Accepting request 220466 from home:pcerny:factory
- Update of the underlying OpenSSH to 6.4p1 - Update to 6.4p1 Features since 6.2p2: * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or hostkeys on smartcards. * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config as well as on the client. * sshd(8): standardise logging of information during user authentication. * The presented key/cert and the remote username (if available) is now logged in the authentication success/failure message on the same log line as the local username, remote host/port and protocol in use. Certificates contents and the key fingerprint of the signing CA are logged too. * ssh(1) ability to query what cryptographic algorithms are supported in the binary. * ssh(1): ProxyCommand=- for cases where stdin and stdout already point to the proxy. * ssh(1): allow IdentityFile=none * ssh(1)/sshd(8): -E option to append debugging logs to a specified file instead of stderr or syslog. * sftp(1): support resuming partial downloads with the "reget" command and on the sftp commandline or on the "get" commandline with the "-a" (append) option. * ssh(1): "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives. * sshd(8): support for submethods to be appended to required authentication methods listed via AuthenticationMethods. OBS-URL: https://build.opensuse.org/request/show/220466 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58
This commit is contained in:
parent
6fccab223a
commit
712ccf3395
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
|
||||
size 1182922
|
@ -2,9 +2,9 @@
|
||||
# configuration
|
||||
# bnc#50836 (was suse #35836)
|
||||
|
||||
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
--- a/openssh-6.2p2/ssh_config
|
||||
+++ b/openssh-6.2p2/ssh_config
|
||||
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
|
||||
--- a/openssh-6.4p1/ssh_config
|
||||
+++ b/openssh-6.4p1/ssh_config
|
||||
@@ -12,19 +12,30 @@
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
@ -37,10 +37,10 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
# GSSAPIDelegateCredentials no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
|
||||
--- a/openssh-6.2p2/sshd_config
|
||||
+++ b/openssh-6.2p2/sshd_config
|
||||
@@ -90,17 +90,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
|
||||
--- a/openssh-6.4p1/sshd_config
|
||||
+++ b/openssh-6.4p1/sshd_config
|
||||
@@ -93,17 +93,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
@ -8,10 +8,10 @@
|
||||
#
|
||||
# PRIVSEP(getpwnamallow()) a few lines above already did this.
|
||||
|
||||
diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
|
||||
--- a/openssh-6.2p2/auth2.c
|
||||
+++ b/openssh-6.2p2/auth2.c
|
||||
@@ -239,19 +239,16 @@ input_userauth_request(int type, u_int32
|
||||
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
|
||||
--- a/openssh-6.4p1/auth2.c
|
||||
+++ b/openssh-6.4p1/auth2.c
|
||||
@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32
|
||||
authctxt->pw = PRIVSEP(getpwnamallow(user));
|
||||
authctxt->user = xstrdup(user);
|
||||
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
|
@ -4,9 +4,9 @@
|
||||
# https://bugzilla.mindrot.org/attachment.cgi?id=2011
|
||||
# by jchadima@redhat.com
|
||||
|
||||
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
--- a/openssh-6.2p2/audit-bsm.c
|
||||
+++ b/openssh-6.2p2/audit-bsm.c
|
||||
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
|
||||
--- a/openssh-6.4p1/audit-bsm.c
|
||||
+++ b/openssh-6.4p1/audit-bsm.c
|
||||
@@ -370,20 +370,33 @@ audit_connection_from(const char *host,
|
||||
/* this is used on IPv4-only machines */
|
||||
tid->port = (dev_t)port;
|
||||
@ -42,9 +42,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
--- a/openssh-6.2p2/audit-linux.c
|
||||
+++ b/openssh-6.2p2/audit-linux.c
|
||||
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
|
||||
--- a/openssh-6.4p1/audit-linux.c
|
||||
+++ b/openssh-6.4p1/audit-linux.c
|
||||
@@ -30,97 +30,210 @@
|
||||
#include "includes.h"
|
||||
#if defined(USE_LINUX_AUDIT)
|
||||
@ -276,9 +276,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
}
|
||||
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
--- a/openssh-6.2p2/audit.c
|
||||
+++ b/openssh-6.2p2/audit.c
|
||||
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
|
||||
--- a/openssh-6.4p1/audit.c
|
||||
+++ b/openssh-6.4p1/audit.c
|
||||
@@ -135,16 +135,27 @@ audit_connection_from(const char *host,
|
||||
void
|
||||
audit_event(ssh_audit_event_t event)
|
||||
@ -344,9 +344,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
+
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
--- a/openssh-6.2p2/audit.h
|
||||
+++ b/openssh-6.2p2/audit.h
|
||||
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
|
||||
--- a/openssh-6.4p1/audit.h
|
||||
+++ b/openssh-6.4p1/audit.h
|
||||
@@ -44,14 +44,16 @@ enum ssh_audit_event_type {
|
||||
SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */
|
||||
SSH_CONNECTION_ABANDON, /* closed without completing auth */
|
||||
@ -365,10 +365,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
--- a/openssh-6.2p2/monitor.c
|
||||
+++ b/openssh-6.2p2/monitor.c
|
||||
@@ -180,16 +180,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
||||
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
|
||||
--- a/openssh-6.4p1/monitor.c
|
||||
+++ b/openssh-6.4p1/monitor.c
|
||||
@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
||||
int mm_answer_gss_accept_ctx(int, Buffer *);
|
||||
int mm_answer_gss_userok(int, Buffer *);
|
||||
int mm_answer_gss_checkmic(int, Buffer *);
|
||||
@ -386,7 +386,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
|
||||
|
||||
/* local state for key verify */
|
||||
@@ -267,16 +268,17 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -268,16 +269,17 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
||||
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
|
||||
{MONITOR_REQ_PTY, 0, mm_answer_pty},
|
||||
@ -404,7 +404,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
|
||||
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
|
||||
@@ -309,16 +311,17 @@ struct mon_table mon_dispatch_proto15[]
|
||||
@@ -310,16 +312,17 @@ struct mon_table mon_dispatch_proto15[]
|
||||
|
||||
struct mon_table mon_dispatch_postauth15[] = {
|
||||
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
|
||||
@ -422,7 +422,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
|
||||
/* Specifies if a certain message is allowed at the moment */
|
||||
|
||||
@@ -1427,16 +1430,22 @@ mm_record_login(Session *s, struct passw
|
||||
@@ -1442,16 +1445,22 @@ mm_record_login(Session *s, struct passw
|
||||
static void
|
||||
mm_session_close(Session *s)
|
||||
{
|
||||
@ -445,7 +445,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
{
|
||||
extern struct monitor *pmonitor;
|
||||
Session *s;
|
||||
@@ -1749,21 +1758,54 @@ mm_answer_audit_event(int socket, Buffer
|
||||
@@ -1764,21 +1773,53 @@ mm_answer_audit_event(int socket, Buffer
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -458,7 +458,6 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
cmd = buffer_get_string(m, &len);
|
||||
+
|
||||
/* sanity check command, if so how? */
|
||||
- audit_run_command(cmd);
|
||||
+ s = session_new();
|
||||
@ -493,7 +492,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
+ fatal("%s: invalid handle", __func__);
|
||||
+ mm_session_close(s);
|
||||
+
|
||||
xfree(cmd);
|
||||
free(cmd);
|
||||
return (0);
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
@ -501,9 +500,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
void
|
||||
monitor_apply_keystate(struct monitor *pmonitor)
|
||||
{
|
||||
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
--- a/openssh-6.2p2/monitor.h
|
||||
+++ b/openssh-6.2p2/monitor.h
|
||||
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
|
||||
--- a/openssh-6.4p1/monitor.h
|
||||
+++ b/openssh-6.4p1/monitor.h
|
||||
@@ -64,16 +64,17 @@ enum monitor_reqtype {
|
||||
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
@ -522,10 +521,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
int m_recvfd;
|
||||
int m_sendfd;
|
||||
int m_log_recvfd;
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
--- a/openssh-6.2p2/monitor_wrap.c
|
||||
+++ b/openssh-6.2p2/monitor_wrap.c
|
||||
@@ -1184,27 +1184,48 @@ mm_audit_event(ssh_audit_event_t event)
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
|
||||
--- a/openssh-6.4p1/monitor_wrap.c
|
||||
+++ b/openssh-6.4p1/monitor_wrap.c
|
||||
@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event)
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_int(&m, event);
|
||||
@ -575,9 +574,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
OM_uint32
|
||||
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
|
||||
{
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
--- a/openssh-6.2p2/monitor_wrap.h
|
||||
+++ b/openssh-6.2p2/monitor_wrap.h
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
|
||||
--- a/openssh-6.4p1/monitor_wrap.h
|
||||
+++ b/openssh-6.4p1/monitor_wrap.h
|
||||
@@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt
|
||||
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
|
||||
int mm_sshpam_respond(void *, u_int, char **);
|
||||
@ -598,9 +597,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
void mm_session_pty_cleanup2(struct Session *);
|
||||
|
||||
/* SSHv1 interfaces */
|
||||
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
--- a/openssh-6.2p2/session.c
|
||||
+++ b/openssh-6.2p2/session.c
|
||||
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
|
||||
--- a/openssh-6.4p1/session.c
|
||||
+++ b/openssh-6.4p1/session.c
|
||||
@@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm
|
||||
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
|
||||
#endif
|
||||
@ -658,7 +657,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
|
||||
original_command = NULL;
|
||||
|
||||
@@ -1862,16 +1874,17 @@ session_unused(int id)
|
||||
@@ -1875,16 +1887,17 @@ session_unused(int id)
|
||||
bzero(&sessions[id], sizeof(*sessions));
|
||||
sessions[id].self = id;
|
||||
sessions[id].used = 0;
|
||||
@ -676,7 +675,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
session_new(void)
|
||||
{
|
||||
Session *s, *tmp;
|
||||
@@ -1944,16 +1957,29 @@ session_open(Authctxt *authctxt, int cha
|
||||
@@ -1957,16 +1970,29 @@ session_open(Authctxt *authctxt, int cha
|
||||
if (s->pw == NULL || !authctxt->valid)
|
||||
fatal("no user for session %d", s->self);
|
||||
debug("session_open: session %d: link with channel %d", s->self, chanid);
|
||||
@ -706,7 +705,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
|
||||
debug("session_by_tty: session %d tty %s", i, tty);
|
||||
return s;
|
||||
@@ -2469,16 +2495,40 @@ session_exit_message(Session *s, int sta
|
||||
@@ -2473,16 +2499,40 @@ session_exit_message(Session *s, int sta
|
||||
* interested in data we write.
|
||||
* Note that we must not call 'chan_read_failed', since there could
|
||||
* be some more data waiting in the pipe.
|
||||
@ -721,7 +720,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
+{
|
||||
+ if (s->command != NULL) {
|
||||
+ audit_end_command(s->command_handle, s->command);
|
||||
+ xfree(s->command);
|
||||
+ free(s->command);
|
||||
+ s->command = NULL;
|
||||
+ s->command_handle = -1;
|
||||
+ }
|
||||
@ -732,7 +731,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
+{
|
||||
+ if (s->command != NULL) {
|
||||
+ PRIVSEP(audit_end_command(s->command_handle, s->command));
|
||||
+ xfree(s->command);
|
||||
+ free(s->command);
|
||||
+ s->command = NULL;
|
||||
+ s->command_handle = -1;
|
||||
+ }
|
||||
@ -747,7 +746,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
|
||||
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
|
||||
|
||||
@@ -2509,16 +2559,20 @@ session_close(Session *s)
|
||||
@@ -2513,16 +2563,20 @@ session_close(Session *s)
|
||||
int status;
|
||||
|
||||
waitpid(pid, &status, 0);
|
||||
@ -760,15 +759,15 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
+ if (s->command)
|
||||
+ session_end_command(s);
|
||||
+#endif
|
||||
if (s->term)
|
||||
xfree(s->term);
|
||||
if (s->display)
|
||||
xfree(s->display);
|
||||
if (s->x11_chanids)
|
||||
xfree(s->x11_chanids);
|
||||
if (s->auth_display)
|
||||
xfree(s->auth_display);
|
||||
@@ -2728,16 +2782,25 @@ session_setup_x11fwd(Session *s)
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
free(s->auth_display);
|
||||
free(s->auth_data);
|
||||
free(s->auth_proto);
|
||||
if (s->env != NULL) {
|
||||
for (i = 0; i < s->num_env; i++) {
|
||||
@@ -2726,16 +2780,25 @@ session_setup_x11fwd(Session *s)
|
||||
}
|
||||
|
||||
static void
|
||||
@ -794,7 +793,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
debug("do_cleanup");
|
||||
|
||||
/* no cleanup if we're in the child for login shell */
|
||||
@@ -2776,10 +2839,10 @@ do_cleanup(Authctxt *authctxt)
|
||||
@@ -2774,10 +2837,10 @@ do_cleanup(Authctxt *authctxt)
|
||||
/* remove agent socket */
|
||||
auth_sock_cleanup_proc(authctxt->pw);
|
||||
|
||||
@ -806,9 +805,9 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
- session_destroy_all(session_pty_cleanup2);
|
||||
+ session_destroy_all(do_cleanup_one_session);
|
||||
}
|
||||
diff --git a/openssh-6.2p2/session.h b/openssh-6.2p2/session.h
|
||||
--- a/openssh-6.2p2/session.h
|
||||
+++ b/openssh-6.2p2/session.h
|
||||
diff --git a/openssh-6.4p1/session.h b/openssh-6.4p1/session.h
|
||||
--- a/openssh-6.4p1/session.h
|
||||
+++ b/openssh-6.4p1/session.h
|
||||
@@ -55,29 +55,37 @@ struct Session {
|
||||
int chanid;
|
||||
int *x11_chanids;
|
||||
@ -847,10 +846,10 @@ diff --git a/openssh-6.2p2/session.h b/openssh-6.2p2/session.h
|
||||
const char *value);
|
||||
|
||||
#endif
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
@@ -2404,13 +2404,14 @@ cleanup_exit(int i)
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -2487,13 +2487,14 @@ cleanup_exit(int i)
|
||||
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
|
||||
errno != ESRCH)
|
||||
error("%s: kill(%d): %s", __func__,
|
@ -5,9 +5,9 @@
|
||||
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975)
|
||||
# by jchadima@redhat.com
|
||||
|
||||
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
--- a/openssh-6.2p2/audit-bsm.c
|
||||
+++ b/openssh-6.2p2/audit-bsm.c
|
||||
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
|
||||
--- a/openssh-6.4p1/audit-bsm.c
|
||||
+++ b/openssh-6.4p1/audit-bsm.c
|
||||
@@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li)
|
||||
}
|
||||
|
||||
@ -31,9 +31,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
|
||||
|
||||
if (cannot_audit(0))
|
||||
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
--- a/openssh-6.2p2/audit-linux.c
|
||||
+++ b/openssh-6.2p2/audit-linux.c
|
||||
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
|
||||
--- a/openssh-6.4p1/audit-linux.c
|
||||
+++ b/openssh-6.4p1/audit-linux.c
|
||||
@@ -36,16 +36,18 @@
|
||||
#include "log.h"
|
||||
#include "audit.h"
|
||||
@ -101,9 +101,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
audit_connection_from(const char *host, int port)
|
||||
{
|
||||
/* not implemented */
|
||||
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
--- a/openssh-6.2p2/audit.c
|
||||
+++ b/openssh-6.2p2/audit.c
|
||||
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
|
||||
--- a/openssh-6.4p1/audit.c
|
||||
+++ b/openssh-6.4p1/audit.c
|
||||
@@ -31,16 +31,17 @@
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -144,7 +144,7 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
+ crypto_name = key_ssh_name(key);
|
||||
+ if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
|
||||
+ *rv = 0;
|
||||
+ xfree(fp);
|
||||
+ free(fp);
|
||||
+}
|
||||
+
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
@ -178,9 +178,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
--- a/openssh-6.2p2/audit.h
|
||||
+++ b/openssh-6.2p2/audit.h
|
||||
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
|
||||
--- a/openssh-6.4p1/audit.h
|
||||
+++ b/openssh-6.4p1/audit.h
|
||||
@@ -23,16 +23,17 @@
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
@ -212,9 +212,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
+void audit_key(int, int *, const Key *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
|
||||
--- a/openssh-6.2p2/auth-rsa.c
|
||||
+++ b/openssh-6.2p2/auth-rsa.c
|
||||
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
|
||||
--- a/openssh-6.4p1/auth-rsa.c
|
||||
+++ b/openssh-6.4p1/auth-rsa.c
|
||||
@@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key)
|
||||
return challenge;
|
||||
}
|
||||
@ -259,7 +259,7 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
|
||||
}
|
||||
- /* Correct answer. */
|
||||
- return (1);
|
||||
+ xfree(fp);
|
||||
+ free(fp);
|
||||
+#endif
|
||||
+
|
||||
+ return rv;
|
||||
@ -271,10 +271,10 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
|
||||
* our challenge; returns zero if the client gives a wrong answer.
|
||||
*/
|
||||
|
||||
diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h
|
||||
--- a/openssh-6.2p2/auth.h
|
||||
+++ b/openssh-6.2p2/auth.h
|
||||
@@ -176,31 +176,33 @@ int allowed_user(struct passwd *);
|
||||
diff --git a/openssh-6.4p1/auth.h b/openssh-6.4p1/auth.h
|
||||
--- a/openssh-6.4p1/auth.h
|
||||
+++ b/openssh-6.4p1/auth.h
|
||||
@@ -182,16 +182,17 @@ int allowed_user(struct passwd *);
|
||||
struct passwd * getpwnamallow(const char *user);
|
||||
|
||||
char *get_challenge(Authctxt *);
|
||||
@ -292,13 +292,15 @@ diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h
|
||||
HostStatus
|
||||
check_key_in_hostfiles(struct passwd *, Key *, const char *,
|
||||
const char *, const char *);
|
||||
|
||||
@@ -199,16 +200,17 @@ check_key_in_hostfiles(struct passwd *,
|
||||
/* hostkey handling */
|
||||
Key *get_hostkey_by_index(int);
|
||||
Key *get_hostkey_public_by_index(int);
|
||||
Key *get_hostkey_public_by_type(int);
|
||||
Key *get_hostkey_private_by_type(int);
|
||||
int get_hostkey_index(Key *);
|
||||
int ssh1_session_key(BIGNUM *);
|
||||
void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);
|
||||
+int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
||||
|
||||
/* debug messages during authentication */
|
||||
@ -308,15 +310,15 @@ diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h
|
||||
|
||||
struct passwd *fakepw(void);
|
||||
|
||||
diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
|
||||
--- a/openssh-6.2p2/auth2-hostbased.c
|
||||
+++ b/openssh-6.2p2/auth2-hostbased.c
|
||||
@@ -114,33 +114,45 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_cstring(&b, chost);
|
||||
buffer_put_cstring(&b, cuser);
|
||||
#ifdef DEBUG_PK
|
||||
buffer_dump(&b);
|
||||
diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
|
||||
--- a/openssh-6.4p1/auth2-hostbased.c
|
||||
+++ b/openssh-6.4p1/auth2-hostbased.c
|
||||
@@ -118,33 +118,45 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
#endif
|
||||
|
||||
pubkey_auth_info(authctxt, key,
|
||||
"client user \"%.100s\", client host \"%.100s\"", cuser, chost);
|
||||
|
||||
/* test for allowed key and correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
||||
@ -330,11 +332,11 @@ diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
|
||||
debug2("userauth_hostbased: authenticated %d", authenticated);
|
||||
if (key != NULL)
|
||||
key_free(key);
|
||||
xfree(pkalg);
|
||||
xfree(pkblob);
|
||||
xfree(cuser);
|
||||
xfree(chost);
|
||||
xfree(sig);
|
||||
free(pkalg);
|
||||
free(pkblob);
|
||||
free(cuser);
|
||||
free(chost);
|
||||
free(sig);
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
@ -358,15 +360,15 @@ diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
|
||||
const char *resolvedname, *ipaddr, *lookup, *reason;
|
||||
HostStatus host_status;
|
||||
int len;
|
||||
diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
|
||||
--- a/openssh-6.2p2/auth2-pubkey.c
|
||||
+++ b/openssh-6.2p2/auth2-pubkey.c
|
||||
@@ -141,17 +141,17 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
buffer_put_string(&b, pkblob, blen);
|
||||
diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
|
||||
--- a/openssh-6.4p1/auth2-pubkey.c
|
||||
+++ b/openssh-6.4p1/auth2-pubkey.c
|
||||
@@ -147,17 +147,17 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
#ifdef DEBUG_PK
|
||||
buffer_dump(&b);
|
||||
#endif
|
||||
pubkey_auth_info(authctxt, key, NULL);
|
||||
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
|
||||
@ -375,17 +377,17 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
|
||||
buffer_len(&b))) == 1)
|
||||
authenticated = 1;
|
||||
buffer_free(&b);
|
||||
xfree(sig);
|
||||
free(sig);
|
||||
} else {
|
||||
debug("test whether pkalg/pkblob are acceptable");
|
||||
packet_check_eom();
|
||||
|
||||
@@ -178,16 +178,28 @@ done:
|
||||
@@ -184,16 +184,28 @@ done:
|
||||
debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
|
||||
if (key != NULL)
|
||||
key_free(key);
|
||||
xfree(pkalg);
|
||||
xfree(pkblob);
|
||||
free(pkalg);
|
||||
free(pkblob);
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
@ -401,18 +403,18 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
match_principals_option(const char *principal_list, struct KeyCert *cert)
|
||||
void
|
||||
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
|
||||
{
|
||||
char *result;
|
||||
u_int i;
|
||||
char *fp, *extra;
|
||||
va_list ap;
|
||||
int i;
|
||||
|
||||
/* XXX percent_expand() sequences for authorized_principals? */
|
||||
|
||||
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
--- a/openssh-6.2p2/monitor.c
|
||||
+++ b/openssh-6.2p2/monitor.c
|
||||
@@ -1347,26 +1347,30 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
extra = NULL;
|
||||
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
|
||||
--- a/openssh-6.4p1/monitor.c
|
||||
+++ b/openssh-6.4p1/monitor.c
|
||||
@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
}
|
||||
|
||||
int
|
||||
@ -443,7 +445,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
switch (key_blobtype) {
|
||||
case MM_USERKEY:
|
||||
valid_data = monitor_valid_userblob(data, datalen);
|
||||
@@ -1377,17 +1381,27 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
@@ -1392,17 +1396,27 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
break;
|
||||
default:
|
||||
valid_data = 0;
|
||||
@ -468,14 +470,14 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
__func__, key, (verified == 1) ? "verified" : "unverified");
|
||||
|
||||
key_free(key);
|
||||
xfree(blob);
|
||||
xfree(signature);
|
||||
xfree(data);
|
||||
free(blob);
|
||||
free(signature);
|
||||
free(data);
|
||||
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
--- a/openssh-6.2p2/monitor_wrap.c
|
||||
+++ b/openssh-6.2p2/monitor_wrap.c
|
||||
@@ -426,30 +426,31 @@ mm_key_allowed(enum mm_keytype type, cha
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
|
||||
--- a/openssh-6.4p1/monitor_wrap.c
|
||||
+++ b/openssh-6.4p1/monitor_wrap.c
|
||||
@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha
|
||||
|
||||
/*
|
||||
* This key verify needs to send the key type along, because the
|
||||
@ -503,12 +505,12 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
buffer_put_string(&m, blob, len);
|
||||
buffer_put_string(&m, sig, siglen);
|
||||
buffer_put_string(&m, data, datalen);
|
||||
xfree(blob);
|
||||
free(blob);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
|
||||
|
||||
debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
|
||||
@@ -457,16 +458,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
|
||||
@@ -459,16 +460,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
|
||||
|
||||
verified = buffer_get_int(&m);
|
||||
|
||||
@ -538,9 +540,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
u_int len;
|
||||
Newkeys *newkey = NULL;
|
||||
Enc *enc;
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
--- a/openssh-6.2p2/monitor_wrap.h
|
||||
+++ b/openssh-6.2p2/monitor_wrap.h
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
|
||||
--- a/openssh-6.4p1/monitor_wrap.h
|
||||
+++ b/openssh-6.4p1/monitor_wrap.h
|
||||
@@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int
|
||||
void mm_inform_authserv(char *, char *);
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
@ -5,9 +5,9 @@
|
||||
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976)
|
||||
# by jchadima@redhat.com
|
||||
|
||||
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
--- a/openssh-6.2p2/Makefile.in
|
||||
+++ b/openssh-6.2p2/Makefile.in
|
||||
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
|
||||
--- a/openssh-6.4p1/Makefile.in
|
||||
+++ b/openssh-6.4p1/Makefile.in
|
||||
@@ -68,17 +68,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
@ -27,9 +27,9 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
audit.o audit-bsm.o audit-linux.o platform.o \
|
||||
sshpty.o sshlogin.o servconf.o serverloop.o \
|
||||
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
--- a/openssh-6.2p2/audit-bsm.c
|
||||
+++ b/openssh-6.2p2/audit-bsm.c
|
||||
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
|
||||
--- a/openssh-6.4p1/audit-bsm.c
|
||||
+++ b/openssh-6.4p1/audit-bsm.c
|
||||
@@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event)
|
||||
case SSH_AUTH_FAIL_KBDINT:
|
||||
bsm_audit_bad_login("interactive password entry");
|
||||
@ -52,9 +52,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
--- a/openssh-6.2p2/audit-linux.c
|
||||
+++ b/openssh-6.2p2/audit-linux.c
|
||||
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
|
||||
--- a/openssh-6.4p1/audit-linux.c
|
||||
+++ b/openssh-6.4p1/audit-linux.c
|
||||
@@ -35,16 +35,18 @@
|
||||
|
||||
#include "log.h"
|
||||
@ -95,7 +95,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
+ snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ",
|
||||
+ name[what], get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())),
|
||||
+ get_local_port());
|
||||
+ xfree(s);
|
||||
+ free(s);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0)
|
||||
+ /* no problem, the next instruction will be fatal() */
|
||||
@ -121,7 +121,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
|
||||
+ (intmax_t)pid, (intmax_t)uid,
|
||||
+ get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
|
||||
+ xfree(s);
|
||||
+ free(s);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
@ -140,9 +140,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
--- a/openssh-6.2p2/audit.c
|
||||
+++ b/openssh-6.2p2/audit.c
|
||||
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
|
||||
--- a/openssh-6.4p1/audit.c
|
||||
+++ b/openssh-6.4p1/audit.c
|
||||
@@ -23,24 +23,27 @@
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
@ -177,7 +177,7 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
crypto_name = key_ssh_name(key);
|
||||
if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
|
||||
*rv = 0;
|
||||
xfree(fp);
|
||||
free(fp);
|
||||
}
|
||||
|
||||
+void
|
||||
@ -232,9 +232,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
--- a/openssh-6.2p2/audit.h
|
||||
+++ b/openssh-6.2p2/audit.h
|
||||
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
|
||||
--- a/openssh-6.4p1/audit.h
|
||||
+++ b/openssh-6.4p1/audit.h
|
||||
@@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t);
|
||||
void audit_count_session_open(void);
|
||||
void audit_session_open(struct logininfo *);
|
||||
@ -250,10 +250,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c
|
||||
diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/auditstub.c
|
||||
+++ b/openssh-6.4p1/auditstub.c
|
||||
@@ -0,0 +1,39 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
@ -294,10 +294,10 @@ new file mode 100644
|
||||
+{
|
||||
+}
|
||||
+
|
||||
diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
|
||||
--- a/openssh-6.2p2/cipher.c
|
||||
+++ b/openssh-6.2p2/cipher.c
|
||||
@@ -50,27 +50,17 @@
|
||||
diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
|
||||
--- a/openssh-6.4p1/cipher.c
|
||||
+++ b/openssh-6.4p1/cipher.c
|
||||
@@ -50,29 +50,17 @@
|
||||
|
||||
/* compatibility with old or broken OpenSSL versions */
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -316,7 +316,9 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
|
||||
- u_int discard_len;
|
||||
- u_int cbc_mode;
|
||||
- const EVP_CIPHER *(*evptype)(void);
|
||||
-} ciphers[] = {
|
||||
-};
|
||||
-
|
||||
-static const struct Cipher ciphers[] = {
|
||||
+struct Cipher ciphers[] = {
|
||||
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
|
||||
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
|
||||
@ -326,9 +328,9 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
|
||||
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
|
||||
{ "blowfish-cbc",
|
||||
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
|
||||
diff --git a/openssh-6.2p2/cipher.h b/openssh-6.2p2/cipher.h
|
||||
--- a/openssh-6.2p2/cipher.h
|
||||
+++ b/openssh-6.2p2/cipher.h
|
||||
diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h
|
||||
--- a/openssh-6.4p1/cipher.h
|
||||
+++ b/openssh-6.4p1/cipher.h
|
||||
@@ -56,17 +56,28 @@
|
||||
#define SSH_CIPHER_MAX 31
|
||||
|
||||
@ -355,13 +357,13 @@ diff --git a/openssh-6.2p2/cipher.h b/openssh-6.2p2/cipher.h
|
||||
int plaintext;
|
||||
int encrypt;
|
||||
EVP_CIPHER_CTX evp;
|
||||
Cipher *cipher;
|
||||
const Cipher *cipher;
|
||||
};
|
||||
|
||||
u_int cipher_mask_ssh1(int);
|
||||
diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
--- a/openssh-6.2p2/kex.c
|
||||
+++ b/openssh-6.2p2/kex.c
|
||||
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
|
||||
--- a/openssh-6.4p1/kex.c
|
||||
+++ b/openssh-6.4p1/kex.c
|
||||
@@ -44,16 +44,17 @@
|
||||
#include "key.h"
|
||||
#include "kex.h"
|
||||
@ -380,7 +382,7 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
extern const EVP_MD *evp_ssh_sha256(void);
|
||||
# endif
|
||||
#endif
|
||||
@@ -291,53 +292,65 @@ kex_kexinit_finish(Kex *kex)
|
||||
@@ -336,53 +337,65 @@ kex_kexinit_finish(Kex *kex)
|
||||
fatal("Unsupported key exchange %d", kex->kex_type);
|
||||
}
|
||||
}
|
||||
@ -449,7 +451,7 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
comp->type = COMP_NONE;
|
||||
} else {
|
||||
fatal("unsupported comp %s", name);
|
||||
@@ -455,16 +468,19 @@ kex_choose_conf(Kex *kex)
|
||||
@@ -487,16 +500,19 @@ kex_choose_conf(Kex *kex)
|
||||
if (authlen == 0)
|
||||
choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
|
||||
choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
|
||||
@ -469,11 +471,10 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
newkeys = kex->newkeys[mode];
|
||||
if (need < newkeys->enc.key_len)
|
||||
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
--- a/openssh-6.2p2/monitor.c
|
||||
+++ b/openssh-6.2p2/monitor.c
|
||||
@@ -92,16 +92,17 @@
|
||||
#endif
|
||||
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
|
||||
--- a/openssh-6.4p1/monitor.c
|
||||
+++ b/openssh-6.4p1/monitor.c
|
||||
@@ -93,16 +93,17 @@
|
||||
#include "monitor_wrap.h"
|
||||
#include "monitor_fdpass.h"
|
||||
#include "misc.h"
|
||||
@ -481,6 +482,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
#include "ssh2.h"
|
||||
#include "jpake.h"
|
||||
#include "roaming.h"
|
||||
#include "authfd.h"
|
||||
+#include "audit.h"
|
||||
|
||||
#ifdef GSSAPI
|
||||
@ -490,7 +492,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
/* Imports */
|
||||
extern ServerOptions options;
|
||||
extern u_int utmp_len;
|
||||
@@ -181,16 +182,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
|
||||
@@ -182,16 +183,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
|
||||
int mm_answer_gss_userok(int, Buffer *);
|
||||
int mm_answer_gss_checkmic(int, Buffer *);
|
||||
#endif
|
||||
@ -509,7 +511,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
|
||||
|
||||
/* local state for key verify */
|
||||
@@ -232,16 +235,18 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -233,16 +236,18 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
|
||||
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
|
||||
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
|
||||
@ -528,7 +530,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
#ifdef SKEY
|
||||
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
|
||||
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
|
||||
@@ -269,16 +274,18 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -270,16 +275,18 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
|
||||
{MONITOR_REQ_PTY, 0, mm_answer_pty},
|
||||
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
|
||||
@ -547,7 +549,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
|
||||
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
|
||||
@@ -300,28 +307,32 @@ struct mon_table mon_dispatch_proto15[]
|
||||
@@ -301,28 +308,32 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
|
||||
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
|
||||
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
|
||||
@ -580,7 +582,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
|
||||
/* Specifies if a certain message is allowed at the moment */
|
||||
|
||||
@@ -2391,8 +2402,52 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
@@ -2410,8 +2421,52 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
|
||||
|
||||
@ -623,9 +625,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
+
|
||||
+ audit_kex_body(ctos, cipher, mac, compress, pid, uid);
|
||||
+
|
||||
+ xfree(cipher);
|
||||
+ xfree(mac);
|
||||
+ xfree(compress);
|
||||
+ free(cipher);
|
||||
+ free(mac);
|
||||
+ free(compress);
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
|
||||
@ -633,9 +635,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
+}
|
||||
+
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
--- a/openssh-6.2p2/monitor.h
|
||||
+++ b/openssh-6.2p2/monitor.h
|
||||
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
|
||||
--- a/openssh-6.4p1/monitor.h
|
||||
+++ b/openssh-6.4p1/monitor.h
|
||||
@@ -65,16 +65,18 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
@ -655,10 +657,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
int m_recvfd;
|
||||
int m_sendfd;
|
||||
int m_log_recvfd;
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
--- a/openssh-6.2p2/monitor_wrap.c
|
||||
+++ b/openssh-6.2p2/monitor_wrap.c
|
||||
@@ -1481,8 +1481,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
|
||||
--- a/openssh-6.4p1/monitor_wrap.c
|
||||
+++ b/openssh-6.4p1/monitor_wrap.c
|
||||
@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
||||
|
||||
success = buffer_get_int(&m);
|
||||
buffer_free(&m);
|
||||
@ -705,9 +707,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
--- a/openssh-6.2p2/monitor_wrap.h
|
||||
+++ b/openssh-6.2p2/monitor_wrap.h
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
|
||||
--- a/openssh-6.4p1/monitor_wrap.h
|
||||
+++ b/openssh-6.4p1/monitor_wrap.h
|
||||
@@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha
|
||||
void mm_sshpam_free_ctx(void *);
|
||||
#endif
|
||||
@ -727,10 +729,10 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
void mm_session_pty_cleanup2(struct Session *);
|
||||
|
||||
/* SSHv1 interfaces */
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
@@ -113,16 +113,17 @@
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -114,16 +114,17 @@
|
||||
#include "session.h"
|
||||
#include "monitor_mm.h"
|
||||
#include "monitor.h"
|
||||
@ -748,7 +750,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
#include <syslog.h>
|
||||
int allow_severity;
|
||||
int deny_severity;
|
||||
@@ -2236,16 +2237,20 @@ do_ssh1_kex(void)
|
||||
@@ -2297,16 +2298,20 @@ do_ssh1_kex(void)
|
||||
packet_disconnect("Warning: client selects unsupported cipher.");
|
||||
|
||||
/* Get check bytes from the packet. These must match those we
|
@ -4,9 +4,9 @@
|
||||
# https://bugzilla.mindrot.org/attachment.cgi?id=2014
|
||||
# by jchadima@redhat.com
|
||||
|
||||
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
--- a/openssh-6.2p2/audit-bsm.c
|
||||
+++ b/openssh-6.2p2/audit-bsm.c
|
||||
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
|
||||
--- a/openssh-6.4p1/audit-bsm.c
|
||||
+++ b/openssh-6.4p1/audit-bsm.c
|
||||
@@ -480,9 +480,15 @@ audit_unsupported_body(int what)
|
||||
/* not implemented */
|
||||
}
|
||||
@ -23,9 +23,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
--- a/openssh-6.2p2/audit-linux.c
|
||||
+++ b/openssh-6.2p2/audit-linux.c
|
||||
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
|
||||
--- a/openssh-6.4p1/audit-linux.c
|
||||
+++ b/openssh-6.4p1/audit-linux.c
|
||||
@@ -289,24 +289,25 @@ audit_unsupported_body(int what)
|
||||
/* no problem, the next instruction will be fatal() */
|
||||
return;
|
||||
@ -52,7 +52,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
|
||||
(intmax_t)pid, (intmax_t)uid,
|
||||
get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
|
||||
xfree(s);
|
||||
free(s);
|
||||
@@ -322,9 +323,37 @@ audit_kex_body(int ctos, char *enc, char
|
||||
buf, NULL, get_remote_ipaddr(), NULL, 1);
|
||||
audit_close(audit_fd);
|
||||
@ -74,7 +74,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
+ get_remote_port(),
|
||||
+ (s = get_local_ipaddr(packet_get_connection_in())),
|
||||
+ get_local_port());
|
||||
+ xfree(s);
|
||||
+ free(s);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
@ -91,9 +91,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
--- a/openssh-6.2p2/audit.c
|
||||
+++ b/openssh-6.2p2/audit.c
|
||||
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
|
||||
--- a/openssh-6.4p1/audit.c
|
||||
+++ b/openssh-6.4p1/audit.c
|
||||
@@ -138,16 +138,22 @@ audit_unsupported(int what)
|
||||
}
|
||||
|
||||
@ -138,9 +138,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
--- a/openssh-6.2p2/audit.h
|
||||
+++ b/openssh-6.2p2/audit.h
|
||||
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
|
||||
--- a/openssh-6.4p1/audit.h
|
||||
+++ b/openssh-6.4p1/audit.h
|
||||
@@ -57,10 +57,12 @@ int audit_run_command(const char *);
|
||||
void audit_end_command(int, const char *);
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
@ -154,9 +154,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c
|
||||
--- a/openssh-6.2p2/auditstub.c
|
||||
+++ b/openssh-6.2p2/auditstub.c
|
||||
diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c
|
||||
--- a/openssh-6.4p1/auditstub.c
|
||||
+++ b/openssh-6.4p1/auditstub.c
|
||||
@@ -22,18 +22,29 @@
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
@ -187,10 +187,10 @@ diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c
|
||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+}
|
||||
diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
--- a/openssh-6.2p2/kex.c
|
||||
+++ b/openssh-6.2p2/kex.c
|
||||
@@ -635,8 +635,39 @@ dump_digest(char *msg, u_char *digest, i
|
||||
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
|
||||
--- a/openssh-6.4p1/kex.c
|
||||
+++ b/openssh-6.4p1/kex.c
|
||||
@@ -667,8 +667,39 @@ dump_digest(char *msg, u_char *digest, i
|
||||
if (i%32 == 31)
|
||||
fprintf(stderr, "\n");
|
||||
else if (i%8 == 7)
|
||||
@ -208,12 +208,12 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
+
|
||||
+ if (enc->key) {
|
||||
+ memset(enc->key, 0, enc->key_len);
|
||||
+ xfree(enc->key);
|
||||
+ free(enc->key);
|
||||
+ }
|
||||
+
|
||||
+ if (enc->iv) {
|
||||
+ memset(enc->iv, 0, enc->block_size);
|
||||
+ xfree(enc->iv);
|
||||
+ free(enc->iv);
|
||||
+ }
|
||||
+
|
||||
+ memset(enc, 0, sizeof(*enc));
|
||||
@ -230,10 +230,10 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||
+}
|
||||
+
|
||||
diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h
|
||||
--- a/openssh-6.2p2/kex.h
|
||||
+++ b/openssh-6.2p2/kex.h
|
||||
@@ -153,16 +153,18 @@ Newkeys *kex_get_newkeys(int);
|
||||
diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
|
||||
--- a/openssh-6.4p1/kex.h
|
||||
+++ b/openssh-6.4p1/kex.h
|
||||
@@ -157,16 +157,18 @@ Newkeys *kex_get_newkeys(int);
|
||||
|
||||
void kexdh_client(Kex *);
|
||||
void kexdh_server(Kex *);
|
||||
@ -252,10 +252,10 @@ diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h
|
||||
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
|
||||
BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
|
||||
--- a/openssh-6.2p2/mac.c
|
||||
+++ b/openssh-6.2p2/mac.c
|
||||
@@ -194,16 +194,30 @@ mac_clear(Mac *mac)
|
||||
diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
|
||||
--- a/openssh-6.4p1/mac.c
|
||||
+++ b/openssh-6.4p1/mac.c
|
||||
@@ -219,16 +219,30 @@ mac_clear(Mac *mac)
|
||||
if (mac->umac_ctx != NULL)
|
||||
umac128_delete(mac->umac_ctx);
|
||||
} else if (mac->evp_md != NULL)
|
||||
@ -272,7 +272,7 @@ diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
|
||||
+
|
||||
+ if (mac->key) {
|
||||
+ memset(mac->key, 0, mac->key_len);
|
||||
+ xfree(mac->key);
|
||||
+ free(mac->key);
|
||||
+ }
|
||||
+
|
||||
+ memset(mac, 0, sizeof(*mac));
|
||||
@ -286,23 +286,23 @@ diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
|
||||
char *maclist, *cp, *p;
|
||||
|
||||
if (names == NULL || strcmp(names, "") == 0)
|
||||
diff --git a/openssh-6.2p2/mac.h b/openssh-6.2p2/mac.h
|
||||
--- a/openssh-6.2p2/mac.h
|
||||
+++ b/openssh-6.2p2/mac.h
|
||||
@@ -23,8 +23,9 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
diff --git a/openssh-6.4p1/mac.h b/openssh-6.4p1/mac.h
|
||||
--- a/openssh-6.4p1/mac.h
|
||||
+++ b/openssh-6.4p1/mac.h
|
||||
@@ -24,8 +24,9 @@
|
||||
*/
|
||||
|
||||
int mac_valid(const char *);
|
||||
char *mac_alg_list(void);
|
||||
int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
--- a/openssh-6.2p2/monitor.c
|
||||
+++ b/openssh-6.2p2/monitor.c
|
||||
@@ -184,16 +184,17 @@ int mm_answer_gss_checkmic(int, Buffer *
|
||||
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
|
||||
--- a/openssh-6.4p1/monitor.c
|
||||
+++ b/openssh-6.4p1/monitor.c
|
||||
@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer *
|
||||
#endif
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -320,7 +320,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
|
||||
|
||||
/* local state for key verify */
|
||||
@@ -237,16 +238,17 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -238,16 +239,17 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
|
||||
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
|
||||
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
|
||||
@ -338,7 +338,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
#ifdef SKEY
|
||||
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
|
||||
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
|
||||
@@ -276,16 +278,17 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -277,16 +279,17 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
|
||||
{MONITOR_REQ_TERM, 0, mm_answer_term},
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -356,7 +356,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
|
||||
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
|
||||
@@ -309,30 +312,32 @@ struct mon_table mon_dispatch_proto15[]
|
||||
@@ -310,30 +313,32 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
|
||||
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
|
||||
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
|
||||
@ -389,7 +389,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
|
||||
/* Specifies if a certain message is allowed at the moment */
|
||||
|
||||
@@ -1951,21 +1956,23 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
@@ -1970,21 +1975,23 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
goto skip;
|
||||
} else {
|
||||
/* Get the Kex for rekeying */
|
||||
@ -399,13 +399,13 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
blob = buffer_get_string(&m, &bloblen);
|
||||
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
||||
+ memset(blob, 0, bloblen);
|
||||
xfree(blob);
|
||||
free(blob);
|
||||
|
||||
debug3("%s: Waiting for second key", __func__);
|
||||
blob = buffer_get_string(&m, &bloblen);
|
||||
current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
|
||||
+ memset(blob, 0, bloblen);
|
||||
xfree(blob);
|
||||
free(blob);
|
||||
|
||||
/* Now get sequence numbers for the packets */
|
||||
seqnr = buffer_get_int(&m);
|
||||
@ -413,7 +413,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
packets = buffer_get_int(&m);
|
||||
bytes = buffer_get_int64(&m);
|
||||
packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes);
|
||||
@@ -2001,16 +2008,31 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
@@ -2020,16 +2027,31 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
|
||||
/* Roaming */
|
||||
if (compat20) {
|
||||
@ -445,9 +445,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
|
||||
{
|
||||
size_t len = (size_t) size * ncount;
|
||||
@@ -2445,9 +2467,27 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
xfree(mac);
|
||||
xfree(compress);
|
||||
@@ -2464,9 +2486,27 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
free(mac);
|
||||
free(compress);
|
||||
buffer_clear(m);
|
||||
|
||||
mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
|
||||
@ -473,9 +473,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
+ return 0;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
--- a/openssh-6.2p2/monitor.h
|
||||
+++ b/openssh-6.2p2/monitor.h
|
||||
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
|
||||
--- a/openssh-6.4p1/monitor.h
|
||||
+++ b/openssh-6.4p1/monitor.h
|
||||
@@ -67,16 +67,17 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
||||
@ -494,10 +494,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
int m_recvfd;
|
||||
int m_sendfd;
|
||||
int m_log_recvfd;
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
--- a/openssh-6.2p2/monitor_wrap.c
|
||||
+++ b/openssh-6.2p2/monitor_wrap.c
|
||||
@@ -649,22 +649,24 @@ mm_send_keystate(struct monitor *monitor
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
|
||||
--- a/openssh-6.4p1/monitor_wrap.c
|
||||
+++ b/openssh-6.4p1/monitor_wrap.c
|
||||
@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor
|
||||
__func__, packet_get_newkeys(MODE_OUT),
|
||||
packet_get_newkeys(MODE_IN));
|
||||
|
||||
@ -507,14 +507,14 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
|
||||
buffer_put_string(&m, blob, bloblen);
|
||||
+ memset(blob, 0, bloblen);
|
||||
xfree(blob);
|
||||
free(blob);
|
||||
|
||||
if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
|
||||
fatal("%s: conversion of newkeys failed", __func__);
|
||||
|
||||
buffer_put_string(&m, blob, bloblen);
|
||||
+ memset(blob, 0, bloblen);
|
||||
xfree(blob);
|
||||
free(blob);
|
||||
|
||||
packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
|
||||
buffer_put_int(&m, seqnr);
|
||||
@ -522,7 +522,7 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
buffer_put_int(&m, packets);
|
||||
buffer_put_int64(&m, bytes);
|
||||
packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes);
|
||||
@@ -1518,9 +1520,24 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||
@@ -1520,9 +1522,24 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||
buffer_put_int64(&m, uid);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
|
||||
@ -547,9 +547,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
--- a/openssh-6.2p2/monitor_wrap.h
|
||||
+++ b/openssh-6.2p2/monitor_wrap.h
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
|
||||
--- a/openssh-6.4p1/monitor_wrap.h
|
||||
+++ b/openssh-6.4p1/monitor_wrap.h
|
||||
@@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *);
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -568,16 +568,16 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
void mm_session_pty_cleanup2(struct Session *);
|
||||
|
||||
/* SSHv1 interfaces */
|
||||
diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
|
||||
--- a/openssh-6.2p2/packet.c
|
||||
+++ b/openssh-6.2p2/packet.c
|
||||
@@ -55,16 +55,17 @@
|
||||
#include <stdarg.h>
|
||||
diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
|
||||
--- a/openssh-6.4p1/packet.c
|
||||
+++ b/openssh-6.4p1/packet.c
|
||||
@@ -56,16 +56,17 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <signal.h>
|
||||
#include <time.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
+#include "audit.h"
|
||||
@ -589,7 +589,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
|
||||
#include "channels.h"
|
||||
#include "compat.h"
|
||||
#include "ssh1.h"
|
||||
@@ -463,41 +464,51 @@ packet_get_connection_in(void)
|
||||
@@ -469,41 +470,51 @@ packet_get_connection_in(void)
|
||||
/* Returns the descriptor used for writing. */
|
||||
|
||||
int
|
||||
@ -650,7 +650,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
|
||||
packet_set_protocol_flags(u_int protocol_flags)
|
||||
{
|
||||
active_state->remote_protocol_flags = protocol_flags;
|
||||
@@ -722,16 +733,35 @@ packet_send1(void)
|
||||
@@ -728,16 +739,35 @@ packet_send1(void)
|
||||
|
||||
/*
|
||||
* Note that the packet is now only buffered in output. It won't be
|
||||
@ -665,17 +665,17 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
|
||||
+ if (newkeys == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ xfree(newkeys->enc.name);
|
||||
+ free(newkeys->enc.name);
|
||||
+
|
||||
+ mac_clear(&newkeys->mac);
|
||||
+ /* MAC may happen to be empty - if the GCM mode of AES is used */
|
||||
+ if (newkeys->mac.name)
|
||||
+ xfree(newkeys->mac.name);
|
||||
+ free(newkeys->mac.name);
|
||||
+
|
||||
+ xfree(newkeys->comp.name);
|
||||
+ free(newkeys->comp.name);
|
||||
+
|
||||
+ newkeys_destroy(newkeys);
|
||||
+ xfree(newkeys);
|
||||
+ free(newkeys);
|
||||
+}
|
||||
+
|
||||
void
|
||||
@ -686,7 +686,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
|
||||
Comp *comp;
|
||||
CipherContext *cc;
|
||||
u_int64_t *max_blocks;
|
||||
@@ -747,31 +777,19 @@ set_newkeys(int mode)
|
||||
@@ -753,31 +783,19 @@ set_newkeys(int mode)
|
||||
} else {
|
||||
cc = &active_state->receive_context;
|
||||
crypt_type = CIPHER_DECRYPT;
|
||||
@ -704,13 +704,13 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
|
||||
- memset(enc->iv, 0, enc->iv_len);
|
||||
- memset(enc->key, 0, enc->key_len);
|
||||
- memset(mac->key, 0, mac->key_len);
|
||||
- xfree(enc->name);
|
||||
- xfree(enc->iv);
|
||||
- xfree(enc->key);
|
||||
- xfree(mac->name);
|
||||
- xfree(mac->key);
|
||||
- xfree(comp->name);
|
||||
- xfree(active_state->newkeys[mode]);
|
||||
- free(enc->name);
|
||||
- free(enc->iv);
|
||||
- free(enc->key);
|
||||
- free(mac->name);
|
||||
- free(mac->key);
|
||||
- free(comp->name);
|
||||
- free(active_state->newkeys[mode]);
|
||||
+ newkeys_destroy_and_free(active_state->newkeys[mode]);
|
||||
}
|
||||
active_state->newkeys[mode] = kex_get_newkeys(mode);
|
||||
@ -720,7 +720,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
|
||||
mac = &active_state->newkeys[mode]->mac;
|
||||
comp = &active_state->newkeys[mode]->comp;
|
||||
if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
|
||||
@@ -1967,54 +1985,93 @@ packet_get_output(void)
|
||||
@@ -1995,54 +2013,93 @@ packet_get_output(void)
|
||||
}
|
||||
|
||||
void *
|
||||
@ -819,15 +819,15 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
|
||||
+ backup_state->connection_in = -1;
|
||||
+ backup_state->connection_out = -1;
|
||||
+ packet_destroy_state(backup_state);
|
||||
+ xfree(backup_state);
|
||||
+ free(backup_state);
|
||||
+ backup_state = NULL;
|
||||
}
|
||||
+
|
||||
diff --git a/openssh-6.2p2/packet.h b/openssh-6.2p2/packet.h
|
||||
--- a/openssh-6.2p2/packet.h
|
||||
+++ b/openssh-6.2p2/packet.h
|
||||
@@ -118,9 +118,10 @@ int packet_need_rekeying(void);
|
||||
void packet_set_rekey_limit(u_int32_t);
|
||||
diff --git a/openssh-6.4p1/packet.h b/openssh-6.4p1/packet.h
|
||||
--- a/openssh-6.4p1/packet.h
|
||||
+++ b/openssh-6.4p1/packet.h
|
||||
@@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t,
|
||||
time_t packet_get_rekey_timeout(void);
|
||||
|
||||
void packet_backup_state(void);
|
||||
void packet_restore_state(void);
|
||||
@ -837,10 +837,10 @@ diff --git a/openssh-6.2p2/packet.h b/openssh-6.2p2/packet.h
|
||||
|
||||
+void packet_destroy_all(int, int);
|
||||
#endif /* PACKET_H */
|
||||
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
--- a/openssh-6.2p2/session.c
|
||||
+++ b/openssh-6.2p2/session.c
|
||||
@@ -1648,16 +1648,19 @@ do_child(Session *s, const char *command
|
||||
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
|
||||
--- a/openssh-6.4p1/session.c
|
||||
+++ b/openssh-6.4p1/session.c
|
||||
@@ -1661,16 +1661,19 @@ do_child(Session *s, const char *command
|
||||
int env_size;
|
||||
char *argv[ARGV_MAX];
|
||||
const char *shell, *shell0, *hostname = NULL;
|
||||
@ -860,10 +860,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
do_pwchange(s);
|
||||
exit(1);
|
||||
}
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
@@ -695,16 +695,18 @@ privsep_preauth(Authctxt *authctxt)
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -703,16 +703,18 @@ privsep_preauth(Authctxt *authctxt)
|
||||
setproctitle("%s", "[net]");
|
||||
if (box != NULL)
|
||||
ssh_sandbox_child(box);
|
||||
@ -882,7 +882,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
#else
|
||||
@@ -719,16 +721,20 @@ privsep_postauth(Authctxt *authctxt)
|
||||
@@ -727,16 +729,20 @@ privsep_postauth(Authctxt *authctxt)
|
||||
monitor_reinit(pmonitor);
|
||||
|
||||
pmonitor->m_pid = fork();
|
||||
@ -903,7 +903,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
|
||||
/* child */
|
||||
|
||||
@@ -2028,16 +2034,17 @@ main(int ac, char **av)
|
||||
@@ -2089,16 +2095,17 @@ main(int ac, char **av)
|
||||
do_authentication(authctxt);
|
||||
}
|
||||
/*
|
||||
@ -921,7 +921,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
* Cancel the alarm we set to limit the time taken for
|
||||
* authentication.
|
||||
*/
|
||||
@@ -2080,16 +2087,18 @@ main(int ac, char **av)
|
||||
@@ -2141,16 +2148,18 @@ main(int ac, char **av)
|
||||
|
||||
packet_set_timeout(options.client_alive_interval,
|
||||
options.client_alive_count_max);
|
||||
@ -940,7 +940,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -2397,26 +2406,38 @@ do_ssh2_kex(void)
|
||||
@@ -2480,26 +2489,38 @@ do_ssh2_kex(void)
|
||||
#endif
|
||||
debug("KEX done");
|
||||
}
|
@ -4,9 +4,9 @@
|
||||
# https://bugzilla.mindrot.org/attachment.cgi?id=2015
|
||||
# by jchadima@redhat.com
|
||||
|
||||
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
--- a/openssh-6.2p2/audit-bsm.c
|
||||
+++ b/openssh-6.2p2/audit-bsm.c
|
||||
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
|
||||
--- a/openssh-6.4p1/audit-bsm.c
|
||||
+++ b/openssh-6.4p1/audit-bsm.c
|
||||
@@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char
|
||||
/* not implemented */
|
||||
}
|
||||
@ -35,9 +35,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
--- a/openssh-6.2p2/audit-linux.c
|
||||
+++ b/openssh-6.2p2/audit-linux.c
|
||||
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
|
||||
--- a/openssh-6.4p1/audit-linux.c
|
||||
+++ b/openssh-6.4p1/audit-linux.c
|
||||
@@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi
|
||||
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
||||
buf, NULL, get_remote_ipaddr(), NULL, 1);
|
||||
@ -94,9 +94,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
--- a/openssh-6.2p2/audit.c
|
||||
+++ b/openssh-6.2p2/audit.c
|
||||
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
|
||||
--- a/openssh-6.4p1/audit.c
|
||||
+++ b/openssh-6.4p1/audit.c
|
||||
@@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char
|
||||
* This will be called on succesfull session key discard
|
||||
*/
|
||||
@ -127,9 +127,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
--- a/openssh-6.2p2/audit.h
|
||||
+++ b/openssh-6.2p2/audit.h
|
||||
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
|
||||
--- a/openssh-6.4p1/audit.h
|
||||
+++ b/openssh-6.4p1/audit.h
|
||||
@@ -43,26 +43,30 @@ enum ssh_audit_event_type {
|
||||
SSH_INVALID_USER,
|
||||
SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */
|
||||
@ -161,10 +161,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
+void audit_generate_ephemeral_server_key(const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
--- a/openssh-6.2p2/key.c
|
||||
+++ b/openssh-6.2p2/key.c
|
||||
@@ -1841,16 +1841,40 @@ key_demote(const Key *k)
|
||||
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
|
||||
--- a/openssh-6.4p1/key.c
|
||||
+++ b/openssh-6.4p1/key.c
|
||||
@@ -1805,16 +1805,40 @@ key_demote(const Key *k)
|
||||
fatal("key_free: bad key type %d", k->type);
|
||||
break;
|
||||
}
|
||||
@ -205,9 +205,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
case KEY_RSA_CERT_V00:
|
||||
case KEY_DSA_CERT_V00:
|
||||
case KEY_RSA_CERT:
|
||||
diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
|
||||
--- a/openssh-6.2p2/key.h
|
||||
+++ b/openssh-6.2p2/key.h
|
||||
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
|
||||
--- a/openssh-6.4p1/key.h
|
||||
+++ b/openssh-6.4p1/key.h
|
||||
@@ -106,16 +106,17 @@ int key_read(Key *, char **);
|
||||
u_int key_size(const Key *);
|
||||
enum fp_type key_fp_type_select(void);
|
||||
@ -226,10 +226,10 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
|
||||
int key_cert_check_authority(const Key *, int, int, const char *,
|
||||
const char **);
|
||||
int key_cert_is_legacy(const Key *);
|
||||
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
--- a/openssh-6.2p2/monitor.c
|
||||
+++ b/openssh-6.2p2/monitor.c
|
||||
@@ -109,16 +109,18 @@ extern u_int utmp_len;
|
||||
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
|
||||
--- a/openssh-6.4p1/monitor.c
|
||||
+++ b/openssh-6.4p1/monitor.c
|
||||
@@ -110,16 +110,18 @@ extern u_int utmp_len;
|
||||
extern Newkeys *current_keys[];
|
||||
extern z_stream incoming_stream;
|
||||
extern z_stream outgoing_stream;
|
||||
@ -248,7 +248,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
u_char *keyin;
|
||||
u_int keyinlen;
|
||||
u_char *keyout;
|
||||
@@ -185,16 +187,17 @@ int mm_answer_gss_checkmic(int, Buffer *
|
||||
@@ -186,16 +188,17 @@ int mm_answer_gss_checkmic(int, Buffer *
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(int, Buffer *);
|
||||
@ -266,7 +266,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
|
||||
|
||||
/* local state for key verify */
|
||||
@@ -239,16 +242,17 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -240,16 +243,17 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
|
||||
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
|
||||
#endif
|
||||
@ -284,7 +284,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
#ifdef SKEY
|
||||
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
|
||||
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
|
||||
@@ -279,16 +283,17 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -280,16 +284,17 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_TERM, 0, mm_answer_term},
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
@ -302,7 +302,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
|
||||
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
|
||||
@@ -313,31 +318,33 @@ struct mon_table mon_dispatch_proto15[]
|
||||
@@ -314,31 +319,33 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
|
||||
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
|
||||
#endif
|
||||
@ -336,7 +336,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
|
||||
/* Specifies if a certain message is allowed at the moment */
|
||||
|
||||
@@ -1746,16 +1753,18 @@ mm_answer_term(int sock, Buffer *req)
|
||||
@@ -1761,16 +1768,18 @@ mm_answer_term(int sock, Buffer *req)
|
||||
/* The child is terminating */
|
||||
session_destroy_all(&mm_session_close);
|
||||
|
||||
@ -355,7 +355,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
|
||||
/* Terminate process */
|
||||
exit(res);
|
||||
@@ -2485,9 +2494,30 @@ mm_answer_audit_session_key_free_body(in
|
||||
@@ -2504,9 +2513,30 @@ mm_answer_audit_session_key_free_body(in
|
||||
|
||||
audit_session_key_free_body(ctos, pid, uid);
|
||||
|
||||
@ -379,16 +379,16 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
+
|
||||
+ audit_destroy_sensitive_data(fp, pid, uid);
|
||||
+
|
||||
+ xfree(fp);
|
||||
+ free(fp);
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
|
||||
+ return 0;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
--- a/openssh-6.2p2/monitor.h
|
||||
+++ b/openssh-6.2p2/monitor.h
|
||||
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
|
||||
--- a/openssh-6.4p1/monitor.h
|
||||
+++ b/openssh-6.4p1/monitor.h
|
||||
@@ -68,16 +68,17 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
||||
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
||||
@ -407,10 +407,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
int m_recvfd;
|
||||
int m_sendfd;
|
||||
int m_log_recvfd;
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
--- a/openssh-6.2p2/monitor_wrap.c
|
||||
+++ b/openssh-6.2p2/monitor_wrap.c
|
||||
@@ -1535,9 +1535,25 @@ mm_audit_session_key_free_body(int ctos,
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
|
||||
--- a/openssh-6.4p1/monitor_wrap.c
|
||||
+++ b/openssh-6.4p1/monitor_wrap.c
|
||||
@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos,
|
||||
buffer_put_int(&m, ctos);
|
||||
buffer_put_int64(&m, pid);
|
||||
buffer_put_int64(&m, uid);
|
||||
@ -436,9 +436,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
--- a/openssh-6.2p2/monitor_wrap.h
|
||||
+++ b/openssh-6.2p2/monitor_wrap.h
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
|
||||
--- a/openssh-6.4p1/monitor_wrap.h
|
||||
+++ b/openssh-6.4p1/monitor_wrap.h
|
||||
@@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
#include "audit.h"
|
||||
@ -457,10 +457,10 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
void mm_session_pty_cleanup2(struct Session *);
|
||||
|
||||
/* SSHv1 interfaces */
|
||||
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
--- a/openssh-6.2p2/session.c
|
||||
+++ b/openssh-6.2p2/session.c
|
||||
@@ -131,17 +131,17 @@ static int session_pty_req(Session *);
|
||||
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
|
||||
--- a/openssh-6.4p1/session.c
|
||||
+++ b/openssh-6.4p1/session.c
|
||||
@@ -132,17 +132,17 @@ static int session_pty_req(Session *);
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
@ -479,7 +479,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
/* data */
|
||||
static int sessions_first_unused = -1;
|
||||
static int sessions_nalloc = 0;
|
||||
@@ -1647,17 +1647,17 @@ do_child(Session *s, const char *command
|
||||
@@ -1660,17 +1660,17 @@ do_child(Session *s, const char *command
|
||||
char **env;
|
||||
int env_size;
|
||||
char *argv[ARGV_MAX];
|
||||
@ -498,10 +498,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
if (s->authctxt->force_pwchange) {
|
||||
do_setusercontext(pw);
|
||||
child_close_fds();
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
@@ -250,17 +250,17 @@ Buffer cfg;
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -256,17 +256,17 @@ Buffer cfg;
|
||||
|
||||
/* message to be displayed after login */
|
||||
Buffer loginmsg;
|
||||
@ -520,7 +520,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
/*
|
||||
* Close all listening sockets
|
||||
*/
|
||||
@@ -269,16 +269,25 @@ close_listen_socks(void)
|
||||
@@ -275,16 +275,25 @@ close_listen_socks(void)
|
||||
{
|
||||
int i;
|
||||
|
||||
@ -546,7 +546,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
if (startup_pipes)
|
||||
for (i = 0; i < options.max_startups; i++)
|
||||
if (startup_pipes[i] != -1)
|
||||
@@ -541,60 +550,99 @@ sshd_exchange_identification(int sock_in
|
||||
@@ -547,60 +556,99 @@ sshd_exchange_identification(int sock_in
|
||||
close(sock_out);
|
||||
logit("Protocol major versions differ for %s: %.200s vs. %.200s",
|
||||
get_remote_ipaddr(),
|
||||
@ -592,7 +592,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
+ else
|
||||
+ audit_destroy_sensitive_data(fp,
|
||||
+ pid, uid);
|
||||
+ xfree(fp);
|
||||
+ free(fp);
|
||||
+ }
|
||||
}
|
||||
- if (sensitive_data.host_certificates[i]) {
|
||||
@ -639,7 +639,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
sensitive_data.ssh1_host_key = tmp;
|
||||
+ if (fp != NULL) {
|
||||
+ audit_destroy_sensitive_data(fp, pid, uid);
|
||||
+ xfree(fp);
|
||||
+ free(fp);
|
||||
+ }
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
@ -649,7 +649,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -1154,16 +1202,17 @@ server_accept_loop(int *sock_in, int *so
|
||||
@@ -1179,16 +1227,17 @@ server_accept_loop(int *sock_in, int *so
|
||||
|
||||
/* Wait in select until there is a connection. */
|
||||
ret = select(maxfd+1, fdset, NULL, NULL, NULL);
|
||||
@ -667,7 +667,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
generate_ephemeral_server_key();
|
||||
key_used = 0;
|
||||
key_do_regen = 0;
|
||||
@@ -2077,27 +2126,28 @@ main(int ac, char **av)
|
||||
@@ -2138,27 +2187,28 @@ main(int ac, char **av)
|
||||
/*
|
||||
* In privilege separation, we fork another child and prepare
|
||||
* file descriptor passing.
|
||||
@ -697,11 +697,11 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
|
||||
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
|
||||
|
||||
@@ -2316,17 +2366,17 @@ do_ssh1_kex(void)
|
||||
@@ -2377,17 +2427,17 @@ do_ssh1_kex(void)
|
||||
MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
|
||||
MD5_Final(session_key + 16, &md);
|
||||
memset(buf, 0, bytes);
|
||||
xfree(buf);
|
||||
free(buf);
|
||||
for (i = 0; i < 16; i++)
|
||||
session_id[i] = session_key[i] ^ session_key[i + 16];
|
||||
}
|
||||
@ -716,7 +716,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
BN_clear_free(session_key_int);
|
||||
|
||||
/* Set the session key. From this on all communications will be encrypted. */
|
||||
@@ -2427,16 +2477,18 @@ cleanup_exit(int i)
|
||||
@@ -2510,16 +2560,18 @@ cleanup_exit(int i)
|
||||
debug("Killing privsep child %d", pmonitor->m_pid);
|
||||
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
|
||||
errno != ESRCH)
|
@ -1,8 +1,8 @@
|
||||
# definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x
|
||||
|
||||
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
--- a/openssh-6.2p2/audit-linux.c
|
||||
+++ b/openssh-6.2p2/audit-linux.c
|
||||
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
|
||||
--- a/openssh-6.4p1/audit-linux.c
|
||||
+++ b/openssh-6.4p1/audit-linux.c
|
||||
@@ -25,16 +25,17 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
@ -21,10 +21,10 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
diff --git a/openssh-6.2p2/compat-libaudit.h b/openssh-6.2p2/compat-libaudit.h
|
||||
diff --git a/openssh-6.4p1/compat-libaudit.h b/openssh-6.4p1/compat-libaudit.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/compat-libaudit.h
|
||||
+++ b/openssh-6.4p1/compat-libaudit.h
|
||||
@@ -0,0 +1,79 @@
|
||||
+/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */
|
||||
+/* libaudit.h --
|
@ -4,9 +4,9 @@
|
||||
# Note that this particular solution causes the logs to always contain
|
||||
# "hostname=?, addr=?" when DNS lookups are disabled.
|
||||
|
||||
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
--- a/openssh-6.2p2/audit-linux.c
|
||||
+++ b/openssh-6.2p2/audit-linux.c
|
||||
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
|
||||
--- a/openssh-6.4p1/audit-linux.c
|
||||
+++ b/openssh-6.4p1/audit-linux.c
|
||||
@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c
|
||||
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
errno == EAFNOSUPPORT)
|
@ -2,10 +2,10 @@
|
||||
# grace_alarm_handler)
|
||||
# bnc#57354
|
||||
|
||||
diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c
|
||||
--- a/openssh-6.2p2/log.c
|
||||
+++ b/openssh-6.2p2/log.c
|
||||
@@ -46,16 +46,17 @@
|
||||
diff --git a/openssh-6.4p1/log.c b/openssh-6.4p1/log.c
|
||||
--- a/openssh-6.4p1/log.c
|
||||
+++ b/openssh-6.4p1/log.c
|
||||
@@ -47,16 +47,17 @@
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
|
||||
@ -18,12 +18,12 @@ diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c
|
||||
|
||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||
static int log_on_stderr = 1;
|
||||
static int log_stderr_fd = STDERR_FILENO;
|
||||
static int log_facility = LOG_AUTH;
|
||||
static char *argv0;
|
||||
static log_handler_fn *log_handler;
|
||||
static void *log_handler_ctx;
|
||||
|
||||
@@ -368,16 +369,17 @@ do_log(LogLevel level, const char *fmt,
|
||||
@@ -384,16 +385,17 @@ do_log(LogLevel level, const char *fmt,
|
||||
{
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||
@ -41,14 +41,14 @@ diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c
|
||||
|
||||
switch (level) {
|
||||
case SYSLOG_LEVEL_FATAL:
|
||||
@@ -426,20 +428,29 @@ do_log(LogLevel level, const char *fmt,
|
||||
@@ -442,20 +444,29 @@ do_log(LogLevel level, const char *fmt,
|
||||
tmp_handler = log_handler;
|
||||
log_handler = NULL;
|
||||
tmp_handler(level, fmtbuf, log_handler_ctx);
|
||||
log_handler = tmp_handler;
|
||||
} else if (log_on_stderr) {
|
||||
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
|
||||
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
|
||||
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
||||
} else {
|
||||
+ /* Prevent a race between the grace_alarm
|
||||
+ * which writes a log message and terminates
|
@ -1,8 +1,8 @@
|
||||
# only enable SSHv2 protocol by default (upstream default is fallback to v1)
|
||||
|
||||
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
--- a/openssh-6.2p2/ssh_config
|
||||
+++ b/openssh-6.2p2/ssh_config
|
||||
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
|
||||
--- a/openssh-6.4p1/ssh_config
|
||||
+++ b/openssh-6.4p1/ssh_config
|
||||
@@ -41,17 +41,17 @@ ForwardX11Trusted yes
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
@ -2,9 +2,9 @@
|
||||
# reliable indicator of ABI changes and doesn't make much sense in a
|
||||
# distribution package
|
||||
|
||||
diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c
|
||||
--- a/openssh-6.2p2/entropy.c
|
||||
+++ b/openssh-6.2p2/entropy.c
|
||||
diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c
|
||||
--- a/openssh-6.4p1/entropy.c
|
||||
+++ b/openssh-6.4p1/entropy.c
|
||||
@@ -212,22 +212,23 @@ seed_rng(void)
|
||||
#endif
|
||||
/*
|
@ -1,9 +1,9 @@
|
||||
# fix paths and references in sshd man pages
|
||||
|
||||
diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
|
||||
--- a/openssh-6.2p2/sshd.8
|
||||
+++ b/openssh-6.2p2/sshd.8
|
||||
@@ -871,17 +871,17 @@ See
|
||||
diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
|
||||
--- a/openssh-6.4p1/sshd.8
|
||||
+++ b/openssh-6.4p1/sshd.8
|
||||
@@ -872,17 +872,17 @@ See
|
||||
If this file exists,
|
||||
.Nm
|
||||
refuses to let anyone except root log in.
|
||||
@ -22,7 +22,7 @@ diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
|
||||
.It Pa /etc/ssh/ssh_host_key
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key
|
||||
@@ -950,17 +950,17 @@ The content of this file is not sensitiv
|
||||
@@ -951,17 +951,17 @@ The content of this file is not sensitiv
|
||||
.Xr sftp 1 ,
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
@ -41,10 +41,10 @@ diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
|
||||
OpenSSH is a derivative of the original and free
|
||||
ssh 1.2.12 release by Tatu Ylonen.
|
||||
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
|
||||
diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
|
||||
--- a/openssh-6.2p2/sshd_config.5
|
||||
+++ b/openssh-6.2p2/sshd_config.5
|
||||
@@ -271,18 +271,17 @@ The contents of the specified file are s
|
||||
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
|
||||
--- a/openssh-6.4p1/sshd_config.5
|
||||
+++ b/openssh-6.4p1/sshd_config.5
|
||||
@@ -278,18 +278,17 @@ The contents of the specified file are s
|
||||
authentication is allowed.
|
||||
If the argument is
|
||||
.Dq none
|
||||
@ -64,7 +64,7 @@ diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
|
||||
to after authentication.
|
||||
All components of the pathname must be root-owned directories that are
|
||||
not writable by any other user or group.
|
||||
@@ -550,17 +549,17 @@ and
|
||||
@@ -565,17 +564,17 @@ and
|
||||
.Pa .shosts
|
||||
files will not be used in
|
||||
.Cm RhostsRSAAuthentication
|
@ -1,36 +1,36 @@
|
||||
# HG changeset patch
|
||||
# Parent 2e71c896d924778e46e68e0c9be9a8b13e428f2f
|
||||
# Parent d41afe56fd49d0a9669738b1f4d53ddae0cb195a
|
||||
|
||||
# select fingerprint hash algorithms based on the environment variable
|
||||
# SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints
|
||||
# Petr Cerny <pcerny@suse.cz>
|
||||
|
||||
diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
|
||||
--- a/openssh-6.2p2/auth-rsa.c
|
||||
+++ b/openssh-6.2p2/auth-rsa.c
|
||||
@@ -323,17 +323,17 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
|
||||
return (0);
|
||||
}
|
||||
/*
|
||||
* Correct response. The client has been successfully
|
||||
* authenticated. Note that we have not yet processed the
|
||||
* options; this will be reset if the options cause the
|
||||
* authentication to be rejected.
