rpms/openssh
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Restore gssapi-canohost.patch (#1749862)

Browse Source 
This is useful when connecting through proxyjump in combination with
GSSAPITrustDNS yes, because we can not get remote address of such socket.

https://src.fedoraproject.org/rpms/openssh/blob/f29/f/openssh-6.1p1-gssapi-canohost.patch
This commit is contained in:
Jakub Jelen 2020-03-16 19:26:01 +01:00
parent 3e611d91bb
commit 57ba1bd853
2 changed files with 44 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
openssh-7.7p1-fips.patch
View File

@ -325,7 +325,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
#if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) {
@ -333,12 +333,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
- * client to the key exchange algorithm proposal */
- orig = myproposal[PROPOSAL_KEX_ALGS];
-
- if (options.gss_server_identity)
- if (options.gss_server_identity) {
- gss_host = xstrdup(options.gss_server_identity);
- else if (options.gss_trust_dns)
- } else if (options.gss_trust_dns) {
- gss_host = remote_hostname(ssh);
- else
- /* Fall back to specified host if we are using proxy command
- * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) {
- free(gss_host);
- gss_host = xstrdup(host);
- }
- } else {
- gss_host = xstrdup(host);
- }
-
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
@ -360,12 +367,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ if (options.gss_server_identity)
+ if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns)
+ } else if (options.gss_trust_dns) {
+ gss_host = remote_hostname(ssh);
+ else
+ /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
+ free(gss_host);
+ gss_host = xstrdup(host);
+ }
+ } else {
+ gss_host = xstrdup(host);
+ }
+
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);

32
openssh-8.0p1-gssapi-keyex.patch
View File

@ -3522,7 +3522,7 @@ index af00fb30..03bc87eb 100644
xxx_host = host;
xxx_hostaddr = hostaddr;
@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
compat_pkalg_proposal(options.hostkeyalgorithms);
}
@ -3532,12 +3532,19 @@ index af00fb30..03bc87eb 100644
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ if (options.gss_server_identity)
+ if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns)
+ } else if (options.gss_trust_dns) {
+ gss_host = remote_hostname(ssh);
+ else
+ /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
+ free(gss_host);
+ gss_host = xstrdup(host);
+ }
+ } else {
+ gss_host = xstrdup(host);
+ }
+
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);
@ -3626,18 +3633,25 @@ index af00fb30..03bc87eb 100644
{"gssapi-with-mic",
userauth_gssapi,
userauth_gssapi_cleanup,
@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh)
@@ -716,12 +784,32 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
+ char *gss_host;
+ char *gss_host = NULL;
+
+ if (options.gss_server_identity)
+ if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns)
+ } else if (options.gss_trust_dns) {
+ gss_host = remote_hostname(ssh);
+ else
+ /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
+ free(gss_host);
+ gss_host = xstrdup(authctxt->host);
+ }
+ } else {
+ gss_host = xstrdup(authctxt->host);
+ }
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */