Sync from SUSE:SLFO:Main openssh revision f793e41158efbf91a9de8e2e7a9a07fd
This commit is contained in:
commit
15c3ad6ea3
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
64
README.FIPS
Normal file
64
README.FIPS
Normal file
@ -0,0 +1,64 @@
|
||||
Notes on FIPS mode and OpenSSH
|
||||
|
||||
---
|
||||
|
||||
SUSE OpenSSH comes with FIPS 140-2 support, and certain versions have been
|
||||
certified as FIPS compliant by NIST. Apart from other things, this standard
|
||||
puts restrictions on cryptographic algorithms that may be used.
|
||||
|
||||
Important notice: FIPS is not only a matter of functionality. If you want to
|
||||
claim having a FIPS certified service, you *must* use the certified binaries.
|
||||
Even binaries built from the same sources in the same environment and running
|
||||
on a certified system, yet from a package lacking the certification, are
|
||||
formally not considered to be fulfilling the requirements.
|
||||
|
||||
The certified binaries (ssh, sshd, sftp-server) perform mandatory selfcheck at
|
||||
startup and proceed only when the checks succeed (non-certified binaries may
|
||||
skip the check). These checks require the cryptographic hashes contained in the
|
||||
openssh-fips subpackage.
|
||||
|
||||
The FIPS mode for OpenSSH is enabled in two ways - either:
|
||||
|
||||
1) /proc/sys/crypto/fips_enabled contains a single character '1' - this is a
|
||||
system-wide setting controlled bu the fips kernel parameter; or
|
||||
|
||||
2) the environment variable SSH_FORCE_FIPS - if set (to any value), the
|
||||
binaries behave as if they were running on a system in FIPS mode.
|
||||
|
||||
Since FIPS 140-2 only allows use of certain cryptographic algorithms, both the
|
||||
client and server will fail if they are requested to use non-approved
|
||||
algorithms while in FIPS mode. This means that working configurations for FIPS
|
||||
mode form a proper subset of all working (generic) configurations. Some
|
||||
configurations may even prevent the binaries from starting at all.
|
||||
|
||||
This however should be viewed in the context of FIPS being a security policy
|
||||
tool - it is not of much use to run the same system both in FIPS mode and
|
||||
outside of it, since that would defeat the main purpose of FIPS having
|
||||
guaranteeing standardised minimum restrictions on cryptographic algorithms
|
||||
(and thus on the overall security of the system).
|
||||
|
||||
Unless you specify what cryptographic algorithms you wish to use, both the
|
||||
client and server should work out of the box in FIPS mode.
|
||||
|
||||
For sshd, you can use the `-t` option to check whether the configuration file
|
||||
is working. Setting the above mentioned environment variable allows testing of
|
||||
behaviour in FIPS mode (checksum files for both OpenSSH and OpenSSL must be
|
||||
installed).
|
||||
|
||||
In addition to cryptographic algorithms restrictions, sshd performs periodic
|
||||
PRNG re-seeding. The seed is read from entropy source either /dev/urandom or
|
||||
/dev/random. By default, the former is used, unless the environment variable
|
||||
SSH_USE_STRONG_RNG is set to a non-zero value or the binary is running in FIPS
|
||||
mode. This has two important implications:
|
||||
|
||||
1) the selected entropy source must be available, i.e. when running in a
|
||||
changeroot the device files need to be present there.
|
||||
|
||||
2) /dev/random is a blocking interface - unless enough randomness is available,
|
||||
the process stops until the entropy pool is replenished. Thus on systems where
|
||||
a long running processes are expected, one should make sure there is always
|
||||
enough entropy for sshd. Sporadically this may also cause sshd to aborted,
|
||||
since some versions of OpenSSL (the underlying cryptographic engine) don't
|
||||
handle gracefully being interrupted while trying to read entropy from the
|
||||
system source.
|
||||
|
16
README.SUSE
Normal file
16
README.SUSE
Normal file
@ -0,0 +1,16 @@
|
||||
There are following changes in default settings of ssh client and server:
|
||||
|
||||
* Accepting and sending of locale environment variables in protocol 2 is
|
||||
enabled.
|
||||
|
||||
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||
|
||||
* DSA authentication is enabled by default for maximum compatibility.
|
||||
NOTE: do not use DSA authentication since it is being phased out for a reason
|
||||
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
||||
be considered safe any more.
|
||||
|
||||
* Accepting all RFC4419 specified DH group parameters. See KexDHMin in
|
||||
ssh_config and sshd_config manual pages.
|
||||
|
||||
For more information on differences in SUSE OpenSSH package see README.FIPS
|
18
README.kerberos
Normal file
18
README.kerberos
Normal file
@ -0,0 +1,18 @@
|
||||
This version of the Kerbros/GSSAPI support avoids DNS lookups
|
||||
for Kerberos-related names. These DNS lookups were problematic
|
||||
for dialup users because they would lead to excessive delays
|
||||
if DNS was not reachable.
|
||||
|
||||
If you do use Kerberos, please make sure you edit the server and
|
||||
client configuration files as follows:
|
||||
|
||||
/etc/ssh/sshd_config:
|
||||
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials yes
|
||||
|
||||
/etc/ssh/ssh_config:
|
||||
Host *
|
||||
... lots of other options ...
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPIDelegateCredentials yes
|
3
_multibuild
Normal file
3
_multibuild
Normal file
@ -0,0 +1,3 @@
|
||||
<multibuild>
|
||||
<package>openssh-askpass-gnome</package>
|
||||
</multibuild>
|
184
cavs_driver-ssh.pl
Normal file
184
cavs_driver-ssh.pl
Normal file
@ -0,0 +1,184 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# CAVS test driver for OpenSSH
|
||||
#
|
||||
# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# NO WARRANTY
|
||||
#
|
||||
# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
# REPAIR OR CORRECTION.
|
||||
#
|
||||
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGES.
|
||||
#
|
||||
use strict;
|
||||
use warnings;
|
||||
use IPC::Open2;
|
||||
|
||||
# Executing a program by feeding STDIN and retrieving
|
||||
# STDOUT
|
||||
# $1: data string to be piped to the app on STDIN
|
||||
# rest: program and args
|
||||
# returns: STDOUT of program as string
|
||||
sub pipe_through_program($@) {
|
||||
my $in = shift;
|
||||
my @args = @_;
|
||||
|
||||
my ($CO, $CI);
|
||||
my $pid = open2($CO, $CI, @args);
|
||||
|
||||
my $out = "";
|
||||
my $len = length($in);
|
||||
my $first = 1;
|
||||
while (1) {
|
||||
my $rin = "";
|
||||
my $win = "";
|
||||
# Output of prog is FD that we read
|
||||
vec($rin,fileno($CO),1) = 1;
|
||||
# Input of prog is FD that we write
|
||||
# check for $first is needed because we can have NULL input
|
||||
# that is to be written to the app
|
||||
if ( $len > 0 || $first) {
|
||||
(vec($win,fileno($CI),1) = 1);
|
||||
$first=0;
|
||||
}
|
||||
# Let us wait for 100ms
|
||||
my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
|
||||
if ( $wout ) {
|
||||
my $written = syswrite($CI, $in, $len);
|
||||
die "broken pipe" if !defined $written;
|
||||
$len -= $written;
|
||||
substr($in, 0, $written) = "";
|
||||
if ($len <= 0) {
|
||||
close $CI or die "broken pipe: $!";
|
||||
}
|
||||
}
|
||||
if ( $rout ) {
|
||||
my $tmp_out = "";
|
||||
my $bytes_read = sysread($CO, $tmp_out, 4096);
|
||||
$out .= $tmp_out;
|
||||
last if ($bytes_read == 0);
|
||||
}
|
||||
}
|
||||
close $CO or die "broken pipe: $!";
|
||||
waitpid $pid, 0;
|
||||
|
||||
return $out;
|
||||
}
|
||||
|
||||
# Parser of CAVS test vector file
|
||||
# $1: Test vector file
|
||||
# $2: Output file for test results
|
||||
# return: nothing
|
||||
sub parse($$) {
|
||||
my $infile = shift;
|
||||
my $outfile = shift;
|
||||
|
||||
my $out = "";
|
||||
|
||||
my $K = "";
|
||||
my $H = "";
|
||||
my $session_id = "";
|
||||
my $ivlen = 0;
|
||||
my $eklen = "";
|
||||
my $iklen = "";
|
||||
|
||||
open(IN, "<$infile");
|
||||
while(<IN>) {
|
||||
|
||||
my $line = $_;
|
||||
chomp($line);
|
||||
$line =~ s/\r//;
|
||||
|
||||
if ($line =~ /\[SHA-1\]/) {
|
||||
$iklen = 20;
|
||||
} elsif ($line =~ /\[SHA-256\]/) {
|
||||
$iklen = 32;
|
||||
} elsif ($line =~ /\[SHA-384\]/) {
|
||||
$iklen = 48;
|
||||
} elsif ($line =~ /\[SHA-512\]/) {
|
||||
$iklen = 64;
|
||||
} elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
|
||||
$ivlen = $1;
|
||||
$ivlen = $ivlen / 8;
|
||||
} elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
|
||||
$eklen = $1;
|
||||
$eklen = $eklen / 8;
|
||||
} elsif ($line =~ /^K\s*=\s*(.*)/) {
|
||||
$K = $1;
|
||||
$K = substr($K, 8);
|
||||
$K = "00" . $K;
|
||||
} elsif ($line =~ /^H\s*=\s*(.*)/) {
|
||||
$H = $1;
|
||||
} elsif ($line =~ /^session_id\s*=\s*(.*)/) {
|
||||
$session_id = $1;
|
||||
}
|
||||
$out .= $line . "\n";
|
||||
|
||||
if ($K ne "" && $H ne "" && $session_id ne "" &&
|
||||
$ivlen ne "" && $eklen ne "" && $iklen > 0) {
|
||||
$out .= pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
|
||||
|
||||
$K = "";
|
||||
$H = "";
|
||||
$session_id = "";
|
||||
}
|
||||
}
|
||||
close IN;
|
||||
$out =~ s/\n/\r\n/g; # make it a dos file
|
||||
open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
|
||||
print OUT $out;
|
||||
close OUT;
|
||||
}
|
||||
|
||||
############################################################
|
||||
#
|
||||
# let us pretend to be C :-)
|
||||
sub main() {
|
||||
|
||||
my $infile=$ARGV[0];
|
||||
die "Error: Test vector file $infile not found" if (! -f $infile);
|
||||
|
||||
my $outfile = $infile;
|
||||
# let us add .rsp regardless whether we could strip .req
|
||||
$outfile =~ s/\.req$//;
|
||||
$outfile .= ".rsp";
|
||||
if (-f $outfile) {
|
||||
die "Output file $outfile could not be removed: $?"
|
||||
unless unlink($outfile);
|
||||
}
|
||||
print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
|
||||
|
||||
# Do the job
|
||||
parse($infile, $outfile);
|
||||
}
|
||||
|
||||
###########################################
|
||||
# Call it
|
||||
main();
|
||||
1;
|
25
fix-missing-lz.patch
Normal file
25
fix-missing-lz.patch
Normal file
@ -0,0 +1,25 @@
|
||||
Index: openssh-9.3p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.3p1.orig/Makefile.in
|
||||
+++ openssh-9.3p1/Makefile.in
|
||||
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
|
||||
- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
# FIPS tests
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
|
||||
- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
197
logind_set_tty.patch
Normal file
197
logind_set_tty.patch
Normal file
@ -0,0 +1,197 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index f0ea07e7b..35dcf45f1 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -56,6 +56,7 @@ SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBFIDO2=@LIBFIDO2@
|
||||
LIBWTMPDB=@LIBWTMPDB@
|
||||
+LIBSYSTEMD=@LIBSYSTEMD@
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
RANLIB=@RANLIB@
|
||||
@@ -208,7 +209,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index a12c6f7ad..860df3379 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1789,6 +1789,47 @@ AC_ARG_WITH([wtmpdb],
|
||||
)
|
||||
|
||||
|
||||
+# Check whether user wants logind/set tty support
|
||||
+AC_ARG_WITH([logind],
|
||||
+ [ --with-logind[[=PATH]] Enable logind support for sshd],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ if test "x$withval" = "xyes" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "x$PKGCONFIG" != "xno"; then
|
||||
+ AC_MSG_CHECKING([if $PKGCONFIG knows about libsystemd])
|
||||
+ if "$PKGCONFIG" libsystemd; then
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ use_pkgconfig_for_libsystemd=yes
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ else
|
||||
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
||||
+ if test -n "${rpath_opt}"; then
|
||||
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test "x$use_pkgconfig_for_libsystemd" = "xyes"; then
|
||||
+ LIBSYSTEMD=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libsystemd`"
|
||||
+ else
|
||||
+ LIBSYSTEMD="-lsystemd"
|
||||
+ fi
|
||||
+ OTHERLIBS=`echo $LIBSYSTEMD | sed 's/-lsystemd//'`
|
||||
+ AC_CHECK_LIB([systemd], [sd_bus_open_system],
|
||||
+ [ AC_DEFINE([USE_LOGIND], [1], [Use systemd-logind])
|
||||
+ AC_SUBST([LIBSYSTEMD])
|
||||
+ ],
|
||||
+ [ AC_MSG_ERROR([libsystemd not found]) ],
|
||||
+ [ $OTHERLIBS ]
|
||||
+ )
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
AUDIT_MODULE=none
|
||||
AC_ARG_WITH([audit],
|
||||
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
|
||||
diff --git a/loginrec.c b/loginrec.c
|
||||
index 86caf83b2..8b413190b 100644
|
||||
--- a/loginrec.c
|
||||
+++ b/loginrec.c
|
||||
@@ -191,6 +191,10 @@
|
||||
# include <wtmpdb.h>
|
||||
#endif
|
||||
|
||||
+#ifdef USE_LOGIND
|
||||
+# include <systemd/sd-bus.h>
|
||||
+#endif
|
||||
+
|
||||
/**
|
||||
** prototypes for helper functions in this file
|
||||
**/
|
||||
@@ -214,6 +218,9 @@ int syslogin_write_entry(struct logininfo *li);
|
||||
#ifdef USE_WTMPDB
|
||||
int wtmpdb_write_entry(struct logininfo *li);
|
||||
#endif
|
||||
+#ifdef USE_LOGIND
|
||||
+int logind_set_tty(struct logininfo *li);
|
||||
+#endif
|
||||
|
||||
int getlast_entry(struct logininfo *li);
|
||||
int lastlog_get_entry(struct logininfo *li);
|
||||
@@ -477,6 +484,9 @@ login_write(struct logininfo *li)
|
||||
#ifdef USE_WTMPDB
|
||||
wtmpdb_write_entry(li);
|
||||
#endif
|
||||
+#ifdef USE_LOGIND
|
||||
+ logind_set_tty(li);
|
||||
+#endif
|
||||
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
|
||||
if (li->type == LTYPE_LOGIN &&
|
||||
!sys_auth_record_login(li->username,li->hostname,li->line,
|
||||
@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li)
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifdef USE_LOGIND
|
||||
+#define DBUS_DESTINATION "org.freedesktop.login1"
|
||||
+#define DBUS_PATH_ID "/org/freedesktop/login1/session/auto"
|
||||
+#define DBUS_INTERFACE "org.freedesktop.login1.Session"
|
||||
+#define DBUS_PATH "/org/freedesktop/login1/session/%s"
|
||||
+
|
||||
+static int
|
||||
+logind_perform_login(struct logininfo *li)
|
||||
+{
|
||||
+ sd_bus *bus = NULL;
|
||||
+ sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||
+ char *session_id = NULL;
|
||||
+ char *dbus_path;
|
||||
+ const char *tty;
|
||||
+ char buf[PATH_MAX];
|
||||
+ int r;
|
||||
+ int fd;
|
||||
+
|
||||
+ if (sd_bus_open_system(&bus) < 0)
|
||||
+ {
|
||||
+ logit("logind: canot open dbus");
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ if (sd_bus_get_property_string(bus, DBUS_DESTINATION,
|
||||
+ DBUS_PATH_ID, DBUS_INTERFACE,
|
||||
+ "Id", &error, &session_id) < 0)
|
||||
+ {
|
||||
+ logit("logind: cannot get session ID");
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ if (strncmp(li->line, "/dev/", 5) != 0)
|
||||
+ snprintf (buf, sizeof(buf), "/dev/%s", li->line);
|
||||
+ else
|
||||
+ tty = li->line;
|
||||
+
|
||||
+ fd = open(tty, O_RDWR|O_CLOEXEC|O_NOCTTY);
|
||||
+
|
||||
+ if (asprintf (&dbus_path, DBUS_PATH, session_id) < 0)
|
||||
+ return (0);
|
||||
+
|
||||
+ if (sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path,
|
||||
+ DBUS_INTERFACE, "TakeControl", &error, NULL,
|
||||
+ "b", 1) < 0) {
|
||||
+ logit("logind: cannot take control");
|
||||
+ free(dbus_path);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ if ((r = sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path,
|
||||
+ DBUS_INTERFACE, "SetTTY", &error, NULL,
|
||||
+ "h", fd)) < 0) {
|
||||
+ if (r != -EBADR) /* logind does not support "SetTTY" */
|
||||
+ logit("logind: cannot set TTY(%s, %s): %s", session_id, tty, strerror(-r));
|
||||
+ free(dbus_path);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ free(dbus_path);
|
||||
+
|
||||
+ if (sd_bus_flush(bus) < 0)
|
||||
+ return (0);
|
||||
+
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+logind_set_tty(struct logininfo *li)
|
||||
+{
|
||||
+ switch(li->type) {
|
||||
+ case LTYPE_LOGIN:
|
||||
+ return (logind_perform_login(li));
|
||||
+ case LTYPE_LOGOUT:
|
||||
+ return (1);
|
||||
+ default:
|
||||
+ logit("%s: invalid type field", __func__);
|
||||
+ return (0);
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
|
||||
/**
|
||||
** Low-level libutil login() functions
|
119
openssh-6.6.1p1-selinux-contexts.patch
Normal file
119
openssh-6.6.1p1-selinux-contexts.patch
Normal file
@ -0,0 +1,119 @@
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
@@ -33,6 +33,7 @@
|
||||
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
#include "servconf.h"
|
||||
#include "port-linux.h"
|
||||
+#include "misc.h"
|
||||
#include "sshkey.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
@@ -451,7 +452,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
void
|
||||
sshd_selinux_copy_context(void)
|
||||
{
|
||||
- security_context_t *ctx;
|
||||
+ char *ctx;
|
||||
|
||||
if (!sshd_selinux_enabled())
|
||||
return;
|
||||
@@ -470,6 +471,72 @@ sshd_selinux_copy_context(void)
|
||||
}
|
||||
}
|
||||
|
||||
+void
|
||||
+sshd_selinux_change_privsep_preauth_context(void)
|
||||
+{
|
||||
+ int len;
|
||||
+ char line[1024], *preauth_context = NULL, *cp, *arg;
|
||||
+ const char *contexts_path;
|
||||
+ FILE *contexts_file;
|
||||
+ struct stat sb;
|
||||
+
|
||||
+ contexts_path = selinux_openssh_contexts_path();
|
||||
+ if (contexts_path == NULL) {
|
||||
+ debug3_f("Failed to get the path to SELinux context");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
||||
+ debug_f("Failed to open SELinux context file");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
||||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
||||
+ logit_f("SELinux context file needs to be owned by root"
|
||||
+ " and not writable by anyone else");
|
||||
+ fclose(contexts_file);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ while (fgets(line, sizeof(line), contexts_file)) {
|
||||
+ /* Strip trailing whitespace */
|
||||
+ for (len = strlen(line) - 1; len > 0; len--) {
|
||||
+ if (strchr(" \t\r\n", line[len]) == NULL)
|
||||
+ break;
|
||||
+ line[len] = '\0';
|
||||
+ }
|
||||
+
|
||||
+ if (line[0] == '\0')
|
||||
+ continue;
|
||||
+
|
||||
+ cp = line;
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (arg && *arg == '\0')
|
||||
+ arg = strdelim(&cp);
|
||||
+
|
||||
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (!arg || *arg == '\0') {
|
||||
+ debug_f("privsep_preauth is empty");
|
||||
+ fclose(contexts_file);
|
||||
+ return;
|
||||
+ }
|
||||
+ preauth_context = xstrdup(arg);
|
||||
+ }
|
||||
+ }
|
||||
+ fclose(contexts_file);
|
||||
+
|
||||
+ if (preauth_context == NULL) {
|
||||
+ debug_f("Unable to find 'privsep_preauth' option in"
|
||||
+ " SELinux context file");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ ssh_selinux_change_context(preauth_context);
|
||||
+ free(preauth_context);
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
#endif
|
||||
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
@@ -27,6 +27,7 @@ int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
int sshd_selinux_setup_env_variables(void);
|
||||
+void sshd_selinux_change_privsep_preauth_context(void);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- ssh_selinux_change_context("sshd_net_t");
|
||||
+ sshd_selinux_change_privsep_preauth_context();
|
||||
#endif
|
||||
|
||||
/* Demote the child */
|
491
openssh-6.6p1-keycat.patch
Normal file
491
openssh-6.6p1-keycat.patch
Normal file
@ -0,0 +1,491 @@
|
||||
Index: openssh-9.3p2/misc.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/misc.c
|
||||
+++ openssh-9.3p2/misc.c
|
||||
@@ -2770,6 +2770,13 @@ subprocess(const char *tag, const char *
|
||||
error("%s: dup2: %s", tag, strerror(errno));
|
||||
_exit(1);
|
||||
}
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
if (env != NULL)
|
||||
execve(av[0], av, env);
|
||||
else
|
||||
Index: openssh-9.3p2/HOWTO.ssh-keycat
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.3p2/HOWTO.ssh-keycat
|
||||
@@ -0,0 +1,12 @@
|
||||
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
+of an user in any environment. This includes environments with
|
||||
+polyinstantiation of home directories and SELinux MLS policy enabled.
|
||||
+
|
||||
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
||||
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
||||
+ AuthorizedKeysCommandUser root
|
||||
+
|
||||
+Do not forget to enable public key authentication:
|
||||
+ PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
Index: openssh-9.3p2/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/Makefile.in
|
||||
+++ openssh-9.3p2/Makefile.in
|
||||
@@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
|
||||
K5LIBS=@K5LIBS@
|
||||
GSSLIBS=@GSSLIBS@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
+KEYCATLIBS=@KEYCATLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBFIDO2=@LIBFIDO2@
|
||||
LIBWTMPDB=@LIBWTMPDB@
|
||||
@@ -75,7 +77,7 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
.SUFFIXES: .lo
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
|
||||
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
|
||||
@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
|
||||
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
|
||||
|
||||
@@ -431,6 +436,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
@@ -23,8 +23,10 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
+int sshd_selinux_setup_env_variables(void);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
|
||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
+int
|
||||
+sshd_selinux_enabled(void)
|
||||
+{
|
||||
+ static int enabled = -1;
|
||||
+
|
||||
+ if (enabled == -1) {
|
||||
+ enabled = (is_selinux_enabled() == 1);
|
||||
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
||||
+ }
|
||||
+
|
||||
+ return (enabled);
|
||||
+}
|
||||
+
|
||||
/* Send audit message */
|
||||
static int
|
||||
sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
||||
@@ -318,7 +332,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
-sshd_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -329,16 +343,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
if (inetd_flag && !rexeced_flag) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
use_current = "";
|
||||
- rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
+ rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
}
|
||||
|
||||
- rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
+ rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
|
||||
if (role != NULL)
|
||||
free(role);
|
||||
@@ -346,6 +360,24 @@ sshd_selinux_setup_pam_variables(void)
|
||||
return rv;
|
||||
}
|
||||
|
||||
+static int
|
||||
+sshd_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ return sshd_selinux_setup_variables(do_pam_putenv);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+do_setenv(char *name, const char *value)
|
||||
+{
|
||||
+ return setenv(name, value, 1);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+sshd_selinux_setup_env_variables(void)
|
||||
+{
|
||||
+ return sshd_selinux_setup_variables(do_setenv);
|
||||
+}
|
||||
+
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
sshd_selinux_setup_exec_context(char *pwname)
|
||||
@@ -354,7 +386,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
int r = 0;
|
||||
security_context_t default_ctx = NULL;
|
||||
|
||||
- if (!ssh_selinux_enabled())
|
||||
+ if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
if (options.use_pam) {
|
||||
@@ -421,7 +453,7 @@ sshd_selinux_copy_context(void)
|
||||
{
|
||||
security_context_t *ctx;
|
||||
|
||||
- if (!ssh_selinux_enabled())
|
||||
+ if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
Index: openssh-9.3p2/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/platform.c
|
||||
+++ openssh-9.3p2/platform.c
|
||||
@@ -100,7 +100,7 @@ platform_setusercontext(struct passwd *p
|
||||
{
|
||||
#ifdef WITH_SELINUX
|
||||
/* Cache selinux status for later use */
|
||||
- (void)ssh_selinux_enabled();
|
||||
+ (void)sshd_selinux_enabled();
|
||||
#endif
|
||||
|
||||
#ifdef USE_SOLARIS_PROJECTS
|
||||
Index: openssh-9.3p2/ssh-keycat.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.3p2/ssh-keycat.c
|
||||
@@ -0,0 +1,241 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Red Hat, Inc.
|
||||
+ * Written by Tomas Mraz <tmraz@redhat.com>
|
||||
+*/
|
||||
+
|
||||
+#define _GNU_SOURCE
|
||||
+
|
||||
+#include "config.h"
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <pwd.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <unistd.h>
|
||||
+#ifdef HAVE_STDINT_H
|
||||
+#include <stdint.h>
|
||||
+#endif
|
||||
+
|
||||
+#include <security/pam_appl.h>
|
||||
+
|
||||
+#include "uidswap.h"
|
||||
+#include "misc.h"
|
||||
+
|
||||
+#define ERR_USAGE 1
|
||||
+#define ERR_PAM_START 2
|
||||
+#define ERR_OPEN_SESSION 3
|
||||
+#define ERR_CLOSE_SESSION 4
|
||||
+#define ERR_PAM_END 5
|
||||
+#define ERR_GETPWNAM 6
|
||||
+#define ERR_MEMORY 7
|
||||
+#define ERR_OPEN 8
|
||||
+#define ERR_FILE_MODE 9
|
||||
+#define ERR_FDOPEN 10
|
||||
+#define ERR_STAT 11
|
||||
+#define ERR_WRITE 12
|
||||
+#define ERR_PAM_PUTENV 13
|
||||
+#define BUFLEN 4096
|
||||
+
|
||||
+/* Just ignore the messages in the conversation function */
|
||||
+static int
|
||||
+dummy_conv(int num_msg, const struct pam_message **msgm,
|
||||
+ struct pam_response **response, void *appdata_ptr)
|
||||
+{
|
||||
+ struct pam_response *rsp;
|
||||
+
|
||||
+ (void)msgm;
|
||||
+ (void)appdata_ptr;
|
||||
+
|
||||
+ if (num_msg <= 0)
|
||||
+ return PAM_CONV_ERR;
|
||||
+
|
||||
+ /* Just allocate the array as empty responses */
|
||||
+ rsp = calloc (num_msg, sizeof (struct pam_response));
|
||||
+ if (rsp == NULL)
|
||||
+ return PAM_CONV_ERR;
|
||||
+
|
||||
+ *response = rsp;
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+static struct pam_conv conv = {
|
||||
+ dummy_conv,
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+char *
|
||||
+make_auth_keys_name(const struct passwd *pwd)
|
||||
+{
|
||||
+ char *fname;
|
||||
+
|
||||
+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return fname;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+dump_keys(const char *user)
|
||||
+{
|
||||
+ struct passwd *pwd;
|
||||
+ int fd = -1;
|
||||
+ FILE *f = NULL;
|
||||
+ char *fname = NULL;
|
||||
+ int rv = 0;
|
||||
+ char buf[BUFLEN];
|
||||
+ size_t len;
|
||||
+ struct stat st;
|
||||
+
|
||||
+ if ((pwd = getpwnam(user)) == NULL) {
|
||||
+ return ERR_GETPWNAM;
|
||||
+ }
|
||||
+
|
||||
+ if ((fname = make_auth_keys_name(pwd)) == NULL) {
|
||||
+ return ERR_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ temporarily_use_uid(pwd);
|
||||
+
|
||||
+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
|
||||
+ rv = ERR_OPEN;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (fstat(fd, &st) < 0) {
|
||||
+ rv = ERR_STAT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (!S_ISREG(st.st_mode) ||
|
||||
+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
|
||||
+ rv = ERR_FILE_MODE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ unset_nonblock(fd);
|
||||
+
|
||||
+ if ((f = fdopen(fd, "r")) == NULL) {
|
||||
+ rv = ERR_FDOPEN;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ fd = -1;
|
||||
+
|
||||
+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
|
||||
+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
|
||||
+ }
|
||||
+
|
||||
+fail:
|
||||
+ if (fd != -1)
|
||||
+ close(fd);
|
||||
+ if (f != NULL)
|
||||
+ fclose(f);
|
||||
+ free(fname);
|
||||
+ restore_uid();
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
|
||||
+ "SELINUX_LEVEL_REQUESTED",
|
||||
+ "SELINUX_USE_CURRENT_RANGE"
|
||||
+};
|
||||
+
|
||||
+extern char **environ;
|
||||
+
|
||||
+int
|
||||
+set_pam_environment(pam_handle_t *pamh)
|
||||
+{
|
||||
+ int i;
|
||||
+ size_t j;
|
||||
+
|
||||
+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
|
||||
+ int len = strlen(env_names[j]);
|
||||
+
|
||||
+ for (i = 0; environ[i] != NULL; ++i) {
|
||||
+ if (strncmp(env_names[j], environ[i], len) == 0 &&
|
||||
+ environ[i][len] == '=') {
|
||||
+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
|
||||
+ return ERR_PAM_PUTENV;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+ pam_handle_t *pamh = NULL;
|
||||
+ int retval;
|
||||
+ int ev = 0;
|
||||
+
|
||||
+ if (argc != 2) {
|
||||
+ fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
|
||||
+ return ERR_USAGE;
|
||||
+ }
|
||||
+
|
||||
+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ return ERR_PAM_START;
|
||||
+ }
|
||||
+
|
||||
+ ev = set_pam_environment(pamh);
|
||||
+ if (ev != 0)
|
||||
+ goto finish;
|
||||
+
|
||||
+ retval = pam_open_session(pamh, PAM_SILENT);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ ev = ERR_OPEN_SESSION;
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
+ ev = dump_keys(argv[1]);
|
||||
+
|
||||
+ retval = pam_close_session(pamh, PAM_SILENT);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ ev = ERR_CLOSE_SESSION;
|
||||
+ }
|
||||
+
|
||||
+finish:
|
||||
+ retval = pam_end (pamh,retval);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ ev = ERR_PAM_END;
|
||||
+ }
|
||||
+ return ev;
|
||||
+}
|
||||
Index: openssh-9.3p2/configure.ac
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/configure.ac
|
||||
+++ openssh-9.3p2/configure.ac
|
||||
@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
|
||||
PAM_MSG="yes"
|
||||
|
||||
SSHDLIBS="$SSHDLIBS -lpam"
|
||||
+ KEYCATLIBS="$KEYCATLIBS -lpam"
|
||||
AC_DEFINE([USE_PAM], [1],
|
||||
[Define if you want to enable PAM support])
|
||||
|
||||
@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
|
||||
;;
|
||||
*)
|
||||
SSHDLIBS="$SSHDLIBS -ldl"
|
||||
+ KEYCATLIBS="$KEYCATLIBS -ldl"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST([SSHDLIBS])
|
||||
+AC_SUBST([KEYCATLIBS])
|
||||
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
@@ -5905,6 +5908,9 @@ fi
|
||||
if test ! -z "${SSHDLIBS}"; then
|
||||
echo " +for sshd: ${SSHDLIBS}"
|
||||
fi
|
||||
+if test ! -z "${KEYCATLIBS}"; then
|
||||
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
||||
+fi
|
||||
|
||||
echo ""
|
||||
|
125
openssh-6.6p1-privsep-selinux.patch
Normal file
125
openssh-6.6p1-privsep-selinux.patch
Normal file
@ -0,0 +1,125 @@
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
@@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -416,6 +416,28 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
debug3_f("done");
|
||||
}
|
||||
|
||||
+void
|
||||
+sshd_selinux_copy_context(void)
|
||||
+{
|
||||
+ security_context_t *ctx;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
+ logit_f("getexeccon failed with %s", strerror(errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ if (ctx != NULL) {
|
||||
+ /* unset exec context before we will lose this capabililty */
|
||||
+ if (setexeccon(NULL) != 0)
|
||||
+ fatal_f("setexeccon failed with %s", strerror(errno));
|
||||
+ if (setcon(ctx) != 0)
|
||||
+ fatal_f("setcon failed with %s", strerror(errno));
|
||||
+ freecon(ctx);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
#endif
|
||||
|
||||
Index: openssh-9.3p2/session.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/session.c
|
||||
+++ openssh-9.3p2/session.c
|
||||
@@ -1403,7 +1403,7 @@ do_setusercontext(struct passwd *pw)
|
||||
|
||||
platform_setusercontext(pw);
|
||||
|
||||
- if (platform_privileged_uidswap()) {
|
||||
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
@@ -1435,6 +1435,9 @@ do_setusercontext(struct passwd *pw)
|
||||
(unsigned long long)pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, "U", uidstr, (char *)NULL);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1470,6 +1473,11 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (in_chroot == 0)
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
} else if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
fatal("server lacks privileges to chroot to ChrootDirectory");
|
||||
@@ -1487,9 +1495,6 @@ do_pwchange(Session *s)
|
||||
if (s->ttyfd != -1) {
|
||||
fprintf(stderr,
|
||||
"You must change your password now and login again!\n");
|
||||
-#ifdef WITH_SELINUX
|
||||
- setexeccon(NULL);
|
||||
-#endif
|
||||
#ifdef PASSWD_NEEDS_USERNAME
|
||||
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
|
||||
(char *)NULL);
|
||||
@@ -1723,9 +1728,6 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
-#ifdef WITH_SELINUX
|
||||
- ssh_selinux_change_context("sftpd_t");
|
||||
-#endif
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
@@ -510,6 +510,10 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_change_context("sshd_net_t");
|
||||
+#endif
|
||||
+
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
/* Change our root directory */
|
||||
@@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
{
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
+#elif defined(WITH_SELINUX)
|
||||
+ if (0) {
|
||||
+ /* even root user can be confined by SELinux */
|
||||
#else
|
||||
if (authctxt->pw->pw_uid == 0) {
|
||||
#endif
|
291
openssh-7.6p1-cleanup-selinux.patch
Normal file
291
openssh-7.6p1-cleanup-selinux.patch
Normal file
@ -0,0 +1,291 @@
|
||||
Index: openssh-9.3p2/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth2-pubkey.c
|
||||
+++ openssh-9.3p2/auth2-pubkey.c
|
||||
@@ -72,6 +72,9 @@
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
||||
static char *
|
||||
format_key(const struct sshkey *key)
|
||||
@@ -459,7 +462,8 @@ match_principals_command(struct passwd *
|
||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
|
||||
ac, av, &f,
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
@@ -727,7 +731,8 @@ user_key_command_allowed2(struct passwd
|
||||
if ((pid = subprocess("AuthorizedKeysCommand", command,
|
||||
ac, av, &f,
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
Index: openssh-9.3p2/misc.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/misc.c
|
||||
+++ openssh-9.3p2/misc.c
|
||||
@@ -2637,7 +2637,8 @@ stdfd_devnull(int do_stdin, int do_stdou
|
||||
pid_t
|
||||
subprocess(const char *tag, const char *command,
|
||||
int ac, char **av, FILE **child, u_int flags,
|
||||
- struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
|
||||
+ struct passwd *pw, privdrop_fn *drop_privs,
|
||||
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
|
||||
{
|
||||
FILE *f = NULL;
|
||||
struct stat st;
|
||||
@@ -2771,7 +2772,7 @@ subprocess(const char *tag, const char *
|
||||
_exit(1);
|
||||
}
|
||||
#ifdef WITH_SELINUX
|
||||
- if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
||||
error ("failed to copy environment: %s",
|
||||
strerror(errno));
|
||||
_exit(127);
|
||||
Index: openssh-9.3p2/misc.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/misc.h
|
||||
+++ openssh-9.3p2/misc.h
|
||||
@@ -110,7 +110,7 @@ typedef void privrestore_fn(void);
|
||||
#define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
|
||||
#define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
|
||||
pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
|
||||
- struct passwd *, privdrop_fn *, privrestore_fn *);
|
||||
+ struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
|
||||
|
||||
typedef struct arglist arglist;
|
||||
struct arglist {
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
@@ -25,8 +25,8 @@ void ssh_selinux_setfscreatecon(const ch
|
||||
|
||||
int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
-void sshd_selinux_setup_exec_context(char *);
|
||||
-int sshd_selinux_setup_env_variables(void);
|
||||
+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
|
||||
+int sshd_selinux_setup_env_variables(int inetd, void *);
|
||||
void sshd_selinux_change_privsep_preauth_context(void);
|
||||
#endif
|
||||
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -49,11 +49,6 @@
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
-extern ServerOptions options;
|
||||
-extern Authctxt *the_authctxt;
|
||||
-extern int inetd_flag;
|
||||
-extern int rexeced_flag;
|
||||
-
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
sshd_selinux_enabled(void)
|
||||
@@ -223,7 +218,8 @@ get_user_context(const char *sename, con
|
||||
}
|
||||
|
||||
static void
|
||||
-ssh_selinux_get_role_level(char **role, const char **level)
|
||||
+ssh_selinux_get_role_level(char **role, const char **level,
|
||||
+ Authctxt *the_authctxt)
|
||||
{
|
||||
*role = NULL;
|
||||
*level = NULL;
|
||||
@@ -241,8 +237,8 @@ ssh_selinux_get_role_level(char **role,
|
||||
|
||||
/* Return the default security context for the given username */
|
||||
static int
|
||||
-sshd_selinux_getctxbyname(char *pwname,
|
||||
- security_context_t *default_sc, security_context_t *user_sc)
|
||||
+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
|
||||
+ security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
|
||||
{
|
||||
char *sename, *lvl;
|
||||
char *role;
|
||||
@@ -250,7 +246,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
int r = 0;
|
||||
context_t con = NULL;
|
||||
|
||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
@@ -272,7 +268,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
if (r == 0) {
|
||||
/* If launched from xinetd, we must use current level */
|
||||
- if (inetd_flag && !rexeced_flag) {
|
||||
+ if (inetd) {
|
||||
security_context_t sshdsc=NULL;
|
||||
|
||||
if (getcon_raw(&sshdsc) < 0)
|
||||
@@ -333,7 +329,8 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
|
||||
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
|
||||
+ Authctxt *the_authctxt)
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
||||
|
||||
debug3_f("setting execution context");
|
||||
|
||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||
|
||||
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
- if (inetd_flag && !rexeced_flag) {
|
||||
+ if (inetd) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
use_current = "";
|
||||
@@ -362,9 +359,10 @@ sshd_selinux_setup_variables(int(*set_it
|
||||
}
|
||||
|
||||
static int
|
||||
-sshd_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_pam_variables(int inetd,
|
||||
+ int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
|
||||
{
|
||||
- return sshd_selinux_setup_variables(do_pam_putenv);
|
||||
+ return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -374,25 +372,28 @@ do_setenv(char *name, const char *value)
|
||||
}
|
||||
|
||||
int
|
||||
-sshd_selinux_setup_env_variables(void)
|
||||
+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
|
||||
{
|
||||
- return sshd_selinux_setup_variables(do_setenv);
|
||||
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
|
||||
+ return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
|
||||
}
|
||||
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
-sshd_selinux_setup_exec_context(char *pwname)
|
||||
+sshd_selinux_setup_exec_context(char *pwname, int inetd,
|
||||
+ int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
|
||||
{
|
||||
security_context_t user_ctx = NULL;
|
||||
int r = 0;
|
||||
security_context_t default_ctx = NULL;
|
||||
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
|
||||
|
||||
if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
- if (options.use_pam) {
|
||||
+ if (use_pam) {
|
||||
/* do not compute context, just setup environment for pam_selinux */
|
||||
- if (sshd_selinux_setup_pam_variables()) {
|
||||
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
||||
switch (security_getenforce()) {
|
||||
case -1:
|
||||
fatal_f("security_getenforce() failed");
|
||||
@@ -408,7 +409,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
|
||||
debug3_f("setting execution context");
|
||||
|
||||
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
||||
if (r >= 0) {
|
||||
r = setexeccon(user_ctx);
|
||||
if (r < 0) {
|
||||
Index: openssh-9.3p2/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/platform.c
|
||||
+++ openssh-9.3p2/platform.c
|
||||
@@ -34,6 +34,9 @@
|
||||
|
||||
extern int use_privsep;
|
||||
extern ServerOptions options;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
||||
void
|
||||
platform_pre_listen(void)
|
||||
@@ -185,7 +188,9 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(pw->pw_name,
|
||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
@@ -166,7 +166,7 @@ int debug_flag = 0;
|
||||
static int test_flag = 0;
|
||||
|
||||
/* Flag indicating that the daemon is being started from inetd. */
|
||||
-static int inetd_flag = 0;
|
||||
+int inetd_flag = 0;
|
||||
|
||||
/* Flag indicating that sshd should not detach and become a daemon. */
|
||||
static int no_daemon_flag = 0;
|
||||
@@ -179,7 +179,7 @@ static char **saved_argv;
|
||||
static int saved_argc;
|
||||
|
||||
/* re-exec */
|
||||
-static int rexeced_flag = 0;
|
||||
+int rexeced_flag = 0;
|
||||
static int rexec_flag = 1;
|
||||
static int rexec_argc = 0;
|
||||
static char **rexec_argv;
|
||||
@@ -2396,7 +2396,9 @@ main(int ac, char **av)
|
||||
}
|
||||
#endif
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
|
||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
Index: openssh-9.3p2/sshconnect.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshconnect.c
|
||||
+++ openssh-9.3p2/sshconnect.c
|
||||
@@ -893,7 +893,7 @@ load_hostkeys_command(struct hostkeys *h
|
||||
|
||||
if ((pid = subprocess(tag, command, ac, av, &f,
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
|
||||
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
|
||||
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
|
||||
goto out;
|
||||
|
||||
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
|
38
openssh-7.7p1-IPv6_X_forwarding.patch
Normal file
38
openssh-7.7p1-IPv6_X_forwarding.patch
Normal file
@ -0,0 +1,38 @@
|
||||
# HG changeset patch
|
||||
# Parent 8df645ca39d64de025d8838c5713812e72308c92
|
||||
Correctly parse DISPLAY variable for cases where it contains an IPv6 address
|
||||
(which should - but not always is - in (square) brackets).
|
||||
|
||||
bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
|
||||
|
||||
Index: openssh-8.8p1/channels.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/channels.c
|
||||
+++ openssh-8.8p1/channels.c
|
||||
@@ -4776,9 +4776,10 @@ x11_connect_display(struct ssh *ssh)
|
||||
/*
|
||||
* Connect to an inet socket. The DISPLAY value is supposedly
|
||||
* hostname:d[.s], where hostname may also be numeric IP address.
|
||||
+ * Note that IPv6 numeric addresses contain colons (e.g. ::1:0)
|
||||
*/
|
||||
strlcpy(buf, display, sizeof(buf));
|
||||
- cp = strchr(buf, ':');
|
||||
+ cp = strrchr(buf, ':');
|
||||
if (!cp) {
|
||||
error("Could not find ':' in DISPLAY: %.100s", display);
|
||||
return -1;
|
||||
@@ -4793,6 +4794,14 @@ x11_connect_display(struct ssh *ssh)
|
||||
display);
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ /* Remove brackets surrounding IPv6 addresses if there are any. */
|
||||
+ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
|
||||
+ *cp = 0;
|
||||
+ cp = buf + 1;
|
||||
+ } else {
|
||||
+ cp = buf;
|
||||
+ }
|
||||
|
||||
/* Look up the host address */
|
||||
memset(&hints, 0, sizeof(hints));
|
47
openssh-7.7p1-X11_trusted_forwarding.patch
Normal file
47
openssh-7.7p1-X11_trusted_forwarding.patch
Normal file
@ -0,0 +1,47 @@
|
||||
# HG changeset patch
|
||||
# Parent d25c96855fd67e997e25ec1198d953af33eb289c
|
||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
||||
# configuration
|
||||
# bnc#50836 (was suse #35836)
|
||||
Enable Trusted X11 forwarding by default, since the security benefits of
|
||||
having it disabled are negligible these days with XI2 being widely used.
|
||||
|
||||
Index: openssh-8.8p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config
|
||||
+++ openssh-8.8p1/ssh_config
|
||||
@@ -17,9 +17,20 @@
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
-# Host *
|
||||
+Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
+
|
||||
+# If you do not trust your remote host (or its administrator), you
|
||||
+# should not forward X11 connections to your local X11-display for
|
||||
+# security reasons: Someone stealing the authentification data on the
|
||||
+# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||
+# keystrokes as you type, just like any other X11 client could do.
|
||||
+# Set this to "no" here for global effect or in your own ~/.ssh/config
|
||||
+# file if you want to have the remote X11 authentification data to
|
||||
+# expire after twenty minutes after remote login.
|
||||
+ ForwardX11Trusted yes
|
||||
+
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
Index: openssh-8.8p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config
|
||||
+++ openssh-8.8p1/sshd_config
|
||||
@@ -84,7 +84,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
-#X11Forwarding no
|
||||
+X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
23
openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Normal file
23
openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Normal file
@ -0,0 +1,23 @@
|
||||
# HG changeset patch
|
||||
# Parent 44592f09f090e74432f608084069d30d808fda69
|
||||
Do not throw away already open sockets for X11 forwarding if another socket
|
||||
family is not available for bind()
|
||||
|
||||
Index: openssh-8.8p1/channels.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/channels.c
|
||||
+++ openssh-8.8p1/channels.c
|
||||
@@ -4607,6 +4607,13 @@ x11_create_display_inet(struct ssh *ssh,
|
||||
debug2_f("bind port %d: %.100s", port,
|
||||
strerror(errno));
|
||||
close(sock);
|
||||
+ /* do not remove successfully opened sockets if
|
||||
+ * the request failed because the protocol
|
||||
+ * IPv4/6 is not available (e.g. IPv6 may be
|
||||
+ * disabled while being supported)
|
||||
+ */
|
||||
+ if (EADDRNOTAVAIL == errno)
|
||||
+ continue;
|
||||
for (n = 0; n < num_socks; n++)
|
||||
close(socks[n]);
|
||||
num_socks = 0;
|
304
openssh-7.7p1-cavstest-ctr.patch
Normal file
304
openssh-7.7p1-cavstest-ctr.patch
Normal file
@ -0,0 +1,304 @@
|
||||
# HG changeset patch
|
||||
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
|
||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
||||
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
+TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
@@ -245,6 +248,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
+# FIPS tests
|
||||
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
@@ -407,6 +414,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
Index: openssh-8.8p1/cavstest-ctr.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/cavstest-ctr.c
|
||||
@@ -0,0 +1,214 @@
|
||||
+/*
|
||||
+ *
|
||||
+ * invocation (all of the following are equal):
|
||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
|
||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
|
||||
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/param.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <ctype.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "log.h"
|
||||
+#include "cipher.h"
|
||||
+
|
||||
+/* compatibility with old or broken OpenSSL versions */
|
||||
+#include "openbsd-compat/openssl-compat.h"
|
||||
+
|
||||
+void
|
||||
+usage(void)
|
||||
+{
|
||||
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
|
||||
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
|
||||
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
|
||||
+ "Hexadecimal output is printed to stdout.\n"
|
||||
+ "Hexadecimal input data can be alternatively read from stdin.\n");
|
||||
+ exit(1);
|
||||
+}
|
||||
+
|
||||
+void *
|
||||
+fromhex(char *hex, size_t * len)
|
||||
+{
|
||||
+ unsigned char *bin;
|
||||
+ char *p;
|
||||
+ size_t n = 0;
|
||||
+ int shift = 4;
|
||||
+ unsigned char out = 0;
|
||||
+ unsigned char *optr;
|
||||
+
|
||||
+ bin = xmalloc(strlen(hex) / 2);
|
||||
+ optr = bin;
|
||||
+
|
||||
+ for (p = hex; *p != '\0'; ++p) {
|
||||
+ unsigned char c;
|
||||
+
|
||||
+ c = *p;
|
||||
+ if (isspace(c))
|
||||
+ continue;
|
||||
+
|
||||
+ if (c >= '0' && c <= '9') {
|
||||
+ c = c - '0';
|
||||
+ } else if (c >= 'A' && c <= 'F') {
|
||||
+ c = c - 'A' + 10;
|
||||
+ } else if (c >= 'a' && c <= 'f') {
|
||||
+ c = c - 'a' + 10;
|
||||
+ } else {
|
||||
+ /* truncate on nonhex cipher */
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ out |= c << shift;
|
||||
+ shift = (shift + 4) % 8;
|
||||
+
|
||||
+ if (shift) {
|
||||
+ *(optr++) = out;
|
||||
+ out = 0;
|
||||
+ ++n;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *len = n;
|
||||
+ return bin;
|
||||
+}
|
||||
+
|
||||
+#define READ_CHUNK 4096
|
||||
+#define MAX_READ_SIZE 1024*1024*100
|
||||
+char *
|
||||
+read_stdin(void)
|
||||
+{
|
||||
+ char *buf;
|
||||
+ size_t n, total = 0;
|
||||
+
|
||||
+ buf = xmalloc(READ_CHUNK);
|
||||
+
|
||||
+ do {
|
||||
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
|
||||
+ if (n < READ_CHUNK) /* terminate on short read */
|
||||
+ break;
|
||||
+
|
||||
+ total += n;
|
||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
||||
+ } while (total < MAX_READ_SIZE);
|
||||
+ return buf;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+
|
||||
+ struct sshcipher *c;
|
||||
+ struct sshcipher_ctx cc;
|
||||
+ struct sshcipher_ctx *ccp;
|
||||
+ char *algo = "aes128-ctr";
|
||||
+ char *hexkey = NULL;
|
||||
+ char *hexiv = "00000000000000000000000000000000";
|
||||
+ char *hexdata = NULL;
|
||||
+ char *p;
|
||||
+ int i;
|
||||
+ int encrypt = 1;
|
||||
+ void *key;
|
||||
+ size_t keylen;
|
||||
+ void *iv;
|
||||
+ size_t ivlen;
|
||||
+ void *data;
|
||||
+ size_t datalen;
|
||||
+ void *outdata;
|
||||
+
|
||||
+ for (i = 1; i < argc; ++i) {
|
||||
+ if (strcmp(argv[i], "--algo") == 0) {
|
||||
+ algo = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--key") == 0) {
|
||||
+ hexkey = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--mode") == 0) {
|
||||
+ ++i;
|
||||
+ if (argv[i] == NULL) {
|
||||
+ usage();
|
||||
+ }
|
||||
+ if (strncmp(argv[i], "enc", 3) == 0) {
|
||||
+ encrypt = 1;
|
||||
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
|
||||
+ encrypt = 0;
|
||||
+ } else {
|
||||
+ usage();
|
||||
+ }
|
||||
+ } else if (strcmp(argv[i], "--iv") == 0) {
|
||||
+ hexiv = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--data") == 0) {
|
||||
+ hexdata = argv[++i];
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (hexkey == NULL || algo == NULL) {
|
||||
+ usage();
|
||||
+ }
|
||||
+
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
+
|
||||
+ c = cipher_by_name(algo);
|
||||
+ if (c == NULL) {
|
||||
+ fprintf(stderr, "Error: unknown algorithm\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ if (hexdata == NULL) {
|
||||
+ hexdata = read_stdin();
|
||||
+ } else {
|
||||
+ hexdata = xstrdup(hexdata);
|
||||
+ }
|
||||
+
|
||||
+ key = fromhex(hexkey, &keylen);
|
||||
+
|
||||
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
|
||||
+ fprintf(stderr, "Error: unsupported key length\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ iv = fromhex(hexiv, &ivlen);
|
||||
+
|
||||
+ if (ivlen != 16) {
|
||||
+ fprintf(stderr, "Error: unsupported iv length\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ data = fromhex(hexdata, &datalen);
|
||||
+
|
||||
+ if (data == NULL || datalen == 0) {
|
||||
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ ccp = &cc;
|
||||
+ cipher_init(&ccp, c, key, keylen, iv, ivlen, encrypt);
|
||||
+
|
||||
+ free(key);
|
||||
+ free(iv);
|
||||
+
|
||||
+ outdata = malloc(datalen);
|
||||
+ if (outdata == NULL) {
|
||||
+ fprintf(stderr, "Error: memory allocation failure\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
||||
+
|
||||
+ free(data);
|
||||
+
|
||||
+ cipher_free(&cc);
|
||||
+
|
||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
||||
+ printf("%02X", (unsigned char) *p);
|
||||
+ }
|
||||
+
|
||||
+ free(outdata);
|
||||
+
|
||||
+ printf("\n");
|
||||
+ return 0;
|
||||
+}
|
||||
Index: openssh-8.8p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/cipher.c
|
||||
+++ openssh-8.8p1/cipher.c
|
||||
@@ -58,15 +58,6 @@
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
|
||||
-struct sshcipher_ctx {
|
||||
- int plaintext;
|
||||
- int encrypt;
|
||||
- EVP_CIPHER_CTX *evp;
|
||||
- struct chachapoly_ctx *cp_ctx;
|
||||
- struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||
- const struct sshcipher *cipher;
|
||||
-};
|
||||
-
|
||||
struct sshcipher {
|
||||
char *name;
|
||||
u_int block_size;
|
||||
Index: openssh-8.8p1/cipher.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/cipher.h
|
||||
+++ openssh-8.8p1/cipher.h
|
||||
@@ -48,7 +48,15 @@
|
||||
#define CIPHER_DECRYPT 0
|
||||
|
||||
struct sshcipher;
|
||||
-struct sshcipher_ctx;
|
||||
+struct sshcipher_ctx {
|
||||
+ int plaintext;
|
||||
+ int encrypt;
|
||||
+ EVP_CIPHER_CTX *evp;
|
||||
+ struct chachapoly_ctx *cp_ctx; /* XXX union with evp? */
|
||||
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||
+ const struct sshcipher *cipher;
|
||||
+};
|
||||
+
|
||||
|
||||
const struct sshcipher *cipher_by_name(const char *);
|
||||
const char *cipher_warning_message(const struct sshcipher_ctx *);
|
450
openssh-7.7p1-cavstest-kdf.patch
Normal file
450
openssh-7.7p1-cavstest-kdf.patch
Normal file
@ -0,0 +1,450 @@
|
||||
# HG changeset patch
|
||||
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
|
||||
CAVS test for KDF implementation in OpenSSH
|
||||
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -27,6 +27,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
-TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
|
||||
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
@@ -415,6 +419,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
Index: openssh-8.8p1/cavstest-kdf.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/cavstest-kdf.c
|
||||
@@ -0,0 +1,402 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU General Public License, in which case the provisions of the GPL2
|
||||
+ * are required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
||||
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
||||
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
||||
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
||||
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
||||
+ * DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <errno.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include <openssl/bn.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "ssherr.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "cipher.h"
|
||||
+#include "kex.h"
|
||||
+#include "packet.h"
|
||||
+
|
||||
+static int bin_char(unsigned char hex)
|
||||
+{
|
||||
+ if (48 <= hex && 57 >= hex)
|
||||
+ return (hex - 48);
|
||||
+ if (65 <= hex && 70 >= hex)
|
||||
+ return (hex - 55);
|
||||
+ if (97 <= hex && 102 >= hex)
|
||||
+ return (hex - 87);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Convert hex representation into binary string
|
||||
+ * @hex input buffer with hex representation
|
||||
+ * @hexlen length of hex
|
||||
+ * @bin output buffer with binary data
|
||||
+ * @binlen length of already allocated bin buffer (should be at least
|
||||
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
||||
+ */
|
||||
+static void hex2bin(const char *hex, size_t hexlen,
|
||||
+ unsigned char *bin, size_t binlen)
|
||||
+{
|
||||
+ size_t i = 0;
|
||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||
+
|
||||
+ for (i = 0; i < chars; i++) {
|
||||
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
||||
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Allocate sufficient space for binary representation of hex
|
||||
+ * and convert hex into bin
|
||||
+ *
|
||||
+ * Caller must free bin
|
||||
+ * @hex input buffer with hex representation
|
||||
+ * @hexlen length of hex
|
||||
+ * @bin return value holding the pointer to the newly allocated buffer
|
||||
+ * @binlen return value holding the allocated size of bin
|
||||
+ *
|
||||
+ * return: 0 on success, !0 otherwise
|
||||
+ */
|
||||
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
||||
+ unsigned char **bin, size_t *binlen)
|
||||
+{
|
||||
+ unsigned char *out = NULL;
|
||||
+ size_t outlen = 0;
|
||||
+
|
||||
+ if (!hexlen)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ outlen = (hexlen + 1) / 2;
|
||||
+
|
||||
+ out = calloc(1, outlen);
|
||||
+ if (!out)
|
||||
+ return -errno;
|
||||
+
|
||||
+ hex2bin(hex, hexlen, out, outlen);
|
||||
+ *bin = out;
|
||||
+ *binlen = outlen;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
||||
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
||||
+static char hex_char(unsigned int bin, int u)
|
||||
+{
|
||||
+ if (bin < sizeof(hex_char_map_l))
|
||||
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
||||
+ return 'X';
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Convert binary string into hex representation
|
||||
+ * @bin input buffer with binary data
|
||||
+ * @binlen length of bin
|
||||
+ * @hex output buffer to store hex data
|
||||
+ * @hexlen length of already allocated hex buffer (should be at least
|
||||
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
||||
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
||||
+ */
|
||||
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
||||
+ char *hex, size_t hexlen, int u)
|
||||
+{
|
||||
+ size_t i = 0;
|
||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||
+
|
||||
+ for (i = 0; i < chars; i++) {
|
||||
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
||||
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+struct kdf_cavs {
|
||||
+ unsigned char *K;
|
||||
+ size_t Klen;
|
||||
+ unsigned char *H;
|
||||
+ size_t Hlen;
|
||||
+ unsigned char *session_id;
|
||||
+ size_t session_id_len;
|
||||
+
|
||||
+ unsigned int iv_len;
|
||||
+ unsigned int ek_len;
|
||||
+ unsigned int ik_len;
|
||||
+};
|
||||
+
|
||||
+#ifdef WITH_OPENSSL
|
||||
+static int
|
||||
+kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
|
||||
+ const BIGNUM *secret)
|
||||
+{
|
||||
+ struct sshbuf *shared_secret;
|
||||
+ int r;
|
||||
+
|
||||
+ if ((shared_secret = sshbuf_new()) == NULL)
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
|
||||
+ r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
|
||||
+ sshbuf_free(shared_secret);
|
||||
+ return r;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ struct kex kex;
|
||||
+ BIGNUM *Kbn = NULL;
|
||||
+ int mode = 0;
|
||||
+ struct newkeys *keys_client;
|
||||
+ struct newkeys *keys_server;
|
||||
+ struct ssh *ssh = NULL;
|
||||
+
|
||||
+#define HEXOUTLEN 500
|
||||
+ char hex[HEXOUTLEN];
|
||||
+
|
||||
+ memset(&kex, 0, sizeof(struct kex));
|
||||
+
|
||||
+ Kbn = BN_new();
|
||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
||||
+ if (!Kbn) {
|
||||
+ printf("cannot convert K into BIGNUM\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ kex.session_id = sshbuf_new();
|
||||
+ sshbuf_put(kex.session_id, test->session_id, test->session_id_len);
|
||||
+
|
||||
+ /* setup kex */
|
||||
+
|
||||
+ /* select the right hash based on struct ssh_digest digests */
|
||||
+ switch (test->ik_len) {
|
||||
+ case 20:
|
||||
+ kex.hash_alg = 2;
|
||||
+ break;
|
||||
+ case 32:
|
||||
+ kex.hash_alg = 3;
|
||||
+ break;
|
||||
+ case 48:
|
||||
+ kex.hash_alg = 4;
|
||||
+ break;
|
||||
+ case 64:
|
||||
+ kex.hash_alg = 5;
|
||||
+ break;
|
||||
+ default:
|
||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* implement choose_enc */
|
||||
+ for (mode = 0; mode < 2; mode++) {
|
||||
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
||||
+ if (!kex.newkeys[mode]) {
|
||||
+ printf("allocation of newkeys failed\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
||||
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
||||
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
||||
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
||||
+ }
|
||||
+
|
||||
+ /* implement kex_choose_conf */
|
||||
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
||||
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
||||
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
||||
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
||||
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
||||
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
||||
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
||||
+
|
||||
+ /* MODE_OUT (1) -> server to client
|
||||
+ * MODE_IN (0) -> client to server */
|
||||
+ kex.server = 1;
|
||||
+
|
||||
+ /* do it */
|
||||
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
|
||||
+ printf("Allocation error\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ ssh->kex = &kex;
|
||||
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
|
||||
+
|
||||
+ keys_client = kex.newkeys[0];
|
||||
+ keys_server = kex.newkeys[1];
|
||||
+
|
||||
+ /* get data */
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Initial IV (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Initial IV (server to client) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Encryption key (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Encryption key (server to client) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
||||
+
|
||||
+out:
|
||||
+ if (Kbn)
|
||||
+ BN_free(Kbn);
|
||||
+ if (ssh)
|
||||
+ ssh_packet_close(ssh);
|
||||
+ if (kex.newkeys[0])
|
||||
+ free(kex.newkeys[0]);
|
||||
+ if (kex.newkeys[1])
|
||||
+ free(kex.newkeys[1]);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static void usage(void)
|
||||
+{
|
||||
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
||||
+ fprintf(stderr, "Usage:\n");
|
||||
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
||||
+ fprintf(stderr, "\t-H\tHash string\n");
|
||||
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
||||
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
||||
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
||||
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test command example:
|
||||
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
||||
+ *
|
||||
+ * Expected result for example:
|
||||
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
||||
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
||||
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
||||
+ * Initial IV (server to client) = 43dea6fdf263a308
|
||||
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
||||
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
||||
+ */
|
||||
+int main(int argc, char *argv[])
|
||||
+{
|
||||
+ struct kdf_cavs test;
|
||||
+ int ret = 1;
|
||||
+ int opt = 0;
|
||||
+
|
||||
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
||||
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
||||
+ {
|
||||
+ size_t len = 0;
|
||||
+ switch(opt)
|
||||
+ {
|
||||
+ /*
|
||||
+ * CAVS K is MPINT
|
||||
+ * we want a hex (i.e. the caller must ensure the
|
||||
+ * following transformations already happened):
|
||||
+ * 1. cut off first four bytes
|
||||
+ * 2. if most significant bit of value is
|
||||
+ * 1, prepend 0 byte
|
||||
+ */
|
||||
+ case 'K':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.K, &test.Klen);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 'H':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.H, &test.Hlen);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 's':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.session_id,
|
||||
+ &test.session_id_len);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 'i':
|
||||
+ test.iv_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ case 'e':
|
||||
+ test.ek_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ case 'm':
|
||||
+ test.ik_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ default:
|
||||
+ usage();
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = sshkdf_cavs(&test);
|
||||
+
|
||||
+out:
|
||||
+ if (test.session_id)
|
||||
+ free(test.session_id);
|
||||
+ if (test.K)
|
||||
+ free(test.K);
|
||||
+ if (test.H)
|
||||
+ free(test.H);
|
||||
+ return ret;
|
||||
+
|
||||
+}
|
48
openssh-7.7p1-disable_openssl_abi_check.patch
Normal file
48
openssh-7.7p1-disable_openssl_abi_check.patch
Normal file
@ -0,0 +1,48 @@
|
||||
# HG changeset patch
|
||||
# Parent b13da8c3e99081cb92ab226d2c512241a82cd0d5
|
||||
disable run-time check for OpenSSL ABI by version number as that is not a
|
||||
reliable indicator of ABI changes and doesn't make much sense in a
|
||||
distribution package
|
||||
|
||||
Index: openssh-8.8p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/configure.ac
|
||||
+++ openssh-8.8p1/configure.ac
|
||||
@@ -5236,6 +5236,19 @@ AC_ARG_WITH([bsd-auth],
|
||||
]
|
||||
)
|
||||
|
||||
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
||||
+DISTRO_SSL=no
|
||||
+AC_ARG_WITH([distro-ssl],
|
||||
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE([DISTRO_SSL], [1],
|
||||
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
||||
+ DISTRO_SSL=yes
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Where to place sshd.pid
|
||||
piddir=/var/run
|
||||
# make sure the directory exists
|
||||
Index: openssh-8.8p1/entropy.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/entropy.c
|
||||
+++ openssh-8.8p1/entropy.c
|
||||
@@ -100,11 +100,13 @@ seed_rng(void)
|
||||
/* Initialise libcrypto */
|
||||
ssh_libcrypto_init();
|
||||
|
||||
+#ifndef DISTRO_SSL
|
||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
|
||||
OpenSSL_version_num()))
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER,
|
||||
OpenSSL_version_num());
|
||||
+#endif
|
||||
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1)
|
18
openssh-7.7p1-eal3.patch
Normal file
18
openssh-7.7p1-eal3.patch
Normal file
@ -0,0 +1,18 @@
|
||||
# HG changeset patch
|
||||
# Parent 8fd4e445c3a5c823568661a4f71b064cbcb217a9
|
||||
fix paths and references in sshd man pages
|
||||
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -165,7 +165,8 @@ PATHSUBS = \
|
||||
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
||||
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
|
||||
-e 's|/usr/libexec|$(libexecdir)|g' \
|
||||
- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
|
||||
+ -e 's|login\.conf|login.defs|g' \
|
||||
+ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
|
||||
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
|
19
openssh-7.7p1-enable_PAM_by_default.patch
Normal file
19
openssh-7.7p1-enable_PAM_by_default.patch
Normal file
@ -0,0 +1,19 @@
|
||||
# HG changeset patch
|
||||
# Parent 5c1e122e31b601de64d81085294216af33f31aed
|
||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||
# bnc#46749
|
||||
# --used to be called '-pam-fix2'
|
||||
|
||||
Index: openssh-8.8p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config
|
||||
+++ openssh-8.8p1/sshd_config
|
||||
@@ -79,7 +79,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and KbdInteractiveAuthentication to 'no'.
