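--- a/openssh-7.4p1/gss-serv-krb5.c
+++ b/openssh-7.4p1/gss-serv-krb5.c
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	FILE *fp;
 	char file[MAXPATHLEN];
 	char line[BUFSIZ];
-	char kuser[65]; /* match krb5_kuserok() */
 	struct stat st;
 	struct passwd *pw = the_authctxt->pw;
 	int found_principal = 0;
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
 	/* If both .k5login and .k5users DNE, self-login is ok. */
-	if (!k5login_exists && (access(file, F_OK) == -1)) {
+	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
                 return ssh_krb5_kuserok(krb_context, principal, luser,
                                         k5login_exists);
 	}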
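Review bot: The comment kept above the rewritten condition, `/* If both .k5login and .k5users DNE, self-login is ok. */`, no longer describes it: with GSSAPIEnablek5users off the branch is taken regardless of whether either file exists, so it should read something like `/* .k5users disabled, or neither .k5login nor .k5users exists: defer to kuserok. */`. The new line also departs from the file's KNF style with a stray space after `(` and runs well past 80 columns; `if (!options.enable_k5users ||` followed by `    (!k5login_exists && access(file, F_OK) == -1)) {` keeps the same logic. The hunk relies on a `ServerOptions options` being visible in this translation unit, which nothing shown here declares, so that is worth confirming against the top of the file. ssh_gssapi_krb5_cmdok starts and ends outside both hunks.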
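--- a/openssh-7.4p1/servconf.c
+++ b/openssh-7.4p1/servconf.c
@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->use_kuserok = -1;
+	options->enable_k5users = -1;
 	options->fingerprint_hash = -1;
 	options->disable_forwarding = -1;
 }
@@ -337,6 +338,8 @@ fill_default_server_options(ServerOption
 		options->show_patchlevel = 0;
 	if (options->use_kuserok == -1)
 		options->use_kuserok = 1;
+	if (options->enable_k5users == -1)
+		options->enable_k5users = 0;
 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 		options->fwd_opts.streamlocal_bind_mask = 0177;
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -418,7 +421,7 @@ typedef enum {
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
 	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -497,12 +500,14 @@ static struct {
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
 #endif
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->use_kuserok;
 		goto parse_flag;
 
+	case sGssEnablek5users:
+		intptr = &options->enable_k5users;
+		goto parse_flag;
+
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(use_kuserok);
+	M_CP_INTOPT(enable_k5users);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
 
@@ -2319,6 +2329,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 
 	/* string arguments */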
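Review bot: The default set in the fill_default_server_options hunk, `options->enable_k5users = 0`, is what makes the gss-serv-krb5.c change stop consulting ~/.k5users on every server that does not set the new keyword, and nothing in the hunk records that this is deliberate; a one-liner above it such as `/* Off by default: ~/.k5users extends the kuserok() decision, see ssh_gssapi_krb5_cmdok(). */` would keep a later reader from "fixing" it back to 1 to match use_kuserok. Separately, `sGssEnablek5users` / `GSSAPIEnablek5users` mixes CamelCase with a lower-case suffix, unlike its neighbours `sGssStrictAcceptor`, `GSSAPIStrictAcceptorCheck` and `KerberosUseKuserok`; `sGssEnableK5users` / `GSSAPIEnableK5users` would match, and the lower-case lookup key `gssapienablek5users` is unaffected either way. The table, parse_flag, copy_set_server_options and dump_config entries are otherwise wired the same way as use_kuserok, which is what one would expect. Every enclosing function and the option enum start and end outside these hunks.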
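--- a/openssh-7.4p1/servconf.h
+++ b/openssh-7.4p1/servconf.h
@@ -174,7 +174,8 @@ typedef struct {
 
 	int	num_permitted_opens;
 
-	int	use_kuserok;
+	int		use_kuserok;
+	int		enable_k5users;
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;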
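Review bot: The `use_kuserok` member is only re-tabbed (one tab to two), which turns an unchanged field into a deletion plus addition and hides the real change; leaving `int	use_kuserok;` as it was keeps the hunk to the new member alone. The new field would also benefit from a trailing comment tying it to its keyword and consumer, e.g. `int	enable_k5users;	/* GSSAPIEnablek5users: consult ~/.k5users, gss-serv-krb5.c */`. The ServerOptions typedef starts and ends outside the hunk.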
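--- a/openssh-7.4p1/sshd_config.5
+++ b/openssh-7.4p1/sshd_config.5
@@ -633,6 +633,12 @@ Specifies whether key exchange based on
 doesn't rely on ssh keys to verify host identity.
 The default is
 .Dq no .
+.It Cm GSSAPIEnablek5users
+Specifies whether to look at .k5users file for GSSAPI authentication
+access control. Further details are described in
+.Xr ksu 1 .
+The default is
+.Cm no .
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.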
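--- a/openssh-7.4p1/sshd_config
+++ b/openssh-7.4p1/sshd_config
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
 GSSAPICleanupCredentials no
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will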
