetch_pam_child_environment(void);
|
|
||||||
void free_pam_environment(char **);
|
|
||||||
diff -up openssh-6.0p1/auth1.c.role-mls openssh-6.0p1/auth1.c
|
|
||||||
--- openssh-6.0p1/auth1.c.role-mls 2012-06-24 16:57:17.505261305 +0200
|
|
||||||
+++ openssh-6.0p1/auth1.c 2012-06-24 16:49:35.805071090 +0200
|
|
||||||
@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt)
|
|
||||||
{
|
{
|
||||||
u_int ulen;
|
u_int ulen;
|
||||||
char *user, *style = NULL;
|
char *user, *style = NULL;
|
||||||
@ -48,7 +11,7 @@ diff -up openssh-6.0p1/auth1.c.role-mls openssh-6.0p1/auth1.c
|
|||||||
|
|
||||||
/* Get the name of the user that we wish to log in as. */
|
/* Get the name of the user that we wish to log in as. */
|
||||||
packet_read_expect(SSH_CMSG_USER);
|
packet_read_expect(SSH_CMSG_USER);
|
||||||
@@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt)
|
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
|
||||||
user = packet_get_cstring(&ulen);
|
user = packet_get_cstring(&ulen);
|
||||||
packet_check_eom();
|
packet_check_eom();
|
||||||
|
|
||||||
@ -73,20 +36,20 @@ diff -up openssh-6.0p1/auth1.c.role-mls openssh-6.0p1/auth1.c
|
|||||||
|
|
||||||
/* Verify that the user is a valid user. */
|
/* Verify that the user is a valid user. */
|
||||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||||
diff -up openssh-6.0p1/auth2.c.role-mls openssh-6.0p1/auth2.c
|
diff -up openssh-6.1p1/auth2.c.role-mls openssh-6.1p1/auth2.c
|
||||||
--- openssh-6.0p1/auth2.c.role-mls 2012-06-24 16:57:17.507261384 +0200
|
--- openssh-6.1p1/auth2.c.role-mls 2012-11-28 17:06:43.661990089 +0100
|
||||||
+++ openssh-6.0p1/auth2.c 2012-06-24 16:49:35.806071052 +0200
|
+++ openssh-6.1p1/auth2.c 2012-11-28 17:11:09.058916613 +0100
|
||||||
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
|
@@ -218,6 +218,9 @@ input_userauth_request(int type, u_int32
|
||||||
Authctxt *authctxt = ctxt;
|
Authctxt *authctxt = ctxt;
|
||||||
Authmethod *m = NULL;
|
Authmethod *m = NULL;
|
||||||
char *user, *service, *method, *active_methods, *style = NULL;
|
char *user, *service, *method, *style = NULL;
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ char *role = NULL;
|
+ char *role = NULL;
|
||||||
+#endif
|
+#endif
|
||||||
int authenticated = 0;
|
int authenticated = 0;
|
||||||
|
|
||||||
if (authctxt == NULL)
|
if (authctxt == NULL)
|
||||||
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
|
@@ -229,6 +232,11 @@ input_userauth_request(int type, u_int32
|
||||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||||
|
|
||||||
@ -98,7 +61,7 @@ diff -up openssh-6.0p1/auth2.c.role-mls openssh-6.0p1/auth2.c
|
|||||||
if ((style = strchr(user, ':')) != NULL)
|
if ((style = strchr(user, ':')) != NULL)
|
||||||
*style++ = 0;
|
*style++ = 0;
|
||||||
|
|
||||||
@@ -249,8 +257,15 @@ input_userauth_request(int type, u_int32
|
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
|
||||||
use_privsep ? " [net]" : "");
|
use_privsep ? " [net]" : "");
|
||||||
authctxt->service = xstrdup(service);
|
authctxt->service = xstrdup(service);
|
||||||
authctxt->style = style ? xstrdup(style) : NULL;
|
authctxt->style = style ? xstrdup(style) : NULL;
|
||||||
@ -113,11 +76,11 @@ diff -up openssh-6.0p1/auth2.c.role-mls openssh-6.0p1/auth2.c
|
|||||||
+#endif
|
+#endif
|
||||||
+ }
|
+ }
|
||||||
userauth_banner();
|
userauth_banner();
|
||||||
} else if (strcmp(user, authctxt->user) != 0 ||
|
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||||
strcmp(service, authctxt->service) != 0) {
|
packet_disconnect("no authentication methods enabled");
|
||||||
diff -up openssh-6.0p1/auth2-gss.c.role-mls openssh-6.0p1/auth2-gss.c
|
diff -up openssh-6.1p1/auth2-gss.c.role-mls openssh-6.1p1/auth2-gss.c
|
||||||
--- openssh-6.0p1/auth2-gss.c.role-mls 2012-06-24 16:57:17.522261982 +0200
|
--- openssh-6.1p1/auth2-gss.c.role-mls 2011-05-05 06:04:11.000000000 +0200
|
||||||
+++ openssh-6.0p1/auth2-gss.c 2012-06-24 16:49:35.806071052 +0200
|
+++ openssh-6.1p1/auth2-gss.c 2012-11-28 17:06:43.700989956 +0100
|
||||||
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
Authctxt *authctxt = ctxt;
|
Authctxt *authctxt = ctxt;
|
||||||
Gssctxt *gssctxt;
|
Gssctxt *gssctxt;
|
||||||
@ -150,9 +113,9 @@ diff -up openssh-6.0p1/auth2-gss.c.role-mls openssh-6.0p1/auth2-gss.c
|
|||||||
xfree(mic.value);
|
xfree(mic.value);
|
||||||
|
|
||||||
authctxt->postponed = 0;
|
authctxt->postponed = 0;
|
||||||
diff -up openssh-6.0p1/auth2-hostbased.c.role-mls openssh-6.0p1/auth2-hostbased.c
|
diff -up openssh-6.1p1/auth2-hostbased.c.role-mls openssh-6.1p1/auth2-hostbased.c
|
||||||
--- openssh-6.0p1/auth2-hostbased.c.role-mls 2012-06-24 16:57:17.535262501 +0200
|
--- openssh-6.1p1/auth2-hostbased.c.role-mls 2012-11-28 17:06:43.669990062 +0100
|
||||||
+++ openssh-6.0p1/auth2-hostbased.c 2012-06-24 16:49:35.807071014 +0200
|
+++ openssh-6.1p1/auth2-hostbased.c 2012-11-28 17:06:43.700989956 +0100
|
||||||
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||||
buffer_put_string(&b, session_id2, session_id2_len);
|
buffer_put_string(&b, session_id2, session_id2_len);
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
@ -170,9 +133,9 @@ diff -up openssh-6.0p1/auth2-hostbased.c.role-mls openssh-6.0p1/auth2-hostbased.
|
|||||||
buffer_put_cstring(&b, service);
|
buffer_put_cstring(&b, service);
|
||||||
buffer_put_cstring(&b, "hostbased");
|
buffer_put_cstring(&b, "hostbased");
|
||||||
buffer_put_string(&b, pkalg, alen);
|
buffer_put_string(&b, pkalg, alen);
|
||||||
diff -up openssh-6.0p1/auth2-pubkey.c.role-mls openssh-6.0p1/auth2-pubkey.c
|
diff -up openssh-6.1p1/auth2-pubkey.c.role-mls openssh-6.1p1/auth2-pubkey.c
|
||||||
--- openssh-6.0p1/auth2-pubkey.c.role-mls 2012-06-24 16:57:17.517261782 +0200
|
--- openssh-6.1p1/auth2-pubkey.c.role-mls 2012-11-28 17:06:43.669990062 +0100
|
||||||
+++ openssh-6.0p1/auth2-pubkey.c 2012-06-24 16:49:35.807071014 +0200
|
+++ openssh-6.1p1/auth2-pubkey.c 2012-11-28 17:06:43.700989956 +0100
|
||||||
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
|
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||||
}
|
}
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
@ -190,9 +153,46 @@ diff -up openssh-6.0p1/auth2-pubkey.c.role-mls openssh-6.0p1/auth2-pubkey.c
|
|||||||
buffer_put_cstring(&b,
|
buffer_put_cstring(&b,
|
||||||
datafellows & SSH_BUG_PKSERVICE ?
|
datafellows & SSH_BUG_PKSERVICE ?
|
||||||
"ssh-userauth" :
|
"ssh-userauth" :
|
||||||
diff -up openssh-6.0p1/misc.c.role-mls openssh-6.0p1/misc.c
|
diff -up openssh-6.1p1/auth.h.role-mls openssh-6.1p1/auth.h
|
||||||
--- openssh-6.0p1/misc.c.role-mls 2012-06-24 17:02:27.116348979 +0200
|
--- openssh-6.1p1/auth.h.role-mls 2012-11-28 17:06:43.669990062 +0100
|
||||||
+++ openssh-6.0p1/misc.c 2012-06-24 16:58:09.631883672 +0200
|
+++ openssh-6.1p1/auth.h 2012-11-28 17:06:43.699989959 +0100
|
||||||
|
@@ -59,6 +59,9 @@ struct Authctxt {
|
||||||
|
char *service;
|
||||||
|
struct passwd *pw; /* set if 'valid' */
|
||||||
|
char *style;
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ char *role;
|
||||||
|
+#endif
|
||||||
|
void *kbdintctxt;
|
||||||
|
void *jpake_ctx;
|
||||||
|
#ifdef BSD_AUTH
|
||||||
|
diff -up openssh-6.1p1/auth-pam.c.role-mls openssh-6.1p1/auth-pam.c
|
||||||
|
--- openssh-6.1p1/auth-pam.c.role-mls 2012-11-28 17:06:43.638990168 +0100
|
||||||
|
+++ openssh-6.1p1/auth-pam.c 2012-11-28 17:06:43.699989959 +0100
|
||||||
|
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
|
||||||
|
* during the ssh authentication process.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
-do_pam_putenv(char *name, char *value)
|
||||||
|
+do_pam_putenv(char *name, const char *value)
|
||||||
|
{
|
||||||
|
int ret = 1;
|
||||||
|
#ifdef HAVE_PAM_PUTENV
|
||||||
|
diff -up openssh-6.1p1/auth-pam.h.role-mls openssh-6.1p1/auth-pam.h
|
||||||
|
--- openssh-6.1p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200
|
||||||
|
+++ openssh-6.1p1/auth-pam.h 2012-11-28 17:06:43.699989959 +0100
|
||||||
|
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||||
|
void do_pam_set_tty(const char *);
|
||||||
|
void do_pam_setcred(int );
|
||||||
|
void do_pam_chauthtok(void);
|
||||||
|
-int do_pam_putenv(char *, char *);
|
||||||
|
+int do_pam_putenv(char *, const char *);
|
||||||
|
char ** fetch_pam_environment(void);
|
||||||
|
char ** fetch_pam_child_environment(void);
|
||||||
|
void free_pam_environment(char **);
|
||||||
|
diff -up openssh-6.1p1/misc.c.role-mls openssh-6.1p1/misc.c
|
||||||
|
--- openssh-6.1p1/misc.c.role-mls 2011-09-22 13:34:36.000000000 +0200
|
||||||
|
+++ openssh-6.1p1/misc.c 2012-11-28 17:06:43.701989952 +0100
|
||||||
@@ -427,6 +427,7 @@ char *
|
@@ -427,6 +427,7 @@ char *
|
||||||
colon(char *cp)
|
colon(char *cp)
|
||||||
{
|
{
|
||||||
@ -215,9 +215,9 @@ diff -up openssh-6.0p1/misc.c.role-mls openssh-6.0p1/misc.c
|
|||||||
}
|
}
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
|
||||||
--- openssh-6.0p1/monitor.c.role-mls 2012-06-24 16:57:17.510261504 +0200
|
--- openssh-6.1p1/monitor.c.role-mls 2012-11-28 17:06:43.686990004 +0100
|
||||||
+++ openssh-6.0p1/monitor.c 2012-06-24 16:49:35.809070938 +0200
|
+++ openssh-6.1p1/monitor.c 2012-11-28 17:06:43.701989952 +0100
|
||||||
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
|
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
|
||||||
int mm_answer_pwnamallow(int, Buffer *);
|
int mm_answer_pwnamallow(int, Buffer *);
|
||||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||||
@ -228,7 +228,7 @@ diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
|||||||
int mm_answer_authpassword(int, Buffer *);
|
int mm_answer_authpassword(int, Buffer *);
|
||||||
int mm_answer_bsdauthquery(int, Buffer *);
|
int mm_answer_bsdauthquery(int, Buffer *);
|
