author | Tomas Kuthan <tomas.kuthan@oracle.com> |
Wed, 11 Jan 2017 12:12:15 -0800 | |
changeset 7560 | 9732971b7855 |
permissions | -rw-r--r-- |
23227315 sshd offers GSS-API key exchange despite having no keytab
1 |
# |
2 |
# GSSAPIStrictAcceptorCheck should default to yes as documented |
3 |
# |
4 |
# When GSSAPIStrictAcceptorCheck is not explicitely specified in sshd_config, |
5 |
# the default value should be yes. It is documented in sshd_config(5) this |
6 |
# way and it preserves original behavior. |
7 |
# |
8 |
# Also GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange, |
9 |
# where it makes the server willing to negotiate GSS-API key exchange, although |
10 |
# no keytab was provided. |
11 |
# |
12 |
# Patch source: in-house |
13 |
# Reported upstream: |
14 |
# https://bugzilla.mindrot.org/show_bug.cgi?id=2637 |
15 |
# |
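--- a/servconf.c
+++ b/servconf.c
@@ -323,7 +323,7 @@ fill_default_server_options(ServerOption
 if (options->gss_cleanup_creds == -1)
 options->gss_cleanup_creds = 1;
 if (options->gss_strict_acceptor == -1)
- options->gss_strict_acceptor = 0;
+ options->gss_strict_acceptor = 1;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)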
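Review bot: The new assignment `options->gss_strict_acceptor = 1;` only takes effect when the option is unset (-1), so a server with an explicit GSSAPIStrictAcceptorCheck no plus GSSAPIKeyExchange would presumably still offer GSS-API key exchange without a keytab, which is the interaction the patch header describes. If that residual case is accepted, record it next to the assignment, e.g. `/* default yes per sshd_config(5); explicit "no" may still offer GSS kex with no keytab */`; otherwise the key-exchange offer needs its own keytab check, which lies outside this hunk. Hosts that depended on the old lax default (for example aliased or multi-homed names) will have to set the option explicitly after this change, which is worth a release note. fill_default_server_options() starts and ends outside the hunk, so the other GSS defaults could not be checked for consistency.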