From fc64073f9832bb6ce5c2a577b336fc6bd039e911 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 19 2017 13:24:11 +0000 Subject: import openssh-7.4p1-13.el7_4 --- diff --git a/SOURCES/openssh-7.4p1-gss-strict-acceptor.patch b/SOURCES/openssh-7.4p1-gss-strict-acceptor.patch new file mode 100644 index 0000000..878ce1a --- /dev/null +++ b/SOURCES/openssh-7.4p1-gss-strict-acceptor.patch @@ -0,0 +1,28 @@ +From 13bd2e2d622d01dc85d22b94520a5b243d006049 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 6 Jan 2017 03:45:41 +0000 +Subject: [PATCH] upstream commit + +sshd_config is documented to set +GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this. +bz#2637 ok dtucker + +Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665 +--- + servconf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/servconf.c b/servconf.c +index 795ddbab7..c9105a592 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -270,7 +270,7 @@ fill_default_server_options(ServerOptions *options) + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; + if (options->gss_strict_acceptor == -1) +- options->gss_strict_acceptor = 0; ++ options->gss_strict_acceptor = 1; + if (options->gss_store_rekey == -1) + options->gss_store_rekey = 0; + if (options->password_authentication == -1) + diff --git a/SOURCES/openssh-7.4p1-gssKexAlgorithms.patch b/SOURCES/openssh-7.4p1-gssKexAlgorithms.patch index 657610d..c83636e 100644 --- a/SOURCES/openssh-7.4p1-gssKexAlgorithms.patch +++ b/SOURCES/openssh-7.4p1-gssKexAlgorithms.patch @@ -240,7 +240,7 @@ diff -up openssh-7.4p1/servconf.c.gsskexalg openssh-7.4p1/servconf.c options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; @@ -280,6 +281,10 @@ fill_default_server_options(ServerOption - options->gss_strict_acceptor = 0; + options->gss_strict_acceptor = 1; if (options->gss_store_rekey == -1) options->gss_store_rekey = 0; +#ifdef GSSAPI diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 69a8ae4..c2ce291 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -64,7 +64,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 7.4p1 -%define openssh_rel 12 +%define openssh_rel 13 %define pam_ssh_agent_ver 0.10.3 %define pam_ssh_agent_rel 1 @@ -183,6 +183,9 @@ Patch900: openssh-6.1p1-gssapi-canohost.patch Patch901: openssh-7.4p1-kuserok.patch # use default_ccache_name from /etc/krb5.conf (#991186) Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch +# Change GSSAPIStrictAcceptor to yes as it ever was (#1488982) +Patch903: openssh-7.4p1-gss-strict-acceptor.patch + # Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375 Patch905: openssh-7.4p1-legacy-ssh-copy-id.patch # Use tty allocation for a remote scp (#985650) @@ -457,6 +460,8 @@ popd %patch900 -p1 -b .canohost %patch901 -p1 -b .kuserok %patch902 -p1 -b .ccache_name +%patch903 -p1 -b .gss-strict + %patch905 -p1 -b .legacy-ssh-copy-id %patch906 -p1 -b .fromto-remote %patch914 -p1 -b .log-sftp-only @@ -812,6 +817,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Wed Sep 13 2017 Jakub Jelen - 7.4p1-13 + 0.10.3-1 +- Revert default of GSSAPIStrictAcceptorCheck=no back to yes (#1488982) + * Mon Aug 07 2017 Jakub Jelen - 7.4p1-12 + 0.10.3-1 - Revert upstream change to UseDNS=no back to yes (#1478175)