25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless s11u3-sru
authorJan Parcel <jan.parcel@oracle.com>
Mon, 23 Jan 2017 15:33:59 -0800
branchs11u3-sru
changeset 7594 022a611ded2d
parent 7592 12dea84f307b
child 7595 a454f5e35b4c
25135484 auth_root_allowed: classify 'gssapi-keyex' method as passwordless 25044066 sshd error: session_by_pid: unknown pid when root ssh session exits
components/openssh/patches/023-gsskex.patch
components/openssh/patches/047-login_grace_time_watchdog.patch
--- a/components/openssh/patches/023-gsskex.patch	Mon Jan 23 11:25:04 2017 -0800
+++ b/components/openssh/patches/023-gsskex.patch	Mon Jan 23 15:33:59 2017 -0800
@@ -40,9 +40,17 @@
  	sftp-server.o sftp-common.o \
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
 diff -rupN old/auth.c new/auth.c
---- old/auth.c	2016-09-21 19:40:20.287164940 -0700
-+++ new/auth.c	2016-09-21 19:25:47.928961550 -0700
[email protected]@ -786,99 +786,6 @@ fakepw(void)
+--- old/auth.c	2017-01-11 18:18:17.172126803 -0800
++++ new/auth.c	2017-01-11 18:21:06.506811958 -0800
[email protected]@ -363,6 +363,7 @@ auth_root_allowed(const char *method)
+ 	case PERMIT_NO_PASSWD:
+ 		if (strcmp(method, "publickey") == 0 ||
+ 		    strcmp(method, "hostbased") == 0 ||
++		    strcmp(method, "gssapi-keyex") == 0 ||
+ 		    strcmp(method, "gssapi-with-mic") == 0)
+ 			return 1;
+ 		break;
[email protected]@ -786,99 +787,6 @@ fakepw(void)
  }
  
  /*
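Review bot: The `PERMIT_NO_PASSWD` branch of auth_root_allowed() is a bare strcmp() chain with no statement of why each method qualifies, which is presumably how 'gssapi-keyex' was left out when the key-exchange method was added. I would put a comment above the condition, for example `/* Methods that never send a password; every new passwordless userauth method must be listed here. */`. With this line, root login through GSS-API key exchange is accepted when PermitRootLogin is in its no-password mode. Root access then appears to depend on the GSS-API principal-to-user authorization, which is inferred rather than visible here, and the comment or the patch description should say so for administrators. The function body starts and ends outside the hunk, so the other PermitRootLogin cases cannot be checked from here.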
--- a/components/openssh/patches/047-login_grace_time_watchdog.patch	Mon Jan 23 11:25:04 2017 -0800
+++ b/components/openssh/patches/047-login_grace_time_watchdog.patch	Mon Jan 23 15:33:59 2017 -0800
@@ -36,7 +36,7 @@
  
  #ifdef WITH_SSH1
  static void do_ssh1_kex(void);
[email protected]@ -369,12 +376,98 @@ grace_alarm_handler(int sig)
[email protected]@ -369,12 +376,102 @@ grace_alarm_handler(int sig)
  		signal(SIGTERM, SIG_IGN);
  		kill(0, SIGTERM);
  	}
@@ -128,6 +128,10 @@
 +	}
 +
 +	kill(grace_watchdog_pid, SIGTERM);
++	while (waitpid(grace_watchdog_pid, NULL, 0) < 0) {
++		if (errno == EINTR)
++			continue;
++	}
 +	grace_watchdog_pid = -1;
 +}
 +
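Review bot: The added `while (waitpid(grace_watchdog_pid, NULL, 0) < 0)` loop cannot exit on any error other than EINTR, because the `continue` inside the `if` does the same as falling off the end of the body. If waitpid() fails with ECHILD (for example the watchdog was already reaped, or SIGCHLD is ignored in this process), sshd spins here forever. The body should leave the loop on every other error: `if (errno != EINTR) break;`. The `kill()` on the line before is unchecked, and unless the lines above the hunk guard against `grace_watchdog_pid <= 0`, a value of -1 would send SIGTERM to every process sshd is permitted to signal; the function starts outside the hunk, so that guard cannot be confirmed. The blocking wait also assumes the watchdog always terminates on SIGTERM.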
@@ -135,7 +139,7 @@
  /*
   * Signal handler for the key regeneration alarm.  Note that this
   * alarm only occurs in the daemon waiting for connections, and it does not
[email protected]@ -723,6 +816,7 @@ privsep_preauth(Authctxt *authctxt)
[email protected]@ -723,6 +820,7 @@ privsep_preauth(Authctxt *authctxt)
  		/* child */
  		close(pmonitor->m_sendfd);
  		close(pmonitor->m_log_recvfd);
@@ -143,7 +147,7 @@
  
  		/* Arrange for logging to be sent to the monitor */
  		set_log_handler(mm_log_handler, pmonitor);
[email protected]@ -2235,8 +2329,10 @@ main(int ac, char **av)
[email protected]@ -2235,8 +2333,10 @@ main(int ac, char **av)
  	 * are about to discover the bug.
  	 */
  	signal(SIGALRM, grace_alarm_handler);
@@ -155,7 +159,7 @@
  
  	sshd_exchange_identification(ssh, sock_in, sock_out);
  
[email protected]@ -2302,6 +2398,7 @@ main(int ac, char **av)
[email protected]@ -2302,6 +2402,7 @@ main(int ac, char **av)
  	 */
  	alarm(0);
  	signal(SIGALRM, SIG_DFL);