rebase to openssh-6.1p1 (#852651)

Petr Lautrbach 2012-09-14 22:18:22 +02:00
parent 51ca3be245
commit 9fe1afc163
10 changed files with 791 additions and 847 deletions


@ -1,17 +0,0 @@
Index: auth-passwd.c
===================================================================
RCS file: /cvs/openssh/auth-passwd.c,v
retrieving revision 1.90
retrieving revision 1.91
diff -u -r1.90 -r1.91
--- auth-passwd.c 8 Mar 2009 00:40:28 -0000 1.90
+++ auth-passwd.c 25 Apr 2012 23:51:28 -0000 1.91
@@ -209,6 +209,7 @@
* Authentication is accepted if the encrypted passwords
* are identical.
*/
- return (strcmp(encrypted_password, pw_password) == 0);
+ return encrypted_password != NULL &&
+ strcmp(encrypted_password, pw_password) == 0;
}
#endif


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100 --- openssh-6.1p1/auth2-pubkey.c.akc 2012-09-14 20:20:48.459445650 +0200
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100 +++ openssh-6.1p1/auth2-pubkey.c 2012-09-14 20:20:48.520446072 +0200
@@ -27,6 +27,7 @@ @@ -27,6 +27,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -9,7 +9,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
#include <fcntl.h> #include <fcntl.h>
#include <pwd.h> #include <pwd.h>
@@ -276,27 +277,15 @@ match_principals_file(char *file, struct @@ -277,27 +278,15 @@ match_principals_file(char *file, struct
/* return 1 if user allows given key */ /* return 1 if user allows given key */
static int static int
@ -38,7 +38,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
found_key = 0; found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -389,8 +378,6 @@ user_key_allowed2(struct passwd *pw, Key @@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key
break; break;
} }
} }
@ -47,7 +47,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
key_free(found); key_free(found);
if (!found_key) if (!found_key)
debug2("key not found"); debug2("key not found");
@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw, @@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw,
return ret; return ret;
} }
@ -240,10 +240,10 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
if (auth_key_is_revoked(key)) if (auth_key_is_revoked(key))
return 0; return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac
--- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100 --- openssh-6.1p1/configure.ac.akc 2012-07-06 03:49:29.000000000 +0200
+++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100 +++ openssh-6.1p1/configure.ac 2012-09-14 20:20:48.525446106 +0200
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit], @@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit],
esac ] esac ]
) )
@ -262,7 +262,7 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \ AC_CHECK_FUNCS([ \
arc4random \ arc4random \
@@ -4239,6 +4251,7 @@ echo " SELinux support @@ -4407,6 +4419,7 @@ echo " SELinux support
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
@ -270,10 +270,10 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
echo " MD5 password support: $MD5_MSG" echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG" echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG" echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
--- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100 --- openssh-6.1p1/servconf.c.akc 2012-09-14 20:20:48.138443423 +0200
+++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100 +++ openssh-6.1p1/servconf.c 2012-09-14 20:27:34.546107295 +0200
@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions @@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1; options->num_permitted_opens = -1;
options->adm_forced_command = NULL; options->adm_forced_command = NULL;
options->chroot_directory = NULL; options->chroot_directory = NULL;
@ -282,18 +282,18 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
options->zero_knowledge_password_authentication = -1; options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL; options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL; options->trusted_user_ca_keys = NULL;
@@ -329,6 +331,7 @@ typedef enum { @@ -334,6 +336,7 @@ typedef enum {
sZeroKnowledgePasswordAuthentication, sHostCertificate, sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs, + sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
sDeprecated, sUnsupported sDeprecated, sUnsupported
} ServerOpCodes; } ServerOpCodes;
@@ -455,6 +458,13 @@ static struct { @@ -461,6 +464,14 @@ static struct {
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL }, { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND +#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL }, + { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
@ -301,12 +301,13 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL }, + { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL }, + { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
+#endif +#endif
+
{ NULL, sBadOption, 0 } { NULL, sBadOption, 0 }
}; };
@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions @@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions
} }
break; return 0;
+ case sAuthorizedKeysCommand: + case sAuthorizedKeysCommand:
+ len = strspn(cp, WHITESPACE); + len = strspn(cp, WHITESPACE);
@ -329,7 +330,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
case sDeprecated: case sDeprecated:
logit("%s line %d: Deprecated option %s", logit("%s line %d: Deprecated option %s",
filename, linenum, arg); filename, linenum, arg);
@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d @@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(hostbased_uses_name_from_packet_only);
M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(kbd_interactive_authentication);
M_CP_INTOPT(zero_knowledge_password_authentication); M_CP_INTOPT(zero_knowledge_password_authentication);
@ -338,30 +339,30 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(permit_empty_passwd); M_CP_INTOPT(permit_empty_passwd);
@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o) @@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile, dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file); o->authorized_principals_file);
dump_cfg_string(sVersionAddendum, o->version_addendum);
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); + dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas); + dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
/* string arguments requiring a lookup */ /* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level)); dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
--- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100 --- openssh-6.1p1/servconf.h.akc 2012-09-14 20:20:48.000000000 +0200
+++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100 +++ openssh-6.1p1/servconf.h 2012-09-14 20:23:16.691844577 +0200
@@ -169,6 +169,8 @@ typedef struct { @@ -169,6 +169,8 @@ typedef struct {
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
char *authorized_principals_file; char *authorized_principals_file;
+ char *authorized_keys_command; + char *authorized_keys_command;
+ char *authorized_keys_command_runas; + char *authorized_keys_command_runas;
} ServerOptions;
/* char *version_addendum; /* Appended to SSH banner */
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config } ServerOptions;
--- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200 diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100 --- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
+++ openssh-6.1p1/sshd_config 2012-09-14 20:30:46.950095769 +0200
@@ -49,6 +49,9 @@ @@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys # but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys
@ -369,12 +370,12 @@ diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
+#AuthorizedKeysCommand none +#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody +#AuthorizedKeysCommandRunAs nobody
+ +
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
# similar for protocol version 2 --- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 +++ openssh-6.1p1/sshd_config.0 2012-09-14 20:32:23.539624859 +0200
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
+++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100
@@ -71,6 +71,23 @@ DESCRIPTION @@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns. See PATTERNS in ssh_config(5) for more information on patterns.
@ -399,19 +400,19 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
AuthorizedKeysFile AuthorizedKeysFile
Specifies the file that contains the public keys that can be used Specifies the file that contains the public keys that can be used
for user authentication. The format is described in the for user authentication. The format is described in the
@@ -401,7 +418,8 @@ DESCRIPTION @@ -402,7 +419,8 @@ DESCRIPTION
Only a subset of keywords may be used on the lines following a Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are AllowAgentForwarding, Match keyword. Available keywords are AcceptEnv,
- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
+ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand, - AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, + AllowUsers, AuthorizedKeysFile, AuthorizedKeysCommand,
Banner, ChrootDirectory, ForceCommand, GatewayPorts, + AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, Banner,
GSSAPIAuthentication, HostbasedAuthentication, ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100 --- openssh-6.1p1/sshd_config.5.akc 2012-09-14 20:20:48.142443448 +0200
+++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100 +++ openssh-6.1p1/sshd_config.5 2012-09-14 20:29:56.003873873 +0200
@@ -151,6 +151,19 @@ See @@ -151,6 +151,19 @@ See
in in
.Xr ssh_config 5 .Xr ssh_config 5
@ -432,16 +433,16 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
.It Cm AuthorizedKeysFile .It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used Specifies the file that contains the public keys that can be used
for user authentication. for user authentication.
@@ -706,6 +719,8 @@ Available keywords are @@ -712,6 +725,8 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding , .Cm AllowTcpForwarding ,
.Cm AllowUsers ,
.Cm AuthorizedKeysFile , .Cm AuthorizedKeysFile ,
+.Cm AuthorizedKeysCommand , +.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs , +.Cm AuthorizedKeysCommandRunAs ,
.Cm AuthorizedPrincipalsFile , .Cm AuthorizedPrincipalsFile ,
.Cm Banner , .Cm Banner ,
.Cm ChrootDirectory , .Cm ChrootDirectory ,
@@ -718,6 +733,7 @@ Available keywords are @@ -726,6 +741,7 @@ Available keywords are
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
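Review bot: The sample sshd_config lines added in this section's sshd_config hunk, `#AuthorizedKeysCommand none` and `#AuthorizedKeysCommandRunAs nobody`, present `nobody` as the account the key-lookup command runs under, but nothing visible in the sample or in the sshd_config.5 hunk explains which account to choose, even though the command's output is what decides whether a login is accepted. Since `nobody` is shared with other unprivileged services on many systems, the sample should steer administrators toward a dedicated account, e.g. a comment above those lines reading `# Run the command as a dedicated unprivileged account, not one shared with other services`. The sshd_config.5 hunk here cuts off after the `.It Cm AuthorizedKeysFile` context, so whether the manual already says this cannot be confirmed from this page. The initialize_server_options default for authorized_keys_command_runas is likewise outside the visible lines of the servconf.c hunk.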


@ -1,7 +1,7 @@
diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
--- openssh-5.8p2/contrib/Makefile.askpass-ld 2011-08-08 22:54:06.050546199 +0200 --- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200
+++ openssh-5.8p2/contrib/Makefile 2011-08-08 22:54:43.364420118 +0200 +++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200
@@ -2,12 +2,12 @@ all: @@ -4,12 +4,12 @@ all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2" @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c gnome-ssh-askpass1: gnome-ssh-askpass1.c
@ -11,8 +11,8 @@ diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefil
`gnome-config --libs gnome gnomeui` `gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c gnome-ssh-askpass2: gnome-ssh-askpass2.c
- $(CC) `pkg-config --cflags gtk+-2.0` \ - $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
+ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \ + $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`pkg-config --libs gtk+-2.0 x11` `$(PKG_CONFIG) --libs gtk+-2.0 x11`
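Review bot: The rebased `$(CC) ${CFLAGS} ...` line for gnome-ssh-askpass2 in this section's second hunk passes the compiler flags into a single compile-and-link command but not `$(LDFLAGS)`, so any linker options a distribution supplies through LDFLAGS (hardening link flags are the usual case) do not reach the link of the askpass helper. The brace form `${CFLAGS}` also differs from the `$(CC)` and `$(PKG_CONFIG)` references on the same line. Changing the start of that line to `$(CC) $(CFLAGS) $(LDFLAGS) \` in front of the existing pkg-config substitution addresses both; the gnome-ssh-askpass1 rule is cut by the hunk boundary, so I cannot tell whether it has the same shape.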


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c diff -up openssh-6.1p1/auth-pam.c.coverity openssh-6.1p1/auth-pam.c
--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200 --- openssh-6.1p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.9p1/auth-pam.c 2011-09-14 08:09:47.074520582 +0200 +++ openssh-6.1p1/auth-pam.c 2012-09-14 21:16:41.264906486 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void * @@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1) if (sshpam_thread_status != -1)
return (sshpam_thread_status); return (sshpam_thread_status);
@ -15,43 +15,10 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
return (status); return (status);
} }
#endif #endif
diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c diff -up openssh-6.1p1/clientloop.c.coverity openssh-6.1p1/clientloop.c
--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200 --- openssh-6.1p1/clientloop.c.coverity 2012-06-20 14:31:27.000000000 +0200
+++ openssh-5.9p1/channels.c 2011-09-14 08:09:47.556582810 +0200 +++ openssh-6.1p1/clientloop.c 2012-09-14 21:16:41.267906501 +0200
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd @@ -2006,14 +2006,15 @@ client_input_global_request(int type, u_
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
- if (rfd != -1)
+ if (rfd >= 0)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
- if (wfd != -1 && wfd != rfd)
+ if (wfd >= 0 && wfd != rfd)
fcntl(wfd, F_SETFD, FD_CLOEXEC);
- if (efd != -1 && efd != rfd && efd != wfd)
+ if (efd >= 0 && efd != rfd && efd != wfd)
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -248,11 +248,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
- if (rfd != -1)
+ if (rfd >= 0)
set_nonblock(rfd);
- if (wfd != -1)
+ if (wfd >= 0)
set_nonblock(wfd);
- if (efd != -1)
+ if (efd >= 0)
set_nonblock(efd);
}
}
diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
+++ openssh-5.9p1/clientloop.c 2011-09-14 08:17:41.556521887 +0200
@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_
char *rtype; char *rtype;
int want_reply; int want_reply;
int success = 0; int success = 0;
@ -69,10 +36,43 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
packet_send(); packet_send();
packet_write_wait(); packet_write_wait();
} }
diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c diff -up openssh-6.1p1/channels.c.coverity openssh-6.1p1/channels.c
--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200 --- openssh-6.1p1/channels.c.coverity 2012-04-23 10:21:05.000000000 +0200
+++ openssh-5.9p1/key.c 2011-09-14 08:09:47.803458435 +0200 +++ openssh-6.1p1/channels.c 2012-09-14 21:16:41.272906528 +0200
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp) @@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
- if (rfd != -1)
+ if (rfd >= 0)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
- if (wfd != -1 && wfd != rfd)
+ if (wfd >= 0 && wfd != rfd)
fcntl(wfd, F_SETFD, FD_CLOEXEC);
- if (efd != -1 && efd != rfd && efd != wfd)
+ if (efd >= 0 && efd != rfd && efd != wfd)
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
- if (rfd != -1)
+ if (rfd >= 0)
set_nonblock(rfd);
- if (wfd != -1)
+ if (wfd >= 0)
set_nonblock(wfd);
- if (efd != -1)
+ if (efd >= 0)
set_nonblock(efd);
}
}
diff -up openssh-6.1p1/key.c.coverity openssh-6.1p1/key.c
--- openssh-6.1p1/key.c.coverity 2012-06-30 12:05:02.000000000 +0200
+++ openssh-6.1p1/key.c 2012-09-14 21:16:41.274906537 +0200
@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp)
success = 1; success = 1;
/*XXXX*/ /*XXXX*/
key_free(k); key_free(k);
@ -83,10 +83,9 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
/* advance cp: skip whitespace and data */ /* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t') while (*cp == ' ' || *cp == '\t')
cp++; cp++;
diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c
diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c --- openssh-6.1p1/monitor.c.coverity 2012-06-30 00:33:17.000000000 +0200
--- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200 +++ openssh-6.1p1/monitor.c 2012-09-14 21:16:41.277906552 +0200
+++ openssh-5.9p1/monitor.c 2011-09-14 08:09:47.914584009 +0200
@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx @@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx
} }
@ -96,7 +95,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
; ;
if (!authctxt->valid) if (!authctxt->valid)
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1159,6 +1159,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break; break;
} }
} }
@ -107,7 +106,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
if (key != NULL) if (key != NULL)
key_free(key); key_free(key);
@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1180,9 +1184,6 @@ mm_answer_keyallowed(int sock, Buffer *m
xfree(chost); xfree(chost);
} }
@ -117,9 +116,9 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, allowed); buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL); buffer_put_int(m, forced_command != NULL);
diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c diff -up openssh-6.1p1/monitor_wrap.c.coverity openssh-6.1p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.coverity 2011-09-14 08:11:36.480500123 +0200 --- openssh-6.1p1/monitor_wrap.c.coverity 2011-06-20 06:42:23.000000000 +0200
+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 08:14:11.279520598 +0200 +++ openssh-6.1p1/monitor_wrap.c 2012-09-14 21:16:41.280906568 +0200
@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, @@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) { (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
@ -134,9 +133,9 @@ diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
return 0; return 0;
} }
close(tmp1); close(tmp1);
diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c diff -up openssh-6.1p1/openbsd-compat/bindresvport.c.coverity openssh-6.1p1/openbsd-compat/bindresvport.c
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100 --- openssh-6.1p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-14 08:09:48.084459344 +0200 +++ openssh-6.1p1/openbsd-compat/bindresvport.c 2012-09-14 21:16:41.281906573 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr @@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6; struct sockaddr_in6 *in6;
u_int16_t *portp; u_int16_t *portp;
@ -146,9 +145,9 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c
--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200 --- openssh-6.1p1/packet.c.coverity 2012-03-09 00:28:07.000000000 +0100
+++ openssh-5.9p1/packet.c 2011-09-14 08:09:48.184587842 +0200 +++ openssh-6.1p1/packet.c 2012-09-14 21:16:41.284906588 +0200
@@ -1177,6 +1177,7 @@ packet_read_poll1(void) @@ -1177,6 +1177,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED: case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: " packet_disconnect("crc32 compensation attack: "
@ -157,7 +156,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
case DEATTACK_DOS_DETECTED: case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of " packet_disconnect("deattack denial of "
"service detected"); "service detected");
@@ -1684,7 +1685,7 @@ void @@ -1678,7 +1679,7 @@ void
packet_write_wait(void) packet_write_wait(void)
{ {
fd_set *setp; fd_set *setp;
@ -166,9 +165,9 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
struct timeval start, timeout, *timeoutp = NULL; struct timeval start, timeout, *timeoutp = NULL;
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c diff -up openssh-6.1p1/progressmeter.c.coverity openssh-6.1p1/progressmeter.c
--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200 --- openssh-6.1p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
+++ openssh-5.9p1/progressmeter.c 2011-09-14 08:09:48.300586004 +0200 +++ openssh-6.1p1/progressmeter.c 2012-09-14 21:16:41.285906593 +0200
@@ -65,7 +65,7 @@ static void update_progress_meter(int); @@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */ static time_t start; /* start progress */
@ -187,9 +186,9 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
{ {
start = last_update = time(NULL); start = last_update = time(NULL);
file = f; file = f;
diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h diff -up openssh-6.1p1/progressmeter.h.coverity openssh-6.1p1/progressmeter.h
--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200 --- openssh-6.1p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
+++ openssh-5.9p1/progressmeter.h 2011-09-14 08:09:48.420645724 +0200 +++ openssh-6.1p1/progressmeter.h 2012-09-14 21:16:41.286906598 +0200
@@ -23,5 +23,5 @@ @@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
@ -197,9 +196,9 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
-void start_progress_meter(char *, off_t, off_t *); -void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *); +void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void); void stop_progress_meter(void);
diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c diff -up openssh-6.1p1/scp.c.coverity openssh-6.1p1/scp.c
--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100 --- openssh-6.1p1/scp.c.coverity 2011-09-22 13:38:01.000000000 +0200
+++ openssh-5.9p1/scp.c 2011-09-14 08:09:48.531505457 +0200 +++ openssh-6.1p1/scp.c 2012-09-14 21:16:41.288906608 +0200
@@ -155,7 +155,7 @@ killchild(int signo) @@ -155,7 +155,7 @@ killchild(int signo)
{ {
if (do_cmd_pid > 1) { if (do_cmd_pid > 1) {
@ -209,19 +208,10 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
} }
if (signo) if (signo)
diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c
--- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200 --- openssh-6.1p1/servconf.c.coverity 2012-07-31 04:22:38.000000000 +0200
+++ openssh-5.9p1/servconf.c 2011-09-14 08:30:17.557468182 +0200 +++ openssh-6.1p1/servconf.c 2012-09-14 21:16:41.291906623 +0200
@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin @@ -1249,7 +1249,7 @@ process_server_config_line(ServerOptions
debug3("checking syntax for 'Match %s'", cp);
else
debug3("checking match for '%s' user %s host %s addr %s", cp,
- user ? user : "(null)", host ? host : "(null)",
+ user /* User is not NULL ? user : "(null)" */, host ? host : "(null)",
address ? address : "(null)");
while ((attrib = strdelim(&cp)) && *attrib != '\0') {
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.", fatal("%s line %d: Missing subsystem name.",
filename, linenum); filename, linenum);
if (!*activep) { if (!*activep) {
@ -230,7 +220,7 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
break; break;
} }
for (i = 0; i < options->num_subsystems; i++) for (i = 0; i < options->num_subsystems; i++)
@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions @@ -1340,8 +1340,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) { if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid()); *charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */ /* increase optional counter */
@ -242,9 +232,9 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
} }
break; break;
diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c
--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200 --- openssh-6.1p1/serverloop.c.coverity 2012-06-20 14:31:27.000000000 +0200
+++ openssh-5.9p1/serverloop.c 2011-09-14 08:09:48.793586380 +0200 +++ openssh-6.1p1/serverloop.c 2012-09-14 21:16:41.294906638 +0200
@@ -147,13 +147,13 @@ notify_setup(void) @@ -147,13 +147,13 @@ notify_setup(void)
static void static void
notify_parent(void) notify_parent(void)
@ -272,7 +262,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
debug2("notify_done: reading"); debug2("notify_done: reading");
} }
@@ -330,7 +330,7 @@ wait_until_can_do_something(fd_set **rea @@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea
* If we have buffered data, try to write some of that data * If we have buffered data, try to write some of that data
* to the program. * to the program.
*/ */
@ -281,7 +271,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
FD_SET(fdin, *writesetp); FD_SET(fdin, *writesetp);
} }
notify_prepare(*readsetp); notify_prepare(*readsetp);
@@ -470,7 +470,7 @@ process_output(fd_set *writeset) @@ -476,7 +476,7 @@ process_output(fd_set *writeset)
int len; int len;
/* Write buffered data to program stdin. */ /* Write buffered data to program stdin. */
@ -290,7 +280,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
data = buffer_ptr(&stdin_buffer); data = buffer_ptr(&stdin_buffer);
dlen = buffer_len(&stdin_buffer); dlen = buffer_len(&stdin_buffer);
len = write(fdin, data, dlen); len = write(fdin, data, dlen);
@@ -583,7 +583,7 @@ server_loop(pid_t pid, int fdin_arg, int @@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int
set_nonblock(fdin); set_nonblock(fdin);
set_nonblock(fdout); set_nonblock(fdout);
/* we don't have stderr for interactive terminal sessions, see below */ /* we don't have stderr for interactive terminal sessions, see below */
@ -299,7 +289,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
set_nonblock(fderr); set_nonblock(fderr);
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin)) if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
@@ -607,7 +607,7 @@ server_loop(pid_t pid, int fdin_arg, int @@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int
max_fd = MAX(connection_in, connection_out); max_fd = MAX(connection_in, connection_out);
max_fd = MAX(max_fd, fdin); max_fd = MAX(max_fd, fdin);
max_fd = MAX(max_fd, fdout); max_fd = MAX(max_fd, fdout);
@ -308,7 +298,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
max_fd = MAX(max_fd, fderr); max_fd = MAX(max_fd, fderr);
#endif #endif
@@ -637,7 +637,7 @@ server_loop(pid_t pid, int fdin_arg, int @@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int
* If we have received eof, and there is no more pending * If we have received eof, and there is no more pending
* input data, cause a real eof by closing fdin. * input data, cause a real eof by closing fdin.
*/ */
@ -317,7 +307,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
if (fdin != fdout) if (fdin != fdout)
close(fdin); close(fdin);
else else
@@ -735,15 +735,15 @@ server_loop(pid_t pid, int fdin_arg, int @@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer); buffer_free(&stderr_buffer);
/* Close the file descriptors. */ /* Close the file descriptors. */
@ -336,7 +326,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
close(fdin); close(fdin);
fdin = -1; fdin = -1;
@@ -937,7 +937,7 @@ server_input_window_size(int type, u_int @@ -943,7 +943,7 @@ server_input_window_size(int type, u_int
debug("Window change received."); debug("Window change received.");
packet_check_eom(); packet_check_eom();
@ -345,7 +335,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
pty_change_window_size(fdin, row, col, xpixel, ypixel); pty_change_window_size(fdin, row, col, xpixel, ypixel);
} }
@@ -990,7 +990,7 @@ server_request_tun(void) @@ -996,7 +996,7 @@ server_request_tun(void)
} }
tun = packet_get_int(); tun = packet_get_int();
@ -354,9 +344,111 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
if (tun != SSH_TUNID_ANY && forced_tun_device != tun) if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done; goto done;
tun = forced_tun_device; tun = forced_tun_device;
diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100 --- openssh-6.1p1/sftp.c.coverity 2012-06-30 00:33:32.000000000 +0200
+++ openssh-5.9p1/sftp-client.c 2011-09-14 08:09:48.910470343 +0200 +++ openssh-6.1p1/sftp.c 2012-09-14 21:16:41.297906653 +0200
@@ -206,7 +206,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -494,7 +494,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *abs_src = NULL;
@@ -590,7 +590,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *tmp_dst = NULL;
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -780,7 +780,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
char *fname, *lname;
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-6.1p1/sftp-client.c.coverity openssh-6.1p1/sftp-client.c
--- openssh-6.1p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200
+++ openssh-6.1p1/sftp-client.c 2012-09-14 21:18:16.891332281 +0200
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer * @@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
} }
@ -393,7 +485,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
SFTP_DIRENT ***dir) SFTP_DIRENT ***dir)
{ {
Buffer msg; Buffer msg;
@@ -571,7 +571,7 @@ do_lsreaddir(struct sftp_conn *conn, cha @@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
} }
int int
@ -402,7 +494,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
return(do_lsreaddir(conn, path, 0, dir)); return(do_lsreaddir(conn, path, 0, dir));
} }
@@ -589,7 +589,7 @@ void free_sftp_dirents(SFTP_DIRENT **s) @@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
} }
int int
@ -411,7 +503,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
u_int status, id; u_int status, id;
@@ -604,7 +604,7 @@ do_rm(struct sftp_conn *conn, char *path @@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path
} }
int int
@ -420,7 +512,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
u_int status, id; u_int status, id;
@@ -620,7 +620,7 @@ do_mkdir(struct sftp_conn *conn, char *p @@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p
} }
int int
@ -429,7 +521,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
u_int status, id; u_int status, id;
@@ -636,7 +636,7 @@ do_rmdir(struct sftp_conn *conn, char *p @@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p
} }
Attrib * Attrib *
@ -438,7 +530,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
u_int id; u_int id;
@@ -650,7 +650,7 @@ do_stat(struct sftp_conn *conn, char *pa @@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa
} }
Attrib * Attrib *
@ -447,7 +539,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
u_int id; u_int id;
@@ -684,7 +684,7 @@ do_fstat(struct sftp_conn *conn, char *h @@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h
#endif #endif
int int
@ -456,7 +548,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
u_int status, id; u_int status, id;
@@ -701,7 +701,7 @@ do_setstat(struct sftp_conn *conn, char @@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char
} }
int int
@ -465,7 +557,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *a) Attrib *a)
{ {
u_int status, id; u_int status, id;
@@ -718,12 +718,12 @@ do_fsetstat(struct sftp_conn *conn, char @@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char
} }
char * char *
@ -474,22 +566,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
Buffer msg; Buffer msg;
u_int type, expected_id, count, id; u_int type, expected_id, count, id;
char *filename, *longname; @@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char
- Attrib *a;
+/*UNUSED Attrib *a; */
expected_id = id = conn->msg_id++;
send_string_request(conn, id, SSH2_FXP_REALPATH, path,
@@ -754,7 +754,7 @@ do_realpath(struct sftp_conn *conn, char
filename = buffer_get_string(&msg, NULL);
longname = buffer_get_string(&msg, NULL);
- a = decode_attrib(&msg);
+ /*a =*/ (void) decode_attrib(&msg);
debug3("SSH_FXP_REALPATH %s -> %s", path, filename);
@@ -766,7 +766,7 @@ do_realpath(struct sftp_conn *conn, char
} }
int int
@ -498,7 +575,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
Buffer msg; Buffer msg;
u_int status, id; u_int status, id;
@@ -800,7 +800,7 @@ do_rename(struct sftp_conn *conn, char * @@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char *
} }
int int
@ -507,7 +584,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
Buffer msg; Buffer msg;
u_int status, id; u_int status, id;
@@ -833,7 +833,7 @@ do_hardlink(struct sftp_conn *conn, char @@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char
} }
int int
@ -516,7 +593,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
Buffer msg; Buffer msg;
u_int status, id; u_int status, id;
@@ -984,7 +984,7 @@ send_read_request(struct sftp_conn *conn @@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn
} }
int int
@ -525,7 +602,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *a, int pflag) Attrib *a, int pflag)
{ {
Attrib junk; Attrib junk;
@@ -1223,7 +1223,7 @@ do_download(struct sftp_conn *conn, char @@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char
} }
static int static int
@ -534,7 +611,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *dirattrib, int pflag, int printflag, int depth) Attrib *dirattrib, int pflag, int printflag, int depth)
{ {
int i, ret = 0; int i, ret = 0;
@@ -1313,7 +1313,7 @@ download_dir_internal(struct sftp_conn * @@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn *
} }
int int
@ -543,7 +620,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *dirattrib, int pflag, int printflag) Attrib *dirattrib, int pflag, int printflag)
{ {
char *src_canon; char *src_canon;
@@ -1331,7 +1331,7 @@ download_dir(struct sftp_conn *conn, cha @@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha
} }
int int
@ -552,7 +629,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag) int pflag)
{ {
int local_fd; int local_fd;
@@ -1514,7 +1514,7 @@ do_upload(struct sftp_conn *conn, char * @@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char *
} }
static int static int
@ -561,7 +638,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag, int printflag, int depth) int pflag, int printflag, int depth)
{ {
int ret = 0, status; int ret = 0, status;
@@ -1605,7 +1605,7 @@ upload_dir_internal(struct sftp_conn *co @@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co
} }
int int
@ -570,7 +647,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag) int pflag)
{ {
char *dst_canon; char *dst_canon;
@@ -1622,7 +1622,7 @@ upload_dir(struct sftp_conn *conn, char @@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char
} }
char * char *
@ -579,9 +656,9 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{ {
char *ret; char *ret;
size_t len = strlen(p1) + strlen(p2) + 2; size_t len = strlen(p1) + strlen(p2) + 2;
diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h diff -up openssh-6.1p1/sftp-client.h.coverity openssh-6.1p1/sftp-client.h
--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100 --- openssh-6.1p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-5.9p1/sftp-client.h 2011-09-14 08:09:49.021583940 +0200 +++ openssh-6.1p1/sftp-client.h 2012-09-14 21:16:41.301906674 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in @@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
u_int sftp_proto_version(struct sftp_conn *); u_int sftp_proto_version(struct sftp_conn *);
@ -679,124 +756,9 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
+char *path_append(const char *, const char *); +char *path_append(const char *, const char *);
#endif #endif
diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c diff -up openssh-6.1p1/ssh-agent.c.coverity openssh-6.1p1/ssh-agent.c
--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100 --- openssh-6.1p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
+++ openssh-5.9p1/sftp.c 2011-09-14 08:09:49.468493585 +0200 +++ openssh-6.1p1/ssh-agent.c 2012-09-14 21:16:41.303906683 +0200
@@ -206,7 +206,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -494,7 +494,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *abs_src = NULL;
@@ -590,7 +590,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *tmp_dst = NULL;
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -780,10 +780,10 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
- Attrib *a = NULL;
+/*UNUSED Attrib *a = NULL;*/
char *fname, *lname;
glob_t g;
int err;
@@ -828,7 +828,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
colspace = width / columns;
}
- for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) {
+ for (i = 0; g.gl_pathv[i] && !interrupted; i++/*, a = NULL*/) {
fname = path_strip(g.gl_pathv[i], strip_path);
if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) {
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
+++ openssh-5.9p1/ssh-agent.c 2011-09-14 08:09:49.572460295 +0200
@@ -1147,8 +1147,8 @@ main(int ac, char **av) @@ -1147,8 +1147,8 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
@ -808,10 +770,10 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */ /* Disable ptrace on Linux without sgid bit */
diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c
--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200 --- openssh-6.1p1/sshd.c.coverity 2012-07-31 04:21:34.000000000 +0200
+++ openssh-5.9p1/sshd.c 2011-09-14 08:09:49.687509968 +0200 +++ openssh-6.1p1/sshd.c 2012-09-14 21:16:41.307906705 +0200
@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt) @@ -682,8 +682,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0) if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child(); privsep_preauth_child();
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
@ -823,7 +785,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
return 0; return 0;
} }
@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so @@ -1311,6 +1313,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0) if (num_listen_socks < 0)
break; break;
} }
@ -833,7 +795,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
} }
@@ -1774,7 +1779,7 @@ main(int ac, char **av) @@ -1768,7 +1773,7 @@ main(int ac, char **av)
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */


@ -1,6 +1,115 @@
diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
--- openssh-6.0p1/auth2.c.gsskex 2012-09-12 15:32:19.110689080 +0200 --- openssh-6.1p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200
+++ openssh-6.0p1/auth2.c 2012-09-12 15:32:28.309651601 +0200 +++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:07:19.695203206 +0200
@@ -50,6 +50,7 @@
#include <errno.h>
#include <unistd.h>
#include <string.h>
+#include <sys/stat.h>
#include <krb5.h>
extern ServerOptions options;
@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
authctxt->krb5_ticket_file);
+#else
+ snprintf(authctxt->krb5_ccname, len, "DIR:%s",
+ authctxt->krb5_ticket_file);
+#endif
#ifdef USE_PAM
if (options.use_pam)
@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
+ struct stat krb5_ccname_stat;
+ char krb5_ccname[128], *krb5_ccname_dir_end;
+
debug("krb5_cleanup_proc called");
if (authctxt->krb5_fwd_ccache) {
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_fwd_ccache = NULL;
+
+ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
+ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
+
+ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
+ if (krb5_ccname_dir_end != NULL) {
+ strcpy(krb5_ccname_dir_end, "/primary");
+
+ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
+ if (unlink(krb5_ccname) == 0) {
+ *krb5_ccname_dir_end = '\0';
+ if (rmdir(krb5_ccname) == -1)
+ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
+ }
+ else
+ debug("cache primary file '%s', remove failed: %s",
+ krb5_ccname, strerror(errno)
+ );
+ }
+ }
}
if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
@@ -226,31 +255,37 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ int ret, oerrno;
+ char ccname[128];
mode_t old_umask;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
+ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
+ char *tmpdir;
+#endif
ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ cctemplate, geteuid());
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
+#ifndef USE_CCAPI
+ old_umask = umask(0077);
+ tmpdir = mkdtemp(ccname + strlen("DIR:"));
oerrno = errno;
umask(old_umask);
- if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(oerrno));
+ if (tmpdir == NULL) {
+ logit("mkdtemp(): %.100s", strerror(oerrno));
return oerrno;
}
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
oerrno = errno;
- logit("fchmod(): %.100s", strerror(oerrno));
- close(tmpfd);
+ logit("chmod(): %.100s", strerror(oerrno));
return oerrno;
}
- close(tmpfd);
+#endif
return (krb5_cc_resolve(ctx, ccname, ccache));
}
diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c
--- openssh-6.1p1/auth2.c.gsskex 2012-09-14 20:57:55.291263269 +0200
+++ openssh-6.1p1/auth2.c 2012-09-14 20:57:55.853266860 +0200
@@ -69,6 +69,7 @@ extern Authmethod method_passwd; @@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint; extern Authmethod method_kbdint;
extern Authmethod method_hostbased; extern Authmethod method_hostbased;
@ -17,9 +126,9 @@ diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c
&method_gssapi, &method_gssapi,
#endif #endif
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c
--- openssh-6.0p1/auth2-gss.c.gsskex 2012-09-12 15:32:19.126689015 +0200 --- openssh-6.1p1/auth2-gss.c.gsskex 2012-09-14 20:57:55.292263276 +0200
+++ openssh-6.0p1/auth2-gss.c 2012-09-12 15:32:28.309651601 +0200 +++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:57:55.855266873 +0200
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *); static void input_gssapi_errtok(int, u_int32_t, void *);
@ -94,233 +203,9 @@ diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c
Authmethod method_gssapi = { Authmethod method_gssapi = {
"gssapi-with-mic", "gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
diff -up openssh-6.0p1/auth-krb5.c.gsskex openssh-6.0p1/auth-krb5.c diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
--- openssh-6.0p1/auth-krb5.c.gsskex 2012-09-12 15:32:19.118689046 +0200 --- openssh-6.1p1/clientloop.c.gsskex 2012-09-14 20:57:54.862260529 +0200
+++ openssh-6.0p1/auth-krb5.c 2012-09-12 16:03:22.216097657 +0200 +++ openssh-6.1p1/clientloop.c 2012-09-14 20:57:55.861266911 +0200
@@ -50,6 +50,7 @@
#include <errno.h>
#include <unistd.h>
#include <string.h>
+#include <sys/stat.h>
#include <krb5.h>
extern ServerOptions options;
@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
authctxt->krb5_ticket_file);
+#else
+ snprintf(authctxt->krb5_ccname, len, "DIR:%s",
+ authctxt->krb5_ticket_file);
+#endif
#ifdef USE_PAM
if (options.use_pam)
@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
+ struct stat krb5_ccname_stat;
+ char krb5_ccname[128], *krb5_ccname_dir_end;
+
debug("krb5_cleanup_proc called");
if (authctxt->krb5_fwd_ccache) {
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_fwd_ccache = NULL;
+
+ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
+ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
+
+ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
+ if (krb5_ccname_dir_end != NULL) {
+ strcpy(krb5_ccname_dir_end, "/primary");
+
+ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
+ if (unlink(krb5_ccname) == 0) {
+ *krb5_ccname_dir_end = '\0';
+ if (rmdir(krb5_ccname) == -1)
+ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
+ }
+ else
+ debug("cache primary file '%s', remove failed: %s",
+ krb5_ccname, strerror(errno)
+ );
+ }
+ }
}
if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
@@ -226,29 +255,35 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret;
+ int ret;
char ccname[40];
mode_t old_umask;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
+ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
+ char *tmpdir;
+#endif
ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ cctemplate, geteuid());
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
+#ifndef USE_CCAPI
+ old_umask = umask(0077);
+ tmpdir = mkdtemp(ccname + strlen("DIR:"));
umask(old_umask);
- if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(errno));
+ if (tmpdir == NULL) {
+ logit("mkdtemp(): %.100s", strerror(errno));
return errno;
}
-
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
- logit("fchmod(): %.100s", strerror(errno));
- close(tmpfd);
+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
+ logit("chmod(): %.100s", strerror(errno));
return errno;
}
- close(tmpfd);
+
+#endif
return (krb5_cc_resolve(ctx, ccname, ccache));
}
diff -up openssh-6.0p1/ChangeLog.gssapi.gsskex openssh-6.0p1/ChangeLog.gssapi
--- openssh-6.0p1/ChangeLog.gssapi.gsskex 2012-09-12 15:32:19.106689094 +0200
+++ openssh-6.0p1/ChangeLog.gssapi 2012-09-12 15:32:28.310651598 +0200
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
+ - Add GSSAPIServerIdentity option from Jim Basney
+
+20100308
+ - [ Makefile.in, key.c, key.h ]
+ Updates for OpenSSH 5.4p1
+ - [ servconf.c ]
+ Include GSSAPI options in the sshd -T configuration dump, and flag
+ some older configuration options as being unsupported. Thanks to Colin
+ Watson.
+ -
+
+20100124
+ - [ sshconnect2.c ]
+ Adapt to deal with additional element in Authmethod structure. Thanks to
+ Colin Watson
+
+20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
+ sshd.c ]
+ Fix issues identified by Greg Hudson following a code review
+ Check return value of gss_indicate_mechs
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
+ Check return values of bignum functions in key exchange
+ Use BN_clear_free to clear other side's DH value
+ Make ssh_gssapi_id_kex more robust
+ Only configure kex table pointers if GSSAPI is enabled
+ Don't leak mechanism list, or gss mechanism list
+ Cast data.length before printing
+ If serverkey isn't provided, use an empty string, rather than NULL
+
+20090201
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
+ ssh_config.5 sshconnet2.c ]
+ Add support for the GSSAPIClientIdentity option, which allows the user
+ to specify which GSSAPI identity to use to contact a given server
+
+20080404
+ - [ gss-serv.c ]
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
+ been omitted from a previous version of this patch. Reported by Borislav
+ Stoichkov
+
+20070317
+ - [ gss-serv-krb5.c ]
+ Remove C99ism, where new_ccname was being declared in the middle of a
+ function
+
+20061220
+ - [ servconf.c ]
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
+ documented, behaviour. Reported by Dan Watson.
+
+20060910
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
+ ssh-gss.h ]
+ add support for gss-group14-sha1 key exchange mechanisms
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
+ acceptor principal checking on multi-homed machines.
+ <Bugzilla #928>
+ - [ sshd_config ssh_config ]
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
+ configuration files
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
+ Limit length of error messages displayed by client
+
+20060909
+ - [ gss-genr.c gss-serv.c ]
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
+ only, where they belong
+ <Bugzilla #1225>
+
+20060829
+ - [ gss-serv-krb5.c ]
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
+ variable
+
+20060828
+ - [ gss-genr.c ]
+ Avoid Heimdal context freeing problem
+ <Fixed upstream 20060829>
+
+20060818
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
+ Make sure that SPENGO is disabled
+ <Bugzilla #1218 - Fixed upstream 20060818>
+
+20060421
+ - [ gssgenr.c, sshconnect2.c ]
+ a few type changes (signed versus unsigned, int versus size_t) to
+ fix compiler errors/warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ kexgssc.c, sshconnect2.c ]
+ fix uninitialized variable warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ gssgenr.c ]
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
+ (from jbasney AT ncsa.uiuc.edu)
+ <Bugzilla #1220 >
+ - [ gss-serv-krb5.c ]
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
+ (from jbasney AT ncsa.uiuc.edu)
+ <Fixed upstream 20060304>
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
+ add client-side GssapiKeyExchange option
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ sshconnect2.c ]
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
--- openssh-6.0p1/clientloop.c.gsskex 2012-09-12 15:32:19.113689067 +0200
+++ openssh-6.0p1/clientloop.c 2012-09-12 15:32:28.311651595 +0200
@@ -111,6 +111,10 @@ @@ -111,6 +111,10 @@
#include "msg.h" #include "msg.h"
#include "roaming.h" #include "roaming.h"
@ -332,7 +217,7 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
/* import options */ /* import options */
extern Options options; extern Options options;
@@ -1540,6 +1544,15 @@ client_loop(int have_pty, int escape_cha @@ -1544,6 +1548,15 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */ /* Do channel operations unless rekeying in progress. */
if (!rekeying) { if (!rekeying) {
channel_after_select(readset, writeset); channel_after_select(readset, writeset);
@ -348,9 +233,9 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
if (need_rekeying || packet_need_rekeying()) { if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying"); debug("need rekeying");
xxx_kex->done = 0; xxx_kex->done = 0;
diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
--- openssh-6.0p1/configure.ac.gsskex 2012-09-12 15:32:19.085689183 +0200 --- openssh-6.1p1/configure.ac.gsskex 2012-09-14 20:57:55.756266240 +0200
+++ openssh-6.0p1/configure.ac 2012-09-12 15:32:28.312651591 +0200 +++ openssh-6.1p1/configure.ac 2012-09-14 20:57:55.865266937 +0200
@@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD]) [Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1], AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
@ -382,9 +267,9 @@ diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac
m4_pattern_allow([AU_IPv]) m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [], AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
--- openssh-6.0p1/gss-genr.c.gsskex 2012-09-12 15:32:19.097689132 +0200 --- openssh-6.1p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-6.0p1/gss-genr.c 2012-09-12 15:32:28.313651587 +0200 +++ openssh-6.1p1/gss-genr.c 2012-09-14 20:57:55.867266949 +0200
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
@ -732,9 +617,9 @@ diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c
+} +}
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
--- openssh-6.0p1/gss-serv.c.gsskex 2012-09-12 15:32:19.123689027 +0200 --- openssh-6.1p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
+++ openssh-6.0p1/gss-serv.c 2012-09-12 15:53:27.719520213 +0200 +++ openssh-6.1p1/gss-serv.c 2012-09-14 20:57:55.870266969 +0200
@@ -45,15 +45,20 @@ @@ -45,15 +45,20 @@
#include "channels.h" #include "channels.h"
#include "session.h" #include "session.h"
@ -1073,9 +958,9 @@ diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c
} }
#endif #endif
diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
--- openssh-6.0p1/gss-serv-krb5.c.gsskex 2012-09-12 15:32:19.115689059 +0200 --- openssh-6.1p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-6.0p1/gss-serv-krb5.c 2012-09-12 16:36:15.768054426 +0200 +++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 20:57:55.872266981 +0200
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1198,9 +1083,126 @@ diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c
}; };
#endif /* KRB5 */ #endif /* KRB5 */
diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi
--- openssh-6.0p1/kex.c.gsskex 2012-09-12 15:32:19.096689136 +0200 --- openssh-6.1p1/ChangeLog.gssapi.gsskex 2012-09-14 20:57:55.858266892 +0200
+++ openssh-6.0p1/kex.c 2012-09-12 15:32:28.315651579 +0200 +++ openssh-6.1p1/ChangeLog.gssapi 2012-09-14 20:57:55.859266899 +0200
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
+ - Add GSSAPIServerIdentity option from Jim Basney
+
+20100308
+ - [ Makefile.in, key.c, key.h ]
+ Updates for OpenSSH 5.4p1
+ - [ servconf.c ]
+ Include GSSAPI options in the sshd -T configuration dump, and flag
+ some older configuration options as being unsupported. Thanks to Colin
+ Watson.
+ -
+
+20100124
+ - [ sshconnect2.c ]
+ Adapt to deal with additional element in Authmethod structure. Thanks to
+ Colin Watson
+
+20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
+ sshd.c ]
+ Fix issues identified by Greg Hudson following a code review
+ Check return value of gss_indicate_mechs
+ Protect GSSAPI calls in monitor, so they can only be used if enabled
+ Check return values of bignum functions in key exchange
+ Use BN_clear_free to clear other side's DH value
+ Make ssh_gssapi_id_kex more robust
+ Only configure kex table pointers if GSSAPI is enabled
+ Don't leak mechanism list, or gss mechanism list
+ Cast data.length before printing
+ If serverkey isn't provided, use an empty string, rather than NULL
+
+20090201
+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
+ ssh_config.5 sshconnet2.c ]
+ Add support for the GSSAPIClientIdentity option, which allows the user
+ to specify which GSSAPI identity to use to contact a given server
+
+20080404
+ - [ gss-serv.c ]
+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
+ been omitted from a previous version of this patch. Reported by Borislav
+ Stoichkov
+
+20070317
+ - [ gss-serv-krb5.c ]
+ Remove C99ism, where new_ccname was being declared in the middle of a
+ function
+
+20061220
+ - [ servconf.c ]
+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
+ documented, behaviour. Reported by Dan Watson.
+
+20060910
+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
+ ssh-gss.h ]
+ add support for gss-group14-sha1 key exchange mechanisms
+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
+ acceptor principal checking on multi-homed machines.
+ <Bugzilla #928>
+ - [ sshd_config ssh_config ]
+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
+ configuration files
+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
+ Limit length of error messages displayed by client
+
+20060909
+ - [ gss-genr.c gss-serv.c ]
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
+ only, where they belong
+ <Bugzilla #1225>
+
+20060829
+ - [ gss-serv-krb5.c ]
+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
+ variable
+
+20060828
+ - [ gss-genr.c ]
+ Avoid Heimdal context freeing problem
+ <Fixed upstream 20060829>
+
+20060818
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
+ Make sure that SPENGO is disabled
+ <Bugzilla #1218 - Fixed upstream 20060818>
+
+20060421
+ - [ gssgenr.c, sshconnect2.c ]
+ a few type changes (signed versus unsigned, int versus size_t) to
+ fix compiler errors/warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ kexgssc.c, sshconnect2.c ]
+ fix uninitialized variable warnings
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ gssgenr.c ]
+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
+ (from jbasney AT ncsa.uiuc.edu)
+ <Bugzilla #1220 >
+ - [ gss-serv-krb5.c ]
+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
+ (from jbasney AT ncsa.uiuc.edu)
+ <Fixed upstream 20060304>
+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
+ add client-side GssapiKeyExchange option
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ sshconnect2.c ]
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
--- openssh-6.1p1/kex.c.gsskex 2012-09-14 20:57:55.139262298 +0200
+++ openssh-6.1p1/kex.c 2012-09-14 20:57:55.874266995 +0200
@@ -51,6 +51,10 @@ @@ -51,6 +51,10 @@
#include "roaming.h" #include "roaming.h"
#include "audit.h" #include "audit.h"
@ -1233,9 +1235,9 @@ diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c
} else } else
fatal("bad kex alg %s", k->name); fatal("bad kex alg %s", k->name);
} }
diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
--- openssh-6.0p1/kexgssc.c.gsskex 2012-09-12 15:32:19.105689098 +0200 --- openssh-6.1p1/kexgssc.c.gsskex 2012-09-14 20:57:55.875267001 +0200
+++ openssh-6.0p1/kexgssc.c 2012-09-12 15:32:28.315651579 +0200 +++ openssh-6.1p1/kexgssc.c 2012-09-14 20:57:55.875267001 +0200
@@ -0,0 +1,334 @@ @@ -0,0 +1,334 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1571,9 +1573,9 @@ diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c
+} +}
+ +
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
--- openssh-6.0p1/kexgsss.c.gsskex 2012-09-12 15:32:19.116689055 +0200 --- openssh-6.1p1/kexgsss.c.gsskex 2012-09-14 20:57:55.876267007 +0200
+++ openssh-6.0p1/kexgsss.c 2012-09-12 15:32:28.316651574 +0200 +++ openssh-6.1p1/kexgsss.c 2012-09-14 20:57:55.876267007 +0200
@@ -0,0 +1,288 @@ @@ -0,0 +1,288 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1863,9 +1865,9 @@ diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c
+ ssh_gssapi_rekey_creds(); + ssh_gssapi_rekey_creds();
+} +}
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
--- openssh-6.0p1/kex.h.gsskex 2012-09-12 15:32:19.093689148 +0200 --- openssh-6.1p1/kex.h.gsskex 2012-09-14 20:57:55.141262312 +0200
+++ openssh-6.0p1/kex.h 2012-09-12 15:32:28.316651574 +0200 +++ openssh-6.1p1/kex.h 2012-09-14 20:57:55.878267019 +0200
@@ -73,6 +73,9 @@ enum kex_exchange { @@ -73,6 +73,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256, KEX_DH_GEX_SHA256,
@ -1901,10 +1903,10 @@ diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h
void newkeys_destroy(Newkeys *newkeys); void newkeys_destroy(Newkeys *newkeys);
void void
diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
--- openssh-6.0p1/key.c.gsskex 2012-09-12 15:32:19.103689108 +0200 --- openssh-6.1p1/key.c.gsskex 2012-09-14 20:57:55.593265199 +0200
+++ openssh-6.0p1/key.c 2012-09-12 15:32:28.317651570 +0200 +++ openssh-6.1p1/key.c 2012-09-14 20:57:55.881267039 +0200
@@ -1006,6 +1006,8 @@ key_ssh_name_from_type_nid(int type, int @@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
} }
break; break;
#endif /* OPENSSL_HAS_ECC */ #endif /* OPENSSL_HAS_ECC */
@ -1913,7 +1915,7 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
} }
return "ssh-unknown"; return "ssh-unknown";
} }
@@ -1311,6 +1313,8 @@ key_type_from_name(char *name) @@ -1316,6 +1318,8 @@ key_type_from_name(char *name)
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
return KEY_ECDSA_CERT; return KEY_ECDSA_CERT;
#endif #endif
@ -1922,9 +1924,9 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
} }
debug2("key_type_from_name: unknown key type '%s'", name); debug2("key_type_from_name: unknown key type '%s'", name);
diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
--- openssh-6.0p1/key.h.gsskex 2012-09-12 15:32:19.094689144 +0200 --- openssh-6.1p1/key.h.gsskex 2012-09-14 20:57:55.184262586 +0200
+++ openssh-6.0p1/key.h 2012-09-12 15:32:28.318651566 +0200 +++ openssh-6.1p1/key.h 2012-09-14 20:57:55.882267045 +0200
@@ -44,6 +44,7 @@ enum types { @@ -44,6 +44,7 @@ enum types {
KEY_ECDSA_CERT, KEY_ECDSA_CERT,
KEY_RSA_CERT_V00, KEY_RSA_CERT_V00,
@ -1933,9 +1935,9 @@ diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h
KEY_UNSPEC KEY_UNSPEC
}; };
enum fp_type { enum fp_type {
diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
--- openssh-6.0p1/Makefile.in.gsskex 2012-09-12 15:32:19.128689006 +0200 --- openssh-6.1p1/Makefile.in.gsskex 2012-09-14 20:57:55.832266726 +0200
+++ openssh-6.0p1/Makefile.in 2012-09-12 15:32:28.318651566 +0200 +++ openssh-6.1p1/Makefile.in 2012-09-14 20:57:55.884267058 +0200
@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b @@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
@ -1953,9 +1955,9 @@ diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \ roaming_common.o roaming_serv.o \
diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
--- openssh-6.0p1/monitor.c.gsskex 2012-09-12 15:32:19.112689072 +0200 --- openssh-6.1p1/monitor.c.gsskex 2012-09-14 20:57:55.299263321 +0200
+++ openssh-6.0p1/monitor.c 2012-09-12 15:32:28.319651562 +0200 +++ openssh-6.1p1/monitor.c 2012-09-14 20:57:55.888267083 +0200
@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer @@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_userok(int, Buffer *);
@ -2008,7 +2010,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
} else { } else {
mon_dispatch = mon_dispatch_postauth15; mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1942,6 +1959,13 @@ mm_get_kex(Buffer *m) @@ -1939,6 +1956,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@ -2022,7 +2024,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
kex->server = 1; kex->server = 1;
kex->hostkey_type = buffer_get_int(m); kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m);
@@ -2165,6 +2189,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer @@ -2162,6 +2186,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major; OM_uint32 major;
u_int len; u_int len;
@ -2032,7 +2034,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
goid.elements = buffer_get_string(m, &len); goid.elements = buffer_get_string(m, &len);
goid.length = len; goid.length = len;
@@ -2192,6 +2219,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -2189,6 +2216,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
u_int len; u_int len;
@ -2042,7 +2044,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
in.value = buffer_get_string(m, &len); in.value = buffer_get_string(m, &len);
in.length = len; in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2209,6 +2239,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -2206,6 +2236,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -2050,7 +2052,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
} }
return (0); return (0);
} }
@@ -2220,6 +2251,9 @@ mm_answer_gss_checkmic(int sock, Buffer @@ -2217,6 +2248,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret; OM_uint32 ret;
u_int len; u_int len;
@ -2060,7 +2062,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
gssbuf.value = buffer_get_string(m, &len); gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len; gssbuf.length = len;
mic.value = buffer_get_string(m, &len); mic.value = buffer_get_string(m, &len);
@@ -2246,7 +2280,11 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2243,7 +2277,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{ {
int authenticated; int authenticated;
@ -2073,7 +2075,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, authenticated); buffer_put_int(m, authenticated);
@@ -2260,6 +2298,74 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2257,6 +2295,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
@ -2148,9 +2150,9 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
#endif /* GSSAPI */ #endif /* GSSAPI */
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
--- openssh-6.0p1/monitor.h.gsskex 2012-09-12 15:32:19.119689041 +0200 --- openssh-6.1p1/monitor.h.gsskex 2012-09-14 20:57:55.300263327 +0200
+++ openssh-6.0p1/monitor.h 2012-09-12 15:32:28.319651562 +0200 +++ openssh-6.1p1/monitor.h 2012-09-14 20:57:55.889267090 +0200
@@ -56,6 +56,8 @@ enum monitor_reqtype { @@ -56,6 +56,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2160,9 +2162,9 @@ diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
--- openssh-6.0p1/monitor_wrap.c.gsskex 2012-09-12 15:32:19.122689031 +0200 --- openssh-6.1p1/monitor_wrap.c.gsskex 2012-09-14 20:57:55.302263340 +0200
+++ openssh-6.0p1/monitor_wrap.c 2012-09-12 15:32:28.320651557 +0200 +++ openssh-6.1p1/monitor_wrap.c 2012-09-14 20:57:55.892267109 +0200
@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss @@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
} }
@ -2224,9 +2226,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
#endif /* GSSAPI */ #endif /* GSSAPI */
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.gsskex 2012-09-12 15:32:19.107689091 +0200 --- openssh-6.1p1/monitor_wrap.h.gsskex 2012-09-14 20:57:55.304263353 +0200
+++ openssh-6.0p1/monitor_wrap.h 2012-09-12 15:32:28.321651552 +0200 +++ openssh-6.1p1/monitor_wrap.h 2012-09-14 20:57:55.893267116 +0200
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K @@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2239,9 +2241,9 @@ diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
--- openssh-6.0p1/readconf.c.gsskex 2012-09-12 15:32:19.100689120 +0200 --- openssh-6.1p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
+++ openssh-6.0p1/readconf.c 2012-09-12 15:32:28.321651552 +0200 +++ openssh-6.1p1/readconf.c 2012-09-14 20:57:55.896267134 +0200
@@ -129,6 +129,8 @@ typedef enum { @@ -129,6 +129,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -2330,9 +2332,9 @@ diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
--- openssh-6.0p1/readconf.h.gsskex 2012-09-12 15:32:19.125689019 +0200 --- openssh-6.1p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
+++ openssh-6.0p1/readconf.h 2012-09-12 15:32:28.322651548 +0200 +++ openssh-6.1p1/readconf.h 2012-09-14 20:57:55.897267141 +0200
@@ -48,7 +48,12 @@ typedef struct { @@ -48,7 +48,12 @@ typedef struct {
int challenge_response_authentication; int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */ /* Try S/Key or TIS, authentication. */
@ -2346,10 +2348,10 @@ diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
--- openssh-6.0p1/servconf.c.gsskex 2012-09-12 15:32:19.088689170 +0200 --- openssh-6.1p1/servconf.c.gsskex 2012-09-14 20:57:55.760266266 +0200
+++ openssh-6.0p1/servconf.c 2012-09-12 15:32:28.323651545 +0200 +++ openssh-6.1p1/servconf.c 2012-09-14 20:57:55.900267160 +0200
@@ -99,7 +99,10 @@ initialize_server_options(ServerOptions @@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
options->gss_authentication=-1; options->gss_authentication=-1;
@ -2360,7 +2362,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -232,8 +235,14 @@ fill_default_server_options(ServerOption @@ -236,8 +239,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2375,7 +2377,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -327,7 +336,9 @@ typedef enum { @@ -333,7 +342,9 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveCountMax, sAuthorizedKeysFile,
@ -2386,7 +2388,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
sRequiredAuthentications1, sRequiredAuthentications2, sRequiredAuthentications1, sRequiredAuthentications2,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -393,10 +404,20 @@ static struct { @@ -399,10 +410,20 @@ static struct {
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2407,7 +2409,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -983,10 +1004,22 @@ process_server_config_line(ServerOptions @@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2430,7 +2432,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
@@ -1794,6 +1827,9 @@ dump_config(ServerOptions *o) @@ -1944,6 +1977,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2440,9 +2442,9 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
#endif #endif
#ifdef JPAKE #ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
--- openssh-6.0p1/servconf.h.gsskex 2012-09-12 15:32:19.121689034 +0200 --- openssh-6.1p1/servconf.h.gsskex 2012-09-14 20:57:55.762266278 +0200
+++ openssh-6.0p1/servconf.h 2012-09-12 15:32:28.323651545 +0200 +++ openssh-6.1p1/servconf.h 2012-09-14 20:57:55.902267173 +0200
@@ -103,7 +103,10 @@ typedef struct { @@ -103,7 +103,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
@ -2454,9 +2456,21 @@ diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
int password_authentication; /* If true, permit password int password_authentication; /* If true, permit password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* If true, permit */ int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5 diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
--- openssh-6.0p1/ssh_config.5.gsskex 2012-09-12 15:32:19.091689156 +0200 --- openssh-6.1p1/ssh_config.gsskex 2012-09-14 20:57:55.707265928 +0200
+++ openssh-6.0p1/ssh_config.5 2012-09-12 15:32:28.324651542 +0200 +++ openssh-6.1p1/ssh_config 2012-09-14 20:57:55.906267198 +0200
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
--- openssh-6.1p1/ssh_config.5.gsskex 2012-07-02 10:53:38.000000000 +0200
+++ openssh-6.1p1/ssh_config.5 2012-09-14 20:57:55.904267186 +0200
@@ -527,11 +527,43 @@ Specifies whether user authentication ba @@ -527,11 +527,43 @@ Specifies whether user authentication ba
The default is The default is
.Dq no . .Dq no .
@ -2502,21 +2516,9 @@ diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
diff -up openssh-6.0p1/ssh_config.gsskex openssh-6.0p1/ssh_config diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
--- openssh-6.0p1/ssh_config.gsskex 2012-09-12 15:32:19.087689174 +0200 --- openssh-6.1p1/sshconnect2.c.gsskex 2012-09-14 20:57:55.605265275 +0200
+++ openssh-6.0p1/ssh_config 2012-09-12 15:32:28.324651542 +0200 +++ openssh-6.1p1/sshconnect2.c 2012-09-14 20:57:55.909267218 +0200
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
--- openssh-6.0p1/sshconnect2.c.gsskex 2012-09-12 15:32:19.099689124 +0200
+++ openssh-6.0p1/sshconnect2.c 2012-09-12 15:32:28.325651538 +0200
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{ {
Kex *kex; Kex *kex;
@ -2715,9 +2717,9 @@ diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
#endif /* GSSAPI */ #endif /* GSSAPI */
int int
diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
--- openssh-6.0p1/sshd.c.gsskex 2012-09-12 15:32:19.130688998 +0200 --- openssh-6.1p1/sshd.c.gsskex 2012-09-14 20:57:55.799266515 +0200
+++ openssh-6.0p1/sshd.c 2012-09-12 15:32:28.326651534 +0200 +++ openssh-6.1p1/sshd.c 2012-09-14 20:57:55.912267237 +0200
@@ -124,6 +124,10 @@ @@ -124,6 +124,10 @@
#include "ssh-sandbox.h" #include "ssh-sandbox.h"
#include "version.h" #include "version.h"
@ -2729,7 +2731,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
#ifdef LIBWRAP #ifdef LIBWRAP
#include <tcpd.h> #include <tcpd.h>
#include <syslog.h> #include <syslog.h>
@@ -1701,10 +1705,13 @@ main(int ac, char **av) @@ -1692,10 +1696,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
} }
@ -2743,7 +2745,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting."); logit("sshd: no hostkeys available -- exiting.");
exit(1); exit(1);
@@ -2037,6 +2044,60 @@ main(int ac, char **av) @@ -2027,6 +2034,60 @@ main(int ac, char **av)
/* Log the connection. */ /* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port); verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2804,7 +2806,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
/* /*
* We don't want to listen forever unless the other side * We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is * successfully authenticates itself. So we set up an alarm which is
@@ -2435,6 +2496,48 @@ do_ssh2_kex(void) @@ -2425,6 +2486,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2853,7 +2855,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
/* start key exchange */ /* start key exchange */
kex = kex_setup(myproposal); kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@@ -2442,6 +2545,13 @@ do_ssh2_kex(void) @@ -2432,6 +2535,13 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@ -2867,10 +2869,22 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
kex->server = 1; kex->server = 1;
kex->client_version_string=client_version_string; kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string; kex->server_version_string=server_version_string;
diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5 diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
--- openssh-6.0p1/sshd_config.5.gsskex 2012-09-12 15:32:19.109689084 +0200 --- openssh-6.1p1/sshd_config.gsskex 2012-09-14 20:57:55.801266528 +0200
+++ openssh-6.0p1/sshd_config.5 2012-09-12 15:32:28.327651530 +0200 +++ openssh-6.1p1/sshd_config 2012-09-14 20:57:55.916267263 +0200
@@ -437,12 +437,40 @@ Specifies whether user authentication ba @@ -85,6 +85,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.gsskex 2012-09-14 20:57:55.767266310 +0200
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:57:55.915267256 +0200
@@ -439,12 +439,40 @@ Specifies whether user authentication ba
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -2911,21 +2925,9 @@ diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
.It Cm HostbasedAuthentication .It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed with successful public key client host authentication is allowed
diff -up openssh-6.0p1/sshd_config.gsskex openssh-6.0p1/sshd_config diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
--- openssh-6.0p1/sshd_config.gsskex 2012-09-12 15:32:19.102689112 +0200 --- openssh-6.1p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-6.0p1/sshd_config 2012-09-12 15:32:28.327651530 +0200 +++ openssh-6.1p1/ssh-gss.h 2012-09-14 20:57:55.918267275 +0200
@@ -83,6 +83,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-6.0p1/ssh-gss.h.gsskex openssh-6.0p1/ssh-gss.h
--- openssh-6.0p1/ssh-gss.h.gsskex 2012-09-12 15:32:19.090689160 +0200
+++ openssh-6.0p1/ssh-gss.h 2012-09-12 15:32:28.328651526 +0200
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/* /*


@ -1,7 +1,7 @@
diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c diff -up openssh-6.1p1/auth-krb5.c.kuserok openssh-6.1p1/auth-krb5.c
--- openssh-5.9p0/auth-krb5.c.kuserok 2011-08-30 16:37:32.651150128 +0200 --- openssh-6.1p1/auth-krb5.c.kuserok 2012-09-14 21:08:16.941496194 +0200
+++ openssh-5.9p0/auth-krb5.c 2011-08-30 16:37:37.549087368 +0200 +++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:08:17.063496896 +0200
@@ -54,6 +54,20 @@ @@ -55,6 +55,20 @@
extern ServerOptions options; extern ServerOptions options;
@ -22,7 +22,7 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
static int static int
krb5_init(void *context) krb5_init(void *context)
{ {
@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c @@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem) if (problem)
goto out; goto out;
@ -31,9 +31,9 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
problem = -1; problem = -1;
goto out; goto out;
} }
diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c diff -up openssh-6.1p1/gss-serv-krb5.c.kuserok openssh-6.1p1/gss-serv-krb5.c
--- openssh-5.9p0/gss-serv-krb5.c.kuserok 2011-08-30 16:37:36.988024804 +0200 --- openssh-6.1p1/gss-serv-krb5.c.kuserok 2012-09-14 21:08:17.019496642 +0200
+++ openssh-5.9p0/gss-serv-krb5.c 2011-08-30 16:37:37.659088030 +0200 +++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 21:08:17.065496906 +0200
@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr @@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int); int);
@ -51,27 +51,27 @@ diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
retval = 1; retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
luser, (char *)client->displayname.value); luser, (char *)client->displayname.value);
diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
--- openssh-5.9p0/servconf.c.kuserok 2011-08-30 16:37:35.093073603 +0200 --- openssh-6.1p1/servconf.c.kuserok 2012-09-14 21:08:16.989496471 +0200
+++ openssh-5.9p0/servconf.c 2011-08-30 16:41:13.568087145 +0200 +++ openssh-6.1p1/servconf.c 2012-09-14 21:09:30.864868698 +0200
@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions @@ -152,6 +152,7 @@ initialize_server_options(ServerOptions
options->authorized_principals_file = NULL;
options->ip_qos_interactive = -1; options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1; options->ip_qos_bulk = -1;
options->version_addendum = NULL;
+ options->use_kuserok = -1; + options->use_kuserok = -1;
} }
void void
@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption @@ -301,6 +302,8 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT; options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1) if (options->show_patchlevel == -1)
options->show_patchlevel = 0; options->show_patchlevel = 0;
+ if (options->use_kuserok == -1) + if (options->use_kuserok == -1)
+ options->use_kuserok = 1; + options->use_kuserok = 1;
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
@@ -317,7 +320,7 @@ typedef enum { @@ -327,7 +330,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +80,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication, sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
@@ -388,11 +391,13 @@ static struct { @@ -399,11 +402,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -94,7 +94,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1371,6 +1376,10 @@ process_server_config_line(ServerOptions @@ -1486,6 +1491,10 @@ process_server_config_line(ServerOptions
*activep = value; *activep = value;
break; break;
@ -105,7 +105,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -1580,6 +1589,7 @@ copy_set_server_options(ServerOptions *d @@ -1769,6 +1778,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries); M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
@ -113,7 +113,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
/* See comment in servconf.h */ /* See comment in servconf.h */
COPY_MATCH_STRING_OPTS(); COPY_MATCH_STRING_OPTS();
@@ -1816,6 +1826,7 @@ dump_config(ServerOptions *o) @@ -2005,6 +2015,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,10 +121,10 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h diff -up openssh-6.1p1/servconf.h.kuserok openssh-6.1p1/servconf.h
--- openssh-5.9p0/servconf.h.kuserok 2011-08-30 16:37:35.201051957 +0200 --- openssh-6.1p1/servconf.h.kuserok 2012-09-14 21:08:16.990496476 +0200
+++ openssh-5.9p0/servconf.h 2011-08-30 16:37:37.926087431 +0200 +++ openssh-6.1p1/servconf.h 2012-09-14 21:08:17.071496942 +0200
@@ -166,6 +166,7 @@ typedef struct { @@ -169,6 +169,7 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -132,10 +132,21 @@ diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5 diff -up openssh-6.1p1/sshd_config.kuserok openssh-6.1p1/sshd_config
--- openssh-5.9p0/sshd_config.5.kuserok 2011-08-30 16:37:35.979024607 +0200 --- openssh-6.1p1/sshd_config.kuserok 2012-09-14 21:08:17.002496545 +0200
+++ openssh-5.9p0/sshd_config.5 2011-08-30 16:37:38.040087843 +0200 +++ openssh-6.1p1/sshd_config 2012-09-14 21:08:17.074496957 +0200
@@ -603,6 +603,10 @@ Specifies whether to automatically destr @@ -79,6 +79,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
diff -up openssh-6.1p1/sshd_config.5.kuserok openssh-6.1p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.kuserok 2012-09-14 21:08:17.004496556 +0200
+++ openssh-6.1p1/sshd_config.5 2012-09-14 21:08:17.073496952 +0200
@@ -618,6 +618,10 @@ Specifies whether to automatically destr
file on logout. file on logout.
The default is The default is
.Dq yes . .Dq yes .
@ -146,7 +157,7 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
@@ -746,6 +750,7 @@ Available keywords are @@ -767,6 +771,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly , .Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
@ -154,14 +165,3 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
.Cm PubkeyAuthentication , .Cm PubkeyAuthentication ,
diff -up openssh-5.9p0/sshd_config.kuserok openssh-5.9p0/sshd_config
--- openssh-5.9p0/sshd_config.kuserok 2011-08-30 16:37:36.808026328 +0200
+++ openssh-5.9p0/sshd_config 2011-08-30 16:37:38.148071520 +0200
@@ -77,6 +77,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no


@ -1,10 +1,9 @@
diff --git a/sshd.c b/sshd.c diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
index 8dcfdf2..95b63ad 100644 --- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
--- a/sshd.c +++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
+++ b/sshd.c @@ -1617,6 +1617,10 @@ main(int ac, char **av)
@@ -1592,6 +1592,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
&cfg, NULL, NULL, NULL); &cfg, NULL);
+ /* 'UsePAM no' is not supported in Fedora */ + /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam) + if (! options.use_pam)
@ -13,11 +12,10 @@ index 8dcfdf2..95b63ad 100644
seed_rng(); seed_rng();
/* Fill in default values for those options not explicitly set. */ /* Fill in default values for those options not explicitly set. */
diff --git a/sshd_config b/sshd_config diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
index 8c16754..9f28b04 100644 --- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
--- a/sshd_config +++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
+++ b/sshd_config @@ -95,6 +95,8 @@ GSSAPICleanupCredentials yes
@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
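Review bot: The comment on the `if (! options.use_pam)` check in the sshd.c hunk ("'UsePAM no' is not supported in Fedora") describes only the explicit-directive case, but the check sits before the "Fill in default values" step and, as far as I recall, upstream initialises use_pam to 0 because UsePAM defaults to no, so a config with no UsePAM line at all takes the same branch. A one-line comment would make that explicit for the next rebase: `/* UsePAM defaults to no upstream, so an absent directive also lands here */`. The branch body and the rest of main() are outside the visible hunk, so whatever it does (log or refuse) applies to both cases.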


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c diff -up openssh-6.1p1/auth.c.required-authentication openssh-6.1p1/auth.c
--- openssh-5.9p1/auth.c.required-authentication 2012-07-27 12:21:41.181601972 +0200 --- openssh-6.1p1/auth.c.required-authentication 2012-09-14 20:17:56.730488188 +0200
+++ openssh-5.9p1/auth.c 2012-07-27 12:21:41.203602020 +0200 +++ openssh-6.1p1/auth.c 2012-09-14 20:17:56.795488498 +0200
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw) @@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
} }
@ -32,7 +32,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
{ {
switch (options.permit_root_login) { switch (options.permit_root_login) {
case PERMIT_YES: case PERMIT_YES:
@@ -694,3 +696,57 @@ fakepw(void) @@ -696,3 +698,57 @@ fakepw(void)
return (&fake); return (&fake);
} }
@ -90,9 +90,9 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
+ +
+ return (ret); + return (ret);
+} +}
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h diff -up openssh-6.1p1/auth.h.required-authentication openssh-6.1p1/auth.h
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200 --- openssh-6.1p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
+++ openssh-5.9p1/auth.h 2012-07-27 12:21:41.204602022 +0200 +++ openssh-6.1p1/auth.h 2012-09-14 20:17:56.796488502 +0200
@@ -142,10 +142,11 @@ void disable_forwarding(void); @@ -142,10 +142,11 @@ void disable_forwarding(void);
void do_authentication(Authctxt *); void do_authentication(Authctxt *);
void do_authentication2(Authctxt *); void do_authentication2(Authctxt *);
@ -120,9 +120,9 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
int sys_auth_passwd(Authctxt *, const char *); int sys_auth_passwd(Authctxt *, const char *);
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c diff -up openssh-6.1p1/auth1.c.required-authentication openssh-6.1p1/auth1.c
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200 --- openssh-6.1p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.9p1/auth1.c 2012-07-27 12:50:50.708706675 +0200 +++ openssh-6.1p1/auth1.c 2012-09-14 20:17:56.798488515 +0200
@@ -98,6 +98,55 @@ static const struct AuthMethod1 @@ -98,6 +98,55 @@ static const struct AuthMethod1
return (NULL); return (NULL);
} }
@ -281,9 +281,9 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
packet_start(SSH_SMSG_FAILURE); packet_start(SSH_SMSG_FAILURE);
packet_send(); packet_send();
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c diff -up openssh-6.1p1/auth2.c.required-authentication openssh-6.1p1/auth2.c
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200 --- openssh-6.1p1/auth2.c.required-authentication 2011-12-19 00:52:51.000000000 +0100
+++ openssh-5.9p1/auth2.c 2012-07-27 12:51:59.048241612 +0200 +++ openssh-6.1p1/auth2.c 2012-09-14 20:17:56.799488520 +0200
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32 @@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
{ {
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
@ -452,9 +452,9 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
+ return (ret); + return (ret);
+} +}
+ +
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c diff -up openssh-6.1p1/auth2-gss.c.required-authentication openssh-6.1p1/auth2-gss.c
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200 --- openssh-6.1p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2-gss.c 2012-07-27 12:21:41.206602026 +0200 +++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:17:56.801488528 +0200
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p @@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
} }
authctxt->postponed = 0; authctxt->postponed = 0;
@ -482,9 +482,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
} }
Authmethod method_gssapi = { Authmethod method_gssapi = {
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c diff -up openssh-6.1p1/auth2-chall.c.required-authentication openssh-6.1p1/auth2-chall.c
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100 --- openssh-6.1p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
+++ openssh-5.9p1/auth2-chall.c 2012-07-27 12:21:41.206602026 +0200 +++ openssh-6.1p1/auth2-chall.c 2012-09-14 20:17:56.802488532 +0200
@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u @@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
auth2_challenge_start(authctxt); auth2_challenge_start(authctxt);
} }
@ -495,9 +495,9 @@ diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2
xfree(method); xfree(method);
} }
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c diff -up openssh-6.1p1/auth2-none.c.required-authentication openssh-6.1p1/auth2-none.c
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200 --- openssh-6.1p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
+++ openssh-5.9p1/auth2-none.c 2012-07-27 12:21:41.207602028 +0200 +++ openssh-6.1p1/auth2-none.c 2012-09-14 20:17:56.803488537 +0200
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt) @@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{ {
none_enabled = 0; none_enabled = 0;
@ -507,9 +507,9 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
return (PRIVSEP(auth_password(authctxt, ""))); return (PRIVSEP(auth_password(authctxt, "")));
return (0); return (0);
} }
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c diff -up openssh-6.1p1/monitor.c.required-authentication openssh-6.1p1/monitor.c
--- openssh-5.9p1/monitor.c.required-authentication 2012-07-27 12:21:41.161601930 +0200 --- openssh-6.1p1/monitor.c.required-authentication 2012-09-14 20:17:56.685487974 +0200
+++ openssh-5.9p1/monitor.c 2012-07-27 12:51:18.884927066 +0200 +++ openssh-6.1p1/monitor.c 2012-09-14 20:17:56.806488552 +0200
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY; @@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
static char *hostbased_cuser = NULL; static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL; static char *hostbased_chost = NULL;
@ -579,7 +579,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
} }
/* Drain any buffered messages from the child */ /* Drain any buffered messages from the child */
@@ -862,6 +878,7 @@ mm_answer_authpassword(int sock, Buffer @@ -860,6 +876,7 @@ mm_answer_authpassword(int sock, Buffer
auth_method = "none"; auth_method = "none";
else else
auth_method = "password"; auth_method = "password";
@ -587,7 +587,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* Causes monitor loop to terminate if authenticated */ /* Causes monitor loop to terminate if authenticated */
return (authenticated); return (authenticated);
@@ -921,6 +938,7 @@ mm_answer_bsdauthrespond(int sock, Buffe @@ -919,6 +936,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
auth_method = "bsdauth"; auth_method = "bsdauth";
@ -595,7 +595,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (authok != 0); return (authok != 0);
} }
@@ -970,6 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer * @@ -968,6 +986,7 @@ mm_answer_skeyrespond(int sock, Buffer *
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m); mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
auth_method = "skey"; auth_method = "skey";
@ -603,7 +603,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (authok != 0); return (authok != 0);
} }
@@ -1059,7 +1078,8 @@ mm_answer_pam_query(int sock, Buffer *m) @@ -1057,7 +1076,8 @@ mm_answer_pam_query(int sock, Buffer *m)
xfree(prompts); xfree(prompts);
if (echo_on != NULL) if (echo_on != NULL)
xfree(echo_on); xfree(echo_on);
@ -613,7 +613,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
return (0); return (0);
} }
@@ -1088,7 +1108,8 @@ mm_answer_pam_respond(int sock, Buffer * @@ -1086,7 +1106,8 @@ mm_answer_pam_respond(int sock, Buffer *
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, ret); buffer_put_int(m, ret);
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
@ -623,7 +623,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (ret == 0) if (ret == 0)
sshpam_authok = sshpam_ctxt; sshpam_authok = sshpam_ctxt;
return (0); return (0);
@@ -1102,7 +1123,8 @@ mm_answer_pam_free_ctx(int sock, Buffer @@ -1100,7 +1121,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
(sshpam_device.free_ctx)(sshpam_ctxt); (sshpam_device.free_ctx)(sshpam_ctxt);
buffer_clear(m); buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
@ -633,7 +633,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (sshpam_authok == sshpam_ctxt); return (sshpam_authok == sshpam_ctxt);
} }
#endif #endif
@@ -1138,6 +1160,7 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1136,6 +1158,7 @@ mm_answer_keyallowed(int sock, Buffer *m
allowed = options.pubkey_authentication && allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key); user_key_allowed(authctxt->pw, key);
auth_method = "publickey"; auth_method = "publickey";
@ -641,7 +641,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (options.pubkey_authentication && allowed != 1) if (options.pubkey_authentication && allowed != 1)
auth_clear_options(); auth_clear_options();
break; break;
@@ -1146,6 +1169,7 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1144,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_key_allowed(authctxt->pw, hostbased_key_allowed(authctxt->pw,
cuser, chost, key); cuser, chost, key);
auth_method = "hostbased"; auth_method = "hostbased";
@ -649,7 +649,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
break; break;
case MM_RSAHOSTKEY: case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */ key->type = KEY_RSA1; /* XXX */
@@ -1155,6 +1179,7 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1153,6 +1177,7 @@ mm_answer_keyallowed(int sock, Buffer *m
if (options.rhosts_rsa_authentication && allowed != 1) if (options.rhosts_rsa_authentication && allowed != 1)
auth_clear_options(); auth_clear_options();
auth_method = "rsa"; auth_method = "rsa";
@ -657,7 +657,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
break; break;
default: default:
fatal("%s: unknown key type %d", __func__, type); fatal("%s: unknown key type %d", __func__, type);
@@ -1180,7 +1205,8 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1178,7 +1203,8 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_chost = chost; hostbased_chost = chost;
} else { } else {
/* Log failed attempt */ /* Log failed attempt */
@ -667,7 +667,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
xfree(blob); xfree(blob);
xfree(cuser); xfree(cuser);
xfree(chost); xfree(chost);
@@ -1356,6 +1382,7 @@ mm_answer_keyverify(int sock, Buffer *m) @@ -1354,6 +1380,7 @@ mm_answer_keyverify(int sock, Buffer *m)
xfree(data); xfree(data);
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@ -675,7 +675,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
monitor_reset_key_state(); monitor_reset_key_state();
@@ -1545,6 +1572,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe @@ -1543,6 +1570,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
debug3("%s entering", __func__); debug3("%s entering", __func__);
auth_method = "rsa"; auth_method = "rsa";
@ -683,7 +683,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (options.rsa_authentication && authctxt->valid) { if (options.rsa_authentication && authctxt->valid) {
if ((client_n = BN_new()) == NULL) if ((client_n = BN_new()) == NULL)
fatal("%s: BN_new", __func__); fatal("%s: BN_new", __func__);
@@ -1650,6 +1678,7 @@ mm_answer_rsa_response(int sock, Buffer @@ -1648,6 +1676,7 @@ mm_answer_rsa_response(int sock, Buffer
xfree(response); xfree(response);
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@ -691,7 +691,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* reset state */ /* reset state */
BN_clear_free(ssh1_challenge); BN_clear_free(ssh1_challenge);
@@ -2099,6 +2128,7 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2097,6 +2126,7 @@ mm_answer_gss_userok(int sock, Buffer *m
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
auth_method = "gssapi-with-mic"; auth_method = "gssapi-with-mic";
@ -699,7 +699,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
@@ -2303,6 +2333,7 @@ mm_answer_jpake_check_confirm(int sock, @@ -2301,6 +2331,7 @@ mm_answer_jpake_check_confirm(int sock,
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
auth_method = "jpake-01@openssh.com"; auth_method = "jpake-01@openssh.com";
@ -707,10 +707,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return authenticated; return authenticated;
} }
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c diff -up openssh-6.1p1/servconf.c.required-authentication openssh-6.1p1/servconf.c
--- openssh-5.9p1/servconf.c.required-authentication 2012-07-27 12:21:41.167601942 +0200 --- openssh-6.1p1/servconf.c.required-authentication 2012-09-14 20:17:56.699488040 +0200
+++ openssh-5.9p1/servconf.c 2012-07-27 12:21:41.209602032 +0200 +++ openssh-6.1p1/servconf.c 2012-09-14 20:19:49.179983651 +0200
@@ -42,6 +42,8 @@ @@ -43,6 +43,8 @@
#include "key.h" #include "key.h"
#include "kex.h" #include "kex.h"
#include "mac.h" #include "mac.h"
@ -719,7 +719,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
#include "match.h" #include "match.h"
#include "channels.h" #include "channels.h"
#include "groupaccess.h" #include "groupaccess.h"
@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions @@ -132,6 +134,8 @@ initialize_server_options(ServerOptions
options->num_authkeys_files = 0; options->num_authkeys_files = 0;
options->num_accept_env = 0; options->num_accept_env = 0;
options->permit_tun = -1; options->permit_tun = -1;
@ -728,7 +728,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
options->num_permitted_opens = -1; options->num_permitted_opens = -1;
options->adm_forced_command = NULL; options->adm_forced_command = NULL;
options->chroot_directory = NULL; options->chroot_directory = NULL;
@@ -319,6 +323,7 @@ typedef enum { @@ -324,6 +328,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@ -736,16 +736,16 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate, sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -447,6 +452,8 @@ static struct { @@ -452,6 +457,8 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL }, + { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL }, + { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 } { NULL, sBadOption, 0 }
}; @@ -1298,6 +1305,33 @@ process_server_config_line(ServerOptions
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
options->max_startups = options->max_startups_begin; options->max_startups = options->max_startups_begin;
break; break;
@ -779,9 +779,9 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
case sMaxAuthTries: case sMaxAuthTries:
intptr = &options->max_authtries; intptr = &options->max_authtries;
goto parse_int; goto parse_int;
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h diff -up openssh-6.1p1/servconf.h.required-authentication openssh-6.1p1/servconf.h
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200 --- openssh-6.1p1/servconf.h.required-authentication 2012-07-31 04:21:34.000000000 +0200
+++ openssh-5.9p1/servconf.h 2012-07-27 12:21:41.210602035 +0200 +++ openssh-6.1p1/servconf.h 2012-09-14 20:17:56.810488571 +0200
@@ -154,6 +154,9 @@ typedef struct { @@ -154,6 +154,9 @@ typedef struct {
u_int num_authkeys_files; /* Files containing public keys */ u_int num_authkeys_files; /* Files containing public keys */
char *authorized_keys_files[MAX_AUTHKEYS_FILES]; char *authorized_keys_files[MAX_AUTHKEYS_FILES];
@ -792,10 +792,10 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
char *adm_forced_command; char *adm_forced_command;
int use_pam; /* Enable auth via PAM */ int use_pam; /* Enable auth via PAM */
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5 diff -up openssh-6.1p1/sshd_config.5.required-authentication openssh-6.1p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200 --- openssh-6.1p1/sshd_config.5.required-authentication 2012-07-02 10:53:38.000000000 +0200
+++ openssh-5.9p1/sshd_config.5 2012-07-27 12:38:47.607222070 +0200 +++ openssh-6.1p1/sshd_config.5 2012-09-14 20:17:56.812488582 +0200
@@ -723,6 +723,8 @@ Available keywords are @@ -731,6 +731,8 @@ Available keywords are
.Cm PermitOpen , .Cm PermitOpen ,
.Cm PermitRootLogin , .Cm PermitRootLogin ,
.Cm PermitTunnel , .Cm PermitTunnel ,
@ -804,7 +804,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
.Cm PubkeyAuthentication , .Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication , .Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication , .Cm RSAAuthentication ,
@@ -920,6 +922,21 @@ Specifies a list of revoked public keys. @@ -931,6 +933,21 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication. Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will Note that if this file is not readable, then public key authentication will
be refused for all users. be refused for all users.


@ -1,7 +1,7 @@
diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac
--- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100 --- openssh-6.1p1/configure.ac.vendor 2012-09-14 20:36:49.153085211 +0200
+++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100 +++ openssh-6.1p1/configure.ac 2012-09-14 20:36:49.559088133 +0200
@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog], @@ -4303,6 +4303,12 @@ AC_ARG_WITH([lastlog],
fi fi
] ]
) )
@ -14,7 +14,7 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack @@ -4529,6 +4535,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE" echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
echo "" echo ""
diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
--- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100 --- openssh-6.1p1/servconf.c.vendor 2012-09-14 20:36:49.124085002 +0200
+++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100 +++ openssh-6.1p1/servconf.c 2012-09-14 20:50:34.995972516 +0200
@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions @@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1; options->max_authtries = -1;
options->max_sessions = -1; options->max_sessions = -1;
options->banner = NULL; options->banner = NULL;
@ -33,16 +33,17 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
options->client_alive_count_max = -1; options->client_alive_count_max = -1;
@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption @@ -289,6 +290,9 @@ fill_default_server_options(ServerOption
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
options->ip_qos_bulk = IPTOS_THROUGHPUT; options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
+ if (options->show_patchlevel == -1) + if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0; + options->show_patchlevel = 0;
+
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
@@ -321,7 +324,7 @@ typedef enum { use_privsep = PRIVSEP_NOSANDBOX;
@@ -326,7 +330,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions, sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -51,7 +52,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -436,6 +439,7 @@ static struct { @@ -441,6 +445,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL },
@ -59,7 +60,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions @@ -1162,6 +1167,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep; multistate_ptr = multistate_privsep;
goto parse_multistate; goto parse_multistate;
@ -70,7 +71,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
case sAllowUsers: case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS) if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o) @@ -1956,6 +1965,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
@ -78,9 +79,9 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h diff -up openssh-6.1p1/servconf.h.vendor openssh-6.1p1/servconf.h
--- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100 --- openssh-6.1p1/servconf.h.vendor 2012-09-14 20:36:49.125085009 +0200
+++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100 +++ openssh-6.1p1/servconf.h 2012-09-14 20:36:49.564088168 +0200
@@ -140,6 +140,7 @@ typedef struct { @@ -140,6 +140,7 @@ typedef struct {
int max_authtries; int max_authtries;
int max_sessions; int max_sessions;
@ -89,10 +90,10 @@ diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
int use_dns; int use_dns;
int client_alive_interval; /* int client_alive_interval; /*
* poke the client this often to * poke the client this often to
diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config diff -up openssh-6.1p1/sshd_config.vendor openssh-6.1p1/sshd_config
--- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100 --- openssh-6.1p1/sshd_config.vendor 2012-09-14 20:36:49.507087759 +0200
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100 +++ openssh-6.1p1/sshd_config 2012-09-14 20:36:49.565088175 +0200
@@ -112,6 +112,7 @@ X11Forwarding yes @@ -114,6 +114,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
@ -100,10 +101,10 @@ diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
#UseDNS yes #UseDNS yes
#PidFile /var/run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10 #MaxStartups 10
diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0 diff -up openssh-6.1p1/sshd_config.0.vendor openssh-6.1p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100 --- openssh-6.1p1/sshd_config.0.vendor 2012-09-14 20:36:49.510087780 +0200
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100 +++ openssh-6.1p1/sshd_config.0 2012-09-14 20:36:49.567088190 +0200
@@ -556,6 +556,11 @@ DESCRIPTION @@ -558,6 +558,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1 Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024. server key. The minimum value is 512, and the default is 1024.
@ -115,10 +116,10 @@ diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
StrictModes StrictModes
Specifies whether sshd(8) should check file modes and ownership Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login. of the user's files and home directory before accepting login.
diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5 diff -up openssh-6.1p1/sshd_config.5.vendor openssh-6.1p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100 --- openssh-6.1p1/sshd_config.5.vendor 2012-09-14 20:36:49.512087794 +0200
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100 +++ openssh-6.1p1/sshd_config.5 2012-09-14 20:36:49.568088198 +0200
@@ -982,6 +982,14 @@ This option applies to protocol version @@ -978,6 +978,14 @@ This option applies to protocol version
.It Cm ServerKeyBits .It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024. The minimum value is 512, and the default is 1024.
@ -133,19 +134,19 @@ diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
.It Cm StrictModes .It Cm StrictModes
Specifies whether Specifies whether
.Xr sshd 8 .Xr sshd 8
diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c diff -up openssh-6.1p1/sshd.c.vendor openssh-6.1p1/sshd.c
--- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100 --- openssh-6.1p1/sshd.c.vendor 2012-09-14 20:36:49.399086981 +0200
+++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100 +++ openssh-6.1p1/sshd.c 2012-09-14 20:47:30.696088744 +0200
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in @@ -433,7 +433,7 @@ sshd_exchange_identification(int sock_in
minor = PROTOCOL_MINOR_1;
} }
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
- SSH_VERSION, newline);
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -1634,7 +1634,8 @@ main(int ac, char **av) - major, minor, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1635,7 +1635,8 @@ main(int ac, char **av)
exit(1); exit(1);
} }
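Review bot: In the rebased sshd.c hunk, `(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION` now fills the `softwareversion` field of the identification line, and RFC 4253 restricts that field to printable US-ASCII with no whitespace and no minus sign; only the addendum appended after it may contain spaces. Whether SSH_VENDOR_PATCHLEVEL satisfies that constraint depends on the configure.ac definition, which this page does not show, so it should be verified at the definition rather than assumed here; the `%.100s` width limits the length but not the character set. The new `fill_default_server_options` lines set `show_patchlevel` to 0 when it is still unset, so the vendor patch level stays out of the pre-authentication banner unless an administrator turns it on; a comment above that default, `/* off by default: the banner would otherwise reveal which vendor fixes are applied */`, would make the intent survive the next rebase. The enclosing sshd_exchange_identification body starts before and ends after this hunk.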


@ -108,7 +108,7 @@ Source13: sshd-keygen
Patch0: openssh-5.9p1-wIm.patch Patch0: openssh-5.9p1-wIm.patch
#? #?
Patch100: openssh-5.9p1-coverity.patch Patch100: openssh-6.1p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872 #https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Patch101: openssh-5.8p1-fingerprint.patch Patch101: openssh-5.8p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
@ -118,7 +118,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
Patch103: openssh-5.8p1-packet.patch Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=983 #https://bugzilla.mindrot.org/show_bug.cgi?id=983
#Patch104: openssh-5.9p1-2auth.patch #Patch104: openssh-5.9p1-2auth.patch
Patch104: openssh-5.9p1-required-authentications.patch Patch104: openssh-6.1p1-required-authentications.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-5.8p1-audit0.patch Patch200: openssh-5.8p1-audit0.patch
@ -150,7 +150,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch
Patch404: openssh-5.9p1-privsep-selinux.patch Patch404: openssh-5.9p1-privsep-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Patch500: openssh-5.9p1-akc.patch Patch500: openssh-6.1p1-akc.patch
#?-- unwanted child :( #?-- unwanted child :(
Patch501: openssh-6.0p1-ldap.patch Patch501: openssh-6.0p1-ldap.patch
#? #?
@ -173,7 +173,7 @@ Patch606: openssh-5.9p1-ipv6man.patch
#? #?
Patch607: openssh-5.8p2-sigpipe.patch Patch607: openssh-5.8p2-sigpipe.patch
#? #?
Patch608: openssh-5.8p2-askpass-ld.patch Patch608: openssh-6.1p1-askpass-ld.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789 #https://bugzilla.mindrot.org/show_bug.cgi?id=1789
Patch609: openssh-5.5p1-x11.patch Patch609: openssh-5.5p1-x11.patch
@ -196,29 +196,27 @@ Patch707: openssh-5.9p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-6.0p1-entropy.patch Patch708: openssh-6.0p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
Patch709: openssh-5.9p1-vendor.patch Patch709: openssh-6.1p1-vendor.patch
#? #?
Patch710: openssh-5.9p1-copy-id-restorecon.patch Patch710: openssh-5.9p1-copy-id-restorecon.patch
# warn users for unsupported UsePAM=no (#757545) # warn users for unsupported UsePAM=no (#757545)
Patch711: openssh-5.9p1-log-usepam-no.patch Patch711: openssh-6.1p1-log-usepam-no.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-5.9p1-ctr-evp-fast.patch Patch712: openssh-5.9p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr # add cavs test binary for the aes-ctr
Patch713: openssh-5.9p1-ctr-cavstest.patch Patch713: openssh-5.9p1-ctr-cavstest.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=815993
Patch714: openssh-5.9p1-null-xcrypt.patch
#http://www.sxw.org.uk/computing/patches/openssh.html #http://www.sxw.org.uk/computing/patches/openssh.html
#changed cache storage type - #848228 #changed cache storage type - #848228
Patch800: openssh-6.0p1-gsskex.patch Patch800: openssh-6.1p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-5.8p2-force_krb.patch Patch801: openssh-5.8p2-force_krb.patch
#? #?
Patch900: openssh-5.8p1-gssapi-canohost.patch Patch900: openssh-5.8p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-5.9p1-kuserok.patch Patch901: openssh-6.1p1-kuserok.patch
#--- #---
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604 #https://bugzilla.mindrot.org/show_bug.cgi?id=1604
# sctp # sctp
@ -459,7 +457,6 @@ popd
%patch711 -p1 -b .log-usepam-no %patch711 -p1 -b .log-usepam-no
%patch712 -p1 -b .evp-ctr %patch712 -p1 -b .evp-ctr
%patch713 -p1 -b .ctr-cavs %patch713 -p1 -b .ctr-cavs
%patch714 -p0 -b .null-xcrypt
%patch800 -p1 -b .gsskex %patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb %patch801 -p1 -b .force_krb