|
|
@ -1,5 +1,5 @@
|
|
|
|
# HG changeset patch
|
|
|
|
# HG changeset patch
|
|
|
|
# Parent a72dad36a987a441e9c92807b1d654e43ddee409
|
|
|
|
# Parent fd62140898f5f8bfaa6d0b527c5893001322a662
|
|
|
|
|
|
|
|
|
|
|
|
diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
|
|
|
|
diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
|
|
|
|
new file mode 100644
|
|
|
|
new file mode 100644
|
|
|
@ -122,7 +122,7 @@ new file mode 100644
|
|
|
|
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
|
|
|
|
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
|
|
|
|
--- a/openssh-6.5p1/Makefile.in
|
|
|
|
--- a/openssh-6.5p1/Makefile.in
|
|
|
|
+++ b/openssh-6.5p1/Makefile.in
|
|
|
|
+++ b/openssh-6.5p1/Makefile.in
|
|
|
|
@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
|
|
|
|
@@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
|
|
|
|
canohost.o channels.o cipher.o cipher-aes.o \
|
|
|
|
canohost.o channels.o cipher.o cipher-aes.o \
|
|
|
|
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
|
|
|
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
|
|
|
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
|
|
|
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
|
|
@ -133,13 +133,14 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
|
|
|
|
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
|
|
|
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
|
|
|
+ kexgssc.o \
|
|
|
|
+ kexgssc.o \
|
|
|
|
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
|
|
|
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
|
|
|
jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
|
|
|
|
jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
|
|
|
|
|
|
|
|
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
|
|
|
|
|
|
|
|
ssh-ed25519.o digest.o \
|
|
|
|
|
|
|
|
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
|
|
|
|
|
|
|
|
auditstub.o \
|
|
|
|
|
|
|
|
fips.o
|
|
|
|
|
|
|
|
|
|
|
|
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
|
|
|
@@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
|
|
|
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
|
|
|
|
|
|
|
roaming_common.o roaming_client.o
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
|
|
|
|
|
|
|
audit.o audit-bsm.o audit-linux.o platform.o \
|
|
|
|
audit.o audit-bsm.o audit-linux.o platform.o \
|
|
|
|
sshpty.o sshlogin.o servconf.o serverloop.o \
|
|
|
|
sshpty.o sshlogin.o servconf.o serverloop.o \
|
|
|
|
auth.o auth1.o auth2.o auth-options.o session.o \
|
|
|
|
auth.o auth1.o auth2.o auth-options.o session.o \
|
|
|
@ -147,21 +148,21 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
|
|
|
|
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
|
|
|
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
|
|
|
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
|
|
|
|
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
|
|
|
|
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
|
|
|
|
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
|
|
|
|
auth-krb5.o \
|
|
|
|
kexc25519s.o auth-krb5.o \
|
|
|
|
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
|
|
|
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
|
|
|
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
|
|
|
|
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
|
|
|
|
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
|
|
|
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
|
|
|
sftp-server.o sftp-common.o \
|
|
|
|
sftp-server.o sftp-common.o \
|
|
|
|
roaming_common.o roaming_serv.o \
|
|
|
|
roaming_common.o roaming_serv.o \
|
|
|
|
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
|
|
|
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
|
|
|
sandbox-seccomp-filter.o
|
|
|
|
sandbox-seccomp-filter.o sandbox-capsicum.o
|
|
|
|
|
|
|
|
|
|
|
|
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
|
|
|
|
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
|
|
|
|
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
|
|
|
|
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
|
|
|
|
diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
|
|
|
|
diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
|
|
|
|
--- a/openssh-6.5p1/auth-krb5.c
|
|
|
|
--- a/openssh-6.5p1/auth-krb5.c
|
|
|
|
+++ b/openssh-6.5p1/auth-krb5.c
|
|
|
|
+++ b/openssh-6.5p1/auth-krb5.c
|
|
|
|
@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c
|
|
|
|
@@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c
|
|
|
|
if (problem)
|
|
|
|
if (problem)
|
|
|
|
goto out;
|
|
|
|
goto out;
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
@ -185,7 +186,7 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
|
|
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
out:
|
|
|
|
restore_uid();
|
|
|
|
restore_uid();
|
|
|
|
@@ -224,35 +229,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
|
|
|
@@ -238,35 +243,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#ifndef HEIMDAL
|
|
|
|
#ifndef HEIMDAL
|
|
|
@ -233,7 +234,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
|
|
|
|
--- a/openssh-6.5p1/auth2-gss.c
|
|
|
|
--- a/openssh-6.5p1/auth2-gss.c
|
|
|
|
+++ b/openssh-6.5p1/auth2-gss.c
|
|
|
|
+++ b/openssh-6.5p1/auth2-gss.c
|
|
|
|
@@ -1,12 +1,12 @@
|
|
|
|
@@ -1,12 +1,12 @@
|
|
|
|
/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
|
|
|
|
/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
|
|
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
|
|
@ -297,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
|
|
|
|
userauth_gssapi(Authctxt *authctxt)
|
|
|
|
userauth_gssapi(Authctxt *authctxt)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
gss_OID_desc goid = {0, NULL};
|
|
|
|
gss_OID_desc goid = {0, NULL};
|
|
|
|
@@ -248,17 +282,18 @@ input_gssapi_exchange_complete(int type,
|
|
|
|
@@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type,
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
* We don't need to check the status, because we're only enabled in
|
|
|
|
* We don't need to check the status, because we're only enabled in
|
|
|
@ -317,7 +318,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
|
|
|
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
|
|
|
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
|
|
|
|
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
|
|
|
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -283,31 +318,38 @@ input_gssapi_mic(int type, u_int32_t ple
|
|
|
|
@@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple
|
|
|
|
|
|
|
|
|
|
|
|
ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
|
|
|
ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
|
|
|
"gssapi-with-mic");
|
|
|
|
"gssapi-with-mic");
|
|
|
@ -414,7 +415,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
|
|
|
|
|
|
|
|
|
|
|
|
/* Flag indicating that no shell has been requested */
|
|
|
|
/* Flag indicating that no shell has been requested */
|
|
|
|
extern int no_shell_flag;
|
|
|
|
extern int no_shell_flag;
|
|
|
|
@@ -1594,16 +1598,25 @@ client_loop(int have_pty, int escape_cha
|
|
|
|
@@ -1603,16 +1607,25 @@ client_loop(int have_pty, int escape_cha
|
|
|
|
&max_fd2, &nalloc, rekeying);
|
|
|
|
&max_fd2, &nalloc, rekeying);
|
|
|
|
|
|
|
|
|
|
|
|
if (quit_pending)
|
|
|
|
if (quit_pending)
|
|
|
@ -443,7 +444,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
|
|
|
|
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
|
|
|
|
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
|
|
|
|
--- a/openssh-6.5p1/configure.ac
|
|
|
|
--- a/openssh-6.5p1/configure.ac
|
|
|
|
+++ b/openssh-6.5p1/configure.ac
|
|
|
|
+++ b/openssh-6.5p1/configure.ac
|
|
|
|
@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary("
|
|
|
|
@@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary("
|
|
|
|
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
|
|
|
|
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
|
|
|
|
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
|
|
|
|
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
|
|
|
|
[Define if your resolver libs need this for getrrsetbyname])
|
|
|
|
[Define if your resolver libs need this for getrrsetbyname])
|
|
|
@ -488,7 +489,7 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
|
|
|
|
--- a/openssh-6.5p1/gss-genr.c
|
|
|
|
--- a/openssh-6.5p1/gss-genr.c
|
|
|
|
+++ b/openssh-6.5p1/gss-genr.c
|
|
|
|
+++ b/openssh-6.5p1/gss-genr.c
|
|
|
|
@@ -1,12 +1,12 @@
|
|
|
|
@@ -1,12 +1,12 @@
|
|
|
|
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
|
|
|
|
/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
|
|
|
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
|
|
@ -878,7 +879,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
|
|
|
|
--- a/openssh-6.5p1/gss-serv-krb5.c
|
|
|
|
--- a/openssh-6.5p1/gss-serv-krb5.c
|
|
|
|
+++ b/openssh-6.5p1/gss-serv-krb5.c
|
|
|
|
+++ b/openssh-6.5p1/gss-serv-krb5.c
|
|
|
|
@@ -1,12 +1,12 @@
|
|
|
|
@@ -1,12 +1,12 @@
|
|
|
|
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
|
|
|
/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
|
|
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
|
|
@ -891,8 +892,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
@@ -115,16 +115,17 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
|
|
|
@@ -117,16 +117,17 @@ static void
|
|
|
|
static void
|
|
|
|
|
|
|
|
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
|
|
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
krb5_ccache ccache;
|
|
|
|
krb5_ccache ccache;
|
|
|
@ -900,6 +900,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
|
|
|
|
krb5_principal princ;
|
|
|
|
krb5_principal princ;
|
|
|
|
OM_uint32 maj_status, min_status;
|
|
|
|
OM_uint32 maj_status, min_status;
|
|
|
|
int len;
|
|
|
|
int len;
|
|
|
|
|
|
|
|
const char *errmsg;
|
|
|
|
+ const char *new_ccname;
|
|
|
|
+ const char *new_ccname;
|
|
|
|
|
|
|
|
|
|
|
|
if (client->creds == NULL) {
|
|
|
|
if (client->creds == NULL) {
|
|
|
@ -909,7 +910,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
|
|
|
|
|
|
|
|
|
|
|
|
if (ssh_gssapi_krb5_init() == 0)
|
|
|
|
if (ssh_gssapi_krb5_init() == 0)
|
|
|
|
return;
|
|
|
|
return;
|
|
|
|
@@ -163,37 +164,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
|
|
|
@@ -175,37 +176,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
|
|
|
|
|
|
|
|
|
|
|
if ((maj_status = gss_krb5_copy_ccache(&min_status,
|
|
|
|
if ((maj_status = gss_krb5_copy_ccache(&min_status,
|
|
|
|
client->creds, ccache))) {
|
|
|
|
client->creds, ccache))) {
|
|
|
@ -1027,7 +1028,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
|
|
|
|
--- a/openssh-6.5p1/gss-serv.c
|
|
|
|
--- a/openssh-6.5p1/gss-serv.c
|
|
|
|
+++ b/openssh-6.5p1/gss-serv.c
|
|
|
|
+++ b/openssh-6.5p1/gss-serv.c
|
|
|
|
@@ -1,12 +1,12 @@
|
|
|
|
@@ -1,12 +1,12 @@
|
|
|
|
/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
|
|
|
|
/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
|
|
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
|
|
@ -1059,8 +1060,8 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
|
|
|
|
|
|
|
|
|
|
|
|
static ssh_gssapi_client gssapi_client =
|
|
|
|
static ssh_gssapi_client gssapi_client =
|
|
|
|
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
|
|
|
|
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
|
|
|
|
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
|
|
|
|
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
|
|
|
|
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0};
|
|
|
|
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
|
|
|
|
|
|
|
|
|
|
|
|
ssh_gssapi_mech gssapi_null_mech =
|
|
|
|
ssh_gssapi_mech gssapi_null_mech =
|
|
|
|
- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
|
|
|
|
- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
|
|
|
@ -1415,19 +1416,15 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
|
|
|
|
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
|
|
|
|
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
|
|
|
|
--- a/openssh-6.5p1/kex.c
|
|
|
|
--- a/openssh-6.5p1/kex.c
|
|
|
|
+++ b/openssh-6.5p1/kex.c
|
|
|
|
+++ b/openssh-6.5p1/kex.c
|
|
|
|
@@ -46,16 +46,24 @@
|
|
|
|
@@ -47,16 +47,20 @@
|
|
|
|
#include "log.h"
|
|
|
|
|
|
|
|
#include "mac.h"
|
|
|
|
#include "mac.h"
|
|
|
|
#include "match.h"
|
|
|
|
#include "match.h"
|
|
|
|
#include "dispatch.h"
|
|
|
|
#include "dispatch.h"
|
|
|
|
#include "monitor.h"
|
|
|
|
#include "monitor.h"
|
|
|
|
#include "roaming.h"
|
|
|
|
#include "roaming.h"
|
|
|
|
|
|
|
|
#include "digest.h"
|
|
|
|
#include "audit.h"
|
|
|
|
#include "audit.h"
|
|
|
|
|
|
|
|
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
|
|
|
|
+#include "ssh-gss.h"
|
|
|
|
|
|
|
|
+#endif
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+#include "ssh-gss.h"
|
|
|
|
+#include "ssh-gss.h"
|
|
|
|
+#endif
|
|
|
|
+#endif
|
|
|
@ -1440,42 +1437,32 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
|
|
|
|
# endif
|
|
|
|
# endif
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
@@ -377,16 +385,30 @@ choose_kex(Kex *k, char *client, char *s
|
|
|
|
@@ -86,16 +90,21 @@ static const struct kexalg kexalgs[] = {
|
|
|
|
} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
|
|
|
|
{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
|
|
|
|
k->kex_type = KEX_DH_GEX_SHA256;
|
|
|
|
SSH_DIGEST_SHA512 },
|
|
|
|
k->evp_md = evp_ssh_sha256();
|
|
|
|
# endif
|
|
|
|
} else if (strncmp(k->name, KEX_ECDH_SHA2_STEM,
|
|
|
|
#endif
|
|
|
|
sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) {
|
|
|
|
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
|
|
|
k->kex_type = KEX_ECDH_SHA2;