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
810
openssh-7.7p1-fips.patch
Normal file
810
openssh-7.7p1-fips.patch
Normal file
@ -0,0 +1,810 @@
|
||||
# HG changeset patch
|
||||
# Parent 92d953171b34f6fba18d24085eeeaa24b1d2d5b5
|
||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||
algorithms.
|
||||
|
||||
Index: openssh-9.6p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/Makefile.in
|
||||
+++ openssh-9.6p1/Makefile.in
|
||||
@@ -115,6 +115,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
|
||||
SKOBJS= ssh-sk-client.o
|
||||
|
||||
+LIBSSH_OBJS += fips.o
|
||||
+
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
|
||||
|
||||
Index: openssh-9.6p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/cipher.c
|
||||
+++ openssh-9.6p1/cipher.c
|
||||
@@ -51,6 +51,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+#include "log.h"
|
||||
+
|
||||
#ifndef WITH_OPENSSL
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
@@ -83,7 +86,7 @@ struct sshcipher {
|
||||
#endif
|
||||
};
|
||||
|
||||
-static const struct sshcipher ciphers[] = {
|
||||
+static const struct sshcipher ciphers_all[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
#ifndef OPENSSL_NO_DES
|
||||
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
|
||||
@@ -110,8 +113,52 @@ static const struct sshcipher ciphers[]
|
||||
{ NULL, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
+static const struct sshcipher ciphers_fips140_2[] = {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
|
||||
+ { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
|
||||
+ { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
|
||||
+ { "rijndael-cbc@lysator.liu.se",
|
||||
+ 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
|
||||
+ { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
|
||||
+ { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
|
||||
+ { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
|
||||
+# ifdef OPENSSL_HAVE_EVPGCM
|
||||
+ { "aes128-gcm@openssh.com",
|
||||
+ 16, 16, 12, 16, 0, EVP_aes_128_gcm },
|
||||
+ { "aes256-gcm@openssh.com",
|
||||
+ 16, 32, 12, 16, 0, EVP_aes_256_gcm },
|
||||
+# endif /* OPENSSL_HAVE_EVPGCM */
|
||||
+#else
|
||||
+ { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
|
||||
+ { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
|
||||
+ { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL },
|
||||
+#endif
|
||||
+ { "none", 8, 0, 0, 0, CFLAG_NONE, NULL },
|
||||
+
|
||||
+ { NULL, 0, 0, 0, 0, 0, NULL }
|
||||
+};
|
||||
+
|
||||
/*--*/
|
||||
|
||||
+/* Returns array of ciphers available depending on selected FIPS mode */
|
||||
+static const struct sshcipher *
|
||||
+fips_select_ciphers(void)
|
||||
+{
|
||||
+ int fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ return ciphers_all;
|
||||
+ case 1:
|
||||
+ return ciphers_fips140_2;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
char *
|
||||
cipher_alg_list(char sep, int auth_only)
|
||||
@@ -120,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct sshcipher *c;
|
||||
|
||||
- for (c = ciphers; c->name != NULL; c++) {
|
||||
+ for (c = fips_select_ciphers(); c->name != NULL; c++) {
|
||||
if ((c->flags & CFLAG_INTERNAL) != 0)
|
||||
continue;
|
||||
if (auth_only && c->auth_len == 0)
|
||||
@@ -203,7 +250,7 @@ const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = fips_select_ciphers(); c->name != NULL; c++)
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
Index: openssh-9.6p1/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/fips.c
|
||||
@@ -0,0 +1,212 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include "fips.h"
|
||||
+
|
||||
+#include "cipher.h"
|
||||
+#include "dh.h"
|
||||
+#include "digest.h"
|
||||
+#include "kex.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "mac.h"
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <openssl/crypto.h>
|
||||
+
|
||||
+static int fips_state = -1;
|
||||
+
|
||||
+static int
|
||||
+fips_check_required_env(void)
|
||||
+{
|
||||
+ int fips_required = 0;
|
||||
+ char *env = getenv(SSH_FORCE_FIPS_ENV);
|
||||
+
|
||||
+ if (env) {
|
||||
+ errno = 0;
|
||||
+ fips_required = strtol(env, NULL, 10);
|
||||
+ if (errno) {
|
||||
+ debug("bogus value in the %s environment variable, ignoring\n"
|
||||
+ , SSH_FORCE_FIPS_ENV);
|
||||
+ fips_required = 0;
|
||||
+ } else
|
||||
+ fips_required = 1;
|
||||
+ }
|
||||
+ return fips_required;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+fips_mode(void)
|
||||
+{
|
||||
+ if (-1 == fips_state) {
|
||||
+ fips_state = FIPS_mode();
|
||||
+ if (fips_state)
|
||||
+ debug("FIPS mode initialized");
|
||||
+ else {
|
||||
+ if (fips_check_required_env()) {
|
||||
+ debug("FIPS mode requested through the environment variable '%s'"
|
||||
+ , SSH_FORCE_FIPS_ENV);
|
||||
+ if (!FIPS_mode_set(1))
|
||||
+ fatal("Unable to enter FIPS mode as requested through the environment variable '%s'"
|
||||
+ , SSH_FORCE_FIPS_ENV);
|
||||
+ fips_state = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return fips_state;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+fips_correct_dgst(int digest)
|
||||
+{
|
||||
+ int fips;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ rv = digest;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ switch (digest) {
|
||||
+ case SSH_DIGEST_MD5:
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ debug("MD5/RIPEMD160 digests not allowed in FIPS 140-2 mode"
|
||||
+ "using SHA-256 instead.");
|
||||
+ rv = SSH_DIGEST_SHA256;
|
||||
+ break;
|
||||
+ default:
|
||||
+ rv = digest;
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * filter out FIPS disallowed algorithms
|
||||
+ * *crypto MUST be free()-able - it is assigned newly allocated memory and
|
||||
+ * the previous one is freed
|
||||
+ *
|
||||
+ * returns zero if all algorithms were rejected, non-zero otherwise
|
||||
+ */
|
||||
+int
|
||||
+fips_filter_crypto(char **crypto, fips_filters filter)
|
||||
+{
|
||||
+ char *token, *tmp, *tmp_sav, *new;
|
||||
+ int plus = 0;
|
||||
+ int valid;
|
||||
+ int comma = 0;
|
||||
+ int empty = 1;
|
||||
+ size_t len;
|
||||
+
|
||||
+ tmp = tmp_sav = xstrdup(*crypto);
|
||||
+
|
||||
+ len = strlen(tmp) + 1;
|
||||
+ new = xcalloc(1, len);
|
||||
+
|
||||
+ if ('+' == *tmp) {
|
||||
+ plus = 1;
|
||||
+ tmp++;
|
||||
+ }
|
||||
+
|
||||
+ while ((token = strsep(&tmp, ",")) != NULL) {
|
||||
+ switch(filter) {
|
||||
+ case FIPS_FILTER_CIPHERS:
|
||||
+ valid = ciphers_valid(token);
|
||||
+ if (!valid)
|
||||
+ debug("Cipher '%s' is not allowed in FIPS mode",
|
||||
+ token);
|
||||
+ break;
|
||||
+ case FIPS_FILTER_MACS:
|
||||
+ valid = mac_valid(token);
|
||||
+ if (!valid)
|
||||
+ debug("MAC '%s' is not allowed in FIPS mode",
|
||||
+ token);
|
||||
+ break;
|
||||
+ case FIPS_FILTER_KEX_ALGS:
|
||||
+ valid = kex_names_valid(token);
|
||||
+ if (!valid)
|
||||
+ debug("KEX '%s' is not allowed in FIPS mode",
|
||||
+ token);
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS filter '%i' requested at %s:%u",
|
||||
+ filter, __FILE__, __LINE__);
|
||||
+ }
|
||||
+
|
||||
+ if (valid) {
|
||||
+ empty = 0;
|
||||
+ if (plus) {
|
||||
+ strlcat(new, "+", len);
|
||||
+ plus = 0;
|
||||
+ }
|
||||
+ if (comma)
|
||||
+ strlcat(new, ",", len);
|
||||
+ else
|
||||
+ comma = 1;
|
||||
+ strlcat(new, token, len);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* free tmp and re-allocate shorter buffer for result if necessary */
|
||||
+ free(tmp_sav);
|
||||
+ free(*crypto);
|
||||
+ *crypto = new;
|
||||
+
|
||||
+ return (!empty);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+fips_dgst_min(void)
|
||||
+{
|
||||
+ int fips;
|
||||
+ int dgst;
|
||||
+
|
||||
+ fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ dgst = SSH_DIGEST_MD5;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ dgst = SSH_DIGEST_SHA256;
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+ return dgst;
|
||||
+}
|
||||
+
|
||||
Index: openssh-9.6p1/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/fips.h
|
||||
@@ -0,0 +1,44 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+#ifndef FIPS_H
|
||||
+#define FIPS_H
|
||||
+
|
||||
+#include "sshkey.h"
|
||||
+
|
||||
+#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
|
||||
+
|
||||
+typedef enum {
|
||||
+ FIPS_FILTER_CIPHERS,
|
||||
+ FIPS_FILTER_MACS,
|
||||
+ FIPS_FILTER_KEX_ALGS
|
||||
+} fips_filters;
|
||||
+
|
||||
+int fips_mode(void);
|
||||
+int fips_correct_dgst(int);
|
||||
+int fips_dgst_min(void);
|
||||
+enum fp_type fips_correct_fp_type(enum fp_type);
|
||||
+int fips_filter_crypto(char **, fips_filters);
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-9.6p1/hmac.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/hmac.c
|
||||
+++ openssh-9.6p1/hmac.c
|
||||
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *
|
||||
size_t i;
|
||||
u_char digest[16];
|
||||
|
||||
- if ((ctx = ssh_hmac_start(SSH_DIGEST_MD5)) == NULL)
|
||||
+ if ((ctx = ssh_hmac_start(fips_correct_dgst(SSH_DIGEST_MD5))) == NULL)
|
||||
printf("ssh_hmac_start failed");
|
||||
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
Index: openssh-9.6p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/kex.c
|
||||
+++ openssh-9.6p1/kex.c
|
||||
@@ -64,6 +64,8 @@
|
||||
#include "digest.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||
@@ -87,7 +89,7 @@ struct kexalg {
|
||||
int ec_nid;
|
||||
int hash_alg;
|
||||
};
|
||||
-static const struct kexalg kexalgs[] = {
|
||||
+static const struct kexalg kexalgs_all[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
@@ -120,6 +122,47 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, 0, -1, -1},
|
||||
};
|
||||
|
||||
+static const struct kexalg kexalgs_fips140_2[] = {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
+ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
|
||||
+ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
|
||||
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
+#endif /* HAVE_EVP_SHA256 */
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
|
||||
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
|
||||
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
|
||||
+ SSH_DIGEST_SHA384 },
|
||||
+# ifdef OPENSSL_HAS_NISTP521
|
||||
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
|
||||
+ SSH_DIGEST_SHA512 },
|
||||
+# endif /* OPENSSL_HAS_NISTP521 */
|
||||
+#endif /* OPENSSL_HAS_ECC */
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+ { NULL, -1, -1, -1},
|
||||
+};
|
||||
+
|
||||
+/* Returns array of macs available depending on selected FIPS mode */
|
||||
+static const struct kexalg *
|
||||
+fips_select_kexalgs(void)
|
||||
+{
|
||||
+ int fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ return kexalgs_all;
|
||||
+ case 1:
|
||||
+ return kexalgs_fips140_2;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -127,7 +170,7 @@ kex_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct kexalg *k;
|
||||
|
||||
- for (k = kexalgs; k->name != NULL; k++) {
|
||||
+ for (k = fips_select_kexalgs(); k->name != NULL; k++) {
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(k->name);
|
||||
@@ -147,7 +190,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
- for (k = kexalgs; k->name != NULL; k++) {
|
||||
+ for (k = fips_select_kexalgs(); k->name != NULL; k++) {
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
}
|
||||
@@ -167,7 +210,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
+ /* do not complain here - MACs and ciphers checks
|
||||
+ * are silent here
|
||||
error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ */
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
Index: openssh-9.6p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/mac.c
|
||||
+++ openssh-9.6p1/mac.c
|
||||
@@ -41,6 +41,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+#include "log.h"
|
||||
+
|
||||
#define SSH_DIGEST 1 /* SSH_DIGEST_XXX */
|
||||
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
|
||||
#define SSH_UMAC128 3
|
||||
@@ -55,7 +58,7 @@ struct macalg {
|
||||
int etm; /* Encrypt-then-MAC */
|
||||
};
|
||||
|
||||
-static const struct macalg macs[] = {
|
||||
+static const struct macalg macs_all[] = {
|
||||
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
|
||||
@@ -79,6 +82,41 @@ static const struct macalg macs[] = {
|
||||
{ NULL, 0, 0, 0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
+static const struct macalg macs_fips140_2[] = {
|
||||
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
|
||||
+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
|
||||
+#endif
|
||||
+
|
||||
+ /* Encrypt-then-MAC variants */
|
||||
+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
|
||||
+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
|
||||
+#endif
|
||||
+
|
||||
+ { NULL, 0, 0, 0, 0, 0, 0 }
|
||||
+};
|
||||
+
|
||||
+/* Returns array of macs available depending on selected FIPS mode */
|
||||
+static const struct macalg *
|
||||
+fips_select_macs(void)
|
||||
+{
|
||||
+ int fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ return macs_all;
|
||||
+ case 1:
|
||||
+ return macs_fips140_2;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* Returns a list of supported MACs separated by the specified char. */
|
||||
char *
|
||||
mac_alg_list(char sep)
|
||||
@@ -87,7 +125,7 @@ mac_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = fips_select_macs(); m->name != NULL; m++) {
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(m->name);
|
||||
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name
|
||||
{
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = fips_select_macs(); m->name != NULL; m++) {
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
Index: openssh-9.6p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/readconf.c
|
||||
+++ openssh-9.6p1/readconf.c
|
||||
@@ -71,6 +71,8 @@
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Format of the configuration file:
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
@@ -2478,6 +2480,23 @@ config_has_permitted_cnames(Options *opt
|
||||
return options->num_permitted_cnames > 0;
|
||||
}
|
||||
|
||||
+/* remove algorithms not approved for use in FIPS mode, when running in FIPS
|
||||
+ * mode
|
||||
+ */
|
||||
+void
|
||||
+filter_fips_algorithms(Options *o)
|
||||
+{
|
||||
+ if (fips_mode()) {
|
||||
+ if (!fips_filter_crypto(&o->ciphers, FIPS_FILTER_CIPHERS))
|
||||
+ fatal("None of selected ciphers can be used in FIPS mode");
|
||||
+ if (!fips_filter_crypto(&o->macs, FIPS_FILTER_MACS))
|
||||
+ fatal("None of selected MAC algorithms can be used in FIPS mode");
|
||||
+ if (!fips_filter_crypto(&o->kex_algorithms, FIPS_FILTER_KEX_ALGS))
|
||||
+ fatal("None of selected KEX algorithms can be used in FIPS mode");
|
||||
+ }
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Initializes options to special values that indicate that they have not yet
|
||||
* been set. Read_config_file will only set options with this value. Options
|
||||
@@ -2796,6 +2815,9 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ options->fingerprint_hash =
|
||||
+ fips_correct_dgst(options->fingerprint_hash);
|
||||
+
|
||||
#ifdef ENABLE_SK_INTERNAL
|
||||
if (options->sk_provider == NULL)
|
||||
options->sk_provider = xstrdup("internal");
|
||||
@@ -2840,6 +2862,8 @@ fill_default_options(Options * options)
|
||||
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
|
||||
#undef ASSEMBLE
|
||||
|
||||
+ filter_fips_algorithms(options);
|
||||
+
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
if (option_clear_or_none(v)) { \
|
||||
Index: openssh-9.6p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/readconf.h
|
||||
+++ openssh-9.6p1/readconf.h
|
||||
@@ -231,6 +231,7 @@ typedef struct {
|
||||
#define SSH_KEYSTROKE_CHAFF_MIN_MS 1024
|
||||
#define SSH_KEYSTROKE_CHAFF_RNG_MS 2048
|
||||
|
||||
+void filter_fips_algorithms(Options *o);
|
||||
const char *kex_default_pk_alg(void);
|
||||
char *ssh_connection_hash(const char *thishost, const char *host,
|
||||
const char *portstr, const char *user, const char *jump_host);
|
||||
Index: openssh-9.6p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/servconf.c
|
||||
+++ openssh-9.6p1/servconf.c
|
||||
@@ -68,6 +68,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "fips.h"
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
+/* remove algorithms not approved for use in FIPS mode, when running in FIPS
|
||||
+ * mode
|
||||
+ */
|
||||
+static void
|
||||
+filter_fips_algorithms_s(ServerOptions *o)
|
||||
+{
|
||||
+ if (fips_mode()) {
|
||||
+ if (!fips_filter_crypto(&o->ciphers, FIPS_FILTER_CIPHERS))
|
||||
+ fatal("None of selected ciphers can be used in FIPS mode");
|
||||
+ if (!fips_filter_crypto(&o->macs, FIPS_FILTER_MACS))
|
||||
+ fatal("None of selected MAC algorithms can be used in FIPS mode");
|
||||
+ if (!fips_filter_crypto(&o->kex_algorithms, FIPS_FILTER_KEX_ALGS))
|
||||
+ fatal("None of selected KEX algorithms can be used in FIPS mode");
|
||||
+ }
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
@@ -248,6 +266,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
free(def_kex);
|
||||
free(def_key);
|
||||
free(def_sig);
|
||||
+
|
||||
+ filter_fips_algorithms_s(o);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -440,6 +460,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ options->fingerprint_hash =
|
||||
+ fips_correct_dgst(options->fingerprint_hash);
|
||||
if (options->disable_forwarding == -1)
|
||||
options->disable_forwarding = 0;
|
||||
if (options->expose_userauth_info == -1)
|
||||
Index: openssh-9.6p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/ssh-keygen.c
|
||||
+++ openssh-9.6p1/ssh-keygen.c
|
||||
@@ -18,6 +18,8 @@
|
||||
#include <sys/socket.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
@@ -1040,11 +1042,13 @@ do_fingerprint(struct passwd *pw)
|
||||
static void
|
||||
do_gen_all_hostkeys(struct passwd *pw)
|
||||
{
|
||||
- struct {
|
||||
+ struct Key_types {
|
||||
char *key_type;
|
||||
char *key_type_display;
|
||||
char *path;
|
||||
- } key_types[] = {
|
||||
+ };
|
||||
+
|
||||
+ struct Key_types key_types_all[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
@@ -1058,6 +1062,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
+ struct Key_types key_types_fips140_2[] = {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
|
||||
+#endif /* OPENSSL_HAS_ECC */
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+ { NULL, NULL, NULL }
|
||||
+ };
|
||||
+
|
||||
+ struct Key_types *key_types;
|
||||
u_int32_t bits = 0;
|
||||
int first = 0;
|
||||
struct stat st;
|
||||
@@ -1065,6 +1080,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
|
||||
int i, type, fd, r;
|
||||
|
||||
+ if (fips_mode()) {
|
||||
+ key_types = key_types_fips140_2;
|
||||
+ } else {
|
||||
+ key_types = key_types_all;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; key_types[i].key_type; i++) {
|
||||
public = private = NULL;
|
||||
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
||||
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
|
||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||
|
||||
type = sshkey_type_from_name(key_type_name);
|
||||
+
|
||||
+ /* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
|
||||
+ * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit
|
||||
+ * keys due to FIPS-186 specification for DSS */
|
||||
+ if (fips_mode() &&
|
||||
+ (type == KEY_DSA || type == KEY_ED25519 ||
|
||||
+ type == KEY_DSA_CERT || type == KEY_ED25519_CERT))
|
||||
+ fatal("Key type %s not alowed in FIPS mode", key_type_name);
|
||||
+
|
||||
type_bits_valid(type, key_type_name, &bits);
|
||||
|
||||
if (!quiet)
|
||||
Index: openssh-9.6p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/ssh_config.5
|
||||
+++ openssh-9.6p1/ssh_config.5
|
||||
@@ -831,6 +831,8 @@ The argument to this keyword must be
|
||||
option) or
|
||||
.Cm no
|
||||
(the default).
|
||||
+.Pp
|
||||
+In the FIPS mode the minimum of SHA-1 is enforced (which means sha256).
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -128,6 +128,8 @@
|
||||
#include "srclimit.h"
|
||||
#include "dh.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
Index: openssh-9.6p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd_config.5
|
||||
+++ openssh-9.6p1/sshd_config.5
|
||||
@@ -681,6 +681,8 @@ and
|
||||
.Cm sha256 .
|
||||
The default is
|
||||
.Cm sha256 .
|
||||
+.Pp
|
||||
+In the FIPS mode the minimum of SHA-1 is enforced (which means sha256).
|
||||
.It Cm ForceCommand
|
||||
Forces the execution of the command specified by
|
||||
.Cm ForceCommand ,
|
471
openssh-7.7p1-fips_checks.patch
Normal file
471
openssh-7.7p1-fips_checks.patch
Normal file
@ -0,0 +1,471 @@
|
||||
# HG changeset patch
|
||||
# Parent e9b69da9a0f8dca923f8fc2836b38fe6590c791a
|
||||
#
|
||||
# Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and
|
||||
# verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would
|
||||
# obviously be a poor choice, since OpenSSL would barf and abort immediately in
|
||||
# FIPS mode). SHA-2 seems to be a reasonable choice.
|
||||
#
|
||||
# The logic of the checks is as follows: decide whether FIPS mode is mandated
|
||||
# (either by checking /proc/sys/crypto/fips_enabled or environment variable
|
||||
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
|
||||
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
|
||||
# still must be performed, unless the hashes are not installed. Thus if the hash
|
||||
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
|
||||
# otherwise.
|
||||
|
||||
Index: openssh-8.8p1/fips-check.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/fips-check.c
|
||||
@@ -0,0 +1,34 @@
|
||||
+#include "includes.h"
|
||||
+#include <fcntl.h>
|
||||
+#include <limits.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <unistd.h>
|
||||
+
|
||||
+#include "digest.h"
|
||||
+#include "fips.h"
|
||||
+
|
||||
+#include <openssl/err.h>
|
||||
+
|
||||
+#define PROC_NAME_LEN 64
|
||||
+
|
||||
+static const char *argv0;
|
||||
+
|
||||
+void
|
||||
+print_help_exit(int ev)
|
||||
+{
|
||||
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
|
||||
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
|
||||
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
|
||||
+ exit(ev);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char **argv)
|
||||
+{
|
||||
+ fips_ssh_init();
|
||||
+ return 0;
|
||||
+}
|
||||
Index: openssh-8.8p1/fips.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/fips.c
|
||||
+++ openssh-8.8p1/fips.c
|
||||
@@ -35,30 +35,293 @@
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
#include <string.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <unistd.h>
|
||||
#include <openssl/crypto.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/hmac.h>
|
||||
|
||||
static int fips_state = -1;
|
||||
|
||||
+/* calculates HMAC of contents of a file given by filename using the hash
|
||||
+ * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
|
||||
+ * newly allacated memory - remember to free it when not needed anymore */
|
||||
static int
|
||||
-fips_check_required_env(void)
|
||||
+hmac_file(const char *filename, u_char **hmac_out)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ int fd;
|
||||
+ struct stat fs;
|
||||
+ void *hmap;
|
||||
+ unsigned char *hmac;
|
||||
+ unsigned char *hmac_rv = NULL;
|
||||
+
|
||||
+ hmac = xmalloc(FIPS_HMAC_LEN);
|
||||
+
|
||||
+ fd = open(filename, O_RDONLY);
|
||||
+ if (-1 == fd)
|
||||
+ goto bail_out;
|
||||
+
|
||||
+ if (-1 == fstat(fd, &fs))
|
||||
+ goto bail_out;
|
||||
+
|
||||
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
|
||||
+
|
||||
+ if ((void *)(-1) != hmap) {
|
||||
+ hmac_rv = HMAC(FIPS_HMAC_EVP(), FIPS_HMAC_KEY
|
||||
+ , strlen(FIPS_HMAC_KEY), hmap, fs.st_size, hmac, NULL);
|
||||
+ check = CHECK_OK;
|
||||
+ munmap(hmap, fs.st_size);
|
||||
+ }
|
||||
+ close(fd);
|
||||
+
|
||||
+bail_out:
|
||||
+ if (hmac_rv) {
|
||||
+ check = CHECK_OK;
|
||||
+ *hmac_out = hmac;
|
||||
+ } else {
|
||||
+ check = CHECK_FAIL;
|
||||
+ *hmac_out = NULL;
|
||||
+ free(hmac);
|
||||
+ }
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+/* find pathname of binary of process with PID pid. exe is buffer expected to
|
||||
+ * be capable of holding at least max_pathlen characters
|
||||
+ */
|
||||
+static int
|
||||
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
|
||||
+{
|
||||
+ char exe_sl[PROC_EXE_PATH_LEN];
|
||||
+ int n;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
|
||||
+ if ((n <= 10) || (n >= max_pathlen)) {
|
||||
+ fatal("error compiling filename of link to executable");
|
||||
+ }
|
||||
+
|
||||
+ exe[0] = 0;
|
||||
+ n = readlink(exe_sl, exe, max_pathlen);
|
||||
+ /* the file doesn't need to exist - procfs might not be mounted in
|
||||
+ * chroot */
|
||||
+ if (n == -1) {
|
||||
+ rv = CHECK_MISSING;
|
||||
+ } else {
|
||||
+ if (n < max_pathlen) {
|
||||
+ exe[n] = 0;
|
||||
+ rv = CHECK_OK;
|
||||
+ } else {
|
||||
+ rv = CHECK_FAIL;
|
||||
+ }
|
||||
+ }
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/* Read HMAC from file chk, allocating enough memory to hold the HMAC and
|
||||
+ * return it in *hmac.
|
||||
+ * Remember to free() it when it's not needed anymore.
|
||||
+ */
|
||||
+static int
|
||||
+read_hmac(const char *chk, u_char **hmac)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ int fdh, n;
|
||||
+ u_char *hmac_in;
|
||||
+
|
||||
+ *hmac = NULL;
|
||||
+
|
||||
+ fdh = open(chk, O_RDONLY);
|
||||
+ if (-1 == fdh) {
|
||||
+ switch (errno) {
|
||||
+ case ENOENT:
|
||||
+ check = CHECK_MISSING;
|
||||
+ debug("fips: checksum file %s is missing\n", chk);
|
||||
+ break;
|
||||
+ default:
|
||||
+ check = CHECK_FAIL;
|
||||
+ debug("fips: ckecksum file %s not accessible\n", chk);
|
||||
+ break;
|
||||
+
|
||||
+ }
|
||||
+ goto bail_out;
|
||||
+ }
|
||||
+
|
||||
+ hmac_in = xmalloc(FIPS_HMAC_LEN);
|
||||
+
|
||||
+ n = read(fdh, (void *)hmac_in, FIPS_HMAC_LEN);
|
||||
+ if (FIPS_HMAC_LEN != n) {
|
||||
+ debug("fips: unable to read whole checksum from checksum file\n");
|
||||
+ free (hmac_in);
|
||||
+ check = CHECK_FAIL;
|
||||
+ } else {
|
||||
+ check = CHECK_OK;
|
||||
+ *hmac = hmac_in;
|
||||
+ }
|
||||
+bail_out:
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_hmac_self(void)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ u_char *hmac = NULL, *hmac_chk = NULL;
|
||||
+ char *exe, *chk;
|
||||
+
|
||||
+ exe = xmalloc(PATH_MAX);
|
||||
+ chk = xmalloc(PATH_MAX);
|
||||
+
|
||||
+ /* we will need to add the suffix and the null terminator */
|
||||
+ check = get_executable_path(getpid(), exe
|
||||
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ strncpy(chk, exe, PATH_MAX);
|
||||
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
|
||||
+
|
||||
+ check = read_hmac(chk, &hmac_chk);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ check = hmac_file(exe, &hmac);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ check = memcmp(hmac, hmac_chk, FIPS_HMAC_LEN);
|
||||
+ if (0 == check) {
|
||||
+ check = CHECK_OK;
|
||||
+ debug("fips: checksum matches\n");
|
||||
+ } else {
|
||||
+ check = CHECK_FAIL;
|
||||
+ debug("fips: checksum mismatch!\n");
|
||||
+ }
|
||||
+
|
||||
+cleanup:
|
||||
+ free(hmac);
|
||||
+ free(hmac_chk);
|
||||
+ free(chk);
|
||||
+ free(exe);
|
||||
+
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_check_required_proc(void)
|
||||
{
|
||||
int fips_required = 0;
|
||||
- char *env = getenv(SSH_FORCE_FIPS_ENV);
|
||||
+ int fips_fd;
|
||||
+ char fips_sys = 0;
|
||||
|
||||
- if (env) {
|
||||
- errno = 0;
|
||||
- fips_required = strtol(env, NULL, 10);
|
||||
- if (errno) {
|
||||
- debug("bogus value in the %s environment variable, ignoring\n"
|
||||
- , SSH_FORCE_FIPS_ENV);
|
||||
- fips_required = 0;
|
||||
- } else
|
||||
- fips_required = 1;
|
||||
+ struct stat dummy;
|
||||
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
|
||||
+ switch (errno) {
|
||||
+ case ENOENT:
|
||||
+ case ENOTDIR:
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
||||
+ " be accessed for reason other than non-existence - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ break;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
||||
+ " be opened for reading - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ if (1 > read(fips_fd, &fips_sys, 1))
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
|
||||
+ " return at least one character - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ close(fips_sys);
|
||||
+ switch (fips_sys) {
|
||||
+ case '0':
|
||||
+ case '1':
|
||||
+ fips_required = fips_sys - '0';
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Bogus character %c found in %s - aborting"
|
||||
+ , fips_sys, FIPS_PROC_PATH);
|
||||
+ }
|
||||
}
|
||||
return fips_required;
|
||||
}
|
||||
|
||||
+static int
|
||||
+fips_check_required_env(void)
|
||||
+{
|
||||
+ return (NULL != getenv(SSH_FORCE_FIPS_ENV));
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_required(void)
|
||||
+{
|
||||
+ int fips_requests = 0;
|
||||
+ fips_requests += fips_check_required_proc();
|
||||
+ fips_requests += fips_check_required_env();
|
||||
+ return fips_requests;
|
||||
+}
|
||||
+
|
||||
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
|
||||
+void
|
||||
+fips_ssh_init(void)
|
||||
+{
|
||||
+ int checksum;
|
||||
+
|
||||
+ checksum = fips_hmac_self();
|
||||
+
|
||||
+ if (fips_required()) {
|
||||
+ switch (checksum) {
|
||||
+ case CHECK_OK:
|
||||
+ debug("fips: mandatory checksum ok");
|
||||
+ break;
|
||||
+ case CHECK_FAIL:
|
||||
+ fatal("fips: mandatory checksum failed - aborting");
|
||||
+ break;
|
||||
+ case CHECK_MISSING:
|
||||
+ fatal("fips: mandatory checksum data missing - aborting");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Fatal error: internal error at %s:%u"
|
||||
+ , __FILE__, __LINE__);
|
||||
+ break;
|
||||
+ }
|
||||
+ fips_state = FIPS_mode_set(1);
|
||||
+ if (1 != fips_state) {
|
||||
+ ERR_load_crypto_strings();
|
||||
+ u_long err = ERR_get_error();
|
||||
+ error("fips: OpenSSL error %lx: %s"
|
||||
+ , err, ERR_error_string(err, NULL));
|
||||
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting");
|
||||
+ }
|
||||
+ } else {
|
||||
+ switch (checksum) {
|
||||
+ case CHECK_OK:
|
||||
+ debug("fips: checksum ok");
|
||||
+ break;
|
||||
+ case CHECK_FAIL:
|
||||
+ fatal("fips: checksum failed - aborting");
|
||||
+ break;
|
||||
+ case CHECK_MISSING:
|
||||
+ debug("fips: checksum data missing, but not required - continuing non-FIPS");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Fatal error: internal error at %s:%u",
|
||||
+ __FILE__, __LINE__);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
int
|
||||
fips_mode(void)
|
||||
{
|
||||
Index: openssh-8.8p1/fips.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/fips.h
|
||||
+++ openssh-8.8p1/fips.h
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -27,6 +27,15 @@
|
||||
#include "sshkey.h"
|
||||
|
||||
#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
|
||||
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
+#define PROC_EXE_PATH_LEN 64
|
||||
+#define CHECKSUM_SUFFIX ".hmac"
|
||||
+#define FIPS_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||
+#define FIPS_HMAC_EVP EVP_sha256
|
||||
+#define FIPS_HMAC_LEN 32
|
||||
+
|
||||
+void fips_ssh_init(void);
|
||||
|
||||
typedef enum {
|
||||
FIPS_FILTER_CIPHERS,
|
||||
@@ -34,6 +43,12 @@ typedef enum {
|
||||
FIPS_FILTER_KEX_ALGS
|
||||
} fips_filters;
|
||||
|
||||
+typedef enum {
|
||||
+ CHECK_OK = 0,
|
||||
+ CHECK_FAIL,
|
||||
+ CHECK_MISSING
|
||||
+} fips_checksum_status;
|
||||
+
|
||||
int fips_mode(void);
|
||||
int fips_correct_dgst(int);
|
||||
int fips_dgst_min(void);
|
||||
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
|
||||
int fips_filter_crypto(char **, fips_filters);
|
||||
|
||||
#endif
|
||||
-
|
||||
Index: openssh-8.8p1/sftp-server.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp-server.c
|
||||
+++ openssh-8.8p1/sftp-server.c
|
||||
@@ -57,6 +57,8 @@ char *sftp_realpath(const char *, char *
|
||||
/* Maximum data read that we are willing to accept */
|
||||
#define SFTP_MAX_READ_LENGTH (SFTP_MAX_MSG_LENGTH - 1024)
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Our verbosity */
|
||||
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
||||
|
||||
@@ -1717,6 +1719,9 @@ sftp_server_main(int argc, char **argv,
|
||||
extern char *optarg;
|
||||
extern char *__progname;
|
||||
|
||||
+ /* initialize fips */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
||||
Index: openssh-8.8p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh.c
|
||||
+++ openssh-8.8p1/ssh.c
|
||||
@@ -113,6 +113,8 @@
|
||||
#include "ssh-pkcs11.h"
|
||||
#endif
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
extern char *__progname;
|
||||
|
||||
/* Saves a copy of argv for setproctitle emulation */
|
||||
@@ -632,6 +634,10 @@ main(int ac, char **av)
|
||||
u_int j;
|
||||
struct ssh_conn_info *cinfo = NULL;
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
|
||||
struct connection_info *connection_info = NULL;
|
||||
sigset_t sigmask;
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
20
openssh-7.7p1-host_ident.patch
Normal file
20
openssh-7.7p1-host_ident.patch
Normal file
@ -0,0 +1,20 @@
|
||||
# HG changeset patch
|
||||
# Parent 0f731d0b541b8a919d24ac91098f560a49712822
|
||||
Suggest command line for removal of offending keys from known_hosts file
|
||||
|
||||
Index: openssh-8.8p1/sshconnect.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshconnect.c
|
||||
+++ openssh-8.8p1/sshconnect.c
|
||||
@@ -1270,6 +1270,11 @@ check_host_key(char *hostname, const str
|
||||
error("Offending %s key in %s:%lu",
|
||||
sshkey_type(host_found->key),
|
||||
host_found->file, host_found->line);
|
||||
+ error("You can use following command to remove the offending key:");
|
||||
+ if (host_found->file)
|
||||
+ error("ssh-keygen -R %s -f %s", host, host_found->file);
|
||||
+ else
|
||||
+ error("ssh-keygen -R %s", host);
|
||||
|
||||
/*
|
||||
* If strict host key checking is in use, the user will have
|
83
openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Normal file
83
openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Normal file
@ -0,0 +1,83 @@
|
||||
# HG changeset patch
|
||||
# Parent 5e19a205fa03584bb0d829ecbba7495ce1899b65
|
||||
# -- uset do be called '-xauthlocalhostname'
|
||||
handle hostname changes when forwarding X
|
||||
|
||||
Index: openssh-8.8p1/session.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/session.c
|
||||
+++ openssh-8.8p1/session.c
|
||||
@@ -981,7 +981,7 @@ copy_environment(char **source, char ***
|
||||
#endif
|
||||
|
||||
static char **
|
||||
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
|
||||
{
|
||||
char buf[256];
|
||||
size_t n;
|
||||
@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
for (i = 0; env[i]; i++)
|
||||
fprintf(stderr, " %.200s\n", env[i]);
|
||||
}
|
||||
+
|
||||
+ *env_size = envsize;
|
||||
return env;
|
||||
}
|
||||
|
||||
@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
* first in this order).
|
||||
*/
|
||||
static void
|
||||
-do_rc_files(struct ssh *ssh, Session *s, const char *shell)
|
||||
+do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size)
|
||||
{
|
||||
FILE *f = NULL;
|
||||
char *cmd = NULL, *user_rc = NULL;
|
||||
@@ -1256,12 +1258,20 @@ do_rc_files(struct ssh *ssh, Session *s,
|
||||
fatal_f("xasprintf: %s", strerror(errno));
|
||||
f = popen(cmd, "w");
|
||||
if (f) {
|
||||
+ char hostname[MAXHOSTNAMELEN];
|
||||
+
|
||||
fprintf(f, "remove %s\n",
|
||||
s->auth_display);
|
||||
fprintf(f, "add %s %s %s\n",
|
||||
s->auth_display, s->auth_proto,
|
||||
s->auth_data);
|
||||
pclose(f);
|
||||
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
|
||||
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
|
||||
+ hostname);
|
||||
+ else
|
||||
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
|
||||
+ strerror(errno));
|
||||
} else {
|
||||
fprintf(stderr, "Could not run %s\n",
|
||||
cmd);
|
||||
@@ -1518,6 +1528,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
char **env, *argv[ARGV_MAX], remote_id[512];
|
||||
const char *shell, *shell0;
|
||||
struct passwd *pw = s->pw;
|
||||
+ int env_size;
|
||||
int r = 0;
|
||||
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
@@ -1574,7 +1585,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
* Make sure $SHELL points to the shell from the password file,
|
||||
* even if shell is overridden from login.conf
|
||||
*/
|
||||
- env = do_setup_env(ssh, s, shell);
|
||||
+ env = do_setup_env(ssh, s, shell, &env_size);
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||
@@ -1638,7 +1649,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
- do_rc_files(ssh, s, shell);
|
||||
+ do_rc_files(ssh, s, shell, env, &env_size);
|
||||
|
||||
/* restore SIGPIPE for child */
|
||||
ssh_signal(SIGPIPE, SIG_DFL);
|
2719
openssh-7.7p1-ldap.patch
Normal file
2719
openssh-7.7p1-ldap.patch
Normal file
File diff suppressed because it is too large
Load Diff
17
openssh-7.7p1-no_fork-no_pid_file.patch
Normal file
17
openssh-7.7p1-no_fork-no_pid_file.patch
Normal file
@ -0,0 +1,17 @@
|
||||
# HG changeset patch
|
||||
# Parent bad0c8b3b8d72abb6960ed85b57ee42352371738
|
||||
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -2129,7 +2129,7 @@ main(int ac, char **av)
|
||||
* Write out the pid file after the sigterm handler
|
||||
* is setup and the listen sockets are bound
|
||||
*/
|
||||
- if (options.pid_file != NULL && !debug_flag) {
|
||||
+ if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
|
||||
FILE *f = fopen(options.pid_file, "w");
|
||||
|
||||
if (f == NULL) {
|
134
openssh-7.7p1-pam_check_locks.patch
Normal file
134
openssh-7.7p1-pam_check_locks.patch
Normal file
@ -0,0 +1,134 @@
|
||||
# HG changeset patch
|
||||
# Parent 089f4fba0112d410a1bfa74398941f076681d446
|
||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
||||
UsePAM is used
|
||||
|
||||
bnc#708678, FATE#312033
|
||||
|
||||
Index: openssh-8.8p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth.c
|
||||
+++ openssh-8.8p1/auth.c
|
||||
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
|
||||
if (!pw || !pw->pw_name)
|
||||
return 0;
|
||||
|
||||
- if (!options.use_pam && platform_locked_account(pw)) {
|
||||
+ if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) {
|
||||
logit("User %.100s not allowed because account is locked",
|
||||
pw->pw_name);
|
||||
return 0;
|
||||
#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
|
||||
# #endif
|
||||
#
|
||||
# /* check for locked account */
|
||||
#- if (!options.use_pam && passwd && *passwd) {
|
||||
#+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
||||
# int locked = 0;
|
||||
#
|
||||
# #ifdef LOCKED_PASSWD_STRING
|
||||
Index: openssh-8.8p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.c
|
||||
+++ openssh-8.8p1/servconf.c
|
||||
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
|
||||
|
||||
/* Portable-specific options */
|
||||
options->use_pam = -1;
|
||||
+ options->use_pam_check_locks = -1;
|
||||
|
||||
/* Standard Options */
|
||||
options->num_ports = 0;
|
||||
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
||||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
options->use_pam = 0;
|
||||
+ if (options->use_pam_check_locks == -1)
|
||||
+ options->use_pam_check_locks = 0;
|
||||
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
@@ -485,7 +488,7 @@ fill_default_server_options(ServerOption
|
||||
typedef enum {
|
||||
sBadOption, /* == unknown option */
|
||||
/* Portable-specific options */
|
||||
- sUsePAM,
|
||||
+ sUsePAM, sUsePAMChecklocks,
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
@@ -535,8 +538,10 @@ static struct {
|
||||
/* Portable-specific options */
|
||||
#ifdef USE_PAM
|
||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||
/* Standard Options */
|
||||
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
|
||||
case sUsePAM:
|
||||
intptr = &options->use_pam;
|
||||
goto parse_flag;
|
||||
+ case sUsePAMChecklocks:
|
||||
+ intptr = &options->use_pam_check_locks;
|
||||
+ goto parse_flag;
|
||||
|
||||
/* Standard Options */
|
||||
case sBadOption:
|
||||
Index: openssh-8.8p1/servconf.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.h
|
||||
+++ openssh-8.8p1/servconf.h
|
||||
@@ -200,6 +200,7 @@ typedef struct {
|
||||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
||||
|
||||
int permit_tun;
|
||||
|
||||
Index: openssh-8.8p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.0
|
||||
+++ openssh-8.8p1/sshd_config.0
|
||||
@@ -1074,6 +1074,14 @@ DESCRIPTION
|
||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
||||
non-root user. The default is no.
|
||||
|
||||
+ UsePAMCheckLocks
|
||||
+ When set to ``yes'', the checks whether the account has been
|
||||
+ locked with `passwd -l' are performed even when PAM authentication
|
||||
+ is enabled via UsePAM. This is to ensure that it is not possible
|
||||
+ to log in with e.g. a public key (in such a case PAM is used only
|
||||
+ to set up the session and some PAM modules will not check whether
|
||||
+ the account is locked in this scenario). The default is ``no''.
|
||||
+
|
||||
VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH
|
||||
protocol banner sent by the server upon connection. The default
|
||||
Index: openssh-8.8p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.5
|
||||
+++ openssh-8.8p1/sshd_config.5
|
||||
@@ -1775,6 +1775,18 @@ is enabled, you will not be able to run
|
||||
as a non-root user.
|
||||
The default is
|
||||
.Cm no .
|
||||
+.It Cm UsePAMCheckLocks
|
||||
+When set to
|
||||
+.Dq yes
|
||||
+, the checks whether the account has been locked with
|
||||
+.Pa passwd -l
|
||||
+are performed even when PAM authentication is enabled via
|
||||
+.Cm UsePAM .
|
||||
+This is to ensure that it is not possible to log in with e.g. a
|
||||
+public key (in such a case PAM is used only to set up the session and some PAM
|
||||
+modules will not check whether the account is locked in this scenario). The
|
||||
+default is
|
||||
+.Dq no .
|
||||
.It Cm VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH protocol banner
|
||||
sent by the server upon connection.
|
30
openssh-7.7p1-pts_names_formatting.patch
Normal file
30
openssh-7.7p1-pts_names_formatting.patch
Normal file
@ -0,0 +1,30 @@
|
||||
# HG changeset patch
|
||||
# Parent 7cd948c83939479d1ba88a3161991cb561306f3f
|
||||
# use same lines naming as utempter (prevents problems with using different
|
||||
# formats in ?tmp? files)
|
||||
# --used to be called '-pts'
|
||||
|
||||
Index: openssh-8.8p1/loginrec.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/loginrec.c
|
||||
+++ openssh-8.8p1/loginrec.c
|
||||
@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li)
|
||||
* 1. The full filename (including '/dev')
|
||||
* 2. The stripped name (excluding '/dev')
|
||||
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
||||
- * /dev/pts/1 -> ts/1 )
|
||||
+ * /dev/pts/1 -> /1 )
|
||||
*
|
||||
* Form 3 is used on some systems to identify a .tmp.? entry when
|
||||
* attempting to remove it. Typically both addition and removal is
|
||||
@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s
|
||||
if (strncmp(src, "tty", 3) == 0)
|
||||
src += 3;
|
||||
#endif
|
||||
+ if (strncmp(src, "pts/", 4) == 0) {
|
||||
+ src += 3;
|
||||
+ if (strlen(src) > 4) src++;
|
||||
+ }
|
||||
|
||||
len = strlen(src);
|
||||
|
46
openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Normal file
46
openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Normal file
@ -0,0 +1,46 @@
|
||||
# HG changeset patch
|
||||
# Parent a60c0d88667efe0a64c030168950b69476af1622
|
||||
# --used to be called '-xauth'
|
||||
try to remove xauth cookies on logout
|
||||
|
||||
bnc#98815
|
||||
|
||||
Index: openssh-8.8p1/session.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/session.c
|
||||
+++ openssh-8.8p1/session.c
|
||||
@@ -2441,6 +2441,34 @@ session_close(struct ssh *ssh, Session *
|
||||
ssh_remote_port(ssh),
|
||||
s->self);
|
||||
|
||||
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
||||
+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {
|
||||
+ pid_t pid;
|
||||
+ FILE *f;
|
||||
+ char cmd[1024];
|
||||
+ struct passwd * pw = s->pw;
|
||||
+
|
||||
+ if (!(pid = fork())) {
|
||||
+ permanently_set_uid(pw);
|
||||
+
|
||||
+ /* Remove authority data from .Xauthority if appropriate. */
|
||||
+ debug("Running %.500s remove %.100s\n",
|
||||
+ options.xauth_location, s->auth_display);
|
||||
+
|
||||
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
|
||||
+ s->pw->pw_dir, options.xauth_location);
|
||||
+ f = popen(cmd, "w");
|
||||
+ if (f) {
|
||||
+ fprintf(f, "remove %s\n", s->auth_display);
|
||||
+ pclose(f);
|
||||
+ } else
|
||||
+ error("Could not run %s\n", cmd);
|
||||
+ exit(0);
|
||||
+ } else if (pid > 0) {
|
||||
+ waitpid(pid, NULL, 0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
free(s->term);
|
41
openssh-7.7p1-seccomp_ipc_flock.patch
Normal file
41
openssh-7.7p1-seccomp_ipc_flock.patch
Normal file
@ -0,0 +1,41 @@
|
||||
# HG changeset patch
|
||||
# Parent 9d38b7292619a6d5faf554b1a88888fdfa535de7
|
||||
Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:
|
||||
|
||||
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
To: openssh-unix-dev@mindrot.org
|
||||
Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
|
||||
Date: Tue, 9 May 2017 14:27:13 -0300
|
||||
|
||||
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
||||
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
||||
implementation) which calls the libraries that will communicate with the
|
||||
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
||||
this is only need on s390 architecture.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -219,6 +219,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_geteuid32
|
||||
SC_ALLOW(__NR_geteuid32),
|
||||
#endif
|
||||
+#if defined(__NR_flock) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_flock),
|
||||
+#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(__NR_getpgid),
|
||||
#endif
|
||||
@@ -237,6 +240,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_getuid32
|
||||
SC_ALLOW(__NR_getuid32),
|
||||
#endif
|
||||
+#if defined(__NR_ipc) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_ipc),
|
||||
+#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
|
||||
# ifdef MADV_FREE
|
21
openssh-7.7p1-seccomp_stat.patch
Normal file
21
openssh-7.7p1-seccomp_stat.patch
Normal file
@ -0,0 +1,21 @@
|
||||
# HG changeset patch
|
||||
# Parent 5034ae16f6a5c9c7151d931dc1cce2a541fe010e
|
||||
Allow the stat() syscall for OpenSSL re-seed patch
|
||||
(which causes OpenSSL use stat() on some file)
|
||||
|
||||
bnc#912436
|
||||
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -294,6 +294,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_sigprocmask
|
||||
SC_ALLOW(__NR_sigprocmask),
|
||||
#endif
|
||||
+#ifdef __NR_stat
|
||||
+ SC_ALLOW(__NR_stat),
|
||||
+#endif
|
||||
#ifdef __NR_time
|
||||
SC_ALLOW(__NR_time),
|
||||
#endif
|
37
openssh-7.7p1-send_locale.patch
Normal file
37
openssh-7.7p1-send_locale.patch
Normal file
@ -0,0 +1,37 @@
|
||||
# HG changeset patch
|
||||
# Parent db426aecefd1f4f8a7f9b9b6e8936cd8dd2f17fa
|
||||
send locales in default configuration
|
||||
bnc#65747
|
||||
|
||||
Index: openssh-8.8p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config
|
||||
+++ openssh-8.8p1/ssh_config
|
||||
@@ -31,6 +31,11 @@ Host *
|
||||
# expire after twenty minutes after remote login.
|
||||
ForwardX11Trusted yes
|
||||
|
||||
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
|
||||
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL
|
||||
+
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
Index: openssh-8.8p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config
|
||||
+++ openssh-8.8p1/sshd_config
|
||||
@@ -108,6 +108,11 @@ X11Forwarding yes
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
|
||||
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||
+
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
125
openssh-7.7p1-sftp_force_permissions.patch
Normal file
125
openssh-7.7p1-sftp_force_permissions.patch
Normal file
@ -0,0 +1,125 @@
|
||||
Index: openssh-8.8p1/sftp-server.8
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp-server.8
|
||||
+++ openssh-8.8p1/sftp-server.8
|
||||
@@ -38,6 +38,7 @@
|
||||
.Op Fl P Ar denied_requests
|
||||
.Op Fl p Ar allowed_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_dir_perms
|
||||
.Ek
|
||||
.Nm
|
||||
.Fl Q Ar protocol_feature
|
||||
@@ -138,6 +139,10 @@ Sets an explicit
|
||||
.Xr umask 2
|
||||
to be applied to newly-created files and directories, instead of the
|
||||
user's default mask.
|
||||
+.It Fl m Ar force_file_dir_perms
|
||||
+Sets explicit permissions to be applied to newly-created files and directories
|
||||
+instead of the default or client requested mode. Numeric values include:
|
||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
||||
.El
|
||||
.Pp
|
||||
On some systems,
|
||||
Index: openssh-8.8p1/sftp-server.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp-server.c
|
||||
+++ openssh-8.8p1/sftp-server.c
|
||||
@@ -73,6 +73,10 @@ struct sshbuf *oqueue;
|
||||
/* Version of client */
|
||||
static u_int version;
|
||||
|
||||
+/* Force file and directory permissions */
|
||||
+int permforce = 0;
|
||||
+long permforcemode;
|
||||
+
|
||||
/* SSH2_FXP_INIT received */
|
||||
static int init_done;
|
||||
|
||||
@@ -724,6 +728,7 @@ process_open(u_int32_t id)
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
|
||||
+ mode_t old_umask = 0;
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||
@@ -733,6 +738,10 @@ process_open(u_int32_t id)
|
||||
debug3("request %u: open flags %d", id, pflags);
|
||||
flags = flags_from_portable(pflags);
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
+ if (permforce == 1) { /* Force perm if -m is set */
|
||||
+ mode = permforcemode;
|
||||
+ old_umask = umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
@@ -754,6 +763,8 @@ process_open(u_int32_t id)
|
||||
}
|
||||
}
|
||||
}
|
||||
+ if (permforce == 1)
|
||||
+ (void) umask(old_umask); /* restore umask to something sane */
|
||||
if (status != SSH2_FX_OK)
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1183,6 +1194,7 @@ process_mkdir(u_int32_t id)
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, mode, status = SSH2_FX_FAILURE;
|
||||
+ mode_t old_umask = 0;
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = decode_attrib(iqueue, &a)) != 0)
|
||||
@@ -1190,9 +1202,16 @@ process_mkdir(u_int32_t id)
|
||||
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
|
||||
a.perm & 07777 : 0777;
|
||||
+ if (permforce == 1) { /* Force perm if -m is set */
|
||||
+ mode = permforcemode;
|
||||
+ old_umask = umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
+
|
||||
debug3("request %u: mkdir", id);
|
||||
logit("mkdir name \"%s\" mode 0%o", name, mode);
|
||||
r = mkdir(name, mode);
|
||||
+ if (permforce == 1)
|
||||
+ (void) umask(old_umask); /* restore umask to something sane */
|
||||
status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1700,7 +1719,7 @@ sftp_server_usage(void)
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P denied_requests] "
|
||||
- "[-p allowed_requests] [-u umask]\n"
|
||||
+ "[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
@@ -1728,7 +1747,7 @@ sftp_server_main(int argc, char **argv,
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
- "d:f:l:P:p:Q:u:cehR")) != -1) {
|
||||
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
|
||||
switch (ch) {
|
||||
case 'Q':
|
||||
if (strcasecmp(optarg, "requests") != 0) {
|
||||
@@ -1790,6 +1809,15 @@ sftp_server_main(int argc, char **argv,
|
||||
fatal("Invalid umask \"%s\"", optarg);
|
||||
(void)umask((mode_t)mask);
|
||||
break;
|
||||
+ case 'm':
|
||||
+ /* Force permissions on file and directory received via sftp */
|
||||
+ permforce = 1;
|
||||
+ permforcemode = strtol(optarg, &cp, 8);
|
||||
+ if (permforcemode < 0 || permforcemode > 0777 ||
|
||||
+ *cp != '\0' || (permforcemode == 0 &&
|
||||
+ errno != 0))
|
||||
+ fatal("Invalid file mode \"%s\"", optarg);
|
||||
+ break;
|
||||
case 'h':
|
||||
default:
|
||||
sftp_server_usage();
|
60
openssh-7.7p1-sftp_print_diagnostic_messages.patch
Normal file
60
openssh-7.7p1-sftp_print_diagnostic_messages.patch
Normal file
@ -0,0 +1,60 @@
|
||||
# HG changeset patch
|
||||
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
|
||||
Put back sftp client diagnostic messages in batch mode
|
||||
|
||||
Index: openssh-8.8p1/sftp.1
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp.1
|
||||
+++ openssh-8.8p1/sftp.1
|
||||
@@ -287,6 +287,9 @@ Specifies the port to connect to on the
|
||||
.It Fl p
|
||||
Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
+.It Fl Q
|
||||
+Not-so-quiet batch mode: forces printing of diagnostic messages
|
||||
+in batch mode.
|
||||
.It Fl q
|
||||
Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from
|
||||
Index: openssh-8.8p1/sftp.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp.c
|
||||
+++ openssh-8.8p1/sftp.c
|
||||
@@ -82,6 +82,9 @@ static volatile pid_t sshpid = -1;
|
||||
/* Suppress diagnostic messages */
|
||||
int quiet = 0;
|
||||
|
||||
+/* Force diagnositic messages in batch mode */
|
||||
+int loud = 0;
|
||||
+
|
||||
/* This is set to 0 if the progressmeter is not desired. */
|
||||
int showprogress = 1;
|
||||
|
||||
@@ -2381,7 +2384,7 @@ main(int argc, char **argv)
|
||||
infile = stdin;
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
|
||||
+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
|
||||
switch (ch) {
|
||||
/* Passed through to ssh(1) */
|
||||
case 'A':
|
||||
@@ -2399,6 +2402,9 @@ main(int argc, char **argv)
|
||||
addargs(&args, "-%c", ch);
|
||||
addargs(&args, "%s", optarg);
|
||||
break;
|
||||
+ case 'Q':
|
||||
+ loud = 1;
|
||||
+ break;
|
||||
case 'q':
|
||||
ll = SYSLOG_LEVEL_ERROR;
|
||||
quiet = 1;
|
||||
@@ -2483,6 +2489,8 @@ main(int argc, char **argv)
|
||||
usage();
|
||||
}
|
||||
}
|
||||
+ if (batchmode && loud)
|
||||
+ quiet = 0;
|
||||
|
||||
/* Do this last because we want the user to be able to override it */
|
||||
addargs(&args, "-oForwardAgent no");
|
87
openssh-7.7p1-systemd-notify.patch
Normal file
87
openssh-7.7p1-systemd-notify.patch
Normal file
@ -0,0 +1,87 @@
|
||||
# HG changeset patch
|
||||
# Parent d296e85dc414b8cd1b4b55ad03d8216feb26531a
|
||||
Send signals to systemd to prevent various race conditions
|
||||
bsc#1048367
|
||||
|
||||
Index: openssh-8.8p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/configure.ac
|
||||
+++ openssh-8.8p1/configure.ac
|
||||
@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
|
||||
# AC_SUBST([GSSLIBS])
|
||||
AC_SUBST([K5LIBS])
|
||||
AC_SUBST([CHANNELLIBS])
|
||||
|
||||
+# Check whether user wants systemd support
|
||||
+SYSTEMD_MSG="no"
|
||||
+AC_ARG_WITH(systemd,
|
||||
+ [ --with-systemd Enable systemd support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "$PKGCONFIG" != "no"; then
|
||||
+ AC_MSG_CHECKING([for libsystemd])
|
||||
+ if $PKGCONFIG --exists libsystemd; then
|
||||
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
||||
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
||||
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
||||
+ SYSTEMD_MSG="yes"
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
# Looking for programs, paths and files
|
||||
|
||||
PRIVSEP_PATH=/var/empty
|
||||
@@ -5564,6 +5588,7 @@ echo " libldns support
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " Solaris project support: $SP_MSG"
|
||||
echo " Solaris privilege support: $SPP_MSG"
|
||||
+echo " systemd support: $SYSTEMD_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -85,6 +85,10 @@
|
||||
#include <prot.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+#include <systemd/sd-daemon.h>
|
||||
+#endif
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
@@ -308,6 +312,10 @@ sighup_handler(int sig)
|
||||
static void
|
||||
sighup_restart(void)
|
||||
{
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are reloading */
|
||||
+ sd_notify(0, "RELOADING=1");
|
||||
+#endif
|
||||
logit("Received SIGHUP; restarting.");
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
@@ -2076,6 +2084,11 @@ main(int ac, char **av)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are ready to accept connections */
|
||||
+ sd_notify(0, "READY=1");
|
||||
+#endif
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s);
|
885
openssh-7.8p1-role-mls.patch
Normal file
885
openssh-7.8p1-role-mls.patch
Normal file
@ -0,0 +1,885 @@
|
||||
Index: openssh-9.6p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2.c
|
||||
+++ openssh-9.6p1/auth2.c
|
||||
@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role = NULL;
|
||||
+#endif
|
||||
int r, authenticated = 0;
|
||||
double tstart = monotime_double();
|
||||
|
||||
@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = 0;
|
||||
+#endif
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
- if (use_privsep)
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role ? xstrdup(role) : NULL;
|
||||
+#endif
|
||||
+ if (use_privsep) {
|
||||
mm_inform_authserv(service, style);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ mm_inform_authrole(role);
|
||||
+#endif
|
||||
+ }
|
||||
userauth_banner(ssh);
|
||||
if ((r = kex_server_update_ext_info(ssh)) != 0)
|
||||
fatal_fr(r, "kex_server_update_ext_info failed");
|
||||
Index: openssh-9.6p1/auth2-gss.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-gss.c
|
||||
+++ openssh-9.6p1/auth2-gss.c
|
||||
@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int r, authenticated = 0;
|
||||
+ char *micuser;
|
||||
struct sshbuf *b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
const char *displayname;
|
||||
@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
fatal_f("sshbuf_new failed");
|
||||
mic.value = p;
|
||||
mic.length = len;
|
||||
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && authctxt->role[0] != 0)
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||
"gssapi-with-mic", ssh->kex->session_id);
|
||||
|
||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||
@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
sshbuf_free(b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
if ((!use_privsep || mm_is_monitor()) &&
|
||||
Index: openssh-9.6p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-hostbased.c
|
||||
+++ openssh-9.6p1/auth2-hostbased.c
|
||||
@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
|
||||
/* reconstruct packet */
|
||||
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ (authctxt->role
|
||||
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
|
||||
+ (r = sshbuf_put(b, authctxt->user, strlen(authctxt->user))) != 0 ||
|
||||
+ (r = sshbuf_put_u8(b, '/') != 0) ||
|
||||
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
|
||||
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
|
||||
+#else
|
||||
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||
+#endif
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, method)) != 0 ||
|
||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||
Index: openssh-9.6p1/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-pubkey.c
|
||||
+++ openssh-9.6p1/auth2-pubkey.c
|
||||
@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
|
||||
goto done;
|
||||
}
|
||||
/* reconstruct packet */
|
||||
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
- authctxt->style ? authctxt->style : "");
|
||||
+ authctxt->style ? authctxt->style : "",
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role ? "/" : "",
|
||||
+ authctxt->role ? authctxt->role : ""
|
||||
+#else
|
||||
+ "", ""
|
||||
+#endif
|
||||
+ );
|
||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
Index: openssh-9.6p1/auth.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth.h
|
||||
+++ openssh-9.6p1/auth.h
|
||||
@@ -65,6 +65,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role;
|
||||
+#endif
|
||||
|
||||
/* Method lists for multiple authentication */
|
||||
char **auth_methods; /* modified from server config */
|
||||
Index: openssh-9.6p1/auth-pam.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth-pam.c
|
||||
+++ openssh-9.6p1/auth-pam.c
|
||||
@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
char *compound;
|
||||
Index: openssh-9.6p1/auth-pam.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth-pam.h
|
||||
+++ openssh-9.6p1/auth-pam.h
|
||||
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(struct ssh *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
Index: openssh-9.6p1/misc.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/misc.c
|
||||
+++ openssh-9.6p1/misc.c
|
||||
@@ -771,6 +771,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
+ int start = 1;
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -786,6 +787,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
+ if (start) {
|
||||
+ /* Slash on beginning or after dots only denotes file name. */
|
||||
+ if (*cp == '/')
|
||||
+ return (0);
|
||||
+ if (*cp != '.')
