vishalmishra434 / rpms / openssh

Forked from rpms/openssh 3 months ago
Clone
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
Jakub Jelen 6cf9b8
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 15:18:40.628216102 +0100
Jakub Jelen 6cf9b8
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Lautrbach 140e5c
 	FILE *fp;
Petr Lautrbach 140e5c
 	char file[MAXPATHLEN];
Jakub Jelen bbf61d
 	char *line = NULL;
Petr Lautrbach 140e5c
-	char kuser[65]; /* match krb5_kuserok() */
Petr Lautrbach 140e5c
 	struct stat st;
Petr Lautrbach 140e5c
 	struct passwd *pw = the_authctxt->pw;
Petr Lautrbach 140e5c
 	int found_principal = 0;
Jakub Jelen 6cf9b8
@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
Petr Lautrbach 140e5c
 	/* If both .k5login and .k5users DNE, self-login is ok. */
Petr Lautrbach 140e5c
-	if (!k5login_exists && (access(file, F_OK) == -1)) {
Petr Lautrbach 140e5c
+	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
Petr Lautrbach 140e5c
                 return ssh_krb5_kuserok(krb_context, principal, luser,
Petr Lautrbach 140e5c
                                         k5login_exists);
Petr Lautrbach 140e5c
 	}
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
Jakub Jelen 6cf9b8
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/servconf.c	2016-12-23 15:35:36.354401156 +0100
Jakub Jelen 6cf9b8
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
Jakub Jelen 5b55d0
 	options->gss_store_rekey = -1;
Jakub Jelen def1de
 	options->gss_kex_algorithms = NULL;
Petr Lautrbach 140e5c
 	options->use_kuserok = -1;
Petr Lautrbach 140e5c
+	options->enable_k5users = -1;
Jakub Jelen 5b55d0
 	options->password_authentication = -1;
Jakub Jelen 5b55d0
 	options->kbd_interactive_authentication = -1;
Dmitry Belyavskiy 8f4d19
	options->permit_empty_passwd = -1;
Jakub Jelen 6cf9b8
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
Jakub Jelen def1de
 #endif
Jakub Jelen 3f5513
 	if (options->use_kuserok == -1)
Jakub Jelen 3f5513
 		options->use_kuserok = 1;
Jakub Jelen 6cf9b8
+	if (options->enable_k5users == -1)
Jakub Jelen 6cf9b8
+		options->enable_k5users = 0;
Jakub Jelen 5b55d0
 	if (options->password_authentication == -1)
Jakub Jelen 5b55d0
 		options->password_authentication = 1;
Jakub Jelen 5b55d0
 	if (options->kbd_interactive_authentication == -1)
Jakub Jelen 6cf9b8
@@ -418,7 +421,7 @@ typedef enum {
Jakub Jelen 25c16c
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
Jakub Jelen 25c16c
 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
Jakub Jelen 132f8f
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
Petr Lautrbach 140e5c
-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
Petr Lautrbach 140e5c
+	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
Jakub Jelen def1de
 	sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
Jakub Jelen def1de
 	sAcceptEnv, sSetEnv, sPermitTunnel,
Jakub Jelen bbf61d
 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
Jakub Jelen def1de
@@ -497,14 +500,16 @@ static struct {
Petr Lautrbach 140e5c
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
Jakub Jelen def1de
 	{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
+	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
Petr Lautrbach 140e5c
 #else
Petr Lautrbach 140e5c
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
Petr Lautrbach 140e5c
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
Jakub Jelen def1de
 	{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
Jakub Jelen def1de
 	{ "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
+	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
Petr Lautrbach 140e5c
 #endif
Petr Lautrbach 140e5c
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
Jakub Jelen 6cf9b8
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
Petr Lautrbach 140e5c
 		intptr = &options->use_kuserok;
Petr Lautrbach 140e5c
 		goto parse_flag;
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
+	case sGssEnablek5users:
Petr Lautrbach 140e5c
+		intptr = &options->enable_k5users;
Petr Lautrbach 140e5c
+		goto parse_flag;
Petr Lautrbach 140e5c
+
Dmitry Belyavskiy 8f4d19
	case sMatch:
Dmitry Belyavskiy 8f4d19
		if (cmdline)
Dmitry Belyavskiy 8f4d19
			fatal("Match directive not supported as a command-line "
Jakub Jelen 6cf9b8
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
Petr Lautrbach 140e5c
 	M_CP_INTOPT(ip_qos_interactive);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(ip_qos_bulk);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(use_kuserok);
Petr Lautrbach 140e5c
+	M_CP_INTOPT(enable_k5users);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(rekey_limit);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(rekey_interval);
Jakub Jelen 5b55d0
 	M_CP_INTOPT(log_level);
Jakub Jelen 6cf9b8
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
Jakub Jelen 5b55d0
 # endif
Jakub Jelen 808908
 	dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
Petr Lautrbach 140e5c
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
Petr Lautrbach 140e5c
+	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
Jakub Jelen 5b55d0
 #endif
Jakub Jelen 5b55d0
 #ifdef GSSAPI
Jakub Jelen 5b55d0
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
Jakub Jelen 6cf9b8
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/servconf.h	2016-12-23 15:18:40.629216102 +0100
Jakub Jelen 5b55d0
@@ -174,6 +174,7 @@ typedef struct {
Jakub Jelen 808908
	int     kerberos_unique_ccache;		/* If true, the acquired ticket will
Jakub Jelen 117678
						 * be stored in per-session ccache */
Jakub Jelen 5b55d0
 	int	use_kuserok;
Petr Lautrbach 140e5c
+	int		enable_k5users;
Jakub Jelen 5b55d0
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
Jakub Jelen 5b55d0
 	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
Jakub Jelen 5b55d0
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users	2016-12-23 15:18:40.630216103 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:36:21.607408435 +0100
Jakub Jelen 6cf9b8
@@ -628,6 +628,12 @@ Specifies whether to automatically destr
Jakub Jelen 13073f
 on logout.
Petr Lautrbach 140e5c
 The default is
Jakub Jelen 6cf9b8
 .Cm yes .
Petr Lautrbach 140e5c
+.It Cm GSSAPIEnablek5users
Petr Lautrbach 140e5c
+Specifies whether to look at .k5users file for GSSAPI authentication
Petr Lautrbach 140e5c
+access control. Further details are described in
Petr Lautrbach 140e5c
+.Xr ksu 1 .
Petr Lautrbach 140e5c
+The default is
Jakub Jelen 6cf9b8
+.Cm no .
Jakub Jelen 6cf9b8
 .It Cm GSSAPIKeyExchange
Jakub Jelen 6cf9b8
 Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
Jakub Jelen 6cf9b8
 doesn't rely on ssh keys to verify host identity.
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
Jakub Jelen 6cf9b8
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
Jakub Jelen 51f5c1
 #GSSAPICleanupCredentials yes
Jakub Jelen 535d34
 #GSSAPIStrictAcceptorCheck yes
Jakub Jelen 535d34
 #GSSAPIKeyExchange no
Jakub Jelen 535d34
+#GSSAPIEnablek5users no
Jakub Jelen 535d34
 
Jakub Jelen 535d34
 # Set this to 'yes' to enable PAM authentication, account processing,
Jakub Jelen 535d34
 # and session processing. If this is enabled, PAM authentication will