diff --git a/openssh-5.9p1-null-xcrypt.patch b/openssh-5.9p1-null-xcrypt.patch deleted file mode 100644 index 50f32ff..0000000 --- a/openssh-5.9p1-null-xcrypt.patch +++ /dev/null @@ -1,17 +0,0 @@ -Index: auth-passwd.c -=================================================================== -RCS file: /cvs/openssh/auth-passwd.c,v -retrieving revision 1.90 -retrieving revision 1.91 -diff -u -r1.90 -r1.91 ---- auth-passwd.c 8 Mar 2009 00:40:28 -0000 1.90 -+++ auth-passwd.c 25 Apr 2012 23:51:28 -0000 1.91 -@@ -209,6 +209,7 @@ - * Authentication is accepted if the encrypted passwords - * are identical. - */ -- return (strcmp(encrypted_password, pw_password) == 0); -+ return encrypted_password != NULL && -+ strcmp(encrypted_password, pw_password) == 0; - } - #endif diff --git a/openssh-5.9p1-akc.patch b/openssh-6.1p1-akc.patch similarity index 81% rename from openssh-5.9p1-akc.patch rename to openssh-6.1p1-akc.patch index e50098f..49fa169 100644 --- a/openssh-5.9p1-akc.patch +++ b/openssh-6.1p1-akc.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c ---- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100 -+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100 +diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c +--- openssh-6.1p1/auth2-pubkey.c.akc 2012-09-14 20:20:48.459445650 +0200 ++++ openssh-6.1p1/auth2-pubkey.c 2012-09-14 20:20:48.520446072 +0200 @@ -27,6 +27,7 @@ #include @@ -9,7 +9,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c #include #include -@@ -276,27 +277,15 @@ match_principals_file(char *file, struct +@@ -277,27 +278,15 @@ match_principals_file(char *file, struct /* return 1 if user allows given key */ static int 
@@ -38,7 +38,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c found_key = 0; found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); -@@ -389,8 +378,6 @@ user_key_allowed2(struct passwd *pw, Key +@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key break; } } @@ -47,7 +47,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c key_free(found); if (!found_key) debug2("key not found"); -@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw, +@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw, return ret; } @@ -240,10 +240,10 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c if (auth_key_is_revoked(key)) return 0; if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) -diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac ---- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100 -+++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100 -@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit], +diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac +--- openssh-6.1p1/configure.ac.akc 2012-07-06 03:49:29.000000000 +0200 ++++ openssh-6.1p1/configure.ac 2012-09-14 20:20:48.525446106 +0200 +@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit], esac ] ) @@ -262,7 +262,7 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ arc4random \ -@@ -4239,6 +4251,7 @@ echo " SELinux support +@@ -4407,6 +4419,7 @@ echo " SELinux support echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" 
@@ -270,10 +270,10 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" -diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c ---- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100 -+++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100 -@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions +diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c +--- openssh-6.1p1/servconf.c.akc 2012-09-14 20:20:48.138443423 +0200 ++++ openssh-6.1p1/servconf.c 2012-09-14 20:27:34.546107295 +0200 +@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; @@ -282,18 +282,18 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c options->zero_knowledge_password_authentication = -1; options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; -@@ -329,6 +331,7 @@ typedef enum { +@@ -334,6 +336,7 @@ typedef enum { sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, - sKexAlgorithms, sIPQoS, + sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs, sDeprecated, sUnsupported } ServerOpCodes; -@@ -455,6 +458,13 @@ static struct { - { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL }, +@@ -461,6 +464,14 @@ static struct { { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL }, + { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, +#ifdef WITH_AUTHORIZED_KEYS_COMMAND + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, + { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL }, 
@@ -301,12 +301,13 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c + { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL }, + { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL }, +#endif ++ { NULL, sBadOption, 0 } }; -@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions +@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions } - break; + return 0; + case sAuthorizedKeysCommand: + len = strspn(cp, WHITESPACE); @@ -329,7 +330,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); -@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d +@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(zero_knowledge_password_authentication); 
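Review bot: The rebased keyword-table hunk (`+@@ -461,6 +464,14 @@`) now inserts the table terminator itself, `++ { NULL, sBadOption, 0 }`, right after the `#endif`, which has nothing to do with AuthorizedKeysCommand and ties this patch's correctness to the rest of the series: the context after the insertion is `};`, so either an earlier patch in the series dropped the sentinel and this one is quietly repairing it, or the 6.1p1 table still has it and this is a duplicate. A missing terminator sends the keyword lookup loop (it stops on a NULL name) past the end of the table, while a duplicate is harmless but misleading to the next rebase. Either state the reason in the patch header or move the sentinel fix into the patch that removed it. The `case sAuthorizedKeysCommand:` body at `+@@ -1532,6 +1543,24 @@` continues outside this hunk, so its parsing could not be reviewed here.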
@@ -338,30 +339,30 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_empty_passwd); -@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o) - dump_cfg_string(sRevokedKeys, o->revoked_keys_file); +@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedPrincipalsFile, o->authorized_principals_file); + dump_cfg_string(sVersionAddendum, o->version_addendum); + dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); + dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); -diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h ---- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100 -+++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100 +diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h +--- openssh-6.1p1/servconf.h.akc 2012-09-14 20:20:48.000000000 +0200 ++++ openssh-6.1p1/servconf.h 2012-09-14 20:23:16.691844577 +0200 @@ -169,6 +169,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; char *authorized_principals_file; + char *authorized_keys_command; + char *authorized_keys_command_runas; - } ServerOptions; - /* -diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config ---- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200 -+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100 + char *version_addendum; /* Appended to SSH banner */ + } ServerOptions; +diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config +--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200 ++++ openssh-6.1p1/sshd_config 2012-09-14 20:30:46.950095769 +0200 @@ -49,6 +49,9 @@ # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys 
@@ -369,12 +370,12 @@ diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config +#AuthorizedKeysCommand none +#AuthorizedKeysCommandRunAs nobody + + #AuthorizedPrincipalsFile none + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts - #RhostsRSAAuthentication no - # similar for protocol version 2 -diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 ---- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200 -+++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100 +diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0 +--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200 ++++ openssh-6.1p1/sshd_config.0 2012-09-14 20:32:23.539624859 +0200 @@ -71,6 +71,23 @@ DESCRIPTION See PATTERNS in ssh_config(5) for more information on patterns. 
@@ -399,19 +400,19 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. The format is described in the -@@ -401,7 +418,8 @@ DESCRIPTION - +@@ -402,7 +419,8 @@ DESCRIPTION Only a subset of keywords may be used on the lines following a - Match keyword. Available keywords are AllowAgentForwarding, -- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, -+ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand, -+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, - Banner, ChrootDirectory, ForceCommand, GatewayPorts, - GSSAPIAuthentication, HostbasedAuthentication, + Match keyword. Available keywords are AcceptEnv, + AllowAgentForwarding, AllowGroups, AllowTcpForwarding, +- AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, ++ AllowUsers, AuthorizedKeysFile, AuthorizedKeysCommand, ++ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, Banner, + ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, + GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, -diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 ---- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100 -+++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100 +diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5 +--- openssh-6.1p1/sshd_config.5.akc 2012-09-14 20:20:48.142443448 +0200 ++++ openssh-6.1p1/sshd_config.5 2012-09-14 20:29:56.003873873 +0200 @@ -151,6 +151,19 @@ See in .Xr ssh_config 5 
@@ -432,16 +433,16 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. -@@ -706,6 +719,8 @@ Available keywords are - .Cm AllowAgentForwarding , +@@ -712,6 +725,8 @@ Available keywords are .Cm AllowTcpForwarding , + .Cm AllowUsers , .Cm AuthorizedKeysFile , +.Cm AuthorizedKeysCommand , +.Cm AuthorizedKeysCommandRunAs , .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , -@@ -718,6 +733,7 @@ Available keywords are +@@ -726,6 +741,7 @@ Available keywords are .Cm KerberosAuthentication , .Cm MaxAuthTries , .Cm MaxSessions , diff --git a/openssh-5.8p2-askpass-ld.patch b/openssh-6.1p1-askpass-ld.patch similarity index 53% rename from openssh-5.8p2-askpass-ld.patch rename to openssh-6.1p1-askpass-ld.patch index 5b85c80..f7a7fac 100644 --- a/openssh-5.8p2-askpass-ld.patch +++ b/openssh-6.1p1-askpass-ld.patch @@ -1,7 +1,7 @@ -diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile ---- openssh-5.8p2/contrib/Makefile.askpass-ld 2011-08-08 22:54:06.050546199 +0200 -+++ openssh-5.8p2/contrib/Makefile 2011-08-08 22:54:43.364420118 +0200 -@@ -2,12 +2,12 @@ all: +diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile +--- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200 ++++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200 +@@ -4,12 +4,12 @@ all: @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2" gnome-ssh-askpass1: gnome-ssh-askpass1.c 
@@ -11,8 +11,8 @@ diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefil `gnome-config --libs gnome gnomeui` gnome-ssh-askpass2: gnome-ssh-askpass2.c -- $(CC) `pkg-config --cflags gtk+-2.0` \ -+ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \ +- $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \ ++ $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ - `pkg-config --libs gtk+-2.0 x11` + `$(PKG_CONFIG) --libs gtk+-2.0 x11` diff --git a/openssh-5.9p1-coverity.patch b/openssh-6.1p1-coverity.patch similarity index 73% rename from openssh-5.9p1-coverity.patch rename to openssh-6.1p1-coverity.patch index f3524e3..0c8fb23 100644 --- a/openssh-5.9p1-coverity.patch +++ b/openssh-6.1p1-coverity.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c ---- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200 -+++ openssh-5.9p1/auth-pam.c 2011-09-14 08:09:47.074520582 +0200 +diff -up openssh-6.1p1/auth-pam.c.coverity openssh-6.1p1/auth-pam.c +--- openssh-6.1p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200 ++++ openssh-6.1p1/auth-pam.c 2012-09-14 21:16:41.264906486 +0200 @@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void * if (sshpam_thread_status != -1) return (sshpam_thread_status); 
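Review bot: The `${CFLAGS}` added to the gnome-ssh-askpass2 rule uses brace syntax while the same line uses `$(CC)` and `$(PKG_CONFIG)`; `$(CFLAGS)` would match the file's style. That command both compiles and links, and it still receives no `$(LDFLAGS)`, so linker-side hardening flags a distro build exports through LDFLAGS would not reach gnome-ssh-askpass2 — if that is deliberate a note in the patch header would help, otherwise `$(CC) $(CFLAGS) $(LDFLAGS) \`$(PKG_CONFIG) --cflags gtk+-2.0\` \` is the minimal change. The gnome-ssh-askpass1 rule in the same Makefile lies outside this hunk and presumably needs the same treatment.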
@@ -15,43 +15,10 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c return (status); } #endif -diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c ---- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200 -+++ openssh-5.9p1/channels.c 2011-09-14 08:09:47.556582810 +0200 -@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd - channel_max_fd = MAX(channel_max_fd, wfd); - channel_max_fd = MAX(channel_max_fd, efd); - -- if (rfd != -1) -+ if (rfd >= 0) - fcntl(rfd, F_SETFD, FD_CLOEXEC); -- if (wfd != -1 && wfd != rfd) -+ if (wfd >= 0 && wfd != rfd) - fcntl(wfd, F_SETFD, FD_CLOEXEC); -- if (efd != -1 && efd != rfd && efd != wfd) -+ if (efd >= 0 && efd != rfd && efd != wfd) - fcntl(efd, F_SETFD, FD_CLOEXEC); - - c->rfd = rfd; -@@ -248,11 +248,11 @@ channel_register_fds(Channel *c, int rfd - - /* enable nonblocking mode */ - if (nonblock) { -- if (rfd != -1) -+ if (rfd >= 0) - set_nonblock(rfd); -- if (wfd != -1) -+ if (wfd >= 0) - set_nonblock(wfd); -- if (efd != -1) -+ if (efd >= 0) - set_nonblock(efd); - } - } -diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c ---- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200 -+++ openssh-5.9p1/clientloop.c 2011-09-14 08:17:41.556521887 +0200 -@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_ +diff -up openssh-6.1p1/clientloop.c.coverity openssh-6.1p1/clientloop.c +--- openssh-6.1p1/clientloop.c.coverity 2012-06-20 14:31:27.000000000 +0200 ++++ openssh-6.1p1/clientloop.c 2012-09-14 21:16:41.267906501 +0200 +@@ -2006,14 +2006,15 @@ client_input_global_request(int type, u_ char *rtype; int want_reply; int success = 0; 
@@ -69,10 +36,43 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c packet_send(); packet_write_wait(); } -diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c ---- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200 -+++ openssh-5.9p1/key.c 2011-09-14 08:09:47.803458435 +0200 -@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp) +diff -up openssh-6.1p1/channels.c.coverity openssh-6.1p1/channels.c +--- openssh-6.1p1/channels.c.coverity 2012-04-23 10:21:05.000000000 +0200 ++++ openssh-6.1p1/channels.c 2012-09-14 21:16:41.272906528 +0200 +@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd + channel_max_fd = MAX(channel_max_fd, wfd); + channel_max_fd = MAX(channel_max_fd, efd); + +- if (rfd != -1) ++ if (rfd >= 0) + fcntl(rfd, F_SETFD, FD_CLOEXEC); +- if (wfd != -1 && wfd != rfd) ++ if (wfd >= 0 && wfd != rfd) + fcntl(wfd, F_SETFD, FD_CLOEXEC); +- if (efd != -1 && efd != rfd && efd != wfd) ++ if (efd >= 0 && efd != rfd && efd != wfd) + fcntl(efd, F_SETFD, FD_CLOEXEC); + + c->rfd = rfd; +@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd + + /* enable nonblocking mode */ + if (nonblock) { +- if (rfd != -1) ++ if (rfd >= 0) + set_nonblock(rfd); +- if (wfd != -1) ++ if (wfd >= 0) + set_nonblock(wfd); +- if (efd != -1) ++ if (efd >= 0) + set_nonblock(efd); + } + } +diff -up openssh-6.1p1/key.c.coverity openssh-6.1p1/key.c +--- openssh-6.1p1/key.c.coverity 2012-06-30 12:05:02.000000000 +0200 ++++ openssh-6.1p1/key.c 2012-09-14 21:16:41.274906537 +0200 +@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp) success = 1; /*XXXX*/ key_free(k); 
@@ -83,10 +83,9 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c /* advance cp: skip whitespace and data */ while (*cp == ' ' || *cp == '\t') cp++; -diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c -diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c ---- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200 -+++ openssh-5.9p1/monitor.c 2011-09-14 08:09:47.914584009 +0200 +diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c +--- openssh-6.1p1/monitor.c.coverity 2012-06-30 00:33:17.000000000 +0200 ++++ openssh-6.1p1/monitor.c 2012-09-14 21:16:41.277906552 +0200 @@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx } @@ -96,7 +95,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c ; if (!authctxt->valid) -@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m +@@ -1159,6 +1159,10 @@ mm_answer_keyallowed(int sock, Buffer *m break; } } @@ -107,7 +106,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c if (key != NULL) key_free(key); -@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m +@@ -1180,9 +1184,6 @@ mm_answer_keyallowed(int sock, Buffer *m xfree(chost); } @@ -117,9 +116,9 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c buffer_clear(m); buffer_put_int(m, allowed); buffer_put_int(m, forced_command != NULL); -diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c ---- openssh-5.9p1/monitor_wrap.c.coverity 2011-09-14 08:11:36.480500123 +0200 -+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 08:14:11.279520598 +0200 +diff -up openssh-6.1p1/monitor_wrap.c.coverity openssh-6.1p1/monitor_wrap.c +--- openssh-6.1p1/monitor_wrap.c.coverity 2011-06-20 06:42:23.000000000 +0200 ++++ openssh-6.1p1/monitor_wrap.c 2012-09-14 21:16:41.280906568 +0200 @@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || (tmp2 = dup(pmonitor->m_recvfd)) == -1) { 
@@ -134,9 +133,9 @@ diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c return 0; } close(tmp1); -diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c ---- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100 -+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-14 08:09:48.084459344 +0200 +diff -up openssh-6.1p1/openbsd-compat/bindresvport.c.coverity openssh-6.1p1/openbsd-compat/bindresvport.c +--- openssh-6.1p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100 ++++ openssh-6.1p1/openbsd-compat/bindresvport.c 2012-09-14 21:16:41.281906573 +0200 @@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr struct sockaddr_in6 *in6; u_int16_t *portp; @@ -146,9 +145,9 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open int i; if (sa == NULL) { -diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c ---- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200 -+++ openssh-5.9p1/packet.c 2011-09-14 08:09:48.184587842 +0200 +diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c +--- openssh-6.1p1/packet.c.coverity 2012-03-09 00:28:07.000000000 +0100 ++++ openssh-6.1p1/packet.c 2012-09-14 21:16:41.284906588 +0200 @@ -1177,6 +1177,7 @@ packet_read_poll1(void) case DEATTACK_DETECTED: packet_disconnect("crc32 compensation attack: " @@ -157,7 +156,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c case DEATTACK_DOS_DETECTED: packet_disconnect("deattack denial of " "service detected"); -@@ -1684,7 +1685,7 @@ void +@@ -1678,7 +1679,7 @@ void packet_write_wait(void) { fd_set *setp; 
@@ -166,9 +165,9 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c struct timeval start, timeout, *timeoutp = NULL; setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, -diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c ---- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-5.9p1/progressmeter.c 2011-09-14 08:09:48.300586004 +0200 +diff -up openssh-6.1p1/progressmeter.c.coverity openssh-6.1p1/progressmeter.c +--- openssh-6.1p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200 ++++ openssh-6.1p1/progressmeter.c 2012-09-14 21:16:41.285906593 +0200 @@ -65,7 +65,7 @@ static void update_progress_meter(int); static time_t start; /* start progress */ @@ -187,9 +186,9 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c { start = last_update = time(NULL); file = f; -diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h ---- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200 -+++ openssh-5.9p1/progressmeter.h 2011-09-14 08:09:48.420645724 +0200 +diff -up openssh-6.1p1/progressmeter.h.coverity openssh-6.1p1/progressmeter.h +--- openssh-6.1p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200 ++++ openssh-6.1p1/progressmeter.h 2012-09-14 21:16:41.286906598 +0200 @@ -23,5 +23,5 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ 
@@ -197,9 +196,9 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h -void start_progress_meter(char *, off_t, off_t *); +void start_progress_meter(const char *, off_t, off_t *); void stop_progress_meter(void); -diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c ---- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100 -+++ openssh-5.9p1/scp.c 2011-09-14 08:09:48.531505457 +0200 +diff -up openssh-6.1p1/scp.c.coverity openssh-6.1p1/scp.c +--- openssh-6.1p1/scp.c.coverity 2011-09-22 13:38:01.000000000 +0200 ++++ openssh-6.1p1/scp.c 2012-09-14 21:16:41.288906608 +0200 @@ -155,7 +155,7 @@ killchild(int signo) { if (do_cmd_pid > 1) { @@ -209,19 +208,10 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c } if (signo) -diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c ---- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200 -+++ openssh-5.9p1/servconf.c 2011-09-14 08:30:17.557468182 +0200 -@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin - debug3("checking syntax for 'Match %s'", cp); - else - debug3("checking match for '%s' user %s host %s addr %s", cp, -- user ? user : "(null)", host ? host : "(null)", -+ user /* User is not NULL ? user : "(null)" */, host ? host : "(null)", - address ? address : "(null)"); - - while ((attrib = strdelim(&cp)) && *attrib != '\0') { -@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions +diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c +--- openssh-6.1p1/servconf.c.coverity 2012-07-31 04:22:38.000000000 +0200 ++++ openssh-6.1p1/servconf.c 2012-09-14 21:16:41.291906623 +0200 +@@ -1249,7 +1249,7 @@ process_server_config_line(ServerOptions fatal("%s line %d: Missing subsystem name.", filename, linenum); if (!*activep) { 
@@ -230,7 +220,7 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c break; } for (i = 0; i < options->num_subsystems; i++) -@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions +@@ -1340,8 +1340,9 @@ process_server_config_line(ServerOptions if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); /* increase optional counter */ @@ -242,9 +232,9 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c } break; -diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c ---- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200 -+++ openssh-5.9p1/serverloop.c 2011-09-14 08:09:48.793586380 +0200 +diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c +--- openssh-6.1p1/serverloop.c.coverity 2012-06-20 14:31:27.000000000 +0200 ++++ openssh-6.1p1/serverloop.c 2012-09-14 21:16:41.294906638 +0200 @@ -147,13 +147,13 @@ notify_setup(void) static void notify_parent(void) @@ -272,7 +262,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c debug2("notify_done: reading"); } -@@ -330,7 +330,7 @@ wait_until_can_do_something(fd_set **rea +@@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea * If we have buffered data, try to write some of that data * to the program. */ @@ -281,7 +271,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c FD_SET(fdin, *writesetp); } notify_prepare(*readsetp); -@@ -470,7 +470,7 @@ process_output(fd_set *writeset) +@@ -476,7 +476,7 @@ process_output(fd_set *writeset) int len; /* Write buffered data to program stdin. */ 
@@ -290,7 +280,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c data = buffer_ptr(&stdin_buffer); dlen = buffer_len(&stdin_buffer); len = write(fdin, data, dlen); -@@ -583,7 +583,7 @@ server_loop(pid_t pid, int fdin_arg, int +@@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int set_nonblock(fdin); set_nonblock(fdout); /* we don't have stderr for interactive terminal sessions, see below */ @@ -299,7 +289,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c set_nonblock(fderr); if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin)) -@@ -607,7 +607,7 @@ server_loop(pid_t pid, int fdin_arg, int +@@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int max_fd = MAX(connection_in, connection_out); max_fd = MAX(max_fd, fdin); max_fd = MAX(max_fd, fdout); @@ -308,7 +298,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c max_fd = MAX(max_fd, fderr); #endif -@@ -637,7 +637,7 @@ server_loop(pid_t pid, int fdin_arg, int +@@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int * If we have received eof, and there is no more pending * input data, cause a real eof by closing fdin. */ @@ -317,7 +307,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c if (fdin != fdout) close(fdin); else -@@ -735,15 +735,15 @@ server_loop(pid_t pid, int fdin_arg, int +@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int buffer_free(&stderr_buffer); /* Close the file descriptors. */ @@ -336,7 +326,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c close(fdin); fdin = -1; -@@ -937,7 +937,7 @@ server_input_window_size(int type, u_int +@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int debug("Window change received."); packet_check_eom(); 
@@ -345,7 +335,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c pty_change_window_size(fdin, row, col, xpixel, ypixel); } -@@ -990,7 +990,7 @@ server_request_tun(void) +@@ -996,7 +996,7 @@ server_request_tun(void) } tun = packet_get_int(); 
@@ -354,9 +344,111 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c if (tun != SSH_TUNID_ANY && forced_tun_device != tun) goto done; tun = forced_tun_device; -diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c ---- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100 -+++ openssh-5.9p1/sftp-client.c 2011-09-14 08:09:48.910470343 +0200 +diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c +--- openssh-6.1p1/sftp.c.coverity 2012-06-30 00:33:32.000000000 +0200 ++++ openssh-6.1p1/sftp.c 2012-09-14 21:16:41.297906653 +0200 +@@ -206,7 +206,7 @@ killchild(int signo) + { + if (sshpid > 1) { + kill(sshpid, SIGTERM); +- waitpid(sshpid, NULL, 0); ++ (void) waitpid(sshpid, NULL, 0); + } + + _exit(1); +@@ -316,7 +316,7 @@ local_do_ls(const char *args) + + /* Strip one path (usually the pwd) from the start of another */ + static char * +-path_strip(char *path, char *strip) ++path_strip(const char *path, const char *strip) + { + size_t len; + +@@ -334,7 +334,7 @@ path_strip(char *path, char *strip) + } + + static char * +-make_absolute(char *p, char *pwd) ++make_absolute(char *p, const char *pwd) + { + char *abs_str; + +@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a + } + + static int +-is_dir(char *path) ++is_dir(const char *path) + { + struct stat sb; + +@@ -494,7 +494,7 @@ is_dir(char *path) + } + + static int +-remote_is_dir(struct sftp_conn *conn, char *path) ++remote_is_dir(struct sftp_conn *conn, const char *path) + { + Attrib *a; + +@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch + + /* Check whether path returned from glob(..., GLOB_MARK, ...) 
is a directory */ + static int +-pathname_is_dir(char *pathname) ++pathname_is_dir(const char *pathname) + { + size_t l = strlen(pathname); + +@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname) + } + + static int +-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, ++process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, + int pflag, int rflag) + { + char *abs_src = NULL; +@@ -590,7 +590,7 @@ out: + } + + static int +-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, ++process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, + int pflag, int rflag) + { + char *tmp_dst = NULL; +@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void + + /* sftp ls.1 replacement for directories */ + static int +-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) ++do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag) + { + int n; + u_int c = 1, colspace = 0, columns = 1; +@@ -780,7 +780,7 @@ do_ls_dir(struct sftp_conn *conn, char * + + /* sftp ls.1 replacement which handles path globs */ + static int +-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, ++do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path, + int lflag) + { + char *fname, *lname; +@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch + } + + static int +-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag) ++do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag) + { + struct sftp_statvfs st; + char s_used[FMT_SCALED_STRSIZE]; +diff -up openssh-6.1p1/sftp-client.c.coverity openssh-6.1p1/sftp-client.c +--- openssh-6.1p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200 ++++ openssh-6.1p1/sftp-client.c 2012-09-14 21:18:16.891332281 +0200 @@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer * } 
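Review bot: Several of the new const-qualified prototypes in sftp.c run past 80 columns, e.g. `+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,`, the matching `process_put` line, and `+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)`; OpenSSH's KNF style wraps these with a four-space continuation, as the neighbouring `do_globbed_ls(..., const char *strip_path,` / `    int lflag)` already does. The same wrap, `process_get(struct sftp_conn *conn, const char *src, const char *dst,` / `    const char *pwd, int pflag, int rflag)`, keeps the patch from being bounced on style if it is offered upstream. The function bodies are outside these hunks, so whether each parameter is genuinely never written through could not be confirmed here.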
@@ -393,7 +485,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c SFTP_DIRENT ***dir) { Buffer msg; -@@ -571,7 +571,7 @@ do_lsreaddir(struct sftp_conn *conn, cha +@@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha } int @@ -402,7 +494,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { return(do_lsreaddir(conn, path, 0, dir)); } -@@ -589,7 +589,7 @@ void free_sftp_dirents(SFTP_DIRENT **s) +@@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s) } int @@ -411,7 +503,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { u_int status, id; -@@ -604,7 +604,7 @@ do_rm(struct sftp_conn *conn, char *path +@@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path } int @@ -420,7 +512,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { u_int status, id; -@@ -620,7 +620,7 @@ do_mkdir(struct sftp_conn *conn, char *p +@@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p } int @@ -429,7 +521,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { u_int status, id; -@@ -636,7 +636,7 @@ do_rmdir(struct sftp_conn *conn, char *p +@@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p } Attrib * @@ -438,7 +530,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { u_int id; -@@ -650,7 +650,7 @@ do_stat(struct sftp_conn *conn, char *pa +@@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa } Attrib * @@ -447,7 +539,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { u_int id; -@@ -684,7 +684,7 @@ do_fstat(struct sftp_conn *conn, char *h +@@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h #endif int @@ -456,7 +548,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { u_int status, id; -@@ -701,7 +701,7 @@ do_setstat(struct sftp_conn *conn, char +@@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char } int 
@@ -465,7 +557,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c Attrib *a) { u_int status, id; -@@ -718,12 +718,12 @@ do_fsetstat(struct sftp_conn *conn, char +@@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char } char * @@ -474,22 +566,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { Buffer msg; u_int type, expected_id, count, id; - char *filename, *longname; -- Attrib *a; -+/*UNUSED Attrib *a; */ - - expected_id = id = conn->msg_id++; - send_string_request(conn, id, SSH2_FXP_REALPATH, path, -@@ -754,7 +754,7 @@ do_realpath(struct sftp_conn *conn, char - - filename = buffer_get_string(&msg, NULL); - longname = buffer_get_string(&msg, NULL); -- a = decode_attrib(&msg); -+ /*a =*/ (void) decode_attrib(&msg); - - debug3("SSH_FXP_REALPATH %s -> %s", path, filename); - -@@ -766,7 +766,7 @@ do_realpath(struct sftp_conn *conn, char +@@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char } int @@ -498,7 +575,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { Buffer msg; u_int status, id; -@@ -800,7 +800,7 @@ do_rename(struct sftp_conn *conn, char * +@@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char * } int @@ -507,7 +584,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { Buffer msg; u_int status, id; -@@ -833,7 +833,7 @@ do_hardlink(struct sftp_conn *conn, char +@@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char } int @@ -516,7 +593,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { Buffer msg; u_int status, id; -@@ -984,7 +984,7 @@ send_read_request(struct sftp_conn *conn +@@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn } int 
@@ -525,7 +602,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c Attrib *a, int pflag) { Attrib junk; -@@ -1223,7 +1223,7 @@ do_download(struct sftp_conn *conn, char +@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char } static int @@ -534,7 +611,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c Attrib *dirattrib, int pflag, int printflag, int depth) { int i, ret = 0; -@@ -1313,7 +1313,7 @@ download_dir_internal(struct sftp_conn * +@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn * } int @@ -543,7 +620,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c Attrib *dirattrib, int pflag, int printflag) { char *src_canon; -@@ -1331,7 +1331,7 @@ download_dir(struct sftp_conn *conn, cha +@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha } int @@ -552,7 +629,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c int pflag) { int local_fd; -@@ -1514,7 +1514,7 @@ do_upload(struct sftp_conn *conn, char * +@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char * } static int @@ -561,7 +638,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c int pflag, int printflag, int depth) { int ret = 0, status; -@@ -1605,7 +1605,7 @@ upload_dir_internal(struct sftp_conn *co +@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co } int @@ -570,7 +647,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c int pflag) { char *dst_canon; -@@ -1622,7 +1622,7 @@ upload_dir(struct sftp_conn *conn, char +@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char } char * 
@@ -579,9 +656,9 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c { char *ret; size_t len = strlen(p1) + strlen(p2) + 2; -diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h ---- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100 -+++ openssh-5.9p1/sftp-client.h 2011-09-14 08:09:49.021583940 +0200 +diff -up openssh-6.1p1/sftp-client.h.coverity openssh-6.1p1/sftp-client.h +--- openssh-6.1p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100 ++++ openssh-6.1p1/sftp-client.h 2012-09-14 21:16:41.301906674 +0200 @@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in u_int sftp_proto_version(struct sftp_conn *); 
@@ -679,124 +756,9 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h +char *path_append(const char *, const char *); #endif -diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c ---- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100 -+++ openssh-5.9p1/sftp.c 2011-09-14 08:09:49.468493585 +0200 -@@ -206,7 +206,7 @@ killchild(int signo) - { - if (sshpid > 1) { - kill(sshpid, SIGTERM); -- waitpid(sshpid, NULL, 0); -+ (void) waitpid(sshpid, NULL, 0); - } - - _exit(1); -@@ -316,7 +316,7 @@ local_do_ls(const char *args) - - /* Strip one path (usually the pwd) from the start of another */ - static char * --path_strip(char *path, char *strip) -+path_strip(const char *path, const char *strip) - { - size_t len; - -@@ -334,7 +334,7 @@ path_strip(char *path, char *strip) - } - - static char * --make_absolute(char *p, char *pwd) -+make_absolute(char *p, const char *pwd) - { - char *abs_str; - -@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a - } - - static int --is_dir(char *path) -+is_dir(const char *path) - { - struct stat sb; - -@@ -494,7 +494,7 @@ is_dir(char *path) - } - - static int --remote_is_dir(struct sftp_conn *conn, char *path) -+remote_is_dir(struct sftp_conn *conn, const char *path) - { - Attrib *a; - -@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch - - /* Check whether path returned from glob(..., GLOB_MARK, ...) 
is a directory */ - static int --pathname_is_dir(char *pathname) -+pathname_is_dir(const char *pathname) - { - size_t l = strlen(pathname); - -@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname) - } - - static int --process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, -+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, - int pflag, int rflag) - { - char *abs_src = NULL; -@@ -590,7 +590,7 @@ out: - } - - static int --process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, -+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, - int pflag, int rflag) - { - char *tmp_dst = NULL; -@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void - - /* sftp ls.1 replacement for directories */ - static int --do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) -+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag) - { - int n; - u_int c = 1, colspace = 0, columns = 1; -@@ -780,10 +780,10 @@ do_ls_dir(struct sftp_conn *conn, char * - - /* sftp ls.1 replacement which handles path globs */ - static int --do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, -+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path, - int lflag) - { -- Attrib *a = NULL; -+/*UNUSED Attrib *a = NULL;*/ - char *fname, *lname; - glob_t g; - int err; -@@ -828,7 +828,7 @@ do_globbed_ls(struct sftp_conn *conn, ch - colspace = width / columns; - } - -- for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) { -+ for (i = 0; g.gl_pathv[i] && !interrupted; i++/*, a = NULL*/) { - fname = path_strip(g.gl_pathv[i], strip_path); - if (lflag & LS_LONG_VIEW) { - if (g.gl_statv[i] == NULL) { -@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch - } - - static int --do_df(struct sftp_conn *conn, char *path, int hflag, int iflag) -+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag) - { - struct 
sftp_statvfs st; - char s_used[FMT_SCALED_STRSIZE]; -diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c ---- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200 -+++ openssh-5.9p1/ssh-agent.c 2011-09-14 08:09:49.572460295 +0200 +diff -up openssh-6.1p1/ssh-agent.c.coverity openssh-6.1p1/ssh-agent.c +--- openssh-6.1p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200 ++++ openssh-6.1p1/ssh-agent.c 2012-09-14 21:16:41.303906683 +0200 @@ -1147,8 +1147,8 @@ main(int ac, char **av) sanitise_stdfd(); @@ -808,10 +770,10 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c ---- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200 -+++ openssh-5.9p1/sshd.c 2011-09-14 08:09:49.687509968 +0200 -@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt) +diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c +--- openssh-6.1p1/sshd.c.coverity 2012-07-31 04:21:34.000000000 +0200 ++++ openssh-6.1p1/sshd.c 2012-09-14 21:16:41.307906705 +0200 +@@ -682,8 +682,10 @@ privsep_preauth(Authctxt *authctxt) if (getuid() == 0 || geteuid() == 0) privsep_preauth_child(); setproctitle("%s", "[net]"); @@ -823,7 +785,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c return 0; } -@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so +@@ -1311,6 +1313,9 @@ server_accept_loop(int *sock_in, int *so if (num_listen_socks < 0) break; } @@ -833,7 +795,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c } -@@ -1774,7 +1779,7 @@ main(int ac, char **av) +@@ -1768,7 +1773,7 @@ main(int ac, char **av) /* Chdir to the root directory so that the current disk can be unmounted if desired. */ 
diff --git a/openssh-6.0p1-gsskex.patch b/openssh-6.1p1-gsskex.patch
similarity index 91%
rename from openssh-6.0p1-gsskex.patch
rename to openssh-6.1p1-gsskex.patch
index be2aed2..b580a6d 100644
--- a/openssh-6.0p1-gsskex.patch
+++ b/openssh-6.1p1-gsskex.patch
@@ -1,6 +1,115 @@ -diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c ---- openssh-6.0p1/auth2.c.gsskex 2012-09-12 15:32:19.110689080 +0200 -+++ openssh-6.0p1/auth2.c 2012-09-12 15:32:28.309651601 +0200 +diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c +--- openssh-6.1p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200 ++++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:07:19.695203206 +0200 +@@ -50,6 +50,7 @@ + #include + #include + #include ++#include + #include + + extern ServerOptions options; +@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c + + len = strlen(authctxt->krb5_ticket_file) + 6; + authctxt->krb5_ccname = xmalloc(len); +- snprintf(authctxt->krb5_ccname, len, "FILE:%s", ++#ifdef USE_CCAPI ++ snprintf(authctxt->krb5_ccname, len, "API:%s", + authctxt->krb5_ticket_file); ++#else ++ snprintf(authctxt->krb5_ccname, len, "DIR:%s", ++ authctxt->krb5_ticket_file); ++#endif + + #ifdef USE_PAM + if (options.use_pam) +@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c + void + krb5_cleanup_proc(Authctxt *authctxt) + { ++ struct stat krb5_ccname_stat; ++ char krb5_ccname[128], *krb5_ccname_dir_end; ++ + debug("krb5_cleanup_proc called"); + if (authctxt->krb5_fwd_ccache) { + krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); + authctxt->krb5_fwd_ccache = NULL; ++ ++ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */ ++ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10); ++ ++ krb5_ccname_dir_end = strrchr(krb5_ccname, '/'); ++ if (krb5_ccname_dir_end != NULL) { ++ strcpy(krb5_ccname_dir_end, "/primary"); ++ ++ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) { ++ if (unlink(krb5_ccname) == 0) { ++ *krb5_ccname_dir_end = '\0'; ++ if (rmdir(krb5_ccname) == -1) ++ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno)); ++ } ++ else ++ debug("cache primary file '%s', remove failed: %s", ++ krb5_ccname, strerror(errno) ++ ); 
++ } ++ } + } + if (authctxt->krb5_user) { + krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); +@@ -226,31 +255,37 @@ krb5_cleanup_proc(Authctxt *authctxt) + #ifndef HEIMDAL + krb5_error_code + ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { +- int tmpfd, ret, oerrno; +- char ccname[40]; ++ int ret, oerrno; ++ char ccname[128]; + mode_t old_umask; ++#ifdef USE_CCAPI ++ char cctemplate[] = "API:krb5cc_%d"; ++#else ++ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX"; ++ char *tmpdir; ++#endif + + ret = snprintf(ccname, sizeof(ccname), +- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); ++ cctemplate, geteuid()); + if (ret < 0 || (size_t)ret >= sizeof(ccname)) + return ENOMEM; + +- old_umask = umask(0177); +- tmpfd = mkstemp(ccname + strlen("FILE:")); ++#ifndef USE_CCAPI ++ old_umask = umask(0077); ++ tmpdir = mkdtemp(ccname + strlen("DIR:")); + oerrno = errno; + umask(old_umask); +- if (tmpfd == -1) { +- logit("mkstemp(): %.100s", strerror(oerrno)); ++ if (tmpdir == NULL) { ++ logit("mkdtemp(): %.100s", strerror(oerrno)); + return oerrno; + } + +- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { ++ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) { + oerrno = errno; +- logit("fchmod(): %.100s", strerror(oerrno)); +- close(tmpfd); ++ logit("chmod(): %.100s", strerror(oerrno)); + return oerrno; + } +- close(tmpfd); ++#endif + + return (krb5_cc_resolve(ctx, ccname, ccache)); + } +diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c +--- openssh-6.1p1/auth2.c.gsskex 2012-09-14 20:57:55.291263269 +0200 ++++ openssh-6.1p1/auth2.c 2012-09-14 20:57:55.853266860 +0200 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; 
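Review bot: The cleanup added to krb5_cleanup_proc copies the cache name with `strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10)` into an uninitialised 128-byte local, so a name of 118 bytes or more is left without a terminator and the strrchr/strcpy that follow read and write past the copied data; a length-checked strlcpy that skips the removal on truncation is the safer shape, shown below. The same block assumes the "DIR::" prefix unconditionally, while auth_krb5_password earlier in the hunk formats the name as "DIR:%s" (or "API:%s" under USE_CCAPI), so the five-byte offset only lines up if krb5_ticket_file itself begins with ':' — presumably true for a DIR cache, but an explicit strncmp on the prefix would document that and keep the unlink/rmdir from ever running on an API: name. The `stat()` before `unlink()` adds only a check-then-use window; calling `unlink()` directly and treating `errno == ENOENT` as already gone is simpler and has the same outcome. The tail of krb5_cleanup_proc lies outside the hunk, and in the USE_CCAPI build of ssh_krb5_cc_gen the locals `oerrno` and `old_umask` are now declared but never used.
```c
	if (authctxt->krb5_fwd_ccache) {
		/* … unchanged: krb5_cc_destroy() and the NULL reset … */
		/*
		 * Only a DIR: cache leaves a directory behind.  Copy the path
		 * with room for "/primary"; on a foreign prefix or on
		 * truncation leave the cache alone rather than unlink a path
		 * this code did not build.
		 */
		if (strncmp(authctxt->krb5_ccname, "DIR::", strlen("DIR::")) == 0 &&
		    strlcpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"),
		    sizeof(krb5_ccname) - 10) < sizeof(krb5_ccname) - 10) {
			krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
			/* … unchanged: "/primary" unlink and rmdir of the parent … */
		}
	}
```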
@@ -17,9 +126,9 @@ diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c &method_gssapi, #endif #ifdef JPAKE -diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c ---- openssh-6.0p1/auth2-gss.c.gsskex 2012-09-12 15:32:19.126689015 +0200 -+++ openssh-6.0p1/auth2-gss.c 2012-09-12 15:32:28.309651601 +0200 +diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c +--- openssh-6.1p1/auth2-gss.c.gsskex 2012-09-14 20:57:55.292263276 +0200 ++++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:57:55.855266873 +0200 @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_errtok(int, u_int32_t, void *); 
@@ -94,233 +203,9 @@ diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -up openssh-6.0p1/auth-krb5.c.gsskex openssh-6.0p1/auth-krb5.c ---- openssh-6.0p1/auth-krb5.c.gsskex 2012-09-12 15:32:19.118689046 +0200 -+++ openssh-6.0p1/auth-krb5.c 2012-09-12 16:03:22.216097657 +0200 -@@ -50,6 +50,7 @@ - #include - #include - #include -+#include - #include - - extern ServerOptions options; -@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c - - len = strlen(authctxt->krb5_ticket_file) + 6; - authctxt->krb5_ccname = xmalloc(len); -- snprintf(authctxt->krb5_ccname, len, "FILE:%s", -+#ifdef USE_CCAPI -+ snprintf(authctxt->krb5_ccname, len, "API:%s", - authctxt->krb5_ticket_file); -+#else -+ snprintf(authctxt->krb5_ccname, len, "DIR:%s", -+ authctxt->krb5_ticket_file); -+#endif - - #ifdef USE_PAM - if (options.use_pam) -@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c - void - krb5_cleanup_proc(Authctxt *authctxt) - { -+ struct stat krb5_ccname_stat; -+ char krb5_ccname[128], *krb5_ccname_dir_end; -+ - debug("krb5_cleanup_proc called"); - if (authctxt->krb5_fwd_ccache) { - krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); - authctxt->krb5_fwd_ccache = NULL; -+ -+ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */ -+ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10); -+ -+ krb5_ccname_dir_end = strrchr(krb5_ccname, '/'); -+ if (krb5_ccname_dir_end != NULL) { -+ strcpy(krb5_ccname_dir_end, "/primary"); -+ -+ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) { -+ if (unlink(krb5_ccname) == 0) { -+ *krb5_ccname_dir_end = '\0'; -+ if (rmdir(krb5_ccname) == -1) -+ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno)); -+ } -+ else -+ debug("cache primary file '%s', remove failed: %s", -+ krb5_ccname, strerror(errno) -+ ); -+ } -+ } - } - if (authctxt->krb5_user) { - 
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); -@@ -226,29 +255,35 @@ krb5_cleanup_proc(Authctxt *authctxt) - #ifndef HEIMDAL - krb5_error_code - ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { -- int tmpfd, ret; -+ int ret; - char ccname[40]; - mode_t old_umask; -+#ifdef USE_CCAPI -+ char cctemplate[] = "API:krb5cc_%d"; -+#else -+ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX"; -+ char *tmpdir; -+#endif - - ret = snprintf(ccname, sizeof(ccname), -- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); -+ cctemplate, geteuid()); - if (ret < 0 || (size_t)ret >= sizeof(ccname)) - return ENOMEM; - -- old_umask = umask(0177); -- tmpfd = mkstemp(ccname + strlen("FILE:")); -+#ifndef USE_CCAPI -+ old_umask = umask(0077); -+ tmpdir = mkdtemp(ccname + strlen("DIR:")); - umask(old_umask); -- if (tmpfd == -1) { -- logit("mkstemp(): %.100s", strerror(errno)); -+ if (tmpdir == NULL) { -+ logit("mkdtemp(): %.100s", strerror(errno)); - return errno; - } -- -- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { -- logit("fchmod(): %.100s", strerror(errno)); -- close(tmpfd); -+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) { -+ logit("chmod(): %.100s", strerror(errno)); - return errno; - } -- close(tmpfd); -+ -+#endif - - return (krb5_cc_resolve(ctx, ccname, ccache)); - } -diff -up openssh-6.0p1/ChangeLog.gssapi.gsskex openssh-6.0p1/ChangeLog.gssapi ---- openssh-6.0p1/ChangeLog.gssapi.gsskex 2012-09-12 15:32:19.106689094 +0200 -+++ openssh-6.0p1/ChangeLog.gssapi 2012-09-12 15:32:28.310651598 +0200 -@@ -0,0 +1,113 @@ -+20110101 -+ - Finally update for OpenSSH 5.6p1 -+ - Add GSSAPIServerIdentity option from Jim Basney -+ -+20100308 -+ - [ Makefile.in, key.c, key.h ] -+ Updates for OpenSSH 5.4p1 -+ - [ servconf.c ] -+ Include GSSAPI options in the sshd -T configuration dump, and flag -+ some older configuration options as being unsupported. Thanks to Colin -+ Watson. 
-+ - -+ -+20100124 -+ - [ sshconnect2.c ] -+ Adapt to deal with additional element in Authmethod structure. Thanks to -+ Colin Watson -+ -+20090615 -+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c -+ sshd.c ] -+ Fix issues identified by Greg Hudson following a code review -+ Check return value of gss_indicate_mechs -+ Protect GSSAPI calls in monitor, so they can only be used if enabled -+ Check return values of bignum functions in key exchange -+ Use BN_clear_free to clear other side's DH value -+ Make ssh_gssapi_id_kex more robust -+ Only configure kex table pointers if GSSAPI is enabled -+ Don't leak mechanism list, or gss mechanism list -+ Cast data.length before printing -+ If serverkey isn't provided, use an empty string, rather than NULL -+ -+20090201 -+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h -+ ssh_config.5 sshconnet2.c ] -+ Add support for the GSSAPIClientIdentity option, which allows the user -+ to specify which GSSAPI identity to use to contact a given server -+ -+20080404 -+ - [ gss-serv.c ] -+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow -+ been omitted from a previous version of this patch. Reported by Borislav -+ Stoichkov -+ -+20070317 -+ - [ gss-serv-krb5.c ] -+ Remove C99ism, where new_ccname was being declared in the middle of a -+ function -+ -+20061220 -+ - [ servconf.c ] -+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and -+ documented, behaviour. Reported by Dan Watson. -+ -+20060910 -+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c -+ ssh-gss.h ] -+ add support for gss-group14-sha1 key exchange mechanisms -+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ] -+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of -+ acceptor principal checking on multi-homed machines. 
-+ -+ - [ sshd_config ssh_config ] -+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample -+ configuration files -+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ] -+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf() -+ Limit length of error messages displayed by client -+ -+20060909 -+ - [ gss-genr.c gss-serv.c ] -+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server -+ only, where they belong -+ -+ -+20060829 -+ - [ gss-serv-krb5.c ] -+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment -+ variable -+ -+20060828 -+ - [ gss-genr.c ] -+ Avoid Heimdal context freeing problem -+ -+ -+20060818 -+ - [ gss-genr.c ssh-gss.h sshconnect2.c ] -+ Make sure that SPENGO is disabled -+ -+ -+20060421 -+ - [ gssgenr.c, sshconnect2.c ] -+ a few type changes (signed versus unsigned, int versus size_t) to -+ fix compiler errors/warnings -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ kexgssc.c, sshconnect2.c ] -+ fix uninitialized variable warnings -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ gssgenr.c ] -+ pass oid to gss_display_status (helpful when using GSSAPI mechglue) -+ (from jbasney AT ncsa.uiuc.edu) -+ -+ - [ gss-serv-krb5.c ] -+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H -+ (from jbasney AT ncsa.uiuc.edu) -+ -+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c -+ add client-side GssapiKeyExchange option -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ sshconnect2.c ] -+ add support for GssapiTrustDns option for gssapi-with-mic -+ (from jbasney AT ncsa.uiuc.edu) -+ -diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c ---- openssh-6.0p1/clientloop.c.gsskex 2012-09-12 15:32:19.113689067 +0200 -+++ openssh-6.0p1/clientloop.c 2012-09-12 15:32:28.311651595 +0200 +diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c +--- openssh-6.1p1/clientloop.c.gsskex 2012-09-14 20:57:54.862260529 +0200 ++++ openssh-6.1p1/clientloop.c 2012-09-14 20:57:55.861266911 +0200 
@@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -332,7 +217,7 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c /* import options */ extern Options options; -@@ -1540,6 +1544,15 @@ client_loop(int have_pty, int escape_cha +@@ -1544,6 +1548,15 @@ client_loop(int have_pty, int escape_cha /* Do channel operations unless rekeying in progress. */ if (!rekeying) { channel_after_select(readset, writeset); @@ -348,9 +233,9 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); xxx_kex->done = 0; -diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac ---- openssh-6.0p1/configure.ac.gsskex 2012-09-12 15:32:19.085689183 +0200 -+++ openssh-6.0p1/configure.ac 2012-09-12 15:32:28.312651591 +0200 +diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac +--- openssh-6.1p1/configure.ac.gsskex 2012-09-14 20:57:55.756266240 +0200 ++++ openssh-6.1p1/configure.ac 2012-09-14 20:57:55.865266937 +0200 @@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], @@ -382,9 +267,9 @@ diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac m4_pattern_allow([AU_IPv]) AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) -diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c ---- openssh-6.0p1/gss-genr.c.gsskex 2012-09-12 15:32:19.097689132 +0200 -+++ openssh-6.0p1/gss-genr.c 2012-09-12 15:32:28.313651587 +0200 +diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c +--- openssh-6.1p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-6.1p1/gss-genr.c 2012-09-14 20:57:55.867266949 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ 
@@ -732,9 +617,9 @@ diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c ---- openssh-6.0p1/gss-serv.c.gsskex 2012-09-12 15:32:19.123689027 +0200 -+++ openssh-6.0p1/gss-serv.c 2012-09-12 15:53:27.719520213 +0200 +diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c +--- openssh-6.1p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200 ++++ openssh-6.1p1/gss-serv.c 2012-09-14 20:57:55.870266969 +0200 @@ -45,15 +45,20 @@ #include "channels.h" #include "session.h" @@ -1073,9 +958,9 @@ diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c } #endif -diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c ---- openssh-6.0p1/gss-serv-krb5.c.gsskex 2012-09-12 15:32:19.115689059 +0200 -+++ openssh-6.0p1/gss-serv-krb5.c 2012-09-12 16:36:15.768054426 +0200 +diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c +--- openssh-6.1p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 20:57:55.872266981 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ 
@@ -1198,9 +1083,126 @@ diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c }; #endif /* KRB5 */ -diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c ---- openssh-6.0p1/kex.c.gsskex 2012-09-12 15:32:19.096689136 +0200 -+++ openssh-6.0p1/kex.c 2012-09-12 15:32:28.315651579 +0200 +diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi +--- openssh-6.1p1/ChangeLog.gssapi.gsskex 2012-09-14 20:57:55.858266892 +0200 ++++ openssh-6.1p1/ChangeLog.gssapi 2012-09-14 20:57:55.859266899 +0200 +@@ -0,0 +1,113 @@ ++20110101 ++ - Finally update for OpenSSH 5.6p1 ++ - Add GSSAPIServerIdentity option from Jim Basney ++ ++20100308 ++ - [ Makefile.in, key.c, key.h ] ++ Updates for OpenSSH 5.4p1 ++ - [ servconf.c ] ++ Include GSSAPI options in the sshd -T configuration dump, and flag ++ some older configuration options as being unsupported. Thanks to Colin ++ Watson. ++ - ++ ++20100124 ++ - [ sshconnect2.c ] ++ Adapt to deal with additional element in Authmethod structure. 
Thanks to ++ Colin Watson ++ ++20090615 ++ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c ++ sshd.c ] ++ Fix issues identified by Greg Hudson following a code review ++ Check return value of gss_indicate_mechs ++ Protect GSSAPI calls in monitor, so they can only be used if enabled ++ Check return values of bignum functions in key exchange ++ Use BN_clear_free to clear other side's DH value ++ Make ssh_gssapi_id_kex more robust ++ Only configure kex table pointers if GSSAPI is enabled ++ Don't leak mechanism list, or gss mechanism list ++ Cast data.length before printing ++ If serverkey isn't provided, use an empty string, rather than NULL ++ ++20090201 ++ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h ++ ssh_config.5 sshconnet2.c ] ++ Add support for the GSSAPIClientIdentity option, which allows the user ++ to specify which GSSAPI identity to use to contact a given server ++ ++20080404 ++ - [ gss-serv.c ] ++ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow ++ been omitted from a previous version of this patch. Reported by Borislav ++ Stoichkov ++ ++20070317 ++ - [ gss-serv-krb5.c ] ++ Remove C99ism, where new_ccname was being declared in the middle of a ++ function ++ ++20061220 ++ - [ servconf.c ] ++ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and ++ documented, behaviour. Reported by Dan Watson. ++ ++20060910 ++ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c ++ ssh-gss.h ] ++ add support for gss-group14-sha1 key exchange mechanisms ++ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ] ++ Add GSSAPIStrictAcceptorCheck option to allow the disabling of ++ acceptor principal checking on multi-homed machines. ++ ++ - [ sshd_config ssh_config ] ++ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample ++ configuration files ++ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ] ++ Code cleanup. 
Replace strlen/xmalloc/snprintf sequences with xasprintf() ++ Limit length of error messages displayed by client ++ ++20060909 ++ - [ gss-genr.c gss-serv.c ] ++ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server ++ only, where they belong ++ ++ ++20060829 ++ - [ gss-serv-krb5.c ] ++ Fix CCAPI credentials cache name when creating KRB5CCNAME environment ++ variable ++ ++20060828 ++ - [ gss-genr.c ] ++ Avoid Heimdal context freeing problem ++ ++ ++20060818 ++ - [ gss-genr.c ssh-gss.h sshconnect2.c ] ++ Make sure that SPENGO is disabled ++ ++ ++20060421 ++ - [ gssgenr.c, sshconnect2.c ] ++ a few type changes (signed versus unsigned, int versus size_t) to ++ fix compiler errors/warnings ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ kexgssc.c, sshconnect2.c ] ++ fix uninitialized variable warnings ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ gssgenr.c ] ++ pass oid to gss_display_status (helpful when using GSSAPI mechglue) ++ (from jbasney AT ncsa.uiuc.edu) ++ ++ - [ gss-serv-krb5.c ] ++ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H ++ (from jbasney AT ncsa.uiuc.edu) ++ ++ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c ++ add client-side GssapiKeyExchange option ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ sshconnect2.c ] ++ add support for GssapiTrustDns option for gssapi-with-mic ++ (from jbasney AT ncsa.uiuc.edu) ++ +diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c +--- openssh-6.1p1/kex.c.gsskex 2012-09-14 20:57:55.139262298 +0200 ++++ openssh-6.1p1/kex.c 2012-09-14 20:57:55.874266995 +0200 @@ -51,6 +51,10 @@ #include "roaming.h" #include "audit.h" 
@@ -1233,9 +1235,9 @@ diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c } else fatal("bad kex alg %s", k->name); } -diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c ---- openssh-6.0p1/kexgssc.c.gsskex 2012-09-12 15:32:19.105689098 +0200 -+++ openssh-6.0p1/kexgssc.c 2012-09-12 15:32:28.315651579 +0200 +diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c +--- openssh-6.1p1/kexgssc.c.gsskex 2012-09-14 20:57:55.875267001 +0200 ++++ openssh-6.1p1/kexgssc.c 2012-09-14 20:57:55.875267001 +0200 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1571,9 +1573,9 @@ diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c ---- openssh-6.0p1/kexgsss.c.gsskex 2012-09-12 15:32:19.116689055 +0200 -+++ openssh-6.0p1/kexgsss.c 2012-09-12 15:32:28.316651574 +0200 +diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c +--- openssh-6.1p1/kexgsss.c.gsskex 2012-09-14 20:57:55.876267007 +0200 ++++ openssh-6.1p1/kexgsss.c 2012-09-14 20:57:55.876267007 +0200 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1863,9 +1865,9 @@ diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h ---- openssh-6.0p1/kex.h.gsskex 2012-09-12 15:32:19.093689148 +0200 -+++ openssh-6.0p1/kex.h 2012-09-12 15:32:28.316651574 +0200 +diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h +--- openssh-6.1p1/kex.h.gsskex 2012-09-14 20:57:55.141262312 +0200 ++++ openssh-6.1p1/kex.h 2012-09-14 20:57:55.878267019 +0200 @@ -73,6 +73,9 @@ enum kex_exchange { KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA256, 
@@ -1901,10 +1903,10 @@ diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h void newkeys_destroy(Newkeys *newkeys); void -diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c ---- openssh-6.0p1/key.c.gsskex 2012-09-12 15:32:19.103689108 +0200 -+++ openssh-6.0p1/key.c 2012-09-12 15:32:28.317651570 +0200 -@@ -1006,6 +1006,8 @@ key_ssh_name_from_type_nid(int type, int +diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c +--- openssh-6.1p1/key.c.gsskex 2012-09-14 20:57:55.593265199 +0200 ++++ openssh-6.1p1/key.c 2012-09-14 20:57:55.881267039 +0200 +@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int } break; #endif /* OPENSSL_HAS_ECC */ @@ -1913,7 +1915,7 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c } return "ssh-unknown"; } -@@ -1311,6 +1313,8 @@ key_type_from_name(char *name) +@@ -1316,6 +1318,8 @@ key_type_from_name(char *name) strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { return KEY_ECDSA_CERT; #endif @@ -1922,9 +1924,9 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c } debug2("key_type_from_name: unknown key type '%s'", name); -diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h ---- openssh-6.0p1/key.h.gsskex 2012-09-12 15:32:19.094689144 +0200 -+++ openssh-6.0p1/key.h 2012-09-12 15:32:28.318651566 +0200 +diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h +--- openssh-6.1p1/key.h.gsskex 2012-09-14 20:57:55.184262586 +0200 ++++ openssh-6.1p1/key.h 2012-09-14 20:57:55.882267045 +0200 @@ -44,6 +44,7 @@ enum types { KEY_ECDSA_CERT, KEY_RSA_CERT_V00, 
@@ -1933,9 +1935,9 @@ diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h
  KEY_UNSPEC
  };
  enum fp_type {
-diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
---- openssh-6.0p1/Makefile.in.gsskex 2012-09-12 15:32:19.128689006 +0200
-+++ openssh-6.0p1/Makefile.in 2012-09-12 15:32:28.318651566 +0200
+diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
+--- openssh-6.1p1/Makefile.in.gsskex 2012-09-14 20:57:55.832266726 +0200
++++ openssh-6.1p1/Makefile.in 2012-09-14 20:57:55.884267058 +0200
 @@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
  atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
  monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
@@ -1953,9 +1955,9 @@ diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
  loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
  sftp-server.o sftp-common.o \
  roaming_common.o roaming_serv.o \
-diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
---- openssh-6.0p1/monitor.c.gsskex 2012-09-12 15:32:19.112689072 +0200
-+++ openssh-6.0p1/monitor.c 2012-09-12 15:32:28.319651562 +0200
+diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
+--- openssh-6.1p1/monitor.c.gsskex 2012-09-14 20:57:55.299263321 +0200
++++ openssh-6.1p1/monitor.c 2012-09-14 20:57:55.888267083 +0200
 @@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
@@ -2008,7 +2010,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
  } else {
  mon_dispatch = mon_dispatch_postauth15;
  monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1942,6 +1959,13 @@ mm_get_kex(Buffer *m)
+@@ -1939,6 +1956,13 @@ mm_get_kex(Buffer *m)
  kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
  kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
  kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2022,7 +2024,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
  kex->server = 1;
  kex->hostkey_type = buffer_get_int(m);
  kex->kex_type = buffer_get_int(m);
-@@ -2165,6 +2189,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -2162,6 +2186,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
  OM_uint32 major;
  u_int len;
  
@@ -2032,7 +2034,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
  goid.elements = buffer_get_string(m, &len);
  goid.length = len;
  
-@@ -2192,6 +2219,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2189,6 +2216,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  OM_uint32 flags = 0; /* GSI needs this */
  u_int len;
  
@@ -2042,7 +2044,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
  in.value = buffer_get_string(m, &len);
  in.length = len;
  major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2209,6 +2239,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2206,6 +2236,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2050,7 +2052,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
  }
  return (0);
  }
-@@ -2220,6 +2251,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -2217,6 +2248,9 @@ mm_answer_gss_checkmic(int sock, Buffer
  OM_uint32 ret;
  u_int len;
  
@@ -2060,7 +2062,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
  gssbuf.value = buffer_get_string(m, &len);
  gssbuf.length = len;
  mic.value = buffer_get_string(m, &len);
-@@ -2246,7 +2280,11 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2243,7 +2277,11 @@ mm_answer_gss_userok(int sock, Buffer *m
  {
  int authenticated;
  
@@ -2073,7 +2075,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
  
  buffer_clear(m);
  buffer_put_int(m, authenticated);
-@@ -2260,6 +2298,74 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2257,6 +2295,74 @@ mm_answer_gss_userok(int sock, Buffer *m
  /* Monitor loop will terminate if authenticated */
  return (authenticated);
  }
@@ -2148,9 +2150,9 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
  #endif /* GSSAPI */
  
  #ifdef JPAKE
-diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
---- openssh-6.0p1/monitor.h.gsskex 2012-09-12 15:32:19.119689041 +0200
-+++ openssh-6.0p1/monitor.h 2012-09-12 15:32:28.319651562 +0200
+diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
+--- openssh-6.1p1/monitor.h.gsskex 2012-09-14 20:57:55.300263327 +0200
++++ openssh-6.1p1/monitor.h 2012-09-14 20:57:55.889267090 +0200
 @@ -56,6 +56,8 @@ enum monitor_reqtype {
  MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
  MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@@ -2160,9 +2162,9 @@ diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
  MONITOR_REQ_PAM_START,
  MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
  MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
---- openssh-6.0p1/monitor_wrap.c.gsskex 2012-09-12 15:32:19.122689031 +0200
-+++ openssh-6.0p1/monitor_wrap.c 2012-09-12 15:32:28.320651557 +0200
+diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
+--- openssh-6.1p1/monitor_wrap.c.gsskex 2012-09-14 20:57:55.302263340 +0200
++++ openssh-6.1p1/monitor_wrap.c 2012-09-14 20:57:55.892267109 +0200
 @@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
  }
  
@@ -2224,9 +2226,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
  #endif /* GSSAPI */
  
  #ifdef JPAKE
-diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
---- openssh-6.0p1/monitor_wrap.h.gsskex 2012-09-12 15:32:19.107689091 +0200
-+++ openssh-6.0p1/monitor_wrap.h 2012-09-12 15:32:28.321651552 +0200
+diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
+--- openssh-6.1p1/monitor_wrap.h.gsskex 2012-09-14 20:57:55.304263353 +0200
++++ openssh-6.1p1/monitor_wrap.h 2012-09-14 20:57:55.893267116 +0200
 @@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
  OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
  OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -2239,9 +2241,9 @@ diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
  #endif
  
  #ifdef USE_PAM
-diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
---- openssh-6.0p1/readconf.c.gsskex 2012-09-12 15:32:19.100689120 +0200
-+++ openssh-6.0p1/readconf.c 2012-09-12 15:32:28.321651552 +0200
+diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
+--- openssh-6.1p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
++++ openssh-6.1p1/readconf.c 2012-09-14 20:57:55.896267134 +0200
 @@ -129,6 +129,8 @@ typedef enum {
  oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -2330,9 +2332,9 @@ diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)
-diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
---- openssh-6.0p1/readconf.h.gsskex 2012-09-12 15:32:19.125689019 +0200
-+++ openssh-6.0p1/readconf.h 2012-09-12 15:32:28.322651548 +0200
+diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
+--- openssh-6.1p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
++++ openssh-6.1p1/readconf.h 2012-09-14 20:57:55.897267141 +0200
 @@ -48,7 +48,12 @@ typedef struct {
  int challenge_response_authentication;
  /* Try S/Key or TIS, authentication. */
@@ -2346,10 +2348,10 @@ diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
  int password_authentication; /* Try password
  * authentication. */
  int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
---- openssh-6.0p1/servconf.c.gsskex 2012-09-12 15:32:19.088689170 +0200
-+++ openssh-6.0p1/servconf.c 2012-09-12 15:32:28.323651545 +0200
-@@ -99,7 +99,10 @@ initialize_server_options(ServerOptions
+diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
+--- openssh-6.1p1/servconf.c.gsskex 2012-09-14 20:57:55.760266266 +0200
++++ openssh-6.1p1/servconf.c 2012-09-14 20:57:55.900267160 +0200
+@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
  options->kerberos_ticket_cleanup = -1;
  options->kerberos_get_afs_token = -1;
  options->gss_authentication=-1;
@@ -2360,7 +2362,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
  options->password_authentication = -1;
  options->kbd_interactive_authentication = -1;
  options->challenge_response_authentication = -1;
-@@ -232,8 +235,14 @@ fill_default_server_options(ServerOption
+@@ -236,8 +239,14 @@ fill_default_server_options(ServerOption
  options->kerberos_get_afs_token = 0;
  if (options->gss_authentication == -1)
  options->gss_authentication = 0;
@@ -2375,7 +2377,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)
-@@ -327,7 +336,9 @@ typedef enum {
+@@ -333,7 +342,9 @@ typedef enum {
  sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
  sHostbasedUsesNameFromPacketOnly,
  sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2386,7 +2388,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
  sRequiredAuthentications1, sRequiredAuthentications2,
  sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -393,10 +404,20 @@ static struct {
+@@ -399,10 +410,20 @@ static struct {
  #ifdef GSSAPI
  { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2407,7 +2409,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
  { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
  { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -983,10 +1004,22 @@ process_server_config_line(ServerOptions
+@@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
  intptr = &options->gss_authentication;
  goto parse_flag;
  
@@ -2430,7 +2432,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
  case sPasswordAuthentication:
  intptr = &options->password_authentication;
  goto parse_flag;
-@@ -1794,6 +1827,9 @@ dump_config(ServerOptions *o)
+@@ -1944,6 +1977,9 @@ dump_config(ServerOptions *o)
  #ifdef GSSAPI
  dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
  dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -2440,9 +2442,9 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
  #endif
  #ifdef JPAKE
  dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
-diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
---- openssh-6.0p1/servconf.h.gsskex 2012-09-12 15:32:19.121689034 +0200
-+++ openssh-6.0p1/servconf.h 2012-09-12 15:32:28.323651545 +0200
+diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
+--- openssh-6.1p1/servconf.h.gsskex 2012-09-14 20:57:55.762266278 +0200
++++ openssh-6.1p1/servconf.h 2012-09-14 20:57:55.902267173 +0200
 @@ -103,7 +103,10 @@ typedef struct {
  int kerberos_get_afs_token; /* If true, try to get AFS token if
  * authenticated with Kerberos. */
@@ -2454,9 +2456,21 @@ diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
  int password_authentication; /* If true, permit password
  * authentication. */
  int kbd_interactive_authentication; /* If true, permit */
-diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
---- openssh-6.0p1/ssh_config.5.gsskex 2012-09-12 15:32:19.091689156 +0200
-+++ openssh-6.0p1/ssh_config.5 2012-09-12 15:32:28.324651542 +0200
+diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
+--- openssh-6.1p1/ssh_config.gsskex 2012-09-14 20:57:55.707265928 +0200
++++ openssh-6.1p1/ssh_config 2012-09-14 20:57:55.906267198 +0200
+@@ -26,6 +26,8 @@
+ # HostbasedAuthentication no
+ # GSSAPIAuthentication no
+ # GSSAPIDelegateCredentials no
++# GSSAPIKeyExchange no
++# GSSAPITrustDNS no
+ # BatchMode no
+ # CheckHostIP yes
+ # AddressFamily any
+diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
+--- openssh-6.1p1/ssh_config.5.gsskex 2012-07-02 10:53:38.000000000 +0200
++++ openssh-6.1p1/ssh_config.5 2012-09-14 20:57:55.904267186 +0200
 @@ -527,11 +527,43 @@ Specifies whether user authentication ba
  The default is
  .Dq no .
@@ -2502,21 +2516,9 @@ diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
  .It Cm HashKnownHosts
  Indicates that
  .Xr ssh 1
-diff -up openssh-6.0p1/ssh_config.gsskex openssh-6.0p1/ssh_config
---- openssh-6.0p1/ssh_config.gsskex 2012-09-12 15:32:19.087689174 +0200
-+++ openssh-6.0p1/ssh_config 2012-09-12 15:32:28.324651542 +0200
-@@ -26,6 +26,8 @@
- # HostbasedAuthentication no
- # GSSAPIAuthentication no
- # GSSAPIDelegateCredentials no
-+# GSSAPIKeyExchange no
-+# GSSAPITrustDNS no
- # BatchMode no
- # CheckHostIP yes
- # AddressFamily any
-diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
---- openssh-6.0p1/sshconnect2.c.gsskex 2012-09-12 15:32:19.099689124 +0200
-+++ openssh-6.0p1/sshconnect2.c 2012-09-12 15:32:28.325651538 +0200
+diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
+--- openssh-6.1p1/sshconnect2.c.gsskex 2012-09-14 20:57:55.605265275 +0200
++++ openssh-6.1p1/sshconnect2.c 2012-09-14 20:57:55.909267218 +0200
 @@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
  {
  Kex *kex;
@@ -2715,9 +2717,9 @@ diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
  #endif /* GSSAPI */
  
  int
-diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
---- openssh-6.0p1/sshd.c.gsskex 2012-09-12 15:32:19.130688998 +0200
-+++ openssh-6.0p1/sshd.c 2012-09-12 15:32:28.326651534 +0200
+diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
+--- openssh-6.1p1/sshd.c.gsskex 2012-09-14 20:57:55.799266515 +0200
++++ openssh-6.1p1/sshd.c 2012-09-14 20:57:55.912267237 +0200
 @@ -124,6 +124,10 @@
  #include "ssh-sandbox.h"
  #include "version.h"
@@ -2729,7 +2731,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
  #ifdef LIBWRAP
  #include
  #include
-@@ -1701,10 +1705,13 @@ main(int ac, char **av)
+@@ -1692,10 +1696,13 @@ main(int ac, char **av)
  logit("Disabling protocol version 1. Could not load host key");
  options.protocol &= ~SSH_PROTO_1;
  }
@@ -2743,7 +2745,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
  if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
  logit("sshd: no hostkeys available -- exiting.");
  exit(1);
-@@ -2037,6 +2044,60 @@ main(int ac, char **av)
+@@ -2027,6 +2034,60 @@ main(int ac, char **av)
  /* Log the connection. */
  verbose("Connection from %.500s port %d", remote_ip, remote_port);
  
@@ -2804,7 +2806,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
  /*
  * We don't want to listen forever unless the other side
  * successfully authenticates itself. So we set up an alarm which is
-@@ -2435,6 +2496,48 @@ do_ssh2_kex(void)
+@@ -2425,6 +2486,48 @@ do_ssh2_kex(void)
  
  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
  
@@ -2853,7 +2855,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
  /* start key exchange */
  kex = kex_setup(myproposal);
  kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2442,6 +2545,13 @@ do_ssh2_kex(void)
+@@ -2432,6 +2535,13 @@ do_ssh2_kex(void)
  kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
  kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
  kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2867,10 +2869,22 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
  kex->server = 1;
  kex->client_version_string=client_version_string;
  kex->server_version_string=server_version_string;
-diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
---- openssh-6.0p1/sshd_config.5.gsskex 2012-09-12 15:32:19.109689084 +0200
-+++ openssh-6.0p1/sshd_config.5 2012-09-12 15:32:28.327651530 +0200
-@@ -437,12 +437,40 @@ Specifies whether user authentication ba
+diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
+--- openssh-6.1p1/sshd_config.gsskex 2012-09-14 20:57:55.801266528 +0200
++++ openssh-6.1p1/sshd_config 2012-09-14 20:57:55.916267263 +0200
+@@ -85,6 +85,8 @@ ChallengeResponseAuthentication no
+ GSSAPIAuthentication yes
+ #GSSAPICleanupCredentials yes
+ GSSAPICleanupCredentials yes
++#GSSAPIStrictAcceptorCheck yes
++#GSSAPIKeyExchange no
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
+--- openssh-6.1p1/sshd_config.5.gsskex 2012-09-14 20:57:55.767266310 +0200
++++ openssh-6.1p1/sshd_config.5 2012-09-14 20:57:55.915267256 +0200
+@@ -439,12 +439,40 @@ Specifies whether user authentication ba
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2911,21 +2925,9 @@ diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
  .It Cm HostbasedAuthentication
  Specifies whether rhosts or /etc/hosts.equiv authentication together
  with successful public key client host authentication is allowed
-diff -up openssh-6.0p1/sshd_config.gsskex openssh-6.0p1/sshd_config
---- openssh-6.0p1/sshd_config.gsskex 2012-09-12 15:32:19.102689112 +0200
-+++ openssh-6.0p1/sshd_config 2012-09-12 15:32:28.327651530 +0200
-@@ -83,6 +83,8 @@ ChallengeResponseAuthentication no
- GSSAPIAuthentication yes
- #GSSAPICleanupCredentials yes
- GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-+#GSSAPIKeyExchange no
- 
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-diff -up openssh-6.0p1/ssh-gss.h.gsskex openssh-6.0p1/ssh-gss.h
---- openssh-6.0p1/ssh-gss.h.gsskex 2012-09-12 15:32:19.090689160 +0200
-+++ openssh-6.0p1/ssh-gss.h 2012-09-12 15:32:28.328651526 +0200
+diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
+--- openssh-6.1p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
++++ openssh-6.1p1/ssh-gss.h 2012-09-14 20:57:55.918267275 +0200
 @@ -1,6 +1,6 @@
  /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
  /*
diff --git a/openssh-5.9p1-kuserok.patch b/openssh-6.1p1-kuserok.patch
similarity index 67%
rename from openssh-5.9p1-kuserok.patch
rename to openssh-6.1p1-kuserok.patch
index 11f38a5..7b695e0 100644
--- a/openssh-5.9p1-kuserok.patch
+++ b/openssh-6.1p1-kuserok.patch
@@ -1,7 +1,7 @@
-diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
---- openssh-5.9p0/auth-krb5.c.kuserok 2011-08-30 16:37:32.651150128 +0200
-+++ openssh-5.9p0/auth-krb5.c 2011-08-30 16:37:37.549087368 +0200
-@@ -54,6 +54,20 @@
+diff -up openssh-6.1p1/auth-krb5.c.kuserok openssh-6.1p1/auth-krb5.c
+--- openssh-6.1p1/auth-krb5.c.kuserok 2012-09-14 21:08:16.941496194 +0200
++++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:08:17.063496896 +0200
+@@ -55,6 +55,20 @@
  
  extern ServerOptions options;
  
@@ -22,7 +22,7 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
  static int
  krb5_init(void *context)
  {
-@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c
  if (problem)
  goto out;
  
@@ -31,9 +31,9 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
  problem = -1;
  goto out;
  }
-diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
---- openssh-5.9p0/gss-serv-krb5.c.kuserok 2011-08-30 16:37:36.988024804 +0200
-+++ openssh-5.9p0/gss-serv-krb5.c 2011-08-30 16:37:37.659088030 +0200
+diff -up openssh-6.1p1/gss-serv-krb5.c.kuserok openssh-6.1p1/gss-serv-krb5.c
+--- openssh-6.1p1/gss-serv-krb5.c.kuserok 2012-09-14 21:08:17.019496642 +0200
++++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 21:08:17.065496906 +0200
 @@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
  int);
  
@@ -51,27 +51,27 @@ diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
  retval = 1;
  logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
  luser, (char *)client->displayname.value);
-diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
---- openssh-5.9p0/servconf.c.kuserok 2011-08-30 16:37:35.093073603 +0200
-+++ openssh-5.9p0/servconf.c 2011-08-30 16:41:13.568087145 +0200
-@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions
- options->authorized_principals_file = NULL;
+diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
+--- openssh-6.1p1/servconf.c.kuserok 2012-09-14 21:08:16.989496471 +0200
++++ openssh-6.1p1/servconf.c 2012-09-14 21:09:30.864868698 +0200
+@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions
  options->ip_qos_interactive = -1;
  options->ip_qos_bulk = -1;
+ options->version_addendum = NULL;
 + options->use_kuserok = -1;
  }
  
  void
-@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
- options->ip_qos_bulk = IPTOS_THROUGHPUT;
+@@ -301,6 +302,8 @@ fill_default_server_options(ServerOption
+ options->version_addendum = xstrdup("");
  if (options->show_patchlevel == -1)
- options->show_patchlevel = 0;
+ options->show_patchlevel = 0;
 + if (options->use_kuserok == -1)
 + options->use_kuserok = 1;
  
  /* Turn privilege separation on by default */
  if (use_privsep == -1)
-@@ -317,7 +320,7 @@ typedef enum {
+@@ -327,7 +330,7 @@ typedef enum {
  sPermitRootLogin, sLogFacility, sLogLevel,
  sRhostsRSAAuthentication, sRSAAuthentication,
  sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@@ -94,7 +94,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
  #endif
  { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
  { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1371,6 +1376,10 @@ process_server_config_line(ServerOptions
+@@ -1486,6 +1491,10 @@ process_server_config_line(ServerOptions
  *activep = value;
  break;
  
@@ -105,7 +105,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
  case sPermitOpen:
  arg = strdelim(&cp);
  if (!arg || *arg == '\0')
-@@ -1580,6 +1589,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1769,6 +1778,7 @@ copy_set_server_options(ServerOptions *d
  M_CP_INTOPT(max_authtries);
  M_CP_INTOPT(ip_qos_interactive);
  M_CP_INTOPT(ip_qos_bulk);
@@ -113,7 +113,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
  
  /* See comment in servconf.h */
  COPY_MATCH_STRING_OPTS();
-@@ -1816,6 +1826,7 @@ dump_config(ServerOptions *o)
+@@ -2005,6 +2015,7 @@ dump_config(ServerOptions *o)
  dump_cfg_fmtint(sUseDNS, o->use_dns);
  dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
  dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@@ -121,10 +121,10 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
  
  /* string arguments */
  dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
---- openssh-5.9p0/servconf.h.kuserok 2011-08-30 16:37:35.201051957 +0200
-+++ openssh-5.9p0/servconf.h 2011-08-30 16:37:37.926087431 +0200
-@@ -166,6 +166,7 @@ typedef struct {
+diff -up openssh-6.1p1/servconf.h.kuserok openssh-6.1p1/servconf.h
+--- openssh-6.1p1/servconf.h.kuserok 2012-09-14 21:08:16.990496476 +0200
++++ openssh-6.1p1/servconf.h 2012-09-14 21:08:17.071496942 +0200
+@@ -169,6 +169,7 @@ typedef struct {
  
  int num_permitted_opens;
  
@@ -132,10 +132,21 @@ diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
  char *chroot_directory;
  char *revoked_keys_file;
  char *trusted_user_ca_keys;
-diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
---- openssh-5.9p0/sshd_config.5.kuserok 2011-08-30 16:37:35.979024607 +0200
-+++ openssh-5.9p0/sshd_config.5 2011-08-30 16:37:38.040087843 +0200
-@@ -603,6 +603,10 @@ Specifies whether to automatically destr
+diff -up openssh-6.1p1/sshd_config.kuserok openssh-6.1p1/sshd_config
+--- openssh-6.1p1/sshd_config.kuserok 2012-09-14 21:08:17.002496545 +0200
++++ openssh-6.1p1/sshd_config 2012-09-14 21:08:17.074496957 +0200
+@@ -79,6 +79,7 @@ ChallengeResponseAuthentication no
+ #KerberosOrLocalPasswd yes
+ #KerberosTicketCleanup yes
+ #KerberosGetAFSToken no
++#KerberosUseKuserok yes
+ 
+ # GSSAPI options
+ #GSSAPIAuthentication no
+diff -up openssh-6.1p1/sshd_config.5.kuserok openssh-6.1p1/sshd_config.5
+--- openssh-6.1p1/sshd_config.5.kuserok 2012-09-14 21:08:17.004496556 +0200
++++ openssh-6.1p1/sshd_config.5 2012-09-14 21:08:17.073496952 +0200
+@@ -618,6 +618,10 @@ Specifies whether to automatically destr
  file on logout.
  The default is
  .Dq yes .
@@ -146,7 +157,7 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
  .It Cm KexAlgorithms
  Specifies the available KEX (Key Exchange) algorithms.
  Multiple algorithms must be comma-separated.
-@@ -746,6 +750,7 @@ Available keywords are
+@@ -767,6 +771,7 @@ Available keywords are
  .Cm HostbasedUsesNameFromPacketOnly ,
  .Cm KbdInteractiveAuthentication ,
  .Cm KerberosAuthentication ,
@@ -154,14 +165,3 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
  .Cm MaxAuthTries ,
  .Cm MaxSessions ,
  .Cm PubkeyAuthentication ,
-diff -up openssh-5.9p0/sshd_config.kuserok openssh-5.9p0/sshd_config
---- openssh-5.9p0/sshd_config.kuserok 2011-08-30 16:37:36.808026328 +0200
-+++ openssh-5.9p0/sshd_config 2011-08-30 16:37:38.148071520 +0200
-@@ -77,6 +77,7 @@ ChallengeResponseAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
-+#KerberosUseKuserok yes
- 
- # GSSAPI options
- #GSSAPIAuthentication no
diff --git a/openssh-5.9p1-log-usepam-no.patch b/openssh-6.1p1-log-usepam-no.patch
similarity index 54%
rename from openssh-5.9p1-log-usepam-no.patch
rename to openssh-6.1p1-log-usepam-no.patch
index 614d2cd..4ed52b1 100644
--- a/openssh-5.9p1-log-usepam-no.patch
+++ b/openssh-6.1p1-log-usepam-no.patch
@@ -1,10 +1,9 @@
-diff --git a/sshd.c b/sshd.c
-index 8dcfdf2..95b63ad 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -1592,6 +1592,10 @@ main(int ac, char **av)
+diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
+--- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
++++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
+@@ -1617,6 +1617,10 @@ main(int ac, char **av)
  parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
- &cfg, NULL, NULL, NULL);
+ &cfg, NULL);
  
 + /* 'UsePAM no' is not supported in Fedora */
 + if (! options.use_pam)
@@ -13,11 +12,10 @@ index 8dcfdf2..95b63ad 100644
  seed_rng();
  
  /* Fill in default values for those options not explicitly set. */
-diff --git a/sshd_config b/sshd_config
-index 8c16754..9f28b04 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
+diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
+--- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
++++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
+@@ -95,6 +95,8 @@ GSSAPICleanupCredentials yes
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
diff --git a/openssh-5.9p1-required-authentications.patch b/openssh-6.1p1-required-authentications.patch
similarity index 85%
rename from openssh-5.9p1-required-authentications.patch
rename to openssh-6.1p1-required-authentications.patch
index cecbffc..d10606a 100644
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-6.1p1-required-authentications.patch
@@ -1,6 +1,6 @@
-diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
---- openssh-5.9p1/auth.c.required-authentication 2012-07-27 12:21:41.181601972 +0200
-+++ openssh-5.9p1/auth.c 2012-07-27 12:21:41.203602020 +0200
+diff -up openssh-6.1p1/auth.c.required-authentication openssh-6.1p1/auth.c
+--- openssh-6.1p1/auth.c.required-authentication 2012-09-14 20:17:56.730488188 +0200
++++ openssh-6.1p1/auth.c 2012-09-14 20:17:56.795488498 +0200
 @@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
  }
  
@@ -32,7 +32,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
  {
  switch (options.permit_root_login) {
  case PERMIT_YES:
-@@ -694,3 +696,57 @@ fakepw(void)
+@@ -696,3 +698,57 @@ fakepw(void)
  
  return (&fake);
  }
@@ -90,9 +90,9 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
 +
 + return (ret);
 +}
-diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
---- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h 2012-07-27 12:21:41.204602022 +0200
+diff -up openssh-6.1p1/auth.h.required-authentication openssh-6.1p1/auth.h
+--- openssh-6.1p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
++++ openssh-6.1p1/auth.h 2012-09-14 20:17:56.796488502 +0200
 @@ -142,10 +142,11 @@ void disable_forwarding(void);
  void do_authentication(Authctxt *);
  void do_authentication2(Authctxt *);
@@ -120,9 +120,9 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
  
  int sys_auth_passwd(Authctxt *, const char *);
  
-diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
---- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c 2012-07-27 12:50:50.708706675 +0200
+diff -up openssh-6.1p1/auth1.c.required-authentication openssh-6.1p1/auth1.c
+--- openssh-6.1p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
++++ openssh-6.1p1/auth1.c 2012-09-14 20:17:56.798488515 +0200
 @@ -98,6 +98,55 @@ static const struct AuthMethod1
  return (NULL);
  }
@@ -281,9 +281,9 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  
  packet_start(SSH_SMSG_FAILURE);
  packet_send();
-diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
---- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2.c 2012-07-27 12:51:59.048241612 +0200
+diff -up openssh-6.1p1/auth2.c.required-authentication openssh-6.1p1/auth2.c
+--- openssh-6.1p1/auth2.c.required-authentication 2011-12-19 00:52:51.000000000 +0100
++++ openssh-6.1p1/auth2.c 2012-09-14 20:17:56.799488520 +0200
 @@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
  {
  Authctxt *authctxt = ctxt;
@@ -452,9 +452,9 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 + return (ret);
 +}
 +
-diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
---- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c 2012-07-27 12:21:41.206602026 +0200
+diff -up openssh-6.1p1/auth2-gss.c.required-authentication openssh-6.1p1/auth2-gss.c
+--- openssh-6.1p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
++++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:17:56.801488528 +0200
 @@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
  }
  authctxt->postponed = 0;
@@ -482,9 +482,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
  }
  
  Authmethod method_gssapi = {
-diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
---- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c 2012-07-27 12:21:41.206602026 +0200
+diff -up openssh-6.1p1/auth2-chall.c.required-authentication openssh-6.1p1/auth2-chall.c
+--- openssh-6.1p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
++++ openssh-6.1p1/auth2-chall.c 2012-09-14 20:17:56.802488532 +0200
 @@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
  auth2_challenge_start(authctxt);
  }
@@ -495,9 +495,9 @@ diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2 xfree(method); } -diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c ---- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200 -+++ openssh-5.9p1/auth2-none.c 2012-07-27 12:21:41.207602028 +0200 +diff -up openssh-6.1p1/auth2-none.c.required-authentication openssh-6.1p1/auth2-none.c +--- openssh-6.1p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200 ++++ openssh-6.1p1/auth2-none.c 2012-09-14 20:17:56.803488537 +0200 @@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt) { none_enabled = 0; @@ -507,9 +507,9 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2- return (PRIVSEP(auth_password(authctxt, ""))); return (0); } -diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c ---- openssh-5.9p1/monitor.c.required-authentication 2012-07-27 12:21:41.161601930 +0200 -+++ openssh-5.9p1/monitor.c 2012-07-27 12:51:18.884927066 +0200 +diff -up openssh-6.1p1/monitor.c.required-authentication openssh-6.1p1/monitor.c +--- openssh-6.1p1/monitor.c.required-authentication 2012-09-14 20:17:56.685487974 +0200 ++++ openssh-6.1p1/monitor.c 2012-09-14 20:17:56.806488552 +0200 @@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY; static char *hostbased_cuser = NULL; static char *hostbased_chost = NULL; @@ -579,7 +579,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c } /* Drain any buffered messages from the child */ -@@ -862,6 +878,7 @@ mm_answer_authpassword(int sock, Buffer +@@ -860,6 +876,7 @@ mm_answer_authpassword(int sock, Buffer auth_method = "none"; else auth_method = "password"; 
@@ -587,7 +587,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c /* Causes monitor loop to terminate if authenticated */ return (authenticated); -@@ -921,6 +938,7 @@ mm_answer_bsdauthrespond(int sock, Buffe +@@ -919,6 +936,7 @@ mm_answer_bsdauthrespond(int sock, Buffe mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); auth_method = "bsdauth"; @@ -595,7 +595,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c return (authok != 0); } -@@ -970,6 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer * +@@ -968,6 +986,7 @@ mm_answer_skeyrespond(int sock, Buffer * mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m); auth_method = "skey"; @@ -603,7 +603,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c return (authok != 0); } -@@ -1059,7 +1078,8 @@ mm_answer_pam_query(int sock, Buffer *m) +@@ -1057,7 +1076,8 @@ mm_answer_pam_query(int sock, Buffer *m) xfree(prompts); if (echo_on != NULL) xfree(echo_on); @@ -613,7 +613,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); return (0); } -@@ -1088,7 +1108,8 @@ mm_answer_pam_respond(int sock, Buffer * +@@ -1086,7 +1106,8 @@ mm_answer_pam_respond(int sock, Buffer * buffer_clear(m); buffer_put_int(m, ret); mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); @@ -623,7 +623,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c if (ret == 0) sshpam_authok = sshpam_ctxt; return (0); -@@ -1102,7 +1123,8 @@ mm_answer_pam_free_ctx(int sock, Buffer +@@ -1100,7 +1121,8 @@ mm_answer_pam_free_ctx(int sock, Buffer (sshpam_device.free_ctx)(sshpam_ctxt); buffer_clear(m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); 
@@ -633,7 +633,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c return (sshpam_authok == sshpam_ctxt); } #endif -@@ -1138,6 +1160,7 @@ mm_answer_keyallowed(int sock, Buffer *m +@@ -1136,6 +1158,7 @@ mm_answer_keyallowed(int sock, Buffer *m allowed = options.pubkey_authentication && user_key_allowed(authctxt->pw, key); auth_method = "publickey"; @@ -641,7 +641,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c if (options.pubkey_authentication && allowed != 1) auth_clear_options(); break; -@@ -1146,6 +1169,7 @@ mm_answer_keyallowed(int sock, Buffer *m +@@ -1144,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m hostbased_key_allowed(authctxt->pw, cuser, chost, key); auth_method = "hostbased"; @@ -649,7 +649,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c break; case MM_RSAHOSTKEY: key->type = KEY_RSA1; /* XXX */ -@@ -1155,6 +1179,7 @@ mm_answer_keyallowed(int sock, Buffer *m +@@ -1153,6 +1177,7 @@ mm_answer_keyallowed(int sock, Buffer *m if (options.rhosts_rsa_authentication && allowed != 1) auth_clear_options(); auth_method = "rsa"; @@ -657,7 +657,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c break; default: fatal("%s: unknown key type %d", __func__, type); -@@ -1180,7 +1205,8 @@ mm_answer_keyallowed(int sock, Buffer *m +@@ -1178,7 +1203,8 @@ mm_answer_keyallowed(int sock, Buffer *m hostbased_chost = chost; } else { /* Log failed attempt */ @@ -667,7 +667,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c xfree(blob); xfree(cuser); xfree(chost); -@@ -1356,6 +1382,7 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1354,6 +1380,7 @@ mm_answer_keyverify(int sock, Buffer *m) xfree(data); auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; 
@@ -675,7 +675,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c monitor_reset_key_state(); -@@ -1545,6 +1572,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe +@@ -1543,6 +1570,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe debug3("%s entering", __func__); auth_method = "rsa"; @@ -683,7 +683,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c if (options.rsa_authentication && authctxt->valid) { if ((client_n = BN_new()) == NULL) fatal("%s: BN_new", __func__); -@@ -1650,6 +1678,7 @@ mm_answer_rsa_response(int sock, Buffer +@@ -1648,6 +1676,7 @@ mm_answer_rsa_response(int sock, Buffer xfree(response); auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; @@ -691,7 +691,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c /* reset state */ BN_clear_free(ssh1_challenge); -@@ -2099,6 +2128,7 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2097,6 +2126,7 @@ mm_answer_gss_userok(int sock, Buffer *m mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); auth_method = "gssapi-with-mic"; @@ -699,7 +699,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c /* Monitor loop will terminate if authenticated */ return (authenticated); -@@ -2303,6 +2333,7 @@ mm_answer_jpake_check_confirm(int sock, +@@ -2301,6 +2331,7 @@ mm_answer_jpake_check_confirm(int sock, monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1); auth_method = "jpake-01@openssh.com"; 
@@ -707,10 +707,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c return authenticated; } -diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c ---- openssh-5.9p1/servconf.c.required-authentication 2012-07-27 12:21:41.167601942 +0200 -+++ openssh-5.9p1/servconf.c 2012-07-27 12:21:41.209602032 +0200 -@@ -42,6 +42,8 @@ +diff -up openssh-6.1p1/servconf.c.required-authentication openssh-6.1p1/servconf.c +--- openssh-6.1p1/servconf.c.required-authentication 2012-09-14 20:17:56.699488040 +0200 ++++ openssh-6.1p1/servconf.c 2012-09-14 20:19:49.179983651 +0200 +@@ -43,6 +43,8 @@ #include "key.h" #include "kex.h" #include "mac.h" @@ -719,7 +719,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf #include "match.h" #include "channels.h" #include "groupaccess.h" -@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions +@@ -132,6 +134,8 @@ initialize_server_options(ServerOptions options->num_authkeys_files = 0; options->num_accept_env = 0; options->permit_tun = -1; @@ -728,7 +728,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; -@@ -319,6 +323,7 @@ typedef enum { +@@ -324,6 +328,7 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, 
@@ -736,16 +736,16 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -447,6 +452,8 @@ static struct { +@@ -452,6 +457,8 @@ static struct { { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL }, + { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL }, + { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } - }; -@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions +@@ -1298,6 +1305,33 @@ process_server_config_line(ServerOptions options->max_startups = options->max_startups_begin; break; @@ -779,9 +779,9 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf case sMaxAuthTries: intptr = &options->max_authtries; goto parse_int; -diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h ---- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200 -+++ openssh-5.9p1/servconf.h 2012-07-27 12:21:41.210602035 +0200 +diff -up openssh-6.1p1/servconf.h.required-authentication openssh-6.1p1/servconf.h +--- openssh-6.1p1/servconf.h.required-authentication 2012-07-31 04:21:34.000000000 +0200 ++++ openssh-6.1p1/servconf.h 2012-09-14 20:17:56.810488571 +0200 @@ -154,6 +154,9 @@ typedef struct { u_int num_authkeys_files; /* Files containing public keys */ char *authorized_keys_files[MAX_AUTHKEYS_FILES]; 
@@ -792,10 +792,10 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf char *adm_forced_command; int use_pam; /* Enable auth via PAM */ -diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5 ---- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200 -+++ openssh-5.9p1/sshd_config.5 2012-07-27 12:38:47.607222070 +0200 -@@ -723,6 +723,8 @@ Available keywords are +diff -up openssh-6.1p1/sshd_config.5.required-authentication openssh-6.1p1/sshd_config.5 +--- openssh-6.1p1/sshd_config.5.required-authentication 2012-07-02 10:53:38.000000000 +0200 ++++ openssh-6.1p1/sshd_config.5 2012-09-14 20:17:56.812488582 +0200 +@@ -731,6 +731,8 @@ Available keywords are .Cm PermitOpen , .Cm PermitRootLogin , .Cm PermitTunnel , @@ -804,7 +804,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_ .Cm PubkeyAuthentication , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , -@@ -920,6 +922,21 @@ Specifies a list of revoked public keys. +@@ -931,6 +933,21 @@ Specifies a list of revoked public keys. Keys listed in this file will be refused for public key authentication. Note that if this file is not readable, then public key authentication will be refused for all users. diff --git a/openssh-5.9p1-vendor.patch b/openssh-6.1p1-vendor.patch similarity index 63% rename from openssh-5.9p1-vendor.patch rename to openssh-6.1p1-vendor.patch index 1413fa6..9cb326d 100644 --- a/openssh-5.9p1-vendor.patch +++ b/openssh-6.1p1-vendor.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac ---- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100 -+++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100 -@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog], +diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac +--- openssh-6.1p1/configure.ac.vendor 2012-09-14 20:36:49.153085211 +0200 ++++ openssh-6.1p1/configure.ac 2012-09-14 20:36:49.559088133 +0200 +@@ -4303,6 +4303,12 @@ AC_ARG_WITH([lastlog], fi ] ) @@ -14,7 +14,7 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac dnl lastlog, [uw]tmpx? detection dnl NOTE: set the paths in the platform section to avoid the -@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack +@@ -4529,6 +4535,7 @@ echo " Translate v4 in v6 hack echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" @@ -22,10 +22,10 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac echo "" -diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c ---- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100 -+++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100 -@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions +diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c +--- openssh-6.1p1/servconf.c.vendor 2012-09-14 20:36:49.124085002 +0200 ++++ openssh-6.1p1/servconf.c 2012-09-14 20:50:34.995972516 +0200 +@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions options->max_authtries = -1; options->max_sessions = -1; options->banner = NULL; 
@@ -33,16 +33,17 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c options->use_dns = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; -@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption - options->ip_qos_interactive = IPTOS_LOWDELAY; - if (options->ip_qos_bulk == -1) +@@ -289,6 +290,9 @@ fill_default_server_options(ServerOption options->ip_qos_bulk = IPTOS_THROUGHPUT; + if (options->version_addendum == NULL) + options->version_addendum = xstrdup(""); + if (options->show_patchlevel == -1) -+ options->show_patchlevel = 0; - ++ options->show_patchlevel = 0; ++ /* Turn privilege separation on by default */ if (use_privsep == -1) -@@ -321,7 +324,7 @@ typedef enum { + use_privsep = PRIVSEP_NOSANDBOX; +@@ -326,7 +330,7 @@ typedef enum { sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, @@ -51,7 +52,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, -@@ -436,6 +439,7 @@ static struct { +@@ -441,6 +445,7 @@ static struct { { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, @@ -59,7 +60,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, -@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions +@@ -1162,6 +1167,10 @@ process_server_config_line(ServerOptions multistate_ptr = multistate_privsep; goto parse_multistate; 
@@ -70,7 +71,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) -@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o) +@@ -1956,6 +1965,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); @@ -78,9 +79,9 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); -diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h ---- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100 -+++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100 +diff -up openssh-6.1p1/servconf.h.vendor openssh-6.1p1/servconf.h +--- openssh-6.1p1/servconf.h.vendor 2012-09-14 20:36:49.125085009 +0200 ++++ openssh-6.1p1/servconf.h 2012-09-14 20:36:49.564088168 +0200 @@ -140,6 +140,7 @@ typedef struct { int max_authtries; int max_sessions; @@ -89,10 +90,10 @@ diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h int use_dns; int client_alive_interval; /* * poke the client this often to -diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config ---- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100 -+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100 -@@ -112,6 +112,7 @@ X11Forwarding yes +diff -up openssh-6.1p1/sshd_config.vendor openssh-6.1p1/sshd_config +--- openssh-6.1p1/sshd_config.vendor 2012-09-14 20:36:49.507087759 +0200 ++++ openssh-6.1p1/sshd_config 2012-09-14 20:36:49.565088175 +0200 +@@ -114,6 +114,7 @@ UsePrivilegeSeparation sandbox # Defaul #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 
@@ -100,10 +101,10 @@ diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 -diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0 ---- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100 -+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100 -@@ -556,6 +556,11 @@ DESCRIPTION +diff -up openssh-6.1p1/sshd_config.0.vendor openssh-6.1p1/sshd_config.0 +--- openssh-6.1p1/sshd_config.0.vendor 2012-09-14 20:36:49.510087780 +0200 ++++ openssh-6.1p1/sshd_config.0 2012-09-14 20:36:49.567088190 +0200 +@@ -558,6 +558,11 @@ DESCRIPTION Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. @@ -115,10 +116,10 @@ diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0 StrictModes Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. -diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5 ---- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100 -+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100 -@@ -982,6 +982,14 @@ This option applies to protocol version +diff -up openssh-6.1p1/sshd_config.5.vendor openssh-6.1p1/sshd_config.5 +--- openssh-6.1p1/sshd_config.5.vendor 2012-09-14 20:36:49.512087794 +0200 ++++ openssh-6.1p1/sshd_config.5 2012-09-14 20:36:49.568088198 +0200 +@@ -978,6 +978,14 @@ This option applies to protocol version .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. 
@@ -133,19 +134,19 @@ diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5 .It Cm StrictModes Specifies whether .Xr sshd 8 -diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c ---- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100 -+++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100 -@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in - minor = PROTOCOL_MINOR_1; +diff -up openssh-6.1p1/sshd.c.vendor openssh-6.1p1/sshd.c +--- openssh-6.1p1/sshd.c.vendor 2012-09-14 20:36:49.399086981 +0200 ++++ openssh-6.1p1/sshd.c 2012-09-14 20:47:30.696088744 +0200 +@@ -433,7 +433,7 @@ sshd_exchange_identification(int sock_in } - snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, -- SSH_VERSION, newline); -+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline); - server_version_string = xstrdup(buf); - /* Send our protocol version identification. */ -@@ -1634,7 +1634,8 @@ main(int ac, char **av) + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +- major, minor, SSH_VERSION, ++ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + +@@ -1635,7 +1635,8 @@ main(int ac, char **av) exit(1); } diff --git a/openssh.spec b/openssh.spec index c909026..87f8fe5 100644 --- a/openssh.spec +++ b/openssh.spec @@ -108,7 +108,7 @@ Source13: sshd-keygen Patch0: openssh-5.9p1-wIm.patch #? -Patch100: openssh-5.9p1-coverity.patch +Patch100: openssh-6.1p1-coverity.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1872 Patch101: openssh-5.8p1-fingerprint.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1894 
@@ -118,7 +118,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch Patch103: openssh-5.8p1-packet.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=983 #Patch104: openssh-5.9p1-2auth.patch -Patch104: openssh-5.9p1-required-authentications.patch +Patch104: openssh-6.1p1-required-authentications.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 Patch200: openssh-5.8p1-audit0.patch @@ -150,7 +150,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch Patch404: openssh-5.9p1-privsep-selinux.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1663 -Patch500: openssh-5.9p1-akc.patch +Patch500: openssh-6.1p1-akc.patch #?-- unwanted child :( Patch501: openssh-6.0p1-ldap.patch #? @@ -173,7 +173,7 @@ Patch606: openssh-5.9p1-ipv6man.patch #? Patch607: openssh-5.8p2-sigpipe.patch #? -Patch608: openssh-5.8p2-askpass-ld.patch +Patch608: openssh-6.1p1-askpass-ld.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1789 Patch609: openssh-5.5p1-x11.patch 
@@ -196,29 +196,27 @@ Patch707: openssh-5.9p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) Patch708: openssh-6.0p1-entropy.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) -Patch709: openssh-5.9p1-vendor.patch +Patch709: openssh-6.1p1-vendor.patch #? Patch710: openssh-5.9p1-copy-id-restorecon.patch # warn users for unsupported UsePAM=no (#757545) -Patch711: openssh-5.9p1-log-usepam-no.patch +Patch711: openssh-6.1p1-log-usepam-no.patch # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL Patch712: openssh-5.9p1-ctr-evp-fast.patch # add cavs test binary for the aes-ctr Patch713: openssh-5.9p1-ctr-cavstest.patch -#https://bugzilla.redhat.com/show_bug.cgi?id=815993 -Patch714: openssh-5.9p1-null-xcrypt.patch #http://www.sxw.org.uk/computing/patches/openssh.html #changed cache storage type - #848228 -Patch800: openssh-6.0p1-gsskex.patch +Patch800: openssh-6.1p1-gsskex.patch #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html Patch801: openssh-5.8p2-force_krb.patch #? Patch900: openssh-5.8p1-gssapi-canohost.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1780 -Patch901: openssh-5.9p1-kuserok.patch +Patch901: openssh-6.1p1-kuserok.patch #--- #https://bugzilla.mindrot.org/show_bug.cgi?id=1604 # sctp @@ -459,7 +457,6 @@ popd %patch711 -p1 -b .log-usepam-no %patch712 -p1 -b .evp-ctr %patch713 -p1 -b .ctr-cavs -%patch714 -p0 -b .null-xcrypt %patch800 -p1 -b .gsskex %patch801 -p1 -b .force_krb
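Review bot: Patch714 (openssh-5.9p1-null-xcrypt.patch) is dropped from the Patch list here, and its `%patch714 -p0 -b .null-xcrypt` line in the later hunk, without anything recording why; presumably the guard it added against a NULL result from the crypt backend is already present in the 6.1p1 base, but nothing in this change shows that. Since the hunk also deletes the `#https://bugzilla.redhat.com/show_bug.cgi?id=815993` reference, the rationale for the fix is lost from the spec entirely. Suggest confirming the NULL check exists in the 6.1p1 auth-passwd.c before rebasing, and keeping a one-line marker in place of the removed entry, e.g. `# null-xcrypt fix (#815993) is part of upstream 6.1p1, patch no longer needed`. The `%patch` hunk that removes the apply line runs past the end of the visible diff.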