Ticket #32475: openssh_gss_api_trust_dns.patch

File openssh_gss_api_trust_dns.patch, 5.2 KB (added by david.abdurachmanov@…, 13 years ago)

Patch modifying openssh Portfile and adding new patch (GSSAPITrustDNS)

  • Portfile

    diff -rupN openssh.orig/Portfile openssh/Portfile
    old new variant no_x11 description "do not inclu 
    7272  depends_run-delete    port:xauth
    7373}
    7474
     75variant gss_api_trust_dns description "Enable GSSAPITrustDNS SSH configuration keyword" {
     76  patchfiles-append GSSAPITrustDNS.patch
     77}
     78
    7579# For high-performance patch
    7680# re-enable when patch for current version is available
    7781#variant hpn description "apply high performance patch" {
  • files/GSSAPITrustDNS.patch

    diff -rupN openssh.orig/files/GSSAPITrustDNS.patch openssh/files/GSSAPITrustDNS.patch
    old new  
     1Index: readconf.c
     2===================================================================
     3RCS file: /cvs/openssh/readconf.c,v
     4retrieving revision 1.135
     5diff -u -r1.135 readconf.c
     6--- readconf.c  5 Aug 2006 02:39:40 -0000       1.135
     7+++ readconf.c  19 Aug 2006 11:59:52 -0000
     8@@ -126,6 +126,7 @@
     9        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
     10        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
     11        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
     12+       oGssTrustDns,
     13        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
     14        oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
     15        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
     16@@ -163,9 +164,11 @@
     17 #if defined(GSSAPI)
     18        { "gssapiauthentication", oGssAuthentication },
     19        { "gssapidelegatecredentials", oGssDelegateCreds },
     20+       { "gssapitrustdns", oGssTrustDns },
     21 #else
     22        { "gssapiauthentication", oUnsupported },
     23        { "gssapidelegatecredentials", oUnsupported },
     24+       { "gssapitrustdns", oUnsupported },
     25 #endif
     26        { "fallbacktorsh", oDeprecated },
     27        { "usersh", oDeprecated },
     28@@ -444,6 +447,10 @@
     29                intptr = &options->gss_deleg_creds;
     30                goto parse_flag;
     31 
     32+       case oGssTrustDns:
     33+               intptr = &options->gss_trust_dns;
     34+               goto parse_flag;
     35+
     36        case oBatchMode:
     37                intptr = &options->batch_mode;
     38                goto parse_flag;
     39@@ -1010,6 +1017,7 @@
     40        options->challenge_response_authentication = -1;
     41        options->gss_authentication = -1;
     42        options->gss_deleg_creds = -1;
     43+       options->gss_trust_dns = -1;
     44        options->password_authentication = -1;
     45        options->kbd_interactive_authentication = -1;
     46        options->kbd_interactive_devices = NULL;
     47@@ -1100,6 +1108,8 @@
     48                options->gss_authentication = 0;
     49        if (options->gss_deleg_creds == -1)
     50                options->gss_deleg_creds = 0;
     51+       if (options->gss_trust_dns == -1)
     52+               options->gss_trust_dns = 0;
     53        if (options->password_authentication == -1)
     54                options->password_authentication = 1;
     55        if (options->kbd_interactive_authentication == -1)
     56Index: readconf.h
     57===================================================================
     58RCS file: /cvs/openssh/readconf.h,v
     59retrieving revision 1.63
     60diff -u -r1.63 readconf.h
     61--- readconf.h  5 Aug 2006 02:39:40 -0000       1.63
     62+++ readconf.h  19 Aug 2006 11:59:52 -0000
     63@@ -45,6 +45,7 @@
     64                                        /* Try S/Key or TIS, authentication. */
     65        int     gss_authentication;     /* Try GSS authentication */
     66        int     gss_deleg_creds;        /* Delegate GSS credentials */
     67+       int     gss_trust_dns;          /* Trust DNS for GSS canonicalization */
     68        int     password_authentication;        /* Try password
     69                                                 * authentication. */
     70        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
     71Index: ssh_config.5
     72===================================================================
     73RCS file: /cvs/openssh/ssh_config.5,v
     74retrieving revision 1.97
     75diff -u -r1.97 ssh_config.5
     76--- ssh_config.5        5 Aug 2006 01:34:51 -0000       1.97
     77+++ ssh_config.5        19 Aug 2006 11:59:53 -0000
     78@@ -483,7 +483,16 @@
     79 Forward (delegate) credentials to the server.
     80 The default is
     81 .Dq no .
     82-Note that this option applies to protocol version 2 only.
     83+Note that this option applies to protocol version 2 connections using GSSAPI.
     84+.It Cm GSSAPITrustDns
     85+Set to
     86+.Dq yes to indicate that the DNS is trusted to securely canonicalize
     87+the name of the host being connected to. If
     88+.Dq no, the hostname entered on the
     89+command line will be passed untouched to the GSSAPI library.
     90+The default is
     91+.Dq no .
     92+This option only applies to protocol version 2 connections using GSSAPI.
     93 .It Cm HashKnownHosts
     94 Indicates that
     95 .Xr ssh 1
     96Index: sshconnect2.c
     97===================================================================
     98RCS file: /cvs/openssh/sshconnect2.c,v
     99retrieving revision 1.151
     100diff -u -r1.151 sshconnect2.c
     101--- sshconnect2.c       18 Aug 2006 14:33:34 -0000      1.151
     102+++ sshconnect2.c       19 Aug 2006 11:59:53 -0000
     103@@ -499,6 +499,12 @@
     104        static u_int mech = 0;
     105        OM_uint32 min;
     106        int ok = 0;
     107+       const char *gss_host;
     108+
     109+       if (options.gss_trust_dns)
     110+               gss_host = get_canonical_hostname(1);
     111+       else
     112+               gss_host = authctxt->host;
     113 
     114        /* Try one GSSAPI method at a time, rather than sending them all at
     115         * once. */
     116@@ -511,7 +517,7 @@
     117                /* My DER encoding requires length<128 */
     118                if (gss_supported->elements[mech].length < 128 &&
     119                    ssh_gssapi_check_mechanism(&gssctxt,
     120-                   &gss_supported->elements[mech], authctxt->host)) {
     121+                   &gss_supported->elements[mech], gss_host)) {
     122                        ok = 1; /* Mechanism works */
     123                } else {
     124                        mech++;