Prepare update to 5.4p1

This commit is contained in:
Jan F. Chadima 2010-03-03 09:36:51 +00:00
parent 53050644bf
commit 974c89c195
18 changed files with 459 additions and 607 deletions

View File

@ -1 +1,2 @@
openssh-5.4p1-snap20100302-noacss.tar.bz2
pam_ssh_agent_auth-0.9.2.tar.bz2

View File

@ -1,11 +0,0 @@
--- openssh-3.9p1/contrib/gnome-ssh-askpass2.c.keep-above 2003-11-21 13:48:56.000000000 +0100
+++ openssh-3.9p1/contrib/gnome-ssh-askpass2.c 2005-02-08 08:44:02.099739294 +0100
@@ -119,6 +119,8 @@
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);
+ gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+
/* Grab focus */
gtk_widget_show_now(dialog);
if (grab_pointer) {

View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)
iD8DBQBBIgAxzo7LA4b/nEgRArlqAJ0UhIfcfbz+oAxn8AsiOeHBVMwFXwCgkXcX
hxmfq8nv/+hpiid1j9lAUx8=
=P4zN
-----END PGP SIGNATURE-----

View File

@ -1,9 +0,0 @@
--- openssh-5.2p1/openbsd-compat/openssl-compat.c~ 2010-01-27 17:36:29.000000000 -0500
+++ openssh-5.2p1/openbsd-compat/openssl-compat.c 2010-01-28 10:52:53.000000000 -0500
@@ -58,5 +58,6 @@
/* Enable use of crypto hardware */
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
+ OPENSSL_config(NULL);
}
#endif

View File

@ -1,64 +0,0 @@
diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c
--- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp 2009-08-12 00:29:37.712368892 +0200
+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-12 00:29:37.732544890 +0200
@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons
freecon(user_ctx);
debug3("%s: done", __func__);
}
+
+void
+ssh_selinux_change_context(const char *newname)
+{
+ int len, newlen;
+ char *oldctx, *newctx, *cx;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ if (getcon((security_context_t *)&oldctx) < 0) {
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
+ return;
+ }
+ if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == NULL) {
+ logit ("%s: unparseable context %s", __func__, oldctx);
+ return;
+ }
+
+ newlen = strlen(oldctx) + strlen(newname) + 1;
+ newctx = xmalloc(newlen);
+ len = cx - oldctx + 1;
+ memcpy(newctx, oldctx, len);
+ strlcpy(newctx + len, newname, newlen - len);
+ if ((cx = index(cx + 1, ':')))
+ strlcat(newctx, cx, newlen);
+ debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx);
+ if (setcon(newctx) < 0)
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
+ xfree(oldctx);
+ xfree(newctx);
+}
#endif /* WITH_SELINUX */
diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h
--- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100
+++ openssh-5.2p1/openbsd-compat/port-linux.h 2009-08-12 00:29:37.733388083 +0200
@@ -23,6 +23,7 @@
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_change_context(const char *);
#endif
#endif /* ! _PORT_LINUX_H */
diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
--- openssh-5.2p1/session.c.sesftp 2009-08-12 00:29:37.659250161 +0200
+++ openssh-5.2p1/session.c 2009-08-12 00:29:37.729578695 +0200
@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("sftpd_t");
+#endif
exit(sftp_server_main(i, argv, s->pw));
}

Binary file not shown.

Binary file not shown.

View File

@ -1,15 +1,15 @@
diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
--- openssh-5.3p1/auth2-pubkey.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/auth2-pubkey.c 2009-10-02 14:12:00.000000000 +0200
@@ -33,6 +33,7 @@
#include <stdio.h>
#include <stdarg.h>
diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c
--- openssh-5.4p1/auth2-pubkey.c.fips 2010-03-01 17:55:26.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 17:57:56.000000000 +0100
@@ -35,6 +35,7 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <openssl/fips.h>
#include "xmalloc.h"
#include "ssh.h"
@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key
@@ -269,7 +270,7 @@ user_key_allowed2(struct passwd *pw, Key
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
@ -18,10 +18,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
verbose("Found matching %s key: %s",
key_type(found), fp);
xfree(fp);
diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
--- openssh-5.3p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.3p1/authfile.c 2009-10-02 14:12:00.000000000 +0200
@@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch
diff -up openssh-5.4p1/authfile.c.fips openssh-5.4p1/authfile.c
--- openssh-5.4p1/authfile.c.fips 2010-01-12 09:42:29.000000000 +0100
+++ openssh-5.4p1/authfile.c 2010-03-01 17:55:28.000000000 +0100
@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
/* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -38,7 +38,7 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer));
cipher_cleanup(&ciphercontext);
@@ -414,8 +420,14 @@ key_load_private_rsa1(int fd, const char
@@ -421,8 +427,14 @@ key_load_private_rsa1(int fd, const char
cp = buffer_append_space(&decrypted, buffer_len(&buffer));
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
@ -55,9 +55,9 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer));
cipher_cleanup(&ciphercontext);
diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
--- openssh-5.3p1/cipher.c.fips 2009-10-02 13:44:03.000000000 +0200
+++ openssh-5.3p1/cipher.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/cipher.c.fips openssh-5.4p1/cipher.c
--- openssh-5.4p1/cipher.c.fips 2010-03-01 15:09:22.000000000 +0100
+++ openssh-5.4p1/cipher.c 2010-03-01 17:55:28.000000000 +0100
@@ -40,6 +40,7 @@
#include <sys/types.h>
@ -142,9 +142,9 @@ diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
}
/*
diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
--- openssh-5.3p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
+++ openssh-5.3p1/cipher-ctr.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/cipher-ctr.c.fips openssh-5.4p1/cipher-ctr.c
--- openssh-5.4p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
+++ openssh-5.4p1/cipher-ctr.c 2010-03-01 17:55:28.000000000 +0100
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
@ -155,9 +155,9 @@ diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
#endif
return (&aes_ctr);
}
diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
--- openssh-5.3p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.3p1/cipher.h 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/cipher.h.fips openssh-5.4p1/cipher.h
--- openssh-5.4p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.4p1/cipher.h 2010-03-01 17:55:28.000000000 +0100
@@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe
const u_char *, u_int, int);
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -167,9 +167,9 @@ diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *);
u_int cipher_is_cbc(const Cipher *);
diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
--- openssh-5.3p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.3p1/mac.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/mac.c.fips openssh-5.4p1/mac.c
--- openssh-5.4p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.4p1/mac.c 2010-03-01 17:55:28.000000000 +0100
@@ -28,6 +28,7 @@
#include <sys/types.h>
@ -219,10 +219,10 @@ diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
--- openssh-5.3p1/Makefile.in.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/Makefile.in 2009-10-02 14:20:18.000000000 +0200
@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS)
diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in
--- openssh-5.4p1/Makefile.in.fips 2010-02-24 08:18:51.000000000 +0100
+++ openssh-5.4p1/Makefile.in 2010-03-01 17:55:28.000000000 +0100
@@ -139,31 +139,31 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -240,28 +240,31 @@ diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
--- openssh-5.3p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
+++ openssh-5.3p1/myproposal.h 2009-10-02 14:12:00.000000000 +0200
@@ -53,7 +53,12 @@
diff -up openssh-5.4p1/myproposal.h.fips openssh-5.4p1/myproposal.h
--- openssh-5.4p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/myproposal.h 2010-03-01 17:55:28.000000000 +0100
@@ -55,7 +55,12 @@
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
@ -275,23 +278,9 @@ diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX,
diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c
--- openssh-5.3p1/nsskeys.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/nsskeys.c 2009-10-02 14:12:00.000000000 +0200
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
break;
}
- p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
- debug("fingerprint %u %s", key_size(k), p);
+ p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX);
+ debug("SHA1 fingerprint %u %s", key_size(k), p);
xfree(p);
return 0;
diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
+++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.4p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
+++ openssh-5.4p1/openbsd-compat/bsd-arc4random.c 2010-03-01 17:55:28.000000000 +0100
@@ -39,6 +39,7 @@
static int rc4_ready = 0;
static RC4_KEY rc4;
@ -333,9 +322,9 @@ diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbs
#endif /* !HAVE_ARC4RANDOM */
#ifndef ARC4RANDOM_BUF
diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
--- openssh-5.3p1/ssh-add.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/ssh-add.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c
--- openssh-5.4p1/ssh-add.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-add.c 2010-03-01 17:55:28.000000000 +0100
@@ -42,6 +42,7 @@
#include <sys/param.h>
@ -343,8 +332,8 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
+#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_LIBNSS
@@ -254,7 +255,7 @@ list_identities(AuthenticationConnection
#include <fcntl.h>
@@ -270,7 +271,7 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
if (do_fp) {
@ -353,9 +342,9 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
SSH_FP_HEX);
printf("%d %s %s (%s)\n",
key_size(key), fp, comment, key_type(key));
diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
--- openssh-5.3p1/ssh-agent.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/ssh-agent.c.fips openssh-5.4p1/ssh-agent.c
--- openssh-5.4p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-agent.c 2010-03-01 17:55:28.000000000 +0100
@@ -51,6 +51,7 @@
#include <openssl/evp.h>
@ -364,7 +353,7 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
#include "openbsd-compat/openssl-compat.h"
#include <errno.h>
@@ -200,9 +201,9 @@ confirm_key(Identity *id)
@@ -199,9 +200,9 @@ confirm_key(Identity *id)
char *p;
int ret = -1;
@ -377,9 +366,9 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
ret = 0;
xfree(p);
diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
--- openssh-5.3p1/ssh.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/ssh.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/ssh.c.fips openssh-5.4p1/ssh.c
--- openssh-5.4p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh.c 2010-03-01 17:55:28.000000000 +0100
@@ -72,6 +72,8 @@
#include <openssl/evp.h>
@ -389,7 +378,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -221,6 +223,10 @@ main(int ac, char **av)
@@ -225,6 +227,10 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
@ -400,8 +389,8 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
init_rng();
/*
@@ -281,6 +287,9 @@ main(int ac, char **av)
"ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) {
@@ -285,6 +291,9 @@ main(int ac, char **av)
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
@ -410,7 +399,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -552,7 +561,6 @@ main(int ac, char **av)
@@ -581,7 +590,6 @@ main(int ac, char **av)
if (!host)
usage();
@ -418,7 +407,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
ERR_load_crypto_strings();
/* Initialize the command to execute on remote host. */
@@ -638,6 +646,10 @@ main(int ac, char **av)
@@ -667,6 +675,10 @@ main(int ac, char **av)
seed_rng();
@ -429,7 +418,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -704,6 +716,12 @@ main(int ac, char **av)
@@ -733,6 +745,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
@ -442,9 +431,9 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms,
diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
--- openssh-5.3p1/sshconnect2.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/sshconnect2.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/sshconnect2.c.fips openssh-5.4p1/sshconnect2.c
--- openssh-5.4p1/sshconnect2.c.fips 2010-03-01 17:55:28.000000000 +0100
+++ openssh-5.4p1/sshconnect2.c 2010-03-01 17:55:29.000000000 +0100
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
@ -477,7 +466,7 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms;
@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t
@@ -529,8 +539,8 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
@ -488,19 +477,19 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
xfree(fp);
/*
diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
--- openssh-5.3p1/sshconnect.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/sshconnect.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
--- openssh-5.4p1/sshconnect.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/sshconnect.c 2010-03-01 17:55:29.000000000 +0100
@@ -40,6 +40,8 @@
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
+#include <openssl/fips.h>
+
#include "xmalloc.h"
#include "key.h"
#include "hostfile.h"
@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so
@@ -789,6 +791,7 @@ check_host_key(char *hostname, struct so
goto fail;
} else if (options.strict_host_key_checking == 2) {
char msg1[1024], msg2[1024];
@ -508,7 +497,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
if (show_other_keys(host, host_key))
snprintf(msg1, sizeof(msg1),
@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so
@@ -797,8 +800,8 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
@ -519,7 +508,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
SSH_FP_RANDOMART);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so
@@ -814,10 +817,10 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
@ -532,7 +521,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con
@@ -1131,17 +1134,18 @@ show_key_from_file(const char *file, con
Key *found;
char *fp, *ra;
int line, ret;
@ -555,7 +544,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
xfree(ra);
xfree(fp);
}
@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key)
@@ -1187,8 +1191,9 @@ warn_changed_key(Key *host_key)
{
char *fp;
const char *type = key_type(host_key);
@ -566,7 +555,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key)
@@ -1196,8 +1201,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that the %s host key has just been changed.", type);
@ -577,9 +566,9 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
error("Please contact your system administrator.");
xfree(fp);
diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
--- openssh-5.3p1/sshd.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/sshd.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c
--- openssh-5.4p1/sshd.c.fips 2010-03-01 17:55:27.000000000 +0100
+++ openssh-5.4p1/sshd.c 2010-03-01 17:55:29.000000000 +0100
@@ -76,6 +76,8 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
@ -589,7 +578,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE
@@ -1261,6 +1263,12 @@ main(int ac, char **av)
@@ -1298,6 +1300,12 @@ main(int ac, char **av)
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
@ -602,7 +591,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
init_rng();
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
@@ -1413,8 +1421,6 @@ main(int ac, char **av)
@@ -1459,8 +1467,6 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -611,7 +600,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)
@@ -1532,6 +1538,10 @@ main(int ac, char **av)
@@ -1578,6 +1584,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, key->type,
key_type(key));
}
@ -622,7 +611,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -1656,6 +1666,10 @@ main(int ac, char **av)
@@ -1742,6 +1752,10 @@ main(int ac, char **av)
/* Initialize the random number generator. */
arc4random_stir();
@ -633,7 +622,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
chdir("/");
@@ -2183,6 +2197,9 @@ do_ssh2_kex(void)
@@ -2274,6 +2288,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -643,7 +632,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2192,6 +2209,9 @@ do_ssh2_kex(void)
@@ -2283,6 +2300,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -653,9 +642,9 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
--- openssh-5.3p1/ssh-keygen.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c
--- openssh-5.4p1/ssh-keygen.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-keygen.c 2010-03-01 17:55:29.000000000 +0100
@@ -21,6 +21,7 @@
#include <openssl/evp.h>
@ -664,7 +653,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
#include "openbsd-compat/openssl-compat.h"
#include <errno.h>
@@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw)
@@ -524,7 +525,7 @@ do_fingerprint(struct passwd *pw)
enum fp_type fptype;
struct stat st;
@ -673,7 +662,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity)
@@ -1506,14 +1507,15 @@ passphrase_again:
@@ -1808,14 +1809,15 @@ passphrase_again:
fclose(f);
if (!quiet) {

View File

@ -1,6 +1,6 @@
diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
--- openssh-5.3p1/auth2.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth2.c 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c
--- openssh-5.4p1/auth2.c.gsskex 2010-03-01 18:14:24.000000000 +0100
+++ openssh-5.4p1/auth2.c 2010-03-01 18:14:28.000000000 +0100
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@ -35,9 +35,9 @@ diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
--- openssh-5.3p1/auth2-gss.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth2-gss.c 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c
--- openssh-5.4p1/auth2-gss.c.gsskex 2010-03-01 18:14:24.000000000 +0100
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
@ -137,9 +137,9 @@ diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
--- openssh-5.3p1/auth.h.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth.h 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h
--- openssh-5.4p1/auth.h.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/auth.h 2010-03-01 18:14:28.000000000 +0100
@@ -53,6 +53,7 @@ struct Authctxt {
int valid; /* user exists and is allowed to login */
int attempt;
@ -148,10 +148,10 @@ diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
int force_pwchange;
char *user; /* username sent by the client */
char *service;
diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
--- openssh-5.3p1/auth-krb5.c.gsskex 2006-08-05 04:39:39.000000000 +0200
+++ openssh-5.3p1/auth-krb5.c 2009-11-20 14:39:04.000000000 +0100
@@ -166,8 +166,13 @@ auth_krb5_password(Authctxt *authctxt, c
diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c
--- openssh-5.4p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100
+++ openssh-5.4p1/auth-krb5.c 2010-03-01 18:14:28.000000000 +0100
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
@ -165,7 +165,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
#ifdef USE_PAM
if (options.use_pam)
@@ -219,15 +224,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@ -190,7 +190,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
@@ -242,6 +254,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
return errno;
}
close(tmpfd);
@ -198,9 +198,9 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
return (krb5_cc_resolve(ctx, ccname, ccache));
}
diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
+++ openssh-5.3p1/ChangeLog.gssapi 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi
--- openssh-5.4p1/ChangeLog.gssapi.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/ChangeLog.gssapi 2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,95 @@
+20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@ -297,9 +297,9 @@ diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
--- openssh-5.3p1/clientloop.c.gsskex 2009-08-28 03:21:07.000000000 +0200
+++ openssh-5.3p1/clientloop.c 2009-11-20 14:48:53.000000000 +0100
diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c
--- openssh-5.4p1/clientloop.c.gsskex 2010-01-30 07:28:35.000000000 +0100
+++ openssh-5.4p1/clientloop.c 2010-03-01 18:14:28.000000000 +0100
@@ -111,6 +111,10 @@
#include "msg.h"
#include "roaming.h"
@ -311,7 +311,7 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
/* import options */
extern Options options;
@@ -1430,6 +1434,13 @@ client_loop(int have_pty, int escape_cha
@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
@ -325,9 +325,9 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
xxx_kex->done = 0;
diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.gsskex 2009-11-20 14:39:02.000000000 +0100
+++ openssh-5.3p1/configure.ac 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.gsskex 2010-03-01 18:14:27.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 18:14:28.000000000 +0100
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
@ -359,9 +359,9 @@ diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac
m4_pattern_allow(AU_IPv)
AC_CHECK_DECL(AU_IPv4, [],
AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c
--- openssh-5.3p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.3p1/gss-genr.c 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c
--- openssh-5.4p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.4p1/gss-genr.c 2010-03-01 18:14:28.000000000 +0100
@@ -39,12 +39,167 @@
#include "buffer.h"
#include "log.h"
@ -700,9 +700,9 @@ diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c
+}
+
#endif /* GSSAPI */
diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c
--- openssh-5.3p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
+++ openssh-5.3p1/gss-serv.c 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c
--- openssh-5.4p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
+++ openssh-5.4p1/gss-serv.c 2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
@ -1016,9 +1016,9 @@ diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c
}
#endif
diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c
--- openssh-5.3p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.3p1/gss-serv-krb5.c 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c
--- openssh-5.4p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.4p1/gss-serv-krb5.c 2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1139,12 +1139,12 @@ diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c
};
#endif /* KRB5 */
diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
--- openssh-5.3p1/kex.c.gsskex 2009-06-21 10:15:25.000000000 +0200
+++ openssh-5.3p1/kex.c 2009-11-20 14:50:11.000000000 +0100
@@ -49,6 +49,10 @@
#include "dispatch.h"
diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c
--- openssh-5.4p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100
+++ openssh-5.4p1/kex.c 2010-03-01 18:18:42.000000000 +0100
@@ -50,6 +50,10 @@
#include "monitor.h"
#include "roaming.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
@ -1153,7 +1153,7 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
@@ -325,6 +329,20 @@ choose_kex(Kex *k, char *client, char *s
@@ -326,6 +330,20 @@ choose_kex(Kex *k, char *client, char *s
k->kex_type = KEX_DH_GEX_SHA256;
k->evp_md = evp_ssh_sha256();
#endif
@ -1174,9 +1174,9 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
} else
fatal("bad kex alg %s", k->name);
}
diff -up /dev/null openssh-5.3p1/kexgssc.c
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
+++ openssh-5.3p1/kexgssc.c 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c
--- openssh-5.4p1/kexgssc.c.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/kexgssc.c 2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1512,9 +1512,9 @@ diff -up /dev/null openssh-5.3p1/kexgssc.c
+}
+
+#endif /* GSSAPI */
diff -up /dev/null openssh-5.3p1/kexgsss.c
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
+++ openssh-5.3p1/kexgsss.c 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c
--- openssh-5.4p1/kexgsss.c.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/kexgsss.c 2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1804,10 +1804,10 @@ diff -up /dev/null openssh-5.3p1/kexgsss.c
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
--- openssh-5.3p1/kex.h.gsskex 2009-06-21 10:15:25.000000000 +0200
+++ openssh-5.3p1/kex.h 2009-11-20 14:39:05.000000000 +0100
@@ -66,6 +66,9 @@ enum kex_exchange {
diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h
--- openssh-5.4p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/kex.h 2010-03-01 18:14:28.000000000 +0100
@@ -67,6 +67,9 @@ enum kex_exchange {
KEX_DH_GRP14_SHA1,
KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256,
@ -1817,7 +1817,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
KEX_MAX
};
@@ -121,6 +124,12 @@ struct Kex {
@@ -123,6 +126,12 @@ struct Kex {
sig_atomic_t done;
int flags;
const EVP_MD *evp_md;
@ -1830,7 +1830,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
char *client_version_string;
char *server_version_string;
int (*verify_host_key)(Key *);
@@ -143,6 +152,11 @@ void kexdh_server(Kex *);
@@ -146,6 +155,11 @@ void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
@ -1842,54 +1842,58 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.3p1/key.c.gsskex openssh-5.3p1/key.c
--- openssh-5.3p1/key.c.gsskex 2009-11-20 14:38:59.000000000 +0100
+++ openssh-5.3p1/key.c 2009-11-20 14:39:05.000000000 +0100
@@ -825,6 +825,8 @@ key_type_from_name(char *name)
return KEY_RSA;
} else if (strcmp(name, "ssh-dss") == 0) {
return KEY_DSA;
diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c
--- openssh-5.4p1/key.c.gsskex 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/key.c 2010-03-01 18:20:43.000000000 +0100
@@ -969,6 +969,8 @@ key_type_from_name(char *name)
return KEY_RSA_CERT;
} else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
return KEY_DSA_CERT;
+ } else if (strcmp(name, "null") == 0) {
+ return KEY_NULL;
}
debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC;
diff -up openssh-5.3p1/key.h.gsskex openssh-5.3p1/key.h
--- openssh-5.3p1/key.h.gsskex 2009-11-20 14:38:59.000000000 +0100
+++ openssh-5.3p1/key.h 2009-11-20 14:50:59.000000000 +0100
@@ -40,6 +40,7 @@ enum types {
KEY_RSA,
diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h
--- openssh-5.4p1/key.h.gsskex 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/key.h 2010-03-01 18:21:22.000000000 +0100
@@ -37,6 +37,7 @@ enum types {
KEY_DSA,
KEY_NSS,
KEY_RSA_CERT,
KEY_DSA_CERT,
+ KEY_NULL,
KEY_UNSPEC
};
enum fp_type {
diff -up openssh-5.3p1/Makefile.in.gsskex openssh-5.3p1/Makefile.in
--- openssh-5.3p1/Makefile.in.gsskex 2009-11-20 14:39:02.000000000 +0100
+++ openssh-5.3p1/Makefile.in 2009-11-20 15:06:44.000000000 +0100
@@ -71,7 +71,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in
--- openssh-5.4p1/Makefile.in.gsskex 2010-03-01 18:14:27.000000000 +0100
+++ openssh-5.4p1/Makefile.in 2010-03-01 18:23:31.000000000 +0100
@@ -74,11 +74,11 @@
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
- entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o
+ entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o \
+ kexgssc.o
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
entropy.o gss-genr.o umac.o jpake.o schnorr.o \
- ssh-pkcs11.o
+ ssh-pkcs11.o kexgssc.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@@ -85,7 +86,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
- roaming_common.o roaming_client.o
+ roaming_common.o roaming_client.o kexgssc.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
@@ -91,7 +91,7 @@
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
roaming_common.o
diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
--- openssh-5.3p1/monitor.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/monitor.c 2009-11-20 14:39:05.000000000 +0100
- roaming_common.o roaming_serv.o
+ roaming_common.o roaming_serv.o kexgsss.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c
--- openssh-5.4p1/monitor.c.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/monitor.c 2010-03-01 18:14:29.000000000 +0100
@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
@ -1956,7 +1960,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
@@ -1943,6 +1967,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
@@ -1944,6 +1968,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@ -1966,7 +1970,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
goid.elements = buffer_get_string(m, &len);
goid.length = len;
