add gssapi forced command

openssh-5.8p2-force_krb.patch

@@ -0,0 +1,288 @@
+diff -up openssh-5.8p2/gss-serv-krb5.c.force_krb openssh-5.8p2/gss-serv-krb5.c
+--- openssh-5.8p2/gss-serv-krb5.c.force_krb	2006-09-01 07:38:36.000000000 +0200
++++ openssh-5.8p2/gss-serv-krb5.c	2011-05-19 03:41:45.801109545 +0200
+@@ -32,7 +32,9 @@
+ #include <sys/types.h>
+ 
+ #include <stdarg.h>
++#include <stdio.h>
+ #include <string.h>
++#include <unistd.h>
+ 
+ #include "xmalloc.h"
+ #include "key.h"
+@@ -40,12 +42,11 @@
+ #include "auth.h"
+ #include "log.h"
+ #include "servconf.h"
++#include "misc.h"
+ 
+ #include "buffer.h"
+ #include "ssh-gss.h"
+ 
+-extern ServerOptions options;
+-
+ #ifdef HEIMDAL
+ # include <krb5.h>
+ #else
+@@ -56,6 +57,16 @@ extern ServerOptions options;
+ # endif
+ #endif
+ 
++extern Authctxt *the_authctxt;
++extern ServerOptions options;
++
++/* all commands are allowed by default */
++char **k5users_allowed_cmds = NULL;
++
++static int ssh_gssapi_k5login_exists();
++static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
++    int);
++
+ static krb5_context krb_context = NULL;
+ 
+ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+@@ -83,10 +94,11 @@ ssh_gssapi_krb5_init(void)
+  */
+ 
+ static int
+-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
++ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *luser)
+ {
+ 	krb5_principal princ;
+ 	int retval;
++	int k5login_exists;
+ 
+ 	if (ssh_gssapi_krb5_init() == 0)
+ 		return 0;
+@@ -97,10 +109,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+ 		    krb5_get_err_text(krb_context, retval));
+ 		return 0;
+ 	}
+-	if (krb5_kuserok(krb_context, princ, name)) {
++	/* krb5_kuserok() returns 1 if .k5login DNE and this is self-login.
++	 * We have to make sure to check .k5users in that case. */
++	k5login_exists = ssh_gssapi_k5login_exists();
++	/* NOTE: .k5login and .k5users must opened as root, not the user,
++	 * because if they are on a krb5-protected filesystem, user credentials
++	 * to access these files aren't available yet. */
++	if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
+ 		retval = 1;
+ 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+-		    name, (char *)client->displayname.value);
++		    luser, (char *)client->displayname.value);
++	} else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
++		luser, k5login_exists)) {
++		retval = 1;
++		logit("Authorized to %s, krb5 principal %s "
++		    "(ssh_gssapi_krb5_cmdok)",
++		    luser, (char *)client->displayname.value);
+ 	} else
+ 		retval = 0;
+ 
+@@ -108,6 +132,134 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+ 	return retval;
+ }
+ 
++/* Test for existence of .k5login.
++ * We need this as part of our .k5users check, because krb5_kuserok()
++ * returns success if .k5login DNE and user is logging in as himself.
++ * With .k5login absent and .k5users present, we don't want absence
++ * of .k5login to authorize self-login.  (absence of both is required)
++ * Returns 1 if .k5login is available, 0 otherwise.
++ */
++static int
++ssh_gssapi_k5login_exists()
++{
++	char file[MAXPATHLEN];
++	struct passwd *pw = the_authctxt->pw;
++
++	snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
++	return access(file, F_OK) == 0;
++}
++
++/* check .k5users for login or command authorization
++ * Returns 1 if principal is authorized, 0 otherwise.
++ * If principal is authorized, (global) k5users_allowed_cmds may be populated.
++ */
++static int
++ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
++    const char *luser, int k5login_exists)
++{
++	FILE *fp;
++	char file[MAXPATHLEN];
++	char line[BUFSIZ];
++	char kuser[65]; /* match krb5_kuserok() */
++	struct stat st;
++	struct passwd *pw = the_authctxt->pw;
++	int found_principal = 0;
++	int ncommands = 0, allcommands = 0;
++	u_long linenum;
++
++	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
++	/* If both .k5login and .k5users DNE, self-login is ok. */
++	if (!k5login_exists && (access(file, F_OK) == -1)) {
++		return (krb5_aname_to_localname(krb_context, principal,
++		    sizeof(kuser), kuser) == 0) &&
++		    (strcmp(kuser, luser) == 0);
++	}
++	if ((fp = fopen(file, "r")) == NULL) {
++		int saved_errno = errno;
++		/* 2nd access check to ease debugging if file perms are wrong.
++		 * But we don't want to report this if .k5users simply DNE. */
++		if (access(file, F_OK) == 0) {
++			logit("User %s fopen %s failed: %s",
++			    pw->pw_name, file, strerror(saved_errno));
++		}
++		return 0;
++	}
++	/* .k5users must be owned either by the user or by root */
++	if (fstat(fileno(fp), &st) == -1) {
++		/* can happen, but very wierd error so report it */
++		logit("User %s fstat %s failed: %s",
++		    pw->pw_name, file, strerror(errno));
++		fclose(fp);
++		return 0;
++	}
++	if (!(st.st_uid == pw->pw_uid || st.st_uid == 0)) {
++		logit("User %s %s is not owned by root or user",
++		    pw->pw_name, file);
++		fclose(fp);
++		return 0;
++	}
++	/* .k5users must be a regular file.  krb5_kuserok() doesn't do this
++	  * check, but we don't want to be deficient if they add a check. */
++	if (!S_ISREG(st.st_mode)) {
++		logit("User %s %s is not a regular file", pw->pw_name, file);
++		fclose(fp);
++		return 0;
++	}
++	/* file exists; initialize k5users_allowed_cmds (to none!) */
++	k5users_allowed_cmds = xcalloc(++ncommands,
++	    sizeof(*k5users_allowed_cmds));
++
++	/* Check each line.  ksu allows unlimited length lines.  We don't. */
++	while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line),
++	    &linenum) != -1) {
++		char *token;
++
++		/* we parse just like ksu, even though we could do better */
++		token = strtok(line, " \t\n");
++		if (strcmp(name, token) == 0) {
++			/* we matched on client principal */
++			found_principal = 1;
++			if ((token = strtok(NULL, " \t\n")) == NULL) {
++				/* only shell is allowed */
++				k5users_allowed_cmds[ncommands-1] =
++				    xstrdup(pw->pw_shell);
++				k5users_allowed_cmds =
++				    xrealloc(k5users_allowed_cmds, ++ncommands,
++					sizeof(*k5users_allowed_cmds));
++				break;
++			}
++			/* process the allowed commands */
++			while (token) {
++				if (strcmp(token, "*") == 0) {
++					allcommands = 1;
++					break;
++				}
++				k5users_allowed_cmds[ncommands-1] =
++				    xstrdup(token);
++				k5users_allowed_cmds =
++				    xrealloc(k5users_allowed_cmds, ++ncommands,
++					sizeof(*k5users_allowed_cmds));
++				token = strtok(NULL, " \t\n");
++			}
++		}
++       }
++	if (k5users_allowed_cmds) {
++		/* terminate vector */
++		k5users_allowed_cmds[ncommands-1] = NULL;
++		/* if all commands are allowed, free vector */
++		if (allcommands) {
++			int i;
++			for (i = 0; i < ncommands; i++) {
++				free(k5users_allowed_cmds[i]);
++			}
++			free(k5users_allowed_cmds);
++			k5users_allowed_cmds = NULL;
++		}
++	}
++	fclose(fp);
++	return found_principal;
++}
++ 
+ 
+ /* This writes out any forwarded credentials from the structure populated
+  * during userauth. Called after we have setuid to the user */
+diff -up openssh-5.8p2/session.c.force_krb openssh-5.8p2/session.c
+--- openssh-5.8p2/session.c.force_krb	2011-05-19 03:41:41.000000000 +0200
++++ openssh-5.8p2/session.c	2011-05-19 03:43:32.437173662 +0200
+@@ -816,6 +816,29 @@ do_exec(Session *s, const char *command)
+ 		debug("Forced command (key option) '%.900s'", command);
+ 	}
+ 
++#ifdef GSSAPI
++#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
++	else if (k5users_allowed_cmds) {
++		const char *match = command;
++		int allowed = 0, i = 0;
++ 
++		if (!match)
++			match = s->pw->pw_shell;
++		while (k5users_allowed_cmds[i]) {
++			if (strcmp(match, k5users_allowed_cmds[i++]) == 0) {
++				debug("Allowed command '%.900s'", match);
++				allowed = 1;
++				break;
++			}
++		}
++		if (!allowed) {
++			debug("command '%.900s' not allowed", match);
++			return 1;
++		}
++	}
++#endif
++#endif
++
+ #ifdef SSH_AUDIT_EVENTS
+ 	if (s->command != NULL || s->command_handle != -1)
+ 		fatal("do_exec: command already set");
+diff -up openssh-5.8p2/sshd.8.force_krb openssh-5.8p2/sshd.8
+--- openssh-5.8p2/sshd.8.force_krb	2011-05-19 03:41:30.582114401 +0200
++++ openssh-5.8p2/sshd.8	2011-05-19 03:41:46.159106308 +0200
+@@ -320,6 +320,7 @@ Finally, the server and the client enter
+ The client tries to authenticate itself using
+ host-based authentication,
+ public key authentication,
++GSSAPI authentication,
+ challenge-response authentication,
+ or password authentication.
+ .Pp
+@@ -788,6 +789,12 @@ This file is used in exactly the same wa
+ but allows host-based authentication without permitting login with
+ rlogin/rsh.
+ .Pp
++.It Pa ~/.k5login
++.It Pa ~/.k5users
++These files enforce GSSAPI/Kerberos authentication access control.
++Further details are described in
++.Xr ksu 1 .
++.Pp
+ .It Pa ~/.ssh/
+ This directory is the default location for all user-specific configuration
+ and authentication information.
+diff -up openssh-5.8p2/ssh-gss.h.force_krb openssh-5.8p2/ssh-gss.h
+--- openssh-5.8p2/ssh-gss.h.force_krb	2007-06-12 15:40:39.000000000 +0200
++++ openssh-5.8p2/ssh-gss.h	2011-05-19 03:41:46.302234118 +0200
+@@ -48,6 +48,10 @@
+ #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+ #endif /* GSS_C_NT_... */
+ #endif /* !HEIMDAL */
++
++/* .k5users support */
++extern char **k5users_allowed_cmds;
++
+ #endif /* KRB5 */
+ 
+ /* draft-ietf-secsh-gsskeyex-06 */

openssh-5.8p2-kuserok.patch

@@ -1,6 +1,6 @@
-diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
---- openssh-5.8p1/auth-krb5.c.kuserok	2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.8p1/auth-krb5.c	2011-02-14 09:15:12.000000000 +0100
+diff -up openssh-5.8p2/auth-krb5.c.kuserok openssh-5.8p2/auth-krb5.c
+--- openssh-5.8p2/auth-krb5.c.kuserok	2011-05-19 16:55:57.176106243 +0200
++++ openssh-5.8p2/auth-krb5.c	2011-05-19 16:56:02.009109884 +0200
 @@ -54,6 +54,20 @@
  
  extern ServerOptions	 options;
@@ -31,30 +31,30 @@ diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
  		problem = -1;
  		goto out;
  	}
-diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c
---- openssh-5.8p1/gss-serv-krb5.c.kuserok	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.8p1/gss-serv-krb5.c	2011-02-14 09:15:12.000000000 +0100
-@@ -57,6 +57,7 @@ extern ServerOptions options;
- #endif
+diff -up openssh-5.8p2/gss-serv-krb5.c.kuserok openssh-5.8p2/gss-serv-krb5.c
+--- openssh-5.8p2/gss-serv-krb5.c.kuserok	2011-05-19 16:56:01.000000000 +0200
++++ openssh-5.8p2/gss-serv-krb5.c	2011-05-20 05:48:50.681167894 +0200
+@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
+     int);
  
  static krb5_context krb_context = NULL;
 +extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
  
  /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
  
-@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
- 		    krb5_get_err_text(krb_context, retval));
- 		return 0;
- 	}
--	if (krb5_kuserok(krb_context, princ, name)) {
-+	if (ssh_krb5_kuserok(krb_context, princ, name)) {
+@@ -115,7 +116,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+ 	/* NOTE: .k5login and .k5users must opened as root, not the user,
+ 	 * because if they are on a krb5-protected filesystem, user credentials
+ 	 * to access these files aren't available yet. */
+-	if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
++	if (ssh_krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
  		retval = 1;
  		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- 		    name, (char *)client->displayname.value);
-diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
---- openssh-5.8p1/servconf.c.kuserok	2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/servconf.c	2011-02-14 09:20:22.000000000 +0100
-@@ -142,6 +142,7 @@ initialize_server_options(ServerOptions 
+ 		    luser, (char *)client->displayname.value);
+diff -up openssh-5.8p2/servconf.c.kuserok openssh-5.8p2/servconf.c
+--- openssh-5.8p2/servconf.c.kuserok	2011-05-19 16:55:59.549112264 +0200
++++ openssh-5.8p2/servconf.c	2011-05-19 16:56:02.332106613 +0200
+@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions
  	options->authorized_principals_file = NULL;
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
@@ -62,7 +62,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
  }
  
  void
-@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
+@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
  	if (use_privsep == -1)
  		use_privsep = 1;
  
@@ -71,7 +71,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
  #ifndef HAVE_MMAP
  	if (use_privsep && options->compression == 1) {
  		error("This platform does not support both privilege "
-@@ -312,7 +315,7 @@ typedef enum {
+@@ -321,7 +324,7 @@ typedef enum {
  	sPermitRootLogin, sLogFacility, sLogLevel,
  	sRhostsRSAAuthentication, sRSAAuthentication,
  	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@@ -80,7 +80,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
  	sKerberosTgtPassing, sChallengeResponseAuthentication,
  	sPasswordAuthentication, sKbdInteractiveAuthentication,
  	sListenAddress, sAddressFamily,
-@@ -381,11 +384,13 @@ static struct {
+@@ -392,11 +395,13 @@ static struct {
  #else
  	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
  #endif
@@ -94,7 +94,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
  #endif
  	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions
+@@ -1374,6 +1379,10 @@ process_server_config_line(ServerOptions
  		*activep = value;
  		break;
  
@@ -105,7 +105,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
  	case sPermitOpen:
  		arg = strdelim(&cp);
  		if (!arg || *arg == '\0')
-@@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1577,6 +1586,7 @@ copy_set_server_options(ServerOptions *d
  	M_CP_INTOPT(max_authtries);
  	M_CP_INTOPT(ip_qos_interactive);
  	M_CP_INTOPT(ip_qos_bulk);
@@ -113,7 +113,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
  
  	M_CP_STROPT(banner);
  	if (preauth)
-@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o)
+@@ -1800,6 +1810,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sUseDNS, o->use_dns);
  	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
  	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@@ -121,10 +121,10 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
  
  	/* string arguments */
  	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
---- openssh-5.8p1/servconf.h.kuserok	2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/servconf.h	2011-02-14 09:15:12.000000000 +0100
-@@ -157,6 +157,7 @@ typedef struct {
+diff -up openssh-5.8p2/servconf.h.kuserok openssh-5.8p2/servconf.h
+--- openssh-5.8p2/servconf.h.kuserok	2011-05-19 16:55:59.676167388 +0200
++++ openssh-5.8p2/servconf.h	2011-05-19 16:56:02.449168732 +0200
+@@ -160,6 +160,7 @@ typedef struct {
  
  	int	num_permitted_opens;
  
@@ -132,10 +132,10 @@ diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
  	char   *chroot_directory;
  	char   *revoked_keys_file;
  	char   *trusted_user_ca_keys;
-diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
---- openssh-5.8p1/sshd_config.5.kuserok	2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/sshd_config.5	2011-02-14 09:17:11.000000000 +0100
-@@ -574,6 +574,10 @@ Specifies whether to automatically destr
+diff -up openssh-5.8p2/sshd_config.5.kuserok openssh-5.8p2/sshd_config.5
+--- openssh-5.8p2/sshd_config.5.kuserok	2011-05-19 16:56:00.265169181 +0200
++++ openssh-5.8p2/sshd_config.5	2011-05-19 16:56:02.588114955 +0200
+@@ -602,6 +602,10 @@ Specifies whether to automatically destr
  file on logout.
  The default is
  .Dq yes .
@@ -146,7 +146,7 @@ diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
  .It Cm KexAlgorithms
  Specifies the available KEX (Key Exchange) algorithms.
  Multiple algorithms must be comma-separated.
-@@ -715,6 +719,7 @@ Available keywords are
+@@ -743,6 +747,7 @@ Available keywords are
  .Cm HostbasedUsesNameFromPacketOnly ,
  .Cm KbdInteractiveAuthentication ,
  .Cm KerberosAuthentication ,
@@ -154,9 +154,9 @@ diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
  .Cm MaxAuthTries ,
  .Cm MaxSessions ,
  .Cm PubkeyAuthentication ,
-diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config
---- openssh-5.8p1/sshd_config.kuserok	2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/sshd_config	2011-02-14 09:15:12.000000000 +0100
+diff -up openssh-5.8p2/sshd_config.kuserok openssh-5.8p2/sshd_config
+--- openssh-5.8p2/sshd_config.kuserok	2011-05-19 16:56:00.886106293 +0200
++++ openssh-5.8p2/sshd_config	2011-05-19 16:56:02.716105342 +0200
 @@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes

openssh.spec

@@ -74,7 +74,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p2
-%define openssh_rel 1
+%define openssh_rel 2
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 31
 
@@ -151,8 +151,6 @@ Patch31: openssh-5.2p1-allow-ip-opts.patch
 Patch32: openssh-5.8p1-randclean.patch
 # #https://bugzilla.mindrot.org/show_bug.cgi?id=1636
 # Patch33: openssh-5.1p1-log-in-chroot.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch34: openssh-5.8p1-kuserok.patch
 #http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
 Patch35: openssh-5.8p1-glob.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1891
@@ -182,6 +180,10 @@ Patch60: openssh-5.8p1-gsskex.patch
 Patch61: openssh-5.8p1-gssapi-canohost.patch
 #?
 Patch62: openssh-5.8p1-localdomain.patch
+#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
+Patch63: openssh-5.8p2-force_krb.patch
+#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
+Patch64: openssh-5.8p2-kuserok.patch
 #---
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1604
 # sctp
@@ -333,6 +335,7 @@ The module is most useful for su and sudo service stacks.
 %setup -q -a 4
 #Do not enable by default
 ###%patch99 -p1 -b .wIm
+
 %patch0 -p1 -b .redhat
 %patch100 -p1 -b .fingerprint
 %patch200 -p1 -b .exit
@@ -368,7 +371,6 @@ popd
 %patch30 -p1 -b .keygen
 %patch31 -p1 -b .ip-opts
 %patch32 -p1 -b .randclean
-%patch34 -p1 -b .kuserok
 %patch35 -p1 -b .glob
 %patch36 -p1 -b .pwchange
 %patch37 -p1 -b .keyperm
@@ -384,6 +386,8 @@ popd
 %patch60 -p1 -b .gsskex
 %patch61 -p1 -b .canohost
 %patch62 -p1 -b .localdomain
+%patch63 -p1 -b .force_krb
+%patch64 -p1 -b .kuserok
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -736,6 +740,9 @@ exit 0
 %endif
 
 %changelog
+* Mon May 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-2 + 0.9.2-31
+- add gssapi forced command
+
 * Tue May  3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-1 + 0.9.2-31
 - update the openssh version