Accepting request 642573 from home:scarabeus_iv:branches:network
- Update to 7.8p1: * no actual changes for the askpass - Format with spec-cleaner - Respect cflags - Use gtk3 rather than gtk2 which is being phased out - Remove the mention of the SLE12 in the README.SUSE - Install firewall rules only when really needed (<SLE15) - Version update to 7.8p1: * For most details see release notes file * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format - Rebase patches to apply on 7.8p1 release: * openssh-7.7p1-fips.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-gssapi_key_exchange.patch * openssh-7.7p1-audit.patch * openssh-7.7p1-openssl_1.1.0.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-IPv6_X_forwarding.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-7.7p1-disable_short_DH_parameters.patch * openssh-7.7p1-hostname_changes_when_forwarding_X.patch * openssh-7.7p1-pam_check_locks.patch * openssh-7.7p1-seed-prng.patch * openssh-7.7p1-systemd-notify.patch * openssh-7.7p1-X11_trusted_forwarding.patch - Dropped patches: OBS-URL: https://build.opensuse.org/request/show/642573 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=153
This commit is contained in:
parent
f56a5ff67f
commit
7bccbbd821
@ -1,11 +1,9 @@
|
|||||||
This is OpenSSH version 7.2p2 for SLE12
|
|
||||||
|
|
||||||
There are following changes in default settings of ssh client and server:
|
There are following changes in default settings of ssh client and server:
|
||||||
|
|
||||||
* Accepting and sending of locale environment variables in protocol 2 is
|
* Accepting and sending of locale environment variables in protocol 2 is
|
||||||
enabled.
|
enabled.
|
||||||
|
|
||||||
* PAM authentication is enabled.
|
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||||
|
|
||||||
* root authentiation with password is enabled by default (PermitRootLogin yes).
|
* root authentiation with password is enabled by default (PermitRootLogin yes).
|
||||||
NOTE: this has security implications and is only done in order to not change
|
NOTE: this has security implications and is only done in order to not change
|
||||||
@ -26,4 +24,3 @@ There are following changes in default settings of ssh client and server:
|
|||||||
ssh_config and sshd_config manual pages.
|
ssh_config and sshd_config manual pages.
|
||||||
|
|
||||||
For more information on differences in SUSE OpenSSH package see README.FIPS
|
For more information on differences in SUSE OpenSSH package see README.FIPS
|
||||||
|
|
||||||
|
@ -3,9 +3,6 @@ for Kerberos-related names. These DNS lookups were problematic
|
|||||||
for dialup users because they would lead to excessive delays
|
for dialup users because they would lead to excessive delays
|
||||||
if DNS was not reachable.
|
if DNS was not reachable.
|
||||||
|
|
||||||
In order to disable these lookups, I had to change the default
|
|
||||||
configuration, disabling GSSAPI authentication.
|
|
||||||
|
|
||||||
If you do use Kerberos, please make sure you edit the server and
|
If you do use Kerberos, please make sure you edit the server and
|
||||||
client configuration files as follows:
|
client configuration files as follows:
|
||||||
|
|
||||||
@ -19,4 +16,3 @@ client configuration files as follows:
|
|||||||
... lots of other options ...
|
... lots of other options ...
|
||||||
GSSAPIAuthentication yes
|
GSSAPIAuthentication yes
|
||||||
GSSAPIDelegateCredentials yes
|
GSSAPIDelegateCredentials yes
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
#!/usr/bin/env perl
|
#!/usr/bin/perl
|
||||||
#
|
#
|
||||||
# CAVS test driver for OpenSSH
|
# CAVS test driver for OpenSSH
|
||||||
#
|
#
|
||||||
|
54
openssh-7.7p1-IPv6_X_forwarding.patch
Normal file
54
openssh-7.7p1-IPv6_X_forwarding.patch
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 8df645ca39d64de025d8838c5713812e72308c92
|
||||||
|
Correctly parse DISPLAY variable for cases where it contains an IPv6 address
|
||||||
|
(which should - but not always is - in (square) brackets).
|
||||||
|
|
||||||
|
bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
|
||||||
|
--- openssh-7.7p1/channels.c
|
||||||
|
+++ openssh-7.7p1/channels.c
|
||||||
|
@@ -4590,33 +4590,42 @@ x11_connect_display(struct ssh *ssh)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
/* OK, we now have a connection to the display. */
|
||||||
|
return sock;
|
||||||
|
}
|
||||||
|
/*
|
||||||
|
* Connect to an inet socket. The DISPLAY value is supposedly
|
||||||
|
* hostname:d[.s], where hostname may also be numeric IP address.
|
||||||
|
+ * Note that IPv6 numeric addresses contain colons (e.g. ::1:0)
|
||||||
|
*/
|
||||||
|
strlcpy(buf, display, sizeof(buf));
|
||||||
|
- cp = strchr(buf, ':');
|
||||||
|
+ cp = strrchr(buf, ':');
|
||||||
|
if (!cp) {
|
||||||
|
error("Could not find ':' in DISPLAY: %.100s", display);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
*cp = 0;
|
||||||
|
/*
|
||||||
|
* buf now contains the host name. But first we parse the
|
||||||
|
* display number.
|
||||||
|
*/
|
||||||
|
if (sscanf(cp + 1, "%u", &display_number) != 1) {
|
||||||
|
error("Could not parse display number from DISPLAY: %.100s",
|
||||||
|
display);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* Remove brackets surrounding IPv6 addresses if there are any. */
|
||||||
|
+ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
|
||||||
|
+ *cp = 0;
|
||||||
|
+ cp = buf + 1;
|
||||||
|
+ } else {
|
||||||
|
+ cp = buf;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Look up the host address */
|
||||||
|
memset(&hints, 0, sizeof(hints));
|
||||||
|
hints.ai_family = ssh->chanctxt->IPv4or6;
|
||||||
|
hints.ai_socktype = SOCK_STREAM;
|
||||||
|
snprintf(strport, sizeof strport, "%u", 6000 + display_number);
|
||||||
|
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
|
||||||
|
error("%.100s: unknown host. (%s)", buf,
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:87754e4234f7ed87e145cc61ea4c1e71121dd0ff10e28e86336f95033b8f7300
|
|
||||||
size 147974
|
|
47
openssh-7.7p1-X11_trusted_forwarding.patch
Normal file
47
openssh-7.7p1-X11_trusted_forwarding.patch
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent d25c96855fd67e997e25ec1198d953af33eb289c
|
||||||
|
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
||||||
|
# configuration
|
||||||
|
# bnc#50836 (was suse #35836)
|
||||||
|
Enable Trusted X11 forwarding by default, since the security benefits of
|
||||||
|
having it disabled are negligible these days with XI2 being widely used.
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/ssh_config
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh_config
|
||||||
|
+++ openssh-7.8p1/ssh_config
|
||||||
|
@@ -17,9 +17,20 @@
|
||||||
|
# list of available options, their meanings and defaults, please see the
|
||||||
|
# ssh_config(5) man page.
|
||||||
|
|
||||||
|
-# Host *
|
||||||
|
+Host *
|
||||||
|
# ForwardAgent no
|
||||||
|
# ForwardX11 no
|
||||||
|
+
|
||||||
|
+# If you do not trust your remote host (or its administrator), you
|
||||||
|
+# should not forward X11 connections to your local X11-display for
|
||||||
|
+# security reasons: Someone stealing the authentification data on the
|
||||||
|
+# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||||
|
+# keystrokes as you type, just like any other X11 client could do.
|
||||||
|
+# Set this to "no" here for global effect or in your own ~/.ssh/config
|
||||||
|
+# file if you want to have the remote X11 authentification data to
|
||||||
|
+# expire after twenty minutes after remote login.