|
||||
+ start = 0;
|
||||
+ }
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
Index: openssh-9.6p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor.c
|
||||
+++ openssh-9.6p1/monitor.c
|
||||
@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
|
||||
+#endif
|
||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||
@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
+#ifdef WITH_SELINUX
|
||||
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
|
||||
+#endif
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
+#endif
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -908,6 +917,26 @@ key_base_type_match(const char *method,
|
||||
return found;
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+int
|
||||
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
+{
|
||||
+ int r;
|
||||
+ monitor_permit_authentications(1);
|
||||
+
|
||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||
+ debug3_f("role=%s", authctxt->role);
|
||||
+
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ free(authctxt->role);
|
||||
+ authctxt->role = NULL;
|
||||
+ }
|
||||
+
|
||||
+ return (0);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
int
|
||||
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
{
|
||||
@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
struct sshbuf *b;
|
||||
struct sshkey *hostkey = NULL;
|
||||
const u_char *p;
|
||||
- char *userstyle, *cp;
|
||||
+ char *userstyle, *s, *cp;
|
||||
size_t len;
|
||||
u_char type;
|
||||
int hostbound = 0, r, fail = 0;
|
||||
@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
+ if ((s = strchr(cp, '/')) != NULL)
|
||||
+ *s = '\0';
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||
{
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
- char *cp, *userstyle;
|
||||
+ char *cp, *s, *userstyle;
|
||||
size_t len;
|
||||
int r, fail = 0;
|
||||
u_char type;
|
||||
@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
+ if ((s = strchr(cp, '/')) != NULL)
|
||||
+ *s = '\0';
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
Index: openssh-9.6p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor.h
|
||||
+++ openssh-9.6p1/monitor.h
|
||||
@@ -55,6 +55,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ MONITOR_REQ_AUTHROLE = 80,
|
||||
+#endif
|
||||
+
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
Index: openssh-9.6p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor_wrap.c
|
||||
+++ openssh-9.6p1/monitor_wrap.c
|
||||
@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
+/* Inform the privileged process about role */
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
+{
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ debug3_f("entering");
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||
+
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
Index: openssh-9.6p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor_wrap.h
|
||||
+++ openssh-9.6p1/monitor_wrap.h
|
||||
@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
|
||||
const u_char *, size_t, const char *, const char *,
|
||||
const char *, u_int compat);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+void mm_inform_authrole(char *);
|
||||
+#endif
|
||||
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
Index: openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/Makefile.in
|
||||
+++ openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
@@ -100,7 +100,8 @@ PORTS= port-aix.o \
|
||||
port-prngd.o \
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
- port-uw.o
|
||||
+ port-uw.o \
|
||||
+ port-linux-sshd.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.c
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
-/* Set the execution context to the default for the specified user */
|
||||
-void
|
||||
-ssh_selinux_setup_exec_context(char *pwname)
|
||||
-{
|
||||
- char *user_ctx = NULL;
|
||||
-
|
||||
- if (!ssh_selinux_enabled())
|
||||
- return;
|
||||
-
|
||||
- debug3("%s: setting execution context", __func__);
|
||||
-
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
- if (setexeccon(user_ctx) != 0) {
|
||||
- switch (security_getenforce()) {
|
||||
- case -1:
|
||||
- fatal("%s: security_getenforce() failed", __func__);
|
||||
- case 0:
|
||||
- error("%s: Failed to set SELinux execution "
|
||||
- "context for %s", __func__, pwname);
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
- }
|
||||
- }
|
||||
- if (user_ctx != NULL)
|
||||
- freecon(user_ctx);
|
||||
-
|
||||
- debug3("%s: done", __func__);
|
||||
-}
|
||||
-
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ if (getexeccon(&user_ctx) != 0) {
|
||||
+ error_f("getexeccon: %s", strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
@@ -20,9 +20,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
-void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
+
|
||||
+void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
@@ -0,0 +1,421 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - just SELinux support for sshd at present
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/context.h>
|
||||
+#include <selinux/get_context_list.h>
|
||||
+#include <selinux/get_default_type.h>
|
||||
+
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+#include <libaudit.h>
|
||||
+#include <unistd.h>
|
||||
+#endif
|
||||
+
|
||||
+extern ServerOptions options;
|
||||
+extern Authctxt *the_authctxt;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+
|
||||
+/* Send audit message */
|
||||
+static int
|
||||
+sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
||||
+ security_context_t selected_context)
|
||||
+{
|
||||
+ int rc=0;
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ char *msg = NULL;
|
||||
+ int audit_fd = audit_open();
|
||||
+ security_context_t default_raw=NULL;
|
||||
+ security_context_t selected_raw=NULL;
|
||||
+ rc = -1;
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 0; /* No audit support in kernel */
|
||||
+ error("Error connecting to audit system.");
|
||||
+ return rc;
|
||||
+ }
|
||||
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
|
||||
+ error("Error translating default context.");
|
||||
+ default_raw = NULL;
|
||||
+ }
|
||||
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
|
||||
+ error("Error translating selected context.");
|
||||
+ selected_raw = NULL;
|
||||
+ }
|
||||
+ if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
|
||||
+ default_raw ? default_raw : (default_context ? default_context: "?"),
|
||||
+ selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
|
||||
+ error("Error allocating memory.");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
|
||||
+ msg, NULL, NULL, NULL, success) <= 0) {
|
||||
+ error("Error sending audit message.");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ rc = 0;
|
||||
+ out:
|
||||
+ free(msg);
|
||||
+ freecon(default_raw);
|
||||
+ freecon(selected_raw);
|
||||
+ close(audit_fd);
|
||||
+#endif
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+mls_range_allowed(security_context_t src, security_context_t dst)
|
||||
+{
|
||||
+ struct av_decision avd;
|
||||
+ int retval;
|
||||
+ access_vector_t bit;
|
||||
+ security_class_t class;
|
||||
+
|
||||
+ debug_f("src:%s dst:%s", src, dst);
|
||||
+ class = string_to_security_class("context");
|
||||
+ if (!class) {
|
||||
+ error("string_to_security_class failed to translate security class context");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ bit = string_to_av_perm(class, "contains");
|
||||
+ if (!bit) {
|
||||
+ error("string_to_av_perm failed to translate av perm contains");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ retval = security_compute_av(src, dst, class, bit, &avd);
|
||||
+ if (retval || ((bit & avd.allowed) != bit))
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+get_user_context(const char *sename, const char *role, const char *lvl,
|
||||
+ security_context_t *sc) {
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
|
||||
+ /* User may have requested a level completely outside of his
|
||||
+ allowed range. We get a context just for auditing as the
|
||||
+ range check below will certainly fail for default context. */
|
||||
+#endif
|
||||
+ if (get_default_context(sename, NULL, sc) != 0) {
|
||||
+ *sc = NULL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ }
|
||||
+#endif
|
||||
+ if (role != NULL && role[0]) {
|
||||
+ context_t con;
|
||||
+ char *type=NULL;
|
||||
+ if (get_default_type(role, &type) != 0) {
|
||||
+ error("get_default_type: failed to get default type for '%s'",
|
||||
+ role);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ con = context_new(*sc);
|
||||
+ if (!con) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ context_role_set(con, role);
|
||||
+ context_type_set(con, type);
|
||||
+ freecon(*sc);
|
||||
+ *sc = strdup(context_str(con));
|
||||
+ context_free(con);
|
||||
+ if (!*sc)
|
||||
+ return -1;
|
||||
+ }
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ if (lvl != NULL && lvl[0]) {
|
||||
+ /* verify that the requested range is obtained */
|
||||
+ context_t con;
|
||||
+ security_context_t obtained_raw;
|
||||
+ security_context_t requested_raw;
|
||||
+ con = context_new(*sc);
|
||||
+ if (!con) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ context_range_set(con, lvl);
|
||||
+ if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
|
||||
+ context_free(con);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
|
||||
+ freecon(obtained_raw);
|
||||
+ context_free(con);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ debug("get_user_context: obtained context '%s' requested context '%s'",
|
||||
+ obtained_raw, requested_raw);
|
||||
+ if (strcmp(obtained_raw, requested_raw)) {
|
||||
+ /* set the context to the real requested one but fail */
|
||||
+ freecon(requested_raw);
|
||||
+ freecon(obtained_raw);
|
||||
+ freecon(*sc);
|
||||
+ *sc = strdup(context_str(con));
|
||||
+ context_free(con);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ freecon(requested_raw);
|
||||
+ freecon(obtained_raw);
|
||||
+ context_free(con);
|
||||
+ }
|
||||
+#endif
|
||||
+ return 0;
|
||||
+ out:
|
||||
+ freecon(*sc);
|
||||
+ *sc = NULL;
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+ssh_selinux_get_role_level(char **role, const char **level)
|
||||
+{
|
||||
+ *role = NULL;
|
||||
+ *level = NULL;
|
||||
+ if (the_authctxt) {
|
||||
+ if (the_authctxt->role != NULL) {
|
||||
+ char *slash;
|
||||
+ *role = xstrdup(the_authctxt->role);
|
||||
+ if ((slash = strchr(*role, '/')) != NULL) {
|
||||
+ *slash = '\0';
|
||||
+ *level = slash + 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* Return the default security context for the given username */
|
||||
+static int
|
||||
+sshd_selinux_getctxbyname(char *pwname,
|
||||
+ security_context_t *default_sc, security_context_t *user_sc)
|
||||
+{
|
||||
+ char *sename, *lvl;
|
||||
+ char *role;
|
||||
+ const char *reqlvl;
|
||||
+ int r = 0;
|
||||
+ context_t con = NULL;
|
||||
+
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+
|
||||
+#ifdef HAVE_GETSEUSERBYNAME
|
||||
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
+ sename = NULL;
|
||||
+ lvl = NULL;
|
||||
+ }
|
||||
+#else
|
||||
+ sename = pwname;
|
||||
+ lvl = "";
|
||||
+#endif
|
||||
+
|
||||
+ if (r == 0) {
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ r = get_default_context_with_level(sename, lvl, NULL, default_sc);
|
||||
+#else
|
||||
+ r = get_default_context(sename, NULL, default_sc);
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
+ if (r == 0) {
|
||||
+ /* If launched from xinetd, we must use current level */
|
||||
+ if (inetd_flag && !rexeced_flag) {
|
||||
+ security_context_t sshdsc=NULL;
|
||||
+
|
||||
+ if (getcon_raw(&sshdsc) < 0)
|
||||
+ fatal("failed to allocate security context");
|
||||
+
|
||||
+ if ((con=context_new(sshdsc)) == NULL)
|
||||
+ fatal("failed to allocate selinux context");
|
||||
+ reqlvl = context_range_get(con);
|
||||
+ freecon(sshdsc);
|
||||
+ if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
|
||||
+ /* we actually don't change level */
|
||||
+ reqlvl = "";
|
||||
+
|
||||
+ debug_f("current connection level '%s'", reqlvl);
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
|
||||
+ r = get_user_context(sename, role, reqlvl, user_sc);
|
||||
+
|
||||
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
|
||||
+ security_context_t default_level_sc = *default_sc;
|
||||
+ if (role != NULL && role[0]) {
|
||||
+ if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
|
||||
+ default_level_sc = *default_sc;
|
||||
+ }
|
||||
+ /* verify that the requested range is contained in the user range */
|
||||
+ if (mls_range_allowed(default_level_sc, *user_sc)) {
|
||||
+ logit("permit MLS level %s (user range %s)", reqlvl, lvl);
|
||||
+ } else {
|
||||
+ r = -1;
|
||||
+ error("deny MLS level %s (user range %s)", reqlvl, lvl);
|
||||
+ }
|
||||
+ if (default_level_sc != *default_sc)
|
||||
+ freecon(default_level_sc);
|
||||
+ }
|
||||
+ } else {
|
||||
+ *user_sc = *default_sc;
|
||||
+ }
|
||||
+ }
|
||||
+ if (r != 0) {
|
||||
+ error_f("Failed to get default SELinux security "
|
||||
+ "context for %s", pwname);
|
||||
+ }
|
||||
+
|
||||
+#ifdef HAVE_GETSEUSERBYNAME
|
||||
+ free(sename);
|
||||
+ free(lvl);
|
||||
+#endif
|
||||
+
|
||||
+ if (role != NULL)
|
||||
+ free(role);
|
||||
+ if (con)
|
||||
+ context_free(con);
|
||||
+
|
||||
+ return (r);
|
||||
+}
|
||||
+
|
||||
+/* Setup environment variables for pam_selinux */
|
||||
+static int
|
||||
+sshd_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ const char *reqlvl;
|
||||
+ char *role;
|
||||
+ char *use_current;
|
||||
+ int rv;
|
||||
+
|
||||
+ debug3_f("setting execution context");
|
||||
+
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+
|
||||
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+
|
||||
+ if (inetd_flag && !rexeced_flag) {
|
||||
+ use_current = "1";
|
||||
+ } else {
|
||||
+ use_current = "";
|
||||
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
+ }
|
||||
+
|
||||
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
+
|
||||
+ if (role != NULL)
|
||||
+ free(role);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/* Set the execution context to the default for the specified user */
|
||||
+void
|
||||
+sshd_selinux_setup_exec_context(char *pwname)
|
||||
+{
|
||||
+ security_context_t user_ctx = NULL;
|
||||
+ int r = 0;
|
||||
+ security_context_t default_ctx = NULL;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (options.use_pam) {
|
||||
+ /* do not compute context, just setup environment for pam_selinux */
|
||||
+ if (sshd_selinux_setup_pam_variables()) {
|
||||
+ switch (security_getenforce()) {
|
||||
+ case -1:
|
||||
+ fatal_f("security_getenforce() failed");
|
||||
+ case 0:
|
||||
+ error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal_f("SELinux PAM variable setup failure. Aborting connection.");
|
||||
+ }
|
||||
+ }
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ debug3_f("setting execution context");
|
||||
+
|
||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||
+ if (r >= 0) {
|
||||
+ r = setexeccon(user_ctx);
|
||||
+ if (r < 0) {
|
||||
+ error_f("Failed to set SELinux execution context %s for %s",
|
||||
+ user_ctx, pwname);
|
||||
+ }
|
||||
+#ifdef HAVE_SETKEYCREATECON
|
||||
+ else if (setkeycreatecon(user_ctx) < 0) {
|
||||
+ error_f("Failed to set SELinux keyring creation context %s for %s",
|
||||
+ user_ctx, pwname);
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+ if (user_ctx == NULL) {
|
||||
+ user_ctx = default_ctx;
|
||||
+ }
|
||||
+ if (r < 0 || user_ctx != default_ctx) {
|
||||
+ /* audit just the case when user changed a role or there was
|
||||
+ a failure */
|
||||
+ sshd_selinux_send_audit_message(r >= 0, default_ctx, user_ctx);
|
||||
+ }
|
||||
+ if (r < 0) {
|
||||
+ switch (security_getenforce()) {
|
||||
+ case -1:
|
||||
+ fatal_f("security_getenforce() failed");
|
||||
+ case 0:
|
||||
+ error_f("ELinux failure. Continuing in permissive mode.");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal_f("SELinux failure. Aborting connection.");
|
||||
+ }
|
||||
+ }
|
||||
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
||||
+ freecon(user_ctx);
|
||||
+ if (default_ctx != NULL)
|
||||
+ freecon(default_ctx);
|
||||
+
|
||||
+ debug3_f("done");
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-9.6p1/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/platform.c
|
||||
+++ openssh-9.6p1/platform.c
|
||||
@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_exec_context(pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(pw->pw_name);
|
||||
#endif
|
||||
}
|
||||
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -2387,6 +2387,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
+#ifdef WITH_SELINUX
|
||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+#endif
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred(1);
|
39
openssh-7.9p1-keygen-preserve-perms.patch
Normal file
39
openssh-7.9p1-keygen-preserve-perms.patch
Normal file
@ -0,0 +1,39 @@
|
||||
commit 07ffb49749c310b82e44278ae05e081d6f4a82bf
|
||||
Author: Hans Petter Jansson <hpj@cl.no>
|
||||
Date: Fri Sep 27 01:57:16 2019 +0200
|
||||
|
||||
ssh-keygen: Preserve known_hosts permissions on rewrite
|
||||
|
||||
Transfer the permissions of the old known_hosts file instead of
|
||||
just going with what mkstemp() gives us. This is useful in corner
|
||||
cases where known_hosts is shared between users.
|
||||
|
||||
Index: openssh-8.8p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh-keygen.c
|
||||
+++ openssh-8.8p1/ssh-keygen.c
|
||||
@@ -1384,6 +1384,11 @@ do_known_hosts(struct passwd *pw, const
|
||||
if (inplace)
|
||||
unlink(tmp);
|
||||
} else if (inplace) {
|
||||
+ struct stat st;
|
||||
+
|
||||
+ /* Get metadata for existing file */
|
||||
+ r = stat(identity_file, &st);
|
||||
+
|
||||
/* Backup existing file */
|
||||
if (unlink(old) == -1 && errno != ENOENT)
|
||||
fatal("unlink %.100s: %s", old, strerror(errno));
|
||||
@@ -1398,6 +1403,12 @@ do_known_hosts(struct passwd *pw, const
|
||||
unlink(old);
|
||||
exit(1);
|
||||
}
|
||||
+ /* Preserve permissions; non-critical */
|
||||
+ if (r != -1)
|
||||
+ r = chown(identity_file, st.st_uid, st.st_gid);
|
||||
+ if (r != -1)
|
||||
+ chmod(identity_file,
|
||||
+ st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO));
|
||||
|
||||
printf("%s updated.\n", identity_file);
|
||||
printf("Original contents retained as %s\n", old);
|
76
openssh-7.9p1-revert-new-qos-defaults.patch
Normal file
76
openssh-7.9p1-revert-new-qos-defaults.patch
Normal file
@ -0,0 +1,76 @@
|
||||
commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b
|
||||
Author: Hans Petter Jansson <hpj@cl.no>
|
||||
Date: Thu Jun 20 23:54:11 2019 +0200
|
||||
|
||||
Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software
|
||||
|
||||
Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
|
||||
|
||||
Index: openssh-8.8p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/readconf.c
|
||||
+++ openssh-8.8p1/readconf.c
|
||||
@@ -2679,9 +2679,9 @@ fill_default_options(Options * options)
|
||||
if (options->visual_host_key == -1)
|
||||
options->visual_host_key = 0;
|
||||
if (options->ip_qos_interactive == -1)
|
||||
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
|
||||
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
|
||||
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->request_tty == -1)
|
||||
options->request_tty = REQUEST_TTY_AUTO;
|
||||
if (options->session_type == -1)
|
||||
Index: openssh-8.8p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.c
|
||||
+++ openssh-8.8p1/servconf.c
|
||||
@@ -459,9 +459,9 @@ fill_default_server_options(ServerOption
|
||||
if (options->permit_tun == -1)
|
||||
options->permit_tun = SSH_TUNMODE_NO;
|
||||
if (options->ip_qos_interactive == -1)
|
||||
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
|
||||
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
|
||||
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
Index: openssh-8.8p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config.5
|
||||
+++ openssh-8.8p1/ssh_config.5
|
||||
@@ -1182,11 +1182,9 @@ If one argument is specified, it is used
|
||||
If two values are specified, the first is automatically selected for
|
||||
interactive sessions and the second for non-interactive sessions.
|
||||
The default is
|
||||
-.Cm af21
|
||||
-(Low-Latency Data)
|
||||
+.Cm lowdelay
|
||||
for interactive sessions and
|
||||
-.Cm cs1
|
||||
-(Lower Effort)
|
||||
+.Cm throughput
|
||||
for non-interactive sessions.
|
||||
.It Cm KbdInteractiveAuthentication
|
||||
Specifies whether to use keyboard-interactive authentication.
|
||||
Index: openssh-8.8p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.5
|
||||
+++ openssh-8.8p1/sshd_config.5
|
||||
@@ -903,11 +903,9 @@ If one argument is specified, it is used
|
||||
If two values are specified, the first is automatically selected for
|
||||
interactive sessions and the second for non-interactive sessions.
|
||||
The default is
|
||||
-.Cm af21
|
||||
-(Low-Latency Data)
|
||||
+.Cm lowdelay
|
||||
for interactive sessions and
|
||||
-.Cm cs1
|
||||
-(Lower Effort)
|
||||
+.Cm throughput
|
||||
for non-interactive sessions.
|
||||
.It Cm KbdInteractiveAuthentication
|
||||
Specifies whether to allow keyboard-interactive authentication.
|
3966
openssh-8.0p1-gssapi-keyex.patch
Normal file
3966
openssh-8.0p1-gssapi-keyex.patch
Normal file
File diff suppressed because it is too large
Load Diff
2476
openssh-8.1p1-audit.patch
Normal file
2476
openssh-8.1p1-audit.patch
Normal file
File diff suppressed because it is too large
Load Diff
74
openssh-8.1p1-ed25519-use-openssl-rng.patch
Normal file
74
openssh-8.1p1-ed25519-use-openssl-rng.patch
Normal file
@ -0,0 +1,74 @@
|
||||
commit d281831d887044ede45d458c3dda74be9ae017e3
|
||||
Author: Hans Petter Jansson <hpj@hpjansson.org>
|
||||
Date: Fri Sep 25 23:26:58 2020 +0200
|
||||
|
||||
Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519
|
||||
|
||||
diff --git a/ed25519.c b/ed25519.c
|
||||
index 767ec24..5d506a9 100644
|
||||
--- a/ed25519.c
|
||||
+++ b/ed25519.c
|
||||
@@ -9,6 +9,13 @@
|
||||
|
||||
#include "crypto_api.h"
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+#include <openssl/rand.h>
|
||||
+#include <openssl/err.h>
|
||||
+#endif
|
||||
+
|
||||
+#include "log.h"
|
||||
+
|
||||
#define int8 crypto_int8
|
||||
#define uint8 crypto_uint8
|
||||
#define int16 crypto_int16
|
||||
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
|
||||
sc25519 scsk;
|
||||
ge25519 gepk;
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ /* Use FIPS approved RNG */
|
||||
+ if (RAND_bytes(sk, 32) <= 0)
|
||||
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
|
||||
+ (unsigned long)ERR_get_error());
|
||||
+#else
|
||||
randombytes(sk,32);
|
||||
+#endif
|
||||
+
|
||||
crypto_hash_sha512(az,sk,32);
|
||||
az[0] &= 248;
|
||||
az[31] &= 127;
|
||||
diff --git a/kexc25519.c b/kexc25519.c
|
||||
index f13d766..2604eda 100644
|
||||
--- a/kexc25519.c
|
||||
+++ b/kexc25519.c
|
||||
@@ -33,6 +33,13 @@
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+#include <openssl/rand.h>
|
||||
+#include <openssl/err.h>
|
||||
+#endif
|
||||
+
|
||||
+#include "log.h"
|
||||
+
|
||||
#include "sshkey.h"
|
||||
#include "kex.h"
|
||||
#include "sshbuf.h"
|
||||
@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
|
||||
{
|
||||
static const u_char basepoint[CURVE25519_SIZE] = {9};
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ /* Use FIPS approved RNG */
|
||||
+ if (RAND_bytes(key, CURVE25519_SIZE) <= 0)
|
||||
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
|
||||
+ (unsigned long)ERR_get_error());
|
||||
+#else
|
||||
arc4random_buf(key, CURVE25519_SIZE);
|
||||
+#endif
|
||||
+
|
||||
crypto_scalarmult_curve25519(pub, key, basepoint);
|
||||
}
|
||||
|
25
openssh-8.1p1-seccomp-clock_gettime64.patch
Normal file
25
openssh-8.1p1-seccomp-clock_gettime64.patch
Normal file
@ -0,0 +1,25 @@
|
||||
From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001
|
||||
From: Khem Raj <raj.khem@gmail.com>
|
||||
Date: Tue, 7 Jan 2020 16:26:45 -0800
|
||||
Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
|
||||
|
||||
This helps sshd accept connections on mips platforms with
|
||||
upcoming glibc ( 2.31 )
|
||||
---
|
||||
sandbox-seccomp-filter.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -279,6 +279,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_clock_nanosleep_time64
|
||||
SC_ALLOW(__NR_clock_nanosleep_time64),
|
||||
#endif
|
||||
+#ifdef __NR_clock_gettime64
|
||||
+ SC_ALLOW(__NR_clock_gettime64),
|
||||
+#endif
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(__NR__newselect),
|
||||
#endif
|
14
openssh-8.1p1-seccomp-clock_nanosleep.patch
Normal file
14
openssh-8.1p1-seccomp-clock_nanosleep.patch
Normal file
@ -0,0 +1,14 @@
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -273,6 +273,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_clock_gettime64
|
||||
SC_ALLOW(__NR_clock_gettime64),
|
||||
#endif
|
||||
+#ifdef __NR_clock_nanosleep
|
||||
+ SC_ALLOW(__NR_clock_nanosleep),
|
||||
+#endif
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(__NR__newselect),
|
||||
#endif
|
24
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
Normal file
24
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
Normal file
@ -0,0 +1,24 @@
|
||||
From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@dtucker.net>
|
||||
Date: Mon, 16 Dec 2019 13:55:56 +1100
|
||||
Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
|
||||
|
||||
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
|
||||
---
|
||||
sandbox-seccomp-filter.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_clock_nanosleep
|
||||
SC_ALLOW(__NR_clock_nanosleep),
|
||||
#endif
|
||||
+#ifdef __NR_clock_nanosleep_time64
|
||||
+ SC_ALLOW(__NR_clock_nanosleep_time64),
|
||||
+#endif
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(__NR__newselect),
|
||||
#endif
|
158
openssh-8.1p1-use-openssl-kdf.patch
Normal file
158
openssh-8.1p1-use-openssl-kdf.patch
Normal file
@ -0,0 +1,158 @@
|
||||
Index: openssh-8.8p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kex.c
|
||||
+++ openssh-8.8p1/kex.c
|
||||
@@ -40,6 +40,7 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
+#include <openssl/kdf.h>
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
@@ -1115,8 +1116,93 @@ kex_choose_conf(struct ssh *ssh)
|
||||
return r;
|
||||
}
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+
|
||||
+static const EVP_MD *
|
||||
+get_openssl_md_for_hash_alg (int hash_alg)
|
||||
+{
|
||||
+ if (hash_alg < 0 || hash_alg >= SSH_DIGEST_MAX)
|
||||
+ return NULL;
|
||||
+
|
||||
+ switch (hash_alg)
|
||||
+ {
|
||||
+ case SSH_DIGEST_MD5:
|
||||
+ return EVP_md5();
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ return EVP_sha1();
|
||||
+ case SSH_DIGEST_SHA256:
|
||||
+ return EVP_sha256();
|
||||
+ case SSH_DIGEST_SHA384:
|
||||
+ return EVP_sha384();
|
||||
+ case SSH_DIGEST_SHA512:
|
||||
+ return EVP_sha512();
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
-derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
+derive_key_via_openssl(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
+ const struct sshbuf *shared_secret, u_char **keyp)
|
||||
+{
|
||||
+ struct kex *kex = ssh->kex;
|
||||
+ EVP_KDF_CTX *hashctx = NULL;
|
||||
+ const EVP_MD *md = NULL;
|
||||
+ u_char *digest = NULL;
|
||||
+ int r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+
|
||||
+ hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF);
|
||||
+ if (!hashctx)
|
||||
+ goto out;
|
||||
+
|
||||
+ md = get_openssl_md_for_hash_alg (kex->hash_alg);
|
||||
+ if (!md)
|
||||
+ goto out;
|
||||
+
|
||||
+ if (EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_MD,
|
||||
+ md) != 1
|
||||
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_KEY,
|
||||
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)) != 1
|
||||
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
|
||||
+ (int) id) != 1
|
||||
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
|
||||
+ hash, (size_t) hashlen) != 1
|
||||
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||
+ sshbuf_ptr(kex->session_id),
|
||||
+ (size_t) sshbuf_len(kex->session_id)) != 1)
|
||||
+ goto out;
|
||||
+
|
||||
+ digest = calloc (1, need);
|
||||
+ if (!digest) {
|
||||
+ r = SSH_ERR_ALLOC_FAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (EVP_KDF_derive (hashctx, digest, need) != 1)
|
||||
+ goto out;
|
||||
+
|
||||
+ *keyp = digest;
|
||||
+ digest = NULL;
|
||||
+ r = 0;
|
||||
+
|
||||
+ out:
|
||||
+ if (hashctx)
|
||||
+ EVP_KDF_CTX_free(hashctx);
|
||||
+
|
||||
+ if (digest)
|
||||
+ free(digest);
|
||||
+
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+# error This version of openssh must be built with openssl to benefit from FIPS certification.
|
||||
+#endif
|
||||
+
|
||||
+static int
|
||||
+derive_key_via_internal(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
const struct sshbuf *shared_secret, u_char **keyp)
|
||||
{
|
||||
struct kex *kex = ssh->kex;
|
||||
@@ -1179,6 +1265,50 @@ derive_key(struct ssh *ssh, int id, u_in
|
||||
return r;
|
||||
}
|
||||
|
||||
+/* Belt and suspenders; we want the output from openssl because it's FIPS certified. However,
|
||||
+ * if there's a bug in the implementation, we should not proceed. Minimize risk by requiring
|
||||
+ * the implementations agree. */
|
||||
+static int
|
||||
+derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
+ const struct sshbuf *shared_secret, u_char **keyp)
|
||||
+{
|
||||
+#ifdef WITH_OPENSSL
|
||||
+
|
||||
+ u_char *buf_openssl = NULL, *buf_internal = NULL;
|
||||
+ int r;
|
||||
+
|
||||
+ r = derive_key_via_openssl (ssh, id, need, hash, hashlen, shared_secret, &buf_openssl);
|
||||
+ if (r != 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ r = derive_key_via_internal (ssh, id, need, hash, hashlen, shared_secret, &buf_internal);
|
||||
+ if (r != 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ if (memcmp (buf_openssl, buf_internal, need))
|
||||
+ {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ *keyp = buf_openssl;
|
||||
+ buf_openssl = NULL;
|
||||
+
|
||||
+ out:
|
||||
+ if (buf_openssl)
|
||||
+ free (buf_openssl);
|
||||
+ if (buf_internal)
|
||||
+ free (buf_internal);
|
||||
+
|
||||
+ return r;
|
||||
+
|
||||
+#else
|
||||
+
|
||||
+ return derive_key_via_internal (ssh, id, need, hash, hashlen, shared_secret, keyp);
|
||||
+
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
#define NKEYS 6
|
||||
int
|
||||
kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
|
13
openssh-8.4p1-pam_motd.patch
Normal file
13
openssh-8.4p1-pam_motd.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff -u openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config
|
||||
--- openssh-8.4p1.orig/sshd_config 2020-09-27 09:25:01.000000000 +0200
|
||||
+++ openssh-8.4p1/sshd_config 2021-05-18 19:15:39.190701511 +0200
|
||||
@@ -88,8 +88,7 @@
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
-#PrintMotd yes
|
||||
-#PrintLastLog yes
|
||||
+PrintMotd no
|
||||
#TCPKeepAlive yes
|
||||
#PermitUserEnvironment no
|
||||
#Compression delayed
|
40
openssh-8.4p1-ssh_config_d.patch
Normal file
40
openssh-8.4p1-ssh_config_d.patch
Normal file
@ -0,0 +1,40 @@
|
||||
Index: openssh-8.9p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh_config
|
||||
+++ openssh-8.9p1/ssh_config
|
||||
@@ -17,6 +17,13 @@
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
+# To modify the system-wide ssh configuration, create a "*.conf" file under
|
||||
+# "/etc/ssh/ssh_config.d/" which will be automatically included below.
|
||||
+# Don't edit this configuration file itself if possible to avoid update
|
||||
+# problems.
|
||||
+Include /etc/ssh/ssh_config.d/*.conf
|
||||
+Include /usr/etc/ssh/ssh_config.d/*.conf
|
||||
+
|
||||
Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
Index: openssh-8.9p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config
|
||||
+++ openssh-8.9p1/sshd_config
|
||||
@@ -5,10 +5,17 @@
|
||||
|
||||
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||
|
||||
+# To modify the system-wide sshd configuration, create a "*.conf" file under
|
||||
+# "/etc/ssh/sshd_config.d/" which will be automatically included below.
|
||||
+# Don't edit this configuration file itself if possible to avoid update
|
||||
+# problems.
|
||||
+Include /etc/ssh/sshd_config.d/*.conf
|
||||
+
|
||||
# The strategy used for options in the default sshd_config shipped with
|
||||
# OpenSSH is to specify options with their default value where
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
+Include /usr/etc/ssh/sshd_config.d/*.conf
|
||||
|
||||
#Port 22
|
||||
#AddressFamily any
|
208
openssh-8.4p1-vendordir.patch
Normal file
208
openssh-8.4p1-vendordir.patch
Normal file
@ -0,0 +1,208 @@
|
||||
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
|
||||
Index: openssh-8.9p1/dh.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/dh.c
|
||||
+++ openssh-8.9p1/dh.c
|
||||
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
|
||||
|
||||
static const char * get_moduli_filename(void)
|
||||
{
|
||||
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
|
||||
+ struct stat st;
|
||||
+
|
||||
+ if (moduli_filename)
|
||||
+ return moduli_filename;
|
||||
+
|
||||
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
|
||||
+ stat(_PATH_DH_MODULI, &st) == -1) {
|
||||
+ return _PATH_VENDOR_DH_MODULI;
|
||||
+ }
|
||||
+
|
||||
+ return _PATH_DH_MODULI;
|
||||
}
|
||||
|
||||
static int
|
||||
Index: openssh-8.9p1/pathnames.h
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/pathnames.h
|
||||
+++ openssh-8.9p1/pathnames.h
|
||||
@@ -18,6 +18,8 @@
|
||||
#define SSHDIR ETCDIR "/ssh"
|
||||
#endif
|
||||
|
||||
+#define VENDORDIR "/usr/etc/ssh"
|
||||
+
|
||||
#ifndef _PATH_SSH_PIDDIR
|
||||
#define _PATH_SSH_PIDDIR "/var/run"
|
||||
#endif
|
||||
@@ -35,13 +37,17 @@
|
||||
* should be world-readable.
|
||||
*/
|
||||
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
|
||||
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
|
||||
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
|
||||
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
|
||||
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
|
||||
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
|
||||
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
|
||||
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
||||
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
||||
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
||||
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
|
||||
+
|
||||
|
||||
#ifndef _PATH_SSH_PROGRAM
|
||||
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
||||
Index: openssh-8.9p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh.c
|
||||
+++ openssh-8.9p1/ssh.c
|
||||
@@ -549,6 +549,7 @@ static void
|
||||
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
|
||||
int *want_final_pass)
|
||||
{
|
||||
+ struct stat st;
|
||||
char buf[PATH_MAX];
|
||||
int r;
|
||||
|
||||
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
|
||||
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
|
||||
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
|
||||
|
||||
- /* Read systemwide configuration file after user config. */
|
||||
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
||||
- host, host_name, &options,
|
||||
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
|
||||
+ /* If only the vendor configuration file exists, use that.
|
||||
+ * Else use the standard configuration file.
|
||||
+ */
|
||||
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
|
||||
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
|
||||
+ /* Read vendor distributed configuration file. */
|
||||
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
|
||||
+ pw, host, host_name, &options,
|
||||
+ final_pass ? SSHCONF_FINAL : 0,
|
||||
+ want_final_pass);
|
||||
+ } else {
|
||||
+ /* Read systemwide configuration file after user config. */
|
||||
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
||||
+ host, host_name, &options,
|
||||
+ final_pass ? SSHCONF_FINAL : 0,
|
||||
+ want_final_pass);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
Index: openssh-8.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh_config.5
|
||||
+++ openssh-8.9p1/ssh_config.5
|
||||
@@ -54,6 +54,9 @@ user's configuration file
|
||||
.It
|
||||
system-wide configuration file
|
||||
.Pq Pa /etc/ssh/ssh_config
|
||||
+.It
|
||||
+vendor configuration file
|
||||
+.Pq Pa /usr/etc/ssh/ssh_config
|
||||
.El
|
||||
.Pp
|
||||
Unless noted otherwise, for each parameter, the first obtained value
|
||||
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
||||
values that are not specified in the user's configuration file, and
|
||||
for those users who do not have a configuration file.
|
||||
This file must be world-readable.
|
||||
+.It Pa /usr/etc/ssh/ssh_config
|
||||
+Vendor specific configuraiton file.
|
||||
+This file provides the vendor defaults and is used as fallback if the
|
||||
+.Ic /etc/ssh/ssh_config
|
||||
+configuration file does not exist.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1
|
||||
Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -148,7 +148,7 @@ extern char *__progname;
|
||||
ServerOptions options;
|
||||
|
||||
/* Name of the server configuration file. */
|
||||
-char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+char *config_file_name = NULL;
|
||||
|
||||
/*
|
||||
* Debug mode flag. This can be set on the command line. If debug
|
||||
@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
|
||||
int
|
||||
main(int ac, char **av)
|
||||
{
|
||||
+ struct stat st;
|
||||
struct ssh *ssh = NULL;
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
||||
*/
|
||||
(void)atomicio(vwrite, startup_pipe, "\0", 1);
|
||||
}
|
||||
+ } else if (config_file_name == NULL) {
|
||||
+ /* If only the vendor configuration file exists, use that.
|
||||
+ * Else use the standard configuration file.
|
||||
+ */
|
||||
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
|
||||
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
|
||||
+ /* fill with global distributor settings */
|
||||
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
|
||||
+ } else {
|
||||
+ /* load global admin settings */
|
||||
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+ }
|
||||
+ load_server_config(config_file_name, cfg);
|
||||
} else if (strcasecmp(config_file_name, "none") != 0)
|
||||
+ /* load config specified on commandline */
|
||||
load_server_config(config_file_name, cfg);
|
||||
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
+++ openssh-8.9p1/sshd_config.5
|
||||
@@ -44,7 +44,9 @@
|
||||
.Xr sshd 8
|
||||
reads configuration data from
|
||||
.Pa /etc/ssh/sshd_config
|
||||
-(or the file specified with
|
||||
+(
|
||||
+.Pa /usr/etc/ssh/sshd_config
|
||||
+if the file does not exist or the file specified with
|
||||
.Fl f
|
||||
on the command line).
|
||||
The file contains keyword-argument pairs, one per line.
|
||||
Index: openssh-8.9p1/ssh-keysign.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh-keysign.c
|
||||
+++ openssh-8.9p1/ssh-keysign.c
|
||||
@@ -186,6 +186,7 @@ main(int argc, char **argv)
|
||||
u_char *signature, *data, rver;
|
||||
char *host, *fp, *pkalg;
|
||||
size_t slen, dlen;
|
||||
+ struct stat st;
|
||||
|
||||
if (pledge("stdio rpath getpw dns id", NULL) != 0)
|
||||
fatal("%s: pledge: %s", __progname, strerror(errno));
|
||||
@@ -219,8 +220,14 @@ main(int argc, char **argv)
|
||||
|
||||
/* verify that ssh-keysign is enabled by the admin */
|
||||
initialize_options(&options);
|
||||
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
||||
- &options, 0, NULL);
|
||||
+
|
||||
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
|
||||
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
||||
+ &options, 0, NULL);
|
||||
+ else
|
||||
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
|
||||
+ &options, 0, NULL);
|
||||
+
|
||||
(void)fill_default_options(&options);
|
||||
if (options.enable_ssh_keysign != 1)
|
||||
fatal("ssh-keysign not enabled in %s",
|
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
Normal file
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
openssh-9.6p1.tar.gz.asc
Normal file
16
openssh-9.6p1.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
|
||||
YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
|
||||
rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
|
||||
0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
|
||||
N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
|
||||
sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
|
||||
zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
|
||||
I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
|
||||
UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
|
||||
iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
|
||||
xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
|
||||
la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
|
||||
=G9YA
|
||||
-----END PGP SIGNATURE-----
|
334
openssh-askpass-gnome.changes
Normal file
334
openssh-askpass-gnome.changes
Normal file
@ -0,0 +1,334 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Update to openssh 9.6p1:
|
||||
* No changes for askpass, see main package changelog for
|
||||
details.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <sflees@suse.de>
|
||||
|
||||
- Update to openssh 9.3p2
|
||||
* No changes for askpass, see main package changelog for
|
||||
details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||
|
||||
- openssh-askpass-gnome: require only openssh-clients, not the full
|
||||
openssh (including -server), to avoid pulling in excessive
|
||||
dependencies when installing git on Gnome (boo#1211446)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.3p1
|
||||
* No changes for askpass, see main package changelog for
|
||||
details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Version upgrade to 8.8p1
|
||||
* No changes for askpass, see main package changelog for
|
||||
details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
- Upgrade some old specfile constructs/macros.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 10 22:44:00 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Supplement openssh-clients instead of openssh (bsc#1176434).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 18 14:07:56 UTC 2019 - Fabian Vogt <fvogt@suse.com>
|
||||
|
||||
- Supplement libgtk-3-0 instead to avoid installation on a textmode install
|
||||
(boo#1142000)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 14 10:36:03 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Supplement the openssh and libx11 together to ensure this package
|
||||
is installed on machines where there is X stack
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Version update to 7.9p1
|
||||
* No actual changes for the askpass
|
||||
* See main package changelog for details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Update to 7.8p1:
|
||||
* no actual changes for the askpass
|
||||
- Format with spec-cleaner
|
||||
- Respect cflags
|
||||
- Use gtk3 rather than gtk2 which is being phased out
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
|
||||
|
||||
- Upgrade to 7.7p1 (bsc#1094068)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 31 22:54:55 UTC 2018 - pcerny@suse.com
|
||||
|
||||
- .spec file cleanup
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||
|
||||
- upgrade to 7.6p1
|
||||
see main package changelog for details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
|
||||
|
||||
- fixed url
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Apr 17 23:27:51 UTC 2016 - pcerny@suse.com
|
||||
|
||||
- upgrade to 7.2p2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 10 13:28:56 UTC 2015 - pcerny@suse.com
|
||||
|
||||
- changing license to 2-clause BSD to match source
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
|
||||
|
||||
- Update of the underlying OpenSSH to 6.6p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com
|
||||
|
||||
- Update of the underlying OpenSSH to 6.5p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
|
||||
|
||||
- Update of the underlying OpenSSH to 6.4p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 19 02:02:56 UTC 2013 - pcerny@suse.com
|
||||
|
||||
- spec file cleanup (don't pointelssly build whole OpenSSH)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Aug 3 18:12:20 UTC 2013 - crrodriguez@opensuse.org
|
||||
|
||||
- Update for 6.2p2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 13 10:51:12 UTC 2012 - meissner@suse.com
|
||||
|
||||
- Updated to 6.1p1, a bugfix release
|
||||
Features:
|
||||
* sshd(8): This release turns on pre-auth sandboxing sshd by default for
|
||||
new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
|
||||
* ssh-keygen(1): Add options to specify starting line number and number of
|
||||
lines to process when screening moduli candidates, allowing processing
|
||||
of different parts of a candidate moduli file in parallel
|
||||
* sshd(8): The Match directive now supports matching on the local (listen)
|
||||
address and port upon which the incoming connection was received via
|
||||
LocalAddress and LocalPort clauses.
|
||||
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
|
||||
and {Allow,Deny}{Users,Groups}
|
||||
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
|
||||
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
|
||||
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
|
||||
an argument to refuse all port-forwarding requests.
|
||||
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
|
||||
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
|
||||
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
|
||||
to append some arbitrary text to the server SSH protocol banner.
|
||||
Bugfixes:
|
||||
* ssh(1)/sshd(8): Don't spin in accept() in situations of file
|
||||
descriptor exhaustion. Instead back off for a while.
|
||||
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
|
||||
they were removed from the specification. bz#2023,
|
||||
* sshd(8): Handle long comments in config files better. bz#2025
|
||||
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly
|
||||
picked up. bz#1995
|
||||
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
|
||||
on platforms that use login_cap.
|
||||
Portable OpenSSH:
|
||||
* sshd(8): Allow sshd pre-auth sandboxing to fall-back to the rlimit
|
||||
sandbox from the Linux SECCOMP filter sandbox when the latter is
|
||||
not available in the kernel.
|
||||
* ssh(1): Fix NULL dereference when built with LDNS and using DNSSEC to
|
||||
retrieve a CNAME SSHFP record.
|
||||
* Fix cross-compilation problems related to pkg-config. bz#1996
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 27 09:51:19 UTC 2012 - coolo@suse.com
|
||||
|
||||
- the gnome askpass does not require the x11 askpass - especially not
|
||||
in the version of openssh (it's at 1.X)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 29 07:14:53 UTC 2012 - meissner@suse.com
|
||||
|
||||
- use correct tarball url
|
||||
- update to 6.0p1.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 28 11:42:32 UTC 2012 - aj@suse.de
|
||||
|
||||
- Add build require on autoconf and automake.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 21 10:31:42 UTC 2011 - coolo@suse.com
|
||||
|
||||
- remove call to suse_update_config (very old work around)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 19 00:40:15 UTC 2011 - pcerny@suse.com
|
||||
|
||||
- Update to 5.9p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 4 11:19:14 UTC 2011 - lchiquitto@novell.com
|
||||
|
||||
- Update to 5.8p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com
|
||||
|
||||
- Update to 5.7p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
|
||||
|
||||
- Removed relics of no more implemented opensc support.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 24 15:50:17 CEST 2010 - anicka@suse.cz
|
||||
|
||||
- update to 5.6p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 26 11:04:59 CET 2010 - anicka@suse.cz
|
||||
|
||||
- update to 5.4p1
|
||||
- remove -pam-fix4.diff (in upstream now)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz
|
||||
|
||||
- update to 5.2p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 9 14:35:42 CEST 2008 - anicka@suse.cz
|
||||
|
||||
- update to 5.0p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 2 15:06:01 CEST 2008 - anicka@suse.cz
|
||||
|
||||
- update to 4.9p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 5 10:56:07 CET 2007 - anicka@suse.cz
|
||||
|
||||
- - update to 4.7p1
|
||||
* Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
|
||||
GSSAPIDelegateCredentials=yes. This is symmetric with -k
|
||||
* make scp try to skip FIFOs rather than blocking when nothing is
|
||||
listening.
|
||||
* increase default channel windows
|
||||
* put the MAC list into a display
|
||||
* many bugfixes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz
|
||||
|
||||
- update to 4.5p1
|
||||
* Use privsep_pw if we have it, but only require it if we
|
||||
absolutely need it.
|
||||
* Correctly check for bad signatures in the monitor, otherwise
|
||||
the monitor and the unpriv process can get out of sync.
|
||||
* Clear errno before calling the strtol functions.
|
||||
* exit instead of doing a blocking tcp send if we detect
|
||||
a client/server timeout, since the tcp sendqueue might
|
||||
be already full (of alive requests)
|
||||
* include signal.h, errno.h, sys/in.h
|
||||
* some more bugfixes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 4 12:56:40 CEST 2006 - postadal@suse.cz
|
||||
|
||||
- updated to version 4.4p1 [#208662]
|
||||
* fixed pre-authentication DoS, that would cause sshd(8) to spin
|
||||
until the login grace time expired
|
||||
* fixed unsafe signal hander, which was vulnerable to a race condition
|
||||
that could be exploited to perform a pre-authentication DoS
|
||||
* fixed a GSSAPI authentication abort that could be used to determine
|
||||
the validity of usernames on some platforms
|
||||
* implemented conditional configuration in sshd_config(5) using the
|
||||
"Match" directive
|
||||
* added support for Diffie-Hellman group exchange key agreement with a
|
||||
final hash of SHA256
|
||||
* added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
|
||||
* added optional logging of transactions to sftp-server(8)
|
||||
* ssh(1) will now record port numbers for hosts stored in
|
||||
~/.ssh/authorized_keys when a non-standard port has been requested
|
||||
* added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
|
||||
a non-zero exit code) when requested port forwardings could not be
|
||||
established
|
||||
* extended sshd_config(5) "SubSystem" declarations to allow the
|
||||
specification of command-line arguments
|
||||
- removed obsoleted patches: autoconf-fix.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 13:40:10 CEST 2006 - schwab@suse.de
|
||||
|
||||
- Fix syntax error in configure script.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 25 21:39:06 CET 2006 - mls@suse.de
|
||||
|
||||
- converted neededforbuild to BuildRequires
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 3 15:54:49 CET 2006 - postadal@suse.cz
|
||||
|
||||
- updated to version 4.2p1
|
||||
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 8 16:20:06 CEST 2005 - postadal@suse.cz
|
||||
|
||||
- don't strip
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 4 11:30:18 CEST 2005 - uli@suse.de
|
||||
|
||||
- parallelize build
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 10 16:24:22 CEST 2005 - postadal@suse.cz
|
||||
|
||||
- updated to version 4.1p1
|
||||
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
|
||||
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
|
||||
sendenv-fix, documentation-fix
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 19 18:25:29 CET 2005 - postadal@suse.cz
|
||||
|
||||
- renamed askpass-gnome package to openssh-askpass-gnome
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 19 15:58:07 CET 2005 - postadal@suse.cz
|
||||
|
||||
- splited spec file to decreas number of build dependencies
|
||||
|
66
openssh-askpass-gnome.spec
Normal file
66
openssh-askpass-gnome.spec
Normal file
@ -0,0 +1,66 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 9.6p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
Group: Productivity/Networking/SSH
|
||||
URL: https://www.openssh.com/
|
||||
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
||||
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
||||
Requires: %{_name}-clients = %{version}
|
||||
Supplements: packageand(openssh-clients:libgtk-3-0)
|
||||
%if 0%{?suse_version} >= 1550
|
||||
BuildRequires: gtk3-devel
|
||||
%else
|
||||
BuildRequires: gtk2-devel
|
||||
%endif
|
||||
|
||||
%description
|
||||
SSH (Secure Shell) is a program for logging into a remote machine and
|
||||
for executing commands on a remote machine. This package contains a
|
||||
GNOME-based passphrase dialog for OpenSSH.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n %{_name}-%{version}
|
||||
|
||||
%build
|
||||
cd contrib
|
||||
export CFLAGS="%{optflags}"
|
||||
%if 0%{?suse_version} >= 1550
|
||||
%make_build gnome-ssh-askpass3
|
||||
%else
|
||||
%make_build gnome-ssh-askpass2
|
||||
%endif
|
||||
|
||||
%install
|
||||
install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
|
||||
%if 0%{?suse_version} >= 1550
|
||||
install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
|
||||
%else
|
||||
install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
|
||||
%endif
|
||||
|
||||
%files
|
||||
%dir %{_libexecdir}/ssh
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/gnome-ssh-askpass
|
||||
|
||||
%changelog
|
19
openssh-do-not-send-empty-message.patch
Normal file
19
openssh-do-not-send-empty-message.patch
Normal file
@ -0,0 +1,19 @@
|
||||
--- openssh-8.4p1.orig/auth-pam.c 2020-09-27 09:25:01.000000000 +0200
|
||||
+++ openssh-8.4p1/auth-pam.c 2022-03-04 13:02:23.447712697 +0100
|
||||
@@ -638,10 +638,12 @@
|
||||
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
- if ((r = sshbuf_putf(loginmsg, "%s\n",
|
||||
- PAM_MSG_MEMBER(msg, i, msg))) != 0)
|
||||
- fatal("%s: buffer error: %s",
|
||||
- __func__, ssh_err(r));
|
||||
+ if (strlen(PAM_MSG_MEMBER(msg, i, msg)) != 0) {
|
||||
+ if ((r = sshbuf_putf(loginmsg, "%s\n",
|
||||
+ PAM_MSG_MEMBER(msg, i, msg))) != 0)
|
||||
+ fatal("%s: buffer error: %s",
|
||||
+ __func__, ssh_err(r));
|
||||
+ }
|
||||
reply[i].resp_retcode = PAM_SUCCESS;
|
||||
break;
|
||||
default:
|
78
openssh-fips-ensure-approved-moduli.patch
Normal file
78
openssh-fips-ensure-approved-moduli.patch
Normal file
@ -0,0 +1,78 @@
|
||||
commit 15c95d6eb2e8bc549719578c9a16541015363360
|
||||
Author: Hans Petter Jansson <hpj@hpjansson.org>
|
||||
Date: Mon Oct 26 22:26:46 2020 +0100
|
||||
|
||||
Ensure DHGs are approved in FIPS mode using OpenSSL's DH_check_params()
|
||||
|
||||
Index: openssh-8.8p1/dh.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/dh.c
|
||||
+++ openssh-8.8p1/dh.c
|
||||
@@ -155,6 +155,28 @@ parse_prime(int linenum, char *line, str
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int
|
||||
+dhg_is_approved(const struct dhgroup *dhg)
|
||||
+{
|
||||
+ BIGNUM *g, *p;
|
||||
+ DH *dh;
|
||||
+ int dh_status;
|
||||
+ int is_ok = 0;
|
||||
+
|
||||
+ /* DH_set0_pqg() transfers ownership of the bignums, so we
|
||||
+ * make temporary copies here for simplicity. */
|
||||
+ g = BN_dup(dhg->g);
|
||||
+ p = BN_dup(dhg->p);
|
||||
+ dh = dh_new_group(g, p);
|
||||
+
|
||||
+ if (dh) {
|
||||
+ is_ok = DH_check_params(dh, &dh_status);
|
||||
+ }
|
||||
+
|
||||
+ DH_free(dh);
|
||||
+ return is_ok;
|
||||
+}
|
||||
+
|
||||
DH *
|
||||
choose_dh(int min, int wantbits, int max)
|
||||
{
|
||||
@@ -173,12 +195,20 @@ choose_dh(int min, int wantbits, int max
|
||||
linenum = 0;
|
||||
best = bestcount = 0;
|
||||
while (getline(&line, &linesize, f) != -1) {
|
||||
+ int dhg_is_ok;
|
||||
+
|
||||
linenum++;
|
||||
if (!parse_prime(linenum, line, &dhg))
|
||||
continue;
|
||||
+
|
||||
+ dhg_is_ok = dhg_is_approved(&dhg);
|
||||
+
|
||||
BN_clear_free(dhg.g);
|
||||
BN_clear_free(dhg.p);
|
||||
|
||||
+ if (!dhg_is_ok)
|
||||
+ continue;
|
||||
+
|
||||
if (dhg.size > max || dhg.size < min)
|
||||
continue;
|
||||
|
||||
@@ -206,10 +236,16 @@ choose_dh(int min, int wantbits, int max
|
||||
linenum = 0;
|
||||
bestcount = 0;
|
||||
while (getline(&line, &linesize, f) != -1) {
|
||||
+ int dhg_is_ok;
|
||||
+
|
||||
linenum++;
|
||||
if (!parse_prime(linenum, line, &dhg))
|
||||
continue;
|
||||
- if ((dhg.size > max || dhg.size < min) ||
|
||||
+
|
||||
+ dhg_is_ok = dhg_is_approved(&dhg);
|
||||
+
|
||||
+ if (!dhg_is_ok ||
|
||||
+ (dhg.size > max || dhg.size < min) ||
|
||||
dhg.size != best ||
|
||||
bestcount++ != which) {
|
||||
BN_clear_free(dhg.g);
|
15
openssh-link-with-sk.patch
Normal file
15
openssh-link-with-sk.patch
Normal file
@ -0,0 +1,15 @@
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -252,8 +252,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
||||
- $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
|
||||
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
125
openssh-openssl-3.patch
Normal file
125
openssh-openssl-3.patch
Normal file
@ -0,0 +1,125 @@
|
||||
---
|
||||
fips.c | 5 +++++
|
||||
kex.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
2 files changed, 65 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/fips.c
|
||||
+++ b/fips.c
|
||||
@@ -48,6 +48,11 @@
|
||||
|
||||
static int fips_state = -1;
|
||||
|
||||
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
||||
+# define FIPS_mode_set(x) EVP_default_properties_enable_fips(NULL,x)
|
||||
+#endif
|
||||
+
|
||||
/* calculates HMAC of contents of a file given by filename using the hash
|
||||
* algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
|
||||
* newly allacated memory - remember to free it when not needed anymore */
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -41,6 +41,9 @@
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/kdf.h>
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+# include <openssl/core_names.h>
|
||||
+# endif
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
@@ -1191,14 +1194,61 @@ derive_key_via_openssl(struct ssh *ssh,
|
||||
{
|
||||
struct kex *kex = ssh->kex;
|
||||
EVP_KDF_CTX *hashctx = NULL;
|
||||
- const EVP_MD *md = NULL;
|
||||
u_char *digest = NULL;
|
||||
int r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ OSSL_PARAM params[6], *p = params;
|
||||
+ char type = (char) id;
|
||||
+ EVP_KDF *kdf = EVP_KDF_fetch (NULL, "SSHKDF", NULL);
|
||||
+ if (!kdf)
|
||||
+ goto out;
|
||||
+ hashctx = EVP_KDF_CTX_new (kdf);
|
||||
+# else
|
||||
+ const EVP_MD *md = NULL;
|
||||
hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF);
|
||||
+# endif
|
||||
if (!hashctx)
|
||||
goto out;
|
||||
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ switch (kex->hash_alg)
|
||||
+ {
|
||||
+ case SSH_DIGEST_MD5:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_md5, strlen(SN_md5));
|
||||
+ break;
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_sha1, strlen(SN_sha1));
|
||||
+ break;
|
||||
+ case SSH_DIGEST_SHA256:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_sha256, strlen(SN_sha256));
|
||||
+ break;
|
||||
+ case SSH_DIGEST_SHA384:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_sha384, strlen(SN_sha384));
|
||||
+ break;
|
||||
+ case SSH_DIGEST_SHA512:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_sha512, strlen(SN_sha512));
|
||||
+ break;
|
||||
+ default:
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
|
||||
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
|
||||
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
|
||||
+ hash, (size_t) hashlen);
|
||||
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
|
||||
+ sshbuf_ptr(kex->session_id), (size_t) sshbuf_len(kex->session_id));
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
|
||||
+ &type, sizeof(type));
|
||||
+ *p = OSSL_PARAM_construct_end();
|
||||
+
|
||||
+# else
|
||||
md = get_openssl_md_for_hash_alg (kex->hash_alg);
|
||||
if (!md)
|
||||
goto out;
|
||||
@@ -1215,6 +1265,7 @@ derive_key_via_openssl(struct ssh *ssh,
|
||||
sshbuf_ptr(kex->session_id),
|
||||
(size_t) sshbuf_len(kex->session_id)) != 1)
|
||||
goto out;
|
||||
+# endif
|
||||
|
||||
digest = calloc (1, need);
|
||||
if (!digest) {
|
||||
@@ -1222,7 +1273,11 @@ derive_key_via_openssl(struct ssh *ssh,
|
||||
goto out;
|
||||
}
|
||||
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ if (EVP_KDF_derive (hashctx, digest, need, params) != 1)
|
||||
+# else
|
||||
if (EVP_KDF_derive (hashctx, digest, need) != 1)
|
||||
+# endif
|
||||
goto out;
|
||||
|
||||
*keyp = digest;
|
||||
@@ -1233,6 +1288,10 @@ derive_key_via_openssl(struct ssh *ssh,
|
||||
if (hashctx)
|
||||
EVP_KDF_CTX_free(hashctx);
|
||||
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ EVP_KDF_free(kdf);
|
||||
+# endif
|
||||
+
|
||||
if (digest)
|
||||
free(digest);
|
||||
|
41
openssh-reenable-dh-group14-sha1-default.patch
Normal file
41
openssh-reenable-dh-group14-sha1-default.patch
Normal file
@ -0,0 +1,41 @@
|
||||
Index: openssh-8.9p1/myproposal.h
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/myproposal.h
|
||||
+++ openssh-8.9p1/myproposal.h
|
||||
@@ -34,7 +34,8 @@
|
||||
"diffie-hellman-group-exchange-sha256," \
|
||||
"diffie-hellman-group16-sha512," \
|
||||
"diffie-hellman-group18-sha512," \
|
||||
- "diffie-hellman-group14-sha256"
|
||||
+ "diffie-hellman-group14-sha256," \
|
||||
+ "diffie-hellman-group14-sha1"
|
||||
|
||||
#define KEX_CLIENT_KEX KEX_SERVER_KEX
|
||||
|
||||
Index: openssh-8.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh_config.5
|
||||
+++ openssh-8.9p1/ssh_config.5
|
||||
@@ -1228,7 +1228,8 @@ sntrup761x25519-sha512@openssh.com,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group16-sha512,
|
||||
diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
+diffie-hellman-group14-sha256,
|
||||
+diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
+++ openssh-8.9p1/sshd_config.5
|
||||
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
34
openssh-whitelist-syscalls.patch
Normal file
34
openssh-whitelist-syscalls.patch
Normal file
@ -0,0 +1,34 @@
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -201,6 +201,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_close
|
||||
SC_ALLOW(__NR_close),
|
||||
#endif
|
||||
+#ifdef __NR_close_range
|
||||
+ SC_ALLOW(__NR_close_range),
|
||||
+#endif
|
||||
#ifdef __NR_exit
|
||||
SC_ALLOW(__NR_exit),
|
||||
#endif
|
||||
@@ -213,6 +216,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_futex_time64
|
||||
SC_FUTEX(__NR_futex_time64),
|
||||
#endif
|
||||
+#ifdef __NR_futex_time64
|
||||
+ SC_ALLOW(__NR_futex_time64),
|
||||
+#endif
|
||||
#ifdef __NR_geteuid
|
||||
SC_ALLOW(__NR_geteuid),
|
||||
#endif
|
||||
@@ -293,6 +299,9 @@ static const struct sock_filter preauth_
|
||||
#endif
|
||||
#ifdef __NR_pselect6_time64
|
||||
SC_ALLOW(__NR_pselect6_time64),
|
||||
+#endif
|
||||
+#ifdef __NR_pselect6_time64
|
||||
+ SC_ALLOW(__NR_pselect6_time64),
|
||||
#endif
|
||||
#ifdef __NR_read
|
||||
SC_ALLOW(__NR_read),
|
6027
openssh.changes
Normal file
6027
openssh.changes
Normal file
File diff suppressed because it is too large
Load Diff
353
openssh.keyring
Normal file
353
openssh.keyring
Normal file
@ -0,0 +1,353 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQGiBDqa5pwRBADJSEyXXsgXiyytN93prDPTPmrueRP9lQQfgaQvCvqK0bN0AF1Z
|
||||
Vxxk9wlSXQp3+Qw5+qqsN5ovzsn39r9pqGslfCqQn9ACTmsn42+VCyW4hdwUGSBS
|
||||
5myh65ZJTK1ufWCZFssxQ0EiALagu4DlH6Z2O7tFDnJNagF55vlnK0uMQwCg/8RU
|
||||
QYDmisEHjkarAapPaupxjhkD/j9riCVasWPYJwAuhiQWAKxGRwp/ZyTaWCSERUBR
|
||||
4Dg9QxpuwHKIT8BeDA3hJa/9Yxu5jec2NVKbtVSZvRkgUfRNOkrcH2eiY8Iz6est
|
||||
J64dGWuGMKQW0GEqW+OXpRTTPJZ0mgPmU16qDzLPdx6F3BAk2LG+TTwlKUPuGqOt
|
||||
6u2EA/4+1CBYZ8mXq9GJnLRBPAoYwSJJzbQnMm9Jat/yg9N6nigSIiFyG8ixh167
|
||||
gGGKfzvpjY7DeJzDI0Cub+tRova8gFg+T15AcPMST5v7v6O/ug9aYWERZ0zjUhRH
|
||||
ybtYLYhUUbdYM29PwGBNfZhGIOYwfFE9UpPS5LeXHs28oVLlH4jcBCARAgCcBQJS
|
||||
ppQ+lR0BVGhpcyBrZXkgaGFzIGJlZW4gc3VwZXJzZWRlZCBieSBrZXkgSUQgNkQ5
|
||||
MjBEMzAKS2V5IGZpbmdlcnByaW50ID0gNTlDMiAxMThFIEQyMDYgRDkyNyBFNjY3
|
||||
ICBFQkUzIEQzRTUgRjU2QiA2RDkyIDBEMzAKUGxlYXNlIHVwZGF0ZSB0byB0aGlz
|
||||
IG5ldyBrZXkuAAoJEM6OywOG/5xIWdMAoJZA/6ls+J6YIpVDFHkb4/8fl0w4AJ90
|
||||
K3I7hssc7QuWHfPlq3EozRtjIbQuRGFtaWVuIE1pbGxlciAoUGVyc29uYWwgS2V5
|
||||
KSA8ZGptQG1pbmRyb3Qub3JnPohXBBMRAgAXBQI6muacBQsHCgMEAxUDAgMWAgEC
|
||||
F4AACgkQzo7LA4b/nEiDMgCZAUzKq241h5GTJxC0guS6ht9i9ZsAoL/oXCmFsofA
|
||||
RehZF6AakIdasvS9iEYEExECAAYFAj77h64ACgkQmD+U6HbiLS3r4ACfclqiFP6E
|
||||
TBkTbjqC328yXlT2rlEAnR6Wv3SNayY4jOgfxCMxi61S2CkAiQGsBBABAgAGBQJS
|
||||
ppEIAAoJENPl9Wttkg0wMMsMf0tC6QkZnCkTiEVSar2Bd0gJWRCZOGgWwYnXVXif
|
||||
5UaQhRgfXyXDxADWi76UYl4v8UFrH9yODXhZM0hoNbt6T98stHmw3dIvrYfhRgQ0
|
||||
83p/N7II3i1iDJDUZ9PA8n4c5BWXirOUXPxtp23WgsEqG5DaN3CGo99YZO8aB3AH
|
||||
hWd8xvGGDOKOMpAPQekgG/CZw3pcdaSOsZvOEOnbk/VuI2DVjTu/hX0PmRKkfeVf
|
||||
aafi6bcDkm8Vs7Sw4TIrNmGJTKIDhwXSrFlDfs/CmZJUxzP/S7W+dZ4kvESDSWia
|
||||
wmxQFMIxRqgHeLiRHYXCL5Fg+WYFv+EMj/ta5PVot86/iWfrj0MRKZFCpRfDjqTv
|
||||
t0G0ziOW9kTFK8TpxBacJR7n4whM6SNf6L9onHn7xqx2r0J8TLcua9hTvapuNPdL
|
||||
y1cxAKMZO8q10AMGkYd03qLlHxtgKXBeWkV/UYAc1zArv4JFdWTraLbIHmi8jpvE
|
||||
NM3qcNWuNVyiTi4Kxum+CFd8V7b4X/6yBLRD/U6/dMUy4LiIVwQTEQIAFwUCOprm
|
||||
nAULBwoDBAMVAwIDFgIBAheAAAoJEM6OywOG/5xIgzIAnjRm47SkL5RQ9lDvVdm5
|
||||
SmNw0HX0AKC+AssIfepBFkPIFBSLcNoSWiTkzrkCDQQ6mubUEAgA8/15wnMpXvYZ
|
||||
sYMp7a9+WUCSsfYOn7QcNe/CUsDNzuyTThqd/fBIeEPa5BKeTR9alXnBvedxbnnU
|
||||
/SAF6q/KY6ebXajGAnGisvmidEsNc1Q9lTmN4e0sn1NuaXGIhxGtYK3yj1aFpudy
|
||||
MFhlVbarheXYpgHu+fg9Gl8lQjr9BM/cICUeh+vZaeP3A9hsjWhmq8GPRy7xxb1z
|
||||
jWNqpvxleTo8jlDuNYJkOKcl0IfoKHBRR6zNAM73iLMIDaSdMTVl1/IlxrK92Ar6
|
||||
puyaCFPSSsQ1fvem8Qy303SqaC2Cm+vFnbZgMpbIqOfomX1rXTm/16ZNmMeS3Wnc
|
||||
vf/p95unLwAFEQgAq76FUm3dDEdBVl/mwWdDY0nDQaN5D0kgp0Oo0R6JJM+ea/jB
|
||||
3u3asQid6Zru2kTpdn4LoOsKG/u/ql3ypHv03U+sLgm+AnRUurT4D632FfosKtjQ
|
||||
fwWrXjxoO2elAC2lC0NJvNwwhFSyTZ43phHSKLkoXpYpAADu0AyjK+7wIx/J9M8D
|
||||
KcETF57wjOs2JUvYtZDpvC1QE5NFsooaUBkmk7pHT4ypRu7CsDLttLLCvQxlaT4L
|
||||
pU2e6x6l5eI7mPC0No+HTzWj6ClhvCbgVQrMn9g+hjVvez3ykEpMxXmbG1QeEkUK
|
||||
1U3IYAUmKMUVVt3y5P8nN0wuQG4ehqY+Is2sFIhGBBgRAgAGBQI6mubUAAoJEM6O
|
||||
ywOG/5xIH7YAnRyGVA1QFg0WubIkovAKLPiIsgIAAJ9NsBjpdVqP2CfkWPnOijef
|
||||
E5gDxJkBogQ3R/zyEQQAsWguKhytuM/8IwqKRSQBPaHRTyVMjsvLr7uUIoW2qf0V
|
||||
VDVxuSXy4K/k43Q/ssw2nDipUkS74vMgGzgUQk4BI0LkoPSIVoXo+v65KCSbrMNY
|
||||
m7lGGN7ZkFg5zWDfdVFiN5P/tUg91UfmCI71zp78SltyBM+FLPJhBYE0dvkHDjMA
|
||||
oN744XCDTRMARJLK8DH1O3eTkE+1A/9brypK8VFX1+J3jfZmz7nD2St9+6/rkcM+
|
||||
P8V7bHHttSVLswhTZ8bMZv5aJjsyyPrnFFLmlPddaQDND1fVFevrHOTbSnMjt8lK
|
||||
Ksh4z+FFCQTB8wtpXbs2xHjny1Oy8kwiCnYCtDr3fOYnoqFkCMwT2ulbcKGZ3L6k
|
||||
neUGSvWOhAQArqhDaGwsZfkvzirG9vo/PFBwdeKNj/tDOE+1SQasDT0L3gd/tfmZ
|
||||
LBCed2yQ7axppQlQRIcNL24+GHefTY5Y92T7GLVIg2cK5JUtMKMmgWj3szyXi5Oc
|
||||
QKxQdhmBgsWutyJj6SlAHSDrjFhVabIeJKuyuZzxhyvmSzzjBsugsayIUQQgEQIA
|
||||
CQUCOprFaAIdAQASCRCiuYn1EbV0jwdlR1BHAAEB6xwAn3FxEH2wPVFlzVKf09Sh
|
||||
uwEfspiYAKCkKEhT4qVjGQ2D4cwgtoZ03pQgELQlRGFtaWVuIE1pbGxlciA8ZG1p
|
||||
bGxlckBpbG9naWMuY29tLmF1PohfBBMRAgAXBQI6JFsGBQsHCgMEAxUDAgMWAgEC
|
||||
F4AAEgkQormJ9RG1dI8HZUdQRwABAU4BAKCFIZWrqfMjc8zKhnfoTSEAt/ojUwCf
|
||||
eqkKspOp6Uqq1tlr1oyYmN5P5Y6IRgQQEQIABgUCODCW/wAKCRB9nsJ2HENBrF/D
|
||||
AJ48befkKUUGogX4tPfIAzbu+auUPwCgp41iiMRqeqgWbsG1ujpDnVQRp/y0H0Rh
|
||||
bWllbiBNaWxsZXIgPGRqbUBtaW5kcm90Lm9yZz6IXwQTEQIAFwUCOiRbLwULBwoD
|
||||
BAMVAwIDFgIBAheAABIJEKK5ifURtXSPB2VHUEcAAQG/QQCcD+0bmcV5aYRb8JQ9
|
||||
Q+DeKi2fqfwAoJ0g1TDjN+ZpKAaOI95waVgGjYAhiEYEEBECAAYFAjgwlwgACgkQ
|
||||
fZ7CdhxDQazdMwCcCWb+3Ehg/wK6nrIebHYlDBwcYLAAoMXIboTxrdRh71R3/4Pd
|
||||
zTR9g2vQtCVEYW1pZW4gTWlsbGVyIDxkbWlsbGVyQHZpdG5ldC5jb20uc2c+iF8E
|
||||
ExECABcFAjokWy8FCwcKAwQDFQMCAxYCAQIXgAASCRCiuYn1EbV0jwdlR1BHAAEB
|
||||
9qQAnAzpzF24V7K84PQTKQ0V5a1EiGmBAKDIg1wPX7ZSRDHBrAaLKpEirnj1MIhG
|
||||
BBARAgAGBQI4MJcIAAoJEH2ewnYcQ0GsnfYAmwZq27x3h0EV0t+0i3j7dClD5eMX
|
||||
AJwP4AvyuGuyz3qGOYxXG/1RuhqoubkBDQQ3R/0CEAQA35tSeji8z1JVaQApKuEK
|
||||
VhZAm2zaZLFiAusKqS+/RXUhIFTI7Du/dJTPODm3pLQEnF4evo3qgokSP5rf5Y++
|
||||
JPUfkS6NTons29mnCVyWPl8+3yJaTPbX708e+r5ZWuN30c9dl8Br7mHzJrsTRumT
|
||||
9qSVPUklzv77JOAxBGTEhAcAAwUD/0MelpnyrZNVFja/xObo/OL4r6mwwO0pyK1Q
|
||||
qE8AuGO37Ug0WO6QNxgFLKR8l+9sod6q4KAEBxhA0DiVrJFNkTuza6HR5i22Y4ei
|
||||
