[117112] trunk/dports/net/openssh/files
cal at macports.org
cal at macports.org
Sun Feb 16 13:57:11 PST 2014
Revision: 117112
https://trac.macports.org/changeset/117112
Author: cal at macports.org
Date: 2014-02-16 13:57:11 -0800 (Sun, 16 Feb 2014)
Log Message:
-----------
openssh: Fix +gsskex variant, closes #42523, #42479
Modified Paths:
--------------
trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch
trunk/dports/net/openssh/files/openssh-6.3p1-gsskex-all-20130920.patch
Modified: trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch
===================================================================
--- trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch 2014-02-16 21:40:49 UTC (rev 117111)
+++ trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch 2014-02-16 21:57:11 UTC (rev 117112)
@@ -1,26 +1,7 @@
-# HG changeset patch
-# User Sean Farley <sean.michael.farley at gmail.com>
-# Date 1382624667 -28800
-# Thu Oct 24 22:24:27 2013 +0800
-# Node ID dd6d51b7e12be5fab94a8779e890c5558e4d4001
-# Parent 86a3bc5c8ff689a291e86950a3d8fd327f42b870
-partial import
-
-
-wiggled scp
-
-
-wiggled readconf
-
-
-wiggled readconf.c
-
-diff --git a/Makefile.in b/Makefile.in
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -56,10 +56,11 @@
- PERL=@PERL@
- SED=@SED@
+diff -urp openssh-6.5p1/Makefile.in openssh-6.5p1.patched/Makefile.in
+--- openssh-6.5p1/Makefile.in 2014-01-26 22:35:04.000000000 -0800
++++ openssh-6.5p1.patched/Makefile.in 2014-02-15 16:27:53.000000000 -0800
+@@ -58,6 +58,7 @@ SED=@SED@
ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
@@ -28,24 +9,16 @@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-
-@@ -93,10 +94,12 @@
- sftp-server.o sftp-common.o \
- roaming_common.o roaming_serv.o \
+@@ -98,6 +99,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
- sandbox-seccomp-filter.o
+ sandbox-seccomp-filter.o sandbox-capsicum.o
+KEYCHAINOBJS=keychain.o
+
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
MANTYPE = @MANTYPE@
-
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -127,10 +130,11 @@
- all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
-
+@@ -133,6 +136,7 @@ all: $(CONFIGFILES) $(MANPAGES) $(TARGET
$(LIBSSH_OBJS): Makefile.in config.h
$(SSHOBJS): Makefile.in config.h
$(SSHDOBJS): Makefile.in config.h
@@ -53,11 +26,7 @@
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-
- LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
-@@ -140,24 +144,24 @@
-
- libssh.a: $(LIBSSH_OBJS)
+@@ -146,8 +150,8 @@ libssh.a: $(LIBSSH_OBJS)
$(AR) rv $@ $(LIBSSH_OBJS)
$(RANLIB) $@
@@ -68,7 +37,7 @@
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
-
+@@ -155,11 +159,11 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(S
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -84,11 +53,7 @@
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
-@@ -265,11 +269,11 @@
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
+@@ -271,7 +275,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
@@ -97,14 +62,12 @@
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-diff --git a/audit-bsm.c b/audit-bsm.c
---- a/audit-bsm.c
-+++ b/audit-bsm.c
-@@ -261,11 +261,16 @@
- uid_t uid = -1;
- gid_t gid = -1;
+Only in openssh-6.5p1.patched: Makefile.in.orig
+Only in openssh-6.5p1.patched: Makefile.in.rej
+diff -urp openssh-6.5p1/audit-bsm.c openssh-6.5p1.patched/audit-bsm.c
+--- openssh-6.5p1/audit-bsm.c 2012-02-23 15:40:43.000000000 -0800
++++ openssh-6.5p1.patched/audit-bsm.c 2014-02-15 16:25:56.000000000 -0800
+@@ -263,7 +263,12 @@ bsm_audit_record(int typ, char *string,
pid_t pid = getpid();
AuditInfoTermID tid = ssh_bsm_tid;
@@ -118,14 +81,10 @@
uid = the_authctxt->pw->pw_uid;
gid = the_authctxt->pw->pw_gid;
}
-
- rc = (typ == 0) ? 0 : -1;
-diff --git a/auth-pam.c b/auth-pam.c
---- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -789,14 +789,15 @@
- **echo_on = 0;
- ctxt->pam_done = 1;
+diff -urp openssh-6.5p1/auth-pam.c openssh-6.5p1.patched/auth-pam.c
+--- openssh-6.5p1/auth-pam.c 2013-12-18 16:31:45.000000000 -0800
++++ openssh-6.5p1.patched/auth-pam.c 2014-02-15 16:25:56.000000000 -0800
+@@ -793,10 +793,11 @@ sshpam_query(void *ctx, char **name, cha
free(msg);
return (0);
}
@@ -139,14 +98,11 @@
/* FALLTHROUGH */
default:
*num = 0;
- **echo_on = 0;
- free(msg);
-diff --git a/auth.c b/auth.c
---- a/auth.c
-+++ b/auth.c
-@@ -209,11 +209,11 @@
- return 0;
- }
+Only in openssh-6.5p1.patched: auth-pam.c.orig
+diff -urp openssh-6.5p1/auth.c openssh-6.5p1.patched/auth.c
+--- openssh-6.5p1/auth.c 2013-06-01 14:41:51.000000000 -0700
++++ openssh-6.5p1.patched/auth.c 2014-02-15 16:25:56.000000000 -0800
+@@ -211,7 +211,7 @@ allowed_user(struct passwd * pw)
}
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
/* Get the user's group access list (primary and supplementary) */
@@ -155,14 +111,10 @@
logit("User %.100s from %.100s not allowed because "
"not in any group", pw->pw_name, hostname);
return 0;
- }
-
-diff --git a/authfd.c b/authfd.c
---- a/authfd.c
-+++ b/authfd.c
-@@ -687,10 +687,33 @@
- type = buffer_get_char(&msg);
- buffer_free(&msg);
+diff -urp openssh-6.5p1/authfd.c openssh-6.5p1.patched/authfd.c
+--- openssh-6.5p1/authfd.c 2013-12-28 22:49:56.000000000 -0800
++++ openssh-6.5p1.patched/authfd.c 2014-02-15 16:25:56.000000000 -0800
+@@ -638,6 +638,29 @@ ssh_remove_all_identities(Authentication
return decode_reply(type);
}
@@ -192,14 +144,11 @@
int
decode_reply(int type)
{
- switch (type) {
- case SSH_AGENT_FAILURE:
-diff --git a/authfd.h b/authfd.h
---- a/authfd.h
-+++ b/authfd.h
-@@ -47,10 +47,13 @@
- /* add key with constraints */
- #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24
+Only in openssh-6.5p1.patched: authfd.c.orig
+diff -urp openssh-6.5p1/authfd.h openssh-6.5p1.patched/authfd.h
+--- openssh-6.5p1/authfd.h 2009-10-06 14:47:02.000000000 -0700
++++ openssh-6.5p1.patched/authfd.h 2014-02-15 16:25:56.000000000 -0800
+@@ -49,6 +49,9 @@
#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
@@ -209,15 +158,11 @@
#define SSH_AGENT_CONSTRAIN_LIFETIME 1
#define SSH_AGENT_CONSTRAIN_CONFIRM 2
- /* extended failure messages */
- #define SSH2_AGENT_FAILURE 30
-diff --git a/config.h.in b/config.h.in
---- a/config.h.in
-+++ b/config.h.in
-@@ -75,10 +75,22 @@
- #undef BROKEN_SNPRINTF
-
- /* FreeBSD strnvis does not do what we need */
+diff -urp openssh-6.5p1/config.h.in openssh-6.5p1.patched/config.h.in
+--- openssh-6.5p1/config.h.in 2014-01-29 17:52:44.000000000 -0800
++++ openssh-6.5p1.patched/config.h.in 2014-02-15 16:28:51.000000000 -0800
+@@ -81,6 +81,18 @@
+ /* FreeBSD strnvis argument order is swapped compared to OpenBSD */
#undef BROKEN_STRNVIS
+/* platform uses an in-memory credentials cache */
@@ -235,14 +180,12 @@
/* tcgetattr with ICANON may hang */
#undef BROKEN_TCGETATTR_ICANON
- /* updwtmpx is broken (if present) */
- #undef BROKEN_UPDWTMPX
-diff --git a/configure.ac b/configure.ac
---- a/configure.ac
-+++ b/configure.ac
-@@ -4548,14 +4548,44 @@
- #ifdef HAVE_LASTLOG_H
- #include <lastlog.h>
+Only in openssh-6.5p1.patched: config.h.in.orig
+Only in openssh-6.5p1.patched: config.h.in.rej
+diff -urp openssh-6.5p1/configure.ac openssh-6.5p1.patched/configure.ac
+--- openssh-6.5p1/configure.ac 2014-01-29 16:26:46.000000000 -0800
++++ openssh-6.5p1.patched/configure.ac 2014-02-15 16:25:56.000000000 -0800
+@@ -4779,10 +4779,40 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [
#endif
])
@@ -283,14 +226,11 @@
if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
TEST_SSH_IPV6=no
else
- TEST_SSH_IPV6=yes
- fi
-diff --git a/groupaccess.c b/groupaccess.c
---- a/groupaccess.c
-+++ b/groupaccess.c
-@@ -32,62 +32,107 @@
- #include <unistd.h>
- #include <stdarg.h>
+Only in openssh-6.5p1.patched: configure.ac.orig
+diff -urp openssh-6.5p1/groupaccess.c openssh-6.5p1.patched/groupaccess.c
+--- openssh-6.5p1/groupaccess.c 2013-06-01 15:07:32.000000000 -0700
++++ openssh-6.5p1.patched/groupaccess.c 2014-02-15 16:25:56.000000000 -0800
+@@ -34,38 +34,67 @@
#include <stdlib.h>
#include <string.h>
@@ -340,17 +280,17 @@
ngroups = NGROUPS_MAX;
#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
+-#endif
+-
+#endif
-+ groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
+ groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
+#else
+ if (-1 == (ngroups = getgrouplist_2(pw->pw_name, pw->pw_gid,
+ &groups_bygid))) {
+ logit("getgrouplist_2 failed");
+ return 0;
+ }
- #endif
--
-- groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
++#endif
groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
-
- if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
@@ -365,10 +305,7 @@
for (i = 0, j = 0; i < ngroups; i++)
if ((gr = getgrgid(groups_bygid[i])) != NULL)
groups_byname[j++] = xstrdup(gr->gr_name);
- free(groups_bygid);
- return (ngroups = j);
- }
-
+@@ -76,16 +105,32 @@ ga_init(const char *user, gid_t base)
/*
* Return 1 if one of user's groups is contained in groups.
* Return 0 otherwise. Use match_pattern() for string comparison.
@@ -401,14 +338,10 @@
return 0;
}
- /*
- * Return 1 if one of user's groups matches group_pattern list.
