diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 15:18:40.628216102 +0100
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	FILE *fp;
 	char file[MAXPATHLEN];
 	char line[BUFSIZ] = "";
-	char kuser[65]; /* match krb5_kuserok() */
 	struct stat st;
 	struct passwd *pw = the_authctxt->pw;
 	int found_principal = 0;
@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
 	/* If both .k5login and .k5users DNE, self-login is ok. */
-	if (!k5login_exists && (access(file, F_OK) == -1)) {
+	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
                 return ssh_krb5_kuserok(krb_context, principal, luser,
                                         k5login_exists);
 	}
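Review bot: With GSSAPIEnablek5users off, the new condition sends every request straight to `ssh_krb5_kuserok()` without ever looking at `.k5users`, so a user who still has such a file from a setup that honored it loses those entries with nothing in the log to explain the denial; a `debug("%s: ignoring .k5users, GSSAPIEnablek5users is off", __func__);` emitted when `options.enable_k5users` is 0 would make that easy to diagnose without widening what is accepted. The short-circuit order is right, since `access()` is not even called when the option is disabled. Reading `options` here presumes gss-serv-krb5.c already declares the global `ServerOptions options` — not visible in this hunk, worth confirming. As a style point the surrounding tree writes this as `if (!options.enable_k5users || (!k5login_exists && access(file, F_OK) == -1)) {` without the stray space after the opening parenthesis. ssh_gssapi_krb5_cmdok's body continues outside the hunk.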
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.4p1/servconf.c	2016-12-23 15:35:36.354401156 +0100
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
 	options->fingerprint_hash = -1;
 	options->disable_forwarding = -1;
 	options->use_kuserok = -1;
+	options->enable_k5users = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
 		options->disable_forwarding = 0;
 	if (options->use_kuserok == -1)
 		options->use_kuserok = 1;
+	if (options->enable_k5users == -1)
+		options->enable_k5users = 0;
 
 	assemble_algorithms(options);
 
@@ -418,7 +421,7 @@ typedef enum {
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
 	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -497,12 +500,14 @@ static struct {
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
 #endif
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->use_kuserok;
 		goto parse_flag;
 
+	case sGssEnablek5users:
+		intptr = &options->enable_k5users;
+		goto parse_flag;
+
 	case sPermitOpen:
 		arg = strdelim(&cp;;
 		if (!arg || *arg == '\0')
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(use_kuserok);
+	M_CP_INTOPT(enable_k5users);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
 
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.4p1/servconf.h	2016-12-23 15:18:40.629216102 +0100
@@ -174,7 +174,8 @@ typedef struct {
 
 	int	num_permitted_opens;
 
-	int	use_kuserok;
+	int		use_kuserok;
+	int		enable_k5users;
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
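Review bot: The `use_kuserok` line is removed and re-added only to change its tab alignment, which turns a one-field addition into a two-line change and gives this downstream patch an extra conflict to resolve on every rebase; keeping the original `int	use_kuserok;` and adding `int	enable_k5users;` beneath it in the same style is enough. A short comment tying the new field to the keyword it backs, `int	enable_k5users;	/* GSSAPIEnablek5users */`, would also help, since nothing in this hunk connects the two names. The enclosing struct starts and ends outside the hunk.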
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users	2016-12-23 15:18:40.630216103 +0100
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:36:21.607408435 +0100
@@ -628,6 +628,12 @@ Specifies whether to automatically destr
 on logout.
 The default is
 .Cm yes .
+.It Cm GSSAPIEnablek5users
+Specifies whether to look at .k5users file for GSSAPI authentication
+access control. Further details are described in
+.Xr ksu 1 .
+The default is
+.Cm no .
 .It Cm GSSAPIKeyExchange
 Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
 doesn't rely on ssh keys to verify host identity.
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
 GSSAPICleanupCredentials no
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will