Ticket #42523: openssh-6.3p1-gsskex-all-20130920.patch.diff
| File openssh-6.3p1-gsskex-all-20130920.patch.diff, 46.6 KB (added by arthurmesh@…, 10 years ago) |
|---|
-
openssh-6.3p1-gsskex-all-20130920.patch
old new 1 diff - -speed-large-files --minimal -Nru openssh-5.8p1/ChangeLog.gssapi openssh-5.8p1.new/ChangeLog.gssapi2 --- openssh- 5.8p1/ChangeLog.gssapi 1970-01-01 01:00:00.000000000 +01003 +++ openssh- 5.8p1.new/ChangeLog.gssapi 2011-02-12 18:07:10.948345760 +01001 diff -Nrup openssh-6.5p1/ChangeLog.gssapi openssh-6.5p1.patched/ChangeLog.gssapi 2 --- openssh-6.5p1/ChangeLog.gssapi 1969-12-31 16:00:00.000000000 -0800 3 +++ openssh-6.5p1.patched/ChangeLog.gssapi 2014-02-15 16:50:46.000000000 -0800 4 4 @@ -0,0 +1,113 @@ 5 5 +20110101 6 6 + - Finally update for OpenSSH 5.6p1 … … 115 115 + add support for GssapiTrustDns option for gssapi-with-mic 116 116 + (from jbasney AT ncsa.uiuc.edu) 117 117 + <gssapi-with-mic support is Bugzilla #1008> 118 diff - -speed-large-files --minimal -Nru openssh-5.8p1/Makefile.in openssh-5.8p1.new/Makefile.in119 --- openssh- 5.8p1/Makefile.in 2011-02-04 01:42:13.000000000 +0100120 +++ openssh- 5.8p1.new/Makefile.in 2011-02-12 18:07:10.990611445 +0100121 @@ -7 5,6 +75,7 @@118 diff -Nrup openssh-6.5p1/Makefile.in openssh-6.5p1.patched/Makefile.in 119 --- openssh-6.5p1/Makefile.in 2014-01-26 22:35:04.000000000 -0800 120 +++ openssh-6.5p1.patched/Makefile.in 2014-02-15 16:51:24.000000000 -0800 121 @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o 122 122 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 123 123 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 124 124 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 125 125 + kexgssc.o \ 126 126 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ 127 jpake.o schnorr.o ssh-pkcs11.o kr 1.o128 129 @@ -91,7 +92,7 @@ 127 jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ 128 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ 129 @@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw 130 130 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 131 131 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 132 auth-krb5.o \132 kexc25519s.o auth-krb5.o \ 133 133 - auth2-gss.o gss-serv.o gss-serv-krb5.o \ 134 + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \134 + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 135 135 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 136 136 sftp-server.o sftp-common.o \ 137 roaming_common.o roaming_serv.o 138 diff - -speed-large-files --minimal -Nru openssh-5.8p1/auth-krb5.c openssh-5.8p1.new/auth-krb5.c139 --- openssh- 5.8p1/auth-krb5.c 2009-12-21 00:49:22.000000000 +0100140 +++ openssh- 5.8p1.new/auth-krb5.c 2011-02-12 18:07:11.002529804 +0100141 @@ -1 70,8 +170,13 @@137 roaming_common.o roaming_serv.o \ 138 diff -Nrup openssh-6.5p1/auth-krb5.c openssh-6.5p1.patched/auth-krb5.c 139 --- openssh-6.5p1/auth-krb5.c 2013-10-23 16:53:02.000000000 -0700 140 +++ openssh-6.5p1.patched/auth-krb5.c 2014-02-15 16:50:46.000000000 -0800 141 @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c 142 142 143 143 len = strlen(authctxt->krb5_ticket_file) + 6; 144 144 authctxt->krb5_ccname = xmalloc(len); … … 152 152 153 153 #ifdef USE_PAM 154 154 if (options.use_pam) 155 @@ -2 26,15 +231,22 @@155 @@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) 156 156 #ifndef HEIMDAL 157 157 krb5_error_code 158 158 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { … … 177 177 old_umask = umask(0177); 178 178 tmpfd = mkstemp(ccname + strlen("FILE:")); 179 179 oerrno = errno; 180 @@ -2 49,6 +261,7 @@180 @@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c 181 181 return oerrno; 182 182 } 183 183 close(tmpfd); … … 185 185 186 186 return (krb5_cc_resolve(ctx, ccname, ccache)); 187 187 } 188 diff - -speed-large-files --minimal -Nru openssh-5.8p1/auth2-gss.c openssh-5.8p1.new/auth2-gss.c189 --- openssh- 5.8p1/auth2-gss.c 2007-12-02 12:59:45.000000000 +0100190 +++ openssh- 5.8p1.new/auth2-gss.c 2011-02-12 18:07:11.030761708 +0100188 diff -Nrup openssh-6.5p1/auth2-gss.c openssh-6.5p1.patched/auth2-gss.c 189 --- openssh-6.5p1/auth2-gss.c 2013-06-01 14:31:18.000000000 -0700 190 +++ openssh-6.5p1.patched/auth2-gss.c 2014-02-15 16:50:46.000000000 -0800 191 191 @@ -1,7 +1,7 @@ 192 /* $OpenBSD: auth2-gss.c,v 1. 16 2007/10/29 00:52:45 dtuckerExp $ */192 /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */ 193 193 194 194 /* 195 195 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. … … 197 197 * 198 198 * Redistribution and use in source and binary forms, with or without 199 199 * modification, are permitted provided that the following conditions 200 @@ -52,6 +52,40 @@ 200 @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u 201 201 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 202 202 static void input_gssapi_errtok(int, u_int32_t, void *); 203 203 … … 238 238 /* 239 239 * We only support those mechanisms that we know about (ie ones that we know 240 240 * how to check local user kuserok and the like) 241 @@ -24 2,7 +278,8 @@241 @@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type, 242 242 243 243 packet_check_eom(); 244 244 … … 248 248 249 249 authctxt->postponed = 0; 250 250 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 251 @@ -27 7,7 +314,8 @@251 @@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t ple 252 252 gssbuf.length = buffer_len(&b); 253 253 254 254 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) … … 258 258 else 259 259 logit("GSSAPI MIC check failed"); 260 260 261 @@ -29 2,6 +330,12 @@262 userauth_finish(authctxt, authenticated, "gssapi-with-mic" );261 @@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t ple 262 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 263 263 } 264 264 265 265 +Authmethod method_gsskeyex = { … … 271 271 Authmethod method_gssapi = { 272 272 "gssapi-with-mic", 273 273 userauth_gssapi, 274 diff - -speed-large-files --minimal -Nru openssh-5.8p1/auth2.c openssh-5.8p1.new/auth2.c275 --- openssh- 5.8p1/auth2.c 2010-08-31 14:36:39.000000000 +0200276 +++ openssh- 5.8p1.new/auth2.c 2011-02-12 18:07:11.043418162 +0100277 @@ -69,6 +69,7 @@ 274 diff -Nrup openssh-6.5p1/auth2.c openssh-6.5p1.patched/auth2.c 275 --- openssh-6.5p1/auth2.c 2013-06-01 14:41:51.000000000 -0700 276 +++ openssh-6.5p1.patched/auth2.c 2014-02-15 16:50:46.000000000 -0800 277 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; 