Accepting request 863944 from home:dirkmueller:branches:network
- update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
This commit is contained in:
parent
87425e5010
commit
6543c1a02b
@ -5,11 +5,11 @@ default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
Index: openssh-7.9p1/servconf.c
|
||||
Index: openssh-8.4p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/servconf.c
|
||||
+++ openssh-7.9p1/servconf.c
|
||||
@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption
|
||||
--- openssh-8.4p1.orig/servconf.c
|
||||
+++ openssh-8.4p1/servconf.c
|
||||
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
@ -18,10 +18,10 @@ Index: openssh-7.9p1/servconf.c
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
Index: openssh-7.9p1/sshd_config
|
||||
Index: openssh-8.4p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config
|
||||
+++ openssh-7.9p1/sshd_config
|
||||
--- openssh-8.4p1.orig/sshd_config
|
||||
+++ openssh-8.4p1/sshd_config
|
||||
@@ -29,7 +29,7 @@
|
||||
# Authentication:
|
||||
|
||||
@ -31,11 +31,11 @@ Index: openssh-7.9p1/sshd_config
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
Index: openssh-7.9p1/sshd_config.0
|
||||
Index: openssh-8.4p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.0
|
||||
+++ openssh-7.9p1/sshd_config.0
|
||||
@@ -749,7 +749,7 @@ DESCRIPTION
|
||||
--- openssh-8.4p1.orig/sshd_config.0
|
||||
+++ openssh-8.4p1/sshd_config.0
|
||||
@@ -778,7 +778,7 @@ DESCRIPTION
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be yes, prohibit-password, forced-commands-only, or no. The
|
||||
@ -44,11 +44,11 @@ Index: openssh-7.9p1/sshd_config.0
|
||||
|
||||
If this option is set to prohibit-password (or its deprecated
|
||||
alias, without-password), password and keyboard-interactive
|
||||
Index: openssh-7.9p1/sshd_config.5
|
||||
Index: openssh-8.4p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.5
|
||||
+++ openssh-7.9p1/sshd_config.5
|
||||
@@ -1285,7 +1285,7 @@ The argument must be
|
||||
--- openssh-8.4p1.orig/sshd_config.5
|
||||
+++ openssh-8.4p1/sshd_config.5
|
||||
@@ -1331,7 +1331,7 @@ The argument must be
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
|
@ -2,10 +2,10 @@
|
||||
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
|
||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index d5c37b5..5d4fcd2 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
Index: openssh-8.4p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/Makefile.in
|
||||
+++ openssh-8.4p1/Makefile.in
|
||||
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
@ -14,7 +14,7 @@ index d5c37b5..5d4fcd2 100644
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@
|
||||
@@ -68,6 +69,8 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
@ -23,7 +23,7 @@ index d5c37b5..5d4fcd2 100644
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
||||
@@ -242,6 +245,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
@ -34,7 +34,7 @@ index d5c37b5..5d4fcd2 100644
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
@@ -398,6 +405,7 @@ install-files:
|
||||
@@ -400,6 +407,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
@ -42,11 +42,10 @@ index d5c37b5..5d4fcd2 100644
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
diff --git a/cavstest-ctr.c b/cavstest-ctr.c
|
||||
new file mode 100644
|
||||
index 0000000..f81cb72
|
||||
Index: openssh-8.4p1/cavstest-ctr.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/cavstest-ctr.c
|
||||
+++ openssh-8.4p1/cavstest-ctr.c
|
||||
@@ -0,0 +1,214 @@
|
||||
+/*
|
||||
+ *
|
||||
@ -262,10 +261,10 @@ index 0000000..f81cb72
|
||||
+ printf("\n");
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index 2f5430b..599b54a 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
Index: openssh-8.4p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/cipher.c
|
||||
+++ openssh-8.4p1/cipher.c
|
||||
@@ -58,15 +58,6 @@
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
@ -282,10 +281,10 @@ index 2f5430b..599b54a 100644
|
||||
struct sshcipher {
|
||||
char *name;
|
||||
u_int block_size;
|
||||
diff --git a/cipher.h b/cipher.h
|
||||
index 1a591cd..10ccb28 100644
|
||||
--- a/cipher.h
|
||||
+++ b/cipher.h
|
||||
Index: openssh-8.4p1/cipher.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/cipher.h
|
||||
+++ openssh-8.4p1/cipher.h
|
||||
@@ -48,7 +48,15 @@
|
||||
#define CIPHER_DECRYPT 0
|
||||
|
||||
|
@ -2,10 +2,10 @@
|
||||
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
|
||||
CAVS test for KDF implementation in OpenSSH
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 5d4fcd2..9eab827 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
Index: openssh-8.4p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/Makefile.in
|
||||
+++ openssh-8.4p1/Makefile.in
|
||||
@@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
@ -14,7 +14,7 @@ index 5d4fcd2..9eab827 100644
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@
|
||||
@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
@ -23,7 +23,7 @@ index 5d4fcd2..9eab827 100644
|
||||
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
@@ -249,6 +250,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
|
||||
@ -33,7 +33,7 @@ index 5d4fcd2..9eab827 100644
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
@@ -406,6 +410,7 @@ install-files:
|
||||
@@ -408,6 +412,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
@ -41,11 +41,10 @@ index 5d4fcd2..9eab827 100644
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
diff --git a/cavstest-kdf.c b/cavstest-kdf.c
|
||||
new file mode 100644
|
||||
index 0000000..a6ecf45
|
||||
Index: openssh-8.4p1/cavstest-kdf.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/cavstest-kdf.c
|
||||
+++ openssh-8.4p1/cavstest-kdf.c
|
||||
@@ -0,0 +1,402 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
|
@ -3,11 +3,11 @@
|
||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||
algorithms.
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 62cd072..d5c37b5 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
Index: openssh-8.4p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/Makefile.in
|
||||
+++ openssh-8.4p1/Makefile.in
|
||||
@@ -112,6 +112,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
|
||||
SKOBJS= ssh-sk-client.o
|
||||
|
||||
@ -16,10 +16,10 @@ index 62cd072..d5c37b5 100644
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
|
||||
|
||||
diff --git a/cipher-ctr.c b/cipher-ctr.c
|
||||
index 32771f2..b66f92f 100644
|
||||
--- a/cipher-ctr.c
|
||||
+++ b/cipher-ctr.c
|
||||
Index: openssh-8.4p1/cipher-ctr.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/cipher-ctr.c
|
||||
+++ openssh-8.4p1/cipher-ctr.c
|
||||
@@ -27,6 +27,8 @@
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
@ -38,10 +38,10 @@ index 32771f2..b66f92f 100644
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index 8195199..2f5430b 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
Index: openssh-8.4p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/cipher.c
|
||||
+++ openssh-8.4p1/cipher.c
|
||||
@@ -51,6 +51,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -61,7 +61,7 @@ index 8195199..2f5430b 100644
|
||||
#ifdef WITH_OPENSSL
|
||||
#ifndef OPENSSL_NO_DES
|
||||
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
|
||||
@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = {
|
||||
@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[]
|
||||
{ NULL, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
@ -132,11 +132,10 @@ index 8195199..2f5430b 100644
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
diff --git a/fips.c b/fips.c
|
||||
new file mode 100644
|
||||
index 0000000..23e3876
|
||||
Index: openssh-8.4p1/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/fips.c
|
||||
+++ openssh-8.4p1/fips.c
|
||||
@@ -0,0 +1,212 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -350,11 +349,10 @@ index 0000000..23e3876
|
||||
+ return dgst;
|
||||
+}
|
||||
+
|
||||
diff --git a/fips.h b/fips.h
|
||||
new file mode 100644
|
||||
index 0000000..a115a61
|
||||
Index: openssh-8.4p1/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/fips.h
|
||||
+++ openssh-8.4p1/fips.h
|
||||
@@ -0,0 +1,44 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -400,11 +398,11 @@ index 0000000..a115a61
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
diff --git a/hmac.c b/hmac.c
|
||||
index 7b58801..5a92074 100644
|
||||
--- a/hmac.c
|
||||
+++ b/hmac.c
|
||||
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
|
||||
Index: openssh-8.4p1/hmac.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/hmac.c
|
||||
+++ openssh-8.4p1/hmac.c
|
||||
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *
|
||||
size_t i;
|
||||
u_char digest[16];
|
||||
|
||||
@ -413,11 +411,11 @@ index 7b58801..5a92074 100644
|
||||
printf("ssh_hmac_start failed");
|
||||
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
diff --git a/kex.c b/kex.c
|
||||
index b09fbac..a5e4be7 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -63,6 +63,8 @@
|
||||
Index: openssh-8.4p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/kex.c
|
||||
+++ openssh-8.4p1/kex.c
|
||||
@@ -62,6 +62,8 @@
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
|
||||
@ -426,7 +424,7 @@ index b09fbac..a5e4be7 100644
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *);
|
||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||
@@ -86,7 +88,7 @@ struct kexalg {
|
||||
@@ -85,7 +87,7 @@ struct kexalg {
|
||||
int ec_nid;
|
||||
int hash_alg;
|
||||
};
|
||||
@ -435,7 +433,7 @@ index b09fbac..a5e4be7 100644
|
||||
#ifdef WITH_OPENSSL
|
||||
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = {
|
||||
@@ -116,6 +118,47 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, 0, -1, -1},
|
||||
};
|
||||
|
||||
@ -483,7 +481,7 @@ index b09fbac..a5e4be7 100644
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -124,7 +167,7 @@ kex_alg_list(char sep)
|
||||
@@ -123,7 +166,7 @@ kex_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -492,7 +490,7 @@ index b09fbac..a5e4be7 100644
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(k->name);
|
||||
@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name)
|
||||
@@ -143,7 +186,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -501,7 +499,7 @@ index b09fbac..a5e4be7 100644
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
}
|
||||
@@ -164,7 +207,10 @@ kex_names_valid(const char *names)
|
||||
@@ -163,7 +206,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
@ -512,10 +510,10 @@ index b09fbac..a5e4be7 100644
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
diff --git a/mac.c b/mac.c
|
||||
index f3dda66..90d71c8 100644
|
||||
--- a/mac.c
|
||||
+++ b/mac.c
|
||||
Index: openssh-8.4p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/mac.c
|
||||
+++ openssh-8.4p1/mac.c
|
||||
@@ -41,6 +41,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -586,7 +584,7 @@ index f3dda66..90d71c8 100644
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(m->name);
|
||||
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name)
|
||||
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name
|
||||
{
|
||||
const struct macalg *m;
|
||||
|
||||
@ -595,10 +593,10 @@ index f3dda66..90d71c8 100644
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 26e80c5..595f053 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
Index: openssh-8.4p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/readconf.c
|
||||
+++ openssh-8.4p1/readconf.c
|
||||
@@ -68,6 +68,8 @@
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
@ -608,7 +606,7 @@ index 26e80c5..595f053 100644
|
||||
/* Format of the configuration file:
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o)
|
||||
@@ -1949,6 +1951,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
@ -632,7 +630,7 @@ index 26e80c5..595f053 100644
|
||||
/*
|
||||
* Initializes options to special values that indicate that they have not yet
|
||||
* been set. Read_config_file will only set options with this value. Options
|
||||
@@ -2196,6 +2215,9 @@ fill_default_options(Options * options)
|
||||
@@ -2240,6 +2259,9 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -642,7 +640,7 @@ index 26e80c5..595f053 100644
|
||||
#ifdef ENABLE_SK_INTERNAL
|
||||
if (options->sk_provider == NULL)
|
||||
options->sk_provider = xstrdup("internal");
|
||||
@@ -2229,6 +2251,7 @@ fill_default_options(Options * options)
|
||||
@@ -2273,6 +2295,7 @@ fill_default_options(Options * options)
|
||||
ASSEMBLE(pubkey_key_types, def_key, all_key);
|
||||
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
|
||||
#undef ASSEMBLE
|
||||
@ -650,7 +648,7 @@ index 26e80c5..595f053 100644
|
||||
free(all_cipher);
|
||||
free(all_mac);
|
||||
free(all_kex);
|
||||
@@ -2240,6 +2263,8 @@ fill_default_options(Options * options)
|
||||
@@ -2284,6 +2307,8 @@ fill_default_options(Options * options)
|
||||
kex_default_pk_alg_filtered = def_key; /* save for later use */
|
||||
free(def_sig);
|
||||
|
||||
@ -659,11 +657,11 @@ index 26e80c5..595f053 100644
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
if (option_clear_or_none(v)) { \
|
||||
diff --git a/readconf.h b/readconf.h
|
||||
index e143a10..ef18d5c 100644
|
||||
--- a/readconf.h
|
||||
+++ b/readconf.h
|
||||
@@ -199,6 +199,7 @@ typedef struct {
|
||||
Index: openssh-8.4p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/readconf.h
|
||||
+++ openssh-8.4p1/readconf.h
|
||||
@@ -200,6 +200,7 @@ typedef struct {
|
||||
#define SSH_STRICT_HOSTKEY_YES 2
|
||||
#define SSH_STRICT_HOSTKEY_ASK 3
|
||||
|
||||
@ -671,11 +669,11 @@ index e143a10..ef18d5c 100644
|
||||
const char *kex_default_pk_alg(void);
|
||||
char *ssh_connection_hash(const char *thishost, const char *host,
|
||||
const char *portstr, const char *user);
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 6be7274..9a51bfb 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -69,6 +69,7 @@
|
||||
Index: openssh-8.4p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/servconf.c
|
||||
+++ openssh-8.4p1/servconf.c
|
||||
@@ -70,6 +70,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
@ -683,7 +681,7 @@ index 6be7274..9a51bfb 100644
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
@@ -200,6 +201,23 @@ option_clear_or_none(const char *o)
|
||||
@@ -201,6 +202,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
@ -707,7 +705,7 @@ index 6be7274..9a51bfb 100644
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
@@ -242,6 +260,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
free(def_kex);
|
||||
free(def_key);
|
||||
free(def_sig);
|
||||
@ -716,7 +714,7 @@ index 6be7274..9a51bfb 100644
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
@@ -454,6 +474,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -725,10 +723,10 @@ index 6be7274..9a51bfb 100644
|
||||
if (options->disable_forwarding == -1)
|
||||
options->disable_forwarding = 0;
|
||||
if (options->expose_userauth_info == -1)
|
||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
index 944faca..c1ecc54 100644
|
||||
--- a/ssh-keygen.c
|
||||
+++ b/ssh-keygen.c
|
||||
Index: openssh-8.4p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/ssh-keygen.c
|
||||
+++ openssh-8.4p1/ssh-keygen.c
|
||||
@@ -66,6 +66,8 @@
|
||||
#include "ssh-sk.h"
|
||||
#include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
|
||||
@ -738,7 +736,7 @@ index 944faca..c1ecc54 100644
|
||||
#ifdef WITH_OPENSSL
|
||||
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
||||
#else
|
||||
@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw)
|
||||
@@ -1036,11 +1038,13 @@ do_fingerprint(struct passwd *pw)
|
||||
static void
|
||||
do_gen_all_hostkeys(struct passwd *pw)
|
||||
{
|
||||
@ -754,7 +752,7 @@ index 944faca..c1ecc54 100644
|
||||
#ifdef WITH_OPENSSL
|
||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
||||
@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@@ -1055,6 +1059,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@ -772,7 +770,7 @@ index 944faca..c1ecc54 100644
|
||||
u_int32_t bits = 0;
|
||||
int first = 0;
|
||||
struct stat st;
|
||||
@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@@ -1062,6 +1077,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
|
||||
int i, type, fd, r;
|
||||
|
||||
@ -785,7 +783,7 @@ index 944faca..c1ecc54 100644
|
||||
for (i = 0; key_types[i].key_type; i++) {
|
||||
public = private = NULL;
|
||||
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
||||
@@ -3532,6 +3553,15 @@ main(int argc, char **argv)
|
||||
@@ -3586,6 +3607,15 @@ main(int argc, char **argv)
|
||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||
|
||||
type = sshkey_type_from_name(key_type_name);
|
||||
@ -801,11 +799,11 @@ index 944faca..c1ecc54 100644
|
||||
type_bits_valid(type, key_type_name, &bits);
|
||||
|
||||
if (!quiet)
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index c45fb8d..55d4b5e 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -669,6 +669,8 @@ Valid options are:
|
||||
Index: openssh-8.4p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/ssh_config.5
|
||||
+++ openssh-8.4p1/ssh_config.5
|
||||
@@ -682,6 +682,8 @@ Valid options are:
|
||||
and
|
||||
.Cm sha256
|
||||
(the default).
|
||||
@ -814,11 +812,11 @@ index c45fb8d..55d4b5e 100644
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index a24241c..e18078f 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -128,6 +128,8 @@
|
||||
Index: openssh-8.4p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd.c
|
||||
+++ openssh-8.4p1/sshd.c
|
||||
@@ -124,6 +124,8 @@
|
||||
#include "ssherr.h"
|
||||
#include "sk-api.h"
|
||||
|
||||
@ -827,10 +825,10 @@ index a24241c..e18078f 100644
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 52552d2..35affe5 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
Index: openssh-8.4p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config.5
|
||||
+++ openssh-8.4p1/sshd_config.5
|
||||
@@ -594,6 +594,8 @@ and
|
||||
.Cm sha256 .
|
||||
The default is
|
||||
|
@ -14,11 +14,10 @@
|
||||
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
|
||||
# otherwise.
|
||||
|
||||
diff --git a/fips-check.c b/fips-check.c
|
||||
new file mode 100644
|
||||
index 0000000..eceb031
|
||||
Index: openssh-8.4p1/fips-check.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/fips-check.c
|
||||
+++ openssh-8.4p1/fips-check.c
|
||||
@@ -0,0 +1,34 @@
|
||||
+#include "includes.h"
|
||||
+#include <fcntl.h>
|
||||
@ -54,10 +53,10 @@ index 0000000..eceb031
|
||||
+ fips_ssh_init();
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/fips.c b/fips.c
|
||||
index 23e3876..297ae99 100644
|
||||
--- a/fips.c
|
||||
+++ b/fips.c
|
||||
Index: openssh-8.4p1/fips.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/fips.c
|
||||
+++ openssh-8.4p1/fips.c
|
||||
@@ -35,30 +35,293 @@
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
@ -246,7 +245,9 @@ index 23e3876..297ae99 100644
|
||||
{
|
||||
int fips_required = 0;
|
||||
- char *env = getenv(SSH_FORCE_FIPS_ENV);
|
||||
-
|
||||
+ int fips_fd;
|
||||
+ char fips_sys = 0;
|
||||
|
||||
- if (env) {
|
||||
- errno = 0;
|
||||
- fips_required = strtol(env, NULL, 10);
|
||||
@ -256,9 +257,6 @@ index 23e3876..297ae99 100644
|
||||
- fips_required = 0;
|
||||
- } else
|
||||
- fips_required = 1;
|
||||
+ int fips_fd;
|
||||
+ char fips_sys = 0;
|
||||
+
|
||||
+ struct stat dummy;
|
||||
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
|
||||
+ switch (errno) {
|
||||
@ -364,10 +362,10 @@ index 23e3876..297ae99 100644
|
||||
int
|
||||
fips_mode(void)
|
||||
{
|
||||
diff --git a/fips.h b/fips.h
|
||||
index a115a61..3404684 100644
|
||||
--- a/fips.h
|
||||
+++ b/fips.h
|
||||
Index: openssh-8.4p1/fips.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/fips.h
|
||||
+++ openssh-8.4p1/fips.h
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -404,15 +402,15 @@ index a115a61..3404684 100644
|
||||
int fips_mode(void);
|
||||
int fips_correct_dgst(int);
|
||||
int fips_dgst_min(void);
|
||||
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum fp_type);
|
||||
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
|
||||
int fips_filter_crypto(char **, fips_filters);
|
||||
|
||||
#endif
|
||||
-
|
||||
diff --git a/sftp-server.c b/sftp-server.c
|
||||
index 359204f..d6395fd 100644
|
||||
--- a/sftp-server.c
|
||||
+++ b/sftp-server.c
|
||||
Index: openssh-8.4p1/sftp-server.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sftp-server.c
|
||||
+++ openssh-8.4p1/sftp-server.c
|
||||
@@ -53,6 +53,8 @@
|
||||
|
||||
char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
|
||||
@ -422,7 +420,7 @@ index 359204f..d6395fd 100644
|
||||
/* Our verbosity */
|
||||
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
||||
|
||||
@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
@@ -1577,6 +1579,9 @@ sftp_server_main(int argc, char **argv,
|
||||
extern char *optarg;
|
||||
extern char *__progname;
|
||||
|
||||
@ -432,10 +430,10 @@ index 359204f..d6395fd 100644
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index 98b6ce7..dce28fd 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
Index: openssh-8.4p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/ssh.c
|
||||
+++ openssh-8.4p1/ssh.c
|
||||
@@ -113,6 +113,8 @@
|
||||
#include "ssh-pkcs11.h"
|
||||
#endif
|
||||
@ -445,9 +443,9 @@ index 98b6ce7..dce28fd 100644
|
||||
extern char *__progname;
|
||||
|
||||
/* Saves a copy of argv for setproctitle emulation */
|
||||
@@ -630,6 +632,10 @@ main(int ac, char **av)
|
||||
struct addrinfo *addrs = NULL;
|
||||
@@ -658,6 +660,10 @@ main(int ac, char **av)
|
||||
size_t n, len;
|
||||
u_int j;
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
@ -456,11 +454,11 @@ index 98b6ce7..dce28fd 100644
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index b2146a6..6092f0f 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1505,6 +1505,10 @@ main(int ac, char **av)
|
||||
Index: openssh-8.4p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd.c
|
||||
+++ openssh-8.4p1/sshd.c
|
||||
@@ -1545,6 +1545,10 @@ main(int ac, char **av)
|
||||
Authctxt *authctxt;
|
||||
struct connection_info *connection_info = NULL;
|
||||
|
||||
|
@ -3,11 +3,11 @@
|
||||
# -- uset do be called '-xauthlocalhostname'
|
||||
handle hostname changes when forwarding X
|
||||
|
||||
diff --git a/session.c b/session.c
|
||||
index 18cdfa8..85a9ee2 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
|
||||
Index: openssh-8.4p1/session.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/session.c
|
||||
+++ openssh-8.4p1/session.c
|
||||
@@ -985,7 +985,7 @@ copy_environment(char **source, char ***
|
||||
#endif
|
||||
|
||||
static char **
|
||||
@ -16,7 +16,7 @@ index 18cdfa8..85a9ee2 100644
|
||||
{
|
||||
char buf[256];
|
||||
size_t n;
|
||||
@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
for (i = 0; env[i]; i++)
|
||||
fprintf(stderr, " %.200s\n", env[i]);
|
||||
}
|
||||
@ -25,7 +25,7 @@ index 18cdfa8..85a9ee2 100644
|
||||
return env;
|
||||
}
|
||||
|
||||
@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
* first in this order).
|
||||
*/
|
||||
static void
|
||||
@ -33,9 +33,9 @@ index 18cdfa8..85a9ee2 100644
|
||||
+do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size)
|
||||
{
|
||||
FILE *f = NULL;
|
||||
char cmd[1024];
|
||||
@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
|
||||
options.xauth_location);
|
||||
char *cmd = NULL, *user_rc = NULL;
|
||||
@@ -1260,12 +1262,20 @@ do_rc_files(struct ssh *ssh, Session *s,
|
||||
fatal("%s: xasprintf: %s", __func__, strerror(errno));
|
||||
f = popen(cmd, "w");
|
||||
if (f) {
|
||||
+ char hostname[MAXHOSTNAMELEN];
|
||||
@ -55,7 +55,7 @@ index 18cdfa8..85a9ee2 100644
|
||||
} else {
|
||||
fprintf(stderr, "Could not run %s\n",
|
||||
cmd);
|
||||
@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
@@ -1526,6 +1536,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
char **env, *argv[ARGV_MAX], remote_id[512];
|
||||
const char *shell, *shell0;
|
||||
struct passwd *pw = s->pw;
|
||||
@ -63,7 +63,7 @@ index 18cdfa8..85a9ee2 100644
|
||||
int r = 0;
|
||||
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
@@ -1582,7 +1593,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
* Make sure $SHELL points to the shell from the password file,
|
||||
* even if shell is overridden from login.conf
|
||||
*/
|
||||
@ -72,7 +72,7 @@ index 18cdfa8..85a9ee2 100644
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||
@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
@@ -1646,7 +1657,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
|
@ -5,11 +5,11 @@ UsePAM is used
|
||||
|
||||
bnc#708678, FATE#312033
|
||||
|
||||
Index: openssh-7.8p1/auth.c
|
||||
Index: openssh-8.4p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/auth.c
|
||||
+++ openssh-7.8p1/auth.c
|
||||
@@ -112,7 +112,7 @@ allowed_user(struct passwd * pw)
|
||||
--- openssh-8.4p1.orig/auth.c
|
||||
+++ openssh-8.4p1/auth.c
|
||||
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
|
||||
return 0;
|
||||
|
||||
#ifdef USE_SHADOW
|
||||
@ -18,7 +18,7 @@ Index: openssh-7.8p1/auth.c
|
||||
spw = getspnam(pw->pw_name);
|
||||
#ifdef HAS_SHADOW_EXPIRE
|
||||
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
||||
@@ -132,7 +132,7 @@ allowed_user(struct passwd * pw)
|
||||
@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
|
||||
#endif
|
||||
|
||||
/* check for locked account */
|
||||
@ -27,11 +27,11 @@ Index: openssh-7.8p1/auth.c
|
||||
int locked = 0;
|
||||
|
||||
#ifdef LOCKED_PASSWD_STRING
|
||||
Index: openssh-7.8p1/servconf.c
|
||||
Index: openssh-8.4p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/servconf.c
|
||||
+++ openssh-7.8p1/servconf.c
|
||||
@@ -83,6 +83,7 @@ initialize_server_options(ServerOptions
|
||||
--- openssh-8.4p1.orig/servconf.c
|
||||
+++ openssh-8.4p1/servconf.c
|
||||
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
|
||||
|
||||
/* Portable-specific options */
|
||||
options->use_pam = -1;
|
||||
@ -39,7 +39,7 @@ Index: openssh-7.8p1/servconf.c
|
||||
|
||||
/* Standard Options */
|
||||
options->num_ports = 0;
|
||||
@@ -259,6 +260,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
|
||||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
options->use_pam = 0;
|
||||
@ -48,7 +48,7 @@ Index: openssh-7.8p1/servconf.c
|
||||
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
@@ -459,7 +462,7 @@ fill_default_server_options(ServerOption
|
||||
@@ -501,7 +504,7 @@ fill_default_server_options(ServerOption
|
||||
typedef enum {
|
||||
sBadOption, /* == unknown option */
|
||||
/* Portable-specific options */
|
||||
@ -57,7 +57,7 @@ Index: openssh-7.8p1/servconf.c
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
@@ -509,8 +512,10 @@ static struct {
|
||||
@@ -553,8 +556,10 @@ static struct {
|
||||
/* Portable-specific options */
|
||||
#ifdef USE_PAM
|
||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||
@ -68,7 +68,7 @@ Index: openssh-7.8p1/servconf.c
|
||||
#endif
|
||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||
/* Standard Options */
|
||||
@@ -1250,6 +1255,9 @@ process_server_config_line(ServerOptions
|
||||
@@ -1318,6 +1323,9 @@ process_server_config_line_depth(ServerO
|
||||
case sUsePAM:
|
||||
intptr = &options->use_pam;
|
||||
goto parse_flag;
|
||||
@ -78,11 +78,11 @@ Index: openssh-7.8p1/servconf.c
|
||||
|
||||
/* Standard Options */
|
||||
case sBadOption:
|
||||
Index: openssh-7.8p1/servconf.h
|
||||
Index: openssh-8.4p1/servconf.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/servconf.h
|
||||
+++ openssh-7.8p1/servconf.h
|
||||
@@ -181,6 +181,7 @@ typedef struct {
|
||||
--- openssh-8.4p1.orig/servconf.h
|
||||
+++ openssh-8.4p1/servconf.h
|
||||
@@ -195,6 +195,7 @@ typedef struct {
|
||||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
@ -90,11 +90,11 @@ Index: openssh-7.8p1/servconf.h
|
||||
|
||||
int permit_tun;
|
||||
|
||||
Index: openssh-7.8p1/sshd_config.0
|
||||
Index: openssh-8.4p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd_config.0
|
||||
+++ openssh-7.8p1/sshd_config.0
|
||||
@@ -961,6 +961,14 @@ DESCRIPTION
|
||||
--- openssh-8.4p1.orig/sshd_config.0
|
||||
+++ openssh-8.4p1/sshd_config.0
|
||||
@@ -1032,6 +1032,14 @@ DESCRIPTION
|
||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
||||
non-root user. The default is no.
|
||||
|
||||
@ -109,11 +109,11 @@ Index: openssh-7.8p1/sshd_config.0
|
||||
VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH
|
||||
protocol banner sent by the server upon connection. The default
|
||||
Index: openssh-7.8p1/sshd_config.5
|
||||
Index: openssh-8.4p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd_config.5
|
||||
+++ openssh-7.8p1/sshd_config.5
|
||||
@@ -1613,6 +1613,18 @@ is enabled, you will not be able to run
|
||||
--- openssh-8.4p1.orig/sshd_config.5
|
||||
+++ openssh-8.4p1/sshd_config.5
|
||||
@@ -1718,6 +1718,18 @@ is enabled, you will not be able to run
|
||||
as a non-root user.
|
||||
The default is
|
||||
.Cm no .
|
||||
|
@ -1,14 +1,16 @@
|
||||
--- original/sftp-server.8 2016-12-19 04:59:41.000000000 +0000
|
||||
+++ original/sftp-server.8 2017-11-23 08:47:01.267239186 +0000
|
||||
Index: openssh-8.4p1/sftp-server.8
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sftp-server.8
|
||||
+++ openssh-8.4p1/sftp-server.8
|
||||
@@ -38,6 +38,7 @@
|
||||
.Op Fl P Ar blacklisted_requests
|
||||
.Op Fl p Ar whitelisted_requests
|
||||
.Op Fl P Ar denied_requests
|
||||
.Op Fl p Ar allowed_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_dir_perms
|
||||
.Ek
|
||||
.Nm
|
||||
.Fl Q Ar protocol_feature
|
||||
@@ -138,6 +139,10 @@
|
||||
@@ -138,6 +139,10 @@ Sets an explicit
|
||||
.Xr umask 2
|
||||
to be applied to newly-created files and directories, instead of the
|
||||
user's default mask.
|
||||
@ -19,9 +21,11 @@
|
||||
.El
|
||||
.Pp
|
||||
On some systems,
|
||||
--- original/sftp-server.c 2016-12-19 04:59:41.000000000 +0000
|
||||
+++ original/sftp-server.c 2017-11-23 13:07:08.481765581 +0000
|
||||
@@ -65,6 +65,10 @@
|
||||
Index: openssh-8.4p1/sftp-server.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sftp-server.c
|
||||
+++ openssh-8.4p1/sftp-server.c
|
||||
@@ -69,6 +69,10 @@ struct sshbuf *oqueue;
|
||||
/* Version of client */
|
||||
static u_int version;
|
||||
|
||||
@ -32,7 +36,7 @@
|
||||
/* SSH2_FXP_INIT received */
|
||||
static int init_done;
|
||||
|
||||
@@ -679,6 +683,7 @@
|
||||
@@ -687,6 +691,7 @@ process_open(u_int32_t id)
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
|
||||
@ -40,7 +44,7 @@
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||
@@ -688,6 +693,10 @@
|
||||
@@ -696,6 +701,10 @@ process_open(u_int32_t id)
|
||||
debug3("request %u: open flags %d", id, pflags);
|
||||
flags = flags_from_portable(pflags);
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
@ -51,7 +55,7 @@
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
@@ -709,6 +718,8 @@
|
||||
@@ -717,6 +726,8 @@ process_open(u_int32_t id)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -60,7 +64,7 @@
|
||||
if (status != SSH2_FX_OK)
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1110,6 +1121,7 @@
|
||||
@@ -1131,6 +1142,7 @@ process_mkdir(u_int32_t id)
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, mode, status = SSH2_FX_FAILURE;
|
||||
@ -68,7 +72,7 @@
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = decode_attrib(iqueue, &a)) != 0)
|
||||
@@ -1117,9 +1129,16 @@
|
||||
@@ -1138,9 +1150,16 @@ process_mkdir(u_int32_t id)
|
||||
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
|
||||
a.perm & 07777 : 0777;
|
||||
@ -85,16 +89,16 @@
|
||||
status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1490,7 +1509,7 @@
|
||||
@@ -1560,7 +1579,7 @@ sftp_server_usage(void)
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
||||
- "[-p whitelisted_requests] [-u umask]\n"
|
||||
+ "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n"
|
||||
"[-l log_level]\n\t[-P denied_requests] "
|
||||
- "[-p allowed_requests] [-u umask]\n"
|
||||
+ "[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
@@ -1516,7 +1535,7 @@
|
||||
@@ -1588,7 +1607,7 @@ sftp_server_main(int argc, char **argv,
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
@ -103,7 +107,7 @@
|
||||
switch (ch) {
|
||||
case 'Q':
|
||||
if (strcasecmp(optarg, "requests") != 0) {
|
||||
@@ -1576,6 +1595,15 @@
|
||||
@@ -1650,6 +1669,15 @@ sftp_server_main(int argc, char **argv,
|
||||
fatal("Invalid umask \"%s\"", optarg);
|
||||
(void)umask((mode_t)mask);
|
||||
break;
|
||||
|
@ -2,11 +2,11 @@
|
||||
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
|
||||
Put back sftp client diagnostic messages in batch mode
|
||||
|
||||
diff --git a/sftp.1 b/sftp.1
|
||||
index a305b37..6e802ec 100644
|
||||
--- a/sftp.1
|
||||
+++ b/sftp.1
|
||||
@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host.
|
||||
Index: openssh-8.4p1/sftp.1
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sftp.1
|
||||
+++ openssh-8.4p1/sftp.1
|
||||
@@ -287,6 +287,9 @@ Specifies the port to connect to on the
|
||||
.It Fl p
|
||||
Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
@ -16,10 +16,10 @@ index a305b37..6e802ec 100644
|
||||
.It Fl q
|
||||
Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from
|
||||
diff --git a/sftp.c b/sftp.c
|
||||
index 2799e4a..52b2c23 100644
|
||||
--- a/sftp.c
|
||||
+++ b/sftp.c
|
||||
Index: openssh-8.4p1/sftp.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sftp.c
|
||||
+++ openssh-8.4p1/sftp.c
|
||||
@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
|
||||
/* Suppress diagnositic messages */
|
||||
int quiet = 0;
|
||||
@ -30,15 +30,15 @@ index 2799e4a..52b2c23 100644
|
||||
/* This is set to 0 if the progressmeter is not desired. */
|
||||
int showprogress = 1;
|
||||
|
||||
@@ -2409,7 +2412,7 @@ main(int argc, char **argv)
|
||||
@@ -2408,7 +2411,7 @@ main(int argc, char **argv)
|
||||
infile = stdin;
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
- "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
+ "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
switch (ch) {
|
||||
/* Passed through to ssh(1) */
|
||||
case '4':
|
||||
case 'A':
|
||||
@@ -2426,6 +2429,9 @@ main(int argc, char **argv)
|
||||
addargs(&args, "-%c", ch);
|
||||
addargs(&args, "%s", optarg);
|
||||
@ -56,5 +56,5 @@ index 2799e4a..52b2c23 100644
|
||||
+ if (batchmode && loud)
|
||||
+ quiet = 0;
|
||||
|
||||
if (!isatty(STDERR_FILENO))
|
||||
showprogress = 0;
|
||||
/* Do this last because we want the user to be able to override it */
|
||||
addargs(&args, "-oForwardAgent no");
|
||||
|
@ -1,8 +1,8 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 88aba09..b815eac 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -115,7 +115,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
Index: openssh-8.4p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/Makefile.in
|
||||
+++ openssh-8.4p1/Makefile.in
|
||||
@@ -113,7 +113,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
||||
kexgssc.o \
|
||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||
@ -11,11 +11,11 @@ index 88aba09..b815eac 100644
|
||||
|
||||
SKOBJS= ssh-sk-client.o
|
||||
|
||||
diff --git a/audit-bsm.c b/audit-bsm.c
|
||||
index 0ba16c7..d5e9cda 100644
|
||||
--- a/audit-bsm.c
|
||||
+++ b/audit-bsm.c
|
||||
@@ -372,12 +372,25 @@ audit_connection_from(const char *host, int port)
|
||||
Index: openssh-8.4p1/audit-bsm.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/audit-bsm.c
|
||||
+++ openssh-8.4p1/audit-bsm.c
|
||||
@@ -372,13 +372,26 @@ audit_connection_from(const char *host,
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -33,16 +33,17 @@ index 0ba16c7..d5e9cda 100644
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
+void
|
||||
void
|
||||
+audit_count_session_open(void)
|
||||
+{
|
||||
+ /* not necessary */
|
||||
+}
|
||||
+
|
||||
void
|
||||
+void
|
||||
audit_session_open(struct logininfo *li)
|
||||
{
|
||||
@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li)
|
||||
/* not implemented */
|
||||
@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
@ -55,7 +56,7 @@ index 0ba16c7..d5e9cda 100644
|
||||
void
|
||||
audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
||||
{
|
||||
@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
||||
@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
||||
debug("%s: unhandled event %d", __func__, event);
|
||||
}
|
||||
}
|
||||
@ -84,10 +85,10 @@ index 0ba16c7..d5e9cda 100644
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff --git a/audit-linux.c b/audit-linux.c
|
||||
index 3fcbe5c..a823c30 100644
|
||||
--- a/audit-linux.c
|
||||
+++ b/audit-linux.c
|
||||
Index: openssh-8.4p1/audit-linux.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/audit-linux.c
|
||||
+++ openssh-8.4p1/audit-linux.c
|
||||
@@ -33,27 +33,40 @@
|
||||
|
||||
#include "log.h"
|
||||
@ -99,10 +100,11 @@ index 3fcbe5c..a823c30 100644
|
||||
+#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
#include "packet.h"
|
||||
-
|
||||
+#include "cipher.h"
|
||||
+#include "channels.h"
|
||||
+#include "session.h"
|
||||
|
||||
+
|
||||
+#define AUDIT_LOG_SIZE 256
|
||||
+
|
||||
+extern ServerOptions options;
|
||||
@ -136,7 +138,7 @@ index 3fcbe5c..a823c30 100644
|
||||
saved_errno = errno;
|
||||
close(audit_fd);
|
||||
|
||||
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const char *username, const char *hostname,
|
||||
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
|
||||
rc = 0;
|
||||
errno = saved_errno;
|
||||
|
||||
@ -234,7 +236,7 @@ index 3fcbe5c..a823c30 100644
|
||||
/* Below is the sshd audit API code */
|
||||
|
||||
void
|
||||
@@ -76,49 +176,210 @@ audit_connection_from(const char *host, int port)
|
||||
@@ -76,49 +176,210 @@ audit_connection_from(const char *host,
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
@ -457,10 +459,10 @@ index 3fcbe5c..a823c30 100644
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff --git a/audit.c b/audit.c
|
||||
index dd2f035..c8d54b1 100644
|
||||
--- a/audit.c
|
||||
+++ b/audit.c
|
||||
Index: openssh-8.4p1/audit.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/audit.c
|
||||
+++ openssh-8.4p1/audit.c
|
||||
@@ -34,6 +34,12 @@
|
||||
#include "log.h"
|
||||
#include "hostfile.h"
|
||||
@ -534,11 +536,10 @@ index dd2f035..c8d54b1 100644
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
/*
|
||||
* Null implementations of audit functions.
|
||||
@@ -137,6 +170,17 @@ audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
||||
audit_username(), event, audit_event_lookup(event));
|
||||
@@ -138,6 +171,17 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
||||
}
|
||||
|
||||
+/*
|
||||
/*
|
||||
+ * Called when a child process has called, or will soon call,
|
||||
+ * audit_session_open.
|
||||
+ */
|
||||
@ -549,10 +550,11 @@ index dd2f035..c8d54b1 100644
|
||||
+ audit_username());
|
||||
+}
|
||||
+
|
||||
/*
|
||||
+/*
|
||||
* Called when a user session is started. Argument is the tty allocated to
|
||||
* the session, or NULL if no tty was allocated.
|
||||
@@ -172,13 +216,82 @@ audit_session_close(struct logininfo *li)
|
||||
*
|
||||
@@ -172,13 +216,82 @@ audit_session_close(struct logininfo *li
|
||||
/*
|
||||
* This will be called when a user runs a non-interactive command. Note that
|
||||
* it may be called multiple times for a single connection since SSH2 allows
|
||||
@ -638,10 +640,10 @@ index dd2f035..c8d54b1 100644
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/audit.h b/audit.h
|
||||
index 38cb5ad..45d66cc 100644
|
||||
--- a/audit.h
|
||||
+++ b/audit.h
|
||||
Index: openssh-8.4p1/audit.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/audit.h
|
||||
+++ openssh-8.4p1/audit.h
|
||||
@@ -26,6 +26,7 @@
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
@ -684,11 +686,10 @@ index 38cb5ad..45d66cc 100644
|
||||
+void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff --git a/auditstub.c b/auditstub.c
|
||||
new file mode 100644
|
||||
index 0000000..639a798
|
||||
Index: openssh-8.4p1/auditstub.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/auditstub.c
|
||||
+++ openssh-8.4p1/auditstub.c
|
||||
@@ -0,0 +1,52 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
@ -742,11 +743,11 @@ index 0000000..639a798
|
||||
+audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+}
|
||||
diff --git a/auth.c b/auth.c
|
||||
index 779a1af..f6f3c86 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
|
||||
Index: openssh-8.4p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/auth.c
|
||||
+++ openssh-8.4p1/auth.c
|
||||
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
|
||||
# endif
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -755,7 +756,7 @@ index 779a1af..f6f3c86 100644
|
||||
audit_event(ssh, audit_classify_auth(method));
|
||||
#endif
|
||||
}
|
||||
@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const char *user)
|
||||
@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const cha
|
||||
record_failed_login(ssh, user,
|
||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||
#endif
|
||||
@ -765,11 +766,11 @@ index 779a1af..f6f3c86 100644
|
||||
return (NULL);
|
||||
}
|
||||
if (!allowed_user(ssh, pw))
|
||||
diff --git a/auth.h b/auth.h
|
||||
index becc672..c8a99fb 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh *, const char *user);
|
||||
Index: openssh-8.4p1/auth.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/auth.h
|
||||
+++ openssh-8.4p1/auth.h
|
||||
@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh
|
||||
|
||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||
char *authorized_principals_file(struct passwd *);
|
||||
@ -778,7 +779,7 @@ index becc672..c8a99fb 100644
|
||||
|
||||
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
||||
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
||||
@@ -208,6 +210,8 @@ struct sshkey *get_hostkey_private_by_type(int, int, struct ssh *);
|
||||
@@ -208,6 +210,8 @@ struct sshkey *get_hostkey_private_by_ty
|
||||
int get_hostkey_index(struct sshkey *, int, struct ssh *);
|
||||
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
||||
u_char **, size_t *, const u_char *, size_t, const char *);
|
||||
@ -787,10 +788,10 @@ index becc672..c8a99fb 100644
|
||||
|
||||
/* Key / cert options linkage to auth layer */
|
||||
const struct sshauthopt *auth_options(struct ssh *);
|
||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||
index 5e9b7c6..c0a09a3 100644
|
||||
--- a/auth2-hostbased.c
|
||||
+++ b/auth2-hostbased.c
|
||||
Index: openssh-8.4p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/auth2-hostbased.c
|
||||
+++ openssh-8.4p1/auth2-hostbased.c
|
||||
@@ -150,7 +150,7 @@ userauth_hostbased(struct ssh *ssh)
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
|
||||
@ -820,10 +821,10 @@ index 5e9b7c6..c0a09a3 100644
|
||||
/* return 1 if given hostkey is allowed */
|
||||
int
|
||||
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index 815ea0f..f8a4325 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
Index: openssh-8.4p1/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/auth2-pubkey.c
|
||||
+++ openssh-8.4p1/auth2-pubkey.c
|
||||
@@ -212,7 +212,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
@ -833,7 +834,7 @@ index 815ea0f..f8a4325 100644
|
||||
sshbuf_ptr(b), sshbuf_len(b),
|
||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||
ssh->compat, &sig_details)) == 0) {
|
||||
@@ -294,6 +294,19 @@ done:
|
||||
@@ -308,6 +308,19 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
@ -853,11 +854,11 @@ index 815ea0f..f8a4325 100644
|
||||
static int
|
||||
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
||||
{
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index a4a5e00..b12d2ac 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
|
||||
Index: openssh-8.4p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/auth2.c
|
||||
+++ openssh-8.4p1/auth2.c
|
||||
@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32
|
||||
} else {
|
||||
/* Invalid user, fake password information */
|
||||
authctxt->pw = fakepw();
|
||||
@ -867,10 +868,10 @@ index a4a5e00..b12d2ac 100644
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index 599b54a..7f25a18 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
Index: openssh-8.4p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/cipher.c
|
||||
+++ openssh-8.4p1/cipher.c
|
||||
@@ -58,25 +58,6 @@
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
@ -897,7 +898,7 @@ index 599b54a..7f25a18 100644
|
||||
static const struct sshcipher ciphers_all[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
#ifndef OPENSSL_NO_DES
|
||||
@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
|
||||
@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx *
|
||||
void
|
||||
cipher_free(struct sshcipher_ctx *cc)
|
||||
{
|
||||
@ -906,10 +907,10 @@ index 599b54a..7f25a18 100644
|
||||
return;
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||
chachapoly_free(cc->cp_ctx);
|
||||
diff --git a/cipher.h b/cipher.h
|
||||
index 626f2f5..b3383a5 100644
|
||||
--- a/cipher.h
|
||||
+++ b/cipher.h
|
||||
Index: openssh-8.4p1/cipher.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/cipher.h
|
||||
+++ openssh-8.4p1/cipher.h
|
||||
@@ -47,7 +47,25 @@
|
||||
#define CIPHER_ENCRYPT 1
|
||||
#define CIPHER_DECRYPT 0
|
||||
@ -937,10 +938,10 @@ index 626f2f5..b3383a5 100644
|
||||
struct sshcipher_ctx {
|
||||
int plaintext;
|
||||
int encrypt;
|
||||
diff --git a/kex.c b/kex.c
|
||||
index fbb8e4f..39cad99 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
Index: openssh-8.4p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/kex.c
|
||||
+++ openssh-8.4p1/kex.c
|
||||
@@ -62,6 +62,7 @@
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
@ -968,7 +969,7 @@ index fbb8e4f..39cad99 100644
|
||||
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
||||
error("%s: unsupported cipher %s", __func__, name);
|
||||
free(name);
|
||||
@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||
@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
|
||||
@ -982,7 +983,7 @@ index fbb8e4f..39cad99 100644
|
||||
if (mac_setup(mac, name) < 0) {
|
||||
error("%s: unsupported MAC %s", __func__, name);
|
||||
free(name);
|
||||
@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||
@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||
}
|
||||
|
||||
static int
|
||||
@ -1030,7 +1031,7 @@ index fbb8e4f..39cad99 100644
|
||||
}
|
||||
/* XXX need runden? */
|
||||
kex->we_need = need;
|
||||
@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_char *digest, int len)
|
||||
@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_cha
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -1067,10 +1068,10 @@ index fbb8e4f..39cad99 100644
|
||||
/*
|
||||
* Send a plaintext error message to the peer, suffixed by \r\n.
|
||||
* Only used during banner exchange, and there only for the server.
|
||||
diff --git a/kex.h b/kex.h
|
||||
index 4dc48fd..fdf0cf6 100644
|
||||
--- a/kex.h
|
||||
+++ b/kex.h
|
||||
Index: openssh-8.4p1/kex.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/kex.h
|
||||
+++ openssh-8.4p1/kex.h
|
||||
@@ -226,6 +226,8 @@ int kexgss_client(struct ssh *);
|
||||
int kexgss_server(struct ssh *);
|
||||
#endif
|
||||
@ -1080,10 +1081,10 @@ index 4dc48fd..fdf0cf6 100644
|
||||
int kex_dh_keypair(struct kex *);
|
||||
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
|
||||
struct sshbuf **);
|
||||
diff --git a/mac.c b/mac.c
|
||||
index 90d71c8..6d87a80 100644
|
||||
--- a/mac.c
|
||||
+++ b/mac.c
|
||||
Index: openssh-8.4p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/mac.c
|
||||
+++ openssh-8.4p1/mac.c
|
||||
@@ -277,6 +277,20 @@ mac_clear(struct sshmac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -1105,21 +1106,21 @@ index 90d71c8..6d87a80 100644
|
||||
/* XXX copied from ciphers_valid */
|
||||
#define MAC_SEP ","
|
||||
int
|
||||
diff --git a/mac.h b/mac.h
|
||||
index 0b119d7..5fb593b 100644
|
||||
--- a/mac.h
|
||||
+++ b/mac.h
|
||||
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
|
||||
Index: openssh-8.4p1/mac.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/mac.h
|
||||
+++ openssh-8.4p1/mac.h
|
||||
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
|
||||
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
|
||||
const u_char *, size_t);
|
||||
void mac_clear(struct sshmac *);
|
||||
+void mac_destroy(struct sshmac *);
|
||||
|
||||
#endif /* SSHMAC_H */
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index cf775e5..fcd8283 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
Index: openssh-8.4p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/monitor.c
|
||||
+++ openssh-8.4p1/monitor.c
|
||||
@@ -93,6 +93,7 @@
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
@ -1137,7 +1138,7 @@ index cf775e5..fcd8283 100644
|
||||
/* State exported from the child */
|
||||
static struct sshbuf *child_state;
|
||||
|
||||
@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh*, int, struct sshbuf *);
|
||||
@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_audit_command(struct ssh *, int, struct sshbuf *);
|
||||
@ -1149,7 +1150,7 @@ index cf775e5..fcd8283 100644
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[]
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
@ -1160,7 +1161,7 @@ index cf775e5..fcd8283 100644
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20[] = {
|
||||
@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||
@ -1172,9 +1173,9 @@ index cf775e5..fcd8283 100644
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -1406,8 +1423,10 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
size_t signaturelen, datalen, bloblen;
|
||||
int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
|
||||
@@ -1407,8 +1424,10 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
|
||||
int encoded_ret;
|
||||
struct sshkey_sig_details *sig_details = NULL;
|
||||
+ int type = 0;
|
||||
|
||||
@ -1184,7 +1185,7 @@ index cf775e5..fcd8283 100644
|
||||
(r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
|
||||
(r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
|
||||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
||||
@@ -1416,6 +1435,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1417,6 +1436,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||
!monitor_allowed_key(blob, bloblen))
|
||||
fatal("%s: bad key, not previously allowed", __func__);
|
||||
@ -1193,7 +1194,7 @@ index cf775e5..fcd8283 100644
|
||||
|
||||
/* Empty signature algorithm means NULL. */
|
||||
if (*sigalg == '\0') {
|
||||
@@ -1431,14 +1452,19 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1432,14 +1453,19 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
case MM_USERKEY:
|
||||
valid_data = monitor_valid_userblob(data, datalen);
|
||||
auth_method = "publickey";
|
||||
@ -1213,7 +1214,7 @@ index cf775e5..fcd8283 100644
|
||||
break;
|
||||
}
|
||||
if (!valid_data)
|
||||
@@ -1448,8 +1474,6 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1449,8 +1475,6 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
|
||||
@ -1222,7 +1223,7 @@ index cf775e5..fcd8283 100644
|
||||
debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
|
||||
(ret == 0) ? "verified" : "unverified",
|
||||
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
||||
@@ -1524,13 +1548,19 @@ mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw)
|
||||
@@ -1537,13 +1561,19 @@ mm_record_login(struct ssh *ssh, Session
|
||||
}
|
||||
|
||||
static void
|
||||
@ -1243,7 +1244,7 @@ index cf775e5..fcd8283 100644
|
||||
session_unused(s->self);
|
||||
}
|
||||
|
||||
@@ -1597,7 +1627,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1610,7 +1640,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
|
||||
|
||||
error:
|
||||
if (s != NULL)
|
||||
@ -1252,7 +1253,7 @@ index cf775e5..fcd8283 100644
|
||||
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
||||
@@ -1616,7 +1646,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1629,7 +1659,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
|
||||
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
if ((s = session_by_tty(tty)) != NULL)
|
||||
@ -1261,7 +1262,7 @@ index cf775e5..fcd8283 100644
|
||||
sshbuf_reset(m);
|
||||
free(tty);
|
||||
return (0);
|
||||
@@ -1638,6 +1668,8 @@ mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req)
|
||||
@@ -1651,6 +1681,8 @@ mm_answer_term(struct ssh *ssh, int sock
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
@ -1270,7 +1271,7 @@ index cf775e5..fcd8283 100644
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -1684,12 +1716,47 @@ mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m)
|
||||
@@ -1697,12 +1729,47 @@ mm_answer_audit_command(struct ssh *ssh,
|
||||
{
|
||||
char *cmd;
|
||||
int r;
|
||||
@ -1319,7 +1320,7 @@ index cf775e5..fcd8283 100644
|
||||
free(cmd);
|
||||
return (0);
|
||||
}
|
||||
@@ -1755,6 +1822,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
@@ -1768,6 +1835,7 @@ monitor_apply_keystate(struct ssh *ssh,
|
||||
void
|
||||
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
{
|
||||
@ -1327,7 +1328,7 @@ index cf775e5..fcd8283 100644
|
||||
debug3("%s: Waiting for new keys", __func__);
|
||||
|
||||
if ((child_state = sshbuf_new()) == NULL)
|
||||
@@ -1762,6 +1830,19 @@ mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
@@ -1775,6 +1843,19 @@ mm_get_keystate(struct ssh *ssh, struct
|
||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||
child_state);
|
||||
debug3("%s: GOT new keys", __func__);
|
||||
@ -1347,7 +1348,7 @@ index cf775e5..fcd8283 100644
|
||||
}
|
||||
|
||||
|
||||
@@ -2039,3 +2120,102 @@ mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
|
||||
@@ -2052,3 +2133,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
|
||||
|
||||
#endif /* GSSAPI */
|
||||
|
||||
@ -1450,10 +1451,10 @@ index cf775e5..fcd8283 100644
|
||||
+ return 0;
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/monitor.h b/monitor.h
|
||||
index 2b1a2d5..7817990 100644
|
||||
--- a/monitor.h
|
||||
+++ b/monitor.h
|
||||
Index: openssh-8.4p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/monitor.h
|
||||
+++ openssh-8.4p1/monitor.h
|
||||
@@ -61,7 +61,13 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
||||
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
||||
@ -1469,11 +1470,11 @@ index 2b1a2d5..7817990 100644
|
||||
|
||||
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
|
||||
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index 6edb509..cb5e5f3 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
|
||||
Index: openssh-8.4p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/monitor_wrap.c
|
||||
+++ openssh-8.4p1/monitor_wrap.c
|
||||
@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, con
|
||||
*/
|
||||
|
||||
int
|
||||
@ -1482,7 +1483,7 @@ index 6edb509..cb5e5f3 100644
|
||||
const u_char *data, size_t datalen, const char *sigalg, u_int compat,
|
||||
struct sshkey_sig_details **sig_detailsp)
|
||||
{
|
||||
@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||
*sig_detailsp = NULL;
|
||||
if ((m = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
@ -1492,7 +1493,7 @@ index 6edb509..cb5e5f3 100644
|
||||
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
|
||||
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
|
||||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
|
||||
@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -1513,7 +1514,7 @@ index 6edb509..cb5e5f3 100644
|
||||
void
|
||||
mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
|
||||
{
|
||||
@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
||||
@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
@ -1528,7 +1529,7 @@ index 6edb509..cb5e5f3 100644
|
||||
|
||||
debug3("%s entering command %s", __func__, command);
|
||||
|
||||
@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command)
|
||||
@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
|
||||
@ -1559,7 +1560,7 @@ index 6edb509..cb5e5f3 100644
|
||||
sshbuf_free(m);
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
|
||||
@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
|
||||
}
|
||||
|
||||
#endif /* GSSAPI */
|
||||
@ -1643,11 +1644,11 @@ index 6edb509..cb5e5f3 100644
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||
index 485590c..73c095e 100644
|
||||
--- a/monitor_wrap.h
|
||||
+++ b/monitor_wrap.h
|
||||
@@ -57,7 +57,9 @@ int mm_user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
|
||||
Index: openssh-8.4p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/monitor_wrap.h
|
||||
+++ openssh-8.4p1/monitor_wrap.h
|
||||
@@ -58,7 +58,9 @@ int mm_user_key_allowed(struct ssh *, st
|
||||
struct sshauthopt **);
|
||||
int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
|
||||
const char *, struct sshkey *);
|
||||
@ -1658,7 +1659,7 @@ index 485590c..73c095e 100644
|
||||
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
|
||||
#ifdef GSSAPI
|
||||
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
|
||||
@@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
#include "audit.h"
|
||||
void mm_audit_event(struct ssh *, ssh_audit_event_t);
|
||||
@ -1672,10 +1673,10 @@ index 485590c..73c095e 100644
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff --git a/packet.c b/packet.c
|
||||
index e7abb34..997c338 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
Index: openssh-8.4p1/packet.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/packet.c
|
||||
+++ openssh-8.4p1/packet.c
|
||||
@@ -81,6 +81,7 @@
|
||||
#endif
|
||||
|
||||
@ -1684,7 +1685,7 @@ index e7abb34..997c338 100644
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
#include "cipher.h"
|
||||
@@ -515,6 +516,13 @@ ssh_packet_get_connection_out(struct ssh *ssh)
|
||||
@@ -518,6 +519,13 @@ ssh_packet_get_connection_out(struct ssh
|
||||
return ssh->state->connection_out;
|
||||
}
|
||||
|
||||
@ -1698,7 +1699,7 @@ index e7abb34..997c338 100644
|
||||
/*
|
||||
* Returns the IP-address of the remote host as a string. The returned
|
||||
* string must not be freed.