@@ -1970,6 +1997,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -1971,6 +1998,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@ -1976,7 +1980,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1987,6 +2017,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -1988,6 +2018,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1984,7 +1988,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
}
return (0);
}
@@ -1998,6 +2029,9 @@ mm_answer_gss_checkmic(int sock, Buffer
@@ -1999,6 +2030,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@ -1994,7 +1998,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
@@ -2024,7 +2058,11 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2025,7 +2059,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@ -2007,7 +2011,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
@@ -2037,6 +2075,74 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2038,6 +2076,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@ -2082,9 +2086,9 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
#endif /* GSSAPI */
#ifdef JPAKE
diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h
--- openssh-5.3p1/monitor.h.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/monitor.h 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h
--- openssh-5.4p1/monitor.h.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/monitor.h 2010-03-01 18:14:29.000000000 +0100
@@ -56,6 +56,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2094,9 +2098,9 @@ diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h
MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c
--- openssh-5.3p1/monitor_wrap.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/monitor_wrap.c 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c
--- openssh-5.4p1/monitor_wrap.c.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 18:14:29.000000000 +0100
@@ -1267,7 +1267,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
@ -2158,9 +2162,9 @@ diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c
#endif /* GSSAPI */
#ifdef JPAKE
diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h
--- openssh-5.3p1/monitor_wrap.h.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/monitor_wrap.h 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h
--- openssh-5.4p1/monitor_wrap.h.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 18:14:29.000000000 +0100
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2173,10 +2177,10 @@ diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h
#endif
#ifdef USE_PAM
diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
--- openssh-5.3p1/readconf.c.gsskex 2009-11-20 14:38:59.000000000 +0100
+++ openssh-5.3p1/readconf.c 2009-11-20 14:39:06.000000000 +0100
@@ -128,6 +128,7 @@ typedef enum {
diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c
--- openssh-5.4p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100
+++ openssh-5.4p1/readconf.c 2010-03-01 18:14:29.000000000 +0100
@@ -127,6 +127,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -2184,7 +2188,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -165,10 +166,18 @@ static struct {
@@ -164,10 +165,18 @@ static struct {
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
@ -2203,7 +2207,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -462,10 +471,26 @@ parse_flag:
@@ -456,10 +465,26 @@ parse_flag:
intptr = &options->gss_authentication;
goto parse_flag;
@ -2230,7 +2234,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1029,7 +1054,11 @@ initialize_options(Options * options)
@@ -1015,7 +1040,11 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@ -2242,7 +2246,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1123,8 +1152,14 @@ fill_default_options(Options * options)
@@ -1107,8 +1136,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2257,9 +2261,9 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h
--- openssh-5.3p1/readconf.h.gsskex 2009-11-20 14:38:59.000000000 +0100
+++ openssh-5.3p1/readconf.h 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h
--- openssh-5.4p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100
+++ openssh-5.4p1/readconf.h 2010-03-01 18:14:29.000000000 +0100
@@ -44,7 +44,11 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@ -2272,10 +2276,10 @@ diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
--- openssh-5.3p1/servconf.c.gsskex 2009-11-20 14:39:03.000000000 +0100
+++ openssh-5.3p1/servconf.c 2009-11-20 14:52:27.000000000 +0100
@@ -92,7 +92,10 @@ initialize_server_options(ServerOptions
diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c
--- openssh-5.4p1/servconf.c.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/servconf.c 2010-03-01 18:25:32.000000000 +0100
@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@ -2286,7 +2290,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -213,8 +216,14 @@ fill_default_server_options(ServerOption
@@ -215,8 +218,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2301,7 +2305,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -308,7 +317,9 @@ typedef enum {
@@ -310,7 +319,9 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -2311,8 +2315,8 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
+ sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication,
@@ -371,9 +382,15 @@ static struct {
sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -373,9 +384,15 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2328,7 +2332,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -906,10 +923,22 @@ process_server_config_line(ServerOptions
@@ -935,10 +952,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@ -2351,10 +2355,10 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h
--- openssh-5.3p1/servconf.h.gsskex 2009-11-20 14:39:03.000000000 +0100
+++ openssh-5.3p1/servconf.h 2009-11-20 14:39:06.000000000 +0100
@@ -91,7 +91,10 @@ typedef struct {
diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h
--- openssh-5.4p1/servconf.h.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/servconf.h 2010-03-01 18:14:29.000000000 +0100
@@ -94,7 +94,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@ -2365,9 +2369,9 @@ diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5
--- openssh-5.3p1/ssh_config.5.gsskex 2009-02-23 00:53:58.000000000 +0100
+++ openssh-5.3p1/ssh_config.5 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5
--- openssh-5.4p1/ssh_config.5.gsskex 2010-02-11 23:26:02.000000000 +0100
+++ openssh-5.4p1/ssh_config.5 2010-03-01 18:14:29.000000000 +0100
@@ -478,11 +478,38 @@ Specifies whether user authentication ba
The default is
.Dq no .
@ -2408,9 +2412,9 @@ diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config
--- openssh-5.3p1/ssh_config.gsskex 2009-11-20 14:38:53.000000000 +0100
+++ openssh-5.3p1/ssh_config 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config
--- openssh-5.4p1/ssh_config.gsskex 2010-03-01 18:14:24.000000000 +0100
+++ openssh-5.4p1/ssh_config 2010-03-01 18:14:29.000000000 +0100
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
@ -2420,9 +2424,9 @@ diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
--- openssh-5.3p1/sshconnect2.c.gsskex 2009-11-20 14:39:01.000000000 +0100
+++ openssh-5.3p1/sshconnect2.c 2009-11-20 15:05:03.000000000 +0100
diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c
--- openssh-5.4p1/sshconnect2.c.gsskex 2010-03-01 18:14:27.000000000 +0100
+++ openssh-5.4p1/sshconnect2.c 2010-03-01 18:14:29.000000000 +0100
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{
Kex *kex;
@ -2503,7 +2507,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
xxx_kex = kex;
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
@@ -247,6 +299,7 @@ void input_gssapi_token(int type, u_int3
@@ -253,6 +305,7 @@ void input_gssapi_token(int type, u_int3
void input_gssapi_hash(int type, u_int32_t, void *);
void input_gssapi_error(int, u_int32_t, void *);
void input_gssapi_errtok(int, u_int32_t, void *);
@ -2511,7 +2515,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
#endif
void userauth(Authctxt *, char *);
@@ -262,6 +315,10 @@ static char *authmethods_get(void);
@@ -268,6 +321,10 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@ -2522,7 +2526,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
{"gssapi-with-mic",
userauth_gssapi,
NULL,
@@ -555,23 +612,35 @@ userauth_gssapi(Authctxt *authctxt)
@@ -576,23 +633,35 @@ userauth_gssapi(Authctxt *authctxt)
int ok = 0;
char* remotehost = NULL;
const char* canonicalhost = get_canonical_hostname(1);
@ -2560,7 +2564,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
ok = 1; /* Mechanism works */
} else {
mech++;
@@ -668,8 +737,8 @@ input_gssapi_response(int type, u_int32_
@@ -689,8 +758,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@ -2571,7 +2575,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
@@ -779,6 +848,48 @@ input_gssapi_error(int type, u_int32_t p
@@ -800,6 +869,48 @@ input_gssapi_error(int type, u_int32_t p
xfree(msg);
xfree(lang);
}
@ -2620,9 +2624,9 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
#endif /* GSSAPI */
int
diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
--- openssh-5.3p1/sshd.c.gsskex 2009-11-20 14:39:01.000000000 +0100
+++ openssh-5.3p1/sshd.c 2009-11-20 14:53:31.000000000 +0100
diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c
--- openssh-5.4p1/sshd.c.gsskex 2010-03-01 18:14:27.000000000 +0100
+++ openssh-5.4p1/sshd.c 2010-03-01 18:14:29.000000000 +0100
@@ -129,6 +129,10 @@ int allow_severity;
int deny_severity;
#endif /* LIBWRAP */
@ -2634,7 +2638,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@@ -1546,10 +1550,13 @@ main(int ac, char **av)
@@ -1592,10 +1596,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@ -2648,7 +2652,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
@@ -1837,6 +1844,60 @@ main(int ac, char **av)
@@ -1928,6 +1935,60 @@ main(int ac, char **av)
/* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2709,7 +2713,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
@@ -2223,12 +2284,61 @@ do_ssh2_kex(void)
@@ -2314,12 +2375,61 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2771,9 +2775,9 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
--- openssh-5.3p1/sshd_config.5.gsskex 2009-11-20 14:39:03.000000000 +0100
+++ openssh-5.3p1/sshd_config.5 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5
--- openssh-5.4p1/sshd_config.5.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/sshd_config.5 2010-03-01 18:14:29.000000000 +0100
@@ -379,12 +379,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
@ -2815,10 +2819,10 @@ diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
--- openssh-5.3p1/sshd_config.gsskex 2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.3p1/sshd_config 2009-11-20 14:54:30.000000000 +0100
@@ -80,6 +80,8 @@ ChallengeResponseAuthentication no
diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config
--- openssh-5.4p1/sshd_config.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/sshd_config 2010-03-01 18:14:29.000000000 +0100
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
@ -2827,9 +2831,9 @@ diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-5.3p1/ssh-gss.h.gsskex openssh-5.3p1/ssh-gss.h
--- openssh-5.3p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.3p1/ssh-gss.h 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h
--- openssh-5.4p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.4p1/ssh-gss.h 2010-03-01 18:14:30.000000000 +0100
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*

