pool/openssh
SHA256
12
0
Fork 1
Code Issues Pull Requests Activity

Accepting request 1272617 from network

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1272617
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=193
This commit is contained in:
Ana Guerrero
2025-04-25 20:18:22 +00:00
committed by Git OBS Bridge
parent b867c42e05 e33b294c28
commit 19a564c163
28 changed files with 496 additions and 442 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
fix-x11-regression-bsc1229449.patch
View File

@@ -1,56 +0,0 @@
Index: openssh-9.9p1/clientloop.c
===================================================================
--- openssh-9.9p1.orig/clientloop.c
+++ openssh-9.9p1/clientloop.c
@@ -663,9 +663,10 @@ obfuscate_keystroke_timing(struct ssh *s
if (just_started)
return 1;
- /* Don't arm output fd for poll until the timing interval has elapsed */
+ /* Don't arm output fd for poll until the timing interval has elapsed... */
if (timespeccmp(&now, &next_interval, <))
- return 0;
+ /* ...unless there's x11 communicattion happening */
+ return x11_channel_used_recently(ssh);
/* Calculate number of intervals missed since the last check */
n = (now.tv_sec - next_interval.tv_sec) * 1000LL * 1000 * 1000;
Index: openssh-9.9p1/channels.c
===================================================================
--- openssh-9.9p1.orig/channels.c
+++ openssh-9.9p1/channels.c
@@ -5352,3 +5352,22 @@ x11_request_forwarding_with_spoofing(str
fatal_fr(r, "send x11-req");
free(new_data);
}
+
+/*
+ * Returns whether an x11 channel was used recently (less than a second ago)
+ */
+int
+x11_channel_used_recently(struct ssh *ssh) {
+ u_int i;
+ Channel *c;
+ time_t lastused = 0;
+
+ for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
+ c = ssh->chanctxt->channels[i];
+ if (c == NULL || c->ctype == NULL || c->lastused == 0 ||
+ strcmp(c->ctype, "x11-connection"))
+ continue;
+ lastused = c->lastused;
+ }
+ return (lastused != 0 && monotime() < lastused + 1);
+}
Index: openssh-9.9p1/channels.h
===================================================================
--- openssh-9.9p1.orig/channels.h
+++ openssh-9.9p1/channels.h
@@ -382,6 +382,7 @@ int x11_connect_display(struct ssh *);
int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
void x11_request_forwarding_with_spoofing(struct ssh *, int,
const char *, const char *, const char *, int);
+int x11_channel_used_recently(struct ssh *ssh);
/* channel close */

6
logind_set_tty.patch
View File

@@ -14,8 +14,8 @@ index f0ea07e7b..35dcf45f1 100644
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBSYSTEMD)
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
@@ -195,6 +195,6 @@ index 86caf83b2..8b413190b 100644
+}
+#endif
+
/**
** Low-level libutil login() functions
**/

BIN
openssh-10.0p1.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
openssh-10.0p1.tar.gz.asc Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmf2G9sACgkQKj9BTnNg
YLotnA//ffB/6FpNdutTHMItUiZC693bQyyOAFGfnSMp6IwTkMdXa0rMdzch0wQ7
Uu3qQIeOqah8gd6tTqX4s26OqXflnMJtL2vf1d8zhD1deMJeIKnrJW39hiSLFTsU
vgcYXR/02yGpBXkAzm4A7kieW3PkBV9WT/Y2HV1qbHc78vZt76iWuD5AZb4D3WG8
5aD/XfLE3a5ZVBrgwPPCaHKjtJY7WMnDMHlX5pdEUAj4wjC9KjRKdbpsg/Tad8DO
bhVvT7CqrcJx6Q/qr0/PoTBOIRksB4rKH2XVRu4ZrEI/LN7ghu/rFEYJyiNgtjFK
NMaXFc5Ie4uPzEJJ5O0dGHcO5B2LWZbOJE0Cr7d2lJBJfeci3sm34FdKZnK6SDsG
j4WETUSKiwogHzhT1oA/Pr8vKWnWy7rbCDHnjRrWWjszR7W3YZ4BT2Rc4hCuh3rC
wrt1kGzwgLfCRGWP4QarybGOsNNIFTEZovwLD3Az3p0cnG3XPQsQQ9ZofvhjZgU7
g8N/8wndQ72U8Gsmb/KPUeOpO0uMGOUHK3Bl0/apPdF1o54jzHeOy1D76IPZxbjn
ystFba6IKA3iLU7P8qe+6oa4Uvi0mHCawKtds4QHlIjy8cXwjXfeF+jRUEimqKeG
jw1oF5OLwvF6ZgDkPz2Pcfie6Bee4BBUrLOT9Un+29qDYYCpnR8=
=XwX3
-----END PGP SIGNATURE-----

8
openssh-6.6.1p1-selinux-contexts.patch
View File

@@ -104,12 +104,12 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.h
#endif
#ifdef LINUX_OOM_ADJUST
Index: openssh-9.6p1/sshd-session.c
Index: openssh-9.6p1/sshd-auth.c
===================================================================
--- openssh-9.6p1.orig/sshd-session.c
+++ openssh-9.6p1/sshd-session.c
--- openssh-9.6p1.orig/sshd-auth.c
+++ openssh-9.6p1/sshd-auth.c
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
demote_sensitive_data(ssh);
#endif
#ifdef WITH_SELINUX
- ssh_selinux_change_context("sshd_net_t");

23
openssh-6.6p1-privsep-selinux.patch
View File

@@ -81,7 +81,7 @@ Index: openssh-9.3p2/session.c
@@ -1487,9 +1495,6 @@ do_pwchange(Session *s)
if (s->ttyfd != -1) {
fprintf(stderr,
"You must change your password now and login again!\n");
"You must change your password now and log in again!\n");
-#ifdef WITH_SELINUX
- setexeccon(NULL);
-#endif
@@ -98,14 +98,15 @@ Index: openssh-9.3p2/session.c
exit(sftp_server_main(i, argv, s->pw));
}
Index: openssh-9.3p2/sshd-session.c
Index: openssh-10/sshd-auth.c
===================================================================
--- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd-session.c
@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
/* Demote the private keys to public keys. */
demote_sensitive_data(ssh);
--- openssh-10.orig/sshd-auth.c
+++ openssh-10/sshd-auth.c
@@ -200,6 +200,11 @@ privsep_preauth_child(struct ssh *ssh)
if ((box = ssh_sandbox_init(pmonitor)) == NULL)
fatal_f("ssh_sandbox_init failed");
#endif
+
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("sshd_net_t");
+#endif
@@ -113,7 +114,11 @@ Index: openssh-9.3p2/sshd-session.c
/* Demote the child */
if (privsep_chroot) {
/* Change our root directory */
@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
Index: openssh-9.3p2/sshd-session.c
===================================================================
--- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd-session.c
@@ -490,7 +490,7 @@ privsep_postauth(struct ssh *ssh, Authct
* fd passing, as AFAIK PTY allocation on this platform doesn't require
* special privileges to begin with.
*/

13
openssh-7.6p1-cleanup-selinux.patch
View File

@@ -265,6 +265,19 @@ Index: openssh-9.3p2/sshd-session.c
#endif
#ifdef USE_PAM
if (options.use_pam) {
Index: openssh-10.0p1/sshd-auth.c
===================================================================
--- openssh-10.0p1.orig/sshd-auth.c
+++ openssh-10.0p1/sshd-auth.c
@@ -122,7 +122,7 @@ char *config_file_name = _PATH_SERVER_CO
int debug_flag = 0;
/* Flag indicating that the daemon is being started from inetd. */
-static int inetd_flag = 0;
+int inetd_flag = 0;
/* Saved arguments to main(). */
static char **saved_argv;
Index: openssh-9.3p2/sshconnect.c
===================================================================
--- openssh-9.3p2.orig/sshconnect.c

4
openssh-7.7p1-cavstest-ctr.patch
View File

@@ -7,7 +7,7 @@ Index: openssh-8.8p1/Makefile.in
--- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSHD_SESSION=$(libexecdir)/sshd-session
SSHD_AUTH=$(libexecdir)/sshd-auth
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
@@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
STRIP_OPT=@STRIP_OPT@
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE)
+TARGETS += cavstest-ctr$(EXEEXT)
+

2
openssh-7.7p1-cavstest-kdf.patch
View File

@@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
STRIP_OPT=@STRIP_OPT@
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE)
-TARGETS += cavstest-ctr$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)

8
openssh-7.7p1-fips.patch
View File

@@ -574,8 +574,8 @@ Index: openssh-9.6p1/readconf.c
--- openssh-9.6p1.orig/readconf.c
+++ openssh-9.6p1/readconf.c
@@ -71,6 +71,8 @@
#include "myproposal.h"
#include "digest.h"
#include "version.h"
+#include "fips.h"
+
@@ -642,9 +642,9 @@ Index: openssh-9.6p1/servconf.c
--- openssh-9.6p1.orig/servconf.c
+++ openssh-9.6p1/servconf.c
@@ -68,6 +68,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
#include "version.h"
+#include "fips.h"
#if !defined(SSHD_PAM_SERVICE)
@@ -785,14 +785,14 @@ Index: openssh-9.6p1/sshd.c
--- openssh-9.6p1.orig/sshd.c
+++ openssh-9.6p1/sshd.c
@@ -128,6 +128,8 @@
#include "addr.h"
#include "srclimit.h"
#include "atomicio.h"
+#include "fips.h"
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 2)
Index: openssh-9.6p1/sshd_config.5
===================================================================
--- openssh-9.6p1.orig/sshd_config.5

4
openssh-7.7p1-fips_checks.patch
View File

@@ -444,7 +444,7 @@ Index: openssh-8.8p1/ssh.c
/* Saves a copy of argv for setproctitle emulation */
@@ -632,6 +634,10 @@ main(int ac, char **av)
u_int j;
struct utsname utsname;
struct ssh_conn_info *cinfo = NULL;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
@@ -459,7 +459,7 @@ Index: openssh-8.8p1/sshd.c
--- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
struct connection_info connection_info;
struct utsname utsname;
sigset_t sigmask;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a

4
openssh-7.7p1-ldap.patch
View File

@@ -128,7 +128,7 @@ Index: openssh-8.9p1/Makefile.in
--- openssh-8.9p1.orig/Makefile.in
+++ openssh-8.9p1/Makefile.in
@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSHD_SESSION=$(libexecdir)/sshd-session
SSHD_AUTH=$(libexecdir)/sshd-auth
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -168,7 +168,7 @@ Index: openssh-8.9p1/Makefile.in
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -421,6 +429,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd-auth$(EXEEXT) $(DESTDIR)$(SSHD_AUTH)$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \

2
openssh-7.8p1-role-mls.patch
View File

@@ -276,8 +276,8 @@ diff -up openssh/monitor.h.role-mls openssh/monitor.h
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
@@ -55,6 +55,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50,
MONITOR_REQ_STATE = 51, MONITOR_ANS_STATE = 52,
+#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE = 80,

41
openssh-8.0p1-gssapi-keyex.patch
View File

@@ -19,6 +19,15 @@ index e7549470..b68c1710 100644
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
sftp-server.o sftp-common.o \
@@ -155,7 +156,7 @@ SSHD_AUTH_OBJS=sshd-auth.o \
groupaccess.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
- monitor_wrap.o auth-krb5.o \
+ monitor_wrap.o auth-krb5.o kexgsss.o \
audit.o audit-bsm.o audit-linux.o platform.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
sandbox-null.o sandbox-rlimit.o sandbox-darwin.o \
@@ -523,7 +523,7 @@ regress-prep:
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
@@ -2534,11 +2543,11 @@ index 2ce89fe9..ebf76c7f 100644
+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
{MONITOR_REQ_STATE, MON_ONCE, mm_answer_state},
#ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_STATE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
@@ -2869,9 +2878,9 @@ diff -up a/readconf.c.gsskex b/readconf.c
--- a/readconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
+++ b/readconf.c 2021-08-27 12:25:42.556421509 +0200
@@ -67,6 +67,7 @@
#include "uidswap.h"
#include "myproposal.h"
#include "digest.h"
#include "version.h"
+#include "ssh-gss.h"
#include "fips.h"
@@ -3020,9 +3029,9 @@ diff -up a/servconf.c.gsskex b/servconf.c
--- a/servconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
+++ b/servconf.c 2021-08-27 12:28:15.887735189 +0200
@@ -70,6 +70,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
#include "version.h"
+#include "ssh-gss.h"
#include "fips.h"
@@ -3297,8 +3306,8 @@ index 60de6087..db5c65bc 100644
--- a/ssh.1
+++ b/ssh.1
@@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see
.It GatewayPorts
.It GlobalKnownHostsFile
.It ForwardX11Timeout
.It ForwardX11Trusted
.It GSSAPIAuthentication
+.It GSSAPIKeyExchange
+.It GSSAPIClientIdentity
@@ -3307,9 +3316,9 @@ index 60de6087..db5c65bc 100644
+.It GSSAPIRenewalForcesRekey
+.It GSSAPIServerIdentity
+.It GSSAPITrustDns
.It GatewayPorts
.It GlobalKnownHostsFile
.It HashKnownHosts
.It Host
.It HostbasedAcceptedAlgorithms
@@ -624,6 +624,8 @@
(supported message integrity codes),
.Ar kex
@@ -3691,7 +3700,11 @@ index 60b2aaf7..d92f03aa 100644
sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf);
}
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
diff --git a/sshd-auth.c b/sshd-auth.c
index 60b2aaf7..d92f03aa 100644
--- a/sshd-auth.c
+++ b/sshd-auth.c
@@ -840,6 +840,48 @@ do_ssh2_kex(struct ssh *ssh)
free(hkalgs);
@@ -3740,11 +3753,11 @@ index 60b2aaf7..d92f03aa 100644
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
#ifdef OPENSSL_HAS_ECC
@@ -855,7 +898,18 @@ do_ssh2_kex(struct ssh *ssh)
# ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
#endif
-#endif
# endif /* OPENSSL_HAS_ECC */
-#endif /* WITH_OPENSSL */
+# ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -3759,7 +3772,7 @@ index 60b2aaf7..d92f03aa 100644
+#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
diff --git a/sshd_config b/sshd_config
index 19b7c91a..2c48105f 100644
--- a/sshd_config

93
openssh-8.1p1-audit.patch
View File

@@ -1122,7 +1122,7 @@ Index: openssh-8.9p1/monitor.c
#include "ssherr.h"
#include "sk-api.h"
@@ -107,6 +108,8 @@ extern u_int utmp_len;
extern struct sshbuf *loginmsg;
extern struct include_list includes;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
+extern void destroy_sensitive_data(struct ssh *);
@@ -1878,12 +1878,9 @@ Index: openssh-8.9p1/session.c
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command);
@@ -1550,8 +1562,11 @@ do_child(struct ssh *ssh, Session *s, co
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
@@ -1550,6 +1562,9 @@ do_child(struct ssh *ssh, Session *s, co
/* remove hostkey from the child's memory */
- destroy_sensitive_data();
+ destroy_sensitive_data(ssh);
/* remove keys from memory */
ssh_packet_clear_keys(ssh);
+ /* Don't audit this - both us and the parent would be talking to the
+ monitor over a single socket, with no synchronization. */
@@ -2075,9 +2072,9 @@ Index: openssh-8.9p1/sshd-session.c
#endif
#include "monitor_wrap.h"
+#include "audit.h"
#include "ssh-sandbox.h"
#include "auth-options.h"
#include "version.h"
#include "ssherr.h"
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
struct sshbuf *loginmsg;
@@ -2086,9 +2083,9 @@ Index: openssh-8.9p1/sshd-session.c
-void demote_sensitive_data(void);
+void destroy_sensitive_data(struct ssh *);
+void demote_sensitive_data(struct ssh *);
static void do_ssh2_kex(struct ssh *);
/*
/* XXX reduce to stub once postauth split */
int
@@ -382,18 +383,40 @@ grace_alarm_handler(int sig)
_exit(EXIT_LOGIN_GRACE);
}
@@ -2173,42 +2170,42 @@ Index: openssh-8.9p1/sshd-session.c
}
/* Certs do not need demotion */
}
@@ -443,7 +489,7 @@ reseed_prngs(void)
}
static void
-privsep_preauth_child(void)
+privsep_preauth_child(struct ssh *ssh)
{
gid_t gidset[1];
@@ -458,7 +504,7 @@ privsep_preauth_child(void)
reseed_prngs();
/* Demote the private keys to public keys. */
- demote_sensitive_data();
+ demote_sensitive_data(ssh);
/* Demote the child */
if (privsep_chroot) {
@@ -493,7 +539,7 @@ privsep_preauth(struct ssh *ssh)
pmonitor->m_pkex = &ssh->kex;
box = ssh_sandbox_init(pmonitor);
- pid = fork();
+ pmonitor->m_pid = pid = fork();
if (pid == -1) {
fatal("fork of unprivileged child failed");
} else if (pid != 0) {
@@ -538,7 +584,7 @@ privsep_preauth(struct ssh *ssh)
/* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
- privsep_preauth_child();
+ privsep_preauth_child(ssh);
setproctitle("%s", "[net]");
if (box != NULL)
ssh_sandbox_child(box);
#@@ -443,7 +489,7 @@ reseed_prngs(void)
# }
#
# static void
#-privsep_preauth_child(void)
#+privsep_preauth_child(struct ssh *ssh)
# {
# gid_t gidset[1];
#
#@@ -458,7 +504,7 @@ privsep_preauth_child(void)
# reseed_prngs();
#
# /* Demote the private keys to public keys. */
#- demote_sensitive_data();
#+ demote_sensitive_data(ssh);
#
# /* Demote the child */
# if (privsep_chroot) {
#@@ -493,7 +539,7 @@ privsep_preauth(struct ssh *ssh)
# pmonitor->m_pkex = &ssh->kex;
#
# box = ssh_sandbox_init(pmonitor);
#- pid = fork();
#+ pmonitor->m_pid = pid = fork();
# if (pid == -1) {
# fatal("fork of unprivileged child failed");
# } else if (pid != 0) {
#@@ -538,7 +584,7 @@ privsep_preauth(struct ssh *ssh)
# /* Arrange for logging to be sent to the monitor */
# set_log_handler(mm_log_handler, pmonitor);
#
#- privsep_preauth_child();
#+ privsep_preauth_child(ssh);
# setproctitle("%s", "[net]");
# if (box != NULL)
# ssh_sandbox_child(box);
@@ -582,7 +628,7 @@ privsep_postauth(struct ssh *ssh, Authct
pmonitor->m_sendfd = -1;
@@ -2218,7 +2215,7 @@ Index: openssh-8.9p1/sshd-session.c
reseed_prngs();
@@ -2311,6 +2358,9 @@ main(int ac, char **av)
@@ -1352,6 +1398,9 @@ main(int ac, char **av)
do_authenticated(ssh, authctxt);
/* The connection has been terminated. */
@@ -2228,7 +2225,7 @@ Index: openssh-8.9p1/sshd-session.c
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2491,6 +2541,15 @@ do_ssh2_kex(struct ssh *ssh)
@@ -1397,6 +1446,15 @@ do_ssh2_kex(struct ssh *ssh)
void
cleanup_exit(int i)
{
@@ -2244,7 +2241,7 @@ Index: openssh-8.9p1/sshd-session.c
extern int auth_attempted; /* monitor.c */
if (the_active_state != NULL && the_authctxt != NULL) {
@@ -2525,7 +2593,9 @@ cleanup_exit(int i)
@@ -1413,7 +1471,9 @@ cleanup_exit(int i)
}
#ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */

20
openssh-8.4p1-vendordir.patch
View File

@@ -58,11 +58,11 @@ Index: openssh-8.9p1/ssh.c
--- openssh-8.9p1.orig/ssh.c
+++ openssh-8.9p1/ssh.c
@@ -549,6 +549,7 @@ static void
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
int *want_final_pass)
process_config_files(const char *host_name, struct passwd *pw,
int final_pass, int *want_final_pass)
{
+ struct stat st;
char buf[PATH_MAX];
char *cmd, buf[PATH_MAX];
int r;
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
@@ -71,7 +71,7 @@ Index: openssh-8.9p1/ssh.c
- /* Read systemwide configuration file after user config. */
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
- host, host_name, &options,
- host, host_name, cmd, &options,
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
@@ -80,19 +80,19 @@ Index: openssh-8.9p1/ssh.c
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
+ /* Read vendor distributed configuration file. */
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
+ pw, host, host_name, &options,
+ pw, host, host_name, cmd, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ } else {
+ /* Read systemwide configuration file after user config. */
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
+ host, host_name, &options,
+ host, host_name, cmd, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ }
}
free(cmd);
}
Index: openssh-8.9p1/ssh_config.5
===================================================================
--- openssh-8.9p1.orig/ssh_config.5
@@ -187,14 +187,14 @@ Index: openssh-8.9p1/ssh-keysign.c
/* verify that ssh-keysign is enabled by the admin */
initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", "",
- &options, 0, NULL);
+
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", "",
+ &options, 0, NULL);
+ else
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "", "",
+ &options, 0, NULL);
+
(void)fill_default_options(&options);

24
openssh-9.6p1-crypto-policies-man.patch
View File

@@ -64,8 +64,8 @@ Index: openssh-9.6p1/ssh_config.5
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr
-.Ed
-.Pp
The list of available ciphers may also be obtained using
@@ -160,7 +160,7 @@ Index: openssh-9.6p1/ssh_config.5
.It Cm HostKeyAlias
Specifies an alias that should be used instead of the
real host name when looking up or saving the host key
@@ -1311,37 +1313,30 @@ it may be zero or more of:
@@ -1311,36 +1313,30 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
@@ -194,15 +194,14 @@ Index: openssh-9.6p1/ssh_config.5
-.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
-mlkem768x25519-sha256,
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,
-diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256,
-diffie-hellman-group14-sha1
-diffie-hellman-group14-sha256
-.Ed
+built-in openssh default set.
.Pp
@@ -386,8 +385,8 @@ Index: openssh-9.6p1/sshd_config.5
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr
-.Ed
-.Pp
The list of available ciphers may also be obtained using
@@ -535,19 +534,16 @@ Index: openssh-9.6p1/sshd_config.5
.Pp
The supported algorithms are:
.Pp
@@ -1072,17 +1057,6 @@ ecdh-sha2-nistp521
@@ -1072,14 +1057,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
-mlkem768x25519-sha256,
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
-.Ed
-.Pp
The list of supported key exchange algorithms may also be obtained using

BIN
openssh-9.9p2.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

16
openssh-9.9p2.tar.gz.asc
View File

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAme0QfUACgkQKj9BTnNg
YLo91A/7BcRjsaDO7VydmhkGWrQOtD/7p4LaSjJE8JY23YsEVRvOkUKJ8OPo7uVq
LxcpDqlaVxHSO/zVfgZg4tQHJct4MLp20PvokMCi6+k7GcioL+TOB19ON0FAx/Pq
vgUWv7jd7w0kT/Rpkygtrg4i0oFf2lg5cJEGFTHAuXsny+Sj+vmcCk92K2TW4e/8
tKgBsZrN7qVnmOAUeyAxFLZ7WiDVzfLTlPiVOfrGjEkbzNLiavjiCGBhGspkluRi
16O5txRp248FqlLgv42sgfUmJOqLSuSNchqk5ioB/9lHia5tDFG/d/4uNP/ELX6M
cAKvs0C0XV3QZxCxBQDL7/49YMsdFnbRIin86mPcahqb75ZpkK9rIgHuKhpgY8Jo
q8WlIPehai3vBWAkpFAsPWOZZwjd6a4C/YmD3pGyjH32rL6gxdHjKGs49nhKkDG9
izwIeCmNu3Ta+e/wEPcOBSX75bFfC83f51yhJb6PUvBl9OSm/L0LeoszmsKWd32j
Iu19zqlabAH7zZSEl1ZWd6Ct0X5XOEaOXGamz5Qw7XIEqfYmQyX/aY5M3/mWmq0K
1Z29MCEtFOirIiwcwUw80d4MCIIEol26M97Y00ZmZMBO7bCoCVr8FldHBfqbHBtC
dTdqesVDiRD/j5VZ3y/MgYo5e13F2OvtdCbvUi3DF2Uh5Rnk2nw=
=r4jr
-----END PGP SIGNATURE-----

14
openssh-askpass-gnome.changes
View File

@@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Apr 10 08:16:09 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- "Update" to openssh 10.0p2:
* No changes for askpass, see main package changelog for
details.
-------------------------------------------------------------------
Wed Apr 9 09:33:10 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 10.0p1:
* No changes for askpass, see main package changelog for
details.
-------------------------------------------------------------------
Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

9
openssh-askpass-gnome.spec
View File

@@ -18,14 +18,15 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 9.9p2
Version: 10.0p2
%define wrongly_named_version 10.0p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause
Group: Productivity/Networking/SSH
URL: https://www.openssh.com/
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{wrongly_named_version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{wrongly_named_version}.tar.gz.asc
Requires: %{_name}-clients = %{version}
Supplements: packageand(openssh-clients:libgtk-3-0)
%if 0%{?suse_version} >= 1550
@@ -40,7 +41,7 @@ for executing commands on a remote machine. This package contains a
GNOME-based passphrase dialog for OpenSSH.
%prep
%autosetup -p1 -n %{_name}-%{version}
%autosetup -p1 -n %{_name}-%{wrongly_named_version}
%build
cd contrib

50
openssh-mitigate-lingering-secrets.patch
View File

@@ -269,7 +269,7 @@ Index: openssh-9.3p2/sshd-session.c
--- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd-session.c
@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
static void do_ssh2_kex(struct ssh *);
}
/*
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
@@ -306,14 +306,14 @@ Index: openssh-9.3p2/sshd-session.c
/*
* Hack for systems that don't support FD passing: retain privileges
* in the post-auth privsep process so it can allocate PTYs directly.
@@ -1354,6 +1356,7 @@ main(int ac, char **av)
*/
mm_send_keystate(ssh, pmonitor);
ssh_packet_clear_keys(ssh);
+ clobber_stack();
exit(0);
authenticated:
#@@ -1354,6 +1356,7 @@ main(int ac, char **av)
# */
# mm_send_keystate(ssh, pmonitor);
# ssh_packet_clear_keys(ssh);
#+ clobber_stack();
# exit(0);
#
# authenticated:
@@ -1431,6 +1434,7 @@ main(int ac, char **av)
mm_terminate();
@@ -343,3 +343,35 @@ Index: openssh-9.3p2/sshd-session.c
/* Override default fatal exit value when auth was attempted */
if (i == 255 && auth_attempted)
_exit(EXIT_AUTH_ATTEMPTED);
Index: openssh-9.9p2/sshd-auth.c
===================================================================
--- openssh-9.9p2.orig/sshd-auth.c
+++ openssh-9.9p2/sshd-auth.c
@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
return 0;
}
+/*
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
+ * information leaks due to registers and other data having been stored on
+ * the stack. Called after fork() and before exit().
+ */
+static void
+clobber_stack(void)
+{
+ char data [32768];
+
+ explicit_bzero(data, 32768);
+}
+
static void
privsep_child_demote(void)
{
@@ -796,6 +796,7 @@ main(int ac, char **av)
*/
mm_send_keystate(ssh, pmonitor);
ssh_packet_clear_keys(ssh);
+ clobber_stack();
exit(0);
}

41
openssh-reenable-dh-group14-sha1-default.patch
View File

@@ -1,41 +0,0 @@
Index: openssh-8.9p1/myproposal.h
===================================================================
--- openssh-8.9p1.orig/myproposal.h
+++ openssh-8.9p1/myproposal.h
@@ -34,7 +34,8 @@
"diffie-hellman-group-exchange-sha256," \
"diffie-hellman-group16-sha512," \
"diffie-hellman-group18-sha512," \
- "diffie-hellman-group14-sha256"
+ "diffie-hellman-group14-sha256," \
+ "diffie-hellman-group14-sha1"
#define KEX_CLIENT_KEX KEX_SERVER_KEX
Index: openssh-8.9p1/ssh_config.5
===================================================================
--- openssh-8.9p1.orig/ssh_config.5
+++ openssh-8.9p1/ssh_config.5
@@ -1228,7 +1228,8 @@ sntrup761x25519-sha512@openssh.com,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,
+diffie-hellman-group14-sha1
.Ed
.Pp
The list of supported key exchange algorithms may also be obtained using
Index: openssh-8.9p1/sshd_config.5
===================================================================
--- openssh-8.9p1.orig/sshd_config.5
+++ openssh-8.9p1/sshd_config.5
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
.Ed
.Pp
The list of supported key exchange algorithms may also be obtained using

30
openssh-send-extra-term-env.patch Normal file
View File

@@ -0,0 +1,30 @@
Index: openssh-10.0p1/ssh_config
===================================================================
--- openssh-10.0p1.orig/ssh_config
+++ openssh-10.0p1/ssh_config
@@ -49,6 +49,10 @@ Host *
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
+# Send environment variables useful for terminal identification.
+ SendEnv LC_TERMINAL LC_TERMINAL_VERSION
+ SendEnv COLORTERM TERM_PROGRAM TERM_PROGRAM_VERSION
+
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
Index: openssh-10.0p1/sshd_config
===================================================================
--- openssh-10.0p1.orig/sshd_config
+++ openssh-10.0p1/sshd_config
@@ -123,6 +123,10 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TI
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
+# Accept environment variables useful for terminal identification.
+AcceptEnv LC_TERMINAL LC_TERMINAL_VERSION
+AcceptEnv COLORTERM TERM_PROGRAM TERM_PROGRAM_VERSION
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no

242
openssh.changes
View File

@@ -1,3 +1,245 @@
-------------------------------------------------------------------
Tue Apr 22 16:45:33 UTC 2025 - Hans Petter Jansson <hpj@suse.com>
- Add openssh-send-extra-term-env.patch, which appends a few
environment variables useful for terminal identification to the
default send and accept lists.
-------------------------------------------------------------------
Thu Apr 10 08:16:09 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- "Update" to openssh 10.0p2:
- There was an issue during the packaging of 10.0p1 which made it
identify itself as 10.0p2 so 10.0p1 is now considered identical
to 10.0p2 and upstream won't release a separate 10.0p2 package.
-------------------------------------------------------------------
Wed Apr 9 09:33:10 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 10.0p1:
= Potentially-incompatible changes
* This release removes support for the weak DSA signature
algorithm, completing the deprecation process that began in
2015 (when DSA was disabled by default) and repeatedly warned
over the last 12 months.
* scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
scp & sftp. This disables implicit session creation by these
tools when ControlMaster was set to yes/auto by configuration,
which some users found surprising. This change will not prevent
scp/sftp from using an existing multiplexing session if one had
already been created. GHPR557
* This release has the version number 10.0 and announces itself
as "SSH-2.0-OpenSSH_10.0". Software that naively matches
versions using patterns like "OpenSSH_1*" may be confused by
this.
* sshd(8): this release removes the code responsible for the
user authentication phase of the protocol from the per-
connection sshd-session binary to a new sshd-auth binary.
Splitting this code into a separate binary ensures that the
crucial pre-authentication attack surface has an entirely
disjoint address space from the code used for the rest of the
connection. It also yields a small runtime memory saving as the
authentication code will be unloaded after the authentication
phase completes. This change should be largely invisible to
users, though some log messages may now come from "sshd-auth"
instead of "sshd-session". Downstream distributors of OpenSSH
will need to package the sshd-auth binary.
* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the
default key exchange in OpenSSH for the last 14 years.
* sshd(8): this release removes the implicit fallback to
compiled-in groups for Diffie-Hellman Group Exchange KEX when
the moduli file exists but does not contain moduli within the
client-requested range. The fallback behaviour remains for the
case where the moduli file does not exist at all. This allows
administrators more explicit control over which DH groups will
be selected, but can lead to connection failures if the moduli
file is edited incorrectly. bz#2793
= Security
* sshd(8): fix the DisableForwarding directive, which was failing
to disable X11 forwarding and agent forwarding as documented.
X11 forwarding is disabled by default in the server and agent
forwarding is off by default in the client.
= New features
* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.
* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).
* ssh(1): add %-token and environment variable expansion to the
ssh_config SetEnv directive.
* ssh(1): allow %-token and environment variable expansion in
the ssh_config User directive, with the exception of %r and %C
which would be self-referential. bz#3477
* ssh(1), sshd(8): add "Match version" support to ssh_config and
sshd_config. Allows matching on the local version of OpenSSH,
e.g. "Match version OpenSSH_10.*".
* ssh(1): add support for "Match sessiontype" to ssh_config.
Allows matching on the type of session initially requested,
either "shell" for interactive sessions, "exec" for command
execution sessions, "subsystem" for subsystem requests, such as
sftp, or "none" for transport/forwarding-only sessions.
* ssh(1): add support for "Match command ..." support to
ssh_config, allowing matching on the remote command as
specified on the command-line.
* ssh(1): allow 'Match tagged ""' and 'Match command ""' to match
empty tag and command values respectively.
* sshd(8): allow glob(3) patterns to be used in sshd_config
AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
bz2755
* sshd(1): support the VersionAddendum in the client, mirroring
the option of the same name in the server; bz2745
* ssh-agent(1): the agent will now delete all loaded keys when
signaled with SIGUSR1. This allows deletion of keys without
having access to $SSH_AUTH_SOCK.
* Portable OpenSSH, ssh-agent(1): support systemd-style socket
activation in ssh-agent using the LISTEN_PID/LISTEN_FDS
mechanism. Activated when these environment variables are set,
the agent is started with the -d or -D option and no socket
path is set. GHPR502
