Index: gss-serv.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
retrieving revision 1.22
diff -u -p -r1.22 gss-serv.c
--- gss-serv.c 8 May 2008 12:02:23 -0000 1.22
+++ gss-serv.c 11 Jan 2010 05:38:29 -0000
@@ -41,9 +41,12 @@
#include "channels.h"
#include "session.h"
#include "misc.h"
+#include "servconf.h"
#include "ssh-gss.h"
+extern ServerOptions options;
+
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
char lname[MAXHOSTNAMELEN];
gss_OID_set oidset;
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
- if (gethostname(lname, MAXHOSTNAMELEN)) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
+ if (options.gss_strict_acceptor) {
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+ if (gethostname(lname, MAXHOSTNAMELEN)) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
+
+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ gss_release_oid_set(&status, &oidset);
+ return (ctx->major);
+ }
+
+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
+ NULL, NULL)))
+ ssh_gssapi_error(ctx);
- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
+ } else {
+ ctx->name = GSS_C_NO_NAME;
+ ctx->creds = GSS_C_NO_CREDENTIAL;
}
-
- if ((ctx->major = gss_acquire_cred(&ctx->minor,
- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
- ssh_gssapi_error(ctx);
-
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
+ return GSS_S_COMPLETE;
}
/* Privileged */
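Review bot: The new `else` branch near the end of ssh_gssapi_acquire_cred relaxes which acceptor identity sshd will answer for, but nothing in the code says so. With `ctx->name = GSS_C_NO_NAME` and `ctx->creds = GSS_C_NO_CREDENTIAL`, no credential is acquired for the host service on the local hostname, and per the manual text added in this patch the client may then authenticate against any service key in the machine's default store. I would add a comment on that branch, e.g. `/* Not strict: no acceptor name is pinned, so any service key in the default store can be used */`, so the trade-off is visible where it is made. The function starts above the hunk, so whether `ctx->name` or `ctx->creds` can already hold a value that needs releasing before being overwritten is not visible here and is worth confirming.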
Index: servconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.201
diff -u -p -r1.201 servconf.c
--- servconf.c 10 Jan 2010 03:51:17 -0000 1.201
+++ servconf.c 11 Jan 2010 05:34:56 -0000
@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_cleanup_creds = -1;
+ options->gss_strict_acceptor = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
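Review bot: The default assigned in fill_default_server_options, `options->gss_strict_acceptor = 0;`, is the permissive setting, while the sshd_config sample (`#GSSAPIStrictAcceptorCheck yes`) and the sshd_config.5 text in this same patch both state that the default is yes. As written, an sshd with no explicit setting skips the host-service acceptor restriction that applied unconditionally before this change, which silently widens what the server accepts on upgrade. If strict is the intended default, the line should read `options->gss_strict_acceptor = 1;`; otherwise the sample config and manual page need to say no. The function body extends beyond the hunk.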
@@ -277,7 +280,8 @@ typedef enum {
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -327,9 +331,11 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
+ goto parse_flag;
+
+ case sGssStrictAcceptor:
+ intptr = &options->gss_strict_acceptor;
goto parse_flag;
case sPasswordAuthentication:
Index: servconf.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
retrieving revision 1.89
diff -u -p -r1.89 servconf.h
--- servconf.h 9 Jan 2010 23:04:13 -0000 1.89
+++ servconf.h 11 Jan 2010 05:32:28 -0000
@@ -92,6 +92,7 @@ typedef struct {
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
Index: sshd_config
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
retrieving revision 1.81
diff -u -p -r1.81 sshd_config
--- sshd_config 8 Oct 2009 14:03:41 -0000 1.81
+++ sshd_config 11 Jan 2010 05:32:28 -0000
@@ -69,6 +69,7 @@
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.116
diff -u -p -r1.116 sshd_config.5
--- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116
+++ sshd_config.5 11 Jan 2010 05:37:20 -0000
@@ -386,6 +386,21 @@ on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor
+a client authenticates against.
+If set to
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname.
+If set to
+.Dq no
+then the client may authenticate against any service key stored in the
+machine's default store.
+This facility is provided to assist with operation on multi homed machines.
+The default is
+.Dq yes .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed