From 93bba24965f07a2a6a5a71c506bfe0c27d833c29 Mon Sep 17 00:00:00 2001 From: Jan F Date: Fri, 22 Oct 2010 16:27:17 +0200 Subject: [PATCH] - update gsskex patch (#645389) --- openssh-5.4p1-gsskex.patch | 147 +++++++++++++++++++------------------ openssh.spec | 5 +- 2 files changed, 78 insertions(+), 74 deletions(-) diff --git a/openssh-5.4p1-gsskex.patch b/openssh-5.4p1-gsskex.patch index 8a626a4..b227c92 100644 --- a/openssh-5.4p1-gsskex.patch +++ b/openssh-5.4p1-gsskex.patch @@ -1,6 +1,6 @@ diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c ---- openssh-5.4p1/auth2.c.gsskex 2010-03-01 18:14:24.000000000 +0100 -+++ openssh-5.4p1/auth2.c 2010-03-01 18:14:28.000000000 +0100 +--- openssh-5.4p1/auth2.c.gsskex 2010-10-22 16:20:00.000000000 +0200 ++++ openssh-5.4p1/auth2.c 2010-10-22 16:20:02.000000000 +0200 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -36,8 +36,8 @@ diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c ---- openssh-5.4p1/auth2-gss.c.gsskex 2010-03-01 18:14:24.000000000 +0100 -+++ openssh-5.4p1/auth2-gss.c 2010-03-01 18:14:28.000000000 +0100 +--- openssh-5.4p1/auth2-gss.c.gsskex 2010-10-22 16:20:00.000000000 +0200 ++++ openssh-5.4p1/auth2-gss.c 2010-10-22 16:20:02.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ @@ -138,8 +138,8 @@ diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c "gssapi-with-mic", userauth_gssapi, diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h ---- openssh-5.4p1/auth.h.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/auth.h 2010-03-01 18:14:28.000000000 +0100 +--- openssh-5.4p1/auth.h.gsskex 2010-10-22 16:20:00.000000000 +0200 ++++ openssh-5.4p1/auth.h 2010-10-22 16:20:02.000000000 +0200 @@ -53,6 +53,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; @@ -150,7 +150,7 @@ diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h char *service; diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c --- openssh-5.4p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 -+++ openssh-5.4p1/auth-krb5.c 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/auth-krb5.c 2010-10-22 16:20:02.000000000 +0200 @@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c len = strlen(authctxt->krb5_ticket_file) + 6; @@ -199,8 +199,8 @@ diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c return (krb5_cc_resolve(ctx, ccname, ccache)); } diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi ---- openssh-5.4p1/ChangeLog.gssapi.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/ChangeLog.gssapi 2010-03-01 18:14:28.000000000 +0100 +--- openssh-5.4p1/ChangeLog.gssapi.gsskex 2010-10-22 16:20:02.000000000 +0200 ++++ openssh-5.4p1/ChangeLog.gssapi 2010-10-22 16:20:02.000000000 +0200 @@ -0,0 +1,95 @@ +20090615 + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c @@ -299,7 +299,7 @@ diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi + diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c --- openssh-5.4p1/clientloop.c.gsskex 2010-01-30 07:28:35.000000000 +0100 -+++ openssh-5.4p1/clientloop.c 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/clientloop.c 2010-10-22 16:20:02.000000000 +0200 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -326,8 +326,8 @@ diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c debug("need rekeying"); xxx_kex->done = 0; diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac ---- openssh-5.4p1/configure.ac.gsskex 2010-03-01 18:14:27.000000000 +0100 -+++ openssh-5.4p1/configure.ac 2010-03-01 18:14:28.000000000 +0100 +--- openssh-5.4p1/configure.ac.gsskex 2010-10-22 16:20:02.000000000 +0200 ++++ openssh-5.4p1/configure.ac 2010-10-22 16:20:02.000000000 +0200 @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE(SSH_TUN_PREPEND_AF, 1, @@ -361,7 +361,7 @@ diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c --- openssh-5.4p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.4p1/gss-genr.c 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/gss-genr.c 2010-10-22 16:20:02.000000000 +0200 @@ -39,12 +39,167 @@ #include "buffer.h" #include "log.h" @@ -702,7 +702,7 @@ diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c #endif /* GSSAPI */ diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c --- openssh-5.4p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 -+++ openssh-5.4p1/gss-serv.c 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/gss-serv.c 2010-10-22 16:20:02.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ @@ -1018,7 +1018,7 @@ diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c #endif diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c --- openssh-5.4p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.4p1/gss-serv-krb5.c 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/gss-serv-krb5.c 2010-10-22 16:20:02.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ @@ -1141,7 +1141,7 @@ diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c #endif /* KRB5 */ diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c --- openssh-5.4p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 -+++ openssh-5.4p1/kex.c 2010-03-01 18:18:42.000000000 +0100 ++++ openssh-5.4p1/kex.c 2010-10-22 16:20:02.000000000 +0200 @@ -50,6 +50,10 @@ #include "monitor.h" #include "roaming.h" @@ -1175,8 +1175,8 @@ diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c fatal("bad kex alg %s", k->name); } diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c ---- openssh-5.4p1/kexgssc.c.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/kexgssc.c 2010-03-01 18:14:28.000000000 +0100 +--- openssh-5.4p1/kexgssc.c.gsskex 2010-10-22 16:20:02.000000000 +0200 ++++ openssh-5.4p1/kexgssc.c 2010-10-22 16:20:02.000000000 +0200 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1513,8 +1513,8 @@ diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c + +#endif /* GSSAPI */ diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c ---- openssh-5.4p1/kexgsss.c.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/kexgsss.c 2010-03-01 18:14:28.000000000 +0100 +--- openssh-5.4p1/kexgsss.c.gsskex 2010-10-22 16:20:02.000000000 +0200 ++++ openssh-5.4p1/kexgsss.c 2010-10-22 16:20:02.000000000 +0200 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1806,7 +1806,7 @@ diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c +#endif /* GSSAPI */ diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h --- openssh-5.4p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.4p1/kex.h 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/kex.h 2010-10-22 16:20:02.000000000 +0200 @@ -67,6 +67,9 @@ enum kex_exchange { KEX_DH_GRP14_SHA1, KEX_DH_GEX_SHA1, @@ -1843,8 +1843,8 @@ diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c ---- openssh-5.4p1/key.c.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.4p1/key.c 2010-03-01 18:20:43.000000000 +0100 +--- openssh-5.4p1/key.c.gsskex 2010-03-04 11:52:18.000000000 +0100 ++++ openssh-5.4p1/key.c 2010-10-22 16:20:02.000000000 +0200 @@ -969,6 +969,8 @@ key_type_from_name(char *name) return KEY_RSA_CERT; } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { @@ -1856,7 +1856,7 @@ diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c return KEY_UNSPEC; diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h --- openssh-5.4p1/key.h.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.4p1/key.h 2010-03-01 18:21:22.000000000 +0100 ++++ openssh-5.4p1/key.h 2010-10-22 16:20:02.000000000 +0200 @@ -37,6 +37,7 @@ enum types { KEY_DSA, KEY_RSA_CERT, @@ -1866,9 +1866,9 @@ diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h }; enum fp_type { diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in ---- openssh-5.4p1/Makefile.in.gsskex 2010-03-01 18:14:27.000000000 +0100 -+++ openssh-5.4p1/Makefile.in 2010-03-01 18:23:31.000000000 +0100 -@@ -74,11 +74,11 @@ +--- openssh-5.4p1/Makefile.in.gsskex 2010-10-22 16:20:01.000000000 +0200 ++++ openssh-5.4p1/Makefile.in 2010-10-22 16:22:14.000000000 +0200 +@@ -74,11 +74,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ entropy.o gss-genr.o umac.o jpake.o schnorr.o \ @@ -1882,7 +1882,7 @@ diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ -@@ -91,7 +91,7 @@ +@@ -91,7 +91,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ @@ -1892,8 +1892,8 @@ diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c ---- openssh-5.4p1/monitor.c.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/monitor.c 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/monitor.c.gsskex 2010-10-22 16:20:00.000000000 +0200 ++++ openssh-5.4p1/monitor.c 2010-10-22 16:20:02.000000000 +0200 @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -1946,7 +1946,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1738,6 +1755,13 @@ mm_get_kex(Buffer *m) +@@ -1723,6 +1740,13 @@ mm_get_kex(Buffer *m) kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; @@ -1960,7 +1960,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -@@ -1944,6 +1968,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -1929,6 +1953,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -1970,7 +1970,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -1971,6 +1998,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1956,6 +1983,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1980,7 +1980,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -1988,6 +2018,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1973,6 +2003,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1988,7 +1988,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c } return (0); } -@@ -1999,6 +2030,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -1984,6 +2015,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; @@ -1998,7 +1998,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2025,7 +2059,11 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2010,7 +2044,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -2011,7 +2011,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2038,6 +2076,74 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2023,6 +2061,74 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2087,8 +2087,8 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c #ifdef JPAKE diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h ---- openssh-5.4p1/monitor.h.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/monitor.h 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/monitor.h.gsskex 2010-10-22 16:20:01.000000000 +0200 ++++ openssh-5.4p1/monitor.h 2010-10-22 16:20:02.000000000 +0200 @@ -56,6 +56,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, @@ -2099,9 +2099,9 @@ diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c ---- openssh-5.4p1/monitor_wrap.c.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 18:14:29.000000000 +0100 -@@ -1267,7 +1267,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss +--- openssh-5.4p1/monitor_wrap.c.gsskex 2010-10-22 16:20:01.000000000 +0200 ++++ openssh-5.4p1/monitor_wrap.c 2010-10-22 16:20:02.000000000 +0200 +@@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } int @@ -2110,7 +2110,7 @@ diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c { Buffer m; int authenticated = 0; -@@ -1284,6 +1284,51 @@ mm_ssh_gssapi_userok(char *user) +@@ -1267,6 +1267,51 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } @@ -2163,8 +2163,8 @@ diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c #ifdef JPAKE diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h ---- openssh-5.4p1/monitor_wrap.h.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/monitor_wrap.h.gsskex 2010-10-22 16:20:01.000000000 +0200 ++++ openssh-5.4p1/monitor_wrap.h 2010-10-22 16:20:02.000000000 +0200 @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -2179,7 +2179,7 @@ diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h #ifdef USE_PAM diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c --- openssh-5.4p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100 -+++ openssh-5.4p1/readconf.c 2010-03-01 18:14:29.000000000 +0100 ++++ openssh-5.4p1/readconf.c 2010-10-22 16:20:02.000000000 +0200 @@ -127,6 +127,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, @@ -2263,7 +2263,7 @@ diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c if (options->kbd_interactive_authentication == -1) diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h --- openssh-5.4p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100 -+++ openssh-5.4p1/readconf.h 2010-03-01 18:14:29.000000000 +0100 ++++ openssh-5.4p1/readconf.h 2010-10-22 16:20:02.000000000 +0200 @@ -44,7 +44,11 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ @@ -2277,8 +2277,8 @@ diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c ---- openssh-5.4p1/servconf.c.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/servconf.c 2010-03-01 18:25:32.000000000 +0100 +--- openssh-5.4p1/servconf.c.gsskex 2010-10-22 16:20:02.000000000 +0200 ++++ openssh-5.4p1/servconf.c 2010-10-22 16:20:02.000000000 +0200 @@ -93,7 +93,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; @@ -2290,7 +2290,7 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -215,8 +218,14 @@ fill_default_server_options(ServerOption +@@ -217,8 +220,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2305,7 +2305,7 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -310,7 +319,9 @@ typedef enum { +@@ -312,7 +321,9 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -2316,7 +2316,7 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -373,9 +384,15 @@ static struct { +@@ -376,9 +387,15 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2332,7 +2332,7 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -935,10 +952,22 @@ process_server_config_line(ServerOptions +@@ -940,10 +957,22 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; @@ -2356,8 +2356,8 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c intptr = &options->password_authentication; goto parse_flag; diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h ---- openssh-5.4p1/servconf.h.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/servconf.h 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/servconf.h.gsskex 2010-10-22 16:20:02.000000000 +0200 ++++ openssh-5.4p1/servconf.h 2010-10-22 16:20:02.000000000 +0200 @@ -94,7 +94,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ @@ -2370,8 +2370,8 @@ diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5 ---- openssh-5.4p1/ssh_config.5.gsskex 2010-02-11 23:26:02.000000000 +0100 -+++ openssh-5.4p1/ssh_config.5 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/ssh_config.5.gsskex 2010-03-05 11:31:12.000000000 +0100 ++++ openssh-5.4p1/ssh_config.5 2010-10-22 16:20:02.000000000 +0200 @@ -478,11 +478,38 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2413,8 +2413,8 @@ diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5 Indicates that .Xr ssh 1 diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config ---- openssh-5.4p1/ssh_config.gsskex 2010-03-01 18:14:24.000000000 +0100 -+++ openssh-5.4p1/ssh_config 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/ssh_config.gsskex 2010-10-22 16:20:00.000000000 +0200 ++++ openssh-5.4p1/ssh_config 2010-10-22 16:20:02.000000000 +0200 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2425,8 +2425,8 @@ diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config # CheckHostIP yes # AddressFamily any diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c ---- openssh-5.4p1/sshconnect2.c.gsskex 2010-03-01 18:14:27.000000000 +0100 -+++ openssh-5.4p1/sshconnect2.c 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/sshconnect2.c.gsskex 2010-10-22 16:20:01.000000000 +0200 ++++ openssh-5.4p1/sshconnect2.c 2010-10-22 16:20:02.000000000 +0200 @@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho { Kex *kex; @@ -2515,18 +2515,19 @@ diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c #endif void userauth(Authctxt *, char *); -@@ -268,6 +321,10 @@ static char *authmethods_get(void); +@@ -268,6 +321,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI + {"gssapi-keyex", + userauth_gsskeyex, ++ NULL, + &options.gss_authentication, + NULL}, {"gssapi-with-mic", userauth_gssapi, NULL, -@@ -576,23 +633,35 @@ userauth_gssapi(Authctxt *authctxt) +@@ -576,23 +634,35 @@ userauth_gssapi(Authctxt *authctxt) int ok = 0; char* remotehost = NULL; const char* canonicalhost = get_canonical_hostname(1); @@ -2564,7 +2565,7 @@ diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c ok = 1; /* Mechanism works */ } else { mech++; -@@ -689,8 +758,8 @@ input_gssapi_response(int type, u_int32_ +@@ -689,8 +759,8 @@ input_gssapi_response(int type, u_int32_ { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -2575,7 +2576,7 @@ diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); -@@ -800,6 +869,48 @@ input_gssapi_error(int type, u_int32_t p +@@ -800,6 +870,48 @@ input_gssapi_error(int type, u_int32_t p xfree(msg); xfree(lang); } @@ -2625,8 +2626,8 @@ diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c int diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c ---- openssh-5.4p1/sshd.c.gsskex 2010-03-01 18:14:27.000000000 +0100 -+++ openssh-5.4p1/sshd.c 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/sshd.c.gsskex 2010-10-22 16:20:01.000000000 +0200 ++++ openssh-5.4p1/sshd.c 2010-10-22 16:20:02.000000000 +0200 @@ -129,6 +129,10 @@ int allow_severity; int deny_severity; #endif /* LIBWRAP */ @@ -2713,7 +2714,7 @@ diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2314,12 +2375,61 @@ do_ssh2_kex(void) +@@ -2315,12 +2376,61 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); @@ -2776,8 +2777,8 @@ diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5 ---- openssh-5.4p1/sshd_config.5.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/sshd_config.5 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/sshd_config.5.gsskex 2010-10-22 16:20:02.000000000 +0200 ++++ openssh-5.4p1/sshd_config.5 2010-10-22 16:20:02.000000000 +0200 @@ -379,12 +379,40 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2820,8 +2821,8 @@ diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5 Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config ---- openssh-5.4p1/sshd_config.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/sshd_config 2010-03-01 18:14:29.000000000 +0100 +--- openssh-5.4p1/sshd_config.gsskex 2010-10-22 16:20:02.000000000 +0200 ++++ openssh-5.4p1/sshd_config 2010-10-22 16:20:02.000000000 +0200 @@ -78,6 +78,8 @@ ChallengeResponseAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes @@ -2833,7 +2834,7 @@ diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config # and session processing. If this is enabled, PAM authentication will diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h --- openssh-5.4p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 -+++ openssh-5.4p1/ssh-gss.h 2010-03-01 18:14:30.000000000 +0100 ++++ openssh-5.4p1/ssh-gss.h 2010-10-22 16:20:02.000000000 +0200 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* diff --git a/openssh.spec b/openssh.spec index 6b8840b..a1be665 100644 --- a/openssh.spec +++ b/openssh.spec @@ -67,7 +67,7 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%define openssh_rel 3 +%define openssh_rel 4 %define pam_ssh_agent_rel 24 %define pam_ssh_agent_ver 0.9.2 @@ -529,6 +529,9 @@ fi %endif %changelog +* Fri Oct 20 2010 Jan F. Chadima - 5.4p1-4 +- update gsskex patch (#645389) + * Mon May 31 2010 Jan F. Chadima - 5.4p1-3 - parsing authorised file (#595935)