[90892] trunk/dports/net/openssh
jwa at macports.org
jwa at macports.org
Sat Mar 17 06:42:39 PDT 2012
Revision: 90892
https://trac.macports.org/changeset/90892
Author: jwa at macports.org
Date: 2012-03-17 06:42:34 -0700 (Sat, 17 Mar 2012)
Log Message:
-----------
add variant gss_api_trust_dns to close #32475
Modified Paths:
--------------
trunk/dports/net/openssh/Portfile
Added Paths:
-----------
trunk/dports/net/openssh/files/GSSAPITrustDNS.patch
Modified: trunk/dports/net/openssh/Portfile
===================================================================
--- trunk/dports/net/openssh/Portfile 2012-03-17 09:58:50 UTC (rev 90891)
+++ trunk/dports/net/openssh/Portfile 2012-03-17 13:42:34 UTC (rev 90892)
@@ -85,6 +85,10 @@
variant mute_fake_xauth description "Do not print (typically due to XQuartz) 'using fake authentication data' warning messages" {
patchfiles-append patch-clientloop.c.diff
}
+
+variant gss_api_trust_dns description "Enable GSSAPITrustDNS SSH configuration keyword" {
+ patchfiles-append GSSAPITrustDNS.patch
+}
platform darwin {
# create link to /usr/include/pam because 'security' was renamed to 'pam'
Added: trunk/dports/net/openssh/files/GSSAPITrustDNS.patch
===================================================================
--- trunk/dports/net/openssh/files/GSSAPITrustDNS.patch (rev 0)
+++ trunk/dports/net/openssh/files/GSSAPITrustDNS.patch 2012-03-17 13:42:34 UTC (rev 90892)
@@ -0,0 +1,124 @@
+Index: readconf.c
+===================================================================
+RCS file: /cvs/openssh/readconf.c,v
+retrieving revision 1.135
+diff -u -r1.135 readconf.c
+--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
++++ readconf.c 19 Aug 2006 11:59:52 -0000
+@@ -126,6 +126,7 @@
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+ oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+@@ -163,9 +164,11 @@
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ #else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ { "fallbacktorsh", oDeprecated },
+ { "usersh", oDeprecated },
+@@ -444,6 +447,10 @@
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1010,6 +1017,7 @@
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1100,6 +1108,8 @@
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+Index: readconf.h
+===================================================================
+RCS file: /cvs/openssh/readconf.h,v
+retrieving revision 1.63
+diff -u -r1.63 readconf.h
+--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
++++ readconf.h 19 Aug 2006 11:59:52 -0000
+@@ -45,6 +45,7 @@
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+Index: ssh_config.5
+===================================================================
+RCS file: /cvs/openssh/ssh_config.5,v
+retrieving revision 1.97
+diff -u -r1.97 ssh_config.5
+--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
++++ ssh_config.5 19 Aug 2006 11:59:53 -0000
+@@ -483,7 +483,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
+-Note that this option applies to protocol version 2 only.
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+Index: sshconnect2.c
+===================================================================
+RCS file: /cvs/openssh/sshconnect2.c,v
+retrieving revision 1.151
+diff -u -r1.151 sshconnect2.c
+--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
++++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
+@@ -499,6 +499,12 @@
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns)
++ gss_host = get_canonical_hostname(1);
++ else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -511,7 +517,7 @@
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/macports-changes/attachments/20120317/867ebeaa/attachment.html>
More information about the macports-changes
mailing list