||||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||||
@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||||
@ -238,7 +238,7 @@ diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
|||||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -835,6 +841,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
@@ -838,6 +844,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||||
else {
|
else {
|
||||||
/* Allow service/style information on the auth context */
|
/* Allow service/style information on the auth context */
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||||
@ -248,7 +248,7 @@ diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
|||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||||
}
|
}
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -878,6 +887,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
@@ -881,6 +890,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -274,7 +274,7 @@ diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
|||||||
int
|
int
|
||||||
mm_answer_authpassword(int sock, Buffer *m)
|
mm_answer_authpassword(int sock, Buffer *m)
|
||||||
{
|
{
|
||||||
@@ -1254,7 +1282,7 @@ static int
|
@@ -1251,7 +1279,7 @@ static int
|
||||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||||
{
|
{
|
||||||
Buffer b;
|
Buffer b;
|
||||||
@ -283,7 +283,7 @@ diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
|||||||
u_int len;
|
u_int len;
|
||||||
int fail = 0;
|
int fail = 0;
|
||||||
|
|
||||||
@@ -1280,6 +1308,8 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1277,6 +1305,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||||
fail++;
|
fail++;
|
||||||
p = buffer_get_string(&b, NULL);
|
p = buffer_get_string(&b, NULL);
|
||||||
@ -292,7 +292,7 @@ diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
|||||||
if (strcmp(authctxt->user, p) != 0) {
|
if (strcmp(authctxt->user, p) != 0) {
|
||||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||||
authctxt->user, p);
|
authctxt->user, p);
|
||||||
@@ -1311,7 +1341,7 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1308,7 +1338,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
char *chost)
|
char *chost)
|
||||||
{
|
{
|
||||||
Buffer b;
|
Buffer b;
|
||||||
@ -301,7 +301,7 @@ diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
|||||||
u_int len;
|
u_int len;
|
||||||
int fail = 0;
|
int fail = 0;
|
||||||
|
|
||||||
@@ -1328,6 +1358,8 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1325,6 +1355,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||||
fail++;
|
fail++;
|
||||||
p = buffer_get_string(&b, NULL);
|
p = buffer_get_string(&b, NULL);
|
||||||
@ -310,9 +310,9 @@ diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
|
|||||||
if (strcmp(authctxt->user, p) != 0) {
|
if (strcmp(authctxt->user, p) != 0) {
|
||||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||||
authctxt->user, p);
|
authctxt->user, p);
|
||||||
diff -up openssh-6.0p1/monitor.h.role-mls openssh-6.0p1/monitor.h
|
diff -up openssh-6.1p1/monitor.h.role-mls openssh-6.1p1/monitor.h
|
||||||
--- openssh-6.0p1/monitor.h.role-mls 2012-06-24 16:57:17.520261902 +0200
|
--- openssh-6.1p1/monitor.h.role-mls 2012-11-28 17:06:43.686990004 +0100
|
||||||
+++ openssh-6.0p1/monitor.h 2012-06-24 16:49:35.809070938 +0200
|
+++ openssh-6.1p1/monitor.h 2012-11-28 17:06:43.701989952 +0100
|
||||||
@@ -31,6 +31,9 @@
|
@@ -31,6 +31,9 @@
|
||||||
enum monitor_reqtype {