|
||||||
|
+ ForwardX11Trusted yes
|
||||||
|
+
|
||||||
|
# PasswordAuthentication yes
|
||||||
|
# HostbasedAuthentication no
|
||||||
|
# GSSAPIAuthentication no
|
||||||
|
Index: openssh-7.8p1/sshd_config
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd_config
|
||||||
|
+++ openssh-7.8p1/sshd_config
|
||||||
|
@@ -84,7 +84,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
#AllowAgentForwarding yes
|
||||||
|
#AllowTcpForwarding yes
|
||||||
|
#GatewayPorts no
|
||||||
|
-#X11Forwarding no
|
||||||
|
+X11Forwarding yes
|
||||||
|
#X11DisplayOffset 10
|
||||||
|
#X11UseLocalhost yes
|
||||||
|
#PermitTTY yes
|
32
openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Normal file
32
openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 44592f09f090e74432f608084069d30d808fda69
|
||||||
|
Do not throw away already open sockets for X11 forwarding if another socket
|
||||||
|
family is not available for bind()
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
|
||||||
|
--- openssh-7.7p1/channels.c
|
||||||
|
+++ openssh-7.7p1/channels.c
|
||||||
|
@@ -4421,16 +4421,23 @@ x11_create_display_inet(struct ssh *ssh,
|
||||||
|
if (ai->ai_family == AF_INET6)
|
||||||
|
sock_set_v6only(sock);
|
||||||
|
if (x11_use_localhost)
|
||||||
|
set_reuseaddr(sock);
|
||||||
|
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||||
|
debug2("%s: bind port %d: %.100s", __func__,
|
||||||
|
port, strerror(errno));
|
||||||
|
close(sock);
|
||||||
|
+ /* do not remove successfully opened sockets if
|
||||||
|
+ * the request failed because the protocol
|
||||||
|
+ * IPv4/6 is not available (e.g. IPv6 may be
|
||||||
|
+ * disabled while being supported)
|
||||||
|
+ */
|
||||||
|
+ if (EADDRNOTAVAIL == errno)
|
||||||
|
+ continue;
|
||||||
|
for (n = 0; n < num_socks; n++)
|
||||||
|
close(socks[n]);
|
||||||
|
num_socks = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
socks[num_socks++] = sock;
|
||||||
|
if (num_socks == NUM_SOCKS)
|
||||||
|
break;
|
95
openssh-7.7p1-allow_root_password_login.patch
Normal file
95
openssh-7.7p1-allow_root_password_login.patch
Normal file
@ -0,0 +1,95 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 3bf0158be93bd08d60a30a320650ea7f9844ef50
|
||||||
|
Allow root login with password by default. While less secure than upstream
|
||||||
|
default of forbidding access to the root account with a password, we are
|
||||||
|
temporarily introducing this change to keep the default used in older OpenSSH
|
||||||
|
versions shipped with SLE.
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
|
||||||
|
--- openssh-7.7p1/servconf.c
|
||||||
|
+++ openssh-7.7p1/servconf.c
|
||||||
|
@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
|
||||||
|
options->address_family = AF_UNSPEC;
|
||||||
|
if (options->listen_addrs == NULL)
|
||||||
|
add_listen_addr(options, NULL, NULL, 0);
|
||||||
|
if (options->pid_file == NULL)
|
||||||
|
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
||||||
|
if (options->login_grace_time == -1)
|
||||||
|
options->login_grace_time = 120;
|
||||||
|
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||||
|
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||||
|
+ options->permit_root_login = PERMIT_YES;
|
||||||
|
if (options->ignore_rhosts == -1)
|
||||||
|
options->ignore_rhosts = 1;
|
||||||
|
if (options->ignore_user_known_hosts == -1)
|
||||||
|
options->ignore_user_known_hosts = 0;
|
||||||
|
if (options->print_motd == -1)
|
||||||
|
options->print_motd = 1;
|
||||||
|
if (options->print_lastlog == -1)
|
||||||
|
options->print_lastlog = 1;
|
||||||
|
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
|
||||||
|
--- openssh-7.7p1/sshd_config
|
||||||
|
+++ openssh-7.7p1/sshd_config
|
||||||
|
@@ -24,17 +24,17 @@
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
#SyslogFacility AUTH
|
||||||
|
#LogLevel INFO
|
||||||
|
|
||||||
|
# Authentication:
|
||||||
|
|
||||||
|
#LoginGraceTime 2m
|
||||||
|
-#PermitRootLogin prohibit-password
|
||||||
|
+#PermitRootLogin yes
|
||||||
|
#StrictModes yes
|
||||||
|
#MaxAuthTries 6
|
||||||
|
#MaxSessions 10
|
||||||
|
|
||||||
|
#PubkeyAuthentication yes
|
||||||
|
|
||||||
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||||
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||||
|
diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
|
||||||
|
--- openssh-7.7p1/sshd_config.0
|
||||||
|
+++ openssh-7.7p1/sshd_config.0
|
||||||
|
@@ -709,17 +709,17 @@ DESCRIPTION
|
||||||
|
none can be used to prohibit all forwarding requests. The
|
||||||
|
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
|
||||||
|
ports, respectively. By default all port forwarding requests are
|
||||||
|
permitted.
|
||||||
|
|
||||||
|
PermitRootLogin
|
||||||
|
Specifies whether root can log in using ssh(1). The argument
|
||||||
|
must be yes, prohibit-password, forced-commands-only, or no. The
|
||||||
|
- default is prohibit-password.
|
||||||
|
+ default is yes.
|
||||||
|
|
||||||
|
If this option is set to prohibit-password (or its deprecated
|
||||||
|
alias, without-password), password and keyboard-interactive
|
||||||
|
authentication are disabled for root.
|
||||||
|
|
||||||
|
If this option is set to forced-commands-only, root login with
|
||||||
|
public key authentication will be allowed, but only if the
|
||||||
|
command option has been specified (which may be useful for taking
|
||||||
|
diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
|
||||||
|
--- openssh-7.7p1/sshd_config.5
|
||||||
|
+++ openssh-7.7p1/sshd_config.5
|
||||||
|
@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
|
||||||
|
.Xr ssh 1 .
|
||||||
|
The argument must be
|
||||||
|
.Cm yes ,
|
||||||
|
.Cm prohibit-password ,
|
||||||
|
.Cm forced-commands-only ,
|
||||||
|
or
|
||||||
|
.Cm no .
|
||||||
|
The default is
|
||||||
|
-.Cm prohibit-password .
|
||||||
|
+.Cm yes .
|
||||||
|
.Pp
|
||||||
|
If this option is set to
|
||||||
|
.Cm prohibit-password
|
||||||
|
(or its deprecated alias,
|
||||||
|
.Cm without-password ) ,
|
||||||
|
password and keyboard-interactive authentication are disabled for root.
|
||||||
|
.Pp
|
||||||
|
If this option is set to
|
2264
openssh-7.7p1-audit.patch
Normal file
2264
openssh-7.7p1-audit.patch
Normal file
File diff suppressed because it is too large
Load Diff
75
openssh-7.7p1-blocksigalrm.patch
Normal file
75
openssh-7.7p1-blocksigalrm.patch
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 2e66b48b2212113d9897a58aaada67557b7c4f35
|
||||||
|
block SIGALRM while logging through syslog to prevent deadlocks
|
||||||
|
(through grace_alarm_handler())
|
||||||
|
|
||||||
|
bnc#57354
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
|
||||||
|
--- openssh-7.7p1/log.c
|
||||||
|
+++ openssh-7.7p1/log.c
|
||||||
|
@@ -46,16 +46,17 @@
|
||||||
|
#include <syslog.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <errno.h>
|
||||||
|
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
|
||||||
|
# include <vis.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "log.h"
|
||||||
|
+#include <signal.h>
|
||||||
|
|
||||||
|
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||||
|
static int log_on_stderr = 1;
|
||||||
|
static int log_stderr_fd = STDERR_FILENO;
|
||||||
|
static int log_facility = LOG_AUTH;
|
||||||
|
static char *argv0;
|
||||||
|
static log_handler_fn *log_handler;
|
||||||
|
static void *log_handler_ctx;
|
||||||
|
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
|
||||||
|
{
|
||||||
|
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||||
|
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||||
|
#endif
|
||||||
|
char msgbuf[MSGBUFSIZ];
|
||||||
|
char fmtbuf[MSGBUFSIZ];
|
||||||
|
char *txt = NULL;
|
||||||
|
int pri = LOG_INFO;
|
||||||
|
+ sigset_t nset, oset;
|
||||||
|
int saved_errno = errno;
|
||||||
|
log_handler_fn *tmp_handler;
|
||||||
|
|
||||||
|
if (level > log_level)
|
||||||
|
return;
|
||||||
|
|
||||||
|
switch (level) {
|
||||||
|
case SYSLOG_LEVEL_FATAL:
|
||||||
|
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
|
||||||
|
log_handler = NULL;
|
||||||
|
tmp_handler(level, fmtbuf, log_handler_ctx);
|
||||||
|
log_handler = tmp_handler;
|
||||||
|
} else if (log_on_stderr) {
|
||||||
|
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
|
||||||
|
(int)sizeof msgbuf - 3, fmtbuf);
|
||||||
|
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
||||||
|
} else {
|
||||||
|
+ /* Prevent a race between the grace_alarm which writes a
|
||||||
|
+ * log message and terminates and main sshd code that leads
|
||||||
|
+ * to deadlock as syslog is not async safe.
|
||||||
|
+ */
|
||||||
|
+ sigemptyset(&nset);
|
||||||
|
+ sigaddset(&nset, SIGALRM);
|
||||||
|
+ sigprocmask(SIG_BLOCK, &nset, &oset);
|
||||||
|
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||||
|
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
||||||
|
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||||
|
closelog_r(&sdata);
|
||||||
|
#else
|
||||||
|
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
|
||||||
|
syslog(pri, "%.500s", fmtbuf);
|
||||||
|
closelog();
|
||||||
|
#endif
|
||||||
|
+ sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||||
|
}
|
||||||
|
errno = saved_errno;
|
||||||
|
}
|
361
openssh-7.7p1-cavstest-ctr.patch
Normal file
361
openssh-7.7p1-cavstest-ctr.patch
Normal file
@ -0,0 +1,361 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
|
||||||
|
CAVS test for OpenSSH's own CTR encryption mode implementation
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
|
||||||
|
--- openssh-7.7p1/Makefile.in
|
||||||
|
+++ openssh-7.7p1/Makefile.in
|
||||||
|
@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@
|
||||||
|
|
||||||
|
DESTDIR=
|
||||||
|
VPATH=@srcdir@
|
||||||
|
SSH_PROGRAM=@bindir@/ssh
|
||||||
|
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||||
|
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
|
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||||
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
|
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||||
|
STRIP_OPT=@STRIP_OPT@
|
||||||
|
TEST_SHELL=@TEST_SHELL@
|
||||||
|
|
||||||
|
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
||||||
|
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
||||||
|
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
||||||
|
@@ -57,16 +58,18 @@ ENT=@ENT@
|
||||||
|
XAUTH_PATH=@XAUTH_PATH@
|
||||||
|
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||||
|
EXEEXT=@EXEEXT@
|
||||||
|
MANFMT=@MANFMT@
|
||||||
|
MKDIR_P=@MKDIR_P@
|
||||||
|
|
||||||
|
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||||
|
|
||||||
|
+TARGETS += cavstest-ctr$(EXEEXT)
|
||||||
|
+
|
||||||
|
XMSS_OBJS=\
|
||||||
|
ssh-xmss.o \
|
||||||
|
sshkey-xmss.o \
|
||||||
|
xmss_commons.o \
|
||||||
|
xmss_fast.o \
|
||||||
|
xmss_hash.o \
|
||||||
|
xmss_hash_address.o \
|
||||||
|
xmss_wots.o
|
||||||
|
@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
|
||||||
|
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
|
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||||
|
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
|
||||||
|
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||||
|
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||||
|
|
||||||
|
+# FIPS tests
|
||||||
|
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||||
|
+ $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
+
|
||||||
|
# test driver for the loginrec code - not built by default
|
||||||
|
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||||
|
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
|
$(MANPAGES): $(MANPAGES_IN)
|
||||||
|
if test "$(MANTYPE)" = "cat"; then \
|
||||||
|
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
||||||
|
else \
|
||||||
|
@@ -339,16 +346,17 @@ install-files:
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||||
|
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
|
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||||
|
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||||
|
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||||
|
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||||
|
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
||||||
|
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
||||||
|
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
||||||
|
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
||||||
|
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
||||||
|
diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
|
||||||
|
new file mode 100644
|
||||||
|
--- /dev/null
|
||||||
|
+++ openssh-7.7p1/cavstest-ctr.c
|
||||||
|
@@ -0,0 +1,214 @@
|
||||||
|
+/*
|
||||||
|
+ *
|
||||||
|
+ * invocation (all of the following are equal):
|
||||||
|
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
|
||||||
|
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
|
||||||
|
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include "includes.h"
|
||||||
|
+
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include <sys/param.h>
|
||||||
|
+#include <stdarg.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <ctype.h>
|
||||||
|
+
|
||||||
|
+#include "xmalloc.h"
|
||||||
|
+#include "log.h"
|
||||||
|
+#include "cipher.h"
|
||||||
|
+
|
||||||
|
+/* compatibility with old or broken OpenSSL versions */
|
||||||
|
+#include "openbsd-compat/openssl-compat.h"
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+usage(void)
|
||||||
|
+{
|
||||||
|
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
|
||||||
|
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
|
||||||
|
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
|
||||||
|
+ "Hexadecimal output is printed to stdout.\n"
|
||||||
|
+ "Hexadecimal input data can be alternatively read from stdin.\n");
|
||||||
|
+ exit(1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void *
|
||||||
|
+fromhex(char *hex, size_t * len)
|
||||||
|
+{
|
||||||
|
+ unsigned char *bin;
|
||||||
|
+ char *p;
|
||||||
|
+ size_t n = 0;
|
||||||
|
+ int shift = 4;
|
||||||
|
+ unsigned char out = 0;
|
||||||
|
+ unsigned char *optr;
|
||||||
|
+
|
||||||
|
+ bin = xmalloc(strlen(hex) / 2);
|
||||||
|
+ optr = bin;
|
||||||
|
+
|
||||||
|
+ for (p = hex; *p != '\0'; ++p) {
|
||||||
|
+ unsigned char c;
|
||||||
|
+
|
||||||
|
+ c = *p;
|
||||||
|
+ if (isspace(c))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ if (c >= '0' && c <= '9') {
|
||||||
|
+ c = c - '0';
|
||||||
|
+ } else if (c >= 'A' && c <= 'F') {
|
||||||
|
+ c = c - 'A' + 10;
|
||||||
|
+ } else if (c >= 'a' && c <= 'f') {
|
||||||
|
+ c = c - 'a' + 10;
|
||||||
|
+ } else {
|
||||||
|
+ /* truncate on nonhex cipher */
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ out |= c << shift;
|
||||||
|
+ shift = (shift + 4) % 8;
|
||||||
|
+
|
||||||
|
+ if (shift) {
|
||||||
|
+ *(optr++) = out;
|
||||||
|
+ out = 0;
|
||||||
|
+ ++n;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *len = n;
|
||||||
|
+ return bin;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define READ_CHUNK 4096
|
||||||
|
+#define MAX_READ_SIZE 1024*1024*100
|
||||||
|
+char *
|
||||||
|
+read_stdin(void)
|
||||||
|
+{
|
||||||
|
+ char *buf;
|
||||||
|
+ size_t n, total = 0;
|
||||||
|
+
|
||||||
|
+ buf = xmalloc(READ_CHUNK);
|
||||||
|
+
|
||||||
|
+ do {
|
||||||
|
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
|
||||||
|
+ if (n < READ_CHUNK) /* terminate on short read */
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ total += n;
|
||||||
|
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
||||||
|
+ } while (total < MAX_READ_SIZE);
|
||||||
|
+ return buf;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+main(int argc, char *argv[])
|
||||||
|
+{
|
||||||
|
+
|
||||||
|
+ struct sshcipher *c;
|
||||||
|
+ struct sshcipher_ctx cc;
|
||||||
|
+ struct sshcipher_ctx *ccp;
|
||||||
|
+ char *algo = "aes128-ctr";
|
||||||
|
+ char *hexkey = NULL;
|
||||||
|
+ char *hexiv = "00000000000000000000000000000000";
|
||||||
|
+ char *hexdata = NULL;
|
||||||
|
+ char *p;
|
||||||
|
+ int i;
|
||||||
|
+ int encrypt = 1;
|
||||||
|
+ void *key;
|
||||||
|
+ size_t keylen;
|
||||||
|
+ void *iv;
|
||||||
|
+ size_t ivlen;
|
||||||
|
+ void *data;
|
||||||
|
+ size_t datalen;
|
||||||
|
+ void *outdata;
|
||||||
|
+
|
||||||
|
+ for (i = 1; i < argc; ++i) {
|
||||||
|
+ if (strcmp(argv[i], "--algo") == 0) {
|
||||||
|
+ algo = argv[++i];
|
||||||
|
+ } else if (strcmp(argv[i], "--key") == 0) {
|
||||||
|
+ hexkey = argv[++i];
|
||||||
|
+ } else if (strcmp(argv[i], "--mode") == 0) {
|
||||||
|
+ ++i;
|
||||||
|
+ if (argv[i] == NULL) {
|
||||||
|
+ usage();
|
||||||
|
+ }
|
||||||
|
+ if (strncmp(argv[i], "enc", 3) == 0) {
|
||||||
|
+ encrypt = 1;
|
||||||
|
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
|
||||||
|
+ encrypt = 0;
|
||||||
|
+ } else {
|
||||||
|
+ usage();
|
||||||
|
+ }
|
||||||
|
+ } else if (strcmp(argv[i], "--iv") == 0) {
|
||||||
|
+ hexiv = argv[++i];
|
||||||
|
+ } else if (strcmp(argv[i], "--data") == 0) {
|
||||||
|
+ hexdata = argv[++i];
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (hexkey == NULL || algo == NULL) {
|
||||||
|
