summaryrefslogtreecommitdiff
path: root/net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
diff options
context:
space:
mode:
Diffstat (limited to 'net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch')
-rw-r--r--net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch184
1 files changed, 0 insertions, 184 deletions
diff --git a/net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 6377d036..00000000
--- a/net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-Index: gss-serv.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
-retrieving revision 1.22
-diff -u -p -r1.22 gss-serv.c
---- gss-serv.c 8 May 2008 12:02:23 -0000 1.22
-+++ gss-serv.c 11 Jan 2010 05:38:29 -0000
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
-
- #include "ssh-gss.h"
-
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[MAXHOSTNAMELEN];
- gss_OID_set oidset;
-
-- gss_create_empty_oid_set(&status, &oidset);
-- gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-- gss_release_oid_set(&status, &oidset);
-- return (-1);
-- }
-+ if (options.gss_strict_acceptor) {
-+ gss_create_empty_oid_set(&status, &oidset);
-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
-+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (ctx->major);
-+ }
-+
-+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
-+ ssh_gssapi_error(ctx);
-
-- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
--
-- if ((ctx->major = gss_acquire_cred(&ctx->minor,
-- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-- ssh_gssapi_error(ctx);
--
-- gss_release_oid_set(&status, &oidset);
-- return (ctx->major);
-+ return GSS_S_COMPLETE;
- }
-
- /* Privileged */
-Index: servconf.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
-retrieving revision 1.201
-diff -u -p -r1.201 servconf.c
---- servconf.c 10 Jan 2010 03:51:17 -0000 1.201
-+++ servconf.c 11 Jan 2010 05:34:56 -0000
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
-+ options->gss_strict_acceptor = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
-+ if (options->gss_strict_acceptor == -1)
-+ options->gss_strict_acceptor = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- sClientAliveCountMax, sAuthorizedKeysFile,
-- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+ sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
-
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
-+ goto parse_flag;
-+
-+ case sGssStrictAcceptor:
-+ intptr = &options->gss_strict_acceptor;
- goto parse_flag;
-
- case sPasswordAuthentication:
-Index: servconf.h
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
-retrieving revision 1.89
-diff -u -p -r1.89 servconf.h
---- servconf.h 9 Jan 2010 23:04:13 -0000 1.89
-+++ servconf.h 11 Jan 2010 05:32:28 -0000
-@@ -92,6 +92,7 @@ typedef struct {
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
-+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
-Index: sshd_config
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
-retrieving revision 1.81
-diff -u -p -r1.81 sshd_config
---- sshd_config 8 Oct 2009 14:03:41 -0000 1.81
-+++ sshd_config 11 Jan 2010 05:32:28 -0000
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-Index: sshd_config.5
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
-retrieving revision 1.116
-diff -u -p -r1.116 sshd_config.5
---- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116
-+++ sshd_config.5 11 Jan 2010 05:37:20 -0000
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-12 22:53:28 +0000