rebase to openssh-6.1p1 (#852651)

Petr Lautrbach 2012-09-14 22:18:22 +02:00
parent 51ca3be245
commit 9fe1afc163
10 changed files with 791 additions and 847 deletions


@ -1,17 +0,0 @@
Index: auth-passwd.c
===================================================================
RCS file: /cvs/openssh/auth-passwd.c,v
retrieving revision 1.90
retrieving revision 1.91
diff -u -r1.90 -r1.91
--- auth-passwd.c 8 Mar 2009 00:40:28 -0000 1.90
+++ auth-passwd.c 25 Apr 2012 23:51:28 -0000 1.91
@@ -209,6 +209,7 @@
* Authentication is accepted if the encrypted passwords
* are identical.
*/
- return (strcmp(encrypted_password, pw_password) == 0);
+ return encrypted_password != NULL &&
+ strcmp(encrypted_password, pw_password) == 0;
}
#endif


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100
diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
--- openssh-6.1p1/auth2-pubkey.c.akc 2012-09-14 20:20:48.459445650 +0200
+++ openssh-6.1p1/auth2-pubkey.c 2012-09-14 20:20:48.520446072 +0200
@@ -27,6 +27,7 @@
#include <sys/types.h>
@ -9,7 +9,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
#include <fcntl.h>
#include <pwd.h>
@@ -276,27 +277,15 @@ match_principals_file(char *file, struct
@@ -277,27 +278,15 @@ match_principals_file(char *file, struct
/* return 1 if user allows given key */
static int
@ -38,7 +38,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -389,8 +378,6 @@ user_key_allowed2(struct passwd *pw, Key
@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key
break;
}
}
@ -47,7 +47,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
key_free(found);
if (!found_key)
debug2("key not found");
@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw,
@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw,
return ret;
}
@ -240,10 +240,10 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
--- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100
+++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac
--- openssh-6.1p1/configure.ac.akc 2012-07-06 03:49:29.000000000 +0200
+++ openssh-6.1p1/configure.ac 2012-09-14 20:20:48.525446106 +0200
@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit],
esac ]
)
@ -262,7 +262,7 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
arc4random \
@@ -4239,6 +4251,7 @@ echo " SELinux support
@@ -4407,6 +4419,7 @@ echo " SELinux support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
@ -270,10 +270,10 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100
+++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100
@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
--- openssh-6.1p1/servconf.c.akc 2012-09-14 20:20:48.138443423 +0200
+++ openssh-6.1p1/servconf.c 2012-09-14 20:27:34.546107295 +0200
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
@ -282,18 +282,18 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
@@ -329,6 +331,7 @@ typedef enum {
@@ -334,6 +336,7 @@ typedef enum {
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS,
sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -455,6 +458,13 @@ static struct {
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
@@ -461,6 +464,14 @@ static struct {
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
@ -301,12 +301,13 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
+#endif
+
{ NULL, sBadOption, 0 }
};
@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions
}
break;
return 0;
+ case sAuthorizedKeysCommand:
+ len = strspn(cp, WHITESPACE);
@ -329,7 +330,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
M_CP_INTOPT(kbd_interactive_authentication);
M_CP_INTOPT(zero_knowledge_password_authentication);
@ -338,30 +339,30 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(permit_empty_passwd);
@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
dump_cfg_string(sVersionAddendum, o->version_addendum);
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100
+++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100
diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
--- openssh-6.1p1/servconf.h.akc 2012-09-14 20:20:48.000000000 +0200
+++ openssh-6.1p1/servconf.h 2012-09-14 20:23:16.691844577 +0200
@@ -169,6 +169,8 @@ typedef struct {
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
+ char *authorized_keys_command;
+ char *authorized_keys_command_runas;
} ServerOptions;
/*
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200
+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100
char *version_addendum; /* Appended to SSH banner */
} ServerOptions;
diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
+++ openssh-6.1p1/sshd_config 2012-09-14 20:30:46.950095769 +0200
@@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
@ -369,12 +370,12 @@ diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
+++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100
diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
+++ openssh-6.1p1/sshd_config.0 2012-09-14 20:32:23.539624859 +0200
@@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns.
@ -399,19 +400,19 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication. The format is described in the
@@ -401,7 +418,8 @@ DESCRIPTION
@@ -402,7 +419,8 @@ DESCRIPTION
Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are AllowAgentForwarding,
- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
+ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand,
+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile,
Banner, ChrootDirectory, ForceCommand, GatewayPorts,
GSSAPIAuthentication, HostbasedAuthentication,
Match keyword. Available keywords are AcceptEnv,
AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
- AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
+ AllowUsers, AuthorizedKeysFile, AuthorizedKeysCommand,
+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, Banner,
ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100
+++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100
diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.akc 2012-09-14 20:20:48.142443448 +0200
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:29:56.003873873 +0200
@@ -151,6 +151,19 @@ See
in
.Xr ssh_config 5
@ -432,16 +433,16 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication.
@@ -706,6 +719,8 @@ Available keywords are
.Cm AllowAgentForwarding ,
@@ -712,6 +725,8 @@ Available keywords are
.Cm AllowTcpForwarding ,
.Cm AllowUsers ,
.Cm AuthorizedKeysFile ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
@@ -718,6 +733,7 @@ Available keywords are
@@ -726,6 +741,7 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
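Review bot: The sshd_config hunk adds `#AuthorizedKeysCommand none` and `#AuthorizedKeysCommandRunAs nobody` with no explanatory comment, while the neighbouring `AuthorizedKeysFile` entry just above carries one. A reader of the shipped default config cannot tell from these two lines that one names an external program and the other the account it is presumably executed under (the keyword name suggests this; the sshd_config.5 hunk that documents it is cut off in this view). I would precede them with `# Program sshd invokes to look up a user's public keys, and the account it runs under;` and `# see AuthorizedKeysCommand / AuthorizedKeysCommandRunAs in sshd_config(5).`. The same two keywords are registered as SSHCFG_ALL in the servconf.c keyword table and listed under Match in both manual-page hunks, so the default-config comment should be the only place they currently go undescribed.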


@ -1,7 +1,7 @@
diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile
--- openssh-5.8p2/contrib/Makefile.askpass-ld 2011-08-08 22:54:06.050546199 +0200
+++ openssh-5.8p2/contrib/Makefile 2011-08-08 22:54:43.364420118 +0200
@@ -2,12 +2,12 @@ all:
diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
--- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200
+++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200
@@ -4,12 +4,12 @@ all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
@ -11,8 +11,8 @@ diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefil
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
- $(CC) `pkg-config --cflags gtk+-2.0` \
+ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
- $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
+ $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`pkg-config --libs gtk+-2.0 x11`
`$(PKG_CONFIG) --libs gtk+-2.0 x11`
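Review bot: The gnome-ssh-askpass2 recipe both compiles and links in one `$(CC)` invocation, but the rebased line injects only `${CFLAGS}`; any distribution link flags carried in LDFLAGS are still not passed, which is at odds with a patch named askpass-ld. If the packaging expects hardening or other linker options from LDFLAGS, the line should read `$(CC) $(CFLAGS) $(LDFLAGS) \`$(PKG_CONFIG) --cflags gtk+-2.0\` \`. As a point of style, `${CFLAGS}` uses curly braces while the rest of the recipe uses `$(CC)` and `$(PKG_CONFIG)`; `$(CFLAGS)` would match. The gnome-ssh-askpass1 recipe in the first hunk is cut off in this view, so I cannot tell whether it has the same omission.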


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.9p1/auth-pam.c 2011-09-14 08:09:47.074520582 +0200
diff -up openssh-6.1p1/auth-pam.c.coverity openssh-6.1p1/auth-pam.c
--- openssh-6.1p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
+++ openssh-6.1p1/auth-pam.c 2012-09-14 21:16:41.264906486 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
@ -15,43 +15,10 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
return (status);
}
#endif
diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
+++ openssh-5.9p1/channels.c 2011-09-14 08:09:47.556582810 +0200
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
- if (rfd != -1)
+ if (rfd >= 0)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
- if (wfd != -1 && wfd != rfd)
+ if (wfd >= 0 && wfd != rfd)
fcntl(wfd, F_SETFD, FD_CLOEXEC);
- if (efd != -1 && efd != rfd && efd != wfd)
+ if (efd >= 0 && efd != rfd && efd != wfd)
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -248,11 +248,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
- if (rfd != -1)
+ if (rfd >= 0)
set_nonblock(rfd);
- if (wfd != -1)
+ if (wfd >= 0)
set_nonblock(wfd);
- if (efd != -1)
+ if (efd >= 0)
set_nonblock(efd);
}
}
diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
+++ openssh-5.9p1/clientloop.c 2011-09-14 08:17:41.556521887 +0200
@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_
diff -up openssh-6.1p1/clientloop.c.coverity openssh-6.1p1/clientloop.c
--- openssh-6.1p1/clientloop.c.coverity 2012-06-20 14:31:27.000000000 +0200
+++ openssh-6.1p1/clientloop.c 2012-09-14 21:16:41.267906501 +0200
@@ -2006,14 +2006,15 @@ client_input_global_request(int type, u_
char *rtype;
int want_reply;
int success = 0;
@ -69,10 +36,43 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
packet_send();
packet_write_wait();
}
diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
+++ openssh-5.9p1/key.c 2011-09-14 08:09:47.803458435 +0200
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
diff -up openssh-6.1p1/channels.c.coverity openssh-6.1p1/channels.c
--- openssh-6.1p1/channels.c.coverity 2012-04-23 10:21:05.000000000 +0200
+++ openssh-6.1p1/channels.c 2012-09-14 21:16:41.272906528 +0200
@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
- if (rfd != -1)
+ if (rfd >= 0)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
- if (wfd != -1 && wfd != rfd)
+ if (wfd >= 0 && wfd != rfd)
fcntl(wfd, F_SETFD, FD_CLOEXEC);
- if (efd != -1 && efd != rfd && efd != wfd)
+ if (efd >= 0 && efd != rfd && efd != wfd)
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
- if (rfd != -1)
+ if (rfd >= 0)
set_nonblock(rfd);
- if (wfd != -1)
+ if (wfd >= 0)
set_nonblock(wfd);
- if (efd != -1)
+ if (efd >= 0)
set_nonblock(efd);
}
}
diff -up openssh-6.1p1/key.c.coverity openssh-6.1p1/key.c
--- openssh-6.1p1/key.c.coverity 2012-06-30 12:05:02.000000000 +0200
+++ openssh-6.1p1/key.c 2012-09-14 21:16:41.274906537 +0200
@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp)
success = 1;
/*XXXX*/
key_free(k);
@ -83,10 +83,9 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
/* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t')
cp++;
diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c
diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200
+++ openssh-5.9p1/monitor.c 2011-09-14 08:09:47.914584009 +0200
diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c
--- openssh-6.1p1/monitor.c.coverity 2012-06-30 00:33:17.000000000 +0200
+++ openssh-6.1p1/monitor.c 2012-09-14 21:16:41.277906552 +0200
@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx
}
@ -96,7 +95,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
;
if (!authctxt->valid)
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
@@ -1159,6 +1159,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break;
}
}
@ -107,7 +106,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
if (key != NULL)
key_free(key);
@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m
@@ -1180,9 +1184,6 @@ mm_answer_keyallowed(int sock, Buffer *m
xfree(chost);
}
@ -117,9 +116,9 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.coverity 2011-09-14 08:11:36.480500123 +0200
+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 08:14:11.279520598 +0200
diff -up openssh-6.1p1/monitor_wrap.c.coverity openssh-6.1p1/monitor_wrap.c
--- openssh-6.1p1/monitor_wrap.c.coverity 2011-06-20 06:42:23.000000000 +0200
+++ openssh-6.1p1/monitor_wrap.c 2012-09-14 21:16:41.280906568 +0200
@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
@ -134,9 +133,9 @@ diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
return 0;
}
close(tmp1);
diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-14 08:09:48.084459344 +0200
diff -up openssh-6.1p1/openbsd-compat/bindresvport.c.coverity openssh-6.1p1/openbsd-compat/bindresvport.c
--- openssh-6.1p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
+++ openssh-6.1p1/openbsd-compat/bindresvport.c 2012-09-14 21:16:41.281906573 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
@ -146,9 +145,9 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
int i;
if (sa == NULL) {
diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
+++ openssh-5.9p1/packet.c 2011-09-14 08:09:48.184587842 +0200
diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c
--- openssh-6.1p1/packet.c.coverity 2012-03-09 00:28:07.000000000 +0100
+++ openssh-6.1p1/packet.c 2012-09-14 21:16:41.284906588 +0200
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: "
@ -157,7 +156,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of "
"service detected");
@@ -1684,7 +1685,7 @@ void
@@ -1678,7 +1679,7 @@ void
packet_write_wait(void)
{
fd_set *setp;
@ -166,9 +165,9 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
struct timeval start, timeout, *timeoutp = NULL;
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
+++ openssh-5.9p1/progressmeter.c 2011-09-14 08:09:48.300586004 +0200
diff -up openssh-6.1p1/progressmeter.c.coverity openssh-6.1p1/progressmeter.c
--- openssh-6.1p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
+++ openssh-6.1p1/progressmeter.c 2012-09-14 21:16:41.285906593 +0200
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
@ -187,9 +186,9 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
{
start = last_update = time(NULL);
file = f;
diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
+++ openssh-5.9p1/progressmeter.h 2011-09-14 08:09:48.420645724 +0200
diff -up openssh-6.1p1/progressmeter.h.coverity openssh-6.1p1/progressmeter.h
--- openssh-6.1p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
+++ openssh-6.1p1/progressmeter.h 2012-09-14 21:16:41.286906598 +0200
@@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
@ -197,9 +196,9 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
-void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void);
diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
+++ openssh-5.9p1/scp.c 2011-09-14 08:09:48.531505457 +0200
diff -up openssh-6.1p1/scp.c.coverity openssh-6.1p1/scp.c
--- openssh-6.1p1/scp.c.coverity 2011-09-22 13:38:01.000000000 +0200
+++ openssh-6.1p1/scp.c 2012-09-14 21:16:41.288906608 +0200
@@ -155,7 +155,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
@ -209,19 +208,10 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
}
if (signo)
diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200
+++ openssh-5.9p1/servconf.c 2011-09-14 08:30:17.557468182 +0200
@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin
debug3("checking syntax for 'Match %s'", cp);
else
debug3("checking match for '%s' user %s host %s addr %s", cp,
- user ? user : "(null)", host ? host : "(null)",
+ user /* User is not NULL ? user : "(null)" */, host ? host : "(null)",
address ? address : "(null)");
while ((attrib = strdelim(&cp)) && *attrib != '\0') {
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c
--- openssh-6.1p1/servconf.c.coverity 2012-07-31 04:22:38.000000000 +0200
+++ openssh-6.1p1/servconf.c 2012-09-14 21:16:41.291906623 +0200
@@ -1249,7 +1249,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
@ -230,7 +220,7 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
break;
}
for (i = 0; i < options->num_subsystems; i++)
@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions
@@ -1340,8 +1340,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
@ -242,9 +232,9 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
}
break;
diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
+++ openssh-5.9p1/serverloop.c 2011-09-14 08:09:48.793586380 +0200
diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c
--- openssh-6.1p1/serverloop.c.coverity 2012-06-20 14:31:27.000000000 +0200
+++ openssh-6.1p1/serverloop.c 2012-09-14 21:16:41.294906638 +0200
@@ -147,13 +147,13 @@ notify_setup(void)
static void
notify_parent(void)
@ -272,7 +262,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
debug2("notify_done: reading");
}
@@ -330,7 +330,7 @@ wait_until_can_do_something(fd_set **rea
@@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea
* If we have buffered data, try to write some of that data
* to the program.
*/
@ -281,7 +271,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
FD_SET(fdin, *writesetp);
}
notify_prepare(*readsetp);
@@ -470,7 +470,7 @@ process_output(fd_set *writeset)
@@ -476,7 +476,7 @@ process_output(fd_set *writeset)
int len;
/* Write buffered data to program stdin. */
@ -290,7 +280,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
data = buffer_ptr(&stdin_buffer);
dlen = buffer_len(&stdin_buffer);
len = write(fdin, data, dlen);
@@ -583,7 +583,7 @@ server_loop(pid_t pid, int fdin_arg, int
@@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int
set_nonblock(fdin);
set_nonblock(fdout);
/* we don't have stderr for interactive terminal sessions, see below */
@ -299,7 +289,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
set_nonblock(fderr);
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
@@ -607,7 +607,7 @@ server_loop(pid_t pid, int fdin_arg, int
@@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int
max_fd = MAX(connection_in, connection_out);
max_fd = MAX(max_fd, fdin);
max_fd = MAX(max_fd, fdout);
@ -308,7 +298,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
max_fd = MAX(max_fd, fderr);
#endif
@@ -637,7 +637,7 @@ server_loop(pid_t pid, int fdin_arg, int
@@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int
* If we have received eof, and there is no more pending
* input data, cause a real eof by closing fdin.
*/
@ -317,7 +307,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
if (fdin != fdout)
close(fdin);
else
@@ -735,15 +735,15 @@ server_loop(pid_t pid, int fdin_arg, int
@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer);
/* Close the file descriptors. */
@ -336,7 +326,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
close(fdin);
fdin = -1;
@@ -937,7 +937,7 @@ server_input_window_size(int type, u_int
@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int
debug("Window change received.");
packet_check_eom();
@ -345,7 +335,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
pty_change_window_size(fdin, row, col, xpixel, ypixel);
}
@@ -990,7 +990,7 @@ server_request_tun(void)
@@ -996,7 +996,7 @@ server_request_tun(void)
}
tun = packet_get_int();
@ -354,9 +344,111 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done;
tun = forced_tun_device;
diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-5.9p1/sftp-client.c 2011-09-14 08:09:48.910470343 +0200
diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
--- openssh-6.1p1/sftp.c.coverity 2012-06-30 00:33:32.000000000 +0200
+++ openssh-6.1p1/sftp.c 2012-09-14 21:16:41.297906653 +0200
@@ -206,7 +206,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -494,7 +494,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *abs_src = NULL;
@@ -590,7 +590,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *tmp_dst = NULL;
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -780,7 +780,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
char *fname, *lname;
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-6.1p1/sftp-client.c.coverity openssh-6.1p1/sftp-client.c
--- openssh-6.1p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200
+++ openssh-6.1p1/sftp-client.c 2012-09-14 21:18:16.891332281 +0200
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
}
@ -393,7 +485,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
SFTP_DIRENT ***dir)
{
Buffer msg;
@@ -571,7 +571,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
@@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
}
int
@ -402,7 +494,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
return(do_lsreaddir(conn, path, 0, dir));
}
@@ -589,7 +589,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
@@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
}
int
@ -411,7 +503,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int status, id;
@@ -604,7 +604,7 @@ do_rm(struct sftp_conn *conn, char *path
@@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path
}
int
@ -420,7 +512,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int status, id;
@@ -620,7 +620,7 @@ do_mkdir(struct sftp_conn *conn, char *p
@@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p
}
int
@ -429,7 +521,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int status, id;
@@ -636,7 +636,7 @@ do_rmdir(struct sftp_conn *conn, char *p
@@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p
}
Attrib *
@ -438,7 +530,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int id;
@@ -650,7 +650,7 @@ do_stat(struct sftp_conn *conn, char *pa
@@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa
}
Attrib *
@ -447,7 +539,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int id;
@@ -684,7 +684,7 @@ do_fstat(struct sftp_conn *conn, char *h
@@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h
#endif
int
@ -456,7 +548,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int status, id;
@@ -701,7 +701,7 @@ do_setstat(struct sftp_conn *conn, char
@@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char
}
int
@ -465,7 +557,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *a)
{
u_int status, id;
@@ -718,12 +718,12 @@ do_fsetstat(struct sftp_conn *conn, char
@@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char
}
char *
@ -474,22 +566,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
Buffer msg;
u_int type, expected_id, count, id;
char *filename, *longname;
- Attrib *a;
+/*UNUSED Attrib *a; */
expected_id = id = conn->msg_id++;
send_string_request(conn, id, SSH2_FXP_REALPATH, path,
@@ -754,7 +754,7 @@ do_realpath(struct sftp_conn *conn, char
filename = buffer_get_string(&msg, NULL);
longname = buffer_get_string(&msg, NULL);
- a = decode_attrib(&msg);
+ /*a =*/ (void) decode_attrib(&msg);
debug3("SSH_FXP_REALPATH %s -> %s", path, filename);
@@ -766,7 +766,7 @@ do_realpath(struct sftp_conn *conn, char
@@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char
}
int
@ -498,7 +575,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
Buffer msg;
u_int status, id;
@@ -800,7 +800,7 @@ do_rename(struct sftp_conn *conn, char *
@@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char *
}
int
@ -507,7 +584,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
Buffer msg;
u_int status, id;
@@ -833,7 +833,7 @@ do_hardlink(struct sftp_conn *conn, char
@@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char
}
int
@ -516,7 +593,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
Buffer msg;
u_int status, id;
@@ -984,7 +984,7 @@ send_read_request(struct sftp_conn *conn
@@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn
}
int
@ -525,7 +602,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *a, int pflag)
{
Attrib junk;
@@ -1223,7 +1223,7 @@ do_download(struct sftp_conn *conn, char
@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char
}
static int
@ -534,7 +611,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *dirattrib, int pflag, int printflag, int depth)
{
int i, ret = 0;
@@ -1313,7 +1313,7 @@ download_dir_internal(struct sftp_conn *
@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn *
}
int
@ -543,7 +620,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *dirattrib, int pflag, int printflag)
{
char *src_canon;
@@ -1331,7 +1331,7 @@ download_dir(struct sftp_conn *conn, cha
@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha
}
int
@ -552,7 +629,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag)
{
int local_fd;
@@ -1514,7 +1514,7 @@ do_upload(struct sftp_conn *conn, char *
@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char *
}
static int
@ -561,7 +638,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag, int printflag, int depth)
{
int ret = 0, status;
@@ -1605,7 +1605,7 @@ upload_dir_internal(struct sftp_conn *co
@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co
}
int
@ -570,7 +647,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag)
{
char *dst_canon;
@@ -1622,7 +1622,7 @@ upload_dir(struct sftp_conn *conn, char
@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char
}
char *
@ -579,9 +656,9 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
char *ret;
size_t len = strlen(p1) + strlen(p2) + 2;
diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-5.9p1/sftp-client.h 2011-09-14 08:09:49.021583940 +0200
diff -up openssh-6.1p1/sftp-client.h.coverity openssh-6.1p1/sftp-client.h
--- openssh-6.1p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-6.1p1/sftp-client.h 2012-09-14 21:16:41.301906674 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
u_int sftp_proto_version(struct sftp_conn *);
@ -679,124 +756,9 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
+char *path_append(const char *, const char *);
#endif
diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-5.9p1/sftp.c 2011-09-14 08:09:49.468493585 +0200
@@ -206,7 +206,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -494,7 +494,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *abs_src = NULL;
@@ -590,7 +590,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *tmp_dst = NULL;
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -780,10 +780,10 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
- Attrib *a = NULL;
+/*UNUSED Attrib *a = NULL;*/
char *fname, *lname;
glob_t g;
int err;
@@ -828,7 +828,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
colspace = width / columns;
}
- for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) {
+ for (i = 0; g.gl_pathv[i] && !interrupted; i++/*, a = NULL*/) {
fname = path_strip(g.gl_pathv[i], strip_path);
if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) {
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
+++ openssh-5.9p1/ssh-agent.c 2011-09-14 08:09:49.572460295 +0200
diff -up openssh-6.1p1/ssh-agent.c.coverity openssh-6.1p1/ssh-agent.c
--- openssh-6.1p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
+++ openssh-6.1p1/ssh-agent.c 2012-09-14 21:16:41.303906683 +0200
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
sanitise_stdfd();
@ -808,10 +770,10 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
+++ openssh-5.9p1/sshd.c 2011-09-14 08:09:49.687509968 +0200
@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt)
diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.coverity 2012-07-31 04:21:34.000000000 +0200
+++ openssh-6.1p1/sshd.c 2012-09-14 21:16:41.307906705 +0200
@@ -682,8 +682,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child();
setproctitle("%s", "[net]");
@ -823,7 +785,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
return 0;
}
@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so
@@ -1311,6 +1313,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0)
break;
}
@ -833,7 +795,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
}
@@ -1774,7 +1779,7 @@ main(int ac, char **av)
@@ -1768,7 +1773,7 @@ main(int ac, char **av)
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */


@ -1,6 +1,115 @@
diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c
--- openssh-6.0p1/auth2.c.gsskex 2012-09-12 15:32:19.110689080 +0200
+++ openssh-6.0p1/auth2.c 2012-09-12 15:32:28.309651601 +0200
diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
--- openssh-6.1p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200
+++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:07:19.695203206 +0200
@@ -50,6 +50,7 @@
#include <errno.h>
#include <unistd.h>
#include <string.h>
+#include <sys/stat.h>
#include <krb5.h>
extern ServerOptions options;
@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
authctxt->krb5_ticket_file);
+#else
+ snprintf(authctxt->krb5_ccname, len, "DIR:%s",
+ authctxt->krb5_ticket_file);
+#endif
#ifdef USE_PAM
if (options.use_pam)
@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
+ struct stat krb5_ccname_stat;
+ char krb5_ccname[128], *krb5_ccname_dir_end;
+
debug("krb5_cleanup_proc called");
if (authctxt->krb5_fwd_ccache) {
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_fwd_ccache = NULL;
+
+ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
+ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
+
+ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
+ if (krb5_ccname_dir_end != NULL) {
+ strcpy(krb5_ccname_dir_end, "/primary");
+
+ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
+ if (unlink(krb5_ccname) == 0) {
+ *krb5_ccname_dir_end = '\0';
+ if (rmdir(krb5_ccname) == -1)
+ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
+ }
+ else
+ debug("cache primary file '%s', remove failed: %s",
+ krb5_ccname, strerror(errno)
+ );
+ }
+ }
}
if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
@@ -226,31 +255,37 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ int ret, oerrno;
+ char ccname[128];
mode_t old_umask;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
+ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
+ char *tmpdir;
+#endif
ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ cctemplate, geteuid());
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
+#ifndef USE_CCAPI
+ old_umask = umask(0077);
+ tmpdir = mkdtemp(ccname + strlen("DIR:"));
oerrno = errno;
umask(old_umask);
- if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(oerrno));
+ if (tmpdir == NULL) {
+ logit("mkdtemp(): %.100s", strerror(oerrno));
return oerrno;
}
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
oerrno = errno;
- logit("fchmod(): %.100s", strerror(oerrno));
- close(tmpfd);
+ logit("chmod(): %.100s", strerror(oerrno));
return oerrno;
}
- close(tmpfd);
+#endif
return (krb5_cc_resolve(ctx, ccname, ccache));
}
diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c
--- openssh-6.1p1/auth2.c.gsskex 2012-09-14 20:57:55.291263269 +0200
+++ openssh-6.1p1/auth2.c 2012-09-14 20:57:55.853266860 +0200
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@ -17,9 +126,9 @@ diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c
&method_gssapi,
#endif
#ifdef JPAKE
diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c
--- openssh-6.0p1/auth2-gss.c.gsskex 2012-09-12 15:32:19.126689015 +0200
+++ openssh-6.0p1/auth2-gss.c 2012-09-12 15:32:28.309651601 +0200
diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c
--- openssh-6.1p1/auth2-gss.c.gsskex 2012-09-14 20:57:55.292263276 +0200
+++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:57:55.855266873 +0200
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *);
@ -94,233 +203,9 @@ diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
diff -up openssh-6.0p1/auth-krb5.c.gsskex openssh-6.0p1/auth-krb5.c
--- openssh-6.0p1/auth-krb5.c.gsskex 2012-09-12 15:32:19.118689046 +0200
+++ openssh-6.0p1/auth-krb5.c 2012-09-12 16:03:22.216097657 +0200
@@ -50,6 +50,7 @@
#include <errno.h>
#include <unistd.h>
#include <string.h>
+#include <sys/stat.h>
#include <krb5.h>
extern ServerOptions options;
@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
authctxt->krb5_ticket_file);
+#else
+ snprintf(authctxt->krb5_ccname, len, "DIR:%s",
+ authctxt->krb5_ticket_file);
+#endif
#ifdef USE_PAM
if (options.use_pam)
@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
+ struct stat krb5_ccname_stat;
+ char krb5_ccname[128], *krb5_ccname_dir_end;
+
debug("krb5_cleanup_proc called");
if (authctxt->krb5_fwd_ccache) {
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_fwd_ccache = NULL;
+
+ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
+ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
+
+ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
+ if (krb5_ccname_dir_end != NULL) {
+ strcpy(krb5_ccname_dir_end, "/primary");
+
+ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
+ if (unlink(krb5_ccname) == 0) {
+ *krb5_ccname_dir_end = '\0';
+ if (rmdir(krb5_ccname) == -1)
+ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
+ }
+ else
+ debug("cache primary file '%s', remove failed: %s",
+ krb5_ccname, strerror(errno)
+ );
+ }
+ }
}
if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
@@ -226,29 +255,35 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret;
+ int ret;
char ccname[40];
mode_t old_umask;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
+ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
+ char *tmpdir;
+#endif
ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ cctemplate, geteuid());
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
+#ifndef USE_CCAPI
+ old_umask = umask(0077);
+ tmpdir = mkdtemp(ccname + strlen("DIR:"));
umask(old_umask);
- if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(errno));
+ if (tmpdir == NULL) {
+ logit("mkdtemp(): %.100s", strerror(errno));
return errno;
}
-
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
- logit("fchmod(): %.100s", strerror(errno));
- close(tmpfd);
+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
+ logit("chmod(): %.100s", strerror(errno));
return errno;
}
- close(tmpfd);
+
+#endif
return (krb5_cc_resolve(ctx, ccname, ccache));
}
diff -up openssh-6.0p1/ChangeLog.gssapi.gsskex openssh-6.0p1/ChangeLog.gssapi
--- openssh-6.0p1/ChangeLog.gssapi.gsskex 2012-09-12 15:32:19.106689094 +0200
+++ openssh-6.0p1/ChangeLog.gssapi 2012-09-12 15:32:28.310651598 +0200
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
+ - Add GSSAPIServerIdentity option from Jim Basney
+
+20100308
+ - [ Makefile.in, key.c, key.h ]
+ Updates for OpenSSH 5.4p1
+ - [ servconf.c ]
+ Include GSSAPI options in the sshd -T configuration dump, and flag
+ some older configuration options as being unsupported. Thanks to Colin
+ Watson.
+ -
+
+20100124
+ - [ sshconnect2.c ]
+ Adapt to deal with additional element in Authmethod structure. Thanks to
+ Colin Watson
+
+20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
+ sshd.c ]
+ Fix issues identified by Greg Hudson following a code review
+ Check return value of gss_indicate_mechs
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
+ Check return values of bignum functions in key exchange
+ Use BN_clear_free to clear other side's DH value
+ Make ssh_gssapi_id_kex more robust
+ Only configure kex table pointers if GSSAPI is enabled
+ Don't leak mechanism list, or gss mechanism list
+ Cast data.length before printing
+ If serverkey isn't provided, use an empty string, rather than NULL
+
+20090201
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
+ ssh_config.5 sshconnet2.c ]
+ Add support for the GSSAPIClientIdentity option, which allows the user
+ to specify which GSSAPI identity to use to contact a given server
+
+20080404
+ - [ gss-serv.c ]
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
+ been omitted from a previous version of this patch. Reported by Borislav
+ Stoichkov
+
+20070317
+ - [ gss-serv-krb5.c ]
+ Remove C99ism, where new_ccname was being declared in the middle of a
+ function
+
+20061220
+ - [ servconf.c ]
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
+ documented, behaviour. Reported by Dan Watson.
+
+20060910
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
+ ssh-gss.h ]
+ add support for gss-group14-sha1 key exchange mechanisms
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
+ acceptor principal checking on multi-homed machines.
+ <Bugzilla #928>
+ - [ sshd_config ssh_config ]
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
+ configuration files
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
+ Limit length of error messages displayed by client
+
+20060909
+ - [ gss-genr.c gss-serv.c ]
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
+ only, where they belong
+ <Bugzilla #1225>
+
+20060829
+ - [ gss-serv-krb5.c ]
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
+ variable
+
+20060828
+ - [ gss-genr.c ]
+ Avoid Heimdal context freeing problem
+ <Fixed upstream 20060829>
+
+20060818
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
+ Make sure that SPENGO is disabled
+ <Bugzilla #1218 - Fixed upstream 20060818>
+
+20060421
+ - [ gssgenr.c, sshconnect2.c ]
+ a few type changes (signed versus unsigned, int versus size_t) to
+ fix compiler errors/warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ kexgssc.c, sshconnect2.c ]
+ fix uninitialized variable warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ gssgenr.c ]
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
+ (from jbasney AT ncsa.uiuc.edu)
+ <Bugzilla #1220 >
+ - [ gss-serv-krb5.c ]
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
+ (from jbasney AT ncsa.uiuc.edu)
+ <Fixed upstream 20060304>
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
+ add client-side GssapiKeyExchange option
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ sshconnect2.c ]
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
--- openssh-6.0p1/clientloop.c.gsskex 2012-09-12 15:32:19.113689067 +0200
+++ openssh-6.0p1/clientloop.c 2012-09-12 15:32:28.311651595 +0200
diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
--- openssh-6.1p1/clientloop.c.gsskex 2012-09-14 20:57:54.862260529 +0200
+++ openssh-6.1p1/clientloop.c 2012-09-14 20:57:55.861266911 +0200
@@ -111,6 +111,10 @@
#include "msg.h"
#include "roaming.h"
@ -332,7 +217,7 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
/* import options */
extern Options options;
@@ -1540,6 +1544,15 @@ client_loop(int have_pty, int escape_cha
@@ -1544,6 +1548,15 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
@ -348,9 +233,9 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
xxx_kex->done = 0;
diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac
--- openssh-6.0p1/configure.ac.gsskex 2012-09-12 15:32:19.085689183 +0200
+++ openssh-6.0p1/configure.ac 2012-09-12 15:32:28.312651591 +0200
diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
--- openssh-6.1p1/configure.ac.gsskex 2012-09-14 20:57:55.756266240 +0200
+++ openssh-6.1p1/configure.ac 2012-09-14 20:57:55.865266937 +0200
@@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
@ -382,9 +267,9 @@ diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac
m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c
--- openssh-6.0p1/gss-genr.c.gsskex 2012-09-12 15:32:19.097689132 +0200
+++ openssh-6.0p1/gss-genr.c 2012-09-12 15:32:28.313651587 +0200
diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
--- openssh-6.1p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-6.1p1/gss-genr.c 2012-09-14 20:57:55.867266949 +0200
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
@ -732,9 +617,9 @@ diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c
+}
+
#endif /* GSSAPI */
diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c
--- openssh-6.0p1/gss-serv.c.gsskex 2012-09-12 15:32:19.123689027 +0200
+++ openssh-6.0p1/gss-serv.c 2012-09-12 15:53:27.719520213 +0200
diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
--- openssh-6.1p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
+++ openssh-6.1p1/gss-serv.c 2012-09-14 20:57:55.870266969 +0200
@@ -45,15 +45,20 @@
#include "channels.h"
#include "session.h"
@ -1073,9 +958,9 @@ diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c
}
#endif
diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c
--- openssh-6.0p1/gss-serv-krb5.c.gsskex 2012-09-12 15:32:19.115689059 +0200
+++ openssh-6.0p1/gss-serv-krb5.c 2012-09-12 16:36:15.768054426 +0200
diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
--- openssh-6.1p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 20:57:55.872266981 +0200
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1198,9 +1083,126 @@ diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c
};
#endif /* KRB5 */
diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c
--- openssh-6.0p1/kex.c.gsskex 2012-09-12 15:32:19.096689136 +0200
+++ openssh-6.0p1/kex.c 2012-09-12 15:32:28.315651579 +0200
diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi
--- openssh-6.1p1/ChangeLog.gssapi.gsskex 2012-09-14 20:57:55.858266892 +0200
+++ openssh-6.1p1/ChangeLog.gssapi 2012-09-14 20:57:55.859266899 +0200
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
+ - Add GSSAPIServerIdentity option from Jim Basney
+
+20100308
+ - [ Makefile.in, key.c, key.h ]
+ Updates for OpenSSH 5.4p1
+ - [ servconf.c ]
+ Include GSSAPI options in the sshd -T configuration dump, and flag
+ some older configuration options as being unsupported. Thanks to Colin
+ Watson.
+ -
+
+20100124
+ - [ sshconnect2.c ]
+ Adapt to deal with additional element in Authmethod structure. Thanks to
+ Colin Watson
+
+20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
+ sshd.c ]
+ Fix issues identified by Greg Hudson following a code review
+ Check return value of gss_indicate_mechs
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
+ Check return values of bignum functions in key exchange
+ Use BN_clear_free to clear other side's DH value
+ Make ssh_gssapi_id_kex more robust
+ Only configure kex table pointers if GSSAPI is enabled
+ Don't leak mechanism list, or gss mechanism list
+ Cast data.length before printing
+ If serverkey isn't provided, use an empty string, rather than NULL
+
+20090201
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
+ ssh_config.5 sshconnet2.c ]
+ Add support for the GSSAPIClientIdentity option, which allows the user
+ to specify which GSSAPI identity to use to contact a given server
+
+20080404
+ - [ gss-serv.c ]
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
+ been omitted from a previous version of this patch. Reported by Borislav
+ Stoichkov
+
+20070317
+ - [ gss-serv-krb5.c ]
+ Remove C99ism, where new_ccname was being declared in the middle of a
+ function
+
+20061220
+ - [ servconf.c ]
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
+ documented, behaviour. Reported by Dan Watson.
+
+20060910
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
+ ssh-gss.h ]
+ add support for gss-group14-sha1 key exchange mechanisms
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
+ acceptor principal checking on multi-homed machines.
+ <Bugzilla #928>
+ - [ sshd_config ssh_config ]
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
+ configuration files
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
+ Limit length of error messages displayed by client
+
+20060909
+ - [ gss-genr.c gss-serv.c ]
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
+ only, where they belong
+ <Bugzilla #1225>
+
+20060829
+ - [ gss-serv-krb5.c ]
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
+ variable
+
+20060828
+ - [ gss-genr.c ]
+ Avoid Heimdal context freeing problem
+ <Fixed upstream 20060829>
+
+20060818
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
+ Make sure that SPENGO is disabled
+ <Bugzilla #1218 - Fixed upstream 20060818>
+
+20060421
+ - [ gssgenr.c, sshconnect2.c ]
+ a few type changes (signed versus unsigned, int versus size_t) to
+ fix compiler errors/warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ kexgssc.c, sshconnect2.c ]
+ fix uninitialized variable warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ gssgenr.c ]
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
+ (from jbasney AT ncsa.uiuc.edu)
+ <Bugzilla #1220 >
+ - [ gss-serv-krb5.c ]
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
+ (from jbasney AT ncsa.uiuc.edu)
+ <Fixed upstream 20060304>
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
+ add client-side GssapiKeyExchange option
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ sshconnect2.c ]
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
--- openssh-6.1p1/kex.c.gsskex 2012-09-14 20:57:55.139262298 +0200
+++ openssh-6.1p1/kex.c 2012-09-14 20:57:55.874266995 +0200
@@ -51,6 +51,10 @@
#include "roaming.h"
#include "audit.h"
@ -1233,9 +1235,9 @@ diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c
} else
fatal("bad kex alg %s", k->name);
}
diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c
--- openssh-6.0p1/kexgssc.c.gsskex 2012-09-12 15:32:19.105689098 +0200
+++ openssh-6.0p1/kexgssc.c 2012-09-12 15:32:28.315651579 +0200
diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
--- openssh-6.1p1/kexgssc.c.gsskex 2012-09-14 20:57:55.875267001 +0200
+++ openssh-6.1p1/kexgssc.c 2012-09-14 20:57:55.875267001 +0200
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1571,9 +1573,9 @@ diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c
+}
+
+#endif /* GSSAPI */
diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c
--- openssh-6.0p1/kexgsss.c.gsskex 2012-09-12 15:32:19.116689055 +0200
+++ openssh-6.0p1/kexgsss.c 2012-09-12 15:32:28.316651574 +0200
diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
--- openssh-6.1p1/kexgsss.c.gsskex 2012-09-14 20:57:55.876267007 +0200
+++ openssh-6.1p1/kexgsss.c 2012-09-14 20:57:55.876267007 +0200
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1863,9 +1865,9 @@ diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h
--- openssh-6.0p1/kex.h.gsskex 2012-09-12 15:32:19.093689148 +0200
+++ openssh-6.0p1/kex.h 2012-09-12 15:32:28.316651574 +0200
diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
--- openssh-6.1p1/kex.h.gsskex 2012-09-14 20:57:55.141262312 +0200
+++ openssh-6.1p1/kex.h 2012-09-14 20:57:55.878267019 +0200
@@ -73,6 +73,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256,
@ -1901,10 +1903,10 @@ diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h
void newkeys_destroy(Newkeys *newkeys);
void
diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
--- openssh-6.0p1/key.c.gsskex 2012-09-12 15:32:19.103689108 +0200
+++ openssh-6.0p1/key.c 2012-09-12 15:32:28.317651570 +0200
@@ -1006,6 +1006,8 @@ key_ssh_name_from_type_nid(int type, int
diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
--- openssh-6.1p1/key.c.gsskex 2012-09-14 20:57:55.593265199 +0200
+++ openssh-6.1p1/key.c 2012-09-14 20:57:55.881267039 +0200
@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
}
break;
#endif /* OPENSSL_HAS_ECC */
@ -1913,7 +1915,7 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
}
return "ssh-unknown";
}
@@ -1311,6 +1313,8 @@ key_type_from_name(char *name)
@@ -1316,6 +1318,8 @@ key_type_from_name(char *name)
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
return KEY_ECDSA_CERT;
#endif
@ -1922,9 +1924,9 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
}
debug2("key_type_from_name: unknown key type '%s'", name);
diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h
--- openssh-6.0p1/key.h.gsskex 2012-09-12 15:32:19.094689144 +0200
+++ openssh-6.0p1/key.h 2012-09-12 15:32:28.318651566 +0200
diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
--- openssh-6.1p1/key.h.gsskex 2012-09-14 20:57:55.184262586 +0200
+++ openssh-6.1p1/key.h 2012-09-14 20:57:55.882267045 +0200
@@ -44,6 +44,7 @@ enum types {
KEY_ECDSA_CERT,
KEY_RSA_CERT_V00,
@ -1933,9 +1935,9 @@ diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h
KEY_UNSPEC
};
enum fp_type {
diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
--- openssh-6.0p1/Makefile.in.gsskex 2012-09-12 15:32:19.128689006 +0200
+++ openssh-6.0p1/Makefile.in 2012-09-12 15:32:28.318651566 +0200
diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
--- openssh-6.1p1/Makefile.in.gsskex 2012-09-14 20:57:55.832266726 +0200
+++ openssh-6.1p1/Makefile.in 2012-09-14 20:57:55.884267058 +0200
@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
@ -1953,9 +1955,9 @@ diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
--- openssh-6.0p1/monitor.c.gsskex 2012-09-12 15:32:19.112689072 +0200
+++ openssh-6.0p1/monitor.c 2012-09-12 15:32:28.319651562 +0200
diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
--- openssh-6.1p1/monitor.c.gsskex 2012-09-14 20:57:55.299263321 +0200
+++ openssh-6.1p1/monitor.c 2012-09-14 20:57:55.888267083 +0200
@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
@ -2008,7 +2010,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1942,6 +1959,13 @@ mm_get_kex(Buffer *m)
@@ -1939,6 +1956,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@ -2022,7 +2024,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
@@ -2165,6 +2189,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
@@ -2162,6 +2186,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@ -2032,7 +2034,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
goid.elements = buffer_get_string(m, &len);
goid.length = len;
@@ -2192,6 +2219,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -2189,6 +2216,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@ -2042,7 +2044,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2209,6 +2239,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -2206,6 +2236,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -2050,7 +2052,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
}
return (0);
}
@@ -2220,6 +2251,9 @@ mm_answer_gss_checkmic(int sock, Buffer
@@ -2217,6 +2248,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@ -2060,7 +2062,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
@@ -2246,7 +2280,11 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2243,7 +2277,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@ -2073,7 +2075,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
@@ -2260,6 +2298,74 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2257,6 +2295,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@ -2148,9 +2150,9 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
#endif /* GSSAPI */
#ifdef JPAKE
diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
--- openssh-6.0p1/monitor.h.gsskex 2012-09-12 15:32:19.119689041 +0200
+++ openssh-6.0p1/monitor.h 2012-09-12 15:32:28.319651562 +0200
diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
--- openssh-6.1p1/monitor.h.gsskex 2012-09-14 20:57:55.300263327 +0200
+++ openssh-6.1p1/monitor.h 2012-09-14 20:57:55.889267090 +0200
@@ -56,6 +56,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2160,9 +2162,9 @@ diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
--- openssh-6.0p1/monitor_wrap.c.gsskex 2012-09-12 15:32:19.122689031 +0200
+++ openssh-6.0p1/monitor_wrap.c 2012-09-12 15:32:28.320651557 +0200
diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
--- openssh-6.1p1/monitor_wrap.c.gsskex 2012-09-14 20:57:55.302263340 +0200
+++ openssh-6.1p1/monitor_wrap.c 2012-09-14 20:57:55.892267109 +0200
@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
@ -2224,9 +2226,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
#endif /* GSSAPI */
#ifdef JPAKE
diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.gsskex 2012-09-12 15:32:19.107689091 +0200
+++ openssh-6.0p1/monitor_wrap.h 2012-09-12 15:32:28.321651552 +0200
diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
--- openssh-6.1p1/monitor_wrap.h.gsskex 2012-09-14 20:57:55.304263353 +0200
+++ openssh-6.1p1/monitor_wrap.h 2012-09-14 20:57:55.893267116 +0200
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2239,9 +2241,9 @@ diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
#endif
#ifdef USE_PAM
diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
--- openssh-6.0p1/readconf.c.gsskex 2012-09-12 15:32:19.100689120 +0200
+++ openssh-6.0p1/readconf.c 2012-09-12 15:32:28.321651552 +0200
diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
--- openssh-6.1p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
+++ openssh-6.1p1/readconf.c 2012-09-14 20:57:55.896267134 +0200
@@ -129,6 +129,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -2330,9 +2332,9 @@ diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
--- openssh-6.0p1/readconf.h.gsskex 2012-09-12 15:32:19.125689019 +0200
+++ openssh-6.0p1/readconf.h 2012-09-12 15:32:28.322651548 +0200
diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
--- openssh-6.1p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
+++ openssh-6.1p1/readconf.h 2012-09-14 20:57:55.897267141 +0200
@@ -48,7 +48,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@ -2346,10 +2348,10 @@ diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
--- openssh-6.0p1/servconf.c.gsskex 2012-09-12 15:32:19.088689170 +0200
+++ openssh-6.0p1/servconf.c 2012-09-12 15:32:28.323651545 +0200
@@ -99,7 +99,10 @@ initialize_server_options(ServerOptions
diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
--- openssh-6.1p1/servconf.c.gsskex 2012-09-14 20:57:55.760266266 +0200
+++ openssh-6.1p1/servconf.c 2012-09-14 20:57:55.900267160 +0200
@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@ -2360,7 +2362,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -232,8 +235,14 @@ fill_default_server_options(ServerOption
@@ -236,8 +239,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2375,7 +2377,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -327,7 +336,9 @@ typedef enum {
@@ -333,7 +342,9 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
@ -2386,7 +2388,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
sRequiredAuthentications1, sRequiredAuthentications2,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -393,10 +404,20 @@ static struct {
@@ -399,10 +410,20 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2407,7 +2409,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -983,10 +1004,22 @@ process_server_config_line(ServerOptions
@@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@ -2430,7 +2432,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
@@ -1794,6 +1827,9 @@ dump_config(ServerOptions *o)
@@ -1944,6 +1977,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2440,9 +2442,9 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
#endif
#ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
--- openssh-6.0p1/servconf.h.gsskex 2012-09-12 15:32:19.121689034 +0200
+++ openssh-6.0p1/servconf.h 2012-09-12 15:32:28.323651545 +0200
diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
--- openssh-6.1p1/servconf.h.gsskex 2012-09-14 20:57:55.762266278 +0200
+++ openssh-6.1p1/servconf.h 2012-09-14 20:57:55.902267173 +0200
@@ -103,7 +103,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
@ -2454,9 +2456,21 @@ diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
--- openssh-6.0p1/ssh_config.5.gsskex 2012-09-12 15:32:19.091689156 +0200
+++ openssh-6.0p1/ssh_config.5 2012-09-12 15:32:28.324651542 +0200
diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
--- openssh-6.1p1/ssh_config.gsskex 2012-09-14 20:57:55.707265928 +0200
+++ openssh-6.1p1/ssh_config 2012-09-14 20:57:55.906267198 +0200
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
--- openssh-6.1p1/ssh_config.5.gsskex 2012-07-02 10:53:38.000000000 +0200
+++ openssh-6.1p1/ssh_config.5 2012-09-14 20:57:55.904267186 +0200
@@ -527,11 +527,43 @@ Specifies whether user authentication ba
The default is
.Dq no .
@ -2502,21 +2516,9 @@ diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff -up openssh-6.0p1/ssh_config.gsskex openssh-6.0p1/ssh_config
--- openssh-6.0p1/ssh_config.gsskex 2012-09-12 15:32:19.087689174 +0200
+++ openssh-6.0p1/ssh_config 2012-09-12 15:32:28.324651542 +0200
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
--- openssh-6.0p1/sshconnect2.c.gsskex 2012-09-12 15:32:19.099689124 +0200
+++ openssh-6.0p1/sshconnect2.c 2012-09-12 15:32:28.325651538 +0200
diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
--- openssh-6.1p1/sshconnect2.c.gsskex 2012-09-14 20:57:55.605265275 +0200
+++ openssh-6.1p1/sshconnect2.c 2012-09-14 20:57:55.909267218 +0200
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{
Kex *kex;
@ -2715,9 +2717,9 @@ diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
#endif /* GSSAPI */
int
diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
--- openssh-6.0p1/sshd.c.gsskex 2012-09-12 15:32:19.130688998 +0200
+++ openssh-6.0p1/sshd.c 2012-09-12 15:32:28.326651534 +0200
diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.gsskex 2012-09-14 20:57:55.799266515 +0200
+++ openssh-6.1p1/sshd.c 2012-09-14 20:57:55.912267237 +0200
@@ -124,6 +124,10 @@
#include "ssh-sandbox.h"
#include "version.h"
@ -2729,7 +2731,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
@@ -1701,10 +1705,13 @@ main(int ac, char **av)
@@ -1692,10 +1696,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@ -2743,7 +2745,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
@@ -2037,6 +2044,60 @@ main(int ac, char **av)
@@ -2027,6 +2034,60 @@ main(int ac, char **av)
/* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2804,7 +2806,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
@@ -2435,6 +2496,48 @@ do_ssh2_kex(void)
@@ -2425,6 +2486,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2853,7 +2855,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
/* start key exchange */
kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@@ -2442,6 +2545,13 @@ do_ssh2_kex(void)
@@ -2432,6 +2535,13 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@ -2867,10 +2869,22 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
--- openssh-6.0p1/sshd_config.5.gsskex 2012-09-12 15:32:19.109689084 +0200
+++ openssh-6.0p1/sshd_config.5 2012-09-12 15:32:28.327651530 +0200
@@ -437,12 +437,40 @@ Specifies whether user authentication ba
diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
--- openssh-6.1p1/sshd_config.gsskex 2012-09-14 20:57:55.801266528 +0200
+++ openssh-6.1p1/sshd_config 2012-09-14 20:57:55.916267263 +0200
@@ -85,6 +85,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.gsskex 2012-09-14 20:57:55.767266310 +0200
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:57:55.915267256 +0200
@@ -439,12 +439,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@ -2911,21 +2925,9 @@ diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
diff -up openssh-6.0p1/sshd_config.gsskex openssh-6.0p1/sshd_config
--- openssh-6.0p1/sshd_config.gsskex 2012-09-12 15:32:19.102689112 +0200
+++ openssh-6.0p1/sshd_config 2012-09-12 15:32:28.327651530 +0200
@@ -83,6 +83,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-6.0p1/ssh-gss.h.gsskex openssh-6.0p1/ssh-gss.h
--- openssh-6.0p1/ssh-gss.h.gsskex 2012-09-12 15:32:19.090689160 +0200
+++ openssh-6.0p1/ssh-gss.h 2012-09-12 15:32:28.328651526 +0200
diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
--- openssh-6.1p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-6.1p1/ssh-gss.h 2012-09-14 20:57:55.918267275 +0200
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*


@ -1,7 +1,7 @@
diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
--- openssh-5.9p0/auth-krb5.c.kuserok 2011-08-30 16:37:32.651150128 +0200
+++ openssh-5.9p0/auth-krb5.c 2011-08-30 16:37:37.549087368 +0200
@@ -54,6 +54,20 @@
diff -up openssh-6.1p1/auth-krb5.c.kuserok openssh-6.1p1/auth-krb5.c
--- openssh-6.1p1/auth-krb5.c.kuserok 2012-09-14 21:08:16.941496194 +0200
+++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:08:17.063496896 +0200
@@ -55,6 +55,20 @@
extern ServerOptions options;
@ -22,7 +22,7 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
static int
krb5_init(void *context)
{
@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
@ -31,9 +31,9 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
problem = -1;
goto out;
}
diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
--- openssh-5.9p0/gss-serv-krb5.c.kuserok 2011-08-30 16:37:36.988024804 +0200
+++ openssh-5.9p0/gss-serv-krb5.c 2011-08-30 16:37:37.659088030 +0200
diff -up openssh-6.1p1/gss-serv-krb5.c.kuserok openssh-6.1p1/gss-serv-krb5.c
--- openssh-6.1p1/gss-serv-krb5.c.kuserok 2012-09-14 21:08:17.019496642 +0200
+++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 21:08:17.065496906 +0200
@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int);
@ -51,27 +51,27 @@ diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
luser, (char *)client->displayname.value);
diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
--- openssh-5.9p0/servconf.c.kuserok 2011-08-30 16:37:35.093073603 +0200
+++ openssh-5.9p0/servconf.c 2011-08-30 16:41:13.568087145 +0200
@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions
options->authorized_principals_file = NULL;
diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
--- openssh-6.1p1/servconf.c.kuserok 2012-09-14 21:08:16.989496471 +0200
+++ openssh-6.1p1/servconf.c 2012-09-14 21:09:30.864868698 +0200
@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
+ options->use_kuserok = -1;
}
void
@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT;
@@ -301,6 +302,8 @@ fill_default_server_options(ServerOption
options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1)
options->show_patchlevel = 0;
options->show_patchlevel = 0;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -317,7 +320,7 @@ typedef enum {
@@ -327,7 +330,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +80,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -388,11 +391,13 @@ static struct {
@@ -399,11 +402,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@ -94,7 +94,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1371,6 +1376,10 @@ process_server_config_line(ServerOptions
@@ -1486,6 +1491,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
@ -105,7 +105,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -1580,6 +1589,7 @@ copy_set_server_options(ServerOptions *d
@@ -1769,6 +1778,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
@ -113,7 +113,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
/* See comment in servconf.h */
COPY_MATCH_STRING_OPTS();
@@ -1816,6 +1826,7 @@ dump_config(ServerOptions *o)
@@ -2005,6 +2015,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,10 +121,10 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
--- openssh-5.9p0/servconf.h.kuserok 2011-08-30 16:37:35.201051957 +0200
+++ openssh-5.9p0/servconf.h 2011-08-30 16:37:37.926087431 +0200
@@ -166,6 +166,7 @@ typedef struct {
diff -up openssh-6.1p1/servconf.h.kuserok openssh-6.1p1/servconf.h
--- openssh-6.1p1/servconf.h.kuserok 2012-09-14 21:08:16.990496476 +0200
+++ openssh-6.1p1/servconf.h 2012-09-14 21:08:17.071496942 +0200
@@ -169,6 +169,7 @@ typedef struct {
int num_permitted_opens;
@ -132,10 +132,21 @@ diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
--- openssh-5.9p0/sshd_config.5.kuserok 2011-08-30 16:37:35.979024607 +0200
+++ openssh-5.9p0/sshd_config.5 2011-08-30 16:37:38.040087843 +0200
@@ -603,6 +603,10 @@ Specifies whether to automatically destr
diff -up openssh-6.1p1/sshd_config.kuserok openssh-6.1p1/sshd_config
--- openssh-6.1p1/sshd_config.kuserok 2012-09-14 21:08:17.002496545 +0200
+++ openssh-6.1p1/sshd_config 2012-09-14 21:08:17.074496957 +0200
@@ -79,6 +79,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
diff -up openssh-6.1p1/sshd_config.5.kuserok openssh-6.1p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.kuserok 2012-09-14 21:08:17.004496556 +0200
+++ openssh-6.1p1/sshd_config.5 2012-09-14 21:08:17.073496952 +0200
@@ -618,6 +618,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Dq yes .
@ -146,7 +157,7 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
@@ -746,6 +750,7 @@ Available keywords are
@@ -767,6 +771,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
@ -154,14 +165,3 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PubkeyAuthentication ,
diff -up openssh-5.9p0/sshd_config.kuserok openssh-5.9p0/sshd_config
--- openssh-5.9p0/sshd_config.kuserok 2011-08-30 16:37:36.808026328 +0200
+++ openssh-5.9p0/sshd_config 2011-08-30 16:37:38.148071520 +0200
@@ -77,6 +77,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no


@ -1,10 +1,9 @@
diff --git a/sshd.c b/sshd.c
index 8dcfdf2..95b63ad 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1592,6 +1592,10 @@ main(int ac, char **av)
diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
+++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
@@ -1617,6 +1617,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
&cfg, NULL, NULL, NULL);
&cfg, NULL);
+ /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam)
@ -13,11 +12,10 @@ index 8dcfdf2..95b63ad 100644
seed_rng();
/* Fill in default values for those options not explicitly set. */
diff --git a/sshd_config b/sshd_config
index 8c16754..9f28b04 100644
--- a/sshd_config
+++ b/sshd_config
@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
--- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
+++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
@@ -95,6 +95,8 @@ GSSAPICleanupCredentials yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
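Review bot: The guard added at the top of the sshd.c hunk, `if (! options.use_pam)`, is evaluated immediately after parse_server_config() and before the "Fill in default values" step, so it sees the raw tri-state value rather than the defaulted one; following the -1-means-unset convention used for the other server options in this file, an unset UsePAM is presumably -1, which `!` treats as true-set, so the message fires only on an explicit `UsePAM no`. If that is the intent, writing it as `if (options.use_pam == 0)` makes the tri-state explicit instead of relying on -1 being truthy. A short comment above the guard, e.g. `/* must run before fill_default_server_options() so only an explicit 'UsePAM no' is reported */`, would keep a later reordering from silently changing what gets logged. The body of the if, and the rest of main(), lie outside the visible hunk.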


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
--- openssh-5.9p1/auth.c.required-authentication 2012-07-27 12:21:41.181601972 +0200
+++ openssh-5.9p1/auth.c 2012-07-27 12:21:41.203602020 +0200
diff -up openssh-6.1p1/auth.c.required-authentication openssh-6.1p1/auth.c
--- openssh-6.1p1/auth.c.required-authentication 2012-09-14 20:17:56.730488188 +0200
+++ openssh-6.1p1/auth.c 2012-09-14 20:17:56.795488498 +0200
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
}
@ -32,7 +32,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
{
switch (options.permit_root_login) {
case PERMIT_YES:
@@ -694,3 +696,57 @@ fakepw(void)
@@ -696,3 +698,57 @@ fakepw(void)
return (&fake);
}
@ -90,9 +90,9 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
+
+ return (ret);
+}
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
+++ openssh-5.9p1/auth.h 2012-07-27 12:21:41.204602022 +0200
diff -up openssh-6.1p1/auth.h.required-authentication openssh-6.1p1/auth.h
--- openssh-6.1p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
+++ openssh-6.1p1/auth.h 2012-09-14 20:17:56.796488502 +0200
@@ -142,10 +142,11 @@ void disable_forwarding(void);
void do_authentication(Authctxt *);
void do_authentication2(Authctxt *);
@ -120,9 +120,9 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
int sys_auth_passwd(Authctxt *, const char *);
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.9p1/auth1.c 2012-07-27 12:50:50.708706675 +0200
diff -up openssh-6.1p1/auth1.c.required-authentication openssh-6.1p1/auth1.c
--- openssh-6.1p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
+++ openssh-6.1p1/auth1.c 2012-09-14 20:17:56.798488515 +0200
@@ -98,6 +98,55 @@ static const struct AuthMethod1
return (NULL);
}
@ -281,9 +281,9 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
packet_start(SSH_SMSG_FAILURE);
packet_send();
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2.c 2012-07-27 12:51:59.048241612 +0200
diff -up openssh-6.1p1/auth2.c.required-authentication openssh-6.1p1/auth2.c
--- openssh-6.1p1/auth2.c.required-authentication 2011-12-19 00:52:51.000000000 +0100
+++ openssh-6.1p1/auth2.c 2012-09-14 20:17:56.799488520 +0200
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
{
Authctxt *authctxt = ctxt;
@ -452,9 +452,9 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
+ return (ret);
+}
+
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2-gss.c 2012-07-27 12:21:41.206602026 +0200
diff -up openssh-6.1p1/auth2-gss.c.required-authentication openssh-6.1p1/auth2-gss.c
--- openssh-6.1p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
+++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:17:56.801488528 +0200
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
}
authctxt->postponed = 0;
@ -482,9 +482,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
}
Authmethod method_gssapi = {
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
+++ openssh-5.9p1/auth2-chall.c 2012-07-27 12:21:41.206602026 +0200
diff -up openssh-6.1p1/auth2-chall.c.required-authentication openssh-6.1p1/auth2-chall.c
--- openssh-6.1p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
+++ openssh-6.1p1/auth2-chall.c 2012-09-14 20:17:56.802488532 +0200
@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
auth2_challenge_start(authctxt);
}
@ -495,9 +495,9 @@ diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2
xfree(method);
}
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
+++ openssh-5.9p1/auth2-none.c 2012-07-27 12:21:41.207602028 +0200
diff -up openssh-6.1p1/auth2-none.c.required-authentication openssh-6.1p1/auth2-none.c
--- openssh-6.1p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
+++ openssh-6.1p1/auth2-none.c 2012-09-14 20:17:56.803488537 +0200
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
@ -507,9 +507,9 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
}
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.required-authentication 2012-07-27 12:21:41.161601930 +0200
+++ openssh-5.9p1/monitor.c 2012-07-27 12:51:18.884927066 +0200
diff -up openssh-6.1p1/monitor.c.required-authentication openssh-6.1p1/monitor.c
--- openssh-6.1p1/monitor.c.required-authentication 2012-09-14 20:17:56.685487974 +0200
+++ openssh-6.1p1/monitor.c 2012-09-14 20:17:56.806488552 +0200
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
@ -579,7 +579,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
}
/* Drain any buffered messages from the child */
@@ -862,6 +878,7 @@ mm_answer_authpassword(int sock, Buffer
@@ -860,6 +876,7 @@ mm_answer_authpassword(int sock, Buffer
auth_method = "none";
else
auth_method = "password";
@ -587,7 +587,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* Causes monitor loop to terminate if authenticated */
return (authenticated);
@@ -921,6 +938,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
@@ -919,6 +936,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
auth_method = "bsdauth";
@ -595,7 +595,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (authok != 0);
}
@@ -970,6 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer *
@@ -968,6 +986,7 @@ mm_answer_skeyrespond(int sock, Buffer *
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
auth_method = "skey";
@ -603,7 +603,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (authok != 0);
}
@@ -1059,7 +1078,8 @@ mm_answer_pam_query(int sock, Buffer *m)
@@ -1057,7 +1076,8 @@ mm_answer_pam_query(int sock, Buffer *m)
xfree(prompts);
if (echo_on != NULL)
xfree(echo_on);
@ -613,7 +613,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
return (0);
}
@@ -1088,7 +1108,8 @@ mm_answer_pam_respond(int sock, Buffer *
@@ -1086,7 +1106,8 @@ mm_answer_pam_respond(int sock, Buffer *
buffer_clear(m);
buffer_put_int(m, ret);
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
@ -623,7 +623,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (ret == 0)
sshpam_authok = sshpam_ctxt;
return (0);
@@ -1102,7 +1123,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
@@ -1100,7 +1121,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
(sshpam_device.free_ctx)(sshpam_ctxt);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
@ -633,7 +633,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (sshpam_authok == sshpam_ctxt);
}
#endif
@@ -1138,6 +1160,7 @@ mm_answer_keyallowed(int sock, Buffer *m
@@ -1136,6 +1158,7 @@ mm_answer_keyallowed(int sock, Buffer *m
allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key);
auth_method = "publickey";
@ -641,7 +641,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (options.pubkey_authentication && allowed != 1)
auth_clear_options();
break;
@@ -1146,6 +1169,7 @@ mm_answer_keyallowed(int sock, Buffer *m
@@ -1144,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
auth_method = "hostbased";
@ -649,7 +649,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
break;
case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */
@@ -1155,6 +1179,7 @@ mm_answer_keyallowed(int sock, Buffer *m
@@ -1153,6 +1177,7 @@ mm_answer_keyallowed(int sock, Buffer *m
if (options.rhosts_rsa_authentication && allowed != 1)
auth_clear_options();
auth_method = "rsa";
@ -657,7 +657,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
break;
default:
fatal("%s: unknown key type %d", __func__, type);
@@ -1180,7 +1205,8 @@ mm_answer_keyallowed(int sock, Buffer *m
@@ -1178,7 +1203,8 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_chost = chost;
} else {
/* Log failed attempt */
@ -667,7 +667,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
xfree(blob);
xfree(cuser);
xfree(chost);
@@ -1356,6 +1382,7 @@ mm_answer_keyverify(int sock, Buffer *m)
@@ -1354,6 +1380,7 @@ mm_answer_keyverify(int sock, Buffer *m)
xfree(data);
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@ -675,7 +675,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
monitor_reset_key_state();
@@ -1545,6 +1572,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
@@ -1543,6 +1570,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
debug3("%s entering", __func__);
auth_method = "rsa";
@ -683,7 +683,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (options.rsa_authentication && authctxt->valid) {
if ((client_n = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
@@ -1650,6 +1678,7 @@ mm_answer_rsa_response(int sock, Buffer
@@ -1648,6 +1676,7 @@ mm_answer_rsa_response(int sock, Buffer
xfree(response);
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@ -691,7 +691,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* reset state */
BN_clear_free(ssh1_challenge);
@@ -2099,6 +2128,7 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2097,6 +2126,7 @@ mm_answer_gss_userok(int sock, Buffer *m
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
auth_method = "gssapi-with-mic";
@ -699,7 +699,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* Monitor loop will terminate if authenticated */
return (authenticated);
@@ -2303,6 +2333,7 @@ mm_answer_jpake_check_confirm(int sock,
@@ -2301,6 +2331,7 @@ mm_answer_jpake_check_confirm(int sock,
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
auth_method = "jpake-01@openssh.com";
@ -707,10 +707,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return authenticated;
}
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.required-authentication 2012-07-27 12:21:41.167601942 +0200
+++ openssh-5.9p1/servconf.c 2012-07-27 12:21:41.209602032 +0200
@@ -42,6 +42,8 @@
diff -up openssh-6.1p1/servconf.c.required-authentication openssh-6.1p1/servconf.c
--- openssh-6.1p1/servconf.c.required-authentication 2012-09-14 20:17:56.699488040 +0200
+++ openssh-6.1p1/servconf.c 2012-09-14 20:19:49.179983651 +0200
@@ -43,6 +43,8 @@
#include "key.h"
#include "kex.h"
#include "mac.h"
@ -719,7 +719,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
#include "match.h"
#include "channels.h"
#include "groupaccess.h"
@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
@@ -132,6 +134,8 @@ initialize_server_options(ServerOptions
options->num_authkeys_files = 0;
options->num_accept_env = 0;
options->permit_tun = -1;
@ -728,7 +728,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
@@ -319,6 +323,7 @@ typedef enum {
@@ -324,6 +328,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@ -736,16 +736,16 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -447,6 +452,8 @@ static struct {
@@ -452,6 +457,8 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
@@ -1298,6 +1305,33 @@ process_server_config_line(ServerOptions
options->max_startups = options->max_startups_begin;
break;
@ -779,9 +779,9 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
case sMaxAuthTries:
intptr = &options->max_authtries;
goto parse_int;
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
+++ openssh-5.9p1/servconf.h 2012-07-27 12:21:41.210602035 +0200
diff -up openssh-6.1p1/servconf.h.required-authentication openssh-6.1p1/servconf.h
--- openssh-6.1p1/servconf.h.required-authentication 2012-07-31 04:21:34.000000000 +0200
+++ openssh-6.1p1/servconf.h 2012-09-14 20:17:56.810488571 +0200
@@ -154,6 +154,9 @@ typedef struct {
u_int num_authkeys_files; /* Files containing public keys */
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
@ -792,10 +792,10 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
+++ openssh-5.9p1/sshd_config.5 2012-07-27 12:38:47.607222070 +0200
@@ -723,6 +723,8 @@ Available keywords are
diff -up openssh-6.1p1/sshd_config.5.required-authentication openssh-6.1p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.required-authentication 2012-07-02 10:53:38.000000000 +0200
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:17:56.812488582 +0200
@@ -731,6 +731,8 @@ Available keywords are
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
@ -804,7 +804,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
@@ -931,6 +933,21 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
@ -1,7 +1,7 @@
diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
--- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100
+++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100
@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac
--- openssh-6.1p1/configure.ac.vendor 2012-09-14 20:36:49.153085211 +0200
+++ openssh-6.1p1/configure.ac 2012-09-14 20:36:49.559088133 +0200
@@ -4303,6 +4303,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
@ -14,7 +14,7 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack
@@ -4529,6 +4535,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
echo ""
diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100
+++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100
@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions
diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
--- openssh-6.1p1/servconf.c.vendor 2012-09-14 20:36:49.124085002 +0200
+++ openssh-6.1p1/servconf.c 2012-09-14 20:50:34.995972516 +0200
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
@ -33,16 +33,17 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
@@ -289,6 +290,9 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
+ options->show_patchlevel = 0;
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -321,7 +324,7 @@ typedef enum {
use_privsep = PRIVSEP_NOSANDBOX;
@@ -326,7 +330,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -51,7 +52,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -436,6 +439,7 @@ static struct {
@@ -441,6 +445,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
@ -59,7 +60,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
@@ -1162,6 +1167,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;
@ -70,7 +71,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
@@ -1956,6 +1965,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
@ -78,9 +79,9 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100
+++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100
diff -up openssh-6.1p1/servconf.h.vendor openssh-6.1p1/servconf.h
--- openssh-6.1p1/servconf.h.vendor 2012-09-14 20:36:49.125085009 +0200
+++ openssh-6.1p1/servconf.h 2012-09-14 20:36:49.564088168 +0200
@@ -140,6 +140,7 @@ typedef struct {
int max_authtries;
int max_sessions;
@ -89,10 +90,10 @@ diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100
@@ -112,6 +112,7 @@ X11Forwarding yes
diff -up openssh-6.1p1/sshd_config.vendor openssh-6.1p1/sshd_config
--- openssh-6.1p1/sshd_config.vendor 2012-09-14 20:36:49.507087759 +0200
+++ openssh-6.1p1/sshd_config 2012-09-14 20:36:49.565088175 +0200
@@ -114,6 +114,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
@ -100,10 +101,10 @@ diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100
@@ -556,6 +556,11 @@ DESCRIPTION
diff -up openssh-6.1p1/sshd_config.0.vendor openssh-6.1p1/sshd_config.0
--- openssh-6.1p1/sshd_config.0.vendor 2012-09-14 20:36:49.510087780 +0200
+++ openssh-6.1p1/sshd_config.0 2012-09-14 20:36:49.567088190 +0200
@@ -558,6 +558,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
@ -115,10 +116,10 @@ diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100
@@ -982,6 +982,14 @@ This option applies to protocol version
diff -up openssh-6.1p1/sshd_config.5.vendor openssh-6.1p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.vendor 2012-09-14 20:36:49.512087794 +0200
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:36:49.568088198 +0200
@@ -978,6 +978,14 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
@ -133,19 +134,19 @@ diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
.It Cm StrictModes
Specifies whether
.Xr sshd 8
diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100
+++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
minor = PROTOCOL_MINOR_1;
diff -up openssh-6.1p1/sshd.c.vendor openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.vendor 2012-09-14 20:36:49.399086981 +0200
+++ openssh-6.1p1/sshd.c 2012-09-14 20:47:30.696088744 +0200
@@ -433,7 +433,7 @@ sshd_exchange_identification(int sock_in
}
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
- SSH_VERSION, newline);
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */
@@ -1634,7 +1634,8 @@ main(int ac, char **av)
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1635,7 +1635,8 @@ main(int ac, char **av)
exit(1);
}
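Review bot: The banner selector `(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION` is now written out twice in the sshd.c hunks, once in sshd_exchange_identification and once in the new main() hunk, so the two server-version paths can diverge on the next rebase; a single definition such as `#define SSHD_BANNER_VERSION() (options.show_patchlevel == 1 ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION)` used at both call sites would keep them in step, and the `%.100s` width in both format strings already bounds what is copied into the banner. Both enclosing functions start and end outside the hunk. In the fill_default_server_options hunk, `options->show_patchlevel = 0;` is printed twice beside a new empty `+` line; the rendered page does not show which side each copy belongs to, so if the second copy is an unconditional assignment rather than a whitespace-only change it would silently override any ShowPatchLevel setting and should be checked in the regenerated patch. Because the selected string is sent to the peer before authentication, keeping the default at 0 (no patch level disclosed) is the right choice and worth a one-line comment next to the default, e.g. `/* ShowPatchLevel defaults to off: the banner goes out before authentication */`.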
@ -108,7 +108,7 @@ Source13: sshd-keygen
Patch0: openssh-5.9p1-wIm.patch
#?
Patch100: openssh-5.9p1-coverity.patch
Patch100: openssh-6.1p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Patch101: openssh-5.8p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
@ -118,7 +118,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=983
#Patch104: openssh-5.9p1-2auth.patch
Patch104: openssh-5.9p1-required-authentications.patch
Patch104: openssh-6.1p1-required-authentications.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-5.8p1-audit0.patch
@ -150,7 +150,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch
Patch404: openssh-5.9p1-privsep-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Patch500: openssh-5.9p1-akc.patch
Patch500: openssh-6.1p1-akc.patch
#?-- unwanted child :(
Patch501: openssh-6.0p1-ldap.patch
#?
@ -173,7 +173,7 @@ Patch606: openssh-5.9p1-ipv6man.patch
#?
Patch607: openssh-5.8p2-sigpipe.patch
#?
Patch608: openssh-5.8p2-askpass-ld.patch
Patch608: openssh-6.1p1-askpass-ld.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
Patch609: openssh-5.5p1-x11.patch
@ -196,29 +196,27 @@ Patch707: openssh-5.9p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-6.0p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
Patch709: openssh-5.9p1-vendor.patch
Patch709: openssh-6.1p1-vendor.patch
#?
Patch710: openssh-5.9p1-copy-id-restorecon.patch
# warn users for unsupported UsePAM=no (#757545)
Patch711: openssh-5.9p1-log-usepam-no.patch
Patch711: openssh-6.1p1-log-usepam-no.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-5.9p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr
Patch713: openssh-5.9p1-ctr-cavstest.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=815993
Patch714: openssh-5.9p1-null-xcrypt.patch
#http://www.sxw.org.uk/computing/patches/openssh.html
#changed cache storage type - #848228
Patch800: openssh-6.0p1-gsskex.patch
Patch800: openssh-6.1p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-5.8p2-force_krb.patch
#?
Patch900: openssh-5.8p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-5.9p1-kuserok.patch
Patch901: openssh-6.1p1-kuserok.patch
#---
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
# sctp
@ -459,7 +457,6 @@ popd
%patch711 -p1 -b .log-usepam-no
%patch712 -p1 -b .evp-ctr
%patch713 -p1 -b .ctr-cavs
%patch714 -p0 -b .null-xcrypt
%patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb