From 57ba1bd853ffc6bf2f785a24083b75cd21968b12 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mar 30 2020 14:38:36 +0000
Subject: Restore gssapi-canohost.patch (#1749862)


This is useful when connecting through proxyjump in combination with
GSSAPITrustDNS yes, because we can not get remote address of such socket.

https://src.fedoraproject.org/rpms/openssh/blob/f29/f/openssh-6.1p1-gssapi-canohost.patch

---

diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index 9500cc3..0681e28 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -325,7 +325,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
  #include "openbsd-compat/sys-queue.h"
  
  #include "xmalloc.h"
-@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
+@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
  
  #if defined(GSSAPI) && defined(WITH_OPENSSL)
  	if (options.gss_keyex) {
@@ -333,12 +333,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
 -		 * client to the key exchange algorithm proposal */
 -		orig = myproposal[PROPOSAL_KEX_ALGS];
 -
--		if (options.gss_server_identity)
+-		if (options.gss_server_identity) {
 -			gss_host = xstrdup(options.gss_server_identity);
--		else if (options.gss_trust_dns)
+-		} else if (options.gss_trust_dns) {
 -			gss_host = remote_hostname(ssh);
--		else
+-			/* Fall back to specified host if we are using proxy command
+-			 * and can not use DNS on that socket */
+-			if (strcmp(gss_host, "UNKNOWN") == 0) {
+-				free(gss_host);
+-				gss_host = xstrdup(host);
+-			}
+-		} else {
 -			gss_host = xstrdup(host);
+-		}
 -
 -		gss = ssh_gssapi_client_mechanisms(gss_host,
 -		    options.gss_client_identity, options.gss_kex_algorithms);
@@ -360,12 +367,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
 +			 * client to the key exchange algorithm proposal */
 +			orig = myproposal[PROPOSAL_KEX_ALGS];
 +
-+			if (options.gss_server_identity)
++			if (options.gss_server_identity) {
 +				gss_host = xstrdup(options.gss_server_identity);
-+			else if (options.gss_trust_dns)
++			} else if (options.gss_trust_dns) {
 +				gss_host = remote_hostname(ssh);
-+			else
++				/* Fall back to specified host if we are using proxy command
++				 * and can not use DNS on that socket */
++				if (strcmp(gss_host, "UNKNOWN") == 0) {
++					free(gss_host);
++					gss_host = xstrdup(host);
++				}
++			} else {
 +				gss_host = xstrdup(host);
++			}
 +
 +			gss = ssh_gssapi_client_mechanisms(gss_host,
 +			    options.gss_client_identity, options.gss_kex_algorithms);
diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch
index 9e7ea72..538b881 100644
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
@@ -3522,7 +3522,7 @@ index af00fb30..03bc87eb 100644
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
-@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
  		    compat_pkalg_proposal(options.hostkeyalgorithms);
  	}
  
@@ -3532,12 +3532,19 @@ index af00fb30..03bc87eb 100644
 +		 * client to the key exchange algorithm proposal */
 +		orig = myproposal[PROPOSAL_KEX_ALGS];
 +
-+		if (options.gss_server_identity)
++		if (options.gss_server_identity) {
 +			gss_host = xstrdup(options.gss_server_identity);
-+		else if (options.gss_trust_dns)
++		} else if (options.gss_trust_dns) {
 +			gss_host = remote_hostname(ssh);
-+		else
++			/* Fall back to specified host if we are using proxy command
++			 * and can not use DNS on that socket */
++			if (strcmp(gss_host, "UNKNOWN") == 0) {
++				free(gss_host);
++				gss_host = xstrdup(host);
++			}
++		} else {
 +			gss_host = xstrdup(host);
++		}
 +
 +		gss = ssh_gssapi_client_mechanisms(gss_host,
 +		    options.gss_client_identity, options.gss_kex_algorithms);
@@ -3626,18 +3633,25 @@ index af00fb30..03bc87eb 100644
  	{"gssapi-with-mic",
  		userauth_gssapi,
  		userauth_gssapi_cleanup,
-@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh)
+@@ -716,12 +784,32 @@ userauth_gssapi(struct ssh *ssh)
  	OM_uint32 min;
  	int r, ok = 0;
  	gss_OID mech = NULL;
-+	char *gss_host;
++	char *gss_host = NULL;
 +
-+	if (options.gss_server_identity)
++	if (options.gss_server_identity) {
 +		gss_host = xstrdup(options.gss_server_identity);
-+	else if (options.gss_trust_dns)
++	} else if (options.gss_trust_dns) {
 +		gss_host = remote_hostname(ssh);
-+	else
++		/* Fall back to specified host if we are using proxy command
++		 * and can not use DNS on that socket */
++		if (strcmp(gss_host, "UNKNOWN") == 0) {
++			free(gss_host);
++			gss_host = xstrdup(authctxt->host);
++		}
++	} else {
 +		gss_host = xstrdup(authctxt->host);
++	}
  
  	/* Try one GSSAPI method at a time, rather than sending them all at
  	 * once. */