|
enum monitor_reqtype {
|
||||||
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
||||||
@ -323,9 +323,9 @@ diff -up openssh-6.0p1/monitor.h.role-mls openssh-6.0p1/monitor.h
|
|||||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||||
diff -up openssh-6.0p1/monitor_wrap.c.role-mls openssh-6.0p1/monitor_wrap.c
|
diff -up openssh-6.1p1/monitor_wrap.c.role-mls openssh-6.1p1/monitor_wrap.c
|
||||||
--- openssh-6.0p1/monitor_wrap.c.role-mls 2012-06-24 16:57:17.537262580 +0200
|
--- openssh-6.1p1/monitor_wrap.c.role-mls 2012-11-28 17:06:43.686990004 +0100
|
||||||
+++ openssh-6.0p1/monitor_wrap.c 2012-06-24 16:49:35.810070900 +0200
|
+++ openssh-6.1p1/monitor_wrap.c 2012-11-28 17:06:43.702989948 +0100
|
||||||
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
|
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
|
||||||
buffer_free(&m);
|
buffer_free(&m);
|
||||||
}
|
}
|
||||||
@ -352,9 +352,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.role-mls openssh-6.0p1/monitor_wrap.c
|
|||||||
/* Do the password authentication */
|
/* Do the password authentication */
|
||||||
int
|
int
|
||||||
mm_auth_password(Authctxt *authctxt, char *password)
|
mm_auth_password(Authctxt *authctxt, char *password)
|
||||||
diff -up openssh-6.0p1/monitor_wrap.h.role-mls openssh-6.0p1/monitor_wrap.h
|
diff -up openssh-6.1p1/monitor_wrap.h.role-mls openssh-6.1p1/monitor_wrap.h
|
||||||
--- openssh-6.0p1/monitor_wrap.h.role-mls 2012-06-24 16:57:17.513261623 +0200
|
--- openssh-6.1p1/monitor_wrap.h.role-mls 2012-11-28 17:06:43.686990004 +0100
|
||||||
+++ openssh-6.0p1/monitor_wrap.h 2012-06-24 16:49:35.811070862 +0200
|
+++ openssh-6.1p1/monitor_wrap.h 2012-11-28 17:06:43.702989948 +0100
|
||||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
||||||
DH *mm_choose_dh(int, int, int);
|
DH *mm_choose_dh(int, int, int);
|
||||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||||
@ -365,9 +365,9 @@ diff -up openssh-6.0p1/monitor_wrap.h.role-mls openssh-6.0p1/monitor_wrap.h
|
|||||||
struct passwd *mm_getpwnamallow(const char *);
|
struct passwd *mm_getpwnamallow(const char *);
|
||||||
char *mm_auth2_read_banner(void);
|
char *mm_auth2_read_banner(void);
|
||||||
int mm_auth_password(struct Authctxt *, char *);
|
int mm_auth_password(struct Authctxt *, char *);
|
||||||
diff -up openssh-6.0p1/openbsd-compat/Makefile.in.role-mls openssh-6.0p1/openbsd-compat/Makefile.in
|
diff -up openssh-6.1p1/openbsd-compat/Makefile.in.role-mls openssh-6.1p1/openbsd-compat/Makefile.in
|
||||||
--- openssh-6.0p1/openbsd-compat/Makefile.in.role-mls 2012-06-24 16:57:17.525262102 +0200
|
--- openssh-6.1p1/openbsd-compat/Makefile.in.role-mls 2011-11-04 01:25:25.000000000 +0100
|
||||||
+++ openssh-6.0p1/openbsd-compat/Makefile.in 2012-06-24 16:51:38.087889399 +0200
|
+++ openssh-6.1p1/openbsd-compat/Makefile.in 2012-11-28 17:06:43.702989948 +0100
|
||||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
||||||
|
|
||||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||||
@ -377,9 +377,9 @@ diff -up openssh-6.0p1/openbsd-compat/Makefile.in.role-mls openssh-6.0p1/openbsd
|
|||||||
|
|
||||||
.c.o:
|
.c.o:
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||||
diff -up openssh-6.0p1/openbsd-compat/port-linux.c.role-mls openssh-6.0p1/openbsd-compat/port-linux.c
|
diff -up openssh-6.1p1/openbsd-compat/port-linux.c.role-mls openssh-6.1p1/openbsd-compat/port-linux.c
|
||||||
