diff -up openssh-6.3p1/ChangeLog.gssapi.gsskex openssh-6.3p1/ChangeLog.gssapi

--- openssh-6.3p1/ChangeLog.gssapi.gsskex	2013-10-11 15:15:17.284216176 +0200

+++ openssh-6.3p1/ChangeLog.gssapi	2013-10-11 15:15:17.284216176 +0200

@@ -0,0 +1,113 @@

+20110101

+  - Finally update for OpenSSH 5.6p1

+  - Add GSSAPIServerIdentity option from Jim Basney

+ 

+20100308

+  - [ Makefile.in, key.c, key.h ]

+    Updates for OpenSSH 5.4p1

+  - [ servconf.c ]

+    Include GSSAPI options in the sshd -T configuration dump, and flag

+    some older configuration options as being unsupported. Thanks to Colin 

+    Watson.

+  -

+

+20100124

+  - [ sshconnect2.c ]

+    Adapt to deal with additional element in Authmethod structure. Thanks to

+    Colin Watson

+

+20090615

+  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c

+      sshd.c ]

+    Fix issues identified by Greg Hudson following a code review

+	Check return value of gss_indicate_mechs

+	Protect GSSAPI calls in monitor, so they can only be used if enabled

+	Check return values of bignum functions in key exchange

+	Use BN_clear_free to clear other side's DH value

+	Make ssh_gssapi_id_kex more robust

+	Only configure kex table pointers if GSSAPI is enabled

+	Don't leak mechanism list, or gss mechanism list

+	Cast data.length before printing

+	If serverkey isn't provided, use an empty string, rather than NULL

+

+20090201

+  - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h

+      ssh_config.5 sshconnet2.c ]

+    Add support for the GSSAPIClientIdentity option, which allows the user

+    to specify which GSSAPI identity to use to contact a given server

+

+20080404

+  - [ gss-serv.c ]

+    Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow

+    been omitted from a previous version of this patch. Reported by Borislav

+    Stoichkov

+

+20070317

+  - [ gss-serv-krb5.c ]

+    Remove C99ism, where new_ccname was being declared in the middle of a 

+    function

+

+20061220

+  - [ servconf.c ]

+    Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and 

+    documented, behaviour. Reported by Dan Watson.

+

+20060910

+  - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c

+      ssh-gss.h ]

+    add support for gss-group14-sha1 key exchange mechanisms

+  - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]

+    Add GSSAPIStrictAcceptorCheck option to allow the disabling of

+    acceptor principal checking on multi-homed machines.

+    <Bugzilla #928>

+  - [ sshd_config ssh_config ]

+    Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample

+    configuration files

+  - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]

+    Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()

+    Limit length of error messages displayed by client

+

+20060909

+  - [ gss-genr.c gss-serv.c ]

+    move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server

+    only, where they belong 

+    <Bugzilla #1225>

+

+20060829

+  - [ gss-serv-krb5.c ]

+    Fix CCAPI credentials cache name when creating KRB5CCNAME environment 

+    variable

+

+20060828

+  - [ gss-genr.c ]

+    Avoid Heimdal context freeing problem

+    <Fixed upstream 20060829>

+

+20060818

+  - [ gss-genr.c ssh-gss.h sshconnect2.c ]

+    Make sure that SPENGO is disabled 

+    <Bugzilla #1218 - Fixed upstream 20060818>

+

+20060421

+  - [ gssgenr.c, sshconnect2.c ]

+    a few type changes (signed versus unsigned, int versus size_t) to

+    fix compiler errors/warnings 

+    (from jbasney AT ncsa.uiuc.edu)

+  - [ kexgssc.c, sshconnect2.c ]

+    fix uninitialized variable warnings

+    (from jbasney AT ncsa.uiuc.edu)

+  - [ gssgenr.c ]

+    pass oid to gss_display_status (helpful when using GSSAPI mechglue)

+    (from jbasney AT ncsa.uiuc.edu)

+    <Bugzilla #1220 >

+  - [ gss-serv-krb5.c ]

+    #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H

+    (from jbasney AT ncsa.uiuc.edu)

+    <Fixed upstream 20060304>

+  - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c 

+    add client-side GssapiKeyExchange option

+    (from jbasney AT ncsa.uiuc.edu)

+  - [ sshconnect2.c ]

+    add support for GssapiTrustDns option for gssapi-with-mic

+    (from jbasney AT ncsa.uiuc.edu)