|
|
|
|
#ifdef HAVE_EVP_SHA256
|
|
|
|
k->evp_md = kex_ecdh_name_to_evpmd(k->name);
|
|
|
|
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
|
|
|
|
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
|
|
|
+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
|
|
|
|
+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
|
|
|
+ k->kex_type = KEX_GSS_GEX_SHA1;
|
|
|
|
+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
|
|
|
+ k->evp_md = EVP_sha1();
|
|
|
|
|
|
|
|
+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
|
|
|
|
|
|
|
|
+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
|
|
|
|
|
|
|
|
+ k->kex_type = KEX_GSS_GRP1_SHA1;
|
|
|
|
|
|
|
|
+ k->evp_md = EVP_sha1();
|
|
|
|
|
|
|
|
+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
|
|
|
|
|
|
|
|
+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
|
|
|
|
|
|
|
|
+ k->kex_type = KEX_GSS_GRP14_SHA1;
|
|
|
|
|
|
|
|
+ k->evp_md = EVP_sha1();
|
|
|
|
|
|
|
|
+#endif
|
|
|
|
+#endif
|
|
|
|
} else
|
|
|
|
{ NULL, -1, -1, -1},
|
|
|
|
fatal("bad kex alg %s", k->name);
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
char *
|
|
|
|
choose_hostkeyalg(Kex *k, char *client, char *server)
|
|
|
|
kex_alg_list(char sep)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
char *hostkeyalg = match_list(client, server, NULL);
|
|
|
|
char *ret = NULL;
|
|
|
|
|
|
|
|
size_t nlen, rlen = 0;
|
|
|
|
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
|
|
|
|
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
|
|
|
|
--- a/openssh-6.5p1/kex.h
|
|
|
|
--- a/openssh-6.5p1/kex.h
|
|
|
|
+++ b/openssh-6.5p1/kex.h
|
|
|
|
+++ b/openssh-6.5p1/kex.h
|
|
|
|
@@ -68,16 +68,19 @@ enum kex_modes {
|
|
|
|
@@ -71,16 +71,19 @@ enum kex_modes {
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
enum kex_exchange {
|
|
|
|
enum kex_exchange {
|
|
|
|
KEX_DH_GRP1_SHA1,
|
|
|
|
KEX_DH_GRP1_SHA1,
|
|
|
@ -1483,6 +1470,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
|
|
|
|
KEX_DH_GEX_SHA1,
|
|
|
|
KEX_DH_GEX_SHA1,
|
|
|
|
KEX_DH_GEX_SHA256,
|
|
|
|
KEX_DH_GEX_SHA256,
|
|
|
|
KEX_ECDH_SHA2,
|
|
|
|
KEX_ECDH_SHA2,
|
|
|
|
|
|
|
|
KEX_C25519_SHA256,
|
|
|
|
+ KEX_GSS_GRP1_SHA1,
|
|
|
|
+ KEX_GSS_GRP1_SHA1,
|
|
|
|
+ KEX_GSS_GRP14_SHA1,
|
|
|
|
+ KEX_GSS_GRP14_SHA1,
|
|
|
|
+ KEX_GSS_GEX_SHA1,
|
|
|
|
+ KEX_GSS_GEX_SHA1,
|
|
|
@ -1494,15 +1482,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
|
|
|
|
typedef struct Kex Kex;
|
|
|
|
typedef struct Kex Kex;
|
|
|
|
typedef struct Mac Mac;
|
|
|
|
typedef struct Mac Mac;
|
|
|
|
typedef struct Comp Comp;
|
|
|
|
typedef struct Comp Comp;
|
|
|
|
@@ -126,16 +129,22 @@ struct Kex {
|
|
|
|
@@ -131,16 +134,22 @@ struct Kex {
|
|
|
|
int hostkey_type;
|
|
|
|
|
|
|
|
int kex_type;
|
|
|
|
int kex_type;
|
|
|
|
int roaming;
|
|
|
|
int roaming;
|
|
|
|
Buffer my;
|
|
|
|
Buffer my;
|
|
|
|
Buffer peer;
|
|
|
|
Buffer peer;
|
|
|
|
sig_atomic_t done;
|
|
|
|
sig_atomic_t done;
|
|
|
|
int flags;
|
|
|
|
int flags;
|
|
|
|
const EVP_MD *evp_md;
|
|
|
|
int hash_alg;
|
|
|
|
|
|
|
|
int ec_nid;
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+ int gss_deleg_creds;
|
|
|
|
+ int gss_deleg_creds;
|
|
|
|
+ int gss_trust_dns;
|
|
|
|
+ int gss_trust_dns;
|
|
|
@ -1515,15 +1503,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
|
|
|
|
Key *(*load_host_public_key)(int);
|
|
|
|
Key *(*load_host_public_key)(int);
|
|
|
|
Key *(*load_host_private_key)(int);
|
|
|
|
Key *(*load_host_private_key)(int);
|
|
|
|
int (*host_key_index)(Key *);
|
|
|
|
int (*host_key_index)(Key *);
|
|
|
|
|
|
|
|
void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
|
|
|
|
void (*kex[KEX_MAX])(Kex *);
|
|
|
|
void (*kex[KEX_MAX])(Kex *);
|
|
|
|
};
|
|
|
|
@@ -164,16 +173,21 @@ void kexdh_server(Kex *);
|
|
|
|
@@ -154,16 +163,21 @@ Newkeys *kex_get_newkeys(int);
|
|
|
|
|
|
|
|
void kexdh_client(Kex *);
|
|
|
|
|
|
|
|
void kexdh_server(Kex *);
|
|
|
|
|
|
|
|
void kexgex_client(Kex *);
|
|
|
|
void kexgex_client(Kex *);
|
|
|
|
void kexgex_server(Kex *);
|
|
|
|
void kexgex_server(Kex *);
|
|
|
|
void kexecdh_client(Kex *);
|
|
|
|
void kexecdh_client(Kex *);
|
|
|
|
void kexecdh_server(Kex *);
|
|
|
|
void kexecdh_server(Kex *);
|
|
|
|
|
|
|
|
void kexc25519_client(Kex *);
|
|
|
|
|
|
|
|
void kexc25519_server(Kex *);
|
|
|
|
|
|
|
|
|
|
|
|
void newkeys_destroy(Newkeys *newkeys);
|
|
|
|
void newkeys_destroy(Newkeys *newkeys);
|
|
|
|
+
|
|
|
|
+
|
|
|
@ -1536,7 +1524,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
|
|
|
|
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
|
|
|
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
|
|
|
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
|
|
|
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
|
|
|
void
|
|
|
|
void
|
|
|
|
kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
|
|
|
|
kexgex_hash(int, char *, char *, char *, int, char *,
|
|
|
|
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
|
|
|
|
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
|
|
|
|
BIGNUM *, BIGNUM *, u_char **, u_int *);
|
|
|
|
BIGNUM *, BIGNUM *, u_char **, u_int *);
|
|
|
|
diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
|
|
|
|
diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
|
|
|
@ -1825,7 +1813,7 @@ new file mode 100644
|
|
|
|
+ break;
|
|
|
|
+ break;
|
|
|
|
+ case KEX_GSS_GEX_SHA1:
|
|
|
|
+ case KEX_GSS_GEX_SHA1:
|
|
|
|
+ kexgex_hash(
|
|
|
|
+ kexgex_hash(
|
|
|
|
+ kex->evp_md,
|
|
|
|
+ kex->hash_alg,
|
|
|
|
+ kex->client_version_string,
|
|
|
|
+ kex->client_version_string,
|
|
|
|
+ kex->server_version_string,
|
|
|
|
+ kex->server_version_string,
|
|
|
|
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
|
|
|
|
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
|
|
|
@ -1872,7 +1860,7 @@ new file mode 100644
|
|
|
|
+ else
|
|
|
|
+ else
|
|
|
|
+ ssh_gssapi_delete_ctx(&ctxt);
|
|
|
|
+ ssh_gssapi_delete_ctx(&ctxt);
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
|
|
|
|
+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
|
|
|
|
+ BN_clear_free(shared_secret);
|
|
|
|
+ BN_clear_free(shared_secret);
|
|
|
|
+ kex_finish(kex);
|
|
|
|
+ kex_finish(kex);
|
|
|
|
+}
|
|
|
|
+}
|
|
|
@ -2108,7 +2096,7 @@ new file mode 100644
|
|
|
|
+ break;
|
|
|
|
+ break;
|
|
|
|
+ case KEX_GSS_GEX_SHA1:
|
|
|
|
+ case KEX_GSS_GEX_SHA1:
|
|
|
|
+ kexgex_hash(
|
|
|
|
+ kexgex_hash(
|
|
|
|
+ kex->evp_md,
|
|
|
|
+ kex->hash_alg,
|
|
|
|
+ kex->client_version_string, kex->server_version_string,
|
|
|
|
+ kex->client_version_string, kex->server_version_string,
|
|
|
|
+ buffer_ptr(&kex->peer), buffer_len(&kex->peer),
|
|
|
|
+ buffer_ptr(&kex->peer), buffer_len(&kex->peer),
|
|
|
|
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
|
|
|
|
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
|
|
|
@ -2161,7 +2149,7 @@ new file mode 100644
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ DH_free(dh);
|
|
|
|
+ DH_free(dh);
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
|
|
|
|
+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
|
|
|
|
+ BN_clear_free(shared_secret);
|
|
|
|
+ BN_clear_free(shared_secret);
|
|
|
|
+ kex_finish(kex);
|
|
|
|
+ kex_finish(kex);
|
|
|
|
+
|
|
|
|
+
|
|
|
@ -2174,54 +2162,35 @@ new file mode 100644
|
|
|
|
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
|
|
|
|
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
|
|
|
|
--- a/openssh-6.5p1/key.c
|
|
|
|
--- a/openssh-6.5p1/key.c
|
|
|
|
+++ b/openssh-6.5p1/key.c
|
|
|
|
+++ b/openssh-6.5p1/key.c
|
|
|
|
@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int
|
|
|
|
@@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] =
|
|
|
|
return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
|
|
|
|
# endif
|
|
|
|
case NID_secp521r1:
|
|
|
|
|
|
|
|
return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
#endif /* OPENSSL_HAS_ECC */
|
|
|
|
#endif /* OPENSSL_HAS_ECC */
|
|
|
|
+ case KEY_NULL:
|
|
|
|
{ "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
|
|
|
|
+ return "null";
|
|
|
|
KEY_RSA_CERT_V00, 0, 1 },
|
|
|
|
}
|
|
|
|
{ "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
|
|
|
|
return "ssh-unknown";
|
|
|
|
KEY_DSA_CERT_V00, 0, 1 },
|
|
|
|
}
|
|
|
|
{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
|
|
|
|
|
|
|
|
KEY_ED25519_CERT, 0, 1 },
|
|
|
|
|
|
|
|
+ { "null", "null",
|
|
|
|
|
|
|
|
+ KEY_NULL, 0, 0 },
|
|
|
|
|
|
|
|
{ NULL, NULL, -1, -1, 0 }
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
const char *
|
|
|
|
const char *
|
|
|
|
key_ssh_name(const Key *k)
|
|
|
|
key_type(const Key *k)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
|
|
|
|
const struct keytype *kt;
|
|
|
|
@@ -1343,16 +1345,18 @@ key_type_from_name(char *name)
|
|
|
|
|
|
|
|
} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
|
|
|
|
|
|
|
|
return KEY_DSA_CERT;
|
|
|
|
|
|
|
|
#ifdef OPENSSL_HAS_ECC
|
|
|
|
|
|
|
|
} else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
|
|
|
|
|
|
|
|
strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
|
|
|
|
|
|
|
|
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
|
|
|
|
|
|
|
|
return KEY_ECDSA_CERT;
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
+ } else if (strcmp(name, "null") == 0) {
|
|
|
|
|
|
|
|
+ return KEY_NULL;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
debug2("key_type_from_name: unknown key type '%s'", name);
|
|
|
|
|
|
|
|
return KEY_UNSPEC;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
|
|
|
key_ecdsa_nid_from_name(const char *name)
|
|
|
|
|
|
|
|
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
|
|
|
|
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
|
|
|
|
--- a/openssh-6.5p1/key.h
|
|
|
|
--- a/openssh-6.5p1/key.h
|
|
|
|
+++ b/openssh-6.5p1/key.h
|
|
|
|
+++ b/openssh-6.5p1/key.h
|
|
|
|
@@ -39,16 +39,17 @@ enum types {
|
|
|
|
@@ -41,16 +41,17 @@ enum types {
|
|
|
|
KEY_RSA,
|
|
|
|
|
|
|
|
KEY_DSA,
|
|
|
|
|
|
|
|
KEY_ECDSA,
|
|
|
|
KEY_ECDSA,
|
|
|
|
|
|
|
|
KEY_ED25519,
|
|
|
|
KEY_RSA_CERT,
|
|
|
|
KEY_RSA_CERT,
|
|
|
|
KEY_DSA_CERT,
|
|
|
|
KEY_DSA_CERT,
|
|
|
|
KEY_ECDSA_CERT,
|
|
|
|
KEY_ECDSA_CERT,
|
|
|
|
|
|
|
|
KEY_ED25519_CERT,
|
|
|
|
KEY_RSA_CERT_V00,
|
|
|
|
KEY_RSA_CERT_V00,
|
|
|
|
KEY_DSA_CERT_V00,
|
|
|
|
KEY_DSA_CERT_V00,
|
|
|
|
+ KEY_NULL,
|
|
|
|
+ KEY_NULL,
|
|
|
@ -2236,7 +2205,7 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
|
|
|
|
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
--- a/openssh-6.5p1/monitor.c
|
|
|
|
--- a/openssh-6.5p1/monitor.c
|
|
|
|
+++ b/openssh-6.5p1/monitor.c
|
|
|
|
+++ b/openssh-6.5p1/monitor.c
|
|
|
|
@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *)
|
|
|
|
@@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *)
|
|
|
|
int mm_answer_pam_free_ctx(int, Buffer *);
|
|
|
|
int mm_answer_pam_free_ctx(int, Buffer *);
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
@ -2255,7 +2224,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
int mm_answer_audit_end_command(int, Buffer *);
|
|
|
|
int mm_answer_audit_end_command(int, Buffer *);
|
|
|
|
int mm_answer_audit_unsupported_body(int, Buffer *);
|
|
|
|
int mm_answer_audit_unsupported_body(int, Buffer *);
|
|
|
|
int mm_answer_audit_kex_body(int, Buffer *);
|
|
|
|
int mm_answer_audit_kex_body(int, Buffer *);
|
|
|
|
@@ -259,28 +261,35 @@ struct mon_table mon_dispatch_proto20[]
|
|
|
|
@@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[]
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
|
|
|
|
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
|
|
|
|
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
|
|
|
|
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
|
|
|
@ -2291,7 +2260,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
#ifdef SSH_AUDIT_EVENTS
|
|
|
|
#ifdef SSH_AUDIT_EVENTS
|
|
|
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
|
|
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
|
|
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
|
|
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
|
|
|
@@ -393,16 +402,20 @@ monitor_child_preauth(Authctxt *_authctx
|
|
|
|
@@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx
|
|
|
|
authctxt->loginmsg = &loginmsg;
|
|
|
|
authctxt->loginmsg = &loginmsg;
|
|
|
|
|
|
|
|
|
|
|
|
if (compat20) {
|
|
|
|
if (compat20) {
|
|
|
@ -2333,8 +2302,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
|
|
|
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
|
|
|
monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
|
|
|
|
monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -1912,16 +1929,23 @@ mm_get_kex(Buffer *m)
|
|
|
|
@@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m)
|
|
|
|
timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
|
|
|
|
|
|
|
|
fatal("mm_get_get: internal error: bad session id");
|
|
|
|
fatal("mm_get_get: internal error: bad session id");
|
|
|
|
kex->we_need = buffer_get_int(m);
|
|
|
|
kex->we_need = buffer_get_int(m);
|
|
|
|
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
|
|
|
|
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
|
|
|
@ -2342,6 +2310,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
|
|
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
|
|
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
|
|
|
|
|
|
|
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+ if (options.gss_keyex) {
|
|
|
|
+ if (options.gss_keyex) {
|
|
|
|
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
|
|
|
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
|
|
@ -2357,7 +2326,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
buffer_append(&kex->my, blob, bloblen);
|
|
|
|
buffer_append(&kex->my, blob, bloblen);
|
|
|
|
free(blob);
|
|
|
|
free(blob);
|
|
|
|
blob = buffer_get_string(m, &bloblen);
|
|
|
|
blob = buffer_get_string(m, &bloblen);
|
|
|
|
@@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon)
|
|
|
|
@@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon)
|
|
|
|
#ifdef GSSAPI
|
|
|
|
#ifdef GSSAPI
|
|
|
|
int
|
|
|
|
int
|
|
|
|
mm_answer_gss_setup_ctx(int sock, Buffer *m)
|
|
|
|
mm_answer_gss_setup_ctx(int sock, Buffer *m)
|
|
|
@ -2377,7 +2346,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
free(goid.elements);
|
|
|
|
free(goid.elements);
|
|
|
|
|
|
|
|
|
|
|
|
buffer_clear(m);
|
|
|
|
buffer_clear(m);
|
|
|
|
@@ -2162,16 +2189,19 @@ int
|
|
|
|
@@ -2182,16 +2209,19 @@ int
|
|
|
|
mm_answer_gss_accept_ctx(int sock, Buffer *m)
|
|
|
|
mm_answer_gss_accept_ctx(int sock, Buffer *m)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
gss_buffer_desc in;
|
|
|
|
gss_buffer_desc in;
|
|
|
@ -2397,7 +2366,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
buffer_clear(m);
|
|
|
|
buffer_clear(m);
|
|
|
|
buffer_put_int(m, major);
|
|
|
|
buffer_put_int(m, major);
|
|
|
|
buffer_put_string(m, out.value, out.length);
|
|
|
|
buffer_put_string(m, out.value, out.length);
|
|
|
|
@@ -2179,27 +2209,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
|
|
|
@@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
|
|
|
mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
|
|
|
|
mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
|
|
|
|
|
|
|
|
|
|
|
|
gss_release_buffer(&minor, &out);
|
|
|
|
gss_release_buffer(&minor, &out);
|
|
|
@ -2429,7 +2398,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
|
|
|
|
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
|
|
|
|
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
|
|
|
|
|
|
|
|
|
|
|
|
free(gssbuf.value);
|
|
|
|
free(gssbuf.value);
|
|
|
|
@@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer
|
|
|
|
@@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer
|
|
|
|
return (0);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -2558,7 +2527,7 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
|
|
|
|
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
|
|
|
|
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
|
|
|
|
--- a/openssh-6.5p1/monitor_wrap.c
|
|
|
|
--- a/openssh-6.5p1/monitor_wrap.c
|
|
|
|
+++ b/openssh-6.5p1/monitor_wrap.c
|
|
|
|
+++ b/openssh-6.5p1/monitor_wrap.c
|
|
|
|
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
|
|
|
@@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
|
|
|
&m);
|
|
|
|
&m);
|
|
|
|
|
|
|
|
|
|
|
|
major = buffer_get_int(&m);
|
|
|
|
major = buffer_get_int(&m);
|
|
|
@ -2666,7 +2635,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
|
|
|
|
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
|
|
|
|
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
|
|
|
|
--- a/openssh-6.5p1/readconf.c
|
|
|
|
--- a/openssh-6.5p1/readconf.c
|
|
|
|
+++ b/openssh-6.5p1/readconf.c
|
|
|
|
+++ b/openssh-6.5p1/readconf.c
|
|
|
|
@@ -124,16 +124,18 @@ typedef enum {
|
|
|
|
@@ -135,16 +135,18 @@ typedef enum {
|
|
|
|
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
|
|
|
|
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
|
|
|
|
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
|
|
|
|
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
|
|
|
|
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
|
|
|
|
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
|
|
|
@ -2682,10 +2651,10 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
|
|
|
|
oHashKnownHosts,
|
|
|
|
oHashKnownHosts,
|
|
|
|
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
|
|
|
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
|
|
|
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
|
|
|
|
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
|
|
|
|
oKexAlgorithms, oIPQoS, oRequestTTY,
|
|
|
|
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
|
|
|
oDeprecated, oUnsupported
|
|
|
|
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
|
|
|
} OpCodes;
|
|
|
|
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
|
|
|
@@ -164,22 +166,31 @@ static struct {
|
|
|
|
@@ -177,22 +179,31 @@ static struct {
|
|
|
|
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
|
|
|
|
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
|
|
|
|
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
|
|
|
|
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
|
|
|
|
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
|
|
|
|
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
|
|
|
@ -2717,7 +2686,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
|
|
|
|
{ "identitiesonly", oIdentitiesOnly },
|
|
|
|
{ "identitiesonly", oIdentitiesOnly },
|
|
|
|
{ "hostname", oHostName },
|
|
|
|
{ "hostname", oHostName },
|
|
|
|
{ "hostkeyalias", oHostKeyAlias },
|
|
|
|
{ "hostkeyalias", oHostKeyAlias },
|
|
|
|
@@ -500,24 +511,44 @@ parse_flag:
|
|
|
|
@@ -836,24 +847,44 @@ parse_time:
|
|
|
|
case oChallengeResponseAuthentication:
|
|
|
|
case oChallengeResponseAuthentication:
|
|
|
|
intptr = &options->challenge_response_authentication;
|
|
|
|
intptr = &options->challenge_response_authentication;
|
|
|
|
goto parse_flag;
|
|
|
|
goto parse_flag;
|
|
|
@ -2762,7 +2731,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
|
|
|
|
intptr = &options->check_host_ip;
|
|
|
|
intptr = &options->check_host_ip;
|
|
|
|
goto parse_flag;
|
|
|
|
goto parse_flag;
|
|
|
|
|
|
|
|
|
|
|
|
@@ -1159,18 +1190,23 @@ initialize_options(Options * options)
|
|
|
|
@@ -1489,18 +1520,23 @@ initialize_options(Options * options)
|
|
|
|
options->exit_on_forward_failure = -1;
|
|
|
|
options->exit_on_forward_failure = -1;
|
|
|
|
options->xauth_location = NULL;
|
|
|
|
options->xauth_location = NULL;
|
|
|
|
options->gateway_ports = -1;
|
|
|
|
options->gateway_ports = -1;
|
|
|
@ -2786,7 +2755,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
|
|
|
|
options->batch_mode = -1;
|
|
|
|
options->batch_mode = -1;
|
|
|
|
options->check_host_ip = -1;
|
|
|
|
options->check_host_ip = -1;
|
|
|
|
options->strict_host_key_checking = -1;
|
|
|
|
options->strict_host_key_checking = -1;
|
|
|
|
@@ -1260,20 +1296,26 @@ fill_default_options(Options * options)
|
|
|
|
@@ -1596,20 +1632,26 @@ fill_default_options(Options * options)
|
|
|
|
if (options->rsa_authentication == -1)
|
|
|
|
if (options->rsa_authentication == -1)
|
|
|
|
options->rsa_authentication = 1;
|
|
|
|
options->rsa_authentication = 1;
|
|
|
|
if (options->pubkey_authentication == -1)
|
|
|
|
if (options->pubkey_authentication == -1)
|
|
|
@ -2816,7 +2785,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
|
|
|
|
diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
|
|
|
|
diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
|
|
|
|
--- a/openssh-6.5p1/readconf.h
|
|
|
|
--- a/openssh-6.5p1/readconf.h
|
|
|
|
+++ b/openssh-6.5p1/readconf.h
|
|
|
|
+++ b/openssh-6.5p1/readconf.h
|
|
|
|
@@ -43,18 +43,23 @@ typedef struct {
|
|
|
|
@@ -49,18 +49,23 @@ typedef struct {
|
|
|
|
int rhosts_rsa_authentication; /* Try rhosts with RSA
|
|
|
|
int rhosts_rsa_authentication; /* Try rhosts with RSA
|
|
|
|
* authentication. */
|
|
|
|
* authentication. */
|
|
|
|
int rsa_authentication; /* Try RSA authentication. */
|
|
|
|
int rsa_authentication; /* Try RSA authentication. */
|
|
|
@ -2843,7 +2812,7 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
|
|
|
|
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
|
|
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
|
|
--- a/openssh-6.5p1/servconf.c
|
|
|
|
--- a/openssh-6.5p1/servconf.c
|
|
|
|
+++ b/openssh-6.5p1/servconf.c
|
|
|
|
+++ b/openssh-6.5p1/servconf.c
|
|
|
|
@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions
|
|
|
|
@@ -104,18 +104,21 @@ initialize_server_options(ServerOptions
|
|
|
|
options->hostbased_uses_name_from_packet_only = -1;
|
|
|
|
options->hostbased_uses_name_from_packet_only = -1;
|
|
|
|
options->rsa_authentication = -1;
|
|
|
|
options->rsa_authentication = -1;
|
|
|
|
options->pubkey_authentication = -1;
|
|
|
|
options->pubkey_authentication = -1;
|
|
|
@ -2864,8 +2833,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
|
|
options->permit_user_env = -1;
|
|
|
|
options->permit_user_env = -1;
|
|
|
|
options->use_login = -1;
|
|
|
|
options->use_login = -1;
|
|
|
|
options->compression = -1;
|
|
|
|
options->compression = -1;
|
|
|
|
options->allow_tcp_forwarding = -1;
|
|
|
|
options->rekey_limit = -1;
|
|
|
|
@@ -232,20 +235,26 @@ fill_default_server_options(ServerOption
|
|
|
|
@@ -244,20 +247,26 @@ fill_default_server_options(ServerOption
|
|
|
|
if (options->kerberos_or_local_passwd == -1)
|
|
|
|
if (options->kerberos_or_local_passwd == -1)
|
|
|
|
options->kerberos_or_local_passwd = 1;
|
|
|
|
options->kerberos_or_local_passwd = 1;
|
|
|
|
if (options->kerberos_ticket_cleanup == -1)
|
|
|
|
if (options->kerberos_ticket_cleanup == -1)
|
|
|
@ -2892,8 +2861,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
|
|
options->challenge_response_authentication = 1;
|
|
|
|
options->challenge_response_authentication = 1;
|
|
|
|
if (options->permit_empty_passwd == -1)
|
|
|
|
if (options->permit_empty_passwd == -1)
|
|
|
|
options->permit_empty_passwd = 0;
|
|
|
|
options->permit_empty_passwd = 0;
|
|
|
|
@@ -329,16 +338,17 @@ typedef enum {
|
|
|
|
@@ -345,16 +354,17 @@ typedef enum {
|
|
|
|
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
|
|
|
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
|
|
|
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
|
|
|
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
|
|
|
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
|
|
|
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
|
|
|
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
|
|
|
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
|
|
@ -2908,9 +2877,9 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
|
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
|
|
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
|
|
|
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
|
|
|
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
|
|
|
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
|
|
|
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
|
|
|
sAuthenticationMethods,
|
|
|
|
sAuthenticationMethods, sHostKeyAgent,
|
|
|
|
sDeprecated, sUnsupported
|
|
|
|
sDeprecated, sUnsupported
|
|
|
|
@@ -397,21 +407,31 @@ static struct {
|
|
|
|
@@ -414,21 +424,31 @@ static struct {
|
|
|
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
|
|
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
|
|
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
|
|
@ -2942,7 +2911,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
|
|
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
|
|
|
|
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
|
|
|
|
#else
|
|
|
|
#else
|
|
|
|
{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
|
|
|
|
{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
|
|
|
|
@@ -1057,24 +1077,36 @@ process_server_config_line(ServerOptions
|
|
|
|
@@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions
|
|
|
|
case sKerberosGetAFSToken:
|
|
|
|
case sKerberosGetAFSToken:
|
|
|
|
intptr = &options->kerberos_get_afs_token;
|
|
|
|
intptr = &options->kerberos_get_afs_token;
|
|
|
|
goto parse_flag;
|
|
|
|
goto parse_flag;
|
|
|
@ -2979,7 +2948,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
|
|
intptr = &options->zero_knowledge_password_authentication;
|
|
|
|
intptr = &options->zero_knowledge_password_authentication;
|
|
|
|
goto parse_flag;
|
|
|
|
goto parse_flag;
|
|
|
|
|
|
|
|
|
|
|
|
@@ -1939,17 +1971,20 @@ dump_config(ServerOptions *o)
|
|
|
|
@@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o)
|
|
|
|
dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
|
|
|
|
dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
|
|
|
|
dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
|
|
|
|
dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
|
|
|
|
# ifdef USE_AFS
|
|
|
|
# ifdef USE_AFS
|
|
|
@ -3003,7 +2972,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
|
|
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
|
|
|
|
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
|
|
|
|
--- a/openssh-6.5p1/servconf.h
|
|
|
|
--- a/openssh-6.5p1/servconf.h
|
|
|
|
+++ b/openssh-6.5p1/servconf.h
|
|
|
|
+++ b/openssh-6.5p1/servconf.h
|
|
|
|
@@ -105,18 +105,21 @@ typedef struct {
|
|
|
|
@@ -107,18 +107,21 @@ typedef struct {
|
|
|
|
* authentication mechanism,
|
|
|
|
* authentication mechanism,
|
|
|
|
* such as SecurID or
|
|
|
|
* such as SecurID or
|
|
|
|
* /etc/passwd */
|
|
|
|
* /etc/passwd */
|
|
|
@ -3176,7 +3145,7 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
|
|
|
|
diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
|
|
|
|
diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
|
|
|
|
--- a/openssh-6.5p1/ssh_config.5
|
|
|
|
--- a/openssh-6.5p1/ssh_config.5
|
|
|
|
+++ b/openssh-6.5p1/ssh_config.5
|
|
|
|
+++ b/openssh-6.5p1/ssh_config.5
|
|
|
|
@@ -525,21 +525,53 @@ host key database, separated by whitespa
|
|
|
|
@@ -671,21 +671,53 @@ host key database, separated by whitespa
|
|
|
|
The default is
|
|
|
|
The default is
|
|
|
|
.Pa /etc/ssh/ssh_known_hosts ,
|
|
|
|
.Pa /etc/ssh/ssh_known_hosts ,
|
|
|
|
.Pa /etc/ssh/ssh_known_hosts2 .
|
|
|
|
.Pa /etc/ssh/ssh_known_hosts2 .
