[gsi-openssh/f20] Based on openssh-6.4p1-8.fc20
Mattias Ellert
ellert at fedoraproject.org
Thu Jan 15 21:03:20 UTC 2015
commit ad74d68b5933003c5fafc8513aba1d5d8f341a18
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Thu Jan 15 21:48:15 2015 +0100
Based on openssh-6.4p1-8.fc20
gsi-openssh.spec | 23 ++-
gsisshd.service | 1 +
gsisshd.socket | 1 +
gsisshd at .service | 1 +
openssh-6.3p1-ldap.patch | 4 +-
openssh-6.4p1-GSSAPIEnablek5users.patch | 137 ++++++++++++
openssh-6.4p1-audit.patch | 2 +-
openssh-6.4p1-cisco-dh-keys.patch | 67 ++++++
openssh-6.4p1-gsissh.patch | 229 ++++++++++----------
openssh-6.4p1-ip-port-config-parser.patch | 24 ++
openssh-6.4p1-scp-non-existing-directory.patch | 14 ++
...6.4p1-sftp-symlink-prepend-relative-links.patch | 15 ++
12 files changed, 400 insertions(+), 118 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 0cf6ff1..3705c3e 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -122,6 +122,9 @@ Patch713: openssh-6.3p1-ctr-cavstest.patch
Patch800: openssh-6.3p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-6.3p1-force_krb.patch
+# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
+# CVE-2014-9278
+Patch802: openssh-6.4p1-GSSAPIEnablek5users.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.4p1-kuserok.patch
@@ -160,6 +163,14 @@ Patch914: openssh-6.4p1-servconf-parser.patch
# Ignore SIGXFSZ in postauth monitor
# https://bugzilla.mindrot.org/show_bug.cgi?id=2263
Patch915: openssh-6.4p1-ignore-SIGXFSZ-in-postauth.patch
+# use different values for DH for Cisco servers (#1026430)
+Patch916: openssh-6.4p1-cisco-dh-keys.patch
+# sftp: remote directory always prepended to relative symbolic links (#825538)
+Patch917: openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
+# scp file into non-existing directory (#1142223)
+Patch918: openssh-6.4p1-scp-non-existing-directory.patch
+# Config parser shouldn't accept ip/port syntax (#1130733)
+Patch919: openssh-6.4p1-ip-port-config-parser.patch
# This is the patch that adds GSI support
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.4p1.patch
@@ -321,6 +332,11 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch913 -p1 -b .partial-success
%patch914 -p1 -b .servconf
%patch915 -p1 -b .SIGXFSZ
+%patch916 -p1 -b .cisco-dh
+%patch917 -p1 -b .sftp
+%patch918 -p1 -b .scp
+%patch919 -p1 -b .config
+%patch802 -p1 -b .GSSAPIEnablek5users
%patch98 -p1 -b .gsi
@@ -369,7 +385,7 @@ fi
--with-default-path=/usr/local/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/gsisshd \
- --enable-vendor-patchlevel="FC-%{version}-%{release}" \
+ --enable-vendor-patchlevel="FC-%{openssh_ver}-%{openssh_rel}" \
--disable-strip \
--without-zlib-version-check \
--with-ssl-engine \
@@ -478,7 +494,7 @@ getent passwd sshd >/dev/null || \
%systemd_preun gsisshd.service gsisshd.socket
%postun server
-%systemd_postun_with_restart gsisshd.service gsisshd.socket
+%systemd_postun_with_restart gsisshd.service
%triggerun server -- gsi-openssh-server < 5.8p2-1
/usr/bin/systemd-sysv-convert --save gsisshd >/dev/null 2>&1 || :
@@ -534,6 +550,9 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/gsisshd-keygen.service
%changelog
+* Thu Jan 15 2015 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.4p1-5
+- Based on openssh-6.4p1-8.fc20
+
* Mon Nov 24 2014 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.4p1-5
- Based on openssh-6.4p1-6.fc20
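Review bot: The new %changelog entry at the top of this hunk is tagged `6.4p1-5`, the same version-release as the existing entry below it dated Mon Nov 24 2014, so two consecutive entries now share one EVR. The Release tag is not part of this diff; if it was bumped for this rebuild the new entry should read `6.4p1-6`, and if it was not, the resulting package carries an EVR already used by the November build and will not be seen as an upgrade from it. One of the two needs to change so that the changelog and Release agree.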
diff --git a/gsisshd.service b/gsisshd.service
index 2d685f9..d381a8d 100644
--- a/gsisshd.service
+++ b/gsisshd.service
@@ -1,5 +1,6 @@
[Unit]
Description=gsissh server daemon
+Documentation=man:gsisshd(8) man:gsisshd_config(5)
After=syslog.target network.target auditd.service
[Service]
diff --git a/gsisshd.socket b/gsisshd.socket
index eb295f5..28e40d1 100644
--- a/gsisshd.socket
+++ b/gsisshd.socket
@@ -1,5 +1,6 @@
[Unit]
Description=gsissh Server Socket
+Documentation=man:gsisshd(8) man:gsisshd_config(5)
Conflicts=gsisshd.service
[Socket]
diff --git a/gsisshd at .service b/gsisshd at .service
index 2030d9f..c160bfd 100644
--- a/gsisshd at .service
+++ b/gsisshd at .service
@@ -1,5 +1,6 @@
[Unit]
Description=gsissh per-connection server daemon
+Documentation=man:gsisshd(8) man:gsisshd_config(5)
Wants=gsisshd-keygen.service
After=auditd.service gsisshd-keygen.service
diff --git a/openssh-6.3p1-ldap.patch b/openssh-6.3p1-ldap.patch
index 052973c..bc5331e 100644
--- a/openssh-6.3p1-ldap.patch
+++ b/openssh-6.3p1-ldap.patch
@@ -761,7 +761,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
+
--- openssh-6.4p1/ldapconf.c.ldap 2013-11-26 10:31:03.513794385 +0100
+++ openssh-6.4p1/ldapconf.c 2013-11-26 10:38:15.474635149 +0100
-@@ -0,0 +1,720 @@
+@@ -0,0 +1,722 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -1078,6 +1078,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
+ else
+ fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
+ if (*intptr == -1)
++ *intptr = value;
+ break;
+
+ case lSSLPath:
@@ -1142,6 +1143,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
+ else
+ fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
+ if (*intptr == -1)
++ *intptr = value;
+ break;
+
+ case lTLS_CaCertFile:
diff --git a/openssh-6.4p1-GSSAPIEnablek5users.patch b/openssh-6.4p1-GSSAPIEnablek5users.patch
new file mode 100644
index 0000000..d450f69
--- /dev/null
+++ b/openssh-6.4p1-GSSAPIEnablek5users.patch
@@ -0,0 +1,137 @@
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 0a4930e..a7c0c5f 100644
+--- a/gss-serv-krb5.c
++++ b/gss-serv-krb5.c
+@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ FILE *fp;
+ char file[MAXPATHLEN];
+ char line[BUFSIZ];
+- char kuser[65]; /* match krb5_kuserok() */
+ struct stat st;
+ struct passwd *pw = the_authctxt->pw;
+ int found_principal = 0;
+@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+
+ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
+ /* If both .k5login and .k5users DNE, self-login is ok. */
+- if (!k5login_exists && (access(file, F_OK) == -1)) {
++ if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
+ return ssh_krb5_kuserok(krb_context, principal, luser,
+ k5login_exists);
+ }
+diff --git a/servconf.c b/servconf.c
+index d482e79..ad5869b 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
+ options->ip_qos_bulk = -1;
+ options->version_addendum = NULL;
+ options->use_kuserok = -1;
++ options->enable_k5users = -1;
+ }
+
+ void
+@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
+ options->show_patchlevel = 0;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
++ if (options->enable_k5users == -1)
++ options->enable_k5users = 0;
+
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+@@ -356,7 +359,7 @@ typedef enum {
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
+ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ sClientAliveCountMax, sAuthorizedKeysFile,
+- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
++ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
+ sGssKeyEx, sGssStoreRekey,
+ sAcceptEnv, sPermitTunnel,
+ sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+@@ -430,6 +433,7 @@ static struct {
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
++ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
+ #else
+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+@@ -437,6 +441,7 @@ static struct {
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapienablek5users", sUnsupported, SSHCFG_ALL },
+ #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line,
+ intptr = &options->use_kuserok;
+ goto parse_flag;
+
++ case sGssEnablek5users:
++ intptr = &options->enable_k5users;
++ goto parse_flag;
++
+ case sPermitOpen:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ M_CP_INTOPT(ip_qos_interactive);
+ M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok);
++ M_CP_INTOPT(enable_k5users);
+ M_CP_INTOPT(rekey_limit);
+ M_CP_INTOPT(rekey_interval);
+
+@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o)
+ dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
++ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+
+ /* string arguments */
+ dump_cfg_string(sPidFile, o->pid_file);
+diff --git a/servconf.h b/servconf.h
+index 5117dfa..d63cb71 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -173,7 +173,8 @@ typedef struct {
+
+ int num_permitted_opens;
+
+- int use_kuserok;
++ int use_kuserok;
++ int enable_k5users;
+ char *chroot_directory;
+ char *revoked_keys_file;
+ char *trusted_user_ca_keys;
+diff --git a/sshd_config b/sshd_config
+index 43671f6..6ab00ed 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
+ GSSAPICleanupCredentials no
+ #GSSAPIStrictAcceptorCheck yes
+ #GSSAPIKeyExchange no
++#GSSAPIEnablek5users no
+
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+diff --git a/sshd_config.5 b/sshd_config.5
+index e0e5fff..aa9525d 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -505,6 +505,12 @@ on logout.
+ The default is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
++.It Cm GSSAPIEnablek5users
++Specifies whether to look at .k5users file for GSSAPI authentication
++access control. Further details are described in
++.Xr ksu 1 .
++The default is
++.Dq no .
+ .It Cm GSSAPIStrictAcceptorCheck
+ Determines whether to be strict about the identity of the GSSAPI acceptor
+ a client authenticates against. If
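Review bot: The sshd_config.5 entry for GSSAPIEnablek5users at the end of this new file says only that the option controls whether the `.k5users` file is consulted; it should name the file's location and state why the default is `no`, since the spec comment ties this option to CVE-2014-9278 and an administrator switching it on is re-enabling per-user access grants from `~/.k5users`. Suggested addition after the first sentence: `Enabling this allows entries in a user's ~/.k5users file to authorize other Kerberos principals to log in as that user; it is disabled by default (see CVE-2014-9278).` A style nit in the gss-serv-krb5.c hunk: `if ( !options.enable_k5users || (!k5login_exists && ...` has a stray space after the opening parenthesis. ssh_gssapi_krb5_cmdok starts before and continues after that hunk.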
diff --git a/openssh-6.4p1-audit.patch b/openssh-6.4p1-audit.patch
index c1e7dfd..4ea6ea5 100644
--- a/openssh-6.4p1-audit.patch
+++ b/openssh-6.4p1-audit.patch
@@ -110,7 +110,7 @@ index b3ee2f4..946f7fa 100644
+#include "packet.h"
+#include "cipher.h"
-+#define AUDIT_LOG_SIZE 128
++#define AUDIT_LOG_SIZE 256
+
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
diff --git a/openssh-6.4p1-cisco-dh-keys.patch b/openssh-6.4p1-cisco-dh-keys.patch
new file mode 100644
index 0000000..9da99a4
--- /dev/null
+++ b/openssh-6.4p1-cisco-dh-keys.patch
@@ -0,0 +1,67 @@
+diff -up openssh-6.4p1/compat.c.cisco-dh openssh-6.4p1/compat.c
+--- openssh-6.4p1/compat.c.cisco-dh 2013-06-01 23:31:18.000000000 +0200
++++ openssh-6.4p1/compat.c 2014-12-04 13:28:03.717787655 +0100
+@@ -164,6 +164,7 @@ compat_datafellows(const char *version)
+ SSH_BUG_SCANNER },
+ { "Probe-*",
+ SSH_BUG_PROBE },
++ { "Cisco-*", SSH_BUG_MAX4096DH },
+ { NULL, 0 }
+ };
+
+diff -up openssh-6.4p1/compat.h.cisco-dh openssh-6.4p1/compat.h
+--- openssh-6.4p1/compat.h.cisco-dh 2014-12-04 13:28:03.717787655 +0100
++++ openssh-6.4p1/compat.h 2014-12-04 13:28:36.579658095 +0100
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR 0x02000000
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_MAX4096DH 0x20000000
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+diff -up openssh-6.4p1/kexgexc.c.cisco-dh openssh-6.4p1/kexgexc.c
+--- openssh-6.4p1/kexgexc.c.cisco-dh 2014-12-04 13:28:03.717787655 +0100
++++ openssh-6.4p1/kexgexc.c 2014-12-04 13:31:03.270079756 +0100
+@@ -60,20 +60,36 @@ kexgex_client(Kex *kex)
+ int min, max, nbits;
+ DH *dh;
+
++ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
++ max = DH_GRP_MAX;
++
++ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
++ * We need to also ensure that min < nbits < max */
++
++ if (datafellows & SSH_BUG_MAX4096DH) {
++ /* The largest min for these servers is 4096 */
++ min = MIN(min, 4096);
++ }
++
+ nbits = dh_estimate(kex->we_need * 8);
++ nbits = MIN(nbits, max);
++ nbits = MAX(nbits, min);
++
++ if (datafellows & SSH_BUG_MAX4096DH) {
++ /* Cannot have a nbits > 4096 for these servers */
++ nbits = MIN(nbits, 4096);
++ /* nbits has to be powers of two */
++ if (nbits == 3072)
++ nbits = 4096;
++ }
+
+ if (datafellows & SSH_OLD_DHGEX) {
+ /* Old GEX request */
+ packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
+ packet_put_int(nbits);
+- min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+- max = DH_GRP_MAX;
+-
+ debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
+ } else {
+ /* New GEX request */
+- min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+- max = DH_GRP_MAX;
+ packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
+ packet_put_int(min);
+ packet_put_int(nbits);
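Review bot: The comment `We need to also ensure that min < nbits < max` in the kexgexc.c hunk does not match the code under it, which clamps inclusively with `nbits = MIN(nbits, max);` and `nbits = MAX(nbits, min);`, so it should read `min <= nbits <= max`. The second SSH_BUG_MAX4096DH block handles only the single case `if (nbits == 3072) nbits = 4096;` under the comment `nbits has to be powers of two`, so any other non-power-of-two value that dh_estimate or the min clamp might produce passes through unchanged; either round up to the next power of two (capped at 4096) if a general rule is intended, or reword the comment to say 3072 is the only value expected here. Since min and max are now computed before the bug check, the two `datafellows & SSH_BUG_MAX4096DH` blocks could also be merged into one. kexgex_client starts before and continues after the hunk.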
diff --git a/openssh-6.4p1-gsissh.patch b/openssh-6.4p1-gsissh.patch
index 0e23d7f..717b3a1 100644
--- a/openssh-6.4p1-gsissh.patch
+++ b/openssh-6.4p1-gsissh.patch
@@ -1,6 +1,6 @@
diff -Nur openssh-6.4p1.orig/auth2.c openssh-6.4p1/auth2.c
---- openssh-6.4p1.orig/auth2.c 2013-11-26 14:25:47.969371747 +0100
-+++ openssh-6.4p1/auth2.c 2013-11-26 14:26:35.169803216 +0100
+--- openssh-6.4p1.orig/auth2.c 2015-01-15 21:21:22.097268760 +0100
++++ openssh-6.4p1/auth2.c 2015-01-15 21:22:11.921733961 +0100
@@ -234,7 +234,27 @@
user = packet_get_cstring(NULL);
service = packet_get_cstring(NULL);
@@ -97,8 +97,8 @@ diff -Nur openssh-6.4p1.orig/auth2.c openssh-6.4p1/auth2.c
authctxt->user, authctxt->service, user, service);
}
diff -Nur openssh-6.4p1.orig/auth2-gss.c openssh-6.4p1/auth2-gss.c
---- openssh-6.4p1.orig/auth2-gss.c 2013-11-26 14:25:47.969371747 +0100
-+++ openssh-6.4p1/auth2-gss.c 2013-11-26 14:26:35.169803216 +0100
+--- openssh-6.4p1.orig/auth2-gss.c 2015-01-15 21:21:22.023268069 +0100
++++ openssh-6.4p1/auth2-gss.c 2015-01-15 21:22:11.922733970 +0100
@@ -47,6 +47,7 @@
extern ServerOptions options;
@@ -280,8 +280,8 @@ diff -Nur openssh-6.4p1.orig/auth2-gss.c openssh-6.4p1/auth2-gss.c
"gssapi-keyex",
userauth_gsskeyex,
diff -Nur openssh-6.4p1.orig/auth.c openssh-6.4p1/auth.c
---- openssh-6.4p1.orig/auth.c 2013-11-26 14:25:47.970371735 +0100
-+++ openssh-6.4p1/auth.c 2013-11-26 14:26:35.170803204 +0100
+--- openssh-6.4p1.orig/auth.c 2015-01-15 21:21:21.901266930 +0100
++++ openssh-6.4p1/auth.c 2015-01-15 21:22:11.922733970 +0100
@@ -74,6 +74,9 @@
#include "krl.h"
#include "compat.h"
@@ -346,8 +346,8 @@ diff -Nur openssh-6.4p1.orig/auth.c openssh-6.4p1/auth.c
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
diff -Nur openssh-6.4p1.orig/auth.h openssh-6.4p1/auth.h
---- openssh-6.4p1.orig/auth.h 2013-11-26 14:25:47.970371735 +0100
-+++ openssh-6.4p1/auth.h 2013-11-26 14:26:35.170803204 +0100
+--- openssh-6.4p1.orig/auth.h 2015-01-15 21:21:21.913267042 +0100
++++ openssh-6.4p1/auth.h 2015-01-15 21:22:11.923733979 +0100
@@ -160,6 +160,7 @@
void auth_log(Authctxt *, int, int, const char *, const char *);
void userauth_finish(Authctxt *, int, const char *, const char *);
@@ -357,8 +357,8 @@ diff -Nur openssh-6.4p1.orig/auth.h openssh-6.4p1/auth.h
void userauth_send_banner(const char *);
diff -Nur openssh-6.4p1.orig/auth-pam.c openssh-6.4p1/auth-pam.c
---- openssh-6.4p1.orig/auth-pam.c 2013-11-26 14:25:47.971371723 +0100
-+++ openssh-6.4p1/auth-pam.c 2013-11-26 14:26:35.171803192 +0100
+--- openssh-6.4p1.orig/auth-pam.c 2015-01-15 21:21:21.913267042 +0100
++++ openssh-6.4p1/auth-pam.c 2015-01-15 21:22:11.924733989 +0100
@@ -122,6 +122,10 @@
*/
typedef pthread_t sp_pthread_t;
@@ -509,8 +509,8 @@ diff -Nur openssh-6.4p1.orig/auth-pam.c openssh-6.4p1/auth-pam.c
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
diff -Nur openssh-6.4p1.orig/auth-pam.h openssh-6.4p1/auth-pam.h
---- openssh-6.4p1.orig/auth-pam.h 2013-11-26 14:25:47.971371723 +0100
-+++ openssh-6.4p1/auth-pam.h 2013-11-26 14:26:35.171803192 +0100
+--- openssh-6.4p1.orig/auth-pam.h 2015-01-15 21:21:21.913267042 +0100
++++ openssh-6.4p1/auth-pam.h 2015-01-15 21:22:11.924733989 +0100
@@ -46,5 +46,6 @@
void sshpam_cleanup(void);
int sshpam_auth_passwd(Authctxt *, const char *);
@@ -519,8 +519,8 @@ diff -Nur openssh-6.4p1.orig/auth-pam.h openssh-6.4p1/auth-pam.h
#endif /* USE_PAM */
diff -Nur openssh-6.4p1.orig/canohost.c openssh-6.4p1/canohost.c
---- openssh-6.4p1.orig/canohost.c 2013-11-26 14:25:47.972371711 +0100
-+++ openssh-6.4p1/canohost.c 2013-11-26 14:26:35.171803192 +0100
+--- openssh-6.4p1.orig/canohost.c 2015-01-15 21:21:22.088268676 +0100
++++ openssh-6.4p1/canohost.c 2015-01-15 21:22:11.924733989 +0100
@@ -16,6 +16,7 @@
#include <sys/types.h>
@@ -529,7 +529,7 @@ diff -Nur openssh-6.4p1.orig/canohost.c openssh-6.4p1/canohost.c
#include <netinet/in.h>
#include <arpa/inet.h>
-@@ -451,3 +452,33 @@
+@@ -458,3 +459,33 @@
{
return get_port(1);
}
@@ -564,9 +564,9 @@ diff -Nur openssh-6.4p1.orig/canohost.c openssh-6.4p1/canohost.c
+ }
+}
diff -Nur openssh-6.4p1.orig/canohost.h openssh-6.4p1/canohost.h
---- openssh-6.4p1.orig/canohost.h 2013-11-26 14:25:47.972371711 +0100
-+++ openssh-6.4p1/canohost.h 2013-11-26 14:26:35.172803180 +0100
-@@ -26,4 +26,6 @@
+--- openssh-6.4p1.orig/canohost.h 2015-01-15 21:21:22.088268676 +0100
++++ openssh-6.4p1/canohost.h 2015-01-15 21:22:11.925733998 +0100
+@@ -27,4 +27,6 @@
int get_sock_port(int, int);
void clear_cached_addr(void);
@@ -574,8 +574,8 @@ diff -Nur openssh-6.4p1.orig/canohost.h openssh-6.4p1/canohost.h
+
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
diff -Nur openssh-6.4p1.orig/configure.ac openssh-6.4p1/configure.ac
---- openssh-6.4p1.orig/configure.ac 2013-11-26 14:25:47.973371699 +0100
-+++ openssh-6.4p1/configure.ac 2013-11-26 14:26:35.173803168 +0100
+--- openssh-6.4p1.orig/configure.ac 2015-01-15 21:21:22.026268097 +0100
++++ openssh-6.4p1/configure.ac 2015-01-15 21:22:11.927734017 +0100
@@ -3902,6 +3902,14 @@
AC_CHECK_HEADER([gssapi_krb5.h], ,
[ CPPFLAGS="$oldCPP" ])
@@ -643,8 +643,8 @@ diff -Nur openssh-6.4p1.orig/configure.ac openssh-6.4p1/configure.ac
PRIVSEP_PATH=/var/empty
diff -Nur openssh-6.4p1.orig/gss-genr.c openssh-6.4p1/gss-genr.c
---- openssh-6.4p1.orig/gss-genr.c 2013-11-26 14:25:47.974371687 +0100
-+++ openssh-6.4p1/gss-genr.c 2013-11-26 14:26:35.173803168 +0100
+--- openssh-6.4p1.orig/gss-genr.c 2015-01-15 21:21:22.027268106 +0100
++++ openssh-6.4p1/gss-genr.c 2015-01-15 21:22:11.928734026 +0100
@@ -38,6 +38,7 @@
#include "xmalloc.h"
#include "buffer.h"
@@ -682,8 +682,8 @@ diff -Nur openssh-6.4p1.orig/gss-genr.c openssh-6.4p1/gss-genr.c
return (ctx->major);
}
diff -Nur openssh-6.4p1.orig/gss-serv.c openssh-6.4p1/gss-serv.c
---- openssh-6.4p1.orig/gss-serv.c 2013-11-26 14:25:47.974371687 +0100
-+++ openssh-6.4p1/gss-serv.c 2013-11-26 14:47:37.394667653 +0100
+--- openssh-6.4p1.orig/gss-serv.c 2015-01-15 21:21:22.083268629 +0100
++++ openssh-6.4p1/gss-serv.c 2015-01-15 21:22:11.928734026 +0100
@@ -52,10 +52,12 @@
#include "monitor_wrap.h"
@@ -928,7 +928,7 @@ diff -Nur openssh-6.4p1.orig/gss-serv.c openssh-6.4p1/gss-serv.c
#endif
diff -Nur openssh-6.4p1.orig/gss-serv-gsi.c openssh-6.4p1/gss-serv-gsi.c
--- openssh-6.4p1.orig/gss-serv-gsi.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.4p1/gss-serv-gsi.c 2013-11-26 14:26:35.175803144 +0100
++++ openssh-6.4p1/gss-serv-gsi.c 2015-01-15 21:22:11.929734035 +0100
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1169,9 +1169,9 @@ diff -Nur openssh-6.4p1.orig/gss-serv-gsi.c openssh-6.4p1/gss-serv-gsi.c
+#endif /* GSI */
+#endif /* GSSAPI */
diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
---- openssh-6.4p1.orig/gss-serv-krb5.c 2013-11-26 14:25:47.976371663 +0100
-+++ openssh-6.4p1/gss-serv-krb5.c 2013-11-26 14:26:35.175803144 +0100
-@@ -263,6 +263,34 @@
+--- openssh-6.4p1.orig/gss-serv-krb5.c 2015-01-15 21:21:22.117268947 +0100
++++ openssh-6.4p1/gss-serv-krb5.c 2015-01-15 21:22:11.929734035 +0100
+@@ -359,6 +359,34 @@
return found_principal;
}
@@ -1206,7 +1206,7 @@ diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
-@@ -361,7 +389,7 @@
+@@ -457,7 +485,7 @@
return;
}
@@ -1215,7 +1215,7 @@ diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
ssh_gssapi_client *client)
{
-@@ -432,7 +460,7 @@
+@@ -528,7 +556,7 @@
{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
NULL,
&ssh_gssapi_krb5_userok,
@@ -1225,8 +1225,8 @@ diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
&ssh_gssapi_krb5_updatecreds
};
diff -Nur openssh-6.4p1.orig/kexgsss.c openssh-6.4p1/kexgsss.c
---- openssh-6.4p1.orig/kexgsss.c 2013-11-26 14:25:47.976371663 +0100
-+++ openssh-6.4p1/kexgsss.c 2013-11-26 14:26:35.176803132 +0100
+--- openssh-6.4p1.orig/kexgsss.c 2015-01-15 21:21:22.030268134 +0100
++++ openssh-6.4p1/kexgsss.c 2015-01-15 21:22:11.931734054 +0100
@@ -44,6 +44,7 @@
#include "monitor_wrap.h"
#include "servconf.h"
@@ -1288,7 +1288,7 @@ diff -Nur openssh-6.4p1.orig/kexgsss.c openssh-6.4p1/kexgsss.c
#endif /* GSSAPI */
diff -Nur openssh-6.4p1.orig/LICENSE.globus_usage openssh-6.4p1/LICENSE.globus_usage
--- openssh-6.4p1.orig/LICENSE.globus_usage 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.4p1/LICENSE.globus_usage 2013-11-26 14:26:35.176803132 +0100
++++ openssh-6.4p1/LICENSE.globus_usage 2015-01-15 21:22:11.931734054 +0100
@@ -0,0 +1,18 @@
+/*
+ * Portions of the Usage Metrics suport code are derived from the
@@ -1309,8 +1309,8 @@ diff -Nur openssh-6.4p1.orig/LICENSE.globus_usage openssh-6.4p1/LICENSE.globus_u
+ * limitations under the License.
+ */
diff -Nur openssh-6.4p1.orig/Makefile.in openssh-6.4p1/Makefile.in
---- openssh-6.4p1.orig/Makefile.in 2013-11-26 14:25:47.977371651 +0100
-+++ openssh-6.4p1/Makefile.in 2013-11-26 14:26:35.177803120 +0100
+--- openssh-6.4p1.orig/Makefile.in 2015-01-15 21:21:22.092268713 +0100
++++ openssh-6.4p1/Makefile.in 2015-01-15 21:22:11.931734054 +0100
@@ -95,8 +95,10 @@
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \
@@ -1323,8 +1323,8 @@ diff -Nur openssh-6.4p1.orig/Makefile.in openssh-6.4p1/Makefile.in
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o
diff -Nur openssh-6.4p1.orig/misc.c openssh-6.4p1/misc.c
---- openssh-6.4p1.orig/misc.c 2013-11-26 14:25:47.977371651 +0100
-+++ openssh-6.4p1/misc.c 2013-11-26 14:26:35.177803120 +0100
+--- openssh-6.4p1.orig/misc.c 2015-01-15 21:21:22.115268928 +0100
++++ openssh-6.4p1/misc.c 2015-01-15 21:22:11.932734063 +0100
@@ -158,11 +158,14 @@
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
@@ -1385,8 +1385,8 @@ diff -Nur openssh-6.4p1.orig/misc.c openssh-6.4p1/misc.c
* Convert ASCII string to TCP/IP port number.
* Port must be >=0 and <=65535.
diff -Nur openssh-6.4p1.orig/misc.h openssh-6.4p1/misc.h
---- openssh-6.4p1.orig/misc.h 2013-11-26 14:25:47.977371651 +0100
-+++ openssh-6.4p1/misc.h 2013-11-26 14:26:35.177803120 +0100
+--- openssh-6.4p1.orig/misc.h 2015-01-15 21:21:22.092268713 +0100
++++ openssh-6.4p1/misc.h 2015-01-15 21:22:11.932734063 +0100
@@ -39,6 +39,7 @@
void sock_set_v6only(int);
@@ -1396,8 +1396,8 @@ diff -Nur openssh-6.4p1.orig/misc.h openssh-6.4p1/misc.h
typedef struct arglist arglist;
diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
---- openssh-6.4p1.orig/monitor.c 2013-11-26 14:25:47.978371639 +0100
-+++ openssh-6.4p1/monitor.c 2013-11-26 14:26:35.178803108 +0100
+--- openssh-6.4p1.orig/monitor.c 2015-01-15 21:21:22.103268816 +0100
++++ openssh-6.4p1/monitor.c 2015-01-15 21:22:11.933734073 +0100
@@ -188,6 +188,9 @@
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -1463,7 +1463,7 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
#endif
} else {
mon_dispatch = mon_dispatch_proto15;
-@@ -535,6 +545,8 @@
+@@ -538,6 +548,8 @@
#ifdef GSSAPI
/* and for the GSSAPI key exchange */
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
@@ -1472,7 +1472,7 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
#endif
} else {
mon_dispatch = mon_dispatch_postauth15;
-@@ -805,14 +817,17 @@
+@@ -808,14 +820,17 @@
debug3("%s", __func__);
@@ -1493,7 +1493,7 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
setproctitle("%s [priv]", pwent ? username : "unknown");
free(username);
-@@ -2306,12 +2321,15 @@
+@@ -2309,12 +2324,15 @@
mm_answer_gss_userok(int sock, Buffer *m)
{
int authenticated;
@@ -1510,7 +1510,7 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
-@@ -2319,12 +2337,77 @@
+@@ -2322,12 +2340,77 @@
debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
@@ -1590,8 +1590,8 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
mm_answer_gss_sign(int socket, Buffer *m)
{
diff -Nur openssh-6.4p1.orig/monitor.h openssh-6.4p1/monitor.h
---- openssh-6.4p1.orig/monitor.h 2013-11-26 14:25:47.978371639 +0100
-+++ openssh-6.4p1/monitor.h 2013-11-26 14:26:35.178803108 +0100
+--- openssh-6.4p1.orig/monitor.h 2015-01-15 21:21:22.032268153 +0100
++++ openssh-6.4p1/monitor.h 2015-01-15 21:22:11.933734073 +0100
@@ -79,8 +79,10 @@
MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119,
MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121,
@@ -1606,8 +1606,8 @@ diff -Nur openssh-6.4p1.orig/monitor.h openssh-6.4p1/monitor.h
struct mm_master;
diff -Nur openssh-6.4p1.orig/monitor_wrap.c openssh-6.4p1/monitor_wrap.c
---- openssh-6.4p1.orig/monitor_wrap.c 2013-11-26 14:25:47.979371627 +0100
-+++ openssh-6.4p1/monitor_wrap.c 2013-11-26 14:26:35.179803095 +0100
+--- openssh-6.4p1.orig/monitor_wrap.c 2015-01-15 21:21:22.032268153 +0100
++++ openssh-6.4p1/monitor_wrap.c 2015-01-15 21:22:11.934734082 +0100
@@ -1329,12 +1329,13 @@
}
@@ -1708,8 +1708,8 @@ diff -Nur openssh-6.4p1.orig/monitor_wrap.c openssh-6.4p1/monitor_wrap.c
mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
{
diff -Nur openssh-6.4p1.orig/monitor_wrap.h openssh-6.4p1/monitor_wrap.h
---- openssh-6.4p1.orig/monitor_wrap.h 2013-11-26 14:25:47.979371627 +0100
-+++ openssh-6.4p1/monitor_wrap.h 2013-11-26 14:26:35.179803095 +0100
+--- openssh-6.4p1.orig/monitor_wrap.h 2015-01-15 21:21:22.033268162 +0100
++++ openssh-6.4p1/monitor_wrap.h 2015-01-15 21:22:11.934734082 +0100
@@ -62,9 +62,13 @@
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -1726,8 +1726,8 @@ diff -Nur openssh-6.4p1.orig/monitor_wrap.h openssh-6.4p1/monitor_wrap.h
#endif
diff -Nur openssh-6.4p1.orig/readconf.c openssh-6.4p1/readconf.c
---- openssh-6.4p1.orig/readconf.c 2013-11-26 14:25:47.979371627 +0100
-+++ openssh-6.4p1/readconf.c 2013-11-26 14:26:35.179803095 +0100
+--- openssh-6.4p1.orig/readconf.c 2015-01-15 21:21:22.033268162 +0100
++++ openssh-6.4p1/readconf.c 2015-01-15 21:22:11.935734091 +0100
@@ -1303,13 +1303,13 @@
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
@@ -1747,8 +1747,8 @@ diff -Nur openssh-6.4p1.orig/readconf.c openssh-6.4p1/readconf.c
options->gss_renewal_rekey = 0;
if (options->password_authentication == -1)
diff -Nur openssh-6.4p1.orig/readconf.h openssh-6.4p1/readconf.h
---- openssh-6.4p1.orig/readconf.h 2013-11-26 14:25:47.980371615 +0100
-+++ openssh-6.4p1/readconf.h 2013-11-26 14:26:35.179803095 +0100
+--- openssh-6.4p1.orig/readconf.h 2015-01-15 21:21:22.033268162 +0100
++++ openssh-6.4p1/readconf.h 2015-01-15 21:22:11.935734091 +0100
@@ -88,6 +88,8 @@
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */
@@ -1759,8 +1759,8 @@ diff -Nur openssh-6.4p1.orig/readconf.h openssh-6.4p1/readconf.h
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
---- openssh-6.4p1.orig/servconf.c 2013-11-26 14:25:47.980371615 +0100
-+++ openssh-6.4p1/servconf.c 2013-11-26 14:26:35.180803083 +0100
+--- openssh-6.4p1.orig/servconf.c 2015-01-15 21:21:22.118268956 +0100
++++ openssh-6.4p1/servconf.c 2015-01-15 21:28:16.004109681 +0100
@@ -71,6 +71,7 @@
/* Portable-specific options */
@@ -1790,7 +1790,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
options->authorized_principals_file = NULL;
-@@ -166,6 +171,8 @@
+@@ -167,6 +172,8 @@
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
@@ -1799,7 +1799,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -244,13 +251,17 @@
+@@ -245,13 +252,17 @@
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
@@ -1819,7 +1819,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
if (options->gss_store_rekey == -1)
options->gss_store_rekey = 0;
if (options->password_authentication == -1)
-@@ -333,7 +344,7 @@
+@@ -336,7 +347,7 @@
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
@@ -1828,14 +1828,14 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
/* Standard Options */
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -354,11 +365,15 @@
+@@ -357,11 +368,15 @@
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
+ sGssDelegateCreds,
+ sGssCredsPath,
+ sGsiAllowLimitedProxy,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
sGssKeyEx, sGssStoreRekey,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
@@ -1844,7 +1844,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
-@@ -380,8 +395,10 @@
+@@ -383,8 +398,10 @@
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
@@ -1855,7 +1855,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
-@@ -424,15 +441,25 @@
+@@ -427,16 +444,26 @@
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
@@ -1871,6 +1871,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapidelegatecredentials", sUnsupported, SSHCFG_ALL },
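Review bot: The new `{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },` entry is added only to the `#ifdef GSSAPI` table; the `#else` table that follows registers the other GSSAPI keywords as `sUnsupported`, but no matching line for the new keyword is visible in this hunk. If it is missing there, an sshd_config carrying `GSSAPIEnablek5users no` is rejected as a bad option on a non-GSSAPI build instead of being ignored like its siblings, so add `{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },` next to the other `sUnsupported` entries unless it is already present further down. Because the keyword is SSHCFG_ALL it is accepted inside Match blocks, which only takes effect if copy_set_server_options also has an `M_CP_INTOPT(enable_k5users);` line; that list is outside this hunk, so please confirm. The keyword table itself continues outside the hunk.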
@@ -1881,7 +1882,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
-@@ -497,6 +524,8 @@
+@@ -502,6 +529,8 @@
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
@@ -1890,7 +1891,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-@@ -889,6 +918,10 @@
+@@ -894,6 +923,10 @@
intptr = &options->use_pam;
goto parse_flag;
@@ -1901,7 +1902,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
/* Standard Options */
case sBadOption:
return -1;
-@@ -1104,6 +1137,10 @@
+@@ -1109,6 +1142,10 @@
intptr = &options->gss_authentication;
goto parse_flag;
@@ -1912,7 +1913,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
case sGssKeyEx:
intptr = &options->gss_keyex;
goto parse_flag;
-@@ -1112,6 +1149,10 @@
+@@ -1117,6 +1154,10 @@
intptr = &options->gss_cleanup_creds;
goto parse_flag;
@@ -1923,7 +1924,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
case sGssStrictAcceptor:
intptr = &options->gss_strict_acceptor;
goto parse_flag;
-@@ -1120,6 +1161,12 @@
+@@ -1125,6 +1166,12 @@
intptr = &options->gss_store_rekey;
goto parse_flag;
@@ -1936,7 +1937,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -1581,6 +1628,18 @@
+@@ -1590,6 +1637,18 @@
*charptr = xstrdup(arg);
break;
@@ -1955,7 +1956,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
case sTrustedUserCAKeys:
charptr = &options->trusted_user_ca_keys;
goto parse_filename;
-@@ -1801,6 +1860,7 @@
+@@ -1812,6 +1871,7 @@
{
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
@@ -1964,8 +1965,8 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);
diff -Nur openssh-6.4p1.orig/servconf.h openssh-6.4p1/servconf.h
---- openssh-6.4p1.orig/servconf.h 2013-11-26 14:25:47.980371615 +0100
-+++ openssh-6.4p1/servconf.h 2013-11-26 14:26:35.180803083 +0100
+--- openssh-6.4p1.orig/servconf.h 2015-01-15 21:21:22.119268965 +0100
++++ openssh-6.4p1/servconf.h 2015-01-15 21:22:11.937734110 +0100
@@ -110,9 +110,12 @@
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
@@ -1987,9 +1988,9 @@ diff -Nur openssh-6.4p1.orig/servconf.h openssh-6.4p1/servconf.h
int permit_tun;
-@@ -176,6 +180,10 @@
-
- int use_kuserok;
+@@ -177,6 +181,10 @@
+ int use_kuserok;
+ int enable_k5users;
char *chroot_directory;
+
+ int disable_usage_stats;
@@ -1999,8 +2000,8 @@ diff -Nur openssh-6.4p1.orig/servconf.h openssh-6.4p1/servconf.h
char *trusted_user_ca_keys;
char *authorized_principals_file;
diff -Nur openssh-6.4p1.orig/ssh.1 openssh-6.4p1/ssh.1
---- openssh-6.4p1.orig/ssh.1 2013-11-26 14:25:47.981371603 +0100
-+++ openssh-6.4p1/ssh.1 2013-11-26 14:26:35.181803071 +0100
+--- openssh-6.4p1.orig/ssh.1 2015-01-15 21:21:22.004267891 +0100
++++ openssh-6.4p1/ssh.1 2015-01-15 21:22:11.938734119 +0100
@@ -1281,6 +1281,18 @@
on to new connections).
.It Ev USER
@@ -2021,8 +2022,8 @@ diff -Nur openssh-6.4p1.orig/ssh.1 openssh-6.4p1/ssh.1
.Pp
Additionally,
diff -Nur openssh-6.4p1.orig/ssh.c openssh-6.4p1/ssh.c
---- openssh-6.4p1.orig/ssh.c 2013-11-26 14:25:47.981371603 +0100
-+++ openssh-6.4p1/ssh.c 2013-11-26 14:26:35.181803071 +0100
+--- openssh-6.4p1.orig/ssh.c 2015-01-15 21:21:21.974267611 +0100
++++ openssh-6.4p1/ssh.c 2015-01-15 21:22:11.938734119 +0100
@@ -718,6 +718,32 @@
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
@@ -2071,8 +2072,8 @@ diff -Nur openssh-6.4p1.orig/ssh.c openssh-6.4p1/ssh.c
/* Get default port if port has not been set. */
if (options.port == 0) {
diff -Nur openssh-6.4p1.orig/ssh_config openssh-6.4p1/ssh_config
---- openssh-6.4p1.orig/ssh_config 2013-11-26 14:25:47.981371603 +0100
-+++ openssh-6.4p1/ssh_config 2013-11-26 14:26:35.181803071 +0100
+--- openssh-6.4p1.orig/ssh_config 2015-01-15 21:21:22.035268181 +0100
++++ openssh-6.4p1/ssh_config 2015-01-15 21:22:11.938734119 +0100
@@ -24,10 +24,10 @@
# RSAAuthentication yes
# PasswordAuthentication yes
@@ -2089,8 +2090,8 @@ diff -Nur openssh-6.4p1.orig/ssh_config openssh-6.4p1/ssh_config
# CheckHostIP yes
# AddressFamily any
diff -Nur openssh-6.4p1.orig/ssh_config.5 openssh-6.4p1/ssh_config.5
---- openssh-6.4p1.orig/ssh_config.5 2013-11-26 14:25:47.982371591 +0100
-+++ openssh-6.4p1/ssh_config.5 2013-11-26 14:26:35.182803059 +0100
+--- openssh-6.4p1.orig/ssh_config.5 2015-01-15 21:21:22.035268181 +0100
++++ openssh-6.4p1/ssh_config.5 2015-01-15 21:22:11.939734129 +0100
@@ -55,6 +55,12 @@
user's configuration file
.Pq Pa ~/.ssh/config
@@ -2105,9 +2106,9 @@ diff -Nur openssh-6.4p1.orig/ssh_config.5 openssh-6.4p1/ssh_config.5
.Pq Pa /etc/ssh/ssh_config
.El
diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
---- openssh-6.4p1.orig/sshconnect2.c 2013-11-26 14:25:47.982371591 +0100
-+++ openssh-6.4p1/sshconnect2.c 2013-11-26 14:26:35.182803059 +0100
-@@ -700,6 +700,11 @@
+--- openssh-6.4p1.orig/sshconnect2.c 2015-01-15 21:21:22.093268722 +0100
++++ openssh-6.4p1/sshconnect2.c 2015-01-15 21:22:11.939734129 +0100
+@@ -734,6 +734,11 @@
int ok = 0;
const char *gss_host = NULL;
@@ -2119,7 +2120,7 @@ diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
if (options.gss_server_identity)
gss_host = options.gss_server_identity;
else if (options.gss_trust_dns) {
-@@ -933,6 +938,15 @@
+@@ -967,6 +972,15 @@
free(lang);
}
@@ -2135,7 +2136,7 @@ diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
int
userauth_gsskeyex(Authctxt *authctxt)
{
-@@ -950,8 +964,16 @@
+@@ -984,8 +998,16 @@
return (0);
}
@@ -2152,7 +2153,7 @@ diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
-@@ -962,7 +984,15 @@
+@@ -996,7 +1018,15 @@
}
packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -2169,8 +2170,8 @@ diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
packet_put_cstring(authctxt->method->name);
packet_put_string(mic.value, mic.length);
diff -Nur openssh-6.4p1.orig/sshd.8 openssh-6.4p1/sshd.8
---- openssh-6.4p1.orig/sshd.8 2013-11-26 14:25:47.983371579 +0100
-+++ openssh-6.4p1/sshd.8 2013-11-26 14:26:35.183803047 +0100
+--- openssh-6.4p1.orig/sshd.8 2015-01-15 21:21:22.041268237 +0100
++++ openssh-6.4p1/sshd.8 2015-01-15 21:22:11.940734138 +0100
@@ -763,6 +763,44 @@
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
@@ -2217,8 +2218,8 @@ diff -Nur openssh-6.4p1.orig/sshd.8 openssh-6.4p1/sshd.8
.Bl -tag -width Ds -compact
.It Pa ~/.hushlogin
diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
---- openssh-6.4p1.orig/sshd.c 2013-11-26 14:25:47.983371579 +0100
-+++ openssh-6.4p1/sshd.c 2013-11-26 14:26:35.183803047 +0100
+--- openssh-6.4p1.orig/sshd.c 2015-01-15 21:21:22.063268442 +0100
++++ openssh-6.4p1/sshd.c 2015-01-15 21:22:11.940734138 +0100
@@ -124,6 +124,7 @@
#include "audit.h"
#include "ssh-sandbox.h"
@@ -2227,7 +2228,7 @@ diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
#ifdef USE_SECURITY_SESSION_API
#include <Security/AuthSession.h>
-@@ -1681,6 +1682,13 @@
+@@ -1685,6 +1686,13 @@
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -2241,7 +2242,7 @@ diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-@@ -2266,7 +2274,7 @@
+@@ -2270,7 +2278,7 @@
#endif
#ifdef GSSAPI
@@ -2251,8 +2252,8 @@ diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
ssh_gssapi_storecreds();
restore_uid();
diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
---- openssh-6.4p1.orig/sshd_config 2013-11-26 14:25:47.983371579 +0100
-+++ openssh-6.4p1/sshd_config 2013-11-26 14:26:35.183803047 +0100
+--- openssh-6.4p1.orig/sshd_config 2015-01-15 21:21:22.119268965 +0100
++++ openssh-6.4p1/sshd_config 2015-01-15 21:24:59.805301455 +0100
@@ -89,12 +89,12 @@
#KerberosUseKuserok yes
@@ -2266,10 +2267,10 @@ diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
+#GSSAPIKeyExchange yes
+ #GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-@@ -110,6 +109,10 @@
+@@ -111,6 +111,10 @@
#UsePAM no
UsePAM yes
@@ -2280,7 +2281,7 @@ diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-@@ -155,3 +158,7 @@
+@@ -156,3 +160,7 @@
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
@@ -2289,8 +2290,8 @@ diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
+#UsageStatsTargets usage-stats.cilogon.org:4810
+#DisableUsageStats no
diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
---- openssh-6.4p1.orig/sshd_config.5 2013-11-26 14:25:47.984371567 +0100
-+++ openssh-6.4p1/sshd_config.5 2013-11-26 14:26:35.184803035 +0100
+--- openssh-6.4p1.orig/sshd_config.5 2015-01-15 21:21:22.119268965 +0100
++++ openssh-6.4p1/sshd_config.5 2015-01-15 21:23:37.940537101 +0100
@@ -440,6 +440,15 @@
See PATTERNS in
.Xr ssh_config 5
@@ -2318,10 +2319,10 @@ diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
.It Cm GSSAPIKeyExchange
Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
doesn't rely on ssh keys to verify host identity.
-@@ -496,6 +509,22 @@
+@@ -502,6 +515,22 @@
+ .Xr ksu 1 .
The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
+ .Dq no .
+.It Cm GSSAPICredentialsPath
+If specified, the delegated GSSAPI credential is stored in the
+given path, overwriting any existing credentials.
@@ -2341,7 +2342,7 @@ diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against. If
-@@ -1160,6 +1189,121 @@
+@@ -1166,6 +1195,121 @@
.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
@@ -2463,7 +2464,7 @@ diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication.
-@@ -1225,6 +1369,12 @@
+@@ -1231,6 +1375,12 @@
as a non-root user.
The default is
.Dq no .
@@ -2478,7 +2479,7 @@ diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
.Xr sshd 8
diff -Nur openssh-6.4p1.orig/ssh-globus-usage.c openssh-6.4p1/ssh-globus-usage.c
--- openssh-6.4p1.orig/ssh-globus-usage.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.4p1/ssh-globus-usage.c 2013-11-26 14:26:35.184803035 +0100
++++ openssh-6.4p1/ssh-globus-usage.c 2015-01-15 21:22:11.942734157 +0100
@@ -0,0 +1,396 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2878,7 +2879,7 @@ diff -Nur openssh-6.4p1.orig/ssh-globus-usage.c openssh-6.4p1/ssh-globus-usage.c
+}
diff -Nur openssh-6.4p1.orig/ssh-globus-usage.h openssh-6.4p1/ssh-globus-usage.h
--- openssh-6.4p1.orig/ssh-globus-usage.h 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.4p1/ssh-globus-usage.h 2013-11-26 14:26:35.184803035 +0100
++++ openssh-6.4p1/ssh-globus-usage.h 2015-01-15 21:22:11.943734166 +0100
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2927,8 +2928,8 @@ diff -Nur openssh-6.4p1.orig/ssh-globus-usage.h openssh-6.4p1/ssh-globus-usage.h
+
+#endif /* __SSH_GLOBUS_USAGE_H */
diff -Nur openssh-6.4p1.orig/ssh-gss.h openssh-6.4p1/ssh-gss.h
---- openssh-6.4p1.orig/ssh-gss.h 2013-11-26 14:25:47.985371555 +0100
-+++ openssh-6.4p1/ssh-gss.h 2013-11-26 14:26:35.185803023 +0100
+--- openssh-6.4p1.orig/ssh-gss.h 2015-01-15 21:21:22.041268237 +0100
++++ openssh-6.4p1/ssh-gss.h 2015-01-15 21:22:11.943734166 +0100
@@ -91,6 +91,7 @@
gss_name_t name;
struct ssh_gssapi_mech_struct *mech;
@@ -2974,8 +2975,8 @@ diff -Nur openssh-6.4p1.orig/ssh-gss.h openssh-6.4p1/ssh-gss.h
#endif /* _SSH_GSS_H */
diff -Nur openssh-6.4p1.orig/version.h openssh-6.4p1/version.h
---- openssh-6.4p1.orig/version.h 2013-11-26 14:25:47.985371555 +0100
-+++ openssh-6.4p1/version.h 2013-11-26 14:26:35.185803023 +0100
+--- openssh-6.4p1.orig/version.h 2013-11-08 02:40:07.000000000 +0100
++++ openssh-6.4p1/version.h 2015-01-15 21:22:11.943734166 +0100
@@ -1,6 +1,21 @@
/* $OpenBSD: version.h,v 1.68 2013/11/08 01:38:11 djm Exp $ */
diff --git a/openssh-6.4p1-ip-port-config-parser.patch b/openssh-6.4p1-ip-port-config-parser.patch
new file mode 100644
index 0000000..d2746bf
--- /dev/null
+++ b/openssh-6.4p1-ip-port-config-parser.patch
@@ -0,0 +1,24 @@
+diff --git a/misc.c b/misc.c
+index 2f11de4..36402d1 100644
+--- a/misc.c
++++ b/misc.c
+@@ -396,7 +396,7 @@ hpdelim(char **cp)
+ return NULL;
+ else
+ s++;
+- } else if ((s = strpbrk(s, ":/")) == NULL)
++ } else if ((s = strpbrk(s, ":")) == NULL)
+ s = *cp + strlen(*cp); /* skip to end (see first case below) */
+
+ switch (*s) {
+@@ -405,7 +405,6 @@ hpdelim(char **cp)
+ break;
+
+ case ':':
+- case '/':
+ *s = '\0'; /* terminate */
+ *cp = s + 1;
+ break;
+--
+2.1.0
+
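Review bot: Removing `/` from the `strpbrk()` set and from the `switch` in `hpdelim()` changes the contract for every caller of this helper, not only the config-parser case the file name suggests: a spec such as `host/port` now reaches the `'\0'` case and is returned whole as the host, with the `/` and the port silently absorbed into the hostname rather than rejected. If the `/`-separated form is still documented anywhere in the man pages (I recall ssh_config(5) describing it as an alternative forward syntax for IPv6 addresses; verify before relying on this), those pages need the same change, and any caller that expected an error for a stray `/` no longer gets one. The patch file carries no description of the problem it fixes, only the `2.1.0` trailer; a one-line header such as `hpdelim(): treat only ':' as the host/port delimiter so values containing '/' parse as a hostname (rhbz#NNNNNN)` with the real bug number would let the next maintainer judge whether it is still needed. hpdelim() starts and ends outside the hunk.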
diff --git a/openssh-6.4p1-scp-non-existing-directory.patch b/openssh-6.4p1-scp-non-existing-directory.patch
new file mode 100644
index 0000000..5412bc5
--- /dev/null
+++ b/openssh-6.4p1-scp-non-existing-directory.patch
@@ -0,0 +1,14 @@
+--- a/scp.c
++++ a/scp.c
+@@ -1084,6 +1084,10 @@ sink(int argc, char **argv)
+ free(vect[0]);
+ continue;
+ }
++ if (buf[0] == 'C' && ! exists && np[strlen(np)-1] == '/') {
++ errno = ENOTDIR;
++ goto bad;
++ }
+ omode = mode;
+ mode |= S_IWUSR;
+ if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
+--
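Review bot: The added `np[strlen(np)-1]` indexes before the buffer when `np` is the empty string: `strlen()` returns `size_t`, so `0 - 1` wraps to `SIZE_MAX` and the read is out of bounds. `np` appears to be the destination path (the command-line target, or a name built from it, inside `sink()`, which starts outside the hunk), so an empty argument can reach this line; test for a non-empty string first, e.g. `if (buf[0] == 'C' && !exists && *np != '\0' && np[strlen(np) - 1] == '/') {`. The `+++ a/scp.c` header should read `+++ b/scp.c` so the patch is recognisably a unified diff between old and new trees.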
diff --git a/openssh-6.4p1-sftp-symlink-prepend-relative-links.patch b/openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
new file mode 100644
index 0000000..ba40655
--- /dev/null
+++ b/openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
@@ -0,0 +1,15 @@
+diff --git a/sftp.c b/sftp.c
+index 4e1a026..6f16f7c 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -1356,7 +1356,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
+ case I_SYMLINK:
+ sflag = 1;
+ case I_LINK:
+- path1 = make_absolute(path1, *pwd);
++ if (!sflag)
++ path1 = make_absolute(path1, *pwd);
+ path2 = make_absolute(path2, *pwd);
+ err = (sflag ? do_symlink : do_hardlink)(conn, path1, path2);
+ break;
+--
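Review bot: The new `if (!sflag)` guard leaves a symlink target exactly as the user typed it while the link name is still made absolute, and nothing in the hunk records why, so a later reader is likely to "fix" the asymmetry. Add a comment above the guard such as `/* A symlink's target (path1) is sent verbatim: a relative target is interpreted by the server against the link's own directory, not against our pwd, so only the link name is made absolute. */` — the server-side resolution is the rationale as I understand it; confirm against the sftp server before relying on the wording. The `sflag = 1;` falling into `case I_LINK:` is pre-existing but still unmarked; a `/* FALLTHROUGH */` line there would keep implicit-fallthrough warnings quiet. parse_dispatch_command() starts and ends outside the hunk.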