View File

@ -1,7 +1,7 @@
diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.mls 2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.3p1/configure.ac 2009-10-02 14:04:31.000000000 +0200
@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux,
diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 15:24:28.000000000 +0100
@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux,
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
@ -9,9 +9,9 @@ diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
LIBS="$save_LIBS"
fi ]
)
diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
--- openssh-5.3p1/misc.c.mls 2009-02-21 22:47:02.000000000 +0100
+++ openssh-5.3p1/misc.c 2009-10-02 14:04:31.000000000 +0200
diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c
--- openssh-5.4p1/misc.c.mls 2010-01-10 00:31:12.000000000 +0100
+++ openssh-5.4p1/misc.c 2010-03-01 15:24:28.000000000 +0100
@@ -423,6 +423,7 @@ char *
colon(char *cp)
{
@ -36,15 +36,16 @@ diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
}
return (0);
}
diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c
--- openssh-5.3p1/openbsd-compat/port-linux.c.mls 2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.3p1/openbsd-compat/port-linux.c 2009-10-02 14:04:31.000000000 +0200
@@ -33,12 +33,23 @@
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:25:50.000000000 +0100
@@ -35,13 +35,24 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
+#include "xmalloc.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
+#include <selinux/context.h>
@ -63,7 +64,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
@@ -54,17 +65,173 @@ ssh_selinux_enabled(void)
@@ -57,17 +68,173 @@ ssh_selinux_enabled(void)
return (enabled);
}
@ -243,7 +244,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
sename = NULL;
@@ -72,38 +239,63 @@ ssh_selinux_getctxbyname(char *pwname)
@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname)
}
#else
sename = pwname;
@ -329,7 +330,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
#ifdef HAVE_GETSEUSERBYNAME
if (sename != NULL)
@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname)
@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname)
if (lvl != NULL)
xfree(lvl);
#endif
@ -351,7 +352,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
security_context_t user_ctx = NULL;
if (!ssh_selinux_enabled())
@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn
@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn
debug3("%s: setting execution context", __func__);
@ -404,7 +405,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
debug3("%s: done", __func__);
}
@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons
@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
@ -416,10 +417,10 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
--- openssh-5.3p1/session.c.mls 2009-08-20 08:20:50.000000000 +0200
+++ openssh-5.3p1/session.c 2009-10-02 14:06:12.000000000 +0200
@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
diff -up openssh-5.4p1/session.c.mls openssh-5.4p1/session.c
--- openssh-5.4p1/session.c.mls 2010-01-12 09:51:48.000000000 +0100
+++ openssh-5.4p1/session.c 2010-03-01 15:24:28.000000000 +0100
@@ -1559,10 +1559,6 @@ do_setusercontext(struct passwd *pw)
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
@ -430,10 +431,10 @@ diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
}
static void
diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c
--- openssh-5.3p1/sshd.c.mls 2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.3p1/sshd.c 2009-10-02 14:04:31.000000000 +0200
@@ -1896,6 +1896,9 @@ main(int ac, char **av)
diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c
--- openssh-5.4p1/sshd.c.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/sshd.c 2010-03-01 15:24:28.000000000 +0100
@@ -1987,6 +1987,9 @@ main(int ac, char **av)
restore_uid();
}
#endif

View File

@ -186,7 +186,7 @@ diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c
diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
--- openssh-5.3p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200
+++ openssh-5.3p1/key.h 2009-11-27 13:43:01.000000000 +0100
@@ -29,11 +29,17 @@
@@ -30,6 +30,11 @@
#include <openssl/rsa.h>
#include <openssl/dsa.h>
@ -198,13 +198,15 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
typedef struct Key Key;
enum types {
KEY_RSA1,
KEY_RSA,
@@ -37,6 +42,7 @@
KEY_DSA,
KEY_RSA_CERT,
KEY_DSA_CERT,
+ KEY_NSS,
KEY_UNSPEC
};
enum fp_type {
@@ -48,16 +54,30 @@ enum fp_rep {
@@ -51,6 +57,15 @@
/* key is stored in external hardware */
#define KEY_FLAG_EXT 0x0001
@ -218,23 +220,25 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
+};
+#endif
struct Key {
int type;
int flags;
#define CERT_MAX_PRINCIPALS 256
struct KeyCert {
@@ -70,11 +85,16 @@
RSA *rsa;
DSA *dsa;
struct KeyCert *cert;
+#ifdef HAVE_LIBNSS
+ NSSKey *nss;
+#endif
};
Key *key_new(int);
void key_add_private(Key *);
Key *key_new_private(int);
+Key *key_new_nss(int);
+Key *key_new_nss_copy(int, const Key *);
void key_free(Key *);
Key *key_demote(const Key *);
int key_equal(const Key *, const Key *);
int key_equal_public(const Key *, const Key *);
diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in
--- openssh-5.3p1/Makefile.in.nss-keys 2009-08-28 02:47:38.000000000 +0200
+++ openssh-5.3p1/Makefile.in 2009-11-27 13:43:01.000000000 +0100

View File

@ -1,18 +1,6 @@
diff -up openssh-5.0p1/auth-pam.h.pam_selinux openssh-5.0p1/auth-pam.h
--- openssh-5.0p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.0p1/auth-pam.h 2008-04-30 14:25:28.000000000 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c
--- openssh-5.0p1/auth-pam.c.pam_selinux 2008-03-11 12:58:25.000000000 +0100
+++ openssh-5.0p1/auth-pam.c 2008-04-30 14:25:21.000000000 +0200
diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c
--- openssh-5.4p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.4p1/auth-pam.c 2010-03-01 15:27:23.000000000 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
@ -22,18 +10,30 @@ diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/openbsd-compat/port-linux.c
--- openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux 2008-04-07 22:01:37.000000000 +0200
+++ openssh-5.0p1/openbsd-compat/port-linux.c 2008-04-30 14:26:17.000000000 +0200
@@ -34,6 +34,7 @@
diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h
--- openssh-5.4p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.4p1/auth-pam.h 2010-03-01 15:27:23.000000000 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux 2010-03-01 15:27:22.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:27:53.000000000 +0100
@@ -36,6 +36,7 @@
#include "hostfile.h"
#include "auth.h"
#include "xmalloc.h"
+#include "servconf.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
@@ -47,6 +48,7 @@
@@ -50,6 +51,7 @@
#include <unistd.h>
#endif
@ -41,7 +41,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope
extern Authctxt *the_authctxt;
extern int inetd_flag;
extern int rexeced_flag;
@@ -208,29 +210,38 @@ get_user_context(const char *sename, con
@@ -211,29 +213,38 @@ get_user_context(const char *sename, con
return -1;
}
@ -92,7 +92,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -311,6 +322,36 @@ ssh_selinux_getctxbyname(char *pwname,
@@ -314,6 +325,36 @@ ssh_selinux_getctxbyname(char *pwname,
return (r);
}
@ -129,7 +129,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
@@ -322,6 +363,24 @@ ssh_selinux_setup_exec_context(char *pwn
@@ -325,6 +366,24 @@ ssh_selinux_setup_exec_context(char *pwn
if (!ssh_selinux_enabled())
return;

View File

@ -1,7 +1,7 @@
diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
--- openssh-5.3p1/auth2-pubkey.c.pka 2009-03-08 01:40:28.000000000 +0100
+++ openssh-5.3p1/auth2-pubkey.c 2010-01-04 16:07:53.000000000 +0100
@@ -175,26 +175,14 @@ done:
diff -up openssh-5.4p1/auth2-pubkey.c.pka openssh-5.4p1/auth2-pubkey.c
--- openssh-5.4p1/auth2-pubkey.c.pka 2010-03-01 18:10:48.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 18:10:50.000000000 +0100
@@ -186,27 +186,15 @@ done:
/* return 1 if user allows given key */
static int
@ -9,6 +9,7 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
{
char line[SSH_MAX_PUBKEY_BYTES];
const char *reason;
int found_key = 0;
- FILE *f;
u_long linenum = 0;
@ -27,9 +28,9 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
- }
-
found_key = 0;
found = key_new(key->type);
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key
@@ -277,21 +265,160 @@ user_key_allowed2(struct passwd *pw, Key
break;
}
}
@ -193,63 +194,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
file = authorized_keys_file(pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
diff -up openssh-5.3p1/configure.pka openssh-5.3p1/configure
--- openssh-5.3p1/configure.pka 2009-10-13 19:27:51.000000000 +0200
+++ openssh-5.3p1/configure 2009-10-15 06:26:33.000000000 +0200
@@ -769,6 +769,7 @@ with_skey
with_tcp_wrappers
with_libedit
with_audit
+with_pka
with_ssl_dir
with_openssl_header_check
with_ssl_engine
@@ -1473,6 +1474,7 @@ Optional Packages:
--with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
--with-libedit[=PATH] Enable libedit support for sftp
--with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)
+ --with-pka Enable pubkey agent support
--with-ssl-dir=PATH Specify path to OpenSSL installation
--without-openssl-header-check Disable OpenSSL version consistency check
--with-ssl-engine Enable OpenSSL (hardware) ENGINE support
@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m
fi
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+
+# Check whether --with-pka was given.
+if test "${with_pka+set}" = set; then
+ withval=$with_pka;
+ if test "x$withval" != "xno" ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define WITH_PUBKEY_AGENT 1
+_ACEOF
+
+ PKA_MSG="yes"
+ fi
+
+
+fi
+
+
@@ -32772,6 +32793,7 @@ echo " Linux audit support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
+echo " PKA support: $PKA_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.pka 2009-09-11 06:56:08.000000000 +0200
+++ openssh-5.3p1/configure.ac 2010-01-04 16:07:53.000000000 +0100
@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit,
diff -up openssh-5.4p1/configure.ac.pka openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.pka 2010-03-01 18:10:47.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 18:10:50.000000000 +0100
@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit,
esac ]
)
@ -268,7 +216,7 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS( \
arc4random \
@@ -4229,6 +4241,7 @@ echo " SELinux support
@@ -4206,6 +4218,7 @@ echo " Linux audit support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
@ -276,10 +224,10 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
--- openssh-5.3p1/servconf.c.pka 2009-06-21 12:26:17.000000000 +0200
+++ openssh-5.3p1/servconf.c 2010-01-04 16:07:53.000000000 +0100
@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions
diff -up openssh-5.4p1/servconf.c.pka openssh-5.4p1/servconf.c
--- openssh-5.4p1/servconf.c.pka 2010-03-01 18:10:46.000000000 +0100
+++ openssh-5.4p1/servconf.c 2010-03-01 18:13:23.000000000 +0100
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
@ -288,18 +236,18 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
options->zero_knowledge_password_authentication = -1;
}
@@ -306,6 +308,7 @@ typedef enum {
@@ -312,6 +314,7 @@ typedef enum {
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
+ sPubkeyAgent, sPubkeyAgentRunAs,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -424,6 +427,13 @@ static struct {
{ "permitopen", sPermitOpen, SSHCFG_ALL },
@@ -432,6 +435,13 @@ static struct {
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
+#ifdef WITH_PUBKEY_AGENT
+ { "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
+ { "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
@ -310,7 +258,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
{ NULL, sBadOption, 0 }
};
@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions
@@ -1332,6 +1342,20 @@ process_server_config_line(ServerOptions
*charptr = xstrdup(arg);
break;
@ -331,7 +279,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d
@@ -1425,6 +1449,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
@ -340,10 +288,10 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(kbd_interactive_authentication);
@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
@@ -1666,6 +1692,10 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
+#ifdef WITH_PUBKEY_AGENT
+ dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
+ dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
@ -351,10 +299,10 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h
--- openssh-5.3p1/servconf.h.pka 2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.3p1/servconf.h 2010-01-04 16:07:53.000000000 +0100
@@ -151,6 +151,8 @@ typedef struct {
diff -up openssh-5.4p1/servconf.h.pka openssh-5.4p1/servconf.h
--- openssh-5.4p1/servconf.h.pka 2010-03-01 18:10:46.000000000 +0100
+++ openssh-5.4p1/servconf.h 2010-03-01 18:10:50.000000000 +0100
@@ -155,6 +155,8 @@ typedef struct {
int num_permitted_opens;
char *chroot_directory;
@ -363,26 +311,20 @@ diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h
} ServerOptions;
void initialize_server_options(ServerOptions *);
diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
--- openssh-5.3p1/sshd_config.0.pka 2009-09-26 08:31:16.000000000 +0200
+++ openssh-5.3p1/sshd_config.0 2010-01-04 16:07:53.000000000 +0100
@@ -344,10 +344,11 @@ DESCRIPTION
AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
diff -up openssh-5.4p1/sshd_config.0.pka openssh-5.4p1/sshd_config.0
--- openssh-5.4p1/sshd_config.0.pka 2010-03-01 18:10:46.000000000 +0100
+++ openssh-5.4p1/sshd_config.0 2010-03-01 18:10:50.000000000 +0100
@@ -352,7 +352,8 @@ DESCRIPTION
KbdInteractiveAuthentication, KerberosAuthentication,
- MaxAuthTries, MaxSessions, PasswordAuthentication,
- PermitEmptyPasswords, PermitOpen, PermitRootLogin,
- RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
- X11Forwarding and X11UseLocalHost.
+ MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent,
+ PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords,
+ PermitOpen, PermitRootLogin, RhostsRSAAuthentication,
+ RSAAuthentication, X11DisplayOffset, X11Forwarding and
+ X11UseLocalHost.
MaxAuthTries, MaxSessions, PasswordAuthentication,
PermitEmptyPasswords, PermitOpen, PermitRootLogin,
- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+ PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
+ RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding and X11UseLocalHost.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
@@ -455,6 +456,17 @@ DESCRIPTION
@@ -461,6 +462,17 @@ DESCRIPTION
fault is ``yes''. Note that this option applies to protocol ver-
sion 2 only.
@ -400,22 +342,10 @@ diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication to-
gether with successful RSA host authentication is allowed. The
diff -up openssh-5.3p1/sshd_config.pka openssh-5.3p1/sshd_config
--- openssh-5.3p1/sshd_config.pka 2008-07-02 14:35:43.000000000 +0200
+++ openssh-5.3p1/sshd_config 2010-01-04 16:07:53.000000000 +0100
@@ -46,6 +46,8 @@ Protocol 2
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
--- openssh-5.3p1/sshd_config.5.pka 2009-08-28 02:27:08.000000000 +0200
+++ openssh-5.3p1/sshd_config.5 2010-01-04 16:07:53.000000000 +0100
@@ -610,6 +610,9 @@ Available keywords are
diff -up openssh-5.4p1/sshd_config.5.pka openssh-5.4p1/sshd_config.5
--- openssh-5.4p1/sshd_config.5.pka 2010-03-01 18:10:46.000000000 +0100
+++ openssh-5.4p1/sshd_config.5 2010-03-01 18:10:50.000000000 +0100
@@ -618,6 +618,9 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
@ -425,7 +355,7 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
@@ -805,6 +808,16 @@ Specifies whether public key authenticat
@@ -814,6 +817,16 @@ Specifies whether public key authenticat
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
@ -442,3 +372,15 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
diff -up openssh-5.4p1/sshd_config.pka openssh-5.4p1/sshd_config
--- openssh-5.4p1/sshd_config.pka 2010-03-01 18:10:46.000000000 +0100
+++ openssh-5.4p1/sshd_config 2010-03-01 18:10:50.000000000 +0100
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no