+ usage();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ SSLeay_add_all_algorithms();
|
||||||
|
+
|
||||||
|
+ c = cipher_by_name(algo);
|
||||||
|
+ if (c == NULL) {
|
||||||
|
+ fprintf(stderr, "Error: unknown algorithm\n");
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (hexdata == NULL) {
|
||||||
|
+ hexdata = read_stdin();
|
||||||
|
+ } else {
|
||||||
|
+ hexdata = xstrdup(hexdata);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ key = fromhex(hexkey, &keylen);
|
||||||
|
+
|
||||||
|
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
|
||||||
|
+ fprintf(stderr, "Error: unsupported key length\n");
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ iv = fromhex(hexiv, &ivlen);
|
||||||
|
+
|
||||||
|
+ if (ivlen != 16) {
|
||||||
|
+ fprintf(stderr, "Error: unsupported iv length\n");
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ data = fromhex(hexdata, &datalen);
|
||||||
|
+
|
||||||
|
+ if (data == NULL || datalen == 0) {
|
||||||
|
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ccp = &cc;
|
||||||
|
+ cipher_init(&ccp, c, key, keylen, iv, ivlen, encrypt);
|
||||||
|
+
|
||||||
|
+ free(key);
|
||||||
|
+ free(iv);
|
||||||
|
+
|
||||||
|
+ outdata = malloc(datalen);
|
||||||
|
+ if (outdata == NULL) {
|
||||||
|
+ fprintf(stderr, "Error: memory allocation failure\n");
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
||||||
|
+
|
||||||
|
+ free(data);
|
||||||
|
+
|
||||||
|
+ cipher_free(&cc);
|
||||||
|
+
|
||||||
|
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
||||||
|
+ printf("%02X", (unsigned char) *p);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(outdata);
|
||||||
|
+
|
||||||
|
+ printf("\n");
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
|
||||||
|
--- openssh-7.7p1/cipher.c
|
||||||
|
+++ openssh-7.7p1/cipher.c
|
||||||
|
@@ -49,25 +49,16 @@
|
||||||
|
#include "ssherr.h"
|
||||||
|
#include "digest.h"
|
||||||
|
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
|
||||||
|
#include "fips.h"
|
||||||
|
#include "log.h"
|
||||||
|
|
||||||
|
-struct sshcipher_ctx {
|
||||||
|
- int plaintext;
|
||||||
|
- int encrypt;
|
||||||
|
- EVP_CIPHER_CTX *evp;
|
||||||
|
- struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
|
||||||
|
- struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||||
|
- const struct sshcipher *cipher;
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
struct sshcipher {
|
||||||
|
char *name;
|
||||||
|
u_int block_size;
|
||||||
|
u_int key_len;
|
||||||
|
u_int iv_len; /* defaults to block_size */
|
||||||
|
u_int auth_len;
|
||||||
|
u_int flags;
|
||||||
|
#define CFLAG_CBC (1<<0)
|
||||||
|
diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
|
||||||
|
--- openssh-7.7p1/cipher.h
|
||||||
|
+++ openssh-7.7p1/cipher.h
|
||||||
|
@@ -41,17 +41,25 @@
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include "cipher-chachapoly.h"
|
||||||
|
#include "cipher-aesctr.h"
|
||||||
|
|
||||||
|
#define CIPHER_ENCRYPT 1
|
||||||
|
#define CIPHER_DECRYPT 0
|
||||||
|
|
||||||
|
struct sshcipher;
|
||||||
|
-struct sshcipher_ctx;
|
||||||
|
+struct sshcipher_ctx {
|
||||||
|
+ int plaintext;
|
||||||
|
+ int encrypt;
|
||||||
|
+ EVP_CIPHER_CTX *evp;
|
||||||
|
+ struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
|
||||||
|
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||||
|
+ const struct sshcipher *cipher;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
|
||||||
|
const struct sshcipher *cipher_by_name(const char *);
|
||||||
|
const char *cipher_warning_message(const struct sshcipher_ctx *);
|
||||||
|
int ciphers_valid(const char *);
|
||||||
|
char *cipher_alg_list(char, int);
|
||||||
|
int cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
|
||||||
|
const u_char *, u_int, const u_char *, u_int, int);
|
||||||
|
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
|
474
openssh-7.7p1-cavstest-kdf.patch
Normal file
474
openssh-7.7p1-cavstest-kdf.patch
Normal file
@ -0,0 +1,474 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
|
||||||
|
CAVS test for KDF implementation in OpenSSH
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
|
||||||
|
--- openssh-7.7p1/Makefile.in
|
||||||
|
+++ openssh-7.7p1/Makefile.in
|
||||||
|
@@ -20,16 +20,17 @@ top_srcdir=@top_srcdir@
|
||||||
|
DESTDIR=
|
||||||
|
VPATH=@srcdir@
|
||||||
|
SSH_PROGRAM=@bindir@/ssh
|
||||||
|
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||||
|
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
|
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||||
|
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||||
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
|
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||||
|
STRIP_OPT=@STRIP_OPT@
|
||||||
|
TEST_SHELL=@TEST_SHELL@
|
||||||
|
|
||||||
|
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
||||||
|
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
||||||
|
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
||||||
|
@@ -58,17 +59,17 @@ ENT=@ENT@
|
||||||
|
XAUTH_PATH=@XAUTH_PATH@
|
||||||
|
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||||
|
EXEEXT=@EXEEXT@
|
||||||
|
MANFMT=@MANFMT@
|
||||||
|
MKDIR_P=@MKDIR_P@
|
||||||
|
|
||||||
|
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||||
|
|
||||||
|
-TARGETS += cavstest-ctr$(EXEEXT)
|
||||||
|
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||||
|
|
||||||
|
XMSS_OBJS=\
|
||||||
|
ssh-xmss.o \
|
||||||
|
sshkey-xmss.o \
|
||||||
|
xmss_commons.o \
|
||||||
|
xmss_fast.o \
|
||||||
|
xmss_hash.o \
|
||||||
|
xmss_hash_address.o \
|
||||||
|
@@ -206,16 +207,19 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
||||||
|
|
||||||
|
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||||
|
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||||
|
|
||||||
|
# FIPS tests
|
||||||
|
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||||
|
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
|
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-kdf.o
|
||||||
|
+ $(LD) -o $@ cavstest-kdf.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
+
|
||||||
|
# test driver for the loginrec code - not built by default
|
||||||
|
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||||
|
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
|
$(MANPAGES): $(MANPAGES_IN)
|
||||||
|
if test "$(MANTYPE)" = "cat"; then \
|
||||||
|
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
||||||
|
else \
|
||||||
|
@@ -347,16 +351,17 @@ install-files:
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||||
|
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||||
|
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
|
||||||
|
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||||
|
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||||
|
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||||
|
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
||||||
|
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
||||||
|
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
||||||
|
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
||||||
|
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
||||||
|
diff --git a/openssh-7.7p1/cavstest-kdf.c b/openssh-7.7p1/cavstest-kdf.c
|
||||||
|
new file mode 100644
|
||||||
|
--- /dev/null
|
||||||
|
+++ openssh-7.7p1/cavstest-kdf.c
|
||||||
|
@@ -0,0 +1,387 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||||
|
+ *
|
||||||
|
+ * Redistribution and use in source and binary forms, with or without
|
||||||
|
+ * modification, are permitted provided that the following conditions
|
||||||
|
+ * are met:
|
||||||
|
+ * 1. Redistributions of source code must retain the above copyright
|
||||||
|
+ * notice, and the entire permission notice in its entirety,
|
||||||
|
+ * including the disclaimer of warranties.
|
||||||
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
+ * notice, this list of conditions and the following disclaimer in the
|
||||||
|
+ * documentation and/or other materials provided with the distribution.
|
||||||
|
+ * 3. The name of the author may not be used to endorse or promote
|
||||||
|
+ * products derived from this software without specific prior
|
||||||
|
+ * written permission.
|
||||||
|
+ *
|
||||||
|
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||||
|
+ * the GNU General Public License, in which case the provisions of the GPL2
|
||||||
|
+ * are required INSTEAD OF the above restrictions. (This clause is
|
||||||
|
+ * necessary due to a potential bad interaction between the GPL and
|
||||||
|
+ * the restrictions contained in a BSD-style copyright.)
|
||||||
|
+ *
|
||||||
|
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||||
|
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||||
|
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
||||||
|
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
||||||
|
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||||
|
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
||||||
|
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
||||||
|
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||||
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
||||||
|
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
||||||
|
+ * DAMAGE.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include "includes.h"
|
||||||
|
+
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+
|
||||||
|
+#include <openssl/bn.h>
|
||||||
|
+
|
||||||
|
+#include "xmalloc.h"
|
||||||
|
+#include "sshbuf.h"
|
||||||
|
+#include "sshkey.h"
|
||||||
|
+#include "cipher.h"
|
||||||
|
+#include "kex.h"
|
||||||
|
+#include "packet.h"
|
||||||
|
+
|
||||||
|
+static int bin_char(unsigned char hex)
|
||||||
|
+{
|
||||||
|
+ if (48 <= hex && 57 >= hex)
|
||||||
|
+ return (hex - 48);
|
||||||
|
+ if (65 <= hex && 70 >= hex)
|
||||||
|
+ return (hex - 55);
|
||||||
|
+ if (97 <= hex && 102 >= hex)
|
||||||
|
+ return (hex - 87);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Convert hex representation into binary string
|
||||||
|
+ * @hex input buffer with hex representation
|
||||||
|
+ * @hexlen length of hex
|
||||||
|
+ * @bin output buffer with binary data
|
||||||
|
+ * @binlen length of already allocated bin buffer (should be at least
|
||||||
|
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
||||||
|
+ */
|
||||||
|
+static void hex2bin(const char *hex, size_t hexlen,
|
||||||
|
+ unsigned char *bin, size_t binlen)
|
||||||
|
+{
|
||||||
|
+ size_t i = 0;
|
||||||
|
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < chars; i++) {
|
||||||
|
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
||||||
|
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Allocate sufficient space for binary representation of hex
|
||||||
|
+ * and convert hex into bin
|
||||||
|
+ *
|
||||||
|
+ * Caller must free bin
|
||||||
|
+ * @hex input buffer with hex representation
|
||||||
|
+ * @hexlen length of hex
|
||||||
|
+ * @bin return value holding the pointer to the newly allocated buffer
|
||||||
|
+ * @binlen return value holding the allocated size of bin
|
||||||
|
+ *
|
||||||
|
+ * return: 0 on success, !0 otherwise
|
||||||
|
+ */
|
||||||
|
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
||||||
|
+ unsigned char **bin, size_t *binlen)
|
||||||
|
+{
|
||||||
|
+ unsigned char *out = NULL;
|
||||||
|
+ size_t outlen = 0;
|
||||||
|
+
|
||||||
|
+ if (!hexlen)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+
|
||||||
|
+ outlen = (hexlen + 1) / 2;
|
||||||
|
+
|
||||||
|
+ out = calloc(1, outlen);
|
||||||
|
+ if (!out)
|
||||||
|
+ return -errno;
|
||||||
|
+
|
||||||
|
+ hex2bin(hex, hexlen, out, outlen);
|
||||||
|
+ *bin = out;
|
||||||
|
+ *binlen = outlen;
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||||
|
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
||||||
|
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||||
|
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
||||||
|
+static char hex_char(unsigned int bin, int u)
|
||||||
|
+{
|
||||||
|
+ if (bin < sizeof(hex_char_map_l))
|
||||||
|
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
||||||
|
+ return 'X';
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Convert binary string into hex representation
|
||||||
|
+ * @bin input buffer with binary data
|
||||||
|
+ * @binlen length of bin
|
||||||
|
+ * @hex output buffer to store hex data
|
||||||
|
+ * @hexlen length of already allocated hex buffer (should be at least
|
||||||
|
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
||||||
|
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
||||||
|
+ */
|
||||||
|
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
||||||
|
+ char *hex, size_t hexlen, int u)
|
||||||
|
+{
|
||||||
|
+ size_t i = 0;
|
||||||
|
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < chars; i++) {
|
||||||
|
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
||||||
|
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+struct kdf_cavs {
|
||||||
|
+ unsigned char *K;
|
||||||
|
+ size_t Klen;
|
||||||
|
+ unsigned char *H;
|
||||||
|
+ size_t Hlen;
|
||||||
|
+ unsigned char *session_id;
|
||||||
|
+ size_t session_id_len;
|
||||||
|
+
|
||||||
|
+ unsigned int iv_len;
|
||||||
|
+ unsigned int ek_len;
|
||||||
|
+ unsigned int ik_len;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static int sshkdf_cavs(struct kdf_cavs *test)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+ struct kex kex;
|
||||||
|
+ BIGNUM *Kbn = NULL;
|
||||||
|
+ int mode = 0;
|
||||||
|
+ struct newkeys *keys_client;
|
||||||
|
+ struct newkeys *keys_server;
|
||||||
|
+ struct ssh *ssh = NULL;
|
||||||
|
+
|
||||||
|
+#define HEXOUTLEN 500
|
||||||
|
+ char hex[HEXOUTLEN];
|
||||||
|
+
|
||||||
|
+ memset(&kex, 0, sizeof(struct kex));
|
||||||
|
+
|
||||||
|
+ Kbn = BN_new();
|
||||||
|
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
||||||
|
+ if (!Kbn) {
|
||||||
|
+ printf("cannot convert K into BIGNUM\n");
|
||||||
|
+ ret = 1;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ kex.session_id = test->session_id;
|
||||||
|
+ kex.session_id_len = test->session_id_len;
|
||||||
|
+
|
||||||
|
+ /* setup kex */
|
||||||
|
+
|
||||||
|
+ /* select the right hash based on struct ssh_digest digests */
|
||||||
|
+ switch (test->ik_len) {
|
||||||
|
+ case 20:
|
||||||
|
+ kex.hash_alg = 2;
|
||||||
|
+ break;
|
||||||
|
+ case 32:
|
||||||
|
+ kex.hash_alg = 3;
|
||||||
|
+ break;
|
||||||
|
+ case 48:
|
||||||
|
+ kex.hash_alg = 4;
|
||||||
|
+ break;
|
||||||
|
+ case 64:
|
||||||
|
+ kex.hash_alg = 5;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ printf("Wrong hash type %u\n", test->ik_len);
|
||||||
|
+ ret = 1;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* implement choose_enc */
|
||||||
|
+ for (mode = 0; mode < 2; mode++) {
|
||||||
|
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
||||||
|
+ if (!kex.newkeys[mode]) {
|
||||||
|
+ printf("allocation of newkeys failed\n");
|
||||||
|
+ ret = 1;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
||||||
|
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
||||||
|
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
||||||
|
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* implement kex_choose_conf */
|
||||||
|
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
||||||
|
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
||||||
|
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
||||||
|
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
||||||
|
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
||||||
|
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
||||||
|
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
||||||
|
+
|
||||||
|
+ /* MODE_OUT (1) -> server to client
|
||||||
|
+ * MODE_IN (0) -> client to server */
|
||||||
|
+ kex.server = 1;
|
||||||
|
+
|
||||||
|
+ /* do it */
|
||||||
|
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
|
||||||
|
+ printf("Allocation error\n");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ ssh->kex = &kex;
|
||||||
|
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
|
||||||
|
+
|
||||||
|
+ keys_client = kex.newkeys[0];
|
||||||
|
+ keys_server = kex.newkeys[1];
|
||||||
|
+
|
||||||
|
+ /* get data */