|
||||
*/
|
||||
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
|
||||
--- a/openssh-6.4p1/auth-rsa.c
|
||||
+++ b/openssh-6.4p1/auth-rsa.c
|
||||
@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p
|
||||
|
||||
/* check the real bits */
|
||||
keybits = BN_num_bits(key->rsa->n);
|
||||
if (keybits < 0 || bits != keybits)
|
||||
logit("Warning: %s, line %lu: keysize mismatch: "
|
||||
"actual %d vs. announced %d.",
|
||||
file, linenum, BN_num_bits(key->rsa->n), bits);
|
||||
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
|
||||
verbose("Found matching %s key: %s",
|
||||
key_type(key), fp);
|
||||
xfree(fp);
|
||||
key_free(key);
|
||||
debug("matching key found: file %s, line %lu %s %s",
|
||||
file, linenum, key_type(key), fp);
|
||||
free(fp);
|
||||
|
||||
packet_send_debug("RSA authentication accepted.");
|
||||
return (1);
|
||||
}
|
||||
diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
|
||||
--- a/openssh-6.2p2/auth.c
|
||||
+++ b/openssh-6.2p2/auth.c
|
||||
@@ -658,17 +658,17 @@ auth_key_is_revoked(Key *key)
|
||||
/* Never accept a revoked key */
|
||||
if (auth_key_is_revoked(key))
|
||||
break;
|
||||
|
||||
diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
|
||||
--- a/openssh-6.4p1/auth.c
|
||||
+++ b/openssh-6.4p1/auth.c
|
||||
@@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key)
|
||||
case -1:
|
||||
/* Error opening revoked_keys_file: refuse all keys */
|
||||
error("Revoked keys file is unreadable: refusing public key "
|
||||
@ -43,16 +43,16 @@ diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
|
||||
+ key_fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
|
||||
error("WARNING: authentication attempt with a revoked "
|
||||
"%s key %s ", key_type(key), key_fp);
|
||||
xfree(key_fp);
|
||||
free(key_fp);
|
||||
return 1;
|
||||
}
|
||||
fatal("key_in_file returned junk");
|
||||
}
|
||||
|
||||
diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
|
||||
--- a/openssh-6.2p2/auth2-hostbased.c
|
||||
+++ b/openssh-6.2p2/auth2-hostbased.c
|
||||
@@ -192,23 +192,23 @@ hostbased_key_allowed(struct passwd *pw,
|
||||
diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
|
||||
--- a/openssh-6.4p1/auth2-hostbased.c
|
||||
+++ b/openssh-6.4p1/auth2-hostbased.c
|
||||
@@ -196,23 +196,23 @@ hostbased_key_allowed(struct passwd *pw,
|
||||
_PATH_SSH_SYSTEM_HOSTFILE2,
|
||||
options.ignore_user_known_hosts ? NULL :
|
||||
_PATH_SSH_USER_HOSTFILE2);
|
||||
@ -73,15 +73,43 @@ diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
|
||||
verbose("Accepted %s public key %s from %s@%s",
|
||||
key_type(key), fp, cuser, lookup);
|
||||
}
|
||||
xfree(fp);
|
||||
free(fp);
|
||||
}
|
||||
|
||||
return (host_status == HOST_OK);
|
||||
}
|
||||
diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
|
||||
--- a/openssh-6.2p2/auth2-pubkey.c
|
||||
+++ b/openssh-6.2p2/auth2-pubkey.c
|
||||
@@ -312,17 +312,17 @@ check_authkeys_file(FILE *f, char *file,
|
||||
diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
|
||||
--- a/openssh-6.4p1/auth2-pubkey.c
|
||||
+++ b/openssh-6.4p1/auth2-pubkey.c
|
||||
@@ -202,25 +202,25 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
i = vasprintf(&extra, fmt, ap);
|
||||
va_end(ap);
|
||||
if (i < 0 || extra == NULL)
|
||||
fatal("%s: vasprintf failed", __func__);
|
||||
}
|
||||
|
||||
if (key_is_cert(key)) {
|
||||
fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ key_fp_type_select(), SSH_FP_HEX);
|
||||
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
|
||||
key_type(key), key->cert->key_id,
|
||||
(unsigned long long)key->cert->serial,
|
||||
key_type(key->cert->signature_key), fp,
|
||||
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
||||
free(fp);
|
||||
} else {
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
|
||||
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
|
||||
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
||||
free(fp);
|
||||
}
|
||||
free(extra);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -354,17 +354,17 @@ check_authkeys_file(FILE *f, char *file,
|
||||
if (key_is_cert(key)) {
|
||||
if (!key_equal(found, key->cert->signature_key))
|
||||
continue;
|
||||
@ -100,26 +128,26 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
|
||||
* a key option, then prefer that list to matching
|
||||
* their username in the certificate principals list.
|
||||
*/
|
||||
@@ -355,17 +355,17 @@ check_authkeys_file(FILE *f, char *file,
|
||||
@@ -395,17 +395,17 @@ check_authkeys_file(FILE *f, char *file,
|
||||
break;
|
||||
} else if (key_equal(found, key)) {
|
||||
if (auth_parse_options(pw, key_options, file,
|
||||
linenum) != 1)
|
||||
continue;
|
||||
if (key_is_cert_authority)
|
||||
continue;
|
||||
found_key = 1;
|
||||
debug("matching key found: file %s, line %lu",
|
||||
file, linenum);
|
||||
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(found, key_fp_type_select(), SSH_FP_HEX);
|
||||
verbose("Found matching %s key: %s",
|
||||
key_type(found), fp);
|
||||
xfree(fp);
|
||||
debug("matching key found: file %s, line %lu %s %s",
|
||||
file, linenum, key_type(found), fp);
|
||||
free(fp);
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (found != NULL)
|
||||
key_free(found);
|
||||
if (!found_key)
|
||||
@@ -380,17 +380,17 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
@@ -421,17 +421,17 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
char *ca_fp, *principals_file = NULL;
|
||||
const char *reason;
|
||||
int ret = 0;
|
||||
@ -138,11 +166,11 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
|
||||
options.trusted_user_ca_keys);
|
||||
goto out;
|
||||
}
|
||||
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
--- a/openssh-6.2p2/key.c
|
||||
+++ b/openssh-6.2p2/key.c
|
||||
@@ -391,30 +391,38 @@ key_fingerprint_raw(const Key *k, enum f
|
||||
xfree(blob);
|
||||
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
|
||||
--- a/openssh-6.4p1/key.c
|
||||
+++ b/openssh-6.4p1/key.c
|
||||
@@ -390,30 +390,38 @@ key_fingerprint_raw(const Key *k, enum f
|
||||
free(blob);
|
||||
} else {
|
||||
fatal("key_fingerprint_raw: blob is null");
|
||||
}
|
||||
@ -183,7 +211,7 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
{
|
||||
char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
|
||||
char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
|
||||
@@ -489,17 +497,18 @@ key_fingerprint_bubblebabble(u_char *dgs
|
||||
@@ -488,17 +496,18 @@ key_fingerprint_bubblebabble(u_char *dgs
|
||||
* can be in the exact middle of the picture, and FLDBASE should be >=8 .
|
||||
* Else pictures would be too dense, and drawing the frame would
|
||||
* fail, too, because the key type would not fit in anymore.
|
||||
@ -203,7 +231,7 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
char *augmentation_string = " .o+=*BOX@%&#/^SE";
|
||||
char *retval, *p;
|
||||
u_char field[FLDSIZE_X][FLDSIZE_Y];
|
||||
@@ -556,18 +565,19 @@ key_fingerprint_randomart(u_char *dgst_r
|
||||
@@ -555,18 +564,19 @@ key_fingerprint_randomart(u_char *dgst_r
|
||||
*p++ = '|';
|
||||
for (x = 0; x < FLDSIZE_X; x++)
|
||||
*p++ = augmentation_string[MIN(field[x][y], len)];
|
||||
@ -224,8 +252,8 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
}
|
||||
|
||||
char *
|
||||
key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
|
||||
@@ -576,34 +586,91 @@ key_fingerprint(Key *k, enum fp_type dgs
|
||||
key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
|
||||
@@ -575,34 +585,91 @@ key_fingerprint(const Key *k, enum fp_ty
|
||||
u_char *dgst_raw;
|
||||
u_int dgst_raw_len;
|
||||
|
||||
@ -250,7 +278,7 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
break;
|
||||
}
|
||||
memset(dgst_raw, 0, dgst_raw_len);
|
||||
xfree(dgst_raw);
|
||||
free(dgst_raw);
|
||||
return retval;
|
||||
}
|
||||
|
||||
@ -319,9 +347,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
* the buffer containing the number.
|
||||
*/
|
||||
static int
|
||||
diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
|
||||
--- a/openssh-6.2p2/key.h
|
||||
+++ b/openssh-6.2p2/key.h
|
||||
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
|
||||
--- a/openssh-6.4p1/key.h
|
||||
+++ b/openssh-6.4p1/key.h
|
||||
@@ -51,16 +51,18 @@ enum fp_type {
|
||||
SSH_FP_MD5,
|
||||
SSH_FP_SHA256
|
||||
@ -343,7 +371,7 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
|
||||
u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
|
||||
@@ -97,16 +99,18 @@ int key_equal_public(const Key *, cons
|
||||
int key_equal(const Key *, const Key *);
|
||||
char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
|
||||
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
|
||||
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
|
||||
const char *key_type(const Key *);
|
||||
const char *key_cert_type(const Key *);
|
||||
@ -360,9 +388,9 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
|
||||
int key_type_plain(int);
|
||||
int key_to_certified(Key *, int);
|
||||
int key_drop_cert(Key *);
|
||||
diff --git a/openssh-6.2p2/ssh-add.c b/openssh-6.2p2/ssh-add.c
|
||||
--- a/openssh-6.2p2/ssh-add.c
|
||||
+++ b/openssh-6.2p2/ssh-add.c
|
||||
diff --git a/openssh-6.4p1/ssh-add.c b/openssh-6.4p1/ssh-add.c
|
||||
--- a/openssh-6.4p1/ssh-add.c
|
||||
+++ b/openssh-6.4p1/ssh-add.c
|
||||
@@ -321,17 +321,17 @@ list_identities(AuthenticationConnection
|
||||
int version;
|
||||
|
||||
@ -377,15 +405,15 @@ diff --git a/openssh-6.2p2/ssh-add.c b/openssh-6.2p2/ssh-add.c
|
||||
SSH_FP_HEX);
|
||||
printf("%d %s %s (%s)\n",
|
||||
key_size(key), fp, comment, key_type(key));
|
||||
xfree(fp);
|
||||
free(fp);
|
||||
} else {
|
||||
if (!key_write(key, stdout))
|
||||
fprintf(stderr, "key_write failed");
|
||||
fprintf(stdout, " %s\n", comment);
|
||||
diff --git a/openssh-6.2p2/ssh-agent.c b/openssh-6.2p2/ssh-agent.c
|
||||
--- a/openssh-6.2p2/ssh-agent.c
|
||||
+++ b/openssh-6.2p2/ssh-agent.c
|
||||
@@ -194,17 +194,17 @@ lookup_identity(Key *key, int version)
|
||||
diff --git a/openssh-6.4p1/ssh-agent.c b/openssh-6.4p1/ssh-agent.c
|
||||
--- a/openssh-6.4p1/ssh-agent.c
|
||||
+++ b/openssh-6.4p1/ssh-agent.c
|
||||
@@ -193,17 +193,17 @@ lookup_identity(Key *key, int version)
|
||||
|
||||
/* Check confirmation of keysign request */
|
||||
static int
|
||||
@ -399,14 +427,44 @@ diff --git a/openssh-6.2p2/ssh-agent.c b/openssh-6.2p2/ssh-agent.c
|
||||
if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
|
||||
id->comment, p))
|
||||
ret = 0;
|
||||
xfree(p);
|
||||
free(p);
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
|
||||
--- a/openssh-6.2p2/ssh-keygen.c
|
||||
+++ b/openssh-6.2p2/ssh-keygen.c
|
||||
diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
|
||||
--- a/openssh-6.4p1/ssh-keygen.c
|
||||
+++ b/openssh-6.4p1/ssh-keygen.c
|
||||
@@ -725,27 +725,27 @@ do_download(struct passwd *pw)
|
||||
{
|
||||
#ifdef ENABLE_PKCS11
|
||||
Key **keys = NULL;
|
||||
int i, nkeys;
|
||||
enum fp_rep rep;
|
||||
enum fp_type fptype;
|
||||
char *fp, *ra;
|
||||
|
||||
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fp_type_select();
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
|
||||
pkcs11_init(0);
|
||||
nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
|
||||
if (nkeys <= 0)
|
||||
fatal("cannot read public key from pkcs11");
|
||||
for (i = 0; i < nkeys; i++) {
|
||||
if (print_fingerprint) {
|
||||
fp = key_fingerprint(keys[i], fptype, rep);
|
||||
- ra = key_fingerprint(keys[i], SSH_FP_MD5,
|
||||
+ ra = key_fingerprint(keys[i], key_fp_type_select(),
|
||||
SSH_FP_RANDOMART);
|
||||
printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
|
||||
fp, key_type(keys[i]));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
free(ra);
|
||||
free(fp);
|
||||
} else {
|
||||
@@ -768,29 +768,29 @@ do_fingerprint(struct passwd *pw)
|
||||
FILE *f;
|
||||
Key *public;
|
||||
@ -436,9 +494,9 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
key_free(public);
|
||||
xfree(comment);
|
||||
xfree(ra);
|
||||
xfree(fp);
|
||||
free(comment);
|
||||
free(ra);
|
||||
free(fp);
|
||||
@@ -846,17 +846,17 @@ do_fingerprint(struct passwd *pw)
|
||||
public = key_new(KEY_UNSPEC);
|
||||
if (key_read(public, &cp) != 1) {
|
||||
@ -454,8 +512,8 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
|
||||
comment ? comment : "no comment", key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
xfree(ra);
|
||||
xfree(fp);
|
||||
free(ra);
|
||||
free(fp);
|
||||
key_free(public);
|
||||
invalid = 0;
|
||||
@@ -967,20 +967,20 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@ -477,11 +535,11 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
|
||||
key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
xfree(ra);
|
||||
xfree(fp);
|
||||
free(ra);
|
||||
free(fp);
|
||||
} else {
|
||||
if (hash && (name = host_hash(name, NULL, 0)) == NULL)
|
||||
@@ -1849,19 +1849,19 @@ do_show_cert(struct passwd *pw)
|
||||
@@ -1850,19 +1850,19 @@ do_show_cert(struct passwd *pw)
|
||||
if (stat(identity_file, &st) < 0)
|
||||
fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
|
||||
if ((key = key_load_public(identity_file, NULL)) == NULL)
|
||||
@ -503,7 +561,7 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
|
||||
printf(" Signing CA: %s %s\n",
|
||||
key_type(key->cert->signature_key), ca_fp);
|
||||
printf(" Key ID: \"%s\"\n", key->cert->key_id);
|
||||
@@ -2646,18 +2646,18 @@ passphrase_again:
|
||||
@@ -2650,18 +2650,18 @@ passphrase_again:
|
||||
exit(1);
|
||||
}
|
||||
if (!key_write(public, f))
|
||||
@ -523,11 +581,11 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
|
||||
printf("%s %s\n", fp, comment);
|
||||
printf("The key's randomart image is:\n");
|
||||
printf("%s\n", ra);
|
||||
xfree(ra);
|
||||
diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
|
||||
--- a/openssh-6.2p2/sshconnect.c
|
||||
+++ b/openssh-6.2p2/sshconnect.c
|
||||
@@ -826,18 +826,18 @@ check_host_key(char *hostname, struct so
|
||||
free(ra);
|
||||
diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
|
||||
--- a/openssh-6.4p1/sshconnect.c
|
||||
+++ b/openssh-6.4p1/sshconnect.c
|
||||
@@ -825,18 +825,18 @@ check_host_key(char *hostname, struct so
|
||||
"address '%.128s' to the list of known "
|
||||
"hosts (%.30s).", type, ip,
|
||||
user_hostfiles[0]);
|
||||
@ -542,13 +600,13 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
|
||||
+ ra = key_fingerprint(host_key, key_fp_type_select(),
|
||||
SSH_FP_RANDOMART);
|
||||
logit("Host key fingerprint is %s\n%s\n", fp, ra);
|
||||
xfree(ra);
|
||||
xfree(fp);
|
||||
free(ra);
|
||||
free(fp);
|
||||
}
|
||||
break;
|
||||
case HOST_NEW:
|
||||
if (options.host_key_alias == NULL && port != 0 &&
|
||||
@@ -867,18 +867,18 @@ check_host_key(char *hostname, struct so
|
||||
@@ -866,18 +866,18 @@ check_host_key(char *hostname, struct so
|
||||
|
||||
if (show_other_keys(host_hostkeys, host_key))
|
||||
snprintf(msg1, sizeof(msg1),
|
||||
@ -569,7 +627,7 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
|
||||
"Matching host key fingerprint"
|
||||
" found in DNS.\n");
|
||||
else
|
||||
@@ -1132,17 +1132,17 @@ fail:
|
||||
@@ -1131,17 +1131,17 @@ fail:
|
||||
|
||||
/* returns 0 if key verifies or -1 if key does NOT verify */
|
||||
int
|
||||
@ -581,14 +639,14 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(host_key, key_fp_type_select(), SSH_FP_HEX);
|
||||
debug("Server host key: %s %s", key_type(host_key), fp);
|
||||
xfree(fp);
|
||||
free(fp);
|
||||
|
||||
/* XXX certs are not yet supported for DNS */
|
||||
if (!key_is_cert(host_key) && options.verify_host_key_dns &&
|
||||
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
|
||||
if (flags & DNS_VERIFY_FOUND) {
|
||||
|
||||
@@ -1234,18 +1234,18 @@ show_other_keys(struct hostkeys *hostkey
|
||||
@@ -1233,18 +1233,18 @@ show_other_keys(struct hostkeys *hostkey
|
||||
char *fp, *ra;
|
||||
const struct hostkey_entry *found;
|
||||
|
||||
@ -609,7 +667,7 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
|
||||
key_type(found->key), fp);
|
||||
if (options.visual_host_key)
|
||||
logit("%s", ra);
|
||||
@@ -1256,17 +1256,17 @@ show_other_keys(struct hostkeys *hostkey
|
||||
@@ -1255,17 +1255,17 @@ show_other_keys(struct hostkeys *hostkey
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -628,10 +686,10 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
|
||||
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
|
||||
error("It is also possible that a host key has just been changed.");
|
||||
error("The fingerprint for the %s key sent by the remote host is\n%s.",
|
||||
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
--- a/openssh-6.2p2/sshconnect2.c
|
||||
+++ b/openssh-6.2p2/sshconnect2.c
|
||||
@@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
|
||||
--- a/openssh-6.4p1/sshconnect2.c
|
||||
+++ b/openssh-6.4p1/sshconnect2.c
|
||||
@@ -590,17 +590,17 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
goto done;
|
||||
}
|
||||
if (key->type != pktype) {
|
||||
@ -643,14 +701,14 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
|
||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
xfree(fp);
|
||||
free(fp);
|
||||
|
||||
/*
|
||||
* search keys in the reverse order, because last candidate has been
|
||||
* moved to the end of the queue. this also avoids confusion by
|
||||
* duplicate keys
|
||||
*/
|
||||
@@ -1207,17 +1207,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
||||
@@ -1204,17 +1204,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
||||
Buffer b;
|
||||
u_char *blob, *signature;
|
||||
u_int bloblen, slen;
|
||||
@ -662,7 +720,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(id->key, key_fp_type_select(), SSH_FP_HEX);
|
||||
debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
|
||||
xfree(fp);
|
||||
free(fp);
|
||||
|
||||
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
|
||||
/* we cannot handle this key */
|
@ -4,9 +4,9 @@
|
||||
# HG changeset patch
|
||||
# Parent 6536ed881743cbf05afe962021b985f9b1eab495
|
||||
|
||||
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
--- a/openssh-6.2p2/Makefile.in
|
||||
+++ b/openssh-6.2p2/Makefile.in
|
||||
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
|
||||
--- a/openssh-6.4p1/Makefile.in
|
||||
+++ b/openssh-6.4p1/Makefile.in
|
||||
@@ -72,17 +72,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
@ -26,9 +26,9 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
audit.o audit-bsm.o audit-linux.o platform.o \
|
||||
sshpty.o sshlogin.o servconf.o serverloop.o \
|
||||
diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
|
||||
--- a/openssh-6.2p2/auth-rsa.c
|
||||
+++ b/openssh-6.2p2/auth-rsa.c
|
||||
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
|
||||
--- a/openssh-6.4p1/auth-rsa.c
|
||||
+++ b/openssh-6.4p1/auth-rsa.c
|
||||
@@ -15,17 +15,17 @@
|
||||
*/
|
||||
|
||||
@ -132,7 +132,7 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
|
||||
debug("unsuccessful audit");
|
||||
rv = 0;
|
||||
}
|
||||
xfree(fp);
|
||||
free(fp);
|
||||
@@ -135,17 +145,17 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
* and returns true (non-zero) if the client gave the correct answer to
|
||||
* our challenge; returns zero if the client gives a wrong answer.
