Accepting request 433779 from home:pcerny:factory

- remaining patches that were still missing
  since the update to 7.2p2 (FATE#319675):
  [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
  (bsc#975865, CVE-2015-8325)
  [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)
  [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
  [openssh-7.2p2-audit_seed_prng.patch]

OBS-URL: https://build.opensuse.org/request/show/433779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113
This commit is contained in:
Petr Cerny 2016-10-07 15:57:29 +00:00 committed by Git OBS Bridge
parent fe873a1c10
commit 6c861e0b33
36 changed files with 605 additions and 46 deletions

View File

@ -0,0 +1,72 @@
# HG changeset patch
# Parent 8c4cb20b9633595de68131224b2d434e8dc41e17
Correctly parse DISPLAY variable for cases where it contains an IPv6 address
(which should - but not always is - in (square) brackets).
bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
--- a/openssh-7.2p2/channels.c
+++ b/openssh-7.2p2/channels.c
@@ -4049,18 +4049,19 @@ x11_connect_display(void)
/* OK, we now have a connection to the display. */
return sock;
}
#endif
/*
* Check if it is a unix domain socket. Unix domain displays are in
* one of the following formats: unix:d[.s], :d[.s], ::d[.s]
*/
+ cp = strrchr(display, ':');
if (strncmp(display, "unix:", 5) == 0 ||
- display[0] == ':') {
+ (display[0] == ':' && ((cp - display) < 2)) ) {
/* Connect to the unix domain socket. */
if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
error("Could not parse display number from DISPLAY: %.100s",
display);
return -1;
}
/* Create a socket. */
sock = connect_local_xsocket(display_number);
@@ -4068,30 +4069,39 @@ x11_connect_display(void)
return -1;
/* OK, we now have a connection to the display. */
return sock;
}
/*
* Connect to an inet socket. The DISPLAY value is supposedly
* hostname:d[.s], where hostname may also be numeric IP address.
+ * Note that IPv6 numberic addresses contain colons (e.g. ::1:0)
*/
strlcpy(buf, display, sizeof(buf));
- cp = strchr(buf, ':');
+ cp = strrchr(buf, ':');
if (!cp) {
error("Could not find ':' in DISPLAY: %.100s", display);
return -1;
}
*cp = 0;
/* buf now contains the host name. But first we parse the display number. */
if (sscanf(cp + 1, "%u", &display_number) != 1) {
error("Could not parse display number from DISPLAY: %.100s",
display);
return -1;
}
+
+ /* Remove brackets surrounding IPv6 addresses if there are any. */
+ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
+ *cp = 0;
+ cp = buf + 1;
+ } else {
+ cp = buf;
+ }
/* Look up the host address */
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM;
snprintf(strport, sizeof strport, "%u", 6000 + display_number);
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf,

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent d11948586a6da11e968278f55b48318b2263802b
# Parent 7197d7a6b7c90566c68e980b5f8b937c183e79d0
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
# configuration
# bnc#50836 (was suse #35836)

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 3d4efb38a918055f977a08aa7d1486a04bee6e11
# Parent 28e8840bbf49c6e603bf2b55a08ed9050a60f9fb
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 27b9bd4a1a53a28b5e9eda0a9c013d98f821149b
# Parent e7bdbc5ea8971599466becf01bff12b9fcb5df3e
Enable the seccomp-bpf sandbox on more architectures
upstream commit: b9c50614eba9d90939b2b119b6e1b7e03b462278 (7.3p1)
@ -7,7 +7,7 @@ Author: Damien Miller <djm@mindrot.org>
Date: Fri Jul 8 13:59:13 2016 +1000
whitelist more architectures for seccomp-bpf
bz#2590 - testing and patch from Jakub Jelen
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent ec31f6a59145c0db748855bd5bc178161591dae9
# Parent d33bce122aa351a56ce457be35feda52171f9088
Enable DSS authentication by default to maintain compatibility with older
versions.

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent aab6d99cb51e48a9046c3d7be8443b83b8ee5127
# Parent c43ae523939377778762e81743b77b3c75eb4bd1
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH

View File

@ -1,7 +1,6 @@
# HG changeset patch
# Parent cca48c52e3c70244e7f52d4fb3f86f920d5c8e0f
Extended auditing through Linux Audit subsystem
bz#1402
# Parent af5c4026e36e7aa181c164d2eca72b7e2a8a897a
Extended auditing through the Linux Auditing subsystem
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
--- a/openssh-7.2p2/Makefile.in

View File

@ -0,0 +1,116 @@
# HG changeset patch
# Parent 3aad88a155050008275527c0624ae6fa05d0cdad
Audit PRNG re-seeding
diff --git a/openssh-7.2p2/audit-bsm.c b/openssh-7.2p2/audit-bsm.c
--- a/openssh-7.2p2/audit-bsm.c
+++ b/openssh-7.2p2/audit-bsm.c
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
/* not implemented */
}
void
audit_generate_ephemeral_server_key(const char *fp)
{
/* not implemented */
}
+
+void
+audit_linux_prng_seed(long bytes, const char *rf)
+{
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-7.2p2/audit-linux.c b/openssh-7.2p2/audit-linux.c
--- a/openssh-7.2p2/audit-linux.c
+++ b/openssh-7.2p2/audit-linux.c
@@ -402,9 +402,31 @@ audit_generate_ephemeral_server_key(cons
}
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
buf, NULL, 0, NULL, 1);
audit_close(audit_fd);
/* do not abort if the error is EPERM and sshd is run as non root user */
if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
error("cannot write into audit");
}
+
+void
+audit_linux_prng_seed(long bytes, const char *rf)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, audit_ok;
+
+ snprintf(buf, sizeof(buf), "op=prng_seed kind=server bytes=%li source=%s ", bytes, rf);
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+ errno != EAFNOSUPPORT)
+ error("cannot open audit");
+ return;
+ }
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_PARAM_CHANGE_USER,
+ buf, NULL, 0, NULL, 1);
+ audit_close(audit_fd);
+ /* do not abort if the error is EPERM and sshd is run as non root user */
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-7.2p2/audit.c b/openssh-7.2p2/audit.c
--- a/openssh-7.2p2/audit.c
+++ b/openssh-7.2p2/audit.c
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
/*
* This will be called on generation of the ephemeral server key
*/
void
audit_generate_ephemeral_server_key(const char *)
{
debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
}
+
+void
+audit_linux_prng_seed(long bytes, const char *rf)
+{
+ debug("audit PRNG seed euid %d bytes %li source %s", geteuid(), bytes, rf);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-7.2p2/audit.h b/openssh-7.2p2/audit.h
--- a/openssh-7.2p2/audit.h
+++ b/openssh-7.2p2/audit.h
@@ -69,10 +69,11 @@ void audit_key(int, int *, const Key *);
void audit_unsupported(int);
void audit_kex(int, char *, char *, char *, char *);
void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
void audit_session_key_free(int ctos);
void audit_session_key_free_body(int ctos, pid_t, uid_t);
void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
void audit_generate_ephemeral_server_key(const char *);
+void audit_linux_prng_seed(long, const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
--- a/openssh-7.2p2/sshd.c
+++ b/openssh-7.2p2/sshd.c
@@ -1421,16 +1421,19 @@ server_accept_loop(int *sock_in, int *so
if (maxfd < startup_p[0])
maxfd = startup_p[0];
startups++;
break;
}
if(!(--re_seeding_counter)) {
re_seeding_counter = RESEED_AFTER;
linux_seed();
+#ifdef SSH_AUDIT_EVENTS
+ audit_linux_prng_seed(rand_bytes, rand_file);
+#endif
}
/*
* Got connection. Fork a child to handle it, unless
* we are in debugging mode.
*/
if (debug_flag) {
/*

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 0c50460ce313d041c2484d21ab810c8ee487cded
# Parent 0bfb5dd4b190b546a3e40a59483b2b2884a47c39
block SIGALRM while logging through syslog to prevent deadlocks
(through grace_alarm_handler())

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 2d4a91c3c6c5b161f21511712889c2906fa158a4
# Parent 16c4937db837ab7cdbe0422b81de0e7a9a8479cd
disable run-time check for OpenSSL ABI by version number as that is not a
reliable indicator of ABI changes and doesn't make much sense in a
distribution package

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 69bdfde8282f9ab67c29e431a74916c045301ff5
# Parent 7b5f436e0026923299fdd1994f8da8fd9948be7c
Raise minimal size of DH group parameters to 2048 bits like upstream did in
7.2. 1024b values are believed to be in breaking range for state adversaries

