- djm@cvs.openbsd.org 2014/02/26 20:28:44
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
sandboxing, as running this code in the sandbox can cause violations;
ok markus@
diff --git a/sshd.c b/sshd.c
index 93e698b..51d7078 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.418 2014/02/02 03:44:32 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.419 2014/02/26 20:28:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -618,6 +618,10 @@
/* Enable challenge-response authentication for privilege separation */
privsep_challenge_enable();
+ /* Cache supported mechanism OIDs for later use */
+ if (options.gss_authentication)
+ ssh_gssapi_prepare_supported_oids();
+
arc4random_stir();
arc4random_buf(rnd, sizeof(rnd));
RAND_seed(rnd, sizeof(rnd));