|
||||
@ -171,9 +171,9 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
|
||||
return (success);
|
||||
}
|
||||
|
||||
diff --git a/openssh-6.2p2/cipher-ctr.c b/openssh-6.2p2/cipher-ctr.c
|
||||
--- a/openssh-6.2p2/cipher-ctr.c
|
||||
+++ b/openssh-6.2p2/cipher-ctr.c
|
||||
diff --git a/openssh-6.4p1/cipher-ctr.c b/openssh-6.4p1/cipher-ctr.c
|
||||
--- a/openssh-6.4p1/cipher-ctr.c
|
||||
+++ b/openssh-6.4p1/cipher-ctr.c
|
||||
@@ -21,16 +21,17 @@
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -208,9 +208,9 @@ diff --git a/openssh-6.2p2/cipher-ctr.c b/openssh-6.2p2/cipher-ctr.c
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_HAVE_EVPCTR */
|
||||
diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
|
||||
--- a/openssh-6.2p2/cipher.c
|
||||
+++ b/openssh-6.2p2/cipher.c
|
||||
diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
|
||||
--- a/openssh-6.4p1/cipher.c
|
||||
+++ b/openssh-6.4p1/cipher.c
|
||||
@@ -42,16 +42,17 @@
|
||||
#include <openssl/md5.h>
|
||||
|
||||
@ -373,10 +373,10 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
|
||||
/*
|
||||
* Exports an IV from the CipherContext required to export the key
|
||||
* state back from the unprivileged child to the privileged parent
|
||||
diff --git a/openssh-6.2p2/fips.c b/openssh-6.2p2/fips.c
|
||||
diff --git a/openssh-6.4p1/fips.c b/openssh-6.4p1/fips.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/fips.c
|
||||
+++ b/openssh-6.4p1/fips.c
|
||||
@@ -0,0 +1,176 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -554,10 +554,10 @@ new file mode 100644
|
||||
+ return EVP_get_digestbynid(fips_hash_nid_min());
|
||||
+}
|
||||
+
|
||||
diff --git a/openssh-6.2p2/fips.h b/openssh-6.2p2/fips.h
|
||||
diff --git a/openssh-6.4p1/fips.h b/openssh-6.4p1/fips.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/fips.h
|
||||
+++ b/openssh-6.4p1/fips.h
|
||||
@@ -0,0 +1,54 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -613,9 +613,9 @@ new file mode 100644
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
--- a/openssh-6.2p2/key.c
|
||||
+++ b/openssh-6.2p2/key.c
|
||||
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
|
||||
--- a/openssh-6.4p1/key.c
|
||||
+++ b/openssh-6.4p1/key.c
|
||||
@@ -49,16 +49,17 @@
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
@ -654,9 +654,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
/*
|
||||
* string lengths must be less or equal to SSH_FP_TYPE_STRLEN (defined in
|
||||
* key.h) as to fit into the fingerprint string buffer
|
||||
diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
|
||||
--- a/openssh-6.2p2/mac.c
|
||||
+++ b/openssh-6.2p2/mac.c
|
||||
diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
|
||||
--- a/openssh-6.4p1/mac.c
|
||||
+++ b/openssh-6.4p1/mac.c
|
||||
@@ -36,34 +36,35 @@
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
@ -760,9 +760,9 @@ diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
|
||||
mac_setup_by_id(mac, i);
|
||||
debug2("mac_setup: found %s", name);
|
||||
return (0);
|
||||
diff --git a/openssh-6.2p2/myproposal.h b/openssh-6.2p2/myproposal.h
|
||||
--- a/openssh-6.2p2/myproposal.h
|
||||
+++ b/openssh-6.2p2/myproposal.h
|
||||
diff --git a/openssh-6.4p1/myproposal.h b/openssh-6.4p1/myproposal.h
|
||||
--- a/openssh-6.4p1/myproposal.h
|
||||
+++ b/openssh-6.4p1/myproposal.h
|
||||
@@ -71,16 +71,20 @@
|
||||
"ssh-dss"
|
||||
|
||||
@ -804,9 +804,9 @@ diff --git a/openssh-6.2p2/myproposal.h b/openssh-6.2p2/myproposal.h
|
||||
static char *myproposal[PROPOSAL_MAX] = {
|
||||
KEX_DEFAULT_KEX,
|
||||
KEX_DEFAULT_PK_ALG,
|
||||
diff --git a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c b/openssh-6.2p2/openbsd-compat/bsd-arc4random.c
|
||||
--- a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c
|
||||
+++ b/openssh-6.2p2/openbsd-compat/bsd-arc4random.c
|
||||
diff --git a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
|
||||
--- a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
|
||||
+++ b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
|
||||
@@ -18,34 +18,35 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -930,9 +930,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c b/openssh-6.2p2/openb
|
||||
{
|
||||
size_t i;
|
||||
u_int32_t r = 0;
|
||||
diff --git a/openssh-6.2p2/ssh-rsa.c b/openssh-6.2p2/ssh-rsa.c
|
||||
--- a/openssh-6.2p2/ssh-rsa.c
|
||||
+++ b/openssh-6.2p2/ssh-rsa.c
|
||||
diff --git a/openssh-6.4p1/ssh-rsa.c b/openssh-6.4p1/ssh-rsa.c
|
||||
--- a/openssh-6.4p1/ssh-rsa.c
|
||||
+++ b/openssh-6.4p1/ssh-rsa.c
|
||||
@@ -27,16 +27,17 @@
|
||||
|
||||
#include "xmalloc.h"
|
||||
@ -981,15 +981,15 @@ diff --git a/openssh-6.2p2/ssh-rsa.c b/openssh-6.2p2/ssh-rsa.c
|
||||
+ fips_correct_nid(&nid);
|
||||
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
|
||||
error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
|
||||
xfree(sigblob);
|
||||
free(sigblob);
|
||||
return -1;
|
||||
}
|
||||
EVP_DigestInit(&md, evp_md);
|
||||
EVP_DigestUpdate(&md, data, datalen);
|
||||
EVP_DigestFinal(&md, digest, &dlen);
|
||||
diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c
|
||||
--- a/openssh-6.2p2/ssh.c
|
||||
+++ b/openssh-6.2p2/ssh.c
|
||||
diff --git a/openssh-6.4p1/ssh.c b/openssh-6.4p1/ssh.c
|
||||
--- a/openssh-6.4p1/ssh.c
|
||||
+++ b/openssh-6.4p1/ssh.c
|
||||
@@ -99,16 +99,17 @@
|
||||
#include "kex.h"
|
||||
#include "mac.h"
|
||||
@ -1028,7 +1028,7 @@ diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c
|
||||
options.address_family = AF_INET;
|
||||
break;
|
||||
@@ -781,17 +784,22 @@ main(int ac, char **av)
|
||||
xfree(cp);
|
||||
free(cp);
|
||||
}
|
||||
if (muxclient_command != 0 && options.control_path == NULL)
|
||||
fatal("No ControlPath specified for \"-O\" command");
|
||||
@ -1051,9 +1051,9 @@ diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c
|
||||
options.use_privileged_port,
|
||||
#else
|
||||
original_effective_uid == 0 && options.use_privileged_port,
|
||||
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
--- a/openssh-6.2p2/sshconnect2.c
|
||||
+++ b/openssh-6.2p2/sshconnect2.c
|
||||
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
|
||||
--- a/openssh-6.4p1/sshconnect2.c
|
||||
+++ b/openssh-6.4p1/sshconnect2.c
|
||||
@@ -67,16 +67,17 @@
|
||||
#include "dispatch.h"
|
||||
#include "canohost.h"
|
||||
@ -1110,9 +1110,9 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
/* Prefer algorithms that we already have keys for */
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
order_hostkeyalgs(host, hostaddr, port);
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -118,16 +118,17 @@
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
@ -1,10 +1,10 @@
|
||||
# HG changeset patch
|
||||
# Parent a72dad36a987a441e9c92807b1d654e43ddee409
|
||||
|
||||
diff --git a/openssh-6.2p2/ChangeLog.gssapi b/openssh-6.2p2/ChangeLog.gssapi
|
||||
diff --git a/openssh-6.4p1/ChangeLog.gssapi b/openssh-6.4p1/ChangeLog.gssapi
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ChangeLog.gssapi
|
||||
+++ b/openssh-6.4p1/ChangeLog.gssapi
|
||||
@@ -0,0 +1,113 @@
|
||||
+20110101
|
||||
+ - Finally update for OpenSSH 5.6p1
|
||||
@ -119,9 +119,9 @@ new file mode 100644
|
||||
+ add support for GssapiTrustDns option for gssapi-with-mic
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <gssapi-with-mic support is Bugzilla #1008>
|
||||
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
--- a/openssh-6.2p2/Makefile.in
|
||||
+++ b/openssh-6.2p2/Makefile.in
|
||||
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
|
||||
--- a/openssh-6.4p1/Makefile.in
|
||||
+++ b/openssh-6.4p1/Makefile.in
|
||||
@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
@ -158,9 +158,9 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
|
||||
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
|
||||
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
|
||||
diff --git a/openssh-6.2p2/auth-krb5.c b/openssh-6.2p2/auth-krb5.c
|
||||
--- a/openssh-6.2p2/auth-krb5.c
|
||||
+++ b/openssh-6.2p2/auth-krb5.c
|
||||
diff --git a/openssh-6.4p1/auth-krb5.c b/openssh-6.4p1/auth-krb5.c
|
||||
--- a/openssh-6.4p1/auth-krb5.c
|
||||
+++ b/openssh-6.4p1/auth-krb5.c
|
||||
@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
if (problem)
|
||||
goto out;
|
||||
@ -229,9 +229,9 @@ diff --git a/openssh-6.2p2/auth-krb5.c b/openssh-6.2p2/auth-krb5.c
|
||||
}
|
||||
#endif /* !HEIMDAL */
|
||||
#endif /* KRB5 */
|
||||
diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
|
||||
--- a/openssh-6.2p2/auth2-gss.c
|
||||
+++ b/openssh-6.2p2/auth2-gss.c
|
||||
diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
|
||||
--- a/openssh-6.4p1/auth2-gss.c
|
||||
+++ b/openssh-6.4p1/auth2-gss.c
|
||||
@@ -1,12 +1,12 @@
|
||||
/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
|
||||
|
||||
@ -284,7 +284,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
|
||||
+ authctxt->pw));
|
||||
+
|
||||
+ buffer_free(&b);
|
||||
+ xfree(mic.value);
|
||||
+ free(mic.value);
|
||||
+
|
||||
+ return (authenticated);
|
||||
+}
|
||||
@ -333,7 +333,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
xfree(mic.value);
|
||||
free(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
|
||||
@ -357,9 +357,9 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
|
||||
|
||||
Authmethod method_gssapi_old = {
|
||||
"gssapi",
|
||||
diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
|
||||
--- a/openssh-6.2p2/auth2.c
|
||||
+++ b/openssh-6.2p2/auth2.c
|
||||
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
|
||||
--- a/openssh-6.4p1/auth2.c
|
||||
+++ b/openssh-6.4p1/auth2.c
|
||||
@@ -64,27 +64,29 @@ extern Buffer loginmsg;
|
||||
/* methods */
|
||||
|
||||
@ -390,9 +390,9 @@ diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
|
||||
#endif
|
||||
&method_passwd,
|
||||
&method_kbdint,
|
||||
diff --git a/openssh-6.2p2/clientloop.c b/openssh-6.2p2/clientloop.c
|
||||
--- a/openssh-6.2p2/clientloop.c
|
||||
+++ b/openssh-6.2p2/clientloop.c
|
||||
diff --git a/openssh-6.4p1/clientloop.c b/openssh-6.4p1/clientloop.c
|
||||
--- a/openssh-6.4p1/clientloop.c
|
||||
+++ b/openssh-6.4p1/clientloop.c
|
||||
@@ -106,16 +106,20 @@
|
||||
#include "authfd.h"
|
||||
#include "atomicio.h"
|
||||
@ -440,9 +440,9 @@ diff --git a/openssh-6.2p2/clientloop.c b/openssh-6.2p2/clientloop.c
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
|
||||
--- a/openssh-6.2p2/configure.ac
|
||||
+++ b/openssh-6.2p2/configure.ac
|
||||
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
|
||||
--- a/openssh-6.4p1/configure.ac
|
||||
+++ b/openssh-6.4p1/configure.ac
|
||||
@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
|
||||
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
|
||||
@ -484,9 +484,9 @@ diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
|
||||
[Define if pututxline updates lastlog too])
|
||||
)
|
||||
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
|
||||
diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
|
||||
--- a/openssh-6.2p2/gss-genr.c
|
||||
+++ b/openssh-6.2p2/gss-genr.c
|
||||
diff --git a/openssh-6.4p1/gss-genr.c b/openssh-6.4p1/gss-genr.c
|
||||
--- a/openssh-6.4p1/gss-genr.c
|
||||
+++ b/openssh-6.4p1/gss-genr.c
|
||||
@@ -1,12 +1,12 @@
|
||||
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
|
||||
|
||||
@ -572,8 +572,8 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
|
||||
+
|
||||
+ if (gss_enc2oid != NULL) {
|
||||
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||
+ xfree(gss_enc2oid[i].encoded);
|
||||
+ xfree(gss_enc2oid);
|
||||
+ free(gss_enc2oid[i].encoded);
|
||||
+ free(gss_enc2oid);
|
||||
+ }
|
||||
+
|
||||
+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
|
||||
@ -630,7 +630,7 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
|
||||
+ buffer_free(&buf);
|
||||
+
|
||||
+ if (strlen(mechs) == 0) {
|
||||
+ xfree(mechs);
|
||||
+ free(mechs);
|
||||
+ mechs = NULL;
|
||||
+ }
|
||||
+
|
||||
@ -702,7 +702,7 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
|
||||
&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
|
||||
ssh_gssapi_error(ctx);
|
||||
|
||||
xfree(gssbuf.value);
|
||||
free(gssbuf.value);
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
@ -874,9 +874,9 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
|
||||
+}
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
diff --git a/openssh-6.2p2/gss-serv-krb5.c b/openssh-6.2p2/gss-serv-krb5.c
|
||||
--- a/openssh-6.2p2/gss-serv-krb5.c
|
||||
+++ b/openssh-6.2p2/gss-serv-krb5.c
|
||||
diff --git a/openssh-6.4p1/gss-serv-krb5.c b/openssh-6.4p1/gss-serv-krb5.c
|
||||
--- a/openssh-6.4p1/gss-serv-krb5.c
|
||||
+++ b/openssh-6.4p1/gss-serv-krb5.c
|
||||
@@ -1,12 +1,12 @@
|
||||
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
@ -1023,9 +1023,9 @@ diff --git a/openssh-6.2p2/gss-serv-krb5.c b/openssh-6.2p2/gss-serv-krb5.c
|
||||
#endif /* KRB5 */
|
||||
|
||||
#endif /* GSSAPI */
|
||||
diff --git a/openssh-6.2p2/gss-serv.c b/openssh-6.2p2/gss-serv.c
|
||||
--- a/openssh-6.2p2/gss-serv.c
|
||||
+++ b/openssh-6.2p2/gss-serv.c
|
||||
diff --git a/openssh-6.4p1/gss-serv.c b/openssh-6.4p1/gss-serv.c
|
||||
--- a/openssh-6.4p1/gss-serv.c
|
||||
+++ b/openssh-6.4p1/gss-serv.c
|
||||
@@ -1,12 +1,12 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
|
||||
|
||||
@ -1412,9 +1412,9 @@ diff --git a/openssh-6.2p2/gss-serv.c b/openssh-6.2p2/gss-serv.c
|
||||
}
|
||||
|
||||
#endif
|
||||
diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
--- a/openssh-6.2p2/kex.c
|
||||
+++ b/openssh-6.2p2/kex.c
|
||||
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
|
||||
--- a/openssh-6.4p1/kex.c
|
||||
+++ b/openssh-6.4p1/kex.c
|
||||
@@ -46,16 +46,24 @@
|
||||
#include "log.h"
|
||||
#include "mac.h"
|
||||
@ -1471,9 +1471,9 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
|
||||
choose_hostkeyalg(Kex *k, char *client, char *server)
|
||||
{
|
||||
char *hostkeyalg = match_list(client, server, NULL);
|
||||
diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h
|
||||
--- a/openssh-6.2p2/kex.h
|
||||
+++ b/openssh-6.2p2/kex.h
|
||||
diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
|
||||
--- a/openssh-6.4p1/kex.h
|
||||
+++ b/openssh-6.4p1/kex.h
|
||||
@@ -68,16 +68,19 @@ enum kex_modes {
|
||||
};
|
||||
|
||||
@ -1539,10 +1539,10 @@ diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h
|
||||
kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
|
||||
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
|
||||
BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff --git a/openssh-6.2p2/kexgssc.c b/openssh-6.2p2/kexgssc.c
|
||||
diff --git a/openssh-6.4p1/kexgssc.c b/openssh-6.4p1/kexgssc.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/kexgssc.c
|
||||
+++ b/openssh-6.4p1/kexgssc.c
|
||||
@@ -0,0 +1,334 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1690,7 +1690,7 @@ new file mode 100644
|
||||
+
|
||||
+ /* If we've got an old receive buffer get rid of it */
|
||||
+ if (token_ptr != GSS_C_NO_BUFFER)
|
||||
+ xfree(recv_tok.value);
|
||||
+ free(recv_tok.value);
|
||||
+
|
||||
+ if (maj_status == GSS_S_COMPLETE) {
|
||||
+ /* If mutual state flag is not true, kex fails */
|
||||
@ -1807,7 +1807,7 @@ new file mode 100644
|
||||
+ fatal("kexdh_client: BN_bin2bn failed");
|
||||
+
|
||||
+ memset(kbuf, 0, klen);
|
||||
+ xfree(kbuf);
|
||||
+ free(kbuf);
|
||||
+
|
||||
+ switch (kex->kex_type) {
|
||||
+ case KEX_GSS_GRP1_SHA1:
|
||||
@ -1850,11 +1850,11 @@ new file mode 100644
|
||||
+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
|
||||
+ packet_disconnect("Hash's MIC didn't verify");
|
||||
+
|
||||
+ xfree(msg_tok.value);
|
||||
+ free(msg_tok.value);
|
||||
+
|
||||
+ DH_free(dh);
|
||||
+ if (serverhostkey)
|
||||
+ xfree(serverhostkey);
|
||||
+ free(serverhostkey);
|
||||
+ BN_clear_free(dh_server_pub);
|
||||
+
|
||||
+ /* save session id */
|
||||
@ -1878,10 +1878,10 @@ new file mode 100644
|
||||
+}
|
||||
+
|
||||
+#endif /* GSSAPI */
|
||||
diff --git a/openssh-6.2p2/kexgsss.c b/openssh-6.2p2/kexgsss.c
|
||||
diff --git a/openssh-6.4p1/kexgsss.c b/openssh-6.4p1/kexgsss.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/kexgsss.c
|
||||
+++ b/openssh-6.4p1/kexgsss.c
|
||||
@@ -0,0 +1,288 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1965,7 +1965,7 @@ new file mode 100644
|
||||
+ */
|
||||
+ if (!ssh_gssapi_oid_table_ok())
|
||||
+ if ((mechs = ssh_gssapi_server_mechanisms()))
|
||||
+ xfree(mechs);
|
||||
+ free(mechs);
|
||||
+
|
||||
+ debug2("%s: Identifying %s", __func__, kex->name);
|
||||
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
||||
@ -2043,7 +2043,7 @@ new file mode 100644
|
||||
+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
|
||||
+ &send_tok, &ret_flags));
|
||||
+
|
||||
+ xfree(recv_tok.value);
|
||||
+ free(recv_tok.value);
|
||||
+
|
||||
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
|
||||
+ fatal("Zero length token output when incomplete");
|
||||
@ -2092,7 +2092,7 @@ new file mode 100644
|
||||
+ fatal("kexgss_server: BN_bin2bn failed");
|
||||
+
|
||||
+ memset(kbuf, 0, klen);
|
||||
+ xfree(kbuf);
|
||||
+ free(kbuf);
|
||||
+
|
||||
+ switch (kex->kex_type) {
|
||||
+ case KEX_GSS_GRP1_SHA1:
|
||||
@ -2171,9 +2171,9 @@ new file mode 100644
|
||||
+ ssh_gssapi_rekey_creds();
|
||||
+}
|
||||
+#endif /* GSSAPI */
|
||||
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
--- a/openssh-6.2p2/key.c
|
||||
+++ b/openssh-6.2p2/key.c
|
||||
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
|
||||
--- a/openssh-6.4p1/key.c
|
||||
+++ b/openssh-6.4p1/key.c
|
||||
@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int
|
||||
return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
|
||||
case NID_secp521r1:
|
||||
@ -2212,9 +2212,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
|
||||
|
||||
int
|
||||
key_ecdsa_nid_from_name(const char *name)
|
||||
diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
|
||||
--- a/openssh-6.2p2/key.h
|
||||
+++ b/openssh-6.2p2/key.h
|
||||
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
|
||||
--- a/openssh-6.4p1/key.h
|
||||
+++ b/openssh-6.4p1/key.h
|
||||
@@ -39,16 +39,17 @@ enum types {
|
||||
KEY_RSA,
|
||||
KEY_DSA,
|
||||
@ -2233,9 +2233,9 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
|
||||
SSH_FP_SHA256
|
||||
};
|
||||
enum fp_rep {
|
||||
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
--- a/openssh-6.2p2/monitor.c
|
||||
+++ b/openssh-6.2p2/monitor.c
|
||||
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
|
||||
--- a/openssh-6.4p1/monitor.c
|
||||
+++ b/openssh-6.4p1/monitor.c
|
||||
@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *)
|
||||
int mm_answer_pam_free_ctx(int, Buffer *);
|
||||
#endif
|
||||
@ -2355,7 +2355,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
blob = buffer_get_string(m, &bloblen);
|
||||
buffer_init(&kex->my);
|
||||
buffer_append(&kex->my, blob, bloblen);
|
||||
xfree(blob);
|
||||
free(blob);
|
||||
blob = buffer_get_string(m, &bloblen);
|
||||
@@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon)
|
||||
#ifdef GSSAPI
|
||||
@ -2374,7 +2374,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
|
||||
major = ssh_gssapi_server_ctx(&gsscontext, &goid);
|
||||
|
||||
xfree(goid.elements);
|
||||
free(goid.elements);
|
||||
|
||||
buffer_clear(m);
|
||||
@@ -2162,16 +2189,19 @@ int
|
||||
@ -2392,7 +2392,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
in.value = buffer_get_string(m, &len);
|
||||
in.length = len;
|
||||
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
||||
xfree(in.value);
|
||||
free(in.value);
|
||||
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, major);
|
||||
@ -2428,7 +2428,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
|
||||
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
|
||||
|
||||
xfree(gssbuf.value);
|
||||
free(gssbuf.value);
|
||||
@@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
return (0);
|
||||
}
|
||||
@ -2482,7 +2482,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
+ }
|
||||
+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
|
||||
+
|
||||
+ xfree(data.value);
|
||||
+ free(data.value);
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+ buffer_put_int(m, major);
|
||||
@ -2512,9 +2512,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
+
|
||||
+ ok = ssh_gssapi_update_creds(&store);
|
||||
+
|
||||
+ xfree(store.filename);
|
||||
+ xfree(store.envvar);
|
||||
+ xfree(store.envval);
|
||||
+ free(store.filename);
|
||||
+ free(store.envvar);
|
||||
+ free(store.envval);
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+ buffer_put_int(m, ok);
|
||||
@ -2532,9 +2532,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
|
||||
{
|
||||
struct jpake_ctx *pctx;
|
||||
u_char *x3_proof, *x4_proof;
|
||||
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
--- a/openssh-6.2p2/monitor.h
|
||||
+++ b/openssh-6.2p2/monitor.h
|
||||
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
|
||||
--- a/openssh-6.4p1/monitor.h
|
||||
+++ b/openssh-6.4p1/monitor.h
|
||||
@@ -70,16 +70,19 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
|
||||
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
|
||||
@ -2555,9 +2555,9 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
|
||||
int m_sendfd;
|
||||
int m_log_recvfd;
|
||||
int m_log_sendfd;
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
--- a/openssh-6.2p2/monitor_wrap.c
|
||||
+++ b/openssh-6.2p2/monitor_wrap.c
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
|
||||
--- a/openssh-6.4p1/monitor_wrap.c
|
||||
+++ b/openssh-6.4p1/monitor_wrap.c
|
||||
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
&m);
|
||||
|
||||
@ -2638,9 +2638,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
|
||||
char **hash_scheme, char **salt)
|
||||
{
|
||||
Buffer m;
|
||||
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
--- a/openssh-6.2p2/monitor_wrap.h
|
||||
+++ b/openssh-6.2p2/monitor_wrap.h
|
||||
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
|
||||
--- a/openssh-6.4p1/monitor_wrap.h
|
||||
+++ b/openssh-6.4p1/monitor_wrap.h
|
||||
@@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *,
|
||||
int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
|
||||
int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
|
||||
@ -2663,9 +2663,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
|
||||
void *mm_sshpam_init_ctx(struct Authctxt *);
|
||||
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
|
||||
int mm_sshpam_respond(void *, u_int, char **);
|
||||
diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
|
||||
--- a/openssh-6.2p2/readconf.c
|
||||
+++ b/openssh-6.2p2/readconf.c
|
||||
diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
|
||||
--- a/openssh-6.4p1/readconf.c
|
||||
+++ b/openssh-6.4p1/readconf.c
|
||||
@@ -124,16 +124,18 @@ typedef enum {
|
||||
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
|
||||
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
|
||||
@ -2813,9 +2813,9 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
|
||||
options->rhosts_rsa_authentication = 0;
|
||||
if (options->hostbased_authentication == -1)
|
||||
options->hostbased_authentication = 0;
|
||||
diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h
|
||||
--- a/openssh-6.2p2/readconf.h
|
||||
+++ b/openssh-6.2p2/readconf.h
|
||||
diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
|
||||
--- a/openssh-6.4p1/readconf.h
|
||||
+++ b/openssh-6.4p1/readconf.h
|
||||
@@ -43,18 +43,23 @@ typedef struct {
|
||||
int rhosts_rsa_authentication; /* Try rhosts with RSA
|
||||
* authentication. */
|
||||
@ -2840,9 +2840,9 @@ diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h
|
||||
int batch_mode; /* Batch mode: do not ask for passwords. */
|
||||
int check_host_ip; /* Also keep track of keys for IP address */
|
||||
int strict_host_key_checking; /* Strict host key checking. */
|
||||
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
--- a/openssh-6.2p2/servconf.c
|
||||
+++ b/openssh-6.2p2/servconf.c
|
||||
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
|
||||
--- a/openssh-6.4p1/servconf.c
|
||||
+++ b/openssh-6.4p1/servconf.c
|
||||
@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions
|
||||
options->hostbased_uses_name_from_packet_only = -1;
|
||||
options->rsa_authentication = -1;
|
||||
@ -3000,9 +3000,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
o->kbd_interactive_authentication);
|
||||
diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
|
||||
--- a/openssh-6.2p2/servconf.h
|
||||
+++ b/openssh-6.2p2/servconf.h
|
||||
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
|
||||
--- a/openssh-6.4p1/servconf.h
|
||||
+++ b/openssh-6.4p1/servconf.h
|
||||
@@ -105,18 +105,21 @@ typedef struct {
|
||||
* authentication mechanism,
|
||||
* such as SecurID or
|
||||
@ -3025,9 +3025,9 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
|
||||
/* If true, permit jpake auth */
|
||||
int permit_empty_passwd; /* If false, do not permit empty
|
||||
* passwords. */
|
||||
diff --git a/openssh-6.2p2/ssh-gss.h b/openssh-6.2p2/ssh-gss.h
|
||||
--- a/openssh-6.2p2/ssh-gss.h
|
||||
+++ b/openssh-6.2p2/ssh-gss.h
|
||||
diff --git a/openssh-6.4p1/ssh-gss.h b/openssh-6.4p1/ssh-gss.h
|
||||
--- a/openssh-6.4p1/ssh-gss.h
|
||||
+++ b/openssh-6.4p1/ssh-gss.h
|
||||
@@ -1,11 +1,11 @@
|
||||
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
|
||||
/*
|
||||
@ -3151,9 +3151,9 @@ diff --git a/openssh-6.2p2/ssh-gss.h b/openssh-6.2p2/ssh-gss.h
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#endif /* _SSH_GSS_H */
|
||||
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
--- a/openssh-6.2p2/ssh_config
|
||||
+++ b/openssh-6.2p2/ssh_config
|
||||
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
|
||||
--- a/openssh-6.4p1/ssh_config
|
||||
+++ b/openssh-6.4p1/ssh_config
|
||||
@@ -32,16 +32,18 @@ Host *
|
||||
ForwardX11Trusted yes
|
||||
|
||||
@ -3173,9 +3173,9 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
# IdentityFile ~/.ssh/identity
|
||||
# IdentityFile ~/.ssh/id_rsa
|
||||
# IdentityFile ~/.ssh/id_dsa
|
||||
diff --git a/openssh-6.2p2/ssh_config.5 b/openssh-6.2p2/ssh_config.5
|
||||
--- a/openssh-6.2p2/ssh_config.5
|
||||
+++ b/openssh-6.2p2/ssh_config.5
|
||||
diff --git a/openssh-6.4p1/ssh_config.5 b/openssh-6.4p1/ssh_config.5
|
||||
--- a/openssh-6.4p1/ssh_config.5
|
||||
+++ b/openssh-6.4p1/ssh_config.5
|
||||
@@ -525,21 +525,53 @@ host key database, separated by whitespa
|
||||
The default is
|
||||
.Pa /etc/ssh/ssh_known_hosts ,
|
||||
@ -3231,9 +3231,9 @@ diff --git a/openssh-6.2p2/ssh_config.5 b/openssh-6.2p2/ssh_config.5
|
||||
These hashed names may be used normally by
|
||||
.Xr ssh 1
|
||||
and
|
||||
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
--- a/openssh-6.2p2/sshconnect2.c
|
||||
+++ b/openssh-6.2p2/sshconnect2.c
|
||||
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
|
||||
--- a/openssh-6.4p1/sshconnect2.c
|
||||
+++ b/openssh-6.4p1/sshconnect2.c
|
||||
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
|
||||
return ret;
|
||||
}
|
||||
@ -3295,7 +3295,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
||||
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||
+ "%s,null", orig);
|
||||
+ xfree(gss);
|
||||
+ free(gss);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
@ -3450,8 +3450,8 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
packet_check_eom();
|
||||
|
||||
debug("Server GSSAPI Error:\n%s", msg);
|
||||
xfree(msg);
|
||||
xfree(lang);
|
||||
free(msg);
|
||||
free(lang);
|
||||
}
|
||||
+
|
||||
+int
|
||||
@ -3503,9 +3503,9 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
/* initial userauth request */
|
||||
packet_start(SSH2_MSG_USERAUTH_REQUEST);
|
||||
packet_put_cstring(authctxt->server_user);
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -119,16 +119,24 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
@ -3812,9 +3812,9 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
kex->host_key_index=&get_hostkey_index;
|
||||
|
||||
xxx_kex = kex;
|
||||
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
|
||||
--- a/openssh-6.2p2/sshd_config
|
||||
+++ b/openssh-6.2p2/sshd_config
|
||||
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
|
||||
--- a/openssh-6.4p1/sshd_config
|
||||
+++ b/openssh-6.4p1/sshd_config
|
||||
@@ -75,16 +75,18 @@ PasswordAuthentication no
|
||||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
@ -3834,9 +3834,9 @@ diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
|
||||
#GSSAPIEnableMITMAttack no
|
||||
|
||||
|
||||
diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
|
||||
--- a/openssh-6.2p2/sshd_config.5
|
||||
+++ b/openssh-6.2p2/sshd_config.5
|
||||
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
|
||||
--- a/openssh-6.4p1/sshd_config.5
|
||||
+++ b/openssh-6.4p1/sshd_config.5
|
||||
@@ -475,22 +475,50 @@ to force remote port forwardings to bind
|
||||
to allow the client to select the address to which the forwarding is bound.
