Accepting request 226334 from home:pcerny:factory

- re-enabling the GSSAPI Key Exchange patch 
!!! currently breaks anything other than Factory

OBS-URL: https://build.opensuse.org/request/show/226334
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=72
Petr Cerny 2014-03-17 02:46:40 +00:00 committed by Git OBS Bridge
parent 25f021b853
commit 5d4cc441c8
7 changed files with 152 additions and 221 deletions


@ -1,5 +1,5 @@
# HG changeset patch
# Parent d7526bd96e81981aa3c94b7695a3f4009a2c176b
# Parent bb0162afc928b3eeb69f11419e214e0737bb8034
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()


@ -2,12 +2,12 @@
# when OpenSSL is detected to be running in FIPS mode
#
# HG changeset patch
# Parent 2a4df1014f286ec93a3e4dcf036f054745e4fee8
# Parent df8b01308484dd9227b64c8bb820e52b56b89b4d
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
@@ -76,17 +76,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \


@ -1,5 +1,5 @@
# HG changeset patch
# Parent a72dad36a987a441e9c92807b1d654e43ddee409
# Parent fd62140898f5f8bfaa6d0b527c5893001322a662
diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
new file mode 100644
@ -122,7 +122,7 @@ new file mode 100644
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
@@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
canohost.o channels.o cipher.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -133,13 +133,14 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+ kexgssc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
auditstub.o \
fips.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
@@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
@ -147,21 +148,21 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \
kexc25519s.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o
sandbox-seccomp-filter.o sandbox-capsicum.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
--- a/openssh-6.5p1/auth-krb5.c
+++ b/openssh-6.5p1/auth-krb5.c
@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c
@@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
#endif
@ -185,7 +186,7 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
out:
restore_uid();
@@ -224,35 +229,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
@@ -238,35 +243,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
}
#ifndef HEIMDAL
@ -233,7 +234,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.5p1/auth2-gss.c
+++ b/openssh-6.5p1/auth2-gss.c
@@ -1,12 +1,12 @@
/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -297,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
userauth_gssapi(Authctxt *authctxt)
{
gss_OID_desc goid = {0, NULL};
@@ -248,17 +282,18 @@ input_gssapi_exchange_complete(int type,
@@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type,
/*
* We don't need to check the status, because we're only enabled in
@ -317,7 +318,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
@@ -283,31 +318,38 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple
ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
"gssapi-with-mic");
@ -414,7 +415,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
/* Flag indicating that no shell has been requested */
extern int no_shell_flag;
@@ -1594,16 +1598,25 @@ client_loop(int have_pty, int escape_cha
@@ -1603,16 +1607,25 @@ client_loop(int have_pty, int escape_cha
&max_fd2, &nalloc, rekeying);
if (quit_pending)
@ -443,7 +444,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary("
@@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
[Define if your resolver libs need this for getrrsetbyname])
@ -488,7 +489,7 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
--- a/openssh-6.5p1/gss-genr.c
+++ b/openssh-6.5p1/gss-genr.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -878,7 +879,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
--- a/openssh-6.5p1/gss-serv-krb5.c
+++ b/openssh-6.5p1/gss-serv-krb5.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -891,8 +892,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
@@ -115,16 +115,17 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
static void
@@ -117,16 +117,17 @@ static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
@ -900,6 +900,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
krb5_principal princ;
OM_uint32 maj_status, min_status;
int len;
const char *errmsg;
+ const char *new_ccname;
if (client->creds == NULL) {
@ -909,7 +910,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
if (ssh_gssapi_krb5_init() == 0)
return;
@@ -163,37 +164,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
@@ -175,37 +176,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
@ -1027,7 +1028,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
--- a/openssh-6.5p1/gss-serv.c
+++ b/openssh-6.5p1/gss-serv.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -1059,8 +1060,8 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0};
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
ssh_gssapi_mech gssapi_null_mech =
- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@ -1415,19 +1416,15 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.5p1/kex.c
+++ b/openssh-6.5p1/kex.c
@@ -46,16 +46,24 @@
#include "log.h"
@@ -47,16 +47,20 @@
#include "mac.h"
#include "match.h"
#include "dispatch.h"
#include "monitor.h"
#include "roaming.h"
#include "digest.h"
#include "audit.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
@ -1440,42 +1437,32 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
# endif
#endif
@@ -377,16 +385,30 @@ choose_kex(Kex *k, char *client, char *s
} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
k->kex_type = KEX_DH_GEX_SHA256;
k->evp_md = evp_ssh_sha256();
} else if (strncmp(k->name, KEX_ECDH_SHA2_STEM,
sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) {
k->kex_type = KEX_ECDH_SHA2;
k->evp_md = kex_ecdh_name_to_evpmd(k->name);
@@ -86,16 +90,21 @@ static const struct kexalg kexalgs[] = {
{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
SSH_DIGEST_SHA512 },
# endif
#endif
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
#ifdef HAVE_EVP_SHA256
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif
+#ifdef GSSAPI
+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
+ k->kex_type = KEX_GSS_GEX_SHA1;
+ k->evp_md = EVP_sha1();
+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
+ k->kex_type = KEX_GSS_GRP1_SHA1;
+ k->evp_md = EVP_sha1();
+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
+ k->kex_type = KEX_GSS_GRP14_SHA1;
+ k->evp_md = EVP_sha1();
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+#endif
} else
fatal("bad kex alg %s", k->name);
}
{ NULL, -1, -1, -1},
};
static void
choose_hostkeyalg(Kex *k, char *client, char *server)
char *
kex_alg_list(char sep)
{
char *hostkeyalg = match_list(client, server, NULL);
char *ret = NULL;
size_t nlen, rlen = 0;
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.5p1/kex.h
+++ b/openssh-6.5p1/kex.h
@@ -68,16 +68,19 @@ enum kex_modes {
};
@@ -71,16 +71,19 @@ enum kex_modes {
enum kex_exchange {
KEX_DH_GRP1_SHA1,
@ -1483,6 +1470,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
+ KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1,
+ KEX_GSS_GEX_SHA1,
@ -1494,15 +1482,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
typedef struct Kex Kex;
typedef struct Mac Mac;
typedef struct Comp Comp;
@@ -126,16 +129,22 @@ struct Kex {
int hostkey_type;
@@ -131,16 +134,22 @@ struct Kex {
int kex_type;
int roaming;
Buffer my;
Buffer peer;
sig_atomic_t done;
int flags;
const EVP_MD *evp_md;
int hash_alg;
int ec_nid;
+#ifdef GSSAPI
+ int gss_deleg_creds;
+ int gss_trust_dns;
@ -1515,15 +1503,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
Key *(*load_host_public_key)(int);
Key *(*load_host_private_key)(int);
int (*host_key_index)(Key *);
void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
void (*kex[KEX_MAX])(Kex *);
};
@@ -154,16 +163,21 @@ Newkeys *kex_get_newkeys(int);
void kexdh_client(Kex *);
void kexdh_server(Kex *);
@@ -164,16 +173,21 @@ void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
void kexecdh_client(Kex *);
void kexecdh_server(Kex *);
void kexc25519_client(Kex *);
void kexc25519_server(Kex *);
void newkeys_destroy(Newkeys *newkeys);
+
@ -1536,7 +1524,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
void
kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
kexgex_hash(int, char *, char *, char *, int, char *,
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *);
diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
@ -1825,7 +1813,7 @@ new file mode 100644
+ break;
+ case KEX_GSS_GEX_SHA1:
+ kexgex_hash(
+ kex->evp_md,
+ kex->hash_alg,
+ kex->client_version_string,
+ kex->server_version_string,
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
@ -1872,7 +1860,7 @@ new file mode 100644
+ else
+ ssh_gssapi_delete_ctx(&ctxt);
+
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret);
+ kex_finish(kex);
+}
@ -2108,7 +2096,7 @@ new file mode 100644
+ break;
+ case KEX_GSS_GEX_SHA1:
+ kexgex_hash(
+ kex->evp_md,
+ kex->hash_alg,
+ kex->client_version_string, kex->server_version_string,
+ buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
@ -2161,7 +2149,7 @@ new file mode 100644
+
+ DH_free(dh);
+
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret);
+ kex_finish(kex);
+
@ -2174,54 +2162,35 @@ new file mode 100644
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int
return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
case NID_secp521r1:
return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
default:
break;
}
break;
@@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] =
# endif
#endif /* OPENSSL_HAS_ECC */
+ case KEY_NULL:
+ return "null";
}
return "ssh-unknown";
}
{ "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
KEY_RSA_CERT_V00, 0, 1 },
{ "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
KEY_DSA_CERT_V00, 0, 1 },
{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
KEY_ED25519_CERT, 0, 1 },
+ { "null", "null",
+ KEY_NULL, 0, 0 },
{ NULL, NULL, -1, -1, 0 }
};
const char *
key_ssh_name(const Key *k)
key_type(const Key *k)
{
return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
@@ -1343,16 +1345,18 @@ key_type_from_name(char *name)
} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
return KEY_DSA_CERT;
#ifdef OPENSSL_HAS_ECC
} else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
return KEY_ECDSA_CERT;
#endif
+ } else if (strcmp(name, "null") == 0) {
+ return KEY_NULL;
}
const struct keytype *kt;
debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC;
}
int
key_ecdsa_nid_from_name(const char *name)
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.5p1/key.h
+++ b/openssh-6.5p1/key.h
@@ -39,16 +39,17 @@ enum types {
KEY_RSA,
KEY_DSA,
@@ -41,16 +41,17 @@ enum types {
KEY_ECDSA,
KEY_ED25519,
KEY_RSA_CERT,
KEY_DSA_CERT,
KEY_ECDSA_CERT,
KEY_ED25519_CERT,
KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00,
+ KEY_NULL,
@ -2236,7 +2205,7 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *)
@@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *)
int mm_answer_pam_free_ctx(int, Buffer *);
#endif
@ -2255,7 +2224,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
int mm_answer_audit_end_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *);
@@ -259,28 +261,35 @@ struct mon_table mon_dispatch_proto20[]
@@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[]
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
@ -2291,7 +2260,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@@ -393,16 +402,20 @@ monitor_child_preauth(Authctxt *_authctx
@@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx
authctxt->loginmsg = &loginmsg;
if (compat20) {
@ -2333,8 +2302,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
}
@@ -1912,16 +1929,23 @@ mm_get_kex(Buffer *m)
timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
@@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m)
fatal("mm_get_get: internal error: bad session id");
kex->we_need = buffer_get_int(m);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@ -2342,6 +2310,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@ -2357,7 +2326,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
buffer_append(&kex->my, blob, bloblen);
free(blob);
blob = buffer_get_string(m, &bloblen);
@@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon)
@@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon)
#ifdef GSSAPI
int
mm_answer_gss_setup_ctx(int sock, Buffer *m)
@ -2377,7 +2346,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
free(goid.elements);
buffer_clear(m);
@@ -2162,16 +2189,19 @@ int
@@ -2182,16 +2209,19 @@ int
mm_answer_gss_accept_ctx(int sock, Buffer *m)
{
gss_buffer_desc in;
@ -2397,7 +2366,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
buffer_clear(m);
buffer_put_int(m, major);
buffer_put_string(m, out.value, out.length);
@@ -2179,27 +2209,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
gss_release_buffer(&minor, &out);
@ -2429,7 +2398,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
free(gssbuf.value);
@@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer
@@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer
return (0);
}
@ -2558,7 +2527,7 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
@@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
&m);
major = buffer_get_int(&m);
@ -2666,7 +2635,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.5p1/readconf.c
+++ b/openssh-6.5p1/readconf.c
@@ -124,16 +124,18 @@ typedef enum {
@@ -135,16 +135,18 @@ typedef enum {
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@ -2682,10 +2651,10 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oKexAlgorithms, oIPQoS, oRequestTTY,
oDeprecated, oUnsupported
} OpCodes;
@@ -164,22 +166,31 @@ static struct {
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -177,22 +179,31 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
@ -2717,7 +2686,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
{ "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
@@ -500,24 +511,44 @@ parse_flag:
@@ -836,24 +847,44 @@ parse_time:
case oChallengeResponseAuthentication:
intptr = &options->challenge_response_authentication;
goto parse_flag;
@ -2762,7 +2731,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
intptr = &options->check_host_ip;
goto parse_flag;
@@ -1159,18 +1190,23 @@ initialize_options(Options * options)
@@ -1489,18 +1520,23 @@ initialize_options(Options * options)
options->exit_on_forward_failure = -1;
options->xauth_location = NULL;
options->gateway_ports = -1;
@ -2786,7 +2755,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
@@ -1260,20 +1296,26 @@ fill_default_options(Options * options)
@@ -1596,20 +1632,26 @@ fill_default_options(Options * options)
if (options->rsa_authentication == -1)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
@ -2816,7 +2785,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.5p1/readconf.h
+++ b/openssh-6.5p1/readconf.h
@@ -43,18 +43,23 @@ typedef struct {
@@ -49,18 +49,23 @@ typedef struct {
int rhosts_rsa_authentication; /* Try rhosts with RSA
* authentication. */
int rsa_authentication; /* Try RSA authentication. */
@ -2843,7 +2812,7 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions
@@ -104,18 +104,21 @@ initialize_server_options(ServerOptions
options->hostbased_uses_name_from_packet_only = -1;
options->rsa_authentication = -1;
options->pubkey_authentication = -1;
@ -2864,8 +2833,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->permit_user_env = -1;
options->use_login = -1;
options->compression = -1;
options->allow_tcp_forwarding = -1;
@@ -232,20 +235,26 @@ fill_default_server_options(ServerOption
options->rekey_limit = -1;
@@ -244,20 +247,26 @@ fill_default_server_options(ServerOption
if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1)
@ -2892,8 +2861,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
@@ -329,16 +338,17 @@ typedef enum {
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@ -345,16 +354,17 @@ typedef enum {
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -2908,9 +2877,9 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods,
sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported
@@ -397,21 +407,31 @@ static struct {
@@ -414,21 +424,31 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
@ -2942,7 +2911,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
@@ -1057,24 +1077,36 @@ process_server_config_line(ServerOptions
@@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions
case sKerberosGetAFSToken:
intptr = &options->kerberos_get_afs_token;
goto parse_flag;
@ -2979,7 +2948,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
intptr = &options->zero_knowledge_password_authentication;
goto parse_flag;
@@ -1939,17 +1971,20 @@ dump_config(ServerOptions *o)
@@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
# ifdef USE_AFS
@ -3003,7 +2972,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
@@ -105,18 +105,21 @@ typedef struct {
@@ -107,18 +107,21 @@ typedef struct {
* authentication mechanism,
* such as SecurID or
* /etc/passwd */
@ -3176,7 +3145,7 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
--- a/openssh-6.5p1/ssh_config.5
+++ b/openssh-6.5p1/ssh_config.5
@@ -525,21 +525,53 @@ host key database, separated by whitespa
@@ -671,21 +671,53 @@ host key database, separated by whitespa
The default is
.Pa /etc/ssh/ssh_known_hosts ,
.Pa /etc/ssh/ssh_known_hosts2 .
@ -3234,7 +3203,7 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
@@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc
return ret;
}
@ -3278,12 +3247,12 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
}
@@ -192,30 +217,61 @@ ssh_kex2(char *host, struct sockaddr *ho
else {
} else if (fips_mode()) {
@@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
order_hostkeyalgs(host, hostaddr, port);
compat_pkalg_proposal(
order_hostkeyalgs(host, hostaddr, port));
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -3299,8 +3268,9 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
+ }
+#endif
+
if (options.rekey_limit)
packet_set_rekey_limit((u_int32_t)options.rekey_limit);
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
/* start key exchange */
kex = kex_setup(myproposal);
@ -3309,6 +3279,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
kex->kex[KEX_C25519_SHA256] = kexc25519_client;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@ -3341,7 +3312,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
debug("Roaming not allowed by server");
options.use_roaming = 0;
}
@@ -301,31 +357,37 @@ void userauth_jpake_cleanup(Authctxt *);
@@ -315,31 +371,37 @@ void userauth_jpake_cleanup(Authctxt *);
#ifdef GSSAPI
int userauth_gssapi(Authctxt *authctxt);
@ -3379,7 +3350,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
{"gssapi",
userauth_gssapi,
NULL,
@@ -627,29 +689,41 @@ done:
@@ -638,29 +700,41 @@ done:
int
userauth_gssapi(Authctxt *authctxt)
{
@ -3423,7 +3394,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
if (!ok)
return 0;
@@ -738,18 +812,18 @@ process_gssapi_token(void *ctxt, gss_buf
@@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf
}
/* ARGSUSED */
@ -3444,7 +3415,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
/* Setup our OID */
oidv = packet_get_string(&oidlen);
@@ -849,16 +923,58 @@ input_gssapi_error(int type, u_int32_t p
@@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p
lang=packet_get_string(NULL);
packet_check_eom();
@ -3506,19 +3477,15 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -119,16 +119,24 @@
#include "ssh-gss.h"
@@ -121,16 +121,20 @@
#endif
#include "monitor_wrap.h"
#include "roaming.h"
#include "audit.h"
#include "ssh-sandbox.h"
#include "version.h"
#include "fips.h"
+#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h>
+#endif
+
+#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h>
+#endif
@ -3531,10 +3498,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#endif /* LIBWRAP */
#ifndef O_NOCTTY
@@ -1715,20 +1723,23 @@ main(int ac, char **av)
}
debug("private host key: #%d type %d %s", i, key->type,
key_type(key));
@@ -1795,20 +1799,23 @@ main(int ac, char **av)
if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
options.protocol &= ~SSH_PROTO_1;
}
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
@ -3555,7 +3522,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/*
* Load certificates. They are stored in an array at identical
* indices to the public keys that they relate to.
@@ -1920,16 +1931,70 @@ main(int ac, char **av)
@@ -1998,16 +2005,70 @@ main(int ac, char **av)
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);
@ -3626,14 +3593,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#if !defined(SSHD_ACQUIRES_CTTY)
/*
* If setsid is called, on some platforms sshd will later acquire a
@@ -2046,16 +2111,70 @@ main(int ac, char **av)
fatal("libwrap refuse returns");
}
@@ -2125,16 +2186,70 @@ main(int ac, char **av)
}
#endif /* LIBWRAP */
/* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port);
verbose("Connection from %s port %d on %s port %d",
remote_ip, remote_port,
get_local_ipaddr(sock_in), get_local_port());
+#ifdef USE_SECURITY_SESSION_API
+ /*
@ -3697,57 +3664,15 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
* mode; it is just annoying to have the server exit just when you
* are about to discover the bug.
*/
@@ -2435,23 +2554,114 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -2544,24 +2659,73 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
+#ifdef GSSAPI
+ {
+ char *orig;
+ char *gss = NULL;
+ char *newstr = NULL;
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ /*
+ * If we don't have a host key, then there's no point advertising
+ * the other key exchange algorithms
+ */
+
+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
+ orig = NULL;
+
+ if (options.gss_keyex)
+ gss = ssh_gssapi_server_mechanisms();
+ else
+ gss = NULL;
+
+ if (gss && orig)
+ xasprintf(&newstr, "%s,%s", gss, orig);
+ else if (gss)
+ newstr = gss;
+ else if (orig)
+ newstr = orig;
+
+ /*
+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
+ * key alg, but we can't tell people about it unless its the only
+ * host key algorithm we support
+ */
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+ if (newstr)
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
+ else
+ fatal("No supported key exchange algorithms");
+ }
+#endif
+
+#ifdef GSSAPI
+ {
+ char *orig;
@ -3797,6 +3722,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@ -3810,12 +3736,12 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
kex->sign = sshd_hostkey_sign;
xxx_kex = kex;
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
@@ -75,16 +75,18 @@ PasswordAuthentication no
@@ -79,16 +79,18 @@ PasswordAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
@ -3837,7 +3763,7 @@ diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
@@ -475,22 +475,50 @@ to force remote port forwardings to bind
@@ -487,22 +487,50 @@ to force remote port forwardings to bind
to allow the client to select the address to which the forwarding is bound.
The default is
.Dq no .


@ -7,7 +7,7 @@
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
@@ -695,16 +695,18 @@ main() { if (NSVersionOfRunTimeLibrary("
@@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
;;


@ -3,7 +3,7 @@
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -1973,17 +1973,17 @@ main(int ac, char **av)
@@ -1985,17 +1985,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Mon Mar 17 02:21:13 UTC 2014 - pcerny@suse.com
- re-enabling the GSSAPI Key Exchange patch
-------------------------------------------------------------------
Fri Feb 28 12:59:27 UTC 2014 - pcerny@suse.com


@ -198,7 +198,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
%if 0%{?suse_version} > 1310
%patch27 -p2
%endif
#patch28 -p2
%patch28 -p2
%patch29 -p2
%patch30 -p2
%patch31 -p2
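Review bot: The new `%patch28 -p2` line applies the re-enabled GSSAPI key exchange patch unconditionally, while the `%patch27` line directly above it is gated on `%if 0%{?suse_version} > 1310`. The .changes entry in this commit only says the patch is being re-enabled, so it is not visible here whether it is expected to build on every target the spec supports; if it is only known to work on the newest one, wrapping it the same way, `%if 0%{?suse_version} > 1310` / `%patch28 -p2` / `%endif`, would keep older targets building. If no gate is intended, a one-line spec comment above it stating that the patch is expected to apply on all targets would make that explicit for the next maintainer.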