pool/openssh
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 220466 from home:pcerny:factory

Browse Source 
- Update of the underlying OpenSSH to 6.4p1

- Update to 6.4p1
  Features since 6.2p2:
  * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or
    hostkeys on smartcards.
  * ssh(1)/sshd(8): allow optional time-based rekeying via a
    second argument to the existing RekeyLimit option. RekeyLimit
    is now supported in sshd_config as well as on the client.
  * sshd(8): standardise logging of information during user
    authentication.
  * The presented key/cert and the remote username (if available)
    is now logged in the authentication success/failure message on
    the same log line as the local username, remote host/port and
    protocol in use.  Certificates contents and the key
    fingerprint of the signing CA are logged too.
  * ssh(1) ability to query what cryptographic algorithms are
    supported in the binary.
  * ssh(1): ProxyCommand=- for cases where stdin and stdout
    already point to the proxy.
  * ssh(1): allow IdentityFile=none
  * ssh(1)/sshd(8): -E option to append debugging logs to a
    specified file instead of stderr or syslog.
  * sftp(1): support resuming partial downloads with the "reget"
    command and on the sftp commandline or on the "get"
    commandline with the "-a" (append) option.
  * ssh(1): "IgnoreUnknown" configuration option to selectively
    suppress errors arising from unknown configuration directives.
  * sshd(8): support for submethods to be appended to required
    authentication methods listed via AuthenticationMethods.

OBS-URL: https://build.opensuse.org/request/show/220466
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58
This commit is contained in:
Petr Cerny 2014-01-31 12:18:41 +00:00 committed by Git OBS Bridge
parent 6fccab223a
commit 712ccf3395
39 changed files with 1129 additions and 976 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
openssh-6.2p2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
size 1182922

14
openssh-6.2p2-X11-forwarding.patch → openssh-6.4p1-X11-forwarding.patch
View File

@ -2,9 +2,9 @@
# configuration
# bnc#50836 (was suse #35836)
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
--- a/openssh-6.2p2/ssh_config
+++ b/openssh-6.2p2/ssh_config
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+++ b/openssh-6.4p1/ssh_config
@@ -12,19 +12,30 @@
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
@ -37,10 +37,10 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
--- a/openssh-6.2p2/sshd_config
+++ b/openssh-6.2p2/sshd_config
@@ -90,17 +90,17 @@ AuthorizedKeysFile .ssh/authorized_keys
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+++ b/openssh-6.4p1/sshd_config
@@ -93,17 +93,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

8
openssh-6.2p2-audit1-remove_duplicit_audit.patch → openssh-6.4p1-audit1-remove_duplicit_audit.patch
View File

@ -8,10 +8,10 @@
#
# PRIVSEP(getpwnamallow()) a few lines above already did this.
diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
--- a/openssh-6.2p2/auth2.c
+++ b/openssh-6.2p2/auth2.c
@@ -239,19 +239,16 @@ input_userauth_request(int type, u_int32
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
--- a/openssh-6.4p1/auth2.c
+++ b/openssh-6.4p1/auth2.c
@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32
authctxt->pw = PRIVSEP(getpwnamallow(user));
authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {

115
openssh-6.2p2-audit2-better_audit_of_user_actions.patch → openssh-6.4p1-audit2-better_audit_of_user_actions.patch
View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2011
# by jchadima@redhat.com
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
--- a/openssh-6.2p2/audit-bsm.c
+++ b/openssh-6.2p2/audit-bsm.c
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c
@@ -370,20 +370,33 @@ audit_connection_from(const char *host,
/* this is used on IPv4-only machines */
tid->port = (dev_t)port;
@ -42,9 +42,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
/* not implemented */
}
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
--- a/openssh-6.2p2/audit-linux.c
+++ b/openssh-6.2p2/audit-linux.c
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c
@@ -30,97 +30,210 @@
#include "includes.h"
#if defined(USE_LINUX_AUDIT)
@ -276,9 +276,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
--- a/openssh-6.2p2/audit.c
+++ b/openssh-6.2p2/audit.c
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
--- a/openssh-6.4p1/audit.c
+++ b/openssh-6.4p1/audit.c
@@ -135,16 +135,27 @@ audit_connection_from(const char *host,
void
audit_event(ssh_audit_event_t event)
@ -344,9 +344,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
+
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
--- a/openssh-6.2p2/audit.h
+++ b/openssh-6.2p2/audit.h
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
--- a/openssh-6.4p1/audit.h
+++ b/openssh-6.4p1/audit.h
@@ -44,14 +44,16 @@ enum ssh_audit_event_type {
SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */
SSH_CONNECTION_ABANDON, /* closed without completing auth */
@ -365,10 +365,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
--- a/openssh-6.2p2/monitor.c
+++ b/openssh-6.2p2/monitor.c
@@ -180,16 +180,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+++ b/openssh-6.4p1/monitor.c
@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@ -386,7 +386,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -267,16 +268,17 @@ struct mon_table mon_dispatch_postauth20
@@ -268,16 +269,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
@ -404,7 +404,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -309,16 +311,17 @@ struct mon_table mon_dispatch_proto15[]
@@ -310,16 +312,17 @@ struct mon_table mon_dispatch_proto15[]
struct mon_table mon_dispatch_postauth15[] = {
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
@ -422,7 +422,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1427,16 +1430,22 @@ mm_record_login(Session *s, struct passw
@@ -1442,16 +1445,22 @@ mm_record_login(Session *s, struct passw
static void
mm_session_close(Session *s)
{
@ -445,7 +445,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
{
extern struct monitor *pmonitor;
Session *s;
@@ -1749,21 +1758,54 @@ mm_answer_audit_event(int socket, Buffer
@@ -1764,21 +1773,53 @@ mm_answer_audit_event(int socket, Buffer
return (0);
}
@ -458,7 +458,6 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
debug3("%s entering", __func__);
cmd = buffer_get_string(m, &len);
+
/* sanity check command, if so how? */
- audit_run_command(cmd);
+ s = session_new();
@ -493,7 +492,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
+ fatal("%s: invalid handle", __func__);
+ mm_session_close(s);
+
xfree(cmd);
free(cmd);
return (0);
}
#endif /* SSH_AUDIT_EVENTS */
@ -501,9 +500,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
void
monitor_apply_keystate(struct monitor *pmonitor)
{
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
--- a/openssh-6.2p2/monitor.h
+++ b/openssh-6.2p2/monitor.h
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+++ b/openssh-6.4p1/monitor.h
@@ -64,16 +64,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100,
@ -522,10 +521,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
--- a/openssh-6.2p2/monitor_wrap.c
+++ b/openssh-6.2p2/monitor_wrap.c
@@ -1184,27 +1184,48 @@ mm_audit_event(ssh_audit_event_t event)
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c
@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event)
buffer_init(&m);
buffer_put_int(&m, event);
@ -575,9 +574,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
{
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
--- a/openssh-6.2p2/monitor_wrap.h
+++ b/openssh-6.2p2/monitor_wrap.h
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h
@@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **);
@ -598,9 +597,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
--- a/openssh-6.2p2/session.c
+++ b/openssh-6.2p2/session.c
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
--- a/openssh-6.4p1/session.c
+++ b/openssh-6.4p1/session.c
@@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif
@ -658,7 +657,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
original_command = NULL;
@@ -1862,16 +1874,17 @@ session_unused(int id)
@@ -1875,16 +1887,17 @@ session_unused(int id)
bzero(&sessions[id], sizeof(*sessions));
sessions[id].self = id;
sessions[id].used = 0;
@ -676,7 +675,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
session_new(void)
{
Session *s, *tmp;
@@ -1944,16 +1957,29 @@ session_open(Authctxt *authctxt, int cha
@@ -1957,16 +1970,29 @@ session_open(Authctxt *authctxt, int cha
if (s->pw == NULL || !authctxt->valid)
fatal("no user for session %d", s->self);
debug("session_open: session %d: link with channel %d", s->self, chanid);
@ -706,7 +705,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
debug("session_by_tty: session %d tty %s", i, tty);
return s;
@@ -2469,16 +2495,40 @@ session_exit_message(Session *s, int sta
@@ -2473,16 +2499,40 @@ session_exit_message(Session *s, int sta
* interested in data we write.
* Note that we must not call 'chan_read_failed', since there could
* be some more data waiting in the pipe.
@ -721,7 +720,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
+{
+ if (s->command != NULL) {
+ audit_end_command(s->command_handle, s->command);
+ xfree(s->command);
+ free(s->command);
+ s->command = NULL;
+ s->command_handle = -1;
+ }
@ -732,7 +731,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
+{
+ if (s->command != NULL) {
+ PRIVSEP(audit_end_command(s->command_handle, s->command));
+ xfree(s->command);
+ free(s->command);
+ s->command = NULL;
+ s->command_handle = -1;
+ }
@ -747,7 +746,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
@@ -2509,16 +2559,20 @@ session_close(Session *s)
@@ -2513,16 +2563,20 @@ session_close(Session *s)
int status;
waitpid(pid, &status, 0);
@ -760,15 +759,15 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
+ if (s->command)
+ session_end_command(s);
+#endif
if (s->term)
xfree(s->term);
if (s->display)
xfree(s->display);
if (s->x11_chanids)
xfree(s->x11_chanids);
if (s->auth_display)
xfree(s->auth_display);
@@ -2728,16 +2782,25 @@ session_setup_x11fwd(Session *s)
free(s->term);
free(s->display);
free(s->x11_chanids);
free(s->auth_display);
free(s->auth_data);
free(s->auth_proto);
if (s->env != NULL) {
for (i = 0; i < s->num_env; i++) {
@@ -2726,16 +2780,25 @@ session_setup_x11fwd(Session *s)
}
static void
@ -794,7 +793,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
debug("do_cleanup");
/* no cleanup if we're in the child for login shell */
@@ -2776,10 +2839,10 @@ do_cleanup(Authctxt *authctxt)
@@ -2774,10 +2837,10 @@ do_cleanup(Authctxt *authctxt)
/* remove agent socket */
auth_sock_cleanup_proc(authctxt->pw);
@ -806,9 +805,9 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
- session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session);
}
diff --git a/openssh-6.2p2/session.h b/openssh-6.2p2/session.h
--- a/openssh-6.2p2/session.h
+++ b/openssh-6.2p2/session.h
diff --git a/openssh-6.4p1/session.h b/openssh-6.4p1/session.h
--- a/openssh-6.4p1/session.h
+++ b/openssh-6.4p1/session.h
@@ -55,29 +55,37 @@ struct Session {
int chanid;
int *x11_chanids;
@ -847,10 +846,10 @@ diff --git a/openssh-6.2p2/session.h b/openssh-6.2p2/session.h
const char *value);
#endif
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
@@ -2404,13 +2404,14 @@ cleanup_exit(int i)
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -2487,13 +2487,14 @@ cleanup_exit(int i)
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)
error("%s: kill(%d): %s", __func__,

138
openssh-6.2p2-audit3-key_auth_usage.patch → openssh-6.4p1-audit3-key_auth_usage.patch
View File

@ -5,9 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975)
# by jchadima@redhat.com
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
--- a/openssh-6.2p2/audit-bsm.c
+++ b/openssh-6.2p2/audit-bsm.c
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c
@@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li)
}
@ -31,9 +31,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
if (cannot_audit(0))
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
--- a/openssh-6.2p2/audit-linux.c
+++ b/openssh-6.2p2/audit-linux.c
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c
@@ -36,16 +36,18 @@
#include "log.h"
#include "audit.h"
@ -101,9 +101,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
audit_connection_from(const char *host, int port)
{
/* not implemented */
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
--- a/openssh-6.2p2/audit.c
+++ b/openssh-6.2p2/audit.c
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
--- a/openssh-6.4p1/audit.c
+++ b/openssh-6.4p1/audit.c
@@ -31,16 +31,17 @@
#ifdef SSH_AUDIT_EVENTS
@ -144,7 +144,7 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
+ crypto_name = key_ssh_name(key);
+ if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
+ *rv = 0;
+ xfree(fp);
+ free(fp);
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
@ -178,9 +178,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
--- a/openssh-6.2p2/audit.h
+++ b/openssh-6.2p2/audit.h
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
--- a/openssh-6.4p1/audit.h
+++ b/openssh-6.4p1/audit.h
@@ -23,16 +23,17 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -212,9 +212,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
+void audit_key(int, int *, const Key *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
--- a/openssh-6.2p2/auth-rsa.c
+++ b/openssh-6.2p2/auth-rsa.c
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c
+++ b/openssh-6.4p1/auth-rsa.c
@@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key)
return challenge;
}
@ -259,7 +259,7 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
}
- /* Correct answer. */
- return (1);
+ xfree(fp);
+ free(fp);
+#endif
+
+ return rv;
@ -271,10 +271,10 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
* our challenge; returns zero if the client gives a wrong answer.
*/
diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h
--- a/openssh-6.2p2/auth.h
+++ b/openssh-6.2p2/auth.h
@@ -176,31 +176,33 @@ int allowed_user(struct passwd *);
diff --git a/openssh-6.4p1/auth.h b/openssh-6.4p1/auth.h
--- a/openssh-6.4p1/auth.h
+++ b/openssh-6.4p1/auth.h
@@ -182,16 +182,17 @@ int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
@ -292,13 +292,15 @@ diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h
HostStatus
check_key_in_hostfiles(struct passwd *, Key *, const char *,
const char *, const char *);
@@ -199,16 +200,17 @@ check_key_in_hostfiles(struct passwd *,
/* hostkey handling */
Key *get_hostkey_by_index(int);
Key *get_hostkey_public_by_index(int);
Key *get_hostkey_public_by_type(int);
Key *get_hostkey_private_by_type(int);
int get_hostkey_index(Key *);
int ssh1_session_key(BIGNUM *);
void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);
+int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
/* debug messages during authentication */
@ -308,15 +310,15 @@ diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h
struct passwd *fakepw(void);
diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
--- a/openssh-6.2p2/auth2-hostbased.c
+++ b/openssh-6.2p2/auth2-hostbased.c
@@ -114,33 +114,45 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_cstring(&b, chost);
buffer_put_cstring(&b, cuser);
#ifdef DEBUG_PK
buffer_dump(&b);
diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
--- a/openssh-6.4p1/auth2-hostbased.c
+++ b/openssh-6.4p1/auth2-hostbased.c
@@ -118,33 +118,45 @@ userauth_hostbased(Authctxt *authctxt)
#endif
pubkey_auth_info(authctxt, key,
"client user \"%.100s\", client host \"%.100s\"", cuser, chost);
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@ -330,11 +332,11 @@ diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
debug2("userauth_hostbased: authenticated %d", authenticated);
if (key != NULL)
key_free(key);
xfree(pkalg);
xfree(pkblob);
xfree(cuser);
xfree(chost);
xfree(sig);
free(pkalg);
free(pkblob);
free(cuser);
free(chost);
free(sig);
return authenticated;
}
@ -358,15 +360,15 @@ diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status;
int len;
diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
--- a/openssh-6.2p2/auth2-pubkey.c
+++ b/openssh-6.2p2/auth2-pubkey.c
@@ -141,17 +141,17 @@ userauth_pubkey(Authctxt *authctxt)
}
buffer_put_string(&b, pkblob, blen);
diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
--- a/openssh-6.4p1/auth2-pubkey.c
+++ b/openssh-6.4p1/auth2-pubkey.c
@@ -147,17 +147,17 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
#endif
pubkey_auth_info(authctxt, key, NULL);
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@ -375,17 +377,17 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
buffer_len(&b))) == 1)
authenticated = 1;
buffer_free(&b);
xfree(sig);
free(sig);
} else {
debug("test whether pkalg/pkblob are acceptable");
packet_check_eom();
@@ -178,16 +178,28 @@ done:
@@ -184,16 +184,28 @@ done:
debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
if (key != NULL)
key_free(key);
xfree(pkalg);
xfree(pkblob);
free(pkalg);
free(pkblob);
return authenticated;
}
@ -401,18 +403,18 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
+ return rv;
+}
+
static int
match_principals_option(const char *principal_list, struct KeyCert *cert)
void
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
{
char *result;
u_int i;
char *fp, *extra;
va_list ap;
int i;
/* XXX percent_expand() sequences for authorized_principals? */
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
--- a/openssh-6.2p2/monitor.c
+++ b/openssh-6.2p2/monitor.c
@@ -1347,26 +1347,30 @@ monitor_valid_hostbasedblob(u_char *data
extra = NULL;
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+++ b/openssh-6.4p1/monitor.c
@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data
}
int
@ -443,7 +445,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
switch (key_blobtype) {
case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen);
@@ -1377,17 +1381,27 @@ mm_answer_keyverify(int sock, Buffer *m)
@@ -1392,17 +1396,27 @@ mm_answer_keyverify(int sock, Buffer *m)
break;
default:
valid_data = 0;
@ -468,14 +470,14 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
__func__, key, (verified == 1) ? "verified" : "unverified");
key_free(key);
xfree(blob);
xfree(signature);
xfree(data);
free(blob);
free(signature);
free(data);
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
--- a/openssh-6.2p2/monitor_wrap.c
+++ b/openssh-6.2p2/monitor_wrap.c
@@ -426,30 +426,31 @@ mm_key_allowed(enum mm_keytype type, cha
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c
@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha
/*
* This key verify needs to send the key type along, because the
@ -503,12 +505,12 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
buffer_put_string(&m, blob, len);
buffer_put_string(&m, sig, siglen);
buffer_put_string(&m, data, datalen);
xfree(blob);
free(blob);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
@@ -457,16 +458,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
@@ -459,16 +460,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
verified = buffer_get_int(&m);
@ -538,9 +540,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
u_int len;
Newkeys *newkey = NULL;
Enc *enc;
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
--- a/openssh-6.2p2/monitor_wrap.h
+++ b/openssh-6.2p2/monitor_wrap.h
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h
@@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);

126
openssh-6.2p2-audit4-kex_results.patch → openssh-6.4p1-audit4-kex_results.patch
View File

@ -5,9 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976)
# by jchadima@redhat.com
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
--- a/openssh-6.2p2/Makefile.in
+++ b/openssh-6.2p2/Makefile.in
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in
+++ b/openssh-6.4p1/Makefile.in
@@ -68,17 +68,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -27,9 +27,9 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
--- a/openssh-6.2p2/audit-bsm.c
+++ b/openssh-6.2p2/audit-bsm.c
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c
@@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event)
case SSH_AUTH_FAIL_KBDINT:
bsm_audit_bad_login("interactive password entry");
@ -52,9 +52,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
--- a/openssh-6.2p2/audit-linux.c
+++ b/openssh-6.2p2/audit-linux.c
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c
@@ -35,16 +35,18 @@
#include "log.h"
@ -95,7 +95,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
+ snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ",
+ name[what], get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())),
+ get_local_port());
+ xfree(s);
+ free(s);
+ audit_fd = audit_open();
+ if (audit_fd < 0)
+ /* no problem, the next instruction will be fatal() */
@ -121,7 +121,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
+ (intmax_t)pid, (intmax_t)uid,
+ get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
+ xfree(s);
+ free(s);
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@ -140,9 +140,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
+}
+
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
--- a/openssh-6.2p2/audit.c
+++ b/openssh-6.2p2/audit.c
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
--- a/openssh-6.4p1/audit.c
+++ b/openssh-6.4p1/audit.c
@@ -23,24 +23,27 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -177,7 +177,7 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
crypto_name = key_ssh_name(key);
if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
*rv = 0;
xfree(fp);
free(fp);
}
+void
@ -232,9 +232,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
--- a/openssh-6.2p2/audit.h
+++ b/openssh-6.2p2/audit.h
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
--- a/openssh-6.4p1/audit.h
+++ b/openssh-6.4p1/audit.h
@@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t);
void audit_count_session_open(void);
void audit_session_open(struct logininfo *);
@ -250,10 +250,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c
diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/auditstub.c
+++ b/openssh-6.4p1/auditstub.c
@@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@ -294,10 +294,10 @@ new file mode 100644
+{
+}
+
diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
--- a/openssh-6.2p2/cipher.c
+++ b/openssh-6.2p2/cipher.c
@@ -50,27 +50,17 @@
diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
--- a/openssh-6.4p1/cipher.c
+++ b/openssh-6.4p1/cipher.c
@@ -50,29 +50,17 @@
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
@ -316,7 +316,9 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
- u_int discard_len;
- u_int cbc_mode;
- const EVP_CIPHER *(*evptype)(void);
-} ciphers[] = {
-};
-
-static const struct Cipher ciphers[] = {
+struct Cipher ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
@ -326,9 +328,9 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
{ "blowfish-cbc",
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
diff --git a/openssh-6.2p2/cipher.h b/openssh-6.2p2/cipher.h
--- a/openssh-6.2p2/cipher.h
+++ b/openssh-6.2p2/cipher.h
diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h
--- a/openssh-6.4p1/cipher.h
+++ b/openssh-6.4p1/cipher.h
@@ -56,17 +56,28 @@
#define SSH_CIPHER_MAX 31
@ -355,13 +357,13 @@ diff --git a/openssh-6.2p2/cipher.h b/openssh-6.2p2/cipher.h
int plaintext;
int encrypt;
EVP_CIPHER_CTX evp;
Cipher *cipher;
const Cipher *cipher;
};
u_int cipher_mask_ssh1(int);
diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
--- a/openssh-6.2p2/kex.c
+++ b/openssh-6.2p2/kex.c
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
--- a/openssh-6.4p1/kex.c
+++ b/openssh-6.4p1/kex.c
@@ -44,16 +44,17 @@
#include "key.h"
#include "kex.h"
@ -380,7 +382,7 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
extern const EVP_MD *evp_ssh_sha256(void);
# endif
#endif
@@ -291,53 +292,65 @@ kex_kexinit_finish(Kex *kex)
@@ -336,53 +337,65 @@ kex_kexinit_finish(Kex *kex)
fatal("Unsupported key exchange %d", kex->kex_type);
}
}
@ -449,7 +451,7 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
comp->type = COMP_NONE;
} else {
fatal("unsupported comp %s", name);
@@ -455,16 +468,19 @@ kex_choose_conf(Kex *kex)
@@ -487,16 +500,19 @@ kex_choose_conf(Kex *kex)
if (authlen == 0)
choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
@ -469,11 +471,10 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode];
if (need < newkeys->enc.key_len)
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
--- a/openssh-6.2p2/monitor.c
+++ b/openssh-6.2p2/monitor.c
@@ -92,16 +92,17 @@
#endif
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+++ b/openssh-6.4p1/monitor.c
@@ -93,16 +93,17 @@
#include "monitor_wrap.h"
#include "monitor_fdpass.h"
#include "misc.h"
@ -481,6 +482,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
#include "ssh2.h"
#include "jpake.h"
#include "roaming.h"
#include "authfd.h"
+#include "audit.h"
#ifdef GSSAPI
@ -490,7 +492,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
/* Imports */
extern ServerOptions options;
extern u_int utmp_len;
@@ -181,16 +182,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
@@ -182,16 +183,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
#endif
@ -509,7 +511,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -232,16 +235,18 @@ struct mon_table mon_dispatch_proto20[]
@@ -233,16 +236,18 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@ -528,7 +530,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -269,16 +274,18 @@ struct mon_table mon_dispatch_postauth20
@@ -270,16 +275,18 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@ -547,7 +549,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -300,28 +307,32 @@ struct mon_table mon_dispatch_proto15[]
@@ -301,28 +308,32 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@ -580,7 +582,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -2391,8 +2402,52 @@ mm_answer_jpake_check_confirm(int sock,
@@ -2410,8 +2421,52 @@ mm_answer_jpake_check_confirm(int sock,
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
@ -623,9 +625,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
+
+ audit_kex_body(ctos, cipher, mac, compress, pid, uid);
+
+ xfree(cipher);
+ xfree(mac);
+ xfree(compress);
+ free(cipher);
+ free(mac);
+ free(compress);
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
@ -633,9 +635,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
+}
+
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
--- a/openssh-6.2p2/monitor.h
+++ b/openssh-6.2p2/monitor.h
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+++ b/openssh-6.4p1/monitor.h
@@ -65,16 +65,18 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
@ -655,10 +657,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
--- a/openssh-6.2p2/monitor_wrap.c
+++ b/openssh-6.2p2/monitor_wrap.c
@@ -1481,8 +1481,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c
@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
success = buffer_get_int(&m);
buffer_free(&m);
@ -705,9 +707,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
+ buffer_free(&m);
+}
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
--- a/openssh-6.2p2/monitor_wrap.h
+++ b/openssh-6.2p2/monitor_wrap.h
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h
@@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha
void mm_sshpam_free_ctx(void *);
#endif
@ -727,10 +729,10 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
@@ -113,16 +113,17 @@
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -114,16 +114,17 @@
#include "session.h"
#include "monitor_mm.h"
#include "monitor.h"
@ -748,7 +750,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
#include <syslog.h>
int allow_severity;
int deny_severity;
@@ -2236,16 +2237,20 @@ do_ssh1_kex(void)
@@ -2297,16 +2298,20 @@ do_ssh1_kex(void)
packet_disconnect("Warning: client selects unsupported cipher.");
/* Get check bytes from the packet. These must match those we

204
openssh-6.2p2-audit5-session_key_destruction.patch → openssh-6.4p1-audit5-session_key_destruction.patch
View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2014
# by jchadima@redhat.com
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
--- a/openssh-6.2p2/audit-bsm.c
+++ b/openssh-6.2p2/audit-bsm.c
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c
@@ -480,9 +480,15 @@ audit_unsupported_body(int what)
/* not implemented */
}
@ -23,9 +23,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
--- a/openssh-6.2p2/audit-linux.c
+++ b/openssh-6.2p2/audit-linux.c
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c
@@ -289,24 +289,25 @@ audit_unsupported_body(int what)
/* no problem, the next instruction will be fatal() */
return;
@ -52,7 +52,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
(intmax_t)pid, (intmax_t)uid,
get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
xfree(s);
free(s);
@@ -322,9 +323,37 @@ audit_kex_body(int ctos, char *enc, char
buf, NULL, get_remote_ipaddr(), NULL, 1);
audit_close(audit_fd);
@ -74,7 +74,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
+ get_remote_port(),
+ (s = get_local_ipaddr(packet_get_connection_in())),
+ get_local_port());
+ xfree(s);
+ free(s);
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
@ -91,9 +91,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
+}
+
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
--- a/openssh-6.2p2/audit.c
+++ b/openssh-6.2p2/audit.c
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
--- a/openssh-6.4p1/audit.c
+++ b/openssh-6.4p1/audit.c
@@ -138,16 +138,22 @@ audit_unsupported(int what)
}
@ -138,9 +138,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
--- a/openssh-6.2p2/audit.h
+++ b/openssh-6.2p2/audit.h
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
--- a/openssh-6.4p1/audit.h
+++ b/openssh-6.4p1/audit.h
@@ -57,10 +57,12 @@ int audit_run_command(const char *);
void audit_end_command(int, const char *);
ssh_audit_event_t audit_classify_auth(const char *);
@ -154,9 +154,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c
--- a/openssh-6.2p2/auditstub.c
+++ b/openssh-6.2p2/auditstub.c
diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c
--- a/openssh-6.4p1/auditstub.c
+++ b/openssh-6.4p1/auditstub.c
@@ -22,18 +22,29 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
@ -187,10 +187,10 @@ diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
--- a/openssh-6.2p2/kex.c
+++ b/openssh-6.2p2/kex.c
@@ -635,8 +635,39 @@ dump_digest(char *msg, u_char *digest, i
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
--- a/openssh-6.4p1/kex.c
+++ b/openssh-6.4p1/kex.c
@@ -667,8 +667,39 @@ dump_digest(char *msg, u_char *digest, i
if (i%32 == 31)
fprintf(stderr, "\n");
else if (i%8 == 7)
@ -208,12 +208,12 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
+
+ if (enc->key) {
+ memset(enc->key, 0, enc->key_len);
+ xfree(enc->key);
+ free(enc->key);
+ }
+
+ if (enc->iv) {
+ memset(enc->iv, 0, enc->block_size);
+ xfree(enc->iv);
+ free(enc->iv);
+ }
+
+ memset(enc, 0, sizeof(*enc));
@ -230,10 +230,10 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h
--- a/openssh-6.2p2/kex.h
+++ b/openssh-6.2p2/kex.h
@@ -153,16 +153,18 @@ Newkeys *kex_get_newkeys(int);
diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
--- a/openssh-6.4p1/kex.h
+++ b/openssh-6.4p1/kex.h
@@ -157,16 +157,18 @@ Newkeys *kex_get_newkeys(int);
void kexdh_client(Kex *);
void kexdh_server(Kex *);
@ -252,10 +252,10 @@ diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *);
#ifdef OPENSSL_HAS_ECC
diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
--- a/openssh-6.2p2/mac.c
+++ b/openssh-6.2p2/mac.c
@@ -194,16 +194,30 @@ mac_clear(Mac *mac)
diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
--- a/openssh-6.4p1/mac.c
+++ b/openssh-6.4p1/mac.c
@@ -219,16 +219,30 @@ mac_clear(Mac *mac)
if (mac->umac_ctx != NULL)
umac128_delete(mac->umac_ctx);
} else if (mac->evp_md != NULL)
@ -272,7 +272,7 @@ diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
+
+ if (mac->key) {
+ memset(mac->key, 0, mac->key_len);
+ xfree(mac->key);
+ free(mac->key);
+ }
+
+ memset(mac, 0, sizeof(*mac));
@ -286,23 +286,23 @@ diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
char *maclist, *cp, *p;
if (names == NULL || strcmp(names, "") == 0)
diff --git a/openssh-6.2p2/mac.h b/openssh-6.2p2/mac.h
--- a/openssh-6.2p2/mac.h
+++ b/openssh-6.2p2/mac.h
@@ -23,8 +23,9 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/openssh-6.4p1/mac.h b/openssh-6.4p1/mac.h
--- a/openssh-6.4p1/mac.h
+++ b/openssh-6.4p1/mac.h
@@ -24,8 +24,9 @@
*/
int mac_valid(const char *);
char *mac_alg_list(void);
int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
--- a/openssh-6.2p2/monitor.c
+++ b/openssh-6.2p2/monitor.c
@@ -184,16 +184,17 @@ int mm_answer_gss_checkmic(int, Buffer *
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+++ b/openssh-6.4p1/monitor.c
@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#endif
#ifdef SSH_AUDIT_EVENTS
@ -320,7 +320,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -237,16 +238,17 @@ struct mon_table mon_dispatch_proto20[]
@@ -238,16 +239,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
@ -338,7 +338,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -276,16 +278,17 @@ struct mon_table mon_dispatch_postauth20
@@ -277,16 +279,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
@ -356,7 +356,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -309,30 +312,32 @@ struct mon_table mon_dispatch_proto15[]
@@ -310,30 +313,32 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
@ -389,7 +389,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1951,21 +1956,23 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1970,21 +1975,23 @@ mm_get_keystate(struct monitor *pmonitor
goto skip;
} else {
/* Get the Kex for rekeying */
@ -399,13 +399,13 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
+ memset(blob, 0, bloblen);
xfree(blob);
free(blob);
debug3("%s: Waiting for second key", __func__);
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
+ memset(blob, 0, bloblen);
xfree(blob);
free(blob);
/* Now get sequence numbers for the packets */
seqnr = buffer_get_int(&m);
@ -413,7 +413,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
packets = buffer_get_int(&m);
bytes = buffer_get_int64(&m);
packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes);
@@ -2001,16 +2008,31 @@ mm_get_keystate(struct monitor *pmonitor
@@ -2020,16 +2027,31 @@ mm_get_keystate(struct monitor *pmonitor
/* Roaming */
if (compat20) {
@ -445,9 +445,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
size_t len = (size_t) size * ncount;
@@ -2445,9 +2467,27 @@ mm_answer_audit_kex_body(int sock, Buffe
xfree(mac);
xfree(compress);
@@ -2464,9 +2486,27 @@ mm_answer_audit_kex_body(int sock, Buffe
free(mac);
free(compress);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
@ -473,9 +473,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
--- a/openssh-6.2p2/monitor.h
+++ b/openssh-6.2p2/monitor.h
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+++ b/openssh-6.4p1/monitor.h
@@ -67,16 +67,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
@ -494,10 +494,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
--- a/openssh-6.2p2/monitor_wrap.c
+++ b/openssh-6.2p2/monitor_wrap.c
@@ -649,22 +649,24 @@ mm_send_keystate(struct monitor *monitor
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c
@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor
__func__, packet_get_newkeys(MODE_OUT),
packet_get_newkeys(MODE_IN));
@ -507,14 +507,14 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
buffer_put_string(&m, blob, bloblen);
+ memset(blob, 0, bloblen);
xfree(blob);
free(blob);
if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen);
+ memset(blob, 0, bloblen);
xfree(blob);
free(blob);
packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
buffer_put_int(&m, seqnr);
@ -522,7 +522,7 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
buffer_put_int(&m, packets);
buffer_put_int64(&m, bytes);
packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes);
@@ -1518,9 +1520,24 @@ mm_audit_kex_body(int ctos, char *cipher
@@ -1520,9 +1522,24 @@ mm_audit_kex_body(int ctos, char *cipher
buffer_put_int64(&m, uid);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
@ -547,9 +547,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
--- a/openssh-6.2p2/monitor_wrap.h
+++ b/openssh-6.2p2/monitor_wrap.h
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h
@@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
@ -568,16 +568,16 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
--- a/openssh-6.2p2/packet.c
+++ b/openssh-6.2p2/packet.c
@@ -55,16 +55,17 @@
#include <stdarg.h>
diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
--- a/openssh-6.4p1/packet.c
+++ b/openssh-6.4p1/packet.c
@@ -56,16 +56,17 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include "xmalloc.h"
+#include "audit.h"
@ -589,7 +589,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
#include "channels.h"
#include "compat.h"
#include "ssh1.h"
@@ -463,41 +464,51 @@ packet_get_connection_in(void)
@@ -469,41 +470,51 @@ packet_get_connection_in(void)
/* Returns the descriptor used for writing. */
int
@ -650,7 +650,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
packet_set_protocol_flags(u_int protocol_flags)
{
active_state->remote_protocol_flags = protocol_flags;
@@ -722,16 +733,35 @@ packet_send1(void)
@@ -728,16 +739,35 @@ packet_send1(void)
/*
* Note that the packet is now only buffered in output. It won't be
@ -665,17 +665,17 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
+ if (newkeys == NULL)
+ return;
+
+ xfree(newkeys->enc.name);
+ free(newkeys->enc.name);
+
+ mac_clear(&newkeys->mac);
+ /* MAC may happen to be empty - if the GCM mode of AES is used */
+ if (newkeys->mac.name)
+ xfree(newkeys->mac.name);
+ free(newkeys->mac.name);
+
+ xfree(newkeys->comp.name);
+ free(newkeys->comp.name);
+
+ newkeys_destroy(newkeys);
+ xfree(newkeys);
+ free(newkeys);
+}
+
void
@ -686,7 +686,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
Comp *comp;
CipherContext *cc;
u_int64_t *max_blocks;
@@ -747,31 +777,19 @@ set_newkeys(int mode)
@@ -753,31 +783,19 @@ set_newkeys(int mode)
} else {
cc = &active_state->receive_context;
crypt_type = CIPHER_DECRYPT;
@ -704,13 +704,13 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
- memset(enc->iv, 0, enc->iv_len);
- memset(enc->key, 0, enc->key_len);
- memset(mac->key, 0, mac->key_len);
- xfree(enc->name);
- xfree(enc->iv);
- xfree(enc->key);
- xfree(mac->name);
- xfree(mac->key);
- xfree(comp->name);
- xfree(active_state->newkeys[mode]);
- free(enc->name);
- free(enc->iv);
- free(enc->key);
- free(mac->name);
- free(mac->key);
- free(comp->name);
- free(active_state->newkeys[mode]);
+ newkeys_destroy_and_free(active_state->newkeys[mode]);
}
active_state->newkeys[mode] = kex_get_newkeys(mode);
@ -720,7 +720,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
mac = &active_state->newkeys[mode]->mac;
comp = &active_state->newkeys[mode]->comp;
if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
@@ -1967,54 +1985,93 @@ packet_get_output(void)
@@ -1995,54 +2013,93 @@ packet_get_output(void)
}
void *
@ -819,15 +819,15 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c
+ backup_state->connection_in = -1;
+ backup_state->connection_out = -1;
+ packet_destroy_state(backup_state);
+ xfree(backup_state);
+ free(backup_state);
+ backup_state = NULL;
}
+
diff --git a/openssh-6.2p2/packet.h b/openssh-6.2p2/packet.h
--- a/openssh-6.2p2/packet.h
+++ b/openssh-6.2p2/packet.h
@@ -118,9 +118,10 @@ int packet_need_rekeying(void);
void packet_set_rekey_limit(u_int32_t);
diff --git a/openssh-6.4p1/packet.h b/openssh-6.4p1/packet.h
--- a/openssh-6.4p1/packet.h
+++ b/openssh-6.4p1/packet.h
@@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t,
time_t packet_get_rekey_timeout(void);
void packet_backup_state(void);
void packet_restore_state(void);
@ -837,10 +837,10 @@ diff --git a/openssh-6.2p2/packet.h b/openssh-6.2p2/packet.h
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
--- a/openssh-6.2p2/session.c
+++ b/openssh-6.2p2/session.c
@@ -1648,16 +1648,19 @@ do_child(Session *s, const char *command
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
--- a/openssh-6.4p1/session.c
+++ b/openssh-6.4p1/session.c
@@ -1661,16 +1661,19 @@ do_child(Session *s, const char *command
int env_size;
char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL;
@ -860,10 +860,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
do_pwchange(s);
exit(1);
}
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
@@ -695,16 +695,18 @@ privsep_preauth(Authctxt *authctxt)
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -703,16 +703,18 @@ privsep_preauth(Authctxt *authctxt)
setproctitle("%s", "[net]");
if (box != NULL)
ssh_sandbox_child(box);
@ -882,7 +882,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -719,16 +721,20 @@ privsep_postauth(Authctxt *authctxt)
@@ -727,16 +729,20 @@ privsep_postauth(Authctxt *authctxt)
monitor_reinit(pmonitor);
pmonitor->m_pid = fork();
@ -903,7 +903,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
/* child */
@@ -2028,16 +2034,17 @@ main(int ac, char **av)
@@ -2089,16 +2095,17 @@ main(int ac, char **av)
do_authentication(authctxt);
}
/*
@ -921,7 +921,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
* Cancel the alarm we set to limit the time taken for
* authentication.
*/
@@ -2080,16 +2087,18 @@ main(int ac, char **av)
@@ -2141,16 +2148,18 @@ main(int ac, char **av)
packet_set_timeout(options.client_alive_interval,
options.client_alive_count_max);
@ -940,7 +940,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
#ifdef USE_PAM
@@ -2397,26 +2406,38 @@ do_ssh2_kex(void)
@@ -2480,26 +2489,38 @@ do_ssh2_kex(void)
#endif
debug("KEX done");
}

116
openssh-6.2p2-audit6-server_key_destruction.patch → openssh-6.4p1-audit6-server_key_destruction.patch
View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2015
# by jchadima@redhat.com
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
--- a/openssh-6.2p2/audit-bsm.c
+++ b/openssh-6.2p2/audit-bsm.c
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c
@@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char
/* not implemented */
}
@ -35,9 +35,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
--- a/openssh-6.2p2/audit-linux.c
+++ b/openssh-6.2p2/audit-linux.c
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c
@@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
buf, NULL, get_remote_ipaddr(), NULL, 1);
@ -94,9 +94,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
--- a/openssh-6.2p2/audit.c
+++ b/openssh-6.2p2/audit.c
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
--- a/openssh-6.4p1/audit.c
+++ b/openssh-6.4p1/audit.c
@@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char
* This will be called on succesfull session key discard
*/
@ -127,9 +127,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
--- a/openssh-6.2p2/audit.h
+++ b/openssh-6.2p2/audit.h
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
--- a/openssh-6.4p1/audit.h
+++ b/openssh-6.4p1/audit.h
@@ -43,26 +43,30 @@ enum ssh_audit_event_type {
SSH_INVALID_USER,
SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */
@ -161,10 +161,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
+void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
--- a/openssh-6.2p2/key.c
+++ b/openssh-6.2p2/key.c
@@ -1841,16 +1841,40 @@ key_demote(const Key *k)
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
--- a/openssh-6.4p1/key.c
+++ b/openssh-6.4p1/key.c
@@ -1805,16 +1805,40 @@ key_demote(const Key *k)
fatal("key_free: bad key type %d", k->type);
break;
}
@ -205,9 +205,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
case KEY_RSA_CERT_V00:
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT:
diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
--- a/openssh-6.2p2/key.h
+++ b/openssh-6.2p2/key.h
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
--- a/openssh-6.4p1/key.h
+++ b/openssh-6.4p1/key.h
@@ -106,16 +106,17 @@ int key_read(Key *, char **);
u_int key_size(const Key *);
enum fp_type key_fp_type_select(void);
@ -226,10 +226,10 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
int key_cert_check_authority(const Key *, int, int, const char *,
const char **);
int key_cert_is_legacy(const Key *);
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
--- a/openssh-6.2p2/monitor.c
+++ b/openssh-6.2p2/monitor.c
@@ -109,16 +109,18 @@ extern u_int utmp_len;
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+++ b/openssh-6.4p1/monitor.c
@@ -110,16 +110,18 @@ extern u_int utmp_len;
extern Newkeys *current_keys[];
extern z_stream incoming_stream;
extern z_stream outgoing_stream;
@ -248,7 +248,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
u_char *keyin;
u_int keyinlen;
u_char *keyout;
@@ -185,16 +187,17 @@ int mm_answer_gss_checkmic(int, Buffer *
@@ -186,16 +188,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
@ -266,7 +266,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -239,16 +242,17 @@ struct mon_table mon_dispatch_proto20[]
@@ -240,16 +243,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
@ -284,7 +284,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -279,16 +283,17 @@ struct mon_table mon_dispatch_postauth20
@@ -280,16 +284,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -302,7 +302,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -313,31 +318,33 @@ struct mon_table mon_dispatch_proto15[]
@@ -314,31 +319,33 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
@ -336,7 +336,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1746,16 +1753,18 @@ mm_answer_term(int sock, Buffer *req)
@@ -1761,16 +1768,18 @@ mm_answer_term(int sock, Buffer *req)
/* The child is terminating */
session_destroy_all(&mm_session_close);
@ -355,7 +355,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
/* Terminate process */
exit(res);
@@ -2485,9 +2494,30 @@ mm_answer_audit_session_key_free_body(in
@@ -2504,9 +2513,30 @@ mm_answer_audit_session_key_free_body(in
audit_session_key_free_body(ctos, pid, uid);
@ -379,16 +379,16 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
+
+ audit_destroy_sensitive_data(fp, pid, uid);
+
+ xfree(fp);
+ free(fp);
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
--- a/openssh-6.2p2/monitor.h
+++ b/openssh-6.2p2/monitor.h
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+++ b/openssh-6.4p1/monitor.h
@@ -68,16 +68,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -407,10 +407,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
--- a/openssh-6.2p2/monitor_wrap.c
+++ b/openssh-6.2p2/monitor_wrap.c
@@ -1535,9 +1535,25 @@ mm_audit_session_key_free_body(int ctos,
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c
@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos,
buffer_put_int(&m, ctos);
buffer_put_int64(&m, pid);
buffer_put_int64(&m, uid);
@ -436,9 +436,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
--- a/openssh-6.2p2/monitor_wrap.h
+++ b/openssh-6.2p2/monitor_wrap.h
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h
@@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
#include "audit.h"
@ -457,10 +457,10 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
--- a/openssh-6.2p2/session.c
+++ b/openssh-6.2p2/session.c
@@ -131,17 +131,17 @@ static int session_pty_req(Session *);
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
--- a/openssh-6.4p1/session.c
+++ b/openssh-6.4p1/session.c
@@ -132,17 +132,17 @@ static int session_pty_req(Session *);
/* import */
extern ServerOptions options;
@ -479,7 +479,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
/* data */
static int sessions_first_unused = -1;
static int sessions_nalloc = 0;
@@ -1647,17 +1647,17 @@ do_child(Session *s, const char *command
@@ -1660,17 +1660,17 @@ do_child(Session *s, const char *command
char **env;
int env_size;
char *argv[ARGV_MAX];
@ -498,10 +498,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
if (s->authctxt->force_pwchange) {
do_setusercontext(pw);
child_close_fds();
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
@@ -250,17 +250,17 @@ Buffer cfg;
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -256,17 +256,17 @@ Buffer cfg;
/* message to be displayed after login */
Buffer loginmsg;
@ -520,7 +520,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
/*
* Close all listening sockets
*/
@@ -269,16 +269,25 @@ close_listen_socks(void)
@@ -275,16 +275,25 @@ close_listen_socks(void)
{
int i;
@ -546,7 +546,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
if (startup_pipes)
for (i = 0; i < options.max_startups; i++)
if (startup_pipes[i] != -1)
@@ -541,60 +550,99 @@ sshd_exchange_identification(int sock_in
@@ -547,60 +556,99 @@ sshd_exchange_identification(int sock_in
close(sock_out);
logit("Protocol major versions differ for %s: %.200s vs. %.200s",
get_remote_ipaddr(),
@ -592,7 +592,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
+ else
+ audit_destroy_sensitive_data(fp,
+ pid, uid);
+ xfree(fp);
+ free(fp);
+ }
}
- if (sensitive_data.host_certificates[i]) {
@ -639,7 +639,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
sensitive_data.ssh1_host_key = tmp;
+ if (fp != NULL) {
+ audit_destroy_sensitive_data(fp, pid, uid);
+ xfree(fp);
+ free(fp);
+ }
}
/* Certs do not need demotion */
@ -649,7 +649,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
}
static void
@@ -1154,16 +1202,17 @@ server_accept_loop(int *sock_in, int *so
@@ -1179,16 +1227,17 @@ server_accept_loop(int *sock_in, int *so
/* Wait in select until there is a connection. */
ret = select(maxfd+1, fdset, NULL, NULL, NULL);
@ -667,7 +667,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
generate_ephemeral_server_key();
key_used = 0;
key_do_regen = 0;
@@ -2077,27 +2126,28 @@ main(int ac, char **av)
@@ -2138,27 +2187,28 @@ main(int ac, char **av)
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
@ -697,11 +697,11 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
@@ -2316,17 +2366,17 @@ do_ssh1_kex(void)
@@ -2377,17 +2427,17 @@ do_ssh1_kex(void)
MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
MD5_Final(session_key + 16, &md);
memset(buf, 0, bytes);
xfree(buf);
free(buf);
for (i = 0; i < 16; i++)
session_id[i] = session_key[i] ^ session_key[i + 16];
}
@ -716,7 +716,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
BN_clear_free(session_key_int);
/* Set the session key. From this on all communications will be encrypted. */
@@ -2427,16 +2477,18 @@ cleanup_exit(int i)
@@ -2510,16 +2560,18 @@ cleanup_exit(int i)
debug("Killing privsep child %d", pmonitor->m_pid);
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)

10
openssh-6.2p2-audit7-libaudit_compat.patch → openssh-6.4p1-audit7-libaudit_compat.patch
View File

@ -1,8 +1,8 @@
# definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
--- a/openssh-6.2p2/audit-linux.c
+++ b/openssh-6.2p2/audit-linux.c
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c
@@ -25,16 +25,17 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
@ -21,10 +21,10 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
#include "key.h"
#include "hostfile.h"
#include "auth.h"
diff --git a/openssh-6.2p2/compat-libaudit.h b/openssh-6.2p2/compat-libaudit.h
diff --git a/openssh-6.4p1/compat-libaudit.h b/openssh-6.4p1/compat-libaudit.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/compat-libaudit.h
+++ b/openssh-6.4p1/compat-libaudit.h
@@ -0,0 +1,79 @@
+/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */
+/* libaudit.h --

6
openssh-6.2p2-audit8-libaudit_dns_timeouts.patch → openssh-6.4p1-audit8-libaudit_dns_timeouts.patch
View File

@ -4,9 +4,9 @@
# Note that this particular solution causes the logs to always contain
# "hostname=?, addr=?" when DNS lookups are disabled.
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
--- a/openssh-6.2p2/audit-linux.c
+++ b/openssh-6.2p2/audit-linux.c
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c
@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)

16
openssh-6.2p2-blocksigalrm.patch → openssh-6.4p1-blocksigalrm.patch
View File

@ -2,10 +2,10 @@
# grace_alarm_handler)
# bnc#57354
diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c
--- a/openssh-6.2p2/log.c
+++ b/openssh-6.2p2/log.c
@@ -46,16 +46,17 @@
diff --git a/openssh-6.4p1/log.c b/openssh-6.4p1/log.c
--- a/openssh-6.4p1/log.c
+++ b/openssh-6.4p1/log.c
@@ -47,16 +47,17 @@
#include <unistd.h>
#include <errno.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
@ -18,12 +18,12 @@ diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
static int log_stderr_fd = STDERR_FILENO;
static int log_facility = LOG_AUTH;
static char *argv0;
static log_handler_fn *log_handler;
static void *log_handler_ctx;
@@ -368,16 +369,17 @@ do_log(LogLevel level, const char *fmt,
@@ -384,16 +385,17 @@ do_log(LogLevel level, const char *fmt,
{
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
@ -41,14 +41,14 @@ diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c
switch (level) {
case SYSLOG_LEVEL_FATAL:
@@ -426,20 +428,29 @@ do_log(LogLevel level, const char *fmt,
@@ -442,20 +444,29 @@ do_log(LogLevel level, const char *fmt,
tmp_handler = log_handler;
log_handler = NULL;
tmp_handler(level, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
+ /* Prevent a race between the grace_alarm
+ * which writes a log message and terminates

6
openssh-6.2p2-default-protocol.patch → openssh-6.4p1-default-protocol.patch
View File

@ -1,8 +1,8 @@
# only enable SSHv2 protocol by default (upstream default is fallback to v1)
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
--- a/openssh-6.2p2/ssh_config
+++ b/openssh-6.2p2/ssh_config
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+++ b/openssh-6.4p1/ssh_config
@@ -41,17 +41,17 @@ ForwardX11Trusted yes
# CheckHostIP yes
# AddressFamily any

6
openssh-6.2p2-disable-openssl-abi-check.patch → openssh-6.4p1-disable-openssl-abi-check.patch
View File

@ -2,9 +2,9 @@
# reliable indicator of ABI changes and doesn't make much sense in a
# distribution package
diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c
--- a/openssh-6.2p2/entropy.c
+++ b/openssh-6.2p2/entropy.c
diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c
--- a/openssh-6.4p1/entropy.c
+++ b/openssh-6.4p1/entropy.c
@@ -212,22 +212,23 @@ seed_rng(void)
#endif
/*

20
openssh-6.2p2-eal3.patch → openssh-6.4p1-eal3.patch
View File

@ -1,9 +1,9 @@
# fix paths and references in sshd man pages
diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
--- a/openssh-6.2p2/sshd.8
+++ b/openssh-6.2p2/sshd.8
@@ -871,17 +871,17 @@ See
diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
--- a/openssh-6.4p1/sshd.8
+++ b/openssh-6.4p1/sshd.8
@@ -872,17 +872,17 @@ See
If this file exists,
.Nm
refuses to let anyone except root log in.
@ -22,7 +22,7 @@ diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
@@ -950,17 +950,17 @@ The content of this file is not sensitiv
@@ -951,17 +951,17 @@ The content of this file is not sensitiv
.Xr sftp 1 ,
.Xr ssh 1 ,
.Xr ssh-add 1 ,
@ -41,10 +41,10 @@ diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
--- a/openssh-6.2p2/sshd_config.5
+++ b/openssh-6.2p2/sshd_config.5
@@ -271,18 +271,17 @@ The contents of the specified file are s
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5
+++ b/openssh-6.4p1/sshd_config.5
@@ -278,18 +278,17 @@ The contents of the specified file are s
authentication is allowed.
If the argument is
.Dq none
@ -64,7 +64,7 @@ diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
to after authentication.
All components of the pathname must be root-owned directories that are
not writable by any other user or group.
@@ -550,17 +549,17 @@ and
@@ -565,17 +564,17 @@ and
.Pa .shosts
files will not be used in
.Cm RhostsRSAAuthentication

256
openssh-6.2p2-fingerprint_hash.patch → openssh-6.4p1-fingerprint_hash.patch
View File

@ -1,36 +1,36 @@
# HG changeset patch
# Parent 2e71c896d924778e46e68e0c9be9a8b13e428f2f
# Parent d41afe56fd49d0a9669738b1f4d53ddae0cb195a
# select fingerprint hash algorithms based on the environment variable
# SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints
# Petr Cerny <pcerny@suse.cz>
diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
--- a/openssh-6.2p2/auth-rsa.c
+++ b/openssh-6.2p2/auth-rsa.c
@@ -323,17 +323,17 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
return (0);
}
/*
* Correct response. The client has been successfully
* authenticated. Note that we have not yet processed the
* options; this will be reset if the options cause the
* authentication to be rejected.
*/
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(key), fp);
xfree(fp);
key_free(key);
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c
+++ b/openssh-6.4p1/auth-rsa.c
@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p
packet_send_debug("RSA authentication accepted.");
return (1);
}
diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
--- a/openssh-6.2p2/auth.c
+++ b/openssh-6.2p2/auth.c
@@ -658,17 +658,17 @@ auth_key_is_revoked(Key *key)
/* check the real bits */
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != keybits)
logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(key), fp);
free(fp);
/* Never accept a revoked key */
if (auth_key_is_revoked(key))
break;
diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
--- a/openssh-6.4p1/auth.c
+++ b/openssh-6.4p1/auth.c
@@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key)
case -1:
/* Error opening revoked_keys_file: refuse all keys */
error("Revoked keys file is unreadable: refusing public key "
@ -43,16 +43,16 @@ diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
+ key_fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
error("WARNING: authentication attempt with a revoked "
"%s key %s ", key_type(key), key_fp);
xfree(key_fp);
free(key_fp);
return 1;
}
fatal("key_in_file returned junk");
}
diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
--- a/openssh-6.2p2/auth2-hostbased.c
+++ b/openssh-6.2p2/auth2-hostbased.c
@@ -192,23 +192,23 @@ hostbased_key_allowed(struct passwd *pw,
diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
--- a/openssh-6.4p1/auth2-hostbased.c
+++ b/openssh-6.4p1/auth2-hostbased.c
@@ -196,23 +196,23 @@ hostbased_key_allowed(struct passwd *pw,
_PATH_SSH_SYSTEM_HOSTFILE2,
options.ignore_user_known_hosts ? NULL :
_PATH_SSH_USER_HOSTFILE2);
@ -73,15 +73,43 @@ diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c
verbose("Accepted %s public key %s from %s@%s",
key_type(key), fp, cuser, lookup);
}
xfree(fp);
free(fp);
}
return (host_status == HOST_OK);
}
diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
--- a/openssh-6.2p2/auth2-pubkey.c
+++ b/openssh-6.2p2/auth2-pubkey.c
@@ -312,17 +312,17 @@ check_authkeys_file(FILE *f, char *file,
diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
--- a/openssh-6.4p1/auth2-pubkey.c
+++ b/openssh-6.4p1/auth2-pubkey.c
@@ -202,25 +202,25 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap);
va_end(ap);
if (i < 0 || extra == NULL)
fatal("%s: vasprintf failed", __func__);
}
if (key_is_cert(key)) {
fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ key_fp_type_select(), SSH_FP_HEX);
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
key_type(key), key->cert->key_id,
(unsigned long long)key->cert->serial,
key_type(key->cert->signature_key), fp,
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
} else {
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
}
free(extra);
}
static int
@@ -354,17 +354,17 @@ check_authkeys_file(FILE *f, char *file,
if (key_is_cert(key)) {
if (!key_equal(found, key->cert->signature_key))
continue;
@ -100,26 +128,26 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
* a key option, then prefer that list to matching
* their username in the certificate principals list.
*/
@@ -355,17 +355,17 @@ check_authkeys_file(FILE *f, char *file,
@@ -395,17 +395,17 @@ check_authkeys_file(FILE *f, char *file,
break;
} else if (key_equal(found, key)) {
if (auth_parse_options(pw, key_options, file,
linenum) != 1)
continue;
if (key_is_cert_authority)
continue;
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(found, key_fp_type_select(), SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(found), fp);
xfree(fp);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(found), fp);
free(fp);
break;
}
}
key_free(found);
if (!found_key)
@@ -380,17 +380,17 @@ user_cert_trusted_ca(struct passwd *pw,
if (found != NULL)
key_free(found);
@@ -421,17 +421,17 @@ user_cert_trusted_ca(struct passwd *pw,
char *ca_fp, *principals_file = NULL;
const char *reason;
int ret = 0;
@ -138,11 +166,11 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c
options.trusted_user_ca_keys);
goto out;
}
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
--- a/openssh-6.2p2/key.c
+++ b/openssh-6.2p2/key.c
@@ -391,30 +391,38 @@ key_fingerprint_raw(const Key *k, enum f
xfree(blob);
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
--- a/openssh-6.4p1/key.c
+++ b/openssh-6.4p1/key.c
@@ -390,30 +390,38 @@ key_fingerprint_raw(const Key *k, enum f
free(blob);
} else {
fatal("key_fingerprint_raw: blob is null");
}
@ -183,7 +211,7 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
{
char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
@@ -489,17 +497,18 @@ key_fingerprint_bubblebabble(u_char *dgs
@@ -488,17 +496,18 @@ key_fingerprint_bubblebabble(u_char *dgs
* can be in the exact middle of the picture, and FLDBASE should be >=8 .
* Else pictures would be too dense, and drawing the frame would
* fail, too, because the key type would not fit in anymore.
@ -203,7 +231,7 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
char *augmentation_string = " .o+=*BOX@%&#/^SE";
char *retval, *p;
u_char field[FLDSIZE_X][FLDSIZE_Y];
@@ -556,18 +565,19 @@ key_fingerprint_randomart(u_char *dgst_r
@@ -555,18 +564,19 @@ key_fingerprint_randomart(u_char *dgst_r
*p++ = '|';
for (x = 0; x < FLDSIZE_X; x++)
*p++ = augmentation_string[MIN(field[x][y], len)];
@ -224,8 +252,8 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
}
char *
key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
@@ -576,34 +586,91 @@ key_fingerprint(Key *k, enum fp_type dgs
key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
@@ -575,34 +585,91 @@ key_fingerprint(const Key *k, enum fp_ty
u_char *dgst_raw;
u_int dgst_raw_len;
@ -250,7 +278,7 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
break;
}
memset(dgst_raw, 0, dgst_raw_len);
xfree(dgst_raw);
free(dgst_raw);
return retval;
}
@ -319,9 +347,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
* the buffer containing the number.
*/
static int
diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
--- a/openssh-6.2p2/key.h
+++ b/openssh-6.2p2/key.h
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
--- a/openssh-6.4p1/key.h
+++ b/openssh-6.4p1/key.h
@@ -51,16 +51,18 @@ enum fp_type {
SSH_FP_MD5,
SSH_FP_SHA256
@ -343,7 +371,7 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
@@ -97,16 +99,18 @@ int key_equal_public(const Key *, cons
int key_equal(const Key *, const Key *);
char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
const char *key_type(const Key *);
const char *key_cert_type(const Key *);
@ -360,9 +388,9 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
int key_type_plain(int);
int key_to_certified(Key *, int);
int key_drop_cert(Key *);
diff --git a/openssh-6.2p2/ssh-add.c b/openssh-6.2p2/ssh-add.c
--- a/openssh-6.2p2/ssh-add.c
+++ b/openssh-6.2p2/ssh-add.c
diff --git a/openssh-6.4p1/ssh-add.c b/openssh-6.4p1/ssh-add.c
--- a/openssh-6.4p1/ssh-add.c
+++ b/openssh-6.4p1/ssh-add.c
@@ -321,17 +321,17 @@ list_identities(AuthenticationConnection
int version;
@ -377,15 +405,15 @@ diff --git a/openssh-6.2p2/ssh-add.c b/openssh-6.2p2/ssh-add.c
SSH_FP_HEX);
printf("%d %s %s (%s)\n",
key_size(key), fp, comment, key_type(key));
xfree(fp);
free(fp);
} else {
if (!key_write(key, stdout))
fprintf(stderr, "key_write failed");
fprintf(stdout, " %s\n", comment);
diff --git a/openssh-6.2p2/ssh-agent.c b/openssh-6.2p2/ssh-agent.c
--- a/openssh-6.2p2/ssh-agent.c
+++ b/openssh-6.2p2/ssh-agent.c
@@ -194,17 +194,17 @@ lookup_identity(Key *key, int version)
diff --git a/openssh-6.4p1/ssh-agent.c b/openssh-6.4p1/ssh-agent.c
--- a/openssh-6.4p1/ssh-agent.c
+++ b/openssh-6.4p1/ssh-agent.c
@@ -193,17 +193,17 @@ lookup_identity(Key *key, int version)
/* Check confirmation of keysign request */
static int
@ -399,14 +427,44 @@ diff --git a/openssh-6.2p2/ssh-agent.c b/openssh-6.2p2/ssh-agent.c
if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
id->comment, p))
ret = 0;
xfree(p);
free(p);
return (ret);
}
diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
--- a/openssh-6.2p2/ssh-keygen.c
+++ b/openssh-6.2p2/ssh-keygen.c
diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
--- a/openssh-6.4p1/ssh-keygen.c
+++ b/openssh-6.4p1/ssh-keygen.c
@@ -725,27 +725,27 @@ do_download(struct passwd *pw)
{
#ifdef ENABLE_PKCS11
Key **keys = NULL;
int i, nkeys;
enum fp_rep rep;
enum fp_type fptype;
char *fp, *ra;
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fp_type_select();
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
pkcs11_init(0);
nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
if (nkeys <= 0)
fatal("cannot read public key from pkcs11");
for (i = 0; i < nkeys; i++) {
if (print_fingerprint) {
fp = key_fingerprint(keys[i], fptype, rep);
- ra = key_fingerprint(keys[i], SSH_FP_MD5,
+ ra = key_fingerprint(keys[i], key_fp_type_select(),
SSH_FP_RANDOMART);
printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
fp, key_type(keys[i]));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
free(ra);
free(fp);
} else {
@@ -768,29 +768,29 @@ do_fingerprint(struct passwd *pw)
FILE *f;
Key *public;
@ -436,9 +494,9 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
key_free(public);
xfree(comment);
xfree(ra);
xfree(fp);
free(comment);
free(ra);
free(fp);
@@ -846,17 +846,17 @@ do_fingerprint(struct passwd *pw)
public = key_new(KEY_UNSPEC);
if (key_read(public, &cp) != 1) {
@ -454,8 +512,8 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
comment ? comment : "no comment", key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
xfree(ra);
xfree(fp);
free(ra);
free(fp);
key_free(public);
invalid = 0;
@@ -967,20 +967,20 @@ do_gen_all_hostkeys(struct passwd *pw)
@ -477,11 +535,11 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
xfree(ra);
xfree(fp);
free(ra);
free(fp);
} else {
if (hash && (name = host_hash(name, NULL, 0)) == NULL)
@@ -1849,19 +1849,19 @@ do_show_cert(struct passwd *pw)
@@ -1850,19 +1850,19 @@ do_show_cert(struct passwd *pw)
if (stat(identity_file, &st) < 0)
fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
if ((key = key_load_public(identity_file, NULL)) == NULL)
@ -503,7 +561,7 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
printf(" Signing CA: %s %s\n",
key_type(key->cert->signature_key), ca_fp);
printf(" Key ID: \"%s\"\n", key->cert->key_id);
@@ -2646,18 +2646,18 @@ passphrase_again:
@@ -2650,18 +2650,18 @@ passphrase_again:
exit(1);
}
if (!key_write(public, f))
@ -523,11 +581,11 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c
printf("%s %s\n", fp, comment);
printf("The key's randomart image is:\n");
printf("%s\n", ra);
xfree(ra);
diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
--- a/openssh-6.2p2/sshconnect.c
+++ b/openssh-6.2p2/sshconnect.c
@@ -826,18 +826,18 @@ check_host_key(char *hostname, struct so
free(ra);
diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
--- a/openssh-6.4p1/sshconnect.c
+++ b/openssh-6.4p1/sshconnect.c
@@ -825,18 +825,18 @@ check_host_key(char *hostname, struct so
"address '%.128s' to the list of known "
"hosts (%.30s).", type, ip,
user_hostfiles[0]);
@ -542,13 +600,13 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
+ ra = key_fingerprint(host_key, key_fp_type_select(),
SSH_FP_RANDOMART);
logit("Host key fingerprint is %s\n%s\n", fp, ra);
xfree(ra);
xfree(fp);
free(ra);
free(fp);
}
break;
case HOST_NEW:
if (options.host_key_alias == NULL && port != 0 &&
@@ -867,18 +867,18 @@ check_host_key(char *hostname, struct so
@@ -866,18 +866,18 @@ check_host_key(char *hostname, struct so
if (show_other_keys(host_hostkeys, host_key))
snprintf(msg1, sizeof(msg1),
@ -569,7 +627,7 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
"Matching host key fingerprint"
" found in DNS.\n");
else
@@ -1132,17 +1132,17 @@ fail:
@@ -1131,17 +1131,17 @@ fail:
/* returns 0 if key verifies or -1 if key does NOT verify */
int
@ -581,14 +639,14 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(host_key, key_fp_type_select(), SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
xfree(fp);
free(fp);
/* XXX certs are not yet supported for DNS */
if (!key_is_cert(host_key) && options.verify_host_key_dns &&
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
if (flags & DNS_VERIFY_FOUND) {
@@ -1234,18 +1234,18 @@ show_other_keys(struct hostkeys *hostkey
@@ -1233,18 +1233,18 @@ show_other_keys(struct hostkeys *hostkey
char *fp, *ra;
const struct hostkey_entry *found;
@ -609,7 +667,7 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
key_type(found->key), fp);
if (options.visual_host_key)
logit("%s", ra);
@@ -1256,17 +1256,17 @@ show_other_keys(struct hostkeys *hostkey
@@ -1255,17 +1255,17 @@ show_other_keys(struct hostkeys *hostkey
return ret;
}
@ -628,10 +686,10 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.",
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
--- a/openssh-6.2p2/sshconnect2.c
+++ b/openssh-6.2p2/sshconnect2.c
@@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c
+++ b/openssh-6.4p1/sshconnect2.c
@@ -590,17 +590,17 @@ input_userauth_pk_ok(int type, u_int32_t
goto done;
}
if (key->type != pktype) {
@ -643,14 +701,14 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
debug2("input_userauth_pk_ok: fp %s", fp);
xfree(fp);
free(fp);
/*
* search keys in the reverse order, because last candidate has been
* moved to the end of the queue. this also avoids confusion by
* duplicate keys
*/
@@ -1207,17 +1207,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
@@ -1204,17 +1204,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
Buffer b;
u_char *blob, *signature;
u_int bloblen, slen;
@ -662,7 +720,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(id->key, key_fp_type_select(), SSH_FP_HEX);
debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
xfree(fp);
free(fp);
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
/* we cannot handle this key */

86
openssh-6.2p2-fips.patch → openssh-6.4p1-fips.patch
View File

@ -4,9 +4,9 @@
# HG changeset patch
# Parent 6536ed881743cbf05afe962021b985f9b1eab495
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
--- a/openssh-6.2p2/Makefile.in
+++ b/openssh-6.2p2/Makefile.in
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in
+++ b/openssh-6.4p1/Makefile.in
@@ -72,17 +72,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -26,9 +26,9 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
--- a/openssh-6.2p2/auth-rsa.c
+++ b/openssh-6.2p2/auth-rsa.c
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c
+++ b/openssh-6.4p1/auth-rsa.c
@@ -15,17 +15,17 @@
*/
@ -132,7 +132,7 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
debug("unsuccessful audit");
rv = 0;
}
xfree(fp);
free(fp);
@@ -135,17 +145,17 @@ auth_rsa_verify_response(Key *key, BIGNU
* and returns true (non-zero) if the client gave the correct answer to
* our challenge; returns zero if the client gives a wrong answer.
@ -171,9 +171,9 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c
return (success);
}
diff --git a/openssh-6.2p2/cipher-ctr.c b/openssh-6.2p2/cipher-ctr.c
--- a/openssh-6.2p2/cipher-ctr.c
+++ b/openssh-6.2p2/cipher-ctr.c
diff --git a/openssh-6.4p1/cipher-ctr.c b/openssh-6.4p1/cipher-ctr.c
--- a/openssh-6.4p1/cipher-ctr.c
+++ b/openssh-6.4p1/cipher-ctr.c
@@ -21,16 +21,17 @@
#include <stdarg.h>
@ -208,9 +208,9 @@ diff --git a/openssh-6.2p2/cipher-ctr.c b/openssh-6.2p2/cipher-ctr.c
}
#endif /* OPENSSL_HAVE_EVPCTR */
diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
--- a/openssh-6.2p2/cipher.c
+++ b/openssh-6.2p2/cipher.c
diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
--- a/openssh-6.4p1/cipher.c
+++ b/openssh-6.4p1/cipher.c
@@ -42,16 +42,17 @@
#include <openssl/md5.h>
@ -373,10 +373,10 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c
/*
* Exports an IV from the CipherContext required to export the key
* state back from the unprivileged child to the privileged parent
diff --git a/openssh-6.2p2/fips.c b/openssh-6.2p2/fips.c
diff --git a/openssh-6.4p1/fips.c b/openssh-6.4p1/fips.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/fips.c
+++ b/openssh-6.4p1/fips.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -554,10 +554,10 @@ new file mode 100644
+ return EVP_get_digestbynid(fips_hash_nid_min());
+}
+
diff --git a/openssh-6.2p2/fips.h b/openssh-6.2p2/fips.h
diff --git a/openssh-6.4p1/fips.h b/openssh-6.4p1/fips.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/fips.h
+++ b/openssh-6.4p1/fips.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -613,9 +613,9 @@ new file mode 100644
+
+#endif
+
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
--- a/openssh-6.2p2/key.c
+++ b/openssh-6.2p2/key.c
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
--- a/openssh-6.4p1/key.c
+++ b/openssh-6.4p1/key.c
@@ -49,16 +49,17 @@
#include "xmalloc.h"
#include "key.h"
@ -654,9 +654,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
/*
* string lengths must be less or equal to SSH_FP_TYPE_STRLEN (defined in
* key.h) as to fit into the fingerprint string buffer
diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
--- a/openssh-6.2p2/mac.c
+++ b/openssh-6.2p2/mac.c
diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
--- a/openssh-6.4p1/mac.c
+++ b/openssh-6.4p1/mac.c
@@ -36,34 +36,35 @@
#include "xmalloc.h"
#include "log.h"
@ -760,9 +760,9 @@ diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c
mac_setup_by_id(mac, i);
debug2("mac_setup: found %s", name);
return (0);
diff --git a/openssh-6.2p2/myproposal.h b/openssh-6.2p2/myproposal.h
--- a/openssh-6.2p2/myproposal.h
+++ b/openssh-6.2p2/myproposal.h
diff --git a/openssh-6.4p1/myproposal.h b/openssh-6.4p1/myproposal.h
--- a/openssh-6.4p1/myproposal.h
+++ b/openssh-6.4p1/myproposal.h
@@ -71,16 +71,20 @@
"ssh-dss"
@ -804,9 +804,9 @@ diff --git a/openssh-6.2p2/myproposal.h b/openssh-6.2p2/myproposal.h
static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX,
KEX_DEFAULT_PK_ALG,
diff --git a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c b/openssh-6.2p2/openbsd-compat/bsd-arc4random.c
--- a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c
+++ b/openssh-6.2p2/openbsd-compat/bsd-arc4random.c
diff --git a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
--- a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
+++ b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
@@ -18,34 +18,35 @@
#include <sys/types.h>
@ -930,9 +930,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c b/openssh-6.2p2/openb
{
size_t i;
u_int32_t r = 0;
diff --git a/openssh-6.2p2/ssh-rsa.c b/openssh-6.2p2/ssh-rsa.c
--- a/openssh-6.2p2/ssh-rsa.c
+++ b/openssh-6.2p2/ssh-rsa.c
diff --git a/openssh-6.4p1/ssh-rsa.c b/openssh-6.4p1/ssh-rsa.c
--- a/openssh-6.4p1/ssh-rsa.c
+++ b/openssh-6.4p1/ssh-rsa.c
@@ -27,16 +27,17 @@
#include "xmalloc.h"
@ -981,15 +981,15 @@ diff --git a/openssh-6.2p2/ssh-rsa.c b/openssh-6.2p2/ssh-rsa.c
+ fips_correct_nid(&nid);
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
xfree(sigblob);
free(sigblob);
return -1;
}
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen);
diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c
--- a/openssh-6.2p2/ssh.c
+++ b/openssh-6.2p2/ssh.c
diff --git a/openssh-6.4p1/ssh.c b/openssh-6.4p1/ssh.c
--- a/openssh-6.4p1/ssh.c
+++ b/openssh-6.4p1/ssh.c
@@ -99,16 +99,17 @@
#include "kex.h"
#include "mac.h"
@ -1028,7 +1028,7 @@ diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c
options.address_family = AF_INET;
break;
@@ -781,17 +784,22 @@ main(int ac, char **av)
xfree(cp);
free(cp);
}
if (muxclient_command != 0 && options.control_path == NULL)
fatal("No ControlPath specified for \"-O\" command");
@ -1051,9 +1051,9 @@ diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c
options.use_privileged_port,
#else
original_effective_uid == 0 && options.use_privileged_port,
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
--- a/openssh-6.2p2/sshconnect2.c
+++ b/openssh-6.2p2/sshconnect2.c
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c
+++ b/openssh-6.4p1/sshconnect2.c
@@ -67,16 +67,17 @@
#include "dispatch.h"
#include "canohost.h"
@ -1110,9 +1110,9 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
order_hostkeyalgs(host, hostaddr, port);
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -118,16 +118,17 @@
#ifdef GSSAPI
#include "ssh-gss.h"

228
openssh-6.2p2-gssapi_key_exchange.patch → openssh-6.4p1-gssapi_key_exchange.patch
View File

@ -1,10 +1,10 @@
# HG changeset patch
# Parent a72dad36a987a441e9c92807b1d654e43ddee409
diff --git a/openssh-6.2p2/ChangeLog.gssapi b/openssh-6.2p2/ChangeLog.gssapi
diff --git a/openssh-6.4p1/ChangeLog.gssapi b/openssh-6.4p1/ChangeLog.gssapi
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ChangeLog.gssapi
+++ b/openssh-6.4p1/ChangeLog.gssapi
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
@ -119,9 +119,9 @@ new file mode 100644
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
--- a/openssh-6.2p2/Makefile.in
+++ b/openssh-6.2p2/Makefile.in
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in
+++ b/openssh-6.4p1/Makefile.in
@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
canohost.o channels.o cipher.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
@ -158,9 +158,9 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
diff --git a/openssh-6.2p2/auth-krb5.c b/openssh-6.2p2/auth-krb5.c
--- a/openssh-6.2p2/auth-krb5.c
+++ b/openssh-6.2p2/auth-krb5.c
diff --git a/openssh-6.4p1/auth-krb5.c b/openssh-6.4p1/auth-krb5.c
--- a/openssh-6.4p1/auth-krb5.c
+++ b/openssh-6.4p1/auth-krb5.c
@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
@ -229,9 +229,9 @@ diff --git a/openssh-6.2p2/auth-krb5.c b/openssh-6.2p2/auth-krb5.c
}
#endif /* !HEIMDAL */
#endif /* KRB5 */
diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
--- a/openssh-6.2p2/auth2-gss.c
+++ b/openssh-6.2p2/auth2-gss.c
diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
--- a/openssh-6.4p1/auth2-gss.c
+++ b/openssh-6.4p1/auth2-gss.c
@@ -1,12 +1,12 @@
/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
@ -284,7 +284,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
+ authctxt->pw));
+
+ buffer_free(&b);
+ xfree(mic.value);
+ free(mic.value);
+
+ return (authenticated);
+}
@ -333,7 +333,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
logit("GSSAPI MIC check failed");
buffer_free(&b);
xfree(mic.value);
free(mic.value);
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@ -357,9 +357,9 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
Authmethod method_gssapi_old = {
"gssapi",
diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
--- a/openssh-6.2p2/auth2.c
+++ b/openssh-6.2p2/auth2.c
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
--- a/openssh-6.4p1/auth2.c
+++ b/openssh-6.4p1/auth2.c
@@ -64,27 +64,29 @@ extern Buffer loginmsg;
/* methods */
@ -390,9 +390,9 @@ diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
#endif
&method_passwd,
&method_kbdint,
diff --git a/openssh-6.2p2/clientloop.c b/openssh-6.2p2/clientloop.c
--- a/openssh-6.2p2/clientloop.c
+++ b/openssh-6.2p2/clientloop.c
diff --git a/openssh-6.4p1/clientloop.c b/openssh-6.4p1/clientloop.c
--- a/openssh-6.4p1/clientloop.c
+++ b/openssh-6.4p1/clientloop.c
@@ -106,16 +106,20 @@
#include "authfd.h"
#include "atomicio.h"
@ -440,9 +440,9 @@ diff --git a/openssh-6.2p2/clientloop.c b/openssh-6.2p2/clientloop.c
}
}
diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
--- a/openssh-6.2p2/configure.ac
+++ b/openssh-6.2p2/configure.ac
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
--- a/openssh-6.4p1/configure.ac
+++ b/openssh-6.4p1/configure.ac
@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
@ -484,9 +484,9 @@ diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
[Define if pututxline updates lastlog too])
)
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
--- a/openssh-6.2p2/gss-genr.c
+++ b/openssh-6.2p2/gss-genr.c
diff --git a/openssh-6.4p1/gss-genr.c b/openssh-6.4p1/gss-genr.c
--- a/openssh-6.4p1/gss-genr.c
+++ b/openssh-6.4p1/gss-genr.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
@ -572,8 +572,8 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
+
+ if (gss_enc2oid != NULL) {
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
+ xfree(gss_enc2oid[i].encoded);
+ xfree(gss_enc2oid);
+ free(gss_enc2oid[i].encoded);
+ free(gss_enc2oid);
+ }
+
+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
@ -630,7 +630,7 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
+ buffer_free(&buf);
+
+ if (strlen(mechs) == 0) {
+ xfree(mechs);
+ free(mechs);
+ mechs = NULL;
+ }
+
@ -702,7 +702,7 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
ssh_gssapi_error(ctx);
xfree(gssbuf.value);
free(gssbuf.value);
return (ctx->major);
}
@ -874,9 +874,9 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c
+}
+
#endif /* GSSAPI */
diff --git a/openssh-6.2p2/gss-serv-krb5.c b/openssh-6.2p2/gss-serv-krb5.c
--- a/openssh-6.2p2/gss-serv-krb5.c
+++ b/openssh-6.2p2/gss-serv-krb5.c
diff --git a/openssh-6.4p1/gss-serv-krb5.c b/openssh-6.4p1/gss-serv-krb5.c
--- a/openssh-6.4p1/gss-serv-krb5.c
+++ b/openssh-6.4p1/gss-serv-krb5.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1023,9 +1023,9 @@ diff --git a/openssh-6.2p2/gss-serv-krb5.c b/openssh-6.2p2/gss-serv-krb5.c
#endif /* KRB5 */
#endif /* GSSAPI */
diff --git a/openssh-6.2p2/gss-serv.c b/openssh-6.2p2/gss-serv.c
--- a/openssh-6.2p2/gss-serv.c
+++ b/openssh-6.2p2/gss-serv.c
diff --git a/openssh-6.4p1/gss-serv.c b/openssh-6.4p1/gss-serv.c
--- a/openssh-6.4p1/gss-serv.c
+++ b/openssh-6.4p1/gss-serv.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
@ -1412,9 +1412,9 @@ diff --git a/openssh-6.2p2/gss-serv.c b/openssh-6.2p2/gss-serv.c
}
#endif
diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
--- a/openssh-6.2p2/kex.c
+++ b/openssh-6.2p2/kex.c
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
--- a/openssh-6.4p1/kex.c
+++ b/openssh-6.4p1/kex.c
@@ -46,16 +46,24 @@
#include "log.h"
#include "mac.h"
@ -1471,9 +1471,9 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c
choose_hostkeyalg(Kex *k, char *client, char *server)
{
char *hostkeyalg = match_list(client, server, NULL);
diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h
--- a/openssh-6.2p2/kex.h
+++ b/openssh-6.2p2/kex.h
diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
--- a/openssh-6.4p1/kex.h
+++ b/openssh-6.4p1/kex.h
@@ -68,16 +68,19 @@ enum kex_modes {
};
@ -1539,10 +1539,10 @@ diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h
kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *);
diff --git a/openssh-6.2p2/kexgssc.c b/openssh-6.2p2/kexgssc.c
diff --git a/openssh-6.4p1/kexgssc.c b/openssh-6.4p1/kexgssc.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/kexgssc.c
+++ b/openssh-6.4p1/kexgssc.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1690,7 +1690,7 @@ new file mode 100644
+
+ /* If we've got an old receive buffer get rid of it */
+ if (token_ptr != GSS_C_NO_BUFFER)
+ xfree(recv_tok.value);
+ free(recv_tok.value);
+
+ if (maj_status == GSS_S_COMPLETE) {
+ /* If mutual state flag is not true, kex fails */
@ -1807,7 +1807,7 @@ new file mode 100644
+ fatal("kexdh_client: BN_bin2bn failed");
+
+ memset(kbuf, 0, klen);
+ xfree(kbuf);
+ free(kbuf);
+
+ switch (kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
@ -1850,11 +1850,11 @@ new file mode 100644
+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
+ packet_disconnect("Hash's MIC didn't verify");
+
+ xfree(msg_tok.value);
+ free(msg_tok.value);
+
+ DH_free(dh);
+ if (serverhostkey)
+ xfree(serverhostkey);
+ free(serverhostkey);
+ BN_clear_free(dh_server_pub);
+
+ /* save session id */
@ -1878,10 +1878,10 @@ new file mode 100644
+}
+
+#endif /* GSSAPI */
diff --git a/openssh-6.2p2/kexgsss.c b/openssh-6.2p2/kexgsss.c
diff --git a/openssh-6.4p1/kexgsss.c b/openssh-6.4p1/kexgsss.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/kexgsss.c
+++ b/openssh-6.4p1/kexgsss.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1965,7 +1965,7 @@ new file mode 100644
+ */
+ if (!ssh_gssapi_oid_table_ok())
+ if ((mechs = ssh_gssapi_server_mechanisms()))
+ xfree(mechs);
+ free(mechs);
+
+ debug2("%s: Identifying %s", __func__, kex->name);
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
@ -2043,7 +2043,7 @@ new file mode 100644
+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
+ &send_tok, &ret_flags));
+
+ xfree(recv_tok.value);
+ free(recv_tok.value);
+
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
+ fatal("Zero length token output when incomplete");
@ -2092,7 +2092,7 @@ new file mode 100644
+ fatal("kexgss_server: BN_bin2bn failed");
+
+ memset(kbuf, 0, klen);
+ xfree(kbuf);
+ free(kbuf);
+
+ switch (kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
@ -2171,9 +2171,9 @@ new file mode 100644
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
--- a/openssh-6.2p2/key.c
+++ b/openssh-6.2p2/key.c
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
--- a/openssh-6.4p1/key.c
+++ b/openssh-6.4p1/key.c
@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int
return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
case NID_secp521r1:
@ -2212,9 +2212,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c
int
key_ecdsa_nid_from_name(const char *name)
diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
--- a/openssh-6.2p2/key.h
+++ b/openssh-6.2p2/key.h
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
--- a/openssh-6.4p1/key.h
+++ b/openssh-6.4p1/key.h
@@ -39,16 +39,17 @@ enum types {
KEY_RSA,
KEY_DSA,
@ -2233,9 +2233,9 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h
SSH_FP_SHA256
};
enum fp_rep {
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
--- a/openssh-6.2p2/monitor.c
+++ b/openssh-6.2p2/monitor.c
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+++ b/openssh-6.4p1/monitor.c
@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *)
int mm_answer_pam_free_ctx(int, Buffer *);
#endif
@ -2355,7 +2355,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
blob = buffer_get_string(m, &bloblen);
buffer_init(&kex->my);
buffer_append(&kex->my, blob, bloblen);
xfree(blob);
free(blob);
blob = buffer_get_string(m, &bloblen);
@@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon)
#ifdef GSSAPI
@ -2374,7 +2374,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
major = ssh_gssapi_server_ctx(&gsscontext, &goid);
xfree(goid.elements);
free(goid.elements);
buffer_clear(m);
@@ -2162,16 +2189,19 @@ int
@ -2392,7 +2392,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
xfree(in.value);
free(in.value);
buffer_clear(m);
buffer_put_int(m, major);
@ -2428,7 +2428,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
xfree(gssbuf.value);
free(gssbuf.value);
@@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer
return (0);
}
@ -2482,7 +2482,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
+ }
+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+ xfree(data.value);
+ free(data.value);
+
+ buffer_clear(m);
+ buffer_put_int(m, major);
@ -2512,9 +2512,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
+
+ ok = ssh_gssapi_update_creds(&store);
+
+ xfree(store.filename);
+ xfree(store.envvar);
+ xfree(store.envval);
+ free(store.filename);
+ free(store.envvar);
+ free(store.envval);
+
+ buffer_clear(m);
+ buffer_put_int(m, ok);
@ -2532,9 +2532,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c
{
struct jpake_ctx *pctx;
u_char *x3_proof, *x4_proof;
diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
--- a/openssh-6.2p2/monitor.h
+++ b/openssh-6.2p2/monitor.h
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+++ b/openssh-6.4p1/monitor.h
@@ -70,16 +70,19 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
@ -2555,9 +2555,9 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h
int m_sendfd;
int m_log_recvfd;
int m_log_sendfd;
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
--- a/openssh-6.2p2/monitor_wrap.c
+++ b/openssh-6.2p2/monitor_wrap.c
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
&m);
@ -2638,9 +2638,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c
char **hash_scheme, char **salt)
{
Buffer m;
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
--- a/openssh-6.2p2/monitor_wrap.h
+++ b/openssh-6.2p2/monitor_wrap.h
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h
@@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *,
int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
@ -2663,9 +2663,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h
void *mm_sshpam_init_ctx(struct Authctxt *);
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **);
diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
--- a/openssh-6.2p2/readconf.c
+++ b/openssh-6.2p2/readconf.c
diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
--- a/openssh-6.4p1/readconf.c
+++ b/openssh-6.4p1/readconf.c
@@ -124,16 +124,18 @@ typedef enum {
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@ -2813,9 +2813,9 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h
--- a/openssh-6.2p2/readconf.h
+++ b/openssh-6.2p2/readconf.h
diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
--- a/openssh-6.4p1/readconf.h
+++ b/openssh-6.4p1/readconf.h
@@ -43,18 +43,23 @@ typedef struct {
int rhosts_rsa_authentication; /* Try rhosts with RSA
* authentication. */
@ -2840,9 +2840,9 @@ diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h
int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
--- a/openssh-6.2p2/servconf.c
+++ b/openssh-6.2p2/servconf.c
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
--- a/openssh-6.4p1/servconf.c
+++ b/openssh-6.4p1/servconf.c
@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions
options->hostbased_uses_name_from_packet_only = -1;
options->rsa_authentication = -1;
@ -3000,9 +3000,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
o->kbd_interactive_authentication);
diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
--- a/openssh-6.2p2/servconf.h
+++ b/openssh-6.2p2/servconf.h
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
--- a/openssh-6.4p1/servconf.h
+++ b/openssh-6.4p1/servconf.h
@@ -105,18 +105,21 @@ typedef struct {
* authentication mechanism,
* such as SecurID or
@ -3025,9 +3025,9 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
/* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
diff --git a/openssh-6.2p2/ssh-gss.h b/openssh-6.2p2/ssh-gss.h
--- a/openssh-6.2p2/ssh-gss.h
+++ b/openssh-6.2p2/ssh-gss.h
diff --git a/openssh-6.4p1/ssh-gss.h b/openssh-6.4p1/ssh-gss.h
--- a/openssh-6.4p1/ssh-gss.h
+++ b/openssh-6.4p1/ssh-gss.h
@@ -1,11 +1,11 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*
@ -3151,9 +3151,9 @@ diff --git a/openssh-6.2p2/ssh-gss.h b/openssh-6.2p2/ssh-gss.h
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
--- a/openssh-6.2p2/ssh_config
+++ b/openssh-6.2p2/ssh_config
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+++ b/openssh-6.4p1/ssh_config
@@ -32,16 +32,18 @@ Host *
ForwardX11Trusted yes
@ -3173,9 +3173,9 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
diff --git a/openssh-6.2p2/ssh_config.5 b/openssh-6.2p2/ssh_config.5
--- a/openssh-6.2p2/ssh_config.5
+++ b/openssh-6.2p2/ssh_config.5
diff --git a/openssh-6.4p1/ssh_config.5 b/openssh-6.4p1/ssh_config.5
--- a/openssh-6.4p1/ssh_config.5
+++ b/openssh-6.4p1/ssh_config.5
@@ -525,21 +525,53 @@ host key database, separated by whitespa
The default is
.Pa /etc/ssh/ssh_known_hosts ,
@ -3231,9 +3231,9 @@ diff --git a/openssh-6.2p2/ssh_config.5 b/openssh-6.2p2/ssh_config.5
These hashed names may be used normally by
.Xr ssh 1
and
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
--- a/openssh-6.2p2/sshconnect2.c
+++ b/openssh-6.2p2/sshconnect2.c
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c
+++ b/openssh-6.4p1/sshconnect2.c
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
return ret;
}
@ -3295,7 +3295,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "%s,null", orig);
+ xfree(gss);
+ free(gss);
+ }
+#endif
+
@ -3450,8 +3450,8 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
packet_check_eom();
debug("Server GSSAPI Error:\n%s", msg);
xfree(msg);
xfree(lang);
free(msg);
free(lang);
}
+
+int
@ -3503,9 +3503,9 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
/* initial userauth request */
packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(authctxt->server_user);
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -119,16 +119,24 @@
#include "ssh-gss.h"
#endif
@ -3812,9 +3812,9 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
kex->host_key_index=&get_hostkey_index;
xxx_kex = kex;
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
--- a/openssh-6.2p2/sshd_config
+++ b/openssh-6.2p2/sshd_config
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+++ b/openssh-6.4p1/sshd_config
@@ -75,16 +75,18 @@ PasswordAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
@ -3834,9 +3834,9 @@ diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
#GSSAPIEnableMITMAttack no
diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
--- a/openssh-6.2p2/sshd_config.5
+++ b/openssh-6.2p2/sshd_config.5
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5
+++ b/openssh-6.4p1/sshd_config.5
@@ -475,22 +475,50 @@ to force remote port forwardings to bind
to allow the client to select the address to which the forwarding is bound.
The default is

99
openssh-6.2p2-gssapimitm.patch → openssh-6.4p1-gssapimitm.patch
View File

@ -13,10 +13,10 @@
# recommended to use the 'gssapi-with-mic' mechanism. Existing installations
# are encouraged to upgrade as soon as possible.
diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
--- a/openssh-6.2p2/auth2-gss.c
+++ b/openssh-6.2p2/auth2-gss.c
@@ -174,16 +174,25 @@ input_gssapi_token(int type, u_int32_t p
diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
--- a/openssh-6.4p1/auth2-gss.c
+++ b/openssh-6.4p1/auth2-gss.c
@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
if (flags & GSS_C_INTEG_FLAG)
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
@ -42,7 +42,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
static void
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
@@ -295,9 +304,15 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -291,9 +300,15 @@ input_gssapi_mic(int type, u_int32_t ple
}
Authmethod method_gssapi = {
@ -58,9 +58,9 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c
+};
+
#endif /* GSSAPI */
diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
--- a/openssh-6.2p2/auth2.c
+++ b/openssh-6.2p2/auth2.c
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
--- a/openssh-6.4p1/auth2.c
+++ b/openssh-6.4p1/auth2.c
@@ -65,26 +65,28 @@ extern Buffer loginmsg;
extern Authmethod method_none;
@ -90,10 +90,10 @@ diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c
&method_kbdint,
&method_hostbased,
NULL
diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
--- a/openssh-6.2p2/readconf.c
+++ b/openssh-6.2p2/readconf.c
@@ -123,17 +123,17 @@ typedef enum {
diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
--- a/openssh-6.4p1/readconf.c
+++ b/openssh-6.4p1/readconf.c
@@ -126,17 +126,17 @@ typedef enum {
oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@ -109,10 +109,10 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oKexAlgorithms, oIPQoS, oRequestTTY,
oDeprecated, oUnsupported
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -165,19 +165,21 @@ static struct {
@@ -168,19 +168,21 @@ static struct {
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
{ "kerberosauthentication", oUnsupported },
@ -134,7 +134,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
{ "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
@@ -501,16 +503,20 @@ parse_flag:
@@ -514,16 +516,20 @@ parse_flag:
case oGssAuthentication:
intptr = &options->gss_authentication;
@ -155,7 +155,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
case oCheckHostIP:
intptr = &options->check_host_ip;
goto parse_flag;
@@ -1154,16 +1160,17 @@ initialize_options(Options * options)
@@ -1164,16 +1170,17 @@ initialize_options(Options * options)
options->xauth_location = NULL;
options->gateway_ports = -1;
options->use_privileged_port = -1;
@ -173,7 +173,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
@@ -1255,16 +1262,18 @@ fill_default_options(Options * options)
@@ -1265,16 +1272,18 @@ fill_default_options(Options * options)
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
if (options->challenge_response_authentication == -1)
@ -192,9 +192,9 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c
options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h
--- a/openssh-6.2p2/readconf.h
+++ b/openssh-6.2p2/readconf.h
diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
--- a/openssh-6.4p1/readconf.h
+++ b/openssh-6.4p1/readconf.h
@@ -44,16 +44,17 @@ typedef struct {
* authentication. */
int rsa_authentication; /* Try RSA authentication. */
@ -213,10 +213,10 @@ diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h
int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
--- a/openssh-6.2p2/servconf.c
+++ b/openssh-6.2p2/servconf.c
@@ -98,16 +98,17 @@ initialize_server_options(ServerOptions
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
--- a/openssh-6.4p1/servconf.c
+++ b/openssh-6.4p1/servconf.c
@@ -103,16 +103,17 @@ initialize_server_options(ServerOptions
options->rsa_authentication = -1;
options->pubkey_authentication = -1;
options->kerberos_authentication = -1;
@ -233,8 +233,8 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
options->permit_user_env = -1;
options->use_login = -1;
options->compression = -1;
options->allow_tcp_forwarding = -1;
@@ -230,16 +231,18 @@ fill_default_server_options(ServerOption
options->rekey_limit = -1;
@@ -237,16 +238,18 @@ fill_default_server_options(ServerOption
if (options->kerberos_ticket_cleanup == -1)
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1)
@ -253,9 +253,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
@@ -322,17 +325,17 @@ typedef enum {
@@ -333,17 +336,17 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -270,9 +270,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods,
sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported
@@ -388,19 +391,21 @@ static struct {
@@ -400,19 +403,21 @@ static struct {
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@ -294,7 +294,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
@@ -1048,16 +1053,20 @@ process_server_config_line(ServerOptions
@@ -1072,16 +1077,20 @@ process_server_config_line(ServerOptions
case sGssAuthentication:
intptr = &options->gss_authentication;
goto parse_flag;
@ -315,10 +315,10 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
intptr = &options->zero_knowledge_password_authentication;
goto parse_flag;
diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
--- a/openssh-6.2p2/servconf.h
+++ b/openssh-6.2p2/servconf.h
@@ -106,16 +106,17 @@ typedef struct {
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
--- a/openssh-6.4p1/servconf.h
+++ b/openssh-6.4p1/servconf.h
@@ -107,16 +107,17 @@ typedef struct {
* such as SecurID or
* /etc/passwd */
int kerberos_ticket_cleanup; /* If true, destroy ticket
@ -336,10 +336,10 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
/* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
--- a/openssh-6.2p2/ssh_config
+++ b/openssh-6.2p2/ssh_config
@@ -51,8 +51,15 @@ ForwardX11Trusted yes
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+++ b/openssh-6.4p1/ssh_config
@@ -51,9 +51,16 @@ ForwardX11Trusted yes
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
@ -355,10 +355,11 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+# GSSAPIEnableMITMAttack no
+
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
--- a/openssh-6.2p2/sshconnect2.c
+++ b/openssh-6.2p2/sshconnect2.c
@@ -321,16 +321,21 @@ static char *authmethods_get(void);
# RekeyLimit 1G 1h
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c
+++ b/openssh-6.4p1/sshconnect2.c
@@ -322,16 +322,21 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@ -380,7 +381,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
NULL},
{"publickey",
userauth_pubkey,
@@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf
@@ -696,17 +701,19 @@ process_gssapi_token(void *ctxt, gss_buf
packet_put_string(send_tok.value, send_tok.length);
packet_send();
@ -401,10 +402,10 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
--- a/openssh-6.2p2/sshd_config
+++ b/openssh-6.2p2/sshd_config
@@ -76,16 +76,23 @@ PasswordAuthentication no
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+++ b/openssh-6.4p1/sshd_config
@@ -79,16 +79,23 @@ PasswordAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

8
openssh-6.2p2-host_ident.patch → openssh-6.4p1-host_ident.patch
View File

@ -1,10 +1,10 @@
# identify hashed hosts in known_hosts and suggest command line for their
# removal
diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c
--- a/openssh-6.2p2/sshconnect.c
+++ b/openssh-6.2p2/sshconnect.c
@@ -987,16 +987,21 @@ check_host_key(char *hostname, struct so
diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
--- a/openssh-6.4p1/sshconnect.c
+++ b/openssh-6.4p1/sshconnect.c
@@ -986,16 +986,21 @@ check_host_key(char *hostname, struct so
ip_found->file, ip_found->line);
}
/* The host key has changed. */

20
openssh-6.2p2-key-converter.patch → openssh-6.4p1-key-converter.patch
View File

@ -1,9 +1,9 @@
# SSHv1 to SSHv2 RSA keys converter
diff --git a/openssh-6.2p2/converter/Makefile b/openssh-6.2p2/converter/Makefile
diff --git a/openssh-6.4p1/converter/Makefile b/openssh-6.4p1/converter/Makefile
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/converter/Makefile
+++ b/openssh-6.4p1/converter/Makefile
@@ -0,0 +1,17 @@
+
+bindir=/usr/bin
@ -12,20 +12,20 @@ new file mode 100644
+all : ssh-keyconverter
+
+ssh-keyconverter.o: ssh-keyconverter.c ../key.h ../authfile.h ../misc.h ../xmalloc.h
+ gcc $(RPM_OPT_FLAGS) -c -I../ $< -o $@
+ gcc $(CFLAGS) $(RPM_OPT_FLAGS) -c -I../ $< -o $@
+
+ssh-keyconverter: ssh-keyconverter.o ../libssh.a ../openbsd-compat/libopenbsd-compat.a
+ gcc $< -Wl,--no-as-needed $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
+ gcc $< $(LDFLAGS) $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lcrypto -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
+
+install: ssh-keyconverter ssh-keyconverter.1
+ if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755 $(DESTDIR)$(bindir); fi
+ install -m 755 ssh-keyconverter $(DESTDIR)$(bindir)
+ if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi
+ install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1
diff --git a/openssh-6.2p2/converter/ssh-keyconverter.1 b/openssh-6.2p2/converter/ssh-keyconverter.1
diff --git a/openssh-6.4p1/converter/ssh-keyconverter.1 b/openssh-6.4p1/converter/ssh-keyconverter.1
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/converter/ssh-keyconverter.1
+++ b/openssh-6.4p1/converter/ssh-keyconverter.1
@@ -0,0 +1,155 @@
+.\" Manpage for ssh-keyconverter
+.\"
@ -182,10 +182,10 @@ new file mode 100644
+.%D March 2001
+.%O work in progress material
+.Re
diff --git a/openssh-6.2p2/converter/ssh-keyconverter.c b/openssh-6.2p2/converter/ssh-keyconverter.c
diff --git a/openssh-6.4p1/converter/ssh-keyconverter.c b/openssh-6.4p1/converter/ssh-keyconverter.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/converter/ssh-keyconverter.c
+++ b/openssh-6.4p1/converter/ssh-keyconverter.c
@@ -0,0 +1,345 @@
+/*
+ * SSH v1 to v2 RSA key converter.
@ -330,7 +330,7 @@ new file mode 100644
+ if (i) {
+ /* Zap old pass phrase */
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ free(passphrase);
+
+ /* Get a pass phrase from the user */
+ passphrase = read_passphrase(prompt, 0);
@ -387,7 +387,7 @@ new file mode 100644
+
+out:
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ free(passphrase);
+ if (key)
+ key_free(key);
+ if (pk)

6
openssh-6.2p2-lastlog.patch → openssh-6.4p1-lastlog.patch
View File

@ -1,9 +1,9 @@
# set uid for functions that use it to seek in lastlog and wtmp files
# bnc#18024 (was suse #3024)
diff --git a/openssh-6.2p2/sshlogin.c b/openssh-6.2p2/sshlogin.c
--- a/openssh-6.2p2/sshlogin.c
+++ b/openssh-6.2p2/sshlogin.c
diff --git a/openssh-6.4p1/sshlogin.c b/openssh-6.4p1/sshlogin.c
--- a/openssh-6.4p1/sshlogin.c
+++ b/openssh-6.4p1/sshlogin.c
@@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty,
{
struct logininfo *li;

114
openssh-6.2p2-ldap.patch → openssh-6.4p1-ldap.patch
View File

@ -8,10 +8,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
diff --git a/openssh-6.2p2/HOWTO.ldap-keys b/openssh-6.2p2/HOWTO.ldap-keys
diff --git a/openssh-6.4p1/HOWTO.ldap-keys b/openssh-6.4p1/HOWTO.ldap-keys
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/HOWTO.ldap-keys
+++ b/openssh-6.4p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@ -121,9 +121,9 @@ new file mode 100644
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
--- a/openssh-6.2p2/Makefile.in
+++ b/openssh-6.2p2/Makefile.in
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in
+++ b/openssh-6.4p1/Makefile.in
@@ -20,16 +20,18 @@ srcdir=@srcdir@
top_srcdir=@top_srcdir@
@ -185,7 +185,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
PATHSUBS = \
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
@@ -162,16 +166,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
@@ -164,16 +168,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
@ -205,7 +205,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
@@ -263,30 +270,38 @@ install-files:
@@ -266,30 +273,38 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -244,7 +244,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
@@ -306,16 +321,23 @@ install-sysconf:
@@ -309,16 +324,23 @@ install-sysconf:
echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
else \
@ -268,7 +268,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
else \
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
fi ; \
@@ -363,27 +385,30 @@ uninstall:
@@ -366,27 +388,30 @@ uninstall:
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -294,15 +294,15 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
$(CC) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
--- a/openssh-6.2p2/configure.ac
+++ b/openssh-6.2p2/configure.ac
@@ -1504,16 +1504,116 @@ AC_ARG_WITH([audit],
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
--- a/openssh-6.4p1/configure.ac
+++ b/openssh-6.4p1/configure.ac
@@ -1519,16 +1519,116 @@ AC_ARG_WITH([audit],
AC_MSG_RESULT([no])
;;
*)
@ -419,10 +419,10 @@ diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
asprintf \
b64_ntop \
__b64_ntop \
diff --git a/openssh-6.2p2/ldap-helper.c b/openssh-6.2p2/ldap-helper.c
diff --git a/openssh-6.4p1/ldap-helper.c b/openssh-6.4p1/ldap-helper.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldap-helper.c
+++ b/openssh-6.4p1/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -579,10 +579,10 @@ new file mode 100644
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
diff --git a/openssh-6.2p2/ldap-helper.h b/openssh-6.2p2/ldap-helper.h
diff --git a/openssh-6.4p1/ldap-helper.h b/openssh-6.4p1/ldap-helper.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldap-helper.h
+++ b/openssh-6.4p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -616,10 +616,10 @@ new file mode 100644
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
diff --git a/openssh-6.2p2/ldap.conf b/openssh-6.2p2/ldap.conf
diff --git a/openssh-6.4p1/ldap.conf b/openssh-6.4p1/ldap.conf
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldap.conf
+++ b/openssh-6.4p1/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@ -709,10 +709,10 @@ new file mode 100644
+#tls_cert
+#tls_key
+
diff --git a/openssh-6.2p2/ldapbody.c b/openssh-6.2p2/ldapbody.c
diff --git a/openssh-6.4p1/ldapbody.c b/openssh-6.4p1/ldapbody.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldapbody.c
+++ b/openssh-6.4p1/ldapbody.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -873,7 +873,7 @@ new file mode 100644
+ if ((logfile = fopen (logfilename, "a")) == NULL)
+ fatal ("cannot append to %s: %s", logfilename, strerror (errno));
+ debug3 ("LDAP debug into %s", logfilename);
+ xfree (logfilename);
+ free (logfilename);
+ ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
+ }
+#endif
@ -1162,12 +1162,12 @@ new file mode 100644
+ timeout.tv_usec = 0;
+ if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
+ error ("ldap_search_st(): %s", ldap_err2string (rc));
+ xfree (buffer);
+ free (buffer);
+ return;
+ }
+
+ /* free */
+ xfree (buffer);
+ free (buffer);
+
+ for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
+ int num;
@ -1208,10 +1208,10 @@ new file mode 100644
+ return;
+}
+
diff --git a/openssh-6.2p2/ldapbody.h b/openssh-6.2p2/ldapbody.h
diff --git a/openssh-6.4p1/ldapbody.h b/openssh-6.4p1/ldapbody.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldapbody.h
+++ b/openssh-6.4p1/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1250,10 +1250,10 @@ new file mode 100644
+
+#endif /* LDAPBODY_H */
+
diff --git a/openssh-6.2p2/ldapconf.c b/openssh-6.2p2/ldapconf.c
diff --git a/openssh-6.4p1/ldapconf.c b/openssh-6.4p1/ldapconf.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldapconf.c
+++ b/openssh-6.4p1/ldapconf.c
@@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1937,10 +1937,10 @@ new file mode 100644
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
diff --git a/openssh-6.2p2/ldapconf.h b/openssh-6.2p2/ldapconf.h
diff --git a/openssh-6.4p1/ldapconf.h b/openssh-6.4p1/ldapconf.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldapconf.h
+++ b/openssh-6.4p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2013,10 +2013,10 @@ new file mode 100644
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
diff --git a/openssh-6.2p2/ldapincludes.h b/openssh-6.2p2/ldapincludes.h
diff --git a/openssh-6.4p1/ldapincludes.h b/openssh-6.4p1/ldapincludes.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldapincludes.h
+++ b/openssh-6.4p1/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2059,10 +2059,10 @@ new file mode 100644
+#endif
+
+#endif /* LDAPINCLUDES_H */
diff --git a/openssh-6.2p2/ldapmisc.c b/openssh-6.2p2/ldapmisc.c
diff --git a/openssh-6.4p1/ldapmisc.c b/openssh-6.4p1/ldapmisc.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldapmisc.c
+++ b/openssh-6.4p1/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@ -2143,10 +2143,10 @@ new file mode 100644
+}
+#endif
+
diff --git a/openssh-6.2p2/ldapmisc.h b/openssh-6.2p2/ldapmisc.h
diff --git a/openssh-6.4p1/ldapmisc.h b/openssh-6.4p1/ldapmisc.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ldapmisc.h
+++ b/openssh-6.4p1/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2183,9 +2183,9 @@ new file mode 100644
+
+#endif /* LDAPMISC_H */
+
diff --git a/openssh-6.2p2/openbsd-compat/base64.c b/openssh-6.2p2/openbsd-compat/base64.c
--- a/openssh-6.2p2/openbsd-compat/base64.c
+++ b/openssh-6.2p2/openbsd-compat/base64.c
diff --git a/openssh-6.4p1/openbsd-compat/base64.c b/openssh-6.4p1/openbsd-compat/base64.c
--- a/openssh-6.4p1/openbsd-compat/base64.c
+++ b/openssh-6.4p1/openbsd-compat/base64.c
@@ -41,17 +41,17 @@
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
@ -2243,9 +2243,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/base64.c b/openssh-6.2p2/openbsd-compa
*/
int
diff --git a/openssh-6.2p2/openbsd-compat/base64.h b/openssh-6.2p2/openbsd-compat/base64.h
--- a/openssh-6.2p2/openbsd-compat/base64.h
+++ b/openssh-6.2p2/openbsd-compat/base64.h
diff --git a/openssh-6.4p1/openbsd-compat/base64.h b/openssh-6.4p1/openbsd-compat/base64.h
--- a/openssh-6.4p1/openbsd-compat/base64.h
+++ b/openssh-6.4p1/openbsd-compat/base64.h
@@ -42,24 +42,24 @@
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/
@ -2275,10 +2275,10 @@ diff --git a/openssh-6.2p2/openbsd-compat/base64.h b/openssh-6.2p2/openbsd-compa
#endif /* HAVE___B64_PTON */
#endif /* _BSD_BASE64_H */
diff --git a/openssh-6.2p2/openssh-lpk-openldap.schema b/openssh-6.2p2/openssh-lpk-openldap.schema
diff --git a/openssh-6.4p1/openssh-lpk-openldap.schema b/openssh-6.4p1/openssh-lpk-openldap.schema
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/openssh-lpk-openldap.schema
+++ b/openssh-6.4p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2301,10 +2301,10 @@ new file mode 100644
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/openssh-6.2p2/openssh-lpk-sun.schema b/openssh-6.2p2/openssh-lpk-sun.schema
diff --git a/openssh-6.4p1/openssh-lpk-sun.schema b/openssh-6.4p1/openssh-lpk-sun.schema
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/openssh-lpk-sun.schema
+++ b/openssh-6.4p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2329,10 +2329,10 @@ new file mode 100644
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/openssh-6.2p2/ssh-ldap-helper.8 b/openssh-6.2p2/ssh-ldap-helper.8
diff --git a/openssh-6.4p1/ssh-ldap-helper.8 b/openssh-6.4p1/ssh-ldap-helper.8
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ssh-ldap-helper.8
+++ b/openssh-6.4p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@ -2413,19 +2413,19 @@ new file mode 100644
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
diff --git a/openssh-6.2p2/ssh-ldap-wrapper b/openssh-6.2p2/ssh-ldap-wrapper
diff --git a/openssh-6.4p1/ssh-ldap-wrapper b/openssh-6.4p1/ssh-ldap-wrapper
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ssh-ldap-wrapper
+++ b/openssh-6.4p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
diff --git a/openssh-6.2p2/ssh-ldap.conf.5 b/openssh-6.2p2/ssh-ldap.conf.5
diff --git a/openssh-6.4p1/ssh-ldap.conf.5 b/openssh-6.4p1/ssh-ldap.conf.5
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/ssh-ldap.conf.5
+++ b/openssh-6.4p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"

8
openssh-6.2p2-login_options.patch → openssh-6.4p1-login_options.patch
View File

@ -4,10 +4,10 @@
#
# bnc#833605
diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac
--- a/openssh-6.2p2/configure.ac
+++ b/openssh-6.2p2/configure.ac
@@ -666,16 +666,18 @@ main() { if (NSVersionOfRunTimeLibrary("
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
--- a/openssh-6.4p1/configure.ac
+++ b/openssh-6.4p1/configure.ac
@@ -657,16 +657,18 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])

8
openssh-6.2p2-no_fork-no_pid_file.patch → openssh-6.4p1-no_fork-no_pid_file.patch
View File

@ -1,9 +1,9 @@
# Do not write a PID file when not daemonizing (e.g. when running from systemd)
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
@@ -1911,17 +1911,17 @@ main(int ac, char **av)
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -1959,17 +1959,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);

52
openssh-6.2p2-pam-check-locks.patch → openssh-6.4p1-pam-check-locks.patch
View File

@ -2,10 +2,10 @@
# UsePAM is used
# bnc#708678, FATE#312033
diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
--- a/openssh-6.2p2/auth.c
+++ b/openssh-6.2p2/auth.c
@@ -102,17 +102,17 @@ allowed_user(struct passwd * pw)
diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
--- a/openssh-6.4p1/auth.c
+++ b/openssh-6.4p1/auth.c
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
struct spwd *spw = NULL;
#endif
@ -24,7 +24,7 @@ diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
#endif /* USE_SHADOW */
/* grab passwd field for locked account check */
@@ -122,17 +122,17 @@ allowed_user(struct passwd * pw)
@@ -123,17 +123,17 @@ allowed_user(struct passwd * pw)
#ifdef USE_LIBIAF
passwd = get_iaf_password(pw);
#else
@ -43,10 +43,10 @@ diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c
#endif
#ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
--- a/openssh-6.2p2/servconf.c
+++ b/openssh-6.2p2/servconf.c
@@ -62,16 +62,17 @@ extern Buffer cfg;
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
--- a/openssh-6.4p1/servconf.c
+++ b/openssh-6.4p1/servconf.c
@@ -66,16 +66,17 @@ extern Buffer cfg;
void
initialize_server_options(ServerOptions *options)
@ -64,7 +64,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
options->address_family = -1;
options->num_host_key_files = 0;
options->num_host_cert_files = 0;
@@ -150,16 +151,18 @@ initialize_server_options(ServerOptions
@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions
}
void
@ -83,7 +83,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
/* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1)
options->host_key_files[options->num_host_key_files++] =
@@ -304,17 +307,17 @@ fill_default_server_options(ServerOption
@@ -315,17 +318,17 @@ fill_default_server_options(ServerOption
#endif
}
@ -102,7 +102,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
sKerberosGetAFSToken,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
@@ -349,18 +352,20 @@ typedef enum {
@@ -360,18 +363,20 @@ typedef enum {
static struct {
const char *name;
ServerOpCodes opcode;
@ -121,9 +121,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
{ "port", sPort, SSHCFG_GLOBAL },
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
@@ -844,16 +849,19 @@ process_server_config_line(ServerOptions
@@ -857,16 +862,19 @@ process_server_config_line(ServerOptions
}
}
@ -143,10 +143,10 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c
/* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline)
return 0;
diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
--- a/openssh-6.2p2/servconf.h
+++ b/openssh-6.2p2/servconf.h
@@ -160,16 +160,17 @@ typedef struct {
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
--- a/openssh-6.4p1/servconf.h
+++ b/openssh-6.4p1/servconf.h
@@ -161,16 +161,17 @@ typedef struct {
*/
u_int num_authkeys_files; /* Files containing public keys */
@ -164,10 +164,10 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0
--- a/openssh-6.2p2/sshd_config.0
+++ b/openssh-6.2p2/sshd_config.0
@@ -673,16 +673,24 @@ DESCRIPTION
diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
--- a/openssh-6.4p1/sshd_config.0
+++ b/openssh-6.4p1/sshd_config.0
@@ -706,16 +706,24 @@ DESCRIPTION
Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
@ -192,10 +192,10 @@ diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0
privilege separation is to prevent privilege escalation by
containing any corruption within the unprivileged processes. The
default is ``yes''. If UsePrivilegeSeparation is set to
diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
--- a/openssh-6.2p2/sshd_config.5
+++ b/openssh-6.2p2/sshd_config.5
@@ -1141,16 +1141,28 @@ or
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5
+++ b/openssh-6.4p1/sshd_config.5
@@ -1178,16 +1178,28 @@ or
.Pp
If
.Cm UsePAM

10
openssh-6.2p2-pam-fix2.patch → openssh-6.4p1-pam-fix2.patch
View File

@ -1,10 +1,10 @@
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
--- a/openssh-6.2p2/sshd_config
+++ b/openssh-6.2p2/sshd_config
@@ -60,17 +60,17 @@ AuthorizedKeysFile .ssh/authorized_keys
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+++ b/openssh-6.4p1/sshd_config
@@ -63,17 +63,17 @@ AuthorizedKeysFile .ssh/authorized_keys
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
@ -23,7 +23,7 @@ diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
@@ -85,17 +85,17 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -88,17 +88,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,

10
openssh-6.2p2-pam-fix3.patch → openssh-6.4p1-pam-fix3.patch
View File

@ -1,10 +1,10 @@
# posix threads are generally not supported nor safe
# (see upstream log from 2005-05-24)
diff --git a/openssh-6.2p2/auth-pam.c b/openssh-6.2p2/auth-pam.c
--- a/openssh-6.2p2/auth-pam.c
+++ b/openssh-6.2p2/auth-pam.c
@@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha
diff --git a/openssh-6.4p1/auth-pam.c b/openssh-6.4p1/auth-pam.c
--- a/openssh-6.4p1/auth-pam.c
+++ b/openssh-6.4p1/auth-pam.c
@@ -779,17 +779,19 @@ sshpam_query(void *ctx, char **name, cha
}
if (type == PAM_SUCCESS) {
if (!sshpam_authctxt->valid ||
@ -19,7 +19,7 @@ diff --git a/openssh-6.2p2/auth-pam.c b/openssh-6.2p2/auth-pam.c
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;
xfree(msg);
free(msg);
return (0);
}
error("PAM: %s for %s%.100s from %.100s", msg,

6
openssh-6.2p2-pts.patch → openssh-6.4p1-pts.patch
View File

@ -1,9 +1,9 @@
# use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files)
diff --git a/openssh-6.2p2/loginrec.c b/openssh-6.2p2/loginrec.c
--- a/openssh-6.2p2/loginrec.c
+++ b/openssh-6.2p2/loginrec.c
diff --git a/openssh-6.4p1/loginrec.c b/openssh-6.4p1/loginrec.c
--- a/openssh-6.4p1/loginrec.c
+++ b/openssh-6.4p1/loginrec.c
@@ -535,17 +535,17 @@ getlast_entry(struct logininfo *li)
/*
* 'line' string utility functions

10
openssh-6.2p2-saveargv-fix.patch → openssh-6.4p1-saveargv-fix.patch
View File

@ -1,9 +1,9 @@
# related to bnc#49845, upstream bug #529
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
@@ -303,16 +303,17 @@ sighup_handler(int sig)
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -309,16 +309,17 @@ sighup_handler(int sig)
/*
* Called from the main program after receiving SIGHUP.
@ -21,7 +21,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
execv(saved_argv[0], saved_argv);
logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
strerror(errno));
@@ -1355,17 +1356,21 @@ main(int ac, char **av)
@@ -1382,17 +1383,21 @@ main(int ac, char **av)
saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
for (i = 0; i < ac; i++)
saved_argv[i] = xstrdup(av[i]);

102
openssh-6.2p2-seed-prng.patch → openssh-6.4p1-seed-prng.patch
View File

@ -1,9 +1,9 @@
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
--- a/openssh-6.2p2/audit-bsm.c
+++ b/openssh-6.2p2/audit-bsm.c
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
/* not implemented */
}
@ -20,9 +20,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
--- a/openssh-6.2p2/audit-linux.c
+++ b/openssh-6.2p2/audit-linux.c
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c
@@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons
}
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
@ -55,9 +55,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
--- a/openssh-6.2p2/audit.c
+++ b/openssh-6.2p2/audit.c
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
--- a/openssh-6.4p1/audit.c
+++ b/openssh-6.4p1/audit.c
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
/*
* This will be called on generation of the ephemeral server key
@ -75,9 +75,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
--- a/openssh-6.2p2/audit.h
+++ b/openssh-6.2p2/audit.h
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
--- a/openssh-6.4p1/audit.h
+++ b/openssh-6.4p1/audit.h
@@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *);
void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
@ -90,9 +90,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h
+void audit_linux_prng_seed(long, const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c
--- a/openssh-6.2p2/entropy.c
+++ b/openssh-6.2p2/entropy.c
diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c
--- a/openssh-6.4p1/entropy.c
+++ b/openssh-6.4p1/entropy.c
@@ -45,16 +45,17 @@
#include "ssh.h"
@ -126,15 +126,15 @@ diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
diff --git a/openssh-6.2p2/openbsd-compat/Makefile.in b/openssh-6.2p2/openbsd-compat/Makefile.in
--- a/openssh-6.2p2/openbsd-compat/Makefile.in
+++ b/openssh-6.2p2/openbsd-compat/Makefile.in
diff --git a/openssh-6.4p1/openbsd-compat/Makefile.in b/openssh-6.4p1/openbsd-compat/Makefile.in
--- a/openssh-6.4p1/openbsd-compat/Makefile.in
+++ b/openssh-6.4p1/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -148,10 +148,10 @@ diff --git a/openssh-6.2p2/openbsd-compat/Makefile.in b/openssh-6.2p2/openbsd-co
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
diff --git a/openssh-6.2p2/openbsd-compat/port-linux-prng.c b/openssh-6.2p2/openbsd-compat/port-linux-prng.c
diff --git a/openssh-6.4p1/openbsd-compat/port-linux-prng.c b/openssh-6.4p1/openbsd-compat/port-linux-prng.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/openbsd-compat/port-linux-prng.c
+++ b/openssh-6.4p1/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
@ -232,9 +232,9 @@ new file mode 100644
+ fatal ("EOF reading %s", random);
+ }
+}
diff --git a/openssh-6.2p2/openbsd-compat/port-linux.h b/openssh-6.2p2/openbsd-compat/port-linux.h
--- a/openssh-6.2p2/openbsd-compat/port-linux.h
+++ b/openssh-6.2p2/openbsd-compat/port-linux.h
diff --git a/openssh-6.4p1/openbsd-compat/port-linux.h b/openssh-6.4p1/openbsd-compat/port-linux.h
--- a/openssh-6.4p1/openbsd-compat/port-linux.h
+++ b/openssh-6.4p1/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
@ -256,9 +256,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/port-linux.h b/openssh-6.2p2/openbsd-c
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/openssh-6.2p2/ssh-add.1 b/openssh-6.2p2/ssh-add.1
--- a/openssh-6.2p2/ssh-add.1
+++ b/openssh-6.2p2/ssh-add.1
diff --git a/openssh-6.4p1/ssh-add.1 b/openssh-6.4p1/ssh-add.1
--- a/openssh-6.4p1/ssh-add.1
+++ b/openssh-6.4p1/ssh-add.1
@@ -155,16 +155,30 @@ or related script.
(Note that on some machines it
may be necessary to redirect the input from
@ -290,9 +290,9 @@ diff --git a/openssh-6.2p2/ssh-add.1 b/openssh-6.2p2/ssh-add.1
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
diff --git a/openssh-6.2p2/ssh-agent.1 b/openssh-6.2p2/ssh-agent.1
--- a/openssh-6.2p2/ssh-agent.1
+++ b/openssh-6.2p2/ssh-agent.1
diff --git a/openssh-6.4p1/ssh-agent.1 b/openssh-6.4p1/ssh-agent.1
--- a/openssh-6.4p1/ssh-agent.1
+++ b/openssh-6.4p1/ssh-agent.1
@@ -193,16 +193,33 @@ Contains the protocol version 2 ECDSA au
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
@ -327,10 +327,10 @@ diff --git a/openssh-6.2p2/ssh-agent.1 b/openssh-6.2p2/ssh-agent.1
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
diff --git a/openssh-6.2p2/ssh-keygen.1 b/openssh-6.2p2/ssh-keygen.1
--- a/openssh-6.2p2/ssh-keygen.1
+++ b/openssh-6.2p2/ssh-keygen.1
@@ -801,16 +801,33 @@ on all machines
diff --git a/openssh-6.4p1/ssh-keygen.1 b/openssh-6.4p1/ssh-keygen.1
--- a/openssh-6.4p1/ssh-keygen.1
+++ b/openssh-6.4p1/ssh-keygen.1
@@ -800,16 +800,33 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
@ -364,9 +364,9 @@ diff --git a/openssh-6.2p2/ssh-keygen.1 b/openssh-6.2p2/ssh-keygen.1
.Xr sshd 8
.Rs
.%R RFC 4716
diff --git a/openssh-6.2p2/ssh-keysign.8 b/openssh-6.2p2/ssh-keysign.8
--- a/openssh-6.2p2/ssh-keysign.8
+++ b/openssh-6.2p2/ssh-keysign.8
diff --git a/openssh-6.4p1/ssh-keysign.8 b/openssh-6.4p1/ssh-keysign.8
--- a/openssh-6.4p1/ssh-keysign.8
+++ b/openssh-6.4p1/ssh-keysign.8
@@ -73,16 +73,33 @@ Since they are readable only by root,
must be set-uid root if host-based authentication is used.
.Pp
@ -401,10 +401,10 @@ diff --git a/openssh-6.2p2/ssh-keysign.8 b/openssh-6.2p2/ssh-keysign.8
.Sh HISTORY
.Nm
first appeared in
diff --git a/openssh-6.2p2/ssh.1 b/openssh-6.2p2/ssh.1
--- a/openssh-6.2p2/ssh.1
+++ b/openssh-6.2p2/ssh.1
@@ -1272,16 +1272,30 @@ reads
diff --git a/openssh-6.4p1/ssh.1 b/openssh-6.4p1/ssh.1
--- a/openssh-6.4p1/ssh.1
+++ b/openssh-6.4p1/ssh.1
@@ -1290,16 +1290,30 @@ reads
and adds lines of the format
.Dq VARNAME=value
to the environment if the file exists and users are allowed to
@ -435,10 +435,10 @@ diff --git a/openssh-6.2p2/ssh.1 b/openssh-6.2p2/ssh.1
world-readable if the user's home directory is on an NFS partition,
because
.Xr sshd 8
diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
--- a/openssh-6.2p2/sshd.8
+++ b/openssh-6.2p2/sshd.8
@@ -940,16 +940,33 @@ and not group or world-writable.
diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
--- a/openssh-6.4p1/sshd.8
+++ b/openssh-6.4p1/sshd.8
@@ -941,16 +941,33 @@ and not group or world-writable.
.It Pa /var/run/sshd.pid
Contains the process ID of the
.Nm
@ -472,9 +472,9 @@ diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
--- a/openssh-6.2p2/sshd.c
+++ b/openssh-6.2p2/sshd.c
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -50,16 +50,18 @@
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
@ -494,8 +494,8 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
@@ -209,16 +211,23 @@ struct {
Key **host_keys; /* all private host keys */
@@ -215,16 +217,23 @@ struct {
Key **host_pubkeys; /* all public host keys */
Key **host_certificates; /* all public host certificates */
int have_ssh1_key;
int have_ssh2_key;
@ -518,7 +518,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
@@ -1275,16 +1284,21 @@ server_accept_loop(int *sock_in, int *so
@@ -1300,16 +1309,21 @@ server_accept_loop(int *sock_in, int *so
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0];

17
openssh-6.2p2-send_locale.patch → openssh-6.4p1-send_locale.patch
View File

@ -1,10 +1,10 @@
# send locales in default configuration
# bnc#65747
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
--- a/openssh-6.2p2/ssh_config
+++ b/openssh-6.2p2/ssh_config
@@ -58,8 +58,13 @@ ForwardX11Trusted yes
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+++ b/openssh-6.4p1/ssh_config
@@ -58,9 +58,14 @@ ForwardX11Trusted yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
@ -18,10 +18,11 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config
+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+SendEnv LC_IDENTIFICATION LC_ALL
+
diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config
--- a/openssh-6.2p2/sshd_config
+++ b/openssh-6.2p2/sshd_config
@@ -122,13 +122,18 @@ UsePrivilegeSeparation sandbox # Defaul
# RekeyLimit 1G 1h
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+++ b/openssh-6.4p1/sshd_config
@@ -125,13 +125,18 @@ UsePrivilegeSeparation sandbox # Defaul
#VersionAddendum none
# no default banner path

48
openssh-6.2p2-sftp_homechroot.patch → openssh-6.4p1-sftp_homechroot.patch
View File

@ -1,9 +1,9 @@
# run sftp sessions inside a chroot
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
--- a/openssh-6.2p2/session.c
+++ b/openssh-6.2p2/session.c
@@ -119,16 +119,18 @@ int do_exec(Session *, const char *);
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
--- a/openssh-6.4p1/session.c
+++ b/openssh-6.4p1/session.c
@@ -120,16 +120,18 @@ int do_exec(Session *, const char *);
void do_login(Session *, const char *);
#ifdef LOGIN_NEEDS_UTMPX
static void do_pre_login(Session *s);
@ -179,10 +179,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
do_setusercontext(struct passwd *pw)
{
char *chroot_path, *tmp;
diff --git a/openssh-6.2p2/sftp-chrootenv.h b/openssh-6.2p2/sftp-chrootenv.h
diff --git a/openssh-6.4p1/sftp-chrootenv.h b/openssh-6.4p1/sftp-chrootenv.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.2p2/sftp-chrootenv.h
+++ b/openssh-6.4p1/sftp-chrootenv.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
@ -214,9 +214,9 @@ new file mode 100644
+
+#endif
+
diff --git a/openssh-6.2p2/sftp-common.c b/openssh-6.2p2/sftp-common.c
--- a/openssh-6.2p2/sftp-common.c
+++ b/openssh-6.2p2/sftp-common.c
diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c
--- a/openssh-6.4p1/sftp-common.c
+++ b/openssh-6.4p1/sftp-common.c
@@ -41,16 +41,17 @@
#endif
@ -261,9 +261,9 @@ diff --git a/openssh-6.2p2/sftp-common.c b/openssh-6.2p2/sftp-common.c
if (ltime != NULL) {
if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
diff --git a/openssh-6.2p2/sftp-server-main.c b/openssh-6.2p2/sftp-server-main.c
--- a/openssh-6.2p2/sftp-server-main.c
+++ b/openssh-6.2p2/sftp-server-main.c
diff --git a/openssh-6.4p1/sftp-server-main.c b/openssh-6.4p1/sftp-server-main.c
--- a/openssh-6.4p1/sftp-server-main.c
+++ b/openssh-6.4p1/sftp-server-main.c
@@ -17,21 +17,24 @@
#include "includes.h"
@ -289,10 +289,10 @@ diff --git a/openssh-6.2p2/sftp-server-main.c b/openssh-6.2p2/sftp-server-main.c
int
main(int argc, char **argv)
diff --git a/openssh-6.2p2/sftp.c b/openssh-6.2p2/sftp.c
--- a/openssh-6.2p2/sftp.c
+++ b/openssh-6.2p2/sftp.c
@@ -97,16 +97,18 @@ struct complete_ctx {
diff --git a/openssh-6.4p1/sftp.c b/openssh-6.4p1/sftp.c
--- a/openssh-6.4p1/sftp.c
+++ b/openssh-6.4p1/sftp.c
@@ -106,16 +106,18 @@ struct complete_ctx {
char **remote_pathp;
};
@ -311,10 +311,10 @@ diff --git a/openssh-6.2p2/sftp.c b/openssh-6.2p2/sftp.c
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0
--- a/openssh-6.2p2/sshd_config.0
+++ b/openssh-6.2p2/sshd_config.0
@@ -181,16 +181,24 @@ DESCRIPTION
diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
--- a/openssh-6.4p1/sshd_config.0
+++ b/openssh-6.4p1/sshd_config.0
@@ -189,16 +189,24 @@ DESCRIPTION
session this requires at least a shell, typically sh(1), and
basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
stderr(4), arandom(4) and tty(4) devices. For file transfer
@ -339,10 +339,10 @@ diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0
``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5
--- a/openssh-6.2p2/sshd_config.5
+++ b/openssh-6.2p2/sshd_config.5
@@ -317,16 +317,27 @@ For file transfer sessions using
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5
+++ b/openssh-6.4p1/sshd_config.5
@@ -324,16 +324,27 @@ For file transfer sessions using
no additional configuration of the environment is necessary if the
in-process sftp server is used,
though sessions which use logging do require

20
openssh-6.2p2-xauth.patch → openssh-6.4p1-xauth.patch
View File

@ -1,10 +1,10 @@
# try to remove xauth cookies on logout
# bnc#98815
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
--- a/openssh-6.2p2/session.c
+++ b/openssh-6.2p2/session.c
@@ -2473,18 +2473,50 @@ session_exit_message(Session *s, int sta
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
--- a/openssh-6.4p1/session.c
+++ b/openssh-6.4p1/session.c
@@ -2477,18 +2477,50 @@ session_exit_message(Session *s, int sta
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c);
}
@ -49,9 +49,9 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
+
if (s->ttyfd != -1)
session_pty_cleanup(s);
if (s->term)
xfree(s->term);
if (s->display)
xfree(s->display);
if (s->x11_chanids)
xfree(s->x11_chanids);
free(s->term);
free(s->display);
free(s->x11_chanids);
free(s->auth_display);
free(s->auth_data);
free(s->auth_proto);

14
openssh-6.2p2-xauthlocalhostname.patch → openssh-6.4p1-xauthlocalhostname.patch
View File

@ -1,14 +1,14 @@
# handle hostname changes when forwarding X
# bnc#98627
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
--- a/openssh-6.2p2/session.c
+++ b/openssh-6.2p2/session.c
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
--- a/openssh-6.4p1/session.c
+++ b/openssh-6.4p1/session.c
@@ -1118,17 +1118,17 @@ copy_environment(char **source, char ***
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
xfree(var_name);
free(var_name);
}
}
@ -83,7 +83,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
}
static void
@@ -1618,16 +1628,17 @@ child_close_fds(void)
@@ -1631,16 +1641,17 @@ child_close_fds(void)
* ids, and executing the command or shell.
*/
#define ARGV_MAX 10
@ -101,7 +101,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
/* remove hostkey from the child's memory */
destroy_sensitive_data();
@@ -1684,17 +1695,17 @@ do_child(Session *s, const char *command
@@ -1697,17 +1708,17 @@ do_child(Session *s, const char *command
* legal, and means /bin/sh.
*/
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
@ -120,7 +120,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c
/* we have to stash the hostname before we close our socket. */
if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len,
@@ -1753,17 +1764,17 @@ do_child(Session *s, const char *command
@@ -1766,17 +1777,17 @@ do_child(Session *s, const char *command
strerror(errno));
if (r)
exit(1);

3
openssh-6.4p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2
size 1201402

5
openssh-askpass-gnome.changes
View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
- Update of the underlying OpenSSH to 6.4p1
-------------------------------------------------------------------
Thu Sep 19 02:02:56 UTC 2013 - pcerny@suse.com

4
openssh-askpass-gnome.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package openssh-askpass-gnome
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -26,7 +26,7 @@ BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: tcpd-devel
BuildRequires: update-desktop-files
Version: 6.2p2
Version: 6.4p1
Release: 0
Requires: openssh = %{version}
Summary: A GNOME-Based Passphrase Dialog for OpenSSH

82
openssh.changes
View File

@ -1,3 +1,85 @@
-------------------------------------------------------------------
Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
- Update to 6.4p1
Features since 6.2p2:
* ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or
hostkeys on smartcards.
* ssh(1)/sshd(8): allow optional time-based rekeying via a
second argument to the existing RekeyLimit option. RekeyLimit
is now supported in sshd_config as well as on the client.
* sshd(8): standardise logging of information during user
authentication.
* The presented key/cert and the remote username (if available)
is now logged in the authentication success/failure message on
the same log line as the local username, remote host/port and
protocol in use. Certificates contents and the key
fingerprint of the signing CA are logged too.
* ssh(1) ability to query what cryptographic algorithms are
supported in the binary.
* ssh(1): ProxyCommand=- for cases where stdin and stdout
already point to the proxy.
* ssh(1): allow IdentityFile=none
* ssh(1)/sshd(8): -E option to append debugging logs to a
specified file instead of stderr or syslog.
* sftp(1): support resuming partial downloads with the "reget"
command and on the sftp commandline or on the "get"
commandline with the "-a" (append) option.
* ssh(1): "IgnoreUnknown" configuration option to selectively
suppress errors arising from unknown configuration directives.
* sshd(8): support for submethods to be appended to required
authentication methods listed via AuthenticationMethods.
Bugfixes since 6.2p2:
* sshd(8): fix refusal to accept certificate if a key of a
different type to the CA key appeared in authorized_keys
before the CA key.
* ssh(1)/ssh-agent(1)/sshd(8): Use a monotonic time source for
timers so that things like keepalives and rekeying will work
properly over clock steps.
* sftp(1): update progressmeter when data is acknowledged, not
when it's sent. bz#2108
* ssh(1)/ssh-keygen(1): improve error messages when the current
user does not exist in /etc/passwd; bz#2125
* ssh(1): reset the order in which public keys are tried after
partial authentication success.
* ssh-agent(1): clean up socket files after SIGINT when in debug
mode; bz#2120
* ssh(1) and others: avoid confusing error messages in the case
of broken system resolver configurations; bz#2122
* ssh(1): set TCP nodelay for connections started with -N;
bz#2124
* ssh(1): correct manual for permission requirements on
~/.ssh/config; bz#2078
* ssh(1): fix ControlPersist timeout not triggering in cases
where TCP connections have hung. bz#1917
* ssh(1): properly deatch a ControlPersist master from its
controlling terminal.
* sftp(1): avoid crashes in libedit when it has been compiled
with multi- byte character support. bz#1990
* sshd(8): when running sshd -D, close stderr unless we have
explicitly requested logging to stderr. bz#1976,
* ssh(1): fix incomplete bzero; bz#2100
* sshd(8): log and error and exit if ChrootDirectory is
specified and running without root privileges.
* Many improvements to the regression test suite. In particular
log files are now saved from ssh and sshd after failures.
* Fix a number of memory leaks. bz#1967 bz#2096 and others
* sshd(8): fix public key authentication when a :style is
appended to the requested username.
* ssh(1): do not fatally exit when attempting to cleanup
multiplexing- created channels that are incompletely opened.
bz#2079
* sshd(8): fix a memory corruption problem triggered during
rekeying when an AES-GCM cipher is selected
* Fix unaligned accesses in umac.c for strict-alignment
architectures. bz#2101
* Fix broken incorrect commandline reporting errors. bz#1448
* Only include SHA256 and ECC-based key exchange methods if
libcrypto has the required support.
* Fix crash in SOCKS5 dynamic forwarding code on
strict-alignment architectures.
- FIPS and GSSKEX patched disabled for now
-------------------------------------------------------------------
Fri Oct 4 17:50:32 UTC 2013 - pcerny@suse.com

101
openssh.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package openssh
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -18,10 +18,8 @@
%if 0%{suse_version} >= 1100
%define has_fw_dir 1
%define needs_xorg_libs 0
%else
%define has_fw_dir 0
%define needs_xorg_libs 1
%endif
%if 0%{suse_version} >= 1110
@ -80,7 +78,7 @@ BuildRequires: openldap2-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
%if %{has_systemd}
BuildRequires: systemd
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%endif
BuildRequires: tcpd-devel
@ -88,8 +86,8 @@ Requires: /bin/netstat
PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
Conflicts: nonfreessh
Recommends: xauth
Recommends: %{name}-akc-ldap
Version: 6.2p2
Recommends: %{name}-helpers
Version: 6.4p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-3-Clause and MIT
@ -106,39 +104,39 @@ Source7: sshd.fw
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Patch1: %{name}-%{version}-key-converter.patch
Patch2: %{name}-%{version}-X11-forwarding.patch
Patch3: %{name}-%{version}-lastlog.patch
Patch4: %{name}-%{version}-pam-fix2.patch
Patch5: %{name}-%{version}-saveargv-fix.patch
Patch6: %{name}-%{version}-pam-fix3.patch
Patch7: %{name}-%{version}-gssapimitm.patch
Patch8: %{name}-%{version}-eal3.patch
Patch9: %{name}-%{version}-blocksigalrm.patch
Patch10: %{name}-%{version}-send_locale.patch
Patch11: %{name}-%{version}-xauthlocalhostname.patch
Patch12: %{name}-%{version}-xauth.patch
Patch13: %{name}-%{version}-default-protocol.patch
Patch14: %{name}-%{version}-pts.patch
Patch15: %{name}-%{version}-pam-check-locks.patch
Patch16: %{name}-%{version}-fingerprint_hash.patch
Patch17: %{name}-%{version}-audit1-remove_duplicit_audit.patch
Patch18: %{name}-%{version}-audit2-better_audit_of_user_actions.patch
Patch19: %{name}-%{version}-audit3-key_auth_usage.patch
Patch20: %{name}-%{version}-audit4-kex_results.patch
Patch21: %{name}-%{version}-audit5-session_key_destruction.patch
Patch22: %{name}-%{version}-audit6-server_key_destruction.patch
Patch23: %{name}-%{version}-audit7-libaudit_compat.patch
Patch24: %{name}-%{version}-audit8-libaudit_dns_timeouts.patch
Patch25: %{name}-%{version}-seed-prng.patch
Patch26: %{name}-%{version}-ldap.patch
Patch27: %{name}-%{version}-fips.patch
Patch28: %{name}-%{version}-gssapi_key_exchange.patch
Patch29: %{name}-%{version}-login_options.patch
Patch30: %{name}-%{version}-disable-openssl-abi-check.patch
Patch31: %{name}-%{version}-no_fork-no_pid_file.patch
Patch32: %{name}-%{version}-host_ident.patch
Patch33: %{name}-%{version}-sftp_homechroot.patch
Patch1: openssh-6.4p1-key-converter.patch
Patch2: openssh-6.4p1-X11-forwarding.patch
Patch3: openssh-6.4p1-lastlog.patch
Patch4: openssh-6.4p1-pam-fix2.patch
Patch5: openssh-6.4p1-saveargv-fix.patch
Patch6: openssh-6.4p1-pam-fix3.patch
Patch7: openssh-6.4p1-gssapimitm.patch
Patch8: openssh-6.4p1-eal3.patch
Patch9: openssh-6.4p1-blocksigalrm.patch
Patch10: openssh-6.4p1-send_locale.patch
Patch11: openssh-6.4p1-xauthlocalhostname.patch
Patch12: openssh-6.4p1-xauth.patch
Patch13: openssh-6.4p1-default-protocol.patch
Patch14: openssh-6.4p1-pts.patch
Patch15: openssh-6.4p1-pam-check-locks.patch
Patch16: openssh-6.4p1-fingerprint_hash.patch
Patch17: openssh-6.4p1-audit1-remove_duplicit_audit.patch
Patch18: openssh-6.4p1-audit2-better_audit_of_user_actions.patch
Patch19: openssh-6.4p1-audit3-key_auth_usage.patch
Patch20: openssh-6.4p1-audit4-kex_results.patch
Patch21: openssh-6.4p1-audit5-session_key_destruction.patch
Patch22: openssh-6.4p1-audit6-server_key_destruction.patch
Patch23: openssh-6.4p1-audit7-libaudit_compat.patch
Patch24: openssh-6.4p1-audit8-libaudit_dns_timeouts.patch
Patch25: openssh-6.4p1-seed-prng.patch
Patch26: openssh-6.4p1-ldap.patch
Patch27: openssh-6.4p1-fips.patch
Patch28: openssh-6.4p1-gssapi_key_exchange.patch
Patch29: openssh-6.4p1-login_options.patch
Patch30: openssh-6.4p1-disable-openssl-abi-check.patch
Patch31: openssh-6.4p1-no_fork-no_pid_file.patch
Patch32: openssh-6.4p1-host_ident.patch
Patch33: openssh-6.4p1-sftp_homechroot.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -152,15 +150,14 @@ xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
%package akc-ldap
Summary: OpenSSH AuthorizedKeysCommand helper for LDAP
%package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH
Requires: openldap2
Requires: openssh
%description akc-ldap
Helper application for OpenSSH which retrieves authorized keys from
a LDAP server.
%description helpers
Helper applications for OpenSSH which retrieve keys from various sources.
%prep
@ -192,7 +189,7 @@ a LDAP server.
%patch25 -p2
%patch26 -p2
#patch27 -p2
%patch28 -p2
#patch28 -p2
%patch29 -p2
%patch30 -p2
%patch31 -p2
@ -214,11 +211,17 @@ PIEFLAGS="-fPIE"
PIEFLAGS="-fpie"
%endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
%if 0%{?suse_version} < 1230
CFLAGS="-lrt $CFLAGS"
%endif
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
%if 0%{?suse_version} < 1230
LDFLAGS="-lrt $LDFLAGS"
%endif
#CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
./configure \
--prefix=%{_prefix} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
@ -249,9 +252,9 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
--target=%{_target_cpu}-suse-linux \
### configure end
make %{?_smp_mflags}
make -j 1
make %{?_smp_mflags} -C converter
make -j 1 -C converter
%install
make install DESTDIR=%{buildroot}
@ -360,7 +363,7 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
%config %{_fwdefdir}/sshd
%endif
%files akc-ldap
%files helpers
%defattr(-,root,root)
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf