--- a/components/openssh/patches/044-gss_use_default_ccache.patch Mon Feb 06 13:54:36 2017 -0800
+++ b/components/openssh/patches/044-gss_use_default_ccache.patch Mon Feb 06 22:51:03 2017 -0800
@@ -1,3 +1,14 @@
+#
+# Provide per-session credential cache support in OpenSSH in Solaris by
+# introducing new sshd_config option GSSAPIUseDefaultCCache.
+#
+# In the future we plan to provide proper per-session credential cache support
+# in Kerberos in Solaris. When that happens, GSSAPIUseDefaultCCache option
+# will no longer be relevant and we will mark it as deprecated.
+#
+# Patch source: in-house
+# Solaris specific, upstream already has per-session ccache.
+#
diff -pur old/gss-serv.c new/gss-serv.c
--- old/gss-serv.c
+++ new/gss-serv.c
@@ -109,33 +120,33 @@
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
-@@ -170,6 +170,7 @@ initialize_server_options(ServerOptions
- options->ip_qos_bulk = -1;
- options->version_addendum = NULL;
- options->fingerprint_hash = -1;
+@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions
+ */
+ options->pam_service_per_authmethod = 1;
+ #endif
+ options->gss_use_default_ccache = -1;
- #ifdef PAM_ENHANCEMENT
- options->pam_service_name = NULL;
- options->pam_service_prefix = NULL;
-@@ -391,6 +392,8 @@ fill_default_server_options(ServerOption
- options->fwd_opts.streamlocal_bind_unlink = 0;
- if (options->fingerprint_hash == -1)
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ options->authorized_principals_file = NULL;
+ options->authorized_principals_command = NULL;
+ options->authorized_principals_command_user = NULL;
+@@ -363,6 +364,8 @@ fill_default_server_options(ServerOption
+ options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
+ #endif
+
+ if (options->gss_use_default_ccache == -1)
+ options->gss_use_default_ccache = 1;
-
- assemble_algorithms(options);
-
-@@ -483,7 +486,7 @@ typedef enum {
+ if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+ options->fwd_opts.streamlocal_bind_mask = 0177;
+ if (options->fwd_opts.streamlocal_bind_unlink == -1)
+@@ -467,7 +470,7 @@ typedef enum {
+ #endif
+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
+- sKexAlgorithms, sIPQoS, sVersionAddendum,
++ sKexAlgorithms, sIPQoS, sVersionAddendum, sGssUseDefaultCCache,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
-- sAllowStreamLocalForwarding, sFingerprintHash,
-+ sAllowStreamLocalForwarding, sFingerprintHash, sGssUseDefaultCCache,
- sDeprecated, sUnsupported
- } ServerOpCodes;
-
-@@ -548,11 +551,7 @@ static struct {
+@@ -536,11 +539,7 @@ static struct {
{ "gssauthentication", sGssAuthentication, SSHCFG_ALL }, /* alias */
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_ALL },
{ "gsskeyex", sGssKeyEx, SSHCFG_ALL }, /* alias */
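Review bot: The fallback at the `options->gss_use_default_ccache == -1` check in fill_default_server_options (servconf.c part of this hunk, new side) leaves the option defaulting to 1, so delegated credentials land in the shared per-user default cache, which the sshd_config(5) text at the end of this patch says sshd never destroys on logout; that security-relevant consequence is not stated anywhere near the code. I would add a why-comment directly above the check: `/* Default "yes": delegated creds go to the user's default ccache, which sshd does not remove at logout (see GSSAPIUseDefaultCCache in sshd_config(5)). */`. The outer diff marker on those two lines looks lost in rendering, so they may be unchanged context rather than lines this refresh moved; the point stands either way because the default survives the rebase. fill_default_server_options itself begins and ends outside the hunk.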
@@ -147,15 +158,15 @@
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
-@@ -664,6 +663,7 @@ static struct {
- { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
- { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
- { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+@@ -646,6 +645,7 @@ static struct {
+ { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
+ { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
+ { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
+ { "gssapiusedefaultccache", sGssUseDefaultCCache, SSHCFG_GLOBAL },
- { NULL, sBadOption, 0 }
- };
-
-@@ -1359,6 +1359,10 @@ process_server_config_line(ServerOptions
+ { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+ { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+ { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
+@@ -1324,6 +1324,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@@ -166,8 +177,8 @@
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -2436,6 +2440,7 @@ dump_config(ServerOptions *o)
- dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
+@@ -2420,6 +2424,7 @@ dump_config(ServerOptions *o)
+ dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+ dump_cfg_fmtint(sGssUseDefaultCCache, o->gss_use_default_ccache);
@@ -177,7 +188,7 @@
diff -pur old/servconf.h new/servconf.h
--- old/servconf.h
+++ new/servconf.h
-@@ -206,6 +206,7 @@ typedef struct {
+@@ -200,6 +200,7 @@ typedef struct {
#endif
int fingerprint_hash;
@@ -191,7 +202,7 @@
@@ -640,6 +640,18 @@ Specifies whether to automatically destr
on logout.
The default is
- .Dq yes .
+ .Cm yes .
+.It Cm GSSAPIUseDefaultCCache
+Specifies whether delegated GSSAPI credentials are stored in default credential
+cache file (eg. /tmp/krb5cc_100 for a user with UID 100) or in per-session
@@ -203,7 +214,7 @@
+setting however default credential
+caches are never automatically destroyed by sshd on session logout.
+The default is
-+.Dq yes .
++.Cm yes .
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.