+    <gssapi-with-mic support is Bugzilla #1008>

diff -up openssh-6.3p1/Makefile.in.gsskex openssh-6.3p1/Makefile.in

--- openssh-6.3p1/Makefile.in.gsskex	2013-10-11 15:15:17.281216190 +0200

+++ openssh-6.3p1/Makefile.in	2013-10-11 15:15:17.289216153 +0200

@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o

 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \

 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \

 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \

+	kexgssc.o \

 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \

 	jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o

@@ -93,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw

 	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \

 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \

 	auth-krb5.o \

-	auth2-gss.o gss-serv.o gss-serv-krb5.o \

+	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\

 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \

 	sftp-server.o sftp-common.o \

 	roaming_common.o roaming_serv.o \

diff -up openssh-6.3p1/auth2-gss.c.gsskex openssh-6.3p1/auth2-gss.c

--- openssh-6.3p1/auth2-gss.c.gsskex	2013-10-11 15:15:17.213216506 +0200

+++ openssh-6.3p1/auth2-gss.c	2013-10-11 15:15:17.283216181 +0200

@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u

 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

 static void input_gssapi_errtok(int, u_int32_t, void *);

+/* 

+ * The 'gssapi_keyex' userauth mechanism.

+ */

+static int

+userauth_gsskeyex(Authctxt *authctxt)

+{

+	int authenticated = 0;

+	Buffer b;

+	gss_buffer_desc mic, gssbuf;

+	u_int len;

+

+	mic.value = packet_get_string(&len;;

+	mic.length = len;

+

+	packet_check_eom();

+

+	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,

+	    "gssapi-keyex");

+

+	gssbuf.value = buffer_ptr(&b);

+	gssbuf.length = buffer_len(&b);

+

+	/* gss_kex_context is NULL with privsep, so we can't check it here */

+	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 

+	    &gssbuf, &mic))))

+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,

+		    authctxt->pw));

+	

+	buffer_free(&b);

+	free(mic.value);

+

+	return (authenticated);

+}

+

 /*

  * We only support those mechanisms that we know about (ie ones that we know

  * how to check local user kuserok and the like)

@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type,

 	packet_check_eom();

-	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,

+	    authctxt->pw));

 	authctxt->postponed = 0;

 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

@@ -282,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t ple

 	gssbuf.length = buffer_len(&b);

 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))

-		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+		authenticated = 

+		    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));

 	else

 		logit("GSSAPI MIC check failed");

@@ -299,6 +335,12 @@ input_gssapi_mic(int type, u_int32_t ple

 	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);

 }

+Authmethod method_gsskeyex = {

+	"gssapi-keyex",

+	userauth_gsskeyex,

+	&options.gss_authentication

+};

+

 Authmethod method_gssapi = {

 	"gssapi-with-mic",

 	userauth_gssapi,

diff -up openssh-6.3p1/auth2.c.gsskex openssh-6.3p1/auth2.c

--- openssh-6.3p1/auth2.c.gsskex	2013-10-11 15:15:17.214216502 +0200

+++ openssh-6.3p1/auth2.c	2013-10-11 15:15:17.283216181 +0200

@@ -69,6 +69,7 @@ extern Authmethod method_passwd;

 extern Authmethod method_kbdint;

 extern Authmethod method_hostbased;

 #ifdef GSSAPI

+extern Authmethod method_gsskeyex;

 extern Authmethod method_gssapi;

 #endif

 #ifdef JPAKE

@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {

 	&method_none,

 	&method_pubkey,

 #ifdef GSSAPI

+	&method_gsskeyex,

 	&method_gssapi,

 #endif

 #ifdef JPAKE

diff -up openssh-6.3p1/clientloop.c.gsskex openssh-6.3p1/clientloop.c

--- openssh-6.3p1/clientloop.c.gsskex	2013-10-11 15:15:17.178216669 +0200

+++ openssh-6.3p1/clientloop.c	2013-10-11 15:15:17.284216176 +0200

@@ -111,6 +111,10 @@

 #include "msg.h"

 #include "roaming.h"

+#ifdef GSSAPI

+#include "ssh-gss.h"

+#endif

+

 /* import options */

 extern Options options;

@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_cha

 		/* Do channel operations unless rekeying in progress. */

 		if (!rekeying) {

 			channel_after_select(readset, writeset);

+

+#ifdef GSSAPI

+			if (options.gss_renewal_rekey &&

+			    ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {

+				debug("credentials updated - forcing rekey");

