Sync from SUSE:SLFO:Main openssh revision a671063fcb9bb4733f77682129b431c2
This commit is contained in:
parent
2b4415248e
commit
094cd910aa
@ -0,0 +1,414 @@
|
||||
From 7c116ef927a8ef14d09065757f75560fa0ab79d0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 04:04:13 +0200
|
||||
Subject: [PATCH 1/6] auth: Add KbdintResult definition to define result values
|
||||
explicitly
|
||||
|
||||
kbdint result vfunc may return various values, so use an enum to make it
|
||||
clearer what each result means without having to dig into the struct
|
||||
documentation.
|
||||
---
|
||||
auth-bsdauth.c | 2 +-
|
||||
auth-pam.c | 10 +++++-----
|
||||
auth.h | 5 +++++
|
||||
auth2-chall.c | 4 ++--
|
||||
4 files changed, 13 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/auth-bsdauth.c b/auth-bsdauth.c
|
||||
index d124e994e77..ca41735debb 100644
|
||||
--- a/auth-bsdauth.c
|
||||
+++ b/auth-bsdauth.c
|
||||
@@ -111,7 +111,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
|
||||
authctxt->as = NULL;
|
||||
debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
|
||||
|
||||
- return (authok == 0) ? -1 : 0;
|
||||
+ return (authok == 0) ? KbdintResultFailure : KbdintResultSuccess;
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index b49d415e7c7..86137a1acdb 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -990,15 +990,15 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
switch (ctxt->pam_done) {
|
||||
case 1:
|
||||
sshpam_authenticated = 1;
|
||||
- return (0);
|
||||
+ return KbdintResultSuccess;
|
||||
case 0:
|
||||
break;
|
||||
default:
|
||||
- return (-1);
|
||||
+ return KbdintResultFailure;
|
||||
}
|
||||
if (num != 1) {
|
||||
error("PAM: expected one response, got %u", num);
|
||||
- return (-1);
|
||||
+ return KbdintResultFailure;
|
||||
}
|
||||
if ((buffer = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
@@ -1015,10 +1015,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
}
|
||||
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) {
|
||||
sshbuf_free(buffer);
|
||||
- return (-1);
|
||||
+ return KbdintResultFailure;
|
||||
}
|
||||
sshbuf_free(buffer);
|
||||
- return (1);
|
||||
+ return KbdintResultAgain;
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/auth.h b/auth.h
|
||||
index 6d2d3976234..aac1e92d9cd 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -51,6 +51,7 @@ struct sshauthopt;
|
||||
typedef struct Authctxt Authctxt;
|
||||
typedef struct Authmethod Authmethod;
|
||||
typedef struct KbdintDevice KbdintDevice;
|
||||
+typedef int KbdintResult;
|
||||
|
||||
struct Authctxt {
|
||||
sig_atomic_t success;
|
||||
@@ -111,6 +112,10 @@ struct Authmethod {
|
||||
# int *enabled;
|
||||
int (*userauth)(struct ssh *, const char *);
|
||||
};
|
||||
|
||||
+#define KbdintResultFailure -1
|
||||
+#define KbdintResultSuccess 0
|
||||
+#define KbdintResultAgain 1
|
||||
+
|
||||
/*
|
||||
* Keyboard interactive device:
|
||||
* init_ctx returns: non NULL upon success
|
||||
diff --git a/auth2-chall.c b/auth2-chall.c
|
||||
index 021df829173..047d4e83c33 100644
|
||||
--- a/auth2-chall.c
|
||||
+++ b/auth2-chall.c
|
||||
@@ -331,11 +331,11 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
|
||||
free(response);
|
||||
|
||||
switch (res) {
|
||||
- case 0:
|
||||
+ case KbdintResultSuccess:
|
||||
/* Success! */
|
||||
authenticated = authctxt->valid ? 1 : 0;
|
||||
break;
|
||||
- case 1:
|
||||
+ case KbdintResultAgain:
|
||||
/* Authentication needs further interaction */
|
||||
if (send_userauth_info_request(ssh) == 1)
|
||||
authctxt->postponed = 1;
|
||||
|
||||
From 91ef15e8ed01a7e16d96ba6cb9ed51965dca9641 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Mon, 16 Oct 2023 21:15:45 +0200
|
||||
Subject: [PATCH 2/6] auth-pam: Add an enum to define the PAM done status
|
||||
|
||||
Makes things more readable and easier to extend
|
||||
---
|
||||
auth-pam.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index 86137a1acdb..21291631011 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t;
|
||||
#define pthread_join fake_pthread_join
|
||||
#endif
|
||||
|
||||
+typedef int SshPamDone;
|
||||
+#define SshPamError -1
|
||||
+#define SshPamNone 0
|
||||
+#define SshPamAuthenticated 1
|
||||
+
|
||||
struct pam_ctxt {
|
||||
sp_pthread_t pam_thread;
|
||||
int pam_psock;
|
||||
int pam_csock;
|
||||
- int pam_done;
|
||||
+ SshPamDone pam_done;
|
||||
};
|
||||
|
||||
static void sshpam_free_ctx(void *);
|
||||
@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
**prompts = NULL;
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
- ctxt->pam_done = -1;
|
||||
+ ctxt->pam_done = SshPamError;
|
||||
free(msg);
|
||||
sshbuf_free(buffer);
|
||||
return 0;
|
||||
@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
import_environments(buffer);
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
- ctxt->pam_done = 1;
|
||||
+ ctxt->pam_done = SshPamAuthenticated;
|
||||
free(msg);
|
||||
sshbuf_free(buffer);
|
||||
return (0);
|
||||
@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
free(msg);
|
||||
- ctxt->pam_done = -1;
|
||||
+ ctxt->pam_done = SshPamError;
|
||||
sshbuf_free(buffer);
|
||||
return (-1);
|
||||
}
|
||||
@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
|
||||
debug2("PAM: %s entering, %u responses", __func__, num);
|
||||
switch (ctxt->pam_done) {
|
||||
- case 1:
|
||||
+ case SshPamAuthenticated:
|
||||
sshpam_authenticated = 1;
|
||||
return KbdintResultSuccess;
|
||||
- case 0:
|
||||
+ case SshPamNone:
|
||||
break;
|
||||
default:
|
||||
return KbdintResultFailure;
|
||||
|
||||
From 6fa8934d31cb9925c856f1b992fc5e04dd26da21 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 04:35:17 +0200
|
||||
Subject: [PATCH 3/6] auth-pam: Add debugging information when we receive PAM
|
||||
messages
|
||||
|
||||
---
|
||||
auth-pam.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index 21291631011..7a72e724adc 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
|
||||
break;
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
+ debug3("PAM: Got message of type %d: %s",
|
||||
+ PAM_MSG_MEMBER(msg, i, msg_style),
|
||||
+ PAM_MSG_MEMBER(msg, i, msg));
|
||||
if ((r = sshbuf_put_cstring(buffer,
|
||||
PAM_MSG_MEMBER(msg, i, msg))) != 0)
|
||||
fatal("%s: buffer error: %s",
|
||||
|
||||
From 598ee34312b541fa7b3988b4896641bf81996e27 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 04:27:32 +0200
|
||||
Subject: [PATCH 4/6] auth-pam: Immediately report interactive instructions to
|
||||
clients
|
||||
|
||||
SSH keyboard-interactive authentication method supports instructions but
|
||||
sshd didn't show them until an user prompt was requested.
|
||||
|
||||
This is quite inconvenient for various PAM modules that need to notify
|
||||
an user without requiring for their explicit input.
|
||||
|
||||
So, properly implement RFC4256 making instructions to be shown to users
|
||||
when they are requested from PAM.
|
||||
|
||||
Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
|
||||
---
|
||||
auth-pam.c | 21 ++++++++++++---------
|
||||
1 file changed, 12 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index 7a72e724adc..b756f0e5221 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -140,6 +140,7 @@ typedef int SshPamDone;
|
||||
#define SshPamError -1
|
||||
#define SshPamNone 0
|
||||
#define SshPamAuthenticated 1
|
||||
+#define SshPamAgain 2
|
||||
|
||||
struct pam_ctxt {
|
||||
sp_pthread_t pam_thread;
|
||||
@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
**prompts = NULL;
|
||||
plen = 0;
|
||||
*echo_on = xmalloc(sizeof(u_int));
|
||||
+ ctxt->pam_done = SshPamNone;
|
||||
+
|
||||
while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
|
||||
if (++nmesg > PAM_MAX_NUM_MSG)
|
||||
fatal_f("too many query messages");
|
||||
@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
return (0);
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
- /* accumulate messages */
|
||||
- len = plen + mlen + 2;
|
||||
- **prompts = xreallocarray(**prompts, 1, len);
|
||||
- strlcpy(**prompts + plen, msg, len - plen);
|
||||
- plen += mlen;
|
||||
- strlcat(**prompts + plen, "\n", len - plen);
|
||||
- plen++;
|
||||
- free(msg);
|
||||
- break;
|
||||
+ *num = 0;
|
||||
+ free(*info);
|
||||
+ *info = msg; /* Steal the message */
|
||||
+ msg = NULL;
|
||||
+ ctxt->pam_done = SshPamAgain;
|
||||
+ sshbuf_free(buffer);
|
||||
+ return (0);
|
||||
case PAM_ACCT_EXPIRED:
|
||||
case PAM_MAXTRIES:
|
||||
if (type == PAM_ACCT_EXPIRED)
|
||||
@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
return KbdintResultSuccess;
|
||||
case SshPamNone:
|
||||
break;
|
||||
+ case SshPamAgain:
|
||||
+ return KbdintResultAgain;
|
||||
default:
|
||||
return KbdintResultFailure;
|
||||
}
|
||||
|
||||
From cc14301ce0542cdbb825eff8041ce98a1da9ef08 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 06:12:03 +0200
|
||||
Subject: [PATCH 5/6] sshconnect2: Write kbd-interactive service, info and
|
||||
instructions as utf-8
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
As per the previous server change now the keyboard-interactive service
|
||||
and instruction values could be reported as soon as they are available
|
||||
and so they're not prompts anymore and not parsed like them.
|
||||
|
||||
While this was already supported by the SSH client, these messages were
|
||||
not properly written as the escaped sequences they contained were not
|
||||
correctly reported.
|
||||
|
||||
So for example a message containing "\" was represented as "\\" and
|
||||
similarly for all the other C escape sequences.
|
||||
|
||||
This was leading to more problems when it come to utf-8 chars, as they
|
||||
were only represented by their octal representation.
|
||||
|
||||
This was easily testable by adding a line like the one below to the
|
||||
sshd PAM service:
|
||||
auth requisite pam_echo.so Hello SSHD! Want some 🍕?
|
||||
|
||||
Which was causing this to be written instead:
|
||||
Hello SSHD! Want some \360\237\215\225?
|
||||
|
||||
To handle this, instead of simply using fmprintf, we're using the notifier
|
||||
in a way can be exposed to users in the proper format and UI.
|
||||
---
|
||||
sshconnect2.c | 33 ++++++++++++++++++++++++---------
|
||||
1 file changed, 24 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 5831a00c6d1..543431218c1 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -1091,6 +1091,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
|
||||
char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
|
||||
char prompt[256];
|
||||
const char *host;
|
||||
+ size_t info_len;
|
||||
int r;
|
||||
|
||||
debug2("input_userauth_passwd_changereq");
|
||||
@@ -1100,11 +1101,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
|
||||
"no authentication context");
|
||||
host = options.host_key_alias ? options.host_key_alias : authctxt->host;
|
||||
|
||||
- if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
|
||||
+ if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 ||
|
||||
(r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
|
||||
goto out;
|
||||
- if (strlen(info) > 0)
|
||||
- logit("%s", info);
|
||||
+ if (info_len > 0) {
|
||||
+ struct notifier_ctx *notifier = NULL;
|
||||
+ debug_f("input_userauth_passwd_changereq info: %s", info);
|
||||
+ notifier = notify_start(0, "%s", info);
|
||||
+ notify_complete(notifier, NULL);
|
||||
+ }
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
|
||||
(r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
|
||||
@@ -1938,8 +1943,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
|
||||
char *display_prompt = NULL, *response = NULL;
|
||||
+ struct notifier_ctx *notifier = NULL;
|
||||
u_char echo = 0;
|
||||
u_int num_prompts, i;
|
||||
+ size_t name_len, inst_len;
|
||||
int r;
|
||||
|
||||
debug2_f("entering");
|
||||
@@ -1949,14 +1956,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
|
||||
|
||||
authctxt->info_req_seen = 1;
|
||||
|
||||
- if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
|
||||
- (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
|
||||
+ if ((r = sshpkt_get_cstring(ssh, &name, &name_len)) != 0 ||
|
||||
+ (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 ||
|
||||
(r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
|
||||
goto out;
|
||||
- if (strlen(name) > 0)
|
||||
- logit("%s", name);
|
||||
- if (strlen(inst) > 0)
|
||||
- logit("%s", inst);
|
||||
+ if (name_len > 0) {
|
||||
+ debug_f("kbd int name: %s", name);
|
||||
+ notifier = notify_start(0, "%s", name);
|
||||
+ notify_complete(notifier, NULL);
|
||||
+ notifier = NULL;
|
||||
+ }
|
||||
+ if (inst_len > 0) {
|
||||
+ debug_f("kbd int inst: %s", inst);
|
||||
+ notifier = notify_start(0, "%s", inst);
|
||||
+ notify_complete(notifier, NULL);
|
||||
+ notifier = NULL;
|
||||
+ }
|
||||
|
||||
if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
|
||||
goto out;
|
||||
|
||||
From 99656caabc5cff24122e5b9a140e5a38ab418a5d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 06:05:59 +0200
|
||||
Subject: [PATCH 6/6] auth2-chall: Fix selection of the keyboard-interactive
|
||||
device
|
||||
|
||||
We were only checking if the prefix of a device name was matching what
|
||||
we had in the devices list, so if the device list contained "pam", then
|
||||
also the device "pam-foo" was matching.
|
||||
---
|
||||
auth2-chall.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/auth2-chall.c b/auth2-chall.c
|
||||
index 047d4e83c33..db658c9b4a7 100644
|
||||
--- a/auth2-chall.c
|
||||
+++ b/auth2-chall.c
|
||||
@@ -170,7 +170,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
|
||||
"keyboard-interactive", devices[i]->name))
|
||||
continue;
|
||||
if (strncmp(kbdintctxt->devices, devices[i]->name,
|
||||
- len) == 0) {
|
||||
+ len) == 0 && strlen(devices[i]->name) == len) {
|
||||
kbdintctxt->device = devices[i];
|
||||
kbdintctxt->devices_done |= 1 << i;
|
||||
}
|
36
0001-fix-utmpx-ifdef.patch
Normal file
36
0001-fix-utmpx-ifdef.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From c7fda601186ff28128cfe3eab9c9c0622de096e1 Mon Sep 17 00:00:00 2001
|
||||
From: Christoph Ostarek <christoph@zededa.com>
|
||||
Date: Wed, 3 Jul 2024 12:46:59 +0200
|
||||
Subject: fix utmpx ifdef
|
||||
|
||||
02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
|
||||
utmpx, but forgot to change the ifdef appropriately
|
||||
---
|
||||
loginrec.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/loginrec.c b/loginrec.c
|
||||
index 7460bb2c..45f13dee 100644
|
||||
--- a/loginrec.c
|
||||
+++ b/loginrec.c
|
||||
@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
|
||||
void
|
||||
construct_utmpx(struct logininfo *li, struct utmpx *utx)
|
||||
{
|
||||
-# ifdef HAVE_ADDR_V6_IN_UTMP
|
||||
+# ifdef HAVE_ADDR_V6_IN_UTMPX
|
||||
struct sockaddr_in6 *sa6;
|
||||
# endif
|
||||
memset(utx, '\0', sizeof(*utx));
|
||||
@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
|
||||
if (li->hostaddr.sa.sa_family == AF_INET)
|
||||
utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
|
||||
# endif
|
||||
-# ifdef HAVE_ADDR_V6_IN_UTMP
|
||||
+# ifdef HAVE_ADDR_V6_IN_UTMPX
|
||||
/* this is just a 128-bit IPv6 address */
|
||||
if (li->hostaddr.sa.sa_family == AF_INET6) {
|
||||
sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
|
||||
--
|
||||
cgit v1.2.3
|
||||
|
@ -1,55 +0,0 @@
|
||||
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Tue, 30 Apr 2024 02:14:10 +0000
|
||||
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
|
||||
reported
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
by Tõivo Leedjärv; ok deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
|
||||
---
|
||||
clientloop.c | 4 ++--
|
||||
serverloop.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index be8bb5fc1f2..8ea2ada4216 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
#@@ -1,4 +1,4 @@
|
||||
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
|
||||
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
|
||||
# /*
|
||||
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
||||
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
|
||||
&npfd_active, channel_did_enqueue, &osigset,
|
||||
&conn_in_ready, &conn_out_ready);
|
||||
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||
|
||||
if (quit_pending)
|
||||
diff --git a/serverloop.c b/serverloop.c
|
||||
index f3683c2e4a6..94c8943a616 100644
|
||||
--- a/serverloop.c
|
||||
+++ b/serverloop.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
|
||||
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
|
||||
wait_until_can_do_something(ssh, connection_in, connection_out,
|
||||
&pfd, &npfd_alloc, &npfd_active, &osigset,
|
||||
&conn_in_ready, &conn_out_ready);
|
||||
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||
|
||||
if (received_sigterm) {
|
@ -1,32 +0,0 @@
|
||||
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Wed, 21 Feb 2024 05:57:34 +0000
|
||||
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
|
||||
timing
|
||||
|
||||
obfuscation was added. GHPR#463 from montag451
|
||||
|
||||
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
|
||||
---
|
||||
clientloop.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index eb4902905fb..8ec36af94b3 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
|
||||
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
|
||||
{
|
||||
int r;
|
||||
|
||||
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||
return 0;
|
||||
/* XXX probabilistically send chaff? */
|
||||
/*
|
@ -1,38 +0,0 @@
|
||||
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Mon, 1 Jul 2024 04:31:17 +0000
|
||||
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
|
||||
we
|
||||
|
||||
can't rely on channel_did_enqueue to tell that there is data to send. This
|
||||
flag indicates that the channels code enqueued a packet on _this_ ppoll()
|
||||
iteration, not that data was enqueued in _any_ ppoll() iteration in the
|
||||
timeslice. ok markus@
|
||||
|
||||
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
|
||||
---
|
||||
clientloop.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index 0b6f3c9be02..8ed8b1c3449 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
#@@ -1,4 +1,4 @@
|
||||
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
|
||||
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
|
||||
# /*
|
||||
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
|
||||
if (timespeccmp(&now, &chaff_until, >=)) {
|
||||
/* Stop if there have been no keystrokes for a while */
|
||||
stop_reason = "chaff time expired";
|
||||
- } else if (timespeccmp(&now, &next_interval, >=)) {
|
||||
- /* Otherwise if we were due to send, then send chaff */
|
||||
+ } else if (timespeccmp(&now, &next_interval, >=) &&
|
||||
+ !ssh_packet_have_data_to_write(ssh)) {
|
||||
+ /* If due to send but have no data, then send chaff */
|
||||
if (send_chaff(ssh))
|
||||
nchaff++;
|
||||
}
|
@ -0,0 +1,291 @@
|
||||
From 66878e12a207fa9746dee3e2bdcca29b704cf035 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Wed, 25 Sep 2024 01:24:04 +0000
|
||||
Subject: upstream: fix regression introduced when I switched the "Match"
|
||||
|
||||
criteria tokeniser to a more shell-like one. Apparently the old tokeniser
|
||||
(accidentally?) allowed "Match criteria=argument" as well as the "Match
|
||||
criteria argument" syntax that we tested for.
|
||||
|
||||
People were using this syntax so this adds back support for
|
||||
"Match criteria=argument"
|
||||
|
||||
bz3739 ok dtucker
|
||||
|
||||
OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
|
||||
---
|
||||
misc.c | 23 ++++++++++++++++++++++-
|
||||
misc.h | 3 ++-
|
||||
readconf.c | 28 +++++++++++++++++++++++-----
|
||||
servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++++---------------
|
||||
4 files changed, 89 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/misc.c b/misc.c
|
||||
index afdf5142..1b4b55c5 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
|
||||
+/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
|
||||
@@ -107,6 +107,27 @@ rtrim(char *s)
|
||||
}
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * returns pointer to character after 'prefix' in 's' or otherwise NULL
|
||||
+ * if the prefix is not present.
|
||||
+ */
|
||||
+const char *
|
||||
+strprefix(const char *s, const char *prefix, int ignorecase)
|
||||
+{
|
||||
+ size_t prefixlen;
|
||||
+
|
||||
+ if ((prefixlen = strlen(prefix)) == 0)
|
||||
+ return s;
|
||||
+ if (ignorecase) {
|
||||
+ if (strncasecmp(s, prefix, prefixlen) != 0)
|
||||
+ return NULL;
|
||||
+ } else {
|
||||
+ if (strncmp(s, prefix, prefixlen) != 0)
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ return s + prefixlen;
|
||||
+}
|
||||
+
|
||||
/* set/unset filedescriptor to non-blocking */
|
||||
int
|
||||
set_nonblock(int fd)
|
||||
diff --git a/misc.h b/misc.h
|
||||
index 11340389..efecdf1a 100644
|
||||
--- a/misc.h
|
||||
+++ b/misc.h
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
|
||||
+/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@@ -56,6 +56,7 @@ struct ForwardOptions {
|
||||
char *chop(char *);
|
||||
void rtrim(char *);
|
||||
void skip_space(char **);
|
||||
+const char *strprefix(const char *, const char *, int);
|
||||
char *strdelim(char **);
|
||||
char *strdelimw(char **);
|
||||
int set_nonblock(int);
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 3d9cc6db..de42fb6f 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
|
||||
+/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
struct passwd *pw, const char *host_arg, const char *original_host,
|
||||
int final_pass, int *want_final_pass, const char *filename, int linenum)
|
||||
{
|
||||
- char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
|
||||
+ char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
|
||||
const char *ruser;
|
||||
int r, this_result, result = 1, attributes = 0, negate;
|
||||
|
||||
@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
|
||||
debug2("checking match for '%s' host %s originally %s",
|
||||
full_line, host, original_host);
|
||||
- while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
|
||||
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
|
||||
+ attrib = xstrdup(oattrib);
|
||||
/* Terminate on comment */
|
||||
if (*attrib == '#') {
|
||||
argv_consume(acp);
|
||||
@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
this_result ? "" : "not ", oattrib);
|
||||
continue;
|
||||
}
|
||||
+
|
||||
+ /* Keep this list in sync with below */
|
||||
+ if (strprefix(attrib, "host=", 1) != NULL ||
|
||||
+ strprefix(attrib, "originalhost=", 1) != NULL ||
|
||||
+ strprefix(attrib, "user=", 1) != NULL ||
|
||||
+ strprefix(attrib, "localuser=", 1) != NULL ||
|
||||
+ strprefix(attrib, "localnetwork=", 1) != NULL ||
|
||||
+ strprefix(attrib, "tagged=", 1) != NULL ||
|
||||
+ strprefix(attrib, "exec=", 1) != NULL) {
|
||||
+ arg = strchr(attrib, '=');
|
||||
+ *(arg++) = '\0';
|
||||
+ } else {
|
||||
+ arg = argv_next(acp, avp);
|
||||
+ }
|
||||
+
|
||||
/* All other criteria require an argument */
|
||||
- if ((arg = argv_next(acp, avp)) == NULL ||
|
||||
- *arg == '\0' || *arg == '#') {
|
||||
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
|
||||
error("Missing Match criteria for %s", attrib);
|
||||
result = -1;
|
||||
goto out;
|
||||
@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
criteria == NULL ? "" : criteria,
|
||||
criteria == NULL ? "" : "\"");
|
||||
free(criteria);
|
||||
+ free(attrib);
|
||||
+ attrib = NULL;
|
||||
}
|
||||
if (attributes == 0) {
|
||||
error("One or more attributes required for Match");
|
||||
@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
out:
|
||||
if (result != -1)
|
||||
debug2("match %sfound", result ? "" : "not ");
|
||||
+ free(attrib);
|
||||
free(host);
|
||||
return result;
|
||||
}
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 89b8413e..dd774f46 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
|
||||
+/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
|
||||
int line, struct connection_info *ci)
|
||||
{
|
||||
int result = 1, attributes = 0, port;
|
||||
- char *arg, *attrib;
|
||||
+ char *arg, *attrib = NULL, *oattrib;
|
||||
|
||||
if (ci == NULL)
|
||||
debug3("checking syntax for 'Match %s'", full_line);
|
||||
@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
|
||||
ci->laddress ? ci->laddress : "(null)", ci->lport);
|
||||
}
|
||||
|
||||
- while ((attrib = argv_next(acp, avp)) != NULL) {
|
||||
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
|
||||
+ attrib = xstrdup(oattrib);
|
||||
/* Terminate on comment */
|
||||
if (*attrib == '#') {
|
||||
argv_consume(acp); /* mark all arguments consumed */
|
||||
@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
|
||||
*arg != '\0' && *arg != '#')) {
|
||||
error("'all' cannot be combined with other "
|
||||
"Match attributes");
|
||||
- return -1;
|
||||
+ result = -1;
|
||||
+ goto out;
|
||||
}
|
||||
if (arg != NULL && *arg == '#')
|
||||
argv_consume(acp); /* consume remaining args */
|
||||
- return 1;
|
||||
+ result = 1;
|
||||
+ goto out;
|
||||
}
|
||||
/* Criterion "invalid-user" also has no argument */
|
||||
if (strcasecmp(attrib, "invalid-user") == 0) {
|
||||
@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
|
||||
debug("matched invalid-user at line %d", line);
|
||||
continue;
|
||||
}
|
||||
+
|
||||
+ /* Keep this list in sync with below */
|
||||
+ if (strprefix(attrib, "user=", 1) != NULL ||
|
||||
+ strprefix(attrib, "group=", 1) != NULL ||
|
||||
+ strprefix(attrib, "host=", 1) != NULL ||
|
||||
+ strprefix(attrib, "address=", 1) != NULL ||
|
||||
+ strprefix(attrib, "localaddress=", 1) != NULL ||
|
||||
+ strprefix(attrib, "localport=", 1) != NULL ||
|
||||
+ strprefix(attrib, "rdomain=", 1) != NULL) {
|
||||
+ arg = strchr(attrib, '=');
|
||||
+ *(arg++) = '\0';
|
||||
+ } else {
|
||||
+ arg = argv_next(acp, avp);
|
||||
+ }
|
||||
+
|
||||
/* All other criteria require an argument */
|
||||
- if ((arg = argv_next(acp, avp)) == NULL ||
|
||||
- *arg == '\0' || *arg == '#') {
|
||||
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
|
||||
error("Missing Match criteria for %s", attrib);
|
||||
- return -1;
|
||||
+ result = -1;
|
||||
+ goto out;
|
||||
}
|
||||
if (strcasecmp(attrib, "user") == 0) {
|
||||
if (ci == NULL || (ci->test && ci->user == NULL)) {
|
||||
@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
|
||||
match_test_missing_fatal("Group", "user");
|
||||
switch (match_cfg_line_group(arg, line, ci->user)) {
|
||||
case -1:
|
||||
- return -1;
|
||||
+ result = -1;
|
||||
+ goto out;
|
||||
case 0:
|
||||
result = 0;
|
||||
}
|
||||
@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
|
||||
result = 0;
|
||||
break;
|
||||
case -2:
|
||||
- return -1;
|
||||
+ result = -1;
|
||||
+ goto out;
|
||||
}
|
||||
} else if (strcasecmp(attrib, "localaddress") == 0){
|
||||
if (ci == NULL || (ci->test && ci->laddress == NULL)) {
|
||||
@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
|
||||
result = 0;
|
||||
break;
|
||||
case -2:
|
||||
- return -1;
|
||||
+ result = -1;
|
||||
+ goto out;
|
||||
}
|
||||
} else if (strcasecmp(attrib, "localport") == 0) {
|
||||
if ((port = a2port(arg)) == -1) {
|
||||
error("Invalid LocalPort '%s' on Match line",
|
||||
arg);
|
||||
- return -1;
|
||||
+ result = -1;
|
||||
+ goto out;
|
||||
}
|
||||
if (ci == NULL || (ci->test && ci->lport == -1)) {
|
||||
result = 0;
|
||||
@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
|
||||
debug("user %.100s matched 'RDomain %.100s' at "
|
||||
"line %d", ci->rdomain, arg, line);
|
||||
} else {
|
||||
- error("Unsupported Match attribute %s", attrib);
|
||||
- return -1;
|
||||
+ error("Unsupported Match attribute %s", oattrib);
|
||||
+ result = -1;
|
||||
+ goto out;
|
||||
}
|
||||
+ free(attrib);
|
||||
+ attrib = NULL;
|
||||
}
|
||||
if (attributes == 0) {
|
||||
error("One or more attributes required for Match");
|
||||
return -1;
|
||||
}
|
||||
- if (ci != NULL)
|
||||
+ out:
|
||||
+ if (ci != NULL && result != -1)
|
||||
debug3("match %sfound", result ? "" : "not ");
|
||||
+ free(attrib);
|
||||
return result;
|
||||
}
|
||||
|
||||
--
|
||||
cgit v1.2.3
|
||||
|
@ -0,0 +1,65 @@
|
||||
From 19bcb2d90c6caf14abf386b644fb24eb7afab889 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Thu, 26 Sep 2024 23:55:08 +0000
|
||||
Subject: upstream: fix previous change to ssh_config Match, which broken on
|
||||
|
||||
negated Matches; spotted by phessler@ ok deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
|
||||
---
|
||||
readconf.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index de42fb6f..9f559269 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
|
||||
+/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
struct passwd *pw, const char *host_arg, const char *original_host,
|
||||
int final_pass, int *want_final_pass, const char *filename, int linenum)
|
||||
{
|
||||
- char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
|
||||
+ char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
|
||||
const char *ruser;
|
||||
int r, this_result, result = 1, attributes = 0, negate;
|
||||
|
||||
@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
|
||||
debug2("checking match for '%s' host %s originally %s",
|
||||
full_line, host, original_host);
|
||||
- while ((oattrib = argv_next(acp, avp)) != NULL) {
|
||||
- attrib = xstrdup(oattrib);
|
||||
+ while ((attrib = argv_next(acp, avp)) != NULL) {
|
||||
+ attrib = oattrib = xstrdup(attrib);
|
||||
/* Terminate on comment */
|
||||
if (*attrib == '#') {
|
||||
argv_consume(acp);
|
||||
@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
criteria == NULL ? "" : criteria,
|
||||
criteria == NULL ? "" : "\"");
|
||||
free(criteria);
|
||||
- free(attrib);
|
||||
- attrib = NULL;
|
||||
+ free(oattrib);
|
||||
+ oattrib = attrib = NULL;
|
||||
}
|
||||
if (attributes == 0) {
|
||||
error("One or more attributes required for Match");
|
||||
@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
|
||||
out:
|
||||
if (result != -1)
|
||||
debug2("match %sfound", result ? "" : "not ");
|
||||
- free(attrib);
|
||||
+ free(oattrib);
|
||||
free(host);
|
||||
return result;
|
||||
}
|
||||
--
|
||||
cgit v1.2.3
|
||||
|
@ -0,0 +1,94 @@
|
||||
From 11f348196b3fb51c3d8d1f4f36db9d73f03149ed Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Sun, 27 Oct 2024 02:06:01 +0000
|
||||
Subject: upstream: fix ML-KEM768x25519 KEX on big-endian systems; spotted by
|
||||
|
||||
jsg@ feedback/ok deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
|
||||
---
|
||||
libcrux_mlkem768_sha3.h | 8 +++++---
|
||||
mlkem768.sh | 17 ++++++++++++-----
|
||||
2 files changed, 17 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
|
||||
index a82d60e8..b8ac1436 100644
|
||||
--- a/libcrux_mlkem768_sha3.h
|
||||
+++ b/libcrux_mlkem768_sha3.h
|
||||
@@ -1,4 +1,5 @@
|
||||
-/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
|
||||
+/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
|
||||
+
|
||||
/* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
|
||||
|
||||
/*
|
||||
@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
|
||||
// CORE STUFF (conversions, endianness, ...)
|
||||
|
||||
static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
|
||||
+ v = htole64(v);
|
||||
memcpy(buf, &v, sizeof(v));
|
||||
}
|
||||
static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
|
||||
uint64_t v;
|
||||
memcpy(&v, buf, sizeof(v));
|
||||
- return v;
|
||||
+ return le64toh(v);
|
||||
}
|
||||
|
||||
static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
|
||||
uint32_t v;
|
||||
memcpy(&v, buf, sizeof(v));
|
||||
- return v;
|
||||
+ return le32toh(v);
|
||||
}
|
||||
|
||||
static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
|
||||
diff --git a/mlkem768.sh b/mlkem768.sh
|
||||
index 2fdc2831..3d12b2ed 100644
|
||||
--- a/mlkem768.sh
|
||||
+++ b/mlkem768.sh
|
||||
@@ -1,9 +1,10 @@
|
||||
#!/bin/sh
|
||||
-# $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
|
||||
+# $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
#
|
||||
|
||||
-WANT_LIBCRUX_REVISION="origin/main"
|
||||
+#WANT_LIBCRUX_REVISION="origin/main"
|
||||
+WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"
|
||||
|
||||
FILES="
|
||||
libcrux/libcrux-ml-kem/cg/eurydice_glue.h
|
||||
@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
|
||||
echo '#define KRML_HOST_EPRINTF(...)'
|
||||
echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
|
||||
echo
|
||||
+
|
||||
for i in $FILES; do
|
||||
echo "/* from $i */"
|
||||
# Changes to all files:
|
||||
@@ -56,11 +58,16 @@ for i in $FILES; do
|
||||
-e 's/[ ]*$//' \
|
||||
$i | \
|
||||
case "$i" in
|
||||
- # XXX per-file handling goes here.
|
||||
+ */libcrux-ml-kem/cg/eurydice_glue.h)
|
||||
+ # Replace endian functions with versions that work.
|
||||
+ perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' |
|
||||
+ perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
|
||||
+ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
|
||||
+ ;;
|
||||
# Default: pass through.
|
||||
*)
|
||||
- cat
|
||||
- ;;
|
||||
+ cat
|
||||
+ ;;
|
||||
esac
|
||||
echo
|
||||
done
|
||||
--
|
||||
cgit v1.2.3
|
||||
|
@ -1,19 +0,0 @@
|
||||
Index: openssh-9.6p1/log.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/log.c
|
||||
+++ openssh-9.6p1/log.c
|
||||
@@ -451,12 +451,14 @@ void
|
||||
sshsigdie(const char *file, const char *func, int line, int showfunc,
|
||||
LogLevel level, const char *suffix, const char *fmt, ...)
|
||||
{
|
||||
+#if 0
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
|
||||
suffix, fmt, args);
|
||||
va_end(args);
|
||||
+#endif
|
||||
_exit(1);
|
||||
}
|
||||
|
@ -1,25 +0,0 @@
|
||||
Index: openssh-9.3p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.3p1.orig/Makefile.in
|
||||
+++ openssh-9.3p1/Makefile.in
|
||||
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
|
||||
- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
# FIPS tests
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
|
||||
- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
56
fix-x11-regression-bsc1229449.patch
Normal file
56
fix-x11-regression-bsc1229449.patch
Normal file
@ -0,0 +1,56 @@
|
||||
Index: openssh-9.9p1/clientloop.c
|
||||
===================================================================
|
||||
--- openssh-9.9p1.orig/clientloop.c
|
||||
+++ openssh-9.9p1/clientloop.c
|
||||
@@ -663,9 +663,10 @@ obfuscate_keystroke_timing(struct ssh *s
|
||||
if (just_started)
|
||||
return 1;
|
||||
|
||||
- /* Don't arm output fd for poll until the timing interval has elapsed */
|
||||
+ /* Don't arm output fd for poll until the timing interval has elapsed... */
|
||||
if (timespeccmp(&now, &next_interval, <))
|
||||
- return 0;
|
||||
+ /* ...unless there's x11 communicattion happening */
|
||||
+ return x11_channel_used_recently(ssh);
|
||||
|
||||
/* Calculate number of intervals missed since the last check */
|
||||
n = (now.tv_sec - next_interval.tv_sec) * 1000LL * 1000 * 1000;
|
||||
Index: openssh-9.9p1/channels.c
|
||||
===================================================================
|
||||
--- openssh-9.9p1.orig/channels.c
|
||||
+++ openssh-9.9p1/channels.c
|
||||
@@ -5352,3 +5352,22 @@ x11_request_forwarding_with_spoofing(str
|
||||
fatal_fr(r, "send x11-req");
|
||||
free(new_data);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Returns whether an x11 channel was used recently (less than a second ago)
|
||||
+ */
|
||||
+int
|
||||
+x11_channel_used_recently(struct ssh *ssh) {
|
||||
+ u_int i;
|
||||
+ Channel *c;
|
||||
+ time_t lastused = 0;
|
||||
+
|
||||
+ for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
|
||||
+ c = ssh->chanctxt->channels[i];
|
||||
+ if (c == NULL || c->ctype == NULL || c->lastused == 0 ||
|
||||
+ strcmp(c->ctype, "x11-connection"))
|
||||
+ continue;
|
||||
+ lastused = c->lastused;
|
||||
+ }
|
||||
+ return (lastused != 0 && monotime() < lastused + 1);
|
||||
+}
|
||||
Index: openssh-9.9p1/channels.h
|
||||
===================================================================
|
||||
--- openssh-9.9p1.orig/channels.h
|
||||
+++ openssh-9.9p1/channels.h
|
||||
@@ -382,6 +382,7 @@ int x11_connect_display(struct ssh *);
|
||||
int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
|
||||
void x11_request_forwarding_with_spoofing(struct ssh *, int,
|
||||
const char *, const char *, const char *, int);
|
||||
+int x11_channel_used_recently(struct ssh *ssh);
|
||||
|
||||
/* channel close */
|
||||
|
@ -14,11 +14,11 @@ index f0ea07e7b..35dcf45f1 100644
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
|
||||
$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index a12c6f7ad..860df3379 100644
|
||||
--- a/configure.ac
|
||||
@ -106,7 +106,7 @@ index 86caf83b2..8b413190b 100644
|
||||
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
|
||||
if (li->type == LTYPE_LOGIN &&
|
||||
!sys_auth_record_login(li->username,li->hostname,li->line,
|
||||
@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li)
|
||||
@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -171,9 +171,12 @@ index 86caf83b2..8b413190b 100644
|
||||
+
|
||||
+ free(dbus_path);
|
||||
+
|
||||
+ if (sd_bus_flush(bus) < 0)
|
||||
+ if (sd_bus_flush(bus) < 0) {
|
||||
+ sd_bus_unref(bus);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ sd_bus_unref(bus);
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
|
@ -104,10 +104,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
Index: openssh-9.6p1/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
--- openssh-9.6p1.orig/sshd-session.c
|
||||
+++ openssh-9.6p1/sshd-session.c
|
||||
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
|
@ -16,70 +16,70 @@ Index: openssh-9.3p2/misc.c
|
||||
if (env != NULL)
|
||||
execve(av[0], av, env);
|
||||
else
|
||||
Index: openssh-9.3p2/HOWTO.ssh-keycat
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.3p2/HOWTO.ssh-keycat
|
||||
@@ -0,0 +1,12 @@
|
||||
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
+of an user in any environment. This includes environments with
|
||||
+polyinstantiation of home directories and SELinux MLS policy enabled.
|
||||
+
|
||||
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
||||
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
||||
+ AuthorizedKeysCommandUser root
|
||||
+
|
||||
+Do not forget to enable public key authentication:
|
||||
+ PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
Index: openssh-9.3p2/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/Makefile.in
|
||||
+++ openssh-9.3p2/Makefile.in
|
||||
@@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
|
||||
K5LIBS=@K5LIBS@
|
||||
GSSLIBS=@GSSLIBS@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
+KEYCATLIBS=@KEYCATLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBFIDO2=@LIBFIDO2@
|
||||
LIBWTMPDB=@LIBWTMPDB@
|
||||
@@ -75,7 +77,7 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
.SUFFIXES: .lo
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
|
||||
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
|
||||
@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
|
||||
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
|
||||
|
||||
@@ -431,6 +436,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
#Index: openssh-9.3p2/HOWTO.ssh-keycat
|
||||
#===================================================================
|
||||
#--- /dev/null
|
||||
#+++ openssh-9.3p2/HOWTO.ssh-keycat
|
||||
#@@ -0,0 +1,12 @@
|
||||
#+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
#+of an user in any environment. This includes environments with
|
||||
#+polyinstantiation of home directories and SELinux MLS policy enabled.
|
||||
#+
|
||||
#+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
||||
#+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
||||
#+ AuthorizedKeysCommandUser root
|
||||
#+
|
||||
#+Do not forget to enable public key authentication:
|
||||
#+ PubkeyAuthentication yes
|
||||
#+
|
||||
#+
|
||||
#Index: openssh-9.3p2/Makefile.in
|
||||
#===================================================================
|
||||
#--- openssh-9.3p2.orig/Makefile.in
|
||||
#+++ openssh-9.3p2/Makefile.in
|
||||
#@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
# ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
# SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
# SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
#+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
# SSHD_SESSION=$(libexecdir)/sshd-session
|
||||
# SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
# SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
#@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
|
||||
# K5LIBS=@K5LIBS@
|
||||
# GSSLIBS=@GSSLIBS@
|
||||
# SSHDLIBS=@SSHDLIBS@
|
||||
#+KEYCATLIBS=@KEYCATLIBS@
|
||||
# LIBEDIT=@LIBEDIT@
|
||||
# LIBFIDO2=@LIBFIDO2@
|
||||
# LIBWTMPDB=@LIBWTMPDB@
|
||||
#@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
#
|
||||
# .SUFFIXES: .lo
|
||||
#
|
||||
#-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
#+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
#
|
||||
# TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
#
|
||||
#@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
# ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||
# $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
|
||||
#
|
||||
#+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
#+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||
#+
|
||||
# ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
# $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
|
||||
#
|
||||
#@@ -431,6 +436,7 @@ install-files:
|
||||
# $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
# fi
|
||||
# $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
#+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
# $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
# $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
# $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
@ -99,9 +99,9 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
|
||||
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
|
||||
extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
|
||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
+int
|
||||
@ -129,14 +129,14 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -329,16 +343,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
if (inetd_flag && !rexeced_flag) {
|
||||
if (inetd_flag) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
use_current = "";
|
||||
@ -205,287 +205,287 @@ Index: openssh-9.3p2/platform.c
|
||||
#endif
|
||||
|
||||
#ifdef USE_SOLARIS_PROJECTS
|
||||
Index: openssh-9.3p2/ssh-keycat.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.3p2/ssh-keycat.c
|
||||
@@ -0,0 +1,241 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Red Hat, Inc.
|
||||
+ * Written by Tomas Mraz <tmraz@redhat.com>
|
||||
+*/
|
||||
+
|
||||
+#define _GNU_SOURCE
|
||||
+
|
||||
+#include "config.h"
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <pwd.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <unistd.h>
|
||||
+#ifdef HAVE_STDINT_H
|
||||
+#include <stdint.h>
|
||||
+#endif
|
||||
+
|
||||
+#include <security/pam_appl.h>
|
||||
+
|
||||
+#include "uidswap.h"
|
||||
+#include "misc.h"
|
||||
+
|
||||
+#define ERR_USAGE 1
|
||||
+#define ERR_PAM_START 2
|
||||
+#define ERR_OPEN_SESSION 3
|
||||
+#define ERR_CLOSE_SESSION 4
|
||||
+#define ERR_PAM_END 5
|
||||
+#define ERR_GETPWNAM 6
|
||||
+#define ERR_MEMORY 7
|
||||
+#define ERR_OPEN 8
|
||||
+#define ERR_FILE_MODE 9
|
||||
+#define ERR_FDOPEN 10
|
||||
+#define ERR_STAT 11
|
||||
+#define ERR_WRITE 12
|
||||
+#define ERR_PAM_PUTENV 13
|
||||
+#define BUFLEN 4096
|
||||
+
|
||||
+/* Just ignore the messages in the conversation function */
|
||||
+static int
|
||||
+dummy_conv(int num_msg, const struct pam_message **msgm,
|
||||
+ struct pam_response **response, void *appdata_ptr)
|
||||
+{
|
||||
+ struct pam_response *rsp;
|
||||
+
|
||||
+ (void)msgm;
|
||||
+ (void)appdata_ptr;
|
||||
+
|
||||
+ if (num_msg <= 0)
|
||||
+ return PAM_CONV_ERR;
|
||||
+
|
||||
+ /* Just allocate the array as empty responses */
|
||||
+ rsp = calloc (num_msg, sizeof (struct pam_response));
|
||||
+ if (rsp == NULL)
|
||||
+ return PAM_CONV_ERR;
|
||||
+
|
||||
+ *response = rsp;
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+static struct pam_conv conv = {
|
||||
+ dummy_conv,
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+char *
|
||||
+make_auth_keys_name(const struct passwd *pwd)
|
||||
+{
|
||||
+ char *fname;
|
||||
+
|
||||
+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return fname;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+dump_keys(const char *user)
|
||||
+{
|
||||
+ struct passwd *pwd;
|
||||
+ int fd = -1;
|
||||
+ FILE *f = NULL;
|
||||
+ char *fname = NULL;
|
||||
+ int rv = 0;
|
||||
+ char buf[BUFLEN];
|
||||
+ size_t len;
|
||||
+ struct stat st;
|
||||
+
|
||||
+ if ((pwd = getpwnam(user)) == NULL) {
|
||||
+ return ERR_GETPWNAM;
|
||||
+ }
|
||||
+
|
||||
+ if ((fname = make_auth_keys_name(pwd)) == NULL) {
|
||||
+ return ERR_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ temporarily_use_uid(pwd);
|
||||
+
|
||||
+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
|
||||
+ rv = ERR_OPEN;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (fstat(fd, &st) < 0) {
|
||||
+ rv = ERR_STAT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (!S_ISREG(st.st_mode) ||
|
||||
+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
|
||||
+ rv = ERR_FILE_MODE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ unset_nonblock(fd);
|
||||
+
|
||||
+ if ((f = fdopen(fd, "r")) == NULL) {
|
||||
+ rv = ERR_FDOPEN;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ fd = -1;
|
||||
+
|
||||
+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
|
||||
+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
|
||||
+ }
|
||||
+
|
||||
+fail:
|
||||
+ if (fd != -1)
|
||||
+ close(fd);
|
||||
+ if (f != NULL)
|
||||
+ fclose(f);
|
||||
+ free(fname);
|
||||
+ restore_uid();
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
|
||||
+ "SELINUX_LEVEL_REQUESTED",
|
||||
+ "SELINUX_USE_CURRENT_RANGE"
|
||||
+};
|
||||
+
|
||||
+extern char **environ;
|
||||
+
|
||||
+int
|
||||
+set_pam_environment(pam_handle_t *pamh)
|
||||
+{
|
||||
+ int i;
|
||||
+ size_t j;
|
||||
+
|
||||
+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
|
||||
+ int len = strlen(env_names[j]);
|
||||
+
|
||||
+ for (i = 0; environ[i] != NULL; ++i) {
|
||||
+ if (strncmp(env_names[j], environ[i], len) == 0 &&
|
||||
+ environ[i][len] == '=') {
|
||||
+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
|
||||
+ return ERR_PAM_PUTENV;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+ pam_handle_t *pamh = NULL;
|
||||
+ int retval;
|
||||
+ int ev = 0;
|
||||
+
|
||||
+ if (argc != 2) {
|
||||
+ fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
|
||||
+ return ERR_USAGE;
|
||||
+ }
|
||||
+
|
||||
+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ return ERR_PAM_START;
|
||||
+ }
|
||||
+
|
||||
+ ev = set_pam_environment(pamh);
|
||||
+ if (ev != 0)
|
||||
+ goto finish;
|
||||
+
|
||||
+ retval = pam_open_session(pamh, PAM_SILENT);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ ev = ERR_OPEN_SESSION;
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
+ ev = dump_keys(argv[1]);
|
||||
+
|
||||
+ retval = pam_close_session(pamh, PAM_SILENT);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ ev = ERR_CLOSE_SESSION;
|
||||
+ }
|
||||
+
|
||||
+finish:
|
||||
+ retval = pam_end (pamh,retval);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ ev = ERR_PAM_END;
|
||||
+ }
|
||||
+ return ev;
|
||||
+}
|
||||
Index: openssh-9.3p2/configure.ac
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/configure.ac
|
||||
+++ openssh-9.3p2/configure.ac
|
||||
@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
|
||||
PAM_MSG="yes"
|
||||
|
||||
SSHDLIBS="$SSHDLIBS -lpam"
|
||||
+ KEYCATLIBS="$KEYCATLIBS -lpam"
|
||||
AC_DEFINE([USE_PAM], [1],
|
||||
[Define if you want to enable PAM support])
|
||||
|
||||
@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
|
||||
;;
|
||||
*)
|
||||
SSHDLIBS="$SSHDLIBS -ldl"
|
||||
+ KEYCATLIBS="$KEYCATLIBS -ldl"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST([SSHDLIBS])
|
||||
+AC_SUBST([KEYCATLIBS])
|
||||
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
@@ -5905,6 +5908,9 @@ fi
|
||||
if test ! -z "${SSHDLIBS}"; then
|
||||
echo " +for sshd: ${SSHDLIBS}"
|
||||
fi
|
||||
+if test ! -z "${KEYCATLIBS}"; then
|
||||
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
||||
+fi
|
||||
|
||||
echo ""
|
||||
|
||||
#Index: openssh-9.3p2/ssh-keycat.c
|
||||
#===================================================================
|
||||
#--- /dev/null
|
||||
#+++ openssh-9.3p2/ssh-keycat.c
|
||||
#@@ -0,0 +1,241 @@
|
||||
#+/*
|
||||
#+ * Redistribution and use in source and binary forms, with or without
|
||||
#+ * modification, are permitted provided that the following conditions
|
||||
#+ * are met:
|
||||
#+ * 1. Redistributions of source code must retain the above copyright
|
||||
#+ * notice, and the entire permission notice in its entirety,
|
||||
#+ * including the disclaimer of warranties.
|
||||
#+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
#+ * notice, this list of conditions and the following disclaimer in the
|
||||
#+ * documentation and/or other materials provided with the distribution.
|
||||
#+ * 3. The name of the author may not be used to endorse or promote
|
||||
#+ * products derived from this software without specific prior
|
||||
#+ * written permission.
|
||||
#+ *
|
||||
#+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
#+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
#+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
#+ * necessary due to a potential bad interaction between the GPL and
|
||||
#+ * the restrictions contained in a BSD-style copyright.)
|
||||
#+ *
|
||||
#+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
#+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
#+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
#+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
#+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
#+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
#+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
#+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
#+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
#+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
#+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
#+ */
|
||||
#+
|
||||
#+/*
|
||||
#+ * Copyright (c) 2011 Red Hat, Inc.
|
||||
#+ * Written by Tomas Mraz <tmraz@redhat.com>
|
||||
#+*/
|
||||
#+
|
||||
#+#define _GNU_SOURCE
|
||||
#+
|
||||
#+#include "config.h"
|
||||
#+#include <stdio.h>
|
||||
#+#include <stdlib.h>
|
||||
#+#include <string.h>
|
||||
#+#include <sys/types.h>
|
||||
#+#include <sys/stat.h>
|
||||
#+#include <pwd.h>
|
||||
#+#include <fcntl.h>
|
||||
#+#include <unistd.h>
|
||||
#+#ifdef HAVE_STDINT_H
|
||||
#+#include <stdint.h>
|
||||
#+#endif
|
||||
#+
|
||||
#+#include <security/pam_appl.h>
|
||||
#+
|
||||
#+#include "uidswap.h"
|
||||
#+#include "misc.h"
|
||||
#+
|
||||
#+#define ERR_USAGE 1
|
||||
#+#define ERR_PAM_START 2
|
||||
#+#define ERR_OPEN_SESSION 3
|
||||
#+#define ERR_CLOSE_SESSION 4
|
||||
#+#define ERR_PAM_END 5
|
||||
#+#define ERR_GETPWNAM 6
|
||||
#+#define ERR_MEMORY 7
|
||||
#+#define ERR_OPEN 8
|
||||
#+#define ERR_FILE_MODE 9
|
||||
#+#define ERR_FDOPEN 10
|
||||
#+#define ERR_STAT 11
|
||||
#+#define ERR_WRITE 12
|
||||
#+#define ERR_PAM_PUTENV 13
|
||||
#+#define BUFLEN 4096
|
||||
#+
|
||||
#+/* Just ignore the messages in the conversation function */
|
||||
#+static int
|
||||
#+dummy_conv(int num_msg, const struct pam_message **msgm,
|
||||
#+ struct pam_response **response, void *appdata_ptr)
|
||||
#+{
|
||||
#+ struct pam_response *rsp;
|
||||
#+
|
||||
#+ (void)msgm;
|
||||
#+ (void)appdata_ptr;
|
||||
#+
|
||||
#+ if (num_msg <= 0)
|
||||
#+ return PAM_CONV_ERR;
|
||||
#+
|
||||
#+ /* Just allocate the array as empty responses */
|
||||
#+ rsp = calloc (num_msg, sizeof (struct pam_response));
|
||||
#+ if (rsp == NULL)
|
||||
#+ return PAM_CONV_ERR;
|
||||
#+
|
||||
#+ *response = rsp;
|
||||
#+ return PAM_SUCCESS;
|
||||
#+}
|
||||
#+
|
||||
#+static struct pam_conv conv = {
|
||||
#+ dummy_conv,
|
||||
#+ NULL
|
||||
#+};
|
||||
#+
|
||||
#+char *
|
||||
#+make_auth_keys_name(const struct passwd *pwd)
|
||||
#+{
|
||||
#+ char *fname;
|
||||
#+
|
||||
#+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
|
||||
#+ return NULL;
|
||||
#+
|
||||
#+ return fname;
|
||||
#+}
|
||||
#+
|
||||
#+int
|
||||
#+dump_keys(const char *user)
|
||||
#+{
|
||||
#+ struct passwd *pwd;
|
||||
#+ int fd = -1;
|
||||
#+ FILE *f = NULL;
|
||||
#+ char *fname = NULL;
|
||||
#+ int rv = 0;
|
||||
#+ char buf[BUFLEN];
|
||||
#+ size_t len;
|
||||
#+ struct stat st;
|
||||
#+
|
||||
#+ if ((pwd = getpwnam(user)) == NULL) {
|
||||
#+ return ERR_GETPWNAM;
|
||||
#+ }
|
||||
#+
|
||||
#+ if ((fname = make_auth_keys_name(pwd)) == NULL) {
|
||||
#+ return ERR_MEMORY;
|
||||
#+ }
|
||||
#+
|
||||
#+ temporarily_use_uid(pwd);
|
||||
#+
|
||||
#+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
|
||||
#+ rv = ERR_OPEN;
|
||||
#+ goto fail;
|
||||
#+ }
|
||||
#+
|
||||
#+ if (fstat(fd, &st) < 0) {
|
||||
#+ rv = ERR_STAT;
|
||||
#+ goto fail;
|
||||
#+ }
|
||||
#+
|
||||
#+ if (!S_ISREG(st.st_mode) ||
|
||||
#+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
|
||||
#+ rv = ERR_FILE_MODE;
|
||||
#+ goto fail;
|
||||
#+ }
|
||||
#+
|
||||
#+ unset_nonblock(fd);
|
||||
#+
|
||||
#+ if ((f = fdopen(fd, "r")) == NULL) {
|
||||
#+ rv = ERR_FDOPEN;
|
||||
#+ goto fail;
|
||||
#+ }
|
||||
#+
|
||||
#+ fd = -1;
|
||||
#+
|
||||
#+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
|
||||
#+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
|
||||
#+ }
|
||||
#+
|
||||
#+fail:
|
||||
#+ if (fd != -1)
|
||||
#+ close(fd);
|
||||
#+ if (f != NULL)
|
||||
#+ fclose(f);
|
||||
#+ free(fname);
|
||||
#+ restore_uid();
|
||||
#+ return rv;
|
||||
#+}
|
||||
#+
|
||||
#+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
|
||||
#+ "SELINUX_LEVEL_REQUESTED",
|
||||
#+ "SELINUX_USE_CURRENT_RANGE"
|
||||
#+};
|
||||
#+
|
||||
#+extern char **environ;
|
||||
#+
|
||||
#+int
|
||||
#+set_pam_environment(pam_handle_t *pamh)
|
||||
#+{
|
||||
#+ int i;
|
||||
#+ size_t j;
|
||||
#+
|
||||
#+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
|
||||
#+ int len = strlen(env_names[j]);
|
||||
#+
|
||||
#+ for (i = 0; environ[i] != NULL; ++i) {
|
||||
#+ if (strncmp(env_names[j], environ[i], len) == 0 &&
|
||||
#+ environ[i][len] == '=') {
|
||||
#+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
|
||||
#+ return ERR_PAM_PUTENV;
|
||||
#+ }
|
||||
#+ }
|
||||
#+ }
|
||||
#+
|
||||
#+ return 0;
|
||||
#+}
|
||||
#+
|
||||
#+int
|
||||
#+main(int argc, char *argv[])
|
||||
#+{
|
||||
#+ pam_handle_t *pamh = NULL;
|
||||
#+ int retval;
|
||||
#+ int ev = 0;
|
||||
#+
|
||||
#+ if (argc != 2) {
|
||||
#+ fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
|
||||
#+ return ERR_USAGE;
|
||||
#+ }
|
||||
#+
|
||||
#+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
|
||||
#+ if (retval != PAM_SUCCESS) {
|
||||
#+ return ERR_PAM_START;
|
||||
#+ }
|
||||
#+
|
||||
#+ ev = set_pam_environment(pamh);
|
||||
#+ if (ev != 0)
|
||||
#+ goto finish;
|
||||
#+
|
||||
#+ retval = pam_open_session(pamh, PAM_SILENT);
|
||||
#+ if (retval != PAM_SUCCESS) {
|
||||
#+ ev = ERR_OPEN_SESSION;
|
||||
#+ goto finish;
|
||||
#+ }
|
||||
#+
|
||||
#+ ev = dump_keys(argv[1]);
|
||||
#+
|
||||
#+ retval = pam_close_session(pamh, PAM_SILENT);
|
||||
#+ if (retval != PAM_SUCCESS) {
|
||||
#+ ev = ERR_CLOSE_SESSION;
|
||||
#+ }
|
||||
#+
|
||||
#+finish:
|
||||
#+ retval = pam_end (pamh,retval);
|
||||
#+ if (retval != PAM_SUCCESS) {
|
||||
#+ ev = ERR_PAM_END;
|
||||
#+ }
|
||||
#+ return ev;
|
||||
#+}
|
||||
#Index: openssh-9.3p2/configure.ac
|
||||
#===================================================================
|
||||
#--- openssh-9.3p2.orig/configure.ac
|
||||
#+++ openssh-9.3p2/configure.ac
|
||||
#@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
|
||||
# PAM_MSG="yes"
|
||||
#
|
||||
# SSHDLIBS="$SSHDLIBS -lpam"
|
||||
#+ KEYCATLIBS="$KEYCATLIBS -lpam"
|
||||
# AC_DEFINE([USE_PAM], [1],
|
||||
# [Define if you want to enable PAM support])
|
||||
#
|
||||
#@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
|
||||
# ;;
|
||||
# *)
|
||||
# SSHDLIBS="$SSHDLIBS -ldl"
|
||||
#+ KEYCATLIBS="$KEYCATLIBS -ldl"
|
||||
# ;;
|
||||
# esac
|
||||
# fi
|
||||
#@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
|
||||
# fi ]
|
||||
# )
|
||||
# AC_SUBST([SSHDLIBS])
|
||||
#+AC_SUBST([KEYCATLIBS])
|
||||
#
|
||||
# # Check whether user wants Kerberos 5 support
|
||||
# KRB5_MSG="no"
|
||||
#@@ -5905,6 +5908,9 @@ fi
|
||||
# if test ! -z "${SSHDLIBS}"; then
|
||||
# echo " +for sshd: ${SSHDLIBS}"
|
||||
# fi
|
||||
#+if test ! -z "${KEYCATLIBS}"; then
|
||||
#+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
||||
#+fi
|
||||
#
|
||||
# echo ""
|
||||
#
|
||||
|
@ -52,7 +52,7 @@ Index: openssh-9.3p2/session.c
|
||||
platform_setusercontext(pw);
|
||||
|
||||
- if (platform_privileged_uidswap()) {
|
||||
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
|
||||
+ if (platform_privileged_uidswap() && !is_child) {
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
@ -98,11 +98,11 @@ Index: openssh-9.3p2/session.c
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
@@ -510,6 +510,10 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
@ -113,13 +113,12 @@ Index: openssh-9.3p2/sshd.c
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
/* Change our root directory */
|
||||
@@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
+#elif defined(WITH_SELINUX)
|
||||
+ if (0) {
|
||||
+ /* even root user can be confined by SELinux */
|
||||
#else
|
||||
if (authctxt->pw->pw_uid == 0) {
|
||||
@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
* fd passing, as AFAIK PTY allocation on this platform doesn't require
|
||||
* special privileges to begin with.
|
||||
*/
|
||||
-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
|
||||
+#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
|
||||
skip_privdrop = 1;
|
||||
#endif
|
||||
|
||||
|
@ -9,16 +9,16 @@ Index: openssh-9.3p2/auth2-pubkey.c
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
extern struct authmethod_cfg methodcfg_pubkey;
|
||||
|
||||
static char *
|
||||
format_key(const struct sshkey *key)
|
||||
@@ -459,7 +462,8 @@ match_principals_command(struct passwd *
|
||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
|
||||
ac, av, &f,
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||
+ inetd_flag, the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
@ -28,7 +28,7 @@ Index: openssh-9.3p2/auth2-pubkey.c
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||
+ inetd_flag, the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
@ -87,14 +87,13 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -49,11 +49,6 @@
|
||||
@@ -49,10 +49,6 @@
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
-extern ServerOptions options;
|
||||
-extern Authctxt *the_authctxt;
|
||||
-extern int inetd_flag;
|
||||
-extern int rexeced_flag;
|
||||
-
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
@ -133,7 +132,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
|
||||
if (r == 0) {
|
||||
/* If launched from xinetd, we must use current level */
|
||||
- if (inetd_flag && !rexeced_flag) {
|
||||
- if (inetd_flag) {
|
||||
+ if (inetd) {
|
||||
security_context_t sshdsc=NULL;
|
||||
|
||||
@ -157,7 +156,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
|
||||
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
- if (inetd_flag && !rexeced_flag) {
|
||||
- if (inetd_flag) {
|
||||
+ if (inetd) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
@ -222,56 +221,46 @@ Index: openssh-9.3p2/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/platform.c
|
||||
+++ openssh-9.3p2/platform.c
|
||||
@@ -34,6 +34,9 @@
|
||||
@@ -34,6 +34,8 @@
|
||||
#include "openbsd-compat/openbsd-compat.h"
|
||||
|
||||
extern int use_privsep;
|
||||
extern ServerOptions options;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
||||
void
|
||||
platform_pre_listen(void)
|
||||
@@ -185,7 +188,9 @@ platform_setusercontext_post_groups(stru
|
||||
/* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
|
||||
int
|
||||
@@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(pw->pw_name,
|
||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
||||
+ inetd_flag, do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
@@ -166,7 +166,7 @@ int debug_flag = 0;
|
||||
static int test_flag = 0;
|
||||
int debug_flag = 0;
|
||||
|
||||
/* Flag indicating that the daemon is being started from inetd. */
|
||||
-static int inetd_flag = 0;
|
||||
+int inetd_flag = 0;
|
||||
|
||||
/* Flag indicating that sshd should not detach and become a daemon. */
|
||||
static int no_daemon_flag = 0;
|
||||
@@ -179,7 +179,7 @@ static char **saved_argv;
|
||||
static int saved_argc;
|
||||
|
||||
/* re-exec */
|
||||
-static int rexeced_flag = 0;
|
||||
+int rexeced_flag = 0;
|
||||
static int rexec_flag = 1;
|
||||
static int rexec_argc = 0;
|
||||
static char **rexec_argv;
|
||||
/* debug goes to stderr unless inetd_flag is set */
|
||||
static int log_stderr = 0;
|
||||
@@ -2396,7 +2396,9 @@ main(int ac, char **av)
|
||||
}
|
||||
#endif
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
|
||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
||||
+ inetd_flag, do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
#ifdef USE_PAM
|
||||
|
@ -7,7 +7,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSHD_SESSION=$(libexecdir)/sshd-session
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
+TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+
|
||||
@ -29,7 +29,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
|
||||
+# FIPS tests
|
||||
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
|
@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
-TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
@ -25,10 +25,10 @@ Index: openssh-8.8p1/Makefile.in
|
||||
ssh-xmss.o \
|
||||
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
|
@ -389,17 +389,17 @@ Index: openssh-9.6p1/hmac.c
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
Index: openssh-9.6p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/kex.c
|
||||
+++ openssh-9.6p1/kex.c
|
||||
--- openssh-9.6p1.orig/kex-names.c
|
||||
+++ openssh-9.6p1/kex-names.c
|
||||
@@ -64,6 +64,8 @@
|
||||
#include "digest.h"
|
||||
#include "ssherr.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||
struct kexalg {
|
||||
char *name;
|
||||
u_int type;
|
||||
@@ -87,7 +89,7 @@ struct kexalg {
|
||||
int ec_nid;
|
||||
int hash_alg;
|
||||
@ -647,8 +647,8 @@ Index: openssh-9.6p1/servconf.c
|
||||
#include "digest.h"
|
||||
+#include "fips.h"
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
#if !defined(SSHD_PAM_SERVICE)
|
||||
# define SSHD_PAM_SERVICE "sshd"
|
||||
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
@ -754,7 +754,7 @@ Index: openssh-9.6p1/ssh-keygen.c
|
||||
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
|
||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||
|
||||
type = sshkey_type_from_name(key_type_name);
|
||||
type = sshkey_type_from_shortname(key_type_name);
|
||||
+
|
||||
+ /* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
|
||||
+ * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit
|
||||
@ -785,8 +785,8 @@ Index: openssh-9.6p1/sshd.c
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -128,6 +128,8 @@
|
||||
#include "addr.h"
|
||||
#include "srclimit.h"
|
||||
#include "dh.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
|
@ -459,13 +459,13 @@ Index: openssh-8.8p1/sshd.c
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
|
||||
struct connection_info *connection_info = NULL;
|
||||
struct connection_info connection_info;
|
||||
sigset_t sigmask;
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
memset(&connection_info, 0, sizeof(connection_info));
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
|
@ -128,7 +128,7 @@ Index: openssh-8.9p1/Makefile.in
|
||||
--- openssh-8.9p1.orig/Makefile.in
|
||||
+++ openssh-8.9p1/Makefile.in
|
||||
@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSHD_SESSION=$(libexecdir)/sshd-session
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
@ -168,7 +168,7 @@ Index: openssh-8.9p1/Makefile.in
|
||||
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -421,6 +429,10 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
||||
|
@ -32,17 +32,17 @@ Index: openssh-8.8p1/servconf.c
|
||||
--- openssh-8.8p1.orig/servconf.c
|
||||
+++ openssh-8.8p1/servconf.c
|
||||
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
|
||||
|
||||
/* Portable-specific options */
|
||||
options->use_pam = -1;
|
||||
options->pam_service_name = NULL;
|
||||
+ options->use_pam_check_locks = -1;
|
||||
|
||||
/* Standard Options */
|
||||
options->num_ports = 0;
|
||||
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
||||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
options->use_pam = 0;
|
||||
if (options->pam_service_name == NULL)
|
||||
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
|
||||
+ if (options->use_pam_check_locks == -1)
|
||||
+ options->use_pam_check_locks = 0;
|
||||
|
||||
@ -52,26 +52,27 @@ Index: openssh-8.8p1/servconf.c
|
||||
typedef enum {
|
||||
sBadOption, /* == unknown option */
|
||||
/* Portable-specific options */
|
||||
- sUsePAM,
|
||||
+ sUsePAM, sUsePAMChecklocks,
|
||||
- sUsePAM, sPAMServiceName,
|
||||
+ sUsePAM, sPAMServiceName, sUsePAMChecklocks,
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
@@ -535,8 +538,10 @@ static struct {
|
||||
/* Portable-specific options */
|
||||
@@ -535,9 +538,11 @@ static struct {
|
||||
#ifdef USE_PAM
|
||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
|
||||
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sUnsupported, SSHCFG_ALL },
|
||||
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||
/* Standard Options */
|
||||
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
|
||||
case sUsePAM:
|
||||
intptr = &options->use_pam;
|
||||
goto parse_flag;
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
+ case sUsePAMChecklocks:
|
||||
+ intptr = &options->use_pam_check_locks;
|
||||
+ goto parse_flag;
|
||||
@ -83,9 +84,9 @@ Index: openssh-8.8p1/servconf.h
|
||||
--- openssh-8.8p1.orig/servconf.h
|
||||
+++ openssh-8.8p1/servconf.h
|
||||
@@ -200,6 +200,7 @@ typedef struct {
|
||||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
char *pam_service_name;
|
||||
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
||||
|
||||
int permit_tun;
|
||||
|
@ -61,7 +61,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
#include "sshpty.h"
|
||||
@@ -308,6 +312,10 @@ sighup_handler(int sig)
|
||||
static void
|
||||
sighup_restart(void)
|
||||
@ -84,4 +84,4 @@ Index: openssh-8.8p1/sshd.c
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s);
|
||||
&newsock, config_s, log_stderr);
|
||||
|
@ -1,8 +1,7 @@
|
||||
Index: openssh-9.6p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2.c
|
||||
+++ openssh-9.6p1/auth2.c
|
||||
@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
|
||||
diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
|
||||
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
|
||||
@ -12,7 +11,7 @@ Index: openssh-9.6p1/auth2.c
|
||||
int r, authenticated = 0;
|
||||
double tstart = monotime_double();
|
||||
|
||||
@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32
|
||||
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
@ -24,36 +23,32 @@ Index: openssh-9.6p1/auth2.c
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
|
||||
setproctitle("%s [net]", authctxt->valid ? user : "unknown");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
- if (use_privsep)
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role ? xstrdup(role) : NULL;
|
||||
+#endif
|
||||
+ if (use_privsep) {
|
||||
mm_inform_authserv(service, style);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ mm_inform_authrole(role);
|
||||
+#endif
|
||||
+ }
|
||||
userauth_banner(ssh);
|
||||
if ((r = kex_server_update_ext_info(ssh)) != 0)
|
||||
fatal_fr(r, "kex_server_update_ext_info failed");
|
||||
Index: openssh-9.6p1/auth2-gss.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-gss.c
|
||||
+++ openssh-9.6p1/auth2-gss.c
|
||||
@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
||||
@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int r, authenticated = 0;
|
||||
+ char *micuser;
|
||||
struct sshbuf *b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
const char *displayname;
|
||||
@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
u_char *p;
|
||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
fatal_f("sshbuf_new failed");
|
||||
mic.value = p;
|
||||
mic.length = len;
|
||||
@ -68,7 +63,7 @@ Index: openssh-9.6p1/auth2-gss.c
|
||||
"gssapi-with-mic", ssh->kex->session_id);
|
||||
|
||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||
@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
sshbuf_free(b);
|
||||
@ -76,12 +71,11 @@ Index: openssh-9.6p1/auth2-gss.c
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
if ((!use_privsep || mm_is_monitor()) &&
|
||||
Index: openssh-9.6p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-hostbased.c
|
||||
+++ openssh-9.6p1/auth2-hostbased.c
|
||||
@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||
/* reconstruct packet */
|
||||
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
@ -98,11 +92,10 @@ Index: openssh-9.6p1/auth2-hostbased.c
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, method)) != 0 ||
|
||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||
Index: openssh-9.6p1/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-pubkey.c
|
||||
+++ openssh-9.6p1/auth2-pubkey.c
|
||||
@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
|
||||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
|
||||
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
|
||||
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
|
||||
goto done;
|
||||
}
|
||||
/* reconstruct packet */
|
||||
@ -121,10 +114,9 @@ Index: openssh-9.6p1/auth2-pubkey.c
|
||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
Index: openssh-9.6p1/auth.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth.h
|
||||
+++ openssh-9.6p1/auth.h
|
||||
diff -up openssh/auth.h.role-mls openssh/auth.h
|
||||
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -65,6 +65,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
@ -135,11 +127,10 @@ Index: openssh-9.6p1/auth.h
|
||||
|
||||
/* Method lists for multiple authentication */
|
||||
char **auth_methods; /* modified from server config */
|
||||
Index: openssh-9.6p1/auth-pam.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth-pam.c
|
||||
+++ openssh-9.6p1/auth-pam.c
|
||||
@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
|
||||
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
||||
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
@ -148,24 +139,22 @@ Index: openssh-9.6p1/auth-pam.c
|
||||
{
|
||||
int ret = 1;
|
||||
char *compound;
|
||||
Index: openssh-9.6p1/auth-pam.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth-pam.h
|
||||
+++ openssh-9.6p1/auth-pam.h
|
||||
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(struct ssh *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_setcred(void);
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
Index: openssh-9.6p1/misc.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/misc.c
|
||||
+++ openssh-9.6p1/misc.c
|
||||
@@ -771,6 +771,7 @@ char *
|
||||
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -542,6 +542,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -173,7 +162,7 @@ Index: openssh-9.6p1/misc.c
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -786,6 +787,13 @@ colon(char *cp)
|
||||
@@ -557,6 +558,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
@ -187,11 +176,10 @@ Index: openssh-9.6p1/misc.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
Index: openssh-9.6p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor.c
|
||||
+++ openssh-9.6p1/monitor.c
|
||||
@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||
diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
--- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
|
||||
+++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
|
||||
@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||
@ -201,7 +189,7 @@ Index: openssh-9.6p1/monitor.c
|
||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||
@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -211,7 +199,7 @@ Index: openssh-9.6p1/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||
@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
@ -221,7 +209,7 @@ Index: openssh-9.6p1/monitor.c
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -908,6 +917,26 @@ key_base_type_match(const char *method,
|
||||
@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
|
||||
return found;
|
||||
}
|
||||
|
||||
@ -248,7 +236,7 @@ Index: openssh-9.6p1/monitor.c
|
||||
int
|
||||
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
{
|
||||
@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
struct sshbuf *b;
|
||||
struct sshkey *hostkey = NULL;
|
||||
const u_char *p;
|
||||
@ -257,7 +245,7 @@ Index: openssh-9.6p1/monitor.c
|
||||
size_t len;
|
||||
u_char type;
|
||||
int hostbound = 0, r, fail = 0;
|
||||
@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
@ -266,7 +254,7 @@ Index: openssh-9.6p1/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||
@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||
{
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
@ -275,7 +263,7 @@ Index: openssh-9.6p1/monitor.c
|
||||
size_t len;
|
||||
int r, fail = 0;
|
||||
u_char type;
|
||||
@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||
@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
@ -284,10 +272,9 @@ Index: openssh-9.6p1/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
Index: openssh-9.6p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor.h
|
||||
+++ openssh-9.6p1/monitor.h
|
||||
diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
|
||||
@@ -55,6 +55,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
@ -299,11 +286,10 @@ Index: openssh-9.6p1/monitor.h
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
Index: openssh-9.6p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor_wrap.c
|
||||
+++ openssh-9.6p1/monitor_wrap.c
|
||||
@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
|
||||
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
|
||||
@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
@ -331,11 +317,10 @@ Index: openssh-9.6p1/monitor_wrap.c
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
Index: openssh-9.6p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor_wrap.h
|
||||
+++ openssh-9.6p1/monitor_wrap.h
|
||||
@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
|
||||
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||
const u_char *, size_t, const char *, const char *,
|
||||
const char *, u_int compat);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
@ -345,11 +330,10 @@ Index: openssh-9.6p1/monitor_wrap.h
|
||||
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
Index: openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/Makefile.in
|
||||
+++ openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
@@ -100,7 +100,8 @@ PORTS= port-aix.o \
|
||||
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
|
||||
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
||||
port-prngd.o \
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
@ -359,11 +343,10 @@ Index: openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.c
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
@ -401,7 +384,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
@ -414,10 +397,9 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -20,9 +20,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
@ -430,11 +412,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
@@ -0,0 +1,421 @@
|
||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -0,0 +1,420 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
@ -488,7 +469,6 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
+extern ServerOptions options;
|
||||
+extern Authctxt *the_authctxt;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+
|
||||
+/* Send audit message */
|
||||
+static int
|
||||
@ -694,7 +674,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
+
|
||||
+ if (r == 0) {
|
||||
+ /* If launched from xinetd, we must use current level */
|
||||
+ if (inetd_flag && !rexeced_flag) {
|
||||
+ if (inetd_flag) {
|
||||
+ security_context_t sshdsc=NULL;
|
||||
+
|
||||
+ if (getcon_raw(&sshdsc) < 0)
|
||||
@ -768,7 +748,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
+
|
||||
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+
|
||||
+ if (inetd_flag && !rexeced_flag) {
|
||||
+ if (inetd_flag) {
|
||||
+ use_current = "1";
|
||||
+ } else {
|
||||
+ use_current = "";
|
||||
@ -856,11 +836,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-9.6p1/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/platform.c
|
||||
+++ openssh-9.6p1/platform.c
|
||||
@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
|
||||
diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
@ -869,11 +848,10 @@ Index: openssh-9.6p1/platform.c
|
||||
#endif
|
||||
}
|
||||
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -2387,6 +2387,9 @@ main(int ac, char **av)
|
||||
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||
--- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200
|
||||
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
@ -882,4 +860,4 @@ Index: openssh-9.6p1/sshd.c
|
||||
+#endif
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred(1);
|
||||
do_pam_setcred();
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -3,7 +3,7 @@ Index: openssh-8.9p1/Makefile.in
|
||||
--- openssh-8.9p1.orig/Makefile.in
|
||||
+++ openssh-8.9p1/Makefile.in
|
||||
@@ -116,7 +116,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
||||
kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
|
||||
kexgssc.o \
|
||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||
- sshbuf-io.o
|
||||
@ -236,7 +236,7 @@ Index: openssh-8.9p1/audit-linux.c
|
||||
/* Below is the sshd audit API code */
|
||||
|
||||
void
|
||||
@@ -76,49 +176,210 @@ audit_connection_from(const char *host,
|
||||
@@ -76,49 +176,211 @@ audit_connection_from(const char *host,
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
@ -315,6 +315,7 @@ Index: openssh-8.9p1/audit-linux.c
|
||||
case SSH_AUTH_FAIL_PASSWD:
|
||||
+ if (options.use_pam)
|
||||
+ break;
|
||||
+ /* Fallthrough */
|
||||
+ case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
case SSH_AUTH_FAIL_KBDINT:
|
||||
case SSH_AUTH_FAIL_PUBKEY:
|
||||
@ -451,7 +452,7 @@ Index: openssh-8.9p1/audit-linux.c
|
||||
+ }
|
||||
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
||||
+ buf, NULL,
|
||||
+ listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh),
|
||||
+ ssh_remote_ipaddr(ssh), /*FIXME listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh) */
|
||||
+ NULL, 1);
|
||||
+ audit_close(audit_fd);
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
@ -518,19 +519,19 @@ Index: openssh-8.9p1/audit.c
|
||||
+void
|
||||
+audit_unsupported(struct ssh *ssh, int what)
|
||||
+{
|
||||
+ PRIVSEP(audit_unsupported_body(ssh, what));
|
||||
+ mm_audit_unsupported_body(ssh, what);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_kex(struct ssh *ssh, int ctos, char *enc, char *mac, char *comp, char *pfs)
|
||||
+{
|
||||
+ PRIVSEP(audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid()));
|
||||
+ mm_audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid());
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_session_key_free(struct ssh *ssh, int ctos)
|
||||
+{
|
||||
+ PRIVSEP(audit_session_key_free_body(ssh, ctos, getpid(), getuid()));
|
||||
+ mm_audit_session_key_free_body(ssh, ctos, getpid(), getuid());
|
||||
+}
|
||||
+
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
@ -778,18 +779,18 @@ Index: openssh-8.9p1/auth.h
|
||||
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
|
||||
/* Key / cert options linkage to auth layer */
|
||||
const struct sshauthopt *auth_options(struct ssh *);
|
||||
int auth_activate_options(struct ssh *, struct sshauthopt *);
|
||||
Index: openssh-8.9p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/auth2-hostbased.c
|
||||
+++ openssh-8.9p1/auth2-hostbased.c
|
||||
@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh, cons
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
|
||||
chost, key)) &&
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
|
||||
if (mm_hostbased_key_allowed(ssh, authctxt->pw, cuser,
|
||||
chost, key) &&
|
||||
- mm_sshkey_verify(key, sig, slen,
|
||||
+ mm_hostbased_key_verify(ssh, key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0)
|
||||
authenticated = 1;
|
||||
|
||||
@@ -166,6 +166,19 @@ done:
|
||||
@ -819,12 +820,12 @@ Index: openssh-8.9p1/auth2-pubkey.c
|
||||
@@ -223,7 +223,7 @@ userauth_pubkey(struct ssh *ssh, const c
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||
+ PRIVSEP(user_key_verify(ssh, key, sig, slen,
|
||||
if (mm_user_key_allowed(ssh, pw, key, 1, &authopts) &&
|
||||
- mm_sshkey_verify(key, sig, slen,
|
||||
+ mm_user_key_verify(ssh, key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b),
|
||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||
ssh->compat, &sig_details)) == 0) {
|
||||
ssh->compat, &sig_details) == 0) {
|
||||
@@ -316,6 +316,19 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -854,7 +855,7 @@ Index: openssh-8.9p1/auth2.c
|
||||
/* Invalid user, fake password information */
|
||||
authctxt->pw = fakepw();
|
||||
-#ifdef SSH_AUDIT_EVENTS
|
||||
- PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
|
||||
- mm_audit_event(ssh, SSH_INVALID_USER);
|
||||
-#endif
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
@ -939,8 +940,8 @@ Index: openssh-8.9p1/kex.c
|
||||
#include "xmalloc.h"
|
||||
+#include "audit.h"
|
||||
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||
@@ -879,12 +880,16 @@ kex_start_rekex(struct ssh *ssh)
|
||||
}
|
||||
|
||||
@ -1124,7 +1125,7 @@ Index: openssh-8.9p1/monitor.c
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||
|
||||
+extern void destroy_sensitive_data(struct ssh *, int);
|
||||
+extern void destroy_sensitive_data(struct ssh *);
|
||||
+
|
||||
/* State exported from the child */
|
||||
static struct sshbuf *child_state;
|
||||
@ -1257,7 +1258,7 @@ Index: openssh-8.9p1/monitor.c
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
+ destroy_sensitive_data(ssh, 0);
|
||||
+ destroy_sensitive_data(ssh);
|
||||
+
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
@ -1301,12 +1302,12 @@ Index: openssh-8.9p1/monitor.c
|
||||
+ debug3("%s entering", __func__);
|
||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
|
||||
+ (r = sshbuf_get_string(m, &cmd, &len)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+
|
||||
+ s = session_by_id(handle);
|
||||
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
|
||||
+ strcmp(s->command, cmd) != 0)
|
||||
+ fatal("%s: invalid handle", __func__);
|
||||
+ fatal_f("invalid handle");
|
||||
+ mm_session_close(ssh, s);
|
||||
free(cmd);
|
||||
return (0);
|
||||
@ -1349,7 +1350,7 @@ Index: openssh-8.9p1/monitor.c
|
||||
+ int what, r;
|
||||
+
|
||||
+ if ((r = sshbuf_get_u32(m, &what)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+
|
||||
+ audit_unsupported_body(ssh, what);
|
||||
+
|
||||
@ -1374,10 +1375,10 @@ Index: openssh-8.9p1/monitor.c
|
||||
+ (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ uid = (pid_t) tmp;
|
||||
+
|
||||
+ audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
|
||||
@ -1402,10 +1403,10 @@ Index: openssh-8.9p1/monitor.c
|
||||
+
|
||||
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ uid = (uid_t) tmp;
|
||||
+
|
||||
+ audit_session_key_free_body(ssh, ctos, pid, uid);
|
||||
@ -1427,10 +1428,10 @@ Index: openssh-8.9p1/monitor.c
|
||||
+
|
||||
+ if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ uid = (uid_t) tmp;
|
||||
+
|
||||
+ audit_destroy_sensitive_data(ssh, fp, pid, uid);
|
||||
@ -1526,7 +1527,7 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
|
||||
+
|
||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ sshbuf_free(m);
|
||||
+
|
||||
+ return (handle);
|
||||
@ -1541,19 +1542,19 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ debug3("%s entering command %s", __func__, command);
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ if ((r = sshbuf_put_u32(m, handle)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, command)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
|
||||
sshbuf_free(m);
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
@@ -1074,3 +1114,130 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
|
||||
@@ -1217,3 +1257,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
|
||||
return &ci;
|
||||
}
|
||||
|
||||
#endif /* GSSAPI */
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+void
|
||||
+mm_audit_unsupported_body(struct ssh *ssh, int what)
|
||||
@ -1562,9 +1563,9 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ if ((r = sshbuf_put_u32(m, what)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
@ -1581,7 +1582,7 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, cipher)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
|
||||
@ -1589,7 +1590,7 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ (r = sshbuf_put_cstring(m, fps)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
|
||||
@ -1605,11 +1606,11 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
@ -1624,62 +1625,15 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+
|
||||
+int mm_forward_audit_messages(int fdin)
|
||||
+{
|
||||
+ u_char buf[4];
|
||||
+ u_int blen, msg_len;
|
||||
+ struct sshbuf *m;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ debug3("%s: entering", __func__);
|
||||
+ m = sshbuf_new();
|
||||
+ do {
|
||||
+ int r;
|
||||
+
|
||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||
+ if (blen == 0) /* closed pipe */
|
||||
+ break;
|
||||
+ if (blen != sizeof(buf)) {
|
||||
+ error("%s: Failed to read the buffer from child", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ msg_len = get_u32(buf);
|
||||
+ if (msg_len > 256 * 1024)
|
||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
||||
+ sshbuf_reset(m);
|
||||
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to read the the buffer conent from the child", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to write the messag to the monitor", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ } while (1);
|
||||
+ sshbuf_free(m);
|
||||
+ return ret;
|
||||
+}
|
||||
+void mm_set_monitor_pipe(int fd)
|
||||
+{
|
||||
+ pmonitor->m_recvfd = fd;
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-8.9p1/monitor_wrap.h
|
||||
===================================================================
|
||||
@ -1695,8 +1649,8 @@ Index: openssh-8.9p1/monitor_wrap.h
|
||||
+int mm_user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
|
||||
#ifdef GSSAPI
|
||||
@@ -83,7 +85,14 @@ void mm_sshpam_free_ctx(void *);
|
||||
void mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m);
|
||||
@@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
#include "audit.h"
|
||||
void mm_audit_event(struct ssh *, ssh_audit_event_t);
|
||||
@ -1707,8 +1661,6 @@ Index: openssh-8.9p1/monitor_wrap.h
|
||||
+void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
+void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
|
||||
+void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
|
||||
+int mm_forward_audit_messages(int);
|
||||
+void mm_set_monitor_pipe(int);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
@ -1738,12 +1690,7 @@ Index: openssh-8.9p1/packet.c
|
||||
/*
|
||||
* Returns the IP-address of the remote host as a string. The returned
|
||||
* string must not be freed.
|
||||
@@ -579,26 +587,23 @@ ssh_packet_rdomain_in(struct ssh *ssh)
|
||||
/* Closes the connection and clears and frees internal data structures. */
|
||||
|
||||
static void
|
||||
-ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||
+ssh_packet_close_internal(struct ssh *ssh, int do_close, int do_audit)
|
||||
@@ -579,22 +587,19 @@ ssh_packet_rdomain_in(struct ssh *ssh)
|
||||
{
|
||||
struct session_state *state = ssh->state;
|
||||
u_int mode;
|
||||
@ -1775,7 +1722,7 @@ Index: openssh-8.9p1/packet.c
|
||||
#endif /* WITH_ZLIB */
|
||||
cipher_free(state->send_context);
|
||||
cipher_free(state->receive_context);
|
||||
+ if (do_audit && had_keys && state->server_side) {
|
||||
+ if (had_keys && state->server_side) {
|
||||
+ /* Assuming this is called only from privsep child */
|
||||
+ audit_session_key_free(ssh, MODE_MAX);
|
||||
+ }
|
||||
@ -1790,28 +1737,6 @@ Index: openssh-8.9p1/packet.c
|
||||
free(ssh->local_ipaddr);
|
||||
ssh->local_ipaddr = NULL;
|
||||
free(ssh->remote_ipaddr);
|
||||
@@ -650,13 +665,19 @@ ssh_packet_close_internal(struct ssh *ss
|
||||
void
|
||||
ssh_packet_close(struct ssh *ssh)
|
||||
{
|
||||
- ssh_packet_close_internal(ssh, 1);
|
||||
+ ssh_packet_close_internal(ssh, 1, 1);
|
||||
}
|
||||
|
||||
void
|
||||
ssh_packet_clear_keys(struct ssh *ssh)
|
||||
{
|
||||
- ssh_packet_close_internal(ssh, 0);
|
||||
+ ssh_packet_close_internal(ssh, 0, 1);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+ssh_packet_clear_keys_noaudit(struct ssh *ssh)
|
||||
+{
|
||||
+ ssh_packet_close_internal(ssh, 0, 0);
|
||||
}
|
||||
|
||||
/* Sets remote side protocol flags. */
|
||||
@@ -892,6 +913,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
|
||||
(unsigned long long)state->p_send.bytes,
|
||||
(unsigned long long)state->p_send.blocks);
|
||||
@ -1820,7 +1745,7 @@ Index: openssh-8.9p1/packet.c
|
||||
state->newkeys[mode] = NULL;
|
||||
}
|
||||
/* note that both bytes and the seqnr are not reset */
|
||||
@@ -2183,6 +2205,73 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
@@ -2183,6 +2205,72 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
return (void *)ssh->state->output;
|
||||
}
|
||||
|
||||
@ -1850,9 +1775,8 @@ Index: openssh-8.9p1/packet.c
|
||||
+ return;
|
||||
+
|
||||
+ cipher_free(state->receive_context);
|
||||
+ state->receive_context = NULL;
|
||||
+ cipher_free(state->send_context);
|
||||
+ state->send_context = NULL;
|
||||
+ state->send_context = state->receive_context = NULL;
|
||||
+
|
||||
+ sshbuf_free(state->input);
|
||||
+ state->input = NULL;
|
||||
@ -1898,14 +1822,6 @@ Index: openssh-8.9p1/packet.h
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/packet.h
|
||||
+++ openssh-8.9p1/packet.h
|
||||
@@ -102,6 +102,7 @@ int ssh_packet_get_connection_out(s
|
||||
void ssh_packet_close(struct ssh *);
|
||||
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
|
||||
void ssh_packet_clear_keys(struct ssh *);
|
||||
+void ssh_packet_clear_keys_noaudit(struct ssh *);
|
||||
void ssh_clear_newkeys(struct ssh *, int);
|
||||
|
||||
int ssh_packet_is_rekeying(struct ssh *);
|
||||
@@ -220,4 +221,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
|
||||
# undef EC_POINT
|
||||
#endif
|
||||
@ -1921,22 +1837,11 @@ Index: openssh-8.9p1/session.c
|
||||
extern u_int utmp_len;
|
||||
extern int startup_pipe;
|
||||
-extern void destroy_sensitive_data(void);
|
||||
+extern void destroy_sensitive_data(struct ssh *, int);
|
||||
+extern void destroy_sensitive_data(struct ssh *);
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts;
|
||||
extern char *tun_fwd_ifnames; /* serverloop.c */
|
||||
@@ -157,6 +157,10 @@ static Session *sessions = NULL;
|
||||
login_cap_t *lc;
|
||||
#endif
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+int paudit[2];
|
||||
+#endif
|
||||
+
|
||||
static int is_child = 0;
|
||||
static int in_chroot = 0;
|
||||
|
||||
@@ -642,6 +646,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
@@ -644,6 +644,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
/* Parent. Close the slave side of the pseudo tty. */
|
||||
close(ttyfd);
|
||||
|
||||
@ -1951,85 +1856,42 @@ Index: openssh-8.9p1/session.c
|
||||
/* Enter interactive session. */
|
||||
s->ptymaster = ptymaster;
|
||||
ssh_packet_set_interactive(ssh, 1,
|
||||
@@ -706,15 +718,21 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
@@ -736,15 +744,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
s->self);
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
+ if (s->command != NULL || s->command_handle != -1)
|
||||
+ fatal("do_exec: command already set");
|
||||
if (command != NULL)
|
||||
- PRIVSEP(audit_run_command(command));
|
||||
- mm_audit_run_command(command);
|
||||
+ s->command = xstrdup(command);
|
||||
else if (s->ttyfd == -1) {
|
||||
char *shell = s->pw->pw_shell;
|
||||
|
||||
if (shell[0] == '\0') /* empty shell means /bin/sh */
|
||||
shell =_PATH_BSHELL;
|
||||
- PRIVSEP(audit_run_command(shell));
|
||||
- mm_audit_run_command(shell);
|
||||
+ s->command = xstrdup(shell);
|
||||
}
|
||||
+ if (s->command != NULL && s->ptyfd == -1)
|
||||
+ s->command_handle = PRIVSEP(audit_run_command(ssh, s->command));
|
||||
+ if (pipe(paudit) < 0)
|
||||
+ fatal("pipe: %s", strerror(errno));
|
||||
+ s->command_handle = mm_audit_run_command(ssh, s->command);
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(ssh, s, command);
|
||||
@@ -730,6 +748,20 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
*/
|
||||
sshbuf_reset(loginmsg);
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ close(paudit[1]);
|
||||
+ if (use_privsep && ret == 0) {
|
||||
+ /*
|
||||
+ * Read the audit messages from forked child and send them
|
||||
+ * back to monitor. We don't want to communicate directly,
|
||||
+ * because the messages might get mixed up.
|
||||
+ * Continue after the pipe gets closed (all messages sent).
|
||||
+ */
|
||||
+ ret = mm_forward_audit_messages(paudit[0]);
|
||||
+ }
|
||||
+ close(paudit[0]);
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1530,11 +1562,30 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
int env_size;
|
||||
int r = 0;
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ int pparent = paudit[1];
|
||||
+ close(paudit[0]);
|
||||
+ /* Hack the monitor pipe to avoid race condition with parent */
|
||||
+ if (use_privsep)
|
||||
+ mm_set_monitor_pipe(pparent);
|
||||
+#endif
|
||||
+
|
||||
@@ -1550,8 +1562,11 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
- destroy_sensitive_data();
|
||||
- ssh_packet_clear_keys(ssh);
|
||||
+ destroy_sensitive_data(ssh, use_privsep);
|
||||
+ ssh_packet_clear_keys_noaudit(ssh);
|
||||
+ /*
|
||||
+ * We can audit this, because we hacked the pipe to direct the
|
||||
+ * messages over postauth child. But this message requires an answer
|
||||
+ * which we can't do using a one-way pipe.
|
||||
+ */
|
||||
+ destroy_sensitive_data(ssh);
|
||||
ssh_packet_clear_keys(ssh);
|
||||
+ /* Don't audit this - both us and the parent would be talking to the
|
||||
+ monitor over a single socket, with no synchronization. */
|
||||
+ packet_destroy_all(ssh, 0, 1);
|
||||
+
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ /* Notify parent that we are done */
|
||||
+ close(pparent);
|
||||
+#endif
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
@@ -1743,6 +1794,9 @@ session_unused(int id)
|
||||
@@ -1763,6 +1778,9 @@ session_unused(int id)
|
||||
sessions[id].ttyfd = -1;
|
||||
sessions[id].ptymaster = -1;
|
||||
sessions[id].x11_chanids = NULL;
|
||||
@ -2039,7 +1901,7 @@ Index: openssh-8.9p1/session.c
|
||||
sessions[id].next_unused = sessions_first_unused;
|
||||
sessions_first_unused = id;
|
||||
}
|
||||
@@ -1822,6 +1876,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
}
|
||||
|
||||
Session *
|
||||
@ -2050,7 +1912,7 @@ Index: openssh-8.9p1/session.c
|
||||
+ if (s->used)
|
||||
+ return s;
|
||||
+ }
|
||||
+ debug("%s: unknown id %d", __func__, id);
|
||||
+ debug_f("unknown id %d", id);
|
||||
+ session_dump();
|
||||
+ return NULL;
|
||||
+}
|
||||
@ -2059,7 +1921,7 @@ Index: openssh-8.9p1/session.c
|
||||
session_by_tty(char *tty)
|
||||
{
|
||||
int i;
|
||||
@@ -2429,6 +2496,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
@@ -2450,6 +2481,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
chan_write_failed(ssh, c);
|
||||
}
|
||||
|
||||
@ -2081,7 +1943,7 @@ Index: openssh-8.9p1/session.c
|
||||
+{
|
||||
+ if (s->command != NULL) {
|
||||
+ if (s->command_handle != -1)
|
||||
+ PRIVSEP(audit_end_command(ssh, s->command_handle, s->command));
|
||||
+ mm_audit_end_command(ssh, s->command_handle, s->command);
|
||||
+ free(s->command);
|
||||
+ s->command = NULL;
|
||||
+ s->command_handle = -1;
|
||||
@ -2092,7 +1954,7 @@ Index: openssh-8.9p1/session.c
|
||||
void
|
||||
session_close(struct ssh *ssh, Session *s)
|
||||
{
|
||||
@@ -2470,6 +2563,10 @@ session_close(struct ssh *ssh, Session *
|
||||
@@ -2463,6 +2520,10 @@ session_close(struct ssh *ssh, Session *
|
||||
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
@ -2103,7 +1965,7 @@ Index: openssh-8.9p1/session.c
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
@@ -2544,14 +2641,14 @@ session_close_by_channel(struct ssh *ssh
|
||||
@@ -2537,14 +2598,14 @@ session_close_by_channel(struct ssh *ssh
|
||||
}
|
||||
|
||||
void
|
||||
@ -2120,7 +1982,7 @@ Index: openssh-8.9p1/session.c
|
||||
else
|
||||
session_close(ssh, s);
|
||||
}
|
||||
@@ -2677,6 +2774,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
@@ -2671,6 +2732,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
server_loop2(ssh, authctxt);
|
||||
}
|
||||
|
||||
@ -2136,10 +1998,10 @@ Index: openssh-8.9p1/session.c
|
||||
void
|
||||
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
@@ -2740,7 +2846,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
* or if running in monitor.
|
||||
*/
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
if (mm_is_monitor())
|
||||
- session_destroy_all(ssh, session_pty_cleanup2);
|
||||
+ session_destroy_all(ssh, do_cleanup_one_session);
|
||||
}
|
||||
@ -2180,26 +2042,7 @@ Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -125,6 +125,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
+#include "audit.h"
|
||||
#include "ssh-sandbox.h"
|
||||
#include "auth-options.h"
|
||||
#include "version.h"
|
||||
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
/* Prototypes for various functions defined later in this file. */
|
||||
-void destroy_sensitive_data(void);
|
||||
-void demote_sensitive_data(void);
|
||||
+void destroy_sensitive_data(struct ssh *, int);
|
||||
+void demote_sensitive_data(struct ssh *);
|
||||
static void do_ssh2_kex(struct ssh *);
|
||||
|
||||
static char *listener_proctitle;
|
||||
@@ -284,6 +285,15 @@ close_listen_socks(void)
|
||||
@@ -219,6 +219,15 @@ close_listen_socks(void)
|
||||
num_listen_socks = 0;
|
||||
}
|
||||
|
||||
@ -2209,14 +2052,45 @@ Index: openssh-8.9p1/sshd.c
|
||||
+ */
|
||||
+int listening_for_clients(void)
|
||||
+{
|
||||
+ return num_listen_socks >= 0;
|
||||
+ return num_listen_socks > 0;
|
||||
+}
|
||||
+
|
||||
/* Allocate and initialise the children array */
|
||||
static void
|
||||
close_startup_pipes(void)
|
||||
{
|
||||
@@ -382,18 +392,45 @@ grace_alarm_handler(int sig)
|
||||
ssh_remote_port(the_active_state));
|
||||
child_alloc(void)
|
||||
@@ -897,6 +906,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
+ /* destroy_sensitive_data(ssh, 0); FIXME */
|
||||
close_listen_socks();
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
Index: openssh-8.9p1/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd-session.c
|
||||
+++ openssh-8.9p1/sshd-session.c
|
||||
@@ -125,6 +125,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
+#include "audit.h"
|
||||
#include "ssh-sandbox.h"
|
||||
#include "auth-options.h"
|
||||
#include "version.h"
|
||||
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
|
||||
struct sshbuf *loginmsg;
|
||||
|
||||
/* Prototypes for various functions defined later in this file. */
|
||||
-void destroy_sensitive_data(void);
|
||||
-void demote_sensitive_data(void);
|
||||
+void destroy_sensitive_data(struct ssh *);
|
||||
+void demote_sensitive_data(struct ssh *);
|
||||
static void do_ssh2_kex(struct ssh *);
|
||||
|
||||
/*
|
||||
@@ -382,18 +383,40 @@ grace_alarm_handler(int sig)
|
||||
_exit(EXIT_LOGIN_GRACE);
|
||||
}
|
||||
|
||||
-/* Destroy the host and server keys. They will no longer be needed. */
|
||||
@ -2226,7 +2100,7 @@ Index: openssh-8.9p1/sshd.c
|
||||
+ */
|
||||
void
|
||||
-destroy_sensitive_data(void)
|
||||
+destroy_sensitive_data(struct ssh *ssh, int privsep)
|
||||
+destroy_sensitive_data(struct ssh *ssh)
|
||||
{
|
||||
u_int i;
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
@ -2248,12 +2122,7 @@ Index: openssh-8.9p1/sshd.c
|
||||
sensitive_data.host_keys[i] = NULL;
|
||||
+ if (fp != NULL) {
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ if (privsep)
|
||||
+ PRIVSEP(audit_destroy_sensitive_data(ssh, fp,
|
||||
+ pid, uid));
|
||||
+ else
|
||||
+ audit_destroy_sensitive_data(ssh, fp,
|
||||
+ pid, uid);
|
||||
+ audit_destroy_sensitive_data(ssh, fp, pid, uid);
|
||||
+#endif
|
||||
+ free(fp);
|
||||
+ }
|
||||
@ -2264,7 +2133,7 @@ Index: openssh-8.9p1/sshd.c
|
||||
sshkey_free(sensitive_data.host_certificates[i]);
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
@@ -402,20 +439,38 @@ destroy_sensitive_data(void)
|
||||
@@ -402,20 +430,38 @@ destroy_sensitive_data(void)
|
||||
|
||||
/* Demote private to public keys for network child */
|
||||
void
|
||||
@ -2304,7 +2173,7 @@ Index: openssh-8.9p1/sshd.c
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
@@ -443,7 +498,7 @@ reseed_prngs(void)
|
||||
@@ -443,7 +489,7 @@ reseed_prngs(void)
|
||||
}
|
||||
|
||||
static void
|
||||
@ -2313,7 +2182,7 @@ Index: openssh-8.9p1/sshd.c
|
||||
{
|
||||
gid_t gidset[1];
|
||||
|
||||
@@ -458,7 +513,7 @@ privsep_preauth_child(void)
|
||||
@@ -458,7 +504,7 @@ privsep_preauth_child(void)
|
||||
reseed_prngs();
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2322,16 +2191,16 @@ Index: openssh-8.9p1/sshd.c
|
||||
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
@@ -493,7 +548,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
@@ -493,7 +539,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
pmonitor->m_pkex = &ssh->kex;
|
||||
|
||||
if (use_privsep == PRIVSEP_ON)
|
||||
box = ssh_sandbox_init(pmonitor);
|
||||
- pid = fork();
|
||||
+ pmonitor->m_pid = pid = fork();
|
||||
if (pid == -1) {
|
||||
fatal("fork of unprivileged child failed");
|
||||
} else if (pid != 0) {
|
||||
@@ -538,7 +593,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
@@ -538,7 +584,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
/* Arrange for logging to be sent to the monitor */
|
||||
set_log_handler(mm_log_handler, pmonitor);
|
||||
|
||||
@ -2340,7 +2209,7 @@ Index: openssh-8.9p1/sshd.c
|
||||
setproctitle("%s", "[net]");
|
||||
if (box != NULL)
|
||||
ssh_sandbox_child(box);
|
||||
@@ -582,7 +637,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
@@ -582,7 +628,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2349,43 +2218,17 @@ Index: openssh-8.9p1/sshd.c
|
||||
|
||||
reseed_prngs();
|
||||
|
||||
@@ -1136,7 +1191,7 @@ server_listen(void)
|
||||
* from this function are in a forked subprocess.
|
||||
*/
|
||||
static void
|
||||
-server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
{
|
||||
struct pollfd *pfd = NULL;
|
||||
int i, j, ret, npfd;
|
||||
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
+ destroy_sensitive_data(ssh, 0);
|
||||
close_listen_socks();
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
@@ -2088,7 +2144,7 @@ main(int ac, char **av)
|
||||
#endif
|
||||
|
||||
/* Accept a connection and return in a forked child */
|
||||
- server_accept_loop(&sock_in, &sock_out,
|
||||
+ server_accept_loop(ssh, &sock_in, &sock_out,
|
||||
&newsock, config_s);
|
||||
}
|
||||
|
||||
@@ -2311,6 +2367,9 @@ main(int ac, char **av)
|
||||
@@ -2311,6 +2358,9 @@ main(int ac, char **av)
|
||||
do_authenticated(ssh, authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
+ packet_destroy_all(ssh, 1, 1);
|
||||
+ destroy_sensitive_data(ssh, 1);
|
||||
+ destroy_sensitive_data(ssh);
|
||||
+
|
||||
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes",
|
||||
(unsigned long long)obytes, (unsigned long long)ibytes);
|
||||
@@ -2491,6 +2550,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2491,6 +2541,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
@ -2398,32 +2241,35 @@ Index: openssh-8.9p1/sshd.c
|
||||
+ if (in_cleanup)
|
||||
+ _exit(i);
|
||||
+ in_cleanup = 1;
|
||||
extern int auth_attempted; /* monitor.c */
|
||||
|
||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||
do_cleanup(the_active_state, the_authctxt);
|
||||
if (use_privsep && privsep_is_preauth &&
|
||||
@@ -2503,9 +2571,16 @@ cleanup_exit(int i)
|
||||
@@ -2525,7 +2593,9 @@ cleanup_exit(int i)
|
||||
}
|
||||
}
|
||||
}
|
||||
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
|
||||
+ if (sensitive_data.host_keys != NULL && the_active_state != NULL)
|
||||
+ destroy_sensitive_data(the_active_state, is_privsep_child);
|
||||
+ if (the_active_state != NULL)
|
||||
+ packet_destroy_all(the_active_state, 1, is_privsep_child);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
||||
- if (the_active_state != NULL && (!use_privsep || mm_is_monitor()))
|
||||
- if (the_active_state != NULL && mm_is_monitor())
|
||||
+ if (the_active_state != NULL &&
|
||||
+ (the_authctxt == NULL || !the_authctxt->authenticated) &&
|
||||
+ (!use_privsep || mm_is_monitor()))
|
||||
+ mm_is_monitor())
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
_exit(i);
|
||||
/* Override default fatal exit value when auth was attempted */
|
||||
Index: openssh-8.9p1/sshkey.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshkey.c
|
||||
+++ openssh-8.9p1/sshkey.c
|
||||
@@ -400,6 +400,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
@@ -35,6 +35,9 @@ sshkey_type_is_valid_ca(int type)
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/pem.h>
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+# include <openssl/core_names.h>
|
||||
+# endif
|
||||
#endif
|
||||
|
||||
#include "crypto_api.h"
|
||||
@@ -400,6 +403,53 @@ sshkey_type_is_valid_ca(int type)
|
||||
}
|
||||
|
||||
int
|
||||
@ -2431,23 +2277,38 @@ Index: openssh-8.9p1/sshkey.c
|
||||
+{
|
||||
+ switch (k->type) {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ case KEY_RSA_CERT:
|
||||
+ case KEY_RSA: {
|
||||
+ const BIGNUM *d;
|
||||
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
|
||||
+ case KEY_RSA:
|
||||
+ case KEY_ECDSA_CERT:
|
||||
+ case KEY_ECDSA: {
|
||||
+ BIGNUM *d = NULL;
|
||||
+ EVP_PKEY_get_bn_param(k->pkey, OSSL_PKEY_PARAM_PRIV_KEY, &d);
|
||||
+ return d != NULL;
|
||||
+ }
|
||||
+# else /* OPENSSL < 3.0.0 */
|
||||
+ case KEY_RSA_CERT:
|
||||
+ case KEY_RSA: {
|
||||
+ const BIGNUM *d = NULL;
|
||||
+ RSA *rsakey = EVP_PKEY_get0_RSA(k->pkey);
|
||||
+ if (rsakey)
|
||||
+ RSA_get0_key(rsakey, NULL, NULL, &d);
|
||||
+ return d != NULL;
|
||||
+ }
|
||||
+# ifdef OPENSSL_HAS_ECC
|
||||
+ case KEY_ECDSA_CERT:
|
||||
+ case KEY_ECDSA: {
|
||||
+ EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(k->pkey);
|
||||
+ return (eckey != NULL) && (EC_KEY_get0_private_key(eckey) != NULL);
|
||||
+ }
|
||||
+# endif /* OPENSSL_HAS_ECC */
|
||||
+# endif /* OPENSSL < 3.0.0 */
|
||||
+ case KEY_DSA_CERT:
|
||||
+ case KEY_DSA: {
|
||||
+ const BIGNUM *priv_key;
|
||||
+ const BIGNUM *priv_key = NULL;
|
||||
+ DSA_get0_key(k->dsa, NULL, &priv_key);
|
||||
+ return priv_key != NULL;
|
||||
+ }
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ case KEY_ECDSA_CERT:
|
||||
+ case KEY_ECDSA:
|
||||
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
|
||||
+#endif /* OPENSSL_HAS_ECC */
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+ case KEY_ED25519_CERT:
|
||||
+ case KEY_ED25519:
|
||||
@ -2467,9 +2328,9 @@ Index: openssh-8.9p1/sshkey.h
|
||||
--- openssh-8.9p1.orig/sshkey.h
|
||||
+++ openssh-8.9p1/sshkey.h
|
||||
@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke
|
||||
int sshkey_unshield_private(struct sshkey *);
|
||||
|
||||
int sshkey_type_from_name(const char *);
|
||||
int sshkey_type_from_shortname(const char *);
|
||||
+int sshkey_is_private(const struct sshkey *);
|
||||
int sshkey_is_cert(const struct sshkey *);
|
||||
int sshkey_is_sk(const struct sshkey *);
|
||||
|
@ -123,28 +123,21 @@ Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -148,7 +148,7 @@ extern char *__progname;
|
||||
ServerOptions options;
|
||||
|
||||
/* Name of the server configuration file. */
|
||||
-char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+char *config_file_name = NULL;
|
||||
|
||||
/*
|
||||
* Debug mode flag. This can be set on the command line. If debug
|
||||
@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
|
||||
int
|
||||
main(int ac, char **av)
|
||||
{
|
||||
+ struct stat st;
|
||||
struct ssh *ssh = NULL;
|
||||
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
|
||||
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+ char *config_file_name = NULL;
|
||||
+ struct stat st;
|
||||
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
|
||||
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
|
||||
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
|
||||
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
||||
*/
|
||||
(void)atomicio(vwrite, startup_pipe, "\0", 1);
|
||||
}
|
||||
+ } else if (config_file_name == NULL) {
|
||||
/* Fetch our configuration */
|
||||
if ((cfg = sshbuf_new()) == NULL)
|
||||
fatal("sshbuf_new config failed");
|
||||
+ if (config_file_name == NULL) {
|
||||
+ /* If only the vendor configuration file exists, use that.
|
||||
+ * Else use the standard configuration file.
|
||||
+ */
|
||||
@ -157,11 +150,12 @@ Index: openssh-8.9p1/sshd.c
|
||||
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+ }
|
||||
+ load_server_config(config_file_name, cfg);
|
||||
} else if (strcasecmp(config_file_name, "none") != 0)
|
||||
- if (strcasecmp(config_file_name, "none") != 0)
|
||||
+ } else if (strcasecmp(config_file_name, "none") != 0)
|
||||
+ /* load config specified on commandline */
|
||||
load_server_config(config_file_name, cfg);
|
||||
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
parse_server_config(&options, config_file_name, cfg,
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
|
@ -84,13 +84,14 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
The list of key exchange algorithms that are offered for GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
@@ -991,9 +993,8 @@ gss-nistp256-sha256-,
|
||||
@@ -991,10 +993,8 @@ gss-nistp256-sha256-,
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
.Pp
|
||||
-The default is
|
||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
This option only applies to protocol version 2 connections using GSSAPI.
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
+.Pp
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
@ -159,7 +160,7 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
.It Cm HostKeyAlias
|
||||
Specifies an alias that should be used instead of the
|
||||
real host name when looking up or saving the host key
|
||||
@@ -1311,31 +1313,26 @@ it may be zero or more of:
|
||||
@@ -1311,37 +1313,30 @@ it may be zero or more of:
|
||||
and
|
||||
.Cm pam .
|
||||
.It Cm KexAlgorithms
|
||||
@ -169,8 +170,12 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
|
||||
their preference order.
|
||||
The selected algorithm will be the first algorithm in this list that
|
||||
the server also supports.
|
||||
Multiple algorithms must be comma-separated.
|
||||
.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
@ -186,9 +191,11 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
-.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-sntrup761x25519-sha512@openssh.com,
|
||||
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
|
||||
-mlkem768x25519-sha256,
|
||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
-diffie-hellman-group-exchange-sha256,
|
||||
@ -199,7 +206,7 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
@@ -1445,37 +1442,34 @@ function, and all code in the
|
||||
file.
|
||||
@ -386,7 +393,7 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClientAliveCountMax
|
||||
@@ -764,52 +760,45 @@ For this to work
|
||||
@@ -764,53 +760,45 @@ For this to work
|
||||
.Cm GSSAPIKeyExchange
|
||||
needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
@ -415,8 +422,9 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
.Ed
|
||||
-.Pp
|
||||
-The default is
|
||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
This option only applies to protocol version 2 connections using GSSAPI.
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
.It Cm HostbasedAcceptedAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
@ -492,7 +500,7 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
.It Cm IgnoreRhosts
|
||||
@@ -1027,20 +1006,26 @@ file on logout.
|
||||
@@ -1027,24 +1006,30 @@ file on logout.
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
@ -502,9 +510,13 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Specifies the permitted KEX (Key Exchange) algorithms that the server will
|
||||
offer to clients.
|
||||
The ordering of this list is not important, as the client specifies the
|
||||
preference order.
|
||||
Multiple algorithms must be comma-separated.
|
||||
Alternately if the specified list begins with a
|
||||
.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
@ -520,16 +532,17 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The supported algorithms are:
|
||||
.Pp
|
||||
.Bl -item -compact -offset indent
|
||||
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
|
||||
@@ -1072,17 +1057,6 @@ ecdh-sha2-nistp521
|
||||
sntrup761x25519-sha512@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-sntrup761x25519-sha512@openssh.com,
|
||||
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
|
||||
-mlkem768x25519-sha256,
|
||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
-diffie-hellman-group-exchange-sha256,
|
||||
@ -537,7 +550,7 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q KexAlgorithms .
|
||||
.It Cm ListenAddress
|
||||
@@ -1167,21 +1142,27 @@ function, and all code in the
|
||||
|
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
Binary file not shown.
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
|
||||
YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
|
||||
rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
|
||||
0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
|
||||
N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
|
||||
sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
|
||||
zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
|
||||
I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
|
||||
UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
|
||||
iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
|
||||
xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
|
||||
la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
|
||||
=G9YA
|
||||
-----END PGP SIGNATURE-----
|
BIN
openssh-9.9p1.tar.gz
(Stored with Git LFS)
Normal file
BIN
openssh-9.9p1.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
openssh-9.9p1.tar.gz.asc
Normal file
16
openssh-9.9p1.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmbspccACgkQKj9BTnNg
|
||||
YLppxRAAv7eU/Xd2w9MX9vWQdhugiPByEcKg7KuKXUUs9xJGy+HbLqPqUCvn1UW6
|
||||
qodKoSAdeBuSB7AjzuIQ1lTVX7C67OmZaVPRq25ar5b+Wq4SSlv23KMRq0b4EVyw
|
||||
pOW6R9tsxqYBwYaiXQ50APcYL8SpepnGU+b/iR15f7q3SU2XMVVtkVb149UdLOqK
|
||||
smfurbDGwUKFb2Q009MUfEV/d9zq31tdSjphvkqAXCcmxc8siuOYWYcByuysie+m
|
||||
NpaOpee0047L5JIxNSLsa2yZrJZhClP8LbTCH1Vfwr7l0KE5nvL2qAtPKI2XxGQC
|
||||
3jXrDLzp10RFxV8sCym+QlY9pZyzGj9d3G7vCHtxWGQ1Y0Qt+xs18OeBpjiehRhl
|
||||
WM3Y+cjoN35jBaGhOoHdh3ePZQdTUyZ16aSv0h/cUHOohiM7i/4XW+dQtkqsJsw4
|
||||
a81O0E64WrL8ho3Ju9mwcVZ9A0aEaftJsmJPDB+qYBjF/i7xcnH32LginzP5pel7
|
||||
/W0aS2C1ZNo3QKHezI6IA9MyENMZiAMy2ybvfmN0HgLBaBY1plJ8a5GvMwJc+Qwh
|
||||
iCHLCQ6Qgf/1hh+F6liTXnhtedtFHneJdyqvd7XOoardDEipZjxcnGa4HthbDFU+
|
||||
8XdHKnWWhn4BLA+y7KB3ZGURniQK+qibwkF6J63CuMU+LmG+bvQ=
|
||||
=Ukrb
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,17 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.9p1:
|
||||
* No changes for askpass, see main package changelog for
|
||||
details.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.8p1:
|
||||
* No changes for askpass, see main package changelog for
|
||||
details.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -18,7 +18,7 @@
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 9.6p1
|
||||
Version: 9.9p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
|
@ -207,9 +207,9 @@ Index: openssh-9.3p2/packet.h
|
||||
--- openssh-9.3p2.orig/packet.h
|
||||
+++ openssh-9.3p2/packet.h
|
||||
@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *);
|
||||
void ssh_packet_close(struct ssh *);
|
||||
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
|
||||
void ssh_packet_clear_keys(struct ssh *);
|
||||
void ssh_packet_clear_keys_noaudit(struct ssh *);
|
||||
+void ssh_clear_curkeys(struct ssh *, int);
|
||||
void ssh_clear_newkeys(struct ssh *, int);
|
||||
|
||||
@ -264,12 +264,12 @@ Index: openssh-9.3p2/sshbuf.h
|
||||
/* Macros for decoding/encoding integers */
|
||||
#define PEEK_U64(p) \
|
||||
(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
@@ -272,6 +272,19 @@ static void do_ssh2_kex(struct ssh *);
|
||||
static char *listener_proctitle;
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
|
||||
static void do_ssh2_kex(struct ssh *);
|
||||
|
||||
/*
|
||||
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
|
||||
@ -285,10 +285,10 @@ Index: openssh-9.3p2/sshd.c
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Close all listening sockets
|
||||
*/
|
||||
static void
|
||||
@@ -430,6 +443,8 @@ destroy_sensitive_data(struct ssh *ssh,
|
||||
* Signal handler for the alarm after the login grace period has expired.
|
||||
* As usual, this may only take signal-safe actions, even though it is
|
||||
* terminal.
|
||||
@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
}
|
||||
@ -297,32 +297,32 @@ Index: openssh-9.3p2/sshd.c
|
||||
}
|
||||
|
||||
/* Demote private to public keys for network child */
|
||||
@@ -600,6 +615,8 @@ privsep_preauth(struct ssh *ssh)
|
||||
static void
|
||||
privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
|
||||
{
|
||||
int skip_privdrop = 0;
|
||||
|
||||
+ clobber_stack();
|
||||
+
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
#else
|
||||
@@ -2360,6 +2377,7 @@ main(int ac, char **av)
|
||||
if (use_privsep) {
|
||||
/*
|
||||
* Hack for systems that don't support FD passing: retain privileges
|
||||
* in the post-auth privsep process so it can allocate PTYs directly.
|
||||
@@ -1354,6 +1356,7 @@ main(int ac, char **av)
|
||||
*/
|
||||
mm_send_keystate(ssh, pmonitor);
|
||||
ssh_packet_clear_keys(ssh);
|
||||
+ clobber_stack();
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -2436,6 +2454,7 @@ main(int ac, char **av)
|
||||
if (use_privsep)
|
||||
authenticated:
|
||||
@@ -1431,6 +1434,7 @@ main(int ac, char **av)
|
||||
|
||||
mm_terminate();
|
||||
|
||||
+ clobber_stack();
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -2596,8 +2615,10 @@ cleanup_exit(int i)
|
||||
@@ -1577,8 +1581,10 @@ cleanup_exit(int i)
|
||||
/* cleanup_exit can be called at the very least from the privsep
|
||||
wrappers used for auditing. Make sure we don't recurse
|
||||
indefinitely. */
|
||||
@ -332,13 +332,14 @@ Index: openssh-9.3p2/sshd.c
|
||||
_exit(i);
|
||||
+ }
|
||||
in_cleanup = 1;
|
||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||
do_cleanup(the_active_state, the_authctxt);
|
||||
@@ -2623,5 +2644,7 @@ cleanup_exit(int i)
|
||||
(!use_privsep || mm_is_monitor()))
|
||||
extern int auth_attempted; /* monitor.c */
|
||||
|
||||
@@ -1604,6 +1610,8 @@ cleanup_exit(int i)
|
||||
mm_is_monitor())
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
+
|
||||
+ clobber_stack();
|
||||
_exit(i);
|
||||
}
|
||||
/* Override default fatal exit value when auth was attempted */
|
||||
if (i == 255 && auth_attempted)
|
||||
_exit(EXIT_AUTH_ATTEMPTED);
|
||||
|
@ -25,7 +25,7 @@ Index: openssh-8.9p1/ssh_config.5
|
||||
+diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
@ -38,4 +38,4 @@ Index: openssh-8.9p1/sshd_config.5
|
||||
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
|
512
openssh.changes
512
openssh.changes
@ -1,3 +1,515 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 28 11:18:04 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Don't force using gcc11 on SLFO/ALP which have a newer version.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 28 10:29:33 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Add patches from upstream:
|
||||
- To fix a copy&paste oversight in an ifdef :
|
||||
* 0001-fix-utmpx-ifdef.patch
|
||||
- To fix a regression introduced when the "Match" criteria
|
||||
tokenizer was modified since it stopped supporting the
|
||||
"Match criteria=argument" format:
|
||||
* 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
|
||||
- To fix the previous patch which broke on negated Matches:
|
||||
* 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
|
||||
- To fix the ML-KEM768x25519 kex algorithm on big-endian systems:
|
||||
* 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 14 15:06:19 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Use %{with ...} instead of 0%{with ...}
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 11 09:28:30 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Add a patch to fix a regression introduced in 9.6 that makes X11
|
||||
forwarding very slow. Submitted to upstream in
|
||||
https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4 . Fixes
|
||||
bsc#1229449:
|
||||
* fix-x11-regression-bsc1229449.patch
|
||||
- Remove empty line at the end of sshd-sle.pamd (bsc#1227456)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 25 10:45:17 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Add a const to the openssl 1.1/RSA section of sshkey_is_private
|
||||
to keep it similar to what it used before the 9.9 rebase:
|
||||
* openssh-8.1p1-audit.patch
|
||||
- Add a openssl11 bcond to the spec file for the SLE12 case
|
||||
instead of checking suse_version in different parts.
|
||||
- Move conditional patches to a number >= 1000.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.9p1:
|
||||
= Future deprecation notice
|
||||
* OpenSSH plans to remove support for the DSA signature algorithm
|
||||
in early 2025. This release disables DSA by default at compile
|
||||
time. DSA, as specified in the SSHv2 protocol, is inherently
|
||||
weak - being limited to a 160 bit private key and use of the
|
||||
SHA1 digest. Its estimated security level is only 80 bits
|
||||
symmetric equivalent.
|
||||
OpenSSH has disabled DSA keys by default since 2015 but has
|
||||
retained run-time optional support for them. DSA was the only
|
||||
mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
|
||||
because alternative algorithms were encumbered by patents when
|
||||
the SSHv2 protocol was specified.
|
||||
This has not been the case for decades at this point and better
|
||||
algorithms are well supported by all actively-maintained SSH
|
||||
implementations. We do not consider the costs of maintaining
|
||||
DSA in OpenSSH to be justified and hope that removing it from
|
||||
OpenSSH can accelerate its wider deprecation in supporting
|
||||
cryptography libraries.
|
||||
|
||||
= Potentially-incompatible changes
|
||||
* ssh(1): remove support for pre-authentication compression.
|
||||
OpenSSH has only supported post-authentication compression in
|
||||
the server for some years. Compression before authentication
|
||||
significantly increases the attack surface of SSH servers and
|
||||
risks creating oracles that reveal information about
|
||||
information sent during authentication.
|
||||
* ssh(1), sshd(8): processing of the arguments to the "Match"
|
||||
configuration directive now follows more shell-like rules for
|
||||
quoted strings, including allowing nested quotes and \-escaped
|
||||
characters. If configurations contained workarounds for the
|
||||
previous simplistic quote handling then they may need to be
|
||||
adjusted. If this is the case, it's most likely to be in the
|
||||
arguments to a "Match exec" confition. In this case, moving the
|
||||
command to be evaluated from the Match line to an external
|
||||
shell script is easiest way to preserve compatibility with both
|
||||
the old and new versions.
|
||||
|
||||
= New features
|
||||
* ssh(1), sshd(8): add support for a new hybrid post-quantum key
|
||||
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
|
||||
mechanism (ML-KEM) combined with X25519 ECDH as described by
|
||||
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
|
||||
This algorithm "mlkem768x25519-sha256" is available by default.
|
||||
* ssh(1): the ssh_config "Include" directive can now expand
|
||||
environment as well as the same set of %-tokens "Match Exec"
|
||||
supports.
|
||||
* sshd(8): add a sshd_config "RefuseConnection" option that, if
|
||||
set will terminate the connection at the first authentication
|
||||
request.
|
||||
* sshd(8): add a "refuseconnection" penalty class to sshd_config
|
||||
PerSourcePenalties that is applied when a connection is dropped
|
||||
by the new RefuseConnection keyword.
|
||||
* sshd(8): add a "Match invalid-user" predicate to sshd_config
|
||||
Match options that matches when the target username is not
|
||||
valid on the server.
|
||||
* ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
|
||||
substantially faster implementation.
|
||||
* ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key
|
||||
exchange algorithm now has an IANA-assigned name in addition to
|
||||
the "@openssh.com" vendor extension name. This algorithm is now
|
||||
also available under this name "sntrup761x25519-sha512"
|
||||
* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
|
||||
included in core dump files for most of their lifespans. This
|
||||
is in addition to pre-existing controls in ssh-agent(1) and
|
||||
sshd(8) that prevented coredumps. This feature is supported on
|
||||
OpenBSD, Linux and FreeBSD.
|
||||
* All: convert key handling to use the libcrypto EVP_PKEY API,
|
||||
with the exception of DSA.
|
||||
* sshd(8): add a random amount of jitter (up to 4 seconds) to the
|
||||
grace login time to make its expiry unpredictable.
|
||||
|
||||
= Bugfixes
|
||||
* sshd(8): relax absolute path requirement back to what it was
|
||||
prior to OpenSSH 9.8, which incorrectly required that sshd was
|
||||
started with an absolute path in inetd mode. bz3717
|
||||
* sshd(8): fix regression introduced in openssh-9.8 that swapped
|
||||
the order of source and destination addresses in some sshd log
|
||||
messages.
|
||||
* sshd(8): do not apply authorized_keys options when signature
|
||||
verification fails. Prevents more restrictive key options being
|
||||
incorrectly applied to subsequent keys in authorized_keys.
|
||||
bz3733
|
||||
* ssh-keygen(1): include pathname in some of ssh-keygen's
|
||||
passphrase prompts. Helps the user know what's going on when
|
||||
ssh-keygen is invoked via other tools. Requested in GHPR503
|
||||
* ssh(1), ssh-add(1): make parsing user@host consistently look
|
||||
for the last '@' in the string rather than the first. This
|
||||
makes it possible to more consistently use usernames that
|
||||
contain '@' characters.
|
||||
* ssh(1), sshd(8): be more strict in parsing key type names. Only
|
||||
allow short names (e.g "rsa") in user-interface code and
|
||||
require full SSH protocol names (e.g. "ssh-rsa") everywhere
|
||||
else. bz3725
|
||||
* regress: many performance and correctness improvements to the
|
||||
re-keying regression test.
|
||||
* ssh-keygen(1): clarify that ed25519 is the default key type
|
||||
generated and clarify that rsa-sha2-512 is the default
|
||||
signature scheme when RSA is in use. GHPR505
|
||||
* sshd(8): fix minor memory leak in Subsystem option parsing;
|
||||
GHPR515
|
||||
* All: additional hardening and consistency checks for the sshbuf
|
||||
code.
|
||||
* sshd(8): reduce default logingrace penalty to ensure that a
|
||||
single forgotton login that times out will be below the penalty
|
||||
threshold.
|
||||
* ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started
|
||||
with ControlPersist then later has a forwarding added using mux
|
||||
proxy connection and the forwarding was used, then when the mux
|
||||
proxy session terminated, the mux master process would issue a
|
||||
bad message that terminated the connection.
|
||||
|
||||
= Portability
|
||||
* sync contrib/ssh-copy-id to the latest upstream version.
|
||||
* regress: improve portablility for some awk(1) usage
|
||||
(e.g. Solaris)
|
||||
* In the contrib/redhat RPM spec file, without_openssl was
|
||||
previously incorrectly enabled unconditionally.
|
||||
* sshd(8) restore audit call before exit that regressed in
|
||||
openssh-9.8. Fixes an issue where the SSH_CONNECTION_ABANDON
|
||||
event was not recorded.
|
||||
* sshd(8): add support for class-imposed loging restrictions on
|
||||
FreeBSD. Allowing auth_hostok(3) and auth_timeok(3) to control
|
||||
logins.
|
||||
* Build fixes for Musl libc.
|
||||
* Fix detection of setres*id on GNU/Hurd
|
||||
|
||||
- Drop patches that were already merged by upstream:
|
||||
* fix-memleak-in-process_server_config_line_depth.patch
|
||||
* fix-audit-fail-attempt.patch
|
||||
- Rebase patch with significant changes:
|
||||
* openssh-8.1p1-audit.patch
|
||||
- Rebase patches with context or trivial changes:
|
||||
* openssh-7.7p1-fips.patch
|
||||
* openssh-8.0p1-gssapi-keyex.patch
|
||||
* openssh-9.6p1-crypto-policies-man.patch
|
||||
* openssh-mitigate-lingering-secrets.patch
|
||||
- Several spec file fixes so the package builds and can be
|
||||
installed in SLE 15 SP5 and SLE 12 SP5
|
||||
- Use gcc11 when building in SLE12 and SLE15.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 12 07:43:18 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Drop most of openssh-6.6p1-keycat.patch (actually, it was just
|
||||
commented out). The keycat binary isn't really installed nor
|
||||
supported, so we can drop it, except for the code that is used
|
||||
by other SELinux patches, which is what I kept from that patch
|
||||
(boo#1229072).
|
||||
- Add patch submitted to upstream to fix RFC4256 implementation
|
||||
so that keyboard-interactive authentication method can send
|
||||
instructions and sshd shows them to users even before a prompt
|
||||
is requested. This fixes MFA push notifications (boo#1229010).
|
||||
* 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 23 12:10:00 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Add patch to fix sshd not logging in the audit failed login
|
||||
attempts (submitted to upstream in
|
||||
https://github.com/openssh/openssh-portable/pull/516):
|
||||
* fix-audit-fail-attempt.patch
|
||||
- Use --enable-dsa-keys when building openssh. It's required if
|
||||
the user sets the crypto-policy mode to LEGACY, where DSA keys
|
||||
should be allowed. The option was added by upstream in 9.7 and
|
||||
set to disabled by default.
|
||||
- These two changes fix 2 of the 3 issues reported in bsc#1229650.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Fix a dbus connection leaked in the logind patch that was
|
||||
missing a sd_bus_unref call (found by Matthias Gerstner):
|
||||
* logind_set_tty.patch
|
||||
- Add a patch that fixes a small memory leak when parsing the
|
||||
subsystem configuration option:
|
||||
* fix-memleak-in-process_server_config_line_depth.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.8p1:
|
||||
= Security
|
||||
* 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
|
||||
A critical vulnerability in sshd(8) was present in Portable
|
||||
OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
|
||||
allow arbitrary code execution with root privileges.
|
||||
Successful exploitation has been demonstrated on 32-bit
|
||||
Linux/glibc systems with ASLR. Under lab conditions, the attack
|
||||
requires on average 6-8 hours of continuous connections up to
|
||||
the maximum the server will accept. Exploitation on 64-bit
|
||||
systems is believed to be possible but has not been
|
||||
demonstrated at this time. It's likely that these attacks will
|
||||
be improved upon.
|
||||
Exploitation on non-glibc systems is conceivable but has not
|
||||
been examined. Systems that lack ASLR or users of downstream
|
||||
Linux distributions that have modified OpenSSH to disable
|
||||
per-connection ASLR re-randomisation (yes - this is a thing, no
|
||||
- we don't understand why) may potentially have an easier path
|
||||
to exploitation. OpenBSD is not vulnerable.
|
||||
We thank the Qualys Security Advisory Team for discovering,
|
||||
reporting and demonstrating exploitability of this problem, and
|
||||
for providing detailed feedback on additional mitigation
|
||||
measures.
|
||||
* 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
|
||||
CVE-2024-39894).
|
||||
In OpenSSH version 9.5 through 9.7 (inclusive), when connected
|
||||
to an OpenSSH server version 9.5 or later, a logic error in the
|
||||
ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
|
||||
this feature ineffective - a passive observer could still
|
||||
detect which network packets contained real keystrokes when the
|
||||
countermeasure was active because both fake and real keystroke
|
||||
packets were being sent unconditionally.
|
||||
This bug was found by Philippos Giavridis and also
|
||||
independently by Jacky Wei En Kung, Daniel Hugenroth and
|
||||
Alastair Beresford of the University of Cambridge Computer Lab.
|
||||
Worse, the unconditional sending of both fake and real
|
||||
keystroke packets broke another long-standing timing attack
|
||||
mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke
|
||||
echo packets for traffic received on TTYs in echo-off mode,
|
||||
such as when entering a password into su(8) or sudo(8). This
|
||||
bug rendered these fake keystroke echoes ineffective and could
|
||||
allow a passive observer of a SSH session to once again detect
|
||||
when echo was off and obtain fairly limited timing information
|
||||
about keystrokes in this situation (20ms granularity by
|
||||
default).
|
||||
This additional implication of the bug was identified by
|
||||
Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and
|
||||
we thank them for their detailed analysis.
|
||||
This bug does not affect connections when
|
||||
ObscureKeystrokeTiming was disabled or sessions where no TTY
|
||||
was requested.
|
||||
|
||||
= Future deprecation notice
|
||||
* OpenSSH plans to remove support for the DSA signature algorithm
|
||||
in early 2025. This release disables DSA by default at compile
|
||||
time.
|
||||
DSA, as specified in the SSHv2 protocol, is inherently weak -
|
||||
being limited to a 160 bit private key and use of the SHA1
|
||||
digest. Its estimated security level is only 80 bits symmetric
|
||||
equivalent.
|
||||
OpenSSH has disabled DSA keys by default since 2015 but has
|
||||
retained run-time optional support for them. DSA was the only
|
||||
mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
|
||||
because alternative algorithms were encumbered by patents when
|
||||
the SSHv2 protocol was specified.
|
||||
This has not been the case for decades at this point and better
|
||||
algorithms are well supported by all actively-maintained SSH
|
||||
implementations. We do not consider the costs of maintaining
|
||||
DSA in OpenSSH to be justified and hope that removing it from
|
||||
OpenSSH can accelerate its wider deprecation in supporting
|
||||
cryptography libraries.
|
||||
This release, and its deactivation of DSA by default at
|
||||
compile-time, marks the second step in our timeline to finally
|
||||
deprecate DSA. The final step of removing DSA support entirely
|
||||
is planned for the first OpenSSH release of 2025.
|
||||
DSA support may be re-enabled in OpenBSD by setting
|
||||
"DSAKEY=yes" in Makefile.inc. To enable DSA support in
|
||||
portable OpenSSH, pass the "--enable-dsa-keys" option to
|
||||
configure.
|
||||
|
||||
= Potentially-incompatible changes
|
||||
* all: as mentioned above, the DSA signature algorithm is now
|
||||
disabled at compile time.
|
||||
* sshd(8): the server will now block client addresses that
|
||||
repeatedly fail authentication, repeatedly connect without ever
|
||||
completing authentication or that crash the server. See the
|
||||
discussion of PerSourcePenalties below for more information.
|
||||
Operators of servers that accept connections from many users,
|
||||
or servers that accept connections from addresses behind NAT or
|
||||
proxies may need to consider these settings.
|
||||
* sshd(8): the server has been split into a listener binary,
|
||||
sshd(8), and a per-session binary "sshd-session". This allows
|
||||
for a much smaller listener binary, as it no longer needs to
|
||||
support the SSH protocol. As part of this work, support for
|
||||
disabling privilege separation (which previously required code
|
||||
changes to disable) and disabling re-execution of sshd(8) has
|
||||
been removed. Further separation of sshd-session into
|
||||
additional, minimal binaries is planned for the future.
|
||||
* sshd(8): several log messages have changed. In particular, some
|
||||
log messages will be tagged with as originating from a process
|
||||
named "sshd-session" rather than "sshd".
|
||||
* ssh-keyscan(1): this tool previously emitted comment lines
|
||||
containing the hostname and SSH protocol banner to standard
|
||||
error. This release now emits them to standard output, but adds
|
||||
a new "-q" flag to silence them altogether.
|
||||
* sshd(8): (portable OpenSSH only) sshd will no longer use
|
||||
argv[0] as the PAM service name. A new "PAMServiceName"
|
||||
sshd_config(5) directive allows selecting the service name at
|
||||
runtime. This defaults to "sshd". bz2101
|
||||
* (portable OpenSSH only) Automatically-generated files, such as
|
||||
configure, config.h.in, etc will now be checked in to the
|
||||
portable OpenSSH git release branch (e.g. V_9_8). This should
|
||||
ensure that the contents of the signed release branch exactly
|
||||
match the contents of the signed release tarball.
|
||||
|
||||
= New features
|
||||
* sshd(8): as described above, sshd(8) will now penalise client
|
||||
addresses that, for various reasons, do not successfully
|
||||
complete authentication. This feature is controlled by a new
|
||||
sshd_config(5) PerSourcePenalties option and is on by default.
|
||||
sshd(8) will now identify situations where the session did not
|
||||
authenticate as expected. These conditions include when the
|
||||
client repeatedly attempted authentication unsucessfully
|
||||
(possibly indicating an attack against one or more accounts,
|
||||
e.g. password guessing), or when client behaviour caused sshd
|
||||
to crash (possibly indicating attempts to exploit bugs in
|
||||
sshd).
|
||||
When such a condition is observed, sshd will record a penalty
|
||||
of some duration (e.g. 30 seconds) against the client's
|
||||
address. If this time is above a minimum configurable
|
||||
threshold, then all connections from the client address will be
|
||||
refused (along with any others in the same
|
||||
PerSourceNetBlockSize CIDR range) until the penalty expire.
|
||||
Repeated offenses by the same client address will accrue
|
||||
greater penalties, up to a configurable maximum. Address ranges
|
||||
may be fully exempted from penalties, e.g. to guarantee access
|
||||
from a set of trusted management addresses, using the new
|
||||
sshd_config(5) PerSourcePenaltyExemptList option.
|
||||
We hope these options will make it significantly more difficult
|
||||
for attackers to find accounts with weak/guessable passwords or
|
||||
exploit bugs in sshd(8) itself. This option is enabled by
|
||||
default.
|
||||
* ssh(8): allow the HostkeyAlgorithms directive to disable the
|
||||
implicit fallback from certificate host key to plain host keys.
|
||||
|
||||
= Bugfixes
|
||||
* misc: fix a number of inaccuracies in the PROTOCOL.*
|
||||
documentation files. GHPR430 GHPR487
|
||||
* all: switch to strtonum(3) for more robust integer parsing in
|
||||
most places.
|
||||
* ssh(1), sshd(8): correctly restore sigprocmask around ppoll()
|
||||
* ssh-keysign(8): stricter validation of messaging socket fd
|
||||
GHPR492
|
||||
* sftp(1): flush stdout after writing "sftp>" prompt when not
|
||||
using editline. GHPR480
|
||||
* sftp-server(8): fix home-directory extension implementation,
|
||||
it previously always returned the current user's home directory
|
||||
contrary to the spec. GHPR477
|
||||
* ssh-keyscan(1): do not close stdin to prevent error messages
|
||||
when stdin is read multiple times. E.g.
|
||||
echo localhost | ssh-keyscan -f - -f -
|
||||
* regression tests: fix rekey test that was testing the same KEX
|
||||
algorithm repeatedly instead of testing all of them. bz3692
|
||||
* ssh_config(5), sshd_config(5): clarify the KEXAlgorithms
|
||||
directive documentation, especially around what is supported
|
||||
vs available. bz3701.
|
||||
|
||||
= Portability
|
||||
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
|
||||
unconditionally. The previous behaviour was to expose it only
|
||||
when particular authentication methods were in use.
|
||||
* build: fix OpenSSL ED25519 support detection. An incorrect
|
||||
function signature in configure.ac previously prevented
|
||||
enabling the recently added support for ED25519 private keys in
|
||||
PEM PKCS8 format.
|
||||
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
|
||||
environment variable to enable SSH_ASKPASS, similarly to the
|
||||
X11 DISPLAY environment variable. GHPR479
|
||||
* build: improve detection of the -fzero-call-used-regs compiler
|
||||
flag. bz3673.
|
||||
* build: relax OpenSSL version check to accept all OpenSSL 3.x
|
||||
versions.
|
||||
* sshd(8): add support for notifying systemd on server listen and
|
||||
reload, using a standalone implementation that doesn't depend
|
||||
on libsystemd. bz2641
|
||||
|
||||
- Update to openssh 9.7p1:
|
||||
|
||||
= New features
|
||||
* ssh(1), sshd(8): add a "global" ChannelTimeout type that
|
||||
watches all open channels and will close all open channels if
|
||||
there is no traffic on any of them for the specified interval.
|
||||
This is in addition to the existing per-channel timeouts added
|
||||
recently.
|
||||
This supports situations like having both session and x11
|
||||
forwarding channels open where one may be idle for an extended
|
||||
period but the other is actively used. The global timeout could
|
||||
close both channels when both have been idle for too long.
|
||||
* All: make DSA key support compile-time optional, defaulting to
|
||||
on.
|
||||
|
||||
= Bugfixes
|
||||
* sshd(8): don't append an unnecessary space to the end of
|
||||
subsystem arguments (bz3667)
|
||||
* ssh(1): fix the multiplexing "channel proxy" mode, broken when
|
||||
keystroke timing obfuscation was added. (GHPR#463)
|
||||
* ssh(1), sshd(8): fix spurious configuration parsing errors when
|
||||
options that accept array arguments are overridden (bz3657).
|
||||
* ssh-agent(1): fix potential spin in signal handler (bz3670)
|
||||
* Many fixes to manual pages and other documentation, including
|
||||
GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
|
||||
* Greatly improve interop testing against PuTTY.
|
||||
|
||||
= Portability
|
||||
* Improve the error message when the autoconf OpenSSL header
|
||||
check fails (bz#3668)
|
||||
* Improve detection of broken toolchain -fzero-call-used-regs
|
||||
support (bz3645).
|
||||
* Fix regress/misc/fuzz-harness fuzzers and make them compile
|
||||
without warnings when using clang16
|
||||
- Use gcc-11 in SLE to avoid a "parameter name omitted" error
|
||||
- Rebase patches:
|
||||
* logind_set_tty.patch
|
||||
* openssh-6.6.1p1-selinux-contexts.patch
|
||||
* openssh-6.6p1-keycat.patch
|
||||
* openssh-6.6p1-privsep-selinux.patch
|
||||
* openssh-7.6p1-cleanup-selinux.patch
|
||||
* openssh-7.7p1-cavstest-ctr.patch
|
||||
* openssh-7.7p1-cavstest-kdf.patch
|
||||
* openssh-7.7p1-fips.patch
|
||||
* openssh-7.7p1-fips_checks.patch
|
||||
* openssh-7.7p1-ldap.patch
|
||||
* openssh-7.7p1-pam_check_locks.patch
|
||||
* openssh-7.7p1-systemd-notify.patch
|
||||
* openssh-7.8p1-role-mls.patch
|
||||
* openssh-8.0p1-gssapi-keyex.patch
|
||||
* openssh-8.1p1-audit.patch
|
||||
* openssh-8.4p1-vendordir.patch
|
||||
* openssh-9.6p1-crypto-policies-man.patch
|
||||
* openssh-mitigate-lingering-secrets.patch
|
||||
* openssh-reenable-dh-group14-sha1-default.patch
|
||||
* wtmpdb.patch
|
||||
- Thanks to Fedora developers for an initial version of the
|
||||
rebase of the following patches:
|
||||
* openssh-8.0p1-gssapi-keyex.patch
|
||||
* openssh-7.8p1-role-mls.patch
|
||||
* openssh-8.1p1-audit.patch
|
||||
- Remove patches that are already included in 9.8p1:
|
||||
* fix-CVE-2024-6387.patch
|
||||
* 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
|
||||
* 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
|
||||
* 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
|
||||
- Remove patch that is now merged into
|
||||
openssh-7.7p1-cavstest-ctr.patch and
|
||||
openssh-7.7p1-cavstest-kdf.patch where it belongs:
|
||||
* fix-missing-lz.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 15 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Add sshd.socket and sshd@.service units as alternative to the
|
||||
sshd.service that makes systemd listen to the ssh port
|
||||
and run sshd per incoming connection. To enable this,
|
||||
disable sshd.service and enable sshd.socket . If you want to
|
||||
use a non standard sshd port with sshd.socket you can do
|
||||
"systemctl edit sshd.socket" and add something like:
|
||||
|
||||
[Socket]
|
||||
ListenStream=8022
|
||||
|
||||
which listens on port 8022 as well as on port 22. If you want
|
||||
to reset the list of listened ports and just use 8022, use:
|
||||
|
||||
[Socket]
|
||||
ListenStream=
|
||||
ListenStream=8022
|
||||
- To enable a vsock listener in sshd (which allows to connect to
|
||||
libvirt VMs), the systemd-experimental package needs to be
|
||||
installed in the guest system, the libvirt-ssh-proxy package
|
||||
needs to be installed in the host and the vm needs to have
|
||||
vsock support (in virt-manager, click in "Add hardware" and
|
||||
add "VSOCK VirtIO").
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
|
120
openssh.spec
120
openssh.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -34,12 +34,24 @@
|
||||
%bcond_without allow_root_password_login_by_default
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
|
||||
%bcond_without crypto_policies
|
||||
%else
|
||||
%bcond_with crypto_policies
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} < 1500
|
||||
%bcond_without openssl11
|
||||
%else
|
||||
%bcond_with openssl11
|
||||
%endif
|
||||
|
||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||
%if ! %{defined _fillupdir}
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 9.6p1
|
||||
Version: 9.9p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
@ -61,6 +73,8 @@ Source12: cavs_driver-ssh.pl
|
||||
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
||||
Source14: sysusers-sshd.conf
|
||||
Source15: sshd-sle.pamd
|
||||
Source16: sshd@.service
|
||||
Source17: sshd.socket
|
||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||
Patch4: openssh-7.7p1-eal3.patch
|
||||
@ -119,35 +133,53 @@ Patch50: openssh-openssl-3.patch
|
||||
Patch51: wtmpdb.patch
|
||||
Patch52: logind_set_tty.patch
|
||||
Patch54: openssh-mitigate-lingering-secrets.patch
|
||||
Patch100: fix-missing-lz.patch
|
||||
Patch102: openssh-7.8p1-role-mls.patch
|
||||
Patch103: openssh-6.6p1-privsep-selinux.patch
|
||||
Patch104: openssh-6.6p1-keycat.patch
|
||||
Patch105: openssh-6.6.1p1-selinux-contexts.patch
|
||||
Patch106: openssh-7.6p1-cleanup-selinux.patch
|
||||
|
||||
# 200 - 300 -- Patches submitted to upstream
|
||||
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
|
||||
Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
|
||||
# PATCH-FIX-UPSTREAM -- https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4
|
||||
Patch201: fix-x11-regression-bsc1229449.patch
|
||||
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
|
||||
Patch202: 0001-fix-utmpx-ifdef.patch
|
||||
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
|
||||
Patch203: 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
|
||||
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
|
||||
Patch204: 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
|
||||
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
|
||||
Patch205: 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
|
||||
|
||||
# 1000 - 2000 -- Conditional patches
|
||||
%if %{with crypto_policies}
|
||||
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
||||
Patch107: openssh-9.6p1-crypto-policies.patch
|
||||
Patch108: openssh-9.6p1-crypto-policies-man.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
|
||||
Patch109: fix-CVE-2024-6387.patch
|
||||
# PATCH-FIX-UPSTREAM
|
||||
Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
|
||||
# PATCH-FIX-UPSTREAM
|
||||
Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
|
||||
Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
Patch1000: openssh-7.7p1-allow_root_password_login.patch
|
||||
Patch1000: openssh-9.6p1-crypto-policies.patch
|
||||
Patch1001: openssh-9.6p1-crypto-policies-man.patch
|
||||
%endif
|
||||
%if %{with allow_root_password_login_by_default}
|
||||
# PATCH-FIX-SLE Allow root login with password by default (for SLE12 and SLE15)
|
||||
Patch1002: openssh-7.7p1-allow_root_password_login.patch
|
||||
%endif
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: automake
|
||||
%if 0%{?suse_version} < 1600
|
||||
BuildRequires: gcc11
|
||||
%endif
|
||||
BuildRequires: groff
|
||||
BuildRequires: libedit-devel
|
||||
BuildRequires: libselinux-devel
|
||||
%if %{with ldap}
|
||||
BuildRequires: openldap2-devel
|
||||
%endif
|
||||
%if %{with openssl11}
|
||||
BuildRequires: libopenssl-1_1-devel
|
||||
BuildRequires: openssl-1_1
|
||||
%else
|
||||
BuildRequires: openssl-devel
|
||||
%endif
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: zlib-devel
|
||||
@ -157,7 +189,7 @@ BuildRequires: sysuser-shadow
|
||||
BuildRequires: sysuser-tools
|
||||
Requires: %{name}-clients = %{version}-%{release}
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
%if 0%{?suse_version} >= 1550
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?suse_version} < 1500
|
||||
BuildRequires: pkgconfig(krb5)
|
||||
%else
|
||||
BuildRequires: krb5-mini-devel
|
||||
@ -203,14 +235,16 @@ clients.
|
||||
Summary: SSH (Secure Shell) server
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
%if %{with crypto_policies}
|
||||
Requires: crypto-policies >= 20220824
|
||||
%endif
|
||||
Recommends: audit
|
||||
Requires(pre): findutils
|
||||
Requires(pre): grep
|
||||
Requires(post): %fillup_prereq
|
||||
Requires(post): permissions
|
||||
Provides: openssh:%{_sbindir}/sshd
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%if %{with allow_root_password_login_by_default}
|
||||
# For a brief period of time this package existed in SLE/Leap.
|
||||
# It was removed before GM but some people might have it from
|
||||
# a beta distribution version (boo#1227350)
|
||||
@ -230,7 +264,7 @@ also be forwarded over the secure channel.
|
||||
This package contains the Secure Shell daemon, which allows clients to
|
||||
securely connect to your server.
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%if %{with allow_root_password_login_by_default}
|
||||
%package server-config-disallow-rootlogin
|
||||
Summary: Config to disallow password root logins to sshd
|
||||
Group: Productivity/Networking/SSH
|
||||
@ -259,7 +293,9 @@ ssh-copy-id(1).
|
||||
%package clients
|
||||
Summary: SSH (Secure Shell) client applications
|
||||
Group: Productivity/Networking/SSH
|
||||
%if %{with crypto_policies}
|
||||
Requires: crypto-policies >= 20220824
|
||||
%endif
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Provides: openssh:%{_bindir}/ssh
|
||||
|
||||
@ -328,6 +364,9 @@ sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
)
|
||||
|
||||
%build
|
||||
%if 0%{?suse_version} < 1600
|
||||
export CC=gcc-11
|
||||
%endif
|
||||
autoreconf -fiv
|
||||
%ifarch s390 s390x %{sparc}
|
||||
PIEFLAGS="-fPIE"
|
||||
@ -368,6 +407,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
--disable-lastlog \
|
||||
--with-logind \
|
||||
%endif
|
||||
--enable-dsa-keys \
|
||||
--with-security-key-builtin \
|
||||
--target=%{_target_cpu}-suse-linux
|
||||
|
||||
@ -392,6 +432,8 @@ install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||
%endif
|
||||
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
||||
install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
|
||||
install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
|
||||
ln -s service %{buildroot}%{_sbindir}/rcsshd
|
||||
install -d -m 755 %{buildroot}%{_fillupdir}
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
||||
@ -400,7 +442,7 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%if %{with allow_root_password_login_by_default}
|
||||
echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%else
|
||||
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
@ -412,19 +454,21 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%if %{with allow_root_password_login_by_default}
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%else
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if %{with crypto_policies}
|
||||
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
||||
%if %{defined _distconfdir}
|
||||
install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%else
|
||||
install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} < 1550
|
||||
# install firewall definitions
|
||||
@ -443,9 +487,6 @@ install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
|
||||
mkdir -p %{buildroot}%{_sysusersdir}
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
|
||||
|
||||
rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
|
||||
#rm -r %{buildroot}/usr/lib/debug/.build-id
|
||||
|
||||
# the hmac hashes - taken from openssl
|
||||
#
|
||||
# re-define the __os_install_post macro: the macro strips
|
||||
@ -453,13 +494,19 @@ rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
|
||||
#
|
||||
# this shows up earlier because otherwise the %%expand of
|
||||
# the macro is too late.
|
||||
%if %{with openssl11}
|
||||
%define opensslbin openssl-1_1
|
||||
%else
|
||||
%define opensslbin openssl
|
||||
%endif
|
||||
|
||||
%{expand:%%global __os_install_post {%__os_install_post
|
||||
for b in \
|
||||
%{_bindir}/ssh \
|
||||
%{_sbindir}/sshd \
|
||||
%{_libexecdir}/ssh/sftp-server \
|
||||
; do
|
||||
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
|
||||
%{opensslbin} dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
|
||||
done
|
||||
|
||||
}}
|
||||
@ -471,12 +518,13 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
|
||||
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
|
||||
%endif
|
||||
|
||||
%service_add_pre sshd.service
|
||||
%service_add_pre sshd.service sshd.socket
|
||||
|
||||
%post server
|
||||
%{fillup_only -n ssh}
|
||||
%service_add_post sshd.service
|
||||
%service_add_post sshd.service sshd.socket
|
||||
|
||||
%if %{with crypto_policies}
|
||||
%if ! %{defined _distconfdir}
|
||||
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
||||
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
|
||||
@ -485,20 +533,22 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
|
||||
echo "/etc/ssh/sshd_config :"
|
||||
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%preun server
|
||||
%service_del_preun sshd.service
|
||||
%service_del_preun sshd.service sshd.socket
|
||||
|
||||
%postun server
|
||||
# The openssh-fips trigger script for openssh will normally restart sshd once
|
||||
# it gets installed, so only restart the service here if openssh-fips is not
|
||||
# present.
|
||||
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
|
||||
%service_del_postun_without_restart sshd.service
|
||||
%service_del_postun_without_restart sshd.service sshd.socket
|
||||
else
|
||||
%service_del_postun sshd.service
|
||||
%service_del_postun sshd.service sshd.socket
|
||||
fi
|
||||
|
||||
%if %{with crypto_policies}
|
||||
%if ! %{defined _distconfdir}
|
||||
%post server-config-disallow-rootlogin
|
||||
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
||||
@ -508,6 +558,7 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
|
||||
echo "the following line is added at the start of /etc/ssh/sshd_config :"
|
||||
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%posttrans server
|
||||
@ -522,6 +573,7 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
|
||||
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
|
||||
%endif
|
||||
|
||||
%if %{with crypto_policies}
|
||||
%if ! %{defined _distconfdir}
|
||||
%post clients
|
||||
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
|
||||
@ -531,6 +583,7 @@ test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.con
|
||||
echo "/etc/ssh/ssh_config :"
|
||||
echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%posttrans clients
|
||||
@ -578,17 +631,22 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
||||
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
||||
%endif
|
||||
%if %{with crypto_policies}
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%else
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%endif
|
||||
%endif
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
|
||||
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
|
||||
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
|
||||
%if 0%{?suse_version} < 1600
|
||||
%dir %{_sysconfdir}/slp.reg.d
|
||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||
@ -600,7 +658,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
||||
%config %{_fwdefdir}/sshd
|
||||
%endif
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%if %{with allow_root_password_login_by_default}
|
||||
%files server-config-disallow-rootlogin
|
||||
%if %{defined _distconfdir}
|
||||
%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
@ -617,8 +675,10 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
||||
%endif
|
||||
|
||||
%files clients
|
||||
%if %{with crypto_policies}
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
||||
%endif
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
||||
%else
|
||||
|
@ -8,4 +8,3 @@ session required pam_loginuid.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include common-session
|
||||
session optional pam_motd.so
|
||||
|
||||
|
11
sshd.socket
Normal file
11
sshd.socket
Normal file
@ -0,0 +1,11 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Server Socket
|
||||
Conflicts=sshd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=22
|
||||
Accept=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
|
11
sshd@.service
Normal file
11
sshd@.service
Normal file
@ -0,0 +1,11 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Per-Connection Server Daemon
|
||||
Documentation=man:systemd-ssh-generator(8) man:sshd(8)
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/sysconfig/ssh
|
||||
ExecStartPre=/usr/sbin/sshd-gen-keys-start
|
||||
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
|
||||
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
|
||||
StandardInput=socket
|
10
wtmpdb.patch
10
wtmpdb.patch
@ -174,12 +174,16 @@ diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
RANLIB=@RANLIB@
|
||||
@@ -212,7 +213,7 @@
|
||||
@@ -212,10 +213,10 @@
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
|
||||
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
|
||||
- $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
Loading…
Reference in New Issue
Block a user