-diff --git a/groupaccess.h b/groupaccess.h
---- a/groupaccess.h
-+++ b/groupaccess.h
-@@ -25,11 +25,11 @@
- */
-
+diff -urp openssh-6.5p1/groupaccess.h openssh-6.5p1.patched/groupaccess.h
+--- openssh-6.5p1/groupaccess.h 2008-07-03 20:51:12.000000000 -0700
++++ openssh-6.5p1.patched/groupaccess.h 2014-02-15 16:25:56.000000000 -0800
+@@ -27,7 +27,7 @@
#ifndef GROUPACCESS_H
#define GROUPACCESS_H
@@ -417,8 +350,6 @@
int ga_match(char * const *, int);
int ga_match_pattern_list(const char *);
void ga_free(void);
-
- #endif
diff --git a/keychain.c b/keychain.c
new file mode 100644
--- /dev/null
@@ -1168,41 +1099,30 @@
+int add_identities_using_keychain(
+ int (*add_identity)(const char *, const char *));
+char *keychain_read_passphrase(const char *filename, int oAskPassGUI);
-diff --git a/readconf.c b/readconf.c
---- a/readconf.c
-+++ b/readconf.c
-@@ -136,10 +136,13 @@
- oSendEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
+diff -urp openssh-6.5p1/readconf.c openssh-6.5p1.patched/readconf.c
+--- openssh-6.5p1/readconf.c 2014-01-17 05:03:57.000000000 -0800
++++ openssh-6.5p1.patched/readconf.c 2014-02-15 16:30:49.000000000 -0800
+@@ -148,6 +148,9 @@ typedef enum {
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+#ifdef __APPLE_KEYCHAIN__
+ oAskPassGUI,
+#endif
oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
- /* Textual representations of the tokens. */
-
-@@ -248,11 +251,13 @@
- #endif
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
- { "requesttty", oRequestTTY },
+@@ -267,6 +270,9 @@ static struct {
+ { "canonicalizemaxdots", oCanonicalizeMaxDots },
+ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
{ "ignoreunknown", oIgnoreUnknown },
--
+#ifdef __APPLE_KEYCHAIN__
+ { "askpassgui", oAskPassGUI },
+#endif
+
{ NULL, oBadOption }
};
-
- /*
- * Adds a local TCP/IP port forward to options. Never returns if there is an
-@@ -1070,10 +1075,16 @@
-
- case oIgnoreUnknown:
+@@ -1332,6 +1338,12 @@ parse_int:
charptr = &options->ignored_unknown;
goto parse_string;
@@ -1212,28 +1132,20 @@
+ goto parse_flag;
+#endif
+
- case oDeprecated:
- debug("%s line %d: Deprecated option \"%s\"",
- filename, linenum, keyword);
- return 0;
-
-@@ -1232,10 +1243,13 @@
- options->zero_knowledge_password_authentication = -1;
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
+ case oProxyUseFdpass:
+ intptr = &options->proxy_use_fdpass;
+ goto parse_flag;
+@@ -1555,6 +1567,9 @@ initialize_options(Options * options)
options->request_tty = -1;
+ options->proxy_use_fdpass = -1;
options->ignored_unknown = NULL;
+#ifdef __APPLE_KEYCHAIN__
+ options->ask_pass_gui = -1;
+#endif
- }
-
- /*
- * Called after processing other sources of option data, this fills those
- * options for which no value has been specified with their default values.
-@@ -1383,10 +1397,14 @@
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
+ options->num_canonical_domains = 0;
+ options->num_permitted_cnames = 0;
+ options->canonicalize_max_dots = -1;
+@@ -1713,6 +1728,10 @@ fill_default_options(Options * options)
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->request_tty == -1)
options->request_tty = REQUEST_TTY_AUTO;
@@ -1241,19 +1153,17 @@
+ if (options->ask_pass_gui == -1)
+ options->ask_pass_gui = 1;
+#endif
- /* options->local_command should not be set by default */
- /* options->proxy_command should not be set by default */
- /* options->user will be set in the main program if appropriate */
- /* options->hostname will be set in the main program if appropriate */
- /* options->host_key_alias should not be set by default */
-diff --git a/readconf.h b/readconf.h
---- a/readconf.h
-+++ b/readconf.h
-@@ -137,10 +137,14 @@
- int use_roaming;
+ if (options->proxy_use_fdpass == -1)
+ options->proxy_use_fdpass = 0;
+ if (options->canonicalize_max_dots == -1)
+Only in openssh-6.5p1.patched: readconf.c.orig
+Only in openssh-6.5p1.patched: readconf.c.rej
+diff -urp openssh-6.5p1/readconf.h openssh-6.5p1.patched/readconf.h
+--- openssh-6.5p1/readconf.h 2013-10-16 17:48:14.000000000 -0700
++++ openssh-6.5p1.patched/readconf.h 2014-02-15 16:31:29.000000000 -0800
+@@ -155,6 +155,10 @@ typedef struct {
+ struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
- int request_tty;
-
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
+
+#ifdef __APPLE_KEYCHAIN__
@@ -1261,15 +1171,13 @@
+#endif
} Options;
- #define SSHCTL_MASTER_NO 0
- #define SSHCTL_MASTER_YES 1
- #define SSHCTL_MASTER_AUTO 2
-diff --git a/scp.1 b/scp.1
---- a/scp.1
-+++ b/scp.1
-@@ -17,11 +17,11 @@
- .Nm scp
- .Nd secure copy (remote file copy program)
+ #define SSH_CANONICALISE_NO 0
+Only in openssh-6.5p1.patched: readconf.h.orig
+Only in openssh-6.5p1.patched: readconf.h.rej
+diff -urp openssh-6.5p1/scp.1 openssh-6.5p1.patched/scp.1
+--- openssh-6.5p1/scp.1 2013-10-22 22:30:00.000000000 -0700
++++ openssh-6.5p1.patched/scp.1 2014-02-15 16:25:56.000000000 -0800
+@@ -19,7 +19,7 @@
.Sh SYNOPSIS
.Nm scp
.Bk -words
@@ -1278,11 +1186,7 @@
.Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
- .Op Fl l Ar limit
- .Op Fl o Ar ssh_option
-@@ -95,10 +95,12 @@
- Passes the
- .Fl C
+@@ -97,6 +97,8 @@ Passes the
flag to
.Xr ssh 1
to enable compression.
@@ -1291,14 +1195,10 @@
.It Fl c Ar cipher
Selects the cipher to use for encrypting the data transfer.
This option is directly passed to
- .Xr ssh 1 .
- .It Fl F Ar ssh_config
-diff --git a/scp.c b/scp.c
---- a/scp.c
-+++ b/scp.c
-@@ -76,10 +76,13 @@
- #include <sys/types.h>
- #include <sys/param.h>
+diff -urp openssh-6.5p1/scp.c openssh-6.5p1.patched/scp.c
+--- openssh-6.5p1/scp.c 2013-11-20 18:56:49.000000000 -0800
++++ openssh-6.5p1.patched/scp.c 2014-02-15 16:25:56.000000000 -0800
+@@ -78,6 +78,9 @@
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
@@ -1308,11 +1208,7 @@
#ifdef HAVE_POLL_H
#include <poll.h>
#else
- # ifdef HAVE_SYS_POLL_H
- # include <sys/poll.h>
-@@ -112,10 +115,15 @@
- #include "pathnames.h"
- #include "log.h"
+@@ -114,6 +117,11 @@
#include "misc.h"
#include "progressmeter.h"
@@ -1324,11 +1220,7 @@
extern char *__progname;
#define COPY_BUFLEN 16384
-
- int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
-@@ -148,10 +156,16 @@
- char *ssh_program = _PATH_SSH_PROGRAM;
-
+@@ -150,6 +158,12 @@ char *ssh_program = _PATH_SSH_PROGRAM;
/* This is used to store the pid of ssh_program */
pid_t do_cmd_pid = -1;
@@ -1341,11 +1233,7 @@
static void
killchild(int signo)
{
- if (do_cmd_pid > 1) {
- kill(do_cmd_pid, signo ? signo : SIGTERM);
-@@ -393,11 +407,15 @@
- addargs(&args, "-oForwardAgent=no");
- addargs(&args, "-oPermitLocalCommand=no");
+@@ -395,7 +409,11 @@ main(int argc, char **argv)
addargs(&args, "-oClearAllForwardings=yes");
fflag = tflag = 0;
@@ -1357,11 +1245,7 @@
switch (ch) {
/* User-visible flags. */
case '1':
- case '2':
- case '4':
-@@ -454,10 +472,15 @@
- addargs(&args, "-q");
- addargs(&remote_remote_args, "-q");
+@@ -456,6 +474,11 @@ main(int argc, char **argv)
showprogress = 0;
break;
@@ -1373,11 +1257,7 @@
/* Server options. */
case 'd':
targetshouldbedirectory = 1;
- break;
- case 'f': /* "from" */
-@@ -503,11 +526,16 @@
- targetshouldbedirectory = 1;
-
+@@ -505,7 +528,12 @@ main(int argc, char **argv)
remin = remout = -1;
do_cmd_pid = -1;
/* Command to be executed on remote system using "ssh". */
@@ -1390,11 +1270,7 @@
verbose_mode ? " -v" : "",
iamrecursive ? " -r" : "", pflag ? " -p" : "",
targetshouldbedirectory ? " -d" : "");
-
- (void) signal(SIGPIPE, lostconn);
-@@ -749,23 +777,41 @@
- off_t i, statbytes;
- size_t amt;
+@@ -751,6 +779,10 @@ source(int argc, char **argv)
int fd = -1, haderr, indx;
char *last, *name, buf[2048], encname[MAXPATHLEN];
int len;
@@ -1405,7 +1281,7 @@
for (indx = 0; indx < argc; ++indx) {
name = argv[indx];
- statbytes = 0;
+@@ -758,12 +790,26 @@ source(int argc, char **argv)
len = strlen(name);
while (len > 1 && name[len-1] == '/')
name[--len] = '\0';
@@ -1432,11 +1308,7 @@
if (fstat(fd, &stb) < 0) {
syserr: run_err("%s: %s", name, strerror(errno));
goto next;
- }
- if (stb.st_size < 0) {
-@@ -844,10 +890,40 @@
- if (!haderr)
- (void) atomicio(vwrite, remout, "", 1);
+@@ -846,6 +892,36 @@ next: if (fd != -1) {
else
run_err("%s: %s", name, strerror(haderr));
(void) response();
@@ -1473,11 +1345,7 @@
}
}
- void
- rsource(char *name, struct stat *statp)
-@@ -935,10 +1011,14 @@
-
- (void) atomicio(vwrite, remout, "", 1);
+@@ -937,6 +1013,10 @@ sink(int argc, char **argv)
if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
targisdir = 1;
for (first = 1;; first = 0) {
@@ -1488,11 +1356,7 @@
cp = buf;
if (atomicio(read, remin, cp, 1) != 1)
return;
- if (*cp++ == '\n')
- SCREWUP("unexpected <newline>");
-@@ -1080,14 +1160,55 @@
- free(vect[0]);
- continue;
+@@ -1082,10 +1162,51 @@ sink(int argc, char **argv)
}
omode = mode;
mode |= S_IWUSR;
@@ -1544,11 +1408,7 @@
(void) atomicio(vwrite, remout, "", 1);
if ((bp = allocbuf(&buffer, ofd, COPY_BUFLEN)) == NULL) {
(void) close(ofd);
- continue;
- }
-@@ -1168,10 +1289,33 @@
- if (close(ofd) == -1) {
- wrerr = YES;
+@@ -1170,6 +1291,29 @@ bad: run_err("%s: %s", np, strerror(er
wrerrno = errno;
}
(void) response();
@@ -1578,11 +1438,7 @@
if (setimes && wrerr == NO) {
setimes = 0;
if (utimes(np, tv) < 0) {
- run_err("%s: set times: %s",
- np, strerror(errno));
-@@ -1229,11 +1373,15 @@
-
- void
+@@ -1231,7 +1375,11 @@ void
usage(void)
{
(void) fprintf(stderr,
@@ -1594,27 +1450,10 @@
" [-l limit] [-o ssh_option] [-P port] [-S program]\n"
" [[user@]host1:]file1 ... [[user@]host2:]file2\n");
exit(1);
- }
-
-diff --git a/servconf.c b/servconf.c
---- a/servconf.c
-+++ b/servconf.c
-@@ -158,11 +158,11 @@
- void
- fill_default_server_options(ServerOptions *options)
- {
- /* Portable-specific options */
- if (options->use_pam == -1)
-- options->use_pam = 0;
-+ options->use_pam = 1;
-
- /* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
- options->protocol = SSH_PROTO_2;
- if (options->num_host_key_files == 0) {
-@@ -241,11 +241,11 @@
- if (options->gss_authentication == -1)
- options->gss_authentication = 0;
+diff -urp openssh-6.5p1/servconf.c openssh-6.5p1.patched/servconf.c
+--- openssh-6.5p1/servconf.c 2013-12-06 16:24:02.000000000 -0800
++++ openssh-6.5p1.patched/servconf.c 2014-02-15 16:25:56.000000000 -0800
+@@ -248,7 +248,7 @@ fill_default_server_options(ServerOption
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
@@ -1623,11 +1462,7 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
- options->challenge_response_authentication = 1;
- if (options->permit_empty_passwd == -1)
-@@ -621,11 +621,11 @@
- goto out;
-
+@@ -629,7 +629,7 @@ match_cfg_line_group(const char *grps, i
if ((pw = getpwnam(user)) == NULL) {
debug("Can't match group at line %d because user %.100s does "
"not exist", line, user);
@@ -1636,14 +1471,11 @@
debug("Can't Match group because user %.100s not in any group "
"at line %d", user, line);
} else if (ga_match_pattern_list(grps) != 1) {
- debug("user %.100s does not match group list %.100s at line %d",
- user, grps, line);
-diff --git a/session.c b/session.c
---- a/session.c
-+++ b/session.c
-@@ -2081,12 +2081,14 @@
- /* for SSH1 the tty modes length is not given */
- if (!compat20)
+Only in openssh-6.5p1.patched: servconf.c.orig
+diff -urp openssh-6.5p1/session.c openssh-6.5p1.patched/session.c
+--- openssh-6.5p1/session.c 2014-01-22 19:16:10.000000000 -0800
++++ openssh-6.5p1.patched/session.c 2014-02-15 16:25:56.000000000 -0800
+@@ -2111,8 +2111,10 @@ session_pty_req(Session *s)
n_bytes = packet_remaining();
tty_parse_modes(s->ttyfd, &n_bytes);
@@ -1654,11 +1486,7 @@
/* Set window size from the packet. */
pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
-
- packet_check_eom();
-@@ -2322,13 +2324,15 @@
-
- /* Record that the user has logged out. */
+@@ -2352,9 +2354,11 @@ session_pty_cleanup2(Session *s)
if (s->pid != 0)
record_logout(s->pid, s->tty, s->pw->pw_name);
@@ -1670,14 +1498,11 @@
/*
* Close the server side of the socket pairs. We must do this after
- * the pty cleanup, so that another process doesn't get this pty
- * while we're still cleaning up.
-diff --git a/ssh-add.0 b/ssh-add.0
---- a/ssh-add.0
-+++ b/ssh-add.0
-@@ -2,11 +2,11 @@
-
- NAME
+Only in openssh-6.5p1.patched: session.c.orig
+diff -urp openssh-6.5p1/ssh-add.0 openssh-6.5p1.patched/ssh-add.0
+--- openssh-6.5p1/ssh-add.0 2014-01-29 17:52:47.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.0 2014-02-15 16:25:56.000000000 -0800
+@@ -4,7 +4,7 @@ NAME
ssh-add - adds private key identities to the authentication agent
SYNOPSIS
@@ -1686,11 +1511,7 @@
ssh-add -s pkcs11
ssh-add -e pkcs11
- DESCRIPTION
- ssh-add adds private key identities to the authentication agent,
-@@ -53,10 +53,17 @@
- represented by the agent.
-
+@@ -55,6 +55,13 @@ DESCRIPTION
-l Lists fingerprints of all identities currently represented by the
agent.
@@ -1704,14 +1525,10 @@
-s pkcs11
Add keys provided by the PKCS#11 shared library pkcs11.
- -t life
- Set a maximum lifetime when adding identities to an agent. The
-diff --git a/ssh-add.1 b/ssh-add.1
---- a/ssh-add.1
-+++ b/ssh-add.1
-@@ -41,11 +41,11 @@
- .Sh NAME
- .Nm ssh-add
+diff -urp openssh-6.5p1/ssh-add.1 openssh-6.5p1.patched/ssh-add.1
+--- openssh-6.5p1/ssh-add.1 2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.1 2014-02-15 16:25:56.000000000 -0800
+@@ -43,7 +43,7 @@
.Nd adds private key identities to the authentication agent
.Sh SYNOPSIS
.Nm ssh-add
@@ -1720,11 +1537,7 @@
.Op Fl t Ar life
.Op Ar
.Nm ssh-add
- .Fl s Ar pkcs11
- .Nm ssh-add
-@@ -116,10 +116,17 @@
- .It Fl L
- Lists public key parameters of all identities currently represented
+@@ -119,6 +119,13 @@ Lists public key parameters of all ident
by the agent.
.It Fl l
Lists fingerprints of all identities currently represented by the agent.
@@ -1738,14 +1551,11 @@
.It Fl s Ar pkcs11
Add keys provided by the PKCS#11 shared library
.Ar pkcs11 .
- .It Fl t Ar life
- Set a maximum lifetime when adding identities to an agent.
-diff --git a/ssh-add.c b/ssh-add.c
---- a/ssh-add.c
-+++ b/ssh-add.c
-@@ -60,10 +60,11 @@
- #include "buffer.h"
- #include "authfd.h"
+Only in openssh-6.5p1.patched: ssh-add.1.orig
+diff -urp openssh-6.5p1/ssh-add.c openssh-6.5p1.patched/ssh-add.c
+--- openssh-6.5p1/ssh-add.c 2013-12-28 22:44:07.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.c 2014-02-15 16:25:56.000000000 -0800
+@@ -62,6 +62,7 @@
#include "authfile.h"
#include "pathnames.h"
#include "misc.h"
@@ -1753,11 +1563,7 @@
/* argv0 */
extern char *__progname;
-
- /* Default files to add */
-@@ -94,16 +95,28 @@
- pass = NULL;
- }
+@@ -97,12 +98,24 @@ clear_pass(void)
}
static int
@@ -1783,11 +1589,7 @@
public = key_load_public(filename, &comment);
if (public == NULL) {
printf("Bad key file %s\n", filename);
- return -1;
- }
-@@ -162,11 +175,11 @@
-
- return ret;
+@@ -165,7 +178,7 @@ delete_all(AuthenticationConnection *ac)
}
static int
@@ -1796,11 +1598,7 @@
{
Key *private, *cert;
char *comment = NULL;
- char msg[1024], *certpath = NULL;
- int fd, perms_ok, ret = -1;
-@@ -199,15 +212,20 @@
- }
- close(fd);
+@@ -202,11 +215,16 @@ add_file(AuthenticationConnection *ac, c
/* At first, try empty passphrase */
private = key_parse_private(&keyblob, filename, "", &comment);
@@ -1818,11 +1616,7 @@
if (private == NULL) {
/* clear passphrase since it did not work */
clear_pass();
- snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
- comment);
-@@ -219,12 +237,15 @@
- buffer_free(&keyblob);
- return -1;
+@@ -222,8 +240,11 @@ add_file(AuthenticationConnection *ac, c
}
private = key_parse_private(&keyblob, filename, pass,
&comment);
@@ -1835,11 +1629,7 @@
clear_pass();
snprintf(msg, sizeof msg,
"Bad passphrase, try again for %.200s: ", comment);
- }
- }
-@@ -374,17 +395,17 @@
- free(p1);
- return (ret);
+@@ -380,13 +401,13 @@ lock_agent(AuthenticationConnection *ac,
}
static int
@@ -1856,11 +1646,7 @@
return -1;
}
return 0;
- }
-
-@@ -402,20 +423,26 @@
- fprintf(stderr, " -D Delete all identities.\n");
- fprintf(stderr, " -x Lock agent.\n");
+@@ -408,6 +429,11 @@ usage(void)
fprintf(stderr, " -X Unlock agent.\n");
fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n");
fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
@@ -1872,10 +1658,7 @@
}
int
- main(int argc, char **argv)
- {
- extern char *optarg;
- extern int optind;
+@@ -418,6 +444,7 @@ main(int argc, char **argv)
AuthenticationConnection *ac = NULL;
char *pkcs11provider = NULL;
int i, ch, deleting = 0, ret = 0, key_only = 0;
@@ -1883,11 +1666,7 @@
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
-
- __progname = ssh_get_progname(argv[0]);
-@@ -428,11 +455,11 @@
- if (ac == NULL) {
- fprintf(stderr,
+@@ -434,7 +461,7 @@ main(int argc, char **argv)
"Could not open a connection to your authentication agent.\n");
exit(2);
}
@@ -1896,11 +1675,7 @@
switch (ch) {
case 'k':
key_only = 1;
- break;
- case 'l':
-@@ -467,10 +494,17 @@
- fprintf(stderr, "Invalid lifetime\n");
- ret = 1;
+@@ -473,6 +500,13 @@ main(int argc, char **argv)
goto done;
}
break;
@@ -1914,11 +1689,7 @@
default:
usage();
ret = 1;
- goto done;
- }
-@@ -498,20 +532,20 @@
- for (i = 0; default_files[i]; i++) {
- snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
+@@ -504,7 +538,7 @@ main(int argc, char **argv)
default_files[i]);
if (stat(buf, &st) < 0)
continue;
@@ -1927,8 +1698,7 @@
ret = 1;
else
count++;
- }
- if (count == 0)
+@@ -513,7 +547,7 @@ main(int argc, char **argv)
ret = 1;
} else {
for (i = 0; i < argc; i++) {
@@ -1937,14 +1707,11 @@
ret = 1;
}
}
- clear_pass();
-
-diff --git a/ssh-agent.c b/ssh-agent.c
---- a/ssh-agent.c
-+++ b/ssh-agent.c
-@@ -63,20 +63,25 @@
- #include <stdio.h>
- #include <stdlib.h>
+Only in openssh-6.5p1.patched: ssh-add.c.orig
+diff -urp openssh-6.5p1/ssh-agent.c openssh-6.5p1.patched/ssh-agent.c
+--- openssh-6.5p1/ssh-agent.c 2013-12-28 22:45:52.000000000 -0800
++++ openssh-6.5p1.patched/ssh-agent.c 2014-02-15 16:25:56.000000000 -0800
+@@ -65,6 +65,9 @@
#include <time.h>
#include <string.h>
#include <unistd.h>
@@ -1954,7 +1721,7 @@
#include "xmalloc.h"
#include "ssh.h"
- #include "rsa.h"
+@@ -72,9 +75,11 @@
#include "buffer.h"
#include "key.h"
#include "authfd.h"
@@ -1966,11 +1733,7 @@
#ifdef ENABLE_PKCS11
#include "ssh-pkcs11.h"
- #endif
-
-@@ -788,10 +793,65 @@
- buffer_put_char(&e->output,
- success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+@@ -682,6 +687,61 @@ process_remove_smartcard_key(SocketEntry
}
#endif /* ENABLE_PKCS11 */
@@ -2032,11 +1795,7 @@
/* dispatch incoming messages */
static void
- process_message(SocketEntry *e)
- {
-@@ -880,10 +940,13 @@
- break;
- case SSH_AGENTC_REMOVE_SMARTCARD_KEY:
+@@ -774,6 +834,9 @@ process_message(SocketEntry *e)
process_remove_smartcard_key(e);
break;
#endif /* ENABLE_PKCS11 */
@@ -2046,11 +1805,7 @@
default:
/* Unknown message. Respond with failure. */
error("Unknown message %d", type);
- buffer_clear(&e->request);
- buffer_put_int(&e->output, 1);
-@@ -1120,11 +1183,15 @@
- }
-
+@@ -1014,7 +1077,11 @@ usage(void)
int
main(int ac, char **av)
{
@@ -2062,11 +1817,7 @@
int sock, fd, ch, result, saved_errno;
u_int nalloc;
char *shell, *format, *pidstr, *agentsocket = NULL;
- fd_set *readsetp = NULL, *writesetp = NULL;
- struct sockaddr_un sunaddr;
-@@ -1154,20 +1221,29 @@
- OpenSSL_add_all_algorithms();
-
+@@ -1048,7 +1115,11 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
@@ -2078,9 +1829,7 @@
switch (ch) {
case 'c':
if (s_flag)
- usage();
- c_flag++;
- break;
+@@ -1058,6 +1129,11 @@ main(int ac, char **av)
case 'k':
k_flag++;
break;
@@ -2092,11 +1841,7 @@
case 's':
if (c_flag)
usage();
- s_flag++;
- break;
-@@ -1190,11 +1266,15 @@
- }
- }
+@@ -1084,7 +1160,11 @@ main(int ac, char **av)
ac -= optind;
av += optind;
@@ -2108,11 +1853,7 @@
usage();
if (ac == 0 && !c_flag && !s_flag) {
- shell = getenv("SHELL");
- if (shell != NULL && (len = strlen(shell)) > 2 &&
-@@ -1246,10 +1326,57 @@
-
- /*
+@@ -1140,6 +1220,53 @@ main(int ac, char **av)
* Create socket early so it will exist before command gets run from
* the parent.
*/
@@ -2166,11 +1907,7 @@
sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock < 0) {
perror("socket");
- *socket_name = '\0'; /* Don't unlink any existing file */
- cleanup_exit(1);
-@@ -1267,10 +1394,18 @@
- umask(prev_mask);
- if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
+@@ -1161,6 +1288,14 @@ main(int ac, char **av)
perror("listen");
cleanup_exit(1);
}
@@ -2185,11 +1922,7 @@
/*
* Fork, and have the parent execute the command, if any, or present
- * the socket data. The child continues as the authentication agent.
- */
-@@ -1339,19 +1474,24 @@
-
- #ifdef ENABLE_PKCS11
+@@ -1233,6 +1368,7 @@ skip:
pkcs11_init(0);
#endif
new_socket(AUTH_SOCKET, sock);
@@ -2197,9 +1930,7 @@
if (ac > 0)
parent_alive_interval = 10;
idtab_init();
- signal(SIGPIPE, SIG_IGN);
- signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
- signal(SIGHUP, cleanup_handler);
+@@ -1242,6 +1378,10 @@ skip:
signal(SIGTERM, cleanup_handler);
nalloc = 0;
@@ -2210,14 +1941,11 @@
while (1) {
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
- saved_errno = errno;
- if (parent_alive_interval != 0)
-diff --git a/ssh-keysign.8 b/ssh-keysign.8
---- a/ssh-keysign.8
-+++ b/ssh-keysign.8
-@@ -69,10 +69,13 @@
- They should be owned by root, readable only by root, and not
- accessible to others.
+Only in openssh-6.5p1.patched: ssh-agent.c.orig
+diff -urp openssh-6.5p1/ssh-keysign.8 openssh-6.5p1.patched/ssh-keysign.8
+--- openssh-6.5p1/ssh-keysign.8 2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/ssh-keysign.8 2014-02-15 16:25:56.000000000 -0800
+@@ -72,6 +72,9 @@ accessible to others.
Since they are readable only by root,
.Nm
must be set-uid root if host-based authentication is used.
@@ -2227,14 +1955,11 @@
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
- .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
- If these files exist they are assumed to contain public certificate
-diff --git a/sshconnect1.c b/sshconnect1.c
---- a/sshconnect1.c
-+++ b/sshconnect1.c
-@@ -45,10 +45,11 @@
- #include "authfile.h"
- #include "misc.h"
+Only in openssh-6.5p1.patched: ssh-keysign.8.orig
+diff -urp openssh-6.5p1/sshconnect1.c openssh-6.5p1.patched/sshconnect1.c
+--- openssh-6.5p1/sshconnect1.c 2013-10-25 16:05:47.000000000 -0700
++++ openssh-6.5p1.patched/sshconnect1.c 2014-02-15 16:25:56.000000000 -0800
+@@ -47,6 +47,7 @@
#include "canohost.h"
#include "hostfile.h"
#include "auth.h"
@@ -2242,11 +1967,7 @@
/* Session id for the current session. */
u_char session_id[16];
- u_int supported_authentications = 0;
-
-@@ -258,10 +259,14 @@
- &perm_ok);
- if (private == NULL && !options.batch_mode && perm_ok) {
+@@ -260,6 +261,10 @@ try_rsa_authentication(int idx)
snprintf(buf, sizeof(buf),
"Enter passphrase for RSA key '%.100s': ", comment);
for (i = 0; i < options.number_of_password_prompts; i++) {
@@ -2257,14 +1978,10 @@
passphrase = read_passphrase(buf, 0);
if (strcmp(passphrase, "") != 0) {
private = key_load_private_type(KEY_RSA1,
- authfile, passphrase, NULL, NULL);
- quit = 0;
-diff --git a/sshconnect2.c b/sshconnect2.c
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -70,10 +70,11 @@
- #include "pathnames.h"
- #include "uidswap.h"
+diff -urp openssh-6.5p1/sshconnect2.c openssh-6.5p1.patched/sshconnect2.c
+--- openssh-6.5p1/sshconnect2.c 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/sshconnect2.c 2014-02-15 16:25:56.000000000 -0800
+@@ -72,6 +72,7 @@
#include "hostfile.h"
#include "schnorr.h"
#include "jpake.h"
@@ -2272,11 +1989,7 @@
#ifdef GSSAPI
#include "ssh-gss.h"
- #endif
-
-@@ -1331,10 +1332,14 @@
- if (options.batch_mode)
- return NULL;
+@@ -1335,6 +1336,10 @@ load_identity_file(char *filename, int u
snprintf(prompt, sizeof prompt,
"Enter passphrase for key '%.100s': ", filename);
for (i = 0; i < options.number_of_password_prompts; i++) {
@@ -2287,14 +2000,11 @@
passphrase = read_passphrase(prompt, 0);
if (strcmp(passphrase, "") != 0) {
private = key_load_private_type(KEY_UNSPEC,
- filename, passphrase, NULL, NULL);
- quit = 0;
-diff --git a/sshd.0 b/sshd.0
---- a/sshd.0
-+++ b/sshd.0
-@@ -620,12 +620,12 @@
- The content of this file is not sensitive; it can be world-
- readable.
+Only in openssh-6.5p1.patched: sshconnect2.c.orig
+diff -urp openssh-6.5p1/sshd.0 openssh-6.5p1.patched/sshd.0
+--- openssh-6.5p1/sshd.0 2014-01-29 17:52:47.000000000 -0800
++++ openssh-6.5p1.patched/sshd.0 2014-02-15 16:25:56.000000000 -0800
+@@ -625,8 +625,8 @@ FILES
SEE ALSO
scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
@@ -2305,14 +2015,11 @@
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
- Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
- de Raadt and Dug Song removed many bugs, re-added newer features and
-diff --git a/sshd.8 b/sshd.8
---- a/sshd.8
-+++ b/sshd.8
-@@ -954,14 +954,11 @@
- .Xr ssh-agent 1 ,
- .Xr ssh-keygen 1 ,
+Only in openssh-6.5p1.patched: sshd.0.orig
+diff -urp openssh-6.5p1/sshd.8 openssh-6.5p1.patched/sshd.8
+--- openssh-6.5p1/sshd.8 2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/sshd.8 2014-02-15 16:25:56.000000000 -0800
+@@ -961,10 +961,7 @@ The content of this file is not sensitiv
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
@@ -2323,14 +2030,11 @@
.Xr sftp-server 8
.Sh AUTHORS
OpenSSH is a derivative of the original and free
- ssh 1.2.12 release by Tatu Ylonen.
- Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-diff --git a/sshd.c b/sshd.c
---- a/sshd.c
-+++ b/sshd.c
-@@ -2106,23 +2106,23 @@
-
- #ifdef SSH_AUDIT_EVENTS
+Only in openssh-6.5p1.patched: sshd.8.orig
+diff -urp openssh-6.5p1/sshd.c openssh-6.5p1.patched/sshd.c
+--- openssh-6.5p1/sshd.c 2014-01-27 20:08:13.000000000 -0800
++++ openssh-6.5p1.patched/sshd.c 2014-02-15 16:25:56.000000000 -0800
+@@ -2124,6 +2124,12 @@ main(int ac, char **av)
audit_event(SSH_AUTH_SUCCESS);
#endif
@@ -2343,7 +2047,7 @@
#ifdef GSSAPI
if (options.gss_authentication) {
temporarily_use_uid(authctxt->pw);
- ssh_gssapi_storecreds();
+@@ -2131,12 +2137,6 @@ main(int ac, char **av)
restore_uid();
}
#endif
@@ -2356,14 +2060,11 @@
/*
* In privilege separation, we fork another child and prepare
- * file descriptor passing.
