[gsi-openssh/f20] Based on openssh-6.4p1-2.fc20
Mattias Ellert
ellert at fedoraproject.org
Tue Nov 26 19:12:23 UTC 2013
commit 915819d1b2e5a4b970e0f157d3c08e5c9b160a96
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Tue Nov 26 15:23:57 2013 +0100
Based on openssh-6.4p1-2.fc20
gsi-openssh.spec | 19 +-
gsisshd-keygen | 23 ++
openssh-6.3p1-fips.patch | 54 ++++
openssh-6.3p1-gsskex.patch | 238 ++++------------
openssh-6.3p1-increase-size-of-DF-groups.patch | 65 +++++
openssh-6.3p1-keycat.patch | 2 +-
openssh-6.3p1-krb5-use-default_ccache_name.patch | 247 ++++++++++++++++
openssh-6.3p1-ldap.patch | 60 +++-
...-6.3p1-audit.patch => openssh-6.4p1-audit.patch | 26 +-
....3p1-gsissh.patch => openssh-6.4p1-gsissh.patch | 303 +++++++++++---------
10 files changed, 682 insertions(+), 355 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 408bdcc..d2b1396 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -28,8 +28,8 @@
# Do we want LDAP support
%global ldap 1
-%global openssh_ver 6.3p1
-%global openssh_rel 2
+%global openssh_ver 6.4p1
+%global openssh_rel 1
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
@@ -59,7 +59,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
-Patch200: openssh-6.3p1-audit.patch
+Patch200: openssh-6.4p1-audit.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-6.3p1-role-mls.patch
@@ -125,10 +125,14 @@ Patch801: openssh-6.3p1-force_krb.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.3p1-kuserok.patch
+# use default_ccache_name from /etc/krb5.conf (#991186)
+Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
+# increase the size of the Diffie-Hellman groups (#1010607)
+Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
# This is the patch that adds GSI support
-# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.3p1.patch
-Patch98: openssh-6.3p1-gsissh.patch
+# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.4p1.patch
+Patch98: openssh-6.4p1-gsissh.patch
License: BSD
Group: Applications/Internet
@@ -272,6 +276,8 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok
+%patch902 -p1 -b .ccache_name
+%patch903 -p1 -b .dh
%patch98 -p1 -b .gsi
@@ -485,6 +491,9 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/gsisshd-keygen.service
%changelog
+* Tue Nov 26 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.4p1-1
+- Based on openssh-6.4p1-2.fc20
+
* Mon Oct 21 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.3p1-2
- Add obsoletes for -fips packages
diff --git a/gsisshd-keygen b/gsisshd-keygen
index 3d0bbe6..c944449 100644
--- a/gsisshd-keygen
+++ b/gsisshd-keygen
@@ -14,6 +14,7 @@ KEYGEN=/usr/bin/gsissh-keygen
RSA1_KEY=/etc/gsissh/ssh_host_key
RSA_KEY=/etc/gsissh/ssh_host_rsa_key
DSA_KEY=/etc/gsissh/ssh_host_dsa_key
+ECDSA_KEY=/etc/gsissh/ssh_host_ecdsa_key
# pull in sysconfig settings
[ -f /etc/sysconfig/gsisshd ] && . /etc/sysconfig/gsisshd
@@ -89,11 +90,33 @@ do_dsa_keygen() {
fi
}
+do_ecdsa_keygen() {
+ if [ ! -s $ECDSA_KEY ]; then
+ echo -n $"Generating SSH2 ECDSA host key: "
+ rm -f $ECDSA_KEY
+ if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
+ chgrp ssh_keys $ECDSA_KEY
+ chmod 600 $ECDSA_KEY
+ chmod 644 $ECDSA_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $ECDSA_KEY.pub
+ fi
+ success $"ECDSA key generation"
+ echo
+ else
+ failure $"ECDSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
# Create keys if necessary
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
do_rsa_keygen
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
do_rsa1_keygen
do_dsa_keygen
+ do_ecdsa_keygen
fi
fi
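Review bot: In `do_ecdsa_keygen` the private key is given to group `ssh_keys` and then set to mode 600, so the group ownership grants nothing as written; a comment should say whether that is deliberate or the `chgrp` is vestigial. The results of `chgrp` and `chmod` are not checked, so a missing `ssh_keys` group goes unnoticed while `success` is still reported, and `restorecon` is run only on `$ECDSA_KEY.pub`, leaving the private key's SELinux label as created. The key paths can be overridden by the sourced `/etc/sysconfig/gsisshd`, so quoting them (`"$ECDSA_KEY"`) avoids word-splitting in the `rm -f` and keygen calls. The function presumably mirrors the RSA/DSA generators outside this hunk, so any change should be made to all of them together.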
diff --git a/openssh-6.3p1-fips.patch b/openssh-6.3p1-fips.patch
index f216d6e..acf4e82 100644
--- a/openssh-6.3p1-fips.patch
+++ b/openssh-6.3p1-fips.patch
@@ -42,6 +42,39 @@ diff -up openssh-6.3p1/Makefile.in.fips openssh-6.3p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+diff -up openssh-6.3p1/auth-rsa.c.fips openssh-6.3p1/auth-rsa.c
+--- openssh-6.3p1/auth-rsa.c.fips 2013-10-24 15:43:46.019999906 +0200
++++ openssh-6.3p1/auth-rsa.c 2013-10-24 15:44:09.262890686 +0200
+@@ -240,7 +240,7 @@ rsa_key_allowed_in_file(struct passwd *p
+ "actual %d vs. announced %d.",
+ file, linenum, BN_num_bits(key->rsa->n), bits);
+
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+ debug("matching key found: file %s, line %lu %s %s",
+ file, linenum, key_type(key), fp);
+ free(fp);
+diff -up openssh-6.3p1/auth2-pubkey.c.fips openssh-6.3p1/auth2-pubkey.c
+--- openssh-6.3p1/auth2-pubkey.c.fips 2013-10-24 15:39:05.008319990 +0200
++++ openssh-6.3p1/auth2-pubkey.c 2013-10-24 15:39:05.029319892 +0200
+@@ -209,7 +209,7 @@ pubkey_auth_info(Authctxt *authctxt, con
+
+ if (key_is_cert(key)) {
+ fp = key_fingerprint(key->cert->signature_key,
+- SSH_FP_MD5, SSH_FP_HEX);
++ FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+ auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
+ key_type(key), key->cert->key_id,
+ (unsigned long long)key->cert->serial,
+@@ -217,7 +217,7 @@ pubkey_auth_info(Authctxt *authctxt, con
+ extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
+ free(fp);
+ } else {
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+ auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
+ extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
+ free(fp);
diff -up openssh-6.3p1/authfile.c.fips openssh-6.3p1/authfile.c
--- openssh-6.3p1/authfile.c.fips 2013-10-11 22:24:32.857031153 +0200
+++ openssh-6.3p1/authfile.c 2013-10-11 22:24:32.870031092 +0200
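Review bot: The selector `FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5` is pasted at every call site (auth-rsa.c, twice in auth2-pubkey.c, and again in the ssh-keygen.c hunk further down), so a later `key_fingerprint` call can easily miss it and keep MD5 under FIPS. One shared definition would keep them in step, for example a proposed `#define SSH_FP_TYPE_DEFAULT (FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5)`. The `debug` and `auth_info` format strings are unchanged, so the logged hex fingerprint switches hash with the runtime mode without naming the hash; anyone matching log entries against known key fingerprints has to infer it from the length. Naming the hash in the message, or at least a comment at each call, would document that.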
@@ -370,6 +403,27 @@ diff -up openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.3p1/openbs
}
#endif /* !HAVE_ARC4RANDOM */
+diff -up openssh-6.3p1/ssh-keygen.c.fips openssh-6.3p1/ssh-keygen.c
+--- openssh-6.3p1/ssh-keygen.c.fips 2013-10-24 15:45:06.055623916 +0200
++++ openssh-6.3p1/ssh-keygen.c 2013-10-24 15:45:36.906478986 +0200
+@@ -730,7 +730,7 @@ do_download(struct passwd *pw)
+ enum fp_type fptype;
+ char *fp, *ra;
+
+- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
++ fptype = print_bubblebabble ? SSH_FP_SHA1 : (FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5);
+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+
+ pkcs11_init(0);
+@@ -740,7 +740,7 @@ do_download(struct passwd *pw)
+ for (i = 0; i < nkeys; i++) {
+ if (print_fingerprint) {
+ fp = key_fingerprint(keys[i], fptype, rep);
+- ra = key_fingerprint(keys[i], SSH_FP_MD5,
++ ra = key_fingerprint(keys[i], FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
+ SSH_FP_RANDOMART);
+ printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
+ fp, key_type(keys[i]));
diff -up openssh-6.3p1/ssh.c.fips openssh-6.3p1/ssh.c
--- openssh-6.3p1/ssh.c.fips 2013-07-25 03:55:53.000000000 +0200
+++ openssh-6.3p1/ssh.c 2013-10-11 22:24:32.872031082 +0200
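Review bot: The nested conditional in `do_download`, `print_bubblebabble ? SSH_FP_SHA1 : (FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5)`, yields SHA1 from two of its three arms and reads more plainly as `fptype = (print_bubblebabble || FIPS_mode()) ? SSH_FP_SHA1 : SSH_FP_MD5;`. The random-art call a few lines below repeats the FIPS selector instead of reusing a value computed once at the top of the function. `do_download` starts and ends outside the hunk, so any other fingerprint calls in ssh-keygen.c are not visible here and should be checked for the same MD5 default.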
diff --git a/openssh-6.3p1-gsskex.patch b/openssh-6.3p1-gsskex.patch
index 7161b34..eefd792 100644
--- a/openssh-6.3p1-gsskex.patch
+++ b/openssh-6.3p1-gsskex.patch
@@ -135,147 +135,6 @@ diff -up openssh-6.3p1/Makefile.in.gsskex openssh-6.3p1/Makefile.in
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
-diff -up openssh-6.3p1/auth-krb5.c.gsskex openssh-6.3p1/auth-krb5.c
---- openssh-6.3p1/auth-krb5.c.gsskex 2013-08-04 13:48:41.000000000 +0200
-+++ openssh-6.3p1/auth-krb5.c 2013-10-11 15:43:50.261299742 +0200
-@@ -50,6 +50,7 @@
- #include <errno.h>
- #include <unistd.h>
- #include <string.h>
-+#include <sys/stat.h>
- #include <krb5.h>
-
- extern ServerOptions options;
-@@ -77,6 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
- #endif
- krb5_error_code problem;
- krb5_ccache ccache = NULL;
-+ const char *ccache_type;
- int len;
- char *client, *platform_client;
- const char *errmsg;
-@@ -177,12 +179,30 @@ auth_krb5_password(Authctxt *authctxt, c
- goto out;
- #endif
-
-+ ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
- authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-
-- len = strlen(authctxt->krb5_ticket_file) + 6;
-+ if (authctxt->krb5_ticket_file[0] == ':')
-+ authctxt->krb5_ticket_file++;
-+
-+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);
- authctxt->krb5_ccname = xmalloc(len);
-- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
-+
-+#ifdef USE_CCAPI
-+ snprintf(authctxt->krb5_ccname, len, "API:%s",
- authctxt->krb5_ticket_file);
-+#else
-+ snprintf(authctxt->krb5_ccname, len, "%s:%s",
-+ ccache_type, authctxt->krb5_ticket_file);
-+#endif
-+
-+ if (strcmp(ccache_type, "DIR") == 0) {
-+ char *p;
-+ p = strrchr(authctxt->krb5_ccname, '/');
-+ if (p)
-+ *p = '\0';
-+ }
-+
-
- #ifdef USE_PAM
- if (options.use_pam)
-@@ -221,10 +241,30 @@ auth_krb5_password(Authctxt *authctxt, c
- void
- krb5_cleanup_proc(Authctxt *authctxt)
- {
-+ struct stat krb5_ccname_stat;
-+ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
-+
- debug("krb5_cleanup_proc called");
- if (authctxt->krb5_fwd_ccache) {
- krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
- authctxt->krb5_fwd_ccache = NULL;
-+
-+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
-+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
-+ strcat(krb5_ccname_dir_start, "/primary");
-+
-+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
-+ if (unlink(krb5_ccname_dir_start) == 0) {
-+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
-+ *krb5_ccname_dir_end = '\0';
-+ if (rmdir(krb5_ccname_dir_start) == -1)
-+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
-+ }
-+ else
-+ debug("cache primary file '%s', remove failed: %s",
-+ krb5_ccname_dir_start, strerror(errno)
-+ );
-+ }
- }
- if (authctxt->krb5_user) {
- krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
-@@ -239,31 +279,45 @@ krb5_cleanup_proc(Authctxt *authctxt)
- #ifndef HEIMDAL
- krb5_error_code
- ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
-- int tmpfd, ret, oerrno;
-- char ccname[40];
-+ int ret, oerrno;
-+ char ccname[128];
-+#ifdef USE_CCAPI
-+ char cctemplate[] = "API:krb5cc_%d";
-+#else
- mode_t old_umask;
-+ char cctemplate[] = "DIR:/run/user/%d/krb5cc_XXXXXXXXXX";
-+ char *tmpdir;
-+#endif
-
-- ret = snprintf(ccname, sizeof(ccname),
-- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
-+ ret = snprintf(ccname, sizeof(ccname), cctemplate, geteuid());
- if (ret < 0 || (size_t)ret >= sizeof(ccname))
- return ENOMEM;
-
-- old_umask = umask(0177);
-- tmpfd = mkstemp(ccname + strlen("FILE:"));
-+#ifndef USE_CCAPI
-+ old_umask = umask(0077);
-+ tmpdir = mkdtemp(ccname + strlen("DIR:"));
- oerrno = errno;
-+ if (tmpdir == NULL && errno == ENOENT) {
-+ /* /run/user/uid doesn't exist -> fallback to /tmp */
-+ ret = snprintf(ccname, sizeof(ccname), "DIR:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
-+ if (ret < 0 || (size_t)ret >= sizeof(ccname))
-+ return ENOMEM;
-+ tmpdir = mkdtemp(ccname + strlen("DIR:"));
-+ oerrno = errno;
-+ }
-+
- umask(old_umask);
-- if (tmpfd == -1) {
-- logit("mkstemp(): %.100s", strerror(oerrno));
-+ if (tmpdir == NULL) {
-+ logit("mkdtemp(): %s - %.100s", ccname, strerror(oerrno));
- return oerrno;
- }
-
-- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
- oerrno = errno;
-- logit("fchmod(): %.100s", strerror(oerrno));
-- close(tmpfd);
-+ logit("chmod(): %s - %.100s", ccname, strerror(oerrno));
- return oerrno;
- }
-- close(tmpfd);
-+#endif
-
- return (krb5_cc_resolve(ctx, ccname, ccache));
- }
diff -up openssh-6.3p1/auth2-gss.c.gsskex openssh-6.3p1/auth2-gss.c
--- openssh-6.3p1/auth2-gss.c.gsskex 2013-10-11 15:15:17.213216506 +0200
+++ openssh-6.3p1/auth2-gss.c 2013-10-11 15:15:17.283216181 +0200
@@ -779,7 +638,7 @@ diff -up openssh-6.3p1/gss-genr.c.gsskex openssh-6.3p1/gss-genr.c
#endif /* GSSAPI */
diff -up openssh-6.3p1/gss-serv-krb5.c.gsskex openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.3p1/gss-serv-krb5.c.gsskex 2013-07-20 05:35:45.000000000 +0200
-+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 15:26:02.165189578 +0200
++++ openssh-6.3p1/gss-serv-krb5.c 2013-10-23 21:48:20.558346236 +0200
@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_error_code problem;
krb5_principal princ;
@@ -789,7 +648,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.gsskex openssh-6.3p1/gss-serv-krb5.c
const char *errmsg;
if (client->creds == NULL) {
-@@ -174,11 +174,25 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+@@ -174,11 +174,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return;
}
@@ -814,12 +673,18 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.gsskex openssh-6.3p1/gss-serv-krb5.c
+ if (p)
+ *p = '\0';
+ }
-+ client->store.filename = xstrdup(new_ccname);
++ if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
++ client->store.filename = xstrdup(new_ccname);
+#endif
#ifdef USE_PAM
if (options.use_pam)
-@@ -190,6 +204,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+@@ -187,9 +202,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+
+ krb5_cc_close(krb_context, ccache);
+
++ client->store.data = krb_context;
++
return;
}
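Review bot: `client->store.data = krb_context;` keeps a second reference to the context without saying who owns it, and the rewritten `ssh_gssapi_cleanup_creds` later in this patch calls `krb5_free_context()` on that reference. If `krb_context` is a file-scope context that other functions in gss-serv-krb5.c continue to use (its declaration is outside the hunk), it is left dangling after cleanup and any later call through it is a use-after-free. Either clear `krb_context` when the stored copy is freed, or have cleanup destroy only the cache and leave the context to its owner; a comment at the assignment should state which. `ssh_gssapi_krb5_storecreds` begins and ends outside the hunk.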
@@ -891,7 +756,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.gsskex openssh-6.3p1/gss-serv-krb5.c
ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos",
-@@ -197,7 +276,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
+@@ -197,7 +279,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
NULL,
&ssh_gssapi_krb5_userok,
NULL,
@@ -903,7 +768,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.gsskex openssh-6.3p1/gss-serv-krb5.c
#endif /* KRB5 */
diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c
--- openssh-6.3p1/gss-serv.c.gsskex 2013-07-20 05:35:45.000000000 +0200
-+++ openssh-6.3p1/gss-serv.c 2013-10-11 15:27:32.889763132 +0200
++++ openssh-6.3p1/gss-serv.c 2013-10-23 21:51:52.212347754 +0200
@@ -45,15 +45,20 @@
#include "channels.h"
#include "session.h"
@@ -1037,11 +902,11 @@ diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
+ }
-
-- gss_buffer_desc ename;
++
+ ctx->major = gss_compare_name(&ctx->minor, client->name,
+ new_name, &equal);
-+
+
+- gss_buffer_desc ename;
+ if (GSS_ERROR(ctx->major)) {
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
@@ -1088,41 +953,33 @@ diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c
/* We can't copy this structure, so we just move the pointer to it */
client->creds = ctx->client_creds;
ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -292,11 +378,33 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
+@@ -292,11 +378,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
void
ssh_gssapi_cleanup_creds(void)
{
-+ struct stat krb5_ccname_stat;
-+ char krb5_ccname[128], *krb5_ccname_dir_end;
-+
- if (gssapi_client.store.filename != NULL) {
- /* Unlink probably isn't sufficient */
- debug("removing gssapi cred file\"%s\"",
- gssapi_client.store.filename);
- unlink(gssapi_client.store.filename);
-+
-+ /* Ticket cache: DIR::/run/user/13558/krb5cc_T9eDKSQvzb/tkt */
-+ /* same code as in auth-krb5.c:krb5_cleanup_proc */
-+ strncpy(krb5_ccname, gssapi_client.store.filename, sizeof(krb5_ccname) - 10);
-+ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
-+ if (krb5_ccname_dir_end != NULL)
-+ strcpy(krb5_ccname_dir_end, "/primary");
-+
-+ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
-+ if (unlink(krb5_ccname) == 0) {
-+ *krb5_ccname_dir_end = '\0';
-+ if (rmdir(krb5_ccname) == -1)
-+ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
-+ }
-+ else
-+ debug("cache primary file '%s', remove failed: %s",
-+ krb5_ccname, strerror(errno)
-+ );
+- if (gssapi_client.store.filename != NULL) {
+- /* Unlink probably isn't sufficient */
+- debug("removing gssapi cred file\"%s\"",
+- gssapi_client.store.filename);
+- unlink(gssapi_client.store.filename);
++ krb5_ccache ccache = NULL;
++ krb5_error_code problem;
++
++ if (gssapi_client.store.data != NULL) {
++ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
++ debug("%s: krb5_cc_resolve(): %.100s", __func__,
++ krb5_get_err_text(gssapi_client.store.data, problem));
++ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
++ debug("%s: krb5_cc_resolve(): %.100s", __func__,
++ krb5_get_err_text(gssapi_client.store.data, problem));
++ } else {
++ krb5_free_context(gssapi_client.store.data);
++ gssapi_client.store.data = NULL;
+ }
}
}
-@@ -329,7 +437,7 @@ ssh_gssapi_do_child(char ***envp, u_int
+@@ -329,7 +424,7 @@ ssh_gssapi_do_child(char ***envp, u_int
/* Privileged */
int
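Review bot: The second failure branch in `ssh_gssapi_cleanup_creds` logs `krb5_cc_resolve()` although the call that failed is `krb5_cc_destroy()`; the format string should read `"%s: krb5_cc_destroy(): %.100s"`. On either failure the delegated credential cache is left in place, `store.data` is neither freed nor cleared, and the only trace is a debug-level line; since this is the removal of forwarded credentials, `logit` or `error` would be the better level. The old `unlink()` of `store.filename` is dropped, so cleanup now depends entirely on `store.envval` naming the cache, which deserves a comment.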
@@ -1131,7 +988,7 @@ diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c
{
OM_uint32 lmin;
-@@ -339,9 +447,11 @@ ssh_gssapi_userok(char *user)
+@@ -339,9 +434,11 @@ ssh_gssapi_userok(char *user)
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1145,7 +1002,7 @@ diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -354,14 +464,90 @@ ssh_gssapi_userok(char *user)
+@@ -354,14 +451,90 @@ ssh_gssapi_userok(char *user)
return (0);
}
@@ -1243,8 +1100,8 @@ diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c
#endif
diff -up openssh-6.3p1/kex.c.gsskex openssh-6.3p1/kex.c
---- openssh-6.3p1/kex.c.gsskex 2013-10-11 15:15:17.197216581 +0200
-+++ openssh-6.3p1/kex.c 2013-10-11 15:47:41.629242975 +0200
+--- openssh-6.3p1/kex.c.gsskex 2013-10-30 15:26:39.339608716 +0100
++++ openssh-6.3p1/kex.c 2013-10-31 10:50:41.254535382 +0100
@@ -51,6 +51,10 @@
#include "roaming.h"
#include "audit.h"
@@ -1256,16 +1113,31 @@ diff -up openssh-6.3p1/kex.c.gsskex openssh-6.3p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
-@@ -81,6 +85,9 @@ static const struct kexalg kexalgs[] = {
+@@ -81,6 +85,11 @@ static const struct kexalg kexalgs[] = {
{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
#endif
++#ifdef GSSAPI
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
++#endif
{ NULL, -1, -1, NULL},
};
+@@ -110,6 +119,12 @@ kex_alg_by_name(const char *name)
+ for (k = kexalgs; k->name != NULL; k++) {
+ if (strcmp(k->name, name) == 0)
+ return k;
++#ifdef GSSAPI
++ if (strncmp(name, "gss-", 4) == 0) {
++ if (strncmp(k->name, name, strlen(k->name)) == 0)
++ return k;
++ }
++#endif
+ }
+ return NULL;
+ }
diff -up openssh-6.3p1/kex.h.gsskex openssh-6.3p1/kex.h
--- openssh-6.3p1/kex.h.gsskex 2013-10-11 15:15:17.197216581 +0200
+++ openssh-6.3p1/kex.h 2013-10-11 15:43:21.757429309 +0200
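Review bot: The GSSAPI branch added to `kex_alg_by_name` is a prefix match, so any name that begins with a table entry such as `KEX_GSS_GEX_SHA1_ID` is accepted whatever follows, and nothing in the hunk says why. Presumably the suffix is the encoded mechanism identifier and is validated elsewhere; once that is confirmed, record it in a comment such as `/* GSS kex names carry a mechanism suffix: match the prefix here, the suffix is checked by the caller */`. The test `strncmp(name, "gss-", 4) == 0` does not depend on `k` and can be evaluated once before the loop. The function body starts outside the hunk.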
diff --git a/openssh-6.3p1-increase-size-of-DF-groups.patch b/openssh-6.3p1-increase-size-of-DF-groups.patch
new file mode 100644
index 0000000..941aa72
--- /dev/null
+++ b/openssh-6.3p1-increase-size-of-DF-groups.patch
@@ -0,0 +1,65 @@
+diff -U0 openssh-6.3p1/ChangeLog.df openssh-6.3p1/ChangeLog
+--- openssh-6.3p1/ChangeLog.df 2013-10-23 22:38:03.476272461 +0200
++++ openssh-6.3p1/ChangeLog 2013-10-23 22:39:46.051788366 +0200
+@@ -0,0 +1,8 @@
++20131010
++ - dtucker at cvs.openbsd.org 2013/10/08 11:42:13
++ [dh.c dh.h]
++ Increase the size of the Diffie-Hellman groups requested for a each
++ symmetric key size. New values from NIST Special Publication 800-57 with
++ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
++ djm at .
++
+diff -up openssh-6.3p1/dh.c.df openssh-6.3p1/dh.c
+--- openssh-6.3p1/dh.c.df 2013-07-18 08:12:07.000000000 +0200
++++ openssh-6.3p1/dh.c 2013-10-23 22:38:03.476272461 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
++/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */
+ /*
+ * Copyright (c) 2000 Niels Provos. All rights reserved.
+ *
+@@ -352,17 +352,20 @@ dh_new_group14(void)
+
+ /*
+ * Estimates the group order for a Diffie-Hellman group that has an
+- * attack complexity approximately the same as O(2**bits). Estimate
+- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
++ * attack complexity approximately the same as O(2**bits).
++ * Values from NIST Special Publication 800-57: Recommendation for Key
++ * Management Part 1 (rev 3) limited by the recommended maximum value
++ * from RFC4419 section 3.
+ */
+
+ int
+ dh_estimate(int bits)
+ {
+-
++ if (bits <= 112)
++ return 2048;
+ if (bits <= 128)
+- return (1024); /* O(2**86) */
++ return 3072;
+ if (bits <= 192)
+- return (2048); /* O(2**116) */
+- return (4096); /* O(2**156) */
++ return 7680;
++ return 8192;
+ }
+diff -up openssh-6.3p1/dh.h.df openssh-6.3p1/dh.h
+--- openssh-6.3p1/dh.h.df 2008-06-29 14:47:04.000000000 +0200
++++ openssh-6.3p1/dh.h 2013-10-23 22:38:03.476272461 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
++/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
+
+ /*
+ * Copyright (c) 2000 Niels Provos. All rights reserved.
+@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
+
+ int dh_estimate(int);
+
++/* Min and max values from RFC4419. */
+ #define DH_GRP_MIN 1024
+ #define DH_GRP_MAX 8192
+
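Review bot: `dh_estimate` loses the per-threshold annotations the old code carried (`/* O(2**86) */` and so on), so the mapping from symmetric strength to modulus size is now traceable only through the header comment. A short comment per return keeps it auditable, for example `return 3072; /* 128-bit strength */`, and the final line could be `return DH_GRP_MAX; /* RFC4419 cap */` instead of the literal 8192 so the cap stays tied to dh.h. The larger requests only take effect if the moduli file offers groups of those sizes and peers accept them; that is outside this hunk and worth verifying before the package ships.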
diff --git a/openssh-6.3p1-keycat.patch b/openssh-6.3p1-keycat.patch
index 90cfb7e..6105d09 100644
--- a/openssh-6.3p1-keycat.patch
+++ b/openssh-6.3p1-keycat.patch
@@ -8,7 +8,7 @@ diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
+
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
-+ AuthorizedKeysCommandRunAs root
++ AuthorizedKeysCommandUser root
+
+Do not forget to enable public key authentication:
+ PubkeyAuthentication yes
diff --git a/openssh-6.3p1-krb5-use-default_ccache_name.patch b/openssh-6.3p1-krb5-use-default_ccache_name.patch
new file mode 100644
index 0000000..b9c8000
--- /dev/null
+++ b/openssh-6.3p1-krb5-use-default_ccache_name.patch
@@ -0,0 +1,247 @@
+diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
+--- openssh-6.3p1/auth-krb5.c.ccache_name 2013-10-23 22:03:52.322950759 +0200
++++ openssh-6.3p1/auth-krb5.c 2013-10-23 22:04:24.295799873 +0200
+@@ -50,7 +50,9 @@
+ #include <errno.h>
+ #include <unistd.h>
+ #include <string.h>
++#include <sys/stat.h>
+ #include <krb5.h>
++#include <profile.h>
+
+ extern ServerOptions options;
+
+@@ -91,6 +93,7 @@ auth_krb5_password(Authctxt *authctxt, c
+ #endif
+ krb5_error_code problem;
+ krb5_ccache ccache = NULL;
++ const char *ccache_type;
+ int len;
+ char *client, *platform_client;
+ const char *errmsg;
+@@ -191,12 +194,30 @@ auth_krb5_password(Authctxt *authctxt, c
+ goto out;
+ #endif
+
++ ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+
+- len = strlen(authctxt->krb5_ticket_file) + 6;
++ if (authctxt->krb5_ticket_file[0] == ':')
++ authctxt->krb5_ticket_file++;
++
++ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);
+ authctxt->krb5_ccname = xmalloc(len);
+- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
++
++#ifdef USE_CCAPI
++ snprintf(authctxt->krb5_ccname, len, "API:%s",
+ authctxt->krb5_ticket_file);
++#else
++ snprintf(authctxt->krb5_ccname, len, "%s:%s",
++ ccache_type, authctxt->krb5_ticket_file);
++#endif
++
++ if (strcmp(ccache_type, "DIR") == 0) {
++ char *p;
++ p = strrchr(authctxt->krb5_ccname, '/');
++ if (p)
++ *p = '\0';
++ }
++
+
+ #ifdef USE_PAM
+ if (options.use_pam)
+@@ -235,10 +256,34 @@ auth_krb5_password(Authctxt *authctxt, c
+ void
+ krb5_cleanup_proc(Authctxt *authctxt)
+ {
++ struct stat krb5_ccname_stat;
++ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
++
+ debug("krb5_cleanup_proc called");
+ if (authctxt->krb5_fwd_ccache) {
+ krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ authctxt->krb5_fwd_ccache = NULL;
++
++ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
++ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
++ *krb5_ccname_dir_start++ = '\0';
++ if (strcmp(krb5_ccname, "DIR") == 0) {
++
++ strcat(krb5_ccname_dir_start, "/primary");
++
++ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
++ if (unlink(krb5_ccname_dir_start) == 0) {
++ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
++ *krb5_ccname_dir_end = '\0';
++ if (rmdir(krb5_ccname_dir_start) == -1)
++ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
++ }
++ else
++ debug("cache primary file '%s', remove failed: %s",
++ krb5_ccname_dir_start, strerror(errno)
++ );
++ }
++ }
+ }
+ if (authctxt->krb5_user) {
+ krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
+@@ -250,34 +295,139 @@ krb5_cleanup_proc(Authctxt *authctxt)
+ }
+ }
+
++int
++ssh_asprintf_append(char **dsc, const char *fmt, ...) {
++ char *src, *old;
++ va_list ap;
++ int i;
++
++ va_start(ap, fmt);
++ i = vasprintf(&src, fmt, ap);
++ va_end(ap);
++
++ if (i == -1 || src == NULL)
++ return -1;
++
++ old = *dsc;
++
++ i = asprintf(dsc, "%s%s", *dsc, src);
++ if (i == -1 || src == NULL) {
++ free(src);
++ return -1;
++ }
++
++ free(old);
++ free(src);
++
++ return i;
++}
++
++int
++ssh_krb5_expand_template(char **result, const char *template) {
++ char *p_n, *p_o, *r, *tmp_template;
++
++ if (template == NULL)
++ return -1;
++
++ tmp_template = p_n = p_o = xstrdup(template);
++ r = xstrdup("");
++
++ while ((p_n = strstr(p_o, "%{")) != NULL) {
++
++ *p_n++ = '\0';
++ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
++ goto cleanup;
++
++ if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
++ strncmp(p_n, "{USERID}", 8) == 0) {
++ p_o = strchr(p_n, '}') + 1;
++ if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
++ goto cleanup;
++ continue;
++ }
++ else if (strncmp(p_n, "{TEMP}", 6) == 0) {
++ p_o = strchr(p_n, '}') + 1;
++ if (ssh_asprintf_append(&r, "/tmp") == -1)
++ goto cleanup;
++ continue;
++ } else {
++ p_o = strchr(p_n, '}') + 1;
++ p_o = '\0';
++ debug("%s: unsupported token %s in %s", __func__, p_n, template);
++ /* unknown token, fallback to the default */
++ goto cleanup;
++ }
++ }
++
++ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
++ goto cleanup;
++
++ *result = r;
++ free(tmp_template);
++ return 0;
++
++cleanup:
++ free(r);
++ free(tmp_template);
++ return -1;
++}
++
++krb5_error_code
++ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
++ profile_t p;
++ int ret = 0;
++ char *value = NULL;
++
++ ret = krb5_get_profile(ctx, &p);
++ if (ret)
++ return ret;
++
++ ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
++ if (ret)
++ return ret;
++
++ ret = ssh_krb5_expand_template(ccname, value);
++
++ return ret;
++}
++
+ #ifndef HEIMDAL
+ krb5_error_code
+ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ int tmpfd, ret, oerrno;
+- char ccname[40];
++ char *ccname;
++#ifdef USE_CCAPI
++ char cctemplate[] = "API:krb5cc_%d";
++#else
+ mode_t old_umask;
++ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
+
+- ret = snprintf(ccname, sizeof(ccname),
+- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+- if (ret < 0 || (size_t)ret >= sizeof(ccname))
+- return ENOMEM;
+-
+- old_umask = umask(0177);
+- tmpfd = mkstemp(ccname + strlen("FILE:"));
+- oerrno = errno;
+- umask(old_umask);
+- if (tmpfd == -1) {
+- logit("mkstemp(): %.100s", strerror(oerrno));
+- return oerrno;
+- }
++#endif
++
++ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
+
+- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
++ if (ret) {
++ ret = asprintf(&ccname, cctemplate, geteuid());
++ if (ret == -1)
++ return ENOMEM;
++ old_umask = umask(0177);
++ tmpfd = mkstemp(ccname + strlen("FILE:"));
+ oerrno = errno;
+- logit("fchmod(): %.100s", strerror(oerrno));
++ umask(old_umask);
++ if (tmpfd == -1) {
++ logit("mkstemp(): %.100s", strerror(oerrno));
++ return oerrno;
++ }
++
++ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
++ oerrno = errno;
++ logit("fchmod(): %.100s", strerror(oerrno));
++ close(tmpfd);
++ return oerrno;
++ }
+ close(tmpfd);
+- return oerrno;
+ }
+- close(tmpfd);
++ debug("%s: Setting ccname to %s", __func__, ccname);
+
+ return (krb5_cc_resolve(ctx, ccname, ccache));
+ }
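Review bot: In `auth_krb5_password`, `len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);` leaves no room for the `:` separator and the terminating NUL, so `snprintf` silently drops the last two characters of the cache name; it needs `+ 2`, and the `API:` branch needs a length of its own. `krb5_cleanup_proc` copies into an uninitialised `krb5_ccname[128]` with `strncpy`, which does not terminate a long source, and adds 1 to the result of `strchr` before any NULL check. The following `*krb5_ccname_dir_start++ = '\0'` then overwrites the first character of the path rather than the colon, so the buffer compares as `DIR:` and the directory cleanup never runs as written. The fence sketches a bounded version of that block. Further down, `ssh_asprintf_append` re-tests `src` instead of `*dsc` after the second `asprintf`, `ssh_krb5_expand_template` uses `strchr(p_n, '}') + 1` unchecked and assigns `p_o = '\0'` to the pointer itself, and `ssh_krb5_get_cctemplate` never releases `p` or `value`.

```c
		/* … unchanged: krb5_cc_destroy() and clearing krb5_fwd_ccache … */
		char *sep;
		size_t room;

		if (authctxt->krb5_ccname != NULL &&
		    strlcpy(krb5_ccname, authctxt->krb5_ccname,
		    sizeof(krb5_ccname)) < sizeof(krb5_ccname) &&
		    (sep = strchr(krb5_ccname, ':')) != NULL) {
			*sep = '\0';	/* krb5_ccname now holds the cache type only */
			krb5_ccname_dir_start = sep + 1;
			room = sizeof(krb5_ccname) -
			    (size_t)(krb5_ccname_dir_start - krb5_ccname);
			if (strcmp(krb5_ccname, "DIR") == 0 &&
			    strlcat(krb5_ccname_dir_start, "/primary", room) < room) {
				/* … unchanged: stat()/unlink()/rmdir() of the cache directory … */
			}
		}
```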
diff --git a/openssh-6.3p1-ldap.patch b/openssh-6.3p1-ldap.patch
index 994ef59..052973c 100644
--- a/openssh-6.3p1-ldap.patch
+++ b/openssh-6.3p1-ldap.patch
@@ -759,10 +759,9 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
+
+#endif /* LDAPBODY_H */
+
-diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
---- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200
-+++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200
-@@ -0,0 +1,691 @@
+--- openssh-6.4p1/ldapconf.c.ldap 2013-11-26 10:31:03.513794385 +0100
++++ openssh-6.4p1/ldapconf.c 2013-11-26 10:38:15.474635149 +0100
+@@ -0,0 +1,720 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -886,6 +885,35 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+ return lBadOption;
+}
+
++/* Characters considered whitespace in strsep calls. */
++#define WHITESPACE " \t\r\n"
++
++/* return next token in configuration line */
++static char *
++ldap_strdelim(char **s)
++{
++ char *old;
++ int wspace = 0;
++
++ if (*s == NULL)
++ return NULL;
++
++ old = *s;
++
++ *s = strpbrk(*s, WHITESPACE);
++ if (*s == NULL)
++ return (old);
++
++ *s[0] = '\0';
++
++ /* Skip any extra whitespace after first token */
++ *s += strspn(*s + 1, WHITESPACE) + 1;
++ if (*s[0] == '=' && !wspace)
++ *s += strspn(*s + 1, WHITESPACE) + 1;
++
++ return (old);
++}
++
+/*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set.
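Review bot: `wspace` in `ldap_strdelim` is initialised to 0 and never assigned, so `&& !wspace` is always true and the variable only obscures the test; drop it and write `if (*s[0] == '=')`. The helper also behaves differently from the `strdelim` calls it replaces in ways the one-line comment does not convey: it splits on whitespace only, does no quote handling, and skips a leading `=` on the following token. A value containing whitespace, a bind password for instance, is therefore cut at the first blank with no diagnostic, assuming the callers below use the token as returned, as they appear to. A comment above the function should say so, e.g. `/* Split on whitespace only; '=' and quotes inside a token are kept, quoting is not supported. */`.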
@@ -909,11 +937,11 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+
+ s = line;
+ /* Get the keyword. (Each line is supposed to begin with a keyword). */
-+ if ((keyword = strdelim(&s)) == NULL)
++ if ((keyword = ldap_strdelim(&s)) == NULL)
+ return 0;
+ /* Ignore leading whitespace. */
+ if (*keyword == '\0')
-+ keyword = strdelim(&s);
++ keyword = ldap_strdelim(&s);
+ if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
+ return 0;
+
@@ -949,7 +977,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+ case lBindPW:
+ charptr = &options.bindpw;
+parse_string:
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
+ if (*charptr == NULL)
@@ -962,7 +990,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+
+ case lScope:
+ intptr = &options.scope;
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
+ value = 0; /* To avoid compiler warning... */
@@ -980,7 +1008,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+
+ case lDeref:
+ intptr = &options.scope;
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
+ value = 0; /* To avoid compiler warning... */
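Review bot: Under `case lDeref:` the target is `intptr = &options.scope;`, the same field that `case lScope:` uses a few lines earlier, so a Deref setting either lands in the search scope or is dropped because scope is already set. The line is context rather than part of this change, but the commit edits the block and leaves it as is. It presumably should point at the options field that holds the dereference policy, which is not visible on this page. The `case` sits in a function whose start and end are outside the hunk.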
@@ -1001,7 +1029,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+ case lPort:
+ intptr = &options.port;
+parse_int:
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
+ if (arg[0] < '0' || arg[0] > '9')
@@ -1018,7 +1046,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+ case lTimeLimit:
+ intptr = &options.timelimit;
+parse_time:
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing time value.",
+ filename, linenum);
@@ -1039,7 +1067,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+
+ case lBind_Policy:
+ intptr = &options.bind_policy;
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
+ value = 0; /* To avoid compiler warning... */
@@ -1058,7 +1086,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+
+ case lSSL:
+ intptr = &options.ssl;
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
+ value = 0; /* To avoid compiler warning... */
@@ -1077,7 +1105,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+ case lReferrals:
+ intptr = &options.referrals;
+parse_flag:
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
+ value = 0; /* To avoid compiler warning... */
@@ -1097,7 +1125,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+
+ case lTLS_CheckPeer:
+ intptr = &options.tls_checkpeer;
-+ arg = strdelim(&s);
++ arg = ldap_strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
+ value = 0; /* To avoid compiler warning... */
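Review bot: The fatal message in the `lTLS_CheckPeer` case lists `alow` among the accepted values, which looks like a typo for `allow`. If the comparisons below the hunk accept `allow`, the message should read `"%.200s line %d: Missing never/hard/demand/allow/try argument."` so that the hint matches what the parser takes; those comparisons are outside the hunk.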
@@ -1171,7 +1199,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+ }
+
+ /* Check that there is no garbage at end of line. */
-+ if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
++ if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
+ fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
+ filename, linenum, arg);
+ }
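Review bot: The end-of-line check echoes the leftover token into the fatal message, and because `ldap_strdelim` as added by this patch splits on whitespace only, with no quote handling, any value containing a space now reaches this path. For a `bindpw` line that would put the tail of the bind password into the log, assuming the `lBindPW` case reaches this check, which the hunk does not show. Consider dropping the token from the message, `fatal("%.200s line %d: garbage at end of line.", filename, linenum);`, and stating in the configuration documentation that values cannot contain whitespace.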
diff --git a/openssh-6.3p1-audit.patch b/openssh-6.4p1-audit.patch
similarity index 99%
rename from openssh-6.3p1-audit.patch
rename to openssh-6.4p1-audit.patch
index 39296c1..77a6fa4 100644
--- a/openssh-6.3p1-audit.patch
+++ b/openssh-6.4p1-audit.patch
@@ -1440,9 +1440,9 @@ diff -up openssh-6.3p1/monitor.h.audit openssh-6.3p1/monitor.h
};
-diff -up openssh-6.3p1/monitor_wrap.c.audit openssh-6.3p1/monitor_wrap.c
---- openssh-6.3p1/monitor_wrap.c.audit 2013-10-07 15:53:34.217717411 +0200
-+++ openssh-6.3p1/monitor_wrap.c 2013-10-07 16:03:16.190993304 +0200
+diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
+--- openssh-6.4p1/monitor_wrap.c.audit 2013-11-08 13:26:47.062595006 +0100
++++ openssh-6.4p1/monitor_wrap.c 2013-11-08 13:26:47.089594877 +0100
@@ -433,7 +433,7 @@ mm_key_allowed(enum mm_keytype type, cha
*/
@@ -1480,15 +1480,6 @@ diff -up openssh-6.3p1/monitor_wrap.c.audit openssh-6.3p1/monitor_wrap.c
/* Export key state after authentication */
Newkeys *
mm_newkeys_from_blob(u_char *blob, int blen)
-@@ -482,7 +496,7 @@ mm_newkeys_from_blob(u_char *blob, int b
- buffer_init(&b);
- buffer_append(&b, blob, blen);
-
-- newkey = xmalloc(sizeof(*newkey));
-+ newkey = xcalloc(1, sizeof(*newkey));
- enc = &newkey->enc;
- mac = &newkey->mac;
- comp = &newkey->comp;
@@ -642,12 +656,14 @@ mm_send_keystate(struct monitor *monitor
fatal("%s: conversion of newkeys failed", __func__);
@@ -2157,6 +2148,15 @@ diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
}
/* Certs do not need demotion */
}
+@@ -652,7 +703,7 @@ privsep_preauth(Authctxt *authctxt)
+
+ if (use_privsep == PRIVSEP_ON)
+ box = ssh_sandbox_init();
+- pid = fork();
++ pmonitor->m_pid = pid = fork();
+ if (pid == -1) {
+ fatal("fork of unprivileged child failed");
+ } else if (pid != 0) {
@@ -708,6 +759,8 @@ privsep_preauth(Authctxt *authctxt)
}
}
@@ -2253,7 +2253,7 @@ diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
pmonitor->m_pid, strerror(errno));
}
}
-+ is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
++ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
+ if (sensitive_data.host_keys != NULL)
+ destroy_sensitive_data(is_privsep_child);
+ packet_destroy_all(1, is_privsep_child);
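Review bot: `pmonitor->m_pid == 0` identifies the unprivileged child only once a fork site has assigned `m_pid`; in a process where the field still holds its initial value the test can also be true. The initialisation of the monitor struct is not visible here, so this needs confirming: if it is zero-filled, a cleanup that runs with `pmonitor != NULL` before the `pmonitor->m_pid = pid = fork();` added in the `privsep_preauth` hunk above would be classified as the privsep child and pass the wrong flag to `destroy_sensitive_data` and `packet_destroy_all`. A comment at this line would make the invariant explicit, e.g. `/* m_pid is 0 only in the forked child; the monitor holds the child's pid */`, and it is worth checking that every fork site stores into `m_pid`. The enclosing function starts and ends outside the hunk.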
diff --git a/openssh-6.3p1-gsissh.patch b/openssh-6.4p1-gsissh.patch
similarity index 90%
rename from openssh-6.3p1-gsissh.patch
rename to openssh-6.4p1-gsissh.patch
index 78cb329..edd513a 100644
--- a/openssh-6.3p1-gsissh.patch
+++ b/openssh-6.4p1-gsissh.patch
@@ -1,6 +1,6 @@
-diff -Nur openssh-6.3p1.orig/auth2.c openssh-6.3p1/auth2.c
---- openssh-6.3p1.orig/auth2.c 2013-10-15 09:20:49.442204554 +0200
-+++ openssh-6.3p1/auth2.c 2013-10-15 09:37:13.858290808 +0200
+diff -Nur openssh-6.4p1.orig/auth2.c openssh-6.4p1/auth2.c
+--- openssh-6.4p1.orig/auth2.c 2013-11-26 14:25:47.969371747 +0100
++++ openssh-6.4p1/auth2.c 2013-11-26 14:26:35.169803216 +0100
@@ -234,7 +234,27 @@
user = packet_get_cstring(NULL);
service = packet_get_cstring(NULL);
@@ -96,9 +96,9 @@ diff -Nur openssh-6.3p1.orig/auth2.c openssh-6.3p1/auth2.c
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
-diff -Nur openssh-6.3p1.orig/auth2-gss.c openssh-6.3p1/auth2-gss.c
---- openssh-6.3p1.orig/auth2-gss.c 2013-10-15 09:20:49.442204554 +0200
-+++ openssh-6.3p1/auth2-gss.c 2013-10-15 09:49:52.037113175 +0200
+diff -Nur openssh-6.4p1.orig/auth2-gss.c openssh-6.4p1/auth2-gss.c
+--- openssh-6.4p1.orig/auth2-gss.c 2013-11-26 14:25:47.969371747 +0100
++++ openssh-6.4p1/auth2-gss.c 2013-11-26 14:26:35.169803216 +0100
@@ -47,6 +47,7 @@
extern ServerOptions options;
@@ -279,9 +279,9 @@ diff -Nur openssh-6.3p1.orig/auth2-gss.c openssh-6.3p1/auth2-gss.c
Authmethod method_gsskeyex = {
"gssapi-keyex",
userauth_gsskeyex,
-diff -Nur openssh-6.3p1.orig/auth.c openssh-6.3p1/auth.c
---- openssh-6.3p1.orig/auth.c 2013-10-15 09:20:49.348205691 +0200
-+++ openssh-6.3p1/auth.c 2013-10-15 09:21:48.388491376 +0200
+diff -Nur openssh-6.4p1.orig/auth.c openssh-6.4p1/auth.c
+--- openssh-6.4p1.orig/auth.c 2013-11-26 14:25:47.970371735 +0100
++++ openssh-6.4p1/auth.c 2013-11-26 14:26:35.170803204 +0100
@@ -74,6 +74,9 @@
#include "krl.h"
#include "compat.h"
@@ -345,9 +345,9 @@ diff -Nur openssh-6.3p1.orig/auth.c openssh-6.3p1/auth.c
#ifdef CUSTOM_FAILED_LOGIN
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
-diff -Nur openssh-6.3p1.orig/auth.h openssh-6.3p1/auth.h
---- openssh-6.3p1.orig/auth.h 2013-10-15 09:20:49.370205425 +0200
-+++ openssh-6.3p1/auth.h 2013-10-15 09:21:48.388491376 +0200
+diff -Nur openssh-6.4p1.orig/auth.h openssh-6.4p1/auth.h
+--- openssh-6.4p1.orig/auth.h 2013-11-26 14:25:47.970371735 +0100
++++ openssh-6.4p1/auth.h 2013-11-26 14:26:35.170803204 +0100
@@ -160,6 +160,7 @@
void auth_log(Authctxt *, int, int, const char *, const char *);
void userauth_finish(Authctxt *, int, const char *, const char *);
@@ -356,9 +356,9 @@ diff -Nur openssh-6.3p1.orig/auth.h openssh-6.3p1/auth.h
void userauth_send_banner(const char *);
-diff -Nur openssh-6.3p1.orig/auth-pam.c openssh-6.3p1/auth-pam.c
---- openssh-6.3p1.orig/auth-pam.c 2013-10-15 09:20:49.369205437 +0200
-+++ openssh-6.3p1/auth-pam.c 2013-10-15 09:37:13.865290723 +0200
+diff -Nur openssh-6.4p1.orig/auth-pam.c openssh-6.4p1/auth-pam.c
+--- openssh-6.4p1.orig/auth-pam.c 2013-11-26 14:25:47.971371723 +0100
++++ openssh-6.4p1/auth-pam.c 2013-11-26 14:26:35.171803192 +0100
@@ -122,6 +122,10 @@
*/
typedef pthread_t sp_pthread_t;
@@ -508,9 +508,9 @@ diff -Nur openssh-6.3p1.orig/auth-pam.c openssh-6.3p1/auth-pam.c
sshpam_password = NULL;
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
-diff -Nur openssh-6.3p1.orig/auth-pam.h openssh-6.3p1/auth-pam.h
---- openssh-6.3p1.orig/auth-pam.h 2013-10-15 09:20:49.369205437 +0200
-+++ openssh-6.3p1/auth-pam.h 2013-10-15 09:21:48.389491364 +0200
+diff -Nur openssh-6.4p1.orig/auth-pam.h openssh-6.4p1/auth-pam.h
+--- openssh-6.4p1.orig/auth-pam.h 2013-11-26 14:25:47.971371723 +0100
++++ openssh-6.4p1/auth-pam.h 2013-11-26 14:26:35.171803192 +0100
@@ -46,5 +46,6 @@
void sshpam_cleanup(void);
int sshpam_auth_passwd(Authctxt *, const char *);
@@ -518,9 +518,9 @@ diff -Nur openssh-6.3p1.orig/auth-pam.h openssh-6.3p1/auth-pam.h
+struct passwd *sshpam_getpw(const char *);
#endif /* USE_PAM */
-diff -Nur openssh-6.3p1.orig/canohost.c openssh-6.3p1/canohost.c
---- openssh-6.3p1.orig/canohost.c 2013-10-15 09:20:49.388205207 +0200
-+++ openssh-6.3p1/canohost.c 2013-10-15 09:37:13.844290977 +0200
+diff -Nur openssh-6.4p1.orig/canohost.c openssh-6.4p1/canohost.c
+--- openssh-6.4p1.orig/canohost.c 2013-11-26 14:25:47.972371711 +0100
++++ openssh-6.4p1/canohost.c 2013-11-26 14:26:35.171803192 +0100
@@ -16,6 +16,7 @@
#include <sys/types.h>
@@ -563,9 +563,9 @@ diff -Nur openssh-6.3p1.orig/canohost.c openssh-6.3p1/canohost.c
+ }
+ }
+}
-diff -Nur openssh-6.3p1.orig/canohost.h openssh-6.3p1/canohost.h
---- openssh-6.3p1.orig/canohost.h 2009-06-21 11:50:08.000000000 +0200
-+++ openssh-6.3p1/canohost.h 2013-10-15 09:21:48.390491352 +0200
+diff -Nur openssh-6.4p1.orig/canohost.h openssh-6.4p1/canohost.h
+--- openssh-6.4p1.orig/canohost.h 2013-11-26 14:25:47.972371711 +0100
++++ openssh-6.4p1/canohost.h 2013-11-26 14:26:35.172803180 +0100
@@ -26,4 +26,6 @@
int get_sock_port(int, int);
void clear_cached_addr(void);
@@ -573,9 +573,9 @@ diff -Nur openssh-6.3p1.orig/canohost.h openssh-6.3p1/canohost.h
+void resolve_localhost(char **host);
+
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
-diff -Nur openssh-6.3p1.orig/configure.ac openssh-6.3p1/configure.ac
---- openssh-6.3p1.orig/configure.ac 2013-10-15 09:20:49.443204542 +0200
-+++ openssh-6.3p1/configure.ac 2013-10-15 09:21:48.391491340 +0200
+diff -Nur openssh-6.4p1.orig/configure.ac openssh-6.4p1/configure.ac
+--- openssh-6.4p1.orig/configure.ac 2013-11-26 14:25:47.973371699 +0100
++++ openssh-6.4p1/configure.ac 2013-11-26 14:26:35.173803168 +0100
@@ -3902,6 +3902,14 @@
AC_CHECK_HEADER([gssapi_krb5.h], ,
[ CPPFLAGS="$oldCPP" ])
@@ -642,9 +642,9 @@ diff -Nur openssh-6.3p1.orig/configure.ac openssh-6.3p1/configure.ac
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
-diff -Nur openssh-6.3p1.orig/gss-genr.c openssh-6.3p1/gss-genr.c
---- openssh-6.3p1.orig/gss-genr.c 2013-10-15 09:20:49.443204542 +0200
-+++ openssh-6.3p1/gss-genr.c 2013-10-15 09:28:56.674309793 +0200
+diff -Nur openssh-6.4p1.orig/gss-genr.c openssh-6.4p1/gss-genr.c
+--- openssh-6.4p1.orig/gss-genr.c 2013-11-26 14:25:47.974371687 +0100
++++ openssh-6.4p1/gss-genr.c 2013-11-26 14:26:35.173803168 +0100
@@ -38,6 +38,7 @@
#include "xmalloc.h"
#include "buffer.h"
@@ -681,10 +681,10 @@ diff -Nur openssh-6.3p1.orig/gss-genr.c openssh-6.3p1/gss-genr.c
free(gssbuf.value);
return (ctx->major);
}
-diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
---- openssh-6.3p1.orig/gss-serv.c 2013-10-15 09:20:49.444204530 +0200
-+++ openssh-6.3p1/gss-serv.c 2013-10-15 09:21:48.392491328 +0200
-@@ -52,6 +52,7 @@
+diff -Nur openssh-6.4p1.orig/gss-serv.c openssh-6.4p1/gss-serv.c
+--- openssh-6.4p1.orig/gss-serv.c 2013-11-26 14:25:47.974371687 +0100
++++ openssh-6.4p1/gss-serv.c 2013-11-26 14:47:37.394667653 +0100
+@@ -52,10 +52,12 @@
#include "monitor_wrap.h"
extern ServerOptions options;
@@ -692,7 +692,13 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-@@ -63,14 +64,23 @@
+- GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0};
++ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL},
++ GSS_C_NO_CONTEXT, 0, 0};
+
+ ssh_gssapi_mech gssapi_null_mech =
+ { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
+@@ -63,14 +65,23 @@
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
#endif
@@ -716,7 +722,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
/*
* Acquire credentials for a server running on the current host.
-@@ -159,7 +169,8 @@
+@@ -159,7 +170,8 @@
gss_create_empty_oid_set(&min_status, oidset);
@@ -726,7 +732,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
return;
while (supported_mechs[i]->name != NULL) {
-@@ -212,6 +223,10 @@
+@@ -212,6 +224,10 @@
(*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
if (ssh_gssapi_getclient(ctx, &gssapi_client))
fatal("Couldn't convert client name");
@@ -737,7 +743,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
}
return (status);
-@@ -231,6 +246,17 @@
+@@ -231,6 +247,17 @@
tok = ename->value;
@@ -755,7 +761,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
/*
* Check that ename is long enough for all of the fixed length
* header, and that the initial ID bytes are correct
-@@ -298,8 +324,11 @@
+@@ -298,8 +325,11 @@
return GSS_S_COMPLETE;
}
@@ -769,7 +775,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
NULL, NULL, NULL))) {
ssh_gssapi_error(ctx);
return (ctx->major);
-@@ -342,9 +371,12 @@
+@@ -342,9 +372,12 @@
if (client->mech == NULL)
return GSS_S_FAILURE;
@@ -784,7 +790,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
ssh_gssapi_error(ctx);
return (ctx->major);
}
-@@ -371,6 +403,10 @@
+@@ -371,6 +404,10 @@
/* We can't copy this structure, so we just move the pointer to it */
client->creds = ctx->client_creds;
ctx->client_creds = GSS_C_NO_CREDENTIAL;
@@ -795,7 +801,30 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
return (ctx->major);
}
-@@ -413,6 +449,11 @@
+@@ -378,6 +415,7 @@
+ void
+ ssh_gssapi_cleanup_creds(void)
+ {
++#ifdef KRB5
+ krb5_ccache ccache = NULL;
+ krb5_error_code problem;
+
+@@ -393,6 +431,14 @@
+ gssapi_client.store.data = NULL;
+ }
+ }
++#else
++ if (gssapi_client.store.filename != NULL) {
++ /* Unlink probably isn't sufficient */
++ debug("removing gssapi cred file\"%s\"",
++ gssapi_client.store.filename);
++ unlink(gssapi_client.store.filename);
++ }
++#endif
+ }
+
+ /* As user */
+@@ -400,6 +446,11 @@
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
@@ -807,7 +836,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
(*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
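Review bot: In the new `#else` branch of `ssh_gssapi_cleanup_creds` the result of `unlink(gssapi_client.store.filename)` is ignored, so a delegated credential file that could not be removed stays on disk with nothing above debug level recording it. Checking the call, `if (unlink(gssapi_client.store.filename) == -1)` followed by `error("could not remove gssapi cred file \"%s\"", gssapi_client.store.filename);`, would make the failure visible to the operator. The in-code comment already notes that unlinking alone may not be sufficient; that limitation deserves a sentence in the function's header comment as well. The debug format string is also missing a space before the opening quote (`file\"%s\"`).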
-@@ -436,8 +477,9 @@
+@@ -423,8 +474,9 @@
}
/* Privileged */
@@ -818,7 +847,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
{
OM_uint32 lmin;
-@@ -446,6 +488,12 @@
+@@ -433,6 +485,12 @@
debug("No suitable client data");
return 0;
}
@@ -831,7 +860,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
if (gssapi_client.mech && gssapi_client.mech->userok)
if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
gssapi_client.used = 1;
-@@ -464,6 +512,24 @@
+@@ -451,6 +509,24 @@
return (0);
}
@@ -856,7 +885,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
/* These bits are only used for rekeying. The unpriviledged child is running
* as the user, the monitor is root.
*
-@@ -490,6 +556,7 @@
+@@ -477,6 +553,7 @@
pam_handle_t *pamh = NULL;
struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
char *envstr;
@@ -864,7 +893,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
#endif
if (gssapi_client.store.filename == NULL &&
-@@ -519,6 +586,18 @@
+@@ -506,6 +583,18 @@
if (ret)
return;
@@ -883,7 +912,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
gssapi_client.store.envval);
-@@ -550,4 +629,13 @@
+@@ -537,4 +626,13 @@
return ok;
}
@@ -897,9 +926,9 @@ diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
+}
+
#endif
-diff -Nur openssh-6.3p1.orig/gss-serv-gsi.c openssh-6.3p1/gss-serv-gsi.c
---- openssh-6.3p1.orig/gss-serv-gsi.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.3p1/gss-serv-gsi.c 2013-10-15 09:37:13.856290832 +0200
+diff -Nur openssh-6.4p1.orig/gss-serv-gsi.c openssh-6.4p1/gss-serv-gsi.c
+--- openssh-6.4p1.orig/gss-serv-gsi.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.4p1/gss-serv-gsi.c 2013-11-26 14:26:35.175803144 +0100
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1139,9 +1168,9 @@ diff -Nur openssh-6.3p1.orig/gss-serv-gsi.c openssh-6.3p1/gss-serv-gsi.c
+
+#endif /* GSI */
+#endif /* GSSAPI */
-diff -Nur openssh-6.3p1.orig/gss-serv-krb5.c openssh-6.3p1/gss-serv-krb5.c
---- openssh-6.3p1.orig/gss-serv-krb5.c 2013-10-15 09:20:49.457204372 +0200
-+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-15 09:37:13.862290759 +0200
+diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
+--- openssh-6.4p1.orig/gss-serv-krb5.c 2013-11-26 14:25:47.976371663 +0100
++++ openssh-6.4p1/gss-serv-krb5.c 2013-11-26 14:26:35.175803144 +0100
@@ -263,6 +263,34 @@
return found_principal;
}
@@ -1177,7 +1206,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv-krb5.c openssh-6.3p1/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
-@@ -358,7 +386,7 @@
+@@ -361,7 +389,7 @@
return;
}
@@ -1186,7 +1215,7 @@ diff -Nur openssh-6.3p1.orig/gss-serv-krb5.c openssh-6.3p1/gss-serv-krb5.c
ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
ssh_gssapi_client *client)
{
-@@ -429,7 +457,7 @@
+@@ -432,7 +460,7 @@
{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
NULL,
&ssh_gssapi_krb5_userok,
@@ -1195,9 +1224,9 @@ diff -Nur openssh-6.3p1.orig/gss-serv-krb5.c openssh-6.3p1/gss-serv-krb5.c
&ssh_gssapi_krb5_storecreds,
&ssh_gssapi_krb5_updatecreds
};
-diff -Nur openssh-6.3p1.orig/kexgsss.c openssh-6.3p1/kexgsss.c
---- openssh-6.3p1.orig/kexgsss.c 2013-10-15 09:20:49.445204518 +0200
-+++ openssh-6.3p1/kexgsss.c 2013-10-15 09:37:13.859290795 +0200
+diff -Nur openssh-6.4p1.orig/kexgsss.c openssh-6.4p1/kexgsss.c
+--- openssh-6.4p1.orig/kexgsss.c 2013-11-26 14:25:47.976371663 +0100
++++ openssh-6.4p1/kexgsss.c 2013-11-26 14:26:35.176803132 +0100
@@ -44,6 +44,7 @@
#include "monitor_wrap.h"
#include "servconf.h"
@@ -1257,9 +1286,9 @@ diff -Nur openssh-6.3p1.orig/kexgsss.c openssh-6.3p1/kexgsss.c
+ }
+}
#endif /* GSSAPI */
-diff -Nur openssh-6.3p1.orig/LICENSE.globus_usage openssh-6.3p1/LICENSE.globus_usage
---- openssh-6.3p1.orig/LICENSE.globus_usage 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.3p1/LICENSE.globus_usage 2013-10-15 09:21:48.393491316 +0200
+diff -Nur openssh-6.4p1.orig/LICENSE.globus_usage openssh-6.4p1/LICENSE.globus_usage
+--- openssh-6.4p1.orig/LICENSE.globus_usage 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.4p1/LICENSE.globus_usage 2013-11-26 14:26:35.176803132 +0100
@@ -0,0 +1,18 @@
+/*
+ * Portions of the Usage Metrics suport code are derived from the
@@ -1279,9 +1308,9 @@ diff -Nur openssh-6.3p1.orig/LICENSE.globus_usage openssh-6.3p1/LICENSE.globus_u
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
-diff -Nur openssh-6.3p1.orig/Makefile.in openssh-6.3p1/Makefile.in
---- openssh-6.3p1.orig/Makefile.in 2013-10-15 09:20:49.441204566 +0200
-+++ openssh-6.3p1/Makefile.in 2013-10-15 09:21:48.393491316 +0200
+diff -Nur openssh-6.4p1.orig/Makefile.in openssh-6.4p1/Makefile.in
+--- openssh-6.4p1.orig/Makefile.in 2013-11-26 14:25:47.977371651 +0100
++++ openssh-6.4p1/Makefile.in 2013-11-26 14:26:35.177803120 +0100
@@ -95,8 +95,10 @@
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \
@@ -1293,9 +1322,9 @@ diff -Nur openssh-6.3p1.orig/Makefile.in openssh-6.3p1/Makefile.in
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o
-diff -Nur openssh-6.3p1.orig/misc.c openssh-6.3p1/misc.c
---- openssh-6.3p1.orig/misc.c 2013-10-15 09:20:49.371205413 +0200
-+++ openssh-6.3p1/misc.c 2013-10-15 09:37:13.855290844 +0200
+diff -Nur openssh-6.4p1.orig/misc.c openssh-6.4p1/misc.c
+--- openssh-6.4p1.orig/misc.c 2013-11-26 14:25:47.977371651 +0100
++++ openssh-6.4p1/misc.c 2013-11-26 14:26:35.177803120 +0100
@@ -158,11 +158,14 @@
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
@@ -1355,9 +1384,9 @@ diff -Nur openssh-6.3p1.orig/misc.c openssh-6.3p1/misc.c
/*
* Convert ASCII string to TCP/IP port number.
* Port must be >=0 and <=65535.
-diff -Nur openssh-6.3p1.orig/misc.h openssh-6.3p1/misc.h
---- openssh-6.3p1.orig/misc.h 2013-06-01 23:46:16.000000000 +0200
-+++ openssh-6.3p1/misc.h 2013-10-15 09:21:48.394491304 +0200
+diff -Nur openssh-6.4p1.orig/misc.h openssh-6.4p1/misc.h
+--- openssh-6.4p1.orig/misc.h 2013-11-26 14:25:47.977371651 +0100
++++ openssh-6.4p1/misc.h 2013-11-26 14:26:35.177803120 +0100
@@ -39,6 +39,7 @@
void sock_set_v6only(int);
@@ -1366,9 +1395,9 @@ diff -Nur openssh-6.3p1.orig/misc.h openssh-6.3p1/misc.h
const char *ssh_gai_strerror(int);
typedef struct arglist arglist;
-diff -Nur openssh-6.3p1.orig/monitor.c openssh-6.3p1/monitor.c
---- openssh-6.3p1.orig/monitor.c 2013-10-15 09:20:49.446204506 +0200
-+++ openssh-6.3p1/monitor.c 2013-10-15 09:37:13.852290880 +0200
+diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
+--- openssh-6.4p1.orig/monitor.c 2013-11-26 14:25:47.978371639 +0100
++++ openssh-6.4p1/monitor.c 2013-11-26 14:26:35.178803108 +0100
@@ -188,6 +188,9 @@
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -1560,9 +1589,9 @@ diff -Nur openssh-6.3p1.orig/monitor.c openssh-6.3p1/monitor.c
int
mm_answer_gss_sign(int socket, Buffer *m)
{
-diff -Nur openssh-6.3p1.orig/monitor.h openssh-6.3p1/monitor.h
---- openssh-6.3p1.orig/monitor.h 2013-10-15 09:20:49.446204506 +0200
-+++ openssh-6.3p1/monitor.h 2013-10-15 09:21:48.395491292 +0200
+diff -Nur openssh-6.4p1.orig/monitor.h openssh-6.4p1/monitor.h
+--- openssh-6.4p1.orig/monitor.h 2013-11-26 14:25:47.978371639 +0100
++++ openssh-6.4p1/monitor.h 2013-11-26 14:26:35.178803108 +0100
@@ -79,8 +79,10 @@
MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119,
MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121,
@@ -1576,9 +1605,9 @@ diff -Nur openssh-6.3p1.orig/monitor.h openssh-6.3p1/monitor.h
};
struct mm_master;
-diff -Nur openssh-6.3p1.orig/monitor_wrap.c openssh-6.3p1/monitor_wrap.c
---- openssh-6.3p1.orig/monitor_wrap.c 2013-10-15 09:20:49.447204493 +0200
-+++ openssh-6.3p1/monitor_wrap.c 2013-10-15 09:21:48.396491279 +0200
+diff -Nur openssh-6.4p1.orig/monitor_wrap.c openssh-6.4p1/monitor_wrap.c
+--- openssh-6.4p1.orig/monitor_wrap.c 2013-11-26 14:25:47.979371627 +0100
++++ openssh-6.4p1/monitor_wrap.c 2013-11-26 14:26:35.179803095 +0100
@@ -1329,12 +1329,13 @@
}
@@ -1678,9 +1707,9 @@ diff -Nur openssh-6.3p1.orig/monitor_wrap.c openssh-6.3p1/monitor_wrap.c
OM_uint32
mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
{
-diff -Nur openssh-6.3p1.orig/monitor_wrap.h openssh-6.3p1/monitor_wrap.h
---- openssh-6.3p1.orig/monitor_wrap.h 2013-10-15 09:20:49.447204493 +0200
-+++ openssh-6.3p1/monitor_wrap.h 2013-10-15 09:21:48.396491279 +0200
+diff -Nur openssh-6.4p1.orig/monitor_wrap.h openssh-6.4p1/monitor_wrap.h
+--- openssh-6.4p1.orig/monitor_wrap.h 2013-11-26 14:25:47.979371627 +0100
++++ openssh-6.4p1/monitor_wrap.h 2013-11-26 14:26:35.179803095 +0100
@@ -62,9 +62,13 @@
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -1696,9 +1725,9 @@ diff -Nur openssh-6.3p1.orig/monitor_wrap.h openssh-6.3p1/monitor_wrap.h
int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
#endif
-diff -Nur openssh-6.3p1.orig/readconf.c openssh-6.3p1/readconf.c
---- openssh-6.3p1.orig/readconf.c 2013-10-15 09:20:49.447204493 +0200
-+++ openssh-6.3p1/readconf.c 2013-10-15 09:21:48.397491267 +0200
+diff -Nur openssh-6.4p1.orig/readconf.c openssh-6.4p1/readconf.c
+--- openssh-6.4p1.orig/readconf.c 2013-11-26 14:25:47.979371627 +0100
++++ openssh-6.4p1/readconf.c 2013-11-26 14:26:35.179803095 +0100
@@ -1303,13 +1303,13 @@
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
@@ -1717,9 +1746,9 @@ diff -Nur openssh-6.3p1.orig/readconf.c openssh-6.3p1/readconf.c
if (options->gss_renewal_rekey == -1)
options->gss_renewal_rekey = 0;
if (options->password_authentication == -1)
-diff -Nur openssh-6.3p1.orig/readconf.h openssh-6.3p1/readconf.h
---- openssh-6.3p1.orig/readconf.h 2013-10-15 09:20:49.448204481 +0200
-+++ openssh-6.3p1/readconf.h 2013-10-15 09:21:48.397491267 +0200
+diff -Nur openssh-6.4p1.orig/readconf.h openssh-6.4p1/readconf.h
+--- openssh-6.4p1.orig/readconf.h 2013-11-26 14:25:47.980371615 +0100
++++ openssh-6.4p1/readconf.h 2013-11-26 14:26:35.179803095 +0100
@@ -88,6 +88,8 @@
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */
@@ -1729,9 +1758,9 @@ diff -Nur openssh-6.3p1.orig/readconf.h openssh-6.3p1/readconf.h
int escape_char; /* Escape character; -2 = none */
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
-diff -Nur openssh-6.3p1.orig/servconf.c openssh-6.3p1/servconf.c
---- openssh-6.3p1.orig/servconf.c 2013-10-15 09:20:49.458204360 +0200
-+++ openssh-6.3p1/servconf.c 2013-10-15 09:21:48.398491255 +0200
+diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
+--- openssh-6.4p1.orig/servconf.c 2013-11-26 14:25:47.980371615 +0100
++++ openssh-6.4p1/servconf.c 2013-11-26 14:26:35.180803083 +0100
@@ -71,6 +71,7 @@
/* Portable-specific options */
@@ -1934,9 +1963,9 @@ diff -Nur openssh-6.3p1.orig/servconf.c openssh-6.3p1/servconf.c
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);
-diff -Nur openssh-6.3p1.orig/servconf.h openssh-6.3p1/servconf.h
---- openssh-6.3p1.orig/servconf.h 2013-10-15 09:20:49.458204360 +0200
-+++ openssh-6.3p1/servconf.h 2013-10-15 09:21:48.398491255 +0200
+diff -Nur openssh-6.4p1.orig/servconf.h openssh-6.4p1/servconf.h
+--- openssh-6.4p1.orig/servconf.h 2013-11-26 14:25:47.980371615 +0100
++++ openssh-6.4p1/servconf.h 2013-11-26 14:26:35.180803083 +0100
@@ -110,9 +110,12 @@
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
@@ -1969,9 +1998,9 @@ diff -Nur openssh-6.3p1.orig/servconf.h openssh-6.3p1/servconf.h
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
-diff -Nur openssh-6.3p1.orig/ssh.1 openssh-6.3p1/ssh.1
---- openssh-6.3p1.orig/ssh.1 2013-10-15 09:20:49.427204735 +0200
-+++ openssh-6.3p1/ssh.1 2013-10-15 09:21:48.399491243 +0200
+diff -Nur openssh-6.4p1.orig/ssh.1 openssh-6.4p1/ssh.1
+--- openssh-6.4p1.orig/ssh.1 2013-11-26 14:25:47.981371603 +0100
++++ openssh-6.4p1/ssh.1 2013-11-26 14:26:35.181803071 +0100
@@ -1281,6 +1281,18 @@
on to new connections).
.It Ev USER
@@ -1991,9 +2020,9 @@ diff -Nur openssh-6.3p1.orig/ssh.1 openssh-6.3p1/ssh.1
.El
.Pp
Additionally,
-diff -Nur openssh-6.3p1.orig/ssh.c openssh-6.3p1/ssh.c
---- openssh-6.3p1.orig/ssh.c 2013-10-15 09:20:49.408204965 +0200
-+++ openssh-6.3p1/ssh.c 2013-10-15 09:21:48.400491231 +0200
+diff -Nur openssh-6.4p1.orig/ssh.c openssh-6.4p1/ssh.c
+--- openssh-6.4p1.orig/ssh.c 2013-11-26 14:25:47.981371603 +0100
++++ openssh-6.4p1/ssh.c 2013-11-26 14:26:35.181803071 +0100
@@ -718,6 +718,32 @@
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
@@ -2041,9 +2070,9 @@ diff -Nur openssh-6.3p1.orig/ssh.c openssh-6.3p1/ssh.c
/* Get default port if port has not been set. */
if (options.port == 0) {
-diff -Nur openssh-6.3p1.orig/ssh_config openssh-6.3p1/ssh_config
---- openssh-6.3p1.orig/ssh_config 2013-10-15 09:20:49.449204469 +0200
-+++ openssh-6.3p1/ssh_config 2013-10-15 09:21:48.400491231 +0200
+diff -Nur openssh-6.4p1.orig/ssh_config openssh-6.4p1/ssh_config
+--- openssh-6.4p1.orig/ssh_config 2013-11-26 14:25:47.981371603 +0100
++++ openssh-6.4p1/ssh_config 2013-11-26 14:26:35.181803071 +0100
@@ -24,10 +24,10 @@
# RSAAuthentication yes
# PasswordAuthentication yes
@@ -2059,9 +2088,9 @@ diff -Nur openssh-6.3p1.orig/ssh_config openssh-6.3p1/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-diff -Nur openssh-6.3p1.orig/ssh_config.5 openssh-6.3p1/ssh_config.5
---- openssh-6.3p1.orig/ssh_config.5 2013-10-15 09:20:49.449204469 +0200
-+++ openssh-6.3p1/ssh_config.5 2013-10-15 09:21:48.400491231 +0200
+diff -Nur openssh-6.4p1.orig/ssh_config.5 openssh-6.4p1/ssh_config.5
+--- openssh-6.4p1.orig/ssh_config.5 2013-11-26 14:25:47.982371591 +0100
++++ openssh-6.4p1/ssh_config.5 2013-11-26 14:26:35.182803059 +0100
@@ -55,6 +55,12 @@
user's configuration file
.Pq Pa ~/.ssh/config
@@ -2075,9 +2104,9 @@ diff -Nur openssh-6.3p1.orig/ssh_config.5 openssh-6.3p1/ssh_config.5
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
.El
-diff -Nur openssh-6.3p1.orig/sshconnect2.c openssh-6.3p1/sshconnect2.c
---- openssh-6.3p1.orig/sshconnect2.c 2013-10-15 09:20:49.456204385 +0200
-+++ openssh-6.3p1/sshconnect2.c 2013-10-15 09:21:48.401491219 +0200
+diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
+--- openssh-6.4p1.orig/sshconnect2.c 2013-11-26 14:25:47.982371591 +0100
++++ openssh-6.4p1/sshconnect2.c 2013-11-26 14:26:35.182803059 +0100
@@ -700,6 +700,11 @@
int ok = 0;
const char *gss_host = NULL;
@@ -2139,9 +2168,9 @@ diff -Nur openssh-6.3p1.orig/sshconnect2.c openssh-6.3p1/sshconnect2.c
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
packet_put_string(mic.value, mic.length);
-diff -Nur openssh-6.3p1.orig/sshd.8 openssh-6.3p1/sshd.8
---- openssh-6.3p1.orig/sshd.8 2013-10-15 09:20:49.454204409 +0200
-+++ openssh-6.3p1/sshd.8 2013-10-15 09:21:48.402491207 +0200
+diff -Nur openssh-6.4p1.orig/sshd.8 openssh-6.4p1/sshd.8
+--- openssh-6.4p1.orig/sshd.8 2013-11-26 14:25:47.983371579 +0100
++++ openssh-6.4p1/sshd.8 2013-11-26 14:26:35.183803047 +0100
@@ -763,6 +763,44 @@
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
@@ -2187,9 +2216,9 @@ diff -Nur openssh-6.3p1.orig/sshd.8 openssh-6.3p1/sshd.8
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.hushlogin
-diff -Nur openssh-6.3p1.orig/sshd.c openssh-6.3p1/sshd.c
---- openssh-6.3p1.orig/sshd.c 2013-10-15 09:20:49.450204457 +0200
-+++ openssh-6.3p1/sshd.c 2013-10-15 09:21:48.402491207 +0200
+diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
+--- openssh-6.4p1.orig/sshd.c 2013-11-26 14:25:47.983371579 +0100
++++ openssh-6.4p1/sshd.c 2013-11-26 14:26:35.183803047 +0100
@@ -124,6 +124,7 @@
#include "audit.h"
#include "ssh-sandbox.h"
@@ -2221,9 +2250,9 @@ diff -Nur openssh-6.3p1.orig/sshd.c openssh-6.3p1/sshd.c
temporarily_use_uid(authctxt->pw);
ssh_gssapi_storecreds();
restore_uid();
-diff -Nur openssh-6.3p1.orig/sshd_config openssh-6.3p1/sshd_config
---- openssh-6.3p1.orig/sshd_config 2013-10-15 09:20:49.458204360 +0200
-+++ openssh-6.3p1/sshd_config 2013-10-15 09:21:48.403491195 +0200
+diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
+--- openssh-6.4p1.orig/sshd_config 2013-11-26 14:25:47.983371579 +0100
++++ openssh-6.4p1/sshd_config 2013-11-26 14:26:35.183803047 +0100
@@ -89,12 +89,11 @@
#KerberosUseKuserok yes
@@ -2259,9 +2288,9 @@ diff -Nur openssh-6.3p1.orig/sshd_config openssh-6.3p1/sshd_config
+# Usage Metrics
+#UsageStatsTargets usage-stats.cilogon.org:4810
+#DisableUsageStats no
-diff -Nur openssh-6.3p1.orig/sshd_config.5 openssh-6.3p1/sshd_config.5
---- openssh-6.3p1.orig/sshd_config.5 2013-10-15 09:20:49.458204360 +0200
-+++ openssh-6.3p1/sshd_config.5 2013-10-15 09:21:48.404491183 +0200
+diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
+--- openssh-6.4p1.orig/sshd_config.5 2013-11-26 14:25:47.984371567 +0100
++++ openssh-6.4p1/sshd_config.5 2013-11-26 14:26:35.184803035 +0100
@@ -440,6 +440,15 @@
See PATTERNS in
.Xr ssh_config 5
@@ -2447,9 +2476,9 @@ diff -Nur openssh-6.3p1.orig/sshd_config.5 openssh-6.3p1/sshd_config.5
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-diff -Nur openssh-6.3p1.orig/ssh-globus-usage.c openssh-6.3p1/ssh-globus-usage.c
---- openssh-6.3p1.orig/ssh-globus-usage.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.3p1/ssh-globus-usage.c 2013-10-15 09:21:48.404491183 +0200
+diff -Nur openssh-6.4p1.orig/ssh-globus-usage.c openssh-6.4p1/ssh-globus-usage.c
+--- openssh-6.4p1.orig/ssh-globus-usage.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.4p1/ssh-globus-usage.c 2013-11-26 14:26:35.184803035 +0100
@@ -0,0 +1,396 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2847,9 +2876,9 @@ diff -Nur openssh-6.3p1.orig/ssh-globus-usage.c openssh-6.3p1/ssh-globus-usage.c
+
+#endif /* HAVE_GLOBUS_USAGE */
+}
-diff -Nur openssh-6.3p1.orig/ssh-globus-usage.h openssh-6.3p1/ssh-globus-usage.h
---- openssh-6.3p1.orig/ssh-globus-usage.h 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.3p1/ssh-globus-usage.h 2013-10-15 09:21:48.404491183 +0200
+diff -Nur openssh-6.4p1.orig/ssh-globus-usage.h openssh-6.4p1/ssh-globus-usage.h
+--- openssh-6.4p1.orig/ssh-globus-usage.h 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.4p1/ssh-globus-usage.h 2013-11-26 14:26:35.184803035 +0100
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2897,9 +2926,9 @@ diff -Nur openssh-6.3p1.orig/ssh-globus-usage.h openssh-6.3p1/ssh-globus-usage.h
+ char *username, char *userdn);
+
+#endif /* __SSH_GLOBUS_USAGE_H */
-diff -Nur openssh-6.3p1.orig/ssh-gss.h openssh-6.3p1/ssh-gss.h
---- openssh-6.3p1.orig/ssh-gss.h 2013-10-15 09:20:49.453204421 +0200
-+++ openssh-6.3p1/ssh-gss.h 2013-10-15 09:21:48.404491183 +0200
+diff -Nur openssh-6.4p1.orig/ssh-gss.h openssh-6.4p1/ssh-gss.h
+--- openssh-6.4p1.orig/ssh-gss.h 2013-11-26 14:25:47.985371555 +0100
++++ openssh-6.4p1/ssh-gss.h 2013-11-26 14:26:35.185803023 +0100
@@ -91,6 +91,7 @@
gss_name_t name;
struct ssh_gssapi_mech_struct *mech;
@@ -2944,11 +2973,11 @@ diff -Nur openssh-6.3p1.orig/ssh-gss.h openssh-6.3p1/ssh-gss.h
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
-diff -Nur openssh-6.3p1.orig/version.h openssh-6.3p1/version.h
---- openssh-6.3p1.orig/version.h 2013-07-25 03:57:15.000000000 +0200
-+++ openssh-6.3p1/version.h 2013-10-15 09:30:36.116106161 +0200
+diff -Nur openssh-6.4p1.orig/version.h openssh-6.4p1/version.h
+--- openssh-6.4p1.orig/version.h 2013-11-26 14:25:47.985371555 +0100
++++ openssh-6.4p1/version.h 2013-11-26 14:26:35.185803023 +0100
@@ -1,6 +1,21 @@
- /* $OpenBSD: version.h,v 1.67 2013/07/25 00:57:37 djm Exp $ */
+ /* $OpenBSD: version.h,v 1.68 2013/11/08 01:38:11 djm Exp $ */
+#ifdef GSI
+#define GSI_VERSION " GSI"
@@ -2962,9 +2991,9 @@ diff -Nur openssh-6.3p1.orig/version.h openssh-6.3p1/version.h
+#define KRB5_VERSION ""
+#endif
+
-+#define NCSA_VERSION " GSI_GSSAPI_20130916"
++#define NCSA_VERSION " GSI_GSSAPI_20131109"
+
- #define SSH_VERSION "OpenSSH_6.3"
+ #define SSH_VERSION "OpenSSH_6.4"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE