http://bugs.gentoo.org/165444 https://bugzilla.mindrot.org/show_bug.cgi?id=1008 Index: readconf.c =================================================================== RCS file: /cvs/openssh/readconf.c,v retrieving revision 1.135 diff -u -r1.135 readconf.c --- readconf.c 5 Aug 2006 02:39:40 -0000 1.135 +++ readconf.c 19 Aug 2006 11:59:52 -0000 @@ -126,6 +126,7 @@ oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, + oGssTrustDns, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, @@ -163,9 +164,11 @@ #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, + { "gssapitrustdns", oGssTrustDns }, #else { "gssapiauthentication", oUnsupported }, { "gssapidelegatecredentials", oUnsupported }, + { "gssapitrustdns", oUnsupported }, #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, @@ -444,6 +447,10 @@ intptr = &options->gss_deleg_creds; goto parse_flag; + case oGssTrustDns: + intptr = &options->gss_trust_dns; + goto parse_flag; + case oBatchMode: intptr = &options->batch_mode; goto parse_flag; @@ -1010,6 +1017,7 @@ options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; + options->gss_trust_dns = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; 
@@ -1100,6 +1108,8 @@
 options->gss_authentication = 0;
 if (options->gss_deleg_creds == -1)
 options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
Index: readconf.h
===================================================================
RCS file: /cvs/openssh/readconf.h,v
retrieving revision 1.63
diff -u -r1.63 readconf.h
--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
+++ readconf.h 19 Aug 2006 11:59:52 -0000
@@ -45,6 +45,7 @@
 /* Try S/Key or TIS, authentication. */
 int gss_authentication; /* Try GSS authentication */
 int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
 int password_authentication; /* Try password
 * authentication. */
 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
Index: ssh_config.5
===================================================================
RCS file: /cvs/openssh/ssh_config.5,v
retrieving revision 1.97
diff -u -r1.97 ssh_config.5
--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
+++ ssh_config.5 19 Aug 2006 11:59:53 -0000
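Review bot: The comment on the new struct field in the readconf.h hunk, `/* Trust DNS for GSS canonicalization */`, names a mechanism but not what the flag actually decides, and a reader of the struct does not see the ssh_config.5 text that spells it out. The consumer in sshconnect2.c (outside this hunk) selects either the peer's DNS-derived name or the host name the user supplied as the GSSAPI target, so the comment should say that: `int gss_trust_dns;	/* Take the GSSAPI target host from DNS instead of the typed name */`. The default of 0 set in the readconf.c hunk above is the safe choice and is worth keeping explicit in the ssh_config.5 text, which this commit already does.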
@@ -483,7 +483,16 @@ Forward (delegate) credentials to the server. The default is .Dq no . -Note that this option applies to protocol version 2 only. +Note that this option applies to protocol version 2 connections using GSSAPI. +.It Cm GSSAPITrustDns +Set to +.Dq yes to indicate that the DNS is trusted to securely canonicalize +the name of the host being connected to. If +.Dq no, the hostname entered on the +command line will be passed untouched to the GSSAPI library. +The default is +.Dq no . +This option only applies to protocol version 2 connections using GSSAPI. .It Cm HashKnownHosts Indicates that .Xr ssh 1 Index: sshconnect2.c =================================================================== RCS file: /cvs/openssh/sshconnect2.c,v retrieving revision 1.151 diff -u -r1.151 sshconnect2.c --- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151 +++ sshconnect2.c 19 Aug 2006 11:59:53 -0000 @@ -499,6 +499,12 @@ static u_int mech = 0; OM_uint32 min; int ok = 0; + const char *gss_host; + + if (options.gss_trust_dns) + gss_host = get_canonical_hostname(1); + else + gss_host = authctxt->host; /* Try one GSSAPI method at a time, rather than sending them all at * once. */ @@ -511,7 +517,7 @@ /* My DER encoding requires length<128 */ if (gss_supported->elements[mech].length < 128 && ssh_gssapi_check_mechanism(&gssctxt, - &gss_supported->elements[mech], authctxt->host)) { + &gss_supported->elements[mech], gss_host)) { ok = 1; /* Mechanism works */ } else { mech++;
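Review bot: In the @@ -499 hunk, `gss_host = get_canonical_hostname(1)` makes whatever name the lookup returns the host part of the GSSAPI target principal, and nothing in the hunk compares that name with `authctxt->host`, so with GSSAPITrustDns set a resolver answer or PTR record under an attacker's control decides which service the client obtains and presents a ticket for. The man-page hunk admits as much ("the DNS is trusted"), but the code carries no such warning, and the reader of userauth_gssapi will not see ssh_config.5. I would put the caveat at the assignment: `/* DNS-derived name becomes the GSSAPI target principal; only as trustworthy as the resolver path (DNSSEC or an authenticated resolver), hence off by default. */`. get_canonical_hostname is defined in canohost.c, outside this diff, so its reverse-lookup behaviour is inferred from the use_dns argument rather than visible here; the enclosing function starts and ends outside the hunk.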