author | Patrick McLean <patrick.mclean@sony.com> | 2021-03-03 23:03:14 -0800 |
committer | Patrick McLean <chutzpah@gentoo.org> | 2021-03-03 23:03:14 -0800 |
commit | 77e3bbd9528150668daa02b6afffe1183a482782 (patch) | |
tree | fbaf7327144c76e396abe196ef8d3b330f21c74e /net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch | |
parent | www-servers/puma: add 5.2.2 (diff) | |
net-misc/openssh-8.5_p1: Version bump
Bug: https://bugs.gentoo.org/774090
Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-3.0.16, Repoman-3.0.2
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Diffstat (limited to 'net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch')
-rw-r--r-- | net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
new file mode 100644
index 000000000000..718eacb8a7ed
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
@@ -0,0 +1,112 @@
+diff --git a/readconf.c b/readconf.c
+index 724974b7..97a1ffd8 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -161,6 +161,7 @@ typedef enum {
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
+ oHashKnownHosts,
+@@ -206,9 +207,11 @@ static struct {
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ # else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ { "pkcs11provider", oPKCS11Provider },
+@@ -1083,6 +1086,10 @@ parse_time:
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+ 
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+diff --git a/readconf.h b/readconf.h
+index 2fba866e..da3ce87a 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -42,6 +42,7 @@ typedef struct {
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff --git a/ssh_config.5 b/ssh_config.5
+index f8119189..e0fd0d76 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -783,6 +783,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 059c9480..ab6f6832 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
+ OM_uint32 min;
+ int r, ok = 0;
+ gss_OID mech = NULL;
++ const char *gss_host;
++
++ if (options.gss_trust_dns) {
++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++ gss_host = auth_get_canonical_hostname(ssh, 1);
++ } else
++ gss_host = authctxt->host;
+ 
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
+ elements[authctxt->mech_tried];
+ /* My DER encoding requires length<128 */
+ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
+- mech, authctxt->host)) {
++ mech, gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ authctxt->mech_tried++; |
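Review bot: The `.Dq` macros in the ssh_config.5 part of the new patch quote everything that follows them on the line, so `.Dq yes to indicate that the DNS is trusted to securely canonicalize` renders the whole phrase in double quotes and `.Dq no, the hostname entered on the` does the same with the comma inside the quotes. Keep the keyword alone on the macro line as the surrounding context does with `.Cm no .`, i.e. `.Cm yes` and `.Cm no ,`, and continue the prose on the following line. The description should also spell out the consequence of enabling the option: with `gss_trust_dns` set, the name handed to ssh_gssapi_check_mechanism() comes from auth_get_canonical_hostname(ssh, 1), so whoever answers that DNS lookup influences which host principal the client authenticates against, and a sentence such as `Only enable this when the name resolution path is trusted.` next to the default would make that explicit. Separately, the block-scope `extern const char *auth_get_canonical_hostname(...)` inside userauth_gssapi() in sshconnect2.c bypasses any header prototype, so a later signature change in the defining file would not be caught at compile time; a declaration in a header both translation units include would be safer, and userauth_gssapi() continues outside the hunk.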