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 93f67586b27e7f018c5b34e33f8156df772e980d
# Parent e4886597a8984ae1594b6866fe1b232370b23529
# posix threads are generally not supported nor safe
# (see upstream log from 2005-05-24)
# --used to be called '-pam-fix3'

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 8e5876ee9478740b83887db9fc6e3b1605848534
# Parent f19426f2fa9c634474e635bf33b86acea0518f6d
fix paths and references in sshd man pages
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent a51f9cba48652fc5df45b9ac8bd238268c70673c
# Parent 980f301b2920c09b30577dd722546bca85d25fc1
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749
# --used to be called '-pam-fix2'

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 0c3e1f1c3b2ab533f9cb1c82fb75ff247a9c71b1
# Parent 3e1393b771d6430ae09ae30741a3b9b382e3e041
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 9240088fbf80624f62dc79bcf5f3113a1b6dddd8
# Parent 84a6252b7ac18855cf188e5911bdf8a757d4460a
GSSAPI Key Exchange implementation
diff --git a/openssh-7.2p2/ChangeLog.gssapi b/openssh-7.2p2/ChangeLog.gssapi

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent fe2618b7337c0d97483dc98a6b53636c89f3d371
# Parent 605a6220fcc2c96e9196681fe480fab16b505ee1
Suggest command line for removal of offending keys from known_hosts file
diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 7e84e692f90c19e76a4180d54c7fdda2752c6c41
# Parent f7ba2081f120bd1e44dbe68737c898f078725aab
# -- uset do be called '-xauthlocalhostname'
handle hostname changes when forwarding X

View File

@ -0,0 +1,33 @@
# HG changeset patch
# Parent cb9be7363a9f32133f0d105d515149dd77cc8cd3
Do not import PAM environment variables when using login, since it may have
security implications.
CVE-2015-8325
bsc#975865
Backport of upstream commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
--- a/openssh-7.2p2/session.c
+++ b/openssh-7.2p2/session.c
@@ -1351,17 +1351,17 @@ do_setup_env(Session *s, const char *she
child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ccname);
#endif
#ifdef USE_PAM
/*
* Pull in any environment variables that may have
* been set by PAM.
*/
- if (options.use_pam) {
+ if (options.use_pam && !options.use_login) {
char **p;
p = fetch_pam_child_environment();
copy_environment(p, &env, &envsize);
free_pam_environment(p);
p = fetch_pam_environment();
copy_environment(p, &env, &envsize);

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 3007da75cc9c93ead70a4971b9057d230178511c
# Parent 79c00e0f450c33b3f545ef104112b55186290e2c
# set uid for functions that use it to seek in lastlog and wtmp files
# bnc#18024 (was suse #3024)

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent fac59d81a8fba12278aea6a7b8a88b02fe02155a
# Parent b8135c449e59282a8926ff44fcb4670baf8f158e
# Helper app for retrieving keys from a LDAP server
# by Jan F. Chadima <jchadima@redhat.com>
#

View File

@ -0,0 +1,52 @@
# HG changeset patch
# Parent e351203d2784230a3b56b8e3dd6955403ed10ca4
Limit accepted passwords length to prevent DoS by resource consumption
(via crypt() eating CPU cycles).
CVE-2016-6515
bsc#992533
upstream commit: fcd135c9df440bcd2d5870405ad3311743d78d97
diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
--- a/openssh-7.2p2/auth-passwd.c
+++ b/openssh-7.2p2/auth-passwd.c
@@ -61,16 +61,18 @@ extern ServerOptions options;
#ifdef HAVE_LOGIN_CAP
extern login_cap_t *lc;
#endif
#define DAY (24L * 60 * 60) /* 1 day in seconds */
#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
+#define MAX_PASSWORD_LEN 1024
+
void
disable_forwarding(void)
{
no_port_forwarding_flag = 1;
no_agent_forwarding_flag = 1;
no_x11_forwarding_flag = 1;
}
@@ -82,16 +84,19 @@ int
auth_password(Authctxt *authctxt, const char *password)
{
struct passwd * pw = authctxt->pw;
int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
static int expire_checked = 0;
#endif
+ if (strlen(password) > MAX_PASSWORD_LEN)
+ return 0;
+
#ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
ok = 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
#ifdef KRB5