278 278 extern Authmethod method_kbdint; 279 279 extern Authmethod method_hostbased; 280 280 #ifdef GSSAPI … … 282 282 extern Authmethod method_gssapi; 283 283 #endif 284 284 #ifdef JPAKE 285 @@ -79,6 +80,7 @@ 285 @@ -79,6 +80,7 @@ Authmethod *authmethods[] = { 286 286 &method_none, 287 287 &method_pubkey, 288 288 #ifdef GSSAPI … … 290 290 &method_gssapi, 291 291 #endif 292 292 #ifdef JPAKE 293 diff - -speed-large-files --minimal -Nru openssh-5.8p1/clientloop.c openssh-5.8p1.new/clientloop.c294 --- openssh- 5.8p1/clientloop.c 2011-01-16 13:18:35.000000000 +0100295 +++ openssh- 5.8p1.new/clientloop.c 2011-02-12 18:07:11.063578136 +0100293 diff -Nrup openssh-6.5p1/clientloop.c openssh-6.5p1.patched/clientloop.c 294 --- openssh-6.5p1/clientloop.c 2013-11-20 18:57:15.000000000 -0800 295 +++ openssh-6.5p1.patched/clientloop.c 2014-02-15 16:50:46.000000000 -0800 296 296 @@ -111,6 +111,10 @@ 297 297 #include "msg.h" 298 298 #include "roaming.h" … … 304 304 /* import options */ 305 305 extern Options options; 306 306 307 @@ -1 483,6 +1487,15 @@307 @@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_cha 308 308 /* Do channel operations unless rekeying in progress. */ 309 309 if (!rekeying) { 310 310 channel_after_select(readset, writeset); … … 320 320 if (need_rekeying || packet_need_rekeying()) { 321 321 debug("need rekeying"); 322 322 xxx_kex->done = 0; 323 diff - -speed-large-files --minimal -Nru openssh-5.8p1/configure.ac openssh-5.8p1.new/configure.ac324 --- openssh- 5.8p1/configure.ac 2011-02-04 01:42:14.000000000 +0100325 +++ openssh- 5.8p1.new/configure.ac 2011-02-12 18:07:11.092748915 +0100326 @@ -5 14,6 +514,30 @@323 diff -Nrup openssh-6.5p1/configure.ac openssh-6.5p1.patched/configure.ac 324 --- openssh-6.5p1/configure.ac 2014-01-29 16:26:46.000000000 -0800 325 +++ openssh-6.5p1.patched/configure.ac 2014-02-15 16:50:46.000000000 -0800 326 @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary(" 327 327 [Use tunnel device compatibility to OpenBSD]) 328 328 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 329 329 [Prepend the address family to IP tunnel traffic]) … … 353 353 + ) 354 354 m4_pattern_allow([AU_IPv]) 355 355 AC_CHECK_DECL([AU_IPv4], [], 356 AC_DEFINE([AU_IPv4], 0, [System only supports IPv4 audit records])357 diff - -speed-large-files --minimal -Nru openssh-5.8p1/gss-genr.c openssh-5.8p1.new/gss-genr.c358 --- openssh- 5.8p1/gss-genr.c 2009-06-22 08:11:07.000000000 +0200359 +++ openssh- 5.8p1.new/gss-genr.c 2011-02-12 18:07:11.108432434 +0100356 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 357 diff -Nrup openssh-6.5p1/gss-genr.c openssh-6.5p1.patched/gss-genr.c 358 --- openssh-6.5p1/gss-genr.c 2013-11-07 17:19:57.000000000 -0800 359 +++ openssh-6.5p1.patched/gss-genr.c 2014-02-15 17:23:28.000000000 -0800 360 360 @@ -1,7 +1,7 @@ 361 /* $OpenBSD: gss-genr.c,v 1.2 0 2009/06/22 05:39:28 dtuckerExp $ */361 /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */ 362 362 363 363 /* 364 364 - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. … … 534 534 /* Check that the OID in a data stream matches that in the context */ 535 535 int 536 536 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) 537 @@ -197,7 +352,7 @@ 537 @@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de 538 538 } 539 539 540 540 ctx->major = gss_init_sec_context(&ctx->minor, … … 543 543 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 544 544 0, NULL, recv_tok, NULL, send_tok, flags, NULL); 545 545 546 @@ -227,8 +382,42 @@ 546 @@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con 547 547 } 548 548 549 549 OM_uint32 … … 586 586 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, 587 587 GSS_C_QOP_DEFAULT, buffer, hash))) 588 588 ssh_gssapi_error(ctx); 589 @@ -236,6 +425,19 @@ 589 @@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer 590 590 return (ctx->major); 591 591 } 592 592 … … 606 606 void 607 607 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 608 608 const char *context) 609 @@ -249,11 +451,16 @@ 609 @@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha 610 610 } 611 611 612 612 int … … 624 624 625 625 /* RFC 4462 says we MUST NOT do SPNEGO */ 626 626 if (oid->length == spnego_oid.length && 627 @@ -263,6 +470,10 @@ 627 @@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx 628 628 ssh_gssapi_build_ctx(ctx); 629 629 ssh_gssapi_set_oid(*ctx, oid); 630 630 major = ssh_gssapi_import_name(*ctx, host); … … 635 635 if (!GSS_ERROR(major)) { 636 636 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 637 637 NULL); 638 @@ -272,10 +483,6 7 @@638 @@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx 639 639 GSS_C_NO_BUFFER); 640 640 } 641 641 … … 655 655 + static OM_uint32 last_call = 0; 656 656 + OM_uint32 lifetime, now, major, minor; 657 657 + int equal; 658 + gss_cred_usage_t usage = GSS_C_INITIATE; 659 + 658 + 660 659 + now = time(NULL); 661 660 + 662 661 + if (ctxt) { … … 704 703 +} 705 704 + 706 705 #endif /* GSSAPI */ 707 diff - -speed-large-files --minimal -Nru openssh-5.8p1/gss-serv-krb5.c openssh-5.8p1.new/gss-serv-krb5.c708 --- openssh- 5.8p1/gss-serv-krb5.c 2006-09-01 07:38:36.000000000 +0200709 +++ openssh- 5.8p1.new/gss-serv-krb5.c 2011-02-12 18:07:11.123072516 +0100706 diff -Nrup openssh-6.5p1/gss-serv-krb5.c openssh-6.5p1.patched/gss-serv-krb5.c 707 --- openssh-6.5p1/gss-serv-krb5.c 2014-01-19 18:18:09.000000000 -0800 708 +++ openssh-6.5p1.patched/gss-serv-krb5.c 2014-02-15 16:50:46.000000000 -0800 710 709 @@ -1,7 +1,7 @@ 711 /* $OpenBSD: gss-serv-krb5.c,v 1. 