rebase gssKex patch to 6.9
parent
b03894d4b8
commit
7eedf13e93
|
@ -1,6 +1,6 @@
|
||||||
diff -up openssh/cipher.c.fips openssh/cipher.c
|
diff -up openssh-6.9p1/cipher.c.fips openssh-6.9p1/cipher.c
|
||||||
--- openssh/cipher.c.fips 2015-06-24 12:00:58.730242500 +0200
|
--- openssh-6.9p1/cipher.c.fips 2015-08-20 11:57:44.962287011 +0200
|
||||||
+++ openssh/cipher.c 2015-06-24 12:00:58.737242482 +0200
|
+++ openssh-6.9p1/cipher.c 2015-08-20 11:57:44.968286988 +0200
|
||||||
@@ -39,6 +39,8 @@
|
@@ -39,6 +39,8 @@
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
@ -73,9 +73,9 @@ diff -up openssh/cipher.c.fips openssh/cipher.c
|
||||||
if (strcasecmp(c->name, name) == 0)
|
if (strcasecmp(c->name, name) == 0)
|
||||||
return c->number;
|
return c->number;
|
||||||
return -1;
|
return -1;
|
||||||
diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
|
diff -up openssh-6.9p1/cipher-ctr.c.fips openssh-6.9p1/cipher-ctr.c
|
||||||
--- openssh/cipher-ctr.c.fips 2015-06-24 12:00:58.669242656 +0200
|
--- openssh-6.9p1/cipher-ctr.c.fips 2015-08-20 11:57:44.894287276 +0200
|
||||||
+++ openssh/cipher-ctr.c 2015-06-24 12:00:58.736242484 +0200
|
+++ openssh-6.9p1/cipher-ctr.c 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||||
#ifndef SSH_OLD_EVP
|
#ifndef SSH_OLD_EVP
|
||||||
|
@ -86,9 +86,9 @@ diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
|
||||||
#endif
|
#endif
|
||||||
return (&aes_ctr);
|
return (&aes_ctr);
|
||||||
}
|
}
|
||||||
diff -up openssh/dh.h.fips openssh/dh.h
|
diff -up openssh-6.9p1/dh.h.fips openssh-6.9p1/dh.h
|
||||||
--- openssh/dh.h.fips 2015-06-23 02:34:47.000000000 +0200
|
--- openssh-6.9p1/dh.h.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/dh.h 2015-06-24 12:00:58.737242482 +0200
|
+++ openssh-6.9p1/dh.h 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
|
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
|
||||||
|
|
||||||
/* Min and max values from RFC4419. */
|
/* Min and max values from RFC4419. */
|
||||||
|
@ -97,9 +97,9 @@ diff -up openssh/dh.h.fips openssh/dh.h
|
||||||
#define DH_GRP_MAX 8192
|
#define DH_GRP_MAX 8192
|
||||||
|
|
||||||
/*
|
/*
|
||||||
diff -up openssh/entropy.c.fips openssh/entropy.c
|
diff -up openssh-6.9p1/entropy.c.fips openssh-6.9p1/entropy.c
|
||||||
--- openssh/entropy.c.fips 2015-06-24 12:00:58.662242674 +0200
|
--- openssh-6.9p1/entropy.c.fips 2015-08-20 11:57:44.887287304 +0200
|
||||||
+++ openssh/entropy.c 2015-06-24 12:00:58.737242482 +0200
|
+++ openssh-6.9p1/entropy.c 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
@@ -217,6 +217,9 @@ seed_rng(void)
|
||||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||||
|
@ -110,9 +110,9 @@ diff -up openssh/entropy.c.fips openssh/entropy.c
|
||||||
#ifndef OPENSSL_PRNG_ONLY
|
#ifndef OPENSSL_PRNG_ONLY
|
||||||
if (RAND_status() == 1) {
|
if (RAND_status() == 1) {
|
||||||
debug3("RNG is ready, skipping seeding");
|
debug3("RNG is ready, skipping seeding");
|
||||||
diff -up openssh/kex.c.fips openssh/kex.c
|
diff -up openssh-6.9p1/kex.c.fips openssh-6.9p1/kex.c
|
||||||
--- openssh/kex.c.fips 2015-06-24 12:00:58.730242500 +0200
|
--- openssh-6.9p1/kex.c.fips 2015-08-20 11:57:44.963287007 +0200
|
||||||
+++ openssh/kex.c 2015-06-24 12:00:58.737242482 +0200
|
+++ openssh-6.9p1/kex.c 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -35,6 +35,7 @@
|
@@ -35,6 +35,7 @@
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
|
@ -168,9 +168,9 @@ diff -up openssh/kex.c.fips openssh/kex.c
|
||||||
free(s);
|
free(s);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
|
diff -up openssh-6.9p1/kexgexc.c.fips openssh-6.9p1/kexgexc.c
|
||||||
--- openssh/kexgexc.c.fips 2015-06-24 12:00:58.737242482 +0200
|
--- openssh-6.9p1/kexgexc.c.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/kexgexc.c 2015-06-24 12:02:26.996015709 +0200
|
+++ openssh-6.9p1/kexgexc.c 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
|
@ -188,9 +188,9 @@ diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
|
||||||
kex->max = DH_GRP_MAX;
|
kex->max = DH_GRP_MAX;
|
||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||||
diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
|
diff -up openssh-6.9p1/kexgexs.c.fips openssh-6.9p1/kexgexs.c
|
||||||
--- openssh/kexgexs.c.fips 2015-06-24 12:00:58.738242479 +0200
|
--- openssh-6.9p1/kexgexs.c.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/kexgexs.c 2015-06-24 13:48:23.735320199 +0200
|
+++ openssh-6.9p1/kexgexs.c 2015-08-20 11:57:44.970286980 +0200
|
||||||
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
|
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
|
||||||
(r = sshpkt_get_end(ssh)) != 0)
|
(r = sshpkt_get_end(ssh)) != 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
@ -206,9 +206,9 @@ diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
|
||||||
nbits = MIN(DH_GRP_MAX, nbits);
|
nbits = MIN(DH_GRP_MAX, nbits);
|
||||||
|
|
||||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||||
diff -up openssh/mac.c.fips openssh/mac.c
|
diff -up openssh-6.9p1/mac.c.fips openssh-6.9p1/mac.c
|
||||||
--- openssh/mac.c.fips 2015-06-24 12:00:58.731242497 +0200
|
--- openssh-6.9p1/mac.c.fips 2015-08-20 11:57:44.963287007 +0200
|
||||||
+++ openssh/mac.c 2015-06-24 12:00:58.738242479 +0200
|
+++ openssh-6.9p1/mac.c 2015-08-20 11:57:44.970286980 +0200
|
||||||
@@ -27,6 +27,8 @@
|
@@ -27,6 +27,8 @@
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
@ -270,9 +270,9 @@ diff -up openssh/mac.c.fips openssh/mac.c
|
||||||
if (strcmp(name, m->name) != 0)
|
if (strcmp(name, m->name) != 0)
|
||||||
continue;
|
continue;
|
||||||
if (mac != NULL)
|
if (mac != NULL)
|
||||||
diff -up openssh/Makefile.in.fips openssh/Makefile.in
|
diff -up openssh-6.9p1/Makefile.in.fips openssh-6.9p1/Makefile.in
|
||||||
--- openssh/Makefile.in.fips 2015-06-24 12:00:58.731242497 +0200
|
--- openssh-6.9p1/Makefile.in.fips 2015-08-20 11:57:44.963287007 +0200
|
||||||
+++ openssh/Makefile.in 2015-06-24 12:00:58.736242484 +0200
|
+++ openssh-6.9p1/Makefile.in 2015-08-20 11:57:44.970286980 +0200
|
||||||
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||||
$(RANLIB) $@
|
$(RANLIB) $@
|
||||||
|
|
||||||
|
@ -314,9 +314,9 @@ diff -up openssh/Makefile.in.fips openssh/Makefile.in
|
||||||
|
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
diff -up openssh/myproposal.h.fips openssh/myproposal.h
|
diff -up openssh-6.9p1/myproposal.h.fips openssh-6.9p1/myproposal.h
|
||||||
--- openssh/myproposal.h.fips 2015-06-23 02:34:47.000000000 +0200
|
--- openssh-6.9p1/myproposal.h.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/myproposal.h 2015-06-24 12:00:58.738242479 +0200
|
+++ openssh-6.9p1/myproposal.h 2015-08-20 11:57:44.971286976 +0200
|
||||||
@@ -143,6 +143,28 @@
|
@@ -143,6 +143,28 @@
|
||||||
"hmac-sha1-96," \
|
"hmac-sha1-96," \
|
||||||
"hmac-md5-96"
|
"hmac-md5-96"
|
||||||
|
@ -346,10 +346,10 @@ diff -up openssh/myproposal.h.fips openssh/myproposal.h
|
||||||
#else
|
#else
|
||||||
|
|
||||||
#define KEX_SERVER_KEX \
|
#define KEX_SERVER_KEX \
|
||||||
diff -up openssh/servconf.c.fips openssh/servconf.c
|
diff -up openssh-6.9p1/servconf.c.fips openssh-6.9p1/servconf.c
|
||||||
--- openssh/servconf.c.fips 2015-06-24 12:00:58.726242510 +0200
|
--- openssh-6.9p1/servconf.c.fips 2015-08-20 11:57:44.958287027 +0200
|
||||||
+++ openssh/servconf.c 2015-06-24 13:49:40.164085648 +0200
|
+++ openssh-6.9p1/servconf.c 2015-08-20 11:57:44.971286976 +0200
|
||||||
@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o)
|
@@ -2338,8 +2338,10 @@ dump_config(ServerOptions *o)
|
||||||
/* string arguments */
|
/* string arguments */
|
||||||
dump_cfg_string(sPidFile, o->pid_file);
|
dump_cfg_string(sPidFile, o->pid_file);
|
||||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||||
|
@ -362,7 +362,7 @@ diff -up openssh/servconf.c.fips openssh/servconf.c
|
||||||
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||||
@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o)
|
@@ -2354,8 +2356,8 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
|
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
|
||||||
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
|
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
|
||||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||||
|
@ -373,9 +373,9 @@ diff -up openssh/servconf.c.fips openssh/servconf.c
|
||||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||||
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||||
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
||||||
diff -up openssh/ssh.c.fips openssh/ssh.c
|
diff -up openssh-6.9p1/ssh.c.fips openssh-6.9p1/ssh.c
|
||||||
--- openssh/ssh.c.fips 2015-06-23 02:34:47.000000000 +0200
|
--- openssh-6.9p1/ssh.c.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/ssh.c 2015-06-24 12:00:58.738242479 +0200
|
+++ openssh-6.9p1/ssh.c 2015-08-20 11:57:44.972286972 +0200
|
||||||
@@ -75,6 +75,8 @@
|
@@ -75,6 +75,8 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
|
@ -442,10 +442,10 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
|
||||||
/* Open a connection to the remote host. */
|
/* Open a connection to the remote host. */
|
||||||
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
||||||
options.address_family, options.connection_attempts,
|
options.address_family, options.connection_attempts,
|
||||||
diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
diff -up openssh-6.9p1/sshconnect2.c.fips openssh-6.9p1/sshconnect2.c
|
||||||
--- openssh/sshconnect2.c.fips 2015-06-24 12:00:58.698242582 +0200
|
--- openssh-6.9p1/sshconnect2.c.fips 2015-08-20 11:57:44.959287023 +0200
|
||||||
+++ openssh/sshconnect2.c 2015-06-24 12:00:58.739242477 +0200
|
+++ openssh-6.9p1/sshconnect2.c 2015-08-20 12:00:06.049736762 +0200
|
||||||
@@ -46,6 +46,8 @@
|
@@ -44,6 +44,8 @@
|
||||||
#include <vis.h>
|
#include <vis.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -454,7 +454,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -170,21 +172,26 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
if (options.gss_keyex) {
|
if (options.gss_keyex) {
|
||||||
|
@ -467,7 +467,8 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
||||||
- else
|
- else
|
||||||
- gss_host = host;
|
- gss_host = host;
|
||||||
-
|
-
|
||||||
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
- if (gss) {
|
- if (gss) {
|
||||||
- debug("Offering GSSAPI proposal: %s", gss);
|
- debug("Offering GSSAPI proposal: %s", gss);
|
||||||
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
|
@ -485,7 +486,8 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
||||||
+ else
|
+ else
|
||||||
+ gss_host = host;
|
+ gss_host = host;
|
||||||
+
|
+
|
||||||
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
+ if (gss) {
|
+ if (gss) {
|
||||||
+ debug("Offering GSSAPI proposal: %s", gss);
|
+ debug("Offering GSSAPI proposal: %s", gss);
|
||||||
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
|
@ -494,7 +496,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
if (options.ciphers != NULL) {
|
if (options.ciphers != NULL) {
|
||||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||||
|
@ -505,7 +507,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
||||||
}
|
}
|
||||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||||
@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
if (options.macs != NULL) {
|
if (options.macs != NULL) {
|
||||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||||
|
@ -517,7 +519,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
||||||
if (options.hostkeyalgorithms != NULL)
|
if (options.hostkeyalgorithms != NULL)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||||
@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
}
|
}
|
||||||
if (options.kex_algorithms != NULL)
|
if (options.kex_algorithms != NULL)
|
||||||
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
||||||
|
@ -530,9 +532,9 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
/* If we've got GSSAPI algorithms, then we also support the
|
/* If we've got GSSAPI algorithms, then we also support the
|
||||||
* 'null' hostkey, as a last resort */
|
* 'null' hostkey, as a last resort */
|
||||||
diff -up openssh/sshd.c.fips openssh/sshd.c
|
diff -up openssh-6.9p1/sshd.c.fips openssh-6.9p1/sshd.c
|
||||||
--- openssh/sshd.c.fips 2015-06-24 12:00:58.734242489 +0200
|
--- openssh-6.9p1/sshd.c.fips 2015-08-20 11:57:44.966286996 +0200
|
||||||
+++ openssh/sshd.c 2015-06-24 12:00:58.739242477 +0200
|
+++ openssh-6.9p1/sshd.c 2015-08-20 11:57:44.973286968 +0200
|
||||||
@@ -66,6 +66,7 @@
|
@@ -66,6 +66,7 @@
|
||||||
#include <grp.h>
|
#include <grp.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
|
@ -648,9 +650,9 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
|
||||||
|
|
||||||
if (gss && orig)
|
if (gss && orig)
|
||||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||||
diff -up openssh/sshkey.c.fips openssh/sshkey.c
|
diff -up openssh-6.9p1/sshkey.c.fips openssh-6.9p1/sshkey.c
|
||||||
--- openssh/sshkey.c.fips 2015-06-24 12:00:58.735242487 +0200
|
--- openssh-6.9p1/sshkey.c.fips 2015-08-20 11:57:44.967286992 +0200
|
||||||
+++ openssh/sshkey.c 2015-06-24 12:00:58.740242474 +0200
|
+++ openssh-6.9p1/sshkey.c 2015-08-20 11:57:44.974286964 +0200
|
||||||
@@ -35,6 +35,7 @@
|
@@ -35,6 +35,7 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
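Review bot: The sshconnect2.c part of the fips patch now depends on the gsskexalg patch, and nothing visible on this page records that ordering. Its removed and re-added GSSAPI block calls `ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity, options.gss_kex_algorithms)`, and the option and third argument appear to come from the gsskexalg patch rebased in the same commit. I would state it at the top of the fips patch, e.g. `# Requires the gsskexalg patch to be applied first (context uses options.gss_kex_algorithms)`, so a later reorder or drop fails loudly in review rather than at patch time. The lines around the re-added block are elided in this view, so please also confirm that a user-supplied GSS KEX list cannot put back key-exchange methods the FIPS code path is meant to exclude.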
|
|
|
@ -1,6 +1,6 @@
|
||||||
diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
diff -up openssh-6.9p1/gss-genr.c.gsskexalg openssh-6.9p1/gss-genr.c
|
||||||
--- openssh-7.0p1/gss-genr.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
--- openssh-6.9p1/gss-genr.c.gsskexalg 2015-08-20 11:54:50.468693843 +0200
|
||||||
+++ openssh-7.0p1/gss-genr.c 2015-08-19 12:28:38.078518839 +0200
|
+++ openssh-6.9p1/gss-genr.c 2015-08-20 11:54:50.525693732 +0200
|
||||||
@@ -78,7 +78,8 @@ ssh_gssapi_oid_table_ok() {
|
@@ -78,7 +78,8 @@ ssh_gssapi_oid_table_ok() {
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
@ -79,9 +79,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
||||||
gss_enc2oid[oidpos].oid = NULL;
|
gss_enc2oid[oidpos].oid = NULL;
|
||||||
gss_enc2oid[oidpos].encoded = NULL;
|
gss_enc2oid[oidpos].encoded = NULL;
|
||||||
|
|
||||||
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
|
diff -up openssh-6.9p1/gss-serv.c.gsskexalg openssh-6.9p1/gss-serv.c
|
||||||
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
--- openssh-6.9p1/gss-serv.c.gsskexalg 2015-08-20 11:54:50.468693843 +0200
|
||||||
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
|
+++ openssh-6.9p1/gss-serv.c 2015-08-20 11:54:50.525693732 +0200
|
||||||
@@ -150,7 +150,7 @@ ssh_gssapi_server_mechanisms() {
|
@@ -150,7 +150,7 @@ ssh_gssapi_server_mechanisms() {
|
||||||
|
|
||||||
ssh_gssapi_supported_oids(&supported);
|
ssh_gssapi_supported_oids(&supported);
|
||||||
|
@ -91,11 +91,11 @@ diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Unprivileged */
|
/* Unprivileged */
|
||||||
diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
|
diff -up openssh-6.9p1/kex.c.gsskexalg openssh-6.9p1/kex.c
|
||||||
--- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
--- openssh-6.9p1/kex.c.gsskexalg 2015-08-20 11:54:50.526693730 +0200
|
||||||
+++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200
|
+++ openssh-6.9p1/kex.c 2015-08-20 11:56:10.413537466 +0200
|
||||||
@@ -232,6 +232,29 @@ kex_assemble_names(const char *def, char
|
@@ -170,6 +170,29 @@ kex_names_valid(const char *names)
|
||||||
return 0;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
+/* Validate GSS KEX method name list */
|
+/* Validate GSS KEX method name list */
|
||||||
|
@ -124,20 +124,20 @@ diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
|
||||||
/* put algorithm proposal into buffer */
|
/* put algorithm proposal into buffer */
|
||||||
int
|
int
|
||||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
||||||
diff -up openssh-7.0p1/kex.h.gsskexalg openssh-7.0p1/kex.h
|
diff -up openssh-6.9p1/kex.h.gsskexalg openssh-6.9p1/kex.h
|
||||||
--- openssh-7.0p1/kex.h.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
--- openssh-6.9p1/kex.h.gsskexalg 2015-08-20 11:54:50.526693730 +0200
|
||||||
+++ openssh-7.0p1/kex.h 2015-08-19 12:30:52.404218958 +0200
|
+++ openssh-6.9p1/kex.h 2015-08-20 11:56:28.588501914 +0200
|
||||||
@@ -173,6 +173,7 @@ int kex_names_valid(const char *);
|
@@ -169,6 +169,7 @@ struct kex {
|
||||||
char *kex_alg_list(char);
|
};
|
||||||
char *kex_names_cat(const char *, const char *);
|
|
||||||
int kex_assemble_names(const char *, char **);
|
int kex_names_valid(const char *);
|
||||||
+int gss_kex_names_valid(const char *);
|
+int gss_kex_names_valid(const char *);
|
||||||
|
char *kex_alg_list(char);
|
||||||
|
|
||||||
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
|
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
|
||||||
int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
|
diff -up openssh-6.9p1/readconf.c.gsskexalg openssh-6.9p1/readconf.c
|
||||||
diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
--- openssh-6.9p1/readconf.c.gsskexalg 2015-08-20 11:54:50.523693736 +0200
|
||||||
--- openssh-7.0p1/readconf.c.gsskexalg 2015-08-19 12:28:38.026518955 +0200
|
+++ openssh-6.9p1/readconf.c 2015-08-20 11:54:50.527693728 +0200
|
||||||
+++ openssh-7.0p1/readconf.c 2015-08-19 12:31:28.333138747 +0200
|
|
||||||
@@ -61,6 +61,7 @@
|
@@ -61,6 +61,7 @@
|
||||||
#include "uidswap.h"
|
#include "uidswap.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
|
@ -155,7 +155,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||||
oHashKnownHosts,
|
oHashKnownHosts,
|
||||||
@@ -200,6 +201,7 @@ static struct {
|
@@ -199,6 +200,7 @@ static struct {
|
||||||
{ "gssapiclientidentity", oGssClientIdentity },
|
{ "gssapiclientidentity", oGssClientIdentity },
|
||||||
{ "gssapiserveridentity", oGssServerIdentity },
|
{ "gssapiserveridentity", oGssServerIdentity },
|
||||||
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
||||||
|
@ -163,7 +163,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||||
#else
|
#else
|
||||||
{ "gssapiauthentication", oUnsupported },
|
{ "gssapiauthentication", oUnsupported },
|
||||||
{ "gssapikeyexchange", oUnsupported },
|
{ "gssapikeyexchange", oUnsupported },
|
||||||
@@ -207,6 +209,7 @@ static struct {
|
@@ -206,6 +208,7 @@ static struct {
|
||||||
{ "gssapitrustdns", oUnsupported },
|
{ "gssapitrustdns", oUnsupported },
|
||||||
{ "gssapiclientidentity", oUnsupported },
|
{ "gssapiclientidentity", oUnsupported },
|
||||||
{ "gssapirenewalforcesrekey", oUnsupported },
|
{ "gssapirenewalforcesrekey", oUnsupported },
|
||||||
|
@ -171,7 +171,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||||
#endif
|
#endif
|
||||||
{ "fallbacktorsh", oDeprecated },
|
{ "fallbacktorsh", oDeprecated },
|
||||||
{ "usersh", oDeprecated },
|
{ "usersh", oDeprecated },
|
||||||
@@ -929,6 +932,18 @@ parse_time:
|
@@ -927,6 +930,18 @@ parse_time:
|
||||||
intptr = &options->gss_renewal_rekey;
|
intptr = &options->gss_renewal_rekey;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
|
@ -190,7 +190,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||||
case oBatchMode:
|
case oBatchMode:
|
||||||
intptr = &options->batch_mode;
|
intptr = &options->batch_mode;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -1638,6 +1653,7 @@ initialize_options(Options * options)
|
@@ -1640,6 +1655,7 @@ initialize_options(Options * options)
|
||||||
options->gss_renewal_rekey = -1;
|
options->gss_renewal_rekey = -1;
|
||||||
options->gss_client_identity = NULL;
|
options->gss_client_identity = NULL;
|
||||||
options->gss_server_identity = NULL;
|
options->gss_server_identity = NULL;
|
||||||
|
@ -198,7 +198,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->kbd_interactive_devices = NULL;
|
options->kbd_interactive_devices = NULL;
|
||||||
@@ -1773,6 +1789,8 @@ fill_default_options(Options * options)
|
@@ -1774,6 +1790,8 @@ fill_default_options(Options * options)
|
||||||
options->gss_trust_dns = 0;
|
options->gss_trust_dns = 0;
|
||||||
if (options->gss_renewal_rekey == -1)
|
if (options->gss_renewal_rekey == -1)
|
||||||
options->gss_renewal_rekey = 0;
|
options->gss_renewal_rekey = 0;
|
||||||
|
@ -207,10 +207,10 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h
|
diff -up openssh-6.9p1/readconf.h.gsskexalg openssh-6.9p1/readconf.h
|
||||||
--- openssh-7.0p1/readconf.h.gsskexalg 2015-08-19 12:28:38.026518955 +0200
|
--- openssh-6.9p1/readconf.h.gsskexalg 2015-08-20 11:54:50.523693736 +0200
|
||||||
+++ openssh-7.0p1/readconf.h 2015-08-19 12:28:38.079518836 +0200
|
+++ openssh-6.9p1/readconf.h 2015-08-20 11:54:50.527693728 +0200
|
||||||
@@ -51,6 +51,7 @@ typedef struct {
|
@@ -52,6 +52,7 @@ typedef struct {
|
||||||
int gss_renewal_rekey; /* Credential renewal forces rekey */
|
int gss_renewal_rekey; /* Credential renewal forces rekey */
|
||||||
char *gss_client_identity; /* Principal to initiate GSSAPI with */
|
char *gss_client_identity; /* Principal to initiate GSSAPI with */
|
||||||
char *gss_server_identity; /* GSSAPI target principal */
|
char *gss_server_identity; /* GSSAPI target principal */
|
||||||
|
@ -218,10 +218,10 @@ diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h
|
||||||
int password_authentication; /* Try password
|
int password_authentication; /* Try password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||||
diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
diff -up openssh-6.9p1/servconf.c.gsskexalg openssh-6.9p1/servconf.c
|
||||||
--- openssh-7.0p1/servconf.c.gsskexalg 2015-08-19 12:28:38.074518847 +0200
|
--- openssh-6.9p1/servconf.c.gsskexalg 2015-08-20 11:54:50.515693751 +0200
|
||||||
+++ openssh-7.0p1/servconf.c 2015-08-19 12:33:13.599902732 +0200
|
+++ openssh-6.9p1/servconf.c 2015-08-20 11:57:16.443398237 +0200
|
||||||
@@ -57,6 +57,7 @@
|
@@ -56,6 +56,7 @@
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
|
@ -229,7 +229,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||||
|
|
||||||
static void add_listen_addr(ServerOptions *, char *, int);
|
static void add_listen_addr(ServerOptions *, char *, int);
|
||||||
static void add_one_listen_addr(ServerOptions *, char *, int);
|
static void add_one_listen_addr(ServerOptions *, char *, int);
|
||||||
@@ -121,6 +122,7 @@ initialize_server_options(ServerOptions
|
@@ -119,6 +120,7 @@ initialize_server_options(ServerOptions
|
||||||
options->gss_cleanup_creds = -1;
|
options->gss_cleanup_creds = -1;
|
||||||
options->gss_strict_acceptor = -1;
|
options->gss_strict_acceptor = -1;
|
||||||
options->gss_store_rekey = -1;
|
options->gss_store_rekey = -1;
|
||||||
|
@ -246,8 +246,8 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -427,7 +431,7 @@ typedef enum {
|
@@ -416,7 +420,7 @@ typedef enum {
|
||||||
sHostKeyAlgorithms,
|
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||||
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||||
|
@ -255,7 +255,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
sHostCertificate,
|
sHostCertificate,
|
||||||
@@ -506,6 +510,7 @@ static struct {
|
@@ -494,6 +498,7 @@ static struct {
|
||||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||||
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||||
|
@ -263,7 +263,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||||
#else
|
#else
|
||||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -513,6 +518,7 @@ static struct {
|
@@ -501,6 +506,7 @@ static struct {
|
||||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||||
|
@ -271,7 +271,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||||
#endif
|
#endif
|
||||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -1273,6 +1279,18 @@ process_server_config_line(ServerOptions
|
@@ -1256,6 +1262,18 @@ process_server_config_line(ServerOptions
|
||||||
intptr = &options->gss_store_rekey;
|
intptr = &options->gss_store_rekey;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
|
@ -290,7 +290,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||||
case sPasswordAuthentication:
|
case sPasswordAuthentication:
|
||||||
intptr = &options->password_authentication;
|
intptr = &options->password_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -2304,6 +2322,7 @@ dump_config(ServerOptions *o)
|
@@ -2287,6 +2305,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
||||||
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
||||||
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
||||||
|
@ -298,10 +298,10 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||||
#endif
|
#endif
|
||||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||||
diff -up openssh-7.0p1/servconf.h.gsskexalg openssh-7.0p1/servconf.h
|
diff -up openssh-6.9p1/servconf.h.gsskexalg openssh-6.9p1/servconf.h
|
||||||
--- openssh-7.0p1/servconf.h.gsskexalg 2015-08-19 12:28:38.080518834 +0200
|
--- openssh-6.9p1/servconf.h.gsskexalg 2015-08-20 11:54:50.501693779 +0200
|
||||||
+++ openssh-7.0p1/servconf.h 2015-08-19 12:34:46.328693944 +0200
|
+++ openssh-6.9p1/servconf.h 2015-08-20 11:54:50.528693726 +0200
|
||||||
@@ -122,6 +122,7 @@ typedef struct {
|
@@ -121,6 +121,7 @@ typedef struct {
|
||||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||||
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
||||||
int gss_store_rekey;
|
int gss_store_rekey;
|
||||||
|
@ -309,10 +309,10 @@ diff -up openssh-7.0p1/servconf.h.gsskexalg openssh-7.0p1/servconf.h
|
||||||
int password_authentication; /* If true, permit password
|
int password_authentication; /* If true, permit password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* If true, permit */
|
int kbd_interactive_authentication; /* If true, permit */
|
||||||
diff -up openssh-7.0p1/ssh.1.gsskexalg openssh-7.0p1/ssh.1
|
diff -up openssh-6.9p1/ssh.1.gsskexalg openssh-6.9p1/ssh.1
|
||||||
--- openssh-7.0p1/ssh.1.gsskexalg 2015-08-19 12:28:38.081518832 +0200
|
--- openssh-6.9p1/ssh.1.gsskexalg 2015-08-20 11:54:50.505693771 +0200
|
||||||
+++ openssh-7.0p1/ssh.1 2015-08-19 12:35:31.741591692 +0200
|
+++ openssh-6.9p1/ssh.1 2015-08-20 11:54:50.528693726 +0200
|
||||||
@@ -496,6 +496,7 @@ For full details of the options listed b
|
@@ -446,6 +446,7 @@ For full details of the options listed b
|
||||||
.It GSSAPIDelegateCredentials
|
.It GSSAPIDelegateCredentials
|
||||||
.It GSSAPIRenewalForcesRekey
|
.It GSSAPIRenewalForcesRekey
|
||||||
.It GSSAPITrustDNS
|
.It GSSAPITrustDNS
|
||||||
|
@ -320,10 +320,10 @@ diff -up openssh-7.0p1/ssh.1.gsskexalg openssh-7.0p1/ssh.1
|
||||||
.It HashKnownHosts
|
.It HashKnownHosts
|
||||||
.It Host
|
.It Host
|
||||||
.It HostbasedAuthentication
|
.It HostbasedAuthentication
|
||||||
diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5
|
diff -up openssh-6.9p1/ssh_config.5.gsskexalg openssh-6.9p1/ssh_config.5
|
||||||
--- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200
|
--- openssh-6.9p1/ssh_config.5.gsskexalg 2015-08-20 11:54:50.523693736 +0200
|
||||||
+++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200
|
+++ openssh-6.9p1/ssh_config.5 2015-08-20 11:54:50.528693726 +0200
|
||||||
@@ -786,6 +786,18 @@ command line will be passed untouched to
|
@@ -781,6 +781,18 @@ command line will be passed untouched to
|
||||||
The default is
|
The default is
|
||||||
.Dq no .
|
.Dq no .
|
||||||
This option only applies to protocol version 2 connections using GSSAPI.
|
This option only applies to protocol version 2 connections using GSSAPI.
|
||||||
|
@ -342,9 +342,9 @@ diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5
|
||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
|
diff -up openssh-6.9p1/sshconnect2.c.gsskexalg openssh-6.9p1/sshconnect2.c
|
||||||
--- openssh-7.0p1/sshconnect2.c.gsskexalg 2015-08-19 12:28:38.045518912 +0200
|
--- openssh-6.9p1/sshconnect2.c.gsskexalg 2015-08-20 11:54:50.523693736 +0200
|
||||||
+++ openssh-7.0p1/sshconnect2.c 2015-08-19 12:28:38.081518832 +0200
|
+++ openssh-6.9p1/sshconnect2.c 2015-08-20 11:54:50.529693724 +0200
|
||||||
@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
else
|
else
|
||||||
gss_host = host;
|
gss_host = host;
|
||||||
|
@ -355,10 +355,10 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
|
||||||
if (gss) {
|
if (gss) {
|
||||||
debug("Offering GSSAPI proposal: %s", gss);
|
debug("Offering GSSAPI proposal: %s", gss);
|
||||||
xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
diff -up openssh-7.0p1/sshd_config.5.gsskexalg openssh-7.0p1/sshd_config.5
|
diff -up openssh-6.9p1/sshd_config.5.gsskexalg openssh-6.9p1/sshd_config.5
|
||||||
--- openssh-7.0p1/sshd_config.5.gsskexalg 2015-08-19 12:28:38.082518830 +0200
|
--- openssh-6.9p1/sshd_config.5.gsskexalg 2015-08-20 11:54:50.517693747 +0200
|
||||||
+++ openssh-7.0p1/sshd_config.5 2015-08-19 12:36:25.121471501 +0200
|
+++ openssh-6.9p1/sshd_config.5 2015-08-20 11:54:50.529693724 +0200
|
||||||
@@ -659,6 +659,18 @@ Controls whether the user's GSSAPI crede
|
@@ -654,6 +654,18 @@ Controls whether the user's GSSAPI crede
|
||||||
successful connection rekeying. This option can be used to accepted renewed
|
successful connection rekeying. This option can be used to accepted renewed
|
||||||
or updated credentials from a compatible client. The default is
|
or updated credentials from a compatible client. The default is
|
||||||
.Dq no .
|
.Dq no .
|
||||||
|
@ -377,22 +377,22 @@ diff -up openssh-7.0p1/sshd_config.5.gsskexalg openssh-7.0p1/sshd_config.5
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
as a comma-separated pattern list.
|
as a comma-separated pattern list.
|
||||||
diff -up openssh-7.0p1/ssh-gss.h.gsskexalg openssh-7.0p1/ssh-gss.h
|
diff -up openssh-6.9p1/ssh-gss.h.gsskexalg openssh-6.9p1/ssh-gss.h
|
||||||
--- openssh-7.0p1/ssh-gss.h.gsskexalg 2015-08-19 12:28:38.031518944 +0200
|
--- openssh-6.9p1/ssh-gss.h.gsskexalg 2015-08-20 11:54:50.475693830 +0200
|
||||||
+++ openssh-7.0p1/ssh-gss.h 2015-08-19 12:28:38.081518832 +0200
|
+++ openssh-6.9p1/ssh-gss.h 2015-08-20 11:54:50.529693724 +0200
|
||||||
@@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds;
|
@@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds;
|
||||||
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
|
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
|
||||||
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
|
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
|
||||||
|
|
||||||
+#define GSS_KEX_DEFAULT_KEX \
|
+#define GSS_KEX_DEFAULT_KEX \
|
||||||
+ KEX_GSS_GEX_SHA1_ID "," \
|
+ KEX_GSS_GEX_SHA1_ID "," \
|
||||||
+ KEX_GSS_GRP1_SHA1_ID ","
|
+ KEX_GSS_GRP1_SHA1_ID "," \
|
||||||
+ KEX_GSS_GRP14_SHA1_ID
|
+ KEX_GSS_GRP14_SHA1_ID
|
||||||
+
|
+
|
||||||
typedef struct {
|
typedef struct {
|
||||||
char *filename;
|
char *filename;
|
||||||
char *envvar;
|
char *envvar;
|
||||||
@@ -147,9 +151,9 @@ int ssh_gssapi_credentials_updated(Gssct
|
@@ -147,9 +152,9 @@ int ssh_gssapi_credentials_updated(Gssct
|
||||||
/* In the server */
|
/* In the server */
|
||||||
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
|
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
|
||||||
const char *);
|
const char *);
|
||||||
|
|