From d9e6186c71e777376d809e54eef19812df6b2d42 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Feb 06 2012 21:16:38 +0000 Subject: replace TwoFactorAuth with RequiredAuthentications[12] https://bugzilla.mindrot.org/show_bug.cgi?id=983 --- diff --git a/openssh-5.9p1-akc.patch b/openssh-5.9p1-akc.patch index 62a478b..e50098f 100644 --- a/openssh-5.9p1-akc.patch +++ b/openssh-5.9p1-akc.patch @@ -1,6 +1,6 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c ---- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-14 07:24:40.876512251 +0200 -+++ openssh-5.9p1/auth2-pubkey.c 2011-09-14 07:24:43.318458515 +0200 +--- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100 ++++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100 @@ -27,6 +27,7 @@ #include @@ -136,7 +136,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c + do { + if ((cp = strrchr(progname, '/')) == NULL) + break; -+ else ++ else + *cp = '\0'; + + debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname)); @@ -241,8 +241,8 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c return 0; if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac ---- openssh-5.9p1/configure.ac.akc 2011-09-14 07:24:42.863494886 +0200 -+++ openssh-5.9p1/configure.ac 2011-09-14 07:24:43.441583848 +0200 +--- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100 ++++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100 @@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit], esac ] ) 
@@ -271,9 +271,9 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c ---- openssh-5.9p1/servconf.c.akc 2011-09-14 07:24:29.402475399 +0200 -+++ openssh-5.9p1/servconf.c 2011-09-14 07:56:27.158585590 +0200 -@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions +--- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100 ++++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100 +@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; @@ -282,7 +282,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c options->zero_knowledge_password_authentication = -1; options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; -@@ -348,6 +350,7 @@ typedef enum { +@@ -329,6 +331,7 @@ typedef enum { sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, @@ -290,9 +290,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c sDeprecated, sUnsupported } ServerOpCodes; -@@ -487,6 +490,13 @@ static struct { - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, +@@ -455,6 +458,13 @@ static struct { + { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL }, + { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL }, +#ifdef WITH_AUTHORIZED_KEYS_COMMAND + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, 
@@ -304,7 +304,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c { NULL, sBadOption, 0 } }; -@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions +@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions } break; @@ -329,16 +329,16 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); -@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d +@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d + M_CP_INTOPT(hostbased_uses_name_from_packet_only); + M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(zero_knowledge_password_authentication); - M_CP_INTOPT(second_zero_knowledge_password_authentication); - M_CP_INTOPT(two_factor_authentication); + M_CP_STROPT(authorized_keys_command); + M_CP_STROPT(authorized_keys_command_runas); M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_empty_passwd); -@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o) +@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sRevokedKeys, o->revoked_keys_file); dump_cfg_string(sAuthorizedPrincipalsFile, o->authorized_principals_file); @@ -348,9 +348,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h ---- openssh-5.9p1/servconf.h.akc 2011-09-14 07:24:29.511480441 +0200 -+++ openssh-5.9p1/servconf.h 2011-09-14 07:24:43.678459183 +0200 -@@ -174,6 +174,8 @@ typedef struct { +--- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100 ++++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100 +@@ -169,6 +169,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; char *authorized_principals_file; 
@@ -359,9 +359,22 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h } ServerOptions; /* +diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config +--- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200 ++++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100 +@@ -49,6 +49,9 @@ + # but this is overridden so installations will only check .ssh/authorized_keys + AuthorizedKeysFile .ssh/authorized_keys + ++#AuthorizedKeysCommand none ++#AuthorizedKeysCommandRunAs nobody ++ + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts + #RhostsRSAAuthentication no + # similar for protocol version 2 diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 --- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200 -+++ openssh-5.9p1/sshd_config.0 2011-09-14 07:24:43.791460201 +0200 ++++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100 @@ -71,6 +71,23 @@ DESCRIPTION See PATTERNS in ssh_config(5) for more information on patterns. @@ -370,8 +383,8 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 + + Specifies a program to be used for lookup of the user's + public keys. The program will be invoked with its first -+ argument the name of the user being authorized, and should produce -+ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS ++ argument the name of the user being authorized, and should produce ++ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS + in sshd(8)). By default (or when set to the empty string) there is no + AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully + authorize the user, authorization falls through to the 
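Review bot: The sample sshd_config section moved into this hunk shows `#AuthorizedKeysCommandRunAs nobody`, while the sshd_config.5 text later in this file states that the default is the empty string, meaning the user being authorized. If this file follows the upstream habit of showing each option's default in the commented entries, a reader will take `nobody` for the default; suggest `#AuthorizedKeysCommandRunAs` with no value, or keep `nobody` and add `# example, not the default` beside it. The same mismatch exists between `#AuthorizedKeysCommand none` and the manual's "empty string". The section is a move from the end of this patch, so the wording predates the commit.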
@@ -397,9 +410,29 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 GSSAPIAuthentication, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 ---- openssh-5.9p1/sshd_config.5.akc 2011-09-14 07:24:29.793520372 +0200 -+++ openssh-5.9p1/sshd_config.5 2011-09-14 07:24:43.912583678 +0200 -@@ -706,6 +706,8 @@ Available keywords are +--- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100 ++++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100 +@@ -151,6 +151,19 @@ See + in + .Xr ssh_config 5 + for more information on patterns. ++.It Cm AuthorizedKeysCommand ++Specifies a program to be used for lookup of the user's ++public keys. The program will be invoked with its first ++argument the name of the user being authorized, and should produce ++on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS ++in sshd(8)). By default (or when set to the empty string) there is no ++AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully ++authorize the user, authorization falls through to the ++AuthorizedKeysFile. Note that this option has an effect ++only with PubkeyAuthentication turned on. ++.It Cm AuthorizedKeysCommandRunAs ++Specifies the user under whose account the AuthorizedKeysCommand is run. Empty ++string (the default value) means the user being authorized is used. + .It Cm AuthorizedKeysFile + Specifies the file that contains the public keys that can be used + for user authentication. +@@ -706,6 +719,8 @@ Available keywords are .Cm AllowAgentForwarding , .Cm AllowTcpForwarding , .Cm AuthorizedKeysFile , 
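Review bot: The mdoc text in the new `@@ -151,6 +151,19 @@` section of sshd_config.5 writes its cross-references as plain words, `sshd(8)` and `AUTHORIZED_KEYS`, while the line directly above it uses `.Xr ssh_config 5`; the page's own convention would be `.Xr sshd 8` and `.Sx AUTHORIZED_KEYS FILE FORMAT` on macro lines of their own. The AuthorizedKeysCommand entry also says nothing about what ownership or permissions the program path must satisfy, although the `checking component` walk in this file's first hunk suggests auth2-pubkey.c enforces something there; one sentence stating whatever the code actually checks would let administrators configure it correctly. This text is a move from the `@@ -926` position removed in the last hunk of this file, so the wording itself predates the commit.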
@@ -408,7 +441,7 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , -@@ -718,6 +720,7 @@ Available keywords are +@@ -718,6 +733,7 @@ Available keywords are .Cm KerberosAuthentication , .Cm MaxAuthTries , .Cm MaxSessions , 
@@ -416,37 +449,3 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 .Cm PasswordAuthentication , .Cm PermitEmptyPasswords , .Cm PermitOpen , -@@ -926,6 +929,20 @@ Specifies a list of revoked public keys. - Keys listed in this file will be refused for public key authentication. - Note that if this file is not readable, then public key authentication will - be refused for all users. -+.It Cm AuthorizedKeysCommand -+Specifies a program to be used for lookup of the user's -+public keys. The program will be invoked with its first -+argument the name of the user being authorized, and should produce -+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS -+in sshd(8)). By default (or when set to the empty string) there is no -+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully -+authorize the user, authorization falls through to the -+AuthorizedKeysFile. Note that this option has an effect -+only with PubkeyAuthentication turned on. -+.It Cm AuthorizedKeysCommandRunAs -+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty -+string (the default value) means the user being authorized is used. -+.Dq - .It Cm RhostsRSAAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication together - with successful RSA host authentication is allowed. -diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config ---- openssh-5.9p1/sshd_config.akc 2011-09-14 07:24:29.620461608 +0200 -+++ openssh-5.9p1/sshd_config 2011-09-14 07:24:44.034462546 +0200 -@@ -49,6 +49,9 @@ - # but this is overridden so installations will only check .ssh/authorized_keys - AuthorizedKeysFile .ssh/authorized_keys - -+#AuthorizedKeysCommand none -+#AuthorizedKeysCommandRunAs nobody -+ - # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts - #RhostsRSAAuthentication no - # similar for protocol version 2 
diff --git a/openssh-5.9p1-audit4.patch b/openssh-5.9p1-audit4.patch
index 0594a63..88dd403 100644
--- a/openssh-5.9p1-audit4.patch
+++ b/openssh-5.9p1-audit4.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
---- openssh-5.9p1/audit-bsm.c.audit4 2011-09-18 05:13:24.922458521 +0200
-+++ openssh-5.9p1/audit-bsm.c 2011-09-18 05:13:26.808459314 +0200
+--- openssh-5.9p1/audit-bsm.c.audit4 2012-02-06 17:15:01.574908126 +0100
++++ openssh-5.9p1/audit-bsm.c 2012-02-06 17:15:21.656095559 +0100
 @@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
 {
 /* not implemented */
@@ -12,9 +12,52 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
 + /* not implemented */
 +}
 #endif /* BSM */
+diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
+--- openssh-5.9p1/audit.c.audit4 2012-02-06 17:15:01.576787216 +0100
++++ openssh-5.9p1/audit.c 2012-02-06 17:15:21.690032906 +0100
+@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
+ }
+ 
++void
++audit_session_key_free(int ctos)
++{
++ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
++}
++
+ # ifndef CUSTOM_SSH_AUDIT_EVENTS
+ /*
+ * Null implementations of audit functions.
+@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
+ (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
+ (unsigned)uid);
+ }
++
++/*
++ * This will be called on succesfull session key discard
++ */
++void
++audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
++{
++ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
++ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
++}
+ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
+ #endif /* SSH_AUDIT_EVENTS */
+diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
+--- openssh-5.9p1/audit.h.audit4 2012-02-06 17:15:01.576787216 +0100
++++ openssh-5.9p1/audit.h 2012-02-06 17:15:21.690876254 +0100
+@@ -62,5 +62,7 @@ void audit_unsupported(int);
+ void audit_kex(int, char *, char *, char *);
+ void audit_unsupported_body(int);
+ void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
++void audit_session_key_free(int ctos);
++void audit_session_key_free_body(int ctos, pid_t, uid_t);
+ 
+ #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
---- openssh-5.9p1/audit-linux.c.audit4 2011-09-18 05:13:25.041460630 +0200
-+++ openssh-5.9p1/audit-linux.c 2011-09-18 05:13:26.897563551 +0200
+--- openssh-5.9p1/audit-linux.c.audit4 2012-02-06 17:15:01.575908525 +0100
++++ 
openssh-5.9p1/audit-linux.c 2012-02-06 17:15:21.682001323 +0100 @@ -294,6 +294,8 @@ audit_unsupported_body(int what) #endif } 
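Review bot: The comment above the new `audit_session_key_free_body` in the audit.c section carries a typo, `succesfull`; suggest `/* Called when a session key has been discarded. */`. The two prototypes appended to audit.h name a parameter (`int ctos`) while every neighbouring declaration such as `audit_kex_body(int, char *, char *, char *, pid_t, uid_t)` is unnamed, and the second one names only one of its three parameters; for consistency write `void audit_session_key_free(int);` and `void audit_session_key_free_body(int, pid_t, uid_t);`. Both sections are moves from further down this file, so the code itself is not new to the commit.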
@@ -65,52 +108,9 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c +} + #endif /* USE_LINUX_AUDIT */ -diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c ---- openssh-5.9p1/audit.c.audit4 2011-09-18 05:13:25.151459504 +0200 -+++ openssh-5.9p1/audit.c 2011-09-18 05:13:26.995548664 +0200 -@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac - PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid())); - } - -+void -+audit_session_key_free(int ctos) -+{ -+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid())); -+} -+ - # ifndef CUSTOM_SSH_AUDIT_EVENTS - /* - * Null implementations of audit functions. -@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char - (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid, - (unsigned)uid); - } -+ -+/* -+ * This will be called on succesfull session key discard -+ */ -+void -+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) -+{ -+ debug("audit session key discard euid %u direction %d from pid %ld uid %u", -+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid); -+} - # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ - #endif /* SSH_AUDIT_EVENTS */ -diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h ---- openssh-5.9p1/audit.h.audit4 2011-09-18 05:13:25.247587021 +0200 -+++ openssh-5.9p1/audit.h 2011-09-18 05:13:27.107531553 +0200 -@@ -62,5 +62,7 @@ void audit_unsupported(int); - void audit_kex(int, char *, char *, char *); - void audit_unsupported_body(int); - void audit_kex_body(int, char *, char *, char *, pid_t, uid_t); -+void audit_session_key_free(int ctos); -+void audit_session_key_free_body(int ctos, pid_t, uid_t); - - #endif /* _SSH_AUDIT_H */ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c ---- openssh-5.9p1/auditstub.c.audit4 2011-09-18 05:13:25.350459598 +0200 -+++ openssh-5.9p1/auditstub.c 2011-09-18 05:13:27.209523920 +0200 +--- openssh-5.9p1/auditstub.c.audit4 2012-02-06 17:15:01.576787216 +0100 ++++ 
openssh-5.9p1/auditstub.c 2012-02-06 17:15:21.690876254 +0100 @@ -27,6 +27,8 @@ * Red Hat author: Jan F. Chadima */ @@ -134,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c +{ +} diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c ---- openssh-5.9p1/kex.c.audit4 2011-09-18 05:13:25.656459960 +0200 -+++ openssh-5.9p1/kex.c 2011-09-18 05:13:27.309500951 +0200 +--- openssh-5.9p1/kex.c.audit4 2012-02-06 17:15:01.578907640 +0100 ++++ openssh-5.9p1/kex.c 2012-02-06 17:15:21.691785656 +0100 @@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i fprintf(stderr, "\n"); } @@ -173,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c + diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h --- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200 -+++ openssh-5.9p1/kex.h 2011-09-18 05:13:27.419492884 +0200 ++++ openssh-5.9p1/kex.h 2012-02-06 17:15:21.691785656 +0100 @@ -156,6 +156,8 @@ void kexgex_server(Kex *); void kexecdh_client(Kex *); void kexecdh_server(Kex *); @@ -185,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c --- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200 -+++ openssh-5.9p1/mac.c 2011-09-18 05:13:27.545464964 +0200 ++++ openssh-5.9p1/mac.c 2012-02-06 17:15:21.692918961 +0100 @@ -168,6 +168,20 @@ mac_clear(Mac *mac) mac->umac_ctx = NULL; } @@ -209,16 +209,16 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c int diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h --- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200 -+++ openssh-5.9p1/mac.h 2011-09-18 05:13:27.675473027 +0200 ++++ openssh-5.9p1/mac.h 2012-02-06 17:15:21.692918961 +0100 
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *); int mac_init(Mac *); u_char *mac_compute(Mac *, u_int32_t, u_char *, int); void mac_clear(Mac *); +void mac_destroy(Mac *); diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c ---- openssh-5.9p1/monitor.c.audit4 2011-09-18 05:13:25.778584691 +0200 -+++ openssh-5.9p1/monitor.c 2011-09-18 05:15:22.786522699 +0200 -@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer +--- openssh-5.9p1/monitor.c.audit4 2012-02-06 17:15:01.579896475 +0100 ++++ openssh-5.9p1/monitor.c 2012-02-06 17:16:32.405783810 +0100 +@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer int mm_answer_audit_end_command(int, Buffer *); int mm_answer_audit_unsupported_body(int, Buffer *); int mm_answer_audit_kex_body(int, Buffer *); @@ -226,7 +226,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c #endif static int monitor_read_log(struct monitor *); -@@ -241,6 +242,7 @@ struct mon_table mon_dispatch_proto20[] +@@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, @@ -234,7 +234,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -280,6 +282,7 @@ struct mon_table mon_dispatch_postauth20 +@@ -281,6 +283,7 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, 
@@ -242,7 +242,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c #endif {0, 0, NULL} }; -@@ -313,6 +316,7 @@ struct mon_table mon_dispatch_proto15[] +@@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, @@ -250,7 +250,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c #endif {0, 0, NULL} }; -@@ -327,6 +331,7 @@ struct mon_table mon_dispatch_postauth15 +@@ -328,6 +332,7 @@ struct mon_table mon_dispatch_postauth15 {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, @@ -258,8 +258,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c #endif {0, 0, NULL} }; -@@ -437,10 +442,6 @@ monitor_child_preauth(Authctxt *_authctx - } +@@ -451,10 +456,6 @@ monitor_child_preauth(Authctxt *_authctx + #endif } - /* Drain any buffered messages from the child */ @@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c if (!authctxt->valid) fatal("%s: authenticated invalid user", __func__); if (strcmp(auth_method, "unknown") == 0) -@@ -1927,11 +1928,13 @@ mm_get_keystate(struct monitor *pmonitor +@@ -1954,11 +1955,13 @@ mm_get_keystate(struct monitor *pmonitor blob = buffer_get_string(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); @@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c xfree(blob); /* Now get sequence numbers for the packets */ -@@ -1977,6 +1980,21 @@ mm_get_keystate(struct monitor *pmonitor +@@ -2004,6 +2007,21 @@ mm_get_keystate(struct monitor *pmonitor } buffer_free(&m); 
@@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c } -@@ -2421,4 +2439,22 @@ mm_answer_audit_kex_body(int sock, Buffe +@@ -2450,4 +2468,22 @@ mm_answer_audit_kex_body(int sock, Buffe return 0; } @@ -329,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h ---- openssh-5.9p1/monitor.h.audit4 2011-09-18 05:13:25.887586033 +0200 -+++ openssh-5.9p1/monitor.h 2011-09-18 05:13:27.934522919 +0200 +--- openssh-5.9p1/monitor.h.audit4 2012-02-06 17:15:01.580908188 +0100 ++++ openssh-5.9p1/monitor.h 2012-02-06 17:15:21.695033617 +0100 @@ -63,6 +63,7 @@ enum monitor_reqtype { MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND, MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED, @@ -340,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c ---- openssh-5.9p1/monitor_wrap.c.audit4 2011-09-18 05:13:26.013583317 +0200 -+++ openssh-5.9p1/monitor_wrap.c 2011-09-18 05:13:28.049519981 +0200 +--- openssh-5.9p1/monitor_wrap.c.audit4 2012-02-06 17:15:01.581802928 +0100 ++++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:15:21.696033353 +0100 @@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor fatal("%s: conversion of newkeys failed", __func__); 
@@ -378,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h ---- openssh-5.9p1/monitor_wrap.h.audit4 2011-09-18 05:13:26.119474152 +0200 -+++ openssh-5.9p1/monitor_wrap.h 2011-09-18 05:13:28.151521539 +0200 +--- openssh-5.9p1/monitor_wrap.h.audit4 2012-02-06 17:15:01.582908343 +0100 ++++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:15:21.696033353 +0100 @@ -79,6 +79,7 @@ int mm_audit_run_command(const char *); void mm_audit_end_command(int, const char *); void mm_audit_unsupported_body(int); @@ -389,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h struct Session; diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c ---- openssh-5.9p1/packet.c.audit4 2011-09-18 05:13:20.417548627 +0200 -+++ openssh-5.9p1/packet.c 2011-09-18 05:13:28.278520968 +0200 +--- openssh-5.9p1/packet.c.audit4 2012-02-06 17:15:01.545908387 +0100 ++++ openssh-5.9p1/packet.c 2012-02-06 17:15:21.696886524 +0100 @@ -60,6 +60,7 @@ #include @@ -584,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c + diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h --- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200 -+++ openssh-5.9p1/packet.h 2011-09-18 05:13:28.385521238 +0200 ++++ openssh-5.9p1/packet.h 2012-02-06 17:15:21.697874825 +0100 @@ -124,4 +124,5 @@ void packet_restore_state(void); void *packet_get_input(void); void *packet_get_output(void); 
@@ -592,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h +void packet_destroy_all(int, int); #endif /* PACKET_H */ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c ---- openssh-5.9p1/session.c.audit4 2011-09-18 05:13:22.842504192 +0200 -+++ openssh-5.9p1/session.c 2011-09-18 05:13:28.511522576 +0200 +--- openssh-5.9p1/session.c.audit4 2012-02-06 17:15:01.562908533 +0100 ++++ openssh-5.9p1/session.c 2012-02-06 17:15:21.697874825 +0100 @@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command /* remove hostkey from the child's memory */ @@ -605,8 +605,8 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c /* Force a password change */ if (s->authctxt->force_pwchange) { diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c ---- openssh-5.9p1/sshd.c.audit4 2011-09-18 05:13:26.617460032 +0200 -+++ openssh-5.9p1/sshd.c 2011-09-18 05:13:28.621521065 +0200 +--- openssh-5.9p1/sshd.c.audit4 2012-02-06 17:15:01.583866459 +0100 ++++ openssh-5.9p1/sshd.c 2012-02-06 17:15:21.699033720 +0100 @@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt) } } diff --git a/openssh-5.9p1-gsskex.patch b/openssh-5.9p1-gsskex.patch index c7ac7e2..52418e0 100644 --- a/openssh-5.9p1-gsskex.patch +++ b/openssh-5.9p1-gsskex.patch 
@@ -1,143 +1,6 @@ -diff -up openssh-5.9p0/ChangeLog.gssapi.gsskex openssh-5.9p0/ChangeLog.gssapi ---- openssh-5.9p0/ChangeLog.gssapi.gsskex 2011-09-03 20:30:47.817440618 +0200 -+++ openssh-5.9p0/ChangeLog.gssapi 2011-09-03 20:30:47.843489156 +0200 -@@ -0,0 +1,113 @@ -+20110101 -+ - Finally update for OpenSSH 5.6p1 -+ - Add GSSAPIServerIdentity option from Jim Basney -+ -+20100308 -+ - [ Makefile.in, key.c, key.h ] -+ Updates for OpenSSH 5.4p1 -+ - [ servconf.c ] -+ Include GSSAPI options in the sshd -T configuration dump, and flag -+ some older configuration options as being unsupported. Thanks to Colin -+ Watson. -+ - -+ -+20100124 -+ - [ sshconnect2.c ] -+ Adapt to deal with additional element in Authmethod structure. Thanks to -+ Colin Watson -+ -+20090615 -+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c -+ sshd.c ] -+ Fix issues identified by Greg Hudson following a code review -+ Check return value of gss_indicate_mechs -+ Protect GSSAPI calls in monitor, so they can only be used if enabled -+ Check return values of bignum functions in key exchange -+ Use BN_clear_free to clear other side's DH value -+ Make ssh_gssapi_id_kex more robust -+ Only configure kex table pointers if GSSAPI is enabled -+ Don't leak mechanism list, or gss mechanism list -+ Cast data.length before printing -+ If serverkey isn't provided, use an empty string, rather than NULL -+ -+20090201 -+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h -+ ssh_config.5 sshconnet2.c ] -+ Add support for the GSSAPIClientIdentity option, which allows the user -+ to specify which GSSAPI identity to use to contact a given server -+ -+20080404 -+ - [ gss-serv.c ] -+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow -+ been omitted from a previous version of this patch. 
Reported by Borislav -+ Stoichkov -+ -+20070317 -+ - [ gss-serv-krb5.c ] -+ Remove C99ism, where new_ccname was being declared in the middle of a -+ function -+ -+20061220 -+ - [ servconf.c ] -+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and -+ documented, behaviour. Reported by Dan Watson. -+ -+20060910 -+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c -+ ssh-gss.h ] -+ add support for gss-group14-sha1 key exchange mechanisms -+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ] -+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of -+ acceptor principal checking on multi-homed machines. -+ -+ - [ sshd_config ssh_config ] -+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample -+ configuration files -+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ] -+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf() -+ Limit length of error messages displayed by client -+ -+20060909 -+ - [ gss-genr.c gss-serv.c ] -+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server -+ only, where they belong -+ -+ -+20060829 -+ - [ gss-serv-krb5.c ] -+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment -+ variable -+ -+20060828 -+ - [ gss-genr.c ] -+ Avoid Heimdal context freeing problem -+ -+ -+20060818 -+ - [ gss-genr.c ssh-gss.h sshconnect2.c ] -+ Make sure that SPENGO is disabled -+ -+ -+20060421 -+ - [ gssgenr.c, sshconnect2.c ] -+ a few type changes (signed versus unsigned, int versus size_t) to -+ fix compiler errors/warnings -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ kexgssc.c, sshconnect2.c ] -+ fix uninitialized variable warnings -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ gssgenr.c ] -+ pass oid to gss_display_status (helpful when using GSSAPI mechglue) -+ (from jbasney AT ncsa.uiuc.edu) -+ -+ - [ gss-serv-krb5.c ] -+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H -+ (from jbasney AT ncsa.uiuc.edu) -+ -+ - [ readconf.c, 
readconf.h, ssh_config.5, sshconnect2.c -+ add client-side GssapiKeyExchange option -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ sshconnect2.c ] -+ add support for GssapiTrustDns option for gssapi-with-mic -+ (from jbasney AT ncsa.uiuc.edu) -+ -diff -up openssh-5.9p0/Makefile.in.gsskex openssh-5.9p0/Makefile.in ---- openssh-5.9p0/Makefile.in.gsskex 2011-09-03 20:30:41.636439385 +0200 -+++ openssh-5.9p0/Makefile.in 2011-09-03 20:30:47.923501149 +0200 -@@ -74,6 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b - atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ - monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ - kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ -+ kexgssc.o \ - msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ - schnorr.o ssh-pkcs11.o auditstub.o - -@@ -90,7 +91,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ - auth-krb5.o \ -- auth2-gss.o gss-serv.o gss-serv-krb5.o \ -+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o \ -diff -up openssh-5.9p0/auth-krb5.c.gsskex openssh-5.9p0/auth-krb5.c ---- openssh-5.9p0/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 -+++ openssh-5.9p0/auth-krb5.c 2011-09-03 20:30:48.038503119 +0200 +diff -up openssh-5.9p1/auth-krb5.c.gsskex openssh-5.9p1/auth-krb5.c +--- openssh-5.9p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 ++++ openssh-5.9p1/auth-krb5.c 2012-02-06 17:38:19.166867405 +0100 @@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c len = strlen(authctxt->krb5_ticket_file) + 6; 
@@ -185,9 +48,28 @@ diff -up openssh-5.9p0/auth-krb5.c.gsskex openssh-5.9p0/auth-krb5.c return (krb5_cc_resolve(ctx, ccname, ccache)); } -diff -up openssh-5.9p0/auth2-gss.c.gsskex openssh-5.9p0/auth2-gss.c ---- openssh-5.9p0/auth2-gss.c.gsskex 2011-09-03 20:30:32.938448441 +0200 -+++ openssh-5.9p0/auth2-gss.c 2011-09-03 20:30:48.173461037 +0200 +diff -up openssh-5.9p1/auth2.c.gsskex openssh-5.9p1/auth2.c +--- openssh-5.9p1/auth2.c.gsskex 2012-02-06 17:38:19.046907913 +0100 ++++ openssh-5.9p1/auth2.c 2012-02-06 17:38:19.169220866 +0100 +@@ -69,6 +69,7 @@ extern Authmethod method_passwd; + extern Authmethod method_kbdint; + extern Authmethod method_hostbased; + #ifdef GSSAPI ++extern Authmethod method_gsskeyex; + extern Authmethod method_gssapi; + #endif + #ifdef JPAKE +@@ -79,6 +80,7 @@ Authmethod *authmethods[] = { + &method_none, + &method_pubkey, + #ifdef GSSAPI ++ &method_gsskeyex, + &method_gssapi, + #endif + #ifdef JPAKE +diff -up openssh-5.9p1/auth2-gss.c.gsskex openssh-5.9p1/auth2-gss.c +--- openssh-5.9p1/auth2-gss.c.gsskex 2012-02-06 17:38:19.046907913 +0100 ++++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:41:33.656381846 +0100 @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_errtok(int, u_int32_t, void *); @@ -250,7 +132,7 @@ diff -up openssh-5.9p0/auth2-gss.c.gsskex openssh-5.9p0/auth2-gss.c logit("GSSAPI MIC check failed"); @@ -303,6 +339,12 @@ input_gssapi_mic(int type, u_int32_t ple - userauth_finish(authctxt, authenticated, "gssapi-with-mic"); + userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); } +Authmethod method_gsskeyex = { 
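Review bot: The auth2.c section moved here registers `&method_gsskeyex` in `authmethods[]`, yet the first hunk of this file drops the Makefile.in section that added `kexgssc.o` to LIBSSH_OBJS and `kexgsss.o` to SSHDOBJS, and nothing visible in this commit adds those entries back; unless the build change now lives in another patch or the spec file, the GSSAPI key-exchange objects this method relies on would not be compiled. The commit message should say where those object entries went. The `userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);` context line reflects the four-argument signature from the RequiredAuthentications rework named in the subject; the `@@ -52,6 +52,40 @@` body that defines the gsskeyex handler begins inside this hunk but its added lines are outside the view, so whether it passes the same extra argument cannot be checked here.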
@@ -262,28 +144,9 @@ diff -up openssh-5.9p0/auth2-gss.c.gsskex openssh-5.9p0/auth2-gss.c Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -up openssh-5.9p0/auth2.c.gsskex openssh-5.9p0/auth2.c ---- openssh-5.9p0/auth2.c.gsskex 2011-09-03 20:30:33.358627098 +0200 -+++ openssh-5.9p0/auth2.c 2011-09-03 20:30:48.386436741 +0200 -@@ -69,6 +69,7 @@ extern Authmethod method_passwd; - extern Authmethod method_kbdint; - extern Authmethod method_hostbased; - #ifdef GSSAPI -+extern Authmethod method_gsskeyex; - extern Authmethod method_gssapi; - #endif - #ifdef JPAKE -@@ -79,6 +80,7 @@ Authmethod *authmethods[] = { - &method_none, - &method_pubkey, - #ifdef GSSAPI -+ &method_gsskeyex, - &method_gssapi, - #endif - #ifdef JPAKE -diff -up openssh-5.9p0/clientloop.c.gsskex openssh-5.9p0/clientloop.c ---- openssh-5.9p0/clientloop.c.gsskex 2011-06-23 00:31:58.000000000 +0200 -+++ openssh-5.9p0/clientloop.c 2011-09-03 20:30:48.595502066 +0200 +diff -up openssh-5.9p1/clientloop.c.gsskex openssh-5.9p1/clientloop.c +--- openssh-5.9p1/clientloop.c.gsskex 2012-02-06 17:38:18.919095717 +0100 ++++ openssh-5.9p1/clientloop.c 2012-02-06 17:38:19.170220176 +0100 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -311,9 +174,9 @@ diff -up openssh-5.9p0/clientloop.c.gsskex openssh-5.9p0/clientloop.c if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); xxx_kex->done = 0; -diff -up openssh-5.9p0/configure.ac.gsskex openssh-5.9p0/configure.ac ---- openssh-5.9p0/configure.ac.gsskex 2011-09-03 20:30:46.489501732 +0200 -+++ openssh-5.9p0/configure.ac 2011-09-03 20:30:48.783501901 +0200 +diff -up openssh-5.9p1/configure.ac.gsskex openssh-5.9p1/configure.ac +--- openssh-5.9p1/configure.ac.gsskex 2012-02-06 17:38:19.151008987 +0100 ++++ openssh-5.9p1/configure.ac 2012-02-06 17:38:19.171220137 +0100 @@ -515,6 +515,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 
@@ -345,9 +208,9 @@ diff -up openssh-5.9p0/configure.ac.gsskex openssh-5.9p0/configure.ac m4_pattern_allow([AU_IPv]) AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) -diff -up openssh-5.9p0/gss-genr.c.gsskex openssh-5.9p0/gss-genr.c ---- openssh-5.9p0/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.9p0/gss-genr.c 2011-09-03 20:30:48.951554007 +0200 +diff -up openssh-5.9p1/gss-genr.c.gsskex openssh-5.9p1/gss-genr.c +--- openssh-5.9p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.9p1/gss-genr.c 2012-02-06 17:38:19.172078790 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ 
@@ -695,132 +558,9 @@ diff -up openssh-5.9p0/gss-genr.c.gsskex openssh-5.9p0/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh-5.9p0/gss-serv-krb5.c.gsskex openssh-5.9p0/gss-serv-krb5.c ---- openssh-5.9p0/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.9p0/gss-serv-krb5.c 2011-09-03 20:30:49.134564925 +0200 -@@ -1,7 +1,7 @@ - /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ - - /* -- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -120,6 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl - krb5_principal princ; - OM_uint32 maj_status, min_status; - int len; -+ const char *new_ccname; - - if (client->creds == NULL) { - debug("No credentials stored"); -@@ -168,11 +169,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl - return; - } - -- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); -+ new_ccname = krb5_cc_get_name(krb_context, ccache); -+ - client->store.envvar = "KRB5CCNAME"; -- len = strlen(client->store.filename) + 6; -- client->store.envval = xmalloc(len); -- snprintf(client->store.envval, len, "FILE:%s", client->store.filename); -+#ifdef USE_CCAPI -+ xasprintf(&client->store.envval, "API:%s", new_ccname); -+ client->store.filename = NULL; -+#else -+ xasprintf(&client->store.envval, "FILE:%s", new_ccname); -+ client->store.filename = xstrdup(new_ccname); -+#endif - - #ifdef USE_PAM - if (options.use_pam) -@@ -184,6 +190,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl - return; - } - -+int -+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, -+ ssh_gssapi_client *client) -+{ -+ krb5_ccache ccache = NULL; -+ krb5_principal principal = NULL; -+ char *name = NULL; -+ krb5_error_code problem; -+ OM_uint32 maj_status, min_status; -+ -+ if ((problem = 
krb5_cc_resolve(krb_context, store->envval, &ccache))) { -+ logit("krb5_cc_resolve(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ return 0; -+ } -+ -+ /* Find out who the principal in this cache is */ -+ if ((problem = krb5_cc_get_principal(krb_context, ccache, -+ &principal))) { -+ logit("krb5_cc_get_principal(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ if ((problem = krb5_unparse_name(krb_context, principal, &name))) { -+ logit("krb5_unparse_name(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ -+ if (strcmp(name,client->exportedname.value)!=0) { -+ debug("Name in local credentials cache differs. Not storing"); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ krb5_free_unparsed_name(krb_context, name); -+ return 0; -+ } -+ krb5_free_unparsed_name(krb_context, name); -+ -+ /* Name matches, so lets get on with it! */ -+ -+ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { -+ logit("krb5_cc_initialize(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ krb5_free_principal(krb_context, principal); -+ -+ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, -+ ccache))) { -+ logit("gss_krb5_copy_ccache() failed. 
Sorry!"); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ return 1; -+} -+ - ssh_gssapi_mech gssapi_kerberos_mech = { - "toWM5Slw5Ew8Mqkay+al2g==", - "Kerberos", -@@ -191,7 +262,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { - NULL, - &ssh_gssapi_krb5_userok, - NULL, -- &ssh_gssapi_krb5_storecreds -+ &ssh_gssapi_krb5_storecreds, -+ &ssh_gssapi_krb5_updatecreds - }; - - #endif /* KRB5 */ -diff -up openssh-5.9p0/gss-serv.c.gsskex openssh-5.9p0/gss-serv.c ---- openssh-5.9p0/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200 -+++ openssh-5.9p0/gss-serv.c 2011-09-03 20:30:49.261439762 +0200 +diff -up openssh-5.9p1/gss-serv.c.gsskex openssh-5.9p1/gss-serv.c +--- openssh-5.9p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200 ++++ openssh-5.9p1/gss-serv.c 2012-02-06 17:38:19.174112917 +0100 @@ -45,15 +45,20 @@ #include "channels.h" #include "session.h" @@ -1005,7 +745,7 @@ diff -up openssh-5.9p0/gss-serv.c.gsskex openssh-5.9p0/gss-serv.c /* We can't copy this structure, so we just move the pointer to it */ client->creds = ctx->client_creds; ctx->client_creds = GSS_C_NO_CREDENTIAL; -@@ -329,7 +415,7 @@ ssh_gssapi_do_child(char ***envp, u_int +@@ -329,7 +415,7 @@ ssh_gssapi_do_child(char ***envp, u_int /* Privileged */ int 
@@ -1043,91 +783,331 @@ diff -up openssh-5.9p0/gss-serv.c.gsskex openssh-5.9p0/gss-serv.c + * *) If it succeeds, maybe do a PAM update + */ + -+/* Stuff for PAM */ ++/* Stuff for PAM */ ++ ++#ifdef USE_PAM ++static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg, ++ struct pam_response **resp, void *data) + { +- ctx->major = gss_verify_mic(&ctx->minor, ctx->context, +- gssbuf, gssmic, NULL); ++ return (PAM_CONV_ERR); ++} ++#endif + +- return (ctx->major); ++void ++ssh_gssapi_rekey_creds() { ++ int ok; ++ int ret; ++#ifdef USE_PAM ++ pam_handle_t *pamh = NULL; ++ struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL}; ++ char *envstr; ++#endif ++ ++ if (gssapi_client.store.filename == NULL && ++ gssapi_client.store.envval == NULL && ++ gssapi_client.store.envvar == NULL) ++ return; ++ ++ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); ++ ++ if (!ok) ++ return; ++ ++ debug("Rekeyed credentials stored successfully"); ++ ++ /* Actually managing to play with the ssh pam stack from here will ++ * be next to impossible. In any case, we may want different options ++ * for rekeying. 
So, use our own :) ++ */ ++#ifdef USE_PAM ++ if (!use_privsep) { ++ debug("Not even going to try and do PAM with privsep disabled"); ++ return; ++ } ++ ++ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name, ++ &pamconv, &pamh); ++ if (ret) ++ return; ++ ++ xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, ++ gssapi_client.store.envval); ++ ++ ret = pam_putenv(pamh, envstr); ++ if (!ret) ++ pam_setcred(pamh, PAM_REINITIALIZE_CRED); ++ pam_end(pamh, PAM_SUCCESS); ++#endif ++} ++ ++int ++ssh_gssapi_update_creds(ssh_gssapi_ccache *store) { ++ int ok = 0; ++ ++ /* Check we've got credentials to store */ ++ if (!gssapi_client.updated) ++ return 0; ++ ++ gssapi_client.updated = 0; ++ ++ temporarily_use_uid(gssapi_client.store.owner); ++ if (gssapi_client.mech && gssapi_client.mech->updatecreds) ++ ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client); ++ else ++ debug("No update function for this mechanism"); ++ ++ restore_uid(); ++ ++ return ok; + } + + #endif +diff -up openssh-5.9p1/gss-serv-krb5.c.gsskex openssh-5.9p1/gss-serv-krb5.c +--- openssh-5.9p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.9p1/gss-serv-krb5.c 2012-02-06 17:38:19.173095956 +0100 +@@ -1,7 +1,7 @@ + /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ + + /* +- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. ++ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -120,6 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl + krb5_principal princ; + OM_uint32 maj_status, min_status; + int len; ++ const char *new_ccname; + + if (client->creds == NULL) { + debug("No credentials stored"); +@@ -168,11 +169,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl + return; + } + +- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); ++ new_ccname = krb5_cc_get_name(krb_context, ccache); ++ + client->store.envvar = "KRB5CCNAME"; +- len = strlen(client->store.filename) + 6; +- client->store.envval = xmalloc(len); +- snprintf(client->store.envval, len, "FILE:%s", client->store.filename); ++#ifdef USE_CCAPI ++ xasprintf(&client->store.envval, "API:%s", new_ccname); ++ client->store.filename = NULL; ++#else ++ xasprintf(&client->store.envval, "FILE:%s", new_ccname); ++ client->store.filename = xstrdup(new_ccname); ++#endif + + #ifdef USE_PAM + if (options.use_pam) +@@ -184,6 +190,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl + return; + } + ++int ++ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, ++ ssh_gssapi_client *client) ++{ ++ krb5_ccache ccache = NULL; ++ krb5_principal principal = NULL; ++ char *name = NULL; ++ krb5_error_code problem; ++ OM_uint32 maj_status, min_status; ++ ++ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { ++ logit("krb5_cc_resolve(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ return 0; ++ } ++ ++ /* Find out who the principal in this cache is */ ++ if ((problem = krb5_cc_get_principal(krb_context, ccache, ++ &principal))) { ++ logit("krb5_cc_get_principal(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ if ((problem = krb5_unparse_name(krb_context, principal, &name))) { ++ logit("krb5_unparse_name(): %.100s", ++ 
krb5_get_err_text(krb_context, problem)); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ ++ if (strcmp(name,client->exportedname.value)!=0) { ++ debug("Name in local credentials cache differs. Not storing"); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ krb5_free_unparsed_name(krb_context, name); ++ return 0; ++ } ++ krb5_free_unparsed_name(krb_context, name); ++ ++ /* Name matches, so lets get on with it! */ ++ ++ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { ++ logit("krb5_cc_initialize(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ krb5_free_principal(krb_context, principal); ++ ++ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, ++ ccache))) { ++ logit("gss_krb5_copy_ccache() failed. Sorry!"); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } + -+#ifdef USE_PAM -+static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg, -+ struct pam_response **resp, void *data) - { -- ctx->major = gss_verify_mic(&ctx->minor, ctx->context, -- gssbuf, gssmic, NULL); -+ return (PAM_CONV_ERR); ++ return 1; +} -+#endif - -- return (ctx->major); -+void -+ssh_gssapi_rekey_creds() { -+ int ok; -+ int ret; -+#ifdef USE_PAM -+ pam_handle_t *pamh = NULL; -+ struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL}; -+ char *envstr; -+#endif + -+ if (gssapi_client.store.filename == NULL && -+ gssapi_client.store.envval == NULL && -+ gssapi_client.store.envvar == NULL) -+ return; + ssh_gssapi_mech gssapi_kerberos_mech = { + "toWM5Slw5Ew8Mqkay+al2g==", + "Kerberos", +@@ -191,7 +262,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { + NULL, + &ssh_gssapi_krb5_userok, + NULL, +- &ssh_gssapi_krb5_storecreds ++ &ssh_gssapi_krb5_storecreds, ++ &ssh_gssapi_krb5_updatecreds + }; + + #endif /* KRB5 */ +diff -up 
openssh-5.9p1/ChangeLog.gssapi.gsskex openssh-5.9p1/ChangeLog.gssapi +--- openssh-5.9p1/ChangeLog.gssapi.gsskex 2012-02-06 17:38:19.166867405 +0100 ++++ openssh-5.9p1/ChangeLog.gssapi 2012-02-06 17:38:19.166867405 +0100 +@@ -0,0 +1,113 @@ ++20110101 ++ - Finally update for OpenSSH 5.6p1 ++ - Add GSSAPIServerIdentity option from Jim Basney + -+ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); ++20100308 ++ - [ Makefile.in, key.c, key.h ] ++ Updates for OpenSSH 5.4p1 ++ - [ servconf.c ] ++ Include GSSAPI options in the sshd -T configuration dump, and flag ++ some older configuration options as being unsupported. Thanks to Colin ++ Watson. ++ - + -+ if (!ok) -+ return; ++20100124 ++ - [ sshconnect2.c ] ++ Adapt to deal with additional element in Authmethod structure. Thanks to ++ Colin Watson + -+ debug("Rekeyed credentials stored successfully"); ++20090615 ++ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c ++ sshd.c ] ++ Fix issues identified by Greg Hudson following a code review ++ Check return value of gss_indicate_mechs ++ Protect GSSAPI calls in monitor, so they can only be used if enabled ++ Check return values of bignum functions in key exchange ++ Use BN_clear_free to clear other side's DH value ++ Make ssh_gssapi_id_kex more robust ++ Only configure kex table pointers if GSSAPI is enabled ++ Don't leak mechanism list, or gss mechanism list ++ Cast data.length before printing ++ If serverkey isn't provided, use an empty string, rather than NULL + -+ /* Actually managing to play with the ssh pam stack from here will -+ * be next to impossible. In any case, we may want different options -+ * for rekeying. 
So, use our own :) -+ */ -+#ifdef USE_PAM -+ if (!use_privsep) { -+ debug("Not even going to try and do PAM with privsep disabled"); -+ return; -+ } ++20090201 ++ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h ++ ssh_config.5 sshconnet2.c ] ++ Add support for the GSSAPIClientIdentity option, which allows the user ++ to specify which GSSAPI identity to use to contact a given server + -+ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name, -+ &pamconv, &pamh); -+ if (ret) -+ return; ++20080404 ++ - [ gss-serv.c ] ++ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow ++ been omitted from a previous version of this patch. Reported by Borislav ++ Stoichkov + -+ xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, -+ gssapi_client.store.envval); ++20070317 ++ - [ gss-serv-krb5.c ] ++ Remove C99ism, where new_ccname was being declared in the middle of a ++ function + -+ ret = pam_putenv(pamh, envstr); -+ if (!ret) -+ pam_setcred(pamh, PAM_REINITIALIZE_CRED); -+ pam_end(pamh, PAM_SUCCESS); -+#endif -+} ++20061220 ++ - [ servconf.c ] ++ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and ++ documented, behaviour. Reported by Dan Watson. + -+int -+ssh_gssapi_update_creds(ssh_gssapi_ccache *store) { -+ int ok = 0; ++20060910 ++ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c ++ ssh-gss.h ] ++ add support for gss-group14-sha1 key exchange mechanisms ++ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ] ++ Add GSSAPIStrictAcceptorCheck option to allow the disabling of ++ acceptor principal checking on multi-homed machines. ++ ++ - [ sshd_config ssh_config ] ++ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample ++ configuration files ++ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ] ++ Code cleanup. 
Replace strlen/xmalloc/snprintf sequences with xasprintf() ++ Limit length of error messages displayed by client + -+ /* Check we've got credentials to store */ -+ if (!gssapi_client.updated) -+ return 0; ++20060909 ++ - [ gss-genr.c gss-serv.c ] ++ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server ++ only, where they belong ++ + -+ gssapi_client.updated = 0; ++20060829 ++ - [ gss-serv-krb5.c ] ++ Fix CCAPI credentials cache name when creating KRB5CCNAME environment ++ variable + -+ temporarily_use_uid(gssapi_client.store.owner); -+ if (gssapi_client.mech && gssapi_client.mech->updatecreds) -+ ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client); -+ else -+ debug("No update function for this mechanism"); ++20060828 ++ - [ gss-genr.c ] ++ Avoid Heimdal context freeing problem ++ + -+ restore_uid(); ++20060818 ++ - [ gss-genr.c ssh-gss.h sshconnect2.c ] ++ Make sure that SPENGO is disabled ++ + -+ return ok; - } - - #endif -diff -up openssh-5.9p0/kex.c.gsskex openssh-5.9p0/kex.c ---- openssh-5.9p0/kex.c.gsskex 2011-09-03 20:30:28.322627701 +0200 -+++ openssh-5.9p0/kex.c 2011-09-03 20:30:49.522466612 +0200 ++20060421 ++ - [ gssgenr.c, sshconnect2.c ] ++ a few type changes (signed versus unsigned, int versus size_t) to ++ fix compiler errors/warnings ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ kexgssc.c, sshconnect2.c ] ++ fix uninitialized variable warnings ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ gssgenr.c ] ++ pass oid to gss_display_status (helpful when using GSSAPI mechglue) ++ (from jbasney AT ncsa.uiuc.edu) ++ ++ - [ gss-serv-krb5.c ] ++ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H ++ (from jbasney AT ncsa.uiuc.edu) ++ ++ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c ++ add client-side GssapiKeyExchange option ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ sshconnect2.c ] ++ add support for GssapiTrustDns option for gssapi-with-mic ++ (from jbasney AT ncsa.uiuc.edu) ++ +diff -up openssh-5.9p1/kex.c.gsskex 
openssh-5.9p1/kex.c +--- openssh-5.9p1/kex.c.gsskex 2012-02-06 17:38:19.014845863 +0100 ++++ openssh-5.9p1/kex.c 2012-02-06 17:38:19.174112917 +0100 @@ -51,6 +51,10 @@ #include "roaming.h" #include "audit.h" @@ -1160,47 +1140,9 @@ diff -up openssh-5.9p0/kex.c.gsskex openssh-5.9p0/kex.c } else fatal("bad kex alg %s", k->name); } -diff -up openssh-5.9p0/kex.h.gsskex openssh-5.9p0/kex.h ---- openssh-5.9p0/kex.h.gsskex 2011-09-03 20:30:28.429502160 +0200 -+++ openssh-5.9p0/kex.h 2011-09-03 20:30:49.719501645 +0200 -@@ -73,6 +73,9 @@ enum kex_exchange { - KEX_DH_GEX_SHA1, - KEX_DH_GEX_SHA256, - KEX_ECDH_SHA2, -+ KEX_GSS_GRP1_SHA1, -+ KEX_GSS_GRP14_SHA1, -+ KEX_GSS_GEX_SHA1, - KEX_MAX - }; - -@@ -129,6 +132,12 @@ struct Kex { - sig_atomic_t done; - int flags; - const EVP_MD *evp_md; -+#ifdef GSSAPI -+ int gss_deleg_creds; -+ int gss_trust_dns; -+ char *gss_host; -+ char *gss_client; -+#endif - char *client_version_string; - char *server_version_string; - int (*verify_host_key)(Key *); -@@ -156,6 +165,11 @@ void kexgex_server(Kex *); - void kexecdh_client(Kex *); - void kexecdh_server(Kex *); - -+#ifdef GSSAPI -+void kexgss_client(Kex *); -+void kexgss_server(Kex *); -+#endif -+ - void newkeys_destroy(Newkeys *newkeys); - - void -diff -up openssh-5.9p0/kexgssc.c.gsskex openssh-5.9p0/kexgssc.c ---- openssh-5.9p0/kexgssc.c.gsskex 2011-09-03 20:30:49.951501851 +0200 -+++ openssh-5.9p0/kexgssc.c 2011-09-03 20:30:49.956501669 +0200 +diff -up openssh-5.9p1/kexgssc.c.gsskex openssh-5.9p1/kexgssc.c +--- openssh-5.9p1/kexgssc.c.gsskex 2012-02-06 17:38:19.175129606 +0100 ++++ openssh-5.9p1/kexgssc.c 2012-02-06 17:38:19.175129606 +0100 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 
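Review bot: In ssh_gssapi_krb5_updatecreds the success path returns 1 without closing the credential cache handle, while every failure path calls krb5_cc_close(); since this runs on each rekey of a long-lived session the handle leaks per rekey, so `krb5_cc_close(krb_context, ccache);` should precede the final `return 1;`. In the same hunk ssh_gssapi_rekey_creds builds envstr with xasprintf() and never releases it after pam_putenv(); if the PAM implementation copies the string, as Linux-PAM does, that is a second per-rekey leak, fixed by `free(envstr);` after the pam_putenv() call. The result of pam_setcred() is also discarded, so a failed credential refresh is silent; a debug() on the non-zero return would help diagnose rekey problems. The definition `ssh_gssapi_rekey_creds() {` has an empty parameter list; `(void)` gives it a proper prototype.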
@@ -1536,9 +1478,9 @@ diff -up openssh-5.9p0/kexgssc.c.gsskex openssh-5.9p0/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up openssh-5.9p0/kexgsss.c.gsskex openssh-5.9p0/kexgsss.c ---- openssh-5.9p0/kexgsss.c.gsskex 2011-09-03 20:30:50.062501851 +0200 -+++ openssh-5.9p0/kexgsss.c 2011-09-03 20:30:50.067500552 +0200 +diff -up openssh-5.9p1/kexgsss.c.gsskex openssh-5.9p1/kexgsss.c +--- openssh-5.9p1/kexgsss.c.gsskex 2012-02-06 17:38:19.176145304 +0100 ++++ openssh-5.9p1/kexgsss.c 2012-02-06 17:38:19.176145304 +0100 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 
@@ -1822,16 +1764,54 @@ diff -up openssh-5.9p0/kexgsss.c.gsskex openssh-5.9p0/kexgsss.c + BN_clear_free(shared_secret); + kex_finish(kex); + -+ /* If this was a rekey, then save out any delegated credentials we -+ * just exchanged. */ -+ if (options.gss_store_rekey) -+ ssh_gssapi_rekey_creds(); -+} -+#endif /* GSSAPI */ -diff -up openssh-5.9p0/key.c.gsskex openssh-5.9p0/key.c ---- openssh-5.9p0/key.c.gsskex 2011-09-03 20:30:42.237461404 +0200 -+++ openssh-5.9p0/key.c 2011-09-03 20:30:50.257564328 +0200 -@@ -1004,6 +1004,8 @@ key_ssh_name_from_type_nid(int type, int ++ /* If this was a rekey, then save out any delegated credentials we ++ * just exchanged. */ ++ if (options.gss_store_rekey) ++ ssh_gssapi_rekey_creds(); ++} ++#endif /* GSSAPI */ +diff -up openssh-5.9p1/kex.h.gsskex openssh-5.9p1/kex.h +--- openssh-5.9p1/kex.h.gsskex 2012-02-06 17:38:19.015845746 +0100 ++++ openssh-5.9p1/kex.h 2012-02-06 17:38:19.175129606 +0100 +@@ -73,6 +73,9 @@ enum kex_exchange { + KEX_DH_GEX_SHA1, + KEX_DH_GEX_SHA256, + KEX_ECDH_SHA2, ++ KEX_GSS_GRP1_SHA1, ++ KEX_GSS_GRP14_SHA1, ++ KEX_GSS_GEX_SHA1, + KEX_MAX + }; + +@@ -129,6 +132,12 @@ struct Kex { + sig_atomic_t done; + int flags; + const EVP_MD *evp_md; ++#ifdef GSSAPI ++ int gss_deleg_creds; ++ int gss_trust_dns; ++ char *gss_host; ++ char *gss_client; ++#endif + char *client_version_string; + char *server_version_string; + int (*verify_host_key)(Key *); +@@ -156,6 +165,11 @@ void kexgex_server(Kex *); + void kexecdh_client(Kex *); + void kexecdh_server(Kex *); + ++#ifdef GSSAPI ++void kexgss_client(Kex *); ++void kexgss_server(Kex *); ++#endif ++ + void newkeys_destroy(Newkeys *newkeys); + + void +diff -up openssh-5.9p1/key.c.gsskex openssh-5.9p1/key.c +--- openssh-5.9p1/key.c.gsskex 2012-02-06 17:38:19.121787795 +0100 ++++ openssh-5.9p1/key.c 2012-02-06 17:38:19.176793341 +0100 +@@ -1006,6 +1006,8 @@ key_ssh_name_from_type_nid(int type, int } break; #endif /* OPENSSL_HAS_ECC */ 
@@ -1840,7 +1820,7 @@ diff -up openssh-5.9p0/key.c.gsskex openssh-5.9p0/key.c } return "ssh-unknown"; } -@@ -1309,6 +1311,8 @@ key_type_from_name(char *name) +@@ -1311,6 +1313,8 @@ key_type_from_name(char *name) strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { return KEY_ECDSA_CERT; #endif @@ -1849,9 +1829,9 @@ diff -up openssh-5.9p0/key.c.gsskex openssh-5.9p0/key.c } debug2("key_type_from_name: unknown key type '%s'", name); -diff -up openssh-5.9p0/key.h.gsskex openssh-5.9p0/key.h ---- openssh-5.9p0/key.h.gsskex 2011-09-03 20:30:30.877627339 +0200 -+++ openssh-5.9p0/key.h 2011-09-03 20:30:50.364564076 +0200 +diff -up openssh-5.9p1/key.h.gsskex openssh-5.9p1/key.h +--- openssh-5.9p1/key.h.gsskex 2012-02-06 17:38:19.029850894 +0100 ++++ openssh-5.9p1/key.h 2012-02-06 17:38:19.177807852 +0100 @@ -44,6 +44,7 @@ enum types { KEY_ECDSA_CERT, KEY_RSA_CERT_V00, 
@@ -1860,10 +1840,30 @@ diff -up openssh-5.9p0/key.h.gsskex openssh-5.9p0/key.h KEY_UNSPEC }; enum fp_type { -diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c ---- openssh-5.9p0/monitor.c.gsskex 2011-09-03 20:30:33.495451533 +0200 -+++ openssh-5.9p0/monitor.c 2011-09-03 20:30:50.494501810 +0200 -@@ -187,6 +187,8 @@ int mm_answer_gss_setup_ctx(int, Buffer +diff -up openssh-5.9p1/Makefile.in.gsskex openssh-5.9p1/Makefile.in +--- openssh-5.9p1/Makefile.in.gsskex 2012-02-06 17:38:19.164220442 +0100 ++++ openssh-5.9p1/Makefile.in 2012-02-06 17:38:19.166867405 +0100 +@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b + atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ + monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ + kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ ++ kexgssc.o \ + msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ + schnorr.o ssh-pkcs11.o auditstub.o + +@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw + auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ + monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ + auth-krb5.o \ +- auth2-gss.o gss-serv.o gss-serv-krb5.o \ ++ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ + sftp-server.o sftp-common.o \ + roaming_common.o roaming_serv.o \ +diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c +--- openssh-5.9p1/monitor.c.gsskex 2012-02-06 17:38:19.048914842 +0100 ++++ openssh-5.9p1/monitor.c 2012-02-06 17:48:43.113815884 +0100 +@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); 
@@ -1872,7 +1872,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c #endif #ifdef SSH_AUDIT_EVENTS -@@ -270,6 +272,7 @@ struct mon_table mon_dispatch_proto20[] +@@ -270,6 +272,7 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, @@ -1880,7 +1880,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c #endif #ifdef JPAKE {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, -@@ -283,6 +286,12 @@ struct mon_table mon_dispatch_proto20[] +@@ -282,6 +285,12 @@ struct mon_table mon_dispatch_proto20[] }; struct mon_table mon_dispatch_postauth20[] = { @@ -1893,7 +1893,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_SIGN, 0, mm_answer_sign}, {MONITOR_REQ_PTY, 0, mm_answer_pty}, -@@ -405,6 +414,10 @@ monitor_child_preauth(Authctxt *_authctx +@@ -406,6 +415,10 @@ monitor_child_preauth(Authctxt *_authctx /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -1903,8 +1903,8 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c +#endif } else { mon_dispatch = mon_dispatch_proto15; - -@@ -505,6 +518,10 @@ monitor_child_postauth(struct monitor *p + req_auth = &options.required_auth1; +@@ -514,6 +527,10 @@ monitor_child_postauth(struct monitor *p monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 
@@ -1915,7 +1915,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1920,6 +1937,13 @@ mm_get_kex(Buffer *m) +@@ -1943,6 +1960,13 @@ mm_get_kex(Buffer *m) kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; @@ -1929,7 +1929,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -@@ -2151,6 +2175,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -2166,6 +2190,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -1939,7 +1939,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -2178,6 +2205,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2193,6 +2220,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1949,7 +1949,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -2195,6 +2225,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2210,6 +2240,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1957,7 +1957,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c } return (0); } -@@ -2206,6 +2237,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -2221,6 +2252,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; 
@@ -1967,7 +1967,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2232,7 +2266,11 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2247,7 +2281,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -1980,7 +1980,7 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2245,6 +2283,74 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2261,6 +2299,74 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2055,9 +2055,9 @@ diff -up openssh-5.9p0/monitor.c.gsskex openssh-5.9p0/monitor.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.9p0/monitor.h.gsskex openssh-5.9p0/monitor.h ---- openssh-5.9p0/monitor.h.gsskex 2011-09-03 20:30:33.604501395 +0200 -+++ openssh-5.9p0/monitor.h 2011-09-03 20:30:50.619494143 +0200 +diff -up openssh-5.9p1/monitor.h.gsskex openssh-5.9p1/monitor.h +--- openssh-5.9p1/monitor.h.gsskex 2012-02-06 17:38:19.049917992 +0100 ++++ openssh-5.9p1/monitor.h 2012-02-06 17:38:19.178823232 +0100 @@ -56,6 +56,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, 
@@ -2067,10 +2067,10 @@ diff -up openssh-5.9p0/monitor.h.gsskex openssh-5.9p0/monitor.h MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, -diff -up openssh-5.9p0/monitor_wrap.c.gsskex openssh-5.9p0/monitor_wrap.c ---- openssh-5.9p0/monitor_wrap.c.gsskex 2011-09-03 20:30:33.751439358 +0200 -+++ openssh-5.9p0/monitor_wrap.c 2011-09-03 20:30:50.775502083 +0200 -@@ -1346,7 +1346,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss +diff -up openssh-5.9p1/monitor_wrap.c.gsskex openssh-5.9p1/monitor_wrap.c +--- openssh-5.9p1/monitor_wrap.c.gsskex 2012-02-06 17:38:19.050803985 +0100 ++++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:38:19.179838373 +0100 +@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } int @@ -2079,7 +2079,7 @@ diff -up openssh-5.9p0/monitor_wrap.c.gsskex openssh-5.9p0/monitor_wrap.c { Buffer m; int authenticated = 0; -@@ -1363,6 +1363,51 @@ mm_ssh_gssapi_userok(char *user) +@@ -1343,6 +1343,51 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } @@ -2131,10 +2131,10 @@ diff -up openssh-5.9p0/monitor_wrap.c.gsskex openssh-5.9p0/monitor_wrap.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.9p0/monitor_wrap.h.gsskex openssh-5.9p0/monitor_wrap.h ---- openssh-5.9p0/monitor_wrap.h.gsskex 2011-09-03 20:30:33.849563456 +0200 -+++ openssh-5.9p0/monitor_wrap.h 2011-09-03 20:30:50.888502327 +0200 -@@ -63,8 +63,10 @@ void mm_userauth_restart(const char *); +diff -up openssh-5.9p1/monitor_wrap.h.gsskex openssh-5.9p1/monitor_wrap.h +--- openssh-5.9p1/monitor_wrap.h.gsskex 2012-02-06 17:38:19.050803985 +0100 ++++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:38:19.180853859 +0100 +@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 
@@ -2146,9 +2146,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.gsskex openssh-5.9p0/monitor_wrap.h #endif #ifdef USE_PAM -diff -up openssh-5.9p0/readconf.c.gsskex openssh-5.9p0/readconf.c ---- openssh-5.9p0/readconf.c.gsskex 2011-05-29 13:42:31.000000000 +0200 -+++ openssh-5.9p0/readconf.c 2011-09-03 20:30:51.018475602 +0200 +diff -up openssh-5.9p1/readconf.c.gsskex openssh-5.9p1/readconf.c +--- openssh-5.9p1/readconf.c.gsskex 2011-05-29 13:42:31.000000000 +0200 ++++ openssh-5.9p1/readconf.c 2012-02-06 17:38:19.181868712 +0100 @@ -129,6 +129,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, @@ -2237,9 +2237,9 @@ diff -up openssh-5.9p0/readconf.c.gsskex openssh-5.9p0/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh-5.9p0/readconf.h.gsskex openssh-5.9p0/readconf.h ---- openssh-5.9p0/readconf.h.gsskex 2011-05-29 13:42:33.000000000 +0200 -+++ openssh-5.9p0/readconf.h 2011-09-03 20:30:51.121501216 +0200 +diff -up openssh-5.9p1/readconf.h.gsskex openssh-5.9p1/readconf.h +--- openssh-5.9p1/readconf.h.gsskex 2011-05-29 13:42:33.000000000 +0200 ++++ openssh-5.9p1/readconf.h 2012-02-06 17:38:19.181868712 +0100 @@ -47,7 +47,12 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ 
@@ -2253,10 +2253,10 @@ diff -up openssh-5.9p0/readconf.h.gsskex openssh-5.9p0/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-5.9p0/servconf.c.gsskex openssh-5.9p0/servconf.c ---- openssh-5.9p0/servconf.c.gsskex 2011-09-03 20:30:46.652622175 +0200 -+++ openssh-5.9p0/servconf.c 2011-09-03 20:33:28.089540342 +0200 -@@ -104,7 +104,10 @@ initialize_server_options(ServerOptions +diff -up openssh-5.9p1/servconf.c.gsskex openssh-5.9p1/servconf.c +--- openssh-5.9p1/servconf.c.gsskex 2012-02-06 17:38:19.152024134 +0100 ++++ openssh-5.9p1/servconf.c 2012-02-06 17:51:50.815868372 +0100 +@@ -99,7 +99,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; @@ -2267,7 +2267,7 @@ diff -up openssh-5.9p0/servconf.c.gsskex openssh-5.9p0/servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -235,8 +238,14 @@ fill_default_server_options(ServerOption +@@ -232,8 +235,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; 
@@ -2282,18 +2282,18 @@ diff -up openssh-5.9p0/servconf.c.gsskex openssh-5.9p0/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -347,7 +356,9 @@ typedef enum { - sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication, - sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication, - sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, +@@ -327,7 +336,9 @@ typedef enum { + sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, + sGssKeyEx, sGssStoreRekey, + sAcceptEnv, sPermitTunnel, + sRequiredAuthentications1, sRequiredAuthentications2, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -412,10 +423,20 @@ static struct { +@@ -393,10 +404,20 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2314,7 +2314,7 @@ diff -up openssh-5.9p0/servconf.c.gsskex openssh-5.9p0/servconf.c { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1015,10 +1036,22 @@ process_server_config_line(ServerOptions +@@ -983,10 +1004,22 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; 
@@ -2337,9 +2337,9 @@ diff -up openssh-5.9p0/servconf.c.gsskex openssh-5.9p0/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -1830,6 +1863,9 @@ dump_config(ServerOptions *o) +@@ -1794,6 +1827,9 @@ dump_config(ServerOptions *o) + #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); - dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); @@ -2347,9 +2347,9 @@ diff -up openssh-5.9p0/servconf.c.gsskex openssh-5.9p0/servconf.c #endif #ifdef JPAKE dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, -diff -up openssh-5.9p0/servconf.h.gsskex openssh-5.9p0/servconf.h ---- openssh-5.9p0/servconf.h.gsskex 2011-09-03 20:30:46.822603704 +0200 -+++ openssh-5.9p0/servconf.h 2011-09-03 20:30:51.430501923 +0200 +diff -up openssh-5.9p1/servconf.h.gsskex openssh-5.9p1/servconf.h +--- openssh-5.9p1/servconf.h.gsskex 2012-02-06 17:38:19.153039971 +0100 ++++ openssh-5.9p1/servconf.h 2012-02-06 17:38:19.183899042 +0100 @@ -103,7 +103,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ 
@@ -2361,109 +2361,21 @@ diff -up openssh-5.9p0/servconf.h.gsskex openssh-5.9p0/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh-5.9p0/ssh-gss.h.gsskex openssh-5.9p0/ssh-gss.h ---- openssh-5.9p0/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 -+++ openssh-5.9p0/ssh-gss.h 2011-09-03 20:30:51.703513904 +0200 -@@ -1,6 +1,6 @@ - /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ - /* -- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -60,10 +60,22 @@ - - #define SSH_GSS_OIDTYPE 0x06 - -+#define SSH2_MSG_KEXGSS_INIT 30 -+#define SSH2_MSG_KEXGSS_CONTINUE 31 -+#define SSH2_MSG_KEXGSS_COMPLETE 32 -+#define SSH2_MSG_KEXGSS_HOSTKEY 33 -+#define SSH2_MSG_KEXGSS_ERROR 34 -+#define SSH2_MSG_KEXGSS_GROUPREQ 40 -+#define SSH2_MSG_KEXGSS_GROUP 41 -+#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-" -+#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-" -+#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-" -+ - typedef struct { - char *filename; - char *envvar; - char *envval; -+ struct passwd *owner; - void *data; - } ssh_gssapi_ccache; - -@@ -71,8 +83,11 @@ typedef struct { - gss_buffer_desc displayname; - gss_buffer_desc exportedname; - gss_cred_id_t creds; -+ gss_name_t name; - struct ssh_gssapi_mech_struct *mech; - ssh_gssapi_ccache store; -+ int used; -+ int updated; - } ssh_gssapi_client; - - typedef struct ssh_gssapi_mech_struct { -@@ -83,6 +98,7 @@ typedef struct ssh_gssapi_mech_struct { - int (*userok) (ssh_gssapi_client *, char *); - int (*localname) (ssh_gssapi_client *, char **); - void (*storecreds) (ssh_gssapi_client *); -+ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *); - } ssh_gssapi_mech; - - typedef 
struct { -@@ -93,10 +109,11 @@ typedef struct { - gss_OID oid; /* client */ - gss_cred_id_t creds; /* server */ - gss_name_t client; /* server */ -- gss_cred_id_t client_creds; /* server */ -+ gss_cred_id_t client_creds; /* both */ - } Gssctxt; - - extern ssh_gssapi_mech *supported_mechs[]; -+extern Gssctxt *gss_kex_context; - - int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); - void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); -@@ -116,16 +133,30 @@ void ssh_gssapi_build_ctx(Gssctxt **); - void ssh_gssapi_delete_ctx(Gssctxt **); - OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); - void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); --int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); -+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); -+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); -+int ssh_gssapi_credentials_updated(Gssctxt *); - - /* In the server */ -+typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, -+ const char *); -+char *ssh_gssapi_client_mechanisms(const char *, const char *); -+char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *, -+ const char *); -+gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); -+int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, -+ const char *); - OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); --int ssh_gssapi_userok(char *name); -+int ssh_gssapi_userok(char *name, struct passwd *); - OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); - void ssh_gssapi_do_child(char ***, u_int *); - void ssh_gssapi_cleanup_creds(void); - void ssh_gssapi_storecreds(void); - -+char *ssh_gssapi_server_mechanisms(void); -+int ssh_gssapi_oid_table_ok(); -+ -+int ssh_gssapi_update_creds(ssh_gssapi_ccache *store); - #endif /* GSSAPI */ - - #endif /* _SSH_GSS_H */ -diff -up openssh-5.9p0/ssh_config.5.gsskex openssh-5.9p0/ssh_config.5 ---- 
openssh-5.9p0/ssh_config.5.gsskex 2011-08-05 22:17:32.000000000 +0200 -+++ openssh-5.9p0/ssh_config.5 2011-09-03 20:30:51.838501958 +0200 +diff -up openssh-5.9p1/ssh_config.gsskex openssh-5.9p1/ssh_config +--- openssh-5.9p1/ssh_config.gsskex 2012-02-06 17:38:19.140228679 +0100 ++++ openssh-5.9p1/ssh_config 2012-02-06 17:38:19.185931798 +0100 +@@ -26,6 +26,8 @@ + # HostbasedAuthentication no + # GSSAPIAuthentication no + # GSSAPIDelegateCredentials no ++# GSSAPIKeyExchange no ++# GSSAPITrustDNS no + # BatchMode no + # CheckHostIP yes + # AddressFamily any +diff -up openssh-5.9p1/ssh_config.5.gsskex openssh-5.9p1/ssh_config.5 +--- openssh-5.9p1/ssh_config.5.gsskex 2011-08-05 22:17:32.000000000 +0200 ++++ openssh-5.9p1/ssh_config.5 2012-02-06 17:38:19.184919538 +0100 @@ -527,11 +527,43 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2509,21 +2421,9 @@ diff -up openssh-5.9p0/ssh_config.5.gsskex openssh-5.9p0/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff -up openssh-5.9p0/ssh_config.gsskex openssh-5.9p0/ssh_config ---- openssh-5.9p0/ssh_config.gsskex 2011-09-03 20:30:44.855596300 +0200 -+++ openssh-5.9p0/ssh_config 2011-09-03 20:30:51.978439644 +0200 -@@ -26,6 +26,8 @@ - # HostbasedAuthentication no - # GSSAPIAuthentication no - # GSSAPIDelegateCredentials no -+# GSSAPIKeyExchange no -+# GSSAPITrustDNS no - # BatchMode no - # CheckHostIP yes - # AddressFamily any -diff -up openssh-5.9p0/sshconnect2.c.gsskex openssh-5.9p0/sshconnect2.c ---- openssh-5.9p0/sshconnect2.c.gsskex 2011-09-03 20:30:42.893440087 +0200 -+++ openssh-5.9p0/sshconnect2.c 2011-09-03 20:30:52.147454994 +0200 +diff -up openssh-5.9p1/sshconnect2.c.gsskex openssh-5.9p1/sshconnect2.c +--- openssh-5.9p1/sshconnect2.c.gsskex 2012-02-06 17:38:19.125220406 +0100 ++++ openssh-5.9p1/sshconnect2.c 2012-02-06 17:38:19.186899323 +0100 @@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho { Kex *kex; 
@@ -2722,9 +2622,9 @@ diff -up openssh-5.9p0/sshconnect2.c.gsskex openssh-5.9p0/sshconnect2.c #endif /* GSSAPI */ int -diff -up openssh-5.9p0/sshd.c.gsskex openssh-5.9p0/sshd.c ---- openssh-5.9p0/sshd.c.gsskex 2011-09-03 20:30:46.968587856 +0200 -+++ openssh-5.9p0/sshd.c 2011-09-03 20:30:52.340449797 +0200 +diff -up openssh-5.9p1/sshd.c.gsskex openssh-5.9p1/sshd.c +--- openssh-5.9p1/sshd.c.gsskex 2012-02-06 17:38:19.160220812 +0100 ++++ openssh-5.9p1/sshd.c 2012-02-06 17:38:19.187965866 +0100 @@ -124,6 +124,10 @@ #include "ssh-sandbox.h" #include "version.h" @@ -2736,7 +2636,7 @@ diff -up openssh-5.9p0/sshd.c.gsskex openssh-5.9p0/sshd.c #ifdef LIBWRAP #include #include -@@ -1680,10 +1684,13 @@ main(int ac, char **av) +@@ -1691,10 +1695,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -2750,7 +2650,7 @@ diff -up openssh-5.9p0/sshd.c.gsskex openssh-5.9p0/sshd.c if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -2016,6 +2023,60 @@ main(int ac, char **av) +@@ -2027,6 +2034,60 @@ main(int ac, char **av) /* Log the connection. */ verbose("Connection from %.500s port %d", remote_ip, remote_port); @@ -2811,7 +2711,7 @@ diff -up openssh-5.9p0/sshd.c.gsskex openssh-5.9p0/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2414,6 +2475,48 @@ do_ssh2_kex(void) +@@ -2425,6 +2486,48 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 
@@ -2860,7 +2760,7 @@ diff -up openssh-5.9p0/sshd.c.gsskex openssh-5.9p0/sshd.c /* start key exchange */ kex = kex_setup(myproposal); kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; -@@ -2421,6 +2524,13 @@ do_ssh2_kex(void) +@@ -2432,6 +2535,13 @@ do_ssh2_kex(void) kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; @@ -2874,9 +2774,21 @@ diff -up openssh-5.9p0/sshd.c.gsskex openssh-5.9p0/sshd.c kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff -up openssh-5.9p0/sshd_config.5.gsskex openssh-5.9p0/sshd_config.5 ---- openssh-5.9p0/sshd_config.5.gsskex 2011-09-03 20:30:47.419537225 +0200 -+++ openssh-5.9p0/sshd_config.5 2011-09-03 20:30:52.608440675 +0200 +diff -up openssh-5.9p1/sshd_config.gsskex openssh-5.9p1/sshd_config +--- openssh-5.9p1/sshd_config.gsskex 2012-02-06 17:38:19.160220812 +0100 ++++ openssh-5.9p1/sshd_config 2012-02-06 17:38:19.189998533 +0100 +@@ -83,6 +83,8 @@ ChallengeResponseAuthentication no + GSSAPIAuthentication yes + #GSSAPICleanupCredentials yes + GSSAPICleanupCredentials yes ++#GSSAPIStrictAcceptorCheck yes ++#GSSAPIKeyExchange no + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +diff -up openssh-5.9p1/sshd_config.5.gsskex openssh-5.9p1/sshd_config.5 +--- openssh-5.9p1/sshd_config.5.gsskex 2012-02-06 17:38:19.154809764 +0100 ++++ openssh-5.9p1/sshd_config.5 2012-02-06 17:38:19.188982680 +0100 @@ -424,12 +424,40 @@ Specifies whether user authentication ba The default is .Dq no . 
@@ -2918,15 +2830,103 @@ diff -up openssh-5.9p0/sshd_config.5.gsskex openssh-5.9p0/sshd_config.5 .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed -diff -up openssh-5.9p0/sshd_config.gsskex openssh-5.9p0/sshd_config ---- openssh-5.9p0/sshd_config.gsskex 2011-09-03 20:30:47.604456790 +0200 -+++ openssh-5.9p0/sshd_config 2011-09-03 20:30:52.720566647 +0200 -@@ -85,6 +85,8 @@ ChallengeResponseAuthentication no - GSSAPIAuthentication yes - #GSSAPICleanupCredentials yes - GSSAPICleanupCredentials yes -+#GSSAPIStrictAcceptorCheck yes -+#GSSAPIKeyExchange no +diff -up openssh-5.9p1/ssh-gss.h.gsskex openssh-5.9p1/ssh-gss.h +--- openssh-5.9p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 ++++ openssh-5.9p1/ssh-gss.h 2012-02-06 17:38:19.184919538 +0100 +@@ -1,6 +1,6 @@ + /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ + /* +- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. ++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -60,10 +60,22 @@ - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. 
If this is enabled, PAM authentication will + #define SSH_GSS_OIDTYPE 0x06 + ++#define SSH2_MSG_KEXGSS_INIT 30 ++#define SSH2_MSG_KEXGSS_CONTINUE 31 ++#define SSH2_MSG_KEXGSS_COMPLETE 32 ++#define SSH2_MSG_KEXGSS_HOSTKEY 33 ++#define SSH2_MSG_KEXGSS_ERROR 34 ++#define SSH2_MSG_KEXGSS_GROUPREQ 40 ++#define SSH2_MSG_KEXGSS_GROUP 41 ++#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-" ++#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-" ++#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-" ++ + typedef struct { + char *filename; + char *envvar; + char *envval; ++ struct passwd *owner; + void *data; + } ssh_gssapi_ccache; + +@@ -71,8 +83,11 @@ typedef struct { + gss_buffer_desc displayname; + gss_buffer_desc exportedname; + gss_cred_id_t creds; ++ gss_name_t name; + struct ssh_gssapi_mech_struct *mech; + ssh_gssapi_ccache store; ++ int used; ++ int updated; + } ssh_gssapi_client; + + typedef struct ssh_gssapi_mech_struct { +@@ -83,6 +98,7 @@ typedef struct ssh_gssapi_mech_struct { + int (*userok) (ssh_gssapi_client *, char *); + int (*localname) (ssh_gssapi_client *, char **); + void (*storecreds) (ssh_gssapi_client *); ++ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *); + } ssh_gssapi_mech; + + typedef struct { +@@ -93,10 +109,11 @@ typedef struct { + gss_OID oid; /* client */ + gss_cred_id_t creds; /* server */ + gss_name_t client; /* server */ +- gss_cred_id_t client_creds; /* server */ ++ gss_cred_id_t client_creds; /* both */ + } Gssctxt; + + extern ssh_gssapi_mech *supported_mechs[]; ++extern Gssctxt *gss_kex_context; + + int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); + void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); +@@ -116,16 +133,30 @@ void ssh_gssapi_build_ctx(Gssctxt **); + void ssh_gssapi_delete_ctx(Gssctxt **); + OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); + void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); +-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); ++int 
ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); ++OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); ++int ssh_gssapi_credentials_updated(Gssctxt *); + + /* In the server */ ++typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, ++ const char *); ++char *ssh_gssapi_client_mechanisms(const char *, const char *); ++char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *, ++ const char *); ++gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); ++int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, ++ const char *); + OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); +-int ssh_gssapi_userok(char *name); ++int ssh_gssapi_userok(char *name, struct passwd *); + OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); + void ssh_gssapi_do_child(char ***, u_int *); + void ssh_gssapi_cleanup_creds(void); + void ssh_gssapi_storecreds(void); + ++char *ssh_gssapi_server_mechanisms(void); ++int ssh_gssapi_oid_table_ok(); ++ ++int ssh_gssapi_update_creds(ssh_gssapi_ccache *store); + #endif /* GSSAPI */ + + #endif /* _SSH_GSS_H */ diff --git a/openssh-5.9p1-redhat.patch b/openssh-5.9p1-redhat.patch index cdb49c6..6a564de 100644 --- a/openssh-5.9p1-redhat.patch +++ b/openssh-5.9p1-redhat.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config ---- openssh-5.9p0/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 -+++ openssh-5.9p0/ssh_config 2011-09-05 14:48:16.386439023 +0200 +diff -up openssh-5.9p1/ssh_config.redhat openssh-5.9p1/ssh_config +--- openssh-5.9p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 ++++ openssh-5.9p1/ssh_config 2012-02-06 17:32:43.428032471 +0100 @@ -45,3 +45,14 @@ # PermitLocalCommand no # VisualHostKey no 
@@ -16,37 +16,9 @@ diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS -diff -up openssh-5.9p0/sshd_config.0.redhat openssh-5.9p0/sshd_config.0 ---- openssh-5.9p0/sshd_config.0.redhat 2011-09-05 14:48:08.522441255 +0200 -+++ openssh-5.9p0/sshd_config.0 2011-09-05 14:48:16.477443868 +0200 -@@ -581,9 +581,9 @@ DESCRIPTION - - SyslogFacility - Gives the facility code that is used when logging messages from -- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, -- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The -- default is AUTH. -+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, -+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -+ The default is AUTH. - - TCPKeepAlive - Specifies whether the system should send TCP keepalive messages -diff -up openssh-5.9p0/sshd_config.5.redhat openssh-5.9p0/sshd_config.5 ---- openssh-5.9p0/sshd_config.5.redhat 2011-09-05 14:48:08.657564688 +0200 -+++ openssh-5.9p0/sshd_config.5 2011-09-05 14:48:16.589501736 +0200 -@@ -1029,7 +1029,7 @@ Note that this option applies to protoco - .It Cm SyslogFacility - Gives the facility code that is used when logging messages from - .Xr sshd 8 . --The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, - LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. - The default is AUTH. - .It Cm TCPKeepAlive -diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config ---- openssh-5.9p0/sshd_config.redhat 2011-09-05 14:48:16.250626793 +0200 -+++ openssh-5.9p0/sshd_config 2011-09-05 15:06:01.513443553 +0200 +diff -up openssh-5.9p1/sshd_config.redhat openssh-5.9p1/sshd_config +--- openssh-5.9p1/sshd_config.redhat 2012-02-06 17:32:43.427032448 +0100 ++++ openssh-5.9p1/sshd_config 2012-02-06 17:35:15.356783832 +0100 
@@ -32,6 +32,7 @@ # Logging # obsoletes QuietMode and FascistLogging @@ -77,15 +49,13 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -89,6 +94,7 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -89,11 +94,13 @@ AuthorizedKeysFile .ssh/authorized_keys # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no +UsePAM yes - #TwoFactorAuthentication no - #SecondPubkeyAuthentication yes -@@ -101,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys + #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no @@ -93,7 +63,7 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes -@@ -121,6 +128,12 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -114,6 +121,12 @@ AuthorizedKeysFile .ssh/authorized_keys # no default banner path #Banner none 
@@ -106,3 +76,31 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server +diff -up openssh-5.9p1/sshd_config.0.redhat openssh-5.9p1/sshd_config.0 +--- openssh-5.9p1/sshd_config.0.redhat 2012-02-06 17:32:43.302970171 +0100 ++++ openssh-5.9p1/sshd_config.0 2012-02-06 17:32:43.428032471 +0100 +@@ -581,9 +581,9 @@ DESCRIPTION + + SyslogFacility + Gives the facility code that is used when logging messages from +- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, +- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The +- default is AUTH. ++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, ++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++ The default is AUTH. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages +diff -up openssh-5.9p1/sshd_config.5.redhat openssh-5.9p1/sshd_config.5 +--- openssh-5.9p1/sshd_config.5.redhat 2012-02-06 17:32:43.303971959 +0100 ++++ openssh-5.9p1/sshd_config.5 2012-02-06 17:32:43.429032398 +0100 +@@ -1019,7 +1019,7 @@ Note that this option applies to protoco + .It Cm SyslogFacility + Gives the facility code that is used when logging messages from + .Xr sshd 8 . +-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, ++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. + .It Cm TCPKeepAlive diff --git a/openssh-5.9p1-required-authentications.patch b/openssh-5.9p1-required-authentications.patch new file mode 100644 index 0000000..b5bf087 --- /dev/null +++ b/openssh-5.9p1-required-authentications.patch 
@@ -0,0 +1,827 @@ +diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c +--- openssh-5.9p1/auth.c.required-authentication 2012-02-06 17:03:51.034158031 +0100 ++++ openssh-5.9p1/auth.c 2012-02-06 17:03:55.007830206 +0100 +@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw) + } + + void +-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) ++auth_log(Authctxt *authctxt, int authenticated, const char *method, ++ const char *submethod, const char *info) + { + void (*authlog) (const char *fmt,...) = verbose; + char *authmsg; +@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent + else + authmsg = authenticated ? "Accepted" : "Failed"; + +- authlog("%s %s for %s%.100s from %.200s port %d%s", ++ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", + authmsg, + method, ++ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod, + authctxt->valid ? "" : "invalid user ", + authctxt->user, + get_remote_ipaddr(), +@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent + * Check whether root logins are disallowed. 
+ */ + int +-auth_root_allowed(char *method) ++auth_root_allowed(const char *method) + { + switch (options.permit_root_login) { + case PERMIT_YES: +@@ -694,3 +696,57 @@ fakepw(void) + + return (&fake); + } ++ ++int ++auth_method_in_list(const char *list, const char *method) ++{ ++ char *cp; ++ ++ cp = match_list(method, list, NULL); ++ if (cp != NULL) { ++ xfree(cp); ++ return 1; ++ } ++ ++ return 0; ++} ++ ++#define DELIM "," ++int ++auth_remove_from_list(char **list, const char *method) ++{ ++ char *oldlist, *cp, *newlist = NULL; ++ u_int len = 0, ret = 0; ++ ++ if (list == NULL || *list == NULL) ++ return (0); ++ ++ oldlist = *list; ++ len = strlen(oldlist) + 1; ++ newlist = xmalloc(len); ++ memset(newlist, '\0', len); ++ ++ /* Remove method from list, if present */ ++ for (;;) { ++ if ((cp = strsep(&oldlist, DELIM)) == NULL) ++ break; ++ if (*cp == '\0') ++ continue; ++ if (strcmp(cp, method) != 0) { ++ if (*newlist != '\0') ++ strlcat(newlist, DELIM, len); ++ strlcat(newlist, cp, len); ++ } else ++ ret++; ++ } ++ ++ /* Return NULL instead of empty list */ ++ if (*newlist == '\0') { ++ xfree(newlist); ++ newlist = NULL; ++ } ++ xfree(*list); ++ *list = newlist; ++ ++ return (ret); ++} +diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h +--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200 ++++ openssh-5.9p1/auth.h 2012-02-06 17:03:55.008839468 +0100 +@@ -142,10 +142,11 @@ void disable_forwarding(void); + void do_authentication(Authctxt *); + void do_authentication2(Authctxt *); + +-void auth_log(Authctxt *, int, char *, char *); +-void userauth_finish(Authctxt *, int, char *); ++void auth_log(Authctxt *, int, const char *, const char *, const char *); ++void userauth_finish(Authctxt *, int, const char *, const char *); ++int auth_root_allowed(const char *); ++ + void userauth_send_banner(const char *); +-int auth_root_allowed(char *); + + char *auth2_read_banner(void); + +@@ -192,6 +193,11 @@ void 
auth_debug_send(void); + void auth_debug_reset(void); + + struct passwd *fakepw(void); ++int auth_method_in_list(const char *, const char *); ++int auth_remove_from_list(char **, const char *); ++ ++int auth1_check_required(const char *); ++int auth2_check_required(const char *); + + int sys_auth_passwd(Authctxt *, const char *); + +diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c +--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200 ++++ openssh-5.9p1/auth1.c 2012-02-06 17:03:55.055811924 +0100 +@@ -98,6 +98,54 @@ static const struct AuthMethod1 + return (NULL); + } + ++static const struct AuthMethod1 * ++lookup_authmethod1_by_name(const char *name) ++{ ++ int i; ++ ++ for (i = 0; auth1_methods[i].name != NULL; i++) ++ if (strcmp(auth1_methods[i].name, name) == 0) ++ return (&(auth1_methods[i])); ++ ++ return NULL; ++} ++ ++#define DELIM "," ++int ++auth1_check_required(const char *list) ++{ ++ char *orig_methods, *methods, *cp; ++ static const struct AuthMethod1 *m; ++ int ret = 0; ++ ++ orig_methods = methods = xstrdup(list); ++ for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? 
*/ ++ if ((cp = strsep(&methods, DELIM)) == NULL) ++ break; ++ debug2("auth1_check_required: method \"%s\"", cp); ++ if (*cp == '\0') { ++ debug("auth1_check_required: empty method"); ++ ret = -1; ++ } ++ if ((m = lookup_authmethod1_by_name(cp)) == NULL) { ++ debug("auth1_check_required: unknown method " ++ "\"%s\"", cp); ++ ret = -1; ++ } ++ if (*(m->enabled) == 0) { ++ debug("auth1_check_required: method %s explicitly " ++ "disabled", cp); ++ ret = -1; ++ } ++ /* Activate method if it isn't already */ ++ if (*(m->enabled) == -1) ++ *(m->enabled) = 1; ++ } ++ xfree(orig_methods); ++ return (ret); ++} ++ ++ + static char * + get_authname(int type) + { +@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt) + { + int authenticated = 0; + char info[1024]; ++ const char *meth_name; + int prev = 0, type = 0; + const struct AuthMethod1 *meth; + +@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt) + authctxt->valid ? "" : "invalid user ", authctxt->user); + + /* If the user has no password, accept authentication immediately. */ +- if (options.permit_empty_passwd && options.password_authentication && ++ if (options.permit_empty_passwd && options.password_authentication && options.password_authentication && + #ifdef KRB5 + (!options.kerberos_authentication || options.kerberos_or_local_passwd) && + #endif +@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt) + if (options.use_pam && (PRIVSEP(do_pam_account()))) + #endif + { +- auth_log(authctxt, 1, "without authentication", ""); ++ auth_log(authctxt, 1, "without authentication", NULL, ""); + return; + } + } +@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt) + /* Get a packet from the client. 
*/ + prev = type; + type = packet_read(); ++ meth_name = get_authname(type); + + /* + * If we started challenge-response authentication but the +@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt) + if (authctxt->failures >= options.max_authtries) + goto skip; + if ((meth = lookup_authmethod1(type)) == NULL) { +- logit("Unknown message during authentication: " +- "type %d", type); ++ logit("Unknown message during authentication: type %d", ++ type); + goto skip; + } + +@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt) + goto skip; + } + ++ /* ++ * Skip methods not in required list, until all the required ++ * ones are done ++ */ ++ if (options.required_auth1 != NULL && ++ !auth_method_in_list(options.required_auth1, meth_name)) { ++ debug("Skipping method \"%s\" until required " ++ "authentication completed", meth_name); ++ goto skip; ++ } ++ + authenticated = meth->method(authctxt, info, sizeof(info)); + if (authenticated == -1) + continue; /* "postponed" */ +@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt) + + skip: + /* Log before sending the reply */ +- auth_log(authctxt, authenticated, get_authname(type), info); ++ auth_log(authctxt, authenticated, meth_name, NULL, info); ++ ++ /* Loop until the required authmethods are done */ ++ if (authenticated && options.required_auth1 != NULL) { ++ if (auth_remove_from_list(&options.required_auth1, ++ meth_name) != 1) ++ fatal("INTERNAL ERROR: authenticated method " ++ "\"%s\" not in required list \"%s\"", ++ meth_name, options.required_auth1); ++ debug2("do_authloop: required list now: %s", ++ options.required_auth1 == NULL ? ++ "DONE" : options.required_auth1); ++ if (options.required_auth1 == NULL) ++ return; ++ authenticated = 0; ++ /* ++ * Disable method so client can't authenticate with it ++ * after the required authentications are complete. 
++ */ ++ *(meth->enabled) = 0; ++ packet_send_debug("Further authentication required"); ++ goto send_fail; ++ } + + if (client_user != NULL) { + xfree(client_user); +@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt) + #endif + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } ++ send_fail: + + packet_start(SSH_SMSG_FAILURE); + packet_send(); +diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c +--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200 ++++ openssh-5.9p1/auth2.c 2012-02-06 17:03:55.100896430 +0100 +@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32 + { + Authctxt *authctxt = ctxt; + Authmethod *m = NULL; +- char *user, *service, *method, *style = NULL; ++ char *user, *service, *method, *active_methods, *style = NULL; + int authenticated = 0; + + if (authctxt == NULL) +@@ -277,22 +277,31 @@ input_userauth_request(int type, u_int32 + authctxt->server_caused_failure = 0; + + /* try to authenticate user */ +- m = authmethod_lookup(method); +- if (m != NULL && authctxt->failures < options.max_authtries) { +- debug2("input_userauth_request: try method %s", method); +- authenticated = m->userauth(authctxt); +- } +- userauth_finish(authctxt, authenticated, method); ++ active_methods = authmethods_get(); ++ if (strcmp(method, "none") == 0 || ++ auth_method_in_list(active_methods, method)) { ++ m = authmethod_lookup(method); ++ if (m != NULL) { ++ debug2("input_userauth_request: try method %s", method); ++ authenticated = m->userauth(authctxt); ++ } + ++ } ++ xfree(active_methods); ++ userauth_finish(authctxt, authenticated, method, NULL); ++ + xfree(service); + xfree(user); + xfree(method); + } + + void +-userauth_finish(Authctxt *authctxt, int authenticated, char *method) ++userauth_finish(Authctxt *authctxt, int authenticated, const char *method, ++ const char *submethod) + { + char *methods; ++ Authmethod *m = NULL; ++ u_int partial = 0; + + if (!authctxt->valid && authenticated) + 
fatal("INTERNAL ERROR: authenticated invalid user %s", +@@ -330,12 +339,42 @@ userauth_finish(Authctxt *authctxt, int + #endif /* _UNICOS */ + + /* Log before sending the reply */ +- auth_log(authctxt, authenticated, method, " ssh2"); ++ auth_log(authctxt, authenticated, method, submethod, " ssh2"); + + if (authctxt->postponed) + return; + +- /* XXX todo: check if multiple auth methods are needed */ ++ /* Handle RequiredAuthentications2: loop until required methods done */ ++ if (authenticated && options.required_auth2 != NULL) { ++ if ((m = authmethod_lookup(method)) == NULL) ++ fatal("INTERNAL ERROR: authenticated method " ++ "\"%s\" unknown", method); ++ if (auth_remove_from_list(&options.required_auth2, method) != 1) ++ fatal("INTERNAL ERROR: authenticated method " ++ "\"%s\" not in required list \"%s\"", ++ method, options.required_auth2); ++ debug2("userauth_finish: required list now: %s", ++ options.required_auth2 == NULL ? ++ "DONE" : options.required_auth2); ++ /* ++ * if authenticated and no more required methods ++ * then declare success ++ */ ++ if ( authenticated && options.required_auth2 == NULL ) { ++ debug2("userauth_finish: authenticated and no more required methods"); ++ } else { ++ /* ++ * Disable method so client can't authenticate with it after ++ * the required authentications are complete. 
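Review bot: The rewritten dispatch in input_userauth_request drops the `authctxt->failures < options.max_authtries` condition that the removed lines had, so a method's userauth callback can now be invoked even once the failure limit has been reached; the disconnect in userauth_finish only fires after that extra attempt has been evaluated. Keep the guard in the new shape: `if (m != NULL && authctxt->failures < options.max_authtries) {`. The active-list check above it is a good addition, but `authmethods_get()` (later hunk) returns the raw required_auth2 string, so a comment noting that the list is advertised to the client verbatim would help the reader. input_userauth_request begins before this hunk.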
++ */ ++ if (m->enabled != NULL) ++ *(m->enabled) = 0; ++ authenticated = 0; ++ partial = 1; ++ goto send_fail; ++ } ++ } ++ + if (authenticated == 1) { + /* turn off userauth */ + dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); +@@ -345,7 +384,6 @@ userauth_finish(Authctxt *authctxt, int + /* now we can break out */ + authctxt->success = 1; + } else { +- + /* Allow initial try of "none" auth without failure penalty */ + if (!authctxt->server_caused_failure && + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) +@@ -356,10 +394,11 @@ userauth_finish(Authctxt *authctxt, int + #endif + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } ++ send_fail: + methods = authmethods_get(); + packet_start(SSH2_MSG_USERAUTH_FAILURE); + packet_put_cstring(methods); +- packet_put_char(0); /* XXX partial success, unused */ ++ packet_put_char(partial); + packet_send(); + packet_write_wait(); + xfree(methods); +@@ -373,6 +412,9 @@ authmethods_get(void) + char *list; + int i; + ++ if (options.required_auth2 != NULL) ++ return xstrdup(options.required_auth2); ++ + buffer_init(&b); + for (i = 0; authmethods[i] != NULL; i++) { + if (strcmp(authmethods[i]->name, "none") == 0) +@@ -407,3 +449,43 @@ authmethod_lookup(const char *name) + return NULL; + } + ++#define DELIM "," ++ ++int ++auth2_check_required(const char *list) ++{ ++ char *orig_methods, *methods, *cp; ++ struct Authmethod *m; ++ int i, ret = 0; ++ ++ orig_methods = methods = xstrdup(list); ++ for(;;) { ++ if ((cp = strsep(&methods, DELIM)) == NULL) ++ break; ++ debug2("auth2_check_required: method \"%s\"", cp); ++ if (*cp == '\0') { ++ debug("auth2_check_required: empty method"); ++ ret = -1; ++ } ++ for (i = 0; authmethods[i] != NULL; i++) ++ if (strcmp(cp, authmethods[i]->name) == 0) ++ break; ++ if ((m = authmethods[i]) == NULL) { ++ debug("auth2_check_required: unknown method " ++ "\"%s\"", cp); ++ ret = -1; ++ break; ++ } ++ if (m->enabled == NULL || *(m->enabled) == 0) { ++ 
debug("auth2_check_required: method %s explicitly " ++ "disabled", cp); ++ ret = -1; ++ } ++ /* Activate method if it isn't already */ ++ if (*(m->enabled) == -1) ++ *(m->enabled) = 1; ++ } ++ xfree(orig_methods); ++ return (ret); ++} ++ +diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c +--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200 ++++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:03:55.098862514 +0100 +@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p + } + authctxt->postponed = 0; + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); +- userauth_finish(authctxt, 0, "gssapi-with-mic"); ++ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL); + } else { + if (send_tok.length != 0) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); +@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type, + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); +- userauth_finish(authctxt, authenticated, "gssapi-with-mic"); ++ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); + } + + static void +@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t ple + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); +- userauth_finish(authctxt, authenticated, "gssapi-with-mic"); ++ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); + } + + Authmethod method_gssapi = { +diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c +--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100 ++++ openssh-5.9p1/auth2-chall.c 2012-02-06 17:03:55.098862514 +0100 +@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u + auth2_challenge_start(authctxt); + } + } +- 
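Review bot: auth2_check_required tests `m->enabled == NULL` and then dereferences `*(m->enabled)` unconditionally three lines later, so a method without an enable flag would crash config parsing instead of being reported; userauth_finish earlier in this patch guards the same dereference. Either `break;` after `ret = -1;` in that branch, or write the activation as `if (m->enabled != NULL && *(m->enabled) == -1)`. The ssh1 counterpart auth1_check_required (earlier in this patch, its hunk begins before this chunk) has the inverse problem: after `lookup_authmethod1_by_name(cp)` returns NULL it sets `ret = -1` but does not `break`, and the very next statement reads `*(m->enabled)` through the NULL pointer, so add the `break;` there as this function already does. Both checkers also flip global enable flags (`*(m->enabled) = 1`) as a side effect of validating a config line, which deserves a line in the function comment since a caller would not expect a checker to change state.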
userauth_finish(authctxt, authenticated, method); +- xfree(method); ++ userauth_finish(authctxt, authenticated, "keyboard-interactive", ++ kbdintctxt->device?kbdintctxt->device->name:NULL); + } + + void +diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c +--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200 ++++ openssh-5.9p1/auth2-none.c 2012-02-06 17:03:55.099879104 +0100 +@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt) + { + none_enabled = 0; + packet_check_eom(); +- if (options.permit_empty_passwd && options.password_authentication) ++ if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL) + return (PRIVSEP(auth_password(authctxt, ""))); + return (0); + } +diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c +--- openssh-5.9p1/monitor.c.required-authentication 2012-02-06 17:03:51.020095446 +0100 ++++ openssh-5.9p1/monitor.c 2012-02-06 17:03:55.101912924 +0100 +@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY; + static char *hostbased_cuser = NULL; + static char *hostbased_chost = NULL; + static char *auth_method = "unknown"; ++static char *auth_submethod = NULL; + static u_int session_id2_len = 0; + static u_char *session_id2 = NULL; + static pid_t monitor_child_pid; +@@ -352,7 +353,8 @@ void + monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) + { + struct mon_table *ent; +- int authenticated = 0; ++ int no_increment, authenticated = 0; ++ char **req_auth; + + debug3("preauth child monitor started"); + +@@ -367,12 +369,14 @@ monitor_child_preauth(Authctxt *_authctx + + if (compat20) { + mon_dispatch = mon_dispatch_proto20; ++ req_auth = &options.required_auth2; + + /* Permit requests for moduli and signatures */ + monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); + } else { + mon_dispatch = mon_dispatch_proto15; ++ req_auth = 
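Review bot: The new userauth_finish call in auth2-chall.c reads `kbdintctxt->device` after the `auth2_challenge_start(authctxt)` call visible just above it (and, on the success branch, the corresponding auth2_challenge_stop()), whereas the removed code passed a `method` string built before that point and only freed it afterwards. If auth2_challenge_stop() releases the kbdint context, as kbdint_free does upstream, this becomes a read of freed memory on the successful-authentication path, and auth2_challenge_start() may likewise have replaced the device. Capture the name first, `const char *devname = kbdintctxt->device ? kbdintctxt->device->name : NULL;`, before the block that calls those two functions, and pass `devname` to userauth_finish. input_userauth_info_response begins before this hunk.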
&options.required_auth1; + + monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); + } +@@ -380,6 +384,8 @@ monitor_child_preauth(Authctxt *_authctx + /* The first few requests do not require asynchronous access */ + while (!authenticated) { + auth_method = "unknown"; ++ auth_submethod = NULL; ++ no_increment = 1; + authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); + if (authenticated) { + if (!(ent->flags & MON_AUTHDECIDE)) +@@ -401,11 +407,23 @@ monitor_child_preauth(Authctxt *_authctx + } + #endif + } ++ /* Loop until the required authmethods are done */ ++ if (authenticated && *req_auth != NULL) { ++ if (auth_remove_from_list(req_auth, auth_method) != 1) ++ fatal("INTERNAL ERROR: authenticated method " ++ "\"%s\" not in required list \"%s\"", ++ auth_method, *req_auth); ++ debug2("monitor_child_preauth: required list now: %s", ++ *req_auth == NULL ? "DONE" : *req_auth); ++ if (*req_auth != NULL) ++ authenticated = 0; ++ no_increment = 1; ++ } + + if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { + auth_log(authctxt, authenticated, auth_method, +- compat20 ? " ssh2" : ""); +- if (!authenticated) ++ auth_submethod, compat20 ? 
" ssh2" : ""); ++ if (!authenticated && !no_increment) + authctxt->failures++; + } + #ifdef JPAKE +@@ -862,6 +880,7 @@ mm_answer_authpassword(int sock, Buffer + auth_method = "none"; + else + auth_method = "password"; ++ auth_submethod = NULL; + + /* Causes monitor loop to terminate if authenticated */ + return (authenticated); +@@ -921,6 +940,7 @@ mm_answer_bsdauthrespond(int sock, Buffe + mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); + + auth_method = "bsdauth"; ++ auth_submethod = NULL; + + return (authok != 0); + } +@@ -970,6 +990,7 @@ mm_answer_skeyrespond(int sock, Buffer * + mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m); + + auth_method = "skey"; ++ auth_submethod = NULL; + + return (authok != 0); + } +@@ -1059,7 +1080,8 @@ mm_answer_pam_query(int sock, Buffer *m) + xfree(prompts); + if (echo_on != NULL) + xfree(echo_on); +- auth_method = "keyboard-interactive/pam"; ++ auth_method = "keyboard-interactive"; ++ auth_submethod = "pam"; + mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); + return (0); + } +@@ -1088,7 +1110,8 @@ mm_answer_pam_respond(int sock, Buffer * + buffer_clear(m); + buffer_put_int(m, ret); + mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); +- auth_method = "keyboard-interactive/pam"; ++ auth_method = "keyboard-interactive"; ++ auth_submethod = "pam"; + if (ret == 0) + sshpam_authok = sshpam_ctxt; + return (0); +@@ -1102,7 +1125,8 @@ mm_answer_pam_free_ctx(int sock, Buffer + (sshpam_device.free_ctx)(sshpam_ctxt); + buffer_clear(m); + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); +- auth_method = "keyboard-interactive/pam"; ++ auth_method = "keyboard-interactive"; ++ auth_submethod = "pam"; + return (sshpam_authok == sshpam_ctxt); + } + #endif +@@ -1138,6 +1162,7 @@ mm_answer_keyallowed(int sock, Buffer *m + allowed = options.pubkey_authentication && + user_key_allowed(authctxt->pw, key); + auth_method = "publickey"; ++ auth_submethod = NULL; + if (options.pubkey_authentication && allowed != 1) + auth_clear_options(); + 
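Review bot: `no_increment` is set to 1 at the top of every iteration of the monitor_child_preauth loop (previous hunk) and is never cleared, so the `if (!authenticated && !no_increment)` branch here is unreachable and the monitor-side `authctxt->failures` counter no longer advances on ordinary failed attempts, not only on partial successes. If the intent is to suppress the increment only when a required method succeeded but others remain, the loop-top assignment should read `no_increment = 0;` and the `no_increment = 1;` inside the required-list block should be the only place it is set. If the monitor's count is genuinely unused after this change, a comment saying so would spare the next reader the same question. monitor_child_preauth continues past this hunk.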
break; +@@ -1146,6 +1171,7 @@ mm_answer_keyallowed(int sock, Buffer *m + hostbased_key_allowed(authctxt->pw, + cuser, chost, key); + auth_method = "hostbased"; ++ auth_submethod = NULL; + break; + case MM_RSAHOSTKEY: + key->type = KEY_RSA1; /* XXX */ +@@ -1155,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m + if (options.rhosts_rsa_authentication && allowed != 1) + auth_clear_options(); + auth_method = "rsa"; ++ auth_submethod = NULL; + break; + default: + fatal("%s: unknown key type %d", __func__, type); +@@ -1180,7 +1207,8 @@ mm_answer_keyallowed(int sock, Buffer *m + hostbased_chost = chost; + } else { + /* Log failed attempt */ +- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); ++ auth_log(authctxt, 0, auth_method, auth_submethod, ++ compat20 ? " ssh2" : ""); + xfree(blob); + xfree(cuser); + xfree(chost); +@@ -1356,6 +1384,7 @@ mm_answer_keyverify(int sock, Buffer *m) + xfree(data); + + auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; ++ auth_submethod = NULL; + + monitor_reset_key_state(); + +@@ -1545,6 +1574,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe + debug3("%s entering", __func__); + + auth_method = "rsa"; ++ auth_submethod = NULL; + if (options.rsa_authentication && authctxt->valid) { + if ((client_n = BN_new()) == NULL) + fatal("%s: BN_new", __func__); +@@ -1650,6 +1680,7 @@ mm_answer_rsa_response(int sock, Buffer + xfree(response); + + auth_method = key_blobtype == MM_RSAUSERKEY ? 
"rsa" : "rhosts-rsa"; ++ auth_submethod = NULL; + + /* reset state */ + BN_clear_free(ssh1_challenge); +@@ -2099,6 +2130,7 @@ mm_answer_gss_userok(int sock, Buffer *m + mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); + + auth_method = "gssapi-with-mic"; ++ auth_submethod = NULL; + + /* Monitor loop will terminate if authenticated */ + return (authenticated); +@@ -2303,6 +2335,7 @@ mm_answer_jpake_check_confirm(int sock, + monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1); + + auth_method = "jpake-01@openssh.com"; ++ auth_submethod = NULL; + return authenticated; + } + +diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c +--- openssh-5.9p1/servconf.c.required-authentication 2012-02-06 17:03:51.024963230 +0100 ++++ openssh-5.9p1/servconf.c 2012-02-06 17:03:55.102929716 +0100 +@@ -42,6 +42,8 @@ + #include "key.h" + #include "kex.h" + #include "mac.h" ++#include "hostfile.h" ++#include "auth.h" + #include "match.h" + #include "channels.h" + #include "groupaccess.h" +@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions + options->num_authkeys_files = 0; + options->num_accept_env = 0; + options->permit_tun = -1; ++ options->required_auth1 = NULL; ++ options->required_auth2 = NULL; + options->num_permitted_opens = -1; + options->adm_forced_command = NULL; + options->chroot_directory = NULL; +@@ -319,6 +323,7 @@ typedef enum { + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, ++ sRequiredAuthentications1, sRequiredAuthentications2, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sZeroKnowledgePasswordAuthentication, sHostCertificate, +@@ -447,6 +452,8 @@ static struct { + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, + { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL 
}, ++ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL }, ++ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL }, + { "ipqos", sIPQoS, SSHCFG_ALL }, + { NULL, sBadOption, 0 } + }; +@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions + options->max_startups = options->max_startups_begin; + break; + ++ ++ case sRequiredAuthentications1: ++ charptr = &options->required_auth1; ++ arg = strdelim(&cp); ++ if (auth1_check_required(arg) != 0) ++ fatal("%.200s line %d: Invalid required authentication " ++ "list", filename, linenum); ++ if (!arg || *arg == '\0') ++ fatal("%.200s line %d: Missing argument.", ++ filename, linenum); ++ if (*charptr == NULL) ++ *charptr = xstrdup(arg); ++ break; ++ ++ case sRequiredAuthentications2: ++ charptr = &options->required_auth2; ++ arg = strdelim(&cp); ++ if (auth2_check_required(arg) != 0) ++ fatal("%.200s line %d: Invalid required authentication " ++ "list", filename, linenum); ++ if (!arg || *arg == '\0') ++ fatal("%.200s line %d: Missing argument.", ++ filename, linenum); ++ if (*charptr == NULL) ++ *charptr = xstrdup(arg); ++ break; ++ + case sMaxAuthTries: + intptr = &options->max_authtries; + goto parse_int; +diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h +--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200 ++++ openssh-5.9p1/servconf.h 2012-02-06 17:03:55.102929716 +0100 +@@ -154,6 +154,9 @@ typedef struct { + u_int num_authkeys_files; /* Files containing public keys */ + char *authorized_keys_files[MAX_AUTHKEYS_FILES]; + ++ char *required_auth1; /* Required, but not sufficient */ ++ char *required_auth2; ++ + char *adm_forced_command; + + int use_pam; /* Enable auth via PAM */ +diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5 +--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200 ++++ openssh-5.9p1/sshd_config.5 2012-02-06 
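Review bot: In both new process_server_config_line cases the checker (`auth1_check_required(arg)` / `auth2_check_required(arg)`) runs before the `!arg || *arg == '\0'` test, so a `RequiredAuthentications1`/`2` line with no value reaches `xstrdup(NULL)` inside the checker instead of the intended "Missing argument" fatal; swap the two checks so the argument is validated first. The assignment `if (*charptr == NULL) *charptr = xstrdup(arg);` also omits the `*activep` guard that the other Match-capable string options in this function use, so although both keywords are registered as SSHCFG_ALL, a directive inside a Match block is applied to every connection rather than only to matching ones, and the checker's enable-flag activation happens at parse time regardless of the Match. Use `if (*activep && *charptr == NULL)` here as in the other SSHCFG_ALL cases. process_server_config_line begins and ends outside this hunk.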
17:09:39.038871798 +0100 +@@ -723,6 +723,8 @@ Available keywords are + .Cm PermitOpen , + .Cm PermitRootLogin , + .Cm PermitTunnel , ++.Cm RequiredAuthentications1, ++.Cm RequiredAuthentications2, + .Cm PubkeyAuthentication , + .Cm RhostsRSAAuthentication , + .Cm RSAAuthentication , +@@ -920,6 +937,21 @@ Specifies a list of revoked public keys. + Keys listed in this file will be refused for public key authentication. + Note that if this file is not readable, then public key authentication will + be refused for all users. ++.It Cm RequiredAuthentications[12] ++ Requires two authentication methods to succeed before authorizing the connection. ++ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2) ++ ++ RequiredAuthentications1 method[,method...] ++ RequiredAuthentications2 method[,method...] ++ ++.Pp ++Example 1: ++ ++ RequiredAuthentications2 password,hostbased ++ ++Example 2: ++ RequiredAuthentications2 publickey,password ++ + .It Cm RhostsRSAAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful RSA host authentication is allowed. diff --git a/openssh-5.9p1-role.patch b/openssh-5.9p1-role.patch index 8a26bdf..e090f38 100644 --- a/openssh-5.9p1-role.patch +++ b/openssh-5.9p1-role.patch 
@@ -1,7 +1,20 @@ -diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c ---- openssh-5.9p0/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200 -+++ openssh-5.9p0/auth-pam.c 2011-08-31 11:42:54.870087433 +0200 -@@ -1069,7 +1069,7 @@ is_pam_session_open(void) +diff -up openssh-5.9p1/auth.h.role openssh-5.9p1/auth.h +--- openssh-5.9p1/auth.h.role 2012-02-06 17:21:26.038970656 +0100 ++++ openssh-5.9p1/auth.h 2012-02-06 17:21:59.477033401 +0100 +@@ -59,6 +59,9 @@ struct Authctxt { + char *service; + struct passwd *pw; /* set if 'valid' */ + char *style; ++#ifdef WITH_SELINUX ++ char *role; ++#endif + void *kbdintctxt; + void *jpake_ctx; + #ifdef BSD_AUTH +diff -up openssh-5.9p1/auth-pam.c.role openssh-5.9p1/auth-pam.c +--- openssh-5.9p1/auth-pam.c.role 2012-02-06 17:21:25.983793983 +0100 ++++ openssh-5.9p1/auth-pam.c 2012-02-06 17:21:59.476038868 +0100 +@@ -1074,7 +1074,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ int @@ -10,9 +23,9 @@ diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c { int ret = 1; #ifdef HAVE_PAM_PUTENV -diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h ---- openssh-5.9p0/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200 -+++ openssh-5.9p0/auth-pam.h 2011-08-31 11:42:54.979086333 +0200 +diff -up openssh-5.9p1/auth-pam.h.role openssh-5.9p1/auth-pam.h +--- openssh-5.9p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200 ++++ openssh-5.9p1/auth-pam.h 2012-02-06 17:21:59.477033401 +0100 @@ -38,7 +38,7 @@ void do_pam_session(void); void do_pam_set_tty(const char *); void do_pam_setcred(int ); 
@@ -22,23 +35,10 @@ diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h ---- openssh-5.9p0/auth.h.role 2011-08-31 11:42:47.760024631 +0200 -+++ openssh-5.9p0/auth.h 2011-08-31 11:42:55.090151027 +0200 -@@ -59,6 +59,9 @@ struct Authctxt { - char *service; - struct passwd *pw; /* set if 'valid' */ - char *style; -+#ifdef WITH_SELINUX -+ char *role; -+#endif - void *kbdintctxt; - void *jpake_ctx; - #ifdef BSD_AUTH -diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c ---- openssh-5.9p0/auth1.c.role 2010-08-31 14:36:39.000000000 +0200 -+++ openssh-5.9p0/auth1.c 2011-08-31 11:42:55.215033075 +0200 -@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt) +diff -up openssh-5.9p1/auth1.c.role openssh-5.9p1/auth1.c +--- openssh-5.9p1/auth1.c.role 2012-02-06 17:21:26.016845827 +0100 ++++ openssh-5.9p1/auth1.c 2012-02-06 17:21:59.478033396 +0100 +@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt) { u_int ulen; char *user, *style = NULL; @@ -48,7 +48,7 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt) +@@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt) user = packet_get_cstring(&ulen); packet_check_eom(); 
@@ -73,9 +73,51 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c ---- openssh-5.9p0/auth2-gss.c.role 2011-05-05 06:04:11.000000000 +0200 -+++ openssh-5.9p0/auth2-gss.c 2011-08-31 11:42:55.313025576 +0200 +diff -up openssh-5.9p1/auth2.c.role openssh-5.9p1/auth2.c +--- openssh-5.9p1/auth2.c.role 2012-02-06 17:21:26.024976386 +0100 ++++ openssh-5.9p1/auth2.c 2012-02-06 17:23:14.127811737 +0100 +@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32 + Authctxt *authctxt = ctxt; + Authmethod *m = NULL; + char *user, *service, *method, *active_methods, *style = NULL; ++#ifdef WITH_SELINUX ++ char *role = NULL; ++#endif + int authenticated = 0; + + if (authctxt == NULL) +@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32 + debug("userauth-request for user %s service %s method %s", user, service, method); + debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); + ++#ifdef WITH_SELINUX ++ if ((role = strchr(user, '/')) != NULL) ++ *role++ = 0; ++#endif ++ + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; + +@@ -249,8 +257,15 @@ input_userauth_request(int type, u_int32 + use_privsep ? " [net]" : ""); + authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; +- if (use_privsep) ++#ifdef WITH_SELINUX ++ authctxt->role = role ? xstrdup(role) : NULL; ++#endif ++ if (use_privsep) { + mm_inform_authserv(service, style); ++#ifdef WITH_SELINUX ++ mm_inform_authrole(role); ++#endif ++ } + userauth_banner(); + } else if (strcmp(user, authctxt->user) != 0 || + strcmp(service, authctxt->service) != 0) { +diff -up openssh-5.9p1/auth2-gss.c.role openssh-5.9p1/auth2-gss.c +--- openssh-5.9p1/auth2-gss.c.role 2012-02-06 17:21:26.017853239 +0100 ++++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:21:59.479096211 +0100 
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -108,9 +150,9 @@ diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c xfree(mic.value); authctxt->postponed = 0; -diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c ---- openssh-5.9p0/auth2-hostbased.c.role 2011-08-31 11:42:47.863023264 +0200 -+++ openssh-5.9p0/auth2-hostbased.c 2011-08-31 11:42:55.421024814 +0200 +diff -up openssh-5.9p1/auth2-hostbased.c.role openssh-5.9p1/auth2-hostbased.c +--- openssh-5.9p1/auth2-hostbased.c.role 2012-02-06 17:21:26.038970656 +0100 ++++ openssh-5.9p1/auth2-hostbased.c 2012-02-06 17:21:59.479096211 +0100 @@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) buffer_put_string(&b, session_id2, session_id2_len); /* reconstruct packet */ @@ -128,9 +170,9 @@ diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c buffer_put_cstring(&b, service); buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); -diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c ---- openssh-5.9p0/auth2-pubkey.c.role 2011-08-31 11:42:47.978087418 +0200 -+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:42:55.551025263 +0200 +diff -up openssh-5.9p1/auth2-pubkey.c.role openssh-5.9p1/auth2-pubkey.c +--- openssh-5.9p1/auth2-pubkey.c.role 2012-02-06 17:21:26.039787441 +0100 ++++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 17:21:59.480096032 +0100 @@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ 
@@ -148,51 +190,9 @@ diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c buffer_put_cstring(&b, datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : -diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c ---- openssh-5.9p0/auth2.c.role 2011-08-31 11:42:45.409026065 +0200 -+++ openssh-5.9p0/auth2.c 2011-08-31 11:42:55.676024869 +0200 -@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32 - Authctxt *authctxt = ctxt; - Authmethod *m = NULL; - char *user, *service, *method, *style = NULL; -+#ifdef WITH_SELINUX -+ char *role = NULL; -+#endif - int authenticated = 0; - - if (authctxt == NULL) -@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32 - debug("userauth-request for user %s service %s method %s", user, service, method); - debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); - -+#ifdef WITH_SELINUX -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = 0; -+#endif -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = 0; - -@@ -249,8 +257,15 @@ input_userauth_request(int type, u_int32 - use_privsep ? " [net]" : ""); - authctxt->service = xstrdup(service); - authctxt->style = style ? xstrdup(style) : NULL; -- if (use_privsep) -+#ifdef WITH_SELINUX -+ authctxt->role = role ? xstrdup(role) : NULL; -+#endif -+ if (use_privsep) { - mm_inform_authserv(service, style); -+#ifdef WITH_SELINUX -+ mm_inform_authrole(role); -+#endif -+ } - userauth_banner(); - } else if (strcmp(user, authctxt->user) != 0 || - strcmp(service, authctxt->service) != 0) { -diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c ---- openssh-5.9p0/monitor.c.role 2011-08-31 11:42:53.301024819 +0200 -+++ openssh-5.9p0/monitor.c 2011-08-31 11:42:55.796025812 +0200 +diff -up openssh-5.9p1/monitor.c.role openssh-5.9p1/monitor.c +--- openssh-5.9p1/monitor.c.role 2012-02-06 17:21:26.071220592 +0100 ++++ openssh-5.9p1/monitor.c 2012-02-06 17:21:59.481783500 +0100 
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); @@ -203,7 +203,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[] +@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -213,7 +213,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -819,6 +825,9 @@ mm_answer_pwnamallow(int sock, Buffer *m +@@ -833,6 +839,9 @@ mm_answer_pwnamallow(int sock, Buffer *m else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -223,7 +223,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } #ifdef USE_PAM -@@ -862,6 +871,25 @@ mm_answer_authserv(int sock, Buffer *m) +@@ -876,6 +885,25 @@ mm_answer_authserv(int sock, Buffer *m) return (0); } @@ -249,7 +249,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c int mm_answer_authpassword(int sock, Buffer *m) { -@@ -1227,7 +1255,7 @@ static int +@@ -1252,7 +1280,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; 
@@ -258,7 +258,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c u_int len; int fail = 0; -@@ -1253,6 +1281,8 @@ monitor_valid_userblob(u_char *data, u_i +@@ -1278,6 +1306,8 @@ monitor_valid_userblob(u_char *data, u_i if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_string(&b, NULL); @@ -267,7 +267,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c if (strcmp(authctxt->user, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); -@@ -1284,7 +1314,7 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1309,7 +1339,7 @@ monitor_valid_hostbasedblob(u_char *data char *chost) { Buffer b; @@ -276,7 +276,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c u_int len; int fail = 0; -@@ -1301,6 +1331,8 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1326,6 +1356,8 @@ monitor_valid_hostbasedblob(u_char *data if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_string(&b, NULL); @@ -285,9 +285,9 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c if (strcmp(authctxt->user, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); -diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h ---- openssh-5.9p0/monitor.h.role 2011-08-31 11:42:53.409025333 +0200 -+++ openssh-5.9p0/monitor.h 2011-08-31 11:42:55.889024801 +0200 +diff -up openssh-5.9p1/monitor.h.role openssh-5.9p1/monitor.h +--- openssh-5.9p1/monitor.h.role 2012-02-06 17:21:26.071852220 +0100 ++++ openssh-5.9p1/monitor.h 2012-02-06 17:21:59.482846081 +0100 @@ -31,6 +31,9 @@ enum monitor_reqtype { MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, 
@@ -298,9 +298,9 @@ diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, -diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c ---- openssh-5.9p0/monitor_wrap.c.role 2011-08-31 11:42:53.548024503 +0200 -+++ openssh-5.9p0/monitor_wrap.c 2011-08-31 11:42:56.029024553 +0200 +diff -up openssh-5.9p1/monitor_wrap.c.role openssh-5.9p1/monitor_wrap.c +--- openssh-5.9p1/monitor_wrap.c.role 2012-02-06 17:21:26.071852220 +0100 ++++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:21:59.483845610 +0100 @@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char * buffer_free(&m); } @@ -327,9 +327,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h ---- openssh-5.9p0/monitor_wrap.h.role 2011-08-31 11:42:53.660025271 +0200 -+++ openssh-5.9p0/monitor_wrap.h 2011-08-31 11:42:56.131025748 +0200 +diff -up openssh-5.9p1/monitor_wrap.h.role openssh-5.9p1/monitor_wrap.h +--- openssh-5.9p1/monitor_wrap.h.role 2012-02-06 17:21:26.073192915 +0100 ++++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:21:59.483845610 +0100 @@ -42,6 +42,9 @@ int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); 
@@ -340,9 +340,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-compat/Makefile.in
---- openssh-5.9p0/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
-+++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 11:48:02.404091479 +0200
+diff -up openssh-5.9p1/openbsd-compat/Makefile.in.role openssh-5.9p1/openbsd-compat/Makefile.in
+--- openssh-5.9p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
++++ openssh-5.9p1/openbsd-compat/Makefile.in 2012-02-06 17:21:59.484846191 +0100
 @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@@ -352,9 +352,9 @@ diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-com
 .c.o:
 $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-compat/port-linux.c
---- openssh-5.9p0/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
-+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:42:56.492087969 +0200
+diff -up openssh-5.9p1/openbsd-compat/port-linux.c.role openssh-5.9p1/openbsd-compat/port-linux.c
+--- openssh-5.9p1/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
++++ openssh-5.9p1/openbsd-compat/port-linux.c 2012-02-06 17:21:59.484846191 +0100
 @@ -31,7 +31,11 @@
 #include "log.h"
@@ -532,9 +532,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-co
 #endif /* WITH_SELINUX */
 #ifdef LINUX_OOM_ADJUST
-diff -up openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role openssh-5.9p0/openbsd-compat/port-linux_part_2.c
---- openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role 2011-08-31 11:42:56.583047619 +0200
-+++ openssh-5.9p0/openbsd-compat/port-linux_part_2.c 2011-08-31 11:42:56.586178005 +0200
+diff -up openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role openssh-5.9p1/openbsd-compat/port-linux_part_2.c
+--- openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role 2012-02-06 17:21:59.485846294 +0100
++++ openssh-5.9p1/openbsd-compat/port-linux_part_2.c 2012-02-06 17:21:59.485846294 +0100
 @@ -0,0 +1,75 @@
 +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 +
diff --git a/openssh-5.9p1-vendor.patch b/openssh-5.9p1-vendor.patch
index 3e63d3b..1413fa6 100644
--- a/openssh-5.9p1-vendor.patch
+++ b/openssh-5.9p1-vendor.patch
@@ -1,7 +1,7 @@
-diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
---- openssh-5.9p0/configure.ac.vendor 2011-09-03 20:24:29.899501572 +0200
-+++ openssh-5.9p0/configure.ac 2011-09-03 20:24:39.153501595 +0200
-@@ -4131,6 +4131,12 @@ AC_ARG_WITH([lastlog],
+diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
+--- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100
++++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100
+@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
 fi
 ]
 )
@@ -14,7 +14,7 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
 dnl lastlog, [uw]tmpx? detection
 dnl NOTE: set the paths in the platform section to avoid the
-@@ -4357,6 +4363,7 @@ echo " Translate v4 in v6 hack
+@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack
 echo " BSD Auth support: $BSD_AUTH_MSG"
 echo " Random number source: $RAND_MSG"
 echo " Privsep sandbox style: $SANDBOX_STYLE"
@@ -22,10 +22,10 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
 echo ""
-diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
---- openssh-5.9p0/servconf.c.vendor 2011-09-03 20:24:29.080500853 +0200
-+++ openssh-5.9p0/servconf.c 2011-09-03 20:27:15.727564566 +0200
-@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
+diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
+--- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100
++++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100
+@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions
 options->max_authtries = -1;
 options->max_sessions = -1;
 options->banner = NULL;
@@ -33,7 +33,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 options->use_dns = -1;
 options->client_alive_interval = -1;
 options->client_alive_count_max = -1;
-@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
+@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
 options->ip_qos_interactive = IPTOS_LOWDELAY;
 if (options->ip_qos_bulk == -1)
 options->ip_qos_bulk = IPTOS_THROUGHPUT;
@@ -42,16 +42,16 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 /* Turn privilege separation on by default */
 if (use_privsep == -1)
-@@ -338,7 +341,7 @@ typedef enum {
+@@ -321,7 +324,7 @@ typedef enum {
 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
- sSecondPubkeyAuthentication, sSecondGssAuthentication,
- sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
-@@ -470,6 +473,7 @@ static struct {
+ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ sClientAliveCountMax, sAuthorizedKeysFile,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+@@ -436,6 +439,7 @@ static struct {
 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
 { "maxsessions", sMaxSessions, SSHCFG_ALL },
 { "banner", sBanner, SSHCFG_ALL },
@@ -59,7 +59,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 { "usedns", sUseDNS, SSHCFG_GLOBAL },
 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1152,6 +1156,10 @@ process_server_config_line(ServerOptions
+@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
 multistate_ptr = multistate_privsep;
 goto parse_multistate;
@@ -70,7 +70,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 case sAllowUsers:
 while ((arg = strdelim(&cp)) && *arg != '\0') {
 if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -1849,6 +1857,7 @@ dump_config(ServerOptions *o)
+@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sUseLogin, o->use_login);
 dump_cfg_fmtint(sCompression, o->compression);
 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
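Review bot: The new context lines of the `typedef enum` hunk no longer carry `sTwoFactorAuthentication` or the `sSecond*Authentication` opcodes, and the rebased vendor patch now sits on top of a parser whose keywords are `requiredauthentications1`/`requiredauthentications2`, so any sshd_config still carrying `TwoFactorAuthentication yes` or `SecondPubkeyAuthentication` from the previous build will presumably be rejected as a bad configuration option at the next sshd restart. That either locks operators out or, if they just delete the offending lines, silently drops the second factor they thought they had; neither outcome is handled anywhere visible in this commit. A `%post`-time check for the old keywords, or at least a changelog entry telling admins to translate their settings to `RequiredAuthentications2`, is worth adding alongside the patch swap. The parser itself and the replacement Patch104 are outside this hunk, so the exact failure mode should be confirmed against that patch.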
@@ -78,10 +78,10 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 dump_cfg_fmtint(sUseDNS, o->use_dns);
 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
-diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
---- openssh-5.9p0/servconf.h.vendor 2011-09-03 20:24:29.179632045 +0200
-+++ openssh-5.9p0/servconf.h 2011-09-03 20:24:39.426502323 +0200
-@@ -148,6 +148,7 @@ typedef struct {
+diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
+--- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100
++++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100
+@@ -140,6 +140,7 @@ typedef struct {
 int max_authtries;
 int max_sessions;
 char *banner; /* SSH-2 banner message */
@@ -89,31 +89,20 @@ diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
 int use_dns;
 int client_alive_interval; /*
 * poke the client this often to
-diff -up openssh-5.9p0/sshd.c.vendor openssh-5.9p0/sshd.c
---- openssh-5.9p0/sshd.c.vendor 2011-09-03 20:24:35.987501565 +0200
-+++ openssh-5.9p0/sshd.c 2011-09-03 20:24:39.542501643 +0200
-@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
- minor = PROTOCOL_MINOR_1;
- }
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-- SSH_VERSION, newline);
-+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
- server_version_string = xstrdup(buf);
- 
- /* Send our protocol version identification. */
-@@ -1627,7 +1627,8 @@ main(int ac, char **av)
- exit(1);
- }
- 
-- debug("sshd version %.100s", SSH_RELEASE);
-+ debug("sshd version %.100s",
-+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
- 
- /* Store privilege separation user for later use if required. */
- if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
-diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
---- openssh-5.9p0/sshd_config.0.vendor 2011-09-03 20:24:37.524438185 +0200
-+++ openssh-5.9p0/sshd_config.0 2011-09-03 20:24:39.677508255 +0200
+diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
+--- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100
++++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100
+@@ -112,6 +112,7 @@ X11Forwarding yes
+ #Compression delayed
+ #ClientAliveInterval 0
+ #ClientAliveCountMax 3
++#ShowPatchLevel no
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+ #MaxStartups 10
+diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
+--- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100
++++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100
@@ -556,6 +556,11 @@ DESCRIPTION Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. @@ -126,10 +115,10 @@ diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0 StrictModes Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. -diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5 ---- openssh-5.9p0/sshd_config.5.vendor 2011-09-03 20:24:37.640442022 +0200 -+++ openssh-5.9p0/sshd_config.5 2011-09-03 20:24:40.176544206 +0200 -@@ -952,6 +952,14 @@ This option applies to protocol version +diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5 +--- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100 ++++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100 +@@ -982,6 +982,14 @@ This option applies to protocol version .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. 
@@ -144,14 +133,25 @@ diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
-diff -up openssh-5.9p0/sshd_config.vendor openssh-5.9p0/sshd_config
---- openssh-5.9p0/sshd_config.vendor 2011-09-03 20:24:37.770439735 +0200
-+++ openssh-5.9p0/sshd_config 2011-09-03 20:24:40.278628002 +0200
-@@ -120,6 +120,7 @@ X11Forwarding yes
- #Compression delayed
- #ClientAliveInterval 0
- #ClientAliveCountMax 3
-+#ShowPatchLevel no
- #UseDNS yes
- #PidFile /var/run/sshd.pid
- #MaxStartups 10
+diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
+--- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100
++++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100
+@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
+ minor = PROTOCOL_MINOR_1;
+ }
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
+- SSH_VERSION, newline);
++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
+ server_version_string = xstrdup(buf);
+ 
+ /* Send our protocol version identification. */
+@@ -1634,7 +1634,8 @@ main(int ac, char **av)
+ exit(1);
+ }
+ 
+- debug("sshd version %.100s", SSH_RELEASE);
++ debug("sshd version %.100s",
++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
+ 
+ /* Store privilege separation user for later use if required. */
+ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
diff --git a/openssh.spec b/openssh.spec
index 0927ddc..47b925c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -116,7 +116,8 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1889
 Patch103: openssh-5.8p1-packet.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=983
-Patch104: openssh-5.9p1-2auth.patch
+#Patch104: openssh-5.9p1-2auth.patch
+Patch104: openssh-5.9p1-required-authentications.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch200: openssh-5.8p1-audit0.patch
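Review bot: Enabling ShowPatchLevel puts `SSH_VENDOR_PATCHLEVEL` into the protocol identification string built by the re-added `snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", ...)` line, and that string is sent before any authentication, so every unauthenticated scanner learns the exact vendor package build rather than only the upstream version. Nothing at the ternary says so; the option presumably defaults to off given the `#ShowPatchLevel no` sample line in the sshd_config hunk of this patch, but a comment on the new line would keep the trade-off visible to whoever next touches the banner: `/* ShowPatchLevel exposes the exact vendor build pre-auth; keep it off unless fleet inventory needs it */`. The same substitution in the `debug("sshd version %.100s", ...)` line only reaches the log and is harmless. sshd_exchange_identification and main both continue outside the hunk.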
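Review bot: The new `#Patch104: openssh-5.9p1-2auth.patch` line keeps the superseded patch name as a commented-out entry directly above the live `Patch104: openssh-5.9p1-required-authentications.patch`; git history already records the replacement, so the dead line should be dropped rather than left to accumulate in the spec. The `%prep` hunk that follows uses the backup suffix `.required-authentication` (singular) while the patch file is named `required-authentications`; aligning the suffix with the file name avoids confusion when someone greps for the `.orig`-style backups, though that hunk runs past the end of the visible text.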
@@ -395,7 +396,7 @@ The module is most useful for su and sudo service stacks.
 %patch101 -p1 -b .fingerprint
 %patch102 -p1 -b .getaddrinfo
 %patch103 -p1 -b .packet
-%patch104 -p1 -b .2auth
+%patch104 -p1 -b .required-authentication
 %patch200 -p1 -b .audit0
 %patch201 -p1 -b .audit1