|
|
|
@ -3234,7 +3203,7 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
|
|
|
|
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
--- a/openssh-6.5p1/sshconnect2.c
|
|
|
|
--- a/openssh-6.5p1/sshconnect2.c
|
|
|
|
+++ b/openssh-6.5p1/sshconnect2.c
|
|
|
|
+++ b/openssh-6.5p1/sshconnect2.c
|
|
|
|
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
|
|
|
|
@@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc
|
|
|
|
return ret;
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -3278,12 +3247,12 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
if (options.ciphers != NULL) {
|
|
|
|
if (options.ciphers != NULL) {
|
|
|
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
|
|
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
|
|
|
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
|
|
|
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
|
|
|
}
|
|
|
|
} else if (fips_mode()) {
|
|
|
|
@@ -192,30 +217,61 @@ ssh_kex2(char *host, struct sockaddr *ho
|
|
|
|
@@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho
|
|
|
|
else {
|
|
|
|
|
|
|
|
/* Prefer algorithms that we already have keys for */
|
|
|
|
/* Prefer algorithms that we already have keys for */
|
|
|
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
|
|
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
|
|
|
order_hostkeyalgs(host, hostaddr, port);
|
|
|
|
compat_pkalg_proposal(
|
|
|
|
|
|
|
|
order_hostkeyalgs(host, hostaddr, port));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (options.kex_algorithms != NULL)
|
|
|
|
if (options.kex_algorithms != NULL)
|
|
|
|
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
|
|
|
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
|
|
@ -3299,8 +3268,9 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+#endif
|
|
|
|
+#endif
|
|
|
|
+
|
|
|
|
+
|
|
|
|
if (options.rekey_limit)
|
|
|
|
if (options.rekey_limit || options.rekey_interval)
|
|
|
|
packet_set_rekey_limit((u_int32_t)options.rekey_limit);
|
|
|
|
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
|
|
|
|
|
|
|
|
(time_t)options.rekey_interval);
|
|
|
|
|
|
|
|
|
|
|
|
/* start key exchange */
|
|
|
|
/* start key exchange */
|
|
|
|
kex = kex_setup(myproposal);
|
|
|
|
kex = kex_setup(myproposal);
|
|
|
@ -3309,6 +3279,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
|
|
|
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
|
|
|
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
|
|
|
|
|
|
|
|
kex->kex[KEX_C25519_SHA256] = kexc25519_client;
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+ if (options.gss_keyex) {
|
|
|
|
+ if (options.gss_keyex) {
|
|
|
|
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
|
|
|
|
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
|
|
|
@ -3341,7 +3312,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
debug("Roaming not allowed by server");
|
|
|
|
debug("Roaming not allowed by server");
|
|
|
|
options.use_roaming = 0;
|
|
|
|
options.use_roaming = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -301,31 +357,37 @@ void userauth_jpake_cleanup(Authctxt *);
|
|
|
|
@@ -315,31 +371,37 @@ void userauth_jpake_cleanup(Authctxt *);
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef GSSAPI
|
|
|
|
#ifdef GSSAPI
|
|
|
|
int userauth_gssapi(Authctxt *authctxt);
|
|
|
|
int userauth_gssapi(Authctxt *authctxt);
|
|
|
@ -3379,7 +3350,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
{"gssapi",
|
|
|
|
{"gssapi",
|
|
|
|
userauth_gssapi,
|
|
|
|
userauth_gssapi,
|
|
|
|
NULL,
|
|
|
|
NULL,
|
|
|
|
@@ -627,29 +689,41 @@ done:
|
|
|
|
@@ -638,29 +700,41 @@ done:
|
|
|
|
int
|
|
|
|
int
|
|
|
|
userauth_gssapi(Authctxt *authctxt)
|
|
|
|
userauth_gssapi(Authctxt *authctxt)
|
|
|
|
{
|
|
|
|
{
|
|
|
@ -3423,7 +3394,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
|
|
|
|
|
|
|
|
if (!ok)
|
|
|
|
if (!ok)
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
@@ -738,18 +812,18 @@ process_gssapi_token(void *ctxt, gss_buf
|
|
|
|
@@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* ARGSUSED */
|
|
|
|
/* ARGSUSED */
|
|
|
@ -3444,7 +3415,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
/* Setup our OID */
|
|
|
|
/* Setup our OID */
|
|
|
|
oidv = packet_get_string(&oidlen);
|
|
|
|
oidv = packet_get_string(&oidlen);
|
|
|
|
|
|
|
|
|
|
|
|
@@ -849,16 +923,58 @@ input_gssapi_error(int type, u_int32_t p
|
|
|
|
@@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p
|
|
|
|
lang=packet_get_string(NULL);
|
|
|
|
lang=packet_get_string(NULL);
|
|
|
|
|
|
|
|
|
|
|
|
packet_check_eom();
|
|
|
|
packet_check_eom();
|
|
|
@ -3506,19 +3477,15 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
|
|
|
|
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
|
|
|
|
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
|
|
|
|
--- a/openssh-6.5p1/sshd.c
|
|
|
|
--- a/openssh-6.5p1/sshd.c
|
|
|
|
+++ b/openssh-6.5p1/sshd.c
|
|
|
|
+++ b/openssh-6.5p1/sshd.c
|
|
|
|
@@ -119,16 +119,24 @@
|
|
|
|
@@ -121,16 +121,20 @@
|
|
|
|
#include "ssh-gss.h"
|
|
|
|
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
#include "monitor_wrap.h"
|
|
|
|
#include "monitor_wrap.h"
|
|
|
|
#include "roaming.h"
|
|
|
|
#include "roaming.h"
|
|
|
|
#include "audit.h"
|
|
|
|
#include "audit.h"
|
|
|
|
#include "ssh-sandbox.h"
|
|
|
|
#include "ssh-sandbox.h"
|
|
|
|
#include "version.h"
|
|
|
|
#include "version.h"
|
|
|
|
|
|
|
|
#include "fips.h"
|
|
|
|
|
|
|
|
|
|
|
|
+#ifdef USE_SECURITY_SESSION_API
|
|
|
|
|
|
|
|
+#include <Security/AuthSession.h>
|
|
|
|
|
|
|
|
+#endif
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+#ifdef USE_SECURITY_SESSION_API
|
|
|
|
+#ifdef USE_SECURITY_SESSION_API
|
|
|
|
+#include <Security/AuthSession.h>
|
|
|
|
+#include <Security/AuthSession.h>
|
|
|
|
+#endif
|
|
|
|
+#endif
|
|
|
@ -3531,10 +3498,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
|
|
|
|
#endif /* LIBWRAP */
|
|
|
|
#endif /* LIBWRAP */
|
|
|
|
|
|
|
|
|
|
|
|
#ifndef O_NOCTTY
|
|
|
|
#ifndef O_NOCTTY
|
|
|
|
@@ -1715,20 +1723,23 @@ main(int ac, char **av)
|
|
|
|
@@ -1795,20 +1799,23 @@ main(int ac, char **av)
|
|
|
|
}
|
|
|
|
if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
|
|
|
|
debug("private host key: #%d type %d %s", i, key->type,
|
|
|
|
logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
|
|
|
|
key_type(key));
|
|
|
|
options.protocol &= ~SSH_PROTO_1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
|
|
|
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
|
|
|
logit("Disabling protocol version 1. Could not load host key");
|
|
|
|
logit("Disabling protocol version 1. Could not load host key");
|
|
|
@ -3555,7 +3522,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
* Load certificates. They are stored in an array at identical
|
|
|
|
* Load certificates. They are stored in an array at identical
|
|
|
|
* indices to the public keys that they relate to.
|
|
|
|
* indices to the public keys that they relate to.
