17 # When we upgrade Kerberos in Solaris to future version 1.15, we will use |
17 # When we upgrade Kerberos in Solaris to future version 1.15, we will use |
18 # krb5_expand_hostname for hostname canonicalization instead. |
18 # krb5_expand_hostname for hostname canonicalization instead. |
19 # |
19 # |
20 # Upstream rejected GSS-API key exchange several times before. |
20 # Upstream rejected GSS-API key exchange several times before. |
21 # |
21 # |
22 diff -rupN old/Makefile.in new/Makefile.in |
22 diff -pur old/Makefile.in new/Makefile.in |
23 --- old/Makefile.in 2016-09-21 19:40:34.495262333 -0700 |
23 --- old/Makefile.in |
24 +++ new/Makefile.in 2016-09-21 20:20:17.560532505 -0700 |
24 +++ new/Makefile.in |
25 @@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
25 @@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
26 atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \ |
26 atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \ |
27 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
27 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
28 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
28 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
29 + kexgssc.o \ |
29 + kexgssc.o \ |
|
30 sftp_provider.o \ |
30 ssh-pkcs11.o smult_curve25519_ref.o \ |
31 ssh-pkcs11.o smult_curve25519_ref.o \ |
31 poly1305.o chacha.o cipher-chachapoly.o \ |
32 poly1305.o chacha.o cipher-chachapoly.o \ |
32 ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \ |
33 @@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw |
33 @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw |
|
34 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
34 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
35 auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
35 auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
36 monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ |
36 monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ |
37 - auth2-gss.o gss-serv.o gss-serv-krb5.o \ |
37 - auth2-gss.o gss-serv.o gss-serv-krb5.o \ |
38 + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ |
38 + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ |
39 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
39 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
40 sftp-server.o sftp-common.o \ |
40 sftp-server.o sftp-common.o sftp_provider.o \ |
41 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
41 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
42 diff -rupN old/auth.c new/auth.c |
42 diff -pur old/auth.c new/auth.c |
43 --- old/auth.c 2017-01-11 18:18:17.172126803 -0800 |
43 --- old/auth.c |
44 +++ new/auth.c 2017-01-11 18:21:06.506811958 -0800 |
44 +++ new/auth.c |
45 @@ -363,6 +363,7 @@ auth_root_allowed(const char *method) |
45 @@ -363,6 +363,7 @@ auth_root_allowed(const char *method) |
46 case PERMIT_NO_PASSWD: |
46 case PERMIT_NO_PASSWD: |
47 if (strcmp(method, "publickey") == 0 || |
47 if (strcmp(method, "publickey") == 0 || |
48 strcmp(method, "hostbased") == 0 || |
48 strcmp(method, "hostbased") == 0 || |
49 + strcmp(method, "gssapi-keyex") == 0 || |
49 + strcmp(method, "gssapi-keyex") == 0 || |
148 - |
148 - |
149 -/* |
149 -/* |
150 * Return the canonical name of the host in the other side of the current |
150 * Return the canonical name of the host in the other side of the current |
151 * connection. The host name is cached, so it is efficient to call this |
151 * connection. The host name is cached, so it is efficient to call this |
152 * several times. |
152 * several times. |
153 diff -rupN old/auth2-gss.c new/auth2-gss.c |
153 diff -pur old/auth2-gss.c new/auth2-gss.c |
154 --- old/auth2-gss.c 2016-09-21 19:40:20.290128383 -0700 |
154 --- old/auth2-gss.c |
155 +++ new/auth2-gss.c 2016-09-21 19:25:47.855250807 -0700 |
155 +++ new/auth2-gss.c |
156 @@ -1,7 +1,7 @@ |
156 @@ -1,7 +1,7 @@ |
157 /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */ |
157 /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */ |
158 |
158 |
159 /* |
159 /* |
160 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
160 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
213 +}; |
213 +}; |
214 + |
214 + |
215 Authmethod method_gssapi = { |
215 Authmethod method_gssapi = { |
216 "gssapi-with-mic", |
216 "gssapi-with-mic", |
217 userauth_gssapi, |
217 userauth_gssapi, |
218 diff -rupN old/auth2.c new/auth2.c |
218 diff -pur old/auth2.c new/auth2.c |
219 --- old/auth2.c 2016-09-21 19:40:20.293020496 -0700 |
219 --- old/auth2.c |
220 +++ new/auth2.c 2016-09-21 19:25:47.497355321 -0700 |
220 +++ new/auth2.c |
221 @@ -70,6 +70,7 @@ extern Authmethod method_passwd; |
221 @@ -70,6 +70,7 @@ extern Authmethod method_passwd; |
222 extern Authmethod method_kbdint; |
222 extern Authmethod method_kbdint; |
223 extern Authmethod method_hostbased; |
223 extern Authmethod method_hostbased; |
224 #ifdef GSSAPI |
224 #ifdef GSSAPI |
225 +extern Authmethod method_gsskeyex; |
225 +extern Authmethod method_gsskeyex; |
333 + "map back to the address.", ntop, name); |
333 + "map back to the address.", ntop, name); |
334 + return strdup(ntop); |
334 + return strdup(ntop); |
335 + } |
335 + } |
336 + return strdup(name); |
336 + return strdup(name); |
337 +} |
337 +} |
338 diff -rupN old/canohost.h new/canohost.h |
338 diff -pur old/canohost.h new/canohost.h |
339 --- old/canohost.h 2016-09-21 19:40:20.298804941 -0700 |
339 --- old/canohost.h |
340 +++ new/canohost.h 2016-09-21 19:25:47.335129267 -0700 |
340 +++ new/canohost.h |
341 @@ -21,6 +21,9 @@ char *get_local_ipaddr(int); |
341 @@ -21,6 +21,9 @@ char *get_local_ipaddr(int); |
342 char *get_local_name(int); |
342 char *get_local_name(int); |
343 int get_local_port(int); |
343 int get_local_port(int); |
344 |
344 |
345 +#include "packet.h" |
345 +#include "packet.h" |
346 +char *remote_hostname(struct ssh *); |
346 +char *remote_hostname(struct ssh *); |
347 + |
347 + |
348 #endif /* _CANOHOST_H */ |
348 #endif /* _CANOHOST_H */ |
349 |
349 |
350 void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *); |
350 void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *); |
351 diff -rupN old/gss-genr.c new/gss-genr.c |
351 diff -pur old/gss-genr.c new/gss-genr.c |
352 --- old/gss-genr.c 2016-09-21 19:40:20.301650203 -0700 |
352 --- old/gss-genr.c |
353 +++ new/gss-genr.c 2016-09-21 19:25:47.301737088 -0700 |
353 +++ new/gss-genr.c |
354 @@ -1,7 +1,7 @@ |
354 @@ -1,7 +1,7 @@ |
355 /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ |
355 /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ |
356 |
356 |
357 /* |
357 /* |
358 - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
358 - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
576 - if (GSS_ERROR(major)) |
576 - if (GSS_ERROR(major)) |
577 + if (GSS_ERROR(major) || intctx != NULL) |
577 + if (GSS_ERROR(major) || intctx != NULL) |
578 ssh_gssapi_delete_ctx(ctx); |
578 ssh_gssapi_delete_ctx(ctx); |
579 |
579 |
580 return (!GSS_ERROR(major)); |
580 return (!GSS_ERROR(major)); |
581 diff -rupN old/gss-serv.c new/gss-serv.c |
581 diff -pur old/gss-serv.c new/gss-serv.c |
582 --- old/gss-serv.c 2016-09-21 19:40:20.304525100 -0700 |
582 --- old/gss-serv.c |
583 +++ new/gss-serv.c 2016-09-21 19:25:47.229908522 -0700 |
583 +++ new/gss-serv.c |
584 @@ -1,7 +1,7 @@ |
584 @@ -1,7 +1,7 @@ |
