From 8089081fa9a0b367c487e62dccfde2a8781c5939 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 12 Oct 2018 13:34:58 +0200
Subject: [PATCH] Improve the naming of the new kerberos configuration option

---
openssh-6.6p1-GSSAPIEnablek5users.patch | 4 +--
openssh-6.6p1-kuserok.patch | 18 ++++++------
openssh-7.7p1-gssapi-new-unique.patch | 38 +++++++++++++------------
3 files changed, 31 insertions(+), 29 deletions(-)

diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch
index 37e010d..c33bdac 100644
--- a/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -83,7 +83,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
M_CP_INTOPT(log_level);
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
# endif
- dump_cfg_fmtint(sKerberosUniqueTicket, o->kerberos_unique_ticket);
+ dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
#endif
@@ -93,7 +93,7 @@ diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
@@ -174,6 +174,7 @@ typedef struct {
- int kerberos_unique_ticket; /* If true, the aquired ticket will
+ int kerberos_unique_ccache; /* If true, the acquired ticket will
* be stored in per-session ccache */
int use_kuserok;
+ int enable_k5users;
diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch
index 81ec2a4..4b681ff 100644
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@@ -196,22 +196,22 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-- sKerberosGetAFSToken, sKerberosUniqueTicket,
-+ sKerberosGetAFSToken, sKerberosUniqueTicket, sKerberosUseKuserok,
+- sKerberosGetAFSToken, sKerberosUniqueCCache,
++ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -478,12 +481,14 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
- { "kerberosuniqueticket", sKerberosUniqueTicket, SSHCFG_GLOBAL },
+ { "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
#else
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
- { "kerberosuniqueticket", sUnsupported, SSHCFG_GLOBAL },
+ { "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -238,7 +238,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif
- dump_cfg_fmtint(sKerberosUniqueTicket, o->kerberos_unique_ticket);
+ dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
#endif
#ifdef GSSAPI
@@ -248,7 +248,7 @@ diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
@@ -118,6 +118,7 @@ typedef struct {
* authenticated with Kerberos. */
- int kerberos_unique_ticket; /* If true, the aquired ticket will
+ int kerberos_unique_ccache; /* If true, the acquired ticket will
* be stored in per-session ccache */
+ int use_kuserok;
int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -258,9 +258,9 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
- tickets aquired in different sessions of the same user.
- The default is
- .Cm no .
+ .Cm no
+ can lead to overwriting previous tickets by subseqent connections to the same
+ user account.
+.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases.
+The default is
diff --git a/openssh-7.7p1-gssapi-new-unique.patch b/openssh-7.7p1-gssapi-new-unique.patch
index 49c7e86..6ab5e2c 100644
--- a/openssh-7.7p1-gssapi-new-unique.patch
+++ b/openssh-7.7p1-gssapi-new-unique.patch
@@ -248,7 +248,7 @@ index a5a81ed2..63f877f2 100644
+ if (need_environment)
+ *need_environment = 0;
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
-+ if (ret || !ccname || options.kerberos_unique_ticket) {
++ if (ret || !ccname || options.kerberos_unique_ccache) {
+ /* Otherwise, go with the old method */
+ if (ccname)
+ free(ccname);
@@ -494,7 +494,7 @@ index cb578658..a6e01df2 100644
options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
-+ options->kerberos_unique_ticket = -1;
++ options->kerberos_unique_ccache = -1;
options->gss_authentication=-1;
options->gss_keyex = -1;
options->gss_cleanup_creds = -1;
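Review bot: In the `@@ -248` hunk the branch comment `/* Otherwise, go with the old method */` says nothing about which option drives it, even though the condition `if (ret || !ccname || options.kerberos_unique_ccache)` is exactly where the renamed setting takes effect; I'd reword it to `/* No cctemplate, or KerberosUniqueCCache=yes: use the old per-session ccache instead */`. Note the polarity: the option set to yes forces the fallback path, so the default of no is what selects the template-based cache, which is worth a word in the comment since the name alone does not make that obvious. As a smaller point, `ssh_krb5_get_cctemplate()` is still called and `ccname` allocated before the option is consulted, only to be freed two lines later when the option is on; checking `options.kerberos_unique_ccache` before the call would avoid the wasted lookup, provided nothing after the hunk relies on `ret`. The enclosing function starts and ends outside the hunk.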
@@ -502,8 +502,8 @@ index cb578658..a6e01df2 100644
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
-+ if (options->kerberos_unique_ticket == -1)
-+ options->kerberos_unique_ticket = 0;
++ if (options->kerberos_unique_ccache == -1)
++ options->kerberos_unique_ccache = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
if (options->gss_keyex == -1)
@@ -512,7 +512,7 @@ index cb578658..a6e01df2 100644
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -521,13 +521,13 @@ index cb578658..a6e01df2 100644
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
+ { "kerberosuniqueticket", sKerberosUniqueTicket, SSHCFG_GLOBAL },
++ { "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
#else
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
-+ { "kerberosuniqueticket", sUnsupported, SSHCFG_GLOBAL },
++ { "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -535,8 +535,8 @@ index cb578658..a6e01df2 100644
intptr = &options->kerberos_get_afs_token;
goto parse_flag;
-+ case sKerberosUniqueTicket:
-+ intptr = &options->kerberos_unique_ticket;
++ case sKerberosUniqueCCache:
++ intptr = &options->kerberos_unique_ccache;
+ goto parse_flag;
+ case sGssAuthentication:
@@ -546,7 +546,7 @@ index cb578658..a6e01df2 100644
# ifdef USE_AFS
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif
-+ dump_cfg_fmtint(sKerberosUniqueTicket, o->kerberos_unique_ticket);
++ dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -558,7 +558,7 @@ index db8362c6..4fa42d64 100644
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
-+ int kerberos_unique_ticket; /* If true, the aquired ticket will
++ int kerberos_unique_ccache; /* If true, the acquired ticket will
+ * be stored in per-session ccache */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */
@@ -633,16 +633,18 @@ diff --git a/sshd_config.5 b/sshd_config.5
index c0683d4a..2349f477 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -860,6 +860,12 @@ Specifies whether to automatically destroy the user's ticket cache
+@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
file on logout.
The default is
.Cm yes .
-+.It Cm KerberosUniqueTicket
-+Specifies whether to store the aquired tickets in the per-session credential
-+cache or whether to use per-user credential cache, which might overwrite
-+tickets aquired in different sessions of the same user.
-+The default is
-+.Cm no .
++.It Cm KerberosUniqueCCache
++Specifies whether to store the acquired tickets in the per-session credential
++cache under /tmp/ or whether to use per-user credential cache as configured in
++.Pa /etc/krb5.conf .
++The default value
++.Cm no
++can lead to overwriting previous tickets by subseqent connections to the same
++user account.
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
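Review bot: The new KerberosUniqueCCache entry in the `@@ -633` hunk carries a typo, `subseqent`, and drops the `The default is` / `.Cm no .` form that the KerberosTicketCleanup entry just above it uses; I'd keep that form and make the warning its own sentence, e.g. `The default is` / `.Cm no ,` / `which can lead to previous tickets being overwritten by subsequent connections to the same user account.` The kuserok hunk earlier in this commit adds the same `subseqent` wording and should be fixed the same way. The entry would also benefit from spelling out the logout interaction: the context lines show KerberosTicketCleanup defaulting to yes and destroying the user's ticket cache on logout, and with a shared per-user cache that presumably removes tickets still in use by another session of the same user — confirm and state it, since it is the practical reason to turn this option on. Finally, `/tmp/` is given as a literal location for the per-session cache while the per-user one is deferred to `.Pa /etc/krb5.conf`; if that directory is not fixed by the code, say "a per-session cache file" instead of naming it.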