diff options
author | Mike Hammill <mike@kth.se> | 2012-01-10 00:35:12 +0100 |
---|---|---|
committer | Mike Hammill <mike@kth.se> | 2012-01-10 00:35:12 +0100 |
commit | 320e86b3030512a041890ca1349735601434b979 (patch) | |
tree | 52d84ef237d935f7ea94c777833a5fa46af62e21 | |
parent | Add Weaver Projects' "update" script. (diff) | |
download | mhammill-320e86b3030512a041890ca1349735601434b979.tar.gz mhammill-320e86b3030512a041890ca1349735601434b979.tar.bz2 mhammill-320e86b3030512a041890ca1349735601434b979.zip |
Modernize openssh ebuild already containing S. Wilkinson's patch
Modernization includes updating options for openrc's new standards.
Clean up includes removing unused ebuilds (openssh-5.3p1, and any
greater than openssh-5.8_p1) since Simon does not have patches for
those.
-rw-r--r-- | net-misc/openssh/ChangeLog | 159 | ||||
-rw-r--r-- | net-misc/openssh/Manifest | 28 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-5.3p1-gsskex-all-20100124.patch | 2975 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-5.8_p1-selinux.patch | 18 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch | 61 | ||||
-rw-r--r-- | net-misc/openssh/files/sshd.rc6 | 7 | ||||
-rw-r--r-- | net-misc/openssh/files/sshd.rc6.1 | 7 | ||||
-rw-r--r-- | net-misc/openssh/files/sshd.rc6.2 | 21 | ||||
-rwxr-xr-x | net-misc/openssh/files/sshd.rc6.3 | 85 | ||||
-rw-r--r-- | net-misc/openssh/files/sshd.service | 10 | ||||
-rw-r--r-- | net-misc/openssh/files/sshd.socket | 10 | ||||
-rw-r--r-- | net-misc/openssh/files/sshd_at.service | 8 | ||||
-rw-r--r-- | net-misc/openssh/metadata.xml | 11 | ||||
-rw-r--r-- | net-misc/openssh/openssh-5.3_p1-r1.ebuild | 274 | ||||
-rw-r--r-- | net-misc/openssh/openssh-5.6_p1-r2.ebuild | 3 | ||||
-rw-r--r-- | net-misc/openssh/openssh-5.7_p1-r1.ebuild | 3 |
16 files changed, 304 insertions, 3376 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog index 3cf841d..b24f8cc 100644 --- a/net-misc/openssh/ChangeLog +++ b/net-misc/openssh/ChangeLog @@ -1,5 +1,162 @@ # ChangeLog for net-misc/openssh -# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2 +# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.431 2011/12/14 19:52:12 mgorny Exp $ + + 09 Jan 2012; Mike Hammill <michael@hammill.name> openssh-5.7_p1-r1.ebuild: + Make compatible with Simon Wilkinson's kext patch. See + http://www.sxw.org.uk/computing/patches/openssh.html + + 14 Dec 2011; Michał Górny <mgorny@gentoo.org> openssh-5.9_p1-r3.ebuild, + +files/sshd.service, +files/sshd.socket, +files/sshd_at.service: + Install systemd unit files. + + 04 Dec 2011; Sven Wegener <swegener@gentoo.org> files/sshd.rc6, + files/sshd.rc6.1, files/sshd.rc6.2: + move reload to extra_started_commands + + 26 Nov 2011; Mike Frysinger <vapier@gentoo.org> openssh-5.9_p1-r3.ebuild: + Move enew{user,group} to pkg_preinst so `die` works. + + 03 Nov 2011; Mike Frysinger <vapier@gentoo.org> openssh-5.5_p1-r2.ebuild, + openssh-5.6_p1-r2.ebuild, openssh-5.7_p1-r1.ebuild, openssh-5.8_p1-r1.ebuild, + openssh-5.8_p2.ebuild, openssh-5.8_p2-r1.ebuild, openssh-5.9_p1-r3.ebuild: + Use new egetshell helper rather than calling getent directly. + + 02 Nov 2011; Mike Frysinger <vapier@gentoo.org> openssh-5.5_p1-r2.ebuild, + openssh-5.6_p1-r2.ebuild, openssh-5.7_p1-r1.ebuild, openssh-5.8_p1-r1.ebuild, + openssh-5.8_p2.ebuild, openssh-5.8_p2-r1.ebuild, openssh-5.9_p1-r3.ebuild: + Use egetent rather than getent. + +*openssh-5.9_p1-r3 (26 Sep 2011) + + 26 Sep 2011; Mike Frysinger <vapier@gentoo.org> -openssh-5.9_p1.ebuild, + -openssh-5.9_p1-r2.ebuild, +openssh-5.9_p1-r3.ebuild, + +files/openssh-5.9_p1-x509-glue.patch: + Add x509 patch and release. + +*openssh-5.9_p1-r2 (14 Sep 2011) +*openssh-5.8_p2-r1 (14 Sep 2011) + + 14 Sep 2011; Lars Wendler <polynomial-c@gentoo.org> + +openssh-5.8_p2-r1.ebuild, -openssh-5.9_p1-r1.ebuild, + +openssh-5.9_p1-r2.ebuild, files/sshd.rc6.3: + non-maintainer commit: Replaced deprecated opts variable (bug #382227) and + removed --stop option from reload function (bug #382975). Bot changes and + revbumps were done with kind permission from vapier. + + 12 Sep 2011; Mike Frysinger <vapier@gentoo.org> openssh-5.9_p1-r1.ebuild: + Simplify test homedir logic a bit, and fix quoting. + +*openssh-5.9_p1-r1 (07 Sep 2011) + + 07 Sep 2011; Robin H. Johnson <robbat2@gentoo.org> +openssh-5.9_p1-r1.ebuild: + Add complete port of HPN+LPK patches, also adjust the HOMEDIR setting for + src_test to complete in more cases. + + 07 Sep 2011; Mike Frysinger <vapier@gentoo.org> openssh-5.9_p1.ebuild: + Retain default AuthorizedKeysFile behavior. + +*openssh-5.9_p1 (07 Sep 2011) + + 07 Sep 2011; Mike Frysinger <vapier@gentoo.org> +openssh-5.9_p1.ebuild, + +files/openssh-5.9_p1-sshd-gssapi-multihomed.patch, +files/sshd.rc6.3: + Version bump. Drop --oknodo in init.d #377771 by Michael Mair-Keimberger. Add + GSSAPI/Kerberos fix #378361 by Kevan Carstensen. + + 28 May 2011; Mike Frysinger <vapier@gentoo.org> files/sshd.rc6.2: + Move custom opts to checkconfig and include those when verifying config + sanity #367303 by Horst Prote. + + 16 May 2011; Robin H. Johnson <robbat2@gentoo.org> openssh-5.8_p2.ebuild: + Bug #366643: rediff the LPK patch for LDAP usage. Also merge the Mozilla uid + customization LPK change. + +*openssh-5.8_p2 (09 May 2011) + + 09 May 2011; Mike Frysinger <vapier@gentoo.org> +openssh-5.8_p2.ebuild: + Version bump. + + 16 Apr 2011; Ulrich Mueller <ulm@gentoo.org> openssh-5.5_p1-r2.ebuild, + openssh-5.6_p1-r2.ebuild, openssh-5.7_p1-r1.ebuild, openssh-5.8_p1-r1.ebuild: + Don't PROVIDE virtual/ssh, bug 361121. + + 19 Feb 2011; Mike Frysinger <vapier@gentoo.org> openssh-5.8_p1-r1.ebuild: + Encourage people to update their stored ssh key lists #355223 by Pacho Ramos. + + 19 Feb 2011; Mike Frysinger <vapier@gentoo.org> -openssh-5.8_p1.ebuild, + openssh-5.8_p1-r1.ebuild: + We want openssh-5.8_p1-r1 going stable. + + 13 Feb 2011; Raúl Porcel <armin76@gentoo.org> openssh-5.8_p1.ebuild: + arm/ia64/m68k/s390/sh/sparc stable wrt #353673 + + 11 Feb 2011; Pawel Hajdan jr <phajdan.jr@gentoo.org> + openssh-5.8_p1.ebuild: + x86 stable wrt security bug #353673 + + 11 Feb 2011; Kacper Kowalik <xarthisius@gentoo.org> openssh-5.8_p1.ebuild: + ppc stable wrt 353673 + + 10 Feb 2011; Markos Chandras <hwoarang@gentoo.org> openssh-5.8_p1.ebuild: + Stable on amd64 wrt bug #353673 + + 10 Feb 2011; Robin H. Johnson <robbat2@gentoo.org> openssh-5.5_p1-r2.ebuild, + openssh-5.6_p1-r2.ebuild, openssh-5.7_p1-r1.ebuild, openssh-5.8_p1.ebuild, + openssh-5.8_p1-r1.ebuild: + Revamp AES-CTR-MT disable comment, with explicit reference to upstream + documentation and testcase reference (bug #354113, comment 6). + + 10 Feb 2011; Mike Frysinger <vapier@gentoo.org> openssh-5.8_p1-r1.ebuild, + +files/openssh-5.8_p1-selinux.patch: + Drop openssl build patch since it doesn't seem to be needed anymore, and + apply simple build fix for selinux from upstream #354247 by MarisN. + + 10 Feb 2011; Robin H. Johnson <robbat2@gentoo.org> openssh-5.8_p1.ebuild: + Also add AES-CTR fix to 5.8_p1 presently under stabilization. + alpha/hppa/ppc64 are the only stable arches with the broken HPN version at + present. + +*openssh-5.8_p1-r1 (10 Feb 2011) + + 10 Feb 2011; Robin H. Johnson <robbat2@gentoo.org> openssh-5.6_p1-r2.ebuild, + openssh-5.7_p1-r1.ebuild, +openssh-5.8_p1-r1.ebuild: + Bug #354113: AES-CTR workaround was dropped from 5.7 and 5.8 when it is still + required. + + 08 Feb 2011; Kacper Kowalik <xarthisius@gentoo.org> openssh-5.8_p1.ebuild: + ppc64 stable wrt #353673 + + 08 Feb 2011; Tobias Klausmann <klausman@gentoo.org> openssh-5.8_p1.ebuild: + Stable on alpha, bug #353673 + + 08 Feb 2011; Jeroen Roovers <jer@gentoo.org> openssh-5.8_p1.ebuild: + Stable for HPPA (bug #353673). + +*openssh-5.8_p1 (05 Feb 2011) + + 05 Feb 2011; Mike Frysinger <vapier@gentoo.org> +openssh-5.8_p1.ebuild, + +files/openssh-5.8_p1-x509-hpn-glue.patch: + Version bump #353673. Default HPN to on when available #347193 by Jeremy + Olexa. + +*openssh-5.7_p1-r1 (25 Jan 2011) + + 25 Jan 2011; Mike Frysinger <vapier@gentoo.org> +openssh-5.7_p1-r1.ebuild, + +files/openssh-5.7_p1-x509-hpn-glue.patch: + Add x509/ldap/hpn support back in. Auto-remove ecdsa support from init.d if + openssl lacks support #352645 by William Throwe. + +*openssh-5.7_p1 (24 Jan 2011) + + 24 Jan 2011; Mike Frysinger <vapier@gentoo.org> +openssh-5.7_p1.ebuild, + +files/sshd.rc6.2: + Version bump. + + 10 Dec 2010; Robin H. Johnson <robbat2@gentoo.org> metadata.xml: + Update restrict in metadata per mgorny's request to use DEPEND syntax. + + 04 Dec 2010; Raúl Porcel <armin76@gentoo.org> openssh-5.6_p1-r2.ebuild: + alpha/ia64/m68k/s390/sh stable wrt #346395 15 Feb 2011; Mike Hammill <michael@hammill.name> openssh-5.6_p1-r2.ebuild: Make compatible with Simon Wilkinson's kext patch. See diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index c18c110..7168ea9 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -3,37 +3,31 @@ AUX openssh-5.2_p1-autoconf.patch 386 RMD160 8e57ae97df0b2483f826a7aba00bc0622b9 AUX openssh-5.2_p1-gsskex-fix.patch 408 RMD160 6a6296cd1c8acc52af4e0d8b6238b326d5d41e77 SHA1 b31e5294c68e6af9a75987a1c3ece5e52f56e9a5 SHA256 8190db31ed2e8dc6ce79030e5c648d04610b06dd8366df5948ef6e990314ee96 AUX openssh-5.2_p1-x509-hpn-glue.patch 2851 RMD160 2c3fbb549976f9004e89bcfb58dadf2186f64517 SHA1 ff666fb2a0ef3fc7d703f99438ca4c39ee2eafdf SHA256 a21336a892b61e29a556d16e9f0a67ee08ad04dd61e3963a201fdf032ce55f75 AUX openssh-5.2p1-ldap-stdargs.diff 252 RMD160 7bf89a0946446b43ce3026b7b01a9a4c637f388a SHA1 7b62038dc3060b1e77df213c85874ba80acd8f64 SHA256 97281375efa33e9ce70a55bfa95b6b426208175e7e3ff493012bc25d9b012f45 -AUX openssh-5.3p1-gsskex-all-20100124.patch 90320 RMD160 fbd0437fa89720756f55c164c2c1dffc3a618000 SHA1 0e49443fc3c005465275b8052f326500f7f0b45c SHA256 8f75e1e84a569cb200a8fcc81c35cde722e57efde147c875c966c01381be818a AUX openssh-5.4_p1-openssl.patch 255 RMD160 6d495664c5d94058cb4aa8a0011a070cb27a8fb9 SHA1 9e78702afc936a478f64c73bada9e85f7dbd8081 SHA256 f83627039491e9969f1ed5d77fe816465ce75809e8c2f2bfb07012bc21384347 AUX openssh-5.6_p1-hpn-progressmeter.patch 334 RMD160 024480c0f7ccac80905ae4b4ae6adfa21428cf97 SHA1 446cfaa4be26fefbabd8f8933d91b5d5783f196c SHA256 eaa98f954934364a1994111f5a422d0730b6e224822cef03efe6d6fc0c7f056f AUX openssh-5.6_p1-x509-hpn-glue.patch 1974 RMD160 bccefdc9ee8e923968c6dac5d470466b1b7e78b9 SHA1 8f882f22d2c85967d3d54c250a11077b67f9a1a9 SHA256 164db7af08e0565821d6d609b1beadab39777521bfff143a83acc1e097ad60f1 AUX openssh-5.6p1-gsskex-all-20110101.patch 91929 RMD160 bdf9d194aeb2c37f19e1b8f2ef7dced8a00674ff SHA1 1daacdeaaba55a95faad12c41a56f8dc8fe59ad7 SHA256 93a3a4b3935919cff8e8216fc8026069dceca0aa840c84e1fe74a2da24d6d632 AUX openssh-5.7_p1-x509-hpn-glue.patch 1888 RMD160 d0af977ecc3b89fc6efbd554f8bb3680acd88c32 SHA1 185e0f56db550cdc0f76d359296681bef55920f3 SHA256 30f63dea0e810d92790ddaf9813f0b8dec1e827a39e1752faff6bb41382f3c1b AUX openssh-5.7p1-gsskex-all-20110125.patch 91889 RMD160 ffd77d9c7e1d4c2692728973c1683f5debc37093 SHA1 8aefb2e1ac4ba60dfc513694d75f10be88590f52 SHA256 bfdc72c3d7d5d4f9f8a78b649988dff8fad780cfa72bad4a69eb94c54de9a359 -AUX openssh-5.8_p1-selinux.patch 433 RMD160 ec21b74785b475264d8dece2f10102d730684f21 SHA1 db97948d0e54194ad5a00b7d08982b05c2b502b2 SHA256 0de250c75f4dae78406e5151f563bd104b8e7792a825515510e095fb47462cfd -AUX openssh-5.8_p1-x509-hpn-glue.patch 1907 RMD160 954bfc141bf780e0c36712ee2f0f211bb7147e59 SHA1 a332690d47c18b2ae88a7381a177cc28a098d984 SHA256 7ab452c02b141645b764d404aa3de0754ab240a64601a6bb587919673f957682 AUX sshd.confd 396 RMD160 029680b2281961130a815ef599750c4fc4e84987 SHA1 23c283d0967944b6125be26ed4628f49abf586b2 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 AUX sshd.pam 294 RMD160 1d4499a7de54188e51e87a240ec7a1b3b1af583d SHA1 4cd17fb40793fa9ca77ac93698129f2c8cafd7b8 SHA256 f01cc51c624b21a815fb6c0be35edc590e2e6f8a5ffbdcabc220a9630517972f AUX sshd.pam_include.2 156 RMD160 c4f6ba6e3a705eef63e571189e28de71e7d61178 SHA1 1223f7a43a5e124521d48852b2d23bb8ba0a788f SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c -AUX sshd.rc6 2159 RMD160 961c7222fe809d81dc04c1f62e14c8292c0e3452 SHA1 d9853a50ff89d4359cc813a0f5ec936659941646 SHA256 83b94fed859ab3a00861969f97c166bd3b2fdd217f26468153e17005dfd55828 -AUX sshd.rc6.1 2244 RMD160 112f62244a4654d706fa3892da514df8130dabf3 SHA1 4a561034f7376bf10dc4601f2b847f247b83bf53 SHA256 09b7f29890fd0c28e364637236518c7ee4fea018af94dd72b8682a548678cd73 -AUX sshd.rc6.2 2051 RMD160 026c92ef4c0926ca1d5ab91a55b4d12028ba800d SHA1 246ffa14a9636f843c9314a32f11dacdc67cd52f SHA256 c8f8fd4789188c43259c7351cb3d666b24b1703e45129ba09e1b849192967d08 -DIST openssh-5.2pkcs11-0.26.tar.bz2 18642 RMD160 07093fb2ad47247b2f028fae4fe1b80edf4ddaf8 SHA1 755793398e1b04ee6c15458a69ce4ad68d2abee0 SHA256 9655f118c614f76cfdd3164b5c0e3e430f20a4ce16c65df0dc1b594648cf1c07 -DIST openssh-5.3p1+x509-6.2.1.diff.gz 154130 RMD160 d16e9d4fd7f6e64091c7b421df7bbd7c21b40c4e SHA1 52182f3a3f84b5ce5e9fada5669776abb851a3fd SHA256 e7e122e74498a0db4253e4a2a43b55688685381066fbad69ad1beafd27b62523 -DIST openssh-5.3p1-hpn13v6-gentoo.diff.gz 23262 RMD160 f4a99017f658d5b803b966cb3711f246be6344f9 SHA1 a30568339458976933e770900a933f013e8ce2c2 SHA256 3f3861ca5e58134dc3f3f7a042d53b9d652b7e4232fcadd45c7fba2d98f5bf63 -DIST openssh-5.3p1.tar.gz 1027130 RMD160 f8c98b4b91b7e0e02b33837ef6978e8b7570cf9e SHA1 d411fde2584ef6022187f565360b2c63a05602b5 SHA256 d0c917462896974480b14454a8e1cb8b809291f67e5b9779c9b4dc4156c5ef12 +AUX sshd.rc6 2189 RMD160 1eced6306aa17094da80dba9259a5b7c2a071ea8 SHA1 42f528dc564cb861ba6ef140fa7a42bd28ebe679 SHA256 627125378ccfdd81289531f527346980da249d35499cb71518f88f1452f4c098 +AUX sshd.rc6.1 2270 RMD160 5c81454773e5c17c386fe8ad29d28b9048b9a6f6 SHA1 ae183a58f07af37f4c1c2ea46d0d7b83ab70c03d SHA256 153119116208d328c496d29b7cb9f85991df93020cc50c83b05ed498b10a2126 +AUX sshd.rc6.2 2069 RMD160 92a457dcd2dcfac5453956a76a1be9df66b38313 SHA1 74d0fdf9bf52ddd700a6eadd459ab56d48ad385c SHA256 94b1fc0d608464fd4a6c7ed23f0b9c44aada3404982d8fd25b8bfe202baffaa6 +AUX sshd.rc6.3 2057 RMD160 800875a8e8c61d8453033c7b069d0b0268f8a8fd SHA1 15d6d486749fade1e8bfb219f3226fb119f8b6e2 SHA256 43d95b495440ed6b3c1eb82b81712d7f6e58246527605c11d733cb5eb5523254 +AUX sshd.service 206 RMD160 c4942b6dac3a334ecee7a8ebe9bbb2b4b3918da2 SHA1 f8180cdbf17213c7535ae2c97cab4047149e07bd SHA256 093d4f526e740cbec46ad6a69207407daf01e74da44599d75b979f294c9b0a7b +AUX sshd.socket 136 RMD160 c237a8fde92ae5e8528db59cf28e0018ba8086a5 SHA1 33a73159bce16bb87b2395a8d74605e53693d4f6 SHA256 c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 +AUX sshd_at.service 176 RMD160 e8a795680a2836d5f228848707a0ad128cd1a2a6 SHA1 d56d13de4f60dd3e633bd7f5e4079ce86c18a77f SHA256 332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 DIST openssh-5.6p1+x509-6.2.3.diff.gz 168109 RMD160 d2a0bb07ede384a7fd752d0a1a2b7750101c5fe3 SHA1 