VNbPC8IqRuF6o4KC3zejZgpPpApqrO0mMmo7GXcBpkpCS8vzJ09EvfExbALB0Jku
|
||||
GQn7SImsiEkEKBECAAkFAjqaxBECHQEACgkQormJ9RG1dI9+GwCfTEqyOILSu5Nz
|
||||
DhcUrqpknPlXX/YAoI/vfDq8kQG0QldbtWsC+MWQH9zsiFQEGBECAAwFAjdH/QIF
|
||||
CQLH6gAAEgkQormJ9RG1dI8HZUdQRwABAfKmAJ9EMdNbg94wSQrHb8oKVAKfjFZt
|
||||
TACgusXeU8duOaTgSb89XrAGCTb3THu5AQ0EOiRfFRQEAOelb5M0Hjb87WcPiIy2
|
||||
UAsxOwDno7H7vR9WLfpfKjPwk7Xoa05qyThF2L96keXZZAm54yapyeXhNPGquFyq
|
||||
YMOwxX+aQyUr13uH3KTkAaDKMkC5jAAkcZwTk+tENsB/StqyqbH5/KVOoCfxEFFA
|
||||
MVgTbXQnEGpqUL+WGz4Ay6IPAAUXBAChhg+rFXcsAMne7QK2816p64Lm44BB46n6
|
||||
WdZoST84rOq0ZNd+fYSqfRcaPJHHjO4lAEH+1dgQjpqxkEveodKPsixoLQdHd76s
|
||||
SRDcX15IhWG+OBNCD4k6Y1DLLYhPE5bUToQYm8kPhVS3yuMLuNhtDntNQURfQL7B
|
||||
JxQM0A8/b4hJBCgRAgAJBQI6msQVAh0BAAoJEKK5ifURtXSP1O8AnA3CcDJd1ZUD
|
||||
2Kr86Q9DSuimSMuAAKCX77M6fadIiy415K3vIfadl/nsq4hOBBgRAgAGBQI6JF8V
|
||||
ABIJEKK5ifURtXSPB2VHUEcAAQHXmQCdEbOoH3DE+L9keE5ODJ7j6CvHPRgAoJZm
|
||||
54r/EPzKnu9gTsI0J+7oIh7emQGiBDqa3UERBACPhKenaTumEld5L06d5z4yl4AC
|
||||
f+VsVD98Im0slZfKTcqMb3Y9Vzq4CduOVb6p4M9yX2bjxCk2mtmg5iunPuteGmVb
|
||||
YSNcd7yjm9giqe6EnxXkxXmCP/AVA0kB09XYcsjmMFbRFahXo3xpdExAjyU6JVxC
|
||||
/61kX8h4oYxjtWw/BwCgzf2qjNPEXshE0lwpoGwcwxk5cnUEAILKVk6G+rcususo
|
||||
b2AiPjzcQnCZYNzoHpNOSkwInV/MqN6Pb1reKcJQ44RFyh6+fsdeNM2+7ifF+5DS
|
||||
ZB13+5fhmtNtryIeMgfH0nYVu7YllPEmSmPOdERpjibxXbxEjWM8n4qKBe7iYVHW
|
||||
tB+j9O6HyAB36mHcorYIs9NvHl76A/9kl+eBT4i2/jjPQQ4V4rrYXl7M5EWxpgMS
|
||||
yUwzqM/YPZZCXJTqzv6FxUUc7LprdOEIbzQOyJqugKqHzQCekii7bcyAwu1NrV/z
|
||||
amTherN+l0UqIArjWVh0IVagpXptGooVq7snoef8W/KzZQRVC1rcEQ3zV3TD3IQZ
|
||||
mjx8ZgWCqbQuRGFtaWVuIE1pbGxlciAoUGVyc29uYWwgS2V5KSA8ZGptQG1pbmRy
|
||||
b3Qub3JnPohfBBMRAgAXBQI6mt1BBQsHCgMEAxUDAgMWAgECF4AAEgkQqBmi2Gke
|
||||
+NoHZUdQRwABAVy9AJ9RqC+W+xZCok3gcEZMiHy1lboyvgCeMSO/ld6brLcz4o8/
|
||||
OMMwNne2IZeJAawEEAECAAYFAlKmjbQACgkQ0+X1a22SDTCk7wx/TLjgpMrFa/tg
|
||||
k+/boARaFlsAJ/4OgyiY6314YbTyqatq1RVwWHTln1QJn8zXWpHUi9scfboxFYqz
|
||||
vKT1g6TXAkg1fu5muiBCTMVVCuawXEDr0iVxfsFoCDjLKecMUxqwfj9gL3kitkbj
|
||||
Ga7YcZnUcAOoLOWxsXNs5QZmKl/+E26iKGAB1sy/wMU40KjrOEg12fvIoDemeGfV
|
||||
gPdeChkhpDkm7upB32UvzDbZsKO7eHxoBYW1sRJy04Tyl/hwXnNCfqYJ42BuITrk
|
||||
EOSDr35MTYuLzC5l5l1uQXiCaJZxLGiM+ngkT76dkVQ4OcCgojuDih8aeT+TkM7H
|
||||
YkCoVje/6Z45wNzsG1lTxE9AKTBzpi0ZKGv5/WVSQ1anuC56bgdfD9jjMrhsVwWf
|
||||
mICN8zrOtYLcOJV6sUa+hZy8edEqZRkt93b8r0F2XDEVYId80debcFWExuil2TDO
|
||||
Z0nfkgxRDq+wtwem51rrRc3gLH1UR/NWsSmC2Mvj7jSDGeA+gIbRFNE6+a2YG1aj
|
||||
fxNdMBZ/OrkBDQQ6mt1DEAQAp/JyP+Brxt7T5vTTJSUMWSjOC+aBNZNFFHbG9KW3
|
||||
x8qoE7d/SYLGIqHXscGQ0a6gzoe01DFiDovtipM6g/FarCPjRVMN72SEju2pv7hl
|
||||
Gr/fcyHhKOYwcxaCVFOQetlnKq4zVrJvc0OZD/nsbRCH2ze3T5xtSQ7IlJ/rDUf/
|
||||
2JsAAwYD/2h2esQEPQy8MRpFhcBZ8Z3iVaAZ0LSgvoap8RKBSmzS9QHYgk/U4N9k
|
||||
W6BFQBfmG02aGMLN+WHy8oMMNVEaJxkQvXU7evd2vPIk9mW8JSeqAGa7dmZRjVkK
|
||||
PBDy79eSoM/Z8Gb1TFnKJ9ju+s+pqdi0bJPsDty+yA+96MFOy5epiE4EGBECAAYF
|
||||
Ajqa3UMAEgkQqBmi2Gke+NoHZUdQRwABAVDHAJ40H81xz0kVSd6/NVHLDEd7+98X
|
||||
tACfZmBzmbxbQ1dhnKg3hxACZvKwMKuZAZ0EUqaCBQEMgJQ2qbhw2Hu10RvBo2Fu
|
||||
fCouIekgt5dPqx10YjRK3Pmh8HW68geb2RdgbldRTCVznLCMhmbYl64qqt3/rADP
|
||||
mVotqAUDqTzoRnPO4ETdvkXFJDgQ3grldkQmjrXEBIQXvPWZAKKqgDr8XjTuG3uc
|
||||
2iJUT3mQ6aomW/hypukLDefx/ZVb6ZVQfoxhFlWtgAL02cla/bit6bZ+OAWE1PX9
|
||||
vHjgbsf1tUmovuEwQZr7FhAEjdhP+6US70diYsVV6JmbWAHV4pdbuNLhy0uXm4+v
|
||||
FrIDkNf+o0HbKqBVWUgoXBSbyAY8Y86ew0qjTEGx4TsTQX8p4alpPlpL3IWA+b0D
|
||||
rnYnH196ViBvR70im3eXGuI9DCAX9zEsa4/9YRs3l+lYWe5XRWKSW6y5UjZ7wYck
|
||||
ZTltAPkCXO9a7hK/qgE5wMJptJzJ1jsjE8GT9cFYIX1AMhraprfYxz11hzwScmzM
|
||||
95UIdfmEbbeiYNGZ0sYvAfsX4K4G8LEAoLKZm0mXkOFGaeF3NGD137RUbiEsXs7T
|
||||
oA0AEQEAAbQfRGFtaWVuIE1pbGxlciA8ZGptQG1pbmRyb3Qub3JnPokBzQQTAQIA
|
||||
JwIbAwUJDUfrsQIeAQIXgAUCUqaMnAQLCQgHBhUKCQgLAgUWAgMBAAAKCRDT5fVr
|
||||
bZINMHZMDH0TWjM8kpQZYk9l5+qxKvwqw7oOndC4+vDZnCCjZB94JP67M0DkAoIM
|
||||
gBpgSlVtCy+7iwPLx0BbX4cQ0LFWsxdYb5IfjWVx0B0jiKjQ8YdVAOXjZHmNfd72
|
||||
l+NgJAAtW/kENd10rrTnifLESa51DcgIUJhchypBsDWd+PdSTTqMaG4z30Hb9qRv
|
||||
EKgVKJRf24cNko1gAalTv8UIX3EJkXgp31PC/LLXuMMiDuSbf9DgnL75U/wXK8Tk
|
||||
mMF0tFBIHNIb0YKO/1/IpZbtLRsxjgPdIoq38mbVdyEQyClGvh4GmAKzevE7WFeP
|
||||
Oqbe173u7Lr+rwK4lS26kmw8pz1aHj6iBRmJ8LS1rtSvFmnzJlNG89JTFiuW8PMz
|
||||
fZUMtDcVfpjaLhU2jjw9IkwD4E9THsNNxkohe3jnvOwsPiMXixF3A6T9AX8ZcKQf
|
||||
YYDIodYI9cg576MheCK5qNypmb1wBaMveGJ1KiEp95+8qTOyDvmYOaOG8C0Odwhu
|
||||
YiYk2Nch7Y9BTiJj1WrmLS+VpUqAGApKiEYEEBECAAYFAlKmi98ACgkQzo7LA4b/
|
||||
nEid/wCfQDsw+t8kjPZ7rjdURXgBfd0734gAn0w6xCIHgueq1Nxz00Ewd/1UsTjo
|
||||
iQIcBBABAgAGBQJTFsNwAAoJEOX6rNyYiqSg3ZwQAKMYW9GCRVKwd8fxBIovohsD
|
||||
oYOK/psUp8f8/IK1+aW9EsYcgnzpd8YuOcEa9PWd7/U+70/2fx4qyIkcJ/ofKP9U
|
||||
zButogqdW1b4VISDP0t5cO9+DE4nSKod0hQdjJNM3611mr6lIhw2D56BdIzWuJl5
|
||||
eCSDnyQQd6iDt5j3wELnBJt8YnYC4TytJFzg9R7iFfkONKJZWpZlgj+ChSuMVMjM
|
||||
qa9l6+mYZKy4FU2mZks4EvLiWYnGQAHPjU9h+KWgoIbTXLv3Rc+NYlgXErECpZaG
|
||||
B89oiEIHqH7Na4e+gtxML2/RgoLgWEsMPJBnv6AnuX8cVX1EqGJT5AzmHVmWlJHq
|
||||
pSXw8g7yIRjtHZ9UKJOIamtHhDfcLpI8lSGwb0quyF/OwBcpbyWkFdOhHfTV+6Vj
|
||||
tLwHbiPDJIEVkCfcyItW9s9l78U42zqyXFsgUNcjrvR09OMf0eXREVRGgo0O6glY
|
||||
XRwUDFG/StCsKYFDUz2IEe4a9MjzGCSB0bUR5nKFVxomSNNQVw6Qo7oeGfXtyEG/
|
||||
/KzhkDHsVWKU6qKSTK5fumQIUJHGJCCiQa6a0/6BXdoC/IVPbFgM/MHwAj030hyY
|
||||
gb525l0BVD9+NEYs4Z7ZXkrdEHSIj2bTaDV2WywIYXcbxwovJlQT+gxeBxMoMJf9
|
||||
zzAY5iVBn985M85NNXvpiEYEEBEIAAYFAlLp6B4ACgkQyYKAx4/0+mkA8QCdFdv8
|
||||
9LNkAe1WK2gpjdW4mxXVCsUAmwf9+GFVwx69yKTXwcrvv29glD1WiQIcBBABAgAG
|
||||
BQJTFqe/AAoJEEu0T4MGAI+Frd8P/0NxkhUMOo7PVWKAYEA15JQ6mvfhUkNI8MCl
|
||||
PP2r0oDm3hf/sDdhi7P1pI/Wqlc/XAVQLZDtJZfZFvU4q0eF3Zs9uX3jvZjOGGQo
|
||||
vVTnioQIV1JxHTriucFbkUEaMqdaQiFFAlb09qIbQaClKrbSa1d8oP+G8A7NIKxq
|
||||
wwQMDk0I1UKus2QN4p0cBEuFdntlbkwwnyse7WrZS/7KcNGiHeFk8B/D63Vy2ISS
|
||||
yORmeBTkA7r8qs4GAB+qrNTs+xsEQTC7Dx4Nz2FtgEmpXOifE0Txc3n761aAfNao
|
||||
8bYukIbbF7Sw2ZvfwnEXikiL3m4uYFPcLsGfT3KFSKra69Vrm/DdZVGODJwALqo1
|
||||
CpPdV69qpq/e6q6SKTdJrc6YKeFZMyjHRFT4IhVG7KvUAjQkt0RcG17JinOlJ26F
|
||||
MH9nosU2RlVJuESUJH9xzMgWugF5Uj6jQlm5h/PWKNEtX/PjFCFjkacffWzRGOEg
|
||||
1mqB8B6O7UttATbt4mNV/BMZFGqNH0Jq64RM0n3Q5TaIhUIW/0jsES1TKrJ96W+M
|
||||
m/JiBd6tTXjAlk7B+m9eI7fEA7y6dugm0Qpw1+C4aIopQayaguPf/hicQqRr/ggu
|
||||
tKsO+vhJ9ie6cB1Zdc+BNGCrmpPrALmMbKmgw7i9ZI1iWE0pijX8kiBJoZaTb4Rq
|
||||
PT8tKiYLiQIcBBABAgAGBQJTF2LJAAoJENaX3zJH9H8fPQMP/0MRl17h9QMdSRvU
|
||||
T0Hy/cVCUwNs4hWhjA5k+eWKZe3LxOjnZEEA7S0Oi07cyOlKH7qNg8xA42KM3NPD
|
||||
tEM8U6CvkdJ7Bctr1OOMUIdLq4485BDsPccoVc5J8MRf+4BFQodd8B8jekTv/rfn
|
||||
/eXie3M12pjiy8ZryeBFod/3C/VLCQwMG4eMzga6+anuc66U6zteEnG0QyS4uckJ
|
||||
iAlcxYqLK3Sm6WB/FlR8LmSPPAEl9xH5W8gSrAGZRg9w5tOVnOOsDWU3yfBxzi8X
|
||||
ZnMRc7+22XOuzkQlQDDRM/r8L5aM6rGjLTRUpbv3JU11gf0+5yUAqrWD+KumgyGd
|
||||
cxWnfEHRQZA7jV3eEXpoE2mKOiZ3zaA0gZRmG745+E+MS964jTOdEy3ZEITuSCOt
|
||||
aPjiySebYSpxhuoqdA5sIgC/qLfigTEDQiY4LnrTxZp1uQGhcbzBKEAScLK6mFHj
|
||||
MTnTFm9hChnD8UmjfBFpHNhvvXS6h+ZdpgLuG2XEv3DtLs8N/E7uh0zN38lupX5M
|
||||
r9GC3EOrTXte/TWGQVlXU4j60J2FiUk38ORryyDMd3LS5bjTqaERkqd+uw7utuM7
|
||||
dTU8cohcMgM+vw6l3fNg8+I31Mpy9N6QLS26qP0b+uYKZpX5UG2H9j+ekrZ7ReBr
|
||||
LB4s2VIDHBoc6qRbXTI7I6Sf/Ez9iQIcBBABAgAGBQJTF5i3AAoJECPNT7oMAX3y
|
||||
AaoP/jSWlN++0Sms0WgN67JHDZhXpU+uiumaKS2VXXakIeAKu8kra6KIqmTadmm1
|
||||
zSJ83yhr6q3TjnCaOMLcSCEaCeizeMHeUbLPiM1zlcXH3jqpZxIPJ2lZTsySeAEA
|
||||
QwT30NIjySlOX5Ba/ZknQ8iiqqkZM1PBxqYIcjN8ijOY59L4NQnTsdn0m6pAe1m1
|
||||
6zD3sGljVvJeQuvoyaqxnOEQhzfnYjziFIkTbRKh0bk2jq3GjpYKjm0H0yDzr1xc
|
||||
G5R31DZb+n5tWDKDYUX+PtDh8ypgzobTBQ1JTl7e2qeu/EpbFccRqsu1S9kJyC3j
|
||||
yYzpk2Bf8mfsfH6Z+FUR8AEKW67vBQQFRIV0H4WCBazI2k1/ibNoaLqKJNDh0j3p
|
||||
89XAdlXdie8Cr+kd0XQJ/ExqaBPpTiVWGFeEVxo9cC18zFv8N8ZvOnEBwJZ77uai
|
||||
KYAjNUEfE8W7RX0bZgkIS5gXcuFRgLDcHqWEhFTasSObmNx8rrbmkZUnyuctCFu3
|
||||
iYAAOvpBZNEXXnwU5S//G19gjfNlLQSBcCn6A4fJo1szPhC9VD9suf21FkZYZ2dG
|
||||
T1U1CYmw46wsb6ZyG8hd56fD3VkMF6fs123NuCmKJwdv4dCAtKXeizm3KwuqfiIt
|
||||
Pr+CZlF7fgBSvxSllErP3fRio6w6ueu/2nMdxq/+VqSSfi0jiQIcBBABAgAGBQJT
|
||||
GxrFAAoJEGXrljbwLFcEA1wQALFhneSP944km15LMqr4AGOaStxSWv+Fr3NcDv/L
|
||||
XOZ9olMHGZIrAV2yl6hW0vPOiQXJGM2+t1H5Q2gbktPt/F5LD/lR8cxMOCfDbVA5
|
||||
nUzi52mY7J6rv15AmJNzlxOrUsOxGIp2AuBFI+NLcmzW1vA4VN8oY22zePYSsAyA
|
||||
NODpYLwzmLvWh/n6Gkb9Dcr5d5M6clPJlvyCjT3HOkmLCPBTv/I4lm004pLW+pep
|
||||
wfmHi1XoXDXLChrBU0caV63+KdIKaSkZafGhhdOSeMT2ti6squ+9VBm6g207ZaU4
|
||||
6wzATdVfCJkhAPk8HMi/853vqXPhl06VFi3KYrL6tsSie0X6vNlMfkQ1obdh2KHV
|
||||
tqSFhO+0pwjLQ6Ei5X0MIYk2M8XFUIV1RPmQ4RdvfbMuJpyXLBxTY2ItB70ZHvEm
|
||||
XOTYLYAhAH+UvSODocIP24I/mdyPbiTxgpYVa8pMFw70aA/1zPWftZCYWe0l98im
|
||||
cUW2YPknLl3bxOV+CI4g5XFW/84qxS1Ty228vIK7GmnZx2AMyaSA0w84d9wQnxJc
|
||||
rNSS1M3uYvHLICEr4HWP+lTj8wFd3kd0URnB8Ybc7zsy/Rroy/KPKArhbCHb9O+w
|
||||
+KuC5f1Bu4uZc/o2Zckp5zfKI7xtUbW914PB9hbo+TXkTBre9nZkSQjODL6wPLIa
|
||||
nYFviQIcBBABAgAGBQJTH7siAAoJEPTXp5Fd6nib42oP/0RJLp8X945IPFd1AMoM
|
||||
Q23cy74qBAvh+c+k2pFEPrU+W9nJ2w3Mqwn8ja9MDewUjSq9ZLZxlTz+M8idYpoN
|
||||
46VtZLCxpaLXH3Uv8T++Vwdi143UMPipJqf50mWqqciDsl9LbQZR2XolfzM9WTVU
|
||||
Vt9ynNVZG+ij4tbeobViZrifY07dfR8y0TZ2LF7mah5lnDAAwSVEUOg/YX7jIgxS
|
||||
fP9oD5buD2SYH/4rZFzkN3fCZQiV4uwCMIJl+fDR/adBvOaZrUVnM661vmGcsgOq
|
||||
qRUE+hSZ/ih8Jsox65UAfPHdx/SEptBFgoyIpdxR4NPxpgeHZbNnstJ1R/cyKmww
|
||||
hMgF11WUJbm1RN1vDPwAZNAcSzDAZhnOmtOsPtiLXDMNm7dufgYWFFxjZUxo87+W
|
||||
eHgWG8ACki+AuYJgjW0gXMghVdkVQJYcLxcbZBPcHu2eUJLI83QhVQxUg5IjdOGv
|
||||
OS3SuMhtDYx04zEdGB3FSVRwfyIqImjEbyXnMAT0RDhFoWvrhAy/jGsrH4tO9hg5
|
||||
1AS4EJ2pwdYme7yCA0h2s1ZG+WHF4lTJ21fvx4H352Ah5tckpmmbpJbB+ZBz+uWv
|
||||
rYmQP/W+06kP1axNmjSDcMID7rqoITn7emPJYLpc4vszoGxxl3yFbWM7IL8kLT2P
|
||||
QC1FMP5L9SY95T3L9xciMnFTiEYEEBECAAYFAlMkhq8ACgkQi9gubzC5S1zAmwCg
|
||||
gBsG5xTQsPG3Ro8GpItuIJBGmZsAoJMRnRC62mQKL700dHk49IFL7sH6iQEcBBAB
|
||||
AgAGBQJUmgqLAAoJEF+OLmRrT7LQnV0H+gMxUdmn+eZUN+6fyAf1TMHifp3qvqdK
|
||||
05sL2NIY4rz7GgYbb3L7wH45w+ztuE6pmdg4JwCGijp3V8quyICbvU94YTbu/n7E
|
||||
3r5U9H4JXUuW99GtML6v0Jnmp7AthmsMVwTFoMj8fzszRTjh0LWxbMIP/BXbr91t
|
||||
hf0A9L2OBFeHCXtpr8JnTK4lkDtwRw5PKZHQPUlP07R2Ki6pva96ePgtGnpnL8n9
|
||||
Zlwvg5mCSsQOQv8R7+7GcmGqSWOEcUB67GF4AVsGMqEj/9BRYsdjWozE7oq60FwG
|
||||
rg+HEaTO7To3EKWI31pZU+u3WgGE7cH82/YgtCQdgKYzDAT9AQFADRCJAhwEEAEC
|
||||
AAYFAlS3/EIACgkQni8RbMiXM6uvYBAAoDMezX0JkRWg7GlsHJyF9mneaUMmhLiJ
|
||||
+yO8Jd9JkJcSsDvy56X0mszyqL3e/mcrSow71fGeAnJbKcTsdMX8T7JpWL26LApb
|
||||
PxiO/wo1vGczwJ+bBMDQAGIQgY9OinCL8OEw1C1saM6rLIa3z9vySBmbQA30TXdG
|
||||
kRBQETcHGZfDAe7BdzBgqBK+ZlCwoCUoiprP+kidiumZ88cQmmR0LFyB72GDeT2q
|
||||
H0E1WOlKRhm0hwqB+Tc7E/wvX3YlufA65azQDjeSC7skDGljHxIl+ze2DSED8p99
|
||||
1bbjE5MESIySX7VdJHpp6mJ/Syh0wdiOKBn5Ff8+DxmymtzyBHGYzdYWs/UOVRIw
|
||||
VSgjn+BJVpbRPqtlhpAC6PLSots7Mm6f194qJv9SDLfi/HDrKP62PG7p6zYM+zjD
|
||||
j5FQBdBdMWK84/fTUT9iQsnCkmrSeaXzIlTRCBH1OUByeIbUaxcngZzGwSzsF4S3
|
||||
fOhYpnsaHW/uBzYRvgui4W2bzcoUui0QU87gGEXg5jnJtUhCtVgD3jvVov+pIQCO
|
||||
eMMUTSTWzg7w/7uPY8B4+tXf95J7vSJcjYnjr+yM21DrIwjhKbzjmcvsk13FR7tZ
|
||||
5f7R9vTuO0CJewIXuCJ0NLaahn/s+8V9RXoNa3TA+R+ZW/KFR/awXrq7SOJ2SbTV
|
||||
JQk037siPOaJAhwEEAECAAYFAlS3/GQACgkQxfSDrd7oY4DKLA/+Kncf9t8FLms1
|
||||
fo1cflBb9UGgG6YceRx2+O3VZXiCqJSsHFj1Ywk+MyH44mD/JDM/YTKazT8mpnny
|
||||
2/lDEzFdfbryZdA0p3pyrFp+8sx4pzKNPZxOubAOqefZ1k/SoTbTa35f3V+L926O
|
||||
zIl2ZdU4WOysa13RhoRvUKjekWl94J0jECcBlkBiOI7uL64Rz4WG4VYhXJGV/LRz
|
||||
OBot27Umh0sCmb3i24b9FmOu8tvAwf//zlh97ykEH1nLiVz+QU054nmbqVACp2W/
|
||||
02Z6cnfWqoLsQIg2Y+6oeCrjCldzlHcOjvE6VwXJpAde7mZfQCw66G9ndEs8Xoa7
|
||||
I4D06uGoewKVMJKU5AaFT4Wf69KXDI9YBRSuyZbww+rxESAB9HGfR3O8quDgsmV3
|
||||
BKsNRJT7rOPm+Z+UoHS12alJmVcuv+ioh1GpmeWoKiRgjlJOQcXy/TIvTMvGb8oF
|
||||
ZN9MEMCZ09x3JoYTiXvx6phrxpW82DLXPqCD7mEHR3/u9898VRWMrSP1WKpNeeyC
|
||||
6Wf8Urz1ySinr/wMbafrQu0Z0nycFFbUXLRO8MwJupt0/S0kA0c2WVzlZwYrbWZ4
|
||||
XGIxl6G9i+G1D5USOKbLC/bXnZlLERiQbD/85UHpt37s0T2K48lGUhSjCxclGyG7
|
||||
UpFf+mzEYbQcNMTkjr1RVURd/DtLeXeJAhwEEAECAAYFAlS3/vcACgkQMn7oMPR2
|
||||
HNgGtxAAiQy29MXY+Ljs3V4ZSE9kuhpV9jruyvNQD3y+vGa2fYXvwZbzqvDQIo/N
|
||||
TRR+hZngz6Qo7i8NUYfzIp/GHI3nqoZll9idWdWjeg+ioD08XzmoTnTJwJAPTOVp
|
||||
2WREzTyRc/FZCD8vW51iFV0xpWZA8a+/Foc1q/P9B/zvBx5UQfYCjMCcKpR3Xkuh
|
||||
oRh6vdxSi9M+QuyATk1mXoniOQKhIvAzLTH2DSoAudI3V4E3GSc1NruGt35WDfvP
|
||||
cwvcXk7iI4outPfyrG9mEIkiZDukB6MrKG3VKegD0fFIFouQ/eoodWKICY0S3QaP
|
||||
HRL3rTOtCNtVEEaVDoaT6jDUvsfOpXreev1UriH24cawD4HmMaOs0p9e+FDTkvJx
|
||||
OLErDBvODG/4Pfqai7BFaLrElnjQ6vI1e42fd+XQJlZPbDqjZkk3PD1DGNeWxXfe
|
||||
VbQVK3O4G7z9Puj/YTcNyygVxwJPuZQrYX7mSjfetG7J/ZjoSSBKqJSzCyCb529o
|
||||
sf2cS5JV/U5e+LQCrq+6i6fXWuUGsTu4ceJpskPahjCvcYVWMtbtBf7XhseJk97k
|
||||
g/Qg01zLg8ff4np1nDCExSd8ak7DPEPOOnbedTNtmUpzaQJ1hAEsIHH23scuJMOZ
|
||||
WdBHXB8j0l+w7Ssd/Up0+WR6KhYc+7D+U+mRlupXcvtXBgxzeK2JAhwEEAEIAAYF
|
||||
AlS4CCsACgkQpLsVjWJqnRcPzg//R1PXrcHYVGO5tMkCpd2EdTEN2KsixMzbQAeW
|
||||
C0LCvCgwuNZz5vXRrO8AIf9d5GvGx1xxr7w/aQHdA3fTwQH4VYz5Diya0OgXDWew
|
||||
u0+P7AhHJbBTFxikPbX7Pe5J9ri2h9W2QGlNg9xZraF86yjdTOavrDYuc+Ly2OD1
|
||||
Ln4xGr1x0LbVLCS9Th8v7rzQMjVpZQghpVUBcZ0Jgk2NFTu4ODMpC40CM7iVX4Nc
|
||||
gzPecBTGRO0UJkU9L1ta/DjTh+TWWSif0gQJB396zeX7P9d9vOXbfYwYwVgvNc5x
|
||||
rt71agaL6RIRiSR0nVOUu5w7M+rtqw2Goc6rVWk97GaMBxq0hCZvunr2SA5IsGDM
|
||||
rFlfLb93/a4up+Tcw+4SeKwoLyRIYMcenPRxjsyYni4bVG9W34uwahQe5It875hT
|
||||
ZWdZob/0uHYpEWOH2w+qzmQUtTsquD+W78J3H3SiojLiPHlsRbAk4nr0SN+EX5R3
|
||||
+YW7jLRrVhrfvr+vYobH1664P7b1LX2Yi2u7ktZcWKVxLr6vZqNVXgdhgQmNyAOX
|
||||
VhJurUc7EryV1tnt+EYRj0ruTdi0Je0fE6cNabrkKTnMUHTUbrpJDxJcq0q34SP+
|
||||
nnqaHmdtfDvuFVMlAynQrfD7nJOY/fm+l6FY9UvNJCvid71afBV9DdbPtivn0oP9
|
||||
L63+pSCJAhwEEwECAAYFAlS3/okACgkQxodfNUHO/eAexBAAl+zTx7FFagVHNlDe
|
||||
tN31ErMvImw1oDVyoTAKCJbVK4YOT0AEL/GRM6nbQb2HAW26iWw0tehoKCJjw9uJ
|
||||
y0m+1o/psE0nRl97sfZX5VCuFiAaRCyboEu49+KUSoCAQnkOc+r2vEPEvO0pNgZU
|
||||
hUsRIwPRP67aDIfb61T9CSwZXmAkukDTuDq+sTGJ0fUpT59aM398O7BBqVnXZoTa
|
||||
LHkXAd1sXGbWXNy7vNVXuHEAvebeQDzmAiiTp/RLxlUNrp4nB6bcAK5wn7kaAPJj
|
||||
jREXeVk4lEGuUE1QpfdtvSAQ+8Qd47A700z4g7XFwHfXN0kX5JmeScVjrghkOCA5
|
||||
sjM9P6uxgCb54iSGnCrNJf57LddvSrI4UNAvFrYHVkek5VvC48xeUME/ldUT+eQv
|
||||
1Xs2CJwtX9mxQg8hvuGDr03PP1LfKoxVvAZcJ4iJ+gxD+q7KHae127X0FCbzxrz5
|
||||
JQtTXep9UO5L9YskX9jKFH2+t+BrLEpxo6EQ2UsY5zmR3FFpvXu8Dryc28nI7MFl
|
||||
uvNj+HPwNlvGt4/jLDxNUr1/qfny4nmH+F0GwJSbvvOysngGZ2R4XtyBOE7MvxEg
|
||||
jsspXuLqm1TRyQCidUUOreramtPUUMQ8kbH66T75GAEnD862nlArSTZ76rbTGJ/4
|
||||
JN+Tb0gCoT3+8rsFFLIbjbi+SBCJAc8EEwECACkFAlKmggUCGwMFCQ1H67EHCwkI
|
||||
BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDT5fVrbZINMHp/DH911etPzwZZetcw
|
||||
8cKb7UY4UHFHQJ8rQIF91mY1PHpX/fh0VG+kXizlHEZxHpwXHXbJWUevYovymo8D
|
||||
hbHB/VKV4kSQLMOR/jVtnbFRRhpkzzGSZhypd85NRODfxqqyFd5M6CPH8+vRikLs
|
||||
QbJTV1OxLUhtlm4/3+W4O+h7pl8Q5pFw8HQRESPFrOeugU7z5nB6h3q0XdE+/2kD
|
||||
Rf0G2eF+oLrvTBvi16u6ftGYc2Qqzbr4W5D3beWn+9eEvVJrxIb7ZR2iQGn19rV+
|
||||
92qB87bADM9yddmiAD0fP0ITDz7DOKxTAw7uMr0pfHaN27C1GCv7duqoHdM8BxR6
|
||||
oSxg/Jm0rsCE52uA1t5EbvFwfWJZ/wSiqv03BUlRTnawlQi0W/fFM3wgq2myWDa7
|
||||
aU+U+bRUBgt00qb5vtXDeBhS1wFLpKlyrlALsq5g6DStrjKT54pYQfaVnXUjxzxx
|
||||
u20yI55QygiKhg7foFNgw6vTPwfo2OSid2XQDm3Hjjee4kSovrtn9jL5h27V0HcY
|
||||
YED6vLNauQGdBFKmggUBDIDU53B+nBcpyH47TRbUWxBIxwSNqEaajzhZOugz+qNN
|
||||
3tiyV3fTQ8y/fCRCfZZ2HJNxr8SaRbR9VMZJiztne/lKk9/SmthKOZ+7xaVejPrg
|
||||
Cl1eoYeOP0oB6rY65S1avChuCJATNTgfGXP3hf/rkGAbmTs5PITcnpuBFwzAkKAK
|
||||
TCMrznBtsGQYf4mj2j9nD1M9zNBwTsGYZiSQs0BdvDuiYoE4vhnrD2xdOjP1SdDQ
|
||||
QH2zhO8BscYpf3LY8RCNk37CTNHcNq9YHuqXy8dkhGaykCwMAm8NPWh+w227wwHz
|
||||
AlzG9lqhnuP3BQtimdo1jH3HESGBsH2jWYFxix0OPfHPmOuC2r9yl2AYLpuD5rAN
|
||||
z/KVDWY2CUp9jw/2EUiEgA1mKWeYCWTkZKhZyU//r2b67fgoqgdThhzcjWk81wvo
|
||||
3KLRuHyYep71Z50p+h3tjjIzVLbR9dpLi+ssiUqDFuwOlaJauTSW1XTe7ILt6oN7
|
||||
efPMZb/YYtMePnGwDb4fAa0+ibmabOO9Xk8U2lLtr3QlABEBAAGJAbUEGAECAA8F
|
||||
AlKmggUCGwwFCQ1H67EACgkQ0+X1a22SDTARJwx/ZCMNabddrAnE0DymqrGsV5MS
|
||||
j4YRLOdVFNR6mutQV3UYfDfepoC+ouLFn7Hxyv7UaP98l3l6IhUl9EthteULyy7w
|
||||
lleeB9fRWG4xxShv8VOKR+lyhiRHOuJSwkQHf86aOUuMaCdCbkbP1NXWK3IXdvOg
|
||||
eRHyy9YQoorM2ggQ8ctTfLtupKQ6uOdjdtl91VGHrXxduNXbw0y6hmxXwTik65Cj
|
||||
L7ezkiOYh/+aRKIUTdUnB1o96bbdSxdq0Vv96gL8CGLSIJ3/yKgXCL6gdPY+e30e
|
||||
vNUXoTyAFU7e8qjpQmANOv1C3bs1zp4cvQ7mPnSKez2hv/cOg4Lc/kDTzOGX7Djr
|
||||
rIYS/n4Sz+6xQCz/ieDiSwjcNMsr1iCPvSXmgG4wVh3dvkoZV8AiUZzmbAg4gbjV
|
||||
gsjNlOsa465PKaPAJ0L1xRknpHYK/9XHSG1nSGoN3JoM7Qij04b9bazZPvXrS1j2
|
||||
JzgzAEIV6bPAUQsgEggc1j+f/CybFAaQjc6Pzomk5VWBHmVdZH4GsZwGORITKJkC
|
||||
DQRf7mYNARAAz2vrsO3Cz8vYpaXvc5tN9uloHBpeMl7Fb5A5U4XB36ux3JE03mxI
|
||||
WgpVaCtKgwPAwaOprywMBee3jJh2xBIuv3cy1JSB/zCl12erUEQhSqk8wc4SWou/
|
||||
h9ecl5L0b3255lbayeTWJaaz2EjVzezbiROqeHTXkd8Agrjbr6IzcdycOZiVK8SL
|
||||
jdpCN8A9VzqjD7FLsQ+i4MN9sE+V7QjUASnTEPBgvVhrEX10xQTagoyF2230XlcY
|
||||
SKv2rLpgk7J2LzjFWrNZ/m2AriMMg1jQGKijYMHV1f5PQ/DSye/9QTUPLwHziRZe
|
||||
k7A3pZGTjv4bq1Tywc8d0VmvE56IfVIsn1cYhYq4mBm2IeWTO+IcxVjAS2ufN8RU
|
||||
u8MnFnFHohzKVB6Q7Cg4HhiUgmNn6xnRE59NxuTd30OcTDxQ0SNgJjSRfMMq8nl0
|
||||
upQCDH5ksrVSCUPB95GLeO2WtSgMOBsefeZcQU3y0QyxRkBX1sB1H84u9vF25FZH
|
||||
HzMJmd+PhWW+V8n00wnr8zpUdvmBzIGz3C91Y0DjJxewmfYvgoBD80cSF9SJQ5Hw
|
||||
vk1M/125sfUBN1rBvh08ON3mMvfxds4deT8Gtc8N74ggWYRGgJUkYvTEc8Ho0FGW
|
||||
kg/VTNeRTEY7tIzVm2XojWMvdK1733sf1b3mEV3NTyqYuDnnxjoDa0cAEQEAAbQf
|
||||
RGFtaWVuIE1pbGxlciA8ZGptQG1pbmRyb3Qub3JnPokCTgQTAQgAOBYhBHFouYOB
|
||||
Wl7vWaSt/So/QU5zYGC6BQJf7mYNAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
|
||||
AAoJECo/QU5zYGC6kI4P/AxEYU8XTuZHYzAim7sHRr+Z1HnknrgN9mGL3HuCy8H8
|
||||
cdOZkQLnHSOmYjGfOKRNTzWibr36Cd4ERCXP+blDCtkrFw1QLoLRICZ5nJCcFSr5
|
||||
CanrU87wUwCQ0xfkkPl8iF8j1dorIDZOetAKumn87wKYnNphGQifPZF5GS0NS+Xp
|
||||
7vmg+R+abTTCSTnxFNPwiQJwRm/lXO+A4bCHcuPL/X1vfVEYOARS+n3l29gpnHUo
|
||||
roiWKC/F+HRvr6o4dIAml+jMq6xBMB6j9yYsyzNrq96GMxXDLvPCUkEad96+gR2v
|
||||
RJJvFMUMa9tzc4C9n/Ks8t5s7um63l3eSYlHuVL6adI9SlVLbzyudBr7P+mU3r0z
|
||||
xvYozTzPALwgohs4bYiWqdtE9y+qLsJrg5zM1g5gFJWAFWNhXkfB10NeoYN0L8Iy
|
||||
RZMaBq4154fg99eaQBETzh1qoyAE1wZ5DFzzGMn0Z5gqyYd6pTxYol+6UIFvkuIb
|
||||
hvzo7AnEQb9CMzCceJcPaSDoWJn8MXibgcR8zQ+bJL9BoOwevTuPBRRg4dW6IOBD
|
||||
EqBjzZysSI7ET36R99WsBq0kxtPjmrbo5G66DkrwDBps7sggRg2Y23tgmrOssDVs
|
||||
zN+erC+80XClDTBz8myB3y6d4VU+dWG4n0ZDGJE+w6YNZN/2pCKESlgU8e5K5qUt
|
||||
iQHDBBABCAAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl/uZjAACgkQ0+X1a22S
|
||||
DTC/XwyAkFkZcqk56SuA4a4Q1PZydNNkQMKMJME2Kt5L8GB07jQPiTUoCDCEKW7v
|
||||
SV5Vxl94HLQs0Wt4G+UhEmI74ZzKU0FZfF+Smnw9PQ/chVdXVAeekeBxQgDP++Mp
|
||||
Lur34YveVeQkIBlQ8fbxrvd3RVI6LJ8DSxTUZ+MT34DgTs6+ryJkyA62mcSy5QL2
|
||||
ZMH82uZ/1KRN6P2YOUV7UmvWPta5kZ+ocfSoTcYCx/Ms4XOx6g6DbfDZ5AkRfY7c
|
||||
qUXwJEA5bEooZXxMIVX3cN6O8CVjhl0lzNyeppoCmsuHBg1/YErsLbyphKzIuY0E
|
||||
8Ng5nSKKefZA3+2OlwvRNN4FPVXcf618s+LkMPdedRxuxOj5Lg0m8I33t//4U8xJ
|
||||
CjgItN27+C8C+3uAb+oG0JP592z+zweVVjbqgfKKQ0XWJBV8YrdQ7CC65WTBkSKK
|
||||
Fk9uVDjfftrsWkkyWttGk1As9yAvPbupZ2swoMEcQLAhyaTLmBYrgIW6g6OMhCHv
|
||||
k4BIGUZ0EQmzi11G5Bu7OEKN2/KIlLkCDQRf7mYNARAA2iZs8bBisxr5aQE1gTVX
|
||||
wvgtnIOjQ6aDOh9bminaAQtg+ntvNFi6HUzSvB0XTjAw8sH2Bz38CkczuDfd4YfZ
|
||||
OzAJRJTG58NAubAMDjJ3yHrfP/uXn+KVEUdDYv+wTbbA4cPztMLhNxNJwgPKjVLj
|
||||
9FGkdYLCe+xTD3POiwMOtazpW4udynNCcQ1P+DIPzHuOisJ1AkYqDrShclEUcitO
|
||||
44/+8JzhiKH9HxwomOLku7lwjF1nEyvVC6zJXlxqXImbeFFRbKLlItcbrVD1SJWB
|
||||
F6EstFgSCFcjG0+KN86LRABfp9804OjHiSBiDOTT0W4W5icDnKOzj+ZlsdSdSIcw
|
||||
AnLz7nsgobgjUaRPos013ddcMDFSIS+SNtAE/si4JHdLGUVCKH5RgHyWMjK2MQGx
|
||||
3LCaHPVT/Ei0uLdSbKtpLpSsYsNokliw84Czd6sUjjR/IhHjJ7ryD4eJSyXt7vuZ
|
||||
6e9twyJumcPJvWw3feFjGqGKmhwpw6viKkYEqDSkS7IJRqdS8My1PMm38Ew61WaS
|
||||
YYehueH1yO//Wtlo2hYfFh4N4Hcu9E6NeJBNEc20gz6tTkkybuIuCsZdRr9MEZgc
|
||||
EEwH+Mf386Lp+/VqfpmykUaT4XATkzhSHiFFx3y1jD/gClN4zATmS9s21df8Nooc
|
||||
qWTJjOjLmKn9nevp4Jrf5NEAEQEAAYkCNgQYAQgAIBYhBHFouYOBWl7vWaSt/So/
|
||||
QU5zYGC6BQJf7mYNAhsMAAoJECo/QU5zYGC6a/oQAKjogHiQqRKLsaRj5yipy52i
|
||||
s8vXjsDdhv29GTFV/0aLrPcFx5NkHPf5mQsN/k1fYfwHaq2uwGuL/YB6Ra6eZBOP
|
||||
/xd0i7JpULrSPTDBWEgqF5UzuabQJY8oYK8RdA5RS6Tc4Q38L9f9RbHYPGvRgDeb
|
||||
ZngMVOUQOD0s4EkAYwofOOE/a5S+Ty+12o7t+BTFucjgF/RiogO38HyeUepKiJFU
|
||||
vuSRcluIvHaooLvDMvfmZT/nZhZsqAa3nT780Og9aopI36tmUuZSR1fJ5jYgj5dU
|
||||
3JA11HWaiwbZiVXEnNDh/WPrzM8k+KGf/dxymLuCbROc+wwjhqiWGn7cKJcVLHzS
|
||||
CO0rPVaJvrliTui0ytRLQ5F3A8+nsq84lbHXDZWnYMcGVF0iluQksbQkc9VPunRI
|
||||
VA3UfPt7O/rK8LkZlJttKPZL042IC7vrPFZIHDbYl5OEQwohO55v/0MgtaDzc/Pk
|
||||
7mnVkcLyvaL1yl8FWe+fKY4Jk8SUCygwxCCjtCv7TWYaNGepelQonwRWxCyf+xUa
|
||||
nErOxgAHhLfgrzFW31qU2nrd2Ubbtj6jXwtJNMeP1ZCBL5BgcUpypYUh9DyxsjdS
|
||||
mjhmFk4UXBCppf5Po/1qSpr5KPmwuWTd0KGCEnosU9RSpJtE78phxqkKaB8A3HmR
|
||||
ePJgyS4h2BL0NgQRIRVW
|
||||
=OOF9
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
571
openssh.spec
Normal file
571
openssh.spec
Normal file
@ -0,0 +1,571 @@
|
||||
#
|
||||
# spec file for package openssh
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
%define sandbox_seccomp 0
|
||||
%ifnarch ppc
|
||||
%define sandbox_seccomp 1
|
||||
%endif
|
||||
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
|
||||
%define _fwdefdir %{_fwdir}/services
|
||||
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
||||
%define CHECKSUM_SUFFIX .hmac
|
||||
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||
%bcond_without ldap
|
||||
|
||||
%if 0%{?suse_version} >= 1550
|
||||
%bcond_without wtmpdb
|
||||
%else
|
||||
%bcond_with wtmpdb
|
||||
%endif
|
||||
|
||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||
%if ! %{defined _fillupdir}
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 9.6p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
Group: Productivity/Networking/SSH
|
||||
URL: https://www.openssh.com/
|
||||
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
Source2: sshd.pamd
|
||||
Source3: README.SUSE
|
||||
Source4: README.kerberos
|
||||
Source5: ssh.reg
|
||||
Source6: ssh-askpass
|
||||
Source7: sshd.fw
|
||||
Source8: sysconfig.ssh
|
||||
Source9: sshd-gen-keys-start
|
||||
Source10: sshd.service
|
||||
Source11: README.FIPS
|
||||
Source12: cavs_driver-ssh.pl
|
||||
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
||||
Source14: sysusers-sshd.conf
|
||||
Source15: sshd-sle.pamd
|
||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||
Patch4: openssh-7.7p1-eal3.patch
|
||||
Patch6: openssh-7.7p1-send_locale.patch
|
||||
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
|
||||
Patch9: openssh-7.7p1-pts_names_formatting.patch
|
||||
Patch10: openssh-7.7p1-pam_check_locks.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch14: openssh-7.7p1-seccomp_stat.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
# Local FIPS patchset
|
||||
Patch17: openssh-7.7p1-fips.patch
|
||||
# Local cavs patchset
|
||||
Patch18: openssh-7.7p1-cavstest-ctr.patch
|
||||
# Local cavs patchset
|
||||
Patch19: openssh-7.7p1-cavstest-kdf.patch
|
||||
# Local FIPS patchset
|
||||
Patch20: openssh-7.7p1-fips_checks.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
Patch22: openssh-7.7p1-systemd-notify.patch
|
||||
Patch23: openssh-8.0p1-gssapi-keyex.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch24: openssh-8.1p1-audit.patch
|
||||
# Local patch to disable runtime abi SSL checks, quite pointless for us
|
||||
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
|
||||
Patch28: openssh-7.7p1-host_ident.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
|
||||
Patch29: openssh-7.7p1-sftp_force_permissions.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
|
||||
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
|
||||
Patch31: openssh-7.7p1-ldap.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
|
||||
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
|
||||
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||
Patch34: openssh-7.9p1-keygen-preserve-perms.patch
|
||||
Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
|
||||
Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch
|
||||
Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
|
||||
Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch
|
||||
Patch39: openssh-8.1p1-use-openssl-kdf.patch
|
||||
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
|
||||
Patch41: openssh-fips-ensure-approved-moduli.patch
|
||||
Patch42: openssh-link-with-sk.patch
|
||||
Patch43: openssh-reenable-dh-group14-sha1-default.patch
|
||||
Patch45: openssh-8.4p1-ssh_config_d.patch
|
||||
Patch46: openssh-whitelist-syscalls.patch
|
||||
Patch47: openssh-8.4p1-vendordir.patch
|
||||
Patch48: openssh-8.4p1-pam_motd.patch
|
||||
Patch49: openssh-do-not-send-empty-message.patch
|
||||
Patch50: openssh-openssl-3.patch
|
||||
Patch51: wtmpdb.patch
|
||||
Patch52: logind_set_tty.patch
|
||||
Patch100: fix-missing-lz.patch
|
||||
Patch102: openssh-7.8p1-role-mls.patch
|
||||
Patch103: openssh-6.6p1-privsep-selinux.patch
|
||||
Patch104: openssh-6.6p1-keycat.patch
|
||||
Patch105: openssh-6.6.1p1-selinux-contexts.patch
|
||||
Patch106: openssh-7.6p1-cleanup-selinux.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: automake
|
||||
BuildRequires: groff
|
||||
BuildRequires: libedit-devel
|
||||
BuildRequires: libselinux-devel
|
||||
%if %{with ldap}
|
||||
BuildRequires: openldap2-devel
|
||||
%endif
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: pkgconfig(libfido2) >= 1.2.0
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
BuildRequires: sysuser-shadow
|
||||
BuildRequires: sysuser-tools
|
||||
Requires: %{name}-clients = %{version}-%{release}
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
%if 0%{?suse_version} >= 1550
|
||||
BuildRequires: pkgconfig(krb5)
|
||||
%else
|
||||
BuildRequires: krb5-mini-devel
|
||||
%endif
|
||||
%if %{with wtmpdb}
|
||||
BuildRequires: pkgconfig(libwtmpdb)
|
||||
%endif
|
||||
Requires(pre): findutils
|
||||
Requires(pre): grep
|
||||
|
||||
%description
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This is a dummy package that pulls in both the client and server
|
||||
components.
|
||||
|
||||
%package common
|
||||
Summary: SSH (Secure Shell) common files
|
||||
Group: Productivity/Networking/SSH
|
||||
Conflicts: nonfreessh
|
||||
Conflicts: %{name}-fips < %{version}-%{release}
|
||||
Conflicts: %{name}-fips > %{version}-%{release}
|
||||
|
||||
%description common
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This package contains common files for the Secure Shell server and
|
||||
clients.
|
||||
|
||||
%package server
|
||||
Summary: SSH (Secure Shell) server
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Recommends: audit
|
||||
Requires(pre): findutils
|
||||
Requires(pre): grep
|
||||
Requires(post): %fillup_prereq
|
||||
Requires(post): permissions
|
||||
Provides: openssh:%{_sbindir}/sshd
|
||||
%sysusers_requires
|
||||
|
||||
%description server
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This package contains the Secure Shell daemon, which allows clients to
|
||||
securely connect to your server.
|
||||
|
||||
%package server-config-rootlogin
|
||||
Summary: Config to permit root logins to sshd
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
|
||||
%description server-config-rootlogin
|
||||
The openssh-server package by default disallows password based
|
||||
root logins. This package provides a config that does. It's useful
|
||||
to temporarily have a password based login to be able to use
|
||||
ssh-copy-id(1).
|
||||
|
||||
%package clients
|
||||
Summary: SSH (Secure Shell) client applications
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Provides: openssh:%{_bindir}/ssh
|
||||
|
||||
%description clients
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This package contains clients for making secure connections to Secure
|
||||
Shell servers.
|
||||
|
||||
%if %{with ldap}
|
||||
%package helpers
|
||||
Summary: OpenSSH AuthorizedKeysCommand helpers
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
|
||||
%description helpers
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This package contains helper applications for OpenSSH which retrieve
|
||||
keys from various sources.
|
||||
%endif
|
||||
|
||||
%package fips
|
||||
Summary: OpenSSH FIPS crypto module HMACs
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Conflicts: %{name}-common < %{version}-%{release}
|
||||
Conflicts: %{name}-common > %{version}-%{release}
|
||||
Obsoletes: %{name}-hmac
|
||||
|
||||
%description fips
|
||||
This package contains hashes that, together with the main openssh packages,
|
||||
form the FIPS certifiable crypto module.
|
||||
|
||||
%package cavs
|
||||
Summary: OpenSSH FIPS crypto module CAVS tests
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
|
||||
%description cavs
|
||||
This package contains the FIPS-140 CAVS (Cryptographic Algorithm
|
||||
Validation Program/Suite) related tests of OpenSSH.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||
|
||||
%autopatch -p1
|
||||
|
||||
# set libexec dir in the LDAP patch
|
||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
$( grep -Rl @LIBEXECDIR@ \
|
||||
$( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
)
|
||||
|
||||
%build
|
||||
autoreconf -fiv
|
||||
%ifarch s390 s390x %{sparc}
|
||||
PIEFLAGS="-fPIE"
|
||||
%else
|
||||
PIEFLAGS="-fpie"
|
||||
%endif
|
||||
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
||||
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
||||
LDFLAGS="-pie -Wl,--as-needed"
|
||||
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
|
||||
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
%configure \
|
||||
--sysconfdir=%{_sysconfdir}/ssh \
|
||||
--libexecdir=%{_libexecdir}/ssh \
|
||||
--with-selinux \
|
||||
--with-pid-dir=/run \
|
||||
--with-systemd \
|
||||
--with-ssl-engine \
|
||||
--with-pam \
|
||||
--with-kerberos5=%{_prefix} \
|
||||
--with-privsep-path=%{_localstatedir}/lib/empty \
|
||||
%if %{sandbox_seccomp}
|
||||
--with-sandbox=seccomp_filter \
|
||||
%else
|
||||
--with-sandbox=rlimit \
|
||||
%endif
|
||||
--disable-strip \
|
||||
--with-audit=linux \
|
||||
%if %{with ldap}
|
||||
--with-ldap \
|
||||
%endif
|
||||
--with-xauth=%{_bindir}/xauth \
|
||||
--with-libedit \
|
||||
%if %{with wtmpdb}
|
||||
--with-wtmpdb \
|
||||
%endif
|
||||
%if 0%{?suse_version} >= 1550
|
||||
--disable-lastlog \
|
||||
--with-logind \
|
||||
%endif
|
||||
--with-security-key-builtin \
|
||||
--target=%{_target_cpu}-suse-linux
|
||||
|
||||
%make_build
|
||||
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
|
||||
|
||||
%install
|
||||
%make_install
|
||||
%if %{defined _distconfdir}
|
||||
install -d -m 755 %{buildroot}%{_pam_vendordir}
|
||||
install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd
|
||||
%else
|
||||
# SLE has no distconfdir, so use sle PAM config
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
|
||||
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/sshd
|
||||
%endif
|
||||
install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
|
||||
%if 0%{?suse_version} < 1600
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||
%endif
|
||||
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
||||
ln -s service %{buildroot}%{_sbindir}/rcsshd
|
||||
install -d -m 755 %{buildroot}%{_fillupdir}
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
||||
# install shell script to automate the process of adding your public key to a remote machine
|
||||
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
||||
|
||||
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
|
||||
# Move /etc to /usr/etc/ssh
|
||||
%if %{defined _distconfdir}
|
||||
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} < 1550
|
||||
# install firewall definitions
|
||||
mkdir -p %{buildroot}%{_fwdefdir}
|
||||
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
|
||||
%endif
|
||||
|
||||
# askpass wrapper
|
||||
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
|
||||
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
|
||||
rm -f %{buildroot}%{_datadir}/Ssh.bin
|
||||
# sshd keys generator wrapper
|
||||
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
|
||||
|
||||
# Install sysusers.d config for sshd user
|
||||
mkdir -p %{buildroot}%{_sysusersdir}
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
|
||||
|
||||
rm %{buildroot}/usr/libexec/ssh/ssh-keycat
|
||||
#rm -r %{buildroot}/usr/lib/debug/.build-id
|
||||
|
||||
# the hmac hashes - taken from openssl
|
||||
#
|
||||
# re-define the __os_install_post macro: the macro strips
|
||||
# the binaries and thereby invalidates any hashes created earlier.
|
||||
#
|
||||
# this shows up earlier because otherwise the %%expand of
|
||||
# the macro is too late.
|
||||
%{expand:%%global __os_install_post {%__os_install_post
|
||||
for b in \
|
||||
%{_bindir}/ssh \
|
||||
%{_sbindir}/sshd \
|
||||
%{_libexecdir}/ssh/sftp-server \
|
||||
; do
|
||||
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
|
||||
done
|
||||
|
||||
}}
|
||||
|
||||
%pre server -f sshd.pre
|
||||
%if %{defined _distconfdir}
|
||||
# Prepare for migration to /usr/etc.
|
||||
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
|
||||
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
|
||||
%endif
|
||||
|
||||
%service_add_pre sshd.service
|
||||
|
||||
%post server
|
||||
%{fillup_only -n ssh}
|
||||
%service_add_post sshd.service
|
||||
|
||||
%preun server
|
||||
%service_del_preun sshd.service
|
||||
|
||||
%postun server
|
||||
# The openssh-fips trigger script for openssh will normally restart sshd once
|
||||
# it gets installed, so only restart the service here if openssh-fips is not
|
||||
# present.
|
||||
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
|
||||
%service_del_postun_without_restart sshd.service
|
||||
else
|
||||
%service_del_postun sshd.service
|
||||
fi
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%posttrans server
|
||||
# Migration to /usr/etc.
|
||||
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd ||:
|
||||
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config ||:
|
||||
%endif
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%pre clients
|
||||
# Prepare for migration to /usr/etc.
|
||||
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
|
||||
%endif
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%posttrans clients
|
||||
# Migration to /usr/etc.
|
||||
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config ||:
|
||||
%endif
|
||||
|
||||
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
||||
%restart_on_update sshd
|
||||
|
||||
%files
|
||||
# openssh is an empty package that depends on -clients and -server,
|
||||
# resulting in a clean upgrade path from prior to the split even when
|
||||
# recommends are disabled.
|
||||
|
||||
%files common
|
||||
%license LICENCE
|
||||
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
||||
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
|
||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
|
||||
%else
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0600,root,root) %{_sysconfdir}/ssh/moduli
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
|
||||
%endif
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keygen*
|
||||
|
||||
%files server
|
||||
%attr(0755,root,root) %{_sbindir}/sshd
|
||||
%attr(0755,root,root) %{_sbindir}/rcsshd
|
||||
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
|
||||
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
|
||||
%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
|
||||
%attr(0644,root,root) %{_pam_vendordir}/sshd
|
||||
%else
|
||||
%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
||||
%endif
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
|
||||
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
|
||||
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
|
||||
%if 0%{?suse_version} < 1600
|
||||
%dir %{_sysconfdir}/slp.reg.d
|
||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||
%endif
|
||||
%{_fillupdir}/sysconfig.ssh
|
||||
%if 0%{?suse_version} < 1550
|
||||
%dir %{_fwdir}
|
||||
%dir %{_fwdefdir}
|
||||
%config %{_fwdefdir}/sshd
|
||||
%endif
|
||||
|
||||
%files server-config-rootlogin
|
||||
%if %{defined _distconfdir}
|
||||
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%else
|
||||
%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
|
||||
%files clients
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
||||
%else
|
||||
%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config
|
||||
%endif
|
||||
%attr(0755,root,root) %{_bindir}/ssh
|
||||
%attr(0755,root,root) %{_bindir}/scp*
|
||||
%attr(0755,root,root) %{_bindir}/sftp*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-add*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-agent*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-copy-id*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper*
|
||||
%attr(0444,root,root) %{_mandir}/man1/scp.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/sftp.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-add.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
||||
%attr(0444,root,root) %{_mandir}/man5/ssh_config.5*
|
||||
%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
||||
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||
|
||||
%if %{with ldap}
|
||||
%files helpers
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
||||
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
|
||||
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
|
||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||
%endif
|
||||
|
||||
%files fips
|
||||
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
||||
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
||||
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
||||
|
||||
%files cavs
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
||||
|
||||
%changelog
|
26
ssh-askpass
Normal file
26
ssh-askpass
Normal file
@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
|
||||
SESSION=
|
||||
|
||||
if [ -n "$KDE_FULL_SESSION" ] ; then
|
||||
SESSION=kde
|
||||
fi
|
||||
|
||||
if [ "$DESKTOP_SESSION" = "lxqt" ]; then
|
||||
SESSION=kde
|
||||
fi
|
||||
|
||||
GNOME_SSH_ASKPASS="@LIBEXECDIR@/ssh/gnome-ssh-askpass"
|
||||
KDE_SSH_ASKPASS="@LIBEXECDIR@/ssh/ksshaskpass"
|
||||
|
||||
case "$SESSION" in
|
||||
kde)
|
||||
[ -e $KDE_SSH_ASKPASS ] && exec $KDE_SSH_ASKPASS ${1+"$@"}
|
||||
exec $GNOME_SSH_ASKPASS ${1+"$@"}
|
||||
;;
|
||||
*)
|
||||
[ -e $GNOME_SSH_ASKPASS ] && exec $GNOME_SSH_ASKPASS ${1+"$@"}
|
||||
exec $KDE_SSH_ASKPASS ${1+"$@"}
|
||||
;;
|
||||
esac
|
||||
|
18
ssh.reg
Normal file
18
ssh.reg
Normal file
@ -0,0 +1,18 @@
|
||||
#############################################################################
|
||||
#
|
||||
# OpenSLP registration file
|
||||
#
|
||||
# register SSH daemon
|
||||
#
|
||||
#############################################################################
|
||||
|
||||
# Register the usual sshd, if it is running
|
||||
service:ssh://$HOSTNAME:22,en,65535
|
||||
tcp-port=22
|
||||
description=Secure Shell Daemon
|
||||
|
||||
# ssh can get used to copy files with konqueror using the fish:/ protocol
|
||||
service:fish://$HOSTNAME:22,en,65535
|
||||
tcp-port=22
|
||||
description=KDE file transfer via SSH
|
||||
|
9
sshd-gen-keys-start
Normal file
9
sshd-gen-keys-start
Normal file
@ -0,0 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
test -f /etc/sysconfig/ssh && . /etc/sysconfig/ssh
|
||||
|
||||
if [ "x$SSHD_AUTO_KEYGEN" != "xno" ]; then
|
||||
echo "Checking for missing server keys in /etc/ssh"
|
||||
test -d /etc/ssh || mkdir -p /etc/ssh
|
||||
ssh-keygen -A
|
||||
fi
|
11
sshd-sle.pamd
Normal file
11
sshd-sle.pamd
Normal file
@ -0,0 +1,11 @@
|
||||
#%PAM-1.0
|
||||
auth requisite pam_nologin.so
|
||||
auth include common-auth
|
||||
account requisite pam_nologin.so
|
||||
account include common-account
|
||||
password include common-password
|
||||
session required pam_loginuid.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include common-session
|
||||
session optional pam_motd.so
|
||||
|
5
sshd.fw
Normal file
5
sshd.fw
Normal file
@ -0,0 +1,5 @@
|
||||
## Name: Secure Shell Server
|
||||
## Description: Open ports for Secure Shell Server
|
||||
|
||||
# space separated list of allowed TCP ports
|
||||
TCP="ssh"
|
14
sshd.pamd
Normal file
14
sshd.pamd
Normal file
@ -0,0 +1,14 @@
|
||||
#%PAM-1.0
|
||||
auth requisite pam_nologin.so
|
||||
auth substack common-auth
|
||||
auth include postlogin-auth
|
||||
account requisite pam_nologin.so
|
||||
account substack common-account
|
||||
account include postlogin-account
|
||||
password substack common-password
|
||||
password include postlogin-password
|
||||
session required pam_loginuid.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session substack common-session
|
||||
session include postlogin-session
|
||||
session optional pam_motd.so
|
18
sshd.service
Normal file
18
sshd.service
Normal file
@ -0,0 +1,18 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
EnvironmentFile=-/etc/sysconfig/ssh
|
||||
ExecStartPre=/usr/sbin/sshd-gen-keys-start
|
||||
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
|
||||
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
RestartPreventExitStatus=255
|
||||
TasksMax=infinity
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
14
sysconfig.ssh
Normal file
14
sysconfig.ssh
Normal file
@ -0,0 +1,14 @@
|
||||
## Path: Network/Remote access/SSH
|
||||
## Description: SSH server settings
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: sshd
|
||||
#
|
||||
# Options for sshd
|
||||
#
|
||||
SSHD_OPTS=""
|
||||
|
||||
#
|
||||
# Whether to run ssh-keygen -A
|
||||
#
|
||||
SSHD_AUTO_KEYGEN="yes"
|
2
sysusers-sshd.conf
Normal file
2
sysusers-sshd.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# Type Name ID GECOS [HOME]
|
||||
u sshd - "SSH daemon" /var/lib/sshd
|
185
wtmpdb.patch
Normal file
185
wtmpdb.patch
Normal file
@ -0,0 +1,185 @@
|
||||
diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
|
||||
--- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100
|
||||
+++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200
|
||||
@@ -1703,6 +1703,49 @@
|
||||
fi ]
|
||||
)
|
||||
|
||||
+# Check whether user wants wtmpdb support
|
||||
+WTMPDB_MSG="no"
|
||||
+AC_ARG_WITH([wtmpdb],
|
||||
+ [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ if test "x$withval" = "xyes" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "x$PKGCONFIG" != "xno"; then
|
||||
+ AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb])
|
||||
+ if "$PKGCONFIG" libwtmpdb; then
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ use_pkgconfig_for_libwtmpdb=yes
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ else
|
||||
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
||||
+ if test -n "${rpath_opt}"; then
|
||||
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
|
||||
+ LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
|
||||
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
|
||||
+ else
|
||||
+ LIBWTMPDB="-lwtmpdb"
|
||||
+ fi
|
||||
+ OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
|
||||
+ AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
|
||||
+ [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
|
||||
+ WTMPDB_MSG="yes"
|
||||
+ AC_SUBST([LIBWTMPDB])
|
||||
+ ],
|
||||
+ [ AC_MSG_ERROR([libwtmpdb not found]) ],
|
||||
+ [ $OTHERLIBS ]
|
||||
+ )
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
AUDIT_MODULE=none
|
||||
AC_ARG_WITH([audit],
|
||||
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
|
||||
diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
|
||||
--- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100
|
||||
+++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200
|
||||
@@ -187,6 +187,10 @@
|
||||
# include <util.h>
|
||||
#endif
|
||||
|
||||
+#ifdef USE_WTMPDB
|
||||
+# include <wtmpdb.h>
|
||||
+#endif
|
||||
+
|
||||
/**
|
||||
** prototypes for helper functions in this file
|
||||
**/
|
||||
@@ -207,6 +211,9 @@
|
||||
int wtmpx_write_entry(struct logininfo *li);
|
||||
int lastlog_write_entry(struct logininfo *li);
|
||||
int syslogin_write_entry(struct logininfo *li);
|
||||
+#ifdef USE_WTMPDB
|
||||
+int wtmpdb_write_entry(struct logininfo *li);
|
||||
+#endif
|
||||
|
||||
int getlast_entry(struct logininfo *li);
|
||||
int lastlog_get_entry(struct logininfo *li);
|
||||
@@ -467,6 +474,9 @@
|
||||
#ifdef USE_WTMPX
|
||||
wtmpx_write_entry(li);
|
||||
#endif
|
||||
+#ifdef USE_WTMPDB
|
||||
+ wtmpdb_write_entry(li);
|
||||
+#endif
|
||||
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
|
||||
if (li->type == LTYPE_LOGIN &&
|
||||
!sys_auth_record_login(li->username,li->hostname,li->line,
|
||||
@@ -1409,6 +1419,64 @@
|
||||
}
|
||||
#endif /* USE_WTMPX */
|
||||
|
||||
+#ifdef USE_WTMPDB
|
||||
+static int
|
||||
+wtmpdb_perform_login(struct logininfo *li)
|
||||
+{
|
||||
+ uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
|
||||
+ const char *tty;
|
||||
+
|
||||
+ if (strncmp(li->line, "/dev/", 5) == 0)
|
||||
+ tty = &(li->line[5]);
|
||||
+ else
|
||||
+ tty = li->line;
|
||||
+
|
||||
+ li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
|
||||
+ login_time, tty, li->hostname, 0, 0);
|
||||
+ if (li->wtmpdb_id < 0)
|
||||
+ return (0);
|
||||
+
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static int
|
||||
+wtmpdb_perform_logout(struct logininfo *li)
|
||||
+{
|
||||
+ uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
|
||||
+
|
||||
+ if (li->wtmpdb_id == 0) {
|
||||
+ const char *tty;
|
||||
+
|
||||
+ if (strncmp(li->line, "/dev/", 5) == 0)
|
||||
+ tty = &(li->line[5]);
|
||||
+ else
|
||||
+ tty = li->line;
|
||||
+
|
||||
+ li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
|
||||
+ }
|
||||
+ wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
|
||||
+
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
+
|
||||
+int
|
||||
+wtmpdb_write_entry(struct logininfo *li)
|
||||
+{
|
||||
+ switch(li->type) {
|
||||
+ case LTYPE_LOGIN:
|
||||
+ return (wtmpdb_perform_login(li));
|
||||
+ case LTYPE_LOGOUT:
|
||||
+ return (wtmpdb_perform_logout(li));
|
||||
+ default:
|
||||
+ logit("%s: invalid type field", __func__);
|
||||
+ return (0);
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
/**
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
|
||||
--- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100
|
||||
+++ openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200
|
||||
@@ -79,6 +79,9 @@
|
||||
unsigned int tv_sec;
|
||||
unsigned int tv_usec;
|
||||
union login_netinfo hostaddr; /* caller's host address(es) */
|
||||
+#ifdef USE_WTMPDB
|
||||
+ int64_t wtmpdb_id; /* ID for wtmpdb_logout */
|
||||
+#endif
|
||||
}; /* struct logininfo */
|
||||
|
||||
/*
|
||||
diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
|
||||
--- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100
|
||||
+++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200
|
||||
@@ -55,6 +55,7 @@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBFIDO2=@LIBFIDO2@
|
||||
+LIBWTMPDB=@LIBWTMPDB@
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
RANLIB=@RANLIB@
|
||||
@@ -212,7 +213,7 @@
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
Loading…
Reference in New Issue
Block a user