vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
Jakub Jelen 6cf9b8
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 15:18:40.628216102 +0100
Jakub Jelen 6cf9b8
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Lautrbach 140e5c
 	FILE *fp;
Petr Lautrbach 140e5c
 	char file[MAXPATHLEN];
Jakub Jelen 580f98
 	char line[BUFSIZ] = "";
Petr Lautrbach 140e5c
-	char kuser[65]; /* match krb5_kuserok() */
Petr Lautrbach 140e5c
 	struct stat st;
Petr Lautrbach 140e5c
 	struct passwd *pw = the_authctxt->pw;
Petr Lautrbach 140e5c
 	int found_principal = 0;
Jakub Jelen 6cf9b8
@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
Petr Lautrbach 140e5c
 	/* If both .k5login and .k5users DNE, self-login is ok. */
Petr Lautrbach 140e5c
-	if (!k5login_exists && (access(file, F_OK) == -1)) {
Petr Lautrbach 140e5c
+	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
Petr Lautrbach 140e5c
                 return ssh_krb5_kuserok(krb_context, principal, luser,
Petr Lautrbach 140e5c
                                         k5login_exists);
Petr Lautrbach 140e5c
 	}
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
Jakub Jelen 6cf9b8
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/servconf.c	2016-12-23 15:35:36.354401156 +0100
Jakub Jelen 6cf9b8
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
Petr Lautrbach 190035
 	options->fingerprint_hash = -1;
Jakub Jelen 6cf9b8
 	options->disable_forwarding = -1;
Petr Lautrbach 140e5c
 	options->use_kuserok = -1;
Petr Lautrbach 140e5c
+	options->enable_k5users = -1;
Petr Lautrbach 140e5c
 }
Petr Lautrbach 140e5c
 
Jakub Jelen 132f8f
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
Jakub Jelen 6cf9b8
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
Jakub Jelen 6cf9b8
 		options->disable_forwarding = 0;
Jakub Jelen 3f5513
 	if (options->use_kuserok == -1)
Jakub Jelen 3f5513
 		options->use_kuserok = 1;
Jakub Jelen 6cf9b8
+	if (options->enable_k5users == -1)
Jakub Jelen 6cf9b8
+		options->enable_k5users = 0;
Jakub Jelen 6cf9b8
 
Jakub Jelen 6cf9b8
 	assemble_algorithms(options);
Jakub Jelen 3f5513
 
Jakub Jelen 6cf9b8
@@ -418,7 +421,7 @@ typedef enum {
Jakub Jelen 132f8f
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
Jakub Jelen 3f5513
 	sHostKeyAlgorithms,
Jakub Jelen 132f8f
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
Petr Lautrbach 140e5c
-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
Petr Lautrbach 140e5c
+	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
Petr Lautrbach 140e5c
 	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
Petr Lautrbach 140e5c
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
Petr Lautrbach 140e5c
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
Jakub Jelen 6cf9b8
@@ -497,12 +500,14 @@ static struct {
Petr Lautrbach 140e5c
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
+	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
Petr Lautrbach 140e5c
 #else
Petr Lautrbach 140e5c
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
Petr Lautrbach 140e5c
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
+	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
Petr Lautrbach 140e5c
 #endif
Petr Lautrbach 140e5c
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
Petr Lautrbach 140e5c
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
Jakub Jelen 6cf9b8
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
Petr Lautrbach 140e5c
 		intptr = &options->use_kuserok;
Petr Lautrbach 140e5c
 		goto parse_flag;
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
+	case sGssEnablek5users:
Petr Lautrbach 140e5c
+		intptr = &options->enable_k5users;
Petr Lautrbach 140e5c
+		goto parse_flag;
Petr Lautrbach 140e5c
+
Petr Lautrbach 140e5c
 	case sPermitOpen:
Petr Lautrbach 140e5c
 		arg = strdelim(&cp;;
Petr Lautrbach 140e5c
 		if (!arg || *arg == '\0')
Jakub Jelen 6cf9b8
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
Petr Lautrbach 140e5c
 	M_CP_INTOPT(ip_qos_interactive);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(ip_qos_bulk);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(use_kuserok);
Petr Lautrbach 140e5c
+	M_CP_INTOPT(enable_k5users);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(rekey_limit);
Petr Lautrbach 140e5c
 	M_CP_INTOPT(rekey_interval);
Petr Lautrbach 140e5c
 
Jakub Jelen 6cf9b8
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
Jakub Jelen 17b491
 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
Petr Lautrbach 190035
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
Petr Lautrbach 140e5c
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
Petr Lautrbach 140e5c
+	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
 	/* string arguments */
Petr Lautrbach 140e5c
 	dump_cfg_string(sPidFile, o->pid_file);
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
Jakub Jelen 6cf9b8
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/servconf.h	2016-12-23 15:18:40.629216102 +0100
Jakub Jelen 6cf9b8
@@ -174,7 +174,8 @@ typedef struct {
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
 	int	num_permitted_opens;
Petr Lautrbach 140e5c
 
Petr Lautrbach 140e5c
-	int	use_kuserok;
Petr Lautrbach 140e5c
+	int		use_kuserok;
Petr Lautrbach 140e5c
+	int		enable_k5users;
Petr Lautrbach 140e5c
 	char   *chroot_directory;
Petr Lautrbach 140e5c
 	char   *revoked_keys_file;
Petr Lautrbach 140e5c
 	char   *trusted_user_ca_keys;
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users	2016-12-23 15:18:40.630216103 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:36:21.607408435 +0100
Jakub Jelen 6cf9b8
@@ -628,6 +628,12 @@ Specifies whether to automatically destr
Jakub Jelen 13073f
 on logout.
Petr Lautrbach 140e5c
 The default is
Jakub Jelen 6cf9b8
 .Cm yes .
Petr Lautrbach 140e5c
+.It Cm GSSAPIEnablek5users
Petr Lautrbach 140e5c
+Specifies whether to look at .k5users file for GSSAPI authentication
Petr Lautrbach 140e5c
+access control. Further details are described in
Petr Lautrbach 140e5c
+.Xr ksu 1 .
Petr Lautrbach 140e5c
+The default is
Jakub Jelen 6cf9b8
+.Cm no .
Jakub Jelen 6cf9b8
 .It Cm GSSAPIKeyExchange
Jakub Jelen 6cf9b8
 Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
Jakub Jelen 6cf9b8
 doesn't rely on ssh keys to verify host identity.
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
Jakub Jelen 6cf9b8
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
Jakub Jelen 535d34
 GSSAPICleanupCredentials no
Jakub Jelen 535d34
 #GSSAPIStrictAcceptorCheck yes
Jakub Jelen 535d34
 #GSSAPIKeyExchange no
Jakub Jelen 535d34
+#GSSAPIEnablek5users no
Jakub Jelen 535d34
 
Jakub Jelen 535d34
 # Set this to 'yes' to enable PAM authentication, account processing,
Jakub Jelen 535d34
 # and session processing. If this is enabled, PAM authentication will