|
||||
The default is
|
@ -13,10 +13,10 @@
|
||||
# recommended to use the 'gssapi-with-mic' mechanism. Existing installations
|
||||
# are encouraged to upgrade as soon as possible.
|
||||
|
||||
diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
|
||||
--- a/openssh-6.2p2/auth2-gss.c
|
||||
+++ b/openssh-6.2p2/auth2-gss.c
|
||||
@@ -174,16 +174,25 @@ input_gssapi_token(int type, u_int32_t p
|
||||
diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
|
||||
--- a/openssh-6.4p1/auth2-gss.c
|
||||
+++ b/openssh-6.4p1/auth2-gss.c
|
||||
@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
|
||||
if (flags & GSS_C_INTEG_FLAG)
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
|
||||
@ -42,7 +42,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
|
||||
|
||||
static void
|
||||
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -295,9 +304,15 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -291,9 +300,15 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
}
|
||||
|
||||
Authmethod method_gssapi = {
|
||||
@ -58,9 +58,9 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
|
||||
+};
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
|
||||
--- a/openssh-6.2p2/auth2.c
|
||||
+++ b/openssh-6.2p2/auth2.c
|
||||
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
|
||||
--- a/openssh-6.4p1/auth2.c
|
||||
+++ b/openssh-6.4p1/auth2.c
|
||||
@@ -65,26 +65,28 @@ extern Buffer loginmsg;
|
||||
|
||||
extern Authmethod method_none;
|
||||
@ -90,10 +90,10 @@ diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
|
||||
&method_kbdint,
|
||||
&method_hostbased,
|
||||
NULL
|
||||
diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
|
||||
--- a/openssh-6.2p2/readconf.c
|
||||
+++ b/openssh-6.2p2/readconf.c
|
||||
@@ -123,17 +123,17 @@ typedef enum {
|
||||
diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
|
||||
--- a/openssh-6.4p1/readconf.c
|
||||
+++ b/openssh-6.4p1/readconf.c
|
||||
@@ -126,17 +126,17 @@ typedef enum {
|
||||
oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
|
||||
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
|
||||
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
|
||||
@ -109,10 +109,10 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
|
||||
oHashKnownHosts,
|
||||
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
||||
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
|
||||
oKexAlgorithms, oIPQoS, oRequestTTY,
|
||||
oDeprecated, oUnsupported
|
||||
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
|
||||
oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
@@ -165,19 +165,21 @@ static struct {
|
||||
@@ -168,19 +168,21 @@ static struct {
|
||||
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
|
||||
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
|
||||
{ "kerberosauthentication", oUnsupported },
|
||||
@ -134,7 +134,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
|
||||
{ "identitiesonly", oIdentitiesOnly },
|
||||
{ "hostname", oHostName },
|
||||
{ "hostkeyalias", oHostKeyAlias },
|
||||
@@ -501,16 +503,20 @@ parse_flag:
|
||||
@@ -514,16 +516,20 @@ parse_flag:
|
||||
|
||||
case oGssAuthentication:
|
||||
intptr = &options->gss_authentication;
|
||||
@ -155,7 +155,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
|
||||
case oCheckHostIP:
|
||||
intptr = &options->check_host_ip;
|
||||
goto parse_flag;
|
||||
@@ -1154,16 +1160,17 @@ initialize_options(Options * options)
|
||||
@@ -1164,16 +1170,17 @@ initialize_options(Options * options)
|
||||
options->xauth_location = NULL;
|
||||
options->gateway_ports = -1;
|
||||
options->use_privileged_port = -1;
|
||||
@ -173,7 +173,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
|
||||
options->batch_mode = -1;
|
||||
options->check_host_ip = -1;
|
||||
options->strict_host_key_checking = -1;
|
||||
@@ -1255,16 +1262,18 @@ fill_default_options(Options * options)
|
||||
@@ -1265,16 +1272,18 @@ fill_default_options(Options * options)
|
||||
if (options->pubkey_authentication == -1)
|
||||
options->pubkey_authentication = 1;
|
||||
if (options->challenge_response_authentication == -1)
|
||||
@ -192,9 +192,9 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
|
||||
options->rhosts_rsa_authentication = 0;
|
||||
if (options->hostbased_authentication == -1)
|
||||
options->hostbased_authentication = 0;
|
||||
diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h
|
||||
--- a/openssh-6.2p2/readconf.h
|
||||
+++ b/openssh-6.2p2/readconf.h
|
||||
diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
|
||||
--- a/openssh-6.4p1/readconf.h
|
||||
+++ b/openssh-6.4p1/readconf.h
|
||||
@@ -44,16 +44,17 @@ typedef struct {
|
||||
* authentication. */
|
||||
int rsa_authentication; /* Try RSA authentication. */
|
||||
@ -213,10 +213,10 @@ diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h
|
||||
int batch_mode; /* Batch mode: do not ask for passwords. */
|
||||
int check_host_ip; /* Also keep track of keys for IP address */
|
||||
int strict_host_key_checking; /* Strict host key checking. */
|
||||
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
--- a/openssh-6.2p2/servconf.c
|
||||
+++ b/openssh-6.2p2/servconf.c
|
||||
@@ -98,16 +98,17 @@ initialize_server_options(ServerOptions
|
||||
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
|
||||
--- a/openssh-6.4p1/servconf.c
|
||||
+++ b/openssh-6.4p1/servconf.c
|
||||
@@ -103,16 +103,17 @@ initialize_server_options(ServerOptions
|
||||
options->rsa_authentication = -1;
|
||||
options->pubkey_authentication = -1;
|
||||
options->kerberos_authentication = -1;
|
||||
@ -233,8 +233,8 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
options->permit_user_env = -1;
|
||||
options->use_login = -1;
|
||||
options->compression = -1;
|
||||
options->allow_tcp_forwarding = -1;
|
||||
@@ -230,16 +231,18 @@ fill_default_server_options(ServerOption
|
||||
options->rekey_limit = -1;
|
||||
@@ -237,16 +238,18 @@ fill_default_server_options(ServerOption
|
||||
if (options->kerberos_ticket_cleanup == -1)
|
||||
options->kerberos_ticket_cleanup = 1;
|
||||
if (options->kerberos_get_afs_token == -1)
|
||||
@ -253,9 +253,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
options->challenge_response_authentication = 1;
|
||||
if (options->permit_empty_passwd == -1)
|
||||
options->permit_empty_passwd = 0;
|
||||
@@ -322,17 +325,17 @@ typedef enum {
|
||||
@@ -333,17 +336,17 @@ typedef enum {
|
||||
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
|
||||
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
@ -270,9 +270,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sAuthenticationMethods,
|
||||
sAuthenticationMethods, sHostKeyAgent,
|
||||
sDeprecated, sUnsupported
|
||||
@@ -388,19 +391,21 @@ static struct {
|
||||
@@ -400,19 +403,21 @@ static struct {
|
||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
@ -294,7 +294,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
#ifdef JPAKE
|
||||
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
|
||||
#else
|
||||
@@ -1048,16 +1053,20 @@ process_server_config_line(ServerOptions
|
||||
@@ -1072,16 +1077,20 @@ process_server_config_line(ServerOptions
|
||||
case sGssAuthentication:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
@ -315,10 +315,10 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
intptr = &options->zero_knowledge_password_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
|
||||
--- a/openssh-6.2p2/servconf.h
|
||||
+++ b/openssh-6.2p2/servconf.h
|
||||
@@ -106,16 +106,17 @@ typedef struct {
|
||||
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
|
||||
--- a/openssh-6.4p1/servconf.h
|
||||
+++ b/openssh-6.4p1/servconf.h
|
||||
@@ -107,16 +107,17 @@ typedef struct {
|
||||
* such as SecurID or
|
||||
* /etc/passwd */
|
||||
int kerberos_ticket_cleanup; /* If true, destroy ticket
|
||||
@ -336,10 +336,10 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
|
||||
/* If true, permit jpake auth */
|
||||
int permit_empty_passwd; /* If false, do not permit empty
|
||||
* passwords. */
|
||||
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
--- a/openssh-6.2p2/ssh_config
|
||||
+++ b/openssh-6.2p2/ssh_config
|
||||
@@ -51,8 +51,15 @@ ForwardX11Trusted yes
|
||||
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
|
||||
--- a/openssh-6.4p1/ssh_config
|
||||
+++ b/openssh-6.4p1/ssh_config
|
||||
@@ -51,9 +51,16 @@ ForwardX11Trusted yes
|
||||
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
|
||||
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
||||
# EscapeChar ~
|
||||
@ -355,10 +355,11 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
||||
+# GSSAPIEnableMITMAttack no
|
||||
+
|
||||
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
--- a/openssh-6.2p2/sshconnect2.c
|
||||
+++ b/openssh-6.2p2/sshconnect2.c
|
||||
@@ -321,16 +321,21 @@ static char *authmethods_get(void);
|
||||
# RekeyLimit 1G 1h
|
||||
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
|
||||
--- a/openssh-6.4p1/sshconnect2.c
|
||||
+++ b/openssh-6.4p1/sshconnect2.c
|
||||
@@ -322,16 +322,21 @@ static char *authmethods_get(void);
|
||||
|
||||
Authmethod authmethods[] = {
|
||||
#ifdef GSSAPI
|
||||
@ -380,7 +381,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
NULL},
|
||||
{"publickey",
|
||||
userauth_pubkey,
|
||||
@@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf
|
||||
@@ -696,17 +701,19 @@ process_gssapi_token(void *ctxt, gss_buf
|
||||
|
||||
packet_put_string(send_tok.value, send_tok.length);
|
||||
packet_send();
|
||||
@ -401,10 +402,10 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
gssbuf.length = buffer_len(&b);
|
||||
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
|
||||
--- a/openssh-6.2p2/sshd_config
|
||||
+++ b/openssh-6.2p2/sshd_config
|
||||
@@ -76,16 +76,23 @@ PasswordAuthentication no
|
||||
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
|
||||
--- a/openssh-6.4p1/sshd_config
|
||||
+++ b/openssh-6.4p1/sshd_config
|
||||
@@ -79,16 +79,23 @@ PasswordAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
@ -1,10 +1,10 @@
|
||||
# identify hashed hosts in known_hosts and suggest command line for their
|
||||
# removal
|
||||
|
||||
diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
|
||||
--- a/openssh-6.2p2/sshconnect.c
|
||||
+++ b/openssh-6.2p2/sshconnect.c
|
||||
@@ -987,16 +987,21 @@ check_host_key(char *hostname, struct so
|
||||
diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
|
||||
--- a/openssh-6.4p1/sshconnect.c
|
||||
+++ b/openssh-6.4p1/sshconnect.c
|
||||
@@ -986,16 +986,21 @@ check_host_key(char *hostname, struct so
|
||||
ip_found->file, ip_found->line);
|
||||
}
|
||||
/* The host key has changed. */
|
@ -1,9 +1,9 @@
|
||||
# SSHv1 to SSHv2 RSA keys converter
|
||||
|
||||
diff --git a/openssh-6.2p2/converter/Makefile b/openssh-6.2p2/converter/Makefile
|
||||
diff --git a/openssh-6.4p1/converter/Makefile b/openssh-6.4p1/converter/Makefile
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/converter/Makefile
|
||||
+++ b/openssh-6.4p1/converter/Makefile
|
||||
@@ -0,0 +1,17 @@
|
||||
+
|
||||
+bindir=/usr/bin
|
||||
@ -12,20 +12,20 @@ new file mode 100644
|
||||
+all : ssh-keyconverter
|
||||
+
|
||||
+ssh-keyconverter.o: ssh-keyconverter.c ../key.h ../authfile.h ../misc.h ../xmalloc.h
|
||||
+ gcc $(RPM_OPT_FLAGS) -c -I../ $< -o $@
|
||||
+ gcc $(CFLAGS) $(RPM_OPT_FLAGS) -c -I../ $< -o $@
|
||||
+
|
||||
+ssh-keyconverter: ssh-keyconverter.o ../libssh.a ../openbsd-compat/libopenbsd-compat.a
|
||||
+ gcc $< -Wl,--no-as-needed $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
|
||||
+ gcc $< $(LDFLAGS) $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lcrypto -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
|
||||
+
|
||||
+install: ssh-keyconverter ssh-keyconverter.1
|
||||
+ if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755 $(DESTDIR)$(bindir); fi
|
||||
+ install -m 755 ssh-keyconverter $(DESTDIR)$(bindir)
|
||||
+ if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi
|
||||
+ install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1
|
||||
diff --git a/openssh-6.2p2/converter/ssh-keyconverter.1 b/openssh-6.2p2/converter/ssh-keyconverter.1
|
||||
diff --git a/openssh-6.4p1/converter/ssh-keyconverter.1 b/openssh-6.4p1/converter/ssh-keyconverter.1
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/converter/ssh-keyconverter.1
|
||||
+++ b/openssh-6.4p1/converter/ssh-keyconverter.1
|
||||
@@ -0,0 +1,155 @@
|
||||
+.\" Manpage for ssh-keyconverter
|
||||
+.\"
|
||||
@ -182,10 +182,10 @@ new file mode 100644
|
||||
+.%D March 2001
|
||||
+.%O work in progress material
|
||||
+.Re
|
||||
diff --git a/openssh-6.2p2/converter/ssh-keyconverter.c b/openssh-6.2p2/converter/ssh-keyconverter.c
|
||||
diff --git a/openssh-6.4p1/converter/ssh-keyconverter.c b/openssh-6.4p1/converter/ssh-keyconverter.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/converter/ssh-keyconverter.c
|
||||
+++ b/openssh-6.4p1/converter/ssh-keyconverter.c
|
||||
@@ -0,0 +1,345 @@
|
||||
+/*
|
||||
+ * SSH v1 to v2 RSA key converter.
|
||||
@ -330,7 +330,7 @@ new file mode 100644
|
||||
+ if (i) {
|
||||
+ /* Zap old pass phrase */
|
||||
+ memset(passphrase, 0, strlen(passphrase));
|
||||
+ xfree(passphrase);
|
||||
+ free(passphrase);
|
||||
+
|
||||
+ /* Get a pass phrase from the user */
|
||||
+ passphrase = read_passphrase(prompt, 0);
|
||||
@ -387,7 +387,7 @@ new file mode 100644
|
||||
+
|
||||
+out:
|
||||
+ memset(passphrase, 0, strlen(passphrase));
|
||||
+ xfree(passphrase);
|
||||
+ free(passphrase);
|
||||
+ if (key)
|
||||
+ key_free(key);
|
||||
+ if (pk)
|
@ -1,9 +1,9 @@
|
||||
# set uid for functions that use it to seek in lastlog and wtmp files
|
||||
# bnc#18024 (was suse #3024)
|
||||
|
||||
diff --git a/openssh-6.2p2/sshlogin.c b/openssh-6.2p2/sshlogin.c
|
||||
--- a/openssh-6.2p2/sshlogin.c
|
||||
+++ b/openssh-6.2p2/sshlogin.c
|
||||
diff --git a/openssh-6.4p1/sshlogin.c b/openssh-6.4p1/sshlogin.c
|
||||
--- a/openssh-6.4p1/sshlogin.c
|
||||
+++ b/openssh-6.4p1/sshlogin.c
|
||||
@@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty,
|
||||
{
|
||||
struct logininfo *li;
|
@ -8,10 +8,10 @@
|
||||
# internal versions. ssh-keyconverter consequently fails to link as it lacks
|
||||
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
|
||||
|
||||
diff --git a/openssh-6.2p2/HOWTO.ldap-keys b/openssh-6.2p2/HOWTO.ldap-keys
|
||||
diff --git a/openssh-6.4p1/HOWTO.ldap-keys b/openssh-6.4p1/HOWTO.ldap-keys
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/HOWTO.ldap-keys
|
||||
+++ b/openssh-6.4p1/HOWTO.ldap-keys
|
||||
@@ -0,0 +1,108 @@
|
||||
+
|
||||
+HOW TO START
|
||||
@ -121,9 +121,9 @@ new file mode 100644
|
||||
+ - frederic peters.
|
||||
+ - Finlay dobbie.
|
||||
+ - Stefan Fisher.
|
||||
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
--- a/openssh-6.2p2/Makefile.in
|
||||
+++ b/openssh-6.2p2/Makefile.in
|
||||
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
|
||||
--- a/openssh-6.4p1/Makefile.in
|
||||
+++ b/openssh-6.4p1/Makefile.in
|
||||
@@ -20,16 +20,18 @@ srcdir=@srcdir@
|
||||
top_srcdir=@top_srcdir@
|
||||
|
||||
@ -185,7 +185,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
PATHSUBS = \
|
||||
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
|
||||
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
||||
@@ -162,16 +166,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
|
||||
@@ -164,16 +168,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
|
||||
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
@ -205,7 +205,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
@@ -263,30 +270,38 @@ install-files:
|
||||
@@ -266,30 +273,38 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||
@ -244,7 +244,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
install-sysconf:
|
||||
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
|
||||
@@ -306,16 +321,23 @@ install-sysconf:
|
||||
@@ -309,16 +324,23 @@ install-sysconf:
|
||||
echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
|
||||
mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
|
||||
else \
|
||||
@ -268,7 +268,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
else \
|
||||
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
|
||||
fi ; \
|
||||
@@ -363,27 +385,30 @@ uninstall:
|
||||
@@ -366,27 +388,30 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||
@ -294,15 +294,15 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
|
||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
|
||||
$(CC) $(CPPFLAGS) -o $@ $? \
|
||||
$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
|
||||
diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
|
||||
--- a/openssh-6.2p2/configure.ac
|
||||
+++ b/openssh-6.2p2/configure.ac
|
||||
@@ -1504,16 +1504,116 @@ AC_ARG_WITH([audit],
|
||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
|
||||
[ -f `pwd`/regress/Makefile ] || \
|
||||
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
|
||||
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
|
||||
--- a/openssh-6.4p1/configure.ac
|
||||
+++ b/openssh-6.4p1/configure.ac
|
||||
@@ -1519,16 +1519,116 @@ AC_ARG_WITH([audit],
|
||||
AC_MSG_RESULT([no])
|
||||
;;
|
||||
*)
|
||||
@ -419,10 +419,10 @@ diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
|
||||
asprintf \
|
||||
b64_ntop \
|
||||
__b64_ntop \
|
||||
diff --git a/openssh-6.2p2/ldap-helper.c b/openssh-6.2p2/ldap-helper.c
|
||||
diff --git a/openssh-6.4p1/ldap-helper.c b/openssh-6.4p1/ldap-helper.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldap-helper.c
|
||||
+++ b/openssh-6.4p1/ldap-helper.c
|
||||
@@ -0,0 +1,155 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -579,10 +579,10 @@ new file mode 100644
|
||||
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
|
||||
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
|
||||
+
|
||||
diff --git a/openssh-6.2p2/ldap-helper.h b/openssh-6.2p2/ldap-helper.h
|
||||
diff --git a/openssh-6.4p1/ldap-helper.h b/openssh-6.4p1/ldap-helper.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldap-helper.h
|
||||
+++ b/openssh-6.4p1/ldap-helper.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -616,10 +616,10 @@ new file mode 100644
|
||||
+extern int config_warning_config_file;
|
||||
+
|
||||
+#endif /* LDAP_HELPER_H */
|
||||
diff --git a/openssh-6.2p2/ldap.conf b/openssh-6.2p2/ldap.conf
|
||||
diff --git a/openssh-6.4p1/ldap.conf b/openssh-6.4p1/ldap.conf
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldap.conf
|
||||
+++ b/openssh-6.4p1/ldap.conf
|
||||
@@ -0,0 +1,88 @@
|
||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||
+#
|
||||
@ -709,10 +709,10 @@ new file mode 100644
|
||||
+#tls_cert
|
||||
+#tls_key
|
||||
+
|
||||
diff --git a/openssh-6.2p2/ldapbody.c b/openssh-6.2p2/ldapbody.c
|
||||
diff --git a/openssh-6.4p1/ldapbody.c b/openssh-6.4p1/ldapbody.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldapbody.c
|
||||
+++ b/openssh-6.4p1/ldapbody.c
|
||||
@@ -0,0 +1,494 @@
|
||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -873,7 +873,7 @@ new file mode 100644
|
||||
+ if ((logfile = fopen (logfilename, "a")) == NULL)
|
||||
+ fatal ("cannot append to %s: %s", logfilename, strerror (errno));
|
||||
+ debug3 ("LDAP debug into %s", logfilename);
|
||||
+ xfree (logfilename);
|
||||
+ free (logfilename);
|
||||
+ ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
|
||||
+ }
|
||||
+#endif
|
||||
@ -1162,12 +1162,12 @@ new file mode 100644
|
||||
+ timeout.tv_usec = 0;
|
||||
+ if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
|
||||
+ error ("ldap_search_st(): %s", ldap_err2string (rc));
|
||||
+ xfree (buffer);
|
||||
+ free (buffer);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /* free */
|
||||
+ xfree (buffer);
|
||||
+ free (buffer);
|
||||
+
|
||||
+ for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
|
||||
+ int num;
|
||||
@ -1208,10 +1208,10 @@ new file mode 100644
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
diff --git a/openssh-6.2p2/ldapbody.h b/openssh-6.2p2/ldapbody.h
|
||||
diff --git a/openssh-6.4p1/ldapbody.h b/openssh-6.4p1/ldapbody.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldapbody.h
|
||||
+++ b/openssh-6.4p1/ldapbody.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1250,10 +1250,10 @@ new file mode 100644
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
diff --git a/openssh-6.2p2/ldapconf.c b/openssh-6.2p2/ldapconf.c
|
||||
diff --git a/openssh-6.4p1/ldapconf.c b/openssh-6.4p1/ldapconf.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldapconf.c
|
||||
+++ b/openssh-6.4p1/ldapconf.c
|
||||
@@ -0,0 +1,682 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1937,10 +1937,10 @@ new file mode 100644
|
||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||
+}
|
||||
+
|
||||
diff --git a/openssh-6.2p2/ldapconf.h b/openssh-6.2p2/ldapconf.h
|
||||
diff --git a/openssh-6.4p1/ldapconf.h b/openssh-6.4p1/ldapconf.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldapconf.h
|
||||
+++ b/openssh-6.4p1/ldapconf.h
|
||||
@@ -0,0 +1,71 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2013,10 +2013,10 @@ new file mode 100644
|
||||
+void dump_config(void);
|
||||
+
|
||||
+#endif /* LDAPCONF_H */
|
||||
diff --git a/openssh-6.2p2/ldapincludes.h b/openssh-6.2p2/ldapincludes.h
|
||||
diff --git a/openssh-6.4p1/ldapincludes.h b/openssh-6.4p1/ldapincludes.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldapincludes.h
|
||||
+++ b/openssh-6.4p1/ldapincludes.h
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2059,10 +2059,10 @@ new file mode 100644
|
||||
+#endif
|
||||
+
|
||||
+#endif /* LDAPINCLUDES_H */
|
||||
diff --git a/openssh-6.2p2/ldapmisc.c b/openssh-6.2p2/ldapmisc.c
|
||||
diff --git a/openssh-6.4p1/ldapmisc.c b/openssh-6.4p1/ldapmisc.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldapmisc.c
|
||||
+++ b/openssh-6.4p1/ldapmisc.c
|
||||
@@ -0,0 +1,79 @@
|
||||
+
|
||||
+#include "ldapincludes.h"
|
||||
@ -2143,10 +2143,10 @@ new file mode 100644
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
diff --git a/openssh-6.2p2/ldapmisc.h b/openssh-6.2p2/ldapmisc.h
|
||||
diff --git a/openssh-6.4p1/ldapmisc.h b/openssh-6.4p1/ldapmisc.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ldapmisc.h
|
||||
+++ b/openssh-6.4p1/ldapmisc.h
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2183,9 +2183,9 @@ new file mode 100644
|
||||
+
|
||||
+#endif /* LDAPMISC_H */
|
||||
+
|
||||
diff --git a/openssh-6.2p2/openbsd-compat/base64.c b/openssh-6.2p2/openbsd-compat/base64.c
|
||||
--- a/openssh-6.2p2/openbsd-compat/base64.c
|
||||
+++ b/openssh-6.2p2/openbsd-compat/base64.c
|
||||
diff --git a/openssh-6.4p1/openbsd-compat/base64.c b/openssh-6.4p1/openbsd-compat/base64.c
|
||||
--- a/openssh-6.4p1/openbsd-compat/base64.c
|
||||
+++ b/openssh-6.4p1/openbsd-compat/base64.c
|
||||
@@ -41,17 +41,17 @@
|
||||
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
|
||||
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
|
||||
@ -2243,9 +2243,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/base64.c b/openssh-6.2p2/openbsd-compa
|
||||
*/
|
||||
|
||||
int
|
||||
diff --git a/openssh-6.2p2/openbsd-compat/base64.h b/openssh-6.2p2/openbsd-compat/base64.h
|
||||
--- a/openssh-6.2p2/openbsd-compat/base64.h
|
||||
+++ b/openssh-6.2p2/openbsd-compat/base64.h
|
||||
diff --git a/openssh-6.4p1/openbsd-compat/base64.h b/openssh-6.4p1/openbsd-compat/base64.h
|
||||
--- a/openssh-6.4p1/openbsd-compat/base64.h
|
||||
+++ b/openssh-6.4p1/openbsd-compat/base64.h
|
||||
@@ -42,24 +42,24 @@
|
||||
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
|
||||
*/
|
||||
@ -2275,10 +2275,10 @@ diff --git a/openssh-6.2p2/openbsd-compat/base64.h b/openssh-6.2p2/openbsd-compa
|
||||
#endif /* HAVE___B64_PTON */
|
||||
|
||||
#endif /* _BSD_BASE64_H */
|
||||
diff --git a/openssh-6.2p2/openssh-lpk-openldap.schema b/openssh-6.2p2/openssh-lpk-openldap.schema
|
||||
diff --git a/openssh-6.4p1/openssh-lpk-openldap.schema b/openssh-6.4p1/openssh-lpk-openldap.schema
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/openssh-lpk-openldap.schema
|
||||
+++ b/openssh-6.4p1/openssh-lpk-openldap.schema
|
||||
@@ -0,0 +1,21 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2301,10 +2301,10 @@ new file mode 100644
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
diff --git a/openssh-6.2p2/openssh-lpk-sun.schema b/openssh-6.2p2/openssh-lpk-sun.schema
|
||||
diff --git a/openssh-6.4p1/openssh-lpk-sun.schema b/openssh-6.4p1/openssh-lpk-sun.schema
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/openssh-lpk-sun.schema
|
||||
+++ b/openssh-6.4p1/openssh-lpk-sun.schema
|
||||
@@ -0,0 +1,23 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2329,10 +2329,10 @@ new file mode 100644
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
diff --git a/openssh-6.2p2/ssh-ldap-helper.8 b/openssh-6.2p2/ssh-ldap-helper.8
|
||||
diff --git a/openssh-6.4p1/ssh-ldap-helper.8 b/openssh-6.4p1/ssh-ldap-helper.8
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ssh-ldap-helper.8
|
||||
+++ b/openssh-6.4p1/ssh-ldap-helper.8
|
||||
@@ -0,0 +1,79 @@
|
||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2413,19 +2413,19 @@ new file mode 100644
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
diff --git a/openssh-6.2p2/ssh-ldap-wrapper b/openssh-6.2p2/ssh-ldap-wrapper
|
||||
diff --git a/openssh-6.4p1/ssh-ldap-wrapper b/openssh-6.4p1/ssh-ldap-wrapper
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ssh-ldap-wrapper
|
||||
+++ b/openssh-6.4p1/ssh-ldap-wrapper
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
|
||||
+
|
||||
diff --git a/openssh-6.2p2/ssh-ldap.conf.5 b/openssh-6.2p2/ssh-ldap.conf.5
|
||||
diff --git a/openssh-6.4p1/ssh-ldap.conf.5 b/openssh-6.4p1/ssh-ldap.conf.5
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/ssh-ldap.conf.5
|
||||
+++ b/openssh-6.4p1/ssh-ldap.conf.5
|
||||
@@ -0,0 +1,376 @@
|
||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
@ -4,10 +4,10 @@
|
||||
#
|
||||
# bnc#833605
|
||||
|
||||
diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
|
||||
--- a/openssh-6.2p2/configure.ac
|
||||
+++ b/openssh-6.2p2/configure.ac
|
||||
@@ -666,16 +666,18 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
|
||||
--- a/openssh-6.4p1/configure.ac
|
||||
+++ b/openssh-6.4p1/configure.ac
|
||||
@@ -657,16 +657,18 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
|
||||
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
|
||||
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
|
@ -1,9 +1,9 @@
|
||||
# Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
@@ -1911,17 +1911,17 @@ main(int ac, char **av)
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -1959,17 +1959,17 @@ main(int ac, char **av)
|
||||
signal(SIGCHLD, main_sigchld_handler);
|
||||
signal(SIGTERM, sigterm_handler);
|
||||
signal(SIGQUIT, sigterm_handler);
|
@ -2,10 +2,10 @@
|
||||
# UsePAM is used
|
||||
# bnc#708678, FATE#312033
|
||||
|
||||
diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
|
||||
--- a/openssh-6.2p2/auth.c
|
||||
+++ b/openssh-6.2p2/auth.c
|
||||
@@ -102,17 +102,17 @@ allowed_user(struct passwd * pw)
|
||||
diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
|
||||
--- a/openssh-6.4p1/auth.c
|
||||
+++ b/openssh-6.4p1/auth.c
|
||||
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
|
||||
struct spwd *spw = NULL;
|
||||
#endif
|
||||
|
||||
@ -24,7 +24,7 @@ diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
|
||||
#endif /* USE_SHADOW */
|
||||
|
||||
/* grab passwd field for locked account check */
|
||||
@@ -122,17 +122,17 @@ allowed_user(struct passwd * pw)
|
||||
@@ -123,17 +123,17 @@ allowed_user(struct passwd * pw)
|
||||
#ifdef USE_LIBIAF
|
||||
passwd = get_iaf_password(pw);
|
||||
#else
|
||||
@ -43,10 +43,10 @@ diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
|
||||
#endif
|
||||
#ifdef LOCKED_PASSWD_PREFIX
|
||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
||||
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
--- a/openssh-6.2p2/servconf.c
|
||||
+++ b/openssh-6.2p2/servconf.c
|
||||
@@ -62,16 +62,17 @@ extern Buffer cfg;
|
||||
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
|
||||
--- a/openssh-6.4p1/servconf.c
|
||||
+++ b/openssh-6.4p1/servconf.c
|
||||
@@ -66,16 +66,17 @@ extern Buffer cfg;
|
||||
|
||||
void
|
||||
initialize_server_options(ServerOptions *options)
|
||||
@ -64,7 +64,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
options->address_family = -1;
|
||||
options->num_host_key_files = 0;
|
||||
options->num_host_cert_files = 0;
|
||||
@@ -150,16 +151,18 @@ initialize_server_options(ServerOptions
|
||||
@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions
|
||||
}
|
||||
|
||||
void
|
||||
@ -83,7 +83,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
/* fill default hostkeys for protocols */
|
||||
if (options->protocol & SSH_PROTO_1)
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
@@ -304,17 +307,17 @@ fill_default_server_options(ServerOption
|
||||
@@ -315,17 +318,17 @@ fill_default_server_options(ServerOption
|
||||
#endif
|
||||
|
||||
}
|
||||
@ -102,7 +102,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
sKerberosGetAFSToken,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
@@ -349,18 +352,20 @@ typedef enum {
|
||||
@@ -360,18 +363,20 @@ typedef enum {
|
||||
static struct {
|
||||
const char *name;
|
||||
ServerOpCodes opcode;
|
||||
@ -121,9 +121,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
{ "port", sPort, SSHCFG_GLOBAL },
|
||||
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
|
||||
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
||||
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
||||
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
||||
{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
|
||||
@@ -844,16 +849,19 @@ process_server_config_line(ServerOptions
|
||||
@@ -857,16 +862,19 @@ process_server_config_line(ServerOptions
|
||||
}
|
||||
}
|
||||
|
||||
@ -143,10 +143,10 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
|
||||
/* ignore ports from configfile if cmdline specifies ports */
|
||||
if (options->ports_from_cmdline)
|
||||
return 0;
|
||||
diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
|
||||
--- a/openssh-6.2p2/servconf.h
|
||||
+++ b/openssh-6.2p2/servconf.h
|
||||
@@ -160,16 +160,17 @@ typedef struct {
|
||||
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
|
||||
--- a/openssh-6.4p1/servconf.h
|
||||
+++ b/openssh-6.4p1/servconf.h
|
||||
@@ -161,16 +161,17 @@ typedef struct {
|
||||
*/
|
||||
|
||||
u_int num_authkeys_files; /* Files containing public keys */
|
||||
@ -164,10 +164,10 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0
|
||||
--- a/openssh-6.2p2/sshd_config.0
|
||||
+++ b/openssh-6.2p2/sshd_config.0
|
||||
@@ -673,16 +673,24 @@ DESCRIPTION
|
||||
diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
|
||||
--- a/openssh-6.4p1/sshd_config.0
|
||||
+++ b/openssh-6.4p1/sshd_config.0
|
||||
@@ -706,16 +706,24 @@ DESCRIPTION
|
||||
|
||||
Because PAM challenge-response authentication usually serves an
|
||||
equivalent role to password authentication, you should disable
|
||||
@ -192,10 +192,10 @@ diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0
|
||||
privilege separation is to prevent privilege escalation by
|
||||
containing any corruption within the unprivileged processes. The
|
||||
default is ``yes''. If UsePrivilegeSeparation is set to
|
||||
diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
|
||||
--- a/openssh-6.2p2/sshd_config.5
|
||||
+++ b/openssh-6.2p2/sshd_config.5
|
||||
@@ -1141,16 +1141,28 @@ or
|
||||
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
|
||||
--- a/openssh-6.4p1/sshd_config.5
|
||||
+++ b/openssh-6.4p1/sshd_config.5
|
||||
@@ -1178,16 +1178,28 @@ or
|
||||
.Pp
|
||||
If
|
||||
.Cm UsePAM
|
@ -1,10 +1,10 @@
|
||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||
# bnc#46749
|
||||
|
||||
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
|
||||
--- a/openssh-6.2p2/sshd_config
|
||||
+++ b/openssh-6.2p2/sshd_config
|
||||
@@ -60,17 +60,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
|
||||
--- a/openssh-6.4p1/sshd_config
|
||||
+++ b/openssh-6.4p1/sshd_config
|
||||
@@ -63,17 +63,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#HostbasedAuthentication no
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
@ -23,7 +23,7 @@ diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
@@ -85,17 +85,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -88,17 +88,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
@ -1,10 +1,10 @@
|
||||
# posix threads are generally not supported nor safe
|
||||
# (see upstream log from 2005-05-24)
|
||||
|
||||
diff --git a/openssh-6.2p2/auth-pam.c b/openssh-6.2p2/auth-pam.c
|
||||
--- a/openssh-6.2p2/auth-pam.c
|
||||
+++ b/openssh-6.2p2/auth-pam.c
|
||||
@@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha
|
||||
diff --git a/openssh-6.4p1/auth-pam.c b/openssh-6.4p1/auth-pam.c
|
||||
--- a/openssh-6.4p1/auth-pam.c
|
||||
+++ b/openssh-6.4p1/auth-pam.c
|
||||
@@ -779,17 +779,19 @@ sshpam_query(void *ctx, char **name, cha
|
||||
}
|
||||
if (type == PAM_SUCCESS) {
|
||||
if (!sshpam_authctxt->valid ||
|
||||
@ -19,7 +19,7 @@ diff --git a/openssh-6.2p2/auth-pam.c b/openssh-6.2p2/auth-pam.c
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
ctxt->pam_done = 1;
|
||||
xfree(msg);
|
||||
free(msg);
|
||||
return (0);
|
||||
}
|
||||
error("PAM: %s for %s%.100s from %.100s", msg,
|
@ -1,9 +1,9 @@
|
||||
# use same lines naming as utempter (prevents problems with using different
|
||||
# formats in ?tmp? files)
|
||||
|
||||
diff --git a/openssh-6.2p2/loginrec.c b/openssh-6.2p2/loginrec.c
|
||||
--- a/openssh-6.2p2/loginrec.c
|
||||
+++ b/openssh-6.2p2/loginrec.c
|
||||
diff --git a/openssh-6.4p1/loginrec.c b/openssh-6.4p1/loginrec.c
|
||||
--- a/openssh-6.4p1/loginrec.c
|
||||
+++ b/openssh-6.4p1/loginrec.c
|
||||
@@ -535,17 +535,17 @@ getlast_entry(struct logininfo *li)
|
||||
/*
|
||||
* 'line' string utility functions
|
@ -1,9 +1,9 @@
|
||||
# related to bnc#49845, upstream bug #529
|
||||
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
@@ -303,16 +303,17 @@ sighup_handler(int sig)
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -309,16 +309,17 @@ sighup_handler(int sig)
|
||||
|
||||
/*
|
||||
* Called from the main program after receiving SIGHUP.
|
||||
@ -21,7 +21,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
execv(saved_argv[0], saved_argv);
|
||||
logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
|
||||
strerror(errno));
|
||||
@@ -1355,17 +1356,21 @@ main(int ac, char **av)
|
||||
@@ -1382,17 +1383,21 @@ main(int ac, char **av)
|
||||
saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
|
||||
for (i = 0; i < ac; i++)
|
||||
saved_argv[i] = xstrdup(av[i]);
|
@ -1,9 +1,9 @@
|
||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
||||
# bnc#703221, FATE#312172
|
||||
|
||||
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
--- a/openssh-6.2p2/audit-bsm.c
|
||||
+++ b/openssh-6.2p2/audit-bsm.c
|
||||
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
|
||||
--- a/openssh-6.4p1/audit-bsm.c
|
||||
+++ b/openssh-6.4p1/audit-bsm.c
|
||||
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
|
||||
/* not implemented */
|
||||
}
|
||||
@ -20,9 +20,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
--- a/openssh-6.2p2/audit-linux.c
|
||||
+++ b/openssh-6.2p2/audit-linux.c
|
||||
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
|
||||
--- a/openssh-6.4p1/audit-linux.c
|
||||
+++ b/openssh-6.4p1/audit-linux.c
|
||||
@@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons
|
||||
}
|
||||
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
||||
@ -55,9 +55,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
--- a/openssh-6.2p2/audit.c
|
||||
+++ b/openssh-6.2p2/audit.c
|
||||
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
|
||||
--- a/openssh-6.4p1/audit.c
|
||||
+++ b/openssh-6.4p1/audit.c
|
||||
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
|
||||
/*
|
||||
* This will be called on generation of the ephemeral server key
|
||||
@ -75,9 +75,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
--- a/openssh-6.2p2/audit.h
|
||||
+++ b/openssh-6.2p2/audit.h
|
||||
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
|
||||
--- a/openssh-6.4p1/audit.h
|
||||
+++ b/openssh-6.4p1/audit.h
|
||||
@@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *);
|
||||
void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
@ -90,9 +90,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
|
||||
+void audit_linux_prng_seed(long, const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c
|
||||
--- a/openssh-6.2p2/entropy.c
|
||||
+++ b/openssh-6.2p2/entropy.c
|
||||
diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c
|
||||
--- a/openssh-6.4p1/entropy.c
|
||||
+++ b/openssh-6.4p1/entropy.c
|
||||
@@ -45,16 +45,17 @@
|
||||
|
||||
#include "ssh.h"
|
||||
@ -126,15 +126,15 @@ diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
diff --git a/openssh-6.2p2/openbsd-compat/Makefile.in b/openssh-6.2p2/openbsd-compat/Makefile.in
|
||||
--- a/openssh-6.2p2/openbsd-compat/Makefile.in
|
||||
+++ b/openssh-6.2p2/openbsd-compat/Makefile.in
|
||||
diff --git a/openssh-6.4p1/openbsd-compat/Makefile.in b/openssh-6.4p1/openbsd-compat/Makefile.in
|
||||
--- a/openssh-6.4p1/openbsd-compat/Makefile.in
|
||||
+++ b/openssh-6.4p1/openbsd-compat/Makefile.in
|
||||
@@ -15,17 +15,17 @@ AR=@AR@
|
||||
RANLIB=@RANLIB@
|
||||
INSTALL=@INSTALL@
|
||||
LDFLAGS=-L. @LDFLAGS@
|
||||
|
||||
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
|
||||
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
|
||||
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
|
||||
@ -148,10 +148,10 @@ diff --git a/openssh-6.2p2/openbsd-compat/Makefile.in b/openssh-6.2p2/openbsd-co
|
||||
|
||||
$(COMPAT): ../config.h
|
||||
$(OPENBSD): ../config.h
|
||||
diff --git a/openssh-6.2p2/openbsd-compat/port-linux-prng.c b/openssh-6.2p2/openbsd-compat/port-linux-prng.c
|
||||
diff --git a/openssh-6.4p1/openbsd-compat/port-linux-prng.c b/openssh-6.4p1/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/openbsd-compat/port-linux-prng.c
|
||||
+++ b/openssh-6.4p1/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,79 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
||||
@ -232,9 +232,9 @@ new file mode 100644
|
||||
+ fatal ("EOF reading %s", random);
|
||||
+ }
|
||||
+}
|
||||
diff --git a/openssh-6.2p2/openbsd-compat/port-linux.h b/openssh-6.2p2/openbsd-compat/port-linux.h
|
||||
--- a/openssh-6.2p2/openbsd-compat/port-linux.h
|
||||
+++ b/openssh-6.2p2/openbsd-compat/port-linux.h
|
||||
diff --git a/openssh-6.4p1/openbsd-compat/port-linux.h b/openssh-6.4p1/openbsd-compat/port-linux.h
|
||||
--- a/openssh-6.4p1/openbsd-compat/port-linux.h
|
||||
+++ b/openssh-6.4p1/openbsd-compat/port-linux.h
|
||||
@@ -14,16 +14,20 @@
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
@ -256,9 +256,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/port-linux.h b/openssh-6.2p2/openbsd-c
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
#endif
|
||||
|
||||
diff --git a/openssh-6.2p2/ssh-add.1 b/openssh-6.2p2/ssh-add.1
|
||||
--- a/openssh-6.2p2/ssh-add.1
|
||||
+++ b/openssh-6.2p2/ssh-add.1
|
||||
diff --git a/openssh-6.4p1/ssh-add.1 b/openssh-6.4p1/ssh-add.1
|
||||
--- a/openssh-6.4p1/ssh-add.1
|
||||
+++ b/openssh-6.4p1/ssh-add.1
|
||||
@@ -155,16 +155,30 @@ or related script.
|
||||
(Note that on some machines it
|
||||
may be necessary to redirect the input from
|
||||
@ -290,9 +290,9 @@ diff --git a/openssh-6.2p2/ssh-add.1 b/openssh-6.2p2/ssh-add.1
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
Contains the protocol version 2 DSA authentication identity of the user.
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
diff --git a/openssh-6.2p2/ssh-agent.1 b/openssh-6.2p2/ssh-agent.1
|
||||
--- a/openssh-6.2p2/ssh-agent.1
|
||||
+++ b/openssh-6.2p2/ssh-agent.1
|
||||
diff --git a/openssh-6.4p1/ssh-agent.1 b/openssh-6.4p1/ssh-agent.1
|
||||
--- a/openssh-6.4p1/ssh-agent.1
|
||||
+++ b/openssh-6.4p1/ssh-agent.1
|
||||
@@ -193,16 +193,33 @@ Contains the protocol version 2 ECDSA au
|
||||
.It Pa ~/.ssh/id_rsa
|
||||
Contains the protocol version 2 RSA authentication identity of the user.
|
||||
@ -327,10 +327,10 @@ diff --git a/openssh-6.2p2/ssh-agent.1 b/openssh-6.2p2/ssh-agent.1
|
||||
.Sh AUTHORS
|
||||
OpenSSH is a derivative of the original and free
|
||||
ssh 1.2.12 release by Tatu Ylonen.
|
||||
diff --git a/openssh-6.2p2/ssh-keygen.1 b/openssh-6.2p2/ssh-keygen.1
|
||||
--- a/openssh-6.2p2/ssh-keygen.1
|
||||
+++ b/openssh-6.2p2/ssh-keygen.1
|
||||
@@ -801,16 +801,33 @@ on all machines
|
||||
diff --git a/openssh-6.4p1/ssh-keygen.1 b/openssh-6.4p1/ssh-keygen.1
|
||||
--- a/openssh-6.4p1/ssh-keygen.1
|
||||
+++ b/openssh-6.4p1/ssh-keygen.1
|
||||
@@ -800,16 +800,33 @@ on all machines
|
||||
where the user wishes to log in using public key authentication.
|
||||
There is no need to keep the contents of this file secret.
|
||||
.Pp
|
||||
@ -364,9 +364,9 @@ diff --git a/openssh-6.2p2/ssh-keygen.1 b/openssh-6.2p2/ssh-keygen.1
|
||||
.Xr sshd 8
|
||||
.Rs
|
||||
.%R RFC 4716
|
||||
diff --git a/openssh-6.2p2/ssh-keysign.8 b/openssh-6.2p2/ssh-keysign.8
|
||||
--- a/openssh-6.2p2/ssh-keysign.8
|
||||
+++ b/openssh-6.2p2/ssh-keysign.8
|
||||
diff --git a/openssh-6.4p1/ssh-keysign.8 b/openssh-6.4p1/ssh-keysign.8
|
||||
--- a/openssh-6.4p1/ssh-keysign.8
|
||||
+++ b/openssh-6.4p1/ssh-keysign.8
|
||||
@@ -73,16 +73,33 @@ Since they are readable only by root,
|
||||
must be set-uid root if host-based authentication is used.
|
||||
.Pp
|
||||
@ -401,10 +401,10 @@ diff --git a/openssh-6.2p2/ssh-keysign.8 b/openssh-6.2p2/ssh-keysign.8
|
||||
.Sh HISTORY
|
||||
.Nm
|
||||
first appeared in
|
||||
diff --git a/openssh-6.2p2/ssh.1 b/openssh-6.2p2/ssh.1
|
||||
--- a/openssh-6.2p2/ssh.1
|
||||
+++ b/openssh-6.2p2/ssh.1
|
||||
@@ -1272,16 +1272,30 @@ reads
|
||||
diff --git a/openssh-6.4p1/ssh.1 b/openssh-6.4p1/ssh.1
|
||||
--- a/openssh-6.4p1/ssh.1
|
||||
+++ b/openssh-6.4p1/ssh.1
|
||||
@@ -1290,16 +1290,30 @@ reads
|
||||
and adds lines of the format
|
||||
.Dq VARNAME=value
|
||||
to the environment if the file exists and users are allowed to
|
||||
@ -435,10 +435,10 @@ diff --git a/openssh-6.2p2/ssh.1 b/openssh-6.2p2/ssh.1
|
||||
world-readable if the user's home directory is on an NFS partition,
|
||||
because
|
||||
.Xr sshd 8
|
||||
diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
|
||||
--- a/openssh-6.2p2/sshd.8
|
||||
+++ b/openssh-6.2p2/sshd.8
|
||||
@@ -940,16 +940,33 @@ and not group or world-writable.
|
||||
diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
|
||||
--- a/openssh-6.4p1/sshd.8
|
||||
+++ b/openssh-6.4p1/sshd.8
|
||||
@@ -941,16 +941,33 @@ and not group or world-writable.
|
||||
.It Pa /var/run/sshd.pid
|
||||
Contains the process ID of the
|
||||
.Nm
|
||||
@ -472,9 +472,9 @@ diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
|
||||
.Xr ssh-agent 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
--- a/openssh-6.2p2/sshd.c
|
||||
+++ b/openssh-6.2p2/sshd.c
|
||||
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
|
||||
--- a/openssh-6.4p1/sshd.c
|
||||
+++ b/openssh-6.4p1/sshd.c
|
||||
@@ -50,16 +50,18 @@
|
||||
#ifdef HAVE_SYS_STAT_H
|
||||
# include <sys/stat.h>
|
||||
@ -494,8 +494,8 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
#ifdef HAVE_PATHS_H
|
||||
#include <paths.h>
|
||||
#endif
|
||||
@@ -209,16 +211,23 @@ struct {
|
||||
Key **host_keys; /* all private host keys */
|
||||
@@ -215,16 +217,23 @@ struct {
|
||||
Key **host_pubkeys; /* all public host keys */
|
||||
Key **host_certificates; /* all public host certificates */
|
||||
int have_ssh1_key;
|
||||
int have_ssh2_key;
|
||||
@ -518,7 +518,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
|
||||
/* This is set to true when a signal is received. */
|
||||
static volatile sig_atomic_t received_sighup = 0;
|
||||
static volatile sig_atomic_t received_sigterm = 0;
|
||||
@@ -1275,16 +1284,21 @@ server_accept_loop(int *sock_in, int *so
|
||||
@@ -1300,16 +1309,21 @@ server_accept_loop(int *sock_in, int *so
|
||||
for (j = 0; j < options.max_startups; j++)
|
||||
if (startup_pipes[j] == -1) {
|
||||
startup_pipes[j] = startup_p[0];
|
@ -1,10 +1,10 @@
|
||||
# send locales in default configuration
|
||||
# bnc#65747
|
||||
|
||||
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
--- a/openssh-6.2p2/ssh_config
|
||||
+++ b/openssh-6.2p2/ssh_config
|
||||
@@ -58,8 +58,13 @@ ForwardX11Trusted yes
|
||||
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
|
||||
--- a/openssh-6.4p1/ssh_config
|
||||
+++ b/openssh-6.4p1/ssh_config
|
||||
@@ -58,9 +58,14 @@ ForwardX11Trusted yes
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
|
||||
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
|
||||
@ -18,10 +18,11 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
|
||||
+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+SendEnv LC_IDENTIFICATION LC_ALL
|
||||
+
|
||||
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
|
||||
--- a/openssh-6.2p2/sshd_config
|
||||
+++ b/openssh-6.2p2/sshd_config
|
||||
@@ -122,13 +122,18 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
# RekeyLimit 1G 1h
|
||||
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
|
||||
--- a/openssh-6.4p1/sshd_config
|
||||
+++ b/openssh-6.4p1/sshd_config
|
||||
@@ -125,13 +125,18 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
#VersionAddendum none
|
||||
|
||||
# no default banner path
|
@ -1,9 +1,9 @@
|
||||
# run sftp sessions inside a chroot
|
||||
|
||||
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
--- a/openssh-6.2p2/session.c
|
||||
+++ b/openssh-6.2p2/session.c
|
||||
@@ -119,16 +119,18 @@ int do_exec(Session *, const char *);
|
||||
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
|
||||
--- a/openssh-6.4p1/session.c
|
||||
+++ b/openssh-6.4p1/session.c
|
||||
@@ -120,16 +120,18 @@ int do_exec(Session *, const char *);
|
||||
void do_login(Session *, const char *);
|
||||
#ifdef LOGIN_NEEDS_UTMPX
|
||||
static void do_pre_login(Session *s);
|
||||
@ -179,10 +179,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
do_setusercontext(struct passwd *pw)
|
||||
{
|
||||
char *chroot_path, *tmp;
|
||||
diff --git a/openssh-6.2p2/sftp-chrootenv.h b/openssh-6.2p2/sftp-chrootenv.h
|
||||
diff --git a/openssh-6.4p1/sftp-chrootenv.h b/openssh-6.4p1/sftp-chrootenv.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-6.2p2/sftp-chrootenv.h
|
||||
+++ b/openssh-6.4p1/sftp-chrootenv.h
|
||||
@@ -0,0 +1,30 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
|
||||
@ -214,9 +214,9 @@ new file mode 100644
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
diff --git a/openssh-6.2p2/sftp-common.c b/openssh-6.2p2/sftp-common.c
|
||||
--- a/openssh-6.2p2/sftp-common.c
|
||||
+++ b/openssh-6.2p2/sftp-common.c
|
||||
diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c
|
||||
--- a/openssh-6.4p1/sftp-common.c
|
||||
+++ b/openssh-6.4p1/sftp-common.c
|
||||
@@ -41,16 +41,17 @@
|
||||
#endif
|
||||
|
||||
@ -261,9 +261,9 @@ diff --git a/openssh-6.2p2/sftp-common.c b/openssh-6.2p2/sftp-common.c
|
||||
if (ltime != NULL) {
|
||||
if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
|
||||
sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
|
||||
diff --git a/openssh-6.2p2/sftp-server-main.c b/openssh-6.2p2/sftp-server-main.c
|
||||
--- a/openssh-6.2p2/sftp-server-main.c
|
||||
+++ b/openssh-6.2p2/sftp-server-main.c
|
||||
diff --git a/openssh-6.4p1/sftp-server-main.c b/openssh-6.4p1/sftp-server-main.c
|
||||
--- a/openssh-6.4p1/sftp-server-main.c
|
||||
+++ b/openssh-6.4p1/sftp-server-main.c
|
||||
@@ -17,21 +17,24 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -289,10 +289,10 @@ diff --git a/openssh-6.2p2/sftp-server-main.c b/openssh-6.2p2/sftp-server-main.c
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
diff --git a/openssh-6.2p2/sftp.c b/openssh-6.2p2/sftp.c
|
||||
--- a/openssh-6.2p2/sftp.c
|
||||
+++ b/openssh-6.2p2/sftp.c
|
||||
@@ -97,16 +97,18 @@ struct complete_ctx {
|
||||
diff --git a/openssh-6.4p1/sftp.c b/openssh-6.4p1/sftp.c
|
||||
--- a/openssh-6.4p1/sftp.c
|
||||
+++ b/openssh-6.4p1/sftp.c
|
||||
@@ -106,16 +106,18 @@ struct complete_ctx {
|
||||
char **remote_pathp;
|
||||
};
|
||||
|
||||
@ -311,10 +311,10 @@ diff --git a/openssh-6.2p2/sftp.c b/openssh-6.2p2/sftp.c
|
||||
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
|
||||
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
|
||||
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
|
||||
diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0
|
||||
--- a/openssh-6.2p2/sshd_config.0
|
||||
+++ b/openssh-6.2p2/sshd_config.0
|
||||
@@ -181,16 +181,24 @@ DESCRIPTION
|
||||
diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
|
||||
--- a/openssh-6.4p1/sshd_config.0
|
||||
+++ b/openssh-6.4p1/sshd_config.0
|
||||
@@ -189,16 +189,24 @@ DESCRIPTION
|
||||
session this requires at least a shell, typically sh(1), and
|
||||
basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
|
||||
stderr(4), arandom(4) and tty(4) devices. For file transfer
|
||||
@ -339,10 +339,10 @@ diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0
|
||||
``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
|
||||
``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
|
||||
``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
|
||||
diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
|
||||
--- a/openssh-6.2p2/sshd_config.5
|
||||
+++ b/openssh-6.2p2/sshd_config.5
|
||||
@@ -317,16 +317,27 @@ For file transfer sessions using
|
||||
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
|
||||
--- a/openssh-6.4p1/sshd_config.5
|
||||
+++ b/openssh-6.4p1/sshd_config.5
|
||||
@@ -324,16 +324,27 @@ For file transfer sessions using
|
||||
no additional configuration of the environment is necessary if the
|
||||
in-process sftp server is used,
|
||||
though sessions which use logging do require
|
@ -1,10 +1,10 @@
|
||||
# try to remove xauth cookies on logout
|
||||
# bnc#98815
|
||||
|
||||
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
--- a/openssh-6.2p2/session.c
|
||||
+++ b/openssh-6.2p2/session.c
|
||||
@@ -2473,18 +2473,50 @@ session_exit_message(Session *s, int sta
|
||||
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
|
||||
--- a/openssh-6.4p1/session.c
|
||||
+++ b/openssh-6.4p1/session.c
|
||||
@@ -2477,18 +2477,50 @@ session_exit_message(Session *s, int sta
|
||||
if (c->ostate != CHAN_OUTPUT_CLOSED)
|
||||
chan_write_failed(c);
|
||||
}
|
||||
@ -49,9 +49,9 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
+
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
if (s->term)
|
||||
xfree(s->term);
|
||||
if (s->display)
|
||||
xfree(s->display);
|
||||
if (s->x11_chanids)
|
||||
xfree(s->x11_chanids);
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
free(s->auth_display);
|
||||
free(s->auth_data);
|
||||
free(s->auth_proto);
|
@ -1,14 +1,14 @@
|
||||
# handle hostname changes when forwarding X
|
||||
# bnc#98627
|
||||
|
||||
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
--- a/openssh-6.2p2/session.c
|
||||
+++ b/openssh-6.2p2/session.c
|
||||
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
|
||||
--- a/openssh-6.4p1/session.c
|
||||
+++ b/openssh-6.4p1/session.c
|
||||
@@ -1118,17 +1118,17 @@ copy_environment(char **source, char ***
|
||||
debug3("Copy environment: %s=%s", var_name, var_val);
|
||||
child_set_env(env, envsize, var_name, var_val);
|
||||
|
||||
xfree(var_name);
|
||||
free(var_name);
|
||||
}
|
||||
}
|
||||
|
||||
@ -83,7 +83,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -1618,16 +1628,17 @@ child_close_fds(void)
|
||||
@@ -1631,16 +1641,17 @@ child_close_fds(void)
|
||||
* ids, and executing the command or shell.
|
||||
*/
|
||||
#define ARGV_MAX 10
|
||||
@ -101,7 +101,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
/* remove hostkey from the child's memory */
|
||||
destroy_sensitive_data();
|
||||
|
||||
@@ -1684,17 +1695,17 @@ do_child(Session *s, const char *command
|
||||
@@ -1697,17 +1708,17 @@ do_child(Session *s, const char *command
|
||||
* legal, and means /bin/sh.
|
||||
*/
|
||||
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
||||
@ -120,7 +120,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
|
||||
/* we have to stash the hostname before we close our socket. */
|
||||
if (options.use_login)
|
||||
hostname = get_remote_name_or_ip(utmp_len,
|
||||
@@ -1753,17 +1764,17 @@ do_child(Session *s, const char *command
|
||||
@@ -1766,17 +1777,17 @@ do_child(Session *s, const char *command
|
||||
strerror(errno));
|
||||
if (r)
|
||||
exit(1);
|
3
openssh-6.4p1.tar.gz
Normal file
3
openssh-6.4p1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2
|
||||
size 1201402
|
@ -1,3 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
|
||||
|
||||
- Update of the underlying OpenSSH to 6.4p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 19 02:02:56 UTC 2013 - pcerny@suse.com
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome
|
||||
#
|
||||
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -26,7 +26,7 @@ BuildRequires: openssl-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: tcpd-devel
|
||||
BuildRequires: update-desktop-files
|
||||
Version: 6.2p2
|
||||
Version: 6.4p1
|
||||
Release: 0
|
||||
Requires: openssh = %{version}
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
|
@ -1,3 +1,85 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
|
||||
|
||||
- Update to 6.4p1
|
||||
Features since 6.2p2:
|
||||
* ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or
|
||||
hostkeys on smartcards.
|
||||
* ssh(1)/sshd(8): allow optional time-based rekeying via a
|
||||
second argument to the existing RekeyLimit option. RekeyLimit
|
||||
is now supported in sshd_config as well as on the client.
|
||||
* sshd(8): standardise logging of information during user
|
||||
authentication.
|
||||
* The presented key/cert and the remote username (if available)
|
||||
is now logged in the authentication success/failure message on
|
||||
the same log line as the local username, remote host/port and
|
||||
protocol in use. Certificates contents and the key
|
||||
fingerprint of the signing CA are logged too.
|
||||
* ssh(1) ability to query what cryptographic algorithms are
|
||||
supported in the binary.
|
||||
* ssh(1): ProxyCommand=- for cases where stdin and stdout
|
||||
already point to the proxy.
|
||||
* ssh(1): allow IdentityFile=none
|
||||
* ssh(1)/sshd(8): -E option to append debugging logs to a
|
||||
specified file instead of stderr or syslog.
|
||||
* sftp(1): support resuming partial downloads with the "reget"
|
||||
command and on the sftp commandline or on the "get"
|
||||
commandline with the "-a" (append) option.
|
||||
* ssh(1): "IgnoreUnknown" configuration option to selectively
|
||||
suppress errors arising from unknown configuration directives.
|
||||
* sshd(8): support for submethods to be appended to required
|
||||
authentication methods listed via AuthenticationMethods.
|
||||
Bugfixes since 6.2p2:
|
||||
* sshd(8): fix refusal to accept certificate if a key of a
|
||||
different type to the CA key appeared in authorized_keys
|
||||
before the CA key.
|
||||
* ssh(1)/ssh-agent(1)/sshd(8): Use a monotonic time source for
|
||||
timers so that things like keepalives and rekeying will work
|
||||
properly over clock steps.
|
||||
* sftp(1): update progressmeter when data is acknowledged, not
|
||||
when it's sent. bz#2108
|
||||
* ssh(1)/ssh-keygen(1): improve error messages when the current
|
||||
user does not exist in /etc/passwd; bz#2125
|
||||
* ssh(1): reset the order in which public keys are tried after
|
||||
partial authentication success.
|
||||
* ssh-agent(1): clean up socket files after SIGINT when in debug
|
||||
mode; bz#2120
|
||||
* ssh(1) and others: avoid confusing error messages in the case
|
||||
of broken system resolver configurations; bz#2122
|
||||
* ssh(1): set TCP nodelay for connections started with -N;
|
||||
bz#2124
|
||||
* ssh(1): correct manual for permission requirements on
|
||||
~/.ssh/config; bz#2078
|
||||
* ssh(1): fix ControlPersist timeout not triggering in cases
|
||||
where TCP connections have hung. bz#1917
|
||||
* ssh(1): properly deatch a ControlPersist master from its
|
||||
controlling terminal.
|
||||
* sftp(1): avoid crashes in libedit when it has been compiled
|
||||
with multi- byte character support. bz#1990
|
||||
* sshd(8): when running sshd -D, close stderr unless we have
|
||||
explicitly requested logging to stderr. bz#1976,
|
||||
* ssh(1): fix incomplete bzero; bz#2100
|
||||
* sshd(8): log and error and exit if ChrootDirectory is
|
||||
specified and running without root privileges.
|
||||
* Many improvements to the regression test suite. In particular
|
||||
log files are now saved from ssh and sshd after failures.
|
||||
* Fix a number of memory leaks. bz#1967 bz#2096 and others
|
||||
* sshd(8): fix public key authentication when a :style is
|
||||
appended to the requested username.
|
||||
* ssh(1): do not fatally exit when attempting to cleanup
|
||||
multiplexing- created channels that are incompletely opened.
|
||||
bz#2079
|
||||
* sshd(8): fix a memory corruption problem triggered during
|
||||
rekeying when an AES-GCM cipher is selected
|
||||
* Fix unaligned accesses in umac.c for strict-alignment
|
||||
architectures. bz#2101
|
||||
* Fix broken incorrect commandline reporting errors. bz#1448
|
||||
* Only include SHA256 and ECC-based key exchange methods if
|
||||
libcrypto has the required support.
|
||||
* Fix crash in SOCKS5 dynamic forwarding code on
|
||||
strict-alignment architectures.
|
||||
- FIPS and GSSKEX patched disabled for now
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 4 17:50:32 UTC 2013 - pcerny@suse.com
|
||||
|
||||
|
101
openssh.spec
101
openssh.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh
|
||||
#
|
||||
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -18,10 +18,8 @@
|
||||
|
||||
%if 0%{suse_version} >= 1100
|
||||
%define has_fw_dir 1
|
||||
%define needs_xorg_libs 0
|
||||
%else
|
||||
%define has_fw_dir 0
|
||||
%define needs_xorg_libs 1
|
||||
%endif
|
||||
|
||||
%if 0%{suse_version} >= 1110
|
||||
@ -80,7 +78,7 @@ BuildRequires: openldap2-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: pam-devel
|
||||
%if %{has_systemd}
|
||||
BuildRequires: systemd
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%{?systemd_requires}
|
||||
%endif
|
||||
BuildRequires: tcpd-devel
|
||||
@ -88,8 +86,8 @@ Requires: /bin/netstat
|
||||
PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
|
||||
Conflicts: nonfreessh
|
||||
Recommends: xauth
|
||||
Recommends: %{name}-akc-ldap
|
||||
Version: 6.2p2
|
||||
Recommends: %{name}-helpers
|
||||
Version: 6.4p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-3-Clause and MIT
|
||||
@ -106,39 +104,39 @@ Source7: sshd.fw
|
||||
Source8: sysconfig.ssh
|
||||
Source9: sshd-gen-keys-start
|
||||
Source10: sshd.service
|
||||
Patch1: %{name}-%{version}-key-converter.patch
|
||||
Patch2: %{name}-%{version}-X11-forwarding.patch
|
||||
Patch3: %{name}-%{version}-lastlog.patch
|
||||
Patch4: %{name}-%{version}-pam-fix2.patch
|
||||
Patch5: %{name}-%{version}-saveargv-fix.patch
|
||||
Patch6: %{name}-%{version}-pam-fix3.patch
|
||||
Patch7: %{name}-%{version}-gssapimitm.patch
|
||||
Patch8: %{name}-%{version}-eal3.patch
|
||||
Patch9: %{name}-%{version}-blocksigalrm.patch
|
||||
Patch10: %{name}-%{version}-send_locale.patch
|
||||
Patch11: %{name}-%{version}-xauthlocalhostname.patch
|
||||
Patch12: %{name}-%{version}-xauth.patch
|
||||
Patch13: %{name}-%{version}-default-protocol.patch
|
||||
Patch14: %{name}-%{version}-pts.patch
|
||||
Patch15: %{name}-%{version}-pam-check-locks.patch
|
||||
Patch16: %{name}-%{version}-fingerprint_hash.patch
|
||||
Patch17: %{name}-%{version}-audit1-remove_duplicit_audit.patch
|
||||
Patch18: %{name}-%{version}-audit2-better_audit_of_user_actions.patch
|
||||
Patch19: %{name}-%{version}-audit3-key_auth_usage.patch
|
||||
Patch20: %{name}-%{version}-audit4-kex_results.patch
|
||||
Patch21: %{name}-%{version}-audit5-session_key_destruction.patch
|
||||
Patch22: %{name}-%{version}-audit6-server_key_destruction.patch
|
||||
Patch23: %{name}-%{version}-audit7-libaudit_compat.patch
|
||||
Patch24: %{name}-%{version}-audit8-libaudit_dns_timeouts.patch
|
||||
Patch25: %{name}-%{version}-seed-prng.patch
|
||||
Patch26: %{name}-%{version}-ldap.patch
|
||||
Patch27: %{name}-%{version}-fips.patch
|
||||
Patch28: %{name}-%{version}-gssapi_key_exchange.patch
|
||||
Patch29: %{name}-%{version}-login_options.patch
|
||||
Patch30: %{name}-%{version}-disable-openssl-abi-check.patch
|
||||
Patch31: %{name}-%{version}-no_fork-no_pid_file.patch
|
||||
Patch32: %{name}-%{version}-host_ident.patch
|
||||
Patch33: %{name}-%{version}-sftp_homechroot.patch
|
||||
Patch1: openssh-6.4p1-key-converter.patch
|
||||
Patch2: openssh-6.4p1-X11-forwarding.patch
|
||||
Patch3: openssh-6.4p1-lastlog.patch
|
||||
Patch4: openssh-6.4p1-pam-fix2.patch
|
||||
Patch5: openssh-6.4p1-saveargv-fix.patch
|
||||
Patch6: openssh-6.4p1-pam-fix3.patch
|
||||
Patch7: openssh-6.4p1-gssapimitm.patch
|
||||
Patch8: openssh-6.4p1-eal3.patch
|
||||
Patch9: openssh-6.4p1-blocksigalrm.patch
|
||||
Patch10: openssh-6.4p1-send_locale.patch
|
||||
Patch11: openssh-6.4p1-xauthlocalhostname.patch
|
||||
Patch12: openssh-6.4p1-xauth.patch
|
||||
Patch13: openssh-6.4p1-default-protocol.patch
|
||||
Patch14: openssh-6.4p1-pts.patch
|
||||
Patch15: openssh-6.4p1-pam-check-locks.patch
|
||||
Patch16: openssh-6.4p1-fingerprint_hash.patch
|
||||
Patch17: openssh-6.4p1-audit1-remove_duplicit_audit.patch
|
||||
Patch18: openssh-6.4p1-audit2-better_audit_of_user_actions.patch
|
||||
Patch19: openssh-6.4p1-audit3-key_auth_usage.patch
|
||||
Patch20: openssh-6.4p1-audit4-kex_results.patch
|
||||
Patch21: openssh-6.4p1-audit5-session_key_destruction.patch
|
||||
Patch22: openssh-6.4p1-audit6-server_key_destruction.patch
|
||||
Patch23: openssh-6.4p1-audit7-libaudit_compat.patch
|
||||
Patch24: openssh-6.4p1-audit8-libaudit_dns_timeouts.patch
|
||||
Patch25: openssh-6.4p1-seed-prng.patch
|
||||
Patch26: openssh-6.4p1-ldap.patch
|
||||
Patch27: openssh-6.4p1-fips.patch
|
||||
Patch28: openssh-6.4p1-gssapi_key_exchange.patch
|
||||
Patch29: openssh-6.4p1-login_options.patch
|
||||
Patch30: openssh-6.4p1-disable-openssl-abi-check.patch
|
||||
Patch31: openssh-6.4p1-no_fork-no_pid_file.patch
|
||||
Patch32: openssh-6.4p1-host_ident.patch
|
||||
Patch33: openssh-6.4p1-sftp_homechroot.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
@ -152,15 +150,14 @@ xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
|
||||
%package akc-ldap
|
||||
Summary: OpenSSH AuthorizedKeysCommand helper for LDAP
|
||||
%package helpers
|
||||
Summary: OpenSSH AuthorizedKeysCommand helpers
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: openldap2
|
||||
Requires: openssh
|
||||
|
||||
%description akc-ldap
|
||||
Helper application for OpenSSH which retrieves authorized keys from
|
||||
a LDAP server.
|
||||
%description helpers
|
||||
Helper applications for OpenSSH which retrieve keys from various sources.
|
||||
|
||||
|
||||
%prep
|
||||
@ -192,7 +189,7 @@ a LDAP server.
|
||||
%patch25 -p2
|
||||
%patch26 -p2
|
||||
#patch27 -p2
|
||||
%patch28 -p2
|
||||
#patch28 -p2
|
||||
%patch29 -p2
|
||||
%patch30 -p2
|
||||
%patch31 -p2
|
||||
@ -214,11 +211,17 @@ PIEFLAGS="-fPIE"
|
||||
PIEFLAGS="-fpie"
|
||||
%endif
|
||||
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
||||
%if 0%{?suse_version} < 1230
|
||||
CFLAGS="-lrt $CFLAGS"
|
||||
%endif
|
||||
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
||||
LDFLAGS="-pie -Wl,--as-needed"
|
||||
%if 0%{?suse_version} < 1230
|
||||
LDFLAGS="-lrt $LDFLAGS"
|
||||
%endif
|
||||
#CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64"
|
||||
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
%configure \
|
||||
./configure \
|
||||
--prefix=%{_prefix} \
|
||||
--mandir=%{_mandir} \
|
||||
--infodir=%{_infodir} \
|
||||
@ -249,9 +252,9 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
--target=%{_target_cpu}-suse-linux \
|
||||
|
||||
### configure end
|
||||
make %{?_smp_mflags}
|
||||
make -j 1
|
||||
|
||||
make %{?_smp_mflags} -C converter
|
||||
make -j 1 -C converter
|
||||
|
||||
%install
|
||||
make install DESTDIR=%{buildroot}
|
||||
@ -360,7 +363,7 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
|
||||
%config %{_fwdefdir}/sshd
|
||||
%endif
|
||||
|
||||
%files akc-ldap
|
||||
%files helpers
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||
|
Loading…
Reference in New Issue
Block a user