- */
-diff --git a/sshd_config b/sshd_config
---- a/sshd_config
-+++ b/sshd_config
-@@ -32,11 +32,11 @@
- # Ciphers and keying
- #RekeyLimit default none
+Only in openssh-6.5p1.patched: sshd.c.orig
+diff -urp openssh-6.5p1/sshd_config openssh-6.5p1.patched/sshd_config
+--- openssh-6.5p1/sshd_config 2014-01-12 00:20:47.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config 2014-02-15 16:25:56.000000000 -0800
+@@ -35,7 +35,7 @@
# Logging
# obsoletes QuietMode and FascistLogging
@@ -2372,11 +2073,7 @@
#LogLevel INFO
# Authentication:
-
- #LoginGraceTime 2m
-@@ -65,12 +65,13 @@
- # RhostsRSAAuthentication and HostbasedAuthentication
- #IgnoreUserKnownHosts no
+@@ -68,8 +68,9 @@ AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -2388,11 +2085,7 @@
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
-
-@@ -91,11 +92,14 @@
- # PAM authentication via ChallengeResponseAuthentication may bypass
- # the setting of "PermitRootLogin without-password".
+@@ -94,7 +95,10 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
@@ -2404,14 +2097,10 @@
#AllowAgentForwarding yes
#AllowTcpForwarding yes
- #GatewayPorts no
- #X11Forwarding no
-diff --git a/sshd_config.0 b/sshd_config.0
---- a/sshd_config.0
-+++ b/sshd_config.0
-@@ -505,11 +505,11 @@
- increases linearly and all connection attempts are refused if the
- number of unauthenticated connections reaches ``full'' (60).
+diff -urp openssh-6.5p1/sshd_config.0 openssh-6.5p1.patched/sshd_config.0
+--- openssh-6.5p1/sshd_config.0 2014-01-29 17:52:48.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config.0 2014-02-15 16:25:56.000000000 -0800
+@@ -517,7 +517,7 @@ DESCRIPTION
PasswordAuthentication
Specifies whether password authentication is allowed. The
@@ -2420,11 +2109,7 @@
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
- server allows login to accounts with empty password strings. The
- default is ``no''.
-@@ -707,11 +707,11 @@
- Because PAM challenge-response authentication usually serves an
- equivalent role to password authentication, you should disable
+@@ -723,7 +723,7 @@ DESCRIPTION
either PasswordAuthentication or ChallengeResponseAuthentication.
If UsePAM is enabled, you will not be able to run sshd(8) as a
@@ -2433,14 +2118,11 @@
UsePrivilegeSeparation
Specifies whether sshd(8) separates privileges by creating an
- unprivileged child process to deal with incoming network traffic.
- After successful authentication, another process will be created
-diff --git a/sshd_config.5 b/sshd_config.5
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -854,11 +854,11 @@
- .Dq full
- (60).
+Only in openssh-6.5p1.patched: sshd_config.0.orig
+diff -urp openssh-6.5p1/sshd_config.5 openssh-6.5p1.patched/sshd_config.5
+--- openssh-6.5p1/sshd_config.5 2013-12-17 22:47:03.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config.5 2014-02-15 16:25:56.000000000 -0800
+@@ -871,7 +871,7 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@@ -2449,11 +2131,7 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
- The default is
- .Dq no .
-@@ -1181,11 +1181,11 @@
- .Cm UsePAM
- is enabled, you will not be able to run
+@@ -1204,7 +1204,7 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
@@ -2462,5 +2140,5 @@
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
- separates privileges by creating an unprivileged child process
- to deal with incoming network traffic.
+Only in openssh-6.5p1.patched: sshd_config.5.orig
+Only in openssh-6.5p1.patched: sshd_config.orig
Modified: trunk/dports/net/openssh/files/openssh-6.3p1-gsskex-all-20130920.patch
===================================================================
--- trunk/dports/net/openssh/files/openssh-6.3p1-gsskex-all-20130920.patch 2014-02-16 21:40:49 UTC (rev 117111)
+++ trunk/dports/net/openssh/files/openssh-6.3p1-gsskex-all-20130920.patch 2014-02-16 21:57:11 UTC (rev 117112)
@@ -1,6 +1,6 @@
-diff --speed-large-files --minimal -Nru openssh-5.8p1/ChangeLog.gssapi openssh-5.8p1.new/ChangeLog.gssapi
---- openssh-5.8p1/ChangeLog.gssapi 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-5.8p1.new/ChangeLog.gssapi 2011-02-12 18:07:10.948345760 +0100
+diff -Nrup openssh-6.5p1/ChangeLog.gssapi openssh-6.5p1.patched/ChangeLog.gssapi
+--- openssh-6.5p1/ChangeLog.gssapi 1969-12-31 16:00:00.000000000 -0800
++++ openssh-6.5p1.patched/ChangeLog.gssapi 2014-02-15 16:50:46.000000000 -0800
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
@@ -115,30 +115,30 @@
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
-diff --speed-large-files --minimal -Nru openssh-5.8p1/Makefile.in openssh-5.8p1.new/Makefile.in
---- openssh-5.8p1/Makefile.in 2011-02-04 01:42:13.000000000 +0100
-+++ openssh-5.8p1.new/Makefile.in 2011-02-12 18:07:10.990611445 +0100
-@@ -75,6 +75,7 @@
+diff -Nrup openssh-6.5p1/Makefile.in openssh-6.5p1.patched/Makefile.in
+--- openssh-6.5p1/Makefile.in 2014-01-26 22:35:04.000000000 -0800
++++ openssh-6.5p1.patched/Makefile.in 2014-02-15 16:51:24.000000000 -0800
+@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+ kexgssc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- jpake.o schnorr.o ssh-pkcs11.o kr1.o
-
-@@ -91,7 +92,7 @@
+ jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
+ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
+@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
- auth-krb5.o \
+ kexc25519s.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
-+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
++ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
- roaming_common.o roaming_serv.o
-diff --speed-large-files --minimal -Nru openssh-5.8p1/auth-krb5.c openssh-5.8p1.new/auth-krb5.c
---- openssh-5.8p1/auth-krb5.c 2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.8p1.new/auth-krb5.c 2011-02-12 18:07:11.002529804 +0100
-@@ -170,8 +170,13 @@
+ roaming_common.o roaming_serv.o \
+diff -Nrup openssh-6.5p1/auth-krb5.c openssh-6.5p1.patched/auth-krb5.c
+--- openssh-6.5p1/auth-krb5.c 2013-10-23 16:53:02.000000000 -0700
++++ openssh-6.5p1.patched/auth-krb5.c 2014-02-15 16:50:46.000000000 -0800
+@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
@@ -152,7 +152,7 @@
#ifdef USE_PAM
if (options.use_pam)
-@@ -226,15 +231,22 @@
+@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -177,7 +177,7 @@
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
oerrno = errno;
-@@ -249,6 +261,7 @@
+@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
return oerrno;
}
close(tmpfd);
@@ -185,11 +185,11 @@
return (krb5_cc_resolve(ctx, ccname, ccache));
}
-diff --speed-large-files --minimal -Nru openssh-5.8p1/auth2-gss.c openssh-5.8p1.new/auth2-gss.c
---- openssh-5.8p1/auth2-gss.c 2007-12-02 12:59:45.000000000 +0100
-+++ openssh-5.8p1.new/auth2-gss.c 2011-02-12 18:07:11.030761708 +0100
+diff -Nrup openssh-6.5p1/auth2-gss.c openssh-6.5p1.patched/auth2-gss.c
+--- openssh-6.5p1/auth2-gss.c 2013-06-01 14:31:18.000000000 -0700
++++ openssh-6.5p1.patched/auth2-gss.c 2014-02-15 16:50:46.000000000 -0800
@@ -1,7 +1,7 @@
- /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -197,7 +197,7 @@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
-@@ -52,6 +52,40 @@
+@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *);
@@ -238,7 +238,7 @@
/*
* We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
-@@ -242,7 +278,8 @@
+@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type,
packet_check_eom();
@@ -248,7 +248,7 @@
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -277,7 +314,8 @@
+@@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t ple
gssbuf.length = buffer_len(&b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -258,8 +258,8 @@
else
logit("GSSAPI MIC check failed");
-@@ -292,6 +330,12 @@
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t ple
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
+Authmethod method_gsskeyex = {
@@ -271,10 +271,10 @@
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
-diff --speed-large-files --minimal -Nru openssh-5.8p1/auth2.c openssh-5.8p1.new/auth2.c
---- openssh-5.8p1/auth2.c 2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.8p1.new/auth2.c 2011-02-12 18:07:11.043418162 +0100
-@@ -69,6 +69,7 @@
+diff -Nrup openssh-6.5p1/auth2.c openssh-6.5p1.patched/auth2.c
+--- openssh-6.5p1/auth2.c 2013-06-01 14:41:51.000000000 -0700
++++ openssh-6.5p1.patched/auth2.c 2014-02-15 16:50:46.000000000 -0800
+@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
@@ -282,7 +282,7 @@
extern Authmethod method_gssapi;
#endif
#ifdef JPAKE
-@@ -79,6 +80,7 @@
+@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
&method_none,
&method_pubkey,
#ifdef GSSAPI
@@ -290,9 +290,9 @@
&method_gssapi,
#endif
#ifdef JPAKE
-diff --speed-large-files --minimal -Nru openssh-5.8p1/clientloop.c openssh-5.8p1.new/clientloop.c
---- openssh-5.8p1/clientloop.c 2011-01-16 13:18:35.000000000 +0100
-+++ openssh-5.8p1.new/clientloop.c 2011-02-12 18:07:11.063578136 +0100
+diff -Nrup openssh-6.5p1/clientloop.c openssh-6.5p1.patched/clientloop.c
+--- openssh-6.5p1/clientloop.c 2013-11-20 18:57:15.000000000 -0800
++++ openssh-6.5p1.patched/clientloop.c 2014-02-15 16:50:46.000000000 -0800
@@ -111,6 +111,10 @@
#include "msg.h"
#include "roaming.h"
@@ -304,7 +304,7 @@
/* import options */
extern Options options;
-@@ -1483,6 +1487,15 @@
+@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
@@ -320,10 +320,10 @@
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
xxx_kex->done = 0;
-diff --speed-large-files --minimal -Nru openssh-5.8p1/configure.ac openssh-5.8p1.new/configure.ac
---- openssh-5.8p1/configure.ac 2011-02-04 01:42:14.000000000 +0100
-+++ openssh-5.8p1.new/configure.ac 2011-02-12 18:07:11.092748915 +0100
-@@ -514,6 +514,30 @@
+diff -Nrup openssh-6.5p1/configure.ac openssh-6.5p1.patched/configure.ac
+--- openssh-6.5p1/configure.ac 2014-01-29 16:26:46.000000000 -0800
++++ openssh-6.5p1.patched/configure.ac 2014-02-15 16:50:46.000000000 -0800
+@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
@@ -353,12 +353,12 @@
+ )
m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