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Initial IV (client to server) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Initial IV (server to client) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Encryption key (client to server) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Encryption key (server to client) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Integrity key (client to server) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Integrity key (server to client) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ free(keys_client);
|
||||||
|
+ free(keys_server);
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ if (Kbn)
|
||||||
|
+ BN_free(Kbn);
|
||||||
|
+ if (ssh)
|
||||||
|
+ ssh_packet_close(ssh);
|
||||||
|
+ if (kex.newkeys[0])
|
||||||
|
+ free(kex.newkeys[0]);
|
||||||
|
+ if (kex.newkeys[1])
|
||||||
|
+ free(kex.newkeys[1]);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void usage(void)
|
||||||
|
+{
|
||||||
|
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
||||||
|
+ fprintf(stderr, "Usage:\n");
|
||||||
|
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
||||||
|
+ fprintf(stderr, "\t-H\tHash string\n");
|
||||||
|
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
||||||
|
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
||||||
|
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
||||||
|
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Test command example:
|
||||||
|
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
||||||
|
+ *
|
||||||
|
+ * Expected result for example:
|
||||||
|
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
||||||
|
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
||||||
|
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
||||||
|
+ * Initial IV (server to client) = 43dea6fdf263a308
|
||||||
|
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
||||||
|
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
||||||
|
+ */
|
||||||
|
+int main(int argc, char *argv[])
|
||||||
|
+{
|
||||||
|
+ struct kdf_cavs test;
|
||||||
|
+ int ret = 1;
|
||||||
|
+ int opt = 0;
|
||||||
|
+
|
||||||
|
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
||||||
|
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
||||||
|
+ {
|
||||||
|
+ size_t len = 0;
|
||||||
|
+ switch(opt)
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * CAVS K is MPINT
|
||||||
|
+ * we want a hex (i.e. the caller must ensure the
|
||||||
|
+ * following transformations already happened):
|
||||||
|
+ * 1. cut off first four bytes
|
||||||
|
+ * 2. if most significant bit of value is
|
||||||
|
+ * 1, prepend 0 byte
|
||||||
|
+ */
|
||||||
|
+ case 'K':
|
||||||
|
+ len = strlen(optarg);
|
||||||
|
+ ret = hex2bin_alloc(optarg, len,
|
||||||
|
+ &test.K, &test.Klen);
|
||||||
|
+ if (ret)
|
||||||
|
+ goto out;
|
||||||
|
+ break;
|
||||||
|
+ case 'H':
|
||||||
|
+ len = strlen(optarg);
|
||||||
|
+ ret = hex2bin_alloc(optarg, len,
|
||||||
|
+ &test.H, &test.Hlen);
|
||||||
|
+ if (ret)
|
||||||
|
+ goto out;
|
||||||
|
+ break;
|
||||||
|
+ case 's':
|
||||||
|
+ len = strlen(optarg);
|
||||||
|
+ ret = hex2bin_alloc(optarg, len,
|
||||||
|
+ &test.session_id,
|
||||||
|
+ &test.session_id_len);
|
||||||
|
+ if (ret)
|
||||||
|
+ goto out;
|
||||||
|
+ break;
|
||||||
|
+ case 'i':
|
||||||
|
+ test.iv_len = strtoul(optarg, NULL, 10);
|
||||||
|
+ break;
|
||||||
|
+ case 'e':
|
||||||
|
+ test.ek_len = strtoul(optarg, NULL, 10);
|
||||||
|
+ break;
|
||||||
|
+ case 'm':
|
||||||
|
+ test.ik_len = strtoul(optarg, NULL, 10);
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ usage();
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = sshkdf_cavs(&test);
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ if (test.session_id)
|
||||||
|
+ free(test.session_id);
|
||||||
|
+ if (test.K)
|
||||||
|
+ free(test.K);
|
||||||
|
+ if (test.H)
|
||||||
|
+ free(test.H);
|
||||||
|
+ return ret;
|
||||||
|
+
|
||||||
|
+}
|
64
openssh-7.7p1-disable_openssl_abi_check.patch
Normal file
64
openssh-7.7p1-disable_openssl_abi_check.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent b13da8c3e99081cb92ab226d2c512241a82cd0d5
|
||||||
|
disable run-time check for OpenSSL ABI by version number as that is not a
|
||||||
|
reliable indicator of ABI changes and doesn't make much sense in a
|
||||||
|
distribution package
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac
|
||||||
|
--- openssh-7.7p1/configure.ac
|
||||||
|
+++ openssh-7.7p1/configure.ac
|
||||||
|
@@ -4895,16 +4895,29 @@ AC_ARG_WITH([bsd-auth],
|
||||||
|
if test "x$withval" != "xno" ; then
|
||||||
|
AC_DEFINE([BSD_AUTH], [1],
|
||||||
|
[Define if you have BSD auth support])
|
||||||
|
BSD_AUTH_MSG=yes
|
||||||
|
fi
|
||||||
|
]
|
||||||
|
)
|
||||||
|
|
||||||
|
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
||||||
|
+DISTRO_SSL=no
|
||||||
|
+AC_ARG_WITH([distro-ssl],
|
||||||
|
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
||||||
|
+ [
|
||||||
|
+ if test "x$withval" != "xno" ; then
|
||||||
|
+ AC_DEFINE([DISTRO_SSL], [1],
|
||||||
|
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
||||||
|
+ DISTRO_SSL=yes
|
||||||
|
+ fi
|
||||||
|
+ ]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
# Where to place sshd.pid
|
||||||
|
piddir=/var/run
|
||||||
|
# make sure the directory exists
|
||||||
|
if test ! -d $piddir ; then
|
||||||
|
piddir=`eval echo ${sysconfdir}`
|
||||||
|
case $piddir in
|
||||||
|
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
|
||||||
|
esac
|
||||||
|
diff --git a/openssh-7.7p1/entropy.c b/openssh-7.7p1/entropy.c
|
||||||
|
--- openssh-7.7p1/entropy.c
|
||||||
|
+++ openssh-7.7p1/entropy.c
|
||||||
|
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
|
||||||
|
#endif /* OPENSSL_PRNG_ONLY */
|
||||||
|
|
||||||
|
void
|
||||||
|
seed_rng(void)
|
||||||
|
{
|
||||||
|
#ifndef OPENSSL_PRNG_ONLY
|
||||||
|
unsigned char buf[RANDOM_SEED_SIZE];
|
||||||
|
#endif
|
||||||
|
+#ifndef DISTRO_SSL
|
||||||
|
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
||||||
|
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||||
|
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
#ifndef OPENSSL_PRNG_ONLY
|
||||||
|
if (RAND_status() == 1) {
|
||||||
|
debug3("RNG is ready, skipping seeding");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
425
openssh-7.7p1-disable_short_DH_parameters.patch
Normal file
425
openssh-7.7p1-disable_short_DH_parameters.patch
Normal file
@ -0,0 +1,425 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 681914438b1a02c1940d19204138e9b8eacfda7b
|
||||||
|
|
||||||
|
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
||||||
|
7.2. 1024b values are believed to be in breaking range for state adversaries
|
||||||
|
and the default moduli shipped with openssh have been around long enough to
|
||||||
|
make it more likely for them to be broken.
|
||||||
|
|
||||||
|
Also provide an option that allows the client to accept shorter (RFC4419
|
||||||
|
compliant) parameters.
|
||||||
|
|
||||||
|
CVE-2015-4000 (LOGJAM)
|
||||||
|
bsc#932483
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/dh.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/dh.c
|
||||||
|
+++ openssh-7.8p1/dh.c
|
||||||
|
@@ -43,6 +43,8 @@
|
||||||
|
#include "misc.h"
|
||||||
|
#include "ssherr.h"
|
||||||
|
|
||||||
|
+int dh_grp_min = DH_GRP_MIN;
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
||||||
|
{
|
||||||
|
Index: openssh-7.8p1/dh.h
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/dh.h
|
||||||
|
+++ openssh-7.8p1/dh.h
|
||||||
|
@@ -50,6 +50,7 @@ u_int dh_estimate(int);
|
||||||
|
* Max value from RFC4419.
|
||||||
|
* Miniumum increased in light of DH precomputation attacks.
|
||||||
|
*/
|
||||||
|
+#define DH_GRP_MIN_RFC 1024
|
||||||
|
#define DH_GRP_MIN 2048
|
||||||
|
#define DH_GRP_MAX 8192
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/kexgexc.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/kexgexc.c
|
||||||
|
+++ openssh-7.8p1/kexgexc.c
|
||||||
|
@@ -51,6 +51,9 @@
|
||||||
|
#include "sshbuf.h"
|
||||||
|
#include "misc.h"
|
||||||
|
|
||||||
|
+/* import from dh.c */
|
||||||
|
+extern int dh_grp_min;
|
||||||
|
+
|
||||||
|
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||||
|
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||||
|
|
||||||
|
@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh)
|
||||||
|
|
||||||
|
nbits = dh_estimate(kex->dh_need * 8);
|
||||||
|
|
||||||
|
- kex->min = DH_GRP_MIN;
|
||||||
|
+ kex->min = dh_grp_min;
|
||||||
|
kex->max = DH_GRP_MAX;
|
||||||
|
kex->nbits = nbits;
|
||||||
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||||
|
@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32
|
||||||
|
goto out;
|
||||||
|
if ((bits = BN_num_bits(p)) < 0 ||
|
||||||
|
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
||||||
|
+ if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
|
||||||
|
+ logit("DH parameter offered by the server (%d bits) "
|
||||||
|
+ "is considered insecure. "
|
||||||
|
+ "You can lower the accepted the minimum "
|
||||||
|
+ "via the KexDHMin option.",
|
||||||
|
+ bits);
|
||||||
|
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
Index: openssh-7.8p1/kexgexs.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/kexgexs.c
|
||||||
|
+++ openssh-7.8p1/kexgexs.c
|
||||||
|
@@ -54,6 +54,9 @@
|
||||||
|
#include "sshbuf.h"
|
||||||
|
#include "misc.h"
|
||||||
|
|
||||||
|
+/* import from dh.c */
|
||||||
|
+extern int dh_grp_min;
|
||||||
|
+
|
||||||
|
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||||
|
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||||
|
|
||||||
|
@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int
|
||||||
|
kex->nbits = nbits;
|
||||||
|
kex->min = min;
|
||||||
|
kex->max = max;
|
||||||
|
- min = MAXIMUM(DH_GRP_MIN, min);
|
||||||
|
+ min = MAXIMUM(dh_grp_min, min);
|
||||||
|
max = MINIMUM(DH_GRP_MAX, max);
|
||||||
|
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
||||||
|
+ nbits = MAXIMUM(dh_grp_min, nbits);
|
||||||
|
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||||
|
|
||||||
|
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||||
|
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
|
||||||
|
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
||||||
|
+ logit("DH parameter requested by the client (%d bits) "
|
||||||
|
+ "is considered insecure. "
|
||||||
|
+ "You can lower the accepted minimum "
|
||||||
|
+ "via the KexDHMin option.",
|
||||||
|
+ kex->nbits);
|
||||||
|
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
Index: openssh-7.8p1/readconf.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/readconf.c
|
||||||
|
+++ openssh-7.8p1/readconf.c
|
||||||
|
@@ -67,6 +67,7 @@
|
||||||
|
#include "uidswap.h"
|
||||||
|
#include "myproposal.h"
|
||||||
|
#include "digest.h"
|
||||||
|
+#include "dh.h"
|
||||||
|
|
||||||
|
/* Format of the configuration file:
|
||||||
|
|
||||||
|
@@ -167,7 +168,7 @@ typedef enum {
|
||||||
|
oTunnel, oTunnelDevice,
|
||||||
|
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
||||||
|
oVisualHostKey,
|
||||||
|
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||||
|
+ oKexAlgorithms, oKexDHMin, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||||
|
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
||||||
|
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||||
|
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||||
|
@@ -291,6 +292,7 @@ static struct {
|
||||||
|
{ "remotecommand", oRemoteCommand },
|
||||||
|
{ "visualhostkey", oVisualHostKey },
|
||||||
|
{ "kexalgorithms", oKexAlgorithms },
|
||||||
|
+ { "kexdhmin", oKexDHMin },
|
||||||
|
{ "ipqos", oIPQoS },
|
||||||
|
{ "requesttty", oRequestTTY },
|
||||||
|
{ "proxyusefdpass", oProxyUseFdpass },
|
||||||
|
@@ -312,6 +314,9 @@ static struct {
|
||||||
|
{ NULL, oBadOption }
|
||||||
|
};
|
||||||
|
|
||||||
|
+/* import from dh.c */
|
||||||
|
+extern int dh_grp_min;
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
||||||
|
* error.
|
||||||
|
@@ -1206,6 +1211,10 @@ parse_int:
|
||||||
|
options->kex_algorithms = xstrdup(arg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case oKexDHMin:
|
||||||
|
+ intptr = &options->kex_dhmin;
|
||||||
|
+ goto parse_int;
|
||||||
|
+
|
||||||
|
case oHostKeyAlgorithms:
|
||||||
|
charptr = &options->hostkeyalgorithms;
|
||||||
|
parse_keytypes:
|
||||||
|
@@ -1835,6 +1844,7 @@ initialize_options(Options * options)
|
||||||
|
options->ciphers = NULL;
|
||||||
|
options->macs = NULL;
|
||||||
|
options->kex_algorithms = NULL;
|
||||||
|
+ options->kex_dhmin = -1;
|
||||||
|
options->hostkeyalgorithms = NULL;
|
||||||
|
options->num_identity_files = 0;
|
||||||
|
options->num_certificate_files = 0;
|
||||||
|
@@ -1988,6 +1998,13 @@ fill_default_options(Options * options)
|
||||||
|
options->connection_attempts = 1;
|
||||||
|
if (options->number_of_password_prompts == -1)
|
||||||
|
options->number_of_password_prompts = 3;
|
||||||
|
+ if (options->kex_dhmin == -1)
|
||||||
|
+ options->kex_dhmin = DH_GRP_MIN;
|
||||||
|
+ else {
|
||||||
|
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||||
|
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||||
|
+ }
|
||||||
|
+ dh_grp_min = options->kex_dhmin;
|
||||||
|
/* options->hostkeyalgorithms, default set in myproposals.h */
|
||||||
|
if (options->add_keys_to_agent == -1)
|
||||||
|
options->add_keys_to_agent = 0;
|
||||||
|
Index: openssh-7.8p1/readconf.h
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/readconf.h
|
||||||
|
+++ openssh-7.8p1/readconf.h
|
||||||
|
@@ -67,6 +67,7 @@ typedef struct {
|
||||||
|
char *macs; /* SSH2 macs in order of preference. */
|
||||||
|
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
||||||
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||||
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||||
|
char *hostname; /* Real host to connect. */
|
||||||
|
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
||||||
|
char *proxy_command; /* Proxy command for connecting the host. */
|
||||||
|
Index: openssh-7.8p1/servconf.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/servconf.c
|
||||||
|
+++ openssh-7.8p1/servconf.c
|
||||||
|
@@ -64,6 +64,10 @@
|
||||||
|
#include "auth.h"
|
||||||
|
#include "myproposal.h"
|
||||||
|
#include "digest.h"
|
||||||
|
+#include "dh.h"
|
||||||
|
+
|
||||||
|
+/* import from dh.c */
|
||||||
|
+extern int dh_grp_min;
|
||||||
|
|
||||||
|
static void add_listen_addr(ServerOptions *, const char *,
|
||||||
|
const char *, int);
|
||||||
|
@@ -146,6 +150,7 @@ initialize_server_options(ServerOptions
|
||||||
|
options->ciphers = NULL;
|
||||||
|
options->macs = NULL;
|
||||||
|
options->kex_algorithms = NULL;
|
||||||
|
+ options->kex_dhmin = -1;
|
||||||
|
options->fwd_opts.gateway_ports = -1;
|
||||||
|
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||||
|
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||||
|
@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption
|
||||||
|
if (options->use_pam_check_locks == -1)
|
||||||
|
options->use_pam_check_locks = 0;
|
||||||
|
|
||||||
|
+ if (options->kex_dhmin == -1)
|
||||||
|
+ options->kex_dhmin = DH_GRP_MIN;
|
||||||
|
+ else {
|
||||||
|
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||||
|
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||||
|
+ }
|
||||||
|
+ dh_grp_min = options->kex_dhmin;
|
||||||
|
+
|
||||||
|
/* Standard Options */
|
||||||
|
if (options->num_host_key_files == 0) {
|
||||||
|
/* fill default hostkeys for protocols */
|
||||||
|
@@ -490,7 +503,7 @@ typedef enum {
|
||||||
|
sHostCertificate,
|
||||||
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||||
|
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
||||||
|
- sKexAlgorithms, sIPQoS, sVersionAddendum,
|
||||||
|
+ sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum,
|
||||||
|
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||||
|
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||||
|
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||||
|
@@ -631,6 +644,7 @@ static struct {
|
||||||
|
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||||
|
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||||
|
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||||
|
+ { "kexdhmin", sKexDHMin },
|
||||||
|
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||||
|
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||||
|
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||||
|
@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions
|
||||||
|
options->kex_algorithms = xstrdup(arg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case sKexDHMin:
|
||||||
|
+ intptr = &options->kex_dhmin;
|
||||||
|
+ goto parse_int;
|
||||||
|
+
|
||||||
|
case sSubsystem:
|
||||||
|
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
||||||
|
fatal("%s line %d: too many subsystems defined.",
|
||||||
|
@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o)
|
||||||
|
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||||
|
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
||||||
|
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
||||||
|
+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
|
||||||
|
|
||||||
|
/* formatted integer arguments */
|
||||||
|
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
||||||
|
Index: openssh-7.8p1/servconf.h
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/servconf.h
|
||||||
|
+++ openssh-7.8p1/servconf.h
|
||||||
|
@@ -103,6 +103,7 @@ typedef struct {
|
||||||
|
char *ciphers; /* Supported SSH2 ciphers. */
|
||||||
|
char *macs; /* Supported SSH2 macs. */
|
||||||
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||||
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||||
|
struct ForwardOptions fwd_opts; /* forwarding options */
|
||||||
|
SyslogFacility log_facility; /* Facility for system logging. */
|
||||||
|
LogLevel log_level; /* Level for system logging. */
|
||||||
|
Index: openssh-7.8p1/ssh_config
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh_config
|
||||||
|
+++ openssh-7.8p1/ssh_config
|
||||||
|
@@ -17,6 +17,11 @@
|
||||||
|
# list of available options, their meanings and defaults, please see the
|
||||||
|
# ssh_config(5) man page.
|
||||||
|
|
||||||
|
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
||||||
|
+# to maintain compatibility with RFC4419, but should be set higher.
