http://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
Index: readconf.c
===================================================================
RCS file: /cvs/openssh/readconf.c,v
retrieving revision 1.135
diff -u -r1.135 readconf.c
--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
+++ readconf.c 19 Aug 2006 11:59:52 -0000
@@ -126,6 +126,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -163,9 +164,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -444,6 +447,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1010,6 +1017,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1100,6 +1108,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
Index: readconf.h
===================================================================
RCS file: /cvs/openssh/readconf.h,v
retrieving revision 1.63
diff -u -r1.63 readconf.h
--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
+++ readconf.h 19 Aug 2006 11:59:52 -0000
@@ -45,6 +45,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
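Review bot: The new field's comment says what the flag does but not that it is a security-sensitive switch; unlike the neighbouring flags, this one appears to change which host name — and hence which service principal — the client authenticates to, and a maintainer reading readconf.h alone should see that. Suggest `int gss_trust_dns; /* Trust DNS to canonicalize the GSS target host; security-sensitive, default 0 (no) */`, which matches the default set in the readconf.c hunks. The struct definition starts before this hunk.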
Index: ssh_config.5
===================================================================
RCS file: /cvs/openssh/ssh_config.5,v
retrieving revision 1.97
diff -u -r1.97 ssh_config.5
--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
+++ ssh_config.5 19 Aug 2006 11:59:53 -0000
@@ -483,7 +483,16 @@
Forward (delegate) credentials to the server.
The default is
.Dq no .
-Note that this option applies to protocol version 2 only.
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
Index: sshconnect2.c
===================================================================
RCS file: /cvs/openssh/sshconnect2.c,v
retrieving revision 1.151
diff -u -r1.151 sshconnect2.c
--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
@@ -499,6 +499,12 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns)
+ gss_host = get_canonical_hostname(1);
+ else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
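Review bot: With `gss_trust_dns` set, the name handed to GSSAPI is whatever `get_canonical_hostname(1)` returns rather than the name the user typed, so the service principal the client requests a ticket for is steered by DNS; nothing in this hunk records that trust decision, and a reader of sshconnect2.c cannot see that it is only acceptable because the option defaults to off (readconf.c) and the man page tells the user DNS must be trusted. Add a why-comment above the `if`, e.g. `/* GSSAPITrustDns: target principal comes from the DNS-canonicalized peer name; keep off unless the resolver path is trusted (see ssh_config.5) */`. What `get_canonical_hostname()` yields when canonicalization fails is not visible here — presumably not `authctxt->host` — so that fallback should be confirmed and noted as well. The same `gss_host` is consumed in the second sshconnect2.c hunk, and the enclosing function begins before this hunk.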
@@ -511,7 +517,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;