diff options
| author | Ed Maste <emaste@FreeBSD.org> | 2021-09-08 01:05:51 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2022-02-09 19:53:11 +0000 |
| commit | 317a38ab65334cbd24bd020b20b11041423d142f (patch) | |
| tree | 4589b448f2eb7a5fd1a77c073e24060d8fdc0451 /crypto/openssh/auth2-gss.c | |
| parent | bbe50accc9ee80dd6b2636d8648c9748a3bfb30c (diff) | |
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
(cherry picked from commit 19261079b74319502c6ffa1249920079f0f69a72)
(cherry picked from commit f448c3ed4ae1281861913a56377f9d93d49f8e8e)
(cherry picked from commit 1f290c707a19d1695c303e6c8ead9cc414ccc6dc)
(cherry picked from commit 0f9bafdfc325779e4ecc5154d5bb06c752297138)
(cherry picked from commit adb56e58e8db84d8087ebe3d3e7def0074cb5a90)
(cherry picked from commit 576b58108c1723c85e4dd00355e29bfe301dab11)
(cherry picked from commit 1c99af1ebe61cbaf633792941640dcd254acf921)
(cherry picked from commit 87152f34054921632016bc5eb4ab9f836fbaa522)
(cherry picked from commit 172fa4aa7577915bf5ace5783251821d3774dc05)
Diffstat (limited to 'crypto/openssh/auth2-gss.c')
| -rw-r--r-- | crypto/openssh/auth2-gss.c | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/crypto/openssh/auth2-gss.c b/crypto/openssh/auth2-gss.c index 9351e042819f..60e36961ce0a 100644 --- a/crypto/openssh/auth2-gss.c +++ b/crypto/openssh/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -44,6 +44,7 @@ #include "misc.h" #include "servconf.h" #include "packet.h" +#include "kex.h" #include "ssh-gss.h" #include "monitor_wrap.h" @@ -71,7 +72,7 @@ userauth_gssapi(struct ssh *ssh) u_char *doid = NULL; if ((r = sshpkt_get_u32(ssh, &mechs)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse packet"); if (mechs == 0) { debug("Mechanism negotiation is not supported"); @@ -85,7 +86,7 @@ userauth_gssapi(struct ssh *ssh) present = 0; if ((r = sshpkt_get_string(ssh, &doid, &len)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse oid"); if (len > 2 && doid[0] == SSH_GSS_OIDTYPE && doid[1] == len - 2) { @@ -104,7 +105,7 @@ userauth_gssapi(struct ssh *ssh) } if (!authctxt->valid || authctxt->user == NULL) { - debug2("%s: disabled because of invalid user", __func__); + debug2_f("disabled because of invalid user"); free(doid); return (0); } @@ -123,7 +124,7 @@ userauth_gssapi(struct ssh *ssh) if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_GSSAPI_RESPONSE)) != 0 || (r = sshpkt_put_string(ssh, doid, len)) != 0 || (r = sshpkt_send(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "send packet"); free(doid); @@ -152,7 +153,7 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh) gssctxt = authctxt->methoddata; if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || (r = sshpkt_get_end(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse packet"); recv_tok.value = p; recv_tok.length = len; @@ -168,7 +169,7 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh) (r = sshpkt_put_string(ssh, send_tok.value, send_tok.length)) != 0 || (r = sshpkt_send(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "send ERRTOK packet"); } authctxt->postponed = 0; ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); @@ -180,7 +181,7 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh) (r = sshpkt_put_string(ssh, send_tok.value, send_tok.length)) != 0 || (r = sshpkt_send(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "send TOKEN packet"); } if (maj_status == GSS_S_COMPLETE) { ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); @@ -216,7 +217,7 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh) gssctxt = authctxt->methoddata; if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || (r = sshpkt_get_end(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse packet"); recv_tok.value = p; recv_tok.length = len; @@ -258,7 +259,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) */ if ((r = sshpkt_get_end(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse packet"); authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); @@ -293,16 +294,16 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) gssctxt = authctxt->methoddata; if ((r = sshpkt_get_string(ssh, &p, &len)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse packet"); if ((b = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); mic.value = p; mic.length = len; ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, - "gssapi-with-mic"); + "gssapi-with-mic", ssh->kex->session_id); if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) - fatal("%s: sshbuf_mutable_ptr failed", __func__); + fatal_f("sshbuf_mutable_ptr failed"); gssbuf.length = sshbuf_len(b); if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |