From 5d4cc441c89332f3dd5ff97cfa5ada0d647aff75f8f40654dd3390e8a4244a57 Mon Sep 17 00:00:00 2001 From: Petr Cerny Date: Mon, 17 Mar 2014 02:46:40 +0000 Subject: [PATCH] Accepting request 226334 from home:pcerny:factory - re-enabling the GSSAPI Key Exchange patch !!! currently breaks anythng else than Factory OBS-URL: https://build.opensuse.org/request/show/226334 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=72 --- ...h-6.5p1-X_forward_with_disabled_ipv6.patch | 2 +- openssh-6.5p1-fips.patch | 4 +- openssh-6.5p1-gssapi_key_exchange.patch | 356 +++++++----------- openssh-6.5p1-login_options.patch | 2 +- openssh-6.5p1-no_fork-no_pid_file.patch | 2 +- openssh.changes | 5 + openssh.spec | 2 +- 7 files changed, 152 insertions(+), 221 deletions(-) diff --git a/openssh-6.5p1-X_forward_with_disabled_ipv6.patch b/openssh-6.5p1-X_forward_with_disabled_ipv6.patch index fa5983e..3f4843c 100644 --- a/openssh-6.5p1-X_forward_with_disabled_ipv6.patch +++ b/openssh-6.5p1-X_forward_with_disabled_ipv6.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent d7526bd96e81981aa3c94b7695a3f4009a2c176b +# Parent bb0162afc928b3eeb69f11419e214e0737bb8034 Do not throw away already open sockets for X11 forwarding if another socket family is not available for bind() diff --git a/openssh-6.5p1-fips.patch b/openssh-6.5p1-fips.patch index 729f36d..bd44946 100644 --- a/openssh-6.5p1-fips.patch +++ b/openssh-6.5p1-fips.patch @@ -2,12 +2,12 @@ # when OpenSSL is detected to be running in FIPS mode # # HG changeset patch -# Parent 2a4df1014f286ec93a3e4dcf036f054745e4fee8 +# Parent df8b01308484dd9227b64c8bb820e52b56b89b4d diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in --- a/openssh-6.5p1/Makefile.in 
+++ b/openssh-6.5p1/Makefile.in -@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o +@@ -76,17 +76,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ diff --git a/openssh-6.5p1-gssapi_key_exchange.patch b/openssh-6.5p1-gssapi_key_exchange.patch index 5b62617..4b8746f 100644 --- a/openssh-6.5p1-gssapi_key_exchange.patch +++ b/openssh-6.5p1-gssapi_key_exchange.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent a72dad36a987a441e9c92807b1d654e43ddee409 +# Parent fd62140898f5f8bfaa6d0b527c5893001322a662 diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi new file mode 100644 @@ -122,7 +122,7 @@ new file mode 100644 diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in --- a/openssh-6.5p1/Makefile.in +++ b/openssh-6.5p1/Makefile.in -@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o +@@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o canohost.o channels.o cipher.o cipher-aes.o \ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ @@ -133,13 +133,14 @@ 
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ + kexgssc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o + jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ + kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ + ssh-ed25519.o digest.o \ + sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ + auditstub.o \ + fips.o - SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o mux.o \ - roaming_common.o roaming_client.o - - SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ +@@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ auth.o auth1.o auth2.o auth-options.o session.o \ @@ -147,21 +148,21 @@ 
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ - auth-krb5.o \ + kexc25519s.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ - sandbox-seccomp-filter.o + sandbox-seccomp-filter.o sandbox-capsicum.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c --- a/openssh-6.5p1/auth-krb5.c +++ b/openssh-6.5p1/auth-krb5.c -@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c +@@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; #endif @@ -185,7 +186,7 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c out: restore_uid(); -@@ -224,35 +229,42 @@ krb5_cleanup_proc(Authctxt *authctxt) +@@ -238,35 +243,42 @@ krb5_cleanup_proc(Authctxt *authctxt) } #ifndef HEIMDAL @@ -233,7 +234,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c --- a/openssh-6.5p1/auth2-gss.c +++ b/openssh-6.5p1/auth2-gss.c 
@@ -1,12 +1,12 @@ - /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ + /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -297,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c userauth_gssapi(Authctxt *authctxt) { gss_OID_desc goid = {0, NULL}; -@@ -248,17 +282,18 @@ input_gssapi_exchange_complete(int type, +@@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type, /* * We don't need to check the status, because we're only enabled in @@ -317,7 +318,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); } -@@ -283,31 +318,38 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, "gssapi-with-mic"); @@ -414,7 +415,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c /* Flag indicating that no shell has been requested */ extern int no_shell_flag; -@@ -1594,16 +1598,25 @@ client_loop(int have_pty, int escape_cha +@@ -1603,16 +1607,25 @@ client_loop(int have_pty, int escape_cha &max_fd2, &nalloc, rekeying); if (quit_pending) @@ -443,7 +444,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac --- a/openssh-6.5p1/configure.ac +++ b/openssh-6.5p1/configure.ac -@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary(" +@@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary(" AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect]) AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1], [Define if your resolver libs need this for getrrsetbyname]) @@ -488,7 +489,7 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c --- a/openssh-6.5p1/gss-genr.c 
+++ b/openssh-6.5p1/gss-genr.c @@ -1,12 +1,12 @@ - /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ + /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */ /* - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. @@ -878,7 +879,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c --- a/openssh-6.5p1/gss-serv-krb5.c +++ b/openssh-6.5p1/gss-serv-krb5.c @@ -1,12 +1,12 @@ - /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ + /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -891,8 +892,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the -@@ -115,16 +115,17 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client - static void +@@ -117,16 +117,17 @@ static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) { krb5_ccache ccache; @@ -900,6 +900,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c krb5_principal princ; OM_uint32 maj_status, min_status; int len; + const char *errmsg; + const char *new_ccname; if (client->creds == NULL) { @@ -909,7 +910,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c if (ssh_gssapi_krb5_init() == 0) return; -@@ -163,37 +164,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl +@@ -175,37 +176,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, ccache))) { @@ -1027,7 +1028,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c --- a/openssh-6.5p1/gss-serv.c +++ b/openssh-6.5p1/gss-serv.c 
@@ -1,12 +1,12 @@ - /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ + /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -1059,8 +1060,8 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c static ssh_gssapi_client gssapi_client = { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, -- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; -+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; +- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; ++ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0}; ssh_gssapi_mech gssapi_null_mech = - { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; @@ -1415,19 +1416,15 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c --- a/openssh-6.5p1/kex.c +++ b/openssh-6.5p1/kex.c -@@ -46,16 +46,24 @@ - #include "log.h" +@@ -47,16 +47,20 @@ #include "mac.h" #include "match.h" #include "dispatch.h" #include "monitor.h" #include "roaming.h" + #include "digest.h" #include "audit.h" -+#ifdef GSSAPI -+#include "ssh-gss.h" -+#endif -+ +#ifdef GSSAPI +#include "ssh-gss.h" +#endif @@ -1440,42 +1437,32 @@ 
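Review bot: The `gssapi_client` initializer in the gss-serv.c hunk is positional, and this rebase had to change it by hand from four to five `NULL`s in the `store` sub-aggregate to track upstream's new field. Every value shown (`GSS_C_EMPTY_BUFFER`, `GSS_C_NO_CREDENTIAL`, `GSS_C_NO_NAME`, `NULL`, `0`) is a null or zero constant as RFC 2744 defines them, so a bare file-scope `static ssh_gssapi_client gssapi_client;` would yield the same object through static zero-initialization; if the explicit form is preferred, designated initializers for the members the patch itself adds would spare the next rebase another NULL recount. The same positional pattern is visible in `gssapi_null_mech` just below.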
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c # endif #endif -@@ -377,16 +385,30 @@ choose_kex(Kex *k, char *client, char *s - } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) { - k->kex_type = KEX_DH_GEX_SHA256; - k->evp_md = evp_ssh_sha256(); - } else if (strncmp(k->name, KEX_ECDH_SHA2_STEM, - sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) { - k->kex_type = KEX_ECDH_SHA2; - k->evp_md = kex_ecdh_name_to_evpmd(k->name); +@@ -86,16 +90,21 @@ static const struct kexalg kexalgs[] = { + { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, + SSH_DIGEST_SHA512 }, + # endif + #endif + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, + #ifdef HAVE_EVP_SHA256 + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #endif +#ifdef GSSAPI -+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, -+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GEX_SHA1; -+ k->evp_md = EVP_sha1(); -+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID, -+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GRP1_SHA1; -+ k->evp_md = EVP_sha1(); -+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID, -+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GRP14_SHA1; -+ k->evp_md = EVP_sha1(); ++ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, ++ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, ++ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, +#endif - } else - fatal("bad kex alg %s", k->name); - } + { NULL, -1, -1, -1}, + }; - static void - choose_hostkeyalg(Kex *k, char *client, char *server) + char * + kex_alg_list(char sep) { - char *hostkeyalg = match_list(client, server, NULL); + char *ret = NULL; + size_t nlen, rlen = 0; diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h --- a/openssh-6.5p1/kex.h +++ b/openssh-6.5p1/kex.h -@@ -68,16 +68,19 @@ enum kex_modes { - }; +@@ -71,16 +71,19 @@ enum kex_modes { enum kex_exchange { KEX_DH_GRP1_SHA1, @@ -1483,6 +1470,7 @@ 
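Review bot: The rebased kex.c hunk registers the three GSS exchanges as plain rows of `kexalgs[]`, but nothing in this file section adjusts the lookup that consumes the table, and the kex.c part of the inner patch ends with this hunk (the kex.h header follows directly within the same outer hunk). The code this hunk removes matched these identifiers with `strncmp(k->name, KEX_GSS_GEX_SHA1_ID, sizeof(KEX_GSS_GEX_SHA1_ID) - 1)`, i.e. as prefixes of the negotiated name; if upstream's table lookup compares with `strcmp`, as I believe it does in 6.5, a proposed `gss-*` method with its mechanism suffix would never match a row and negotiation would end in the unsupported-algorithm fatal path instead of reaching `kexgss_client`/`kexgss_server`. Unless the suffix handling has moved somewhere not shown, the lookup needs a prefix case for these rows, e.g. `if (strncmp(name, "gss-", 4) == 0 && strncmp(k->name, name, strlen(k->name)) == 0) return k;` under the same `#ifdef GSSAPI`. The lookup function is outside this hunk.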
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, + KEX_C25519_SHA256, + KEX_GSS_GRP1_SHA1, + KEX_GSS_GRP14_SHA1, + KEX_GSS_GEX_SHA1, @@ -1494,15 +1482,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h typedef struct Kex Kex; typedef struct Mac Mac; typedef struct Comp Comp; -@@ -126,16 +129,22 @@ struct Kex { - int hostkey_type; +@@ -131,16 +134,22 @@ struct Kex { int kex_type; int roaming; Buffer my; Buffer peer; sig_atomic_t done; int flags; - const EVP_MD *evp_md; + int hash_alg; + int ec_nid; +#ifdef GSSAPI + int gss_deleg_creds; + int gss_trust_dns; @@ -1515,15 +1503,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h Key *(*load_host_public_key)(int); Key *(*load_host_private_key)(int); int (*host_key_index)(Key *); + void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int); void (*kex[KEX_MAX])(Kex *); - }; -@@ -154,16 +163,21 @@ Newkeys *kex_get_newkeys(int); - void kexdh_client(Kex *); - void kexdh_server(Kex *); +@@ -164,16 +173,21 @@ void kexdh_server(Kex *); void kexgex_client(Kex *); void kexgex_server(Kex *); void kexecdh_client(Kex *); void kexecdh_server(Kex *); + void kexc25519_client(Kex *); + void kexc25519_server(Kex *); void newkeys_destroy(Newkeys *newkeys); + @@ -1536,7 +1524,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); void - kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, + kexgex_hash(int, char *, char *, char *, int, char *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c 
@@ -1825,7 +1813,7 @@ new file mode 100644 + break; + case KEX_GSS_GEX_SHA1: + kexgex_hash( -+ kex->evp_md, ++ kex->hash_alg, + kex->client_version_string, + kex->server_version_string, + buffer_ptr(&kex->my), buffer_len(&kex->my), @@ -1872,7 +1860,7 @@ new file mode 100644 + else + ssh_gssapi_delete_ctx(&ctxt); + -+ kex_derive_keys(kex, hash, hashlen, shared_secret); ++ kex_derive_keys_bn(kex, hash, hashlen, shared_secret); + BN_clear_free(shared_secret); + kex_finish(kex); +} @@ -2108,7 +2096,7 @@ new file mode 100644 + break; + case KEX_GSS_GEX_SHA1: + kexgex_hash( -+ kex->evp_md, ++ kex->hash_alg, + kex->client_version_string, kex->server_version_string, + buffer_ptr(&kex->peer), buffer_len(&kex->peer), + buffer_ptr(&kex->my), buffer_len(&kex->my), @@ -2161,7 +2149,7 @@ new file mode 100644 + + DH_free(dh); + -+ kex_derive_keys(kex, hash, hashlen, shared_secret); ++ kex_derive_keys_bn(kex, hash, hashlen, shared_secret); + BN_clear_free(shared_secret); + kex_finish(kex); + @@ -2174,54 +2162,35 @@ new file mode 100644 diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c --- a/openssh-6.5p1/key.c 
+++ b/openssh-6.5p1/key.c -@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int - return "ecdsa-sha2-nistp384-cert-v01@openssh.com"; - case NID_secp521r1: - return "ecdsa-sha2-nistp521-cert-v01@openssh.com"; - default: - break; - } - break; +@@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] = + # endif #endif /* OPENSSL_HAS_ECC */ -+ case KEY_NULL: -+ return "null"; - } - return "ssh-unknown"; - } + { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", + KEY_RSA_CERT_V00, 0, 1 }, + { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", + KEY_DSA_CERT_V00, 0, 1 }, + { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", + KEY_ED25519_CERT, 0, 1 }, ++ { "null", "null", ++ KEY_NULL, 0, 0 }, + { NULL, NULL, -1, -1, 0 } + }; const char * - key_ssh_name(const Key *k) + key_type(const Key *k) { - return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid); -@@ -1343,16 +1345,18 @@ key_type_from_name(char *name) - } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { - return KEY_DSA_CERT; - #ifdef OPENSSL_HAS_ECC - } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { - return KEY_ECDSA_CERT; - #endif -+ } else if (strcmp(name, "null") == 0) { -+ return KEY_NULL; - } + const struct keytype *kt; - debug2("key_type_from_name: unknown key type '%s'", name); - return KEY_UNSPEC; - } - - int - key_ecdsa_nid_from_name(const char *name) diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h --- a/openssh-6.5p1/key.h +++ b/openssh-6.5p1/key.h -@@ -39,16 +39,17 @@ enum types { - KEY_RSA, - KEY_DSA, +@@ -41,16 +41,17 @@ enum types { KEY_ECDSA, + KEY_ED25519, KEY_RSA_CERT, KEY_DSA_CERT, KEY_ECDSA_CERT, + KEY_ED25519_CERT, KEY_RSA_CERT_V00, KEY_DSA_CERT_V00, + KEY_NULL, @@ -2236,7 +2205,7 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c 
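Review bot: The new `{ "null", "null", KEY_NULL, 0, 0 }` row in `keytypes[]` carries no explanation of why a key type with no key material exists, and it is now the only place that defines it, since the old `key_ssh_name_from_type_nid` and `key_type_from_name` additions are dropped in its favour. Someone auditing host-key handling should not need to know this patch to understand it; I would put above the row `/* "null" host key: no host key is transferred, the peer is authenticated by the GSSAPI key exchange instead; never valid outside a gss-* kex */`, adjusting the wording if the patch's actual contract differs. Driving both name lookups from the table appears to be the right rebase for 6.5's key.c, and the `KEY_NULL` enumerator in key.h is appended after `KEY_DSA_CERT_V00`, so existing numeric values keep their order.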
--- a/openssh-6.5p1/monitor.c +++ b/openssh-6.5p1/monitor.c -@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *) +@@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *) int mm_answer_pam_free_ctx(int, Buffer *); #endif @@ -2255,7 +2224,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c int mm_answer_audit_end_command(int, Buffer *); int mm_answer_audit_unsupported_body(int, Buffer *); int mm_answer_audit_kex_body(int, Buffer *); -@@ -259,28 +261,35 @@ struct mon_table mon_dispatch_proto20[] +@@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[] #endif {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, @@ -2291,7 +2260,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, -@@ -393,16 +402,20 @@ monitor_child_preauth(Authctxt *_authctx +@@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx authctxt->loginmsg = &loginmsg; if (compat20) { @@ -2333,8 +2302,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); } -@@ -1912,16 +1929,23 @@ mm_get_kex(Buffer *m) - timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0) +@@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m) fatal("mm_get_get: internal error: bad session id"); kex->we_need = buffer_get_int(m); kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; @@ -2342,6 +2310,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + kex->kex[KEX_C25519_SHA256] = kexc25519_server; +#ifdef GSSAPI + if (options.gss_keyex) { + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; @@ -2357,7 +2326,7 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c buffer_append(&kex->my, blob, bloblen); free(blob); blob = buffer_get_string(m, &bloblen); -@@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon) +@@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon) #ifdef GSSAPI int mm_answer_gss_setup_ctx(int sock, Buffer *m) @@ -2377,7 +2346,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c free(goid.elements); buffer_clear(m); -@@ -2162,16 +2189,19 @@ int +@@ -2182,16 +2209,19 @@ int mm_answer_gss_accept_ctx(int sock, Buffer *m) { gss_buffer_desc in; @@ -2397,7 +2366,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c buffer_clear(m); buffer_put_int(m, major); buffer_put_string(m, out.value, out.length); -@@ -2179,27 +2209,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe mm_request_send(sock, MONITOR_ANS_GSSSTEP, m); gss_release_buffer(&minor, &out); @@ -2429,7 +2398,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); free(gssbuf.value); -@@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer return (0); } @@ -2558,7 +2527,7 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c --- a/openssh-6.5p1/monitor_wrap.c +++ b/openssh-6.5p1/monitor_wrap.c -@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss +@@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss &m); major = buffer_get_int(&m); @@ -2666,7 +2635,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c --- a/openssh-6.5p1/readconf.c 
+++ b/openssh-6.5p1/readconf.c -@@ -124,16 +124,18 @@ typedef enum { +@@ -135,16 +135,18 @@ typedef enum { oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, @@ -2682,10 +2651,10 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, - oDeprecated, oUnsupported - } OpCodes; -@@ -164,22 +166,31 @@ static struct { + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, + oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, + oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, +@@ -177,22 +179,31 @@ static struct { { "challengeresponseauthentication", oChallengeResponseAuthentication }, { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ @@ -2717,7 +2686,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c { "identitiesonly", oIdentitiesOnly }, { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, -@@ -500,24 +511,44 @@ parse_flag: +@@ -836,24 +847,44 @@ parse_time: case oChallengeResponseAuthentication: intptr = &options->challenge_response_authentication; goto parse_flag; @@ -2762,7 +2731,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c intptr = &options->check_host_ip; goto parse_flag; -@@ -1159,18 +1190,23 @@ initialize_options(Options * options) +@@ -1489,18 +1520,23 @@ initialize_options(Options * options) options->exit_on_forward_failure = -1; options->xauth_location = NULL; options->gateway_ports = -1; @@ -2786,7 +2755,7 @@ 
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c options->batch_mode = -1; options->check_host_ip = -1; options->strict_host_key_checking = -1; -@@ -1260,20 +1296,26 @@ fill_default_options(Options * options) +@@ -1596,20 +1632,26 @@ fill_default_options(Options * options) if (options->rsa_authentication == -1) options->rsa_authentication = 1; if (options->pubkey_authentication == -1) @@ -2816,7 +2785,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h --- a/openssh-6.5p1/readconf.h +++ b/openssh-6.5p1/readconf.h -@@ -43,18 +43,23 @@ typedef struct { +@@ -49,18 +49,23 @@ typedef struct { int rhosts_rsa_authentication; /* Try rhosts with RSA * authentication. */ int rsa_authentication; /* Try RSA authentication. */ @@ -2843,7 +2812,7 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c --- a/openssh-6.5p1/servconf.c +++ b/openssh-6.5p1/servconf.c -@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions +@@ -104,18 +104,21 @@ initialize_server_options(ServerOptions options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -1; options->pubkey_authentication = -1; @@ -2864,8 +2833,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c options->permit_user_env = -1; options->use_login = -1; options->compression = -1; - options->allow_tcp_forwarding = -1; -@@ -232,20 +235,26 @@ fill_default_server_options(ServerOption + options->rekey_limit = -1; +@@ -244,20 +247,26 @@ fill_default_server_options(ServerOption if (options->kerberos_or_local_passwd == -1) options->kerberos_or_local_passwd = 1; if (options->kerberos_ticket_cleanup == -1) @@ -2892,8 +2861,8 @@ 
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c options->challenge_response_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; -@@ -329,16 +338,17 @@ typedef enum { - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, +@@ -345,16 +354,17 @@ typedef enum { + sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, @@ -2908,9 +2877,9 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, + sAuthenticationMethods, sHostKeyAgent, sDeprecated, sUnsupported -@@ -397,21 +407,31 @@ static struct { +@@ -414,21 +424,31 @@ static struct { { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, @@ -2942,7 +2911,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, #else { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, -@@ -1057,24 +1077,36 @@ process_server_config_line(ServerOptions +@@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions case sKerberosGetAFSToken: intptr = &options->kerberos_get_afs_token; goto parse_flag; @@ -2979,7 +2948,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c intptr = &options->zero_knowledge_password_authentication; goto parse_flag; -@@ -1939,17 +1971,20 @@ dump_config(ServerOptions *o) +@@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); # ifdef USE_AFS 
@@ -3003,7 +2972,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h --- a/openssh-6.5p1/servconf.h +++ b/openssh-6.5p1/servconf.h -@@ -105,18 +105,21 @@ typedef struct { +@@ -107,18 +107,21 @@ typedef struct { * authentication mechanism, * such as SecurID or * /etc/passwd */ @@ -3176,7 +3145,7 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5 --- a/openssh-6.5p1/ssh_config.5 +++ b/openssh-6.5p1/ssh_config.5 -@@ -525,21 +525,53 @@ host key database, separated by whitespa +@@ -671,21 +671,53 @@ host key database, separated by whitespa The default is .Pa /etc/ssh/ssh_known_hosts , .Pa /etc/ssh/ssh_known_hosts2 . @@ -3234,7 +3203,7 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5 diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c --- a/openssh-6.5p1/sshconnect2.c +++ b/openssh-6.5p1/sshconnect2.c -@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc +@@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc return ret; } @@ -3278,12 +3247,12 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; - } -@@ -192,30 +217,61 @@ ssh_kex2(char *host, struct sockaddr *ho - else { + } else if (fips_mode()) { +@@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho /* Prefer algorithms that we already have keys for */ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - order_hostkeyalgs(host, hostaddr, port); + compat_pkalg_proposal( + order_hostkeyalgs(host, hostaddr, port)); } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; @@ -3299,8 +3268,9 @@ 
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c + } +#endif + - if (options.rekey_limit) - packet_set_rekey_limit((u_int32_t)options.rekey_limit); + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); /* start key exchange */ kex = kex_setup(myproposal); @@ -3309,6 +3279,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; kex->kex[KEX_ECDH_SHA2] = kexecdh_client; + kex->kex[KEX_C25519_SHA256] = kexc25519_client; +#ifdef GSSAPI + if (options.gss_keyex) { + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; @@ -3341,7 +3312,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c debug("Roaming not allowed by server"); options.use_roaming = 0; } -@@ -301,31 +357,37 @@ void userauth_jpake_cleanup(Authctxt *); +@@ -315,31 +371,37 @@ void userauth_jpake_cleanup(Authctxt *); #ifdef GSSAPI int userauth_gssapi(Authctxt *authctxt); @@ -3379,7 +3350,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c {"gssapi", userauth_gssapi, NULL, -@@ -627,29 +689,41 @@ done: +@@ -638,29 +700,41 @@ done: int userauth_gssapi(Authctxt *authctxt) { @@ -3423,7 +3394,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c if (!ok) return 0; -@@ -738,18 +812,18 @@ process_gssapi_token(void *ctxt, gss_buf +@@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf } /* ARGSUSED */ @@ -3444,7 +3415,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c /* Setup our OID */ oidv = packet_get_string(&oidlen); -@@ -849,16 +923,58 @@ input_gssapi_error(int type, u_int32_t p +@@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p lang=packet_get_string(NULL); packet_check_eom(); @@ -3506,19 +3477,15 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c 
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c --- a/openssh-6.5p1/sshd.c +++ b/openssh-6.5p1/sshd.c -@@ -119,16 +119,24 @@ - #include "ssh-gss.h" +@@ -121,16 +121,20 @@ #endif #include "monitor_wrap.h" #include "roaming.h" #include "audit.h" #include "ssh-sandbox.h" #include "version.h" + #include "fips.h" -+#ifdef USE_SECURITY_SESSION_API -+#include -+#endif -+ +#ifdef USE_SECURITY_SESSION_API +#include +#endif @@ -3531,10 +3498,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c #endif /* LIBWRAP */ #ifndef O_NOCTTY -@@ -1715,20 +1723,23 @@ main(int ac, char **av) - } - debug("private host key: #%d type %d %s", i, key->type, - key_type(key)); +@@ -1795,20 +1799,23 @@ main(int ac, char **av) + if ((options.protocol & SSH_PROTO_1) && fips_mode()) { + logit("Disabling protocol version 1. Not allowed in the FIPS mode."); + options.protocol &= ~SSH_PROTO_1; } if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); @@ -3555,7 +3522,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c /* * Load certificates. They are stored in an array at identical * indices to the public keys that they relate to. -@@ -1920,16 +1931,70 @@ main(int ac, char **av) +@@ -1998,16 +2005,70 @@ main(int ac, char **av) /* Accept a connection and return in a forked child */ server_accept_loop(&sock_in, &sock_out, &newsock, config_s); @@ -3626,14 +3593,14 @@ 
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c #if !defined(SSHD_ACQUIRES_CTTY) /* * If setsid is called, on some platforms sshd will later acquire a -@@ -2046,16 +2111,70 @@ main(int ac, char **av) - fatal("libwrap refuse returns"); - } +@@ -2125,16 +2186,70 @@ main(int ac, char **av) } #endif /* LIBWRAP */ /* Log the connection. */ - verbose("Connection from %.500s port %d", remote_ip, remote_port); + verbose("Connection from %s port %d on %s port %d", + remote_ip, remote_port, + get_local_ipaddr(sock_in), get_local_port()); +#ifdef USE_SECURITY_SESSION_API + /* @@ -3697,57 +3664,15 @@ 
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c * mode; it is just annoying to have the server exit just when you * are about to discover the bug. */ -@@ -2435,23 +2554,114 @@ do_ssh2_kex(void) - myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; - } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; +@@ -2544,24 +2659,73 @@ do_ssh2_kex(void) - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); + + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( + list_hostkey_types()); -+#ifdef GSSAPI -+ { -+ char *orig; -+ char *gss = NULL; -+ char *newstr = NULL; -+ orig = myproposal[PROPOSAL_KEX_ALGS]; -+ -+ /* -+ * If we don't have a host key, then there's no point advertising -+ * the other key exchange algorithms -+ */ -+ -+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) -+ orig = NULL; -+ -+ if (options.gss_keyex) -+ gss = ssh_gssapi_server_mechanisms(); -+ else -+ gss = NULL; -+ -+ if (gss && orig) -+ xasprintf(&newstr, "%s,%s", gss, orig); -+ else if (gss) -+ newstr = gss; -+ else if (orig) -+ newstr = orig; -+ -+ /* -+ * If we've got GSSAPI mechanisms, then we've got the 'null' host -+ * key alg, but we can't tell people about it unless its the only -+ * host key algorithm we support -+ */ -+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0) -+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null"; -+ -+ if (newstr) -+ myproposal[PROPOSAL_KEX_ALGS] = newstr; -+ else -+ fatal("No supported key exchange algorithms"); -+ } -+#endif -+ +#ifdef GSSAPI + { + char *orig; @@ -3797,6 +3722,7 @@ 
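Review bot: The `null` host-key fallback in do_ssh2_kex deserves an explicit comment, because it changes what authenticates the server: when `options.gss_keyex` is set and `list_hostkey_types()` yields an empty string, `myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]` is set to `"null"`, so host authentication then rests entirely on the GSSAPI mechanism and a client without Kerberos credentials has nothing to verify. That logic is visible here only in the duplicate copy this hunk removes; the retained copy's body runs past the end of the hunk (as does do_ssh2_kex itself), so I am assuming it is identical. I would add above the `if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)` test in the kept block: `/* No host key loaded: advertise only the "null" host-key algorithm, so server authentication relies solely on the GSS mechanism */`. The `newstr` built with `xasprintf()` and the list from `ssh_gssapi_server_mechanisms()` are handed to `myproposal[]` and never freed in this block; fine for a per-connection child, but a one-line comment saying so would stop the next reader from "fixing" it.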
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + kex->kex[KEX_C25519_SHA256] = kexc25519_server; +#ifdef GSSAPI + if (options.gss_keyex) { + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; @@ -3810,12 +3736,12 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; + kex->sign = sshd_hostkey_sign; - xxx_kex = kex; diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config --- a/openssh-6.5p1/sshd_config +++ b/openssh-6.5p1/sshd_config -@@ -75,16 +75,18 @@ PasswordAuthentication no +@@ -79,16 +79,18 @@ PasswordAuthentication no #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes @@ -3837,7 +3763,7 @@ diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5 --- a/openssh-6.5p1/sshd_config.5 +++ b/openssh-6.5p1/sshd_config.5 -@@ -475,22 +475,50 @@ to force remote port forwardings to bind +@@ -487,22 +487,50 @@ to force remote port forwardings to bind to allow the client to select the address to which the forwarding is bound. The default is .Dq no . diff --git a/openssh-6.5p1-login_options.patch b/openssh-6.5p1-login_options.patch index 80bd6cb..5dcdcf9 100644 --- a/openssh-6.5p1-login_options.patch +++ b/openssh-6.5p1-login_options.patch @@ -7,7 +7,7 @@ diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac --- a/openssh-6.5p1/configure.ac +++ b/openssh-6.5p1/configure.ac -@@ -695,16 +695,18 @@ main() { if (NSVersionOfRunTimeLibrary(" +@@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary(" AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins]) ;; 
diff --git a/openssh-6.5p1-no_fork-no_pid_file.patch b/openssh-6.5p1-no_fork-no_pid_file.patch index d4b8c2b..3638d3b 100644 --- a/openssh-6.5p1-no_fork-no_pid_file.patch +++ b/openssh-6.5p1-no_fork-no_pid_file.patch @@ -3,7 +3,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c --- a/openssh-6.5p1/sshd.c +++ b/openssh-6.5p1/sshd.c -@@ -1973,17 +1973,17 @@ main(int ac, char **av) +@@ -1985,17 +1985,17 @@ main(int ac, char **av) signal(SIGCHLD, main_sigchld_handler); signal(SIGTERM, sigterm_handler); signal(SIGQUIT, sigterm_handler); diff --git a/openssh.changes b/openssh.changes index b8b8c1d..32fa829 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Mar 17 02:21:13 UTC 2014 - pcerny@suse.com + +- re-enabling the GSSAPI Key Exchange patch + ------------------------------------------------------------------- Fri Feb 28 12:59:27 UTC 2014 - pcerny@suse.com diff --git a/openssh.spec b/openssh.spec index 1d1d1c5..28e7bbd 100644 --- a/openssh.spec +++ b/openssh.spec @@ -198,7 +198,7 @@ Helper applications for OpenSSH which retrieve keys from various sources. %if 0%{?suse_version} > 1310 %patch27 -p2 %endif -#patch28 -p2 +%patch28 -p2 %patch29 -p2 %patch30 -p2 %patch31 -p2
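Review bot: `%patch28 -p2` is re-enabled unconditionally, while the `%patch27 -p2` line directly above it is wrapped in `%if 0%{?suse_version} > 1310 ... %endif`; if the GSSAPI key-exchange patch likewise only applies cleanly on newer releases (the changes entry gives no detail), the same guard belongs on patch28, otherwise older-release builds fail at `%prep`. Suggested lines: `%if 0%{?suse_version} > 1310` / `%patch28 -p2` / `%endif`. If the patch is meant to apply everywhere, a short comment above the line stating that, e.g. `# GSSAPI key exchange (patch28): applies on all supported releases`, would make the intent explicit and distinguish it from the guarded patch27.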