- AC_DEFINE([AU_IPv4], 0, [System only supports IPv4 audit records])
-diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-genr.c openssh-5.8p1.new/gss-genr.c
---- openssh-5.8p1/gss-genr.c 2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.8p1.new/gss-genr.c 2011-02-12 18:07:11.108432434 +0100
+ AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
+diff -Nrup openssh-6.5p1/gss-genr.c openssh-6.5p1.patched/gss-genr.c
+--- openssh-6.5p1/gss-genr.c 2013-11-07 17:19:57.000000000 -0800
++++ openssh-6.5p1.patched/gss-genr.c 2014-02-15 17:23:28.000000000 -0800
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -534,7 +534,7 @@
/* Check that the OID in a data stream matches that in the context */
int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-@@ -197,7 +352,7 @@
+@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
}
ctx->major = gss_init_sec_context(&ctx->minor,
@@ -543,7 +543,7 @@
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
-@@ -227,8 +382,42 @@
+@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
}
OM_uint32
@@ -586,7 +586,7 @@
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
-@@ -236,6 +425,19 @@
+@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
return (ctx->major);
}
@@ -606,7 +606,7 @@
void
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
const char *context)
-@@ -249,11 +451,16 @@
+@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
}
int
@@ -624,7 +624,7 @@
/* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length &&
-@@ -263,6 +470,10 @@
+@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
major = ssh_gssapi_import_name(*ctx, host);
@@ -635,7 +635,7 @@
if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL);
-@@ -272,10 +483,67 @@
+@@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
GSS_C_NO_BUFFER);
}
@@ -655,8 +655,7 @@
+ static OM_uint32 last_call = 0;
+ OM_uint32 lifetime, now, major, minor;
+ int equal;
-+ gss_cred_usage_t usage = GSS_C_INITIATE;
-+
++
+ now = time(NULL);
+
+ if (ctxt) {
@@ -704,11 +703,11 @@
+}
+
#endif /* GSSAPI */
-diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-serv-krb5.c openssh-5.8p1.new/gss-serv-krb5.c
---- openssh-5.8p1/gss-serv-krb5.c 2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.8p1.new/gss-serv-krb5.c 2011-02-12 18:07:11.123072516 +0100
+diff -Nrup openssh-6.5p1/gss-serv-krb5.c openssh-6.5p1.patched/gss-serv-krb5.c
+--- openssh-6.5p1/gss-serv-krb5.c 2014-01-19 18:18:09.000000000 -0800
++++ openssh-6.5p1.patched/gss-serv-krb5.c 2014-02-15 16:50:46.000000000 -0800
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+ /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -716,15 +715,15 @@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
-@@ -120,6 +120,7 @@
+@@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
OM_uint32 maj_status, min_status;
int len;
- const char *errmsg;
+ const char *errmsg;
+ const char *new_ccname;
if (client->creds == NULL) {
debug("No credentials stored");
-@@ -168,11 +169,16 @@
+@@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return;
}
@@ -745,7 +744,7 @@
#ifdef USE_PAM
if (options.use_pam)
-@@ -184,6 +190,71 @@
+@@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return;
}
@@ -817,7 +816,7 @@
ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos",
-@@ -191,7 +262,8 @@
+@@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
NULL,
&ssh_gssapi_krb5_userok,
NULL,
@@ -827,11 +826,11 @@
};
#endif /* KRB5 */
-diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-serv.c openssh-5.8p1.new/gss-serv.c
---- openssh-5.8p1/gss-serv.c 2008-05-19 07:05:07.000000000 +0200
-+++ openssh-5.8p1.new/gss-serv.c 2011-02-12 18:07:11.135178913 +0100
+diff -Nrup openssh-6.5p1/gss-serv.c openssh-6.5p1.patched/gss-serv.c
+--- openssh-6.5p1/gss-serv.c 2013-07-19 20:35:45.000000000 -0700
++++ openssh-6.5p1.patched/gss-serv.c 2014-02-15 16:50:46.000000000 -0800
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -862,7 +861,7 @@
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -81,25 +86,32 @@
+@@ -81,25 +86,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
char lname[MAXHOSTNAMELEN];
gss_OID_set oidset;
@@ -871,16 +870,16 @@
+ if (options.gss_strict_acceptor) {
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
++
++ if (gethostname(lname, MAXHOSTNAMELEN)) {
++ gss_release_oid_set(&status, &oidset);
++ return (-1);
++ }
- if (gethostname(lname, MAXHOSTNAMELEN)) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ gss_release_oid_set(&status, &oidset);
+ return (ctx->major);
@@ -909,7 +908,7 @@
}
/* Privileged */
-@@ -114,6 +126,29 @@
+@@ -114,6 +126,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
}
/* Unprivileged */
@@ -939,7 +938,7 @@
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
{
-@@ -123,7 +158,9 @@
+@@ -123,7 +158,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
gss_OID_set supported;
gss_create_empty_oid_set(&min_status, oidset);
@@ -950,15 +949,14 @@
while (supported_mechs[i]->name != NULL) {
if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-@@ -247,8 +284,48 @@
+@@ -249,8 +286,48 @@ OM_uint32
ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
{
int i = 0;
+ int equal = 0;
+ gss_name_t new_name = GSS_C_NO_NAME;
+ gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
-
-- gss_buffer_desc ename;
++
+ if (options.gss_store_rekey && client->used && ctx->client_creds) {
+ if (client->mech->oid.length != ctx->oid->length ||
+ (memcmp(client->mech->oid.elements,
@@ -976,7 +974,8 @@
+
+ ctx->major = gss_compare_name(&ctx->minor, client->name,
+ new_name, &equal);
-+
+
+- gss_buffer_desc ename;
+ if (GSS_ERROR(ctx->major)) {
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
@@ -1000,7 +999,7 @@
client->mech = NULL;
-@@ -263,6 +340,13 @@
+@@ -265,6 +342,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
if (client->mech == NULL)
return GSS_S_FAILURE;
@@ -1014,7 +1013,7 @@
if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
&client->displayname, NULL))) {
ssh_gssapi_error(ctx);
-@@ -280,6 +364,8 @@
+@@ -282,6 +366,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
return (ctx->major);
}
@@ -1023,7 +1022,7 @@
/* We can't copy this structure, so we just move the pointer to it */
client->creds = ctx->client_creds;
ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -327,7 +413,7 @@
+@@ -329,7 +415,7 @@ ssh_gssapi_do_child(char ***envp, u_int
/* Privileged */
int
@@ -1032,7 +1031,7 @@
{
OM_uint32 lmin;
-@@ -337,9 +423,11 @@
+@@ -339,9 +425,11 @@ ssh_gssapi_userok(char *user)
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1046,7 +1045,7 @@
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -352,14 +440,90 @@
+@@ -354,14 +442,90 @@ ssh_gssapi_userok(char *user)
return (0);
}
@@ -1143,12 +1142,12 @@
}
#endif
-diff --speed-large-files --minimal -Nru openssh-5.8p1/kex.c openssh-5.8p1.new/kex.c
---- openssh-5.8p1/kex.c 2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1.new/kex.c 2011-02-12 18:07:11.149564726 +0100
-@@ -50,6 +50,10 @@
- #include "monitor.h"
+diff -Nrup openssh-6.5p1/kex.c openssh-6.5p1.patched/kex.c
+--- openssh-6.5p1/kex.c 2014-01-25 14:38:04.000000000 -0800
++++ openssh-6.5p1.patched/kex.c 2014-02-15 17:24:33.000000000 -0800
+@@ -51,6 +51,10 @@
#include "roaming.h"
+ #include "digest.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
@@ -1157,34 +1156,34 @@
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
-@@ -80,6 +84,11 @@
- { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
- { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
+@@ -90,6 +94,11 @@ static const struct kexalg kexalgs[] = {
+ #ifdef HAVE_EVP_SHA256
+ { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif
+#ifdef GSSAPI
-+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
-+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
-+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
++ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
++ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
++ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+#endif
- { NULL, -1, -1, NULL},
+ { NULL, -1, -1, -1},
};
-diff --speed-large-files --minimal -Nru openssh-5.8p1/kex.h openssh-5.8p1.new/kex.h
---- openssh-5.8p1/kex.h 2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1.new/kex.h 2011-02-12 18:07:11.161650596 +0100
-@@ -73,6 +73,9 @@
- KEX_DH_GEX_SHA1,
+diff -Nrup openssh-6.5p1/kex.h openssh-6.5p1.patched/kex.h
+--- openssh-6.5p1/kex.h 2014-01-25 14:37:26.000000000 -0800
++++ openssh-6.5p1.patched/kex.h 2014-02-15 16:52:30.000000000 -0800
+@@ -76,6 +76,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
+ KEX_C25519_SHA256,
+ KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1,
+ KEX_GSS_GEX_SHA1,
KEX_MAX
};
-@@ -129,6 +132,12 @@
+@@ -136,6 +139,12 @@ struct Kex {
int flags;
- const EVP_MD *evp_md;
+ int hash_alg;
int ec_nid;
+#ifdef GSSAPI
+ int gss_deleg_creds;
@@ -1195,9 +1194,9 @@
char *client_version_string;
char *server_version_string;
int (*verify_host_key)(Key *);
-@@ -156,6 +165,11 @@
- void kexecdh_client(Kex *);
- void kexecdh_server(Kex *);
+@@ -168,6 +177,11 @@ void kexecdh_server(Kex *);
+ void kexc25519_client(Kex *);
+ void kexc25519_server(Kex *);
+#ifdef GSSAPI
+void kexgss_client(Kex *);
@@ -1207,10 +1206,10 @@
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-diff --speed-large-files --minimal -Nru openssh-5.8p1/kexgssc.c openssh-5.8p1.new/kexgssc.c
---- openssh-5.8p1/kexgssc.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-5.8p1.new/kexgssc.c 2011-02-12 18:07:11.176741991 +0100
-@@ -0,0 +1,334 @@
+diff -Nrup openssh-6.5p1/kexgssc.c openssh-6.5p1.patched/kexgssc.c
+--- openssh-6.5p1/kexgssc.c 1969-12-31 16:00:00.000000000 -0800
++++ openssh-6.5p1.patched/kexgssc.c 2014-02-15 17:17:35.000000000 -0800
+@@ -0,0 +1,339 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@@ -1268,6 +1267,7 @@
+ DH *dh;
+ BIGNUM *dh_server_pub = NULL;
+ BIGNUM *shared_secret = NULL;
++ Buffer shared_secret_buffer;
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ u_char *kbuf, *hash;
@@ -1492,7 +1492,7 @@
+ break;
+ case KEX_GSS_GEX_SHA1:
+ kexgex_hash(