585 /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ |
585 /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ |
586 |
586 |
587 /* |
587 /* |
588 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
588 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
686 - if (strcmp(k->name, name) == 0) |
686 - if (strcmp(k->name, name) == 0) |
687 + if (strncmp(k->name, name, strlen(k->name)) == 0) |
687 + if (strncmp(k->name, name, strlen(k->name)) == 0) |
688 return k; |
688 return k; |
689 } |
689 } |
690 return NULL; |
690 return NULL; |
691 diff -rupN old/kex.h new/kex.h |
691 diff -pur old/kex.h new/kex.h |
692 --- old/kex.h 2016-09-21 19:40:20.310245128 -0700 |
692 --- old/kex.h |
693 +++ new/kex.h 2016-09-21 19:25:47.142516186 -0700 |
693 +++ new/kex.h |
694 @@ -98,6 +98,9 @@ enum kex_exchange { |
694 @@ -98,6 +98,9 @@ enum kex_exchange { |
695 KEX_DH_GEX_SHA256, |
695 KEX_DH_GEX_SHA256, |
696 KEX_ECDH_SHA2, |
696 KEX_ECDH_SHA2, |
697 KEX_C25519_SHA256, |
697 KEX_C25519_SHA256, |
698 + KEX_GSS_GRP1_SHA1, |
698 + KEX_GSS_GRP1_SHA1, |
721 +int kexgss_server(struct ssh *); |
721 +int kexgss_server(struct ssh *); |
722 +#endif |
722 +#endif |
723 |
723 |
724 int kex_dh_hash(int, const char *, const char *, |
724 int kex_dh_hash(int, const char *, const char *, |
725 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, |
725 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, |
726 diff -rupN old/monitor.c new/monitor.c |
726 diff -pur old/monitor.c new/monitor.c |
727 --- old/monitor.c 2016-09-21 19:40:20.313190151 -0700 |
727 --- old/monitor.c |
728 +++ new/monitor.c 2016-09-21 19:25:47.525137447 -0700 |
728 +++ new/monitor.c |
729 @@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer |
729 @@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer |
730 int mm_answer_gss_accept_ctx(int, Buffer *); |
730 int mm_answer_gss_accept_ctx(int, Buffer *); |
731 int mm_answer_gss_userok(int, Buffer *); |
731 int mm_answer_gss_userok(int, Buffer *); |
732 int mm_answer_gss_checkmic(int, Buffer *); |
732 int mm_answer_gss_checkmic(int, Buffer *); |
733 +int mm_answer_gss_sign(int, Buffer *); |
733 +int mm_answer_gss_sign(int, Buffer *); |
882 + return (0); |
882 + return (0); |
883 +} |
883 +} |
884 + |
884 + |
885 #endif /* GSSAPI */ |
885 #endif /* GSSAPI */ |
886 |
886 |
887 diff -rupN old/monitor.h new/monitor.h |
887 diff -pur old/monitor.h new/monitor.h |
888 --- old/monitor.h 2016-09-21 19:40:20.316049455 -0700 |
888 --- old/monitor.h |
889 +++ new/monitor.h 2016-09-21 19:25:47.113344203 -0700 |
889 +++ new/monitor.h |
890 @@ -68,6 +68,9 @@ enum monitor_reqtype { |
890 @@ -68,6 +68,9 @@ enum monitor_reqtype { |
891 #ifdef PAM_ENHANCEMENT |
891 #ifdef PAM_ENHANCEMENT |
892 MONITOR_REQ_AUTHMETHOD = 114, |
892 MONITOR_REQ_AUTHMETHOD = 114, |
893 #endif |
893 #endif |
894 +#ifdef GSSAPI |
894 +#ifdef GSSAPI |
895 + MONITOR_REQ_GSSSIGN = 130, MONITOR_ANS_GSSSIGN = 131, |
895 + MONITOR_REQ_GSSSIGN = 130, MONITOR_ANS_GSSSIGN = 131, |
896 +#endif |
896 +#endif |
897 }; |
897 }; |
898 |
898 |
899 struct mm_master; |
899 struct mm_master; |
900 diff -rupN old/monitor_wrap.c new/monitor_wrap.c |
900 diff -pur old/monitor_wrap.c new/monitor_wrap.c |
901 --- old/monitor_wrap.c 2016-09-21 19:40:20.318913737 -0700 |
901 --- old/monitor_wrap.c |
902 +++ new/monitor_wrap.c 2016-09-21 19:25:47.668505812 -0700 |
902 +++ new/monitor_wrap.c |
903 @@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user) |
903 @@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user) |
904 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
904 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
905 return (authenticated); |
905 return (authenticated); |
906 } |
906 } |
907 + |
907 + |
927 + return(major); |
927 + return(major); |
928 +} |
928 +} |
929 + |
929 + |
930 #endif /* GSSAPI */ |
930 #endif /* GSSAPI */ |
931 |
931 |
932 diff -rupN old/monitor_wrap.h new/monitor_wrap.h |
932 diff -pur old/monitor_wrap.h new/monitor_wrap.h |
933 --- old/monitor_wrap.h 2016-09-21 19:40:20.321783476 -0700 |
933 --- old/monitor_wrap.h |
934 +++ new/monitor_wrap.h 2016-09-21 19:25:47.026452744 -0700 |
934 +++ new/monitor_wrap.h |
935 @@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct |
935 @@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct |
936 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
936 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
937 int mm_ssh_gssapi_userok(char *user); |
937 int mm_ssh_gssapi_userok(char *user); |
938 OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); |
938 OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); |
939 +OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
939 +OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
940 #endif |
940 #endif |
941 |
941 |
942 #ifdef USE_PAM |
942 #ifdef USE_PAM |
943 diff -rupN old/readconf.c new/readconf.c |
943 diff -pur old/readconf.c new/readconf.c |
944 --- old/readconf.c 2016-09-21 19:40:20.324827120 -0700 |
944 --- old/readconf.c |
945 +++ new/readconf.c 2016-09-21 19:25:47.885753634 -0700 |
945 +++ new/readconf.c |
946 @@ -160,6 +160,7 @@ typedef enum { |
946 @@ -160,6 +160,7 @@ typedef enum { |
947 oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
947 oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
948 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
948 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
949 oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
949 oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
950 + oGssKeyEx, |
950 + oGssKeyEx, |
997 + options->gss_keyex = 0; |
997 + options->gss_keyex = 0; |
998 +#endif |
998 +#endif |
999 if (options->gss_deleg_creds == -1) |
999 if (options->gss_deleg_creds == -1) |
1000 options->gss_deleg_creds = 0; |
1000 options->gss_deleg_creds = 0; |
1001 if (options->password_authentication == -1) |
1001 if (options->password_authentication == -1) |
1002 diff -rupN old/readconf.h new/readconf.h |
1002 diff -pur old/readconf.h new/readconf.h |
1003 --- old/readconf.h 2016-09-21 19:40:20.327689956 -0700 |
1003 --- old/readconf.h |
1004 +++ new/readconf.h 2016-09-21 19:25:47.449284716 -0700 |
1004 +++ new/readconf.h |
1005 @@ -45,6 +45,7 @@ typedef struct { |
1005 @@ -45,6 +45,7 @@ typedef struct { |
1006 int challenge_response_authentication; |
1006 int challenge_response_authentication; |
1007 /* Try S/Key or TIS, authentication. */ |
1007 /* Try S/Key or TIS, authentication. */ |
1008 int gss_authentication; /* Try GSS authentication */ |
1008 int gss_authentication; /* Try GSS authentication */ |
1009 + int gss_keyex; /* Try GSS key exchange */ |
1009 + int gss_keyex; /* Try GSS key exchange */ |
1010 int gss_deleg_creds; /* Delegate GSS credentials */ |
1010 int gss_deleg_creds; /* Delegate GSS credentials */ |
1011 int password_authentication; /* Try password |
1011 int password_authentication; /* Try password |
1012 * authentication. */ |
1012 * authentication. */ |
1013 diff -rupN old/servconf.c new/servconf.c |
1013 diff -pur old/servconf.c new/servconf.c |
1014 --- old/servconf.c 2016-09-21 19:40:20.330699306 -0700 |
1014 --- old/servconf.c |
1015 +++ new/servconf.c 2016-09-21 19:25:47.054209571 -0700 |
1015 +++ new/servconf.c |
1016 @@ -117,6 +117,7 @@ initialize_server_options(ServerOptions |
1016 @@ -117,6 +117,7 @@ initialize_server_options(ServerOptions |
