Accepting request 226335 from network

- re-enabling the GSSAPI Key Exchange patch 
!!! currently breaks anything other than Factory (forwarded request 226334 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/226335
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=93
This commit is contained in:
Stephan Kulow 2014-03-18 15:21:25 +00:00 committed by Git OBS Bridge
commit 08c1d7d9f8
7 changed files with 152 additions and 221 deletions


@ -1,5 +1,5 @@
# HG changeset patch # HG changeset patch
# Parent d7526bd96e81981aa3c94b7695a3f4009a2c176b # Parent bb0162afc928b3eeb69f11419e214e0737bb8034
Do not throw away already open sockets for X11 forwarding if another socket Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind() family is not available for bind()


@ -2,12 +2,12 @@
# when OpenSSL is detected to be running in FIPS mode # when OpenSSL is detected to be running in FIPS mode
# #
# HG changeset patch # HG changeset patch
# Parent 2a4df1014f286ec93a3e4dcf036f054745e4fee8 # Parent df8b01308484dd9227b64c8bb820e52b56b89b4d
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in --- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in +++ b/openssh-6.5p1/Makefile.in
@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o @@ -76,17 +76,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \


@ -1,5 +1,5 @@
# HG changeset patch # HG changeset patch
# Parent a72dad36a987a441e9c92807b1d654e43ddee409 # Parent fd62140898f5f8bfaa6d0b527c5893001322a662
diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
new file mode 100644 new file mode 100644
@ -122,7 +122,7 @@ new file mode 100644
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in --- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in +++ b/openssh-6.5p1/Makefile.in
@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o @@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
canohost.o channels.o cipher.o cipher-aes.o \ canohost.o channels.o cipher.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -133,13 +133,14 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+ kexgssc.o \ + kexgssc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
auditstub.o \
fips.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ @@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \ audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \ sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \ auth.o auth1.o auth2.o auth-options.o session.o \
@ -147,21 +148,21 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \ kexc25519s.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \ roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-seccomp-filter.o sandbox-capsicum.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
--- a/openssh-6.5p1/auth-krb5.c --- a/openssh-6.5p1/auth-krb5.c
+++ b/openssh-6.5p1/auth-krb5.c +++ b/openssh-6.5p1/auth-krb5.c
@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c @@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem) if (problem)
goto out; goto out;
#endif #endif
@ -185,7 +186,7 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
out: out:
restore_uid(); restore_uid();
@@ -224,35 +229,42 @@ krb5_cleanup_proc(Authctxt *authctxt) @@ -238,35 +243,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
} }
#ifndef HEIMDAL #ifndef HEIMDAL
@ -233,7 +234,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.5p1/auth2-gss.c --- a/openssh-6.5p1/auth2-gss.c
+++ b/openssh-6.5p1/auth2-gss.c +++ b/openssh-6.5p1/auth2-gss.c
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -297,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
userauth_gssapi(Authctxt *authctxt) userauth_gssapi(Authctxt *authctxt)
{ {
gss_OID_desc goid = {0, NULL}; gss_OID_desc goid = {0, NULL};
@@ -248,17 +282,18 @@ input_gssapi_exchange_complete(int type, @@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type,
/* /*
* We don't need to check the status, because we're only enabled in * We don't need to check the status, because we're only enabled in
@ -317,7 +318,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
} }
@@ -283,31 +318,38 @@ input_gssapi_mic(int type, u_int32_t ple @@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple
ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
"gssapi-with-mic"); "gssapi-with-mic");
@ -414,7 +415,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
/* Flag indicating that no shell has been requested */ /* Flag indicating that no shell has been requested */
extern int no_shell_flag; extern int no_shell_flag;
@@ -1594,16 +1598,25 @@ client_loop(int have_pty, int escape_cha @@ -1603,16 +1607,25 @@ client_loop(int have_pty, int escape_cha
&max_fd2, &nalloc, rekeying); &max_fd2, &nalloc, rekeying);
if (quit_pending) if (quit_pending)
@ -443,7 +444,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac --- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac +++ b/openssh-6.5p1/configure.ac
@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect]) AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1], AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
[Define if your resolver libs need this for getrrsetbyname]) [Define if your resolver libs need this for getrrsetbyname])
@ -488,7 +489,7 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
--- a/openssh-6.5p1/gss-genr.c --- a/openssh-6.5p1/gss-genr.c
+++ b/openssh-6.5p1/gss-genr.c +++ b/openssh-6.5p1/gss-genr.c
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
/* /*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -878,7 +879,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
--- a/openssh-6.5p1/gss-serv-krb5.c --- a/openssh-6.5p1/gss-serv-krb5.c
+++ b/openssh-6.5p1/gss-serv-krb5.c +++ b/openssh-6.5p1/gss-serv-krb5.c
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -891,8 +892,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
* notice, this list of conditions and the following disclaimer. * notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright * 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the * notice, this list of conditions and the following disclaimer in the
@@ -115,16 +115,17 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client @@ -117,16 +117,17 @@ static void
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{ {
krb5_ccache ccache; krb5_ccache ccache;
@ -900,6 +900,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
krb5_principal princ; krb5_principal princ;
OM_uint32 maj_status, min_status; OM_uint32 maj_status, min_status;
int len; int len;
const char *errmsg;
+ const char *new_ccname; + const char *new_ccname;
if (client->creds == NULL) { if (client->creds == NULL) {
@ -909,7 +910,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
if (ssh_gssapi_krb5_init() == 0) if (ssh_gssapi_krb5_init() == 0)
return; return;
@@ -163,37 +164,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -175,37 +176,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
if ((maj_status = gss_krb5_copy_ccache(&min_status, if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) { client->creds, ccache))) {
@ -1027,7 +1028,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
--- a/openssh-6.5p1/gss-serv.c --- a/openssh-6.5p1/gss-serv.c
+++ b/openssh-6.5p1/gss-serv.c +++ b/openssh-6.5p1/gss-serv.c
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -1059,8 +1060,8 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
static ssh_gssapi_client gssapi_client = static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; + GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
ssh_gssapi_mech gssapi_null_mech = ssh_gssapi_mech gssapi_null_mech =
- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; - { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@ -1415,19 +1416,15 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.5p1/kex.c --- a/openssh-6.5p1/kex.c
+++ b/openssh-6.5p1/kex.c +++ b/openssh-6.5p1/kex.c
@@ -46,16 +46,24 @@ @@ -47,16 +47,20 @@
#include "log.h"
#include "mac.h" #include "mac.h"
#include "match.h" #include "match.h"
#include "dispatch.h" #include "dispatch.h"
#include "monitor.h" #include "monitor.h"
#include "roaming.h" #include "roaming.h"
#include "digest.h"
#include "audit.h" #include "audit.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+
+#ifdef GSSAPI +#ifdef GSSAPI
+#include "ssh-gss.h" +#include "ssh-gss.h"
+#endif +#endif
@ -1440,42 +1437,32 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
# endif # endif
#endif #endif
@@ -377,16 +385,30 @@ choose_kex(Kex *k, char *client, char *s @@ -86,16 +90,21 @@ static const struct kexalg kexalgs[] = {
} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) { { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
k->kex_type = KEX_DH_GEX_SHA256; SSH_DIGEST_SHA512 },
k->evp_md = evp_ssh_sha256(); # endif
} else if (strncmp(k->name, KEX_ECDH_SHA2_STEM, #endif
sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) { { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
k->kex_type = KEX_ECDH_SHA2; #ifdef HAVE_EVP_SHA256
k->evp_md = kex_ecdh_name_to_evpmd(k->name); { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif #endif
+#ifdef GSSAPI +#ifdef GSSAPI
+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+ k->kex_type = KEX_GSS_GEX_SHA1; + { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ k->evp_md = EVP_sha1();
+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
+ k->kex_type = KEX_GSS_GRP1_SHA1;
+ k->evp_md = EVP_sha1();
+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
+ k->kex_type = KEX_GSS_GRP14_SHA1;
+ k->evp_md = EVP_sha1();
+#endif +#endif
} else { NULL, -1, -1, -1},
fatal("bad kex alg %s", k->name); };
}
static void char *
choose_hostkeyalg(Kex *k, char *client, char *server) kex_alg_list(char sep)
{ {
char *hostkeyalg = match_list(client, server, NULL); char *ret = NULL;
size_t nlen, rlen = 0;
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.5p1/kex.h --- a/openssh-6.5p1/kex.h
+++ b/openssh-6.5p1/kex.h +++ b/openssh-6.5p1/kex.h
@@ -68,16 +68,19 @@ enum kex_modes { @@ -71,16 +71,19 @@ enum kex_modes {
};
enum kex_exchange { enum kex_exchange {
KEX_DH_GRP1_SHA1, KEX_DH_GRP1_SHA1,
@ -1483,6 +1470,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256, KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2, KEX_ECDH_SHA2,
KEX_C25519_SHA256,
+ KEX_GSS_GRP1_SHA1, + KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1, + KEX_GSS_GRP14_SHA1,
+ KEX_GSS_GEX_SHA1, + KEX_GSS_GEX_SHA1,
@ -1494,15 +1482,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
typedef struct Kex Kex; typedef struct Kex Kex;
typedef struct Mac Mac; typedef struct Mac Mac;
typedef struct Comp Comp; typedef struct Comp Comp;
@@ -126,16 +129,22 @@ struct Kex { @@ -131,16 +134,22 @@ struct Kex {
int hostkey_type;
int kex_type; int kex_type;
int roaming; int roaming;
Buffer my; Buffer my;
Buffer peer; Buffer peer;
sig_atomic_t done; sig_atomic_t done;
int flags; int flags;
const EVP_MD *evp_md; int hash_alg;
int ec_nid;
+#ifdef GSSAPI +#ifdef GSSAPI
+ int gss_deleg_creds; + int gss_deleg_creds;
+ int gss_trust_dns; + int gss_trust_dns;
@ -1515,15 +1503,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
Key *(*load_host_public_key)(int); Key *(*load_host_public_key)(int);
Key *(*load_host_private_key)(int); Key *(*load_host_private_key)(int);
int (*host_key_index)(Key *); int (*host_key_index)(Key *);
void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
void (*kex[KEX_MAX])(Kex *); void (*kex[KEX_MAX])(Kex *);
}; @@ -164,16 +173,21 @@ void kexdh_server(Kex *);
@@ -154,16 +163,21 @@ Newkeys *kex_get_newkeys(int);
void kexdh_client(Kex *);
void kexdh_server(Kex *);
void kexgex_client(Kex *); void kexgex_client(Kex *);
void kexgex_server(Kex *); void kexgex_server(Kex *);
void kexecdh_client(Kex *); void kexecdh_client(Kex *);
void kexecdh_server(Kex *); void kexecdh_server(Kex *);
void kexc25519_client(Kex *);
void kexc25519_server(Kex *);
void newkeys_destroy(Newkeys *newkeys); void newkeys_destroy(Newkeys *newkeys);
+ +
@ -1536,7 +1524,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
void void
kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, kexgex_hash(int, char *, char *, char *, int, char *,
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *); BIGNUM *, BIGNUM *, u_char **, u_int *);
diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
@ -1825,7 +1813,7 @@ new file mode 100644
+ break; + break;
+ case KEX_GSS_GEX_SHA1: + case KEX_GSS_GEX_SHA1:
+ kexgex_hash( + kexgex_hash(
+ kex->evp_md, + kex->hash_alg,
+ kex->client_version_string, + kex->client_version_string,
+ kex->server_version_string, + kex->server_version_string,
+ buffer_ptr(&kex->my), buffer_len(&kex->my), + buffer_ptr(&kex->my), buffer_len(&kex->my),
@ -1872,7 +1860,7 @@ new file mode 100644
+ else + else
+ ssh_gssapi_delete_ctx(&ctxt); + ssh_gssapi_delete_ctx(&ctxt);
+ +
+ kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret); + BN_clear_free(shared_secret);
+ kex_finish(kex); + kex_finish(kex);
+} +}
@ -2108,7 +2096,7 @@ new file mode 100644
+ break; + break;
+ case KEX_GSS_GEX_SHA1: + case KEX_GSS_GEX_SHA1:
+ kexgex_hash( + kexgex_hash(
+ kex->evp_md, + kex->hash_alg,
+ kex->client_version_string, kex->server_version_string, + kex->client_version_string, kex->server_version_string,
+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), + buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+ buffer_ptr(&kex->my), buffer_len(&kex->my), + buffer_ptr(&kex->my), buffer_len(&kex->my),
@ -2161,7 +2149,7 @@ new file mode 100644
+ +
+ DH_free(dh); + DH_free(dh);
+ +
+ kex_derive_keys(kex, hash, hashlen, shared_secret); + kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret); + BN_clear_free(shared_secret);
+ kex_finish(kex); + kex_finish(kex);
+ +
@ -2174,54 +2162,35 @@ new file mode 100644
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c --- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c +++ b/openssh-6.5p1/key.c
@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int @@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] =
return "ecdsa-sha2-nistp384-cert-v01@openssh.com"; # endif
case NID_secp521r1:
return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
default:
break;
}
break;
#endif /* OPENSSL_HAS_ECC */ #endif /* OPENSSL_HAS_ECC */
+ case KEY_NULL: { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
+ return "null"; KEY_RSA_CERT_V00, 0, 1 },
} { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
return "ssh-unknown"; KEY_DSA_CERT_V00, 0, 1 },
} { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
KEY_ED25519_CERT, 0, 1 },
+ { "null", "null",
+ KEY_NULL, 0, 0 },
{ NULL, NULL, -1, -1, 0 }
};
const char * const char *
key_ssh_name(const Key *k) key_type(const Key *k)
{ {
return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid); const struct keytype *kt;
@@ -1343,16 +1345,18 @@ key_type_from_name(char *name)
} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
return KEY_DSA_CERT;
#ifdef OPENSSL_HAS_ECC
} else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
return KEY_ECDSA_CERT;
#endif
+ } else if (strcmp(name, "null") == 0) {
+ return KEY_NULL;
}
debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC;
}
int
key_ecdsa_nid_from_name(const char *name)
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.5p1/key.h --- a/openssh-6.5p1/key.h
+++ b/openssh-6.5p1/key.h +++ b/openssh-6.5p1/key.h
@@ -39,16 +39,17 @@ enum types { @@ -41,16 +41,17 @@ enum types {
KEY_RSA,
KEY_DSA,
KEY_ECDSA, KEY_ECDSA,
KEY_ED25519,
KEY_RSA_CERT, KEY_RSA_CERT,
KEY_DSA_CERT, KEY_DSA_CERT,
KEY_ECDSA_CERT, KEY_ECDSA_CERT,
KEY_ED25519_CERT,
KEY_RSA_CERT_V00, KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00, KEY_DSA_CERT_V00,
+ KEY_NULL, + KEY_NULL,
@ -2236,7 +2205,7 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c --- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c +++ b/openssh-6.5p1/monitor.c
@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *) @@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *)
int mm_answer_pam_free_ctx(int, Buffer *); int mm_answer_pam_free_ctx(int, Buffer *);
#endif #endif
@ -2255,7 +2224,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
int mm_answer_audit_end_command(int, Buffer *); int mm_answer_audit_end_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *); int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *); int mm_answer_audit_kex_body(int, Buffer *);
@@ -259,28 +261,35 @@ struct mon_table mon_dispatch_proto20[] @@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[]
#endif #endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
@ -2291,7 +2260,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@@ -393,16 +402,20 @@ monitor_child_preauth(Authctxt *_authctx @@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx
authctxt->loginmsg = &loginmsg; authctxt->loginmsg = &loginmsg;
if (compat20) { if (compat20) {
@ -2333,8 +2302,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
} }
@@ -1912,16 +1929,23 @@ mm_get_kex(Buffer *m) @@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m)
timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
fatal("mm_get_get: internal error: bad session id"); fatal("mm_get_get: internal error: bad session id");
kex->we_need = buffer_get_int(m); kex->we_need = buffer_get_int(m);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@ -2342,6 +2310,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@ -2357,7 +2326,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
buffer_append(&kex->my, blob, bloblen); buffer_append(&kex->my, blob, bloblen);
free(blob); free(blob);
blob = buffer_get_string(m, &bloblen); blob = buffer_get_string(m, &bloblen);
@@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon) @@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon)
#ifdef GSSAPI #ifdef GSSAPI
int int
mm_answer_gss_setup_ctx(int sock, Buffer *m) mm_answer_gss_setup_ctx(int sock, Buffer *m)
@ -2377,7 +2346,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
free(goid.elements); free(goid.elements);
buffer_clear(m); buffer_clear(m);
@@ -2162,16 +2189,19 @@ int @@ -2182,16 +2209,19 @@ int
mm_answer_gss_accept_ctx(int sock, Buffer *m) mm_answer_gss_accept_ctx(int sock, Buffer *m)
{ {
gss_buffer_desc in; gss_buffer_desc in;
@ -2397,7 +2366,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, major); buffer_put_int(m, major);
buffer_put_string(m, out.value, out.length); buffer_put_string(m, out.value, out.length);
@@ -2179,27 +2209,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_GSSSTEP, m); mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
gss_release_buffer(&minor, &out); gss_release_buffer(&minor, &out);
@ -2429,7 +2398,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
free(gssbuf.value); free(gssbuf.value);
@@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer @@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer
return (0); return (0);
} }
@ -2558,7 +2527,7 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c --- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c +++ b/openssh-6.5p1/monitor_wrap.c
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss @@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
&m); &m);
major = buffer_get_int(&m); major = buffer_get_int(&m);
@ -2666,7 +2635,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.5p1/readconf.c --- a/openssh-6.5p1/readconf.c
+++ b/openssh-6.5p1/readconf.c +++ b/openssh-6.5p1/readconf.c
@@ -124,16 +124,18 @@ typedef enum { @@ -135,16 +135,18 @@ typedef enum {
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@ -2682,10 +2651,10 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
oHashKnownHosts, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oKexAlgorithms, oIPQoS, oRequestTTY, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oDeprecated, oUnsupported oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
} OpCodes; oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -164,22 +166,31 @@ static struct { @@ -177,22 +179,31 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication }, { "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
@ -2717,7 +2686,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
{ "identitiesonly", oIdentitiesOnly }, { "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName }, { "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias }, { "hostkeyalias", oHostKeyAlias },
@@ -500,24 +511,44 @@ parse_flag: @@ -836,24 +847,44 @@ parse_time:
case oChallengeResponseAuthentication: case oChallengeResponseAuthentication:
intptr = &options->challenge_response_authentication; intptr = &options->challenge_response_authentication;
goto parse_flag; goto parse_flag;
@ -2762,7 +2731,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
intptr = &options->check_host_ip; intptr = &options->check_host_ip;
goto parse_flag; goto parse_flag;
@@ -1159,18 +1190,23 @@ initialize_options(Options * options) @@ -1489,18 +1520,23 @@ initialize_options(Options * options)
options->exit_on_forward_failure = -1; options->exit_on_forward_failure = -1;
options->xauth_location = NULL; options->xauth_location = NULL;
options->gateway_ports = -1; options->gateway_ports = -1;
@ -2786,7 +2755,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->batch_mode = -1; options->batch_mode = -1;
options->check_host_ip = -1; options->check_host_ip = -1;
options->strict_host_key_checking = -1; options->strict_host_key_checking = -1;
@@ -1260,20 +1296,26 @@ fill_default_options(Options * options) @@ -1596,20 +1632,26 @@ fill_default_options(Options * options)
if (options->rsa_authentication == -1) if (options->rsa_authentication == -1)
options->rsa_authentication = 1; options->rsa_authentication = 1;
if (options->pubkey_authentication == -1) if (options->pubkey_authentication == -1)
@ -2816,7 +2785,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.5p1/readconf.h --- a/openssh-6.5p1/readconf.h
+++ b/openssh-6.5p1/readconf.h +++ b/openssh-6.5p1/readconf.h
@@ -43,18 +43,23 @@ typedef struct { @@ -49,18 +49,23 @@ typedef struct {
int rhosts_rsa_authentication; /* Try rhosts with RSA int rhosts_rsa_authentication; /* Try rhosts with RSA
* authentication. */ * authentication. */
int rsa_authentication; /* Try RSA authentication. */ int rsa_authentication; /* Try RSA authentication. */
@ -2843,7 +2812,7 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.5p1/servconf.c --- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.5p1/servconf.c +++ b/openssh-6.5p1/servconf.c
@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions @@ -104,18 +104,21 @@ initialize_server_options(ServerOptions
options->hostbased_uses_name_from_packet_only = -1; options->hostbased_uses_name_from_packet_only = -1;
options->rsa_authentication = -1; options->rsa_authentication = -1;
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
@ -2864,8 +2833,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->permit_user_env = -1; options->permit_user_env = -1;
options->use_login = -1; options->use_login = -1;
options->compression = -1; options->compression = -1;
options->allow_tcp_forwarding = -1; options->rekey_limit = -1;
@@ -232,20 +235,26 @@ fill_default_server_options(ServerOption @@ -244,20 +247,26 @@ fill_default_server_options(ServerOption
if (options->kerberos_or_local_passwd == -1) if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1; options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1) if (options->kerberos_ticket_cleanup == -1)
@ -2892,8 +2861,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->challenge_response_authentication = 1; options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1) if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0; options->permit_empty_passwd = 0;
@@ -329,16 +338,17 @@ typedef enum { @@ -345,16 +354,17 @@ typedef enum {
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions, sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -2908,9 +2877,9 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum, sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported sDeprecated, sUnsupported
@@ -397,21 +407,31 @@ static struct { @@ -414,21 +424,31 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
@ -2942,7 +2911,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else #else
{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
@@ -1057,24 +1077,36 @@ process_server_config_line(ServerOptions @@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions
case sKerberosGetAFSToken: case sKerberosGetAFSToken:
intptr = &options->kerberos_get_afs_token; intptr = &options->kerberos_get_afs_token;
goto parse_flag; goto parse_flag;
@ -2979,7 +2948,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
intptr = &options->zero_knowledge_password_authentication; intptr = &options->zero_knowledge_password_authentication;
goto parse_flag; goto parse_flag;
@@ -1939,17 +1971,20 @@ dump_config(ServerOptions *o) @@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
# ifdef USE_AFS # ifdef USE_AFS
@ -3003,7 +2972,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.5p1/servconf.h --- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.5p1/servconf.h +++ b/openssh-6.5p1/servconf.h
@@ -105,18 +105,21 @@ typedef struct { @@ -107,18 +107,21 @@ typedef struct {
* authentication mechanism, * authentication mechanism,
* such as SecurID or * such as SecurID or
* /etc/passwd */ * /etc/passwd */
@ -3176,7 +3145,7 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5 diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
--- a/openssh-6.5p1/ssh_config.5 --- a/openssh-6.5p1/ssh_config.5
+++ b/openssh-6.5p1/ssh_config.5 +++ b/openssh-6.5p1/ssh_config.5
@@ -525,21 +525,53 @@ host key database, separated by whitespa @@ -671,21 +671,53 @@ host key database, separated by whitespa
The default is The default is
.Pa /etc/ssh/ssh_known_hosts , .Pa /etc/ssh/ssh_known_hosts ,
.Pa /etc/ssh/ssh_known_hosts2 . .Pa /etc/ssh/ssh_known_hosts2 .
@ -3234,7 +3203,7 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c --- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c +++ b/openssh-6.5p1/sshconnect2.c
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc @@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc
return ret; return ret;
} }
@ -3278,12 +3247,12 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
} } else if (fips_mode()) {
@@ -192,30 +217,61 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho
else {
/* Prefer algorithms that we already have keys for */ /* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
order_hostkeyalgs(host, hostaddr, port); compat_pkalg_proposal(
order_hostkeyalgs(host, hostaddr, port));
} }
if (options.kex_algorithms != NULL) if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -3299,8 +3268,9 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
+ } + }
+#endif +#endif
+ +
if (options.rekey_limit) if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limit((u_int32_t)options.rekey_limit); packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
/* start key exchange */ /* start key exchange */
kex = kex_setup(myproposal); kex = kex_setup(myproposal);
@ -3309,6 +3279,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->kex[KEX_ECDH_SHA2] = kexecdh_client; kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
kex->kex[KEX_C25519_SHA256] = kexc25519_client;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@ -3341,7 +3312,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
debug("Roaming not allowed by server"); debug("Roaming not allowed by server");
options.use_roaming = 0; options.use_roaming = 0;
} }
@@ -301,31 +357,37 @@ void userauth_jpake_cleanup(Authctxt *); @@ -315,31 +371,37 @@ void userauth_jpake_cleanup(Authctxt *);
#ifdef GSSAPI #ifdef GSSAPI
int userauth_gssapi(Authctxt *authctxt); int userauth_gssapi(Authctxt *authctxt);
@ -3379,7 +3350,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
{"gssapi", {"gssapi",
userauth_gssapi, userauth_gssapi,
NULL, NULL,
@@ -627,29 +689,41 @@ done: @@ -638,29 +700,41 @@ done:
int int
userauth_gssapi(Authctxt *authctxt) userauth_gssapi(Authctxt *authctxt)
{ {
@ -3423,7 +3394,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
if (!ok) if (!ok)
return 0; return 0;
@@ -738,18 +812,18 @@ process_gssapi_token(void *ctxt, gss_buf @@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf
} }
/* ARGSUSED */ /* ARGSUSED */
@ -3444,7 +3415,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
/* Setup our OID */ /* Setup our OID */
oidv = packet_get_string(&oidlen); oidv = packet_get_string(&oidlen);
@@ -849,16 +923,58 @@ input_gssapi_error(int type, u_int32_t p @@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p
lang=packet_get_string(NULL); lang=packet_get_string(NULL);
packet_check_eom(); packet_check_eom();
@ -3506,19 +3477,15 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -119,16 +119,24 @@ @@ -121,16 +121,20 @@
#include "ssh-gss.h"
#endif #endif
#include "monitor_wrap.h" #include "monitor_wrap.h"
#include "roaming.h" #include "roaming.h"
#include "audit.h" #include "audit.h"
#include "ssh-sandbox.h" #include "ssh-sandbox.h"
#include "version.h" #include "version.h"
#include "fips.h"
+#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h>
+#endif
+
+#ifdef USE_SECURITY_SESSION_API +#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h> +#include <Security/AuthSession.h>
+#endif +#endif
@ -3531,10 +3498,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#endif /* LIBWRAP */ #endif /* LIBWRAP */
#ifndef O_NOCTTY #ifndef O_NOCTTY
@@ -1715,20 +1723,23 @@ main(int ac, char **av) @@ -1795,20 +1799,23 @@ main(int ac, char **av)
} if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
debug("private host key: #%d type %d %s", i, key->type, logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
key_type(key)); options.protocol &= ~SSH_PROTO_1;
} }
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
@ -3555,7 +3522,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/* /*
* Load certificates. They are stored in an array at identical * Load certificates. They are stored in an array at identical
* indices to the public keys that they relate to. * indices to the public keys that they relate to.
@@ -1920,16 +1931,70 @@ main(int ac, char **av) @@ -1998,16 +2005,70 @@ main(int ac, char **av)
/* Accept a connection and return in a forked child */ /* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out, server_accept_loop(&sock_in, &sock_out,
&newsock, config_s); &newsock, config_s);
@ -3626,14 +3593,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#if !defined(SSHD_ACQUIRES_CTTY) #if !defined(SSHD_ACQUIRES_CTTY)
/* /*
* If setsid is called, on some platforms sshd will later acquire a * If setsid is called, on some platforms sshd will later acquire a
@@ -2046,16 +2111,70 @@ main(int ac, char **av) @@ -2125,16 +2186,70 @@ main(int ac, char **av)
fatal("libwrap refuse returns");
}
} }
#endif /* LIBWRAP */ #endif /* LIBWRAP */
/* Log the connection. */ /* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port); verbose("Connection from %s port %d on %s port %d",
remote_ip, remote_port,
get_local_ipaddr(sock_in), get_local_port());
+#ifdef USE_SECURITY_SESSION_API +#ifdef USE_SECURITY_SESSION_API
+ /* + /*
@ -3697,57 +3664,15 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
* mode; it is just annoying to have the server exit just when you * mode; it is just annoying to have the server exit just when you
* are about to discover the bug. * are about to discover the bug.
*/ */
@@ -2435,23 +2554,114 @@ do_ssh2_kex(void) @@ -2544,24 +2659,73 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
+#ifdef GSSAPI
+ {
+ char *orig;
+ char *gss = NULL;
+ char *newstr = NULL;
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ /*
+ * If we don't have a host key, then there's no point advertising
+ * the other key exchange algorithms
+ */
+
+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
+ orig = NULL;
+
+ if (options.gss_keyex)
+ gss = ssh_gssapi_server_mechanisms();
+ else
+ gss = NULL;
+
+ if (gss && orig)
+ xasprintf(&newstr, "%s,%s", gss, orig);
+ else if (gss)
+ newstr = gss;
+ else if (orig)
+ newstr = orig;
+
+ /*
+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
+ * key alg, but we can't tell people about it unless its the only
+ * host key algorithm we support
+ */
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+ if (newstr)
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
+ else
+ fatal("No supported key exchange algorithms");
+ }
+#endif
+
+#ifdef GSSAPI +#ifdef GSSAPI
+ { + {
+ char *orig; + char *orig;
@ -3797,6 +3722,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@ -3810,12 +3736,12 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type; kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index; kex->host_key_index=&get_hostkey_index;
kex->sign = sshd_hostkey_sign;
xxx_kex = kex;
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config --- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config +++ b/openssh-6.5p1/sshd_config
@@ -75,16 +75,18 @@ PasswordAuthentication no @@ -79,16 +79,18 @@ PasswordAuthentication no
#KerberosAuthentication no #KerberosAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
@ -3837,7 +3763,7 @@ diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5 diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5 --- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5 +++ b/openssh-6.5p1/sshd_config.5
@@ -475,22 +475,50 @@ to force remote port forwardings to bind @@ -487,22 +487,50 @@ to force remote port forwardings to bind
to allow the client to select the address to which the forwarding is bound. to allow the client to select the address to which the forwarding is bound.
The default is The default is
.Dq no . .Dq no .


@ -7,7 +7,7 @@
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac --- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac +++ b/openssh-6.5p1/configure.ac
@@ -695,16 +695,18 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins]) AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
;; ;;


@ -3,7 +3,7 @@
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -1973,17 +1973,17 @@ main(int ac, char **av) @@ -1985,17 +1985,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler); signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler); signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler); signal(SIGQUIT, sigterm_handler);


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Mon Mar 17 02:21:13 UTC 2014 - pcerny@suse.com
- re-enabling the GSSAPI Key Exchange patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 28 12:59:27 UTC 2014 - pcerny@suse.com Fri Feb 28 12:59:27 UTC 2014 - pcerny@suse.com


@ -198,7 +198,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
%if 0%{?suse_version} > 1310 %if 0%{?suse_version} > 1310
%patch27 -p2 %patch27 -p2
%endif %endif
#patch28 -p2 %patch28 -p2
%patch29 -p2 %patch29 -p2
%patch30 -p2 %patch30 -p2
%patch31 -p2 %patch31 -p2
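Review bot: `%patch28 -p2` is now applied unconditionally, while `%patch27 -p2` two lines above it is wrapped in `%if 0%{?suse_version} > 1310`; if the re-enabled GSSAPI key exchange patch is only known to apply on the newer code base, the same guard around `%patch28 -p2` would keep the other build targets from failing in %prep instead of breaking them outright. That patch changes the negotiated security baseline on both sides (the `#ifdef GSSAPI` branches that set `kex->kex[KEX_GSS_GRP1_SHA1]` in sshconnect2.c and sshd.c, and the server proposal rewrite in do_ssh2_kex), so a one-line comment above the patch line, e.g. `# GSSAPI key exchange: adds GSS kex methods to the client and server proposals`, would tell the next packager what toggling this line enables and why it had been commented out.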