Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openssh/patches/051-GSSAPIStrictAcceptorCheck_yes.patch
author Tomas Kuthan <tomas.kuthan@oracle.com>
Wed, 11 Jan 2017 12:12:15 -0800
changeset 7560 9732971b7855
permissions -rw-r--r--
23227315 sshd offers GSS-API key exchange despite having no keytab 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless

#
# GSSAPIStrictAcceptorCheck should default to yes as documented
#
# When GSSAPIStrictAcceptorCheck is not explicitely specified in sshd_config,
# the default value should be yes. It is documented in sshd_config(5) this
# way and it preserves original behavior.
#
# Also GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange,
# where it make the server willing to negotiate GSS-API key exchange, although
# no keytab was provided.
#
# Patch source: in-house
# Reported upstream:
# https://bugzilla.mindrot.org/show_bug.cgi?id=2637
#
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
@@ -323,7 +323,7 @@ fill_default_server_options(ServerOption
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
 	if (options->gss_strict_acceptor == -1)
-		options->gss_strict_acceptor = 0;
+		options->gss_strict_acceptor = 1;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
upstream/oracle/userland-gate