23227315 sshd offers GSS-API key exchange despite having no keytab
25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
--- a/components/openssh/patches/023-gsskex.patch Wed Jan 11 10:37:16 2017 -0800
+++ b/components/openssh/patches/023-gsskex.patch Wed Jan 11 12:12:15 2017 -0800
@@ -42,7 +42,15 @@
diff -pur old/auth.c new/auth.c
--- old/auth.c
+++ new/auth.c
-@@ -786,99 +786,6 @@ fakepw(void)
+@@ -363,6 +363,7 @@ auth_root_allowed(const char *method)
+ case PERMIT_NO_PASSWD:
+ if (strcmp(method, "publickey") == 0 ||
+ strcmp(method, "hostbased") == 0 ||
++ strcmp(method, "gssapi-keyex") == 0 ||
+ strcmp(method, "gssapi-with-mic") == 0)
+ return 1;
+ break;
+@@ -786,99 +787,6 @@ fakepw(void)
}
/*
@@ -1404,7 +1412,7 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -632,6 +632,11 @@ The default is
+@@ -632,6 +632,22 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default on Solaris is
.Dq yes .
@@ -1413,6 +1421,17 @@
+doesn't rely on ssh keys to verify host identity.
+The default on Solaris is
+.Dq yes .
++.Pp
++By default the server only offers the GSSAPI key exchange, if it can acquire
++acceptor credentials for
++.Pa host
++service on the current hostname. But when
++.Cm GSSAPIStrictAcceptorCheck
++is set to
++.Dq no ,
++the server will always offer GSSAPI key
++exchange, although it may not be able to accept security context (which will
++cause the key exchange to fail).
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/051-GSSAPIStrictAcceptorCheck_yes.patch Wed Jan 11 12:12:15 2017 -0800
@@ -0,0 +1,27 @@
+#
+# GSSAPIStrictAcceptorCheck should default to yes as documented
+#
+# When GSSAPIStrictAcceptorCheck is not explicitely specified in sshd_config,
+# the default value should be yes. It is documented in sshd_config(5) this
+# way and it preserves original behavior.
+#
+# Also GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange,
+# where it make the server willing to negotiate GSS-API key exchange, although
+# no keytab was provided.
+#
+# Patch source: in-house
+# Reported upstream:
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2637
+#
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
+@@ -323,7 +323,7 @@ fill_default_server_options(ServerOption
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+- options->gss_strict_acceptor = 0;
++ options->gss_strict_acceptor = 1;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)