319992226b8109c3f6ce9bbe5884635edb2349cf SHA256 90977eded2ae5e71bc3b84aad8597442074742d78d471087d020e58dd58342ad DIST openssh-5.6p1-hpn13v10.diff.gz 22988 RMD160 9c62cd1520a69f10b85496450130a9fd0a5f5954 SHA1 71f5a346b297330c50b324cdc19e361070a31776 SHA256 6a9ee815e8ffcc9068c3dce4ad4f2898fc0db6b768a3152280aceb8c06c8b450 DIST openssh-5.6p1.tar.gz 1117952 RMD160 e3e1229cc0efa7cb534c83e61fade8371fc24a23 SHA1 347dd39c91c3529f41dae63714d452fb95efea1e SHA256 538af53b2b8162c21a293bb004ae2bdb141abd250f61b4cea55244749f3c6c2b DIST openssh-5.7p1+x509-6.2.4.diff.gz 170001 RMD160 7fa25e7a28f0277b68dbda57584449dc42bb08f3 SHA1 9b4bf151bca8e96cec5773ba23c55b9a36c47b94 SHA256 86af445d27be112318e95c4a188593b171a34b100e2187ef12a116c95e36c51d DIST openssh-5.7p1-hpn13v10.diff.bz2 20132 RMD160 2c34ca34fbe19468254fe0d4fa6344f23f5da4cd SHA1 d743cc499e0e9ccfbc518bfb1718e1611603983c SHA256 fc6518ea065841cec96a503207bd6f927c65234862ec13a44c3c13cb978bfa57 DIST openssh-5.7p1.tar.gz 1113345 RMD160 7f2ee186d5b99e1b40b90669b681b49da962b8f8 SHA1 423e27475f06e1055847dfff7f61e1ac632b5372 SHA256 59057d727d902d8b04b2ce0ba8f288c6e02cb65aca183cc8d559a4a66426581b -DIST openssh-lpk-5.3p1-0.3.11.patch.gz 18137 RMD160 3e316722d521e163a82d661465abef7f128d736b SHA1 870a703e2cafa744681733766e48faf3229e3b7e SHA256 34d8dbccde3b1fedb6b75d7a725ade8b37389c46f5b13a2e5a80d8cd8e6ffaaa DIST openssh-lpk-5.6p1-0.3.13.patch.gz 18376 RMD160 c928a22d890de17c43ac8a71ac0a551fbe38a831 SHA1 477ef82043278ba9e314e14e7a487f1541fbc48b SHA256 42a76b67c390c3ed28efd6e1734ca5a7edfefc635c35086dbd610999130678e9 DIST openssh-lpk-5.7p1-0.3.13.patch.gz 18392 RMD160 9ca299e2c05c97528ecbea5cc30fe604904daa2c SHA1 5581a12eee5d5e739b77927ce7ddb00625ab03c4 SHA256 739fa32e267f2c30362bb953d597bcbb55b58d76e13f644004fa63ded81522f7 -EBUILD openssh-5.3_p1-r1.ebuild 8666 RMD160 6edf7608fe3085af2e6355ab48401891ab677b8c SHA1 f770b419dd2f43a8dbb4aa1c1543c0562a40279e SHA256 f1ee06ef18cea7703e8771d9bf9df55655f835a1dbe904afb5ce2aa9d7ed070c -EBUILD openssh-5.6_p1-r2.ebuild 8467 RMD160 cd1e0a8f49594845d7d7dae6c1ac5a371b414b85 SHA1 32e47857889600d55ce94a72368dd493645758d5 SHA256 a3539cec23105f17b1f8dbb419aa1ce61fd31b1419721584b4f103827ebafec3 -EBUILD openssh-5.7_p1-r1.ebuild 8317 RMD160 63426be0d5499834538e1884df5e79be5efead8b SHA1 6716f7bd8b72fc99ece9ff07bce791443d523c5b SHA256 a49c1a38ccc478d6b00cce3050203ccc23cd920dc3c18629007461431e27ec93 -MISC ChangeLog 62362 RMD160 01250419a933c4cc39d427eb50d52c96f1453366 SHA1 b883f590066a9e85a44fef6b2653d544ebd48107 SHA256 edafdd990dce05eceea08413999be4e528e5ac14a27c6ef644a2084d99db1dcc -MISC metadata.xml 2060 RMD160 5210e6965ed72944c6a3e5ee88994497915c6f25 SHA1 89f42abb4b7ac69bccd0c5cc3fb933563dcd8689 SHA256 293c43174c14d1ba03818492004a844d4418df3b67fc9633bcee04f19ba255e3 -MISC openssh-5.7_p1-r1.ebuild~ 8257 RMD160 6126ed9ef31f3ba2fe8d5bab996d71164160fbd5 SHA1 8d2e76cedc2b05cf6ba73aa1191a735fcd337a21 SHA256 42ffdb6f51664911af79106c9d83da64cb495fc353bc2c8fc805430401c22753 +EBUILD openssh-5.6_p1-r2.ebuild 8427 RMD160 69a1fd251f82026521229f93fa84b5474e893e10 SHA1 e6bad48f5beb54c178775dc45cc55ce1546f348c SHA256 1927827db57ecee7591e95b16cbaa4d6d9c9d621d25e0d6a7d96ea482d54085a +EBUILD openssh-5.7_p1-r1.ebuild 8277 RMD160 66a4a5119a20e49c5caae8b4bc73fec8edee3321 SHA1 bb5a80fd35c5ef3894f99d9226c771876ebb9b00 SHA256 a5866e4a72070af9a2c0ac0ca4364a6c2248752e8ba2b54dd939608c3c0ce7e8 +MISC ChangeLog 68884 RMD160 bbadb6bae5fc6423e17865954bafecb62881aed5 SHA1 1d9e59977518fbb8ab0fa54ed1180966e81c32f5 SHA256 aec10ec072efac4c5f03c31bedf7be07b5b7d030d6d6304c3209d14464fd81c0 +MISC metadata.xml 1601 RMD160 70f43b0909a7b98d28ead925e1f8999a99cbd855 SHA1 95dc6406e66de6cbbb3c0a093bfd84d2c1494394 SHA256 1407a0a1ffb719bf4dd25e93d61fe10cc6544f733ebeff2be56bf2662f9ecc74 diff --git a/net-misc/openssh/files/openssh-5.3p1-gsskex-all-20100124.patch b/net-misc/openssh/files/openssh-5.3p1-gsskex-all-20100124.patch deleted file mode 100644 index 8ccc089..0000000 --- a/net-misc/openssh/files/openssh-5.3p1-gsskex-all-20100124.patch +++ /dev/null @@ -1,2975 +0,0 @@ -Index: openssh-5.3p1/gss-serv.c -=================================================================== ---- openssh-5.3p1.orig/gss-serv.c 2008-05-19 06:05:07.000000000 +0100 -+++ openssh-5.3p1/gss-serv.c 2010-01-24 10:36:10.000000000 +0000 -@@ -1,7 +1,7 @@ - /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ - - /* -- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -45,15 +45,20 @@ - #include "channels.h" - #include "session.h" - #include "misc.h" -+#include "servconf.h" -+#include "uidswap.h" - - #include "ssh-gss.h" -+#include "monitor_wrap.h" -+ -+extern ServerOptions options; - - static ssh_gssapi_client gssapi_client = - { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, -- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; -+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; - - ssh_gssapi_mech gssapi_null_mech = -- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; -+ { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL}; - - #ifdef KRB5 - extern ssh_gssapi_mech gssapi_kerberos_mech; -@@ -81,25 +86,32 @@ - char lname[MAXHOSTNAMELEN]; - gss_OID_set oidset; - -- gss_create_empty_oid_set(&status, &oidset); -- gss_add_oid_set_member(&status, ctx->oid, &oidset); -+ if (options.gss_strict_acceptor) { -+ gss_create_empty_oid_set(&status, &oidset); -+ gss_add_oid_set_member(&status, ctx->oid, &oidset); -+ -+ if (gethostname(lname, MAXHOSTNAMELEN)) { -+ gss_release_oid_set(&status, &oidset); -+ return (-1); -+ } - -- if (gethostname(lname, MAXHOSTNAMELEN)) { -- gss_release_oid_set(&status, &oidset); -- return (-1); -- } -+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { -+ gss_release_oid_set(&status, &oidset); -+ return (ctx->major); -+ } -+ -+ if ((ctx->major = gss_acquire_cred(&ctx->minor, -+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, -+ NULL, NULL))) -+ ssh_gssapi_error(ctx); - -- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { - gss_release_oid_set(&status, &oidset); - return (ctx->major); -+ } else { -+ ctx->name = GSS_C_NO_NAME; -+ ctx->creds = GSS_C_NO_CREDENTIAL; - } -- -- if ((ctx->major = gss_acquire_cred(&ctx->minor, -- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) -- ssh_gssapi_error(ctx); -- -- gss_release_oid_set(&status, &oidset); -- return (ctx->major); -+ return GSS_S_COMPLETE; - } - - /* Privileged */ -@@ -114,6 +126,29 @@ - } - - /* Unprivileged */ -+char * -+ssh_gssapi_server_mechanisms() { -+ gss_OID_set supported; -+ -+ ssh_gssapi_supported_oids(&supported); -+ return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, -+ NULL, NULL)); -+} -+ -+/* Unprivileged */ -+int -+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data, -+ const char *dummy) { -+ Gssctxt *ctx = NULL; -+ int res; -+ -+ res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid))); -+ ssh_gssapi_delete_ctx(&ctx); -+ -+ return (res); -+} -+ -+/* Unprivileged */ - void - ssh_gssapi_supported_oids(gss_OID_set *oidset) - { -@@ -123,7 +158,9 @@ - gss_OID_set supported; - - gss_create_empty_oid_set(&min_status, oidset); -- gss_indicate_mechs(&min_status, &supported); -+ -+ if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported))) -+ return; - - while (supported_mechs[i]->name != NULL) { - if (GSS_ERROR(gss_test_oid_set_member(&min_status, -@@ -247,8 +284,48 @@ - ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) - { - int i = 0; -+ int equal = 0; -+ gss_name_t new_name = GSS_C_NO_NAME; -+ gss_buffer_desc ename = GSS_C_EMPTY_BUFFER; -+ -+ if (options.gss_store_rekey && client->used && ctx->client_creds) { -+ if (client->mech->oid.length != ctx->oid->length || -+ (memcmp(client->mech->oid.elements, -+ ctx->oid->elements, ctx->oid->length) !=0)) { -+ debug("Rekeyed credentials have different mechanism"); -+ return GSS_S_COMPLETE; -+ } -+ -+ if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor, -+ ctx->client_creds, ctx->oid, &new_name, -+ NULL, NULL, NULL))) { -+ ssh_gssapi_error(ctx); -+ return (ctx->major); -+ } -+ -+ ctx->major = gss_compare_name(&ctx->minor, client->name, -+ new_name, &equal); - -- gss_buffer_desc ename; -+ if (GSS_ERROR(ctx->major)) { -+ ssh_gssapi_error(ctx); -+ return (ctx->major); -+ } -+ -+ if (!equal) { -+ debug("Rekeyed credentials have different name"); -+ return GSS_S_COMPLETE; -+ } -+ -+ debug("Marking rekeyed credentials for export"); -+ -+ gss_release_name(&ctx->minor, &client->name); -+ gss_release_cred(&ctx->minor, &client->creds); -+ client->name = new_name; -+ client->creds = ctx->client_creds; -+ ctx->client_creds = GSS_C_NO_CREDENTIAL; -+ client->updated = 1; -+ return GSS_S_COMPLETE; -+ } - - client->mech = NULL; - -@@ -263,6 +340,13 @@ - if (client->mech == NULL) - return GSS_S_FAILURE; - -+ if (ctx->client_creds && -+ (ctx->major = gss_inquire_cred_by_mech(&ctx->minor, -+ ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) { -+ ssh_gssapi_error(ctx); -+ return (ctx->major); -+ } -+ - if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, - &client->displayname, NULL))) { - ssh_gssapi_error(ctx); -@@ -280,6 +364,8 @@ - return (ctx->major); - } - -+ gss_release_buffer(&ctx->minor, &ename); -+ - /* We can't copy this structure, so we just move the pointer to it */ - client->creds = ctx->client_creds; - ctx->client_creds = GSS_C_NO_CREDENTIAL; -@@ -327,7 +413,7 @@ - - /* Privileged */ - int --ssh_gssapi_userok(char *user) -+ssh_gssapi_userok(char *user, struct passwd *pw) - { - OM_uint32 lmin; - -@@ -337,9 +423,11 @@ - return 0; - } - if (gssapi_client.mech && gssapi_client.mech->userok) -- if ((*gssapi_client.mech->userok)(&gssapi_client, user)) -+ if ((*gssapi_client.mech->userok)(&gssapi_client, user)) { -+ gssapi_client.used = 1; -+ gssapi_client.store.owner = pw; - return 1; -- else { -+ } else { - /* Destroy delegated credentials if userok fails */ - gss_release_buffer(&lmin, &gssapi_client.displayname); - gss_release_buffer(&lmin, &gssapi_client.exportedname); -@@ -352,14 +440,90 @@ - return (0); - } - --/* Privileged */ --OM_uint32 --ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) -+/* These bits are only used for rekeying. The unpriviledged child is running -+ * as the user, the monitor is root. -+ * -+ * In the child, we want to : -+ * *) Ask the monitor to store our credentials into the store we specify -+ * *) If it succeeds, maybe do a PAM update -+ */ -+ -+/* Stuff for PAM */ -+ -+#ifdef USE_PAM -+static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg, -+ struct pam_response **resp, void *data) - { -- ctx->major = gss_verify_mic(&ctx->minor, ctx->context, -- gssbuf, gssmic, NULL); -+ return (PAM_CONV_ERR); -+} -+#endif - -- return (ctx->major); -+void -+ssh_gssapi_rekey_creds() { -+ int ok; -+ int ret; -+#ifdef USE_PAM -+ pam_handle_t *pamh = NULL; -+ struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL}; -+ char *envstr; -+#endif -+ -+ if (gssapi_client.store.filename == NULL && -+ gssapi_client.store.envval == NULL && -+ gssapi_client.store.envvar == NULL) -+ return; -+ -+ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); -+ -+ if (!ok) -+ return; -+ -+ debug("Rekeyed credentials stored successfully"); -+ -+ /* Actually managing to play with the ssh pam stack from here will -+ * be next to impossible. In any case, we may want different options -+ * for rekeying. So, use our own :) -+ */ -+#ifdef USE_PAM -+ if (!use_privsep) { -+ debug("Not even going to try and do PAM with privsep disabled"); -+ return; -+ } -+ -+ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name, -+ &pamconv, &pamh); -+ if (ret) -+ return; -+ -+ xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, -+ gssapi_client.store.envval); -+ -+ ret = pam_putenv(pamh, envstr); -+ if (!ret) -+ pam_setcred(pamh, PAM_REINITIALIZE_CRED); -+ pam_end(pamh, PAM_SUCCESS); -+#endif -+} -+ -+int -+ssh_gssapi_update_creds(ssh_gssapi_ccache *store) { -+ int ok = 0; -+ -+ /* Check we've got credentials to store */ -+ if (!gssapi_client.updated) -+ return 0; -+ -+ gssapi_client.updated = 0; -+ -+ temporarily_use_uid(gssapi_client.store.owner); -+ if (gssapi_client.mech && gssapi_client.mech->updatecreds) -+ ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client); -+ else -+ debug("No update function for this mechanism"); -+ -+ restore_uid(); -+ -+ return ok; - } - - #endif -Index: openssh-5.3p1/servconf.c -=================================================================== ---- openssh-5.3p1.orig/servconf.c 2009-06-21 11:26:17.000000000 +0100 -+++ openssh-5.3p1/servconf.c 2010-01-24 10:36:10.000000000 +0000 -@@ -92,7 +92,10 @@ - options->kerberos_ticket_cleanup = -1; - options->kerberos_get_afs_token = -1; - options->gss_authentication=-1; -+ options->gss_keyex = -1; - options->gss_cleanup_creds = -1; -+ options->gss_strict_acceptor = -1; -+ options->gss_store_rekey = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; -@@ -210,8 +213,14 @@ - options->kerberos_get_afs_token = 0; - if (options->gss_authentication == -1) - options->gss_authentication = 0; -+ if (options->gss_keyex == -1) -+ options->gss_keyex = 0; - if (options->gss_cleanup_creds == -1) - options->gss_cleanup_creds = 1; -+ if (options->gss_strict_acceptor == -1) -+ options->gss_strict_acceptor = 1; -+ if (options->gss_store_rekey == -1) -+ options->gss_store_rekey = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -@@ -302,7 +311,9 @@ - sBanner, sUseDNS, sHostbasedAuthentication, - sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, -- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, -+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, -+ sGssKeyEx, sGssStoreRekey, -+ sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, -@@ -364,9 +375,15 @@ - #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, - { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, -+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, -+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, -+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, - #else - { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, - { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, -+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, -+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, -+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, - #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -891,10 +908,22 @@ - intptr = &options->gss_authentication; - goto parse_flag; - -+ case sGssKeyEx: -+ intptr = &options->gss_keyex; -+ goto parse_flag; -+ - case sGssCleanupCreds: - intptr = &options->gss_cleanup_creds; - goto parse_flag; - -+ case sGssStrictAcceptor: -+ intptr = &options->gss_strict_acceptor; -+ goto parse_flag; -+ -+ case sGssStoreRekey: -+ intptr = &options->gss_store_rekey; -+ goto parse_flag; -+ - case sPasswordAuthentication: - intptr = &options->password_authentication; - goto parse_flag; -Index: openssh-5.3p1/servconf.h -=================================================================== ---- openssh-5.3p1.orig/servconf.h 2009-01-28 05:31:23.000000000 +0000 -+++ openssh-5.3p1/servconf.h 2010-01-24 10:36:10.000000000 +0000 -@@ -91,7 +91,10 @@ - int kerberos_get_afs_token; /* If true, try to get AFS token if - * authenticated with Kerberos. */ - int gss_authentication; /* If true, permit GSSAPI authentication */ -+ int gss_keyex; /* If true, permit GSSAPI key exchange */ - int gss_cleanup_creds; /* If true, destroy cred cache on logout */ -+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ -+ int gss_store_rekey; - int password_authentication; /* If true, permit password - * authentication. */ - int kbd_interactive_authentication; /* If true, permit */ -Index: openssh-5.3p1/sshd_config -=================================================================== ---- openssh-5.3p1.orig/sshd_config 2008-07-02 13:35:43.000000000 +0100 -+++ openssh-5.3p1/sshd_config 2010-01-24 10:30:18.000000000 +0000 -@@ -73,6 +73,8 @@ - # GSSAPI options - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes -+#GSSAPIStrictAcceptorCheck yes -+#GSSAPIKeyExchange no - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -Index: openssh-5.3p1/sshd_config.5 -=================================================================== ---- openssh-5.3p1.orig/sshd_config.5 2009-08-28 01:27:08.000000000 +0100 -+++ openssh-5.3p1/sshd_config.5 2010-01-24 10:36:10.000000000 +0000 -@@ -379,12 +379,40 @@ - The default is - .Dq no . - Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIKeyExchange -+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange -+doesn't rely on ssh keys to verify host identity. -+The default is -+.Dq no . -+Note that this option applies to protocol version 2 only. - .It Cm GSSAPICleanupCredentials - Specifies whether to automatically destroy the user's credentials cache - on logout. - The default is - .Dq yes . - Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIStrictAcceptorCheck -+Determines whether to be strict about the identity of the GSSAPI acceptor -+a client authenticates against. If -+.Dq yes -+then the client must authenticate against the -+.Pa host -+service on the current hostname. If -+.Dq no -+then the client may authenticate against any service key stored in the -+machine's default store. This facility is provided to assist with operation -+on multi homed machines. -+The default is -+.Dq yes . -+Note that this option applies only to protocol version 2 GSSAPI connections, -+and setting it to -+.Dq no -+may only work with recent Kerberos GSSAPI libraries. -+.It Cm GSSAPIStoreCredentialsOnRekey -+Controls whether the user's GSSAPI credentials should be updated following a -+successful connection rekeying. This option can be used to accepted renewed -+or updated credentials from a compatible client. The default is -+.Dq no . - .It Cm HostbasedAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication together - with successful public key client host authentication is allowed -Index: openssh-5.3p1/readconf.c -=================================================================== ---- openssh-5.3p1.orig/readconf.c 2010-01-24 10:28:05.000000000 +0000 -+++ openssh-5.3p1/readconf.c 2010-01-24 10:36:10.000000000 +0000 -@@ -127,6 +127,7 @@ - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, - oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, -@@ -164,10 +165,18 @@ - { "afstokenpassing", oUnsupported }, - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, -+ { "gssapikeyexchange", oGssKeyEx }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, -+ { "gssapiclientidentity", oGssClientIdentity }, -+ { "gssapirenewalforcesrekey", oGssRenewalRekey }, - #else - { "gssapiauthentication", oUnsupported }, -+ { "gssapikeyexchange", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, -+ { "gssapiclientidentity", oUnsupported }, -+ { "gssapirenewalforcesrekey", oUnsupported }, - #endif - { "fallbacktorsh", oDeprecated }, - { "usersh", oDeprecated }, -@@ -454,10 +463,26 @@ - intptr = &options->gss_authentication; - goto parse_flag; - -+ case oGssKeyEx: -+ intptr = &options->gss_keyex; -+ goto parse_flag; -+ - case oGssDelegateCreds: - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ -+ case oGssClientIdentity: -+ charptr = &options->gss_client_identity; -+ goto parse_string; -+ -+ case oGssRenewalRekey: -+ intptr = &options->gss_renewal_rekey; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1013,7 +1038,11 @@ - options->pubkey_authentication = -1; - options->challenge_response_authentication = -1; - options->gss_authentication = -1; -+ options->gss_keyex = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; -+ options->gss_renewal_rekey = -1; -+ options->gss_client_identity = NULL; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1105,8 +1134,14 @@ - options->challenge_response_authentication = 1; - if (options->gss_authentication == -1) - options->gss_authentication = 0; -+ if (options->gss_keyex == -1) -+ options->gss_keyex = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; -+ if (options->gss_renewal_rekey == -1) -+ options->gss_renewal_rekey = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -Index: openssh-5.3p1/readconf.h -=================================================================== ---- openssh-5.3p1.orig/readconf.h 2010-01-24 10:28:05.000000000 +0000 -+++ openssh-5.3p1/readconf.h 2010-01-24 10:36:10.000000000 +0000 -@@ -44,7 +44,11 @@ - int challenge_response_authentication; - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ -+ int gss_keyex; /* Try GSS key exchange */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ -+ int gss_renewal_rekey; /* Credential renewal forces rekey */ -+ char *gss_client_identity; /* Principal to initiate GSSAPI with */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -Index: openssh-5.3p1/ssh_config.5 -=================================================================== ---- openssh-5.3p1.orig/ssh_config.5 2010-01-24 10:28:05.000000000 +0000 -+++ openssh-5.3p1/ssh_config.5 2010-01-24 10:36:10.000000000 +0000 -@@ -478,11 +478,38 @@ - The default is - .Dq no . - Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIKeyExchange -+Specifies whether key exchange based on GSSAPI may be used. When using -+GSSAPI key exchange the server need not have a host key. -+The default is -+.Dq no . -+Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIClientIdentity -+If set, specifies the GSSAPI client identity that ssh should use when -+connecting to the server. The default is unset, which means that the default -+identity will be used. - .It Cm GSSAPIDelegateCredentials - Forward (delegate) credentials to the server. - The default is - .Dq no . --Note that this option applies to protocol version 2 only. -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPIRenewalForcesRekey -+If set to -+.Dq yes -+then renewal of the client's GSSAPI credentials will force the rekeying of the -+ssh connection. With a compatible server, this can delegate the renewed -+credentials to a session on the server. -+The default is -+.Dq no . -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 -Index: openssh-5.3p1/sshconnect2.c -=================================================================== ---- openssh-5.3p1.orig/sshconnect2.c 2010-01-24 10:28:05.000000000 +0000 -+++ openssh-5.3p1/sshconnect2.c 2010-01-24 10:35:28.000000000 +0000 -@@ -105,9 +105,34 @@ - { - Kex *kex; - -+#ifdef GSSAPI -+ char *orig = NULL, *gss = NULL; -+ char *gss_host = NULL; -+#endif -+ - xxx_host = host; - xxx_hostaddr = hostaddr; - -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ /* Add the GSSAPI mechanisms currently supported on this -+ * client to the key exchange algorithm proposal */ -+ orig = myproposal[PROPOSAL_KEX_ALGS]; -+ -+ if (options.gss_trust_dns) -+ gss_host = (char *)get_canonical_hostname(1); -+ else -+ gss_host = host; -+ -+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); -+ if (gss) { -+ debug("Offering GSSAPI proposal: %s", gss); -+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], -+ "%s,%s", gss, orig); -+ } -+ } -+#endif -+ - if (options.ciphers == (char *)-1) { - logit("No valid ciphers for protocol version 2 given, using defaults."); - options.ciphers = NULL; -@@ -135,6 +160,17 @@ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - options.hostkeyalgorithms; - -+#ifdef GSSAPI -+ /* If we've got GSSAPI algorithms, then we also support the -+ * 'null' hostkey, as a last resort */ -+ if (options.gss_keyex && gss) { -+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; -+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], -+ "%s,null", orig); -+ xfree(gss); -+ } -+#endif -+ - if (options.rekey_limit) - packet_set_rekey_limit((u_int32_t)options.rekey_limit); - -@@ -144,10 +180,26 @@ - kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; - kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; - kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; -+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; -+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; -+ } -+#endif - kex->client_version_string=client_version_string; - kex->server_version_string=server_version_string; - kex->verify_host_key=&verify_host_key_callback; - -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ kex->gss_deleg_creds = options.gss_deleg_creds; -+ kex->gss_trust_dns = options.gss_trust_dns; -+ kex->gss_client = options.gss_client_identity; -+ kex->gss_host = gss_host; -+ } -+#endif -+ - xxx_kex = kex; - - dispatch_run(DISPATCH_BLOCK, &kex->done, kex); -@@ -236,6 +288,7 @@ - void input_gssapi_hash(int type, u_int32_t, void *); - void input_gssapi_error(int, u_int32_t, void *); - void input_gssapi_errtok(int, u_int32_t, void *); -+int userauth_gsskeyex(Authctxt *authctxt); - #endif - - void userauth(Authctxt *, char *); -@@ -251,6 +304,11 @@ - - Authmethod authmethods[] = { - #ifdef GSSAPI -+ {"gssapi-keyex", -+ userauth_gsskeyex, -+ NULL, -+ &options.gss_authentication, -+ NULL}, - {"gssapi-with-mic", - userauth_gssapi, - NULL, -@@ -542,19 +600,29 @@ - static u_int mech = 0; - OM_uint32 min; - int ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) -+ gss_host = get_canonical_hostname(1); -+ else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ - - if (gss_supported == NULL) -- gss_indicate_mechs(&min, &gss_supported); -+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) { -+ gss_supported = NULL; -+ return 0; -+ } - - /* Check to see if the mechanism is usable before we offer it */ - while (mech < gss_supported->count && !ok) { - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host, -+ options.gss_client_identity)) { - ok = 1; /* Mechanism works */ - } else { - mech++; -@@ -651,8 +719,8 @@ - { - Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; -- int oidlen; -- char *oidv; -+ u_int oidlen; -+ u_char *oidv; - - if (authctxt == NULL) - fatal("input_gssapi_response: no authentication context"); -@@ -762,6 +830,48 @@ - xfree(msg); - xfree(lang); - } -+ -+int -+userauth_gsskeyex(Authctxt *authctxt) -+{ -+ Buffer b; -+ gss_buffer_desc gssbuf; -+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; -+ OM_uint32 ms; -+ -+ static int attempt = 0; -+ if (attempt++ >= 1) -+ return (0); -+ -+ if (gss_kex_context == NULL) { -+ debug("No valid Key exchange context"); -+ return (0); -+ } -+ -+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service, -+ "gssapi-keyex"); -+ -+ gssbuf.value = buffer_ptr(&b); -+ gssbuf.length = buffer_len(&b); -+ -+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { -+ buffer_free(&b); -+ return (0); -+ } -+ -+ packet_start(SSH2_MSG_USERAUTH_REQUEST); -+ packet_put_cstring(authctxt->server_user); -+ packet_put_cstring(authctxt->service); -+ packet_put_cstring(authctxt->method->name); -+ packet_put_string(mic.value, mic.length); -+ packet_send(); -+ -+ buffer_free(&b); -+ gss_release_buffer(&ms, &mic); -+ -+ return (1); -+} -+ - #endif /* GSSAPI */ - - int -Index: openssh-5.3p1/auth.h -=================================================================== ---- openssh-5.3p1.orig/auth.h 2008-11-05 05:20:46.000000000 +0000 -+++ openssh-5.3p1/auth.h 2010-01-24 10:28:35.000000000 +0000 -@@ -53,6 +53,7 @@ - int valid; /* user exists and is allowed to login */ - int attempt; - int failures; -+ int server_caused_failure; - int force_pwchange; - char *user; /* username sent by the client */ - char *service; -Index: openssh-5.3p1/auth2-gss.c -=================================================================== ---- openssh-5.3p1.orig/auth2-gss.c 2007-12-02 11:59:45.000000000 +0000 -+++ openssh-5.3p1/auth2-gss.c 2010-01-24 10:36:10.000000000 +0000 -@@ -1,7 +1,7 @@ - /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ - - /* -- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -52,6 +52,40 @@ - static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); - static void input_gssapi_errtok(int, u_int32_t, void *); - -+/* -+ * The 'gssapi_keyex' userauth mechanism. -+ */ -+static int -+userauth_gsskeyex(Authctxt *authctxt) -+{ -+ int authenticated = 0; -+ Buffer b; -+ gss_buffer_desc mic, gssbuf; -+ u_int len; -+ -+ mic.value = packet_get_string(&len); -+ mic.length = len; -+ -+ packet_check_eom(); -+ -+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, -+ "gssapi-keyex"); -+ -+ gssbuf.value = buffer_ptr(&b); -+ gssbuf.length = buffer_len(&b); -+ -+ /* gss_kex_context is NULL with privsep, so we can't check it here */ -+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, -+ &gssbuf, &mic)))) -+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, -+ authctxt->pw)); -+ -+ buffer_free(&b); -+ xfree(mic.value); -+ -+ return (authenticated); -+} -+ - /* - * We only support those mechanisms that we know about (ie ones that we know - * how to check local user kuserok and the like) -@@ -102,6 +136,7 @@ - - if (!present) { - xfree(doid); -+ authctxt->server_caused_failure = 1; - return (0); - } - -@@ -109,6 +144,7 @@ - if (ctxt != NULL) - ssh_gssapi_delete_ctx(&ctxt); - xfree(doid); -+ authctxt->server_caused_failure = 1; - return (0); - } - -@@ -242,7 +278,8 @@ - - packet_check_eom(); - -- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); -+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, -+ authctxt->pw)); - - authctxt->postponed = 0; - dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); -@@ -277,7 +314,8 @@ - gssbuf.length = buffer_len(&b); - - if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) -- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); -+ authenticated = -+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)); - else - logit("GSSAPI MIC check failed"); - -@@ -292,6 +330,12 @@ - userauth_finish(authctxt, authenticated, "gssapi-with-mic"); - } - -+Authmethod method_gsskeyex = { -+ "gssapi-keyex", -+ userauth_gsskeyex, -+ &options.gss_authentication -+}; -+ - Authmethod method_gssapi = { - "gssapi-with-mic", - userauth_gssapi, -Index: openssh-5.3p1/auth2.c -=================================================================== ---- openssh-5.3p1.orig/auth2.c 2009-06-22 07:11:07.000000000 +0100 -+++ openssh-5.3p1/auth2.c 2010-01-24 10:30:18.000000000 +0000 -@@ -69,6 +69,7 @@ - extern Authmethod method_kbdint; - extern Authmethod method_hostbased; - #ifdef GSSAPI -+extern Authmethod method_gsskeyex; - extern Authmethod method_gssapi; - #endif - #ifdef JPAKE -@@ -79,6 +80,7 @@ - &method_none, - &method_pubkey, - #ifdef GSSAPI -+ &method_gsskeyex, - &method_gssapi, - #endif - #ifdef JPAKE -@@ -274,6 +276,7 @@ - #endif - - authctxt->postponed = 0; -+ authctxt->server_caused_failure = 0; - - /* try to authenticate user */ - m = authmethod_lookup(method); -@@ -346,7 +349,8 @@ - } else { - - /* Allow initial try of "none" auth without failure penalty */ -- if (authctxt->attempt > 1 || strcmp(method, "none") != 0) -+ if (!authctxt->server_caused_failure && -+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) - authctxt->failures++; - if (authctxt->failures >= options.max_authtries) { - #ifdef SSH_AUDIT_EVENTS -Index: openssh-5.3p1/auth-krb5.c -=================================================================== ---- openssh-5.3p1.orig/auth-krb5.c 2006-08-05 03:39:39.000000000 +0100 -+++ openssh-5.3p1/auth-krb5.c 2010-01-24 10:29:25.000000000 +0000 -@@ -166,8 +166,13 @@ - - len = strlen(authctxt->krb5_ticket_file) + 6; - authctxt->krb5_ccname = xmalloc(len); -+#ifdef USE_CCAPI -+ snprintf(authctxt->krb5_ccname, len, "API:%s", -+ authctxt->krb5_ticket_file); -+#else - snprintf(authctxt->krb5_ccname, len, "FILE:%s", - authctxt->krb5_ticket_file); -+#endif - - #ifdef USE_PAM - if (options.use_pam) -@@ -219,15 +224,22 @@ - #ifndef HEIMDAL - krb5_error_code - ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { -- int tmpfd, ret; -+ int ret; - char ccname[40]; - mode_t old_umask; -+#ifdef USE_CCAPI -+ char cctemplate[] = "API:krb5cc_%d"; -+#else -+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX"; -+ int tmpfd; -+#endif - - ret = snprintf(ccname, sizeof(ccname), -- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); -+ cctemplate, geteuid()); - if (ret < 0 || (size_t)ret >= sizeof(ccname)) - return ENOMEM; - -+#ifndef USE_CCAPI - old_umask = umask(0177); - tmpfd = mkstemp(ccname + strlen("FILE:")); - umask(old_umask); -@@ -242,6 +254,7 @@ - return errno; - } - close(tmpfd); -+#endif - - return (krb5_cc_resolve(ctx, ccname, ccache)); - } -Index: openssh-5.3p1/gss-serv-krb5.c -=================================================================== ---- openssh-5.3p1.orig/gss-serv-krb5.c 2006-09-01 06:38:36.000000000 +0100 -+++ openssh-5.3p1/gss-serv-krb5.c 2010-01-24 10:36:10.000000000 +0000 -@@ -1,7 +1,7 @@ - /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ - - /* -- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -120,6 +120,7 @@ - krb5_principal princ; - OM_uint32 maj_status, min_status; - int len; -+ const char *new_ccname; - - if (client->creds == NULL) { - debug("No credentials stored"); -@@ -168,11 +169,16 @@ - return; - } - -- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); -+ new_ccname = krb5_cc_get_name(krb_context, ccache); -+ - client->store.envvar = "KRB5CCNAME"; -- len = strlen(client->store.filename) + 6; -- client->store.envval = xmalloc(len); -- snprintf(client->store.envval, len, "FILE:%s", client->store.filename); -+#ifdef USE_CCAPI -+ xasprintf(&client->store.envval, "API:%s", new_ccname); -+ client->store.filename = NULL; -+#else -+ xasprintf(&client->store.envval, "FILE:%s", new_ccname); -+ client->store.filename = xstrdup(new_ccname); -+#endif - - #ifdef USE_PAM - if (options.use_pam) -@@ -184,6 +190,71 @@ - return; - } - -+int -+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, -+ ssh_gssapi_client *client) -+{ -+ krb5_ccache ccache = NULL; -+ krb5_principal principal = NULL; -+ char *name = NULL; -+ krb5_error_code problem; -+ OM_uint32 maj_status, min_status; -+ -+ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { -+ logit("krb5_cc_resolve(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ return 0; -+ } -+ -+ /* Find out who the principal in this cache is */ -+ if ((problem = krb5_cc_get_principal(krb_context, ccache, -+ &principal))) { -+ logit("krb5_cc_get_principal(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ if ((problem = krb5_unparse_name(krb_context, principal, &name))) { -+ logit("krb5_unparse_name(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ -+ if (strcmp(name,client->exportedname.value)!=0) { -+ debug("Name in local credentials cache differs. Not storing"); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ krb5_free_unparsed_name(krb_context, name); -+ return 0; -+ } -+ krb5_free_unparsed_name(krb_context, name); -+ -+ /* Name matches, so lets get on with it! */ -+ -+ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { -+ logit("krb5_cc_initialize(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ krb5_free_principal(krb_context, principal); -+ -+ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, -+ ccache))) { -+ logit("gss_krb5_copy_ccache() failed. Sorry!"); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ return 1; -+} -+ - ssh_gssapi_mech gssapi_kerberos_mech = { - "toWM5Slw5Ew8Mqkay+al2g==", - "Kerberos", -@@ -191,7 +262,8 @@ - NULL, - &ssh_gssapi_krb5_userok, - NULL, -- &ssh_gssapi_krb5_storecreds -+ &ssh_gssapi_krb5_storecreds, -+ &ssh_gssapi_krb5_updatecreds - }; - - #endif /* KRB5 */ -Index: openssh-5.3p1/sshd.c -=================================================================== ---- openssh-5.3p1.orig/sshd.c 2009-06-21 11:26:17.000000000 +0100 -+++ openssh-5.3p1/sshd.c 2010-01-24 10:30:18.000000000 +0000 -@@ -120,6 +120,10 @@ - #include "roaming.h" - #include "version.h" - -+#ifdef USE_SECURITY_SESSION_API -+#include <Security/AuthSession.h> -+#endif -+ - #ifdef LIBWRAP - #include <tcpd.h> - #include <syslog.h> -@@ -1531,10 +1535,13 @@ - logit("Disabling protocol version 1. Could not load host key"); - options.protocol &= ~SSH_PROTO_1; - } -+#ifndef GSSAPI -+ /* The GSSAPI key exchange can run without a host key */ - if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { - logit("Disabling protocol version 2. Could not load host key"); - options.protocol &= ~SSH_PROTO_2; - } -+#endif - if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { - logit("sshd: no hostkeys available -- exiting."); - exit(1); -@@ -1818,6 +1825,60 @@ - /* Log the connection. */ - verbose("Connection from %.500s port %d", remote_ip, remote_port); - -+#ifdef USE_SECURITY_SESSION_API -+ /* -+ * Create a new security session for use by the new user login if -+ * the current session is the root session or we are not launched -+ * by inetd (eg: debugging mode or server mode). We do not -+ * necessarily need to create a session if we are launched from -+ * inetd because Panther xinetd will create a session for us. -+ * -+ * The only case where this logic will fail is if there is an -+ * inetd running in a non-root session which is not creating -+ * new sessions for us. Then all the users will end up in the -+ * same session (bad). -+ * -+ * When the client exits, the session will be destroyed for us -+ * automatically. -+ * -+ * We must create the session before any credentials are stored -+ * (including AFS pags, which happens a few lines below). -+ */ -+ { -+ OSStatus err = 0; -+ SecuritySessionId sid = 0; -+ SessionAttributeBits sattrs = 0; -+ -+ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs); -+ if (err) -+ error("SessionGetInfo() failed with error %.8X", -+ (unsigned) err); -+ else -+ debug("Current Session ID is %.8X / Session Attributes are %.8X", -+ (unsigned) sid, (unsigned) sattrs); -+ -+ if (inetd_flag && !(sattrs & sessionIsRoot)) -+ debug("Running in inetd mode in a non-root session... " -+ "assuming inetd created the session for us."); -+ else { -+ debug("Creating new security session..."); -+ err = SessionCreate(0, sessionHasTTY | sessionIsRemote); -+ if (err) -+ error("SessionCreate() failed with error %.8X", -+ (unsigned) err); -+ -+ err = SessionGetInfo(callerSecuritySession, &sid, -+ &sattrs); -+ if (err) -+ error("SessionGetInfo() failed with error %.8X", -+ (unsigned) err); -+ else -+ debug("New Session ID is %.8X / Session Attributes are %.8X", -+ (unsigned) sid, (unsigned) sattrs); -+ } -+ } -+#endif -+ - /* - * We don't want to listen forever unless the other side - * successfully authenticates itself. So we set up an alarm which is -@@ -2195,12 +2256,61 @@ - - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); - -+#ifdef GSSAPI -+ { -+ char *orig; -+ char *gss = NULL; -+ char *newstr = NULL; -+ orig = myproposal[PROPOSAL_KEX_ALGS]; -+ -+ /* -+ * If we don't have a host key, then there's no point advertising -+ * the other key exchange algorithms -+ */ -+ -+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) -+ orig = NULL; -+ -+ if (options.gss_keyex) -+ gss = ssh_gssapi_server_mechanisms(); -+ else -+ gss = NULL; -+ -+ if (gss && orig) -+ xasprintf(&newstr, "%s,%s", gss, orig); -+ else if (gss) -+ newstr = gss; -+ else if (orig) -+ newstr = orig; -+ -+ /* -+ * If we've got GSSAPI mechanisms, then we've got the 'null' host -+ * key alg, but we can't tell people about it unless its the only -+ * host key algorithm we support -+ */ -+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0) -+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null"; -+ -+ if (newstr) -+ myproposal[PROPOSAL_KEX_ALGS] = newstr; -+ else -+ fatal("No supported key exchange algorithms"); -+ } -+#endif -+ - /* start key exchange */ - kex = kex_setup(myproposal); - kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; - kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; - kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; - kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; -+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; -+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; -+ } -+#endif - kex->server = 1; - kex->client_version_string=client_version_string; - kex->server_version_string=server_version_string; -Index: openssh-5.3p1/configure.ac -=================================================================== ---- openssh-5.3p1.orig/configure.ac 2009-09-11 05:56:08.000000000 +0100 -+++ openssh-5.3p1/configure.ac 2010-01-24 10:29:25.000000000 +0000 -@@ -477,6 +477,30 @@ - [Use tunnel device compatibility to OpenBSD]) - AC_DEFINE(SSH_TUN_PREPEND_AF, 1, - [Prepend the address family to IP tunnel traffic]) -+ AC_MSG_CHECKING(if we have the Security Authorization Session API) -+ AC_TRY_COMPILE([#include <Security/AuthSession.h>], -+ [SessionCreate(0, 0);], -+ [ac_cv_use_security_session_api="yes" -+ AC_DEFINE(USE_SECURITY_SESSION_API, 1, -+ [platform has the Security Authorization Session API]) -+ LIBS="$LIBS -framework Security" -+ AC_MSG_RESULT(yes)], -+ [ac_cv_use_security_session_api="no" -+ AC_MSG_RESULT(no)]) -+ AC_MSG_CHECKING(if we have an in-memory credentials cache) -+ AC_TRY_COMPILE( -+ [#include <Kerberos/Kerberos.h>], -+ [cc_context_t c; -+ (void) cc_initialize (&c, 0, NULL, NULL);], -+ [AC_DEFINE(USE_CCAPI, 1, -+ [platform uses an in-memory credentials cache]) -+ LIBS="$LIBS -framework Security" -+ AC_MSG_RESULT(yes) -+ if test "x$ac_cv_use_security_session_api" = "xno"; then -+ AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***) -+ fi], -+ [AC_MSG_RESULT(no)] -+ ) - m4_pattern_allow(AU_IPv) - AC_CHECK_DECL(AU_IPv4, [], - AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) -Index: openssh-5.3p1/ChangeLog.gssapi -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-5.3p1/ChangeLog.gssapi 2010-01-24 10:38:43.000000000 +0000 -@@ -0,0 +1,103 @@ -+20100124 -+ - [ sshconnect2.c ] -+ Adapt to deal with additional element in Authmethod structure. Thanks to -+ Colin Watson -+ - [ clientloop.c ] -+ Protect credentials updated code with suitable #ifdefs. Thanks to Colin -+ Watson -+ -+20090615 -+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c -+ sshd.c ] -+ Fix issues identified by Greg Hudson following a code review -+ Check return value of gss_indicate_mechs -+ Protect GSSAPI calls in monitor, so they can only be used if enabled -+ Check return values of bignum functions in key exchange -+ Use BN_clear_free to clear other side's DH value -+ Make ssh_gssapi_id_kex more robust -+ Only configure kex table pointers if GSSAPI is enabled -+ Don't leak mechanism list, or gss mechanism list -+ Cast data.length before printing -+ If serverkey isn't provided, use an empty string, rather than NULL -+ -+20090201 -+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h -+ ssh_config.5 sshconnet2.c ] -+ Add support for the GSSAPIClientIdentity option, which allows the user -+ to specify which GSSAPI identity to use to contact a given server -+ -+20080404 -+ - [ gss-serv.c ] -+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow -+ been omitted from a previous version of this patch. Reported by Borislav -+ Stoichkov -+ -+20070317 -+ - [ gss-serv-krb5.c ] -+ Remove C99ism, where new_ccname was being declared in the middle of a -+ function -+ -+20061220 -+ - [ servconf.c ] -+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and -+ documented, behaviour. Reported by Dan Watson. -+ -+20060910 -+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c -+ ssh-gss.h ] -+ add support for gss-group14-sha1 key exchange mechanisms -+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ] -+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of -+ acceptor principal checking on multi-homed machines. -+ <Bugzilla #928> -+ - [ sshd_config ssh_config ] -+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample -+ configuration files -+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ] -+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf() -+ Limit length of error messages displayed by client -+ -+20060909 -+ - [ gss-genr.c gss-serv.c ] -+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server -+ only, where they belong -+ <Bugzilla #1225> -+ -+20060829 -+ - [ gss-serv-krb5.c ] -+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment -+ variable -+ -+20060828 -+ - [ gss-genr.c ] -+ Avoid Heimdal context freeing problem -+ <Fixed upstream 20060829> -+ -+20060818 -+ - [ gss-genr.c ssh-gss.h sshconnect2.c ] -+ Make sure that SPENGO is disabled -+ <Bugzilla #1218 - Fixed upstream 20060818> -+ -+20060421 -+ - [ gssgenr.c, sshconnect2.c ] -+ a few type changes (signed versus unsigned, int versus size_t) to -+ fix compiler errors/warnings -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ kexgssc.c, sshconnect2.c ] -+ fix uninitialized variable warnings -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ gssgenr.c ] -+ pass oid to gss_display_status (helpful when using GSSAPI mechglue) -+ (from jbasney AT ncsa.uiuc.edu) -+ <Bugzilla #1220 > -+ - [ gss-serv-krb5.c ] -+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H -+ (from jbasney AT ncsa.uiuc.edu) -+ <Fixed upstream 20060304> -+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c -+ add client-side GssapiKeyExchange option -+ (from jbasney AT ncsa.uiuc.edu) -+ - [ sshconnect2.c ] -+ add support for GssapiTrustDns option for gssapi-with-mic -+ (from jbasney AT ncsa.uiuc.edu) -+ <gssapi-with-mic support is Bugzilla #1008> -Index: openssh-5.3p1/Makefile.in -=================================================================== ---- openssh-5.3p1.orig/Makefile.in 2009-08-28 01:47:38.000000000 +0100 -+++ openssh-5.3p1/Makefile.in 2010-01-24 10:30:18.000000000 +0000 -@@ -71,7 +71,8 @@ - atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ - monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ - kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ -- entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o -+ entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o \ -+ kexgssc.o - - SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -@@ -85,7 +86,7 @@ - auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ - auth-krb5.o \ -- auth2-gss.o gss-serv.o gss-serv-krb5.o \ -+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ - roaming_common.o -Index: openssh-5.3p1/gss-genr.c -=================================================================== ---- openssh-5.3p1.orig/gss-genr.c 2009-06-22 07:11:07.000000000 +0100 -+++ openssh-5.3p1/gss-genr.c 2010-01-24 10:36:10.000000000 +0000 -@@ -1,7 +1,7 @@ - /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ - - /* -- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -39,12 +39,167 @@ - #include "buffer.h" - #include "log.h" - #include "ssh2.h" -+#include "cipher.h" -+#include "key.h" -+#include "kex.h" -+#include <openssl/evp.h> - - #include "ssh-gss.h" - - extern u_char *session_id2; - extern u_int session_id2_len; - -+typedef struct { -+ char *encoded; -+ gss_OID oid; -+} ssh_gss_kex_mapping; -+ -+/* -+ * XXX - It would be nice to find a more elegant way of handling the -+ * XXX passing of the key exchange context to the userauth routines -+ */ -+ -+Gssctxt *gss_kex_context = NULL; -+ -+static ssh_gss_kex_mapping *gss_enc2oid = NULL; -+ -+int -+ssh_gssapi_oid_table_ok() { -+ return (gss_enc2oid != NULL); -+} -+ -+/* -+ * Return a list of the gss-group1-sha1 mechanisms supported by this program -+ * -+ * We test mechanisms to ensure that we can use them, to avoid starting -+ * a key exchange with a bad mechanism -+ */ -+ -+char * -+ssh_gssapi_client_mechanisms(const char *host, const char *client) { -+ gss_OID_set gss_supported; -+ OM_uint32 min_status; -+ -+ if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported))) -+ return NULL; -+ -+ return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism, -+ host, client)); -+} -+ -+char * -+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check, -+ const char *host, const char *client) { -+ Buffer buf; -+ size_t i; -+ int oidpos, enclen; -+ char *mechs, *encoded; -+ u_char digest[EVP_MAX_MD_SIZE]; -+ char deroid[2]; -+ const EVP_MD *evp_md = EVP_md5(); -+ EVP_MD_CTX md; -+ -+ if (gss_enc2oid != NULL) { -+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++) -+ xfree(gss_enc2oid[i].encoded); -+ xfree(gss_enc2oid); -+ } -+ -+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * -+ (gss_supported->count + 1)); -+ -+ buffer_init(&buf); -+ -+ oidpos = 0; -+ for (i = 0; i < gss_supported->count; i++) { -+ if (gss_supported->elements[i].length < 128 && -+ (*check)(NULL, &(gss_supported->elements[i]), host, client)) { -+ -+ deroid[0] = SSH_GSS_OIDTYPE; -+ deroid[1] = gss_supported->elements[i].length; -+ -+ EVP_DigestInit(&md, evp_md); -+ EVP_DigestUpdate(&md, deroid, 2); -+ EVP_DigestUpdate(&md, -+ gss_supported->elements[i].elements, -+ gss_supported->elements[i].length); -+ EVP_DigestFinal(&md, digest, NULL); -+ -+ encoded = xmalloc(EVP_MD_size(evp_md) * 2); -+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md), -+ encoded, EVP_MD_size(evp_md) * 2); -+ -+ if (oidpos != 0) -+ buffer_put_char(&buf, ','); -+ -+ buffer_append(&buf, KEX_GSS_GEX_SHA1_ID, -+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1); -+ buffer_append(&buf, encoded, enclen); -+ buffer_put_char(&buf, ','); -+ buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, -+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1); -+ buffer_append(&buf, encoded, enclen); -+ buffer_put_char(&buf, ','); -+ buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID, -+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1); -+ buffer_append(&buf, encoded, enclen); -+ -+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); -+ gss_enc2oid[oidpos].encoded = encoded; -+ oidpos++; -+ } -+ } -+ gss_enc2oid[oidpos].oid = NULL; -+ gss_enc2oid[oidpos].encoded = NULL; -+ -+ buffer_put_char(&buf, '\0'); -+ -+ mechs = xmalloc(buffer_len(&buf)); -+ buffer_get(&buf, mechs, buffer_len(&buf)); -+ buffer_free(&buf); -+ -+ if (strlen(mechs) == 0) { -+ xfree(mechs); -+ mechs = NULL; -+ } -+ -+ return (mechs); -+} -+ -+gss_OID -+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) { -+ int i = 0; -+ -+ switch (kex_type) { -+ case KEX_GSS_GRP1_SHA1: -+ if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID)) -+ return GSS_C_NO_OID; -+ name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1; -+ break; -+ case KEX_GSS_GRP14_SHA1: -+ if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID)) -+ return GSS_C_NO_OID; -+ name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1; -+ break; -+ case KEX_GSS_GEX_SHA1: -+ if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID)) -+ return GSS_C_NO_OID; -+ name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1; -+ break; -+ default: -+ return GSS_C_NO_OID; -+ } -+ -+ while (gss_enc2oid[i].encoded != NULL && -+ strcmp(name, gss_enc2oid[i].encoded) != 0) -+ i++; -+ -+ if (gss_enc2oid[i].oid != NULL && ctx != NULL) -+ ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid); -+ -+ return gss_enc2oid[i].oid; -+} -+ - /* Check that the OID in a data stream matches that in the context */ - int - ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) -@@ -197,7 +352,7 @@ - } - - ctx->major = gss_init_sec_context(&ctx->minor, -- GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid, -+ ctx->client_creds, &ctx->context, ctx->name, ctx->oid, - GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, - 0, NULL, recv_tok, NULL, send_tok, flags, NULL); - -@@ -227,8 +382,42 @@ - } - - OM_uint32 -+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) -+{ -+ gss_buffer_desc gssbuf; -+ gss_name_t gssname; -+ OM_uint32 status; -+ gss_OID_set oidset; -+ -+ gssbuf.value = (void *) name; -+ gssbuf.length = strlen(gssbuf.value); -+ -+ gss_create_empty_oid_set(&status, &oidset); -+ gss_add_oid_set_member(&status, ctx->oid, &oidset); -+ -+ ctx->major = gss_import_name(&ctx->minor, &gssbuf, -+ GSS_C_NT_USER_NAME, &gssname); -+ -+ if (!ctx->major) -+ ctx->major = gss_acquire_cred(&ctx->minor, -+ gssname, 0, oidset, GSS_C_INITIATE, -+ &ctx->client_creds, NULL, NULL); -+ -+ gss_release_name(&status, &gssname); -+ gss_release_oid_set(&status, &oidset); -+ -+ if (ctx->major) -+ ssh_gssapi_error(ctx); -+ -+ return(ctx->major); -+} -+ -+OM_uint32 - ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) - { -+ if (ctx == NULL) -+ return -1; -+ - if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, - GSS_C_QOP_DEFAULT, buffer, hash))) - ssh_gssapi_error(ctx); -@@ -236,6 +425,19 @@ - return (ctx->major); - } - -+/* Priviledged when used by server */ -+OM_uint32 -+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) -+{ -+ if (ctx == NULL) -+ return -1; -+ -+ ctx->major = gss_verify_mic(&ctx->minor, ctx->context, -+ gssbuf, gssmic, NULL); -+ -+ return (ctx->major); -+} -+ - void - ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, - const char *context) -@@ -249,11 +451,16 @@ - } - - int --ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) -+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, -+ const char *client) - { - gss_buffer_desc token = GSS_C_EMPTY_BUFFER; - OM_uint32 major, minor; - gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; -+ Gssctxt *intctx = NULL; -+ -+ if (ctx == NULL) -+ ctx = &intctx; - - /* RFC 4462 says we MUST NOT do SPNEGO */ - if (oid->length == spnego_oid.length && -@@ -263,6 +470,10 @@ - ssh_gssapi_build_ctx(ctx); - ssh_gssapi_set_oid(*ctx, oid); - major = ssh_gssapi_import_name(*ctx, host); -+ -+ if (!GSS_ERROR(major) && client) -+ major = ssh_gssapi_client_identity(*ctx, client); -+ - if (!GSS_ERROR(major)) { - major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, - NULL); -@@ -272,10 +483,67 @@ - GSS_C_NO_BUFFER); - } - -- if (GSS_ERROR(major)) -+ if (GSS_ERROR(major) || intctx != NULL) - ssh_gssapi_delete_ctx(ctx); - - return (!GSS_ERROR(major)); - } - -+int -+ssh_gssapi_credentials_updated(Gssctxt *ctxt) { -+ static gss_name_t saved_name = GSS_C_NO_NAME; -+ static OM_uint32 saved_lifetime = 0; -+ static gss_OID saved_mech = GSS_C_NO_OID; -+ static gss_name_t name; -+ static OM_uint32 last_call = 0; -+ OM_uint32 lifetime, now, major, minor; -+ int equal; -+ gss_cred_usage_t usage = GSS_C_INITIATE; -+ -+ now = time(NULL); -+ -+ if (ctxt) { -+ debug("Rekey has happened - updating saved versions"); -+ -+ if (saved_name != GSS_C_NO_NAME) -+ gss_release_name(&minor, &saved_name); -+ -+ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, -+ &saved_name, &saved_lifetime, NULL, NULL); -+ -+ if (!GSS_ERROR(major)) { -+ saved_mech = ctxt->oid; -+ saved_lifetime+= now; -+ } else { -+ /* Handle the error */ -+ } -+ return 0; -+ } -+ -+ if (now - last_call < 10) -+ return 0; -+ -+ last_call = now; -+ -+ if (saved_mech == GSS_C_NO_OID) -+ return 0; -+ -+ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, -+ &name, &lifetime, NULL, NULL); -+ if (major == GSS_S_CREDENTIALS_EXPIRED) -+ return 0; -+ else if (GSS_ERROR(major)) -+ return 0; -+ -+ major = gss_compare_name(&minor, saved_name, name, &equal); -+ gss_release_name(&minor, &name); -+ if (GSS_ERROR(major)) -+ return 0; -+ -+ if (equal && (saved_lifetime < lifetime + now - 10)) -+ return 1; -+ -+ return 0; -+} -+ - #endif /* GSSAPI */ -Index: openssh-5.3p1/kex.c -=================================================================== ---- openssh-5.3p1.orig/kex.c 2009-06-21 09:15:25.000000000 +0100 -+++ openssh-5.3p1/kex.c 2010-01-24 10:31:14.000000000 +0000 -@@ -49,6 +49,10 @@ - #include "dispatch.h" - #include "monitor.h" - -+#ifdef GSSAPI -+#include "ssh-gss.h" -+#endif -+ - #if OPENSSL_VERSION_NUMBER >= 0x00907000L - # if defined(HAVE_EVP_SHA256) - # define evp_ssh_sha256 EVP_sha256 -@@ -325,6 +329,20 @@ - k->kex_type = KEX_DH_GEX_SHA256; - k->evp_md = evp_ssh_sha256(); - #endif -+#ifdef GSSAPI -+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, -+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GEX_SHA1; -+ k->evp_md = EVP_sha1(); -+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID, -+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GRP1_SHA1; -+ k->evp_md = EVP_sha1(); -+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID, -+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GRP14_SHA1; -+ k->evp_md = EVP_sha1(); -+#endif - } else - fatal("bad kex alg %s", k->name); - } -Index: openssh-5.3p1/kex.h -=================================================================== ---- openssh-5.3p1.orig/kex.h 2009-06-21 09:15:25.000000000 +0100 -+++ openssh-5.3p1/kex.h 2010-01-24 10:35:28.000000000 +0000 -@@ -66,6 +66,9 @@ - KEX_DH_GRP14_SHA1, - KEX_DH_GEX_SHA1, - KEX_DH_GEX_SHA256, -+ KEX_GSS_GRP1_SHA1, -+ KEX_GSS_GRP14_SHA1, -+ KEX_GSS_GEX_SHA1, - KEX_MAX - }; - -@@ -121,6 +124,12 @@ - sig_atomic_t done; - int flags; - const EVP_MD *evp_md; -+#ifdef GSSAPI -+ int gss_deleg_creds; -+ int gss_trust_dns; -+ char *gss_host; -+ char *gss_client; -+#endif - char *client_version_string; - char *server_version_string; - int (*verify_host_key)(Key *); -@@ -143,6 +152,11 @@ - void kexgex_client(Kex *); - void kexgex_server(Kex *); - -+#ifdef GSSAPI -+void kexgss_client(Kex *); -+void kexgss_server(Kex *); -+#endif -+ - void - kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, - BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -Index: openssh-5.3p1/kexgssc.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-5.3p1/kexgssc.c 2010-01-24 10:36:10.000000000 +0000 -@@ -0,0 +1,334 @@ -+/* -+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "includes.h" -+ -+#ifdef GSSAPI -+ -+#include "includes.h" -+ -+#include <openssl/crypto.h> -+#include <openssl/bn.h> -+ -+#include <string.h> -+ -+#include "xmalloc.h" -+#include "buffer.h" -+#include "ssh2.h" -+#include "key.h" -+#include "cipher.h" -+#include "kex.h" -+#include "log.h" -+#include "packet.h" -+#include "dh.h" -+ -+#include "ssh-gss.h" -+ -+void -+kexgss_client(Kex *kex) { -+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; -+ Gssctxt *ctxt; -+ OM_uint32 maj_status, min_status, ret_flags; -+ u_int klen, kout, slen = 0, hashlen, strlen; -+ DH *dh; -+ BIGNUM *dh_server_pub = NULL; -+ BIGNUM *shared_secret = NULL; -+ BIGNUM *p = NULL; -+ BIGNUM *g = NULL; -+ u_char *kbuf, *hash; -+ u_char *serverhostkey = NULL; -+ u_char *empty = ""; -+ char *msg; -+ char *lang; -+ int type = 0; -+ int first = 1; -+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; -+ -+ /* Initialise our GSSAPI world */ -+ ssh_gssapi_build_ctx(&ctxt); -+ if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) -+ == GSS_C_NO_OID) -+ fatal("Couldn't identify host exchange"); -+ -+ if (ssh_gssapi_import_name(ctxt, kex->gss_host)) -+ fatal("Couldn't import hostname"); -+ -+ if (kex->gss_client && -+ ssh_gssapi_client_identity(ctxt, kex->gss_client)) -+ fatal("Couldn't acquire client credentials"); -+ -+ switch (kex->kex_type) { -+ case KEX_GSS_GRP1_SHA1: -+ dh = dh_new_group1(); -+ break; -+ case KEX_GSS_GRP14_SHA1: -+ dh = dh_new_group14(); -+ break; -+ case KEX_GSS_GEX_SHA1: -+ debug("Doing group exchange\n"); -+ nbits = dh_estimate(kex->we_need * 8); -+ packet_start(SSH2_MSG_KEXGSS_GROUPREQ); -+ packet_put_int(min); -+ packet_put_int(nbits); -+ packet_put_int(max); -+ -+ packet_send(); -+ -+ packet_read_expect(SSH2_MSG_KEXGSS_GROUP); -+ -+ if ((p = BN_new()) == NULL) -+ fatal("BN_new() failed"); -+ packet_get_bignum2(p); -+ if ((g = BN_new()) == NULL) -+ fatal("BN_new() failed"); -+ packet_get_bignum2(g); -+ packet_check_eom(); -+ -+ if (BN_num_bits(p) < min || BN_num_bits(p) > max) -+ fatal("GSSGRP_GEX group out of range: %d !< %d !< %d", -+ min, BN_num_bits(p), max); -+ -+ dh = dh_new_group(g, p); -+ break; -+ default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); -+ } -+ -+ /* Step 1 - e is dh->pub_key */ -+ dh_gen_key(dh, kex->we_need * 8); -+ -+ /* This is f, we initialise it now to make life easier */ -+ dh_server_pub = BN_new(); -+ if (dh_server_pub == NULL) -+ fatal("dh_server_pub == NULL"); -+ -+ token_ptr = GSS_C_NO_BUFFER; -+ -+ do { -+ debug("Calling gss_init_sec_context"); -+ -+ maj_status = ssh_gssapi_init_ctx(ctxt, -+ kex->gss_deleg_creds, token_ptr, &send_tok, -+ &ret_flags); -+ -+ if (GSS_ERROR(maj_status)) { -+ if (send_tok.length != 0) { -+ packet_start(SSH2_MSG_KEXGSS_CONTINUE); -+ packet_put_string(send_tok.value, -+ send_tok.length); -+ } -+ fatal("gss_init_context failed"); -+ } -+ -+ /* If we've got an old receive buffer get rid of it */ -+ if (token_ptr != GSS_C_NO_BUFFER) -+ xfree(recv_tok.value); -+ -+ if (maj_status == GSS_S_COMPLETE) { -+ /* If mutual state flag is not true, kex fails */ -+ if (!(ret_flags & GSS_C_MUTUAL_FLAG)) -+ fatal("Mutual authentication failed"); -+ -+ /* If integ avail flag is not true kex fails */ -+ if (!(ret_flags & GSS_C_INTEG_FLAG)) -+ fatal("Integrity check failed"); -+ } -+ -+ /* -+ * If we have data to send, then the last message that we -+ * received cannot have been a 'complete'. -+ */ -+ if (send_tok.length != 0) { -+ if (first) { -+ packet_start(SSH2_MSG_KEXGSS_INIT); -+ packet_put_string(send_tok.value, -+ send_tok.length); -+ packet_put_bignum2(dh->pub_key); -+ first = 0; -+ } else { -+ packet_start(SSH2_MSG_KEXGSS_CONTINUE); -+ packet_put_string(send_tok.value, -+ send_tok.length); -+ } -+ packet_send(); -+ gss_release_buffer(&min_status, &send_tok); -+ -+ /* If we've sent them data, they should reply */ -+ do { -+ type = packet_read(); -+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) { -+ debug("Received KEXGSS_HOSTKEY"); -+ if (serverhostkey) -+ fatal("Server host key received more than once"); -+ serverhostkey = -+ packet_get_string(&slen); -+ } -+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY); -+ -+ switch (type) { -+ case SSH2_MSG_KEXGSS_CONTINUE: -+ debug("Received GSSAPI_CONTINUE"); -+ if (maj_status == GSS_S_COMPLETE) -+ fatal("GSSAPI Continue received from server when complete"); -+ recv_tok.value = packet_get_string(&strlen); -+ recv_tok.length = strlen; -+ break; -+ case SSH2_MSG_KEXGSS_COMPLETE: -+ debug("Received GSSAPI_COMPLETE"); -+ packet_get_bignum2(dh_server_pub); -+ msg_tok.value = packet_get_string(&strlen); -+ msg_tok.length = strlen; -+ -+ /* Is there a token included? */ -+ if (packet_get_char()) { -+ recv_tok.value= -+ packet_get_string(&strlen); -+ recv_tok.length = strlen; -+ /* If we're already complete - protocol error */ -+ if (maj_status == GSS_S_COMPLETE) -+ packet_disconnect("Protocol error: received token when complete"); -+ } else { -+ /* No token included */ -+ if (maj_status != GSS_S_COMPLETE) -+ packet_disconnect("Protocol error: did not receive final token"); -+ } -+ break; -+ case SSH2_MSG_KEXGSS_ERROR: -+ debug("Received Error"); -+ maj_status = packet_get_int(); -+ min_status = packet_get_int(); -+ msg = packet_get_string(NULL); -+ lang = packet_get_string(NULL); -+ fatal("GSSAPI Error: \n%.400s",msg); -+ default: -+ packet_disconnect("Protocol error: didn't expect packet type %d", -+ type); -+ } -+ token_ptr = &recv_tok; -+ } else { -+ /* No data, and not complete */ -+ if (maj_status != GSS_S_COMPLETE) -+ fatal("Not complete, and no token output"); -+ } -+ } while (maj_status & GSS_S_CONTINUE_NEEDED); -+ -+ /* -+ * We _must_ have received a COMPLETE message in reply from the -+ * server, which will have set dh_server_pub and msg_tok -+ */ -+ -+ if (type != SSH2_MSG_KEXGSS_COMPLETE) -+ fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it"); -+ -+ /* Check f in range [1, p-1] */ -+ if (!dh_pub_is_valid(dh, dh_server_pub)) -+ packet_disconnect("bad server public DH value"); -+ -+ /* compute K=f^x mod p */ -+ klen = DH_size(dh); -+ kbuf = xmalloc(klen); -+ kout = DH_compute_key(kbuf, dh_server_pub, dh); -+ if (kout < 0) -+ fatal("DH_compute_key: failed"); -+ -+ shared_secret = BN_new(); -+ if (shared_secret == NULL) -+ fatal("kexgss_client: BN_new failed"); -+ -+ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) -+ fatal("kexdh_client: BN_bin2bn failed"); -+ -+ memset(kbuf, 0, klen); -+ xfree(kbuf); -+ -+ switch (kex->kex_type) { -+ case KEX_GSS_GRP1_SHA1: -+ case KEX_GSS_GRP14_SHA1: -+ kex_dh_hash( kex->client_version_string, -+ kex->server_version_string, -+ buffer_ptr(&kex->my), buffer_len(&kex->my), -+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), -+ (serverhostkey ? serverhostkey : empty), slen, -+ dh->pub_key, /* e */ -+ dh_server_pub, /* f */ -+ shared_secret, /* K */ -+ &hash, &hashlen -+ ); -+ break; -+ case KEX_GSS_GEX_SHA1: -+ kexgex_hash( -+ kex->evp_md, -+ kex->client_version_string, -+ kex->server_version_string, -+ buffer_ptr(&kex->my), buffer_len(&kex->my), -+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), -+ (serverhostkey ? serverhostkey : empty), slen, -+ min, nbits, max, -+ dh->p, dh->g, -+ dh->pub_key, -+ dh_server_pub, -+ shared_secret, -+ &hash, &hashlen -+ ); -+ break; -+ default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); -+ } -+ -+ gssbuf.value = hash; -+ gssbuf.length = hashlen; -+ -+ /* Verify that the hash matches the MIC we just got. */ -+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) -+ packet_disconnect("Hash's MIC didn't verify"); -+ -+ xfree(msg_tok.value); -+ -+ DH_free(dh); -+ if (serverhostkey) -+ xfree(serverhostkey); -+ BN_clear_free(dh_server_pub); -+ -+ /* save session id */ -+ if (kex->session_id == NULL) { -+ kex->session_id_len = hashlen; -+ kex->session_id = xmalloc(kex->session_id_len); -+ memcpy(kex->session_id, hash, kex->session_id_len); -+ } -+ -+ if (kex->gss_deleg_creds) -+ ssh_gssapi_credentials_updated(ctxt); -+ -+ if (gss_kex_context == NULL) -+ gss_kex_context = ctxt; -+ else -+ ssh_gssapi_delete_ctx(&ctxt); -+ -+ kex_derive_keys(kex, hash, hashlen, shared_secret); -+ BN_clear_free(shared_secret); -+ kex_finish(kex); -+} -+ -+#endif /* GSSAPI */ -Index: openssh-5.3p1/kexgsss.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-5.3p1/kexgsss.c 2010-01-24 10:36:10.000000000 +0000 -@@ -0,0 +1,288 @@ -+/* -+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "includes.h" -+ -+#ifdef GSSAPI -+ -+#include <string.h> -+ -+#include <openssl/crypto.h> -+#include <openssl/bn.h> -+ -+#include "xmalloc.h" -+#include "buffer.h" -+#include "ssh2.h" -+#include "key.h" -+#include "cipher.h" -+#include "kex.h" -+#include "log.h" -+#include "packet.h" -+#include "dh.h" -+#include "ssh-gss.h" -+#include "monitor_wrap.h" -+#include "servconf.h" -+ -+extern ServerOptions options; -+ -+void -+kexgss_server(Kex *kex) -+{ -+ OM_uint32 maj_status, min_status; -+ -+ /* -+ * Some GSSAPI implementations use the input value of ret_flags (an -+ * output variable) as a means of triggering mechanism specific -+ * features. Initializing it to zero avoids inadvertently -+ * activating this non-standard behaviour. -+ */ -+ -+ OM_uint32 ret_flags = 0; -+ gss_buffer_desc gssbuf, recv_tok, msg_tok; -+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; -+ Gssctxt *ctxt = NULL; -+ u_int slen, klen, kout, hashlen; -+ u_char *kbuf, *hash; -+ DH *dh; -+ int min = -1, max = -1, nbits = -1; -+ BIGNUM *shared_secret = NULL; -+ BIGNUM *dh_client_pub = NULL; -+ int type = 0; -+ gss_OID oid; -+ char *mechs; -+ -+ /* Initialise GSSAPI */ -+ -+ /* If we're rekeying, privsep means that some of the private structures -+ * in the GSSAPI code are no longer available. This kludges them back -+ * into life -+ */ -+ if (!ssh_gssapi_oid_table_ok()) -+ if ((mechs = ssh_gssapi_server_mechanisms())) -+ xfree(mechs); -+ -+ debug2("%s: Identifying %s", __func__, kex->name); -+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); -+ if (oid == GSS_C_NO_OID) -+ fatal("Unknown gssapi mechanism"); -+ -+ debug2("%s: Acquiring credentials", __func__); -+ -+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) -+ fatal("Unable to acquire credentials for the server"); -+ -+ switch (kex->kex_type) { -+ case KEX_GSS_GRP1_SHA1: -+ dh = dh_new_group1(); -+ break; -+ case KEX_GSS_GRP14_SHA1: -+ dh = dh_new_group14(); -+ break; -+ case KEX_GSS_GEX_SHA1: -+ debug("Doing group exchange"); -+ packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ); -+ min = packet_get_int(); -+ nbits = packet_get_int(); -+ max = packet_get_int(); -+ min = MAX(DH_GRP_MIN, min); -+ max = MIN(DH_GRP_MAX, max); -+ packet_check_eom(); -+ if (max < min || nbits < min || max < nbits) -+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d", -+ min, nbits, max); -+ dh = PRIVSEP(choose_dh(min, nbits, max)); -+ if (dh == NULL) -+ packet_disconnect("Protocol error: no matching group found"); -+ -+ packet_start(SSH2_MSG_KEXGSS_GROUP); -+ packet_put_bignum2(dh->p); -+ packet_put_bignum2(dh->g); -+ packet_send(); -+ -+ packet_write_wait(); -+ break; -+ default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); -+ } -+ -+ dh_gen_key(dh, kex->we_need * 8); -+ -+ do { -+ debug("Wait SSH2_MSG_GSSAPI_INIT"); -+ type = packet_read(); -+ switch(type) { -+ case SSH2_MSG_KEXGSS_INIT: -+ if (dh_client_pub != NULL) -+ fatal("Received KEXGSS_INIT after initialising"); -+ recv_tok.value = packet_get_string(&slen); -+ recv_tok.length = slen; -+ -+ if ((dh_client_pub = BN_new()) == NULL) -+ fatal("dh_client_pub == NULL"); -+ -+ packet_get_bignum2(dh_client_pub); -+ -+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ -+ break; -+ case SSH2_MSG_KEXGSS_CONTINUE: -+ recv_tok.value = packet_get_string(&slen); -+ recv_tok.length = slen; -+ break; -+ default: -+ packet_disconnect( -+ "Protocol error: didn't expect packet type %d", -+ type); -+ } -+ -+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, -+ &send_tok, &ret_flags)); -+ -+ xfree(recv_tok.value); -+ -+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) -+ fatal("Zero length token output when incomplete"); -+ -+ if (dh_client_pub == NULL) -+ fatal("No client public key"); -+ -+ if (maj_status & GSS_S_CONTINUE_NEEDED) { -+ debug("Sending GSSAPI_CONTINUE"); -+ packet_start(SSH2_MSG_KEXGSS_CONTINUE); -+ packet_put_string(send_tok.value, send_tok.length); -+ packet_send(); -+ gss_release_buffer(&min_status, &send_tok); -+ } -+ } while (maj_status & GSS_S_CONTINUE_NEEDED); -+ -+ if (GSS_ERROR(maj_status)) { -+ if (send_tok.length > 0) { -+ packet_start(SSH2_MSG_KEXGSS_CONTINUE); -+ packet_put_string(send_tok.value, send_tok.length); -+ packet_send(); -+ } -+ fatal("accept_ctx died"); -+ } -+ -+ if (!(ret_flags & GSS_C_MUTUAL_FLAG)) -+ fatal("Mutual Authentication flag wasn't set"); -+ -+ if (!(ret_flags & GSS_C_INTEG_FLAG)) -+ fatal("Integrity flag wasn't set"); -+ -+ if (!dh_pub_is_valid(dh, dh_client_pub)) -+ packet_disconnect("bad client public DH value"); -+ -+ klen = DH_size(dh); -+ kbuf = xmalloc(klen); -+ kout = DH_compute_key(kbuf, dh_client_pub, dh); -+ if (kout < 0) -+ fatal("DH_compute_key: failed"); -+ -+ shared_secret = BN_new(); -+ if (shared_secret == NULL) -+ fatal("kexgss_server: BN_new failed"); -+ -+ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) -+ fatal("kexgss_server: BN_bin2bn failed"); -+ -+ memset(kbuf, 0, klen); -+ xfree(kbuf); -+ -+ switch (kex->kex_type) { -+ case KEX_GSS_GRP1_SHA1: -+ case KEX_GSS_GRP14_SHA1: -+ kex_dh_hash( -+ kex->client_version_string, kex->server_version_string, -+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), -+ buffer_ptr(&kex->my), buffer_len(&kex->my), -+ NULL, 0, /* Change this if we start sending host keys */ -+ dh_client_pub, dh->pub_key, shared_secret, -+ &hash, &hashlen -+ ); -+ break; -+ case KEX_GSS_GEX_SHA1: -+ kexgex_hash( -+ kex->evp_md, -+ kex->client_version_string, kex->server_version_string, -+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), -+ buffer_ptr(&kex->my), buffer_len(&kex->my), -+ NULL, 0, -+ min, nbits, max, -+ dh->p, dh->g, -+ dh_client_pub, -+ dh->pub_key, -+ shared_secret, -+ &hash, &hashlen -+ ); -+ break; -+ default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); -+ } -+ -+ BN_clear_free(dh_client_pub); -+ -+ if (kex->session_id == NULL) { -+ kex->session_id_len = hashlen; -+ kex->session_id = xmalloc(kex->session_id_len); -+ memcpy(kex->session_id, hash, kex->session_id_len); -+ } -+ -+ gssbuf.value = hash; -+ gssbuf.length = hashlen; -+ -+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok)))) -+ fatal("Couldn't get MIC"); -+ -+ packet_start(SSH2_MSG_KEXGSS_COMPLETE); -+ packet_put_bignum2(dh->pub_key); -+ packet_put_string(msg_tok.value,msg_tok.length); -+ -+ if (send_tok.length != 0) { -+ packet_put_char(1); /* true */ -+ packet_put_string(send_tok.value, send_tok.length); -+ } else { -+ packet_put_char(0); /* false */ -+ } -+ packet_send(); -+ -+ gss_release_buffer(&min_status, &send_tok); -+ gss_release_buffer(&min_status, &msg_tok); -+ -+ if (gss_kex_context == NULL) -+ gss_kex_context = ctxt; -+ else -+ ssh_gssapi_delete_ctx(&ctxt); -+ -+ DH_free(dh); -+ -+ kex_derive_keys(kex, hash, hashlen, shared_secret); -+ BN_clear_free(shared_secret); -+ kex_finish(kex); -+ -+ /* If this was a rekey, then save out any delegated credentials we -+ * just exchanged. */ -+ if (options.gss_store_rekey) -+ ssh_gssapi_rekey_creds(); -+} -+#endif /* GSSAPI */ -Index: openssh-5.3p1/key.c -=================================================================== ---- openssh-5.3p1.orig/key.c 2008-11-03 08:24:17.000000000 +0000 -+++ openssh-5.3p1/key.c 2010-01-24 10:30:18.000000000 +0000 -@@ -764,6 +764,8 @@ - return KEY_RSA; - } else if (strcmp(name, "ssh-dss") == 0) { - return KEY_DSA; -+ } else if (strcmp(name, "null") == 0) { -+ return KEY_NULL; - } - debug2("key_type_from_name: unknown key type '%s'", name); - return KEY_UNSPEC; -Index: openssh-5.3p1/key.h -=================================================================== ---- openssh-5.3p1.orig/key.h 2008-06-12 19:40:35.000000000 +0100 -+++ openssh-5.3p1/key.h 2010-01-24 10:30:18.000000000 +0000 -@@ -34,6 +34,7 @@ - KEY_RSA1, - KEY_RSA, - KEY_DSA, -+ KEY_NULL, - KEY_UNSPEC - }; - enum fp_type { -Index: openssh-5.3p1/monitor.c -=================================================================== ---- openssh-5.3p1.orig/monitor.c 2009-06-21 09:58:46.000000000 +0100 -+++ openssh-5.3p1/monitor.c 2010-01-24 10:36:10.000000000 +0000 -@@ -172,6 +172,8 @@ - int mm_answer_gss_accept_ctx(int, Buffer *); - int mm_answer_gss_userok(int, Buffer *); - int mm_answer_gss_checkmic(int, Buffer *); -+int mm_answer_gss_sign(int, Buffer *); -+int mm_answer_gss_updatecreds(int, Buffer *); - #endif - - #ifdef SSH_AUDIT_EVENTS -@@ -241,6 +243,7 @@ - {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, - {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, - {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, -+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, - #endif - #ifdef JPAKE - {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, -@@ -253,6 +256,12 @@ - }; - - struct mon_table mon_dispatch_postauth20[] = { -+#ifdef GSSAPI -+ {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, -+ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, -+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, -+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, -+#endif - {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, - {MONITOR_REQ_SIGN, 0, mm_answer_sign}, - {MONITOR_REQ_PTY, 0, mm_answer_pty}, -@@ -357,6 +366,10 @@ - /* Permit requests for moduli and signatures */ - monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); -+#ifdef GSSAPI -+ /* and for the GSSAPI key exchange */ -+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); -+#endif - } else { - mon_dispatch = mon_dispatch_proto15; - -@@ -443,6 +456,10 @@ - monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -+#ifdef GSSAPI -+ /* and for the GSSAPI key exchange */ -+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); -+#endif - } else { - mon_dispatch = mon_dispatch_postauth15; - monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1706,6 +1723,13 @@ - kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; - kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; - kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; -+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; -+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; -+ } -+#endif - kex->server = 1; - kex->hostkey_type = buffer_get_int(m); - kex->kex_type = buffer_get_int(m); -@@ -1911,6 +1935,9 @@ - OM_uint32 major; - u_int len; - -+ if (!options.gss_authentication && !options.gss_keyex) -+ fatal("In GSSAPI monitor when GSSAPI is disabled"); -+ - goid.elements = buffer_get_string(m, &len); - goid.length = len; - -@@ -1938,6 +1965,9 @@ - OM_uint32 flags = 0; /* GSI needs this */ - u_int len; - -+ if (!options.gss_authentication && !options.gss_keyex) -+ fatal("In GSSAPI monitor when GSSAPI is disabled"); -+ - in.value = buffer_get_string(m, &len); - in.length = len; - major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -1955,6 +1985,7 @@ - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); -+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); - } - return (0); - } -@@ -1966,6 +1997,9 @@ - OM_uint32 ret; - u_int len; - -+ if (!options.gss_authentication && !options.gss_keyex) -+ fatal("In GSSAPI monitor when GSSAPI is disabled"); -+ - gssbuf.value = buffer_get_string(m, &len); - gssbuf.length = len; - mic.value = buffer_get_string(m, &len); -@@ -1992,7 +2026,11 @@ - { - int authenticated; - -- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); -+ if (!options.gss_authentication && !options.gss_keyex) -+ fatal("In GSSAPI monitor when GSSAPI is disabled"); -+ -+ authenticated = authctxt->valid && -+ ssh_gssapi_userok(authctxt->user, authctxt->pw); - - buffer_clear(m); - buffer_put_int(m, authenticated); -@@ -2005,6 +2043,74 @@ - /* Monitor loop will terminate if authenticated */ - return (authenticated); - } -+ -+int -+mm_answer_gss_sign(int socket, Buffer *m) -+{ -+ gss_buffer_desc data; -+ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER; -+ OM_uint32 major, minor; -+ u_int len; -+ -+ if (!options.gss_authentication && !options.gss_keyex) -+ fatal("In GSSAPI monitor when GSSAPI is disabled"); -+ -+ data.value = buffer_get_string(m, &len); -+ data.length = len; -+ if (data.length != 20) -+ fatal("%s: data length incorrect: %d", __func__, -+ (int) data.length); -+ -+ /* Save the session ID on the first time around */ -+ if (session_id2_len == 0) { -+ session_id2_len = data.length; -+ session_id2 = xmalloc(session_id2_len); -+ memcpy(session_id2, data.value, session_id2_len); -+ } -+ major = ssh_gssapi_sign(gsscontext, &data, &hash); -+ -+ xfree(data.value); -+ -+ buffer_clear(m); -+ buffer_put_int(m, major); -+ buffer_put_string(m, hash.value, hash.length); -+ -+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); -+ -+ gss_release_buffer(&minor, &hash); -+ -+ /* Turn on getpwnam permissions */ -+ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); -+ -+ /* And credential updating, for when rekeying */ -+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1); -+ -+ return (0); -+} -+ -+int -+mm_answer_gss_updatecreds(int socket, Buffer *m) { -+ ssh_gssapi_ccache store; -+ int ok; -+ -+ store.filename = buffer_get_string(m, NULL); -+ store.envvar = buffer_get_string(m, NULL); -+ store.envval = buffer_get_string(m, NULL); -+ -+ ok = ssh_gssapi_update_creds(&store); -+ -+ xfree(store.filename); -+ xfree(store.envvar); -+ xfree(store.envval); -+ -+ buffer_clear(m); -+ buffer_put_int(m, ok); -+ -+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m); -+ -+ return(0); -+} -+ - #endif /* GSSAPI */ - - #ifdef JPAKE -Index: openssh-5.3p1/monitor.h -=================================================================== ---- openssh-5.3p1.orig/monitor.h 2008-11-05 05:20:46.000000000 +0000 -+++ openssh-5.3p1/monitor.h 2010-01-24 10:36:10.000000000 +0000 -@@ -53,6 +53,8 @@ - MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, - MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, - MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, -+ MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, -+ MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, - MONITOR_REQ_PAM_START, - MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, - MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, -Index: openssh-5.3p1/monitor_wrap.c -=================================================================== ---- openssh-5.3p1.orig/monitor_wrap.c 2009-06-22 07:11:07.000000000 +0100 -+++ openssh-5.3p1/monitor_wrap.c 2010-01-24 10:36:10.000000000 +0000 -@@ -1248,7 +1248,7 @@ - } - - int --mm_ssh_gssapi_userok(char *user) -+mm_ssh_gssapi_userok(char *user, struct passwd *pw) - { - Buffer m; - int authenticated = 0; -@@ -1265,6 +1265,51 @@ - debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); - return (authenticated); - } -+ -+OM_uint32 -+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) -+{ -+ Buffer m; -+ OM_uint32 major; -+ u_int len; -+ -+ buffer_init(&m); -+ buffer_put_string(&m, data->value, data->length); -+ -+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m); -+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m); -+ -+ major = buffer_get_int(&m); -+ hash->value = buffer_get_string(&m, &len); -+ hash->length = len; -+ -+ buffer_free(&m); -+ -+ return(major); -+} -+ -+int -+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) -+{ -+ Buffer m; -+ int ok; -+ -+ buffer_init(&m); -+ -+ buffer_put_cstring(&m, store->filename ? store->filename : ""); -+ buffer_put_cstring(&m, store->envvar ? store->envvar : ""); -+ buffer_put_cstring(&m, store->envval ? store->envval : ""); -+ -+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m); -+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m); -+ -+ ok = buffer_get_int(&m); -+ -+ buffer_free(&m); -+ -+ return (ok); -+} -+ - #endif /* GSSAPI */ - - #ifdef JPAKE -Index: openssh-5.3p1/monitor_wrap.h -=================================================================== ---- openssh-5.3p1.orig/monitor_wrap.h 2009-03-05 13:58:22.000000000 +0000 -+++ openssh-5.3p1/monitor_wrap.h 2010-01-24 10:36:10.000000000 +0000 -@@ -57,8 +57,10 @@ - OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); - OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, - gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); --int mm_ssh_gssapi_userok(char *user); -+int mm_ssh_gssapi_userok(char *user, struct passwd *); - OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); -+OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); -+int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *); - #endif - - #ifdef USE_PAM -Index: openssh-5.3p1/ssh-gss.h -=================================================================== ---- openssh-5.3p1.orig/ssh-gss.h 2007-06-12 14:40:39.000000000 +0100 -+++ openssh-5.3p1/ssh-gss.h 2010-01-24 10:36:10.000000000 +0000 -@@ -1,6 +1,6 @@ - /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ - /* -- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -60,10 +60,22 @@ - - #define SSH_GSS_OIDTYPE 0x06 - -+#define SSH2_MSG_KEXGSS_INIT 30 -+#define SSH2_MSG_KEXGSS_CONTINUE 31 -+#define SSH2_MSG_KEXGSS_COMPLETE 32 -+#define SSH2_MSG_KEXGSS_HOSTKEY 33 -+#define SSH2_MSG_KEXGSS_ERROR 34 -+#define SSH2_MSG_KEXGSS_GROUPREQ 40 -+#define SSH2_MSG_KEXGSS_GROUP 41 -+#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-" -+#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-" -+#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-" -+ - typedef struct { - char *filename; - char *envvar; - char *envval; -+ struct passwd *owner; - void *data; - } ssh_gssapi_ccache; - -@@ -71,8 +83,11 @@ - gss_buffer_desc displayname; - gss_buffer_desc exportedname; - gss_cred_id_t creds; -+ gss_name_t name; - struct ssh_gssapi_mech_struct *mech; - ssh_gssapi_ccache store; -+ int used; -+ int updated; - } ssh_gssapi_client; - - typedef struct ssh_gssapi_mech_struct { -@@ -83,6 +98,7 @@ - int (*userok) (ssh_gssapi_client *, char *); - int (*localname) (ssh_gssapi_client *, char **); - void (*storecreds) (ssh_gssapi_client *); -+ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *); - } ssh_gssapi_mech; - - typedef struct { -@@ -93,10 +109,11 @@ - gss_OID oid; /* client */ - gss_cred_id_t creds; /* server */ - gss_name_t client; /* server */ -- gss_cred_id_t client_creds; /* server */ -+ gss_cred_id_t client_creds; /* both */ - } Gssctxt; - - extern ssh_gssapi_mech *supported_mechs[]; -+extern Gssctxt *gss_kex_context; - - int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); - void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); -@@ -116,16 +133,30 @@ - void ssh_gssapi_delete_ctx(Gssctxt **); - OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); - void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); --int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); -+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); -+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); -+int ssh_gssapi_credentials_updated(Gssctxt *); - - /* In the server */ -+typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, -+ const char *); -+char *ssh_gssapi_client_mechanisms(const char *, const char *); -+char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *, -+ const char *); -+gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); -+int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, -+ const char *); - OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); --int ssh_gssapi_userok(char *name); -+int ssh_gssapi_userok(char *name, struct passwd *); - OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); - void ssh_gssapi_do_child(char ***, u_int *); - void ssh_gssapi_cleanup_creds(void); - void ssh_gssapi_storecreds(void); - -+char *ssh_gssapi_server_mechanisms(void); -+int ssh_gssapi_oid_table_ok(); -+ -+int ssh_gssapi_update_creds(ssh_gssapi_ccache *store); - #endif /* GSSAPI */ - - #endif /* _SSH_GSS_H */ -Index: openssh-5.3p1/ssh_config -=================================================================== ---- openssh-5.3p1.orig/ssh_config 2009-02-21 01:45:02.000000000 +0000 -+++ openssh-5.3p1/ssh_config 2010-01-24 10:30:18.000000000 +0000 -@@ -26,6 +26,8 @@ - # HostbasedAuthentication no - # GSSAPIAuthentication no - # GSSAPIDelegateCredentials no -+# GSSAPIKeyExchange no -+# GSSAPITrustDNS no - # BatchMode no - # CheckHostIP yes - # AddressFamily any -Index: openssh-5.3p1/clientloop.c -=================================================================== ---- openssh-5.3p1.orig/clientloop.c 2009-08-28 02:21:07.000000000 +0100 -+++ openssh-5.3p1/clientloop.c 2010-01-24 10:37:05.000000000 +0000 -@@ -111,6 +111,10 @@ - #include "msg.h" - #include "roaming.h" - -+#ifdef GSSAPI -+#include "ssh-gss.h" -+#endif -+ - /* import options */ - extern Options options; - -@@ -1430,6 +1434,15 @@ - /* Do channel operations unless rekeying in progress. */ - if (!rekeying) { - channel_after_select(readset, writeset); -+ -+#ifdef GSSAPI -+ if (options.gss_renewal_rekey && -+ ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) { -+ debug("credentials updated - forcing rekey"); -+ need_rekeying = 1; -+ } -+#endif -+ - if (need_rekeying || packet_need_rekeying()) { - debug("need rekeying"); - xxx_kex->done = 0; diff --git a/net-misc/openssh/files/openssh-5.8_p1-selinux.patch b/net-misc/openssh/files/openssh-5.8_p1-selinux.patch deleted file mode 100644 index 7be2879..0000000 --- a/net-misc/openssh/files/openssh-5.8_p1-selinux.patch +++ /dev/null @@ -1,18 +0,0 @@ -http://bugs.gentoo.org/354247 - -[openbsd-compat/port-linux.c] Bug #1851: fix syntax error in - selinux code. Patch from Leonardo Chiquitto. - -/* $Id: openssh-5.8_p1-selinux.patch,v 1.1 2011/02/10 02:44:53 vapier Exp $ */ - ---- a/openbsd-compat/port-linux.c -+++ b/openbsd-compat/port-linux.c -@@ -213,7 +213,7 @@ - - if (!ssh_selinux_enabled()) - return; -- if (path == NULL) -+ if (path == NULL) { - setfscreatecon(NULL); - return; - } diff --git a/net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch b/net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch deleted file mode 100644 index 74d06c7..0000000 --- a/net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch +++ /dev/null @@ -1,61 +0,0 @@ -Move things around so hpn applies cleanly when using X509. - ---- a/Makefile.in -+++ b/Makefile.in -@@ -46,12 +46,13 @@ - CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ --CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ -+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ - LIBS=@LIBS@ - SSHLIBS=@SSHLIBS@ - SSHDLIBS=@SSHDLIBS@ - LIBEDIT=@LIBEDIT@ - LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ -+CPPFLAGS+=@LDAP_CPPFLAGS@ - AR=@AR@ - AWK=@AWK@ - RANLIB=@RANLIB@ ---- a/servconf.c -+++ b/servconf.c -@@ -153,9 +153,6 @@ initialize_server_options(ServerOptions *options) - options->zero_knowledge_password_authentication = -1; - options->revoked_keys_file = NULL; - options->trusted_user_ca_keys = NULL; -- options->authorized_principals_file = NULL; -- options->ip_qos_interactive = -1; -- options->ip_qos_bulk = -1; - - options->hostbased_algorithms = NULL; - options->pubkey_algorithms = NULL; -@@ -168,6 +165,9 @@ initialize_server_options(ServerOptions *options) - options->va.certificate_file = NULL; - options->va.responder_url = NULL; - #endif /*def SSH_OCSP_ENABLED*/ -+ options->authorized_principals_file = NULL; -+ options->ip_qos_interactive = -1; -+ options->ip_qos_bulk = -1; - } - - void -@@ -367,9 +367,6 @@ typedef enum { - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, sAllowAgentForwarding, -- sZeroKnowledgePasswordAuthentication, sHostCertificate, -- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, -- sKexAlgorithms, sIPQoS, - sHostbasedAlgorithms, - sPubkeyAlgorithms, - sX509KeyAlgorithm, -@@ -380,6 +377,9 @@ typedef enum { - sCAldapVersion, sCAldapURL, - sVAType, sVACertificateFile, - sVAOCSPResponderURL, -+ sZeroKnowledgePasswordAuthentication, sHostCertificate, -+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, -+ sKexAlgorithms, sIPQoS, - sDeprecated, sUnsupported - } ServerOpCodes; - diff --git a/net-misc/openssh/files/sshd.rc6 b/net-misc/openssh/files/sshd.rc6 index 2e0b442..0316068 100644 --- a/net-misc/openssh/files/sshd.rc6 +++ b/net-misc/openssh/files/sshd.rc6 @@ -1,9 +1,10 @@ #!/sbin/runscript -# Copyright 1999-2006 Gentoo Foundation +# Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.27 2009/08/12 08:09:52 idl0r Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.28 2011/12/04 10:08:19 swegener Exp $ -opts="${opts} reload checkconfig gen_keys" +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" depend() { use logger dns diff --git a/net-misc/openssh/files/sshd.rc6.1 b/net-misc/openssh/files/sshd.rc6.1 index 0afb948..6524601 100644 --- a/net-misc/openssh/files/sshd.rc6.1 +++ b/net-misc/openssh/files/sshd.rc6.1 @@ -1,9 +1,10 @@ #!/sbin/runscript -# Copyright 1999-2010 Gentoo Foundation +# Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.1,v 1.1 2010/10/11 22:50:07 flameeyes Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.1,v 1.2 2011/12/04 10:08:19 swegener Exp $ -opts="${opts} reload checkconfig gen_keys" +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" depend() { use logger dns diff --git a/net-misc/openssh/files/sshd.rc6.2 b/net-misc/openssh/files/sshd.rc6.2 index 86f87ba..22aaaad 100644 --- a/net-misc/openssh/files/sshd.rc6.2 +++ b/net-misc/openssh/files/sshd.rc6.2 @@ -1,9 +1,10 @@ #!/sbin/runscript # Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.2,v 1.1 2011/01/24 02:55:47 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.2,v 1.3 2011/12/04 10:08:19 swegener Exp $ -opts="${opts} reload checkconfig gen_keys" +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" depend() { use logger dns @@ -27,7 +28,12 @@ checkconfig() { gen_keys || return 1 - "${SSHD_BINARY}" -t ${myopts} || return 1 + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 } gen_key() { @@ -50,17 +56,12 @@ gen_keys() { } start() { - local myopts="" - [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ - && myopts="${myopts} -o PidFile=${SSHD_PIDFILE}" - [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ - && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config" - checkconfig || return 1 + ebegin "Starting ${SVCNAME}" start-stop-daemon --start --exec "${SSHD_BINARY}" \ --pidfile "${SSHD_PIDFILE}" \ - -- ${myopts} ${SSHD_OPTS} + -- ${SSHD_OPTS} eend $? } diff --git a/net-misc/openssh/files/sshd.rc6.3 b/net-misc/openssh/files/sshd.rc6.3 new file mode 100755 index 0000000..c55116e --- /dev/null +++ b/net-misc/openssh/files/sshd.rc6.3 @@ -0,0 +1,85 @@ +#!/sbin/runscript +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.3,v 1.2 2011/09/14 21:46:19 polynomial-c Exp $ + +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" + +depend() { + use logger dns + need net +} + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + gen_keys || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +gen_key() { + local type=$1 key ks + [ $# -eq 1 ] && ks="${type}_" + key="${SSHD_CONFDIR}/ssh_host_${ks}key" + if [ ! -e "${key}" ] ; then + ebegin "Generating ${type} host key" + ssh-keygen -t ${type} -f "${key}" -N '' + eend $? || return $? + fi +} + +gen_keys() { + if egrep -q '^[[:space:]]*Protocol[[:space:]]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then + gen_key rsa1 "" || return 1 + fi + gen_key dsa && gen_key rsa && gen_key ecdsa + return $? +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service new file mode 100644 index 0000000..45f823a --- /dev/null +++ b/net-misc/openssh/files/sshd.service @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH server daemon +After=syslog.target network.target auditd.service + +[Service] +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket new file mode 100644 index 0000000..94b9533 --- /dev/null +++ b/net-misc/openssh/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service new file mode 100644 index 0000000..2645ad0 --- /dev/null +++ b/net-misc/openssh/files/sshd_at.service @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=syslog.target auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=syslog diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml index 494737c..c1ead88 100644 --- a/net-misc/openssh/metadata.xml +++ b/net-misc/openssh/metadata.xml @@ -2,7 +2,7 @@ <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <pkgmetadata> <herd>base-system</herd> - <maintainer restrict="LPK"> + <maintainer restrict="net-misc/openssh[ldap]"> <email>michael@hammill.name</email> <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description> </maintainer> @@ -19,19 +19,10 @@ The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. - -This version of OpenSSH modifies the standard Gentoo version by adding -the Simon Wilkinson GSSAPI key exchange patch. This is required for -working in certain environments, for example, at the Royal Institute -of Technology (KTH) in Stockholm, Sweden. This version is not -supported in any way by KTH. It is only supported by the maintainer -so that he can use KTH facilities. In particular, this openssh + -heimdal. </longdescription> <use> <flag name="hpn">Enable high performance ssh</flag> <flag name="ldap">Add support for storing SSH public keys in LDAP</flag> - <flag name="pkcs11">Enable PKCS#11 smartcard support</flag> <flag name="X509">Adds support for X.509 certificate authentication</flag> </use> </pkgmetadata> diff --git a/net-misc/openssh/openssh-5.3_p1-r1.ebuild b/net-misc/openssh/openssh-5.3_p1-r1.ebuild deleted file mode 100644 index d446ff7..0000000 --- a/net-misc/openssh/openssh-5.3_p1-r1.ebuild +++ /dev/null @@ -1,274 +0,0 @@ -# Copyright 1999-2010 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-5.3_p1-r1.ebuild,v 1.10 2010/03/20 00:17:55 vapier Exp $ - -inherit eutils flag-o-matic multilib autotools pam - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_/} - -HPN_PATCH="${PARCH}-hpn13v6-gentoo.diff.gz" -LDAP_PATCH="${PARCH/openssh/openssh-lpk}-0.3.11.patch.gz" -PKCS11_PATCH="${PARCH/3p1/2}pkcs11-0.26.tar.bz2" -X509_VER="6.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="http://www.openssh.org/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )} - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} - ${PKCS11_PATCH:+pkcs11? ( http://alon.barlev.googlepages.com/${PKCS11_PATCH} )} - ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}" - -LICENSE="as-is" -SLOT="0" -KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd" -IUSE="hpn kerberos ldap libedit pam pkcs11 selinux skey smartcard static tcpd X X509" - -RDEPEND="pam? ( virtual/pam ) - kerberos? ( virtual/krb5 ) - selinux? ( >=sys-libs/libselinux-1.28 ) - skey? ( >=sys-auth/skey-1.1.5-r1 ) - ldap? ( net-nds/openldap ) - libedit? ( dev-libs/libedit ) - >=dev-libs/openssl-0.9.6d - >=sys-libs/zlib-1.2.3 - smartcard? ( dev-libs/opensc ) - pkcs11? ( dev-libs/pkcs11-helper ) - tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) - X? ( x11-apps/xauth ) - userland_GNU? ( sys-apps/shadow )" -DEPEND="${RDEPEND} - dev-util/pkgconfig - virtual/os-headers - sys-devel/autoconf" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 )" -PROVIDE="virtual/ssh" - -S=${WORKDIR}/${PARCH} - -pkg_setup() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && use ${1} && echo ${1} ; } - local fail=" - $(maybe_fail ldap LDAP_PATCH) - $(maybe_fail pkcs11 PKCS11_PATCH) - $(maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi -} - -src_unpack() { - unpack ${PARCH}.tar.gz - cd "${S}" - - sed -i \ - -e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \ - pathnames.h || die - - # <mike> - # Apply Simon Wilkinson's kext patch - patch -p1 < ${FILESDIR}/${PN}-5.3p1-gsskex-all-20100124.patch - # </mike> - - if use pkcs11 ; then - cd "${WORKDIR}" - unpack "${PKCS11_PATCH}" - cd "${S}" - # This patch is included with X509, so exclude it if X509 is going to be - # applied. - use X509 && mv -f "${WORKDIR}"/*pkcs11*/1000_all_log.patch "${WORKDIR}" - # Now apply pkcs11 - EPATCH_OPTS="-p1" epatch "${WORKDIR}"/*pkcs11*/{1,2,4}* - # And some glue - epatch "${FILESDIR}"/${PN}-5.3_p1-pkcs11-hpn-glue.patch - fi - if use X509 ; then - # Apply X509 patch - epatch "${DISTDIR}"/${X509_PATCH} - # Apply glue so that HPN will still work after X509 - epatch "${FILESDIR}"/${PN}-5.2_p1-x509-hpn-glue.patch - fi - use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch - if ! use X509 ; then - if [[ -n ${LDAP_PATCH} ]] && use ldap ; then - # The patch for bug 210110 64-bit stuff is now included. - epatch "${DISTDIR}"/${LDAP_PATCH} - epatch "${FILESDIR}"/${PN}-5.2p1-ldap-stdargs.diff #266654 - fi - #epatch "${DISTDIR}"/openssh-5.2p1-gsskex-all-20090726.patch #115553 #216932 #279488 - #epatch "${FILESDIR}"/${P}-gsskex-fix.patch - else - use ldap && ewarn "Sorry, X509 and ldap don't get along, disabling ldap" - fi - # <mike> - # Here I comment out the dns.patch, which is incompatible with Simon's patch. - # for more, see: - # https://bugzilla.mindrot.org/show_bug.cgi?id=1008 - # http://bugs.gentoo.org/show_bug.cgi?id=165444 - # epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - # </mike> - [[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH} - epatch "${FILESDIR}"/${PN}-4.7p1-selinux.diff #191665 - epatch "${FILESDIR}"/${PN}-5.2_p1-autoconf.patch - - # in 5.2p1, the AES-CTR multithreaded variant is temporarily broken, and - # causes random hangs when combined with the -f switch of ssh. - # To avoid this, we change the internal table to use the non-multithread - # version for the meantime. - sed -i \ - -e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \ - cipher.c || die - - sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die - - # Disable PATH reset, trust what portage gives us. bug 254615 - sed -i -e 's:^PATH=/:#PATH=/:' configure || die - - eautoreconf -} - -static_use_with() { - local flag=$1 - if use static && use ${flag} ; then - ewarn "Disabling '${flag}' support because of USE='static'" - # rebuild args so that we invert the first one (USE flag) - # but otherwise leave everything else working so we can - # just leverage use_with - shift - [[ -z $1 ]] && flag="${flag} ${flag}" - set -- !${flag} "$@" - fi - use_with "$@" -} - -src_compile() { - addwrite /dev/ptmx - addpredict /etc/skey/skeykeys #skey configure code triggers this - - local myconf="" - use static && append-ldflags -static - - econf \ - --with-ldflags="${LDFLAGS}" \ - --disable-strip \ - --sysconfdir=/etc/ssh \ - --libexecdir=/usr/$(get_libdir)/misc \ - --datadir=/usr/share/openssh \ - --with-privsep-path=/var/empty \ - --with-privsep-user=sshd \ - --with-md5-passwords \ - --with-ssl-engine \ - $(static_use_with pam) \ - $(static_use_with kerberos kerberos5 /usr) \ - ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \ - $(use_with libedit) \ - ${PKCS11_PATCH:+$(use pkcs11 && static_use_with pkcs11)} \ - $(use_with selinux) \ - $(use_with skey) \ - $(use_with smartcard opensc) \ - $(use_with tcpd tcp-wrappers) \ - ${myconf} \ - || die "bad configure" - emake || die "compile problem" -} - -src_install() { - emake install-nokeys DESTDIR="${D}" || die - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd.rc6 sshd - newconfd "${FILESDIR}"/sshd.confd sshd - keepdir /var/empty - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${D}"/etc/ssh/sshd_config || die "sed of configuration file failed" - fi - - # This instruction is from the HPN webpage, - # Used for the server logging functionality - if [[ -n ${HPN_PATCH} ]] && use hpn; then - keepdir /var/empty/dev - fi - - doman contrib/ssh-copy-id.1 - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config - - diropts -m 0700 - dodir /etc/skel/.ssh -} - -src_test() { - local t tests skipped failed passed shell - tests="interop-tests compat-tests" - skipped="" - shell=$(getent passwd ${UID} | cut -d: -f7) - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite" - elog "requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped="${skipped} tests" - else - tests="${tests} tests" - fi - for t in ${tests} ; do - # Some tests read from stdin ... - emake -k -j1 ${t} </dev/null \ - && passed="${passed}${t} " \ - || failed="${failed}${t} " - done - einfo "Passed tests: ${passed}" - ewarn "Skipped tests: ${skipped}" - if [[ -n ${failed} ]] ; then - ewarn "Failed tests: ${failed}" - die "Some tests failed: ${failed}" - else - einfo "Failed tests: ${failed}" - return 0 - fi -} - -pkg_postinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd - - # help fix broken perms caused by older ebuilds. - # can probably cut this after the next stage release. - chmod u+x "${ROOT}"/etc/skel/.ssh >& /dev/null - - ewarn "Remember to merge your config files in /etc/ssh/ and then" - ewarn "reload sshd: '/etc/init.d/sshd reload'." - if use pam ; then - echo - ewarn "Please be aware users need a valid shell in /etc/passwd" - ewarn "in order to be allowed to login." - fi - if use pkcs11 ; then - echo - einfo "For PKCS#11 you should also emerge one of the askpass softwares" - einfo "Example: net-misc/x11-ssh-askpass" - fi - # This instruction is from the HPN webpage, - # Used for the server logging functionality - if [[ -n ${HPN_PATCH} ]] && use hpn; then - echo - einfo "For the HPN server logging patch, you must ensure that" - einfo "your syslog application also listens at /var/empty/dev/log." - fi -} diff --git a/net-misc/openssh/openssh-5.6_p1-r2.ebuild b/net-misc/openssh/openssh-5.6_p1-r2.ebuild index 0168035..863e464 100644 --- a/net-misc/openssh/openssh-5.6_p1-r2.ebuild +++ b/net-misc/openssh/openssh-5.6_p1-r2.ebuild @@ -42,7 +42,6 @@ DEPEND="${RDEPEND} sys-devel/autoconf" RDEPEND="${RDEPEND} pam? ( >=sys-auth/pambase-20081028 )" -PROVIDE="virtual/ssh" S=${WORKDIR}/${PARCH} @@ -223,7 +222,7 @@ src_test() { local t tests skipped failed passed shell tests="interop-tests compat-tests" skipped="" - shell=$(getent passwd ${UID} | cut -d: -f7) + shell=$(egetshell ${UID}) if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then elog "Running the full OpenSSH testsuite" elog "requires a usable shell for the 'portage'" diff --git a/net-misc/openssh/openssh-5.7_p1-r1.ebuild b/net-misc/openssh/openssh-5.7_p1-r1.ebuild index 90462e5..c898bb2 100644 --- a/net-misc/openssh/openssh-5.7_p1-r1.ebuild +++ b/net-misc/openssh/openssh-5.7_p1-r1.ebuild @@ -42,7 +42,6 @@ DEPEND="${RDEPEND} sys-devel/autoconf" RDEPEND="${RDEPEND} pam? ( >=sys-auth/pambase-20081028 )" -PROVIDE="virtual/ssh" S=${WORKDIR}/${PARCH} @@ -211,7 +210,7 @@ src_test() { local t tests skipped failed passed shell tests="interop-tests compat-tests" skipped="" - shell=$(getent passwd ${UID} | cut -d: -f7) + shell=$(egetshell ${UID}) if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then elog "Running the full OpenSSH testsuite" elog "requires a usable shell for the 'portage'" |