View File

@ -1,10 +1,10 @@
diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
--- openssh-5.2p1/ssh_config.redhat 2009-02-21 02:45:02.000000000 +0100
+++ openssh-5.2p1/ssh_config 2009-08-09 08:45:11.302092427 +0200
@@ -44,3 +44,14 @@
# TunnelDevice any:any
diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config
--- openssh-5.4p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
+++ openssh-5.4p1/ssh_config 2010-03-01 15:15:51.000000000 +0100
@@ -45,3 +45,14 @@
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
@ -16,10 +16,10 @@ diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
--- openssh-5.2p1/sshd_config.0.redhat 2009-02-23 01:18:15.000000000 +0100
+++ openssh-5.2p1/sshd_config.0 2009-08-09 08:45:11.276555108 +0200
@@ -491,9 +491,9 @@ DESCRIPTION
diff -up openssh-5.4p1/sshd_config.0.redhat openssh-5.4p1/sshd_config.0
--- openssh-5.4p1/sshd_config.0.redhat 2010-03-01 14:30:04.000000000 +0100
+++ openssh-5.4p1/sshd_config.0 2010-03-01 15:14:13.000000000 +0100
@@ -501,9 +501,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
@ -32,10 +32,10 @@ diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
--- openssh-5.2p1/sshd_config.5.redhat 2009-02-23 01:00:24.000000000 +0100
+++ openssh-5.2p1/sshd_config.5 2009-08-09 08:45:11.278927203 +0200
@@ -848,7 +848,7 @@ Note that this option applies to protoco
diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5
--- openssh-5.4p1/sshd_config.5.redhat 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/sshd_config.5 2010-03-01 15:14:14.000000000 +0100
@@ -865,7 +865,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
@ -44,10 +44,10 @@ diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
--- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200
+++ openssh-5.2p1/sshd_config 2009-08-09 08:47:40.850857227 +0200
@@ -33,6 +33,7 @@ Protocol 2
diff -up openssh-5.4p1/sshd_config.redhat openssh-5.4p1/sshd_config
--- openssh-5.4p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200
+++ openssh-5.4p1/sshd_config 2010-03-01 15:14:14.000000000 +0100
@@ -31,6 +31,7 @@
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
@ -55,7 +55,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
#LogLevel INFO
# Authentication:
@@ -60,9 +61,11 @@ Protocol 2
@@ -58,9 +59,11 @@
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
@ -67,7 +67,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
# Kerberos options
#KerberosAuthentication no
@@ -72,7 +75,9 @@ Protocol 2
@@ -70,7 +73,9 @@
# GSSAPI options
#GSSAPIAuthentication no
@ -77,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -84,11 +89,19 @@ Protocol 2
@@ -82,11 +87,19 @@
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

View File

@ -1,7 +1,7 @@
diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
--- openssh-5.2p1/auth1.c.selinux 2008-07-09 12:54:05.000000000 +0200
+++ openssh-5.2p1/auth1.c 2009-08-11 22:43:07.918183730 +0200
@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt)
diff -up openssh-5.4p1/auth1.c.selinux openssh-5.4p1/auth1.c
--- openssh-5.4p1/auth1.c.selinux 2010-03-01 15:19:56.000000000 +0100
+++ openssh-5.4p1/auth1.c 2010-03-01 15:19:57.000000000 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
@ -11,7 +11,7 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt)
@@ -392,11 +395,25 @@ do_authentication(Authctxt *authctxt)
user = packet_get_string(&ulen);
packet_check_eom();
@ -37,9 +37,9 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
--- openssh-5.2p1/auth2.c.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.2p1/auth2.c 2009-08-11 22:43:07.919756192 +0200
diff -up openssh-5.4p1/auth2.c.selinux openssh-5.4p1/auth2.c
--- openssh-5.4p1/auth2.c.selinux 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.4p1/auth2.c 2010-03-01 15:19:57.000000000 +0100
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
@ -79,9 +79,9 @@ diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
userauth_banner();
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
--- openssh-5.2p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.2p1/auth2-gss.c 2009-08-11 22:43:07.921723295 +0200
diff -up openssh-5.4p1/auth2-gss.c.selinux openssh-5.4p1/auth2-gss.c
--- openssh-5.4p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 15:19:57.000000000 +0100
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@ -114,9 +114,9 @@ diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
--- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
+++ openssh-5.2p1/auth2-hostbased.c 2009-08-11 22:43:07.923721059 +0200
diff -up openssh-5.4p1/auth2-hostbased.c.selinux openssh-5.4p1/auth2-hostbased.c
--- openssh-5.4p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
+++ openssh-5.4p1/auth2-hostbased.c 2010-03-01 15:19:57.000000000 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
@ -134,10 +134,10 @@ diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
--- openssh-5.2p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200
+++ openssh-5.2p1/auth2-pubkey.c 2009-08-11 22:43:07.925704588 +0200
@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt)
diff -up openssh-5.4p1/auth2-pubkey.c.selinux openssh-5.4p1/auth2-pubkey.c
--- openssh-5.4p1/auth2-pubkey.c.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 15:19:57.000000000 +0100
@@ -119,7 +119,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -154,9 +154,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
--- openssh-5.2p1/auth.h.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.2p1/auth.h 2009-08-11 22:43:07.927199901 +0200
diff -up openssh-5.4p1/auth.h.selinux openssh-5.4p1/auth.h
--- openssh-5.4p1/auth.h.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/auth.h 2010-03-01 15:19:57.000000000 +0100
@@ -58,6 +58,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
@ -167,21 +167,21 @@ diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac
--- openssh-5.2p1/configure.ac.selinux 2009-02-16 05:37:03.000000000 +0100
+++ openssh-5.2p1/configure.ac 2009-08-11 22:43:07.930259052 +0200
@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux,
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
AC_MSG_ERROR(SELinux support requires libselinux library))
diff -up openssh-5.4p1/configure.ac.selinux openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.selinux 2010-03-01 15:19:57.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 15:21:12.000000000 +0100
@@ -3358,6 +3358,7 @@ AC_ARG_WITH(selinux,
],
AC_MSG_ERROR(SELinux support requires libselinux library))
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+ LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
LIBS="$save_LIBS"
fi ]
diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
--- openssh-5.2p1/monitor.c.selinux 2009-02-14 06:33:31.000000000 +0100
+++ openssh-5.2p1/monitor.c 2009-08-11 22:43:07.933623092 +0200
@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *);
diff -up openssh-5.4p1/monitor.c.selinux openssh-5.4p1/monitor.c
--- openssh-5.4p1/monitor.c.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/monitor.c 2010-03-01 15:19:57.000000000 +0100
@@ -137,6 +137,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
@ -191,7 +191,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[]
@@ -213,6 +216,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -201,7 +201,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
@@ -682,6 +688,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -211,7 +211,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m)
@@ -726,6 +735,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
@ -237,7 +237,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
int
mm_answer_authpassword(int sock, Buffer *m)
{
@@ -1102,7 +1130,7 @@ static int
@@ -1104,7 +1132,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
@ -246,7 +246,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
u_int len;
int fail = 0;
@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i
@@ -1130,6 +1158,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
@ -255,7 +255,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data
@@ -1161,7 +1191,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
@ -264,7 +264,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
u_int len;
int fail = 0;
@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data
@@ -1178,6 +1208,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
@ -273,9 +273,9 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
--- openssh-5.2p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.2p1/monitor.h 2009-08-11 22:43:07.935612930 +0200
diff -up openssh-5.4p1/monitor.h.selinux openssh-5.4p1/monitor.h
--- openssh-5.4p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.4p1/monitor.h 2010-03-01 15:19:57.000000000 +0100
@@ -31,6 +31,9 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
@ -286,9 +286,9 @@ diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
--- openssh-5.2p1/monitor_wrap.c.selinux 2008-11-05 06:20:47.000000000 +0100
+++ openssh-5.2p1/monitor_wrap.c 2009-08-11 22:43:07.937212340 +0200
diff -up openssh-5.4p1/monitor_wrap.c.selinux openssh-5.4p1/monitor_wrap.c
--- openssh-5.4p1/monitor_wrap.c.selinux 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 15:19:57.000000000 +0100
@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
@ -315,9 +315,9 @@ diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
--- openssh-5.2p1/monitor_wrap.h.selinux 2008-11-05 06:20:47.000000000 +0100
+++ openssh-5.2p1/monitor_wrap.h 2009-08-11 22:43:07.938268752 +0200
diff -up openssh-5.4p1/monitor_wrap.h.selinux openssh-5.4p1/monitor_wrap.h
--- openssh-5.4p1/monitor_wrap.h.selinux 2009-03-05 14:58:22.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 15:19:57.000000000 +0100
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -328,17 +328,18 @@ diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd-compat/port-linux.c
--- openssh-5.2p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100
+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-11 22:44:14.529196220 +0200
@@ -30,11 +30,16 @@
#ifdef WITH_SELINUX
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.selinux openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.selinux 2010-03-01 05:52:50.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:22:19.000000000 +0100
@@ -32,12 +32,17 @@
#include "log.h"
#include "xmalloc.h"
#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
#include <selinux/get_context_list.h>
@ -348,7 +349,7 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
ssh_selinux_enabled(void)
@@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
@@ -56,23 +61,36 @@ ssh_selinux_enabled(void)
static security_context_t
ssh_selinux_getctxbyname(char *pwname)
{