+				need_rekeying = 1;

+			}

+#endif

+

 			if (need_rekeying || packet_need_rekeying()) {

 				debug("need rekeying");

 				xxx_kex->done = 0;

diff -up openssh-6.3p1/configure.ac.gsskex openssh-6.3p1/configure.ac

--- openssh-6.3p1/configure.ac.gsskex	2013-10-11 15:15:17.273216227 +0200

+++ openssh-6.3p1/configure.ac	2013-10-11 15:15:17.285216171 +0200

@@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("

 	    [Use tunnel device compatibility to OpenBSD])

 	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],

 	    [Prepend the address family to IP tunnel traffic])

+	AC_MSG_CHECKING(if we have the Security Authorization Session API)

+	AC_TRY_COMPILE([#include <Security/AuthSession.h>],

+		[SessionCreate(0, 0);],

+		[ac_cv_use_security_session_api="yes"

+		 AC_DEFINE(USE_SECURITY_SESSION_API, 1, 

+			[platform has the Security Authorization Session API])

+		 LIBS="$LIBS -framework Security"

+		 AC_MSG_RESULT(yes)],

+		[ac_cv_use_security_session_api="no"

+		 AC_MSG_RESULT(no)])

+	AC_MSG_CHECKING(if we have an in-memory credentials cache)

+	AC_TRY_COMPILE(

+		[#include <Kerberos/Kerberos.h>],

+		[cc_context_t c;

+		 (void) cc_initialize (&c, 0, NULL, NULL);],

+		[AC_DEFINE(USE_CCAPI, 1, 

+			[platform uses an in-memory credentials cache])

+		 LIBS="$LIBS -framework Security"

+		 AC_MSG_RESULT(yes)

+		 if test "x$ac_cv_use_security_session_api" = "xno"; then

+			AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***)

+		fi],

+		[AC_MSG_RESULT(no)]

+	)

 	m4_pattern_allow([AU_IPv])

 	AC_CHECK_DECL([AU_IPv4], [], 

 	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])

diff -up openssh-6.3p1/gss-genr.c.gsskex openssh-6.3p1/gss-genr.c

--- openssh-6.3p1/gss-genr.c.gsskex	2013-06-01 23:31:18.000000000 +0200

+++ openssh-6.3p1/gss-genr.c	2013-10-11 15:15:17.286216167 +0200

@@ -39,12 +39,167 @@

 #include "buffer.h"

 #include "log.h"

 #include "ssh2.h"

+#include "cipher.h"

+#include "key.h"

+#include "kex.h"

+#include <openssl/evp.h>

 #include "ssh-gss.h"

 extern u_char *session_id2;

 extern u_int session_id2_len;

+typedef struct {

+	char *encoded;

+	gss_OID oid;

+} ssh_gss_kex_mapping;

+

+/*

+ * XXX - It would be nice to find a more elegant way of handling the

+ * XXX   passing of the key exchange context to the userauth routines

+ */

+

+Gssctxt *gss_kex_context = NULL;

+

+static ssh_gss_kex_mapping *gss_enc2oid = NULL;

+

+int 

+ssh_gssapi_oid_table_ok() {

+	return (gss_enc2oid != NULL);

+}

+

+/*

+ * Return a list of the gss-group1-sha1 mechanisms supported by this program

+ *

+ * We test mechanisms to ensure that we can use them, to avoid starting

+ * a key exchange with a bad mechanism

+ */

+

+char *

+ssh_gssapi_client_mechanisms(const char *host, const char *client) {

+	gss_OID_set gss_supported;

+	OM_uint32 min_status;

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))

+		return NULL;

+

+	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,

+	    host, client));

+}

+

+char *

+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,

+    const char *host, const char *client) {

+	Buffer buf;

+	size_t i;

+	int oidpos, enclen;

+	char *mechs, *encoded;

+	u_char digest[EVP_MAX_MD_SIZE];

+	char deroid[2];

+	const EVP_MD *evp_md = EVP_md5();

+	EVP_MD_CTX md;

+

+	if (gss_enc2oid != NULL) {

+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)

+			free(gss_enc2oid[i].encoded);

+		free(gss_enc2oid);

+	}

+

+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *

+	    (gss_supported->count + 1));

+

+	buffer_init(&buf;;

+

+	oidpos = 0;

+	for (i = 0; i < gss_supported->count; i++) {

+		if (gss_supported->elements[i].length < 128 &&

+		    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {

+

+			deroid[0] = SSH_GSS_OIDTYPE;

