openssh/openssh-7.7p1-hostname_changes_when_forwarding_X.patch

84 lines
2.5 KiB
Diff
Raw Normal View History

# HG changeset patch
# Parent 5e19a205fa03584bb0d829ecbba7495ce1899b65
# -- uset do be called '-xauthlocalhostname'
handle hostname changes when forwarding X
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
Index: openssh-8.4p1/session.c
===================================================================
--- openssh-8.4p1.orig/session.c
+++ openssh-8.4p1/session.c
@@ -985,7 +985,7 @@ copy_environment(char **source, char ***
Accepting request 811897 from home:hpjansson:openssh-8.3 - Version update to 8.3p1: = Potentially-incompatible changes * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. = New features * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks. * ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding. * all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path". - Additional changes from 8.2p1 release: = Potentially-incompatible changes * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation OBS-URL: https://build.opensuse.org/request/show/811897 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=211
2020-06-06 08:49:00 +02:00
#endif
static char **
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
{
char buf[256];
size_t n;
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
+
+ *env_size = envsize;
return env;
}
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s
* first in this order).
*/
static void
-do_rc_files(struct ssh *ssh, Session *s, const char *shell)
+do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size)
{
FILE *f = NULL;
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
char *cmd = NULL, *user_rc = NULL;
@@ -1260,12 +1262,20 @@ do_rc_files(struct ssh *ssh, Session *s,
fatal("%s: xasprintf: %s", __func__, strerror(errno));
f = popen(cmd, "w");
if (f) {
+ char hostname[MAXHOSTNAMELEN];
+
fprintf(f, "remove %s\n",
s->auth_display);
fprintf(f, "add %s %s %s\n",
s->auth_display, s->auth_proto,
s->auth_data);
pclose(f);
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
+ hostname);
+ else
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
+ strerror(errno));
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
@@ -1526,6 +1536,7 @@ do_child(struct ssh *ssh, Session *s, co
Accepting request 737034 from home:hpjansson:branches:network Version update to 8.1p1: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). * ssh(1): Allow %n to be expanded in ProxyCommand strings * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" * ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email). * ssh-keygen(1): print key comment when extracting public key from a private key. * ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. * All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. - Additional changes from 8.0p1 release: * scp(1): Add "-T" flag to disable client-side filtering of server file list. * sshd(8): Remove support for obsolete "host/port" syntax. OBS-URL: https://build.opensuse.org/request/show/737034 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=197
2019-10-10 15:32:50 +02:00
char **env, *argv[ARGV_MAX], remote_id[512];
const char *shell, *shell0;
struct passwd *pw = s->pw;
Accepting request 737034 from home:hpjansson:branches:network Version update to 8.1p1: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). * ssh(1): Allow %n to be expanded in ProxyCommand strings * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" * ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email). * ssh-keygen(1): print key comment when extracting public key from a private key. * ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. * All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. - Additional changes from 8.0p1 release: * scp(1): Add "-T" flag to disable client-side filtering of server file list. * sshd(8): Remove support for obsolete "host/port" syntax. OBS-URL: https://build.opensuse.org/request/show/737034 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=197
2019-10-10 15:32:50 +02:00
+ int env_size;
int r = 0;
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
@@ -1582,7 +1593,7 @@ do_child(struct ssh *ssh, Session *s, co
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
- env = do_setup_env(ssh, s, shell);
+ env = do_setup_env(ssh, s, shell, &env_size);
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
@@ -1646,7 +1657,7 @@ do_child(struct ssh *ssh, Session *s, co
closefrom(STDERR_FILENO + 1);
- do_rc_files(ssh, s, shell);
+ do_rc_files(ssh, s, shell, env, &env_size);
/* restore SIGPIPE for child */
Accepting request 811897 from home:hpjansson:openssh-8.3 - Version update to 8.3p1: = Potentially-incompatible changes * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. = New features * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks. * ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding. * all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path". - Additional changes from 8.2p1 release: = Potentially-incompatible changes * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation OBS-URL: https://build.opensuse.org/request/show/811897 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=211
2020-06-06 08:49:00 +02:00
ssh_signal(SIGPIPE, SIG_DFL);