|
||||
@@ -592,22 +600,19 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||
@@ -595,22 +603,19 @@ ssh_packet_close_internal(struct ssh *ss
|
||||
{
|
||||
struct session_state *state = ssh->state;
|
||||
u_int mode;
|
||||
@ -1726,7 +1727,7 @@ index e7abb34..997c338 100644
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
kex_free_newkeys(state->newkeys[mode]); /* current keys */
|
||||
state->newkeys[mode] = NULL;
|
||||
@@ -643,8 +648,18 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||
@@ -646,8 +651,18 @@ ssh_packet_close_internal(struct ssh *ss
|
||||
#endif /* WITH_ZLIB */
|
||||
cipher_free(state->send_context);
|
||||
cipher_free(state->receive_context);
|
||||
@ -1745,7 +1746,7 @@ index e7abb34..997c338 100644
|
||||
free(ssh->local_ipaddr);
|
||||
ssh->local_ipaddr = NULL;
|
||||
free(ssh->remote_ipaddr);
|
||||
@@ -899,6 +914,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
||||
@@ -904,6 +919,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
|
||||
(unsigned long long)state->p_send.bytes,
|
||||
(unsigned long long)state->p_send.blocks);
|
||||
kex_free_newkeys(state->newkeys[mode]);
|
||||
@ -1753,7 +1754,7 @@ index e7abb34..997c338 100644
|
||||
state->newkeys[mode] = NULL;
|
||||
}
|
||||
/* note that both bytes and the seqnr are not reset */
|
||||
@@ -2205,6 +2221,73 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
@@ -2210,6 +2226,73 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
return (void *)ssh->state->output;
|
||||
}
|
||||
|
||||
@ -1827,20 +1828,20 @@ index e7abb34..997c338 100644
|
||||
/* Reset after_authentication and reset compression in post-auth privsep */
|
||||
static int
|
||||
ssh_packet_set_postauth(struct ssh *ssh)
|
||||
diff --git a/packet.h b/packet.h
|
||||
index c2544bd..239b391 100644
|
||||
--- a/packet.h
|
||||
+++ b/packet.h
|
||||
@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
||||
Index: openssh-8.4p1/packet.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/packet.h
|
||||
+++ openssh-8.4p1/packet.h
|
||||
@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
|
||||
# undef EC_POINT
|
||||
#endif
|
||||
|
||||
+void packet_destroy_all(struct ssh *, int, int);
|
||||
#endif /* PACKET_H */
|
||||
diff --git a/session.c b/session.c
|
||||
index 530aa26..9e7a8f8 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
Index: openssh-8.4p1/session.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/session.c
|
||||
+++ openssh-8.4p1/session.c
|
||||
@@ -136,7 +136,7 @@ extern char *__progname;
|
||||
extern int debug_flag;
|
||||
extern u_int utmp_len;
|
||||
@ -1850,7 +1851,7 @@ index 530aa26..9e7a8f8 100644
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts;
|
||||
extern char *tun_fwd_ifnames; /* serverloop.c */
|
||||
@@ -647,6 +647,14 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command)
|
||||
@@ -647,6 +647,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
/* Parent. Close the slave side of the pseudo tty. */
|
||||
close(ttyfd);
|
||||
|
||||
@ -1865,7 +1866,7 @@ index 530aa26..9e7a8f8 100644
|
||||
/* Enter interactive session. */
|
||||
s->ptymaster = ptymaster;
|
||||
ssh_packet_set_interactive(ssh, 1,
|
||||
@@ -711,15 +719,19 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
|
||||
@@ -711,15 +719,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
s->self);
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -1887,7 +1888,7 @@ index 530aa26..9e7a8f8 100644
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(ssh, s, command);
|
||||
@@ -1535,8 +1547,11 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
@@ -1542,8 +1554,11 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -1900,7 +1901,7 @@ index 530aa26..9e7a8f8 100644
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
@@ -1745,6 +1760,9 @@ session_unused(int id)
|
||||
@@ -1752,6 +1767,9 @@ session_unused(int id)
|
||||
sessions[id].ttyfd = -1;
|
||||
sessions[id].ptymaster = -1;
|
||||
sessions[id].x11_chanids = NULL;
|
||||
@ -1910,11 +1911,10 @@ index 530aa26..9e7a8f8 100644
|
||||
sessions[id].next_unused = sessions_first_unused;
|
||||
sessions_first_unused = id;
|
||||
}
|
||||
@@ -1826,6 +1844,19 @@ session_open(Authctxt *authctxt, int chanid)
|
||||
return 1;
|
||||
@@ -1834,6 +1852,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
}
|
||||
|
||||
+Session *
|
||||
Session *
|
||||
+session_by_id(int id)
|
||||
+{
|
||||
+ if (id >= 0 && id < sessions_nalloc) {
|
||||
@ -1927,10 +1927,11 @@ index 530aa26..9e7a8f8 100644
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
Session *
|
||||
+Session *
|
||||
session_by_tty(char *tty)
|
||||
{
|
||||
@@ -2437,6 +2468,32 @@ session_exit_message(struct ssh *ssh, Session *s, int status)
|
||||
int i;
|
||||
@@ -2444,6 +2475,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
chan_write_failed(ssh, c);
|
||||
}
|
||||
|
||||
@ -1963,7 +1964,7 @@ index 530aa26..9e7a8f8 100644
|
||||
void
|
||||
session_close(struct ssh *ssh, Session *s)
|
||||
{
|
||||
@@ -2478,6 +2535,10 @@ session_close(struct ssh *ssh, Session *s)
|
||||
@@ -2485,6 +2542,10 @@ session_close(struct ssh *ssh, Session *
|
||||
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
@ -1974,7 +1975,7 @@ index 530aa26..9e7a8f8 100644
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
@@ -2553,14 +2614,14 @@ session_close_by_channel(struct ssh *ssh, int id, void *arg)
|
||||
@@ -2560,14 +2621,14 @@ session_close_by_channel(struct ssh *ssh
|
||||
}
|
||||
|
||||
void
|
||||
@ -1991,7 +1992,7 @@ index 530aa26..9e7a8f8 100644
|
||||
else
|
||||
session_close(ssh, s);
|
||||
}
|
||||
@@ -2686,6 +2747,15 @@ do_authenticated2(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -2693,6 +2754,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
server_loop2(ssh, authctxt);
|
||||
}
|
||||
|
||||
@ -2007,7 +2008,7 @@ index 530aa26..9e7a8f8 100644
|
||||
void
|
||||
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
@@ -2749,7 +2819,7 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -2756,7 +2826,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
* or if running in monitor.
|
||||
*/
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
@ -2016,10 +2017,10 @@ index 530aa26..9e7a8f8 100644
|
||||
}
|
||||
|
||||
/* Return a name for the remote host that fits inside utmp_size */
|
||||
diff --git a/session.h b/session.h
|
||||
index ce59dab..bcd4b1d 100644
|
||||
--- a/session.h
|
||||
+++ b/session.h
|
||||
Index: openssh-8.4p1/session.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/session.h
|
||||
+++ openssh-8.4p1/session.h
|
||||
@@ -61,6 +61,12 @@ struct Session {
|
||||
char *name;
|
||||
char *val;
|
||||
@ -2047,10 +2048,10 @@ index ce59dab..bcd4b1d 100644
|
||||
Session *session_by_tty(char *);
|
||||
void session_close(struct ssh *, Session *);
|
||||
void do_setusercontext(struct passwd *);
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 7d23232..9c83ce0 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
Index: openssh-8.4p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd.c
|
||||
+++ openssh-8.4p1/sshd.c
|
||||
@@ -122,6 +122,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
@ -2212,7 +2213,7 @@ index 7d23232..9c83ce0 100644
|
||||
setproctitle("%s", "[net]");
|
||||
if (box != NULL)
|
||||
ssh_sandbox_child(box);
|
||||
@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2221,7 +2222,7 @@ index 7d23232..9c83ce0 100644
|
||||
|
||||
reseed_prngs();
|
||||
|
||||
@@ -1101,7 +1156,7 @@ server_listen(void)
|
||||
@@ -1159,7 +1214,7 @@ server_listen(void)
|
||||
* from this function are in a forked subprocess.
|
||||
*/
|
||||
static void
|
||||
@ -2230,7 +2231,7 @@ index 7d23232..9c83ce0 100644
|
||||
{
|
||||
fd_set *fdset;
|
||||
int i, j, ret, maxfd;
|
||||
@@ -1162,6 +1217,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
@@ -1220,6 +1275,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
@ -2238,7 +2239,7 @@ index 7d23232..9c83ce0 100644
|
||||
close_listen_socks();
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
@@ -2039,7 +2095,7 @@ main(int ac, char **av)
|
||||
@@ -2089,7 +2145,7 @@ main(int ac, char **av)
|
||||
#endif
|
||||
|
||||
/* Accept a connection and return in a forked child */
|
||||
@ -2247,7 +2248,7 @@ index 7d23232..9c83ce0 100644
|
||||
&newsock, config_s);
|
||||
}
|
||||
|
||||
@@ -2274,6 +2330,9 @@ main(int ac, char **av)
|
||||
@@ -2325,6 +2381,9 @@ main(int ac, char **av)
|
||||
do_authenticated(ssh, authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
@ -2257,7 +2258,7 @@ index 7d23232..9c83ce0 100644
|
||||
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes",
|
||||
(unsigned long long)obytes, (unsigned long long)ibytes);
|
||||
@@ -2457,6 +2516,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2509,6 +2568,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
@ -2273,7 +2274,7 @@ index 7d23232..9c83ce0 100644
|
||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||
do_cleanup(the_active_state, the_authctxt);
|
||||
if (use_privsep && privsep_is_preauth &&
|
||||
@@ -2468,9 +2536,16 @@ cleanup_exit(int i)
|
||||
@@ -2520,9 +2588,16 @@ cleanup_exit(int i)
|
||||
pmonitor->m_pid, strerror(errno));
|
||||
}
|
||||
}
|
||||
@ -2291,15 +2292,14 @@ index 7d23232..9c83ce0 100644
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
_exit(i);
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index 1ac32a0..f579108 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -368,6 +368,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
}
|
||||
Index: openssh-8.4p1/sshkey.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshkey.c
|
||||
+++ openssh-8.4p1/sshkey.c
|
||||
@@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
}
|
||||
|
||||
+int
|
||||
int
|
||||
+sshkey_is_private(const struct sshkey *k)
|
||||
+{
|
||||
+ switch (k->type) {
|
||||
@ -2331,14 +2331,15 @@ index 1ac32a0..f579108 100644
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
int
|
||||
+int
|
||||
sshkey_is_cert(const struct sshkey *k)
|
||||
{
|
||||
diff --git a/sshkey.h b/sshkey.h
|
||||
index f586e89..a08bc65 100644
|
||||
--- a/sshkey.h
|
||||
+++ b/sshkey.h
|
||||
@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshkey *);
|
||||
if (k == NULL)
|
||||
Index: openssh-8.4p1/sshkey.h
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshkey.h
|
||||
+++ openssh-8.4p1/sshkey.h
|
||||
@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshke
|
||||
int sshkey_unshield_private(struct sshkey *);
|
||||
|
||||
int sshkey_type_from_name(const char *);
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2
|
||||
size 1706358
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl7N2TQACgkQ0+X1a22S
|
||||
DTCXbAx/eycNNXxdVK3JtDQBUuSyup/eXeiuAdfTb77dKhdInk6ivaaKtVZ+3rlu
|
||||
eEUwAY2Bf/majUUigI5OI/niODMqbYWBBDKRudQlDSGfH8XnRge6dRjIWXU6XvZP
|
||||
MJpxVZWRorjnuCArWemlJ5QFxSds938Ae+7MFkveQ59UpRDeslYiI6twCXjRiZEL
|
||||
e8lBfsfZqcOLO8KLVRvDx6sqD8EXlak8fhdjmjKdbvA4oWHLcwUcuaNT/o5I2ZWn
|
||||
m2sOQcuhwt3+jm+f9SQKLURHcmGC6Hu5YXBq4+Ut7P9Qc9lAf76SDDnsrRQ8pv+Z
|
||||
tLsXBO+bNe3tSkRbG/AQQRZtGEzlhM8KPyQ6oA0JqlN4Wb5XMWYFyYyJTwJ/95ZI
|
||||
dluMmpwQTRVQGUNU7kVNe04TwRl+8APqvcnE3/i7MDm6EG5BHGcAneRmZfvt209F
|
||||
z8yGtKQKCvZm5Rn9V0/Gm3+pq5O2sie90CPW9ebyPsajzQlrYBQPoJ1aQ+Ue4QE6
|
||||
gee5eO3TZOJJ3peTqjihGUtpKH+21w==
|
||||
=lhX0
|
||||
-----END PGP SIGNATURE-----
|
3
openssh-8.4p1.tar.gz
Normal file
3
openssh-8.4p1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
|
||||
size 1742201
|
14
openssh-8.4p1.tar.gz.asc
Normal file
14
openssh-8.4p1.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl9wQnwACgkQ0+X1a22S
|
||||
DTAR6wyAjRcvW7Jg9v73AR7TUO4WAD085sYi4ZLsECMZqhVZUBVv0Ofmcz2ISg3I
|
||||
NU1nr9Kiqf1/i05OUIR64kJEd4wTSwv+4HhyP5MPJqyCkKcFJ9TyRy6pASZtyH6D
|
||||
hKezJ79iGUg1U46bI6yyxchcAKrz0if97fKd0/1h5yE7T5lcbo+zQPsAg9dDXHBJ
|
||||
nL5mpBQXU3xbU8bC+E+vZ7VAyxEm6kzuY7MRW2wOhpPQ5DJgEjAUjtvzvd9SJhKl
|
||||
u/hgKXqIJBQB1pHlAFI1knfTrGUGrzob8QphukrvmbMJC3dO/o3Dplvx6lZkes0c
|
||||
6hP66rhTRp5Tmw9ae3iUmoDf6SyStlo/4QomCuw0NxHrSOng16VjCR+NRWHvZbXC
|
||||
JckIqparyOJ2jtHz0+e52sRZCZKauFBDMZboNj7f+htwQRUFOVfeSecpJiYut4bM
|
||||
YALdayOQwL96J6aMdoMKfMGZUevCPN6OM96E6cMC1fmanBenZQ/vatmskIvvvO/P
|
||||
rwECYTpGVRezhAvXMEy9x+EVdV6ctA==
|
||||
=PW3D
|
||||
-----END PGP SIGNATURE-----
|
@ -18,14 +18,14 @@
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 8.3p1
|
||||
Version: 8.4p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
Group: Productivity/Networking/SSH
|
||||
URL: http://www.openssh.com/
|
||||
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
||||
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
||||
URL: https://www.openssh.com/
|
||||
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
||||
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
||||
Requires: %{_name} = %{version}
|
||||
Supplements: packageand(openssh-clients:libgtk-3-0)
|
||||
%if 0%{?suse_version} >= 1550
|
||||
|
130
openssh.changes
130
openssh.changes
@ -1,3 +1,133 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 18 00:30:37 UTC 2021 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 8.4p1:
|
||||
Security
|
||||
========
|
||||
* ssh-agent(1): restrict ssh-agent from signing web challenges for
|
||||
FIDO/U2F keys.
|
||||
* ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
|
||||
a FIDO resident key.
|
||||
* ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
|
||||
each use. These keys may be generated using ssh-keygen using a new
|
||||
"verify-required" option. When a PIN-required key is used, the user
|
||||
will be prompted for a PIN to complete the signature operation.
|
||||
New Features
|
||||
------------
|
||||
* sshd(8): authorized_keys now supports a new "verify-required"
|
||||
option to require FIDO signatures assert that the token verified
|
||||
that the user was present before making the signature. The FIDO
|
||||
protocol supports multiple methods for user-verification, but
|
||||
currently OpenSSH only supports PIN verification.
|
||||
|
||||
* sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
|
||||
signatures. Webauthn is a standard for using FIDO keys in web
|
||||
browsers. These signatures are a slightly different format to plain
|
||||
FIDO signatures and thus require explicit support.
|
||||
|
||||
* ssh(1): allow some keywords to expand shell-style ${ENV}
|
||||
environment variables. The supported keywords are CertificateFile,
|
||||
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
|
||||
RemoteForward when used for Unix domain socket paths. bz#3140
|
||||
|
||||
* ssh(1), ssh-agent(1): allow some additional control over the use of
|
||||
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
|
||||
including forcibly enabling and disabling its use. bz#69
|
||||
|
||||
* ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
|
||||
limit for keys in addition to its current flag options. Time-
|
||||
limited keys will automatically be removed from ssh-agent after
|
||||
their expiry time has passed.
|
||||
|
||||
* scp(1), sftp(1): allow the -A flag to explicitly enable agent
|
||||
forwarding in scp and sftp. The default remains to not forward an
|
||||
agent, even when ssh_config enables it.
|
||||
|
||||
* ssh(1): add a '%k' TOKEN that expands to the effective HostKey of
|
||||
the destination. This allows, e.g., keeping host keys in individual
|
||||
files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654
|
||||
|
||||
* ssh(1): add %-TOKEN, environment variable and tilde expansion to
|
||||
the UserKnownHostsFile directive, allowing the path to be
|
||||
completed by the configuration (e.g. bz#1654)
|
||||
|
||||
* ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted
|
||||
from stdin. bz#3180
|
||||
|
||||
* sshd(8): improve logging for MaxStartups connection throttling.
|
||||
sshd will now log when it starts and stops throttling and periodically
|
||||
while in this state. bz#3055
|
||||
|
||||
Bugfixes
|
||||
--------
|
||||
* ssh(1), ssh-keygen(1): better support for multiple attached FIDO
|
||||
tokens. In cases where OpenSSH cannot unambiguously determine which
|
||||
token to direct a request to, the user is now required to select a
|
||||
token by touching it. In cases of operations that require a PIN to
|
||||
be verified, this avoids sending the wrong PIN to the wrong token
|
||||
and incrementing the token's PIN failure counter (tokens
|
||||
effectively erase their keys after too many PIN failures).
|
||||
* sshd(8): fix Include before Match in sshd_config; bz#3122
|
||||
* ssh(1): close stdin/out/error when forking after authentication
|
||||
completes ("ssh -f ...") bz#3137
|
||||
* ssh(1), sshd(8): limit the amount of channel input data buffered,
|
||||
avoiding peers that advertise large windows but are slow to read
|
||||
from causing high memory consumption.
|
||||
* ssh-agent(1): handle multiple requests sent in a single write() to
|
||||
the agent.
|
||||
* sshd(8): allow sshd_config longer than 256k
|
||||
* sshd(8): avoid spurious "Unable to load host key" message when sshd
|
||||
load a private key but no public counterpart
|
||||
* ssh(1): prefer the default hostkey algorithm list whenever we have
|
||||
a hostkey that matches its best-preference algorithm.
|
||||
* sshd(1): when ordering the hostkey algorithms to request from a
|
||||
server, prefer certificate types if the known_hosts files contain a key
|
||||
marked as a @cert-authority; bz#3157
|
||||
* ssh(1): perform host key fingerprint comparisons for the "Are you
|
||||
sure you want to continue connecting (yes/no/[fingerprint])?"
|
||||
prompt with case sensitivity.
|
||||
* sshd(8): ensure that address/masklen mismatches in sshd_config
|
||||
yield fatal errors at daemon start time rather than later when
|
||||
they are evaluated.
|
||||
* ssh-keygen(1): ensure that certificate extensions are lexically
|
||||
sorted. Previously if the user specified a custom extension then
|
||||
the everything would be in order except the custom ones. bz#3198
|
||||
* ssh(1): also compare username when checking for JumpHost loops.
|
||||
bz#3057
|
||||
* ssh-keygen(1): preserve group/world read permission on known_hosts
|
||||
files across runs of "ssh-keygen -Rf /path". The old behaviour was
|
||||
to remove all rights for group/other. bz#3146
|
||||
* ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen
|
||||
manual page and usage().
|
||||
* sshd(8): explicitly construct path to ~/.ssh/rc rather than
|
||||
relying on it being relative to the current directory, so that it
|
||||
can still be found if the shell startup changes its directory.
|
||||
bz#3185
|
||||
* sshd(8): when redirecting sshd's log output to a file, undo this
|
||||
redirection after the session child process is forked(). Fixes
|
||||
missing log messages when using this feature under some
|
||||
circumstances.
|
||||
* sshd(8): start ClientAliveInterval bookkeeping before first pass
|
||||
through select() loop; fixed theoretical case where busy sshd may
|
||||
ignore timeouts from client.
|
||||
* ssh(1): only reset the ServerAliveInterval check when we receive
|
||||
traffic from the server and ignore traffic from a port forwarding
|
||||
client, preventing a client from keeping a connection alive when
|
||||
it should be terminated. bz#2265
|
||||
* ssh-keygen(1): avoid spurious error message when ssh-keygen
|
||||
creates files outside ~/.ssh
|
||||
* sftp-client(1): fix off-by-one error that caused sftp downloads to
|
||||
make one more concurrent request that desired. This prevented using
|
||||
sftp(1) in unpipelined request/response mode, which is useful when
|
||||
debugging. bz#3054
|
||||
* ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
|
||||
helpers. bz#3071
|
||||
* ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
|
||||
write to it so we don't leave an empty .ssh directory when it's not
|
||||
needed. bz#3156
|
||||
* ssh(1), sshd(8): fix multiplier when parsing time specifications
|
||||
when handling seconds after other units. bz#3171
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 8 01:37:02 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
|
@ -38,14 +38,14 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 8.3p1
|
||||
Version: 8.4p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
Group: Productivity/Networking/SSH
|
||||
URL: https://www.openssh.com/
|
||||
Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
Source1: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
Source2: sshd.pamd
|
||||
Source3: README.SUSE
|
||||
Source4: README.kerberos
|
||||
@ -108,7 +108,7 @@ Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
|
||||
Patch41: openssh-fips-ensure-approved-moduli.patch
|
||||
Patch42: openssh-link-with-sk.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: groff
|
||||
BuildRequires: libedit-devel
|
||||
BuildRequires: libselinux-devel
|
||||
|
Loading…
Reference in New Issue
Block a user