rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
Petr Šabata 81d24c
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
Petr Šabata 81d24c
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 15:18:40.628216102 +0100
Petr Šabata 81d24c
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Šabata 81d24c
 	FILE *fp;
Petr Šabata 81d24c
 	char file[MAXPATHLEN];
Petr Šabata 81d24c
 	char *line = NULL;
Petr Šabata 81d24c
-	char kuser[65]; /* match krb5_kuserok() */
Petr Šabata 81d24c
 	struct stat st;
Petr Šabata 81d24c
 	struct passwd *pw = the_authctxt->pw;
Petr Šabata 81d24c
 	int found_principal = 0;
Petr Šabata 81d24c
@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
Petr Šabata 81d24c
 	/* If both .k5login and .k5users DNE, self-login is ok. */
Petr Šabata 81d24c
-	if (!k5login_exists && (access(file, F_OK) == -1)) {
Petr Šabata 81d24c
+	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
Petr Šabata 81d24c
                 return ssh_krb5_kuserok(krb_context, principal, luser,
Petr Šabata 81d24c
                                         k5login_exists);
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
Petr Šabata 81d24c
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/servconf.c	2016-12-23 15:35:36.354401156 +0100
Petr Šabata 81d24c
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
Petr Šabata 81d24c
 	options->gss_store_rekey = -1;
Petr Šabata 81d24c
 	options->gss_kex_algorithms = NULL;
Petr Šabata 81d24c
 	options->use_kuserok = -1;
Petr Šabata 81d24c
+	options->enable_k5users = -1;
Petr Šabata 81d24c
 	options->password_authentication = -1;
Petr Šabata 81d24c
 	options->kbd_interactive_authentication = -1;
Petr Šabata 81d24c
 	options->challenge_response_authentication = -1;
Petr Šabata 81d24c
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
Petr Šabata 81d24c
 #endif
Petr Šabata 81d24c
 	if (options->use_kuserok == -1)
Petr Šabata 81d24c
 		options->use_kuserok = 1;
Petr Šabata 81d24c
+	if (options->enable_k5users == -1)
Petr Šabata 81d24c
+		options->enable_k5users = 0;
Petr Šabata 81d24c
 	if (options->password_authentication == -1)
Petr Šabata 81d24c
 		options->password_authentication = 1;
Petr Šabata 81d24c
 	if (options->kbd_interactive_authentication == -1)
Petr Šabata 81d24c
@@ -418,7 +421,7 @@ typedef enum {
DistroBaker d029bb
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
DistroBaker d029bb
 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
Petr Šabata 81d24c
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
Petr Šabata 81d24c
-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
Petr Šabata 81d24c
+	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
Petr Šabata 81d24c
 	sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
Petr Šabata 81d24c
 	sAcceptEnv, sSetEnv, sPermitTunnel,
Petr Šabata 81d24c
 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
Petr Šabata 81d24c
@@ -497,14 +500,16 @@ static struct {
Petr Šabata 81d24c
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
Petr Šabata 81d24c
+	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
Petr Šabata 81d24c
 #else
Petr Šabata 81d24c
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
Petr Šabata 81d24c
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
+	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
Petr Šabata 81d24c
 #endif
Petr Šabata 81d24c
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
Petr Šabata 81d24c
 		intptr = &options->use_kuserok;
Petr Šabata 81d24c
 		goto parse_flag;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
+	case sGssEnablek5users:
Petr Šabata 81d24c
+		intptr = &options->enable_k5users;
Petr Šabata 81d24c
+		goto parse_flag;
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 	case sPermitListen:
Petr Šabata 81d24c
 	case sPermitOpen:
Petr Šabata 81d24c
 		if (opcode == sPermitListen) {
Petr Šabata 81d24c
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
Petr Šabata 81d24c
 	M_CP_INTOPT(ip_qos_interactive);
Petr Šabata 81d24c
 	M_CP_INTOPT(ip_qos_bulk);
Petr Šabata 81d24c
 	M_CP_INTOPT(use_kuserok);
Petr Šabata 81d24c
+	M_CP_INTOPT(enable_k5users);
Petr Šabata 81d24c
 	M_CP_INTOPT(rekey_limit);
Petr Šabata 81d24c
 	M_CP_INTOPT(rekey_interval);
Petr Šabata 81d24c
 	M_CP_INTOPT(log_level);
Petr Šabata 81d24c
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
Petr Šabata 81d24c
 # endif
Petr Šabata 81d24c
 	dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
Petr Šabata 81d24c
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
Petr Šabata 81d24c
+	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
Petr Šabata 81d24c
 #endif
Petr Šabata 81d24c
 #ifdef GSSAPI
Petr Šabata 81d24c
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
Petr Šabata 81d24c
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
Petr Šabata 81d24c
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/servconf.h	2016-12-23 15:18:40.629216102 +0100
Petr Šabata 81d24c
@@ -174,6 +174,7 @@ typedef struct {
Petr Šabata 81d24c
	int     kerberos_unique_ccache;		/* If true, the acquired ticket will
Petr Šabata 81d24c
						 * be stored in per-session ccache */
Petr Šabata 81d24c
 	int	use_kuserok;
Petr Šabata 81d24c
+	int		enable_k5users;
Petr Šabata 81d24c
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
Petr Šabata 81d24c
 	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
Petr Šabata 81d24c
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
Petr Šabata 81d24c
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
Petr Šabata 81d24c
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users	2016-12-23 15:18:40.630216103 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:36:21.607408435 +0100
Petr Šabata 81d24c
@@ -628,6 +628,12 @@ Specifies whether to automatically destr
Petr Šabata 81d24c
 on logout.
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Cm yes .
Petr Šabata 81d24c
+.It Cm GSSAPIEnablek5users
Petr Šabata 81d24c
+Specifies whether to look at .k5users file for GSSAPI authentication
Petr Šabata 81d24c
+access control. Further details are described in
Petr Šabata 81d24c
+.Xr ksu 1 .
Petr Šabata 81d24c
+The default is
Petr Šabata 81d24c
+.Cm no .
Petr Šabata 81d24c
 .It Cm GSSAPIKeyExchange
Petr Šabata 81d24c
 Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
Petr Šabata 81d24c
 doesn't rely on ssh keys to verify host identity.
Petr Šabata 81d24c
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
Petr Šabata 81d24c
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
Petr Šabata 81d24c
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
Petr Šabata 81d24c
 #GSSAPICleanupCredentials yes
Petr Šabata 81d24c
 #GSSAPIStrictAcceptorCheck yes
Petr Šabata 81d24c
 #GSSAPIKeyExchange no
Petr Šabata 81d24c
+#GSSAPIEnablek5users no
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 # Set this to 'yes' to enable PAM authentication, account processing,
Petr Šabata 81d24c
 # and session processing. If this is enabled, PAM authentication will