From 3ae9c1b0c1f4b68c5db96b12cfe7fe34b82bd884 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 14 Nov 2018 09:44:48 +0100
Subject: [PATCH] Dump missing GSS options from client configuration
---
 openssh-7.0p1-gssKexAlgorithms.patch | 17 +++++--
 openssh-7.8p1-gsskex.patch | 68 ++++++++++++++--------------
 2 files changed, 47 insertions(+), 38 deletions(-)
diff --git a/openssh-7.0p1-gssKexAlgorithms.patch b/openssh-7.0p1-gssKexAlgorithms.patch
index 1497049..099c72d 100644
--- a/openssh-7.0p1-gssKexAlgorithms.patch
+++ b/openssh-7.0p1-gssKexAlgorithms.patch
@@ -223,10 +223,19 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
-diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h
---- openssh-7.0p1/readconf.h.gsskexalg 2015-08-19 12:28:38.026518955 +0200
-+++ openssh-7.0p1/readconf.h 2015-08-19 12:28:38.079518836 +0200
-@@ -51,6 +51,7 @@ typedef struct {
+@@ -2651,6 +2671,8 @@ dump_client_config(Options *o, const cha
+ dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
+ dump_cfg_string(oGssServerIdentity, o->gss_client_identity);
+ dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
++ dump_cfg_string(oKexAlgorithms, o->gss_kex_algorithms ?
++ o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
+ #endif /* GSSAPI */
+ dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
+ dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
+diff -up openssh-7.9p1/readconf.h.gsskexalg openssh-7.9p1/readconf.h
+--- openssh-7.9p1/readconf.h.gsskexalg 2018-11-14 09:20:06.616350574 +0100
++++ openssh-7.9p1/readconf.h 2018-11-14 09:20:06.647350828 +0100
+@@ -46,6 +46,7 @@ typedef struct {
 int gss_renewal_rekey; /* Credential renewal forces rekey */
 char *gss_client_identity; /* Principal to initiate GSSAPI with */
 char *gss_server_identity; /* GSSAPI target principal */
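Review bot: The new `dump_cfg_string(oKexAlgorithms, ...)` lines in dump_client_config print the GSSAPIKexAlgorithms value under the KexAlgorithms keyword, so `ssh -G` output gains a second kexalgorithms entry that carries GSS method names while the option it actually reflects is never labelled; anyone feeding that dump back into a config or diffing it against policy gets the wrong picture. It should use the opcode this patch series registers for the GSSAPIKexAlgorithms keyword (oGssKexAlgorithms, if the enum name in the patched readconf.c matches what I recall of the series), i.e. `dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ? o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);`. This hunk also carries `dump_cfg_string(oGssServerIdentity, o->gss_client_identity);` as inner context copied from gsskex.patch; if that line is corrected there, the context here must be updated in lockstep or this patch stops applying. dump_client_config starts and ends outside the hunk.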
diff --git a/openssh-7.8p1-gsskex.patch b/openssh-7.8p1-gsskex.patch
index 2903b69..cba36dc 100644
--- a/openssh-7.8p1-gsskex.patch
+++ b/openssh-7.8p1-gsskex.patch
@@ -2069,9 +2069,22 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
-diff -up openssh/readconf.h.gsskex openssh/readconf.h
---- openssh/readconf.h.gsskex 2018-08-20 07:57:29.000000000 +0200
-+++ openssh/readconf.h 2018-08-22 11:47:33.314216481 +0200
+@@ -2603,7 +2645,12 @@ dump_client_config(Options *o, const cha
+ dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
+ #ifdef GSSAPI
+ dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
++ dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
++ dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
++ dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
++ dump_cfg_string(oGssServerIdentity, o->gss_client_identity);
++ dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
+ #endif /* GSSAPI */
+ dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
+ dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
+diff -up openssh-7.9p1/readconf.h.gsskex openssh-7.9p1/readconf.h
+--- openssh-7.9p1/readconf.h.gsskex 2018-10-17 02:01:20.000000000 +0200
++++ openssh-7.9p1/readconf.h 2018-11-14 09:14:06.277379857 +0100
 @@ -40,7 +40,12 @@ typedef struct {
 int challenge_response_authentication;
 /* Try S/Key or TIS, authentication. */
@@ -2468,7 +2481,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
 fatal("%s: kex_names_cat", __func__);
 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
-@@ -194,6 +337,17 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -194,6 +339,16 @@ ssh_kex2(char *host, struct sockaddr *ho
 order_hostkeyalgs(host, hostaddr, port));
 }
 
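Review bot: The added `dump_cfg_string(oGssServerIdentity, o->gss_client_identity);` in dump_client_config dumps the client principal under the GSSAPIServerIdentity keyword, so `ssh -G` shows the client identity twice and never shows the configured target principal — exactly the value an operator would check when verifying which service principal a host is going to authenticate to. The field to print is `gss_server_identity` (the readconf.h context in the gssKexAlgorithms hunk above shows it as "GSSAPI target principal"): `dump_cfg_string(oGssServerIdentity, o->gss_server_identity);`. The same line is copied as inner context into openssh-7.0p1-gssKexAlgorithms.patch in the hunk above and has to be changed there as well. dump_client_config starts and ends outside the hunk.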
@@ -2479,14 +2492,13 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 + orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 + xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
 + "%s,null", orig);
-+ free(gss);
 + }
 +#endif
 +
 if (options.rekey_limit || options.rekey_interval)
 packet_set_rekey_limits(options.rekey_limit,
 options.rekey_interval);
-@@ -214,11 +368,31 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -214,16 +369,46 @@ ssh_kex2(char *host, struct sockaddr *ho
 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
 # endif
 #endif
@@ -2518,7 +2530,22 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
 /* remove ext-info from the KEX proposals for rekeying */
-@@ -314,6 +488,7 @@ int input_gssapi_token(int type, u_int32
 + myproposal[PROPOSAL_KEX_ALGS] =
 + compat_kex_proposal(options.kex_algorithms);
 ++#ifdef GSSAPI
 ++ /* repair myproposal after it was crumpled by the */
 ++ /* ext-info removal above */
 ++ if (gss) {
 ++ orig = myproposal[PROPOSAL_KEX_ALGS];
 ++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
 ++ "%s,%s", gss, orig);
 ++ free(gss);
 ++ }
 ++#endif
 + if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
 + fatal("kex_prop2buf: %s", ssh_err(r));
 +
+@@ -314,6 +499,7 @@ int input_gssapi_token(int type, u_int32
 int input_gssapi_hash(int type, u_int32_t, struct ssh *);
 int input_gssapi_error(int, u_int32_t, struct ssh *);
 int input_gssapi_errtok(int, u_int32_t, struct ssh *);
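Review bot: The comment on the block added to the rekey proposal in ssh_kex2 (`/* repair myproposal after it was crumpled by the */ /* ext-info removal above */`) does not say what was lost or why `gss` is still live here, which a reader of the first hunk — where `free(gss)` is removed — needs to connect the two; I'd replace it with `/* the rekey proposal above was rebuilt from options.kex_algorithms alone, so put the GSS KEX names back in front; gss is owned here and released once */`. The assignment `xasprintf(&myproposal[PROPOSAL_KEX_ALGS], "%s,%s", gss, orig);` also overwrites the pointer obtained from compat_kex_proposal() without releasing it; whether that string is owned by this function is not visible in the hunk, so worth confirming against compat_kex_proposal before treating it as a per-rekey leak. The deferral of `free(gss)` from the host-key block (hunk at -2479) to this one is what keeps `gss` valid for the repair, so the two hunks must stay together if either is rebased. ssh_kex2 starts and ends outside both hunks.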
@@ -2875,31 +2902,4 @@ diff -up openssh/sshkey.h.gsskex openssh/sshkey.h
 + KEY_NULL,
 KEY_UNSPEC
 };
- 
---- openssh/sshconnect2.c.orig 2017-01-04 19:47:10.000000000 +0100
--+++ openssh/sshconnect2.c 2017-01-05 04:13:08.977425272 +0100
--@@ -344,7 +344,6 @@
-- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
-- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
-- "%s,null", orig);
--- free(gss);
-- }
-- #endif
- 
--@@ -398,6 +397,16 @@
-- /* remove ext-info from the KEX proposals for rekeying */
-- myproposal[PROPOSAL_KEX_ALGS] =
-- compat_kex_proposal(options.kex_algorithms);
--+#ifdef GSSAPI
--+ /* repair myproposal after it was crumpled by the */
--+ /* ext-info removal above */
--+ if (gss) {
--+ orig = myproposal[PROPOSAL_KEX_ALGS];
--+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
--+ "%s,%s", gss, orig);
--+ free(gss);
--+ }
--+#endif
-- if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
-- fatal("kex_prop2buf: %s", ssh_err(r));