From 993dd1a3dbca74155e6c45c6cf4a27fdf07f0e44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Thu, 3 Jan 2008 17:45:59 +0000
Subject: [PATCH] - fix gssapi auth with explicit selinux role requested (#427303) - patch by Nalin Dahyabhai
---
 openssh-4.7p1-gssapi-role.patch | 34 +++++++++++++++++++++++++++++++++
 openssh.spec | 8 +++++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 openssh-4.7p1-gssapi-role.patch
diff --git a/openssh-4.7p1-gssapi-role.patch b/openssh-4.7p1-gssapi-role.patch
new file mode 100644
index 0000000..baecc6f
--- /dev/null
+++ b/openssh-4.7p1-gssapi-role.patch
@@ -0,0 +1,34 @@
+Written-by: Nalin Dahyabhai
+Reviewed-by: Tomas Mraz
+--- auth2-gss.c 2008-01-02 16:34:03.000000000 -0500
++++ auth2-gss.c 2008-01-02 16:33:19.000000000 -0500
+@@ -258,6 +258,7 @@
+ Authctxt *authctxt = ctxt;
+ Gssctxt *gssctxt;
+ int authenticated = 0;
++ char *micuser;
+ Buffer b;
+ gss_buffer_desc mic, gssbuf;
+ u_int len;
+@@ -270,7 +271,11 @@
+ mic.value = packet_get_string(&len);
+ mic.length = len;
+
+- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
++ if (authctxt->role && (strlen(authctxt->role) > 0))
++ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
++ else
++ micuser = authctxt->user;
++ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
+ "gssapi-with-mic");
+
+ gssbuf.value = buffer_ptr(&b);
+@@ -285,6 +290,8 @@
+ }
+
+ buffer_free(&b);
++ if (micuser != authctxt->user)
++ xfree(micuser);
+ xfree(mic.value);
+
+ authctxt->postponed = 0;
diff --git a/openssh.spec b/openssh.spec
index d315d82..2819f4d 100644
--- a/openssh.spec
+++ b/openssh.spec
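Review bot: The `"%s/%s"` rebuild of `micuser` in the second auth2-gss.c hunk (`@@ -270,7 +271,11 @@`) silently depends on the user/role split done elsewhere being exactly reversible, and nothing at this site records that the MIC has to cover the username as the client sent it. A request whose role part is empty (`user/`, if the parser accepts that form) would presumably be rebuilt as plain `user` and fail MIC verification; that fails closed, but the dependency deserves a comment above the `if`, for example `/* the client computes the MIC over the name it sent, i.e. "user/role" when a role was requested */`. In the third hunk, ownership is decided by the pointer comparison `micuser != authctxt->user`, which works today but is easy to break if `authctxt->user` is ever reassigned in between; a separate `char *micuser_alloc = NULL;` that is freed under `if (micuser_alloc != NULL)` would make ownership explicit. The enclosing function starts and ends outside these hunks, so the split logic and any other place that signs or compares the username cannot be checked from here.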
@@ -63,7 +63,7 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Name: openssh Version: 4.7p1 -Release: 6%{?dist}%{?rescue_rel} +Release: 7%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -96,6 +96,7 @@ Patch49: openssh-4.3p2-gssapi-canohost.patch Patch51: openssh-4.7p1-nss-keys.patch Patch52: openssh-4.7p1-sftp-drain-acks.patch Patch53: openssh-4.7p1-revert-wsize.patch +Patch54: openssh-4.7p1-gssapi-role.patch License: BSD Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -230,6 +231,7 @@ an X11 passphrase dialog for OpenSSH. %patch51 -p1 -b .nss-keys %patch52 -p1 -b .drain-acks %patch53 -p1 -b .revert-wsize +%patch54 -p0 -b .gssapi-role autoreconf @@ -480,6 +482,10 @@ fi %endif %changelog +* Thu Jan 3 2008 Tomas Mraz - 4.7p1-7 +- fix gssapi auth with explicit selinux role requested (#427303) - patch + by Nalin Dahyabhai + * Tue Dec 4 2007 Tomas Mraz - 4.7p1-6 - explicitly source krb5-devel profile script