From 7ea48e01a09f1c61b754b10fcc68cd6a611d2e12 Mon Sep 17 00:00:00 2001
From: Mattias Ellert
Date: May 28 2019 13:41:32 +0000
Subject: Based on openssh-8.0p1-3.fc30 Change GSSAPITrustDNS default to no
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 5e17ca0..756fe74 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -31,7 +31,7 @@
 %global ldap 1
 %global openssh_ver 8.0p1
-%global openssh_rel 2
+%global openssh_rel 3
 Summary: An implementation of the SSH protocol with GSI authentication
 Name: gsi-openssh
@@ -150,8 +150,6 @@ Patch953: openssh-7.8p1-scp-ipv6.patch
 # - do not return 0 if the write fails (full disk)
 # - shellcheck reports (upstream #2902)
 Patch958: openssh-7.9p1-ssh-copy-id.patch
-# Update cached passwd structure after PAM authentication (#1674541)
-Patch960: openssh-7.9p1-updated-cached-pw.patch
 # Verify the SCP vulnerabilities are fixed in the package testsuite
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3007
 Patch961: openssh-8.0p1-scp-tests.patch
@@ -307,7 +305,6 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch951 -p1 -b .pkcs11-uri
 %patch953 -p1 -b .scp-ipv6
 %patch958 -p1 -b .ssh-copy-id
-%patch960 -p1 -b .update-pw
 %patch961 -p1 -b .scp-tests
 %patch962 -p1 -b .crypto-policies
 %patch963 -p1 -b .openssl-evp
@@ -523,6 +520,10 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_tmpfilesdir}/gsissh.conf
 %changelog
+* Tue May 28 2019 Mattias Ellert - 8.0p1-3
+- Based on openssh-8.0p1-3.fc30
+- Change GSSAPITrustDNS default to no
+
 * Mon May 20 2019 Mattias Ellert - 8.0p1-2
 - Based on openssh-8.0p1-2.fc30
diff --git a/openssh-7.9p1-updated-cached-pw.patch b/openssh-7.9p1-updated-cached-pw.patch
deleted file mode 100644
index 398f6bd..0000000
--- a/openssh-7.9p1-updated-cached-pw.patch
+++ /dev/null
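Review bot: The @@ -150 and @@ -307 hunks drop Patch960 (openssh-7.9p1-updated-cached-pw.patch, #1674541) without recording it: the new %changelog entry lists only the rebase and the GSSAPITrustDNS default, so the bug reference and the reason the fix went away are lost from the spec. Presumably the drop simply follows openssh-8.0p1-3.fc30, and the deleted patch itself (further down in this commit) is hard to defend — it called free() on s->pw and then pointed s->pw at the storage returned by getpwuid(), which the caller does not own — but dropping it also means the child session presumably goes back to using the passwd entry cached before PAM ran, which is a visible behaviour change for whoever filed that bug. Add a bullet such as `- Drop openssh-7.9p1-updated-cached-pw.patch (#1674541), as in openssh-8.0p1-3.fc30` under the 8.0p1-3 changelog heading so the next rebase can see why it is gone.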
@@ -1,23 +0,0 @@
-diff -up openssh-7.4p1/session.c.update-pw openssh-7.4p1/session.c
---- openssh-7.4p1/session.c.update-pw 2019-03-04 14:10:57.287054645 +0100
-+++ openssh-7.4p1/session.c 2019-03-04 14:12:39.259997218 +0100
-@@ -1522,9 +1522,18 @@ do_child(Session *s, const char *command
- extern char **environ;
- char **env, *argv[ARGV_MAX], remote_id[512];
- const char *shell, *shell0;
-- struct passwd *pw = s->pw;
-+ struct passwd *pw = NULL;
- int r = 0;
-
-+ /* Update the users passwd structure after successful login */
-+ pw = getpwuid(s->pw->pw_uid);
-+ if (pw != NULL) {
-+ free(s->pw);
-+ s->pw = pw;
-+ } else {
-+ pw = s->pw;
-+ }
-+
- sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
-
- /* remove hostkey from the child's memory */
diff --git a/openssh-8.0p1-gsissh.patch b/openssh-8.0p1-gsissh.patch
index d889a8f..799a8f0 100644
--- a/openssh-8.0p1-gsissh.patch
+++ b/openssh-8.0p1-gsissh.patch
@@ -1791,7 +1791,7 @@ diff -Nur openssh-8.0p1.orig/monitor_wrap.h openssh-8.0p1/monitor_wrap.h
 diff -Nur openssh-8.0p1.orig/readconf.c openssh-8.0p1/readconf.c
 --- openssh-8.0p1.orig/readconf.c 2019-05-20 08:24:38.169774825 +0200
 +++ openssh-8.0p1/readconf.c 2019-05-20 08:25:21.586323072 +0200
-@@ -2052,13 +2052,13 @@
+@@ -2052,11 +2052,11 @@
  if (options->challenge_response_authentication == -1)
  options->challenge_response_authentication = 1;
  if (options->gss_authentication == -1)
@@ -1804,11 +1804,8 @@ diff -Nur openssh-8.0p1.orig/readconf.c openssh-8.0p1/readconf.c
 - options->gss_deleg_creds = 0;
 + options->gss_deleg_creds = 1;
  if (options->gss_trust_dns == -1)
-- options->gss_trust_dns = 0;
-+ options->gss_trust_dns = 1;
+ options->gss_trust_dns = 0;
  if (options->gss_renewal_rekey == -1)
- options->gss_renewal_rekey = 0;
- #ifdef GSSAPI
 diff -Nur openssh-8.0p1.orig/readconf.h openssh-8.0p1/readconf.h
 --- openssh-8.0p1.orig/readconf.h 2019-05-20 08:24:38.074775813 +0200
 +++ openssh-8.0p1/readconf.h 2019-05-20 08:25:21.586323072 +0200
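Review bot: With `gss_trust_dns` now left at the upstream 0 (the `+ options->gss_trust_dns = 0;` context line in the regenerated inner hunk), the @@ -1804 hunk still carries `gss_deleg_creds` forced to 1 (context lines `- options->gss_deleg_creds = 0;` / `+ options->gss_deleg_creds = 1;`), and nothing in the patch or the spec says why delegation stays on by default while DNS-derived names are no longer trusted. The two settings are coupled: per the ssh_config.5 text removed later in this commit (apparently the GSSAPITrustDNS entry), with the option off the hostname typed on the command line is passed untouched to the GSSAPI library, so a delegated credential can only reach the service principal of the host the user actually named rather than whatever name a DNS answer supplies. A one-line comment in the spec next to the Patch line for openssh-8.0p1-gsissh.patch, e.g. `# GSSAPIDelegateCredentials defaults to yes; GSSAPITrustDNS must stay at the upstream default (no) so delegation only follows the name the user typed`, would keep that reasoning from being undone on the next rebase. The inner readconf.c hunk is split by the outer @@ -1791/@@ -1804 boundary, so the defaults set between those two outer hunks are not visible here.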
@@ -2099,21 +2096,19 @@ diff -Nur openssh-8.0p1.orig/ssh.c openssh-8.0p1/ssh.c
 diff -Nur openssh-8.0p1.orig/ssh_config openssh-8.0p1/ssh_config
 --- openssh-8.0p1.orig/ssh_config 2019-05-20 08:24:38.076775793 +0200
 +++ openssh-8.0p1/ssh_config 2019-05-20 08:25:21.588323052 +0200
-@@ -22,10 +22,10 @@
+@@ -22,9 +22,9 @@
  # ForwardX11 no
  # PasswordAuthentication yes
  # HostbasedAuthentication no
 -# GSSAPIAuthentication no
 -# GSSAPIDelegateCredentials no
 -# GSSAPIKeyExchange no
--# GSSAPITrustDNS no
 +# GSSAPIAuthentication yes
 +# GSSAPIDelegateCredentials yes
 +# GSSAPIKeyExchange yes
-+# GSSAPITrustDNS yes
+ # GSSAPITrustDNS no
  # BatchMode no
  # CheckHostIP yes
- # AddressFamily any
 diff -Nur openssh-8.0p1.orig/ssh_config.5 openssh-8.0p1/ssh_config.5
 --- openssh-8.0p1.orig/ssh_config.5 2019-05-20 08:24:38.145775075 +0200
 +++ openssh-8.0p1/ssh_config.5 2019-05-20 08:32:58.762570830 +0200
@@ -2154,15 +2149,6 @@ diff -Nur openssh-8.0p1.orig/ssh_config.5 openssh-8.0p1/ssh_config.5
  .It Cm GSSAPIRenewalForcesRekey
  If set to
  .Dq yes
-@@ -796,7 +802,7 @@
- the hostname entered on the
- command line will be passed untouched to the GSSAPI library.
- The default is
--.Dq no .
-+.Dq yes .
- .It Cm GSSAPIKexAlgorithms
- The list of key exchange algorithms that are offered for GSSAPI
- key exchange. Possible values are
 @@ -814,7 +820,6 @@
  .Xr crypto-policies 7 .
  To see the defaults and how to modifuy this default, see manual page
diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch
index 9618863..65a94ca 100644
--- a/openssh-8.0p1-pkcs11-uri.patch
+++ b/openssh-8.0p1-pkcs11-uri.patch
@@ -2111,12 +2111,13 @@ index 70f06bff..59332945 100644
  if (rv != CKR_OK) {
  error("C_GetAttributeValue failed: %lu", rv);
  return (NULL);
-@@ -729,18 +863,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -730,19 +863,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+  * ensure that none of the others are zero length.
  * XXX assumes CKA_ID is always first.
  */
-  if (key_attr[1].ulValueLen == 0 ||
+- if (key_attr[1].ulValueLen == 0 ||
 - key_attr[2].ulValueLen == 0) {
-+ key_attr[2].ulValueLen == 0 ||
++ if (key_attr[2].ulValueLen == 0 ||
 + key_attr[3].ulValueLen == 0) {
  error("invalid attribute length");
  return (NULL);
@@ -2211,12 +2212,13 @@ index 70f06bff..59332945 100644
  if (rv != CKR_OK) {
  error("C_GetAttributeValue failed: %lu", rv);
  return (NULL);
-@@ -850,18 +987,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -850,19 +987,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+  * ensure that none of the others are zero length.
  * XXX assumes CKA_ID is always first.
  */
-  if (key_attr[1].ulValueLen == 0 ||
+- if (key_attr[1].ulValueLen == 0 ||
 - key_attr[2].ulValueLen == 0) {
-+ key_attr[2].ulValueLen == 0 ||
++ if (key_attr[2].ulValueLen == 0 ||
 + key_attr[3].ulValueLen == 0) {
  error("invalid attribute length");
  return (NULL);
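Review bot: The regenerated inner hunk now exempts `key_attr[1]` from the zero-length check (`++ if (key_attr[2].ulValueLen == 0 ||` followed by the `key_attr[3]` line), yet the comment kept as context still says `XXX assumes CKA_ID is always first` and the newly included context line `* ensure that none of the others are zero length` is no longer literally true, since index 1 is now skipped. Presumably index 1 is the attribute the pkcs11-uri patch inserts after CKA_ID and it may legitimately be empty — the key_attr array definition is outside the hunk, so confirm — and the inner patch should extend to that comment, e.g. `* XXX assumes CKA_ID is always first and that <ATTRIBUTE AT INDEX 1> may be empty; only the remaining attributes must be non-empty.`, so the next reader does not "fix" the check back to include index 1 and reject valid keys. The same applies to the @@ -2211 hunk for pkcs11_fetch_rsa_pubkey. Both pkcs11_fetch_*_pubkey functions begin and end outside these hunks.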