b58e57
diff -up openssh-7.4p1/gss-genr.c.gsskexalg openssh-7.4p1/gss-genr.c
b58e57
--- openssh-7.4p1/gss-genr.c.gsskexalg	2017-02-09 10:46:50.417893132 +0100
b58e57
+++ openssh-7.4p1/gss-genr.c	2017-02-09 10:46:50.448893107 +0100
b58e57
@@ -77,7 +77,8 @@ ssh_gssapi_oid_table_ok() {
b58e57
  */
b58e57
 
b58e57
 char *
b58e57
-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
b58e57
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
b58e57
+    const char *kex) {
b58e57
 	gss_OID_set gss_supported;
b58e57
 	OM_uint32 min_status;
b58e57
 
b58e57
@@ -85,12 +86,12 @@ ssh_gssapi_client_mechanisms(const char
b58e57
 		return NULL;
b58e57
 
b58e57
 	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
b58e57
-	    host, client));
b58e57
+	    host, client, kex));
b58e57
 }
b58e57
 
b58e57
 char *
b58e57
 ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
b58e57
-    const char *host, const char *client) {
b58e57
+    const char *host, const char *client, const char *kex) {
b58e57
 	Buffer buf;
b58e57
 	size_t i;
b58e57
 	int oidpos, enclen;
b58e57
@@ -99,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
b58e57
 	char deroid[2];
b58e57
 	const EVP_MD *evp_md = EVP_md5();
b58e57
 	EVP_MD_CTX md;
b58e57
+	char *s, *cp, *p;
b58e57
 
b58e57
 	if (gss_enc2oid != NULL) {
b58e57
 		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
b58e57
@@ -112,6 +114,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
b58e57
 	buffer_init(&buf;;
b58e57
 
b58e57
 	oidpos = 0;
b58e57
+	s = cp = strdup(kex);
b58e57
 	for (i = 0; i < gss_supported->count; i++) {
b58e57
 		if (gss_supported->elements[i].length < 128 &&
b58e57
 		    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
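Review bot: `s = cp = strdup(kex);` is never checked for NULL, and `kex` itself is not checked either, so an allocation failure or a NULL list from the caller (gss-serv.c passes `options.gss_kex_algorithms`, which only receives a default under `#ifdef GSSAPI`) ends in a NULL dereference in the copy and tokenising loop that follows. OpenSSH's own `xstrdup()` wrapper aborts with a clear message on allocation failure; `s = cp = xstrdup(kex);` keeps that convention, and a `kex == NULL` guard returning NULL like the `gss_supported == NULL` path would cover the other case. The same bare `strdup()` where `xstrdup()` is the project idiom recurs in this patch in kex.c (`gss_kex_names_valid`), in the two option-parser cases and the two fill_default functions in readconf.c and servconf.c. ssh_gssapi_kex_mechs starts and ends outside this hunk.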
b58e57
@@ -130,26 +133,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
b58e57
 			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
b58e57
 			    encoded, EVP_MD_size(evp_md) * 2);
b58e57
 
b58e57
-			if (oidpos != 0)
b58e57
-				buffer_put_char(&buf, ',');
b58e57
-
b58e57
-			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
b58e57
-			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
b58e57
-			buffer_append(&buf, encoded, enclen);
b58e57
-			buffer_put_char(&buf, ',');
b58e57
-			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
b58e57
-			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
b58e57
-			buffer_append(&buf, encoded, enclen);
b58e57
-			buffer_put_char(&buf, ',');
b58e57
-			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
b58e57
-			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
b58e57
-			buffer_append(&buf, encoded, enclen);
b58e57
+			cp = strncpy(s, kex, strlen(kex));
b58e57
+			for ((p = strsep(&cp, ",")); p && *p != '\0';
b58e57
+				(p = strsep(&cp, ","))) {
b58e57
+				if (buffer_len(&buf) != 0)
b58e57
+					buffer_put_char(&buf, ',');
b58e57
+				buffer_append(&buf, p,
b58e57
+				    strlen(p));
b58e57
+				buffer_append(&buf, encoded, enclen);
b58e57
+			}
b58e57
 
b58e57
 			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
b58e57
 			gss_enc2oid[oidpos].encoded = encoded;
b58e57
 			oidpos++;
b58e57
 		}
b58e57
 	}
b58e57
+	free(s);
b58e57
 	gss_enc2oid[oidpos].oid = NULL;
b58e57
 	gss_enc2oid[oidpos].encoded = NULL;
b58e57
 
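Review bot: `cp = strncpy(s, kex, strlen(kex));` only works because the NUL that `strdup()` left at `s[strlen(kex)]` is never touched by `strsep()`, which overwrites commas inside the string and nothing else; strncpy with a count of `strlen(kex)` writes no terminator itself, so the re-copy relies on an invariant that is not visible at the call site and would break silently if the buffer were ever sized or reused differently. `memcpy(s, kex, strlen(kex) + 1);` (or `strcpy(s, kex);`, since `s` was allocated from `kex`) re-terminates unconditionally and says what is meant; the `strlen(kex)` is also recomputed for every supported mechanism and could be hoisted above the outer loop. Worth a comment on the re-copy too, e.g. `/* strsep() consumed the previous copy; restore the configured list */`, and note that an empty element (doubled or trailing comma) ends the inner loop for that OID, so names after it are never offered. ssh_gssapi_kex_mechs starts and ends outside this hunk.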
b58e57
diff -up openssh-7.4p1/gss-serv.c.gsskexalg openssh-7.4p1/gss-serv.c
b58e57
--- openssh-7.4p1/gss-serv.c.gsskexalg	2017-02-09 10:46:50.449893106 +0100
b58e57
+++ openssh-7.4p1/gss-serv.c	2017-02-09 10:55:12.189422901 +0100
b58e57
@@ -149,7 +149,7 @@ ssh_gssapi_server_mechanisms() {
b58e57
 	if (supported_oids == NULL)
b58e57
 		ssh_gssapi_prepare_supported_oids();
b58e57
 	return (ssh_gssapi_kex_mechs(supported_oids,
b58e57
-	    &ssh_gssapi_server_check_mech, NULL, NULL));
b58e57
+	    &ssh_gssapi_server_check_mech, NULL, NULL, options.gss_kex_algorithms));
b58e57
 }
b58e57
 
b58e57
 /* Unprivileged */
b58e57
diff -up openssh-7.4p1/kex.c.gsskexalg openssh-7.4p1/kex.c
b58e57
--- openssh-7.4p1/kex.c.gsskexalg	2017-02-09 10:46:50.449893106 +0100
b58e57
+++ openssh-7.4p1/kex.c	2017-02-09 10:55:44.008393539 +0100
b58e57
@@ -248,6 +248,29 @@ kex_assemble_names(const char *def, char
b58e57
 	return 0;
b58e57
 }
b58e57
 
b58e57
+/* Validate GSS KEX method name list */
b58e57
+int
b58e57
+gss_kex_names_valid(const char *names)
b58e57
+{
b58e57
+	char *s, *cp, *p;
b58e57
+
b58e57
+	if (names == NULL || *names == '\0')
b58e57
+		return 0;
b58e57
+	s = cp = strdup(names);
b58e57
+	for ((p = strsep(&cp, ",")); p && *p != '\0';
b58e57
+	    (p = strsep(&cp, ","))) {
b58e57
+		if (strncmp(p, "gss-", 4) != 0
b58e57
+		  || kex_alg_by_name(p) == NULL) {
b58e57
+			error("Unsupported KEX algorithm \"%.100s\"", p);
b58e57
+			free(s);
b58e57
+			return 0;
b58e57
+		}
b58e57
+	}
b58e57
+	debug3("gss kex names ok: [%s]", names);
b58e57
+	free(s);
b58e57
+	return 1;
b58e57
+}
b58e57
+
b58e57
 /* put algorithm proposal into buffer */
b58e57
 int
b58e57
 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
b58e57
diff -up openssh-7.4p1/kex.h.gsskexalg openssh-7.4p1/kex.h
b58e57
--- openssh-7.4p1/kex.h.gsskexalg	2017-02-09 10:46:50.452893104 +0100
b58e57
+++ openssh-7.4p1/kex.h	2017-02-09 11:02:35.313012903 +0100
b58e57
@@ -179,6 +179,7 @@ struct kex {
b58e57
 char	*kex_alg_list(char);
b58e57
 char	*kex_names_cat(const char *, const char *);
b58e57
 int	 kex_assemble_names(const char *, char **);
b58e57
+int	 gss_kex_names_valid(const char *);
b58e57
 
b58e57
 int	 kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
b58e57
 int	 kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
b58e57
diff -up openssh-7.4p1/readconf.c.gsskexalg openssh-7.4p1/readconf.c
b58e57
--- openssh-7.4p1/readconf.c.gsskexalg	2017-02-09 10:46:50.420893129 +0100
b58e57
+++ openssh-7.4p1/readconf.c	2017-02-09 10:56:06.759372540 +0100
b58e57
@@ -64,6 +64,7 @@
b58e57
 #include "uidswap.h"
b58e57
 #include "myproposal.h"
b58e57
 #include "digest.h"
b58e57
+#include "ssh-gss.h"
b58e57
 
b58e57
 /* Format of the configuration file:
b58e57
 
b58e57
@@ -161,7 +162,7 @@ typedef enum {
b58e57
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
b58e57
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
b58e57
 	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
b58e57
-	oGssServerIdentity, 
b58e57
+	oGssServerIdentity, oGssKexAlgorithms,
b58e57
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
b58e57
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
b58e57
 	oHashKnownHosts,
b58e57
@@ -213,6 +214,7 @@ static struct {
b58e57
 	{ "gssapiclientidentity", oGssClientIdentity },
b58e57
 	{ "gssapiserveridentity", oGssServerIdentity },
b58e57
 	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
b58e57
+	{ "gssapikexalgorithms", oGssKexAlgorithms },
b58e57
 #else
b58e57
 	{ "gssapiauthentication", oUnsupported },
b58e57
 	{ "gssapikeyexchange", oUnsupported },
b58e57
@@ -220,6 +222,7 @@ static struct {
b58e57
 	{ "gssapitrustdns", oUnsupported },
b58e57
 	{ "gssapiclientidentity", oUnsupported },
b58e57
 	{ "gssapirenewalforcesrekey", oUnsupported },
b58e57
+	{ "gssapikexalgorithms", oUnsupported },
b58e57
 #endif
b58e57
 	{ "fallbacktorsh", oDeprecated },
b58e57
 	{ "usersh", oDeprecated },
b58e57
@@ -996,6 +999,18 @@ parse_time:
b58e57
 		intptr = &options->gss_renewal_rekey;
b58e57
 		goto parse_flag;
b58e57
 
b58e57
+	case oGssKexAlgorithms:
b58e57
+		arg = strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing argument.",
b58e57
+			    filename, linenum);
b58e57
+		if (!gss_kex_names_valid(arg))
b58e57
+			fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
b58e57
+			    filename, linenum, arg ? arg : "<NONE>");
b58e57
+		if (*activep && options->gss_kex_algorithms == NULL)
b58e57
+			options->gss_kex_algorithms = strdup(arg);
b58e57
+		break;
b58e57
+
b58e57
 	case oBatchMode:
b58e57
 		intptr = &options->batch_mode;
b58e57
 		goto parse_flag;
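Review bot: `arg ? arg : "<NONE>"` in the second `fatal()` is dead code: the first `fatal()` has already fired for a NULL or empty `arg`, so `arg` is always non-NULL at that point and the format argument can simply be `arg`. The same dead ternary appears in the `sGssKexAlgorithms` case added to servconf.c. Since `gss_kex_names_valid()` runs before the `*activep` test, an invalid list in a non-matching `Host`/`Match` block still aborts the whole config, which matches how other KEX lists are treated but is worth a short comment, e.g. `/* validated even when inactive so a typo is never silently ignored */`. process_config_line's switch starts and ends outside this hunk.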
b58e57
@@ -1813,6 +1828,7 @@ initialize_options(Options * options)
b58e57
 	options->gss_renewal_rekey = -1;
b58e57
 	options->gss_client_identity = NULL;
b58e57
 	options->gss_server_identity = NULL;
b58e57
+	options->gss_kex_algorithms = NULL;
b58e57
 	options->password_authentication = -1;
b58e57
 	options->kbd_interactive_authentication = -1;
b58e57
 	options->kbd_interactive_devices = NULL;
b58e57
@@ -1964,6 +1980,10 @@ fill_default_options(Options * options)
b58e57
 		options->gss_trust_dns = 0;
b58e57
 	if (options->gss_renewal_rekey == -1)
b58e57
 		options->gss_renewal_rekey = 0;
b58e57
+#ifdef GSSAPI
b58e57
+	if (options->gss_kex_algorithms == NULL)
b58e57
+		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
b58e57
+#endif
b58e57
 	if (options->password_authentication == -1)
b58e57
 		options->password_authentication = 1;
b58e57
 	if (options->kbd_interactive_authentication == -1)
b58e57
diff -up openssh-7.4p1/readconf.h.gsskexalg openssh-7.4p1/readconf.h
b58e57
--- openssh-7.4p1/readconf.h.gsskexalg	2017-02-09 10:46:50.420893129 +0100
b58e57
+++ openssh-7.4p1/readconf.h	2017-02-09 10:46:50.450893106 +0100
b58e57
@@ -51,6 +51,7 @@ typedef struct {
b58e57
 	int	gss_renewal_rekey;	/* Credential renewal forces rekey */
b58e57
 	char    *gss_client_identity;   /* Principal to initiate GSSAPI with */
b58e57
 	char    *gss_server_identity;   /* GSSAPI target principal */
b58e57
+	char   *gss_kex_algorithms;	/* GSSAPI kex methods to be offered by client. */
b58e57
 	int     password_authentication;	/* Try password
b58e57
 						 * authentication. */
b58e57
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
b58e57
diff -up openssh-7.4p1/servconf.c.gsskexalg openssh-7.4p1/servconf.c
b58e57
--- openssh-7.4p1/servconf.c.gsskexalg	2017-02-09 10:46:50.446893109 +0100
b58e57
+++ openssh-7.4p1/servconf.c	2017-02-09 10:57:15.784309297 +0100
b58e57
@@ -57,6 +57,7 @@
b58e57
 #include "auth.h"
b58e57
 #include "myproposal.h"
b58e57
 #include "digest.h"
b58e57
+#include "ssh-gss.h"
b58e57
 
b58e57
 static void add_listen_addr(ServerOptions *, char *, int);
b58e57
 static void add_one_listen_addr(ServerOptions *, char *, int);
b58e57
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
b58e57
 	options->gss_cleanup_creds = -1;
b58e57
 	options->gss_strict_acceptor = -1;
b58e57
 	options->gss_store_rekey = -1;
b58e57
+	options->gss_kex_algorithms = NULL;
b58e57
 	options->password_authentication = -1;
b58e57
 	options->kbd_interactive_authentication = -1;
b58e57
 	options->challenge_response_authentication = -1;
b58e57
@@ -280,6 +281,10 @@ fill_default_server_options(ServerOption
b58e57
 		options->gss_strict_acceptor = 1;
b58e57
 	if (options->gss_store_rekey == -1)
b58e57
 		options->gss_store_rekey = 0;
b58e57
+#ifdef GSSAPI
b58e57
+	if (options->gss_kex_algorithms == NULL)
b58e57
+		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
b58e57
+#endif
b58e57
 	if (options->password_authentication == -1)
b58e57
 		options->password_authentication = 1;
b58e57
 	if (options->kbd_interactive_authentication == -1)
b58e57
@@ -422,7 +425,7 @@ typedef enum {
b58e57
 	sHostKeyAlgorithms,
b58e57
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
b58e57
 	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
b58e57
-	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
b58e57
+	sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
b58e57
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
b58e57
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
b58e57
 	sHostCertificate,
b58e57
@@ -501,6 +504,7 @@ static struct {
b58e57
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
b58e57
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
b58e57
 	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
b58e57
+	{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
b58e57
 #else
b58e57
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
b58e57
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
b58e57
@@ -508,6 +512,7 @@ static struct {
b58e57
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
b58e57
 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
b58e57
 	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
b58e57
+	{ "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
b58e57
 #endif
b58e57
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
b58e57
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
b58e57
@@ -1249,6 +1254,18 @@ process_server_config_line(ServerOptions
b58e57
 		intptr = &options->gss_store_rekey;
b58e57
 		goto parse_flag;
b58e57
 
b58e57
+	case sGssKexAlgorithms:
b58e57
+		arg = strdelim(&cp;;
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing argument.",
b58e57
+			    filename, linenum);
b58e57
+		if (!gss_kex_names_valid(arg))
b58e57
+			fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
b58e57
+			    filename, linenum, arg ? arg : "<NONE>");
b58e57
+		if (*activep && options->gss_kex_algorithms == NULL)
b58e57
+			options->gss_kex_algorithms = strdup(arg);
b58e57
+		break;
b58e57
+
b58e57
 	case sPasswordAuthentication:
b58e57
 		intptr = &options->password_authentication;
b58e57
 		goto parse_flag;
b58e57
@@ -2304,6 +2321,7 @@ dump_config(ServerOptions *o)
b58e57
 	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
b58e57
 	dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
b58e57
 	dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
b58e57
+	dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
b58e57
 #endif
b58e57
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
b58e57
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
b58e57
diff -up openssh-7.4p1/servconf.h.gsskexalg openssh-7.4p1/servconf.h
b58e57
--- openssh-7.4p1/servconf.h.gsskexalg	2017-02-09 10:46:50.450893106 +0100
b58e57
+++ openssh-7.4p1/servconf.h	2017-02-09 10:57:33.717292870 +0100
b58e57
@@ -116,6 +116,7 @@ typedef struct {
b58e57
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
b58e57
 	int     gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
b58e57
 	int 	gss_store_rekey;
b58e57
+	char   *gss_kex_algorithms;	/* GSSAPI kex methods to be offered by client. */
b58e57
 	int     password_authentication;	/* If true, permit password
b58e57
 						 * authentication. */
b58e57
 	int     kbd_interactive_authentication;	/* If true, permit */
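Review bot: the comment on the new field, `/* GSSAPI kex methods to be offered by client. */`, was carried over from readconf.h and is wrong for the server options struct: on the server side this string is what `ssh_gssapi_server_mechanisms()` feeds to `ssh_gssapi_kex_mechs()`, i.e. the methods sshd will accept, as the sshd_config.5 text in this patch also says. Suggest `/* GSSAPI kex methods accepted by the server */`. The `ServerOptions` typedef starts and ends outside this hunk.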
b58e57
diff -up openssh-7.4p1/ssh.1.gsskexalg openssh-7.4p1/ssh.1
b58e57
--- openssh-7.4p1/ssh.1.gsskexalg	2017-02-09 10:46:50.443893111 +0100
b58e57
+++ openssh-7.4p1/ssh.1	2017-02-09 10:46:50.451893105 +0100
b58e57
@@ -517,6 +517,7 @@ For full details of the options listed b
b58e57
 .It GSSAPIDelegateCredentials
b58e57
 .It GSSAPIRenewalForcesRekey
b58e57
 .It GSSAPITrustDns
b58e57
+.It GSSAPIKexAlgorithms
b58e57
 .It HashKnownHosts
b58e57
 .It Host
b58e57
 .It HostbasedAuthentication
b58e57
diff -up openssh-7.4p1/ssh_config.5.gsskexalg openssh-7.4p1/ssh_config.5
b58e57
--- openssh-7.4p1/ssh_config.5.gsskexalg	2017-02-09 10:46:50.452893104 +0100
b58e57
+++ openssh-7.4p1/ssh_config.5	2017-02-09 11:00:39.053122745 +0100
b58e57
@@ -782,6 +782,18 @@ the name of the host being connected to.
b58e57
 command line will be passed untouched to the GSSAPI library.
b58e57
 The default is
b58e57
 .Dq no .
b58e57
+.It Cm GSSAPIKexAlgorithms
b58e57
+The list of key exchange algorithms that are offered for GSSAPI
b58e57
+key exchange. Possible values are
b58e57
+.Bd -literal -offset 3n
b58e57
+gss-gex-sha1-,
b58e57
+gss-group1-sha1-,
b58e57
+gss-group14-sha1-
b58e57
+.Ed
b58e57
+.Pp
b58e57
+The default is
b58e57
+.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
b58e57
+This option only applies to protocol version 2 connections using GSSAPI.
b58e57
 .It Cm HashKnownHosts
b58e57
 Indicates that
b58e57
 .Xr ssh 1
b58e57
diff -up openssh-7.4p1/sshconnect2.c.gsskexalg openssh-7.4p1/sshconnect2.c
b58e57
--- openssh-7.4p1/sshconnect2.c.gsskexalg	2017-02-09 10:46:50.451893105 +0100
b58e57
+++ openssh-7.4p1/sshconnect2.c	2017-02-09 10:58:08.533260973 +0100
b58e57
@@ -181,7 +181,8 @@ ssh_kex2(char *host, struct sockaddr *ho
b58e57
 		else
b58e57
 			gss_host = host;
b58e57
 
b58e57
-		gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
b58e57
+		gss = ssh_gssapi_client_mechanisms(gss_host,
b58e57
+		    options.gss_client_identity, options.gss_kex_algorithms);
b58e57
 		if (gss) {
b58e57
 			debug("Offering GSSAPI proposal: %s", gss);
b58e57
 			xasprintf(&options.kex_algorithms,
b58e57
diff -up openssh-7.4p1/sshd_config.5.gsskexalg openssh-7.4p1/sshd_config.5
b58e57
--- openssh-7.4p1/sshd_config.5.gsskexalg	2017-02-09 10:46:50.452893104 +0100
b58e57
+++ openssh-7.4p1/sshd_config.5	2017-02-09 11:01:55.141050861 +0100
b58e57
@@ -666,6 +666,18 @@ Controls whether the user's GSSAPI crede
b58e57
 successful connection rekeying. This option can be used to accepted renewed 
b58e57
 or updated credentials from a compatible client. The default is
b58e57
 .Dq no .
b58e57
+.It Cm GSSAPIKexAlgorithms
b58e57
+The list of key exchange algorithms that are accepted by GSSAPI
b58e57
+key exchange. Possible values are
b58e57
+.Bd -literal -offset 3n
b58e57
+gss-gex-sha1-,
b58e57
+gss-group1-sha1-,
b58e57
+gss-group14-sha1-
b58e57
+.Ed
b58e57
+.Pp
b58e57
+The default is
b58e57
+.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
b58e57
+This option only applies to protocol version 2 connections using GSSAPI.
b58e57
 .It Cm HostbasedAcceptedKeyTypes
b58e57
 Specifies the key types that will be accepted for hostbased authentication
b58e57
 as a comma-separated pattern list.
b58e57
diff -up openssh-7.4p1/ssh-gss.h.gsskexalg openssh-7.4p1/ssh-gss.h
b58e57
--- openssh-7.4p1/ssh-gss.h.gsskexalg	2017-02-09 10:46:50.425893125 +0100
b58e57
+++ openssh-7.4p1/ssh-gss.h	2017-02-09 10:46:50.451893105 +0100
b58e57
@@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds;
b58e57
 #define KEX_GSS_GRP14_SHA1_ID				"gss-group14-sha1-"
b58e57
 #define KEX_GSS_GEX_SHA1_ID				"gss-gex-sha1-"
b58e57
 
b58e57
+#define        GSS_KEX_DEFAULT_KEX \
b58e57
+	KEX_GSS_GEX_SHA1_ID "," \
b58e57
+	KEX_GSS_GRP1_SHA1_ID "," \
b58e57
+	KEX_GSS_GRP14_SHA1_ID
b58e57
+
b58e57
 typedef struct {
b58e57
 	char *filename;
b58e57
 	char *envvar;
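Review bot: `#define        GSS_KEX_DEFAULT_KEX \` separates `#define` from the macro name with a run of spaces, unlike every other define in this header; `#define GSS_KEX_DEFAULT_KEX \` keeps the file's layout. A one-line comment would also help readers arriving from readconf.c/servconf.c, e.g. `/* Default for GSSAPIKexAlgorithms (client and server) */`, since the macro is the only place the default list is defined and the two man pages in this patch spell it out by hand.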
b58e57
@@ -147,9 +152,9 @@ int ssh_gssapi_credentials_updated(Gssct
b58e57
 /* In the server */
b58e57
 typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, 
b58e57
     const char *);
b58e57
-char *ssh_gssapi_client_mechanisms(const char *, const char *);
b58e57
+char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
b58e57
 char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
b58e57
-    const char *);
b58e57
+    const char *, const char *);
b58e57
 gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
b58e57
 int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, 
b58e57
     const char *);