Merge gssapi-keyex and gssapi-auth
Signed-off-by: Norbert Pocs <npocs@redhat.com>
parent
2b67ec48c2
commit
c5082a3f81
@ -2611,6 +2611,23 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
|
|
||||||
/* The first few requests do not require asynchronous access */
|
/* The first few requests do not require asynchronous access */
|
||||||
while (!authenticated) {
|
while (!authenticated) {
|
||||||
|
@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
|
||||||
|
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
|
||||||
|
auth_log(ssh, authenticated, partial,
|
||||||
|
auth_method, auth_submethod);
|
||||||
|
- if (!partial && !authenticated)
|
||||||
|
+ if (!partial && !authenticated) {
|
||||||
|
+#ifdef GSSAPI
|
||||||
|
+ /* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
|
||||||
|
+ * We have to reenable it to try again for gssapi-keyex */
|
||||||
|
+ if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
|
||||||
|
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||||
|
+#endif
|
||||||
|
authctxt->failures++;
|
||||||
|
+ }
|
||||||
|
if (authenticated || partial) {
|
||||||
|
auth2_update_session_info(authctxt,
|
||||||
|
auth_method, auth_submethod);
|
||||||
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
|
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||||
|
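Review bot: The added `#ifdef GSSAPI` branch in monitor_child_preauth re-permits `MONITOR_REQ_GSSCHECKMIC` after every failed gssapi-with-mic attempt whenever `options.gss_keyex` is set. That loosens the monitor's request gating for the unprivileged pre-auth child, and the comment does not say what keeps it bounded. `options.gss_keyex` reads like a server-wide setting rather than evidence that this connection negotiated a GSSAPI key exchange, so the request may be reopened for sessions that can never complete gssapi-keyex; if the monitor has a per-connection indicator, testing it here would keep the gate narrow. At minimum the comment should record the bound, e.g. `/* Safe to re-permit: authctxt->failures is still incremented below, so the retry limit applies */`, once that is confirmed against the retry check. The `strcmp` also assumes `auth_method` is non-NULL; it is assigned outside this hunk, as are the start and end of the function.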
@ -1,20 +0,0 @@
|
|||||||
diff --color -rup a/monitor.c b/monitor.c
|
|
||||||
--- a/monitor.c 2022-07-11 15:11:28.146863144 +0200
|
|
||||||
+++ b/monitor.c 2022-07-11 15:15:35.726655877 +0200
|
|
||||||
@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
|
|
||||||
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
|
|
||||||
auth_log(ssh, authenticated, partial,
|
|
||||||
auth_method, auth_submethod);
|
|
||||||
- if (!partial && !authenticated)
|
|
||||||
+ if (!partial && !authenticated) {
|
|
||||||
+#ifdef GSSAPI
|
|
||||||
+ /* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
|
|
||||||
+ * We have to reenable it to try again for gssapi-keyex */
|
|
||||||
+ if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
|
|
||||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
|
||||||
+#endif
|
|
||||||
authctxt->failures++;
|
|
||||||
+ }
|
|
||||||
if (authenticated || partial) {
|
|
||||||
auth2_update_session_info(authctxt,
|
|
||||||
auth_method, auth_submethod);
|
|
@ -137,6 +137,10 @@ Patch711: openssh-7.8p1-UsePAM-warning.patch
|
|||||||
|
|
||||||
# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
|
# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
|
||||||
# from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
|
# from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
|
||||||
|
# and
|
||||||
|
# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
|
||||||
|
# upstream MR:
|
||||||
|
# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
|
||||||
Patch800: openssh-8.0p1-gssapi-keyex.patch
|
Patch800: openssh-8.0p1-gssapi-keyex.patch
|
||||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||||
Patch801: openssh-6.6p1-force_krb.patch
|
Patch801: openssh-6.6p1-force_krb.patch
|
||||||
@ -215,10 +219,6 @@ Patch984: openssh-8.7p1-ibmca.patch
|
|||||||
# upstream bug:
|
# upstream bug:
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=3455
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3455
|
||||||
Patch1002: openssh-8.7p1-ssh-manpage.patch
|
Patch1002: openssh-8.7p1-ssh-manpage.patch
|
||||||
# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
|
|
||||||
# upstream MR:
|
|
||||||
# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
|
|
||||||
Patch1004: openssh-8.7p1-gssapi-auth.patch
|
|
||||||
|
|
||||||
# Don't propose disallowed algorithms during hostkey negotiation
|
# Don't propose disallowed algorithms during hostkey negotiation
|
||||||
# upstream MR:
|
# upstream MR:
|
||||||
@ -424,7 +424,6 @@ popd
|
|||||||
%patch -P 700 -p1 -b .fips
|
%patch -P 700 -p1 -b .fips
|
||||||
|
|
||||||
%patch -P 1002 -p1 -b .ssh-manpage
|
%patch -P 1002 -p1 -b .ssh-manpage
|
||||||
%patch -P 1004 -p1 -b .gssapi-auth
|
|
||||||
|
|
||||||
%patch -P 1006 -p1 -b .negotiate-supported-algs
|
%patch -P 1006 -p1 -b .negotiate-supported-algs
|
||||||
|
|
||||||
|