-+ kex->evp_md,
++ kex->hash_alg,
+ kex->client_version_string,
+ kex->server_version_string,
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -1539,16 +1539,20 @@
+ else
+ ssh_gssapi_delete_ctx(&ctxt);
+
-+ kex_derive_keys(kex, hash, hashlen, shared_secret);
++ buffer_init(&shared_secret_buffer);
++ buffer_put_bignum2(&shared_secret_buffer, shared_secret);
++ kex_derive_keys(kex, hash, hashlen, buffer_ptr(&shared_secret_buffer),
++ buffer_len(&shared_secret_buffer));
++ buffer_free(&shared_secret_buffer);
+ BN_clear_free(shared_secret);
+ kex_finish(kex);
+}
+
+#endif /* GSSAPI */
-diff --speed-large-files --minimal -Nru openssh-5.8p1/kexgsss.c openssh-5.8p1.new/kexgsss.c
---- openssh-5.8p1/kexgsss.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-5.8p1.new/kexgsss.c 2011-02-12 18:07:11.186584789 +0100
-@@ -0,0 +1,288 @@
+diff -Nrup openssh-6.5p1/kexgsss.c openssh-6.5p1.patched/kexgsss.c
+--- openssh-6.5p1/kexgsss.c 1969-12-31 16:00:00.000000000 -0800
++++ openssh-6.5p1.patched/kexgsss.c 2014-02-15 17:31:24.000000000 -0800
+@@ -0,0 +1,293 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@@ -1618,6 +1622,7 @@
+ DH *dh;
+ int min = -1, max = -1, nbits = -1;
+ BIGNUM *shared_secret = NULL;
++ Buffer shared_secret_buffer;
+ BIGNUM *dh_client_pub = NULL;
+ int type = 0;
+ gss_OID oid;
@@ -1774,7 +1779,7 @@
+ break;
+ case KEX_GSS_GEX_SHA1:
+ kexgex_hash(
-+ kex->evp_md,
++ kex->hash_alg,
+ kex->client_version_string, kex->server_version_string,
+ buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -1827,7 +1832,11 @@
+
+ DH_free(dh);
+
-+ kex_derive_keys(kex, hash, hashlen, shared_secret);
++ buffer_init(&shared_secret_buffer);
++ buffer_put_bignum2(&shared_secret_buffer, shared_secret);
++ kex_derive_keys(kex, hash, hashlen, buffer_ptr(&shared_secret_buffer),
++ buffer_len(&shared_secret_buffer));
++ buffer_free(&shared_secret_buffer);
+ BN_clear_free(shared_secret);
+ kex_finish(kex);
+
@@ -1837,32 +1846,32 @@
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
-diff --speed-large-files --minimal -Nru openssh-5.8p1/key.c openssh-5.8p1.new/key.c
---- openssh-5.8p1/key.c 2011-02-04 01:48:34.000000000 +0100
-+++ openssh-5.8p1.new/key.c 2011-02-12 18:07:11.202089386 +0100
-@@ -929,6 +929,7 @@
- { "ecdsa-sha2-nistp521-cert-v01 at openssh.com", "ECDSA-CERT",
+diff -Nrup openssh-6.5p1/key.c openssh-6.5p1.patched/key.c
+--- openssh-6.5p1/key.c 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/key.c 2014-02-15 16:50:46.000000000 -0800
+@@ -979,6 +979,7 @@ static const struct keytype keytypes[] =
KEY_ECDSA_CERT, NID_secp521r1, 1 },
+ # endif
#endif /* OPENSSL_HAS_ECC */
+ { "null", "null", KEY_NULL, 0, 0 },
{ "ssh-rsa-cert-v00 at openssh.com", "RSA-CERT-V00",
KEY_RSA_CERT_V00, 0, 1 },
{ "ssh-dss-cert-v00 at openssh.com", "DSA-CERT-V00",
-diff --speed-large-files --minimal -Nru openssh-5.8p1/key.h openssh-5.8p1.new/key.h
---- openssh-5.8p1/key.h 2010-11-05 00:19:49.000000000 +0100
-+++ openssh-5.8p1.new/key.h 2011-02-12 18:07:11.216270794 +0100
-@@ -44,6 +44,7 @@
- KEY_ECDSA_CERT,
+diff -Nrup openssh-6.5p1/key.h openssh-6.5p1.patched/key.h
+--- openssh-6.5p1/key.h 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/key.h 2014-02-15 16:50:46.000000000 -0800
+@@ -46,6 +46,7 @@ enum types {
+ KEY_ED25519_CERT,
KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00,
+ KEY_NULL,
KEY_UNSPEC
};
enum fp_type {
-diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor.c openssh-5.8p1.new/monitor.c
---- openssh-5.8p1/monitor.c 2010-09-10 03:23:34.000000000 +0200
-+++ openssh-5.8p1.new/monitor.c 2011-02-12 18:07:11.241713537 +0100
-@@ -172,6 +172,8 @@
+diff -Nrup openssh-6.5p1/monitor.c openssh-6.5p1.patched/monitor.c
+--- openssh-6.5p1/monitor.c 2013-11-06 18:32:52.000000000 -0800
++++ openssh-6.5p1.patched/monitor.c 2014-02-15 16:53:04.000000000 -0800
+@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -1871,7 +1880,7 @@
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -241,6 +243,7 @@
+@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1879,7 +1888,7 @@
#endif
#ifdef JPAKE
{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -253,6 +256,12 @@
+@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[]
};
struct mon_table mon_dispatch_postauth20[] = {
@@ -1892,7 +1901,7 @@
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -357,6 +366,10 @@
+@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctx
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1903,7 +1912,7 @@
} else {
mon_dispatch = mon_dispatch_proto15;
-@@ -443,6 +456,10 @@
+@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1914,10 +1923,10 @@
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1692,6 +1709,13 @@
- kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+@@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -1928,7 +1937,7 @@
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
-@@ -1898,6 +1922,9 @@
+@@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@@ -1938,7 +1947,7 @@
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-@@ -1925,6 +1952,9 @@
+@@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@@ -1948,7 +1957,7 @@
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -1942,6 +1972,7 @@
+@@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1956,7 +1965,7 @@
}
return (0);
}
-@@ -1953,6 +1984,9 @@
+@@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@@ -1966,7 +1975,7 @@
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
-@@ -1979,7 +2013,11 @@
+@@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@@ -1979,7 +1988,7 @@
buffer_clear(m);
buffer_put_int(m, authenticated);
-@@ -1992,6 +2030,74 @@
+@@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -2054,24 +2063,23 @@
#endif /* GSSAPI */
#ifdef JPAKE
-diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor.h openssh-5.8p1.new/monitor.h
---- openssh-5.8p1/monitor.h 2008-11-05 06:20:46.000000000 +0100
-+++ openssh-5.8p1.new/monitor.h 2011-02-12 18:07:11.311728071 +0100
-@@ -53,6 +53,9 @@
- MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
- MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
- MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
-+
+diff -Nrup openssh-6.5p1/monitor.h openssh-6.5p1.patched/monitor.h
+--- openssh-6.5p1/monitor.h 2012-12-02 14:53:21.000000000 -0800
++++ openssh-6.5p1.patched/monitor.h 2014-02-15 16:50:46.000000000 -0800
+@@ -62,6 +62,9 @@ enum monitor_reqtype {
+ MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
+ MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
+
+ MONITOR_REQ_GSSSIGN = 62, MONITOR_ANS_GSSSIGN = 63,
+ MONITOR_REQ_GSSUPCREDS = 64, MONITOR_ANS_GSSUPCREDS = 65,
-
- MONITOR_REQ_PAM_START = 100,
- MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
- MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
-diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor_wrap.c openssh-5.8p1.new/monitor_wrap.c
---- openssh-5.8p1/monitor_wrap.c 2010-08-31 14:41:14.000000000 +0200
-+++ openssh-5.8p1.new/monitor_wrap.c 2011-02-12 18:07:11.359631731 +0100
-@@ -1232,7 +1232,7 @@
++
+ MONITOR_REQ_PAM_START = 100,
+ MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
+ MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
+diff -Nrup openssh-6.5p1/monitor_wrap.c openssh-6.5p1.patched/monitor_wrap.c
+--- openssh-6.5p1/monitor_wrap.c 2013-11-06 18:35:39.000000000 -0800
++++ openssh-6.5p1.patched/monitor_wrap.c 2014-02-15 16:50:46.000000000 -0800
+@@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
int
@@ -2080,7 +2088,7 @@
{
Buffer m;
int authenticated = 0;
-@@ -1249,6 +1249,51 @@
+@@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
@@ -2132,10 +2140,10 @@
#endif /* GSSAPI */
#ifdef JPAKE
-diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor_wrap.h openssh-5.8p1.new/monitor_wrap.h
---- openssh-5.8p1/monitor_wrap.h 2009-03-05 14:58:22.000000000 +0100
-+++ openssh-5.8p1.new/monitor_wrap.h 2011-02-12 18:07:11.407619296 +0100
-@@ -57,8 +57,10 @@
+diff -Nrup openssh-6.5p1/monitor_wrap.h openssh-6.5p1.patched/monitor_wrap.h
+--- openssh-6.5p1/monitor_wrap.h 2011-06-19 21:42:23.000000000 -0700
++++ openssh-6.5p1.patched/monitor_wrap.h 2014-02-15 16:50:46.000000000 -0800
+@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2147,10 +2155,10 @@
#endif
#ifdef USE_PAM
-diff --speed-large-files --minimal -Nru openssh-5.8p1/readconf.c openssh-5.8p1.new/readconf.c
---- openssh-5.8p1/readconf.c 2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1.new/readconf.c 2011-02-12 18:07:11.460306621 +0100
-@@ -129,6 +129,8 @@
+diff -Nrup openssh-6.5p1/readconf.c openssh-6.5p1.patched/readconf.c
+--- openssh-6.5p1/readconf.c 2014-01-17 05:03:57.000000000 -0800
++++ openssh-6.5p1.patched/readconf.c 2014-02-15 16:50:46.000000000 -0800
+@@ -140,6 +140,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2159,7 +2167,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -169,10 +171,19 @@
+@@ -182,10 +184,19 @@ static struct {
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
@@ -2179,7 +2187,7 @@
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -479,10 +490,30 @@
+@@ -839,10 +850,30 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2210,7 +2218,7 @@
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -1092,7 +1123,12 @@
+@@ -1488,7 +1519,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@@ -2223,7 +2231,7 @@
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -1193,8 +1229,14 @@
+@@ -1594,8 +1630,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2238,10 +2246,10 @@
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-diff --speed-large-files --minimal -Nru openssh-5.8p1/readconf.h openssh-5.8p1.new/readconf.h
---- openssh-5.8p1/readconf.h 2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1.new/readconf.h 2011-02-12 18:07:11.507187275 +0100
-@@ -46,7 +46,12 @@
+diff -Nrup openssh-6.5p1/readconf.h openssh-6.5p1.patched/readconf.h
+--- openssh-6.5p1/readconf.h 2013-10-16 17:48:14.000000000 -0700
++++ openssh-6.5p1.patched/readconf.h 2014-02-15 16:50:46.000000000 -0800
+@@ -54,7 +54,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
