From: "Mike Frysinger (vapier)" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] gentoo-x86 commit in net-misc/openssh/files: openssh-6.8_p1-ssl-engine-configure.patch openssh-6.8_p1-sshd-gssapi-multihomed.patch
Date: Wed, 18 Mar 2015 20:24:48 +0000 (UTC) [thread overview]
Message-ID: <20150318202450.BAE741406B@oystercatcher.gentoo.org> (raw)
vapier 15/03/18 20:24:48
Added: openssh-6.8_p1-ssl-engine-configure.patch
openssh-6.8_p1-sshd-gssapi-multihomed.patch
Log:
Version bump #543694 by Jason A. Donenfeld.
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key D2E96200)
Revision Changes Path
1.1 net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch?rev=1.1&content-type=text/plain
Index: openssh-6.8_p1-ssl-engine-configure.patch
===================================================================
From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Wed, 18 Mar 2015 12:37:24 -0400
Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
set
---
configure.ac | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index b4d6598..7806d20 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2276,10 +2276,10 @@ openssl_engine=no
AC_ARG_WITH([ssl-engine],
[ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
[
- if test "x$openssl" = "xno" ; then
- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
- fi
if test "x$withval" != "xno" ; then
+ if test "x$openssl" = "xno" ; then
+ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
+ fi
openssl_engine=yes
fi
]
--
2.3.2
1.1 net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch?rev=1.1&content-type=text/plain
Index: openssh-6.8_p1-sshd-gssapi-multihomed.patch
===================================================================
https://bugs.gentoo.org/378361
https://bugzilla.mindrot.org/show_bug.cgi?id=928
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -41,9 +41,12 @@
#include "channels.h"
#include "session.h"
#include "misc.h"
+#include "servconf.h"
#include "ssh-gss.h"
+extern ServerOptions options;
+
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
char lname[NI_MAXHOST];
gss_OID_set oidset;
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
- if (gethostname(lname, sizeof(lname))) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
+ if (options.gss_strict_acceptor) {
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+ if (gethostname(lname, MAXHOSTNAMELEN)) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
+
+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ gss_release_oid_set(&status, &oidset);
+ return (ctx->major);
+ }
+
+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
+ NULL, NULL)))
+ ssh_gssapi_error(ctx);
- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
+ } else {
+ ctx->name = GSS_C_NO_NAME;
+ ctx->creds = GSS_C_NO_CREDENTIAL;
}
-
- if ((ctx->major = gss_acquire_cred(&ctx->minor,
- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
- ssh_gssapi_error(ctx);
-
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
+ return GSS_S_COMPLETE;
}
/* Privileged */
--- a/servconf.c
+++ b/servconf.c
@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_cleanup_creds = -1;
+ options->gss_strict_acceptor = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -277,7 +280,8 @@ typedef enum {
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
@@ -327,9 +331,11 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
+ goto parse_flag;
+
+ case sGssStrictAcceptor:
+ intptr = &options->gss_strict_acceptor;
goto parse_flag;
case sPasswordAuthentication:
--- a/servconf.h
+++ b/servconf.h
@@ -92,6 +92,7 @@ typedef struct {
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
--- a/sshd_config
+++ b/sshd_config
@@ -69,6 +69,7 @@
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -386,6 +386,21 @@ on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor
+a client authenticates against.
+If set to
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname.
+If set to
+.Dq no
+then the client may authenticate against any service key stored in the
+machine's default store.
+This facility is provided to assist with operation on multi homed machines.
+The default is
+.Dq yes .
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list.
reply other threads:[~2015-03-18 20:24 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150318202450.BAE741406B@oystercatcher.gentoo.org \
--to=vapier@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox