diff --git a/openssh-5.6p1-kuserok.patch b/openssh-5.6p1-kuserok.patch
index 3a9f680..7376a85 100644
--- a/openssh-5.6p1-kuserok.patch
+++ b/openssh-5.6p1-kuserok.patch
@@ -1,70 +1,59 @@ diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c ---- openssh-5.6p1/auth-krb5.c.kuserok 2010-09-15 15:39:48.000000000 +0200 -+++ openssh-5.6p1/auth-krb5.c 2010-09-15 15:39:48.000000000 +0200 -@@ -146,9 +146,21 @@ auth_krb5_password(Authctxt *authctxt, c +--- openssh-5.6p1/auth-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100 ++++ openssh-5.6p1/auth-krb5.c 2010-11-15 10:11:02.000000000 +0100 +@@ -54,6 +54,20 @@ + + extern ServerOptions options; + ++int ++ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client) ++{ ++ if (options.use_kuserok) ++ return krb5_kuserok(krb5_ctx, krb5_user, client); ++ else { ++ char kuser[65]; ++ ++ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser)) ++ return 0; ++ return strcmp(kuser, client) == 0; ++ } ++} ++ + static int + krb5_init(void *context) + { +@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { -- problem = -1; -- goto out; -+ if (options.use_kuserok) { -+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { -+ problem = -1; -+ goto out; -+ } -+ } else { -+ char kuser[65]; -+ if (krb5_aname_to_localname(authctxt->krb5_ctx, authctxt->krb5_user, sizeof(kuser), kuser)) { -+ problem = -1; -+ goto out; -+ } -+ if (strcmp(kuser, client)) { -+ problem = -1; -+ goto out; -+ } ++ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { + problem = -1; + goto out; } - - problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c ---- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-09-15 15:39:48.000000000 +0200 -+++ openssh-5.6p1/gss-serv-krb5.c 2010-09-15 15:49:43.000000000 +0200 -@@ -97,13 +97,25 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client +--- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100 ++++ 
openssh-5.6p1/gss-serv-krb5.c 2010-11-15 10:12:35.000000000 +0100 +@@ -57,6 +57,7 @@ extern ServerOptions options; + #endif + + static krb5_context krb_context = NULL; ++extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *); + + /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ + +@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client krb5_get_err_text(krb_context, retval)); return 0; } - if (krb5_kuserok(krb_context, princ, name)) { -- retval = 1; -- logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", -- name, (char *)client->displayname.value); -- } else -- retval = 0; -- -+ if (options.use_kuserok) { -+ if (krb5_kuserok(krb_context, princ, name)) { -+ retval = 1; -+ logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", -+ name, (char *)client->displayname.value); -+ } else -+ retval = 0; -+ } else { -+ char kuser[65]; -+ if (krb5_aname_to_localname(krb_context, princ, sizeof(kuser), kuser)) -+ retval = 0; -+ else if (strcmp(kuser, client)) -+ retval = 0; -+ else { -+ retval = 1; -+ logit("Authorized to %s, krb5 principal %s (krb5)", -+ name, (char *)client->displayname.value); -+ } -+ } - krb5_free_principal(krb_context, princ); - return retval; - } ++ if (ssh_krb5_kuserok(krb_context, princ, name)) { + retval = 1; + logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", + name, (char *)client->displayname.value); diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c ---- openssh-5.6p1/servconf.c.kuserok 2010-09-15 15:39:48.000000000 +0200 -+++ openssh-5.6p1/servconf.c 2010-09-15 15:39:48.000000000 +0200 +--- openssh-5.6p1/servconf.c.kuserok 2010-11-15 10:08:05.000000000 +0100 ++++ openssh-5.6p1/servconf.c 2010-11-15 10:08:05.000000000 +0100 @@ -138,6 +138,7 @@ initialize_server_options(ServerOptions options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; 
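Review bot: The `logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", ...)` line kept after the new `ssh_krb5_kuserok(krb_context, princ, name)` call in gss-serv-krb5.c now fires on both paths, so when `options.use_kuserok` is off and the decision actually came from the `krb5_aname_to_localname()` mapping the authorization audit record names the wrong mechanism (the previous version of the patch logged `(krb5)` for that branch). I would have the message report the mechanism that was used, e.g. `logit("Authorized to %s, krb5 principal %s (%s)", name, (char *)client->displayname.value, options.use_kuserok ? "krb5_kuserok" : "krb5_aname_to_localname");`. The new helper is defined in auth-krb5.c but only reaches gss-serv-krb5.c through a local `extern int ssh_krb5_kuserok(...)` declaration; moving that prototype into a shared header would let the compiler catch a signature drift between the two files, and the helper itself should carry a short comment stating that any non-zero return from `krb5_aname_to_localname()` (no mapping rule, or a result that does not fit `kuser[65]`) is treated as deny. Both callers, `auth_krb5_password` and `ssh_gssapi_krb5_userok`, start and end outside the hunk.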
@@ -133,8 +122,8 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h ---- openssh-5.6p1/servconf.h.kuserok 2010-09-15 15:39:48.000000000 +0200 -+++ openssh-5.6p1/servconf.h 2010-09-15 15:39:48.000000000 +0200 +--- openssh-5.6p1/servconf.h.kuserok 2010-11-15 10:08:05.000000000 +0100 ++++ openssh-5.6p1/servconf.h 2010-11-15 10:08:05.000000000 +0100 @@ -157,6 +157,7 @@ typedef struct { int num_permitted_opens; @@ -144,8 +133,8 @@ diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h char *revoked_keys_file; char *trusted_user_ca_keys; diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5 ---- openssh-5.6p1/sshd_config.5.kuserok 2010-09-15 15:39:48.000000000 +0200 -+++ openssh-5.6p1/sshd_config.5 2010-09-15 15:39:48.000000000 +0200 +--- openssh-5.6p1/sshd_config.5.kuserok 2010-11-15 10:08:05.000000000 +0100 ++++ openssh-5.6p1/sshd_config.5 2010-11-15 10:08:05.000000000 +0100 @@ -564,6 +564,10 @@ Specifies whether to automatically destr file on logout. The default is @@ -166,8 +155,8 @@ diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5 .Cm MaxSessions , .Cm PubkeyAuthentication , diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config ---- openssh-5.6p1/sshd_config.kuserok 2010-09-15 15:39:48.000000000 +0200 -+++ openssh-5.6p1/sshd_config 2010-09-15 15:39:48.000000000 +0200 +--- openssh-5.6p1/sshd_config.kuserok 2010-11-15 10:08:05.000000000 +0100 ++++ openssh-5.6p1/sshd_config 2010-11-15 10:08:05.000000000 +0100 @@ -72,6 +72,7 @@ ChallengeResponseAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes
diff --git a/openssh.spec b/openssh.spec
index 815ca54..cd386cf 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.6p1 -%define openssh_rel 16 +%define openssh_rel 17 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 27 @@ -589,6 +589,9 @@ fi %endif %changelog +* Mon Nov 15 2010 Jan F. Chadima - 5.6p1-17 + 0.9.2-27 +- improoved kuserok patch + * Fri Nov 5 2010 Jan F. Chadima - 5.6p1-16 + 0.9.2-27 - add auditing the host based key ussage - repait X11 abstract layer socket (#648896)