Accepting request 1150501 from network
- Update to openssh 9.6p1: * No changes for askpass, see main package changelog for details. - Update to openssh 9.6p1: = Security * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys is unaffected. * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. = Potentially incompatible changes * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this (forwarded request 1150500 from hpjansson) OBS-URL: https://build.opensuse.org/request/show/1150501 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=170
2446674e73
@ -1,23 +0,0 @@
|
||||
From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@dtucker.net>
|
||||
Date: Sat, 19 Aug 2023 07:39:08 +1000
|
||||
Subject: [PATCH] Fix zlib version check for 1.3 and future version.
|
||||
|
||||
bz#3604.
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 07893e87065..e3128dfcbb4 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1464,7 +1464,7 @@ else
|
||||
[[
|
||||
int a=0, b=0, c=0, d=0, n, v;
|
||||
n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
|
||||
- if (n != 3 && n != 4)
|
||||
+ if (n < 1)
|
||||
exit(1);
|
||||
v = a*1000000 + b*10000 + c*100 + d;
|
||||
fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
|
@ -1,7 +1,7 @@
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
@@ -33,6 +33,7 @@
|
||||
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
#include "servconf.h"
|
||||
@ -92,23 +92,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
#endif
|
||||
#endif
|
||||
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.c
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.c
|
||||
@@ -182,7 +182,7 @@ ssh_selinux_change_context(const char *n
|
||||
strlcpy(newctx + len, newname, newlen - len);
|
||||
if ((cx = index(cx + 1, ':')))
|
||||
strlcat(newctx, cx, newlen);
|
||||
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
||||
+ debug_f("setting context from '%s' to '%s'",
|
||||
oldctx, newctx);
|
||||
if (setcon(newctx) < 0)
|
||||
do_log2(log_level, "%s: setcon %s from %s failed with %s",
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
@@ -27,6 +27,7 @@ int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
@ -117,10 +104,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
|
@ -3,11 +3,11 @@
|
||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||
algorithms.
|
||||
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
Index: openssh-9.6p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -113,6 +113,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
--- openssh-9.6p1.orig/Makefile.in
|
||||
+++ openssh-9.6p1/Makefile.in
|
||||
@@ -115,6 +115,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
|
||||
SKOBJS= ssh-sk-client.o
|
||||
|
||||
@ -16,32 +16,10 @@ Index: openssh-8.8p1/Makefile.in
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
|
||||
|
||||
#Index: openssh-8.8p1/cipher-ctr.c
|
||||
#===================================================================
|
||||
#--- openssh-8.8p1.orig/cipher-ctr.c
|
||||
#+++ openssh-8.8p1/cipher-ctr.c
|
||||
#@@ -27,6 +27,8 @@
|
||||
# #include "xmalloc.h"
|
||||
# #include "log.h"
|
||||
#
|
||||
#+#include "fips.h"
|
||||
#+
|
||||
# /* compatibility with old or broken OpenSSL versions */
|
||||
# #include "openbsd-compat/openssl-compat.h"
|
||||
#
|
||||
#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
|
||||
# #ifndef SSH_OLD_EVP
|
||||
# aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||
# EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||
#+ if (fips_mode())
|
||||
#+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
|
||||
# #endif
|
||||
# return (&aes_ctr);
|
||||
# }
|
||||
Index: openssh-8.8p1/cipher.c
|
||||
Index: openssh-9.6p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/cipher.c
|
||||
+++ openssh-8.8p1/cipher.c
|
||||
--- openssh-9.6p1.orig/cipher.c
|
||||
+++ openssh-9.6p1/cipher.c
|
||||
@@ -51,6 +51,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -61,7 +39,7 @@ Index: openssh-8.8p1/cipher.c
|
||||
#ifdef WITH_OPENSSL
|
||||
#ifndef OPENSSL_NO_DES
|
||||
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
|
||||
@@ -112,8 +115,52 @@ static const struct sshcipher ciphers[]
|
||||
@@ -110,8 +113,52 @@ static const struct sshcipher ciphers[]
|
||||
{ NULL, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
@ -114,7 +92,7 @@ Index: openssh-8.8p1/cipher.c
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
char *
|
||||
cipher_alg_list(char sep, int auth_only)
|
||||
@@ -122,7 +169,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
@@ -120,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct sshcipher *c;
|
||||
|
||||
@ -123,7 +101,7 @@ Index: openssh-8.8p1/cipher.c
|
||||
if ((c->flags & CFLAG_INTERNAL) != 0)
|
||||
continue;
|
||||
if (auth_only && c->auth_len == 0)
|
||||
@@ -205,7 +252,7 @@ const struct sshcipher *
|
||||
@@ -203,7 +250,7 @@ const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
@ -132,10 +110,10 @@ Index: openssh-8.8p1/cipher.c
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
Index: openssh-8.8p1/fips.c
|
||||
Index: openssh-9.6p1/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/fips.c
|
||||
+++ openssh-9.6p1/fips.c
|
||||
@@ -0,0 +1,212 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -349,10 +327,10 @@ Index: openssh-8.8p1/fips.c
|
||||
+ return dgst;
|
||||
+}
|
||||
+
|
||||
Index: openssh-8.8p1/fips.h
|
||||
Index: openssh-9.6p1/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/fips.h
|
||||
+++ openssh-9.6p1/fips.h
|
||||
@@ -0,0 +1,44 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -398,10 +376,10 @@ Index: openssh-8.8p1/fips.h
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-8.8p1/hmac.c
|
||||
Index: openssh-9.6p1/hmac.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/hmac.c
|
||||
+++ openssh-8.8p1/hmac.c
|
||||
--- openssh-9.6p1.orig/hmac.c
|
||||
+++ openssh-9.6p1/hmac.c
|
||||
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *
|
||||
size_t i;
|
||||
u_char digest[16];
|
||||
@ -411,20 +389,20 @@ Index: openssh-8.8p1/hmac.c
|
||||
printf("ssh_hmac_start failed");
|
||||
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
Index: openssh-8.8p1/kex.c
|
||||
Index: openssh-9.6p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kex.c
|
||||
+++ openssh-8.8p1/kex.c
|
||||
@@ -62,6 +62,8 @@
|
||||
--- openssh-9.6p1.orig/kex.c
|
||||
+++ openssh-9.6p1/kex.c
|
||||
@@ -64,6 +64,8 @@
|
||||
#include "digest.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *);
|
||||
static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||
@@ -85,7 +87,7 @@ struct kexalg {
|
||||
@@ -87,7 +89,7 @@ struct kexalg {
|
||||
int ec_nid;
|
||||
int hash_alg;
|
||||
};
|
||||
@ -433,7 +411,7 @@ Index: openssh-8.8p1/kex.c
|
||||
#ifdef WITH_OPENSSL
|
||||
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
@@ -118,6 +120,47 @@ static const struct kexalg kexalgs[] = {
|
||||
@@ -120,6 +122,47 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, 0, -1, -1},
|
||||
};
|
||||
|
||||
@ -481,7 +459,7 @@ Index: openssh-8.8p1/kex.c
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -125,7 +168,7 @@ kex_alg_list(char sep)
|
||||
@@ -127,7 +170,7 @@ kex_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -490,7 +468,7 @@ Index: openssh-8.8p1/kex.c
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(k->name);
|
||||
@@ -145,7 +188,7 @@ kex_alg_by_name(const char *name)
|
||||
@@ -147,7 +190,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -499,7 +477,7 @@ Index: openssh-8.8p1/kex.c
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
}
|
||||
@@ -165,7 +208,10 @@ kex_names_valid(const char *names)
|
||||
@@ -167,7 +210,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
@ -510,10 +488,10 @@ Index: openssh-8.8p1/kex.c
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
Index: openssh-8.8p1/mac.c
|
||||
Index: openssh-9.6p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/mac.c
|
||||
+++ openssh-8.8p1/mac.c
|
||||
--- openssh-9.6p1.orig/mac.c
|
||||
+++ openssh-9.6p1/mac.c
|
||||
@@ -41,6 +41,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -593,11 +571,11 @@ Index: openssh-8.8p1/mac.c
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
Index: openssh-8.8p1/readconf.c
|
||||
Index: openssh-9.6p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/readconf.c
|
||||
+++ openssh-8.8p1/readconf.c
|
||||
@@ -68,6 +68,8 @@
|
||||
--- openssh-9.6p1.orig/readconf.c
|
||||
+++ openssh-9.6p1/readconf.c
|
||||
@@ -71,6 +71,8 @@
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
|
||||
@ -606,7 +584,7 @@ Index: openssh-8.8p1/readconf.c
|
||||
/* Format of the configuration file:
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
@@ -2307,6 +2309,23 @@ config_has_permitted_cnames(Options *opt
|
||||
@@ -2478,6 +2480,23 @@ config_has_permitted_cnames(Options *opt
|
||||
return options->num_permitted_cnames > 0;
|
||||
}
|
||||
|
||||
@ -630,7 +608,7 @@ Index: openssh-8.8p1/readconf.c
|
||||
/*
|
||||
* Initializes options to special values that indicate that they have not yet
|
||||
* been set. Read_config_file will only set options with this value. Options
|
||||
@@ -2618,6 +2637,9 @@ fill_default_options(Options * options)
|
||||
@@ -2796,6 +2815,9 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -640,7 +618,7 @@ Index: openssh-8.8p1/readconf.c
|
||||
#ifdef ENABLE_SK_INTERNAL
|
||||
if (options->sk_provider == NULL)
|
||||
options->sk_provider = xstrdup("internal");
|
||||
@@ -2654,6 +2676,8 @@ fill_default_options(Options * options)
|
||||
@@ -2840,6 +2862,8 @@ fill_default_options(Options * options)
|
||||
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
|
||||
#undef ASSEMBLE
|
||||
|
||||
@ -649,23 +627,23 @@ Index: openssh-8.8p1/readconf.c
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
if (option_clear_or_none(v)) { \
|
||||
Index: openssh-8.8p1/readconf.h
|
||||
Index: openssh-9.6p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/readconf.h
|
||||
+++ openssh-8.8p1/readconf.h
|
||||
@@ -212,6 +212,7 @@ typedef struct {
|
||||
#define SSH_STRICT_HOSTKEY_YES 2
|
||||
#define SSH_STRICT_HOSTKEY_ASK 3
|
||||
--- openssh-9.6p1.orig/readconf.h
|
||||
+++ openssh-9.6p1/readconf.h
|
||||
@@ -231,6 +231,7 @@ typedef struct {
|
||||
#define SSH_KEYSTROKE_CHAFF_MIN_MS 1024
|
||||
#define SSH_KEYSTROKE_CHAFF_RNG_MS 2048
|
||||
|
||||
+void filter_fips_algorithms(Options *o);
|
||||
const char *kex_default_pk_alg(void);
|
||||
char *ssh_connection_hash(const char *thishost, const char *host,
|
||||
const char *portstr, const char *user);
|
||||
Index: openssh-8.8p1/servconf.c
|
||||
const char *portstr, const char *user, const char *jump_host);
|
||||
Index: openssh-9.6p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.c
|
||||
+++ openssh-8.8p1/servconf.c
|
||||
@@ -70,6 +70,7 @@
|
||||
--- openssh-9.6p1.orig/servconf.c
|
||||
+++ openssh-9.6p1/servconf.c
|
||||
@@ -68,6 +68,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
@ -673,7 +651,7 @@ Index: openssh-8.8p1/servconf.c
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
@@ -205,6 +206,23 @@ option_clear_or_none(const char *o)
|
||||
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
@ -697,7 +675,7 @@ Index: openssh-8.8p1/servconf.c
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
@@ -246,6 +264,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
@@ -248,6 +266,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
free(def_kex);
|
||||
free(def_key);
|
||||
free(def_sig);
|
||||
@ -706,7 +684,7 @@ Index: openssh-8.8p1/servconf.c
|
||||
}
|
||||
|
||||
void
|
||||
@@ -438,6 +458,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -440,6 +460,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -715,20 +693,20 @@ Index: openssh-8.8p1/servconf.c
|
||||
if (options->disable_forwarding == -1)
|
||||
options->disable_forwarding = 0;
|
||||
if (options->expose_userauth_info == -1)
|
||||
Index: openssh-8.8p1/ssh-keygen.c
|
||||
Index: openssh-9.6p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh-keygen.c
|
||||
+++ openssh-8.8p1/ssh-keygen.c
|
||||
@@ -67,6 +67,8 @@
|
||||
#include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
|
||||
#include "cipher.h"
|
||||
--- openssh-9.6p1.orig/ssh-keygen.c
|
||||
+++ openssh-9.6p1/ssh-keygen.c
|
||||
@@ -18,6 +18,8 @@
|
||||
#include <sys/socket.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
#ifdef WITH_OPENSSL
|
||||
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
||||
#else
|
||||
@@ -1037,11 +1039,13 @@ do_fingerprint(struct passwd *pw)
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
@@ -1040,11 +1042,13 @@ do_fingerprint(struct passwd *pw)
|
||||
static void
|
||||
do_gen_all_hostkeys(struct passwd *pw)
|
||||
{
|
||||
@ -744,8 +722,7 @@ Index: openssh-8.8p1/ssh-keygen.c
|
||||
#ifdef WITH_OPENSSL
|
||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
||||
@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@@ -1058,6 +1062,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@ -763,7 +740,7 @@ Index: openssh-8.8p1/ssh-keygen.c
|
||||
u_int32_t bits = 0;
|
||||
int first = 0;
|
||||
struct stat st;
|
||||
@@ -1063,6 +1078,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@@ -1065,6 +1080,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
|
||||
int i, type, fd, r;
|
||||
|
||||
@ -776,7 +753,7 @@ Index: openssh-8.8p1/ssh-keygen.c
|
||||
for (i = 0; key_types[i].key_type; i++) {
|
||||
public = private = NULL;
|
||||
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
||||
@@ -3620,6 +3641,15 @@ main(int argc, char **argv)
|
||||
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
|
||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||
|
||||
type = sshkey_type_from_name(key_type_name);
|
||||
@ -792,11 +769,11 @@ Index: openssh-8.8p1/ssh-keygen.c
|
||||
type_bits_valid(type, key_type_name, &bits);
|
||||
|
||||
if (!quiet)
|
||||
Index: openssh-8.8p1/ssh_config.5
|
||||
Index: openssh-9.6p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config.5
|
||||
+++ openssh-8.8p1/ssh_config.5
|
||||
@@ -736,6 +736,8 @@ The argument to this keyword must be
|
||||
--- openssh-9.6p1.orig/ssh_config.5
|
||||
+++ openssh-9.6p1/ssh_config.5
|
||||
@@ -831,6 +831,8 @@ The argument to this keyword must be
|
||||
option) or
|
||||
.Cm no
|
||||
(the default).
|
||||
@ -805,11 +782,11 @@ Index: openssh-8.8p1/ssh_config.5
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -126,6 +126,8 @@
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -128,6 +128,8 @@
|
||||
#include "srclimit.h"
|
||||
#include "dh.h"
|
||||
|
||||
@ -818,11 +795,11 @@ Index: openssh-8.8p1/sshd.c
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
Index: openssh-8.8p1/sshd_config.5
|
||||
Index: openssh-9.6p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.5
|
||||
+++ openssh-8.8p1/sshd_config.5
|
||||
@@ -600,6 +600,8 @@ and
|
||||
--- openssh-9.6p1.orig/sshd_config.5
|
||||
+++ openssh-9.6p1/sshd_config.5
|
||||
@@ -681,6 +681,8 @@ and
|
||||
.Cm sha256 .
|
||||
The default is
|
||||
.Cm sha256 .
|
||||
|
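Review bot: The FIPS algorithm filter is being rebased onto a release whose headline change is the strict-kex Terrapin countermeasure, and nothing in the refreshed hunks shows how `filter_fips_algorithms` (readconf.h) and the extra lines in `kex_names_valid` (kex.c) treat the `kex-strict-s-v00@openssh.com` / `kex-strict-c-v00@openssh.com` pseudo-algorithms that 9.6p1 now places in the KexAlgorithms proposal. As far as I recall upstream appends those markers when the proposal is assembled rather than listing them in `kexalgs[]`, so a filter that only rewrites the configured option string is presumably fine, but if the FIPS code validates or rebuilds the proposal itself the marker would be silently dropped and a FIPS-mode build would lose the countermeasure without any error. Please add a regression check to the package tests that a FIPS-mode sshd and ssh still advertise the strict-kex marker in KEXINIT, and record the dependency in the patch header: `# NOTE: the FIPS KexAlgorithms filter must keep the kex-strict-* pseudo-algorithms (Terrapin countermeasure, 9.6p1)`. The kex.c and readconf.c functions these hunks touch start and end outside the visible hunks.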
@ -1,8 +1,8 @@
|
||||
Index: openssh-9.3p2/auth2.c
|
||||
Index: openssh-9.6p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth2.c
|
||||
+++ openssh-9.3p2/auth2.c
|
||||
@@ -262,6 +262,9 @@ input_userauth_request(int type, u_int32
|
||||
--- openssh-9.6p1.orig/auth2.c
|
||||
+++ openssh-9.6p1/auth2.c
|
||||
@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
|
||||
@ -12,7 +12,7 @@ Index: openssh-9.3p2/auth2.c
|
||||
int r, authenticated = 0;
|
||||
double tstart = monotime_double();
|
||||
|
||||
@@ -275,6 +278,11 @@ input_userauth_request(int type, u_int32
|
||||
@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
@ -24,7 +24,7 @@ Index: openssh-9.3p2/auth2.c
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -302,8 +310,15 @@ input_userauth_request(int type, u_int32
|
||||
@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
@ -39,13 +39,13 @@ Index: openssh-9.3p2/auth2.c
|
||||
+#endif
|
||||
+ }
|
||||
userauth_banner(ssh);
|
||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||
ssh_packet_disconnect(ssh,
|
||||
Index: openssh-9.3p2/auth2-gss.c
|
||||
if ((r = kex_server_update_ext_info(ssh)) != 0)
|
||||
fatal_fr(r, "kex_server_update_ext_info failed");
|
||||
Index: openssh-9.6p1/auth2-gss.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth2-gss.c
|
||||
+++ openssh-9.3p2/auth2-gss.c
|
||||
@@ -325,6 +325,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
--- openssh-9.6p1.orig/auth2-gss.c
|
||||
+++ openssh-9.6p1/auth2-gss.c
|
||||
@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int r, authenticated = 0;
|
||||
@ -53,7 +53,7 @@ Index: openssh-9.3p2/auth2-gss.c
|
||||
struct sshbuf *b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
const char *displayname;
|
||||
@@ -342,7 +343,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
fatal_f("sshbuf_new failed");
|
||||
mic.value = p;
|
||||
mic.length = len;
|
||||
@ -68,7 +68,7 @@ Index: openssh-9.3p2/auth2-gss.c
|
||||
"gssapi-with-mic", ssh->kex->session_id);
|
||||
|
||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||
@@ -356,6 +363,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
sshbuf_free(b);
|
||||
@ -77,10 +77,10 @@ Index: openssh-9.3p2/auth2-gss.c
|
||||
free(mic.value);
|
||||
|
||||
if ((!use_privsep || mm_is_monitor()) &&
|
||||
Index: openssh-9.3p2/auth2-hostbased.c
|
||||
Index: openssh-9.6p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth2-hostbased.c
|
||||
+++ openssh-9.3p2/auth2-hostbased.c
|
||||
--- openssh-9.6p1.orig/auth2-hostbased.c
|
||||
+++ openssh-9.6p1/auth2-hostbased.c
|
||||
@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
|
||||
/* reconstruct packet */
|
||||
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||
@ -98,10 +98,10 @@ Index: openssh-9.3p2/auth2-hostbased.c
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, method)) != 0 ||
|
||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||
Index: openssh-9.3p2/auth2-pubkey.c
|
||||
Index: openssh-9.6p1/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth2-pubkey.c
|
||||
+++ openssh-9.3p2/auth2-pubkey.c
|
||||
--- openssh-9.6p1.orig/auth2-pubkey.c
|
||||
+++ openssh-9.6p1/auth2-pubkey.c
|
||||
@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
|
||||
goto done;
|
||||
}
|
||||
@ -121,10 +121,10 @@ Index: openssh-9.3p2/auth2-pubkey.c
|
||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
Index: openssh-9.3p2/auth.h
|
||||
Index: openssh-9.6p1/auth.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth.h
|
||||
+++ openssh-9.3p2/auth.h
|
||||
--- openssh-9.6p1.orig/auth.h
|
||||
+++ openssh-9.6p1/auth.h
|
||||
@@ -65,6 +65,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
@ -135,11 +135,11 @@ Index: openssh-9.3p2/auth.h
|
||||
|
||||
/* Method lists for multiple authentication */
|
||||
char **auth_methods; /* modified from server config */
|
||||
Index: openssh-9.3p2/auth-pam.c
|
||||
Index: openssh-9.6p1/auth-pam.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth-pam.c
|
||||
+++ openssh-9.3p2/auth-pam.c
|
||||
@@ -1240,7 +1240,7 @@ is_pam_session_open(void)
|
||||
--- openssh-9.6p1.orig/auth-pam.c
|
||||
+++ openssh-9.6p1/auth-pam.c
|
||||
@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
@ -148,10 +148,10 @@ Index: openssh-9.3p2/auth-pam.c
|
||||
{
|
||||
int ret = 1;
|
||||
char *compound;
|
||||
Index: openssh-9.3p2/auth-pam.h
|
||||
Index: openssh-9.6p1/auth-pam.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth-pam.h
|
||||
+++ openssh-9.3p2/auth-pam.h
|
||||
--- openssh-9.6p1.orig/auth-pam.h
|
||||
+++ openssh-9.6p1/auth-pam.h
|
||||
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(struct ssh *);
|
||||
void do_pam_setcred(int );
|
||||
@ -161,11 +161,11 @@ Index: openssh-9.3p2/auth-pam.h
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
Index: openssh-9.3p2/misc.c
|
||||
Index: openssh-9.6p1/misc.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/misc.c
|
||||
+++ openssh-9.3p2/misc.c
|
||||
@@ -745,6 +745,7 @@ char *
|
||||
--- openssh-9.6p1.orig/misc.c
|
||||
+++ openssh-9.6p1/misc.c
|
||||
@@ -771,6 +771,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -173,7 +173,7 @@ Index: openssh-9.3p2/misc.c
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -760,6 +761,13 @@ colon(char *cp)
|
||||
@@ -786,6 +787,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
@ -187,10 +187,10 @@ Index: openssh-9.3p2/misc.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
Index: openssh-9.3p2/monitor.c
|
||||
Index: openssh-9.6p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/monitor.c
|
||||
+++ openssh-9.3p2/monitor.c
|
||||
--- openssh-9.6p1.orig/monitor.c
|
||||
+++ openssh-9.6p1/monitor.c
|
||||
@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||
@ -201,7 +201,7 @@ Index: openssh-9.3p2/monitor.c
|
||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||
@@ -203,6 +206,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -211,7 +211,7 @@ Index: openssh-9.3p2/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -832,6 +838,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||
@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
@ -221,7 +221,7 @@ Index: openssh-9.3p2/monitor.c
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -906,6 +915,26 @@ key_base_type_match(const char *method,
|
||||
@@ -908,6 +917,26 @@ key_base_type_match(const char *method,
|
||||
return found;
|
||||
}
|
||||
|
||||
@ -248,7 +248,7 @@ Index: openssh-9.3p2/monitor.c
|
||||
int
|
||||
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
{
|
||||
@@ -1278,7 +1307,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
struct sshbuf *b;
|
||||
struct sshkey *hostkey = NULL;
|
||||
const u_char *p;
|
||||
@ -257,7 +257,7 @@ Index: openssh-9.3p2/monitor.c
|
||||
size_t len;
|
||||
u_char type;
|
||||
int hostbound = 0, r, fail = 0;
|
||||
@@ -1309,6 +1338,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
@ -266,7 +266,7 @@ Index: openssh-9.3p2/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1359,7 +1390,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||
@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||
{
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
@ -275,7 +275,7 @@ Index: openssh-9.3p2/monitor.c
|
||||
size_t len;
|
||||
int r, fail = 0;
|
||||
u_char type;
|
||||
@@ -1380,6 +1411,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||
@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
@ -284,10 +284,10 @@ Index: openssh-9.3p2/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
Index: openssh-9.3p2/monitor.h
|
||||
Index: openssh-9.6p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/monitor.h
|
||||
+++ openssh-9.3p2/monitor.h
|
||||
--- openssh-9.6p1.orig/monitor.h
|
||||
+++ openssh-9.6p1/monitor.h
|
||||
@@ -55,6 +55,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
@ -299,10 +299,10 @@ Index: openssh-9.3p2/monitor.h
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
Index: openssh-9.3p2/monitor_wrap.c
|
||||
Index: openssh-9.6p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/monitor_wrap.c
|
||||
+++ openssh-9.3p2/monitor_wrap.c
|
||||
--- openssh-9.6p1.orig/monitor_wrap.c
|
||||
+++ openssh-9.6p1/monitor_wrap.c
|
||||
@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
|
||||
sshbuf_free(m);
|
||||
}
|
||||
@ -331,10 +331,10 @@ Index: openssh-9.3p2/monitor_wrap.c
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
Index: openssh-9.3p2/monitor_wrap.h
|
||||
Index: openssh-9.6p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/monitor_wrap.h
|
||||
+++ openssh-9.3p2/monitor_wrap.h
|
||||
--- openssh-9.6p1.orig/monitor_wrap.h
|
||||
+++ openssh-9.6p1/monitor_wrap.h
|
||||
@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
|
||||
const u_char *, size_t, const char *, const char *,
|
||||
const char *, u_int compat);
|
||||
@ -345,10 +345,10 @@ Index: openssh-9.3p2/monitor_wrap.h
|
||||
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
Index: openssh-9.3p2/openbsd-compat/Makefile.in
|
||||
Index: openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/Makefile.in
|
||||
+++ openssh-9.3p2/openbsd-compat/Makefile.in
|
||||
--- openssh-9.6p1.orig/openbsd-compat/Makefile.in
|
||||
+++ openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
@@ -100,7 +100,8 @@ PORTS= port-aix.o \
|
||||
port-prngd.o \
|
||||
port-solaris.o \
|
||||
@ -359,11 +359,11 @@ Index: openssh-9.3p2/openbsd-compat/Makefile.in
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.c
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.c
|
||||
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.c
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
@ -401,7 +401,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux.c
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
@@ -143,7 +112,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
@ -414,10 +414,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux.c
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
@@ -20,9 +20,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
@ -430,10 +430,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
@@ -0,0 +1,421 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
@ -856,10 +856,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-9.3p2/platform.c
|
||||
Index: openssh-9.6p1/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/platform.c
|
||||
+++ openssh-9.3p2/platform.c
|
||||
--- openssh-9.6p1.orig/platform.c
|
||||
+++ openssh-9.6p1/platform.c
|
||||
@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
@ -869,11 +869,11 @@ Index: openssh-9.3p2/platform.c
|
||||
#endif
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
@@ -2388,6 +2388,9 @@ main(int ac, char **av)
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -2387,6 +2387,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
|
BIN
openssh-9.3p2.tar.gz
(Stored with Git LFS)
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg
|
||||
YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3
|
||||
pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH
|
||||
8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa
|
||||
jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5
|
||||
8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4
|
||||
PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl
|
||||
iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/
|
||||
kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh
|
||||
LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w
|
||||
VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/
|
||||
jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg=
|
||||
=yVD2
|
||||
-----END PGP SIGNATURE-----
|
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
Normal file
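--- /dev/null
+++ b/openssh-9.6p1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
+YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
+rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
+0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
+N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
+sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
+zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
+I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
+UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
+iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
+xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
+la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
+=G9YA
+-----END PGP SIGNATURE-----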
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Update to openssh 9.6p1:
|
||||
* No changes for askpass, see main package changelog for
|
||||
details.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <sflees@suse.de>
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 9.3p2
|
||||
Version: 9.6p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
|
@ -1,399 +0,0 @@
|
||||
Index: openssh-9.3p2/PROTOCOL
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/PROTOCOL
|
||||
+++ openssh-9.3p2/PROTOCOL
|
||||
@@ -104,6 +104,25 @@ http://git.libssh.org/users/aris/libssh.
|
||||
|
||||
This is identical to curve25519-sha256 as later published in RFC8731.
|
||||
|
||||
+1.9 transport: strict key exchange extension
|
||||
+
|
||||
+OpenSSH supports a number of transport-layer hardening measures under
|
||||
+a "strict KEX" feature. This feature is signalled similarly to the
|
||||
+RFC8305 ext-info feature: by including a additional algorithm in the
|
||||
+SSH2_MSG_KEXINIT kex_algorithms field. The client may append
|
||||
+"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
|
||||
+may append "kex-strict-s-v00@openssh.com".
|
||||
+
|
||||
+When endpoint that supports this extension observes this algorithm
|
||||
+name in a peer's KEXINIT packet, it MUST make the following changes to
|
||||
+the the protocol:
|
||||
+
|
||||
+a) During initial KEX, terminate the connection if any unexpected or
|
||||
+ out-of-sequence packet is received. This includes terminating the
|
||||
+ connection if the first packet received is not SSH2_MSG_KEXINIT.
|
||||
+b) At each SSH2_MSG_NEWKEYS message, reset the packet sequence number
|
||||
+ to zero.
|
||||
+
|
||||
2. Connection protocol changes
|
||||
|
||||
2.1. connection: Channel write close extension "eow@openssh.com"
|
||||
Index: openssh-9.3p2/kex.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/kex.c
|
||||
+++ openssh-9.3p2/kex.c
|
||||
@@ -76,7 +76,7 @@
|
||||
#include "fips.h"
|
||||
|
||||
/* prototype */
|
||||
-static int kex_choose_conf(struct ssh *);
|
||||
+static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||
|
||||
static const char * const proposal_names[PROPOSAL_MAX] = {
|
||||
@@ -261,6 +261,18 @@ kex_names_valid(const char *names)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+/* returns non-zero if proposal contains any algorithm from algs */
|
||||
+static int
|
||||
+has_any_alg(const char *proposal, const char *algs)
|
||||
+{
|
||||
+ char *cp;
|
||||
+
|
||||
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
||||
+ return 0;
|
||||
+ free(cp);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Concatenate algorithm names, avoiding duplicates in the process.
|
||||
* Caller must free returned string.
|
||||
@@ -268,7 +280,7 @@ kex_names_valid(const char *names)
|
||||
char *
|
||||
kex_names_cat(const char *a, const char *b)
|
||||
{
|
||||
- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
|
||||
+ char *ret = NULL, *tmp = NULL, *cp, *p;
|
||||
size_t len;
|
||||
|
||||
if (a == NULL || *a == '\0')
|
||||
@@ -285,10 +297,8 @@ kex_names_cat(const char *a, const char
|
||||
}
|
||||
strlcpy(ret, a, len);
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
|
||||
- if ((m = match_list(ret, p, NULL)) != NULL) {
|
||||
- free(m);
|
||||
+ if (has_any_alg(ret, p))
|
||||
continue; /* Algorithm already present */
|
||||
- }
|
||||
if (strlcat(ret, ",", len) >= len ||
|
||||
strlcat(ret, p, len) >= len) {
|
||||
free(tmp);
|
||||
@@ -441,15 +451,23 @@ kex_proposal_populate_entries(struct ssh
|
||||
const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT };
|
||||
const char **defprop = ssh->kex->server ? defpropserver : defpropclient;
|
||||
u_int i;
|
||||
+ char *cp;
|
||||
|
||||
if (prop == NULL)
|
||||
fatal_f("proposal missing");
|
||||
|
||||
+ /* Append EXT_INFO signalling to KexAlgorithms */
|
||||
+ if (kexalgos == NULL)
|
||||
+ kexalgos = defprop[PROPOSAL_KEX_ALGS];
|
||||
+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
|
||||
+ "kex-strict-s-v00@openssh.com" :
|
||||
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
|
||||
+ fatal_f("kex_names_cat");
|
||||
+
|
||||
for (i = 0; i < PROPOSAL_MAX; i++) {
|
||||
switch(i) {
|
||||
case PROPOSAL_KEX_ALGS:
|
||||
- prop[i] = compat_kex_proposal(ssh,
|
||||
- kexalgos ? kexalgos : defprop[i]);
|
||||
+ prop[i] = compat_kex_proposal(ssh, cp);
|
||||
break;
|
||||
case PROPOSAL_ENC_ALGS_CTOS:
|
||||
case PROPOSAL_ENC_ALGS_STOC:
|
||||
@@ -470,6 +488,7 @@ kex_proposal_populate_entries(struct ssh
|
||||
prop[i] = xstrdup(defprop[i]);
|
||||
}
|
||||
}
|
||||
+ free(cp);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -573,7 +592,12 @@ kex_protocol_error(int type, u_int32_t s
|
||||
{
|
||||
int r;
|
||||
|
||||
- error("kex protocol error: type %d seq %u", type, seq);
|
||||
+ /* If in strict mode, any unexpected message is an error */
|
||||
+ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
|
||||
+ ssh_packet_disconnect(ssh, "strict KEX violation: "
|
||||
+ "unexpected packet type %u (seqnr %u)", type, seq);
|
||||
+ }
|
||||
+ error_f("type %u seq %u", type, seq);
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
|
||||
(r = sshpkt_send(ssh)) != 0)
|
||||
@@ -651,7 +675,7 @@ kex_input_ext_info(int type, u_int32_t s
|
||||
if (ninfo >= 1024) {
|
||||
error("SSH2_MSG_EXT_INFO with too many entries, expected "
|
||||
"<=1024, received %u", ninfo);
|
||||
- return SSH_ERR_INVALID_FORMAT;
|
||||
+ return dispatch_protocol_error(type, seq, ssh);
|
||||
}
|
||||
for (i = 0; i < ninfo; i++) {
|
||||
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
|
||||
@@ -767,7 +791,7 @@ kex_input_kexinit(int type, u_int32_t se
|
||||
error_f("no kex");
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
}
|
||||
- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
|
||||
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
|
||||
ptr = sshpkt_ptr(ssh, &dlen);
|
||||
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
|
||||
return r;
|
||||
@@ -803,7 +827,7 @@ kex_input_kexinit(int type, u_int32_t se
|
||||
if (!(kex->flags & KEX_INIT_SENT))
|
||||
if ((r = kex_send_kexinit(ssh)) != 0)
|
||||
return r;
|
||||
- if ((r = kex_choose_conf(ssh)) != 0)
|
||||
+ if ((r = kex_choose_conf(ssh, seq)) != 0)
|
||||
return r;
|
||||
|
||||
if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
|
||||
@@ -1082,20 +1106,14 @@ proposals_match(char *my[PROPOSAL_MAX],
|
||||
return (1);
|
||||
}
|
||||
|
||||
-/* returns non-zero if proposal contains any algorithm from algs */
|
||||
static int
|
||||
-has_any_alg(const char *proposal, const char *algs)
|
||||
+kexalgs_contains(char **peer, const char *ext)
|
||||
{
|
||||
- char *cp;
|
||||
-
|
||||
- if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
||||
- return 0;
|
||||
- free(cp);
|
||||
- return 1;
|
||||
+ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
|
||||
}
|
||||
|
||||
static int
|
||||
-kex_choose_conf(struct ssh *ssh)
|
||||
+kex_choose_conf(struct ssh *ssh, uint32_t seq)
|
||||
{
|
||||
struct kex *kex = ssh->kex;
|
||||
struct newkeys *newkeys;
|
||||
@@ -1120,13 +1138,23 @@ kex_choose_conf(struct ssh *ssh)
|
||||
sprop=peer;
|
||||
}
|
||||
|
||||
- /* Check whether client supports ext_info_c */
|
||||
- if (kex->server && (kex->flags & KEX_INITIAL)) {
|
||||
- char *ext;
|
||||
-
|
||||
- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
|
||||
- kex->ext_info_c = (ext != NULL);
|
||||
- free(ext);
|
||||
+ /* Check whether peer supports ext_info/kex_strict */
|
||||
+ if ((kex->flags & KEX_INITIAL) != 0) {
|
||||
+ if (kex->server) {
|
||||
+ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
|
||||
+ kex->kex_strict = kexalgs_contains(peer,
|
||||
+ "kex-strict-c-v00@openssh.com");
|
||||
+ } else {
|
||||
+ kex->kex_strict = kexalgs_contains(peer,
|
||||
+ "kex-strict-s-v00@openssh.com");
|
||||
+ }
|
||||
+ if (kex->kex_strict) {
|
||||
+ debug3_f("will use strict KEX ordering");
|
||||
+ if (seq != 0)
|
||||
+ ssh_packet_disconnect(ssh,
|
||||
+ "strict KEX violation: "
|
||||
+ "KEXINIT was not the first packet");
|
||||
+ }
|
||||
}
|
||||
|
||||
/* Check whether client supports rsa-sha2 algorithms */
|
||||
Index: openssh-9.3p2/kex.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/kex.h
|
||||
+++ openssh-9.3p2/kex.h
|
||||
@@ -157,6 +157,7 @@ struct kex {
|
||||
u_int kex_type;
|
||||
char *server_sig_algs;
|
||||
int ext_info_c;
|
||||
+ int kex_strict;
|
||||
struct sshbuf *my;
|
||||
struct sshbuf *peer;
|
||||
struct sshbuf *client_version;
|
||||
Index: openssh-9.3p2/packet.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/packet.c
|
||||
+++ openssh-9.3p2/packet.c
|
||||
@@ -1236,6 +1236,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh
|
||||
state->p_send.bytes += len;
|
||||
sshbuf_reset(state->outgoing_packet);
|
||||
|
||||
+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
|
||||
+ debug_f("resetting send seqnr %u", state->p_send.seqnr);
|
||||
+ state->p_send.seqnr = 0;
|
||||
+ }
|
||||
+
|
||||
if (type == SSH2_MSG_NEWKEYS)
|
||||
r = ssh_set_newkeys(ssh, MODE_OUT);
|
||||
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
|
||||
@@ -1364,8 +1369,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u
|
||||
/* Stay in the loop until we have received a complete packet. */
|
||||
for (;;) {
|
||||
/* Try to read a packet from the buffer. */
|
||||
- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
|
||||
- if (r != 0)
|
||||
+ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
|
||||
break;
|
||||
/* If we got a packet, return it. */
|
||||
if (*typep != SSH_MSG_NONE)
|
||||
@@ -1649,6 +1630,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u
|
||||
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
|
||||
goto out;
|
||||
}
|
||||
+
|
||||
if (seqnr_p != NULL)
|
||||
*seqnr_p = state->p_read.seqnr;
|
||||
if (++state->p_read.seqnr == 0)
|
||||
@@ -1718,6 +1700,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u
|
||||
#endif
|
||||
/* reset for next packet */
|
||||
state->packlen = 0;
|
||||
+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
|
||||
+ debug_f("resetting read seqnr %u", state->p_read.seqnr);
|
||||
+ state->p_read.seqnr = 0;
|
||||
+ }
|
||||
|
||||
if ((r = ssh_packet_check_rekey(ssh)) != 0)
|
||||
return r;
|
||||
@@ -1738,10 +1724,39 @@ ssh_packet_read_poll_seqnr(struct ssh *s
|
||||
r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
|
||||
if (r != 0)
|
||||
return r;
|
||||
- if (*typep) {
|
||||
- state->keep_alive_timeouts = 0;
|
||||
- DBG(debug("received packet type %d", *typep));
|
||||
+ if (*typep == 0) {
|
||||
+ /* no message ready */
|
||||
+ return 0;
|
||||
}
|
||||
+ state->keep_alive_timeouts = 0;
|
||||
+ DBG(debug("received packet type %d", *typep));
|
||||
+
|
||||
+ /* Always process disconnect messages */
|
||||
+ if (*typep == SSH2_MSG_DISCONNECT) {
|
||||
+ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
|
||||
+ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
|
||||
+ return r;
|
||||
+ /* Ignore normal client exit notifications */
|
||||
+ do_log2(ssh->state->server_side &&
|
||||
+ reason == SSH2_DISCONNECT_BY_APPLICATION ?
|
||||
+ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
|
||||
+ "Received disconnect from %s port %d:"
|
||||
+ "%u: %.400s", ssh_remote_ipaddr(ssh),
|
||||
+ ssh_remote_port(ssh), reason, msg);
|
||||
+ free(msg);
|
||||
+ return SSH_ERR_DISCONNECTED;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Do not implicitly handle any messages here during initial
|
||||
+ * KEX when in strict mode. They will be need to be allowed
|
||||
+ * explicitly by the KEX dispatch table or they will generate
|
||||
+ * protocol errors.
|
||||
+ */
|
||||
+ if (ssh->kex != NULL &&
|
||||
+ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
|
||||
+ return 0;
|
||||
+ /* Implicitly handle transport-level messages */
|
||||
switch (*typep) {
|
||||
case SSH2_MSG_IGNORE:
|
||||
debug3("Received SSH2_MSG_IGNORE");
|
||||
@@ -1756,19 +1771,6 @@ ssh_packet_read_poll_seqnr(struct ssh *s
|
||||
debug("Remote: %.900s", msg);
|
||||
free(msg);
|
||||
break;
|
||||
- case SSH2_MSG_DISCONNECT:
|
||||
- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
|
||||
- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
|
||||
- return r;
|
||||
- /* Ignore normal client exit notifications */
|
||||
- do_log2(ssh->state->server_side &&
|
||||
- reason == SSH2_DISCONNECT_BY_APPLICATION ?
|
||||
- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
|
||||
- "Received disconnect from %s port %d:"
|
||||
- "%u: %.400s", ssh_remote_ipaddr(ssh),
|
||||
- ssh_remote_port(ssh), reason, msg);
|
||||
- free(msg);
|
||||
- return SSH_ERR_DISCONNECTED;
|
||||
case SSH2_MSG_UNIMPLEMENTED:
|
||||
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
|
||||
return r;
|
||||
@@ -2300,6 +2302,7 @@ kex_to_blob(struct sshbuf *m, struct kex
|
||||
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
|
||||
(r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
|
||||
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
|
||||
+ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
|
||||
(r = sshbuf_put_stringb(m, kex->my)) != 0 ||
|
||||
(r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
|
||||
(r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
|
||||
@@ -2462,6 +2465,7 @@ kex_from_blob(struct sshbuf *m, struct k
|
||||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
|
||||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
|
||||
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
|
||||
+ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
|
||||
(r = sshbuf_get_stringb(m, kex->my)) != 0 ||
|
||||
(r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
|
||||
(r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
|
||||
@@ -2790,6 +2794,7 @@ sshpkt_disconnect(struct ssh *ssh, const
|
||||
vsnprintf(buf, sizeof(buf), fmt, args);
|
||||
va_end(args);
|
||||
|
||||
+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
|
||||
(r = sshpkt_put_cstring(ssh, buf)) != 0 ||
|
||||
Index: openssh-9.3p2/sshconnect2.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshconnect2.c
|
||||
+++ openssh-9.3p2/sshconnect2.c
|
||||
@@ -420,7 +420,6 @@ struct cauthmethod {
|
||||
};
|
||||
|
||||
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
|
||||
-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_success(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_failure(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_banner(int, u_int32_t, struct ssh *);
|
||||
@@ -540,7 +539,7 @@ ssh_userauth2(struct ssh *ssh, const cha
|
||||
|
||||
ssh->authctxt = &authctxt;
|
||||
ssh_dispatch_init(ssh, &input_userauth_error);
|
||||
- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
|
||||
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
|
||||
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
|
||||
pubkey_cleanup(ssh);
|
||||
@@ -591,12 +590,6 @@ input_userauth_service_accept(int type,
|
||||
return r;
|
||||
}
|
||||
|
||||
-static int
|
||||
-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
|
||||
-{
|
||||
- return kex_input_ext_info(type, seqnr, ssh);
|
||||
-}
|
||||
-
|
||||
void
|
||||
userauth(struct ssh *ssh, char *authlist)
|
||||
{
|
||||
@@ -675,6 +668,7 @@ input_userauth_success(int type, u_int32
|
||||
free(authctxt->methoddata);
|
||||
authctxt->methoddata = NULL;
|
||||
authctxt->success = 1; /* break out */
|
||||
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
|
||||
return 0;
|
||||
}
|
||||
|
219
openssh.changes
@ -1,3 +1,222 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Update to openssh 9.6p1:
|
||||
= Security
|
||||
* ssh(1), sshd(8): implement protocol extensions to thwart the
|
||||
so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
|
||||
Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
|
||||
limited break of the integrity of the early encrypted SSH transport
|
||||
protocol by sending extra messages prior to the commencement of
|
||||
encryption, and deleting an equal number of consecutive messages
|
||||
immediately after encryption starts. A peer SSH client/server
|
||||
would not be able to detect that messages were deleted.
|
||||
* ssh-agent(1): when adding PKCS#11-hosted private keys while
|
||||
specifying destination constraints, if the PKCS#11 token returned
|
||||
multiple keys then only the first key had the constraints applied.
|
||||
Use of regular private keys, FIDO tokens and unconstrained keys
|
||||
are unaffected.
|
||||
* ssh(1): if an invalid user or hostname that contained shell
|
||||
metacharacters was passed to ssh(1), and a ProxyCommand,
|
||||
LocalCommand directive or "match exec" predicate referenced the
|
||||
user or hostname via %u, %h or similar expansion token, then
|
||||
an attacker who could supply arbitrary user/hostnames to ssh(1)
|
||||
could potentially perform command injection depending on what
|
||||
quoting was present in the user-supplied ssh_config(5) directive.
|
||||
|
||||
= Potentially incompatible changes
|
||||
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
|
||||
a TCP-like window mechanism that limits the amount of data that
|
||||
can be sent without acceptance from the peer. In cases where this
|
||||
limit was exceeded by a non-conforming peer SSH implementation,
|
||||
ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH
|
||||
9.6, ssh(1)/sshd(8) will now terminate the connection if a peer
|
||||
exceeds the window limit by more than a small grace factor. This
|
||||
change should have no effect of SSH implementations that follow
|
||||
the specification.
|
||||
|
||||
= New features
|
||||
* ssh(1): add a %j token that expands to the configured ProxyJump
|
||||
hostname (or the empty string if this option is not being used)
|
||||
that can be used in a number of ssh_config(5) keywords. bz3610
|
||||
* ssh(1): add ChannelTimeout support to the client, mirroring the
|
||||
same option in the server and allowing ssh(1) to terminate
|
||||
quiescent channels.
|
||||
* ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for
|
||||
reading ED25519 private keys in PEM PKCS8 format. Previously
|
||||
only the OpenSSH private key format was supported.
|
||||
* ssh(1), sshd(8): introduce a protocol extension to allow
|
||||
renegotiation of acceptable signature algorithms for public key
|
||||
authentication after the server has learned the username being
|
||||
used for authentication. This allows varying sshd_config(5)
|
||||
PubkeyAcceptedAlgorithms in a "Match user" block.
|
||||
* ssh-add(1), ssh-agent(1): add an agent protocol extension to allow
|
||||
specifying certificates when loading PKCS#11 keys. This allows the
|
||||
use of certificates backed by PKCS#11 private keys in all OpenSSH
|
||||
tools that support ssh-agent(1). Previously only ssh(1) supported
|
||||
this use-case.
|
||||
|
||||
= Bugfixes
|
||||
* ssh(1): when deciding whether to enable the keystroke timing
|
||||
obfuscation, enable it only if a channel with a TTY is active.
|
||||
* ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals
|
||||
before checking flags set in signal handler. Avoids potential
|
||||
race condition between signaling ssh to exit and polling. bz3531
|
||||
* ssh(1): when connecting to a destination with both the
|
||||
AddressFamily and CanonicalizeHostname directives in use,
|
||||
the AddressFamily directive could be ignored. bz5326
|
||||
* sftp(1): correct handling of the limits@openssh.com option when
|
||||
the server returned an unexpected message.
|
||||
* A number of fixes to the PuTTY and Dropbear regress/integration
|
||||
tests.
|
||||
* ssh(1): release GSS OIDs only at end of authentication, avoiding
|
||||
unnecessary init/cleanup cycles. bz2982
|
||||
* ssh_config(5): mention "none" is a valid argument to IdentityFile
|
||||
in the manual. bz3080
|
||||
* scp(1): improved debugging for paths from the server rejected for
|
||||
not matching the client's glob(3) pattern in old SCP/RCP protocol
|
||||
mode.
|
||||
* ssh-agent(1): refuse signing operations on destination-constrained
|
||||
keys if a previous session-bind operation has failed. This may
|
||||
prevent a fail-open situation in future if a user uses a mismatched
|
||||
ssh(1) client and ssh-agent(1) where the client supports a key type
|
||||
that the agent does not support.
|
||||
|
||||
- Update to openssh 9.5p1:
|
||||
= Potentially incompatible changes
|
||||
* ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
|
||||
are very convenient due to their small size. Ed25519 keys are
|
||||
specified in RFC 8709 and OpenSSH has supported them since version 6.5
|
||||
(January 2014).
|
||||
* sshd(8): the Subsystem directive now accurately preserves quoting of
|
||||
subsystem commands and arguments. This may change behaviour for exotic
|
||||
configurations, but the most common subsystem configuration
|
||||
(sftp-server) is unlikely to be affected.
|
||||
|
||||
= New features
|
||||
* ssh(1): add keystroke timing obfuscation to the client. This attempts
|
||||
to hide inter-keystroke timings by sending interactive traffic at
|
||||
fixed intervals (default: every 20ms) when there is only a small
|
||||
amount of data being sent. It also sends fake "chaff" keystrokes for
|
||||
a random interval after the last real keystroke. These are
|
||||
controlled by a new ssh_config ObscureKeystrokeTiming keyword.
|
||||
* ssh(1), sshd(8): Introduce a transport-level ping facility. This adds
|
||||
a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
|
||||
implement a ping capability. These messages use numbers in the "local
|
||||
extensions" number space and are advertised using a "ping@openssh.com"
|
||||
ext-info message with a string version number of "0".
|
||||
* sshd(8): allow override of Subsystem directives in sshd Match blocks.
|
||||
|
||||
= Bugfixes
|
||||
* scp(1): fix scp in SFTP mode recursive upload and download of
|
||||
directories that contain symlinks to other directories. In scp mode,
|
||||
the links would be followed, but in SFTP mode they were not. bz3611
|
||||
* ssh-keygen(1): handle cr+lf (instead of just cr) line endings in
|
||||
sshsig signature files.
|
||||
* ssh(1): interactive mode for ControlPersist sessions if they
|
||||
originally requested a tty.
|
||||
* sshd(8): make PerSourceMaxStartups first-match-wins
|
||||
* sshd(8): limit artificial login delay to a reasonable maximum (5s)
|
||||
and don't delay at all for the "none" authentication mechanism.
|
||||
bz3602
|
||||
* sshd(8): Log errors in kex_exchange_identification() with level
|
||||
verbose instead of error to reduce preauth log spam. All of those
|
||||
get logged with a more generic error message by sshpkt_fatal().
|
||||
* sshd(8): correct math for ClientAliveInterval that caused the probes
|
||||
to be sent less frequently than configured.
|
||||
* ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
|
||||
multiplexed sessions to ignore SIGINT under some circumstances.
|
||||
|
||||
- Update to openssh 9.4p1:
|
||||
= Potentially incompatible changes
|
||||
* This release removes support for older versions of libcrypto.
|
||||
OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
|
||||
Note that these versions are already deprecated by their upstream
|
||||
vendors.
|
||||
* ssh-agent(1): PKCS#11 modules must now be specified by their full
|
||||
paths. Previously dlopen(3) could search for them in system
|
||||
library directories.
|
||||
|
||||
= New features
|
||||
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
|
||||
* ssh(1): add support for configuration tags to ssh(1).
|
||||
This adds a ssh_config(5) "Tag" directive and corresponding
|
||||
"Match tag" predicate that may be used to select blocks of
|
||||
configuration similar to the pf.conf(5) keywords of the same
|
||||
name.
|
||||
* ssh(1): add a "match localnetwork" predicate. This allows matching
|
||||
on the addresses of available network interfaces and may be used to
|
||||
vary the effective client configuration based on network location.
|
||||
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
|
||||
extensions. This defines wire formats for optional KRL extensions
|
||||
and implements parsing of the new submessages. No actual extensions
|
||||
are supported at this point.
|
||||
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
|
||||
accept two additional %-expansion sequences: %D which expands to
|
||||
the routing domain of the connected session and %C which expands
|
||||
to the addresses and port numbers for the source and destination
|
||||
of the connection.
|
||||
* ssh-keygen(1): increase the default work factor (rounds) for the
|
||||
bcrypt KDF used to derive symmetric encryption keys for passphrase
|
||||
protected key files by 50%.
|
||||
|
||||
= Bugfixes
|
||||
* ssh-agent(1): improve isolation between loaded PKCS#11 modules
|
||||
by running separate ssh-pkcs11-helpers for each loaded provider.
|
||||
* ssh(1): make -f (fork after authentication) work correctly with
|
||||
multiplexed connections, including ControlPersist. bz3589 bz3589
|
||||
* ssh(1): make ConnectTimeout apply to multiplexing sockets and not
|
||||
just to network connections.
|
||||
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
|
||||
modules being loaded by checking that the requested module
|
||||
contains the required symbol before loading it.
|
||||
* sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
|
||||
appears before it in sshd_config. Since OpenSSH 8.7 the
|
||||
AuthorizedPrincipalsCommand directive was incorrectly ignored in
|
||||
this situation. bz3574
|
||||
* sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
|
||||
signatures When the KRL format was originally defined, it included
|
||||
support for signing of KRL objects. However, the code to sign KRLs
|
||||
and verify KRL signatues was never completed in OpenSSH. This
|
||||
release removes the partially-implemented code to verify KRLs.
|
||||
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
|
||||
KRL files.
|
||||
* All: fix a number of memory leaks and unreachable/harmless integer
|
||||
overflows.
|
||||
* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
|
||||
modules; GHPR406
|
||||
* sshd(8), ssh(1): better validate CASignatureAlgorithms in
|
||||
ssh_config and sshd_config. Previously this directive would accept
|
||||
certificate algorithm names, but these were unusable in practice as
|
||||
OpenSSH does not support CA chains. bz3577
|
||||
* ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
|
||||
algorithms that are valid for CA signing. Previous behaviour was
|
||||
to list all signing algorithms, including certificate algorithms.
|
||||
* ssh-keyscan(1): gracefully handle systems where rlimits or the
|
||||
maximum number of open files is larger than INT_MAX; bz3581
|
||||
* ssh-keygen(1): fix "no comment" not showing on when running
|
||||
`ssh-keygen -l` on multiple keys where one has a comment and other
|
||||
following keys do not. bz3580
|
||||
* scp(1), sftp(1): adjust ftruncate() logic to handle servers that
|
||||
reorder requests. Previously, if the server reordered requests then
|
||||
the resultant file would be erroneously truncated.
|
||||
* ssh(1): don't incorrectly disable hostname canonicalization when
|
||||
CanonicalizeHostname=yes and ProxyJump was expicitly set to
|
||||
"none". bz3567
|
||||
* scp(1): when copying local->remote, check that the source file
|
||||
exists before opening an SFTP connection to the server. Based on
|
||||
GHPR#370
|
||||
|
||||
- Dropped patches:
|
||||
* cb4ed12f.patch - implemented upstream.
|
||||
* openssh-cve-2023-48795.patch - implemented upstream.
|
||||
|
||||
- Rebased patches:
|
||||
* openssh-6.6p1-selinux-contexts.patch
|
||||
* openssh-7.7p1-fips.patch
|
||||
* openssh-7.8p1-role-mls.patch
|
||||
* openssh-8.0p1-gssapi-keyex.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 19 01:42:55 UTC 2023 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
|
@ -37,7 +37,7 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 9.3p2
|
||||
Version: 9.6p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
@ -116,15 +116,12 @@ Patch49: openssh-do-not-send-empty-message.patch
|
||||
Patch50: openssh-openssl-3.patch
|
||||
Patch51: wtmpdb.patch
|
||||
Patch52: logind_set_tty.patch
|
||||
# PATCH-FIx-UPSTREAM cb4ed12f.patch -- Fix build with zlib 1.3
|
||||
Patch53: https://github.com/openssh/openssh-portable/commit/cb4ed12f.patch
|
||||
Patch100: fix-missing-lz.patch
|
||||
Patch102: openssh-7.8p1-role-mls.patch
|
||||
Patch103: openssh-6.6p1-privsep-selinux.patch
|
||||
Patch104: openssh-6.6p1-keycat.patch
|
||||
Patch105: openssh-6.6.1p1-selinux-contexts.patch
|
||||
Patch106: openssh-7.6p1-cleanup-selinux.patch
|
||||
Patch107: openssh-cve-2023-48795.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: automake
|
||||
BuildRequires: groff
|
||||
|