+			deroid[1] = gss_supported->elements[i].length;

+

+			EVP_DigestInit(&md, evp_md);

+			EVP_DigestUpdate(&md, deroid, 2);

+			EVP_DigestUpdate(&md,

+			    gss_supported->elements[i].elements,

+			    gss_supported->elements[i].length);

+			EVP_DigestFinal(&md, digest, NULL);

+

+			encoded = xmalloc(EVP_MD_size(evp_md) * 2);

+			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),

+			    encoded, EVP_MD_size(evp_md) * 2);

+

+			if (oidpos != 0)

+				buffer_put_char(&buf, ',');

+

+			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,

+			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 

+			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,

+			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+

+			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);

+			gss_enc2oid[oidpos].encoded = encoded;

+			oidpos++;

+		}

+	}

+	gss_enc2oid[oidpos].oid = NULL;

+	gss_enc2oid[oidpos].encoded = NULL;

+

+	buffer_put_char(&buf, '\0');

+

+	mechs = xmalloc(buffer_len(&buf));

+	buffer_get(&buf, mechs, buffer_len(&buf));

+	buffer_free(&buf;;

+

+	if (strlen(mechs) == 0) {

+		free(mechs);

+		mechs = NULL;

+	}

+	

+	return (mechs);

+}

+

+gss_OID

+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {

+	int i = 0;

+	

+	switch (kex_type) {

+	case KEX_GSS_GRP1_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GRP14_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GEX_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;

+		break;

+	default:

+		return GSS_C_NO_OID;

+	}

+

+	while (gss_enc2oid[i].encoded != NULL &&

+	    strcmp(name, gss_enc2oid[i].encoded) != 0)

+		i++;

+

+	if (gss_enc2oid[i].oid != NULL && ctx != NULL)

+		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);

+

+	return gss_enc2oid[i].oid;

+}

+

 /* Check that the OID in a data stream matches that in the context */

 int

 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)

@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de

 	}

 	ctx->major = gss_init_sec_context(&ctx->minor,

-	    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,

+	    ctx->client_creds, &ctx->context, ctx->name, ctx->oid,

 	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,

 	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);

@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con

 }

 OM_uint32

+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)

+{

+	gss_buffer_desc gssbuf;

+	gss_name_t gssname;

+	OM_uint32 status;

+	gss_OID_set oidset;

+

+	gssbuf.value = (void *) name;

+	gssbuf.length = strlen(gssbuf.value);

+

+	gss_create_empty_oid_set(&status, &oidset);

+	gss_add_oid_set_member(&status, ctx->oid, &oidset);

+

+	ctx->major = gss_import_name(&ctx->minor, &gssbuf,

+	    GSS_C_NT_USER_NAME, &gssname);

+

+	if (!ctx->major)

+		ctx->major = gss_acquire_cred(&ctx->minor, 

+		    gssname, 0, oidset, GSS_C_INITIATE, 

+		    &ctx->client_creds, NULL, NULL);

+

+	gss_release_name(&status, &gssname);

+	gss_release_oid_set(&status, &oidset);

+

+	if (ctx->major)

+		ssh_gssapi_error(ctx);

+

+	return(ctx->major);

+}

+

+OM_uint32

 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)

 {

+	if (ctx == NULL) 

+		return -1;

+

 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,

 	    GSS_C_QOP_DEFAULT, buffer, hash)))

 		ssh_gssapi_error(ctx);

@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer

 	return (ctx->major);

 }

+/* Priviledged when used by server */

+OM_uint32

+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)

+{

+	if (ctx == NULL)

+		return -1;

+

+	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,

+	    gssbuf, gssmic, NULL);

+

+	return (ctx->major);

+}

+

 void

 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,

     const char *context)

@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha

 }

 int

-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)

+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, 

+    const char *client)

 {

 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;

 	OM_uint32 major, minor;

 	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};

+	Gssctxt *intctx = NULL;

+

+	if (ctx == NULL)

+		ctx = &intct;;

 	/* RFC 4462 says we MUST NOT do SPNEGO */

 	if (oid->length == spnego_oid.length && 

@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx

 	ssh_gssapi_build_ctx(ctx);

 	ssh_gssapi_set_oid(*ctx, oid);

 	major = ssh_gssapi_import_name(*ctx, host);

+

+	if (!GSS_ERROR(major) && client)

+		major = ssh_gssapi_client_identity(*ctx, client);

