[gsi-openssh] Drop openssh-5.8p2-unblock-signals.patch - not needed for GT >= 5.2 Based on openssh-5.9p1-16.fc17
Mattias Ellert
ellert at fedoraproject.org
Sun Jan 22 18:06:47 UTC 2012
commit 634cb6d982db0b465b7e55381654e1651028e30a
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Sun Jan 22 17:29:44 2012 +0100
Drop openssh-5.8p2-unblock-signals.patch - not needed for GT >= 5.2
Based on openssh-5.9p1-16.fc17
gsi-openssh.spec | 29 +++--
openssh-5.8p2-unblock-signals.patch | 76 -----------
openssh-5.9p1-ctr-cavstest.patch | 250 +++++++++++++++++++++++++++++++++++
openssh-5.9p1-ctr-evp-fast.patch | 101 ++++++++++++++
openssh-5.9p1-gsissh.patch | 9 +-
openssh-5.9p1-log-usepam-no.patch | 28 ++++
6 files changed, 405 insertions(+), 88 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 8202859..42d748f 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -32,12 +32,12 @@
%global nologin 1
%global openssh_ver 5.9p1
-%global openssh_rel 3
+%global openssh_rel 4
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.1
+Release: %{openssh_rel}%{?dist}
Provides: gsissh = %{version}-%{release}
Obsoletes: gsissh < 5.8p2-2
URL: http://www.openssh.com/portable.html
@@ -138,6 +138,12 @@ Patch708: openssh-5.9p1-entropy.patch
Patch709: openssh-5.9p1-vendor.patch
#?
Patch710: openssh-5.9p1-copy-id-restorecon.patch
+# warn users for unsupported UsePAM=no (#757545)
+Patch711: openssh-5.9p1-log-usepam-no.patch
+# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
+Patch712: openssh-5.9p1-ctr-evp-fast.patch
+# add cavs test binary for the aes-ctr
+Patch713: openssh-5.9p1-ctr-cavstest.patch
#http://www.sxw.org.uk/computing/patches/openssh.html
Patch800: openssh-5.9p1-gsskex.patch
@@ -157,10 +163,6 @@ Patch901: openssh-5.9p1-kuserok.patch
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-5.9p1.patch
Patch98: openssh-5.9p1-gsissh.patch
-# The gsissh server has problems with blocked signals in threaded globus libs
-# This patch from OSG resolves these problems
-Patch99: openssh-5.8p2-unblock-signals.patch
-
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -184,8 +186,10 @@ BuildRequires: krb5-devel
%endif
%if %{gsi}
-BuildRequires: globus-gss-assist-devel
-BuildRequires: globus-usage-devel
+BuildRequires: globus-gss-assist-devel >= 8
+BuildRequires: globus-gssapi-gsi >= 10
+BuildRequires: globus-common >= 14
+BuildRequires: globus-usage-devel >= 3
%endif
%if %{libedit}
@@ -309,6 +313,9 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch708 -p1 -b .entropy
%patch709 -p1 -b .vendor
%patch710 -p1 -b .restorecon
+%patch711 -p1 -b .log-usepam-no
+%patch712 -p1 -b .evp-ctr
+%patch713 -p1 -b .ctr-cavs
%patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb
@@ -317,7 +324,6 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch901 -p1 -b .kuserok
%patch98 -p1 -b .gsi
-%patch99 -p1 -b .signals
sed 's/sshd.pid/gsisshd.pid/' -i pathnames.h
sed 's!$(piddir)/sshd.pid!$(piddir)/gsisshd.pid!' -i Makefile.in
@@ -503,6 +509,7 @@ fi
%attr(0644,root,root) %{_mandir}/man1/gsissh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/gsissh
%attr(2755,root,ssh_keys) %{_libexecdir}/gsissh/ssh-keysign
+%attr(0755,root,root) %{_libexecdir}/gsissh/ctr-cavstest
%attr(0644,root,root) %{_mandir}/man8/gsissh-keysign.8*
%files clients
@@ -537,6 +544,10 @@ fi
%attr(0644,root,root) %{_unitdir}/gsisshd.service
%changelog
+* Sun Jan 22 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.9p1-4
+- Drop openssh-5.8p2-unblock-signals.patch - not needed for GT >= 5.2
+- Based on openssh-5.9p1-16.fc17
+
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 5.9p1-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
diff --git a/openssh-5.9p1-ctr-cavstest.patch b/openssh-5.9p1-ctr-cavstest.patch
new file mode 100644
index 0000000..c260925
--- /dev/null
+++ b/openssh-5.9p1-ctr-cavstest.patch
@@ -0,0 +1,250 @@
+diff -up openssh-5.9p1/ctr-cavstest.c.ctr-cavs openssh-5.9p1/ctr-cavstest.c
+--- openssh-5.9p1/ctr-cavstest.c.ctr-cavs 2012-01-13 15:59:06.584283289 +0100
++++ openssh-5.9p1/ctr-cavstest.c 2012-01-13 18:21:33.791941027 +0100
+@@ -0,0 +1,208 @@
++/*
++ *
++ * invocation (all of the following are equal):
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
++ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
++ */
++
++#include "includes.h"
++
++#include <sys/types.h>
++#include <sys/param.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++
++#include "xmalloc.h"
++#include "log.h"
++#include "cipher.h"
++
++/* compatibility with old or broken OpenSSL versions */
++#include "openbsd-compat/openssl-compat.h"
++
++void usage(void) {
++ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
++ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
++ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
++ "Hexadecimal output is printed to stdout.\n"
++ "Hexadecimal input data can be alternatively read from stdin.\n");
++ exit(1);
++}
++
++void *fromhex(char *hex, size_t *len)
++{
++ unsigned char *bin;
++ char *p;
++ size_t n = 0;
++ int shift = 4;
++ unsigned char out = 0;
++ unsigned char *optr;
++
++ bin = xmalloc(strlen(hex)/2);
++ optr = bin;
++
++ for (p = hex; *p != '\0'; ++p) {
++ unsigned char c;
++
++ c = *p;
++ if (isspace(c))
++ continue;
++
++ if (c >= '0' && c <= '9') {
++ c = c - '0';
++ } else if (c >= 'A' && c <= 'F') {
++ c = c - 'A' + 10;
++ } else if (c >= 'a' && c <= 'f') {
++ c = c - 'a' + 10;
++ } else {
++ /* truncate on nonhex cipher */
++ break;
++ }
++
++ out |= c << shift;
++ shift = (shift + 4) % 8;
++
++ if (shift) {
++ *(optr++) = out;
++ out = 0;
++ ++n;
++ }
++ }
++
++ *len = n;
++ return bin;
++}
++
++#define READ_CHUNK 4096
++#define MAX_READ_SIZE 1024*1024*100
++char *read_stdin(void)
++{
++ char *buf;
++ size_t n, total = 0;
++
++ buf = xmalloc(READ_CHUNK);
++
++ do {
++ n = fread(buf + total, 1, READ_CHUNK, stdin);
++ if (n < READ_CHUNK) /* terminate on short read */
++ break;
++
++ total += n;
++ buf = xrealloc(buf, total + READ_CHUNK, 1);
++ } while(total < MAX_READ_SIZE);
++ return buf;
++}
++
++int main (int argc, char *argv[])
++{
++
++ Cipher *c;
++ CipherContext cc;
++ char *algo = "aes128-ctr";
++ char *hexkey = NULL;
++ char *hexiv = "00000000000000000000000000000000";
++ char *hexdata = NULL;
++ char *p;
++ int i;
++ int encrypt = 1;
++ void *key;
++ size_t keylen;
++ void *iv;
++ size_t ivlen;
++ void *data;
++ size_t datalen;
++ void *outdata;
++
++ for (i = 1; i < argc; ++i) {
++ if (strcmp(argv[i], "--algo") == 0) {
++ algo = argv[++i];
++ } else if (strcmp(argv[i], "--key") == 0) {
++ hexkey = argv[++i];
++ } else if (strcmp(argv[i], "--mode") == 0) {
++ ++i;
++ if (argv[i] == NULL) {
++ usage();
++ }
++ if (strncmp(argv[i], "enc", 3) == 0) {
++ encrypt = 1;
++ } else if (strncmp(argv[i], "dec", 3) == 0) {
++ encrypt = 0;
++ } else {
++ usage();
++ }
++ } else if (strcmp(argv[i], "--iv") == 0) {
++ hexiv = argv[++i];
++ } else if (strcmp(argv[i], "--data") == 0) {
++ hexdata = argv[++i];
++ }
++ }
++
++ if (hexkey == NULL || algo == NULL) {
++ usage();
++ }
++
++ SSLeay_add_all_algorithms();
++
++ c = cipher_by_name(algo);
++ if (c == NULL) {
++ fprintf(stderr, "Error: unknown algorithm\n");
++ return 2;
++ }
++
++ if (hexdata == NULL) {
++ hexdata = read_stdin();
++ } else {
++ hexdata = xstrdup(hexdata);
++ }
++
++ key = fromhex(hexkey, &keylen);
++
++ if (keylen != 16 && keylen != 24 && keylen == 32) {
++ fprintf(stderr, "Error: unsupported key length\n");
++ return 2;
++ }
++
++ iv = fromhex(hexiv, &ivlen);
++
++ if (ivlen != 16) {
++ fprintf(stderr, "Error: unsupported iv length\n");
++ return 2;
++ }
++
++ data = fromhex(hexdata, &datalen);
++
++ if (data == NULL || datalen == 0) {
++ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
++ return 2;
++ }
++
++ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
++
++ xfree(key);
++ xfree(iv);
++
++ outdata = malloc(datalen);
++ if(outdata == NULL) {
++ fprintf(stderr, "Error: memory allocation failure\n");
++ return 2;
++ }
++
++ cipher_crypt(&cc, outdata, data, datalen);
++
++ xfree(data);
++
++ cipher_cleanup(&cc);
++
++ for (p = outdata; datalen > 0; ++p, --datalen) {
++ printf("%02X", (unsigned char)*p);
++ }
++
++ xfree(outdata);
++
++ printf("\n");
++ return 0;
++}
++
+diff -up openssh-5.9p1/Makefile.in.ctr-cavs openssh-5.9p1/Makefile.in
+--- openssh-5.9p1/Makefile.in.ctr-cavs 2012-01-13 15:59:06.539282357 +0100
++++ openssh-5.9p1/Makefile.in 2012-01-13 15:59:06.588283373 +0100
+@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+ SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SSH_KEYCAT=$(libexecdir)/ssh-keycat
++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -63,7 +64,7 @@ EXEEXT=@EXEEXT@
+ MANFMT=@MANFMT@
+ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+
+ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
+@@ -171,6 +172,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
+ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
+ $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
+
++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
++ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
+@@ -271,6 +275,7 @@ install-files:
+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ fi
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
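Review bot: read_stdin() in the new ctr-cavstest.c never NUL-terminates its buffer and breaks out of the loop before adding the final short read to `total`, yet main() passes the result to fromhex(), which calls strlen() on it and scans until '\0'. Hex data supplied on stdin is therefore parsed from uninitialised heap bytes, and the scan can run past the end of the allocation. The rewrite below reserves one extra byte, counts the last partial read and terminates the string. Separately, the key-length test in main() can never be true as written, so unsupported key sizes are not rejected; it should read `if (keylen != 16 && keylen != 24 && keylen != 32) {`.

```c
char *read_stdin(void)
{
	char *buf;
	size_t n, total = 0;

	/* one spare byte so the result can always be NUL-terminated */
	buf = xmalloc(READ_CHUNK + 1);

	do {
		n = fread(buf + total, 1, READ_CHUNK, stdin);
		total += n;	/* count the final partial chunk as well */
		if (n < READ_CHUNK) /* terminate on short read */
			break;

		buf = xrealloc(buf, total + READ_CHUNK + 1, 1);
	} while (total < MAX_READ_SIZE);

	buf[total] = '\0';
	return buf;
}
```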
diff --git a/openssh-5.9p1-ctr-evp-fast.patch b/openssh-5.9p1-ctr-evp-fast.patch
new file mode 100644
index 0000000..5d17aab
--- /dev/null
+++ b/openssh-5.9p1-ctr-evp-fast.patch
@@ -0,0 +1,101 @@
+diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c
+--- openssh-5.9p1/cipher-ctr.c.ctr-evp 2012-01-11 09:24:06.000000000 +0100
++++ openssh-5.9p1/cipher-ctr.c 2012-01-11 15:54:04.675956600 +0100
+@@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in
+
+ struct ssh_aes_ctr_ctx
+ {
+- AES_KEY aes_ctx;
++ EVP_CIPHER_CTX ecbctx;
+ u_char aes_counter[AES_BLOCK_SIZE];
+ };
+
+@@ -63,21 +63,42 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char
+ {
+ struct ssh_aes_ctr_ctx *c;
+ size_t n = 0;
+- u_char buf[AES_BLOCK_SIZE];
++ u_char ctrbuf[AES_BLOCK_SIZE*256];
++ u_char buf[AES_BLOCK_SIZE*256];
+
+ if (len == 0)
+ return (1);
+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
+ return (0);
+
+- while ((len--) > 0) {
++ for (; len > 0; len -= sizeof(u_int)) {
++ u_int r,a,b;
++
+ if (n == 0) {
+- AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
+- ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
++ int outl, i, buflen;
++
++ buflen = MIN(len, sizeof(ctrbuf));
++
++ for(i = 0; i < buflen; i += AES_BLOCK_SIZE) {
++ memcpy(&ctrbuf[i], c->aes_counter, AES_BLOCK_SIZE);
++ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
++ }
++
++ EVP_EncryptUpdate(&c->ecbctx, buf, &outl,
++ ctrbuf, buflen);
+ }
+- *(dest++) = *(src++) ^ buf[n];
+- n = (n + 1) % AES_BLOCK_SIZE;
++
++ memcpy(&a, src, sizeof(a));
++ memcpy(&b, &buf[n], sizeof(b));
++ r = a ^ b;
++ memcpy(dest, &r, sizeof(r));
++ src += sizeof(a);
++ dest += sizeof(r);
++
++ n = (n + sizeof(b)) % sizeof(buf);
+ }
++ memset(ctrbuf, '\0', sizeof(ctrbuf));
++ memset(buf, '\0', sizeof(buf));
+ return (1);
+ }
+
+@@ -91,9 +112,28 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, co
+ c = xmalloc(sizeof(*c));
+ EVP_CIPHER_CTX_set_app_data(ctx, c);
+ }
+- if (key != NULL)
+- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
+- &c->aes_ctx);
++
++ EVP_CIPHER_CTX_init(&c->ecbctx);
++
++ if (key != NULL) {
++ const EVP_CIPHER *cipher;
++ switch(EVP_CIPHER_CTX_key_length(ctx)*8) {
++ case 128:
++ cipher = EVP_aes_128_ecb();
++ break;
++ case 192:
++ cipher = EVP_aes_192_ecb();
++ break;
++ case 256:
++ cipher = EVP_aes_256_ecb();
++ break;
++ default:
++ fatal("ssh_aes_ctr_init: wrong aes key length");
++ }
++ if(!EVP_EncryptInit_ex(&c->ecbctx, cipher, NULL, key, NULL))
++ fatal("ssh_aes_ctr_init: cannot initialize aes encryption");
++ EVP_CIPHER_CTX_set_padding(&c->ecbctx, 0);
++ }
+ if (iv != NULL)
+ memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
+ return (1);
+@@ -105,6 +145,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
+ struct ssh_aes_ctr_ctx *c;
+
+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
++ EVP_CIPHER_CTX_cleanup(&c->ecbctx);
+ memset(c, 0, sizeof(*c));
+ xfree(c);
+ EVP_CIPHER_CTX_set_app_data(ctx, NULL);
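Review bot: The rewritten loop in ssh_aes_ctr() steps `len -= sizeof(u_int)` and copies `sizeof(u_int)` bytes per pass, so it silently assumes `len` is a multiple of 4, whereas the byte-wise loop it replaces accepted any length. With any other length the last pass reads and writes past src/dest, and if `len` is unsigned (its declaration is outside the hunk) the counter wraps instead of reaching zero. A length that is not a multiple of AES_BLOCK_SIZE also leaves EVP_EncryptUpdate, with padding disabled, holding back a partial block, so the tail of `buf` would be stale stack data rather than keystream. Callers may already enforce block-multiple lengths, but that is not visible here; the function should state the invariant and enforce it up front, e.g. `if (len % AES_BLOCK_SIZE != 0) return (0);`. The return value of EVP_EncryptUpdate is also ignored and should be checked.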
diff --git a/openssh-5.9p1-gsissh.patch b/openssh-5.9p1-gsissh.patch
index 57cc6d8..4150256 100644
--- a/openssh-5.9p1-gsissh.patch
+++ b/openssh-5.9p1-gsissh.patch
@@ -597,8 +597,8 @@ diff -Nur openssh-5.9p1.orig/configure.ac openssh-5.9p1/configure.ac
+ GSSAPI="GSI"
+ fi
+
-+ LIBS="$LIBS `pkg-config --libs globus-gss-assist`"
-+ CPPFLAGS="$CPPFLAGS `pkg-config --cflags globus-gss-assist`"
++ LIBS="$LIBS `pkg-config --libs globus-gss-assist globus-gssapi-gsi globus-common`"
++ CPPFLAGS="$CPPFLAGS `pkg-config --cflags globus-gss-assist globus-gssapi-gsi globus-common`"
+
+ AC_DEFINE(GSSAPI)
+ AC_DEFINE(HAVE_GSSAPI_H)
@@ -2923,7 +2923,7 @@ diff -Nur openssh-5.9p1.orig/ssh-gss.h openssh-5.9p1/ssh-gss.h
diff -Nur openssh-5.9p1.orig/version.h openssh-5.9p1/version.h
--- openssh-5.9p1.orig/version.h 2011-09-07 01:11:20.000000000 +0200
+++ openssh-5.9p1/version.h 2011-11-17 16:59:47.520790935 +0100
-@@ -1,5 +1,19 @@
+@@ -1,6 +1,21 @@
/* $OpenBSD: version.h,v 1.62 2011/08/02 23:13:01 djm Exp $ */
+#ifdef GSI
@@ -2943,3 +2943,6 @@ diff -Nur openssh-5.9p1.orig/version.h openssh-5.9p1/version.h
#define SSH_VERSION "OpenSSH_5.9"
#define SSH_PORTABLE "p1"
+-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
++#define SSH_RELEASE SSH_VERSION SSH_PORTABLE \
++ NCSA_VERSION GSI_VERSION KRB5_VERSION
diff --git a/openssh-5.9p1-log-usepam-no.patch b/openssh-5.9p1-log-usepam-no.patch
new file mode 100644
index 0000000..614d2cd
--- /dev/null
+++ b/openssh-5.9p1-log-usepam-no.patch
@@ -0,0 +1,28 @@
+diff --git a/sshd.c b/sshd.c
+index 8dcfdf2..95b63ad 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1592,6 +1592,10 @@ main(int ac, char **av)
+ parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
+ &cfg, NULL, NULL, NULL);
+
++ /* 'UsePAM no' is not supported in Fedora */
++ if (! options.use_pam)
++ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
++
+ seed_rng();
+
+ /* Fill in default values for those options not explicitly set. */
+diff --git a/sshd_config b/sshd_config
+index 8c16754..9f28b04 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
++# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
++# problems.
+ #UsePAM no
+ UsePAM yes
+
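Review bot: The new `if (! options.use_pam)` test in sshd.c's main() sits directly after parse_server_config() and before the step the context line describes as "Fill in default values for those options not explicitly set". If `use_pam` still holds a non-zero "unset" sentinel at that point (the usual OpenSSH convention, not visible in this hunk), a configuration that simply omits UsePAM would end up with PAM disabled yet log no warning. Moving the two added lines below the default-filling call would make the warning reflect the effective setting. main() starts and ends outside the hunk.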