7 2006/08/03 03:34:42 deraadtExp $ */710 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */ 712 711 713 712 /* 714 713 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. … … 716 715 * 717 716 * Redistribution and use in source and binary forms, with or without 718 717 * modification, are permitted provided that the following conditions 719 @@ -12 0,6 +120,7 @@718 @@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl 720 719 OM_uint32 maj_status, min_status; 721 720 int len; 722 const char *errmsg;721 const char *errmsg; 723 722 + const char *new_ccname; 724 723 725 724 if (client->creds == NULL) { 726 725 debug("No credentials stored"); 727 @@ -1 68,11 +169,16 @@726 @@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl 728 727 return; 729 728 } 730 729 … … 745 744 746 745 #ifdef USE_PAM 747 746 if (options.use_pam) 748 @@ -1 84,6 +190,71 @@747 @@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl 749 748 return; 750 749 } 751 750 … … 817 816 ssh_gssapi_mech gssapi_kerberos_mech = { 818 817 "toWM5Slw5Ew8Mqkay+al2g==", 819 818 "Kerberos", 820 @@ - 191,7 +262,8 @@819 @@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { 821 820 NULL, 822 821 &ssh_gssapi_krb5_userok, 823 822 NULL, … … 827 826 }; 828 827 829 828 #endif /* KRB5 */ 830 diff - -speed-large-files --minimal -Nru openssh-5.8p1/gss-serv.c openssh-5.8p1.new/gss-serv.c831 --- openssh- 5.8p1/gss-serv.c 2008-05-19 07:05:07.000000000 +0200832 +++ openssh- 5.8p1.new/gss-serv.c 2011-02-12 18:07:11.135178913 +0100829 diff -Nrup openssh-6.5p1/gss-serv.c openssh-6.5p1.patched/gss-serv.c 830 --- openssh-6.5p1/gss-serv.c 2013-07-19 20:35:45.000000000 -0700 831 +++ openssh-6.5p1.patched/gss-serv.c 2014-02-15 16:50:46.000000000 -0800 833 832 @@ -1,7 +1,7 @@ 834 /* $OpenBSD: gss-serv.c,v 1.2 2 2008/05/08 12:02:23 djm Exp $ */833 /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */ 835 834 836 835 /* 837 836 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. … … 862 861 863 862 #ifdef KRB5 864 863 extern ssh_gssapi_mech gssapi_kerberos_mech; 865 @@ -81,25 +86,32 @@ 864 @@ -81,25 +86,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) 866 865 char lname[MAXHOSTNAMELEN]; 867 866 gss_OID_set oidset; 868 867 … … 871 870 + if (options.gss_strict_acceptor) { 872 871 + gss_create_empty_oid_set(&status, &oidset); 873 872 + gss_add_oid_set_member(&status, ctx->oid, &oidset); 873 + 874 + if (gethostname(lname, MAXHOSTNAMELEN)) { 875 + gss_release_oid_set(&status, &oidset); 876 + return (-1); 877 + } 874 878 875 879 - if (gethostname(lname, MAXHOSTNAMELEN)) { 876 880 - gss_release_oid_set(&status, &oidset); 877 881 - return (-1); 878 882 - } 879 + if (gethostname(lname, MAXHOSTNAMELEN)) {880 + gss_release_oid_set(&status, &oidset);881 + return (-1);882 + }883 +884 883 + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { 885 884 + gss_release_oid_set(&status, &oidset); 886 885 + return (ctx->major); … … 909 908 } 910 909 911 910 /* Privileged */ 912 @@ -114,6 +126,29 @@ 911 @@ -114,6 +126,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss 913 912 } 914 913 915 914 /* Unprivileged */ … … 939 938 void 940 939 ssh_gssapi_supported_oids(gss_OID_set *oidset) 941 940 { 942 @@ -123,7 +158,9 @@ 941 @@ -123,7 +158,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o 943 942 gss_OID_set supported; 944 943 945 944 gss_create_empty_oid_set(&min_status, oidset); … … 950 949 951 950 while (supported_mechs[i]->name != NULL) { 952 951 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 953 @@ -24 7,8 +284,48 @@952 @@ -249,8 +286,48 @@ OM_uint32 954 953 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 955 954 { 956 955 int i = 0; 957 956 + int equal = 0; 958 957 + gss_name_t new_name = GSS_C_NO_NAME; 959 958 + gss_buffer_desc ename = GSS_C_EMPTY_BUFFER; 960 961 - gss_buffer_desc ename; 959 + 962 960 + if (options.gss_store_rekey && client->used && ctx->client_creds) { 963 961 + if (client->mech->oid.length != ctx->oid->length || 964 962 + (memcmp(client->mech->oid.elements, … … 976 974 + 977 975 + ctx->major = gss_compare_name(&ctx->minor, client->name, 978 976 + new_name, &equal); 979 + 977 978 - gss_buffer_desc ename; 980 979 + if (GSS_ERROR(ctx->major)) { 981 980 + ssh_gssapi_error(ctx); 982 981 + return (ctx->major); … … 1000 999 1001 1000 client->mech = NULL; 1002 1001 1003 @@ -26 3,6 +340,13 @@1002 @@ -265,6 +342,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g 1004 1003 if (client->mech == NULL) 1005 1004 return GSS_S_FAILURE; 1006 1005 … … 1014 1013 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1015 1014 &client->displayname, NULL))) { 1016 1015 ssh_gssapi_error(ctx); 1017 @@ -28 0,6 +364,8 @@1016 @@ -282,6 +366,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g 1018 1017 return (ctx->major); 1019 1018 } 1020 1019 … … 1023 1022 /* We can't copy this structure, so we just move the pointer to it */ 1024 1023 client->creds = ctx->client_creds; 1025 1024 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1026 @@ -32 7,7 +413,7 @@1025 @@ -329,7 +415,7 @@ ssh_gssapi_do_child(char ***envp, u_int 1027 1026 1028 1027 /* Privileged */ 1029 1028 int … … 1032 1031 { 1033 1032 OM_uint32 lmin; 1034 1033 1035 @@ -33 7,9 +423,11 @@1034 @@ -339,9 +425,11 @@ ssh_gssapi_userok(char *user) 1036 1035 return 0; 1037 1036 } 1038 1037 if (gssapi_client.mech && gssapi_client.mech->userok) … … 1046 1045 /* Destroy delegated credentials if userok fails */ 1047 1046 gss_release_buffer(&lmin, &gssapi_client.displayname); 1048 1047 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1049 @@ -35 2,14 +440,90 @@1048 @@ -354,14 +442,90 @@ ssh_gssapi_userok(char *user) 1050 1049 return (0); 1051 1050 } 1052 1051 … … 1143 1142 } 1144 1143 1145 1144 #endif 1146 diff --speed-large-files --minimal -Nru openssh-5.8p1/kex.c openssh-5.8p1.new/kex.c 1147 --- openssh-5.8p1/kex.c 2010-09-24 14:11:14.000000000 +0200 1148 +++ openssh-5.8p1.new/kex.c 2011-02-12 18:07:11.149564726 +0100 1149 @@ -50,6 +50,10 @@ 1150 #include "monitor.h" 1145 diff -Nrup openssh-6.5p1/kex.c openssh-6.5p1.patched/kex.c 1146 --- openssh-6.5p1/kex.c 2014-01-25 14:38:04.000000000 -0800 1147 +++ openssh-6.5p1.patched/kex.c 2014-02-15 17:24:33.000000000 -0800 1148 @@ -51,6 +51,10 @@ 1151 1149 #include "roaming.h" 1150 #include "digest.h" 1152 1151 1153 1152 +#ifdef GSSAPI 1154 1153 +#include "ssh-gss.h" … … 1157 1156 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1158 1157 # if defined(HAVE_EVP_SHA256) 1159 1158 # define evp_ssh_sha256 EVP_sha256 1160 @@ - 80,6 +84,11 @@1161 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },1162 { KEX_ ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512},1159 @@ -90,6 +94,11 @@ static const struct kexalg kexalgs[] = { 1160 #ifdef HAVE_EVP_SHA256 1161 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 1163 1162 #endif 1164 1163 +#ifdef GSSAPI 1165 + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },1166 + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },1167 + { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },1164 + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 1165 + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 1166 + { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 1168 1167 +#endif 1169 { NULL, -1, -1, NULL},1168 { NULL, -1, -1, -1}, 1170 1169 }; 1171 1170 1172 