Update gssapi-keyex patch for OpenSSH 9.0+
userauth_gsskeyex must have the same argument as userauth_gssapi method_gsskeyex must have the same members as method_gssapi
This commit is contained in:
parent
c3494feffe
commit
c04e468b07
@ -160,7 +160,7 @@ index 9351e042..d6446c0c 100644
|
||||
+ * The 'gssapi_keyex' userauth mechanism.
|
||||
+ */
|
||||
+static int
|
||||
+userauth_gsskeyex(struct ssh *ssh)
|
||||
+userauth_gsskeyex(struct ssh *ssh, const char *method)
|
||||
+{
|
||||
+ Authctxt *authctxt = ssh->authctxt;
|
||||
+ int r, authenticated = 0;
|
||||
@ -221,19 +221,20 @@ index 9351e042..d6446c0c 100644
|
||||
else
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
|
||||
@@ -326,6 +370,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+Authmethod method_gsskeyex = {
|
||||
+ "gssapi-keyex",
|
||||
+ NULL,
|
||||
+ userauth_gsskeyex,
|
||||
+ &options.gss_authentication
|
||||
+};
|
||||
+
|
||||
Authmethod method_gssapi = {
|
||||
"gssapi-with-mic",
|
||||
NULL,
|
||||
NULL,
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index 0e776224..1c217268 100644
|
||||
--- a/auth2.c
|
||||
@ -400,8 +401,8 @@ index ebd0dbca..1bdac6a4 100644
|
||||
+#endif
|
||||
+
|
||||
/* Buffer input from the connection. */
|
||||
if (conn_in_ready)
|
||||
client_process_net_input(ssh);
|
||||
if (conn_in_ready)
|
||||
client_process_net_input(ssh);
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index b689db4b..efafb6bd 100644
|
||||
--- a/configure.ac
|
||||
@ -1368,8 +1369,8 @@ index ce85f043..574c7609 100644
|
||||
+#ifdef GSSAPI
|
||||
+ free(kex->gss_host);
|
||||
+#endif /* GSSAPI */
|
||||
sshbuf_free(kex->initial_sig);
|
||||
sshkey_free(kex->initial_hostkey);
|
||||
sshbuf_free(kex->initial_sig);
|
||||
sshkey_free(kex->initial_hostkey);
|
||||
free(kex->failed_choice);
|
||||
diff --git a/kex.h b/kex.h
|
||||
index a5ae6ac0..fe714141 100644
|
||||
@ -3584,7 +3585,7 @@ index af00fb30..03bc87eb 100644
|
||||
+# endif
|
||||
+#endif /* WITH_OPENSSL */
|
||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||
ssh->kex->verify_host_key=&verify_host_key_callback;
|
||||
|
||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||
|
@ -47,14 +47,14 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 9.3p1
|
||||
%global openssh_rel 5
|
||||
%global openssh_rel 6
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 9
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
Version: %{openssh_ver}
|
||||
Release: %{openssh_rel}%{?dist}.1
|
||||
Release: %{openssh_rel}%{?dist}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
@ -304,7 +304,7 @@ Requires: openssh = %{version}-%{release}
|
||||
%package -n pam_ssh_agent_auth
|
||||
Summary: PAM module for authentication with ssh-agent
|
||||
Version: %{pam_ssh_agent_ver}
|
||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1
|
||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
|
||||
License: BSD
|
||||
|
||||
%description
|
||||
@ -739,6 +739,9 @@ test -f %{sysconfig_anaconda} && \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jul 26 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.3p1-6
|
||||
- Update gssapi-keyex patch for OpenSSH 9.0+
|
||||
|
||||
* Fri Jul 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.3p1-5
|
||||
- Fix remote code execution in ssh-agent PKCS#11 support
|
||||
Resolves: CVE-2023-38408
|
||||
|
Loading…
Reference in New Issue
Block a user