40 sftp-server.o sftp-common.o sftp_provider.o \ |
40 sftp-server.o sftp-common.o sftp_provider.o \ |
41 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
41 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
42 diff -pur old/auth.c new/auth.c |
42 diff -pur old/auth.c new/auth.c |
43 --- old/auth.c |
43 --- old/auth.c |
44 +++ new/auth.c |
44 +++ new/auth.c |
45 @@ -786,99 +786,6 @@ fakepw(void) |
45 @@ -363,6 +363,7 @@ auth_root_allowed(const char *method) |
|
46 case PERMIT_NO_PASSWD: |
|
47 if (strcmp(method, "publickey") == 0 || |
|
48 strcmp(method, "hostbased") == 0 || |
|
49 + strcmp(method, "gssapi-keyex") == 0 || |
|
50 strcmp(method, "gssapi-with-mic") == 0) |
|
51 return 1; |
|
52 break; |
|
53 @@ -786,99 +787,6 @@ fakepw(void) |
46 } |
54 } |
47 |
55 |
48 /* |
56 /* |
49 - * Returns the remote DNS hostname as a string. The returned string must not |
57 - * Returns the remote DNS hostname as a string. The returned string must not |
50 - * be freed. NB. this will usually trigger a DNS query the first time it is |
58 - * be freed. NB. this will usually trigger a DNS query the first time it is |
1402 kex->client_version_string=client_version_string; |
1410 kex->client_version_string=client_version_string; |
1403 kex->server_version_string=server_version_string; |
1411 kex->server_version_string=server_version_string; |
1404 diff -pur old/sshd_config.5 new/sshd_config.5 |
1412 diff -pur old/sshd_config.5 new/sshd_config.5 |
1405 --- old/sshd_config.5 |
1413 --- old/sshd_config.5 |
1406 +++ new/sshd_config.5 |
1414 +++ new/sshd_config.5 |
1407 @@ -632,6 +632,11 @@ The default is |
1415 @@ -632,6 +632,22 @@ The default is |
1408 Specifies whether user authentication based on GSSAPI is allowed. |
1416 Specifies whether user authentication based on GSSAPI is allowed. |
1409 The default on Solaris is |
1417 The default on Solaris is |
1410 .Dq yes . |
1418 .Dq yes . |
1411 +.It Cm GSSAPIKeyExchange |
1419 +.It Cm GSSAPIKeyExchange |
1412 +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange |
1420 +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange |
1413 +doesn't rely on ssh keys to verify host identity. |
1421 +doesn't rely on ssh keys to verify host identity. |
1414 +The default on Solaris is |
1422 +The default on Solaris is |
1415 +.Dq yes . |
1423 +.Dq yes . |
|
1424 +.Pp |
|
1425 +By default the server only offers the GSSAPI key exchange, if it can acquire |
|
1426 +acceptor credentials for |
|
1427 +.Pa host |
|
1428 +service on the current hostname. But when |
|
1429 +.Cm GSSAPIStrictAcceptorCheck |
|
1430 +is set to |
|
1431 +.Dq no , |
|
1432 +the server will always offer GSSAPI key |
|
1433 +exchange, although it may not be able to accept security context (which will |
|
1434 +cause the key exchange to fail). |
1416 .It Cm GSSAPICleanupCredentials |
1435 .It Cm GSSAPICleanupCredentials |
1417 Specifies whether to automatically destroy the user's credentials cache |
1436 Specifies whether to automatically destroy the user's credentials cache |
1418 on logout. |
1437 on logout. |
1419 diff -pur old/sshkey.c new/sshkey.c |
1438 diff -pur old/sshkey.c new/sshkey.c |
1420 --- old/sshkey.c |
1439 --- old/sshkey.c |