components/openssh/patches/044-gss_use_default_ccache.patch
changeset 7649 69d7508f0d66
parent 6187 6a58453cea53
--- a/components/openssh/patches/044-gss_use_default_ccache.patch	Mon Feb 06 13:54:36 2017 -0800
+++ b/components/openssh/patches/044-gss_use_default_ccache.patch	Mon Feb 06 22:51:03 2017 -0800
@@ -1,3 +1,14 @@
+#
+# Provide per-session credential cache support in OpenSSH in Solaris by
+# introducing new sshd_config option GSSAPIUseDefaultCCache.
+#
+# In the future we plan to provide proper per-session credential cache support
+# in Kerberos in Solaris. When that happens, GSSAPIUseDefaultCCache option
+# will no longer be relevant and we will mark it as deprecated.
+#
+# Patch source: in-house
+# Solaris specific, upstream already has per-session ccache.
+#
 diff -pur old/gss-serv.c new/gss-serv.c
 --- old/gss-serv.c
 +++ new/gss-serv.c
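Review bot: The new header explains what GSSAPIUseDefaultCCache is for but not what it defaults to, which is the one fact a packager deciding whether to carry this patch needs: the patch body pins it to yes (`options->gss_use_default_ccache = 1` in fill_default_server_options), and the man-page hunk further down states that a default credential cache is never destroyed by sshd on logout. A line such as `# Defaults to "yes", i.e. delegated credentials go to the user's default ccache (not destroyed on logout); "no" selects per-session caches.` after the purpose paragraph would make that visible without opening the C hunks. The deprecation sentence could likewise say that the option will be deprecated rather than removed, so existing sshd_config files keep parsing, if that is the intent.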
@@ -109,33 +120,33 @@
 diff -pur old/servconf.c new/servconf.c
 --- old/servconf.c
 +++ new/servconf.c
-@@ -170,6 +170,7 @@ initialize_server_options(ServerOptions
- 	options->ip_qos_bulk = -1;
- 	options->version_addendum = NULL;
- 	options->fingerprint_hash = -1;
+@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions
+ 	 */
+ 	options->pam_service_per_authmethod = 1;
+ #endif
 +	options->gss_use_default_ccache = -1;
- #ifdef PAM_ENHANCEMENT
- 	options->pam_service_name = NULL;
- 	options->pam_service_prefix = NULL;
-@@ -391,6 +392,8 @@ fill_default_server_options(ServerOption
- 		options->fwd_opts.streamlocal_bind_unlink = 0;
- 	if (options->fingerprint_hash == -1)
- 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ 	options->authorized_principals_file = NULL;
+ 	options->authorized_principals_command = NULL;
+ 	options->authorized_principals_command_user = NULL;
+@@ -363,6 +364,8 @@ fill_default_server_options(ServerOption
+ 		options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
+ #endif
+ 
 +	if (options->gss_use_default_ccache == -1)
 +		options->gss_use_default_ccache = 1;
- 
- 	assemble_algorithms(options);
- 
-@@ -483,7 +486,7 @@ typedef enum {
+ 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+ 		options->fwd_opts.streamlocal_bind_mask = 0177;
+ 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
+@@ -467,7 +470,7 @@ typedef enum {
+ #endif
+ 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
+-	sKexAlgorithms, sIPQoS, sVersionAddendum,
++	sKexAlgorithms, sIPQoS, sVersionAddendum, sGssUseDefaultCCache,
  	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
  	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
  	sStreamLocalBindMask, sStreamLocalBindUnlink,
--	sAllowStreamLocalForwarding, sFingerprintHash,
-+	sAllowStreamLocalForwarding, sFingerprintHash, sGssUseDefaultCCache,
- 	sDeprecated, sUnsupported
- } ServerOpCodes;
- 
-@@ -548,11 +551,7 @@ static struct {
+@@ -536,11 +539,7 @@ static struct {
  	{ "gssauthentication", sGssAuthentication, SSHCFG_ALL },   /* alias */
  	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_ALL },
  	{ "gsskeyex", sGssKeyEx, SSHCFG_ALL },                     /* alias */
@@ -147,15 +158,15 @@
  	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
-@@ -664,6 +663,7 @@ static struct {
- 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
- 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
- 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+@@ -646,6 +645,7 @@ static struct {
+ 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
+ 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
+ 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
 +	{ "gssapiusedefaultccache", sGssUseDefaultCCache, SSHCFG_GLOBAL },
- 	{ NULL, sBadOption, 0 }
- };
- 
-@@ -1359,6 +1359,10 @@ process_server_config_line(ServerOptions
+ 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+ 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+ 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
+@@ -1324,6 +1324,10 @@ process_server_config_line(ServerOptions
  		intptr = &options->gss_strict_acceptor;
  		goto parse_flag;
  
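Review bot: The `{ "gssapiusedefaultccache", sGssUseDefaultCCache, SSHCFG_GLOBAL }` entry is registered after `authorizedprincipalscommanduser` (inner hunk `@@ -646,6 +645,7 @@`), outside the conditional table whose `#else` branch maps the sibling keywords to `sUnsupported` (`{ "gssapiauthentication", sUnsupported, SSHCFG_ALL }` at the top of this hunk). If that block is the usual `#ifdef GSSAPI`, a build without GSSAPI would silently accept and parse GSSAPIUseDefaultCCache as a flag instead of rejecting it like its siblings; the rebase moved the entry but kept that placement, and the same grouping applies to `sGssUseDefaultCCache` being appended after `sVersionAddendum` in the ServerOpCodes enum (hunk `@@ -109,33 +120,33 @@`) and the dump line after `sFingerprintHash` (hunk `@@ -166,8 +177,8 @@`). Consider moving the table entry next to `gssapistrictacceptorcheck` and adding `{ "gssapiusedefaultccache", sUnsupported, SSHCFG_GLOBAL },` to the `#else` branch, keeping the enum member with the other sGss* codes. The `case sGssUseDefaultCCache:` added by inner hunk `@@ -1324,6 +1324,10 @@` falls between this hunk and the next and is not visible here.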
@@ -166,8 +177,8 @@
  	case sPasswordAuthentication:
  		intptr = &options->password_authentication;
  		goto parse_flag;
-@@ -2436,6 +2440,7 @@ dump_config(ServerOptions *o)
- 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
+@@ -2420,6 +2424,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
  	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
  	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 +	dump_cfg_fmtint(sGssUseDefaultCCache, o->gss_use_default_ccache);
@@ -177,7 +188,7 @@
 diff -pur old/servconf.h new/servconf.h
 --- old/servconf.h
 +++ new/servconf.h
-@@ -206,6 +206,7 @@ typedef struct {
+@@ -200,6 +200,7 @@ typedef struct {
  #endif
          
  	int	fingerprint_hash;
@@ -191,7 +202,7 @@
 @@ -640,6 +640,18 @@ Specifies whether to automatically destr
  on logout.
  The default is
- .Dq yes .
+ .Cm yes .
 +.It Cm GSSAPIUseDefaultCCache
 +Specifies whether delegated GSSAPI credentials are stored in default credential
 +cache file (eg. /tmp/krb5cc_100 for a user with UID 100) or in per-session
@@ -203,7 +214,7 @@
 +setting however default credential
 +caches are never automatically destroyed by sshd on session logout.
 +The default is 
-+.Dq yes .
++.Cm yes .
  .It Cm GSSAPIStrictAcceptorCheck
  Determines whether to be strict about the identity of the GSSAPI acceptor
  a client authenticates against.