diff --git a/openssh-6.4p1-GSSAPIEnablek5users.patch b/openssh-6.4p1-GSSAPIEnablek5users.patch new file mode 100644 index 0000000..d450f69 --- /dev/null +++ b/openssh-6.4p1-GSSAPIEnablek5users.patch @@ -0,0 +1,137 @@ +diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c +index 0a4930e..a7c0c5f 100644 +--- a/gss-serv-krb5.c ++++ b/gss-serv-krb5.c +@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name, + FILE *fp; + char file[MAXPATHLEN]; + char line[BUFSIZ]; +- char kuser[65]; /* match krb5_kuserok() */ + struct stat st; + struct passwd *pw = the_authctxt->pw; + int found_principal = 0; +@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name, + + snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); + /* If both .k5login and .k5users DNE, self-login is ok. */ +- if (!k5login_exists && (access(file, F_OK) == -1)) { ++ if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) { + return ssh_krb5_kuserok(krb_context, principal, luser, + k5login_exists); + } +diff --git a/servconf.c b/servconf.c +index d482e79..ad5869b 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options) + options->ip_qos_bulk = -1; + options->version_addendum = NULL; + options->use_kuserok = -1; ++ options->enable_k5users = -1; + } + + void +@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options) + options->show_patchlevel = 0; + if (options->use_kuserok == -1) + options->use_kuserok = 1; ++ if (options->enable_k5users == -1) ++ options->enable_k5users = 0; + + /* Turn privilege separation on by default */ + if (use_privsep == -1) +@@ -356,7 +359,7 @@ typedef enum { + sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, +- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, ++ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, + sGssKeyEx, sGssStoreRekey, + sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, +@@ -430,6 +433,7 @@ static struct { + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, ++ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, +@@ -437,6 +441,7 @@ static struct { + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapienablek5users", sUnsupported, SSHCFG_ALL }, + #endif + { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, +@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line, + intptr = &options->use_kuserok; + goto parse_flag; + ++ case sGssEnablek5users: ++ intptr = &options->enable_k5users; ++ goto parse_flag; ++ + case sPermitOpen: + arg = strdelim(&cp); + if (!arg || *arg == '\0') +@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) + M_CP_INTOPT(ip_qos_interactive); + M_CP_INTOPT(ip_qos_bulk); + M_CP_INTOPT(use_kuserok); ++ M_CP_INTOPT(enable_k5users); + M_CP_INTOPT(rekey_limit); + M_CP_INTOPT(rekey_interval); + +@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); + dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); ++ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); + + /* string arguments */ + dump_cfg_string(sPidFile, o->pid_file); +diff --git a/servconf.h b/servconf.h +index 5117dfa..d63cb71 100644 +--- a/servconf.h ++++ b/servconf.h +@@ -173,7 +173,8 @@ typedef struct { + + int num_permitted_opens; + +- int use_kuserok; ++ int use_kuserok; ++ int enable_k5users; + char *chroot_directory; + char *revoked_keys_file; + char *trusted_user_ca_keys; +diff --git a/sshd_config b/sshd_config +index 43671f6..6ab00ed 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -94,6 +94,7 @@ GSSAPIAuthentication yes + GSSAPICleanupCredentials no + #GSSAPIStrictAcceptorCheck yes + #GSSAPIKeyExchange no ++#GSSAPIEnablek5users no + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +diff --git a/sshd_config.5 b/sshd_config.5 +index e0e5fff..aa9525d 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -505,6 +505,12 @@ on logout. + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIEnablek5users ++Specifies whether to look at .k5users file for GSSAPI authentication ++access control. Further details are described in ++.Xr ksu 1 . ++The default is ++.Dq no . + .It Cm GSSAPIStrictAcceptorCheck + Determines whether to be strict about the identity of the GSSAPI acceptor + a client authenticates against. If diff --git a/openssh.spec b/openssh.spec index 225d9c7..3fb6d80 100644 --- a/openssh.spec +++ b/openssh.spec @@ -175,6 +175,9 @@ Patch713: openssh-6.3p1-ctr-cavstest.patch Patch800: openssh-6.3p1-gsskex.patch #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html Patch801: openssh-6.3p1-force_krb.patch +# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843) +# CVE-2014-9278 +Patch802: openssh-6.4p1-GSSAPIEnablek5users.patch Patch900: openssh-6.1p1-gssapi-canohost.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1780 Patch901: openssh-6.4p1-kuserok.patch @@ -458,6 +461,7 @@ popd %patch917 -p1 -b .sftp %patch918 -p1 -b .scp %patch919 -p1 -b .config +%patch802 -p1 -b .GSSAPIEnablek5users %if 0