diff --speed-large-files --minimal -Nru openssh-5.8p1/kex.h openssh-5.8p1.new/kex.h 1173 --- openssh-5.8p1/kex.h 2010-09-24 14:11:14.000000000 +0200 1174 +++ openssh-5.8p1.new/kex.h 2011-02-12 18:07:11.161650596 +0100 1175 @@ -73,6 +73,9 @@ 1176 KEX_DH_GEX_SHA1, 1171 diff -Nrup openssh-6.5p1/kex.h openssh-6.5p1.patched/kex.h 1172 --- openssh-6.5p1/kex.h 2014-01-25 14:37:26.000000000 -0800 1173 +++ openssh-6.5p1.patched/kex.h 2014-02-15 16:52:30.000000000 -0800 1174 @@ -76,6 +76,9 @@ enum kex_exchange { 1177 1175 KEX_DH_GEX_SHA256, 1178 1176 KEX_ECDH_SHA2, 1177 KEX_C25519_SHA256, 1179 1178 + KEX_GSS_GRP1_SHA1, 1180 1179 + KEX_GSS_GRP14_SHA1, 1181 1180 + KEX_GSS_GEX_SHA1, 1182 1181 KEX_MAX 1183 1182 }; 1184 1183 1185 @@ -1 29,6 +132,12 @@1184 @@ -136,6 +139,12 @@ struct Kex { 1186 1185 int flags; 1187 const EVP_MD *evp_md;1186 int hash_alg; 1188 1187 int ec_nid; 1189 1188 +#ifdef GSSAPI 1190 1189 + int gss_deleg_creds; … … 1195 1194 char *client_version_string; 1196 1195 char *server_version_string; 1197 1196 int (*verify_host_key)(Key *); 1198 @@ -1 56,6 +165,11 @@1199 void kex ecdh_client(Kex *);1200 void kex ecdh_server(Kex *);1197 @@ -168,6 +177,11 @@ void kexecdh_server(Kex *); 1198 void kexc25519_client(Kex *); 1199 void kexc25519_server(Kex *); 1201 1200 1202 1201 +#ifdef GSSAPI 1203 1202 +void kexgss_client(Kex *); … … 1207 1206 void 1208 1207 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, 1209 1208 BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); 1210 diff - -speed-large-files --minimal -Nru openssh-5.8p1/kexgssc.c openssh-5.8p1.new/kexgssc.c1211 --- openssh- 5.8p1/kexgssc.c 1970-01-01 01:00:00.000000000 +01001212 +++ openssh- 5.8p1.new/kexgssc.c 2011-02-12 18:07:11.176741991 +01001213 @@ -0,0 +1,33 4@@1209 diff -Nrup openssh-6.5p1/kexgssc.c openssh-6.5p1.patched/kexgssc.c 1210 --- openssh-6.5p1/kexgssc.c 1969-12-31 16:00:00.000000000 -0800 1211 +++ openssh-6.5p1.patched/kexgssc.c 2014-02-15 17:17:35.000000000 -0800 1212 @@ -0,0 +1,339 @@ 1214 1213 +/* 1215 1214 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1216 1215 + * … … 1268 1267 + DH *dh; 1269 1268 + BIGNUM *dh_server_pub = NULL; 1270 1269 + BIGNUM *shared_secret = NULL; 1270 + Buffer shared_secret_buffer; 1271 1271 + BIGNUM *p = NULL; 1272 1272 + BIGNUM *g = NULL; 1273 1273 + u_char *kbuf, *hash; … … 1492 1492 + break; 1493 1493 + case KEX_GSS_GEX_SHA1: 1494 1494 + kexgex_hash( 1495 + kex-> evp_md,1495 + kex->hash_alg, 1496 1496 + kex->client_version_string, 1497 1497 + kex->server_version_string, 1498 1498 + buffer_ptr(&kex->my), buffer_len(&kex->my), … … 1539 1539 + else 1540 1540 + ssh_gssapi_delete_ctx(&ctxt); 1541 1541 + 1542 + kex_derive_keys(kex, hash, hashlen, shared_secret); 1542 + buffer_init(&shared_secret_buffer); 1543 + buffer_put_bignum2(&shared_secret_buffer, shared_secret); 1544 + kex_derive_keys(kex, hash, hashlen, buffer_ptr(&shared_secret_buffer), 1545 + buffer_len(&shared_secret_buffer)); 1546 + buffer_free(&shared_secret_buffer); 1543 1547 + BN_clear_free(shared_secret); 1544 1548 + kex_finish(kex); 1545 1549 +} 1546 1550 + 1547 1551 +#endif /* GSSAPI */ 1548 diff - -speed-large-files --minimal -Nru openssh-5.8p1/kexgsss.c openssh-5.8p1.new/kexgsss.c1549 --- openssh- 5.8p1/kexgsss.c 1970-01-01 01:00:00.000000000 +01001550 +++ openssh- 5.8p1.new/kexgsss.c 2011-02-12 18:07:11.186584789 +01001551 @@ -0,0 +1,2 88@@1552 diff -Nrup openssh-6.5p1/kexgsss.c openssh-6.5p1.patched/kexgsss.c 1553 --- openssh-6.5p1/kexgsss.c 1969-12-31 16:00:00.000000000 -0800 1554 +++ openssh-6.5p1.patched/kexgsss.c 2014-02-15 17:31:24.000000000 -0800 1555 @@ -0,0 +1,293 @@ 1552 1556 +/* 1553 1557 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1554 1558 + * … … 1618 1622 + DH *dh; 1619 1623 + int min = -1, max = -1, nbits = -1; 1620 1624 + BIGNUM *shared_secret = NULL; 1625 + Buffer shared_secret_buffer; 1621 1626 + BIGNUM *dh_client_pub = NULL; 1622 1627 + int type = 0; 1623 1628 + gss_OID oid; … … 1774 1779 + break; 1775 1780 + case KEX_GSS_GEX_SHA1: 1776 1781 + kexgex_hash( 1777 + kex-> evp_md,1782 + kex->hash_alg, 1778 1783 + kex->client_version_string, kex->server_version_string, 1779 1784 + buffer_ptr(&kex->peer), buffer_len(&kex->peer), 1780 1785 + buffer_ptr(&kex->my), buffer_len(&kex->my), … … 1827 1832 + 1828 1833 + DH_free(dh); 1829 1834 + 1830 + kex_derive_keys(kex, hash, hashlen, shared_secret); 1835 + buffer_init(&shared_secret_buffer); 1836 + buffer_put_bignum2(&shared_secret_buffer, shared_secret); 1837 + kex_derive_keys(kex, hash, hashlen, buffer_ptr(&shared_secret_buffer), 1838 + buffer_len(&shared_secret_buffer)); 1839 + buffer_free(&shared_secret_buffer); 1831 1840 + BN_clear_free(shared_secret); 1832 1841 + kex_finish(kex); 1833 1842 + … … 1837 1846 + ssh_gssapi_rekey_creds(); 1838 1847 +} 1839 1848 +#endif /* GSSAPI */ 1840 diff --speed-large-files --minimal -Nru openssh-5.8p1/key.c openssh-5.8p1.new/key.c 1841 --- openssh-5.8p1/key.c 2011-02-04 01:48:34.000000000 +0100 1842 +++ openssh-5.8p1.new/key.c 2011-02-12 18:07:11.202089386 +0100 1843 @@ -929,6 +929,7 @@ 1844 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 1849 diff -Nrup openssh-6.5p1/key.c openssh-6.5p1.patched/key.c 1850 --- openssh-6.5p1/key.c 2014-01-09 15:58:53.000000000 -0800 1851 +++ openssh-6.5p1.patched/key.c 2014-02-15 16:50:46.000000000 -0800 1852 @@ -979,6 +979,7 @@ static const struct keytype keytypes[] = 1845 1853 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 1854 # endif 1846 1855 #endif /* OPENSSL_HAS_ECC */ 1847 1856 + { "null", "null", KEY_NULL, 0, 0 }, 1848 1857 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", 1849 1858 KEY_RSA_CERT_V00, 0, 1 }, 1850 1859 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 1851 diff - -speed-large-files --minimal -Nru openssh-5.8p1/key.h openssh-5.8p1.new/key.h1852 --- openssh- 5.8p1/key.h 2010-11-05 00:19:49.000000000 +01001853 +++ openssh- 5.8p1.new/key.h 2011-02-12 18:07:11.216270794 +01001854 @@ -4 4,6 +44,7 @@1855 KEY_E CDSA_CERT,1860 diff -Nrup openssh-6.5p1/key.h openssh-6.5p1.patched/key.h 1861 --- openssh-6.5p1/key.h 2014-01-09 15:58:53.000000000 -0800 1862 +++ openssh-6.5p1.patched/key.h 2014-02-15 16:50:46.000000000 -0800 1863 @@ -46,6 +46,7 @@ enum types { 1864 KEY_ED25519_CERT, 1856 1865 KEY_RSA_CERT_V00, 1857 1866 KEY_DSA_CERT_V00, 1858 1867 + KEY_NULL, 1859 1868 KEY_UNSPEC 1860 1869 }; 1861 1870 enum fp_type { 1862 diff - -speed-large-files --minimal -Nru openssh-5.8p1/monitor.c openssh-5.8p1.new/monitor.c1863 --- openssh- 5.8p1/monitor.c 2010-09-10 03:23:34.000000000 +02001864 +++ openssh- 5.8p1.new/monitor.c 2011-02-12 18:07:11.241713537 +01001865 @@ -1 72,6 +172,8 @@1871 diff -Nrup openssh-6.5p1/monitor.c openssh-6.5p1.patched/monitor.c 1872 --- openssh-6.5p1/monitor.c 2013-11-06 18:32:52.000000000 -0800 1873 +++ openssh-6.5p1.patched/monitor.c 2014-02-15 16:53:04.000000000 -0800 1874 @@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer 1866 1875 int mm_answer_gss_accept_ctx(int, Buffer *); 1867 1876 int mm_answer_gss_userok(int, Buffer *); 1868 1877 int mm_answer_gss_checkmic(int, Buffer *); … … 1871 1880 #endif 1872 1881 1873 1882 #ifdef SSH_AUDIT_EVENTS 1874 @@ -2 41,6 +243,7 @@1883 @@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] 1875 1884 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 1876 1885 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 1877 1886 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, … … 1879 1888 #endif 1880 1889 #ifdef JPAKE 1881 1890 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 1882 @@ -2 53,6 +256,12 @@1891 @@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] 1883 1892 }; 1884 1893 1885 1894 struct mon_table mon_dispatch_postauth20[] = { … … 1892 1901 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 1893 1902 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 1894 1903 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 1895 @@ -3 57,6 +366,10 @@1904 @@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctx 1896 1905 /* Permit requests for moduli and signatures */ 1897 1906 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 1898 1907 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); … … 1903 1912 } else { 1904 1913 mon_dispatch = mon_dispatch_proto15; 1905 1914 1906 @@ -4 43,6 +456,10 @@1915 @@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *p 1907 1916 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 1908 1917 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 1909 1918 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); … … 1914 1923 } else { 1915 1924 mon_dispatch = mon_dispatch_postauth15; 1916 1925 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 1917 @@ -1692,6 +1709,13 @@ 1918 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 1926 @@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m) 1919 1927 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 1920 1928 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 1929 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 1921 1930 +#ifdef GSSAPI 1922 1931 + if (options.gss_keyex) { 1923 1932 + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; … … 1928 1937 kex->server = 1; 1929 1938 kex->hostkey_type = buffer_get_int(m); 1930 1939 kex->kex_type = buffer_get_int(m); 1931 @@ - 1898,6 +1922,9 @@1940 @@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer 1932 1941 OM_uint32 major; 1933 1942 u_int len; 1934 1943 … … 1938 1947 goid.elements = buffer_get_string(m, &len); 1939 1948 goid.length = len; 1940 1949 1941 @@ - 1925,6 +1952,9 @@1950 @@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe 1942 1951 OM_uint32 flags = 0; /* GSI needs this */ 1943 1952 u_int len; 1944 1953 … … 1948 1957 in.value = buffer_get_string(m, &len); 1949 1958 in.length = len; 1950 1959 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 1951 @@ - 1942,6 +1972,7 @@1960 @@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe 1952 1961 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 1953 1962 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 1954 1963 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); … … 1956 1965 } 1957 1966 return (0); 1958 1967 } 1959 @@ - 1953,6 +1984,9 @@1968 @@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer 1960 1969 OM_uint32 ret; 1961 1970 u_int len; 1962 1971 … … 1966 1975 gssbuf.value = buffer_get_string(m, &len); 1967 1976 gssbuf.length = len; 1968 1977 mic.value = buffer_get_string(m, &len); 1969 @@ - 1979,7 +2013,11 @@1978 @@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m 1970 1979 { 1971 1980 int authenticated; 1972 1981 … … 1979 1988 1980 1989 buffer_clear(m); 1981 1990 buffer_put_int(m, authenticated); 1982 @@ - 1992,6 +2030,74 @@1991 @@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m 1983 1992 /* Monitor loop will terminate if authenticated */ 1984 1993 return (authenticated); 1985 1994 } … … 2054 2063 #endif /* GSSAPI */ 2055 2064 2056 2065 #ifdef JPAKE 2057 diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor.h openssh-5.8p1.new/monitor.h 2058 --- openssh-5.8p1/monitor.h 2008-11-05 06:20:46.000000000 +0100 2059 +++ openssh-5.8p1.new/monitor.h 2011-02-12 18:07:11.311728071 +0100 2060 @@ -53,6 +53,9 @@ 2061 MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57, 2062 MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59, 2063 MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61, 2064 + 2066 diff -Nrup openssh-6.5p1/monitor.h openssh-6.5p1.patched/monitor.h 2067 --- openssh-6.5p1/monitor.h 2012-12-02 14:53:21.000000000 -0800 2068 +++ openssh-6.5p1.patched/monitor.h 2014-02-15 16:50:46.000000000 -0800 2069 @@ -62,6 +62,9 @@ enum monitor_reqtype { 2070 MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59, 2071 MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61, 2072 2065 2073 + MONITOR_REQ_GSSSIGN = 62, MONITOR_ANS_GSSSIGN = 63, 2066 2074 + MONITOR_REQ_GSSUPCREDS = 64, MONITOR_ANS_GSSUPCREDS = 65, 2067 2068 MONITOR_REQ_PAM_START = 100,2069 MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,2070 MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,2071 diff - -speed-large-files --minimal -Nru openssh-5.8p1/monitor_wrap.c openssh-5.8p1.new/monitor_wrap.c2072 --- openssh- 5.8p1/monitor_wrap.c 2010-08-31 14:41:14.000000000 +02002073 +++ openssh- 5.8p1.new/monitor_wrap.c 2011-02-12 18:07:11.359631731 +01002074 @@ -12 32,7 +1232,7 @@2075 + 2076 MONITOR_REQ_PAM_START = 100, 2077 MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, 2078 MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, 2079 diff -Nrup openssh-6.5p1/monitor_wrap.c openssh-6.5p1.patched/monitor_wrap.c 2080 --- openssh-6.5p1/monitor_wrap.c 2013-11-06 18:35:39.000000000 -0800 2081 +++ openssh-6.5p1.patched/monitor_wrap.c 2014-02-15 16:50:46.000000000 -0800 2082 @@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss 2075 2083 } 2076 2084 2077 2085 int … … 2080 2088 { 2081 2089 Buffer m; 2082 2090 int authenticated = 0; 2083 @@ -12 49,6 +1249,51 @@2091 @@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user) 2084 2092 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2085 2093 return (authenticated); 2086 2094 } … … 2132 2140 #endif /* GSSAPI */ 2133 2141 2134 2142 #ifdef JPAKE 2135 diff - -speed-large-files --minimal -Nru openssh-5.8p1/monitor_wrap.h openssh-5.8p1.new/monitor_wrap.h2136 --- openssh- 5.8p1/monitor_wrap.h 2009-03-05 14:58:22.000000000 +01002137 +++ openssh- 5.8p1.new/monitor_wrap.h 2011-02-12 18:07:11.407619296 +01002138 @@ -5 7,8 +57,10 @@2143 diff -Nrup openssh-6.5p1/monitor_wrap.h openssh-6.5p1.patched/monitor_wrap.h 2144 --- openssh-6.5p1/monitor_wrap.h 2011-06-19 21:42:23.000000000 -0700 2145 +++ openssh-6.5p1.patched/monitor_wrap.h 2014-02-15 16:50:46.000000000 -0800 2146 @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K 2139 2147 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2140 2148 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2141 2149 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); … … 2147 2155 #endif 2148 2156 2149 2157 #ifdef USE_PAM 2150 diff - -speed-large-files --minimal -Nru openssh-5.8p1/readconf.c openssh-5.8p1.new/readconf.c2151 --- openssh- 5.8p1/readconf.c 2010-11-20 05:19:38.000000000 +01002152 +++ openssh- 5.8p1.new/readconf.c 2011-02-12 18:07:11.460306621 +01002153 @@ -1 29,6 +129,8 @@2158 diff -Nrup openssh-6.5p1/readconf.c openssh-6.5p1.patched/readconf.c 2159 --- openssh-6.5p1/readconf.c 2014-01-17 05:03:57.000000000 -0800 2160 +++ openssh-6.5p1.patched/readconf.c 2014-02-15 16:50:46.000000000 -0800 2161 @@ -140,6 +140,8 @@ typedef enum { 2154 2162 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2155 2163 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2156 2164 oAddressFamily, oGssAuthentication, oGssDelegateCreds, … … 2159 2167 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2160 2168 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2161 2169 oHashKnownHosts, 2162 @@ -1 69,10 +171,19 @@2170 @@ -182,10 +184,19 @@ static struct { 2163 2171 { "afstokenpassing", oUnsupported }, 2164 2172 #if defined(GSSAPI) 2165 2173 { "gssapiauthentication", oGssAuthentication }, … … 2179 2187 #endif 2180 2188 { "fallbacktorsh", oDeprecated }, 2181 2189 { "usersh", oDeprecated }, 2182 @@ - 479,10 +490,30 @@2190 @@ -839,10 +850,30 @@ parse_time: 2183 2191 intptr = &options->gss_authentication; 2184 2192 goto parse_flag; 2185 2193 … … 2210 2218 case oBatchMode: 2211 2219 intptr = &options->batch_mode; 2212 2220 goto parse_flag; 2213 @@ -1 092,7 +1123,12 @@2221 @@ -1488,7 +1519,12 @@ initialize_options(Options * options) 2214 2222 options->pubkey_authentication = -1; 2215 2223 options->challenge_response_authentication = -1; 2216 2224 options->gss_authentication = -1; … … 2223 2231 options->password_authentication = -1; 2224 2232 options->kbd_interactive_authentication = -1; 2225 2233 options->kbd_interactive_devices = NULL; 2226 @@ -1 193,8 +1229,14 @@2234 @@ -1594,8 +1630,14 @@ fill_default_options(Options * options) 2227 2235 options->challenge_response_authentication = 1; 2228 2236 if (options->gss_authentication == -1) 2229 2237 options->gss_authentication = 0; … … 2238 2246 if (options->password_authentication == -1) 2239 2247 options->password_authentication = 1; 2240 2248 if (options->kbd_interactive_authentication == -1) 2241 diff - -speed-large-files --minimal -Nru openssh-5.8p1/readconf.h openssh-5.8p1.new/readconf.h2242 --- openssh- 5.8p1/readconf.h 2010-11-20 05:19:38.000000000 +01002243 +++ openssh- 5.8p1.new/readconf.h 2011-02-12 18:07:11.507187275 +01002244 @@ - 46,7 +46,12 @@2249 diff -Nrup openssh-6.5p1/readconf.h openssh-6.5p1.patched/readconf.h 2250 --- openssh-6.5p1/readconf.h 2013-10-16 17:48:14.000000000 -0700 2251 +++ openssh-6.5p1.patched/readconf.h 2014-02-15 16:50:46.000000000 -0800 2252 @@ -54,7 +54,12 @@ typedef struct { 2245 2253 int challenge_response_authentication; 2246 2254 /* Try S/Key or TIS, authentication. */ 2247 2255 int gss_authentication; /* Try GSS authentication */ … … 2254 2262 int password_authentication; /* Try password 2255 2263 * authentication. */ 2256 2264 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2257 diff - -speed-large-files --minimal -Nru openssh-5.8p1/servconf.c openssh-5.8p1.new/servconf.c2258 --- openssh- 5.8p1/servconf.c 2010-11-20 05:19:38.000000000 +01002259 +++ openssh- 5.8p1.new/servconf.c 2011-02-12 18:07:11.533252334 +01002260 @@ - 97,7 +97,10 @@2265 diff -Nrup openssh-6.5p1/servconf.c openssh-6.5p1.patched/servconf.c 2266 --- openssh-6.5p1/servconf.c 2013-12-06 16:24:02.000000000 -0800 2267 +++ openssh-6.5p1.patched/servconf.c 2014-02-15 16:50:46.000000000 -0800 2268 @@ -108,7 +108,10 @@ initialize_server_options(ServerOptions 2261 2269 options->kerberos_ticket_cleanup = -1; 2262 2270 options->kerberos_get_afs_token = -1; 2263 2271 options->gss_authentication=-1; … … 2268 2276 options->password_authentication = -1; 2269 2277 options->kbd_interactive_authentication = -1; 2270 2278 options->challenge_response_authentication = -1; 2271 @@ -2 26,8 +229,14 @@2279 @@ -245,8 +248,14 @@ fill_default_server_options(ServerOption 2272 2280 options->kerberos_get_afs_token = 0; 2273 2281 if (options->gss_authentication == -1) 2274 2282 options->gss_authentication = 0; … … 2283 2291 if (options->password_authentication == -1) 2284 2292 options->password_authentication = 1; 2285 2293 if (options->kbd_interactive_authentication == -1) 2286 @@ -3 22,7 +331,9 @@2294 @@ -343,7 +352,9 @@ typedef enum { 2287 2295 sBanner, sUseDNS, sHostbasedAuthentication, 2288 2296 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2289 2297 sClientAliveCountMax, sAuthorizedKeysFile, … … 2294 2302 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2295 2303 sUsePrivilegeSeparation, sAllowAgentForwarding, 2296 2304 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2297 @@ - 386,10 +397,20 @@2305 @@ -410,10 +421,20 @@ static struct { 2298 2306 #ifdef GSSAPI 2299 2307 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2300 2308 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, … … 2315 2323 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2316 2324 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2317 2325 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2318 @@ - 944,10 +965,22 @@2326 @@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions 2319 2327 intptr = &options->gss_authentication; 2320 2328 goto parse_flag; 2321 2329 … … 2338 2346 case sPasswordAuthentication: 2339 2347 intptr = &options->password_authentication; 2340 2348 goto parse_flag; 2341 @@ - 1704,7 +1737,10 @@2349 @@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o) 2342 2350 #endif 2343 2351 #ifdef GSSAPI 2344 2352 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); … … 2349 2357 #endif 2350 2358 #ifdef JPAKE 2351 2359 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, 2352 diff - -speed-large-files --minimal -Nru openssh-5.8p1/servconf.h openssh-5.8p1.new/servconf.h2353 --- openssh- 5.8p1/servconf.h 2010-11-20 05:19:38.000000000 +01002354 +++ openssh- 5.8p1.new/servconf.h 2011-02-12 18:07:11.548572408 +01002355 @@ - 97,7 +97,10 @@2360 diff -Nrup openssh-6.5p1/servconf.h openssh-6.5p1.patched/servconf.h 2361 --- openssh-6.5p1/servconf.h 2013-12-04 19:07:28.000000000 -0800 2362 +++ openssh-6.5p1.patched/servconf.h 2014-02-15 16:50:46.000000000 -0800 2363 @@ -112,7 +112,10 @@ typedef struct { 2356 2364 int kerberos_get_afs_token; /* If true, try to get AFS token if 2357 2365 * authenticated with Kerberos. */ 2358 2366 int gss_authentication; /* If true, permit GSSAPI authentication */ … … 2363 2371 int password_authentication; /* If true, permit password 2364 2372 * authentication. */ 2365 2373 int kbd_interactive_authentication; /* If true, permit */ 2366 diff - -speed-large-files --minimal -Nru openssh-5.8p1/ssh-gss.h openssh-5.8p1.new/ssh-gss.h2367 --- openssh- 5.8p1/ssh-gss.h 2007-06-12 15:40:39.000000000 +02002368 +++ openssh- 5.8p1.new/ssh-gss.h 2011-02-12 18:07:11.567306608 +01002374 diff -Nrup openssh-6.5p1/ssh-gss.h openssh-6.5p1.patched/ssh-gss.h 2375 --- openssh-6.5p1/ssh-gss.h 2013-02-24 16:24:44.000000000 -0800 2376 +++ openssh-6.5p1.patched/ssh-gss.h 2014-02-15 16:50:46.000000000 -0800 2369 2377 @@ -1,6 +1,6 @@ 2370 2378 /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ 2371 2379 /* … … 2374 2382 * 2375 2383 * Redistribution and use in source and binary forms, with or without 2376 2384 * modification, are permitted provided that the following conditions 2377 @@ -6 0,10 +60,22 @@2385 @@ -61,10 +61,22 @@ 2378 2386 2379 2387 #define SSH_GSS_OIDTYPE 0x06 2380 2388 … … 2397 2405 void *data; 2398 2406 } ssh_gssapi_ccache; 2399 2407 2400 @@ -7 1,8 +83,11 @@2408 @@ -72,8 +84,11 @@ typedef struct { 2401 2409 gss_buffer_desc displayname; 2402 2410 gss_buffer_desc exportedname; 2403 2411 gss_cred_id_t creds; … … 2409 2417 } ssh_gssapi_client; 2410 2418 2411 2419 typedef struct ssh_gssapi_mech_struct { 2412 @@ -8 3,6 +98,7 @@2420 @@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct { 2413 2421 int (*userok) (ssh_gssapi_client *, char *); 2414 2422 int (*localname) (ssh_gssapi_client *, char **); 2415 2423 void (*storecreds) (ssh_gssapi_client *); … … 2417 2425 } ssh_gssapi_mech; 2418 2426 2419 2427 typedef struct { 2420 @@ -9 3,10 +109,11 @@2428 @@ -94,10 +110,11 @@ typedef struct { 2421 2429 gss_OID oid; /* client */ 2422 2430 gss_cred_id_t creds; /* server */ 2423 2431 gss_name_t client; /* server */ … … 2430 2438 2431 2439 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 2432 2440 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 2433 @@ -11 6,16 +133,30 @@2441 @@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **); 2434 2442 void ssh_gssapi_delete_ctx(Gssctxt **); 2435 2443 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 2436 2444 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); … … 2463 2471 #endif /* GSSAPI */ 2464 2472 2465 2473 #endif /* _SSH_GSS_H */ 2466 diff - -speed-large-files --minimal -Nru openssh-5.8p1/ssh_config openssh-5.8p1.new/ssh_config2467 --- openssh- 5.8p1/ssh_config 2010-01-12 09:40:27.000000000 +01002468 +++ openssh- 5.8p1.new/ssh_config 2011-02-12 18:07:11.580240516 +01002474 diff -Nrup openssh-6.5p1/ssh_config openssh-6.5p1.patched/ssh_config 2475 --- openssh-6.5p1/ssh_config 2013-10-09 16:24:12.000000000 -0700 2476 +++ openssh-6.5p1.patched/ssh_config 2014-02-15 16:50:46.000000000 -0800 2469 2477 @@ -26,6 +26,8 @@ 2470 2478 # HostbasedAuthentication no 2471 2479 # GSSAPIAuthentication no … … 2475 2483 # BatchMode no 2476 2484 # CheckHostIP yes 2477 2485 # AddressFamily any 2478 diff - -speed-large-files --minimal -Nru openssh-5.8p1/ssh_config.5 openssh-5.8p1.new/ssh_config.52479 --- openssh- 5.8p1/ssh_config.5 2010-12-26 04:26:48.000000000 +01002480 +++ openssh- 5.8p1.new/ssh_config.5 2011-02-12 18:07:11.600266821 +01002481 @@ - 508,11 +508,43 @@2486 diff -Nrup openssh-6.5p1/ssh_config.5 openssh-6.5p1.patched/ssh_config.5 2487 --- openssh-6.5p1/ssh_config.5 2014-01-19 03:36:14.000000000 -0800 2488 +++ openssh-6.5p1.patched/ssh_config.5 2014-02-15 16:50:46.000000000 -0800 2489 @@ -676,11 +676,43 @@ Specifies whether user authentication ba 2482 2490 The default is 2483 2491 .Dq no . 2484 2492 Note that this option applies to protocol version 2 only. … … 2523 2531 .It Cm HashKnownHosts 2524 2532 Indicates that 2525 2533 .Xr ssh 1 2526 diff - -speed-large-files --minimal -Nru openssh-5.8p1/sshconnect2.c openssh-5.8p1.new/sshconnect2.c2527 --- openssh- 5.8p1/sshconnect2.c 2010-12-01 02:21:51.000000000 +01002528 +++ openssh- 5.8p1.new/sshconnect2.c 2011-02-12 18:07:11.623078773 +01002529 @@ -1 59,9 +159,34 @@2534 diff -Nrup openssh-6.5p1/sshconnect2.c openssh-6.5p1.patched/sshconnect2.c 2535 --- openssh-6.5p1/sshconnect2.c 2014-01-09 15:58:53.000000000 -0800 2536 +++ openssh-6.5p1.patched/sshconnect2.c 2014-02-15 16:54:12.000000000 -0800 2537 @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho 2530 2538 { 2531 2539 Kex *kex; 2532 2540 … … 2561 2569 if (options.ciphers == (char *)-1) { 2562 2570 logit("No valid ciphers for protocol version 2 given, using defaults."); 2563 2571 options.ciphers = NULL; 2564 @@ -19 6,6 +221,17 @@2572 @@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho 2565 2573 if (options.kex_algorithms != NULL) 2566 2574 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2567 2575 … … 2578 2586 + 2579 2587 if (options.rekey_limit || options.rekey_interval) 2580 2588 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2581 2582 @@ -20 6,10 +242,30 @@2589 (time_t)options.rekey_interval); 2590 @@ -209,11 +245,31 @@ ssh_kex2(char *host, struct sockaddr *ho 2583 2591 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2584 2592 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2585 2593 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; … … 2590 2598 + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; 2591 2599 + } 2592 2600 +#endif 2601 kex->kex[KEX_C25519_SHA256] = kexc25519_client; 2593 2602 kex->client_version_string=client_version_string; 2594 2603 kex->server_version_string=server_version_string; 2595 2604 kex->verify_host_key=&verify_host_key_callback; … … 2603 2612 + kex->gss_host = options.gss_server_identity; 2604 2613 + } else { 2605 2614 + kex->gss_host = gss_host; 2606 + 2615 + } 2607 2616 + } 2608 2617 +#endif 2609 2618 + 2610 2619 xxx_kex = kex; 2611 2620 2612 2621 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2613 @@ -30 4,6 +360,7 @@2622 @@ -309,6 +365,7 @@ void input_gssapi_token(int type, u_int3 2614 2623 void input_gssapi_hash(int type, u_int32_t, void *); 2615 2624 void input_gssapi_error(int, u_int32_t, void *); 2616 2625 void input_gssapi_errtok(int, u_int32_t, void *); … … 2618 2627 #endif 2619 2628 2620 2629 void userauth(Authctxt *, char *); 2621 @@ -3 19,6 +376,11 @@2630 @@ -324,6 +381,11 @@ static char *authmethods_get(void); 2622 2631 2623 2632 Authmethod authmethods[] = { 2624 2633 #ifdef GSSAPI … … 2630 2639 {"gssapi-with-mic", 2631 2640 userauth_gssapi, 2632 2641 NULL, 2633 @@ -62 5,19 +687,31 @@2642 @@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt) 2634 2643 static u_int mech = 0; 2635 2644 OM_uint32 min; 2636 2645 int ok = 0; … … 2664 2673 ok = 1; /* Mechanism works */ 2665 2674 } else { 2666 2675 mech++; 2667 @@ -73 4,8 +808,8 @@2676 @@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_ 2668 2677 { 2669 2678 Authctxt *authctxt = ctxt; 2670 2679 Gssctxt *gssctxt; … … 2675 2684 2676 2685 if (authctxt == NULL) 2677 2686 fatal("input_gssapi_response: no authentication context"); 2678 @@ -84 5,6 +919,48 @@2687 @@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t p 2679 2688 free(msg); 2680 2689 free(lang); 2681 2690 } … … 2724 2733 #endif /* GSSAPI */ 2725 2734 2726 2735 int 2727 diff - -speed-large-files --minimal -Nru openssh-5.8p1/sshd.c openssh-5.8p1.new/sshd.c2728 --- openssh- 5.8p1/sshd.c 2011-01-11 07:20:31.000000000 +01002729 +++ openssh- 5.8p1.new/sshd.c 2011-02-12 18:07:11.656005267 +01002730 @@ -12 0,6 +120,10 @@2731 #include " roaming.h"2736 diff -Nrup openssh-6.5p1/sshd.c openssh-6.5p1.patched/sshd.c 2737 --- openssh-6.5p1/sshd.c 2014-01-27 20:08:13.000000000 -0800 2738 +++ openssh-6.5p1.patched/sshd.c 2014-02-15 16:54:54.000000000 -0800 2739 @@ -122,6 +122,10 @@ 2740 #include "ssh-sandbox.h" 2732 2741 #include "version.h" 2733 2742 2734 2743 +#ifdef USE_SECURITY_SESSION_API … … 2738 2747 #ifdef LIBWRAP 2739 2748 #include <tcpd.h> 2740 2749 #include <syslog.h> 2741 @@ -1 590,10 +1594,13 @@2750 @@ -1721,10 +1725,13 @@ main(int ac, char **av) 2742 2751 logit("Disabling protocol version 1. Could not load host key"); 2743 2752 options.protocol &= ~SSH_PROTO_1; 2744 2753 } … … 2752 2761 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2753 2762 logit("sshd: no hostkeys available -- exiting."); 2754 2763 exit(1); 2755 @@ - 1922,6 +1929,60 @@2756 /* Log the connection. */2757 verbose("Connection from %.500s port %d", remote_ip, remote_port);2764 @@ -2051,6 +2058,60 @@ main(int ac, char **av) 2765 remote_ip, remote_port, 2766 get_local_ipaddr(sock_in), get_local_port()); 2758 2767 2759 2768 +#ifdef USE_SECURITY_SESSION_API 2760 2769 + /* … … 2813 2822 /* 2814 2823 * We don't want to listen forever unless the other side 2815 2824 * successfully authenticates itself. So we set up an alarm which is 2816 @@ -2 303,6 +2364,48 @@2817 2818 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();2825 @@ -2456,6 +2517,48 @@ do_ssh2_kex(void) 2826 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 2827 list_hostkey_types()); 2819 2828 2820 2829 +#ifdef GSSAPI 2821 2830 + { … … 2862 2871 /* start key exchange */ 2863 2872 kex = kex_setup(myproposal); 2864 2873 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 2865 @@ -2310,6 +2413,13 @@ 2866 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2874 @@ -2464,6 +2567,13 @@ do_ssh2_kex(void) 2867 2875 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2868 2876 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2877 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2869 2878 +#ifdef GSSAPI 2870 2879 + if (options.gss_keyex) { 2871 2880 + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; … … 2876 2885 kex->server = 1; 2877 2886 kex->client_version_string=client_version_string; 2878 2887 kex->server_version_string=server_version_string; 2879 diff - -speed-large-files --minimal -Nru openssh-5.8p1/sshd_config openssh-5.8p1.new/sshd_config2880 --- openssh- 5.8p1/sshd_config 2010-09-10 03:20:12.000000000 +02002881 +++ openssh- 5.8p1.new/sshd_config 2011-02-12 18:07:11.668077725 +01002882 @@ - 72,6 +72,8 @@2888 diff -Nrup openssh-6.5p1/sshd_config openssh-6.5p1.patched/sshd_config 2889 --- openssh-6.5p1/sshd_config 2014-01-12 00:20:47.000000000 -0800 2890 +++ openssh-6.5p1.patched/sshd_config 2014-02-15 16:50:46.000000000 -0800 2891 @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys 2883 2892 # GSSAPI options 2884 2893 #GSSAPIAuthentication no 2885 2894 #GSSAPICleanupCredentials yes 2886 2895 +#GSSAPIStrictAcceptorCheck yes 2887 2896 +#GSSAPIKeyExchange no 2888 2897 2889 # Set this to 'yes' to enable PAM authentication, account processing, 2890 # and session processing. If this is enabled, PAM authentication will 2891 diff - -speed-large-files --minimal -Nru openssh-5.8p1/sshd_config.5 openssh-5.8p1.new/sshd_config.52892 --- openssh- 5.8p1/sshd_config.5 2010-12-26 04:26:48.000000000 +01002893 +++ openssh- 5.8p1.new/sshd_config.5 2011-02-12 18:07:11.685676774 +01002894 @@ -4 23,12 +423,40 @@2898 # Set this to 'yes' to enable PAM authentication, account processing, 2899 # and session processing. If this is enabled, PAM authentication will 2900 diff -Nrup openssh-6.5p1/sshd_config.5 openssh-6.5p1.patched/sshd_config.5 2901 --- openssh-6.5p1/sshd_config.5 2013-12-17 22:47:03.000000000 -0800 2902 +++ openssh-6.5p1.patched/sshd_config.5 2014-02-15 16:50:46.000000000 -0800 2903 @@ -493,12 +493,40 @@ Specifies whether user authentication ba 2895 2904 The default is 2896 2905 .Dq no . 2897 2906 Note that this option applies to protocol version 2 only.