* ssh-keygen(1): support FIDO tokens that return no attestation
data, e.g. recent WinHello. GHPR542
* ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the
default FIDO application ID allow-list to be overridden.
* Add a work-in-progress tool to verify FIDO attestation blobs
that ssh-keygen can optionally write when enrolling FIDO keys.
This tool is available under
regress/misc/ssh-verify-attestation for experimentation but is
not installed by "make install".
* ssh-keygen(1): allow "-" as output file for moduli screening.
GHPR393
= Bugfixes
* sshd(8): remove assumption that the sshd_config and any configs
it includes can fit in a (possibly enlarged) socket buffer.
Previously it was possible to create a sufficiently large
configuration that could cause sshd to fail to accept any
connection. sshd(8) will now actively manage sending its config
to the sshd-session sub-process.
* ssh(1): don't start the ObscureKeystrokeTiming mitigations if
there has been traffic on a X11 forwarding channel recently.
Should fix X11 forwarding performance problems when this
setting is enabled. bz3655
* ssh(1): prohibit the comma character in hostnames accepted, but
allow an underscore as the first character in a hostname.
* sftp(1): set high-water when resuming a "put". Prevents bogus
"server reordered acks" debug message.
* ssh(1), sshd(8): fix regression in openssh-9.8, which would
fail to accept "Match criteria=argument" as well as the
documented "Match criteria argument" syntax in ssh_config and
sshd_config. bz3739
* sftp(1), ssh(1): fix a number possible NULL dereference bugs,
including Coverity CIDs 405019 and 477813.
* sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty
when LoginGraceTime was exceeded. bz3797
* sshd(8): fix "Match invalid-user" from incorrectly being
activated in initial configuration pass when no other
predicates were present on the match line
* sshd(8): fix debug logging of user specific delay. GHPR#552
* sshd(8): improve debug logging across sub-process boundaries.
Previously some log messages were lost early in the sshd-auth
and sshd-session processes' life.
* ssh(1): require control-escape character sequences passed via
the '-e ^x' command-line to be exactly two characters long.
Avoids one byte out-of-bounds read if ssh is invoked as
"ssh -e^ ..." GHPR368
* ssh(1), sshd(8): prevent integer overflow in x11 port handling.
These are theoretically possible if the admin misconfigured
X11DisplayOffset or the user misconfigures their own $DISPLAY,
but don't happen in normal operation. bz#3730
* ssh-keygen(1): don't mess up ssh-keygen -l output when the file
contains CR characters; GHPR236 bz3385.
* sshd(8): add rate limits to logging of connections dropped by
PerSourcePenalties. Previously these could be noisy in logs.
* ssh(1): fix argument of "Compression" directive in ssh -G
config dump, which regressed in openssh-9.8.
* sshd(8): fix a corner-case triggered by UpdateHostKeys when
sshd refuses to accept the signature returned by an agent
holding host keys during the hostkey rotation sub-protocol.
This situation could occur in situations where a PKCS#11
smartcard that lacked support for particular signature
algorithms was used to store host keys.
* ssh-keygen(1): when using RSA keys to sign messages with
"ssh-keygen -Y", select the signature algorithm based on the
requested hash algorithm ("-Ohashalg=xxx"). This allows using
something other than the default of rsa-sha2-512, which may not
be supported on all signing backends, e.g. some smartcards only
support SHA256.
* ssh(1), sshd(8), ssh-keyscan(1): fix ML-KEM768x25519 KEX on
big-endian systems.
* Many regression and interop test improvements.
= Portability
* All: add support for AWS-LC (AWS libcrypto). bz3784
* sshd(8): add wtmpdb support as a Y2038 safe wtmp replacement.
* sshd(8): add support for locking sshd into memory, enabled with
the --with-linux-memlock-onfault configure flag.
* Add support for building a standalone sk-libfido2 library,
enabled by --with-security-key-standalone
* ssh(1), sshd(8), ssh-keyscan(1): include __builtin_popcount
replacement function. for compilers that lack it.
* All: Check for and replace le32toh, le64toh, htole64
separately. It appears that at least some versions of endian.h
in glibc do not have the latter two. bz#3794
* Remove ancient RHL 6.x config in RPM spec.
- Rebase patches:
* openssh-7.7p1-fips.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-cavstest-kdf.patch
* openssh-7.7p1-fips_checks.patch
* openssh-8.0p1-gssapi-keyex.patch
* openssh-8.1p1-audit.patch
* openssh-7.7p1-ldap.patch
* openssh-reenable-dh-group14-sha1-default.patch
* openssh-8.4p1-vendordir.patch
* logind_set_tty.patch
* openssh-mitigate-lingering-secrets.patch
* openssh-7.8p1-role-mls.patch
* openssh-6.6p1-privsep-selinux.patch
* openssh-6.6.1p1-selinux-contexts.patch
* openssh-9.6p1-crypto-policies-man.patch
* openssh-7.6p1-cleanup-selinux.patch
- Drop patches now included upstream:
* wtmpdb.patch
* fix-x11-regression-bsc1229449.patch
* fix-nopie-flag.patch
- Drop patch since SHA-1 isn't considered secure and the default
kex list comes from crypto-policies anyway:
* openssh-reenable-dh-group14-sha1-default.patch
-------------------------------------------------------------------
Mon Apr 7 12:24:12 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- Do not try to create /etc/ssh in sshd-gen-keys-start
(bsc#1238191). sshd-gen-keys-start transitions to a SELinux
domain that doesn't have the necessary permissions. Based on
a SR by Johannes Segitz <jsegitz@suse.com>.
-------------------------------------------------------------------
Wed Apr 2 06:28:42 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- Add patch to fix parsing of CFLAGS with duplicated -pie flags,
which break 'make tests'. Submitted to upstream in
https://bugzilla.mindrot.org/show_bug.cgi?id=3806 .
* fix-nopie-flag.patch
-------------------------------------------------------------------
Tue Mar 18 08:51:16 UTC 2025 - Hillwood Yang <hillwood@opensuse.org>

16
openssh.spec
View File

@@ -59,14 +59,15 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 9.9p2
Version: 10.0p2
%define wrongly_named_version 10.0p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
Group: Productivity/Networking/SSH
URL: https://www.openssh.com/
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{wrongly_named_version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{wrongly_named_version}.tar.gz.asc
Source2: sshd.pamd
Source3: README.SUSE
Source4: README.kerberos
@@ -131,14 +132,12 @@ Patch39: openssh-8.1p1-use-openssl-kdf.patch
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
Patch41: openssh-fips-ensure-approved-moduli.patch
Patch42: openssh-link-with-sk.patch
Patch43: openssh-reenable-dh-group14-sha1-default.patch
Patch45: openssh-8.4p1-ssh_config_d.patch
Patch46: openssh-whitelist-syscalls.patch
Patch47: openssh-8.4p1-vendordir.patch
Patch48: openssh-8.4p1-pam_motd.patch
Patch49: openssh-do-not-send-empty-message.patch
Patch50: openssh-openssl-3.patch
Patch51: wtmpdb.patch
Patch52: logind_set_tty.patch
Patch54: openssh-mitigate-lingering-secrets.patch
Patch102: openssh-7.8p1-role-mls.patch
@@ -146,11 +145,10 @@ Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch
Patch105: openssh-6.6.1p1-selinux-contexts.patch
Patch106: openssh-7.6p1-cleanup-selinux.patch
Patch107: openssh-send-extra-term-env.patch
# 200 - 300 -- Patches submitted to upstream
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
# PATCH-FIX-UPSTREAM -- https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4
Patch201: fix-x11-regression-bsc1229449.patch
# 1000 - 2000 -- Conditional patches
%if %{with crypto_policies}
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
@@ -339,7 +337,7 @@ This package contains the FIPS-140 CAVS (Cryptographic Algorithm
Validation Program/Suite) related tests of OpenSSH.
%prep
%setup -q
%setup -q -n "%{name}-%{wrongly_named_version}"
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
%autopatch -p1
@@ -396,7 +394,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
--disable-lastlog \
--with-logind \
%endif
--enable-dsa-keys \
--with-security-key-builtin \
--target=%{_target_cpu}-suse-linux
@@ -632,6 +629,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-auth
%if 0%{?suse_version} < 1600
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg

1
sshd-gen-keys-start
View File

@@ -4,6 +4,5 @@ test -f /etc/sysconfig/ssh && . /etc/sysconfig/ssh
if [ "x$SSHD_AUTO_KEYGEN" != "xno" ]; then
echo "Checking for missing server keys in /etc/ssh"
test -d /etc/ssh || mkdir -p /etc/ssh
ssh-keygen -A
fi

189
wtmpdb.patch
View File

@@ -1,189 +0,0 @@
diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
--- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200
@@ -1703,6 +1703,49 @@
fi ]
)
+# Check whether user wants wtmpdb support
+WTMPDB_MSG="no"
+AC_ARG_WITH([wtmpdb],
+ [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd],
+ [ if test "x$withval" != "xno" ; then
+ if test "x$withval" = "xyes" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "x$PKGCONFIG" != "xno"; then
+ AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb])
+ if "$PKGCONFIG" libwtmpdb; then
+ AC_MSG_RESULT([yes])
+ use_pkgconfig_for_libwtmpdb=yes
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ else
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ fi
+ if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
+ LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
+ else
+ LIBWTMPDB="-lwtmpdb"
+ fi
+ OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
+ AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
+ [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
+ WTMPDB_MSG="yes"
+ AC_SUBST([LIBWTMPDB])
+ ],
+ [ AC_MSG_ERROR([libwtmpdb not found]) ],
+ [ $OTHERLIBS ]
+ )
+ fi ]
+)
+
+
AUDIT_MODULE=none
AC_ARG_WITH([audit],
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
--- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200
@@ -187,6 +187,10 @@
# include <util.h>
#endif
+#ifdef USE_WTMPDB
+# include <wtmpdb.h>
+#endif
+
/**
** prototypes for helper functions in this file
**/
@@ -207,6 +211,9 @@
int wtmpx_write_entry(struct logininfo *li);
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
+#ifdef USE_WTMPDB
+int wtmpdb_write_entry(struct logininfo *li);
+#endif
int getlast_entry(struct logininfo *li);
int lastlog_get_entry(struct logininfo *li);
@@ -467,6 +474,9 @@
#ifdef USE_WTMPX
wtmpx_write_entry(li);
#endif
+#ifdef USE_WTMPDB
+ wtmpdb_write_entry(li);
+#endif
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
@@ -1409,6 +1419,64 @@
}
#endif /* USE_WTMPX */
+#ifdef USE_WTMPDB
+static int
+wtmpdb_perform_login(struct logininfo *li)
+{
+ uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
+ const char *tty;
+
+ if (strncmp(li->line, "/dev/", 5) == 0)
+ tty = &(li->line[5]);
+ else
+ tty = li->line;
+
+ li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
+ login_time, tty, li->hostname, 0, 0);
+ if (li->wtmpdb_id < 0)
+ return (0);
+
+ return (1);
+}
+
+
+static int
+wtmpdb_perform_logout(struct logininfo *li)
+{
+ uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
+
+ if (li->wtmpdb_id == 0) {
+ const char *tty;
+
+ if (strncmp(li->line, "/dev/", 5) == 0)
+ tty = &(li->line[5]);
+ else
+ tty = li->line;
+
+ li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
+ }
+ wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
+
+ return (1);
+}
+
+
+int
+wtmpdb_write_entry(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (wtmpdb_perform_login(li));
+ case LTYPE_LOGOUT:
+ return (wtmpdb_perform_logout(li));
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif
+
+
/**
** Low-level libutil login() functions
**/
diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
--- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200
@@ -79,6 +79,9 @@
unsigned int tv_sec;
unsigned int tv_usec;
union login_netinfo hostaddr; /* caller's host address(es) */
+#ifdef USE_WTMPDB
+ int64_t wtmpdb_id; /* ID for wtmpdb_logout */
+#endif
}; /* struct logininfo */
/*
diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
--- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200
@@ -55,6 +55,7 @@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
+LIBWTMPDB=@LIBWTMPDB@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
@@ -212,10 +213,10 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
- $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)