View File

@ -27,7 +27,8 @@
%define libedit 1
# Do we want NSS tokens support
%define nss 1
#NSS support is broken from 5.4p1
%define nss 0
# Whether or not /sbin/nologin exists.
%define nologin 1
@ -68,10 +69,10 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.3p1
Version: 5.4p1
# Do not rewind release to 1 on version upgrades unless the pam_ssh_agent_auth
# is updated as well.
Release: 22%{?dist}%{?rescue_rel}
Release: 0.snap20100302.1%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#URL1: http://pamsshagentauth.sourceforge.net
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -79,39 +80,37 @@ URL: http://www.openssh.com/portable.html
# This package differs from the upstream OpenSSH tarball in that
# the ACSS cipher is removed by running openssh-nukeacss.sh in
# the unpacked source directory.
Source0: openssh-%{version}-noacss.tar.bz2
Source0: openssh-%{version}-snap20100302-noacss.tar.bz2
Source1: openssh-nukeacss.sh
Source2: sshd.pam
Source3: sshd.init
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
Source5: pam_ssh_agent-rmheaders
Patch0: openssh-5.2p1-redhat.patch
Patch0: openssh-5.4p1-redhat.patch
Patch2: openssh-5.3p1-skip-initial.patch
Patch4: openssh-5.2p1-vendor.patch
Patch5: openssh-5.2p1-engine.patch
Patch10: pam_ssh_agent_auth-0.9-build.patch
Patch12: openssh-5.2p1-selinux.patch
Patch13: openssh-5.3p1-mls.patch
Patch12: openssh-5.4p1-selinux.patch
Patch13: openssh-5.4p1-mls.patch
Patch16: openssh-5.3p1-audit.patch
Patch18: openssh-5.0p1-pam_selinux.patch
Patch19: openssh-5.2p1-sesftp.patch
Patch22: openssh-3.9p1-askpass-keep-above.patch
Patch18: openssh-5.4p1-pam_selinux.patch
Patch24: openssh-4.3p1-fromto-remote.patch
Patch27: openssh-5.1p1-log-in-chroot.patch
Patch30: openssh-4.0p1-exit-deadlock.patch
Patch35: openssh-5.1p1-askpass-progress.patch
Patch38: openssh-4.3p2-askpass-grab-info.patch
#??? - 201594
Patch39: openssh-4.3p2-no-v6only.patch
Patch44: openssh-5.2p1-allow-ip-opts.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch51: openssh-5.3p1-nss-keys.patch
Patch55: openssh-5.1p1-cloexec.patch
#???
Patch51: openssh-5.4p1-nss-keys.patch
Patch62: openssh-5.1p1-scp-manpage.patch
Patch65: openssh-5.3p1-fips.patch
Patch65: openssh-5.4p1-fips.patch
Patch69: openssh-5.3p1-selabel.patch
Patch71: openssh-5.2p1-edns.patch
Patch72: openssh-5.3p1-pka.patch
Patch73: openssh-5.3p1-gsskex.patch
Patch72: openssh-5.4p1-pka.patch
Patch73: openssh-5.4p1-gsskex.patch
Patch74: openssh-5.3p1-randclean.patch
Patch75: openssh-5.3p1-dso.patch
@ -189,6 +188,7 @@ Provides: openssh-askpass-gnome
Summary: PAM module for authentication with ssh-agent
Group: System Environment/Base
Version: %{pam_ssh_agent_ver}
Release: 23%{?dist}%{?rescue_rel}
License: BSD
%description
@ -234,7 +234,6 @@ The module is most useful for su and sudo service stacks.
%patch0 -p1 -b .redhat
%patch2 -p1 -b .skip-initial
%patch4 -p1 -b .vendor
%patch5 -p1 -b .engine
%if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -250,20 +249,17 @@ popd
%patch13 -p1 -b .mls
%patch16 -p1 -b .audit
%patch18 -p1 -b .pam_selinux
%patch19 -p1 -b .sesftp
%endif
%patch22 -p1 -b .keep-above
%patch24 -p1 -b .fromto-remote
%patch27 -p1 -b .log-chroot
%patch30 -p1 -b .exit-deadlock
%patch35 -p1 -b .progress
%patch38 -p1 -b .grab-info
%patch39 -p1 -b .no-v6only
#???%patch39 -p1 -b .no-v6only
%patch44 -p1 -b .ip-opts
%patch49 -p1 -b .canohost
%patch51 -p1 -b .nss-keys
%patch55 -p1 -b .cloexec
#???%patch51 -p1 -b .nss-keys
%patch62 -p1 -b .manpage
%patch65 -p1 -b .fips
%patch69 -p1 -b .selabel
@ -316,6 +312,7 @@ fi
--disable-strip \
--without-zlib-version-check \
--with-ssl-engine \
--with-pka \
%if %{nss}
--with-nss \
%endif
@ -489,11 +486,13 @@ fi
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%endif
%if ! %{rescue}
@ -529,6 +528,9 @@ fi
%endif
%changelog
* Wed Mar 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-0.snap20100302.1
- Prepare update to 5.4p1
* Mon Feb 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-22
- ImplicitDSOLinking (#564824)

View File

@ -1,3 +1,2 @@
89f85c1da83c24ca0b10c05344f7c93c openssh-5.3p1-noacss.tar.bz2
b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2
fea6e6ac9b5dda1d48af3f2676e8166c openssh-5.4p1-snap20100302-noacss.tar.bz2