[openssh] - improoved kuserok patch
Jan F. Chadima
jfch2222 at fedoraproject.org
Mon Nov 15 09:35:44 UTC 2010
commit 82036abfa2828a06363c21aa45c13324174d5c61
Author: Jan F <jfch at hagar.bobr>
Date: Mon Nov 15 10:35:33 2010 +0100
- improoved kuserok patch
openssh-5.6p1-kuserok.patch | 111 +++++++++++++++++++-----------------------
openssh.spec | 5 ++-
2 files changed, 54 insertions(+), 62 deletions(-)
---
diff --git a/openssh-5.6p1-kuserok.patch b/openssh-5.6p1-kuserok.patch
index 3a9f680..7376a85 100644
--- a/openssh-5.6p1-kuserok.patch
+++ b/openssh-5.6p1-kuserok.patch
@@ -1,70 +1,59 @@
diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
---- openssh-5.6p1/auth-krb5.c.kuserok 2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/auth-krb5.c 2010-09-15 15:39:48.000000000 +0200
-@@ -146,9 +146,21 @@ auth_krb5_password(Authctxt *authctxt, c
+--- openssh-5.6p1/auth-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/auth-krb5.c 2010-11-15 10:11:02.000000000 +0100
+@@ -54,6 +54,20 @@
+
+ extern ServerOptions options;
+
++int
++ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
++{
++ if (options.use_kuserok)
++ return krb5_kuserok(krb5_ctx, krb5_user, client);
++ else {
++ char kuser[65];
++
++ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
++ return 0;
++ return strcmp(kuser, client) == 0;
++ }
++}
++
+ static int
+ krb5_init(void *context)
+ {
+@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
-- problem = -1;
-- goto out;
-+ if (options.use_kuserok) {
-+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
-+ problem = -1;
-+ goto out;
-+ }
-+ } else {
-+ char kuser[65];
-+ if (krb5_aname_to_localname(authctxt->krb5_ctx, authctxt->krb5_user, sizeof(kuser), kuser)) {
-+ problem = -1;
-+ goto out;
-+ }
-+ if (strcmp(kuser, client)) {
-+ problem = -1;
-+ goto out;
-+ }
++ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+ problem = -1;
+ goto out;
}
-
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c
---- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/gss-serv-krb5.c 2010-09-15 15:49:43.000000000 +0200
-@@ -97,13 +97,25 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+--- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/gss-serv-krb5.c 2010-11-15 10:12:35.000000000 +0100
+@@ -57,6 +57,7 @@ extern ServerOptions options;
+ #endif
+
+ static krb5_context krb_context = NULL;
++extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
+
+ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+
+@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
krb5_get_err_text(krb_context, retval));
return 0;
}
- if (krb5_kuserok(krb_context, princ, name)) {
-- retval = 1;
-- logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
-- name, (char *)client->displayname.value);
-- } else
-- retval = 0;
--
-+ if (options.use_kuserok) {
-+ if (krb5_kuserok(krb_context, princ, name)) {
-+ retval = 1;
-+ logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
-+ name, (char *)client->displayname.value);
-+ } else
-+ retval = 0;
-+ } else {
-+ char kuser[65];
-+ if (krb5_aname_to_localname(krb_context, princ, sizeof(kuser), kuser))
-+ retval = 0;
-+ else if (strcmp(kuser, client))
-+ retval = 0;
-+ else {
-+ retval = 1;
-+ logit("Authorized to %s, krb5 principal %s (krb5)",
-+ name, (char *)client->displayname.value);
-+ }
-+ }
- krb5_free_principal(krb_context, princ);
- return retval;
- }
++ if (ssh_krb5_kuserok(krb_context, princ, name)) {
+ retval = 1;
+ logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+ name, (char *)client->displayname.value);
diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
---- openssh-5.6p1/servconf.c.kuserok 2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/servconf.c 2010-09-15 15:39:48.000000000 +0200
+--- openssh-5.6p1/servconf.c.kuserok 2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/servconf.c 2010-11-15 10:08:05.000000000 +0100
@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
@@ -133,8 +122,8 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
---- openssh-5.6p1/servconf.h.kuserok 2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/servconf.h 2010-09-15 15:39:48.000000000 +0200
+--- openssh-5.6p1/servconf.h.kuserok 2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/servconf.h 2010-11-15 10:08:05.000000000 +0100
@@ -157,6 +157,7 @@ typedef struct {
int num_permitted_opens;
@@ -144,8 +133,8 @@ diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
---- openssh-5.6p1/sshd_config.5.kuserok 2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/sshd_config.5 2010-09-15 15:39:48.000000000 +0200
+--- openssh-5.6p1/sshd_config.5.kuserok 2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/sshd_config.5 2010-11-15 10:08:05.000000000 +0100
@@ -564,6 +564,10 @@ Specifies whether to automatically destr
file on logout.
The default is
@@ -166,8 +155,8 @@ diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
.Cm MaxSessions ,
.Cm PubkeyAuthentication ,
diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config
---- openssh-5.6p1/sshd_config.kuserok 2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/sshd_config 2010-09-15 15:39:48.000000000 +0200
+--- openssh-5.6p1/sshd_config.kuserok 2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/sshd_config 2010-11-15 10:08:05.000000000 +0100
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
diff --git a/openssh.spec b/openssh.spec
index 815ca54..cd386cf 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.6p1
-%define openssh_rel 16
+%define openssh_rel 17
%define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 27
@@ -589,6 +589,9 @@ fi
%endif
%changelog
+* Mon Nov 15 2010 Jan F. Chadima <jchadima at redhat.com> - 5.6p1-17 + 0.9.2-27
+- improoved kuserok patch
+
* Fri Nov 5 2010 Jan F. Chadima <jchadima at redhat.com> - 5.6p1-16 + 0.9.2-27
- add auditing the host based key ussage
- repait X11 abstract layer socket (#648896)
More information about the scm-commits
mailing list