1017 options->kerberos_ticket_cleanup = -1; |
1017 options->kerberos_ticket_cleanup = -1; |
1018 options->kerberos_get_afs_token = -1; |
1018 options->kerberos_get_afs_token = -1; |
1019 options->gss_authentication=-1; |
1019 options->gss_authentication=-1; |
1020 + options->gss_keyex = -1; |
1020 + options->gss_keyex = -1; |
1077 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
1077 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
1078 + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); |
1078 + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); |
1079 #ifndef USE_GSS_STORE_CRED |
1079 #ifndef USE_GSS_STORE_CRED |
1080 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
1080 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
1081 #endif /* !USE_GSS_STORE_CRED */ |
1081 #endif /* !USE_GSS_STORE_CRED */ |
1082 diff -rupN old/servconf.h new/servconf.h |
1082 diff -pur old/servconf.h new/servconf.h |
1083 --- old/servconf.h 2016-09-21 19:40:20.333544958 -0700 |
1083 --- old/servconf.h |
1084 +++ new/servconf.h 2016-09-21 19:25:47.739063955 -0700 |
1084 +++ new/servconf.h |
1085 @@ -122,6 +122,7 @@ typedef struct { |
1085 @@ -122,6 +122,7 @@ typedef struct { |
1086 int kerberos_get_afs_token; /* If true, try to get AFS token if |
1086 int kerberos_get_afs_token; /* If true, try to get AFS token if |
1087 * authenticated with Kerberos. */ |
1087 * authenticated with Kerberos. */ |
1088 int gss_authentication; /* If true, permit GSSAPI authentication */ |
1088 int gss_authentication; /* If true, permit GSSAPI authentication */ |
1089 + int gss_keyex; /* If true, permit GSSAPI key exchange */ |
1089 + int gss_keyex; /* If true, permit GSSAPI key exchange */ |
1090 int gss_cleanup_creds; /* If true, destroy cred cache on logout */ |
1090 int gss_cleanup_creds; /* If true, destroy cred cache on logout */ |
1091 int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ |
1091 int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ |
1092 int password_authentication; /* If true, permit password |
1092 int password_authentication; /* If true, permit password |
1093 diff -rupN old/ssh-gss.h new/ssh-gss.h |
1093 diff -pur old/ssh-gss.h new/ssh-gss.h |
1094 --- old/ssh-gss.h 2016-09-21 19:40:20.336386442 -0700 |
1094 --- old/ssh-gss.h |
1095 +++ new/ssh-gss.h 2016-09-21 19:25:47.600702960 -0700 |
1095 +++ new/ssh-gss.h |
1096 @@ -61,6 +61,17 @@ |
1096 @@ -61,6 +61,17 @@ |
1097 |
1097 |
1098 #define SSH_GSS_OIDTYPE 0x06 |
1098 #define SSH_GSS_OIDTYPE 0x06 |
1099 |
1099 |
1100 +#define SSH2_MSG_KEXGSS_INIT 30 |
1100 +#define SSH2_MSG_KEXGSS_INIT 30 |
1138 +char *ssh_gssapi_server_mechanisms(void); |
1138 +char *ssh_gssapi_server_mechanisms(void); |
1139 +int ssh_gssapi_oid_table_ok(); |
1139 +int ssh_gssapi_oid_table_ok(); |
1140 #endif /* GSSAPI */ |
1140 #endif /* GSSAPI */ |
1141 |
1141 |
1142 #endif /* _SSH_GSS_H */ |
1142 #endif /* _SSH_GSS_H */ |
1143 diff -rupN old/ssh_config.5 new/ssh_config.5 |
1143 diff -pur old/ssh_config.5 new/ssh_config.5 |
1144 --- old/ssh_config.5 2016-09-21 19:40:20.339307715 -0700 |
1144 --- old/ssh_config.5 |
1145 +++ new/ssh_config.5 2016-09-21 19:25:47.188814608 -0700 |
1145 +++ new/ssh_config.5 |
1146 @@ -834,6 +834,12 @@ The default is |
1146 @@ -834,6 +834,12 @@ The default is |
1147 Specifies whether user authentication based on GSSAPI is allowed. |
1147 Specifies whether user authentication based on GSSAPI is allowed. |
1148 The default on Solaris is |
1148 The default on Solaris is |
1149 .Dq yes . |
1149 .Dq yes . |
1150 +.It Cm GSSAPIKeyExchange |
1150 +.It Cm GSSAPIKeyExchange |
1154 +.Dq yes . |
1154 +.Dq yes . |
1155 +Note that this option applies to protocol version 2 only. |
1155 +Note that this option applies to protocol version 2 only. |
1156 .It Cm GSSAPIDelegateCredentials |
1156 .It Cm GSSAPIDelegateCredentials |
1157 Forward (delegate) credentials to the server. |
1157 Forward (delegate) credentials to the server. |
1158 The default is |
1158 The default is |
1159 diff -rupN old/sshconnect2.c new/sshconnect2.c |
1159 diff -pur old/sshconnect2.c new/sshconnect2.c |
1160 --- old/sshconnect2.c 2016-09-21 19:40:20.342249196 -0700 |
1160 --- old/sshconnect2.c |
1161 +++ new/sshconnect2.c 2016-09-21 19:25:47.810679787 -0700 |
1161 +++ new/sshconnect2.c |
1162 @@ -165,11 +165,35 @@ ssh_kex2(char *host, struct sockaddr *ho |
1162 @@ -165,11 +165,35 @@ ssh_kex2(char *host, struct sockaddr *ho |
1163 char *s; |
1163 char *s; |
1164 struct kex *kex; |
1164 struct kex *kex; |
1165 int r; |
1165 int r; |
1166 +#ifdef GSSAPI |
1166 +#ifdef GSSAPI |
1407 + } |
1407 + } |
1408 +#endif |
1408 +#endif |
1409 kex->server = 1; |
1409 kex->server = 1; |
1410 kex->client_version_string=client_version_string; |
1410 kex->client_version_string=client_version_string; |
1411 kex->server_version_string=server_version_string; |
1411 kex->server_version_string=server_version_string; |
1412 diff -rupN old/sshd_config.5 new/sshd_config.5 |
1412 diff -pur old/sshd_config.5 new/sshd_config.5 |
1413 --- old/sshd_config.5 2016-09-21 19:40:20.348225013 -0700 |
1413 --- old/sshd_config.5 |
1414 +++ new/sshd_config.5 2016-09-21 19:25:47.433470021 -0700 |
1414 +++ new/sshd_config.5 |
1415 @@ -632,6 +632,11 @@ The default is |
1415 @@ -632,6 +632,11 @@ The default is |
1416 Specifies whether user authentication based on GSSAPI is allowed. |
1416 Specifies whether user authentication based on GSSAPI is allowed. |
1417 The default on Solaris is |
1417 The default on Solaris is |
1418 .Dq yes . |
1418 .Dq yes . |
1419 +.It Cm GSSAPIKeyExchange |
1419 +.It Cm GSSAPIKeyExchange |
1422 +The default on Solaris is |
1422 +The default on Solaris is |
1423 +.Dq yes . |
1423 +.Dq yes . |
1424 .It Cm GSSAPICleanupCredentials |
1424 .It Cm GSSAPICleanupCredentials |
1425 Specifies whether to automatically destroy the user's credentials cache |
1425 Specifies whether to automatically destroy the user's credentials cache |
1426 on logout. |
1426 on logout. |
1427 diff -rupN old/sshkey.c new/sshkey.c |
1427 diff -pur old/sshkey.c new/sshkey.c |
1428 --- old/sshkey.c 2016-09-21 19:40:20.351243462 -0700 |
1428 --- old/sshkey.c |
1429 +++ new/sshkey.c 2016-09-21 19:25:47.271519675 -0700 |
1429 +++ new/sshkey.c |
1430 @@ -115,6 +115,7 @@ static const struct keytype keytypes[] = |
1430 @@ -115,6 +115,7 @@ static const struct keytype keytypes[] = |
1431 # endif /* OPENSSL_HAS_NISTP521 */ |
1431 # endif /* OPENSSL_HAS_NISTP521 */ |
1432 # endif /* OPENSSL_HAS_ECC */ |
1432 # endif /* OPENSSL_HAS_ECC */ |
1433 #endif /* WITH_OPENSSL */ |
1433 #endif /* WITH_OPENSSL */ |
1434 + { "null", "null", KEY_NULL, 0, 0 }, |
1434 + { "null", "null", KEY_NULL, 0, 0 }, |
1435 { NULL, NULL, -1, -1, 0, 0 } |
1435 { NULL, NULL, -1, -1, 0, 0 } |
1436 }; |
1436 }; |
1437 |
1437 |
1438 diff -rupN old/sshkey.h new/sshkey.h |
1438 diff -pur old/sshkey.h new/sshkey.h |
1439 --- old/sshkey.h 2016-09-21 19:40:20.354147713 -0700 |
1439 --- old/sshkey.h |
1440 +++ new/sshkey.h 2016-09-21 19:25:47.934179627 -0700 |
1440 +++ new/sshkey.h |
1441 @@ -62,6 +62,7 @@ enum sshkey_types { |
1441 @@ -62,6 +62,7 @@ enum sshkey_types { |
1442 KEY_DSA_CERT, |
1442 KEY_DSA_CERT, |
1443 KEY_ECDSA_CERT, |
1443 KEY_ECDSA_CERT, |
1444 KEY_ED25519_CERT, |
1444 KEY_ED25519_CERT, |
1445 + KEY_NULL, |
1445 + KEY_NULL, |