|
|
|
|
@@ -1920,16 +1931,70 @@ main(int ac, char **av)
|
|
|
|
@@ -1998,16 +2005,70 @@ main(int ac, char **av)
|
|
|
|
/* Accept a connection and return in a forked child */
|
|
|
|
/* Accept a connection and return in a forked child */
|
|
|
|
server_accept_loop(&sock_in, &sock_out,
|
|
|
|
server_accept_loop(&sock_in, &sock_out,
|
|
|
|
&newsock, config_s);
|
|
|
|
&newsock, config_s);
|
|
|
@ -3626,14 +3593,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
|
|
|
|
#if !defined(SSHD_ACQUIRES_CTTY)
|
|
|
|
#if !defined(SSHD_ACQUIRES_CTTY)
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
* If setsid is called, on some platforms sshd will later acquire a
|
|
|
|
* If setsid is called, on some platforms sshd will later acquire a
|
|
|
|
@@ -2046,16 +2111,70 @@ main(int ac, char **av)
|
|
|
|
@@ -2125,16 +2186,70 @@ main(int ac, char **av)
|
|
|
|
fatal("libwrap refuse returns");
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif /* LIBWRAP */
|
|
|
|
#endif /* LIBWRAP */
|
|
|
|
|
|
|
|
|
|
|
|
/* Log the connection. */
|
|
|
|
/* Log the connection. */
|
|
|
|
verbose("Connection from %.500s port %d", remote_ip, remote_port);
|
|
|
|
verbose("Connection from %s port %d on %s port %d",
|
|
|
|
|
|
|
|
remote_ip, remote_port,
|
|
|
|
|
|
|
|
get_local_ipaddr(sock_in), get_local_port());
|
|
|
|
|
|
|
|
|
|
|
|
+#ifdef USE_SECURITY_SESSION_API
|
|
|
|
+#ifdef USE_SECURITY_SESSION_API
|
|
|
|
+ /*
|
|
|
|
+ /*
|
|
|
@ -3697,57 +3664,15 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
|
|
|
|
* mode; it is just annoying to have the server exit just when you
|
|
|
|
* mode; it is just annoying to have the server exit just when you
|
|
|
|
* are about to discover the bug.
|
|
|
|
* are about to discover the bug.
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
@@ -2435,23 +2554,114 @@ do_ssh2_kex(void)
|
|
|
|
@@ -2544,24 +2659,73 @@ do_ssh2_kex(void)
|
|
|
|
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
|
|
|
|
|
|
|
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (options.kex_algorithms != NULL)
|
|
|
|
|
|
|
|
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
|
|
|
|
if (options.rekey_limit || options.rekey_interval)
|
|
|
|
|
|
|
|
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
|
|
|
|
|
|
|
|
(time_t)options.rekey_interval);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
|
|
|
|
|
|
|
list_hostkey_types());
|
|
|
|
|
|
|
|
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
|
|
|
|
+ {
|
|
|
|
|
|
|
|
+ char *orig;
|
|
|
|
|
|
|
|
+ char *gss = NULL;
|
|
|
|
|
|
|
|
+ char *newstr = NULL;
|
|
|
|
|
|
|
|
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+ /*
|
|
|
|
|
|
|
|
+ * If we don't have a host key, then there's no point advertising
|
|
|
|
|
|
|
|
+ * the other key exchange algorithms
|
|
|
|
|
|
|
|
+ */
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
|
|
|
|
|
|
|
+ orig = NULL;
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+ if (options.gss_keyex)
|
|
|
|
|
|
|
|
+ gss = ssh_gssapi_server_mechanisms();
|
|
|
|
|
|
|
|
+ else
|
|
|
|
|
|
|
|
+ gss = NULL;
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+ if (gss && orig)
|
|
|
|
|
|
|
|
+ xasprintf(&newstr, "%s,%s", gss, orig);
|
|
|
|
|
|
|
|
+ else if (gss)
|
|
|
|
|
|
|
|
+ newstr = gss;
|
|
|
|
|
|
|
|
+ else if (orig)
|
|
|
|
|
|
|
|
+ newstr = orig;
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+ /*
|
|
|
|
|
|
|
|
+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
|
|
|
|
|
|
|
|
+ * key alg, but we can't tell people about it unless its the only
|
|
|
|
|
|
|
|
+ * host key algorithm we support
|
|
|
|
|
|
|
|
+ */
|
|
|
|
|
|
|
|
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
|
|
|
|
|
|
|
|
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+ if (newstr)
|
|
|
|
|
|
|
|
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
|
|
|
|
|
|
|
|
+ else
|
|
|
|
|
|
|
|
+ fatal("No supported key exchange algorithms");
|
|
|
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
+#endif
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+ {
|
|
|
|
+ {
|
|
|
|
+ char *orig;
|
|
|
|
+ char *orig;
|
|
|
@ -3797,6 +3722,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
|
|
|
|
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
|
|
|
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
|
|
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
|
|
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
|
|
|
|
|
|
|
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+#ifdef GSSAPI
|
|
|
|
+ if (options.gss_keyex) {
|
|
|
|
+ if (options.gss_keyex) {
|
|
|
|
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
|
|
|
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
|
|
@ -3810,12 +3736,12 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
|
|
|
|
kex->load_host_public_key=&get_hostkey_public_by_type;
|
|
|
|
kex->load_host_public_key=&get_hostkey_public_by_type;
|
|
|
|
kex->load_host_private_key=&get_hostkey_private_by_type;
|
|
|
|
kex->load_host_private_key=&get_hostkey_private_by_type;
|
|
|
|
kex->host_key_index=&get_hostkey_index;
|
|
|
|
kex->host_key_index=&get_hostkey_index;
|
|
|
|
|
|
|
|
kex->sign = sshd_hostkey_sign;
|
|
|
|
|
|
|
|
|
|
|
|
xxx_kex = kex;
|
|
|
|
|
|
|
|
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
|
|
|
|
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
|
|
|
|
--- a/openssh-6.5p1/sshd_config
|
|
|
|
--- a/openssh-6.5p1/sshd_config
|
|
|
|
+++ b/openssh-6.5p1/sshd_config
|
|
|
|
+++ b/openssh-6.5p1/sshd_config
|
|
|
|
@@ -75,16 +75,18 @@ PasswordAuthentication no
|
|
|
|
@@ -79,16 +79,18 @@ PasswordAuthentication no
|
|
|
|
#KerberosAuthentication no
|
|
|
|
#KerberosAuthentication no
|
|
|
|
#KerberosOrLocalPasswd yes
|
|
|
|
#KerberosOrLocalPasswd yes
|
|
|
|
#KerberosTicketCleanup yes
|
|
|
|
#KerberosTicketCleanup yes
|
|
|
@ -3837,7 +3763,7 @@ diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
|
|
|
|
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
|
|
|
|
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
|
|
|
|
--- a/openssh-6.5p1/sshd_config.5
|
|
|
|
--- a/openssh-6.5p1/sshd_config.5
|
|
|
|
+++ b/openssh-6.5p1/sshd_config.5
|
|
|
|
+++ b/openssh-6.5p1/sshd_config.5
|
|
|
|
@@ -475,22 +475,50 @@ to force remote port forwardings to bind
|
|
|
|
@@ -487,22 +487,50 @@ to force remote port forwardings to bind
|
|
|
|
to allow the client to select the address to which the forwarding is bound.
|
|
|
|
to allow the client to select the address to which the forwarding is bound.
|
|
|
|
The default is
|
|
|
|
The default is
|
|
|
|
.Dq no .
|
|
|
|
.Dq no .
|
|
|
|