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent a2ec408c99eefdd4c23f01eafddb0ce786514f50
# Parent 295ae9c5f5da12d273f3b91e90145b449984a7dc
# HG changeset patch
# Parent b262fd34c8ecd55e93d457b3ca5593abce716856
# login-pam cannot handle the option terminator "--" as login from util-linux

View File

@ -1,11 +1,11 @@
# HG changeset patch
# Parent 09a93433f5bb8baff0dce629c75f96357e3b1055
# Parent 7ce81a30bb196401c63782b646d8a6d511ddec4b
Do not write a PID file when not daemonizing (e.g. when running from systemd)
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
--- a/openssh-7.2p2/sshd.c
+++ b/openssh-7.2p2/sshd.c
@@ -2104,17 +2104,17 @@ main(int ac, char **av)
@@ -2107,17 +2107,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 2b2855c68e979299aee899a7cb6e4aa57a828668
# Parent ac7f843cd7ebec413691d51823cdc67b611abdff
new option UsePAMCheckLocks to enforce checking for locked accounts while
UsePAM is used

View File

@ -0,0 +1,264 @@
# HG changeset patch
# Parent 323ac0fc20b1d5e9bf7037e020adfd760dd2d5f2
Prevent user enumeration through password processing timing
CVE-2016-6210
bsc#989363
non-PAM part:
upstream commit: 9286875a73b2de7736b5e50692739d314cd8d9dc
PAM part:
upstream commit: 283b97ff33ea2c641161950849931bd578de6946
diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c
--- a/openssh-7.2p2/auth-pam.c
+++ b/openssh-7.2p2/auth-pam.c
@@ -227,17 +227,16 @@ static pam_handle_t *sshpam_handle = NUL
static int sshpam_err = 0;
static int sshpam_authenticated = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
static const char *sshpam_password = NULL;
-static char badpw[] = "\b\n\r\177INCORRECT";
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
static char **
pam_getenvlist(pam_handle_t *pamh)
{
/*
* XXX - If necessary, we can still support envrionment passing
@@ -807,22 +806,45 @@ sshpam_query(void *ctx, char **name, cha
free(msg);
ctxt->pam_done = -1;
return (-1);
}
}
return (-1);
}
+/*
+ * Returns a junk password of identical length to that the user supplied.
+ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
+ * vary processing time in proportion to password length.
+ */
+static char *
+fake_password(const char *wire_password)
+{
+ const char junk[] = "\b\n\r\177INCORRECT";
+ char *ret = NULL;
+ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
+
+ if (l >= INT_MAX)
+ fatal("%s: password length too long: %zu", __func__, l);
+
+ ret = xmalloc(l + 1);
+ for (i = 0; i < l; i++)
+ ret[i] = junk[i % (sizeof(junk) - 1)];
+ ret[i] = '\0';
+ return ret;
+}
+
/* XXX - see also comment in auth-chall.c:verify_response */
static int
sshpam_respond(void *ctx, u_int num, char **resp)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
+ char *fake;
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
case 1:
sshpam_authenticated = 1;
return (0);
case 0:
break;
@@ -833,18 +855,21 @@ sshpam_respond(void *ctx, u_int num, cha
error("PAM: expected one response, got %u", num);
return (-1);
}
buffer_init(&buffer);
if (sshpam_authctxt->valid &&
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
- else
- buffer_put_cstring(&buffer, badpw);
+ else {
+ fake = fake_password(*resp);
+ buffer_put_cstring(&buffer, fake);
+ free(fake);
+ }
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
buffer_free(&buffer);
return (-1);
}
buffer_free(&buffer);
return (1);
}
@@ -1178,41 +1203,43 @@ static struct pam_conv passwd_conv = { s
/*
* Attempt password authentication via PAM
*/
int
sshpam_auth_passwd(Authctxt *authctxt, const char *password)
{
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
+ char *fake = NULL;
if (!options.use_pam || sshpam_handle == NULL)
fatal("PAM: %s called when PAM disabled or failed to "
"initialise.", __func__);
sshpam_password = password;