@@ -2254,10 +2262,10 @@
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --speed-large-files --minimal -Nru openssh-5.8p1/servconf.c openssh-5.8p1.new/servconf.c
---- openssh-5.8p1/servconf.c 2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1.new/servconf.c 2011-02-12 18:07:11.533252334 +0100
-@@ -97,7 +97,10 @@
+diff -Nrup openssh-6.5p1/servconf.c openssh-6.5p1.patched/servconf.c
+--- openssh-6.5p1/servconf.c 2013-12-06 16:24:02.000000000 -0800
++++ openssh-6.5p1.patched/servconf.c 2014-02-15 16:50:46.000000000 -0800
+@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -2268,7 +2276,7 @@
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
-@@ -226,8 +229,14 @@
+@@ -245,8 +248,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2283,7 +2291,7 @@
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -322,7 +331,9 @@
+@@ -343,7 +352,9 @@ typedef enum {
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2294,7 +2302,7 @@
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -386,10 +397,20 @@
+@@ -410,10 +421,20 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2315,7 +2323,7 @@
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -944,10 +965,22 @@
+@@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2338,7 +2346,7 @@
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -1704,7 +1737,10 @@
+@@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o)
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2349,10 +2357,10 @@
#endif
#ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
-diff --speed-large-files --minimal -Nru openssh-5.8p1/servconf.h openssh-5.8p1.new/servconf.h
---- openssh-5.8p1/servconf.h 2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1.new/servconf.h 2011-02-12 18:07:11.548572408 +0100
-@@ -97,7 +97,10 @@
+diff -Nrup openssh-6.5p1/servconf.h openssh-6.5p1.patched/servconf.h
+--- openssh-6.5p1/servconf.h 2013-12-04 19:07:28.000000000 -0800
++++ openssh-6.5p1.patched/servconf.h 2014-02-15 16:50:46.000000000 -0800
+@@ -112,7 +112,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2363,9 +2371,9 @@
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
-diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh-gss.h openssh-5.8p1.new/ssh-gss.h
---- openssh-5.8p1/ssh-gss.h 2007-06-12 15:40:39.000000000 +0200
-+++ openssh-5.8p1.new/ssh-gss.h 2011-02-12 18:07:11.567306608 +0100
+diff -Nrup openssh-6.5p1/ssh-gss.h openssh-6.5p1.patched/ssh-gss.h
+--- openssh-6.5p1/ssh-gss.h 2013-02-24 16:24:44.000000000 -0800
++++ openssh-6.5p1.patched/ssh-gss.h 2014-02-15 16:50:46.000000000 -0800
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*
@@ -2374,7 +2382,7 @@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
-@@ -60,10 +60,22 @@
+@@ -61,10 +61,22 @@
#define SSH_GSS_OIDTYPE 0x06
@@ -2397,7 +2405,7 @@
void *data;
} ssh_gssapi_ccache;
-@@ -71,8 +83,11 @@
+@@ -72,8 +84,11 @@ typedef struct {
gss_buffer_desc displayname;
gss_buffer_desc exportedname;
gss_cred_id_t creds;
@@ -2409,7 +2417,7 @@
} ssh_gssapi_client;
typedef struct ssh_gssapi_mech_struct {
-@@ -83,6 +98,7 @@
+@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
void (*storecreds) (ssh_gssapi_client *);
@@ -2417,7 +2425,7 @@
} ssh_gssapi_mech;
typedef struct {
-@@ -93,10 +109,11 @@
+@@ -94,10 +110,11 @@ typedef struct {
gss_OID oid; /* client */
gss_cred_id_t creds; /* server */
gss_name_t client; /* server */
@@ -2430,7 +2438,7 @@
int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-@@ -116,16 +133,30 @@
+@@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2463,9 +2471,9 @@
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
-diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh_config openssh-5.8p1.new/ssh_config
---- openssh-5.8p1/ssh_config 2010-01-12 09:40:27.000000000 +0100
-+++ openssh-5.8p1.new/ssh_config 2011-02-12 18:07:11.580240516 +0100
+diff -Nrup openssh-6.5p1/ssh_config openssh-6.5p1.patched/ssh_config
+--- openssh-6.5p1/ssh_config 2013-10-09 16:24:12.000000000 -0700
++++ openssh-6.5p1.patched/ssh_config 2014-02-15 16:50:46.000000000 -0800
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -2475,10 +2483,10 @@
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh_config.5 openssh-5.8p1.new/ssh_config.5
---- openssh-5.8p1/ssh_config.5 2010-12-26 04:26:48.000000000 +0100
-+++ openssh-5.8p1.new/ssh_config.5 2011-02-12 18:07:11.600266821 +0100
-@@ -508,11 +508,43 @@
+diff -Nrup openssh-6.5p1/ssh_config.5 openssh-6.5p1.patched/ssh_config.5
+--- openssh-6.5p1/ssh_config.5 2014-01-19 03:36:14.000000000 -0800
++++ openssh-6.5p1.patched/ssh_config.5 2014-02-15 16:50:46.000000000 -0800
+@@ -676,11 +676,43 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@@ -2523,10 +2531,10 @@
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
-diff --speed-large-files --minimal -Nru openssh-5.8p1/sshconnect2.c openssh-5.8p1.new/sshconnect2.c
---- openssh-5.8p1/sshconnect2.c 2010-12-01 02:21:51.000000000 +0100
-+++ openssh-5.8p1.new/sshconnect2.c 2011-02-12 18:07:11.623078773 +0100
-@@ -159,9 +159,34 @@
+diff -Nrup openssh-6.5p1/sshconnect2.c openssh-6.5p1.patched/sshconnect2.c
+--- openssh-6.5p1/sshconnect2.c 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/sshconnect2.c 2014-02-15 16:54:12.000000000 -0800
+@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{
Kex *kex;
@@ -2561,7 +2569,7 @@
if (options.ciphers == (char *)-1) {
logit("No valid ciphers for protocol version 2 given, using defaults.");
options.ciphers = NULL;
-@@ -196,6 +221,17 @@
+@@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -2578,8 +2586,8 @@
+
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
-
-@@ -206,10 +242,30 @@
+ (time_t)options.rekey_interval);
+@@ -209,11 +245,31 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2590,6 +2598,7 @@
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+ }
+#endif
+ kex->kex[KEX_C25519_SHA256] = kexc25519_client;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
kex->verify_host_key=&verify_host_key_callback;
@@ -2603,14 +2612,14 @@
+ kex->gss_host = options.gss_server_identity;
+ } else {
+ kex->gss_host = gss_host;
-+ }
++ }
+ }
+#endif
+
xxx_kex = kex;
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -304,6 +360,7 @@
+@@ -309,6 +365,7 @@ void input_gssapi_token(int type, u_int3
void input_gssapi_hash(int type, u_int32_t, void *);
void input_gssapi_error(int, u_int32_t, void *);
void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2618,7 +2627,7 @@
#endif
void userauth(Authctxt *, char *);
-@@ -319,6 +376,11 @@
+@@ -324,6 +381,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -2630,7 +2639,7 @@
{"gssapi-with-mic",
userauth_gssapi,
NULL,
-@@ -625,19 +687,31 @@
+@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
@@ -2664,7 +2673,7 @@
ok = 1; /* Mechanism works */
} else {
mech++;
-@@ -734,8 +808,8 @@
+@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@@ -2675,7 +2684,7 @@
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
-@@ -845,6 +919,48 @@
+@@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t p
free(msg);
free(lang);
}
@@ -2724,11 +2733,11 @@
#endif /* GSSAPI */
int
-diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd.c openssh-5.8p1.new/sshd.c
---- openssh-5.8p1/sshd.c 2011-01-11 07:20:31.000000000 +0100
-+++ openssh-5.8p1.new/sshd.c 2011-02-12 18:07:11.656005267 +0100
-@@ -120,6 +120,10 @@
- #include "roaming.h"
+diff -Nrup openssh-6.5p1/sshd.c openssh-6.5p1.patched/sshd.c
+--- openssh-6.5p1/sshd.c 2014-01-27 20:08:13.000000000 -0800
++++ openssh-6.5p1.patched/sshd.c 2014-02-15 16:54:54.000000000 -0800
+@@ -122,6 +122,10 @@
+ #include "ssh-sandbox.h"
#include "version.h"
+#ifdef USE_SECURITY_SESSION_API
@@ -2738,7 +2747,7 @@
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
-@@ -1590,10 +1594,13 @@
+@@ -1721,10 +1725,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@@ -2752,9 +2761,9 @@
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
-@@ -1922,6 +1929,60 @@
- /* Log the connection. */
- verbose("Connection from %.500s port %d", remote_ip, remote_port);
+@@ -2051,6 +2058,60 @@ main(int ac, char **av)
+ remote_ip, remote_port,
+ get_local_ipaddr(sock_in), get_local_port());
+#ifdef USE_SECURITY_SESSION_API
+ /*
@@ -2813,10 +2822,10 @@
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-@@ -2303,6 +2364,48 @@
+@@ -2456,6 +2517,48 @@ do_ssh2_kex(void)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+ list_hostkey_types());
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
-
+#ifdef GSSAPI
+ {
+ char *orig;
@@ -2862,10 +2871,10 @@
/* start key exchange */
kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2310,6 +2413,13 @@
- kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+@@ -2464,6 +2567,13 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2876,22 +2885,22 @@
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
-diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd_config openssh-5.8p1.new/sshd_config
---- openssh-5.8p1/sshd_config 2010-09-10 03:20:12.000000000 +0200
-+++ openssh-5.8p1.new/sshd_config 2011-02-12 18:07:11.668077725 +0100
-@@ -72,6 +72,8 @@
+diff -Nrup openssh-6.5p1/sshd_config openssh-6.5p1.patched/sshd_config
+--- openssh-6.5p1/sshd_config 2014-01-12 00:20:47.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config 2014-02-15 16:50:46.000000000 -0800
+@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd_config.5 openssh-5.8p1.new/sshd_config.5
---- openssh-5.8p1/sshd_config.5 2010-12-26 04:26:48.000000000 +0100
-+++ openssh-5.8p1.new/sshd_config.5 2011-02-12 18:07:11.685676774 +0100
-@@ -423,12 +423,40 @@
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+diff -Nrup openssh-6.5p1/sshd_config.5 openssh-6.5p1.patched/sshd_config.5
+--- openssh-6.5p1/sshd_config.5 2013-12-17 22:47:03.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config.5 2014-02-15 16:50:46.000000000 -0800
+@@ -493,12 +493,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/macports-changes/attachments/20140216/31a5f637/attachment-0001.html>
More information about the macports-changes
mailing list