--- openssh-6.0p1/openbsd-compat/port-linux.c.role-mls 2012-06-24 16:57:17.527262182 +0200
|
--- openssh-6.1p1/openbsd-compat/port-linux.c.role-mls 2012-03-09 00:25:18.000000000 +0100
|
||||||
+++ openssh-6.0p1/openbsd-compat/port-linux.c 2012-06-24 17:00:55.621978528 +0200
|
+++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-28 17:06:43.702989948 +0100
|
||||||
@@ -31,68 +31,271 @@
|
@@ -31,68 +31,271 @@
|
||||||
|
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -840,9 +840,9 @@ diff -up openssh-6.0p1/openbsd-compat/port-linux.c.role-mls openssh-6.0p1/openbs
|
|||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
|
|
||||||
#ifdef LINUX_OOM_ADJUST
|
#ifdef LINUX_OOM_ADJUST
|
||||||
diff -up openssh-6.0p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.0p1/openbsd-compat/port-linux_part_2.c
|
diff -up openssh-6.1p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.1p1/openbsd-compat/port-linux_part_2.c
|
||||||
--- openssh-6.0p1/openbsd-compat/port-linux_part_2.c.role-mls 2012-06-24 16:57:17.530262302 +0200
|
--- openssh-6.1p1/openbsd-compat/port-linux_part_2.c.role-mls 2012-11-28 17:06:43.703989944 +0100
|
||||||
+++ openssh-6.0p1/openbsd-compat/port-linux_part_2.c 2012-06-24 16:49:35.813070786 +0200
|
+++ openssh-6.1p1/openbsd-compat/port-linux_part_2.c 2012-11-28 17:06:43.703989944 +0100
|
||||||
@@ -0,0 +1,75 @@
|
@@ -0,0 +1,75 @@
|
||||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||||
+
|
+
|
||||||
@ -919,10 +919,10 @@ diff -up openssh-6.0p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.0p1
|
|||||||
+#endif /* WITH_SELINUX */
|
+#endif /* WITH_SELINUX */
|
||||||
+
|
+
|
||||||
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
|
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
|
||||||
diff -up openssh-6.0p1/sshd.c.role-mls openssh-6.0p1/sshd.c
|
diff -up openssh-6.1p1/sshd.c.role-mls openssh-6.1p1/sshd.c
|
||||||
--- openssh-6.0p1/sshd.c.role-mls 2012-06-24 17:02:56.543257378 +0200
|
--- openssh-6.1p1/sshd.c.role-mls 2012-11-28 17:06:43.688989996 +0100
|
||||||
+++ openssh-6.0p1/sshd.c 2012-06-24 16:58:09.634883844 +0200
|
+++ openssh-6.1p1/sshd.c 2012-11-28 17:06:43.703989944 +0100
|
||||||
@@ -2090,6 +2090,9 @@ main(int ac, char **av)
|
@@ -2101,6 +2101,9 @@ main(int ac, char **av)
|
||||||
restore_uid();
|
restore_uid();
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
@ -120,7 +120,7 @@ Patch202: openssh-5.9p1-audit2.patch
|
|||||||
# -"-
|
# -"-
|
||||||
Patch203: openssh-5.9p1-audit3.patch
|
Patch203: openssh-5.9p1-audit3.patch
|
||||||
# -"-
|
# -"-
|
||||||
Patch204: openssh-6.0p1-audit4.patch
|
Patch204: openssh-6.1p1-audit4.patch
|
||||||
# -"-
|
# -"-
|
||||||
Patch205: openssh-6.0p1-audit5.patch
|
Patch205: openssh-6.0p1-audit5.patch
|
||||||
|
|
||||||
@ -132,7 +132,7 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
|
|||||||
# explicitly make pam callbacks visible
|
# explicitly make pam callbacks visible
|
||||||
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
|
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
||||||
Patch400: openssh-6.0p1-role-mls.patch
|
Patch400: openssh-6.1p1-role-mls.patch
|
||||||
#?
|
#?
|
||||||
#Patch402: openssh-5.9p1-sftp-chroot.patch
|
#Patch402: openssh-5.9p1-sftp-chroot.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1940
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1940
|
||||||
|
Loading…
Reference in New Issue
Block a user