sshpam_authctxt = authctxt;
/*
* If the user logging in is invalid, or is root but is not permitted
* by PermitRootLogin, use an invalid password to prevent leaking
* information via timing (eg if the PAM config has a delay on fail).
*/
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
options.permit_root_login != PERMIT_YES))
- sshpam_password = badpw;
+ sshpam_password = fake = fake_password(password);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&passwd_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
pam_strerror(sshpam_handle, sshpam_err));
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
+ free(fake);
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);
return 1;
} else {
debug("PAM: password authentication failed for %.100s: %s",
authctxt->valid ? authctxt->user : "an illegal user",
pam_strerror(sshpam_handle, sshpam_err));
diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
--- a/openssh-7.2p2/auth-passwd.c
+++ b/openssh-7.2p2/auth-passwd.c
@@ -188,28 +188,32 @@ sys_auth_passwd(Authctxt *authctxt, cons
return (auth_close(as));
}
}
#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
int
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
struct passwd *pw = authctxt->pw;
- char *encrypted_password;
+ char *encrypted_password, *salt = NULL;
/* Just use the supplied fake password if authctxt is invalid */
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
/* Check for users with no password. */
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
return (1);
- /* Encrypt the candidate password using the proper salt. */
- encrypted_password = xcrypt(password,
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
+ /*
+ * Encrypt the candidate password using the proper salt, or pass a
+ * NULL and let xcrypt pick one.
+ */
+ if (authctxt->valid && pw_password[0] && pw_password[1])
+ salt = pw_password;
+ encrypted_password = xcrypt(password, salt);
/*
* Authentication is accepted if the encrypted passwords
* are identical.
*/
return encrypted_password != NULL &&
strcmp(encrypted_password, pw_password) == 0;
}
diff --git a/openssh-7.2p2/openbsd-compat/xcrypt.c b/openssh-7.2p2/openbsd-compat/xcrypt.c
--- a/openssh-7.2p2/openbsd-compat/xcrypt.c
+++ b/openssh-7.2p2/openbsd-compat/xcrypt.c
@@ -20,16 +20,17 @@
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#include <sys/types.h>
+#include <string.h>
#include <unistd.h>
#include <pwd.h>
# if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE)
# include <crypt.h>
# endif
# ifdef __hpux
@@ -57,21 +58,54 @@
# include "md5crypt.h"
# endif
# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
# include <openssl/des.h>
# define crypt DES_crypt
# endif
+/*
+ * Pick an appropriate password encryption type and salt for the running
+ * system.
+ */
+static const char *
+pick_salt(void)
+{
+ struct passwd *pw;
+ char *passwd, *p;
+ size_t typelen;
+ static char salt[32];
+
+ if (salt[0] != '\0')
+ return salt;
+ strlcpy(salt, "xx", sizeof(salt));
+ if ((pw = getpwuid(0)) == NULL)
+ return salt;
+ passwd = shadow_pw(pw);
+ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+ return salt; /* no $, DES */
+ typelen = p - passwd + 1;
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+ explicit_bzero(passwd, strlen(passwd));
+ return salt;
+}
+
char *
xcrypt(const char *password, const char *salt)
{
char *crypted;
+ /*
+ * If we don't have a salt we are encrypting a fake password for
+ * for timing purposes. Pick an appropriate salt.
+ */
+ if (salt == NULL)
+ salt = pick_salt();
+
# ifdef HAVE_MD5_PASSWORDS
if (is_md5_salt(salt))
crypted = md5_crypt(password, salt);
else
crypted = crypt(password, salt);
# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec())
crypted = bigcrypt(password, salt);

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent c08afc8b92580b589ea02d84cf3d29be257ec103
# Parent 787bc0aab11e5a7b6510c8dbf771958743ca25b0
# use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files)
# --used to be called '-pts'

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent ff8f0a192e120430204441cdcd18ff130f85a61e
# Parent 18c2690afd988b9cb0fd0fa927d02cf5336dce9c
# --used to be called '-xauth'
try to remove xauth cookies on logout

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 80f5b9b81269880fbc12bcbc5830fe2044baf894
# Parent c66097e5e31cd607bf2206b2da95730cce518b7a
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
from being killed by the seccomp filter

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent f8357691112e6b15424f506f7ab6c417f5aa6f9e
# Parent def949a57b8101691c79ecce6366cc7ae1685b07
Allow the stat() syscall for OpenSSL re-seed patch
(which causes OpenSSL use stat() on some file)

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent ea1ef0bb63e77f14c91b2b417f1b8c3383b2835f
# Parent 6ece65e11f754d75dd33d72b6f8e487a9d047f2e
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 5bcf5f230ccaec7b9c9398cc6b4193574559861d
# Parent dfcac093fca4d826a806b9d1c0bdc26e7ae8ee8e
send locales in default configuration
bnc#65747

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 7951ad8c720728b382cfaa32e3d7a549126a1496
# Parent efa850d8312ceef224dbec0f2ae1002201afabd9
additional option for sftp-server to force file mode for new files
FATE#312774
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html

View File

@ -1,5 +1,5 @@
# HG changeset patch
# Parent 2f269fe1cd176bc5ff833819e1b04f1d96f13144
# Parent 9b1033f35a6cb173fbc13416065ed40c4b14e656
run sftp sessions inside a chroot
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c

View File

@ -1,6 +1,8 @@
-------------------------------------------------------------------
Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com
- remaining patches that were still missing
since the update to 7.2p2 (FATE#319675):
- allow X forwarding over IPv4 when IPv6 sockets is not available
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
- do not write PID file when not daemonizing
@ -13,7 +15,7 @@ Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com
- allow forcing permissions over sftp
[openssh-7.2p2-sftp_force_permissions.patch]
- do not perform run-time checks for OpenSSL API/ABI change
[openssh-7.2p2-disable-openssl-abi-check.patch]
[openssh-7.2p2-disable_openssl_abi_check.patch]
- suggest commands for cleaning known hosts file
[openssh-7.2p2-host_ident.patch]
- sftp home chroot patch
@ -22,6 +24,19 @@ Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com
[openssh-7.2p2-audit.patch]
- enable seccomp sandbox on additional architectures
[openssh-7.2p2-additional_seccomp_archs.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
[openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
(bsc#975865, CVE-2015-8325)
[openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
(bsc#992533, CVE-2016-6515)
[openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
processing (bsc#989363, CVE-2016-6210)
[openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
[openssh-7.2p2-audit_seed_prng.patch]
-------------------------------------------------------------------
Fri Sep 16 12:45:11 UTC 2016 - pcerny@suse.com

View File

@ -53,11 +53,9 @@
%endif
%define sandbox_seccomp 0
%ifarch %ix86 x86_64
%if 0%{?suse_version} > 1220
%define sandbox_seccomp 1
%endif
%endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir %{_fwdir}/services
@ -132,15 +130,20 @@ Patch16: openssh-7.2p2-fips.patch
Patch17: openssh-7.2p2-seed-prng.patch
Patch18: openssh-7.2p2-gssapi_key_exchange.patch
Patch19: openssh-7.2p2-audit.patch
Patch20: openssh-7.2p2-login_options.patch
Patch21: openssh-7.2p2-disable-openssl-abi-check.patch
Patch22: openssh-7.2p2-no_fork-no_pid_file.patch
Patch23: openssh-7.2p2-host_ident.patch
Patch24: openssh-7.2p2-sftp_homechroot.patch
Patch25: openssh-7.2p2-sftp_force_permissions.patch
Patch26: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
Patch27: openssh-7.2p2-ldap.patch
Patch28: openssh-7.2p2-additional_seccomp_archs.patch
Patch20: openssh-7.2p2-audit_seed_prng.patch
Patch21: openssh-7.2p2-login_options.patch
Patch22: openssh-7.2p2-disable_openssl_abi_check.patch
Patch23: openssh-7.2p2-no_fork-no_pid_file.patch
Patch24: openssh-7.2p2-host_ident.patch
Patch25: openssh-7.2p2-sftp_homechroot.patch
Patch26: openssh-7.2p2-sftp_force_permissions.patch
Patch27: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
Patch28: openssh-7.2p2-ldap.patch
Patch29: openssh-7.2p2-additional_seccomp_archs.patch
Patch30: openssh-7.2p2-IPv6_X_forwarding.patch
Patch31: openssh-7.2p2-ignore_PAM_with_UseLogin.patch
Patch32: openssh-7.2p2-prevent_timing_user_enumeration.patch
Patch33: openssh-7.2p2-limit_password_length.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Conflicts: nonfreessh
Recommends: audit
@ -221,13 +224,18 @@ FIPS140 CAVS tests related parts of the OpenSSH package
%patch26 -p2
%patch27 -p2
%patch28 -p2
%patch29 -p2
%patch30 -p2
%patch31 -p2
%patch32 -p2
%patch33 -p2
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
%build
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" %{PATCH27} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
$( grep "^+++" %{PATCH28} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
autoreconf -fiv