From 7eedf13e932b25c1aaa8c044c11dce556ee7e8bf Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Thu, 20 Aug 2015 12:12:57 +0200 Subject: [PATCH] rebase gssKex patch to 6.9 --- openssh-6.7p1-fips.patch | 110 +++++++++++----------- openssh-6.9p1-gssKexAlgorithms.patch | 132 +++++++++++++-------------- 2 files changed, 122 insertions(+), 120 deletions(-) diff --git a/openssh-6.7p1-fips.patch b/openssh-6.7p1-fips.patch index bd43f1c..6dabbdf 100644 --- a/openssh-6.7p1-fips.patch +++ b/openssh-6.7p1-fips.patch @@ -1,6 +1,6 @@ -diff -up openssh/cipher.c.fips openssh/cipher.c ---- openssh/cipher.c.fips 2015-06-24 12:00:58.730242500 +0200 -+++ openssh/cipher.c 2015-06-24 12:00:58.737242482 +0200 +diff -up openssh-6.9p1/cipher.c.fips openssh-6.9p1/cipher.c +--- openssh-6.9p1/cipher.c.fips 2015-08-20 11:57:44.962287011 +0200 ++++ openssh-6.9p1/cipher.c 2015-08-20 11:57:44.968286988 +0200 @@ -39,6 +39,8 @@ #include @@ -73,9 +73,9 @@ diff -up openssh/cipher.c.fips openssh/cipher.c if (strcasecmp(c->name, name) == 0) return c->number; return -1; -diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c ---- openssh/cipher-ctr.c.fips 2015-06-24 12:00:58.669242656 +0200 -+++ openssh/cipher-ctr.c 2015-06-24 12:00:58.736242484 +0200 +diff -up openssh-6.9p1/cipher-ctr.c.fips openssh-6.9p1/cipher-ctr.c +--- openssh-6.9p1/cipher-ctr.c.fips 2015-08-20 11:57:44.894287276 +0200 ++++ openssh-6.9p1/cipher-ctr.c 2015-08-20 11:57:44.969286984 +0200 @@ -179,7 +179,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP @@ -86,9 +86,9 @@ diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c #endif return (&aes_ctr); } -diff -up openssh/dh.h.fips openssh/dh.h ---- openssh/dh.h.fips 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/dh.h 2015-06-24 12:00:58.737242482 +0200 +diff -up openssh-6.9p1/dh.h.fips openssh-6.9p1/dh.h +--- openssh-6.9p1/dh.h.fips 2015-07-01 04:35:31.000000000 +0200 ++++ openssh-6.9p1/dh.h 2015-08-20 11:57:44.969286984 +0200 
@@ -46,6 +46,7 @@ u_int dh_estimate(int); /* Min and max values from RFC4419. */ @@ -97,9 +97,9 @@ diff -up openssh/dh.h.fips openssh/dh.h #define DH_GRP_MAX 8192 /* -diff -up openssh/entropy.c.fips openssh/entropy.c ---- openssh/entropy.c.fips 2015-06-24 12:00:58.662242674 +0200 -+++ openssh/entropy.c 2015-06-24 12:00:58.737242482 +0200 +diff -up openssh-6.9p1/entropy.c.fips openssh-6.9p1/entropy.c +--- openssh-6.9p1/entropy.c.fips 2015-08-20 11:57:44.887287304 +0200 ++++ openssh-6.9p1/entropy.c 2015-08-20 11:57:44.969286984 +0200 @@ -217,6 +217,9 @@ seed_rng(void) fatal("OpenSSL version mismatch. Built against %lx, you " "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); @@ -110,9 +110,9 @@ diff -up openssh/entropy.c.fips openssh/entropy.c #ifndef OPENSSL_PRNG_ONLY if (RAND_status() == 1) { debug3("RNG is ready, skipping seeding"); -diff -up openssh/kex.c.fips openssh/kex.c ---- openssh/kex.c.fips 2015-06-24 12:00:58.730242500 +0200 -+++ openssh/kex.c 2015-06-24 12:00:58.737242482 +0200 +diff -up openssh-6.9p1/kex.c.fips openssh-6.9p1/kex.c +--- openssh-6.9p1/kex.c.fips 2015-08-20 11:57:44.963287007 +0200 ++++ openssh-6.9p1/kex.c 2015-08-20 11:57:44.969286984 +0200 @@ -35,6 +35,7 @@ #ifdef WITH_OPENSSL @@ -168,9 +168,9 @@ diff -up openssh/kex.c.fips openssh/kex.c free(s); return 0; } -diff -up openssh/kexgexc.c.fips openssh/kexgexc.c ---- openssh/kexgexc.c.fips 2015-06-24 12:00:58.737242482 +0200 -+++ openssh/kexgexc.c 2015-06-24 12:02:26.996015709 +0200 +diff -up openssh-6.9p1/kexgexc.c.fips openssh-6.9p1/kexgexc.c +--- openssh-6.9p1/kexgexc.c.fips 2015-07-01 04:35:31.000000000 +0200 ++++ openssh-6.9p1/kexgexc.c 2015-08-20 11:57:44.969286984 +0200 @@ -28,6 +28,7 @@ #ifdef WITH_OPENSSL 
@@ -188,9 +188,9 @@ diff -up openssh/kexgexc.c.fips openssh/kexgexc.c kex->max = DH_GRP_MAX; kex->nbits = nbits; if (datafellows & SSH_BUG_DHGEX_LARGE) -diff -up openssh/kexgexs.c.fips openssh/kexgexs.c ---- openssh/kexgexs.c.fips 2015-06-24 12:00:58.738242479 +0200 -+++ openssh/kexgexs.c 2015-06-24 13:48:23.735320199 +0200 +diff -up openssh-6.9p1/kexgexs.c.fips openssh-6.9p1/kexgexs.c +--- openssh-6.9p1/kexgexs.c.fips 2015-07-01 04:35:31.000000000 +0200 ++++ openssh-6.9p1/kexgexs.c 2015-08-20 11:57:44.970286980 +0200 @@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int (r = sshpkt_get_end(ssh)) != 0) goto out; @@ -206,9 +206,9 @@ diff -up openssh/kexgexs.c.fips openssh/kexgexs.c nbits = MIN(DH_GRP_MAX, nbits); if (kex->max < kex->min || kex->nbits < kex->min || -diff -up openssh/mac.c.fips openssh/mac.c ---- openssh/mac.c.fips 2015-06-24 12:00:58.731242497 +0200 -+++ openssh/mac.c 2015-06-24 12:00:58.738242479 +0200 +diff -up openssh-6.9p1/mac.c.fips openssh-6.9p1/mac.c +--- openssh-6.9p1/mac.c.fips 2015-08-20 11:57:44.963287007 +0200 ++++ openssh-6.9p1/mac.c 2015-08-20 11:57:44.970286980 +0200 @@ -27,6 +27,8 @@ #include @@ -270,9 +270,9 @@ diff -up openssh/mac.c.fips openssh/mac.c if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -diff -up openssh/Makefile.in.fips openssh/Makefile.in ---- openssh/Makefile.in.fips 2015-06-24 12:00:58.731242497 +0200 -+++ openssh/Makefile.in 2015-06-24 12:00:58.736242484 +0200 +diff -up openssh-6.9p1/Makefile.in.fips openssh-6.9p1/Makefile.in +--- openssh-6.9p1/Makefile.in.fips 2015-08-20 11:57:44.963287007 +0200 ++++ openssh-6.9p1/Makefile.in 2015-08-20 11:57:44.970286980 +0200 @@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ 
@@ -314,9 +314,9 @@ diff -up openssh/Makefile.in.fips openssh/Makefile.in sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh/myproposal.h.fips openssh/myproposal.h ---- openssh/myproposal.h.fips 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/myproposal.h 2015-06-24 12:00:58.738242479 +0200 +diff -up openssh-6.9p1/myproposal.h.fips openssh-6.9p1/myproposal.h +--- openssh-6.9p1/myproposal.h.fips 2015-07-01 04:35:31.000000000 +0200 ++++ openssh-6.9p1/myproposal.h 2015-08-20 11:57:44.971286976 +0200 @@ -143,6 +143,28 @@ "hmac-sha1-96," \ "hmac-md5-96" @@ -346,10 +346,10 @@ diff -up openssh/myproposal.h.fips openssh/myproposal.h #else #define KEX_SERVER_KEX \ -diff -up openssh/servconf.c.fips openssh/servconf.c ---- openssh/servconf.c.fips 2015-06-24 12:00:58.726242510 +0200 -+++ openssh/servconf.c 2015-06-24 13:49:40.164085648 +0200 -@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o) +diff -up openssh-6.9p1/servconf.c.fips openssh-6.9p1/servconf.c +--- openssh-6.9p1/servconf.c.fips 2015-08-20 11:57:44.958287027 +0200 ++++ openssh-6.9p1/servconf.c 2015-08-20 11:57:44.971286976 +0200 +@@ -2338,8 +2338,10 @@ dump_config(ServerOptions *o) /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sXAuthLocation, o->xauth_location); 
@@ -362,7 +362,7 @@ diff -up openssh/servconf.c.fips openssh/servconf.c dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none"); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); -@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o) +@@ -2354,8 +2356,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); dump_cfg_string(sHostKeyAgent, o->host_key_agent); @@ -373,9 +373,9 @@ diff -up openssh/servconf.c.fips openssh/servconf.c dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? o->hostbased_key_types : KEX_DEFAULT_PK_ALG); dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? -diff -up openssh/ssh.c.fips openssh/ssh.c ---- openssh/ssh.c.fips 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/ssh.c 2015-06-24 12:00:58.738242479 +0200 +diff -up openssh-6.9p1/ssh.c.fips openssh-6.9p1/ssh.c +--- openssh-6.9p1/ssh.c.fips 2015-07-01 04:35:31.000000000 +0200 ++++ openssh-6.9p1/ssh.c 2015-08-20 11:57:44.972286972 +0200 @@ -75,6 +75,8 @@ #include #include @@ -442,10 +442,10 @@ diff -up openssh/ssh.c.fips openssh/ssh.c /* Open a connection to the remote host. */ if (ssh_connect(host, addrs, &hostaddr, options.port, options.address_family, options.connection_attempts, -diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c ---- openssh/sshconnect2.c.fips 2015-06-24 12:00:58.698242582 +0200 -+++ openssh/sshconnect2.c 2015-06-24 12:00:58.739242477 +0200 -@@ -46,6 +46,8 @@ +diff -up openssh-6.9p1/sshconnect2.c.fips openssh-6.9p1/sshconnect2.c +--- openssh-6.9p1/sshconnect2.c.fips 2015-08-20 11:57:44.959287023 +0200 ++++ openssh-6.9p1/sshconnect2.c 2015-08-20 12:00:06.049736762 +0200 +@@ -44,6 +44,8 @@ #include #endif 
@@ -454,7 +454,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -170,21 +172,26 @@ ssh_kex2(char *host, struct sockaddr *ho #ifdef GSSAPI if (options.gss_keyex) { @@ -467,7 +467,8 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c - else - gss_host = host; - -- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); +- gss = ssh_gssapi_client_mechanisms(gss_host, +- options.gss_client_identity, options.gss_kex_algorithms); - if (gss) { - debug("Offering GSSAPI proposal: %s", gss); - xasprintf(&myproposal[PROPOSAL_KEX_ALGS], @@ -485,7 +486,8 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c + else + gss_host = host; + -+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); ++ gss = ssh_gssapi_client_mechanisms(gss_host, ++ options.gss_client_identity, options.gss_kex_algorithms); + if (gss) { + debug("Offering GSSAPI proposal: %s", gss); + xasprintf(&myproposal[PROPOSAL_KEX_ALGS], @@ -494,7 +496,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c } } #endif -@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -505,7 +507,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; 
@@ -517,7 +519,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(options.hostkeyalgorithms); -@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *ho } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; @@ -530,9 +532,9 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c #ifdef GSSAPI /* If we've got GSSAPI algorithms, then we also support the * 'null' hostkey, as a last resort */ -diff -up openssh/sshd.c.fips openssh/sshd.c ---- openssh/sshd.c.fips 2015-06-24 12:00:58.734242489 +0200 -+++ openssh/sshd.c 2015-06-24 12:00:58.739242477 +0200 +diff -up openssh-6.9p1/sshd.c.fips openssh-6.9p1/sshd.c +--- openssh-6.9p1/sshd.c.fips 2015-08-20 11:57:44.966286996 +0200 ++++ openssh-6.9p1/sshd.c 2015-08-20 11:57:44.973286968 +0200 @@ -66,6 +66,7 @@ #include #include @@ -648,9 +650,9 @@ diff -up openssh/sshd.c.fips openssh/sshd.c if (gss && orig) xasprintf(&newstr, "%s,%s", gss, orig); -diff -up openssh/sshkey.c.fips openssh/sshkey.c ---- openssh/sshkey.c.fips 2015-06-24 12:00:58.735242487 +0200 -+++ openssh/sshkey.c 2015-06-24 12:00:58.740242474 +0200 +diff -up openssh-6.9p1/sshkey.c.fips openssh-6.9p1/sshkey.c +--- openssh-6.9p1/sshkey.c.fips 2015-08-20 11:57:44.967286992 +0200 ++++ openssh-6.9p1/sshkey.c 2015-08-20 11:57:44.974286964 +0200 @@ -35,6 +35,7 @@ #include #include diff --git a/openssh-6.9p1-gssKexAlgorithms.patch b/openssh-6.9p1-gssKexAlgorithms.patch index b7cf20b..487ea37 100644 --- a/openssh-6.9p1-gssKexAlgorithms.patch +++ b/openssh-6.9p1-gssKexAlgorithms.patch 
@@ -1,6 +1,6 @@ -diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c ---- openssh-7.0p1/gss-genr.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200 -+++ openssh-7.0p1/gss-genr.c 2015-08-19 12:28:38.078518839 +0200 +diff -up openssh-6.9p1/gss-genr.c.gsskexalg openssh-6.9p1/gss-genr.c +--- openssh-6.9p1/gss-genr.c.gsskexalg 2015-08-20 11:54:50.468693843 +0200 ++++ openssh-6.9p1/gss-genr.c 2015-08-20 11:54:50.525693732 +0200 @@ -78,7 +78,8 @@ ssh_gssapi_oid_table_ok() { */ @@ -79,9 +79,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c gss_enc2oid[oidpos].oid = NULL; gss_enc2oid[oidpos].encoded = NULL; -diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c ---- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200 -+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200 +diff -up openssh-6.9p1/gss-serv.c.gsskexalg openssh-6.9p1/gss-serv.c +--- openssh-6.9p1/gss-serv.c.gsskexalg 2015-08-20 11:54:50.468693843 +0200 ++++ openssh-6.9p1/gss-serv.c 2015-08-20 11:54:50.525693732 +0200 @@ -150,7 +150,7 @@ ssh_gssapi_server_mechanisms() { ssh_gssapi_supported_oids(&supported); @@ -91,11 +91,11 @@ diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c } /* Unprivileged */ -diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c ---- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200 -+++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200 -@@ -232,6 +232,29 @@ kex_assemble_names(const char *def, char - return 0; +diff -up openssh-6.9p1/kex.c.gsskexalg openssh-6.9p1/kex.c +--- openssh-6.9p1/kex.c.gsskexalg 2015-08-20 11:54:50.526693730 +0200 ++++ openssh-6.9p1/kex.c 2015-08-20 11:56:10.413537466 +0200 +@@ -170,6 +170,29 @@ kex_names_valid(const char *names) + return 1; } +/* Validate GSS KEX method name list */ 
@@ -124,20 +124,20 @@ diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c /* put algorithm proposal into buffer */ int kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) -diff -up openssh-7.0p1/kex.h.gsskexalg openssh-7.0p1/kex.h ---- openssh-7.0p1/kex.h.gsskexalg 2015-08-19 12:28:38.078518839 +0200 -+++ openssh-7.0p1/kex.h 2015-08-19 12:30:52.404218958 +0200 -@@ -173,6 +173,7 @@ int kex_names_valid(const char *); - char *kex_alg_list(char); - char *kex_names_cat(const char *, const char *); - int kex_assemble_names(const char *, char **); +diff -up openssh-6.9p1/kex.h.gsskexalg openssh-6.9p1/kex.h +--- openssh-6.9p1/kex.h.gsskexalg 2015-08-20 11:54:50.526693730 +0200 ++++ openssh-6.9p1/kex.h 2015-08-20 11:56:28.588501914 +0200 +@@ -169,6 +169,7 @@ struct kex { + }; + + int kex_names_valid(const char *); +int gss_kex_names_valid(const char *); + char *kex_alg_list(char); int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **); - int kex_setup(struct ssh *, char *[PROPOSAL_MAX]); -diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c ---- openssh-7.0p1/readconf.c.gsskexalg 2015-08-19 12:28:38.026518955 +0200 -+++ openssh-7.0p1/readconf.c 2015-08-19 12:31:28.333138747 +0200 +diff -up openssh-6.9p1/readconf.c.gsskexalg openssh-6.9p1/readconf.c +--- openssh-6.9p1/readconf.c.gsskexalg 2015-08-20 11:54:50.523693736 +0200 ++++ openssh-6.9p1/readconf.c 2015-08-20 11:54:50.527693728 +0200 @@ -61,6 +61,7 @@ #include "uidswap.h" #include "myproposal.h" @@ -155,7 +155,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -200,6 +201,7 @@ static struct { +@@ -199,6 +200,7 @@ static struct { { "gssapiclientidentity", oGssClientIdentity }, { "gssapiserveridentity", oGssServerIdentity }, { "gssapirenewalforcesrekey", oGssRenewalRekey }, 
@@ -163,7 +163,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c #else { "gssapiauthentication", oUnsupported }, { "gssapikeyexchange", oUnsupported }, -@@ -207,6 +209,7 @@ static struct { +@@ -206,6 +208,7 @@ static struct { { "gssapitrustdns", oUnsupported }, { "gssapiclientidentity", oUnsupported }, { "gssapirenewalforcesrekey", oUnsupported }, @@ -171,7 +171,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -929,6 +932,18 @@ parse_time: +@@ -927,6 +930,18 @@ parse_time: intptr = &options->gss_renewal_rekey; goto parse_flag; @@ -190,7 +190,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1638,6 +1653,7 @@ initialize_options(Options * options) +@@ -1640,6 +1655,7 @@ initialize_options(Options * options) options->gss_renewal_rekey = -1; options->gss_client_identity = NULL; options->gss_server_identity = NULL; @@ -198,7 +198,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1773,6 +1789,8 @@ fill_default_options(Options * options) +@@ -1774,6 +1790,8 @@ fill_default_options(Options * options) options->gss_trust_dns = 0; if (options->gss_renewal_rekey == -1) options->gss_renewal_rekey = 0; 
@@ -207,10 +207,10 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h ---- openssh-7.0p1/readconf.h.gsskexalg 2015-08-19 12:28:38.026518955 +0200 -+++ openssh-7.0p1/readconf.h 2015-08-19 12:28:38.079518836 +0200 -@@ -51,6 +51,7 @@ typedef struct { +diff -up openssh-6.9p1/readconf.h.gsskexalg openssh-6.9p1/readconf.h +--- openssh-6.9p1/readconf.h.gsskexalg 2015-08-20 11:54:50.523693736 +0200 ++++ openssh-6.9p1/readconf.h 2015-08-20 11:54:50.527693728 +0200 +@@ -52,6 +52,7 @@ typedef struct { int gss_renewal_rekey; /* Credential renewal forces rekey */ char *gss_client_identity; /* Principal to initiate GSSAPI with */ char *gss_server_identity; /* GSSAPI target principal */ @@ -218,10 +218,10 @@ diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c ---- openssh-7.0p1/servconf.c.gsskexalg 2015-08-19 12:28:38.074518847 +0200 -+++ openssh-7.0p1/servconf.c 2015-08-19 12:33:13.599902732 +0200 -@@ -57,6 +57,7 @@ +diff -up openssh-6.9p1/servconf.c.gsskexalg openssh-6.9p1/servconf.c +--- openssh-6.9p1/servconf.c.gsskexalg 2015-08-20 11:54:50.515693751 +0200 ++++ openssh-6.9p1/servconf.c 2015-08-20 11:57:16.443398237 +0200 +@@ -56,6 +56,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" 
@@ -229,7 +229,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); -@@ -121,6 +122,7 @@ initialize_server_options(ServerOptions +@@ -119,6 +120,7 @@ initialize_server_options(ServerOptions options->gss_cleanup_creds = -1; options->gss_strict_acceptor = -1; options->gss_store_rekey = -1; @@ -246,8 +246,8 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -427,7 +431,7 @@ typedef enum { - sHostKeyAlgorithms, +@@ -416,7 +420,7 @@ typedef enum { + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, - sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, @@ -255,7 +255,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, -@@ -506,6 +510,7 @@ static struct { +@@ -494,6 +498,7 @@ static struct { { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL }, @@ -263,7 +263,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c #else { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, -@@ -513,6 +518,7 @@ static struct { +@@ -501,6 +506,7 @@ static struct { { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, { "gssapienablek5users", sUnsupported, SSHCFG_ALL }, 
@@ -271,7 +271,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c #endif { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, -@@ -1273,6 +1279,18 @@ process_server_config_line(ServerOptions +@@ -1256,6 +1262,18 @@ process_server_config_line(ServerOptions intptr = &options->gss_store_rekey; goto parse_flag; @@ -290,7 +290,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2304,6 +2322,7 @@ dump_config(ServerOptions *o) +@@ -2287,6 +2305,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); @@ -298,10 +298,10 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c #endif dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, -diff -up openssh-7.0p1/servconf.h.gsskexalg openssh-7.0p1/servconf.h ---- openssh-7.0p1/servconf.h.gsskexalg 2015-08-19 12:28:38.080518834 +0200 -+++ openssh-7.0p1/servconf.h 2015-08-19 12:34:46.328693944 +0200 -@@ -122,6 +122,7 @@ typedef struct { +diff -up openssh-6.9p1/servconf.h.gsskexalg openssh-6.9p1/servconf.h +--- openssh-6.9p1/servconf.h.gsskexalg 2015-08-20 11:54:50.501693779 +0200 ++++ openssh-6.9p1/servconf.h 2015-08-20 11:54:50.528693726 +0200 +@@ -121,6 +121,7 @@ typedef struct { int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ int gss_store_rekey; 
@@ -309,10 +309,10 @@ diff -up openssh-7.0p1/servconf.h.gsskexalg openssh-7.0p1/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh-7.0p1/ssh.1.gsskexalg openssh-7.0p1/ssh.1 ---- openssh-7.0p1/ssh.1.gsskexalg 2015-08-19 12:28:38.081518832 +0200 -+++ openssh-7.0p1/ssh.1 2015-08-19 12:35:31.741591692 +0200 -@@ -496,6 +496,7 @@ For full details of the options listed b +diff -up openssh-6.9p1/ssh.1.gsskexalg openssh-6.9p1/ssh.1 +--- openssh-6.9p1/ssh.1.gsskexalg 2015-08-20 11:54:50.505693771 +0200 ++++ openssh-6.9p1/ssh.1 2015-08-20 11:54:50.528693726 +0200 +@@ -446,6 +446,7 @@ For full details of the options listed b .It GSSAPIDelegateCredentials .It GSSAPIRenewalForcesRekey .It GSSAPITrustDNS @@ -320,10 +320,10 @@ diff -up openssh-7.0p1/ssh.1.gsskexalg openssh-7.0p1/ssh.1 .It HashKnownHosts .It Host .It HostbasedAuthentication -diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5 ---- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200 -+++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200 -@@ -786,6 +786,18 @@ command line will be passed untouched to +diff -up openssh-6.9p1/ssh_config.5.gsskexalg openssh-6.9p1/ssh_config.5 +--- openssh-6.9p1/ssh_config.5.gsskexalg 2015-08-20 11:54:50.523693736 +0200 ++++ openssh-6.9p1/ssh_config.5 2015-08-20 11:54:50.528693726 +0200 +@@ -781,6 +781,18 @@ command line will be passed untouched to The default is .Dq no . This option only applies to protocol version 2 connections using GSSAPI. 
@@ -342,9 +342,9 @@ diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c ---- openssh-7.0p1/sshconnect2.c.gsskexalg 2015-08-19 12:28:38.045518912 +0200 -+++ openssh-7.0p1/sshconnect2.c 2015-08-19 12:28:38.081518832 +0200 +diff -up openssh-6.9p1/sshconnect2.c.gsskexalg openssh-6.9p1/sshconnect2.c +--- openssh-6.9p1/sshconnect2.c.gsskexalg 2015-08-20 11:54:50.523693736 +0200 ++++ openssh-6.9p1/sshconnect2.c 2015-08-20 11:54:50.529693724 +0200 @@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho else gss_host = host; @@ -355,10 +355,10 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c if (gss) { debug("Offering GSSAPI proposal: %s", gss); xasprintf(&myproposal[PROPOSAL_KEX_ALGS], -diff -up openssh-7.0p1/sshd_config.5.gsskexalg openssh-7.0p1/sshd_config.5 ---- openssh-7.0p1/sshd_config.5.gsskexalg 2015-08-19 12:28:38.082518830 +0200 -+++ openssh-7.0p1/sshd_config.5 2015-08-19 12:36:25.121471501 +0200 -@@ -659,6 +659,18 @@ Controls whether the user's GSSAPI crede +diff -up openssh-6.9p1/sshd_config.5.gsskexalg openssh-6.9p1/sshd_config.5 +--- openssh-6.9p1/sshd_config.5.gsskexalg 2015-08-20 11:54:50.517693747 +0200 ++++ openssh-6.9p1/sshd_config.5 2015-08-20 11:54:50.529693724 +0200 +@@ -654,6 +654,18 @@ Controls whether the user's GSSAPI crede successful connection rekeying. This option can be used to accepted renewed or updated credentials from a compatible client. The default is .Dq no . 
@@ -377,22 +377,22 @@ diff -up openssh-7.0p1/sshd_config.5.gsskexalg openssh-7.0p1/sshd_config.5 .It Cm HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased authentication as a comma-separated pattern list. -diff -up openssh-7.0p1/ssh-gss.h.gsskexalg openssh-7.0p1/ssh-gss.h ---- openssh-7.0p1/ssh-gss.h.gsskexalg 2015-08-19 12:28:38.031518944 +0200 -+++ openssh-7.0p1/ssh-gss.h 2015-08-19 12:28:38.081518832 +0200 +diff -up openssh-6.9p1/ssh-gss.h.gsskexalg openssh-6.9p1/ssh-gss.h +--- openssh-6.9p1/ssh-gss.h.gsskexalg 2015-08-20 11:54:50.475693830 +0200 ++++ openssh-6.9p1/ssh-gss.h 2015-08-20 11:54:50.529693724 +0200 @@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds; #define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-" #define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-" +#define GSS_KEX_DEFAULT_KEX \ + KEX_GSS_GEX_SHA1_ID "," \ -+ KEX_GSS_GRP1_SHA1_ID "," ++ KEX_GSS_GRP1_SHA1_ID "," \ + KEX_GSS_GRP14_SHA1_ID + typedef struct { char *filename; char *envvar; -@@ -147,9 +151,9 @@ int ssh_gssapi_credentials_updated(Gssct +@@ -147,9 +152,9 @@ int ssh_gssapi_credentials_updated(Gssct /* In the server */ typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, const char *);
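Review bot: With the continuation restored, `GSS_KEX_DEFAULT_KEX` expands to gex, group1, group14 in that order, so `gss-group1-sha1-` (the 1024-bit MODP group 2 exchange of RFC 4462) sits ahead of the 2048-bit group14 method and, if this macro is emitted as the proposal in list order, would be preferred by a peer that does not accept group exchange. Consider ordering the fixed groups as `KEX_GSS_GEX_SHA1_ID "," \`, `KEX_GSS_GRP14_SHA1_ID "," \`, `KEX_GSS_GRP1_SHA1_ID` so the stronger group is chosen first and group1 remains only as an interoperability fallback. A comment above the macro would also help the next rebase, e.g. `/* Default GSS KEX methods, listed in preference order; every entry but the last needs a trailing comma. */`, since the missing backslash this hunk fixes is exactly the kind of slip such a note guards against. Whether the server side consumes the same default (gss-serv.c is touched by this patch, but those lines are outside this hunk) cannot be confirmed from here.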