From d9d9575f0065dc0cf84743fa8c163df70c0623b8 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 10 Dec 2015 15:37:46 +0100
Subject: [PATCH] GSSAPI Key Exchange documentation improvements from Debian patches: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
---
 openssh-7.0p1-gssKexAlgorithms.patch | 13 +++----
 openssh-7.1p1-gssapi-documentation.patch | 47 ++++++++++++++++++++++++
 openssh.spec | 5 +++
 3 files changed, 58 insertions(+), 7 deletions(-)
 create mode 100644 openssh-7.1p1-gssapi-documentation.patch
diff --git a/openssh-7.0p1-gssKexAlgorithms.patch b/openssh-7.0p1-gssKexAlgorithms.patch
index 8ecc207..38bd869 100644
--- a/openssh-7.0p1-gssKexAlgorithms.patch
+++ b/openssh-7.0p1-gssKexAlgorithms.patch
@@ -363,13 +363,12 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
 if (gss) {
 debug("Offering GSSAPI proposal: %s", gss);
 xasprintf(&options.kex_algorithms,
-diff -up openssh-7.0p1/sshd_config.5.gsskexalg openssh-7.0p1/sshd_config.5
---- openssh-7.0p1/sshd_config.5.gsskexalg 2015-08-19 12:28:38.082518830 +0200
-+++ openssh-7.0p1/sshd_config.5 2015-08-19 12:36:25.121471501 +0200
-@@ -659,6 +659,18 @@ Controls whether the user's GSSAPI crede
- successful connection rekeying. This option can be used to accepted renewed
- or updated credentials from a compatible client. The default is
- .Dq no .
+--- openssh-7.1p1/sshd_config.5.gsskexalg 2015-12-10 15:32:48.105418092 +0100
++++ openssh-7.1p1/sshd_config.5 2015-12-10 15:33:47.771279548 +0100
+@@ -663,6 +663,18 @@ or updated credentials from a compatible
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
 +.It Cm GSSAPIKexAlgorithms
 +The list of key exchange algorithms that are accepted by GSSAPI
 +key exchange. Possible values are
diff --git a/openssh-7.1p1-gssapi-documentation.patch b/openssh-7.1p1-gssapi-documentation.patch
new file mode 100644
index 0000000..4887cc0
--- /dev/null
+++ b/openssh-7.1p1-gssapi-documentation.patch 
@@ -0,0 +1,47 @@
+diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
+--- openssh-7.1p1/ssh_config.5.gss-docs 2015-12-10 15:28:47.451966457 +0100
++++ openssh-7.1p1/ssh_config.5 2015-12-10 15:30:28.070738047 +0100
+@@ -773,15 +773,26 @@ Note that this option applies to protoco
+ If set to
+ .Dq yes
+ then renewal of the client's GSSAPI credentials will force the rekeying of the
+-ssh connection. With a compatible server, this can delegate the renewed
++ssh connection. With a compatible server, this will delegate the renewed
+ credentials to a session on the server.
++.Pp
++Checks are made to ensure that credentials are only propagated when the new
++credentials match the old ones on the originating client and where the
++receiving server still has the old set in its cache.
++.Pp
+ The default is
+ .Dq no .
++.Pp
++For this to work
++.Cm GSSAPIKeyExchange
++needs to be enabled in the server and also used by the client.
+ .It Cm GSSAPITrustDns
+ Set to
+-.Dq yes to indicate that the DNS is trusted to securely canonicalize
++.Dq yes
++to indicate that the DNS is trusted to securely canonicalize
+ the name of the host being connected to. If
+-.Dq no, the hostname entered on the
++.Dq no ,
++the hostname entered on the
+ command line will be passed untouched to the GSSAPI library.
+ The default is
+ .Dq no .
+diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5
+--- openssh-7.1p1/sshd_config.5.gss-docs 2015-12-10 15:28:47.453966452 +0100
++++ openssh-7.1p1/sshd_config.5 2015-12-10 15:28:47.461966434 +0100
+@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede
+ successful connection rekeying. This option can be used to accepted renewed
+ or updated credentials from a compatible client. The default is
+ .Dq no .
++.Pp
++For this to work
++.Cm GSSAPIKeyExchange
++needs to be enabled in the server and also used by the client.
+ .It Cm HostbasedAcceptedKeyTypes
+ Specifies the key types that will be accepted for hostbased authentication
+ as a comma-separated pattern list.
diff --git a/openssh.spec b/openssh.spec
index 7c872d3..af102e5 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -176,6 +176,10 @@ Patch801: openssh-6.6p1-force_krb.patch
 # add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
 # CVE-2014-9278
 Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
+# Documentation about GSSAPI
+# from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
+Patch803: openssh-7.1p1-gssapi-documentation.patch
+
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
 Patch901: openssh-6.6p1-kuserok.patch
@@ -443,6 +447,7 @@ popd
 #
 %patch800 -p1 -b .gsskex
 %patch801 -p1 -b .force_krb
+%patch803 -p1 -b .gss-docs
 #
 %patch900 -p1 -b .canohost
 %patch901 -p1 -b .kuserok
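Review bot: The new `%patch803 -p1 -b .gss-docs` line in the %prep hunk is placed between `%patch801` and `%patch900`, but the first hunk of this commit rebases openssh-7.0p1-gssKexAlgorithms.patch onto the `For this to work` / `.Cm GSSAPIKeyExchange` context that Patch803 adds to sshd_config.5 (its sshd_config.5 hunk moves from line 659 to 663), so that patch can only apply cleanly once Patch803 has been applied. The `%patch` line for the gssKexAlgorithms patch is not in this hunk, so its position relative to the new `%patch803` line should be confirmed before merging, otherwise %prep fails with a rejected hunk. I would record the dependency next to the new line with `# must precede openssh-7.0p1-gssKexAlgorithms.patch, whose sshd_config.5 context depends on it`, and add the same remark to the `Patch803:` definition.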