[openssh] - improoved kuserok patch

Jan F. Chadima jfch2222 at fedoraproject.org
Mon Nov 15 09:35:44 UTC 2010 

commit 82036abfa2828a06363c21aa45c13324174d5c61
Author: Jan F <jfch at hagar.bobr>
Date:   Mon Nov 15 10:35:33 2010 +0100

    - improoved kuserok patch

 openssh-5.6p1-kuserok.patch |  111 +++++++++++++++++++-----------------------
 openssh.spec                |    5 ++-
 2 files changed, 54 insertions(+), 62 deletions(-)
---
diff --git a/openssh-5.6p1-kuserok.patch b/openssh-5.6p1-kuserok.patch
index 3a9f680..7376a85 100644
--- a/openssh-5.6p1-kuserok.patch
+++ b/openssh-5.6p1-kuserok.patch
@@ -1,70 +1,59 @@
 diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
---- openssh-5.6p1/auth-krb5.c.kuserok	2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/auth-krb5.c	2010-09-15 15:39:48.000000000 +0200
-@@ -146,9 +146,21 @@ auth_krb5_password(Authctxt *authctxt, c
+--- openssh-5.6p1/auth-krb5.c.kuserok	2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/auth-krb5.c	2010-11-15 10:11:02.000000000 +0100
+@@ -54,6 +54,20 @@
+ 
+ extern ServerOptions	 options;
+ 
++int
++ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
++{
++	if (options.use_kuserok)
++		return krb5_kuserok(krb5_ctx, krb5_user, client);
++	else {
++		char kuser[65];
++
++		if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
++			return 0;
++		return strcmp(kuser, client) == 0;
++	}
++}
++
+ static int
+ krb5_init(void *context)
+ {
+@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
  	if (problem)
  		goto out;
  
 -	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
--		problem = -1;
--		goto out;
-+	if (options.use_kuserok) {
-+		if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
-+			problem = -1;
-+			goto out;
-+		}
-+	} else {
-+		char kuser[65];
-+		if (krb5_aname_to_localname(authctxt->krb5_ctx, authctxt->krb5_user, sizeof(kuser), kuser)) {
-+			problem = -1;
-+			goto out;
-+		}
-+		if (strcmp(kuser, client)) {
-+			problem = -1;
-+			goto out;
-+		}
++	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+ 		problem = -1;
+ 		goto out;
  	}
- 
- 	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
 diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c
---- openssh-5.6p1/gss-serv-krb5.c.kuserok	2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/gss-serv-krb5.c	2010-09-15 15:49:43.000000000 +0200
-@@ -97,13 +97,25 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+--- openssh-5.6p1/gss-serv-krb5.c.kuserok	2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/gss-serv-krb5.c	2010-11-15 10:12:35.000000000 +0100
+@@ -57,6 +57,7 @@ extern ServerOptions options;
+ #endif
+ 
+ static krb5_context krb_context = NULL;
++extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
+ 
+ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+ 
+@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
  		    krb5_get_err_text(krb_context, retval));
  		return 0;
  	}
 -	if (krb5_kuserok(krb_context, princ, name)) {
--		retval = 1;
--		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
--		    name, (char *)client->displayname.value);
--	} else
--		retval = 0;
--
-+	if (options.use_kuserok) {
-+		if (krb5_kuserok(krb_context, princ, name)) {
-+			retval = 1;
-+			logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
-+			    name, (char *)client->displayname.value);
-+		} else
-+			retval = 0;
-+	} else {
-+		char kuser[65];
-+		if (krb5_aname_to_localname(krb_context, princ, sizeof(kuser), kuser))
-+			retval = 0;
-+		else if (strcmp(kuser, client))
-+			retval = 0;
-+		else {
-+			retval = 1;
-+			logit("Authorized to %s, krb5 principal %s (krb5)",
-+			    name, (char *)client->displayname.value);
-+		}
-+	}
- 	krb5_free_principal(krb_context, princ);
- 	return retval;
- }
++	if (ssh_krb5_kuserok(krb_context, princ, name)) {
+ 		retval = 1;
+ 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+ 		    name, (char *)client->displayname.value);
 diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
---- openssh-5.6p1/servconf.c.kuserok	2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/servconf.c	2010-09-15 15:39:48.000000000 +0200
+--- openssh-5.6p1/servconf.c.kuserok	2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/servconf.c	2010-11-15 10:08:05.000000000 +0100
 @@ -138,6 +138,7 @@ initialize_server_options(ServerOptions 
  	options->revoked_keys_file = NULL;
  	options->trusted_user_ca_keys = NULL;
@@ -133,8 +122,8 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
  	/* string arguments */
  	dump_cfg_string(sPidFile, o->pid_file);
 diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
---- openssh-5.6p1/servconf.h.kuserok	2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/servconf.h	2010-09-15 15:39:48.000000000 +0200
+--- openssh-5.6p1/servconf.h.kuserok	2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/servconf.h	2010-11-15 10:08:05.000000000 +0100
 @@ -157,6 +157,7 @@ typedef struct {
  
  	int	num_permitted_opens;
@@ -144,8 +133,8 @@ diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
  	char   *revoked_keys_file;
  	char   *trusted_user_ca_keys;
 diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
---- openssh-5.6p1/sshd_config.5.kuserok	2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/sshd_config.5	2010-09-15 15:39:48.000000000 +0200
+--- openssh-5.6p1/sshd_config.5.kuserok	2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/sshd_config.5	2010-11-15 10:08:05.000000000 +0100
 @@ -564,6 +564,10 @@ Specifies whether to automatically destr
  file on logout.
  The default is
@@ -166,8 +155,8 @@ diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
  .Cm MaxSessions ,
  .Cm PubkeyAuthentication ,
 diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config
---- openssh-5.6p1/sshd_config.kuserok	2010-09-15 15:39:48.000000000 +0200
-+++ openssh-5.6p1/sshd_config	2010-09-15 15:39:48.000000000 +0200
+--- openssh-5.6p1/sshd_config.kuserok	2010-11-15 10:08:05.000000000 +0100
++++ openssh-5.6p1/sshd_config	2010-11-15 10:08:05.000000000 +0100
 @@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
diff --git a/openssh.spec b/openssh.spec
index 815ca54..cd386cf 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.6p1
-%define openssh_rel 16
+%define openssh_rel 17
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 27
 
@@ -589,6 +589,9 @@ fi
 %endif
 
 %changelog
+* Mon Nov 15 2010 Jan F. Chadima <jchadima at redhat.com> - 5.6p1-17 + 0.9.2-27
+- improoved kuserok patch
+
 * Fri Nov  5 2010 Jan F. Chadima <jchadima at redhat.com> - 5.6p1-16 + 0.9.2-27
 - add auditing the host based key ussage
 - repait X11 abstract layer socket (#648896)

More information about the scm-commits mailing list