Ticket #32475: openssh_gss_api_trust_dns.patch

Portfile

@@ -72 +72 @@
   depends_run-delete    port:xauth
 }
 
+variant gss_api_trust_dns description "Enable GSSAPITrustDNS SSH configuration keyword" {
+  patchfiles-append GSSAPITrustDNS.patch
+}
+
 # For high-performance patch
 # re-enable when patch for current version is available
 #variant hpn description "apply high performance patch" {

files/GSSAPITrustDNS.patch

@@ +1 @@
+Index: readconf.c
+===================================================================
+RCS file: /cvs/openssh/readconf.c,v
+retrieving revision 1.135
+diff -u -r1.135 readconf.c
+--- readconf.c  5 Aug 2006 02:39:40 -0000       1.135
++++ readconf.c  19 Aug 2006 11:59:52 -0000
+@@ -126,6 +126,7 @@
+        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++       oGssTrustDns, 
+        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+        oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+@@ -163,9 +164,11 @@
+ #if defined(GSSAPI)
+        { "gssapiauthentication", oGssAuthentication },
+        { "gssapidelegatecredentials", oGssDelegateCreds },
++       { "gssapitrustdns", oGssTrustDns },
+ #else
+        { "gssapiauthentication", oUnsupported },
+        { "gssapidelegatecredentials", oUnsupported },
++       { "gssapitrustdns", oUnsupported },
+ #endif
+        { "fallbacktorsh", oDeprecated },
+        { "usersh", oDeprecated },
+@@ -444,6 +447,10 @@
+                intptr = &options->gss_deleg_creds;
+                goto parse_flag;
+ 
++       case oGssTrustDns:
++               intptr = &options->gss_trust_dns;
++               goto parse_flag;
++
+        case oBatchMode:
+                intptr = &options->batch_mode;
+                goto parse_flag;
+@@ -1010,6 +1017,7 @@
+        options->challenge_response_authentication = -1;
+        options->gss_authentication = -1;
+        options->gss_deleg_creds = -1;
++       options->gss_trust_dns = -1;
+        options->password_authentication = -1;
+        options->kbd_interactive_authentication = -1;
+        options->kbd_interactive_devices = NULL;
+@@ -1100,6 +1108,8 @@
+                options->gss_authentication = 0;
+        if (options->gss_deleg_creds == -1)
+                options->gss_deleg_creds = 0;
++       if (options->gss_trust_dns == -1)
++               options->gss_trust_dns = 0;
+        if (options->password_authentication == -1)
+                options->password_authentication = 1;
+        if (options->kbd_interactive_authentication == -1)
+Index: readconf.h
+===================================================================
+RCS file: /cvs/openssh/readconf.h,v
+retrieving revision 1.63
+diff -u -r1.63 readconf.h
+--- readconf.h  5 Aug 2006 02:39:40 -0000       1.63
++++ readconf.h  19 Aug 2006 11:59:52 -0000
+@@ -45,6 +45,7 @@
+                                        /* Try S/Key or TIS, authentication. */
+        int     gss_authentication;     /* Try GSS authentication */
+        int     gss_deleg_creds;        /* Delegate GSS credentials */
++       int     gss_trust_dns;          /* Trust DNS for GSS canonicalization */
+        int     password_authentication;        /* Try password
+                                                 * authentication. */
+        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+Index: ssh_config.5
+===================================================================
+RCS file: /cvs/openssh/ssh_config.5,v
+retrieving revision 1.97
+diff -u -r1.97 ssh_config.5
+--- ssh_config.5        5 Aug 2006 01:34:51 -0000       1.97
++++ ssh_config.5        19 Aug 2006 11:59:53 -0000
+@@ -483,7 +483,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
+-Note that this option applies to protocol version 2 only.
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to 
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If 
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+Index: sshconnect2.c
+===================================================================
+RCS file: /cvs/openssh/sshconnect2.c,v
+retrieving revision 1.151
+diff -u -r1.151 sshconnect2.c
+--- sshconnect2.c       18 Aug 2006 14:33:34 -0000      1.151
++++ sshconnect2.c       19 Aug 2006 11:59:53 -0000
+@@ -499,6 +499,12 @@
+        static u_int mech = 0;
+        OM_uint32 min;
+        int ok = 0;
++       const char *gss_host;
++
++       if (options.gss_trust_dns)
++               gss_host = get_canonical_hostname(1);
++       else
++               gss_host = authctxt->host;
+ 
+        /* Try one GSSAPI method at a time, rather than sending them all at
+         * once. */
+@@ -511,7 +517,7 @@
+                /* My DER encoding requires length<128 */
+                if (gss_supported->elements[mech].length < 128 &&
+                    ssh_gssapi_check_mechanism(&gssctxt, 
+-                   &gss_supported->elements[mech], authctxt->host)) {
++                   &gss_supported->elements[mech], gss_host)) {
+                        ok = 1; /* Mechanism works */
+                } else {
+                        mech++;