From f00e4a3ddca9ff37e8af762d19b284a0eb55358c Mon Sep 17 00:00:00 2001 From: Jan F Date: Tue, 25 Jan 2011 14:06:13 +0100 Subject: [PATCH] - clean the data structures before exit net process --- openssh-5.6p1-audit5.patch | 203 +++++++++++++++++++++++++++++++++---- openssh-5.6p1-gsskex.patch | 140 ++++++++++++------------- openssh.spec | 5 +- 3 files changed, 256 insertions(+), 92 deletions(-) diff --git a/openssh-5.6p1-audit5.patch b/openssh-5.6p1-audit5.patch index ca3ce9a..471c211 100644 --- a/openssh-5.6p1-audit5.patch +++ b/openssh-5.6p1-audit5.patch @@ -1,6 +1,6 @@ diff -up openssh-5.6p1/audit-bsm.c.audit5 openssh-5.6p1/audit-bsm.c ---- openssh-5.6p1/audit-bsm.c.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/audit-bsm.c 2011-01-14 10:04:56.000000000 +0100 +--- openssh-5.6p1/audit-bsm.c.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/audit-bsm.c 2011-01-24 23:31:17.000000000 +0100 @@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos) { /* not implemented */ @@ -13,8 +13,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit5 openssh-5.6p1/audit-bsm.c +} #endif /* BSM */ diff -up openssh-5.6p1/audit.c.audit5 openssh-5.6p1/audit.c ---- openssh-5.6p1/audit.c.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/audit.c 2011-01-14 10:07:57.000000000 +0100 +--- openssh-5.6p1/audit.c.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/audit.c 2011-01-24 23:31:17.000000000 +0100 @@ -268,5 +268,14 @@ audit_session_key_free_body(int ctos) { debug("audit session key discard euid %d direction %d", geteuid(), ctos); @@ -31,8 +31,8 @@ diff -up openssh-5.6p1/audit.c.audit5 openssh-5.6p1/audit.c # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/audit.h.audit5 openssh-5.6p1/audit.h ---- openssh-5.6p1/audit.h.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/audit.h 2011-01-14 10:14:08.000000000 +0100 +--- openssh-5.6p1/audit.h.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/audit.h 2011-01-24 23:31:17.000000000 +0100 @@ -62,5 +62,6 @@ void audit_unsupported_body(int); void audit_kex_body(int, char *, char *, char *); void audit_session_key_free(int ctos); @@ -41,8 +41,8 @@ diff -up openssh-5.6p1/audit.h.audit5 openssh-5.6p1/audit.h #endif /* _SSH_AUDIT_H */ diff -up openssh-5.6p1/audit-linux.c.audit5 openssh-5.6p1/audit-linux.c ---- openssh-5.6p1/audit-linux.c.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/audit-linux.c 2011-01-14 10:14:08.000000000 +0100 +--- openssh-5.6p1/audit-linux.c.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/audit-linux.c 2011-01-24 23:31:17.000000000 +0100 @@ -226,4 +226,26 @@ audit_session_key_free_body(int ctos) error("cannot write into audit"); } @@ -70,9 +70,93 @@ diff -up openssh-5.6p1/audit-linux.c.audit5 openssh-5.6p1/audit-linux.c +} + #endif /* USE_LINUX_AUDIT */ +diff -up openssh-5.6p1/kex.c.audit5 openssh-5.6p1/kex.c +--- openssh-5.6p1/kex.c.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/kex.c 2011-01-24 23:31:17.000000000 +0100 +@@ -592,3 +592,34 @@ dump_digest(char *msg, u_char *digest, i + fprintf(stderr, "\n"); + } + #endif ++ ++static void ++enc_destroy(Enc *enc) ++{ ++ if (enc == NULL) ++ return; ++ ++ if (enc->key) { ++ memset(enc->key, 0, enc->key_len); ++ xfree(enc->key); ++ } ++ ++ if (enc->iv) { ++ memset(enc->iv, 0, enc->block_size); ++ xfree(enc->iv); ++ } ++ ++ memset(enc, 0, sizeof(*enc)); ++} ++ ++void ++newkeys_destroy(Newkeys *newkeys) ++{ ++ if (newkeys == NULL) ++ return; ++ ++ enc_destroy(&newkeys->enc); ++ mac_destroy(&newkeys->mac); ++ memset(&newkeys->comp, 0, sizeof(newkeys->comp)); ++} ++ +diff -up openssh-5.6p1/kex.h.audit5 openssh-5.6p1/kex.h +--- openssh-5.6p1/kex.h.audit5 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.6p1/kex.h 2011-01-24 23:31:17.000000000 +0100 +@@ -146,6 +146,8 @@ void kexdh_server(Kex *); + void kexgex_client(Kex *); + void kexgex_server(Kex *); + ++void newkeys_destroy(Newkeys *newkeys); ++ + void + kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, + BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); +diff -up openssh-5.6p1/mac.c.audit5 openssh-5.6p1/mac.c +--- openssh-5.6p1/mac.c.audit5 2008-06-13 02:58:50.000000000 +0200 ++++ openssh-5.6p1/mac.c 2011-01-24 23:31:17.000000000 +0100 +@@ -162,6 +162,22 @@ mac_clear(Mac *mac) + mac->umac_ctx = NULL; + } + ++void ++mac_destroy(Mac *mac) ++{ ++ if (mac == NULL) ++ return; ++ ++ mac_clear(mac); ++ ++ if (mac->key) { ++ memset(mac->key, 0, mac->key_len); ++ xfree(mac->key); ++ } ++ ++ memset(mac, 0, sizeof(*mac)); ++} ++ + /* XXX copied from ciphers_valid */ + #define MAC_SEP "," + int +diff -up openssh-5.6p1/mac.h.audit5 openssh-5.6p1/mac.h +--- openssh-5.6p1/mac.h.audit5 2007-06-11 06:01:42.000000000 +0200 ++++ openssh-5.6p1/mac.h 2011-01-24 23:31:17.000000000 +0100 +@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *); + int mac_init(Mac *); + u_char *mac_compute(Mac *, u_int32_t, u_char *, int); + void mac_clear(Mac *); ++void mac_destroy(Mac *); diff -up openssh-5.6p1/monitor.c.audit5 openssh-5.6p1/monitor.c ---- openssh-5.6p1/monitor.c.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/monitor.c 2011-01-14 10:14:08.000000000 +0100 +--- openssh-5.6p1/monitor.c.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/monitor.c 2011-01-24 23:31:17.000000000 +0100 @@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer int mm_answer_audit_unsupported_body(int, Buffer *); int mm_answer_audit_kex_body(int, Buffer *); @@ -130,8 +214,8 @@ diff -up openssh-5.6p1/monitor.c.audit5 openssh-5.6p1/monitor.c +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/monitor.h.audit5 openssh-5.6p1/monitor.h ---- openssh-5.6p1/monitor.h.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/monitor.h 2011-01-14 10:14:08.000000000 +0100 +--- openssh-5.6p1/monitor.h.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/monitor.h 2011-01-24 23:31:17.000000000 +0100 @@ -69,6 +69,7 @@ enum monitor_reqtype { MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED, MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX, @@ -141,8 +225,8 @@ diff -up openssh-5.6p1/monitor.h.audit5 openssh-5.6p1/monitor.h struct mm_master; diff -up openssh-5.6p1/monitor_wrap.c.audit5 openssh-5.6p1/monitor_wrap.c ---- openssh-5.6p1/monitor_wrap.c.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/monitor_wrap.c 2011-01-14 10:14:08.000000000 +0100 +--- openssh-5.6p1/monitor_wrap.c.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/monitor_wrap.c 2011-01-24 23:31:17.000000000 +0100 @@ -1458,4 +1458,16 @@ mm_audit_session_key_free_body(int ctos) &m); buffer_free(&m); @@ -161,8 +245,8 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit5 openssh-5.6p1/monitor_wrap.c +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/monitor_wrap.h.audit5 openssh-5.6p1/monitor_wrap.h ---- openssh-5.6p1/monitor_wrap.h.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/monitor_wrap.h 2011-01-14 10:14:08.000000000 +0100 +--- openssh-5.6p1/monitor_wrap.h.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/monitor_wrap.h 2011-01-24 23:31:17.000000000 +0100 @@ -77,6 +77,7 @@ void mm_audit_run_command(const char *); void mm_audit_unsupported_body(int); void mm_audit_kex_body(int, char *, char *, char *); @@ -171,9 +255,77 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit5 openssh-5.6p1/monitor_wrap.h #endif struct Session; +diff -up openssh-5.6p1/packet.c.audit5 openssh-5.6p1/packet.c +--- openssh-5.6p1/packet.c.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/packet.c 2011-01-24 23:40:06.000000000 +0100 +@@ -60,6 +60,7 @@ + #include + + #include "xmalloc.h" ++#include "audit.h" + #include "buffer.h" + #include "packet.h" + #include "crc32.h" +@@ -495,9 +496,9 @@ packet_close(void) + buffer_free(&active_state->compression_buffer); + buffer_compress_uninit(); + } +- audit_session_key_free(2); + cipher_cleanup(&active_state->send_context); + cipher_cleanup(&active_state->receive_context); ++ audit_session_key_free(2); + } + + /* Sets remote side protocol flags. */ +@@ -1939,3 +1940,36 @@ packet_restore_state(void) + add_recv_bytes(len); + } + } ++ ++static void ++packet_destroy_state(struct session_state *state) ++{ ++ if (state == NULL) ++ return; ++ ++ if (state->connection_in >= 0) ++ close(state->connection_in); ++ if ((state->connection_in != state->connection_out) && (state->connection_out >= 0)) ++ close(state->connection_out); ++ ++ cipher_cleanup(&state->receive_context); ++ cipher_cleanup(&state->send_context); ++ ++ buffer_free(&state->input); ++ buffer_free(&state->output); ++ buffer_free(&state->outgoing_packet); ++ buffer_free(&state->incoming_packet); ++ buffer_free(&state->compression_buffer); ++ newkeys_destroy(state->newkeys[MODE_IN]); ++ newkeys_destroy(state->newkeys[MODE_OUT]); ++ mac_destroy(state->packet_discard_mac); ++// TAILQ_HEAD(, packet) outgoing; ++ memset(state, 0, sizeof(state)); ++} ++ ++void ++packet_destroy_all(void) ++{ ++ packet_destroy_state(active_state); ++ packet_destroy_state(backup_state); ++} +diff -up openssh-5.6p1/packet.h.audit5 openssh-5.6p1/packet.h +--- openssh-5.6p1/packet.h.audit5 2009-07-05 23:11:13.000000000 +0200 ++++ openssh-5.6p1/packet.h 2011-01-24 23:31:17.000000000 +0100 +@@ -115,4 +115,5 @@ void packet_restore_state(void); + void *packet_get_input(void); + void *packet_get_output(void); + ++void packet_destroy_all(void); + #endif /* PACKET_H */ diff -up openssh-5.6p1/session.c.audit5 openssh-5.6p1/session.c --- openssh-5.6p1/session.c.audit5 2010-06-26 02:00:15.000000000 +0200 -+++ openssh-5.6p1/session.c 2011-01-14 10:14:08.000000000 +0100 ++++ openssh-5.6p1/session.c 2011-01-24 23:31:17.000000000 +0100 @@ -1677,6 +1677,7 @@ do_child(Session *s, const char *command /* remove hostkey from the child's memory */ @@ -183,8 +335,8 @@ diff -up openssh-5.6p1/session.c.audit5 openssh-5.6p1/session.c /* Force a password change */ if (s->authctxt->force_pwchange) { diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c ---- openssh-5.6p1/sshd.c.audit5 2011-01-14 10:14:08.000000000 +0100 -+++ openssh-5.6p1/sshd.c 2011-01-14 10:14:08.000000000 +0100 +--- openssh-5.6p1/sshd.c.audit5 2011-01-24 23:31:17.000000000 +0100 ++++ openssh-5.6p1/sshd.c 2011-01-24 23:42:47.000000000 +0100 @@ -579,6 +579,7 @@ demote_sensitive_data(void) } /* Certs do not need demotion */ @@ -193,7 +345,16 @@ diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c /* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */ } -@@ -2011,8 +2012,10 @@ main(int ac, char **av) +@@ -1970,6 +1971,8 @@ main(int ac, char **av) + */ + if (use_privsep) { + mm_send_keystate(pmonitor); ++ packet_destroy_all(); ++ audit_session_key_free(2); + exit(0); + } + +@@ -2011,8 +2014,10 @@ main(int ac, char **av) if (use_privsep) { privsep_postauth(authctxt); /* the monitor process [priv] will not return */ @@ -205,7 +366,7 @@ diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c } packet_set_timeout(options.client_alive_interval, -@@ -2249,6 +2252,7 @@ do_ssh1_kex(void) +@@ -2249,6 +2254,7 @@ do_ssh1_kex(void) } /* Destroy the private and public keys. No longer. */ destroy_sensitive_data(); diff --git a/openssh-5.6p1-gsskex.patch b/openssh-5.6p1-gsskex.patch index 34da324..53211b0 100644 --- a/openssh-5.6p1-gsskex.patch +++ b/openssh-5.6p1-gsskex.patch @@ -1,6 +1,6 @@ diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c ---- openssh-5.6p1/auth2.c.gsskex 2010-11-02 22:23:46.000000000 +0100 -+++ openssh-5.6p1/auth2.c 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/auth2.c.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/auth2.c 2011-01-24 23:51:08.000000000 +0100 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -36,8 +36,8 @@ diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c ---- openssh-5.6p1/auth2-gss.c.gsskex 2010-11-02 22:23:46.000000000 +0100 -+++ openssh-5.6p1/auth2-gss.c 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/auth2-gss.c.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/auth2-gss.c 2011-01-24 23:51:08.000000000 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ @@ -138,8 +138,8 @@ diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c "gssapi-with-mic", userauth_gssapi, diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h ---- openssh-5.6p1/auth.h.gsskex 2010-11-02 22:23:46.000000000 +0100 -+++ openssh-5.6p1/auth.h 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/auth.h.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/auth.h 2011-01-24 23:51:08.000000000 +0100 @@ -53,6 +53,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; @@ -150,7 +150,7 @@ diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h char *service; diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c --- openssh-5.6p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 -+++ openssh-5.6p1/auth-krb5.c 2010-11-02 22:23:49.000000000 +0100 ++++ openssh-5.6p1/auth-krb5.c 2011-01-24 23:51:08.000000000 +0100 @@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c len = strlen(authctxt->krb5_ticket_file) + 6; @@ -199,8 +199,8 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c return (krb5_cc_resolve(ctx, ccname, ccache)); } diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi ---- openssh-5.6p1/ChangeLog.gssapi.gsskex 2010-11-02 22:23:49.000000000 +0100 -+++ openssh-5.6p1/ChangeLog.gssapi 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/ChangeLog.gssapi.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/ChangeLog.gssapi 2011-01-24 23:51:08.000000000 +0100 @@ -0,0 +1,95 @@ +20090615 + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c @@ -299,7 +299,7 @@ diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi + diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c --- openssh-5.6p1/clientloop.c.gsskex 2010-08-03 08:04:46.000000000 +0200 -+++ openssh-5.6p1/clientloop.c 2010-11-02 22:23:49.000000000 +0100 ++++ openssh-5.6p1/clientloop.c 2011-01-24 23:51:08.000000000 +0100 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -326,8 +326,8 @@ diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c debug("need rekeying"); xxx_kex->done = 0; diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac ---- openssh-5.6p1/configure.ac.gsskex 2010-11-02 22:23:49.000000000 +0100 -+++ openssh-5.6p1/configure.ac 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/configure.ac.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/configure.ac 2011-01-24 23:51:09.000000000 +0100 @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE(SSH_TUN_PREPEND_AF, 1, @@ -361,7 +361,7 @@ diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c --- openssh-5.6p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.6p1/gss-genr.c 2010-11-02 22:23:49.000000000 +0100 ++++ openssh-5.6p1/gss-genr.c 2011-01-24 23:51:09.000000000 +0100 @@ -39,12 +39,167 @@ #include "buffer.h" #include "log.h" @@ -702,7 +702,7 @@ diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c #endif /* GSSAPI */ diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c --- openssh-5.6p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 -+++ openssh-5.6p1/gss-serv.c 2010-11-02 22:23:49.000000000 +0100 ++++ openssh-5.6p1/gss-serv.c 2011-01-24 23:51:09.000000000 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ @@ -1018,7 +1018,7 @@ diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c #endif diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c --- openssh-5.6p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.6p1/gss-serv-krb5.c 2010-11-02 22:23:49.000000000 +0100 ++++ openssh-5.6p1/gss-serv-krb5.c 2011-01-24 23:51:09.000000000 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ @@ -1140,8 +1140,8 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c #endif /* KRB5 */ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c ---- openssh-5.6p1/kex.c.gsskex 2010-11-02 22:23:46.000000000 +0100 -+++ openssh-5.6p1/kex.c 2010-11-02 22:27:07.000000000 +0100 +--- openssh-5.6p1/kex.c.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/kex.c 2011-01-24 23:51:09.000000000 +0100 @@ -51,6 +51,10 @@ #include "roaming.h" #include "audit.h" @@ -1175,8 +1175,8 @@ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c fatal("bad kex alg %s", k->name); } diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c ---- openssh-5.6p1/kexgssc.c.gsskex 2010-11-02 22:23:49.000000000 +0100 -+++ openssh-5.6p1/kexgssc.c 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/kexgssc.c.gsskex 2011-01-24 23:51:09.000000000 +0100 ++++ openssh-5.6p1/kexgssc.c 2011-01-24 23:51:09.000000000 +0100 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1513,8 +1513,8 @@ diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c + +#endif /* GSSAPI */ diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c ---- openssh-5.6p1/kexgsss.c.gsskex 2010-11-02 22:23:49.000000000 +0100 -+++ openssh-5.6p1/kexgsss.c 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/kexgsss.c.gsskex 2011-01-24 23:51:09.000000000 +0100 ++++ openssh-5.6p1/kexgsss.c 2011-01-24 23:51:09.000000000 +0100 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1805,8 +1805,8 @@ diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c +} +#endif /* GSSAPI */ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h ---- openssh-5.6p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.6p1/kex.h 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/kex.h.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/kex.h 2011-01-24 23:52:26.000000000 +0100 @@ -67,6 +67,9 @@ enum kex_exchange { KEX_DH_GRP14_SHA1, KEX_DH_GEX_SHA1, @@ -1830,9 +1830,9 @@ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h char *client_version_string; char *server_version_string; int (*verify_host_key)(Key *); -@@ -146,6 +155,11 @@ void kexdh_server(Kex *); - void kexgex_client(Kex *); - void kexgex_server(Kex *); +@@ -148,6 +157,11 @@ void kexgex_server(Kex *); + + void newkeys_destroy(Newkeys *newkeys); +#ifdef GSSAPI +void kexgss_client(Kex *); @@ -1844,7 +1844,7 @@ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c --- openssh-5.6p1/key.c.gsskex 2010-07-16 05:58:37.000000000 +0200 -+++ openssh-5.6p1/key.c 2010-11-02 22:23:49.000000000 +0100 ++++ openssh-5.6p1/key.c 2011-01-24 23:51:09.000000000 +0100 @@ -1020,6 +1020,8 @@ key_type_from_name(char *name) return KEY_RSA_CERT; } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { @@ -1856,7 +1856,7 @@ diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c return KEY_UNSPEC; diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h --- openssh-5.6p1/key.h.gsskex 2010-04-16 07:56:22.000000000 +0200 -+++ openssh-5.6p1/key.h 2010-11-02 22:23:49.000000000 +0100 ++++ openssh-5.6p1/key.h 2011-01-24 23:51:09.000000000 +0100 @@ -39,6 +39,7 @@ enum types { KEY_DSA_CERT, KEY_RSA_CERT_V00, @@ -1866,8 +1866,8 @@ diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h }; enum fp_type { diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in ---- openssh-5.6p1/Makefile.in.gsskex 2010-11-02 22:23:49.000000000 +0100 -+++ openssh-5.6p1/Makefile.in 2010-11-02 22:26:34.000000000 +0100 +--- openssh-5.6p1/Makefile.in.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/Makefile.in 2011-01-24 23:51:09.000000000 +0100 @@ -77,11 +77,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ @@ -1892,8 +1892,8 @@ diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c ---- openssh-5.6p1/monitor.c.gsskex 2010-11-02 22:23:47.000000000 +0100 -+++ openssh-5.6p1/monitor.c 2010-11-02 22:23:49.000000000 +0100 +--- openssh-5.6p1/monitor.c.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/monitor.c 2011-01-24 23:51:09.000000000 +0100 @@ -176,6 +176,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -1903,7 +1903,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c #endif #ifdef SSH_AUDIT_EVENTS -@@ -252,6 +254,7 @@ struct mon_table mon_dispatch_proto20[] +@@ -256,6 +258,7 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, @@ -1911,7 +1911,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c #endif #ifdef JPAKE {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, -@@ -264,6 +267,12 @@ struct mon_table mon_dispatch_proto20[] +@@ -268,6 +271,12 @@ struct mon_table mon_dispatch_proto20[] }; struct mon_table mon_dispatch_postauth20[] = { @@ -1924,7 +1924,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_SIGN, 0, mm_answer_sign}, {MONITOR_REQ_PTY, 0, mm_answer_pty}, -@@ -370,6 +379,10 @@ monitor_child_preauth(Authctxt *_authctx +@@ -384,6 +393,10 @@ monitor_child_preauth(Authctxt *_authctx /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -1935,7 +1935,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c } else { mon_dispatch = mon_dispatch_proto15; -@@ -456,6 +469,10 @@ monitor_child_postauth(struct monitor *p +@@ -470,6 +483,10 @@ monitor_child_postauth(struct monitor *p monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -1946,7 +1946,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1742,6 +1759,13 @@ mm_get_kex(Buffer *m) +@@ -1754,6 +1771,13 @@ mm_get_kex(Buffer *m) kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; @@ -1960,7 +1960,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -@@ -1948,6 +1972,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -1970,7 +1970,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -1975,6 +2002,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1980,7 +1980,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -1992,6 +2022,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1988,7 +1988,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c } return (0); } -@@ -2003,6 +2034,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; @@ -1998,7 +1998,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2029,7 +2063,11 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -2011,7 +2011,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2042,6 +2080,74 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2054,6 +2092,74 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2087,8 +2087,8 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c #ifdef JPAKE diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h ---- openssh-5.6p1/monitor.h.gsskex 2010-11-02 22:23:47.000000000 +0100 -+++ openssh-5.6p1/monitor.h 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/monitor.h.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/monitor.h 2011-01-24 23:51:09.000000000 +0100 @@ -56,6 +56,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, @@ -2099,8 +2099,8 @@ diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c ---- openssh-5.6p1/monitor_wrap.c.gsskex 2010-11-02 22:23:47.000000000 +0100 -+++ openssh-5.6p1/monitor_wrap.c 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/monitor_wrap.c.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/monitor_wrap.c 2011-01-24 23:51:09.000000000 +0100 @@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } @@ -2163,8 +2163,8 @@ diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c #ifdef JPAKE diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h ---- openssh-5.6p1/monitor_wrap.h.gsskex 2010-11-02 22:23:47.000000000 +0100 -+++ openssh-5.6p1/monitor_wrap.h 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/monitor_wrap.h.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/monitor_wrap.h 2011-01-24 23:51:09.000000000 +0100 @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -2179,7 +2179,7 @@ diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h #ifdef USE_PAM diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c --- openssh-5.6p1/readconf.c.gsskex 2010-08-03 08:04:46.000000000 +0200 -+++ openssh-5.6p1/readconf.c 2010-11-02 22:23:50.000000000 +0100 ++++ openssh-5.6p1/readconf.c 2011-01-24 23:51:09.000000000 +0100 @@ -127,6 +127,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, @@ -2263,7 +2263,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c if (options->kbd_interactive_authentication == -1) diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h --- openssh-5.6p1/readconf.h.gsskex 2010-08-03 08:04:46.000000000 +0200 -+++ openssh-5.6p1/readconf.h 2010-11-02 22:23:50.000000000 +0100 ++++ openssh-5.6p1/readconf.h 2011-01-24 23:51:09.000000000 +0100 @@ -46,7 +46,11 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ @@ -2277,8 +2277,8 @@ diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c ---- openssh-5.6p1/servconf.c.gsskex 2010-11-02 22:23:47.000000000 +0100 -+++ openssh-5.6p1/servconf.c 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/servconf.c.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/servconf.c 2011-01-24 23:51:09.000000000 +0100 @@ -93,7 +93,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; @@ -2356,8 +2356,8 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c intptr = &options->password_authentication; goto parse_flag; diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h ---- openssh-5.6p1/servconf.h.gsskex 2010-11-02 22:23:47.000000000 +0100 -+++ openssh-5.6p1/servconf.h 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/servconf.h.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/servconf.h 2011-01-24 23:51:09.000000000 +0100 @@ -94,7 +94,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ @@ -2371,7 +2371,7 @@ diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h int kbd_interactive_authentication; /* If true, permit */ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5 --- openssh-5.6p1/ssh_config.5.gsskex 2010-08-05 05:03:13.000000000 +0200 -+++ openssh-5.6p1/ssh_config.5 2010-11-02 22:23:50.000000000 +0100 ++++ openssh-5.6p1/ssh_config.5 2011-01-24 23:51:09.000000000 +0100 @@ -509,11 +509,38 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2413,8 +2413,8 @@ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5 Indicates that .Xr ssh 1 diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config ---- openssh-5.6p1/ssh_config.gsskex 2010-11-02 22:23:45.000000000 +0100 -+++ openssh-5.6p1/ssh_config 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/ssh_config.gsskex 2011-01-24 23:51:07.000000000 +0100 ++++ openssh-5.6p1/ssh_config 2011-01-24 23:51:09.000000000 +0100 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2425,8 +2425,8 @@ diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config # CheckHostIP yes # AddressFamily any diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c ---- openssh-5.6p1/sshconnect2.c.gsskex 2010-11-02 22:23:49.000000000 +0100 -+++ openssh-5.6p1/sshconnect2.c 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/sshconnect2.c.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/sshconnect2.c 2011-01-24 23:51:09.000000000 +0100 @@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho { Kex *kex; @@ -2629,8 +2629,8 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c int diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c ---- openssh-5.6p1/sshd.c.gsskex 2010-11-02 22:23:49.000000000 +0100 -+++ openssh-5.6p1/sshd.c 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/sshd.c.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/sshd.c 2011-01-24 23:51:09.000000000 +0100 @@ -130,6 +130,10 @@ int allow_severity; int deny_severity; #endif /* LIBWRAP */ @@ -2642,7 +2642,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -1602,10 +1606,13 @@ main(int ac, char **av) +@@ -1603,10 +1607,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -2656,7 +2656,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -1938,6 +1945,60 @@ main(int ac, char **av) +@@ -1939,6 +1946,60 @@ main(int ac, char **av) /* Log the connection. */ verbose("Connection from %.500s port %d", remote_ip, remote_port); @@ -2717,7 +2717,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2329,12 +2390,61 @@ do_ssh2_kex(void) +@@ -2335,12 +2396,61 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); @@ -2780,8 +2780,8 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5 ---- openssh-5.6p1/sshd_config.5.gsskex 2010-11-02 22:23:47.000000000 +0100 -+++ openssh-5.6p1/sshd_config.5 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/sshd_config.5.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/sshd_config.5 2011-01-24 23:51:09.000000000 +0100 @@ -424,12 +424,40 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2824,8 +2824,8 @@ diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5 Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config ---- openssh-5.6p1/sshd_config.gsskex 2010-11-02 22:23:47.000000000 +0100 -+++ openssh-5.6p1/sshd_config 2010-11-02 22:23:50.000000000 +0100 +--- openssh-5.6p1/sshd_config.gsskex 2011-01-24 23:51:08.000000000 +0100 ++++ openssh-5.6p1/sshd_config 2011-01-24 23:51:09.000000000 +0100 @@ -78,6 +78,8 @@ ChallengeResponseAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes @@ -2837,7 +2837,7 @@ diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config # and session processing. If this is enabled, PAM authentication will diff -up openssh-5.6p1/ssh-gss.h.gsskex openssh-5.6p1/ssh-gss.h --- openssh-5.6p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 -+++ openssh-5.6p1/ssh-gss.h 2010-11-02 22:23:50.000000000 +0100 ++++ openssh-5.6p1/ssh-gss.h 2011-01-24 23:51:09.000000000 +0100 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* diff --git a/openssh.spec b/openssh.spec index 1aacf9e..f294bca 100644 --- a/openssh.spec +++ b/openssh.spec @@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.6p1 -%define openssh_rel 24 +%define openssh_rel 25 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 29 @@ -603,6 +603,9 @@ fi %endif %changelog +* Tue Jan 25 2011 Jan F. Chadima - 5.6p1-25 + 0.9.2-29 +- clean the data structures before exit net process + * Mon Jan 17 2011 Jan F. Chadima - 5.6p1-24 + 0.9.2-29 - make audit compatible with the fips mode