vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
Jakub Jelen 6cf9b8
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 15:18:40.628216102 +0100
Jakub Jelen 6cf9b8
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Lautrbach 140e5c
 	FILE *fp;
Petr Lautrbach 140e5c
 	char file[MAXPATHLEN];
Jakub Jelen 580f98
 	char line[BUFSIZ] = "";
Petr Lautrbach 140e5c
-	char kuser[65]; /* match krb5_kuserok() */
Petr Lautrbach 140e5c
 	struct stat st;
Petr Lautrbach 140e5c
 	struct passwd *pw = the_authctxt->pw;
Petr Lautrbach 140e5c
 	int found_principal = 0;
Jakub Jelen 6cf9b8
@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
Petr Lautrbach 140e5c
 	/* If both .k5login and .k5users DNE, self-login is ok. */
Petr Lautrbach 140e5c
-	if (!k5login_exists && (access(file, F_OK) == -1)) {
Petr Lautrbach 140e5c
+	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
Petr Lautrbach 140e5c
                 return ssh_krb5_kuserok(krb_context, principal, luser,
Petr Lautrbach 140e5c
                                         k5login_exists);
Petr Lautrbach 140e5c
 	}
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
Jakub Jelen 6cf9b8
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/servconf.c	2016-12-23 15:35:36.354401156 +0100
Jakub Jelen 6cf9b8
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
Jakub Jelen 5b55d0
 	options->gss_strict_acceptor = -1;
Jakub Jelen 5b55d0
 	options->gss_store_rekey = -1;
Petr Lautrbach 140e5c
 	options->use_kuserok = -1;
Petr Lautrbach 140e5c
+	options->enable_k5users = -1;
Jakub Jelen 5b55d0
 	options->password_authentication = -1;
Jakub Jelen 5b55d0
 	options->kbd_interactive_authentication = -1;
Jakub Jelen 5b55d0
 	options->challenge_response_authentication = -1;
Jakub Jelen 6cf9b8
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
Jakub Jelen 5b55d0
 		options->gss_store_rekey = 0;
Jakub Jelen 3f5513
 	if (options->use_kuserok == -1)
Jakub Jelen 3f5513
 		options->use_kuserok = 1;
Jakub Jelen 6cf9b8
+	if (options->enable_k5users == -1)
Jakub Jelen 6cf9b8
+		options->enable_k5users = 0;
Jakub Jelen 5b55d0
 	if (options->password_authentication == -1)
Jakub Jelen 5b55d0
 		options->password_authentication = 1;
Jakub Jelen 5b55d0
 	if (options->kbd_interactive_authentication == -1)
Jakub Jelen 6cf9b8
@@ -418,7 +421,7 @@ typedef enum {
Jakub Jelen 132f8f
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
Jakub Jelen 3f5513
 	sHostKeyAlgorithms,
Jakub Jelen 132f8f
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
Petr Lautrbach 140e5c
-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
Petr Lautrbach 140e5c
+	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
Petr Lautrbach 140e5c
 	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
Petr Lautrbach 140e5c
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
Petr Lautrbach 140e5c
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
Jakub Jelen 6cf9b8
@@ -497,12 +500,14 @@ static struct {
Petr Lautrbach 140e5c
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
+	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
Petr Lautrbach 140e5c
 #else
Petr Lautrbach 140e5c
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
Petr Lautrbach 140e5c
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
+	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
Petr Lautrbach 140e5c
 #endif
Petr Lautrbach 140e5c
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
Jakub Jelen 6cf9b8
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
Petr Lautrbach 140e5c
 		intptr = &options->use_kuserok;
Petr Lautrbach 140e5c
 		goto parse_flag;
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
+	case sGssEnablek5users:
Petr Lautrbach 140e5c
+		intptr = &options->enable_k5users;
Petr Lautrbach 140e5c
+		goto parse_flag;
Petr Lautrbach 140e5c
+
Petr Lautrbach 140e5c
 	case sPermitOpen:
Petr Lautrbach 140e5c
 		arg = strdelim(&cp;;
Petr Lautrbach 140e5c
 		if (!arg || *arg == '\0')
Jakub Jelen 6cf9b8
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
Petr Lautrbach 140e5c
 	M_CP_INTOPT(ip_qos_interactive);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(ip_qos_bulk);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(use_kuserok);
Petr Lautrbach 140e5c
+	M_CP_INTOPT(enable_k5users);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(rekey_limit);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(rekey_interval);
Jakub Jelen 5b55d0
 	M_CP_INTOPT(log_level);
Jakub Jelen 6cf9b8
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
Jakub Jelen 5b55d0
 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
Jakub Jelen 5b55d0
 # endif
Petr Lautrbach 140e5c
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
Petr Lautrbach 140e5c
+	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
Jakub Jelen 5b55d0
 #endif
Jakub Jelen 5b55d0
 #ifdef GSSAPI
Jakub Jelen 5b55d0
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
Jakub Jelen 6cf9b8
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/servconf.h	2016-12-23 15:18:40.629216102 +0100
Jakub Jelen 5b55d0
@@ -174,6 +174,7 @@ typedef struct {
Jakub Jelen 5b55d0
 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
Jakub Jelen 5b55d0
 						 * authenticated with Kerberos. */
Jakub Jelen 5b55d0
 	int	use_kuserok;
Petr Lautrbach 140e5c
+	int		enable_k5users;
Jakub Jelen 5b55d0
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
Jakub Jelen 5b55d0
 	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
Jakub Jelen 5b55d0
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users	2016-12-23 15:18:40.630216103 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:36:21.607408435 +0100
Jakub Jelen 6cf9b8
@@ -628,6 +628,12 @@ Specifies whether to automatically destr
Jakub Jelen 13073f
 on logout.
Petr Lautrbach 140e5c
 The default is
Jakub Jelen 6cf9b8
 .Cm yes .
Petr Lautrbach 140e5c
+.It Cm GSSAPIEnablek5users
Petr Lautrbach 140e5c
+Specifies whether to look at .k5users file for GSSAPI authentication
Petr Lautrbach 140e5c
+access control. Further details are described in
Petr Lautrbach 140e5c
+.Xr ksu 1 .
Petr Lautrbach 140e5c
+The default is
Jakub Jelen 6cf9b8
+.Cm no .
Jakub Jelen 6cf9b8
 .It Cm GSSAPIKeyExchange
Jakub Jelen 6cf9b8
 Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
Jakub Jelen 6cf9b8
 doesn't rely on ssh keys to verify host identity.
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
Jakub Jelen 6cf9b8
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
Jakub Jelen 535d34
 GSSAPICleanupCredentials no
Jakub Jelen 535d34
 #GSSAPIStrictAcceptorCheck yes
Jakub Jelen 535d34
 #GSSAPIKeyExchange no
Jakub Jelen 535d34
+#GSSAPIEnablek5users no
Jakub Jelen 535d34
 
Jakub Jelen 535d34
 # Set this to 'yes' to enable PAM authentication, account processing,
Jakub Jelen 535d34
 # and session processing. If this is enabled, PAM authentication will