+

 	if (!GSS_ERROR(major)) {

 		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 

 		    NULL);

@@ -272,10 +483,67 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx

 			    GSS_C_NO_BUFFER);

 	}

-	if (GSS_ERROR(major)) 

+	if (GSS_ERROR(major) || intctx != NULL) 

 		ssh_gssapi_delete_ctx(ctx);

 	return (!GSS_ERROR(major));

 }

+int

+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {

+	static gss_name_t saved_name = GSS_C_NO_NAME;

+	static OM_uint32 saved_lifetime = 0;

+	static gss_OID saved_mech = GSS_C_NO_OID;

+	static gss_name_t name;

+	static OM_uint32 last_call = 0;

+	OM_uint32 lifetime, now, major, minor;

+	int equal;

+	gss_cred_usage_t usage = GSS_C_INITIATE;

+	

+	now = time(NULL);

+

+	if (ctxt) {

+		debug("Rekey has happened - updating saved versions");

+

+		if (saved_name != GSS_C_NO_NAME)

+			gss_release_name(&minor, &saved_name);

+

+		major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,

+		    &saved_name, &saved_lifetime, NULL, NULL);

+

+		if (!GSS_ERROR(major)) {

+			saved_mech = ctxt->oid;

+		        saved_lifetime+= now;

+		} else {

+			/* Handle the error */

+		}

+		return 0;

+	}

+

+	if (now - last_call < 10)

+		return 0;

+

+	last_call = now;

+

+	if (saved_mech == GSS_C_NO_OID)

+		return 0;

+	

+	major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, 

+	    &name, &lifetime, NULL, NULL);

+	if (major == GSS_S_CREDENTIALS_EXPIRED)

+		return 0;

+	else if (GSS_ERROR(major))

+		return 0;

+

+	major = gss_compare_name(&minor, saved_name, name, &equal);

+	gss_release_name(&minor, &name);

+	if (GSS_ERROR(major))

+		return 0;

+

+	if (equal && (saved_lifetime < lifetime + now - 10))

+		return 1;

+

+	return 0;

+}

+

 #endif /* GSSAPI */

diff -up openssh-6.3p1/gss-serv-krb5.c.gsskex openssh-6.3p1/gss-serv-krb5.c

--- openssh-6.3p1/gss-serv-krb5.c.gsskex	2013-07-20 05:35:45.000000000 +0200

+++ openssh-6.3p1/gss-serv-krb5.c	2013-10-23 21:48:20.558346236 +0200

@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl

 	krb5_error_code problem;

 	krb5_principal princ;

 	OM_uint32 maj_status, min_status;

-	int len;

+	const char *new_ccname, *new_cctype;

 	const char *errmsg;

 	if (client->creds == NULL) {

@@ -174,11 +174,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl

 		return;

 	}

-	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));

+	new_cctype = krb5_cc_get_type(krb_context, ccache);

+	new_ccname = krb5_cc_get_name(krb_context, ccache);

+

 	client->store.envvar = "KRB5CCNAME";

-	len = strlen(client->store.filename) + 6;

-	client->store.envval = xmalloc(len);

-	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);

+#ifdef USE_CCAPI

+	xasprintf(&client->store.envval, "API:%s", new_ccname);

+	client->store.filename = NULL;

+#else

+	if (new_ccname[0] == ':')

+		new_ccname++;

+	xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);

+	if (strcmp(new_cctype, "DIR") == 0) {

+		char *p;

+		p = strrchr(client->store.envval, '/');

+		if (p)

+			*p = '\0';

+	}

+	if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))

+		client->store.filename = xstrdup(new_ccname);

+#endif

 #ifdef USE_PAM

 	if (options.use_pam)

@@ -187,9 +202,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl

 	krb5_cc_close(krb_context, ccache);

+	client->store.data = krb_context;

+

 	return;

 }

+int

+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, 

+    ssh_gssapi_client *client)

+{

+	krb5_ccache ccache = NULL;

+	krb5_principal principal = NULL;

+	char *name = NULL;

+	krb5_error_code problem;

+	OM_uint32 maj_status, min_status;

+

+   	if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {

+                logit("krb5_cc_resolve(): %.100s",

+                    krb5_get_err_text(krb_context, problem));

+                return 0;

+       	}

+	

+	/* Find out who the principal in this cache is */

+	if ((problem = krb5_cc_get_principal(krb_context, ccache, 

+	    &principal))) {

+		logit("krb5_cc_get_principal(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+	if ((problem = krb5_unparse_name(krb_context, principal, &name))) {

+		logit("krb5_unparse_name(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+

+	if (strcmp(name,client->exportedname.value)!=0) {

+		debug("Name in local credentials cache differs. Not storing");

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		krb5_free_unparsed_name(krb_context, name);

+		return 0;

+	}

+	krb5_free_unparsed_name(krb_context, name);

+

+	/* Name matches, so lets get on with it! */

+

+	if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {

+		logit("krb5_cc_initialize(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+	krb5_free_principal(krb_context, principal);

+

+	if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,

+	    ccache))) {

+		logit("gss_krb5_copy_ccache() failed. Sorry!");

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+	return 1;

+}

+

 ssh_gssapi_mech gssapi_kerberos_mech = {

 	"toWM5Slw5Ew8Mqkay+al2g==",

 	"Kerberos",

@@ -197,7 +279,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {

 	NULL,

 	&ssh_gssapi_krb5_userok,

 	NULL,

-	&ssh_gssapi_krb5_storecreds

+	&ssh_gssapi_krb5_storecreds,

+	&ssh_gssapi_krb5_updatecreds

 };

 #endif /* KRB5 */

diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c

--- openssh-6.3p1/gss-serv.c.gsskex	2013-07-20 05:35:45.000000000 +0200

+++ openssh-6.3p1/gss-serv.c	2013-10-23 21:51:52.212347754 +0200

@@ -45,15 +45,20 @@

 #include "channels.h"

 #include "session.h"

 #include "misc.h"

+#include "servconf.h"

+#include "uidswap.h"

 #include "ssh-gss.h"

+#include "monitor_wrap.h"

+

+extern ServerOptions options;

 static ssh_gssapi_client gssapi_client =

     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,

-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};

+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL, {NULL, NULL, NULL}, 0, 0};

 ssh_gssapi_mech gssapi_null_mech =

-    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};

+    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};

 #ifdef KRB5

 extern ssh_gssapi_mech gssapi_kerberos_mech;

@@ -81,25 +86,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)

 	char lname[MAXHOSTNAMELEN];

 	gss_OID_set oidset;

-	gss_create_empty_oid_set(&status, &oidset);

-	gss_add_oid_set_member(&status, ctx->oid, &oidset);

+	if (options.gss_strict_acceptor) {

+		gss_create_empty_oid_set(&status, &oidset);

+		gss_add_oid_set_member(&status, ctx->oid, &oidset);

+

+		if (gethostname(lname, MAXHOSTNAMELEN)) {

+			gss_release_oid_set(&status, &oidset);

+			return (-1);

+		}

-	if (gethostname(lname, MAXHOSTNAMELEN)) {

-		gss_release_oid_set(&status, &oidset);

-		return (-1);

-	}

+		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {

+			gss_release_oid_set(&status, &oidset);

+			return (ctx->major);

+		}

+

+		if ((ctx->major = gss_acquire_cred(&ctx->minor,

+		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 

+		    NULL, NULL)))

+			ssh_gssapi_error(ctx);

-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {

 		gss_release_oid_set(&status, &oidset);

 		return (ctx->major);

+	} else {

+		ctx->name = GSS_C_NO_NAME;

+		ctx->creds = GSS_C_NO_CREDENTIAL;

 	}

-

-	if ((ctx->major = gss_acquire_cred(&ctx->minor,

-	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))

-		ssh_gssapi_error(ctx);

-

-	gss_release_oid_set(&status, &oidset);

-	return (ctx->major);

+	return GSS_S_COMPLETE;

 }

 /* Privileged */

@@ -114,6 +126,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss

 }

 /* Unprivileged */

+char *

+ssh_gssapi_server_mechanisms() {

+	gss_OID_set	supported;

+

+	ssh_gssapi_supported_oids(&supported);

+	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,

+	    NULL, NULL));

+}

+

+/* Unprivileged */

+int

+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data,

+    const char *dummy) {

+	Gssctxt *ctx = NULL;

+	int res;

+ 

+	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));

+	ssh_gssapi_delete_ctx(&ctx;;

+

+	return (res);

+}

+

+/* Unprivileged */

 void

 ssh_gssapi_supported_oids(gss_OID_set *oidset)

 {

@@ -123,7 +158,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o

 	gss_OID_set supported;

 	gss_create_empty_oid_set(&min_status, oidset);

-	gss_indicate_mechs(&min_status, &supported);

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))

+		return;