diff --git a/openssh-5.5p1-kuserok.patch b/openssh-5.5p1-kuserok.patch new file mode 100644 index 0000000..a43cb39 --- /dev/null +++ b/openssh-5.5p1-kuserok.patch @@ -0,0 +1,132 @@ +diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c +--- openssh-5.5p1/auth-krb5.c.kuserok 2010-06-08 11:40:10.000000000 +0200 ++++ openssh-5.5p1/auth-krb5.c 2010-06-08 11:40:11.000000000 +0200 +@@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c + if (problem) + goto out; + +- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { +- problem = -1; +- goto out; ++ if (options.use_kuserok) { ++ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { ++ problem = -1; ++ goto out; ++ } + } + + problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); +diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c +--- openssh-5.5p1/servconf.c.kuserok 2010-06-08 11:40:10.000000000 +0200 ++++ openssh-5.5p1/servconf.c 2010-06-08 11:46:20.000000000 +0200 +@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions + options->zero_knowledge_password_authentication = -1; + options->revoked_keys_file = NULL; + options->trusted_user_ca_keys = NULL; ++ options->use_kuserok = -1; + } + + void +@@ -285,6 +286,8 @@ fill_default_server_options(ServerOption + if (use_privsep == -1) + use_privsep = 1; + ++ if (options->use_kuserok == -1) ++ options->use_kuserok = 1; + #ifndef HAVE_MMAP + if (use_privsep && options->compression == 1) { + error("This platform does not support both privilege " +@@ -306,7 +309,7 @@ typedef enum { + sPermitRootLogin, sLogFacility, sLogLevel, + sRhostsRSAAuthentication, sRSAAuthentication, + sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, +- sKerberosGetAFSToken, ++ sKerberosGetAFSToken, sKerberosUseKuserok, + sKerberosTgtPassing, sChallengeResponseAuthentication, + sPasswordAuthentication, sKbdInteractiveAuthentication, + sListenAddress, sAddressFamily, +@@ -376,11 +379,13 @@ static struct { + #else + { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, + #endif ++ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL }, + #else + { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, + { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, ++ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL }, + #endif + { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, + { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, +@@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions + *activep = value; + break; + ++ case sKerberosUseKuserok: ++ intptr = &options->use_kuserok; ++ goto parse_flag; ++ + case sPermitOpen: + arg = strdelim(&cp); + if (!arg || *arg == '\0') +@@ -1517,6 +1526,7 @@ copy_set_server_options(ServerOptions *d + M_CP_INTOPT(x11_use_localhost); + M_CP_INTOPT(max_sessions); + M_CP_INTOPT(max_authtries); ++ M_CP_INTOPT(use_kuserok); + + M_CP_STROPT(banner); + if (preauth) +@@ -1734,6 +1744,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sUseDNS, o->use_dns); + dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); + dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); ++ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); + + /* string arguments */ + dump_cfg_string(sPidFile, o->pid_file); +diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h +--- openssh-5.5p1/servconf.h.kuserok 2010-06-08 11:40:10.000000000 +0200 ++++ openssh-5.5p1/servconf.h 2010-06-08 11:40:11.000000000 +0200 +@@ -157,6 +157,7 @@ typedef struct { + + int num_permitted_opens; + ++ int use_kuserok; + char *chroot_directory; + char *revoked_keys_file; + char *trusted_user_ca_keys; +diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5 +--- openssh-5.5p1/sshd_config.5.kuserok 2010-06-08 11:40:10.000000000 +0200 ++++ openssh-5.5p1/sshd_config.5 2010-06-08 11:40:11.000000000 +0200 +@@ -519,6 +519,10 @@ Specifies whether to automatically destr + file on logout. + The default is + .Dq yes . ++.It Cm KerberosUseKuserok ++Specifies whether to look at .k5login file for user's aliases. ++The default is ++.Dq yes . + .It Cm KeyRegenerationInterval + In protocol version 1, the ephemeral server key is automatically regenerated + after this many seconds (if it has been used). +@@ -644,6 +648,7 @@ Available keywords are + .Cm HostbasedAuthentication , + .Cm KbdInteractiveAuthentication , + .Cm KerberosAuthentication , ++.Cm KerberosUseKuserok , + .Cm MaxAuthTries , + .Cm MaxSessions , + .Cm PasswordAuthentication , +diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config +--- openssh-5.5p1/sshd_config.kuserok 2010-06-08 11:40:10.000000000 +0200 ++++ openssh-5.5p1/sshd_config 2010-06-08 11:40:11.000000000 +0200 +@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no + #KerberosOrLocalPasswd yes + #KerberosTicketCleanup yes + #KerberosGetAFSToken no ++#KerberosUseKuserok yes + + # GSSAPI options + #GSSAPIAuthentication no diff --git a/openssh.spec b/openssh.spec index 6031a38..5970f29 100644 --- a/openssh.spec +++ b/openssh.spec @@ -70,7 +70,7 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%define openssh_rel 12 +%define openssh_rel 13 %define openssh_ver 5.5p1 %define pam_ssh_agent_rel 26 %define pam_ssh_agent_ver 0.9.2 @@ -130,6 +130,7 @@ Patch74: openssh-5.3p1-randclean.patch Patch76: openssh-5.5p1-staterr.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1750 Patch77: openssh-5.5p1-stderr.patch +Patch78: openssh-5.5p1-kuserok.patch License: BSD Group: Applications/Internet @@ -301,6 +302,7 @@ popd %patch74 -p1 -b .randclean %patch76 -p1 -b .staterr %patch77 -p1 -b .stderr +%patch78 -p1 -b .kuserok autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -582,6 +584,9 @@ fi %endif %changelog +* Tue Jun 8 2010 Jan F. Chadima - 5.5p1-13 + 0.9.2-26 +- add option to switch out krb5_kuserok + * Fri May 21 2010 Jan F. Chadima - 5.5p1-12 + 0.9.2-26 - synchronize uid and gid for the user sshd