Improve the naming of the new kerberos configuration option
This commit is contained in:
Jakub Jelen
parent
6c9d993869
commit
8089081fa9
@ -83,7 +83,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
M_CP_INTOPT(log_level);
|
M_CP_INTOPT(log_level);
|
||||||
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
|
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
|
||||||
# endif
|
# endif
|
||||||
dump_cfg_fmtint(sKerberosUniqueTicket, o->kerberos_unique_ticket);
|
dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||||
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||||
#endif
|
#endif
|
||||||
@ -93,7 +93,7 @@ diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
|
|||||||
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||||
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
|
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
|
||||||
@@ -174,6 +174,7 @@ typedef struct {
|
@@ -174,6 +174,7 @@ typedef struct {
|
||||||
int kerberos_unique_ticket; /* If true, the aquired ticket will
|
int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||||
* be stored in per-session ccache */
|
* be stored in per-session ccache */
|
||||||
int use_kuserok;
|
int use_kuserok;
|
||||||
+ int enable_k5users;
|
+ int enable_k5users;
|
||||||
|
|||||||
@ -196,22 +196,22 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sKerberosUniqueTicket,
|
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
+ sKerberosGetAFSToken, sKerberosUniqueTicket, sKerberosUseKuserok,
|
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
|
||||||
sChallengeResponseAuthentication,
|
sChallengeResponseAuthentication,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||||
sListenAddress, sAddressFamily,
|
sListenAddress, sAddressFamily,
|
||||||
@@ -478,12 +481,14 @@ static struct {
|
@@ -478,12 +481,14 @@ static struct {
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
{ "kerberosuniqueticket", sKerberosUniqueTicket, SSHCFG_GLOBAL },
|
{ "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
|
||||||
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
||||||
#else
|
#else
|
||||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "kerberosuniqueticket", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
||||||
#endif
|
#endif
|
||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@ -238,7 +238,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
|
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
||||||
# endif
|
# endif
|
||||||
dump_cfg_fmtint(sKerberosUniqueTicket, o->kerberos_unique_ticket);
|
dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||||
#endif
|
#endif
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
@ -248,7 +248,7 @@ diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
|
|||||||
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
|
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
|
||||||
@@ -118,6 +118,7 @@ typedef struct {
|
@@ -118,6 +118,7 @@ typedef struct {
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
int kerberos_unique_ticket; /* If true, the aquired ticket will
|
int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||||
* be stored in per-session ccache */
|
* be stored in per-session ccache */
|
||||||
+ int use_kuserok;
|
+ int use_kuserok;
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
@ -258,9 +258,9 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
|
|||||||
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
|
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
|
||||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
|
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
|
||||||
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
|
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
|
||||||
tickets aquired in different sessions of the same user.
|
.Cm no
|
||||||
The default is
|
can lead to overwriting previous tickets by subseqent connections to the same
|
||||||
.Cm no .
|
user account.
|
||||||
+.It Cm KerberosUseKuserok
|
+.It Cm KerberosUseKuserok
|
||||||
+Specifies whether to look at .k5login file for user's aliases.
|
+Specifies whether to look at .k5login file for user's aliases.
|
||||||
+The default is
|
+The default is
|
||||||
|
|||||||
@ -248,7 +248,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ if (need_environment)
|
+ if (need_environment)
|
||||||
+ *need_environment = 0;
|
+ *need_environment = 0;
|
||||||
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||||
+ if (ret || !ccname || options.kerberos_unique_ticket) {
|
+ if (ret || !ccname || options.kerberos_unique_ccache) {
|
||||||
+ /* Otherwise, go with the old method */
|
+ /* Otherwise, go with the old method */
|
||||||
+ if (ccname)
|
+ if (ccname)
|
||||||
+ free(ccname);
|
+ free(ccname);
|
||||||
@ -494,7 +494,7 @@ index cb578658..a6e01df2 100644
|
|||||||
options->kerberos_or_local_passwd = -1;
|
options->kerberos_or_local_passwd = -1;
|
||||||
options->kerberos_ticket_cleanup = -1;
|
options->kerberos_ticket_cleanup = -1;
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
+ options->kerberos_unique_ticket = -1;
|
+ options->kerberos_unique_ccache = -1;
|
||||||
options->gss_authentication=-1;
|
options->gss_authentication=-1;
|
||||||
options->gss_keyex = -1;
|
options->gss_keyex = -1;
|
||||||
options->gss_cleanup_creds = -1;
|
options->gss_cleanup_creds = -1;
|
||||||
@ -502,8 +502,8 @@ index cb578658..a6e01df2 100644
|
|||||||
options->kerberos_ticket_cleanup = 1;
|
options->kerberos_ticket_cleanup = 1;
|
||||||
if (options->kerberos_get_afs_token == -1)
|
if (options->kerberos_get_afs_token == -1)
|
||||||
options->kerberos_get_afs_token = 0;
|
options->kerberos_get_afs_token = 0;
|
||||||
+ if (options->kerberos_unique_ticket == -1)
|
+ if (options->kerberos_unique_ccache == -1)
|
||||||
+ options->kerberos_unique_ticket = 0;
|
+ options->kerberos_unique_ccache = 0;
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_keyex == -1)
|
if (options->gss_keyex == -1)
|
||||||
@ -512,7 +512,7 @@ index cb578658..a6e01df2 100644
|
|||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||||
+ sKerberosGetAFSToken, sKerberosUniqueTicket,
|
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
+ sChallengeResponseAuthentication,
|
+ sChallengeResponseAuthentication,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||||
sListenAddress, sAddressFamily,
|
sListenAddress, sAddressFamily,
|
||||||
@ -521,13 +521,13 @@ index cb578658..a6e01df2 100644
|
|||||||
#else
|
#else
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
+ { "kerberosuniqueticket", sKerberosUniqueTicket, SSHCFG_GLOBAL },
|
+ { "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
|
||||||
#else
|
#else
|
||||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
+ { "kerberosuniqueticket", sUnsupported, SSHCFG_GLOBAL },
|
+ { "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@ -535,8 +535,8 @@ index cb578658..a6e01df2 100644
|
|||||||
intptr = &options->kerberos_get_afs_token;
|
intptr = &options->kerberos_get_afs_token;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
+ case sKerberosUniqueTicket:
|
+ case sKerberosUniqueCCache:
|
||||||
+ intptr = &options->kerberos_unique_ticket;
|
+ intptr = &options->kerberos_unique_ccache;
|
||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
case sGssAuthentication:
|
case sGssAuthentication:
|
||||||
@ -546,7 +546,7 @@ index cb578658..a6e01df2 100644
|
|||||||
# ifdef USE_AFS
|
# ifdef USE_AFS
|
||||||
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
||||||
# endif
|
# endif
|
||||||
+ dump_cfg_fmtint(sKerberosUniqueTicket, o->kerberos_unique_ticket);
|
+ dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||||
#endif
|
#endif
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||||
@ -558,7 +558,7 @@ index db8362c6..4fa42d64 100644
|
|||||||
* file on logout. */
|
* file on logout. */
|
||||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
+ int kerberos_unique_ticket; /* If true, the aquired ticket will
|
+ int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||||
+ * be stored in per-session ccache */
|
+ * be stored in per-session ccache */
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||||
@ -633,16 +633,18 @@ diff --git a/sshd_config.5 b/sshd_config.5
|
|||||||
index c0683d4a..2349f477 100644
|
index c0683d4a..2349f477 100644
|
||||||
--- a/sshd_config.5
|
--- a/sshd_config.5
|
||||||
+++ b/sshd_config.5
|
+++ b/sshd_config.5
|
||||||
@@ -860,6 +860,12 @@ Specifies whether to automatically destroy the user's ticket cache
|
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
|
||||||
file on logout.
|
file on logout.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
+.It Cm KerberosUniqueTicket
|
+.It Cm KerberosUniqueCCache
|
||||||
+Specifies whether to store the aquired tickets in the per-session credential
|
+Specifies whether to store the acquired tickets in the per-session credential
|
||||||
+cache or whether to use per-user credential cache, which might overwrite
|
+cache under /tmp/ or whether to use per-user credential cache as configured in
|
||||||
+tickets aquired in different sessions of the same user.
|
+.Pa /etc/krb5.conf .
|
||||||
+The default is
|
+The default value
|
||||||
+.Cm no .
|
+.Cm no
|
||||||
|
+can lead to overwriting previous tickets by subseqent connections to the same
|
||||||
|
+user account.
|
||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
Specifies the available KEX (Key Exchange) algorithms.
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
Multiple algorithms must be comma-separated.
|
Multiple algorithms must be comma-separated.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user