|
||||||
|
+# Upstream default is identical to setting this to 2048.
|
||||||
|
+#KexDHMin 1024
|
||||||
|
+
|
||||||
|
Host *
|
||||||
|
# ForwardAgent no
|
||||||
|
# ForwardX11 no
|
||||||
|
Index: openssh-7.8p1/ssh_config.0
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh_config.0
|
||||||
|
+++ openssh-7.8p1/ssh_config.0
|
||||||
|
@@ -595,6 +595,23 @@ DESCRIPTION
|
||||||
|
The list of available key exchange algorithms may also be
|
||||||
|
obtained using "ssh -Q kex".
|
||||||
|
|
||||||
|
+ KexDHMin
|
||||||
|
+ Specifies the minimum accepted bit length of the DH group
|
||||||
|
+ parameter p.
|
||||||
|
+
|
||||||
|
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
||||||
|
+ been seen as insecure, which prompted the change to 2048 bits.
|
||||||
|
+ Setting this option allows the client to accept parameters shorter
|
||||||
|
+ than the current minimum, down to the RFC specified 1024 bits.
|
||||||
|
+ Using this option may be needed when connecting to servers that
|
||||||
|
+ only know short DH group parameters.
|
||||||
|
+
|
||||||
|
+ Note, that while by default this option is set to 1024 to maintain
|
||||||
|
+ maximum backward compatibility, using it can severly impact
|
||||||
|
+ security and thus should be viewed as a temporary fix of last
|
||||||
|
+ resort and all efforts should be made to fix the (broken)
|
||||||
|
+ counterparty.
|
||||||
|
+
|
||||||
|
LocalCommand
|
||||||
|
Specifies a command to execute on the local machine after
|
||||||
|
successfully connecting to the server. The command string
|
||||||
|
Index: openssh-7.8p1/ssh_config.5
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh_config.5
|
||||||
|
+++ openssh-7.8p1/ssh_config.5
|
||||||
|
@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1
|
||||||
|
.Pp
|
||||||
|
The list of available key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q kex .
|
||||||
|
+.It Cm KexDHMin
|
||||||
|
+Specifies the minimum accepted bit length of the DH group
|
||||||
|
+parameter p.
|
||||||
|
+.Pp
|
||||||
|
+As per RFC4419, this is 1024 bits, however this has increasingly
|
||||||
|
+been seen as insecure, which prompted the change to 2048 bits.
|
||||||
|
+Setting this option allows the client to accept parameters shorter
|
||||||
|
+than the current minimum, down to the RFC specified 1024 bits.
|
||||||
|
+Using this option may be needed when connecting to servers that
|
||||||
|
+only know short DH group parameters.
|
||||||
|
+.Pp
|
||||||
|
+Note, that while by default this option is set to 1024 to maintain
|
||||||
|
+maximum backward compatibility, using it can severly impact
|
||||||
|
+security and thus should be viewed as a temporary fix of last
|
||||||
|
+resort and all efforts should be made to fix the (broken)
|
||||||
|
+counterparty.
|
||||||
|
.It Cm LocalCommand
|
||||||
|
Specifies a command to execute on the local machine after successfully
|
||||||
|
connecting to the server.
|
||||||
|
Index: openssh-7.8p1/sshd_config
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd_config
|
||||||
|
+++ openssh-7.8p1/sshd_config
|
||||||
|
@@ -19,6 +19,13 @@
|
||||||
|
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
+# Minimum accepted size of the DH parameter p. The default, which replicates
|
||||||
|
+# upstream behaviour, is 2048. To maintain compatibility with RFC4419 it should
|
||||||
|
+# be set to 1024.
|
||||||
|
+# You will also need to add a HostKey directive to load a DSA key (typically
|
||||||
|
+# located in /etc/ssh/ssh_host_dsa_key), which is not loaded by default.
|
||||||
|
+#KexDHMin 2048
|
||||||
|
+
|
||||||
|
# Ciphers and keying
|
||||||
|
#RekeyLimit default none
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/sshd_config.0
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd_config.0
|
||||||
|
+++ openssh-7.8p1/sshd_config.0
|
||||||
|
@@ -545,6 +545,23 @@ DESCRIPTION
|
||||||
|
The list of available key exchange algorithms may also be
|
||||||
|
obtained using "ssh -Q kex".
|
||||||
|
|
||||||
|
+ KexDHMin
|
||||||
|
+ Specifies the minimum accepted bit length of the DH group
|
||||||
|
+ parameter p.
|
||||||
|
+
|
||||||
|
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
||||||
|
+ been seen as insecure, which prompted the change to 2048 bits.
|
||||||
|
+ Setting this option allows the server to accept parameters shorter
|
||||||
|
+ than the current minimum, down to the RFC specified 1024 bits.
|
||||||
|
+ Using this option may be needed when some of the connectiong
|
||||||
|
+ clients only know short DH group parameters.
|
||||||
|
+
|
||||||
|
+ Note, that while by default this option is set to 1024 to maintain
|
||||||
|
+ maximum backward compatibility, using it can severly impact
|
||||||
|
+ security and thus should be viewed as a temporary fix of last
|
||||||
|
+ resort and all efforts should be made to fix the (broken)
|
||||||
|
+ counterparty.
|
||||||
|
+
|
||||||
|
ListenAddress
|
||||||
|
Specifies the local addresses sshd(8) should listen on. The
|
||||||
|
following forms may be used:
|
||||||
|
Index: openssh-7.8p1/sshd_config.5
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd_config.5
|
||||||
|
+++ openssh-7.8p1/sshd_config.5
|
||||||
|
@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel
|
||||||
|
.Pp
|
||||||
|
The list of available key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q kex .
|
||||||
|
+.It Cm KexDHMin
|
||||||
|
+Specifies the minimum accepted bit length of the DH group
|
||||||
|
+parameter p.
|
||||||
|
+.Pp
|
||||||
|
+As per RFC4419, this is 1024 bits, however this has increasingly
|
||||||
|
+been seen as insecure, which prompted the change to 2048 bits.
|
||||||
|
+Setting this option allows the server to accept parameters shorter
|
||||||
|
+than the current minimum, down to the RFC specified 1024 bits.
|
||||||
|
+Using this option may be needed when some of the connectiong
|
||||||
|
+clients only know short DH group parameters.
|
||||||
|
+.Pp
|
||||||
|
+Note, that while by default this option is set to 1024 to maintain
|
||||||
|
+maximum backward compatibility, using it can severly impact
|
||||||
|
+security and thus should be viewed as a temporary fix of last
|
||||||
|
+resort and all efforts should be made to fix the (broken)
|
||||||
|
+counterparty.
|
||||||
|
.It Cm ListenAddress
|
||||||
|
Specifies the local addresses
|
||||||
|
.Xr sshd 8
|
27
openssh-7.7p1-eal3.patch
Normal file
27
openssh-7.7p1-eal3.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 8fd4e445c3a5c823568661a4f71b064cbcb217a9
|
||||||
|
fix paths and references in sshd man pages
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
|
||||||
|
--- openssh-7.7p1/Makefile.in
|
||||||
|
+++ openssh-7.7p1/Makefile.in
|
||||||
|
@@ -127,17 +127,18 @@ MANTYPE = @MANTYPE@
|
||||||
|
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||||
|
CONFIGFILES_IN=sshd_config ssh_config moduli
|
||||||
|
|
||||||
|
PATHSUBS = \
|
||||||
|
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
|
||||||
|
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
||||||
|
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
|
||||||
|
-e 's|/usr/libexec|$(libexecdir)|g' \
|
||||||
|
- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
|
||||||
|
+ -e 's|login\.conf|login.defs|g' \
|
||||||
|
+ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
|
||||||
|
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
|
||||||
|
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
|
||||||
|
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
|
||||||
|
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
|
||||||
|
-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
|
||||||
|
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
|
||||||
|
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
|
||||||
|
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
|
28
openssh-7.7p1-enable_PAM_by_default.patch
Normal file
28
openssh-7.7p1-enable_PAM_by_default.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 5c1e122e31b601de64d81085294216af33f31aed
|
||||||
|
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||||
|
# bnc#46749
|
||||||
|
# --used to be called '-pam-fix2'
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
|
||||||
|
--- openssh-7.7p1/sshd_config
|
||||||
|
+++ openssh-7.7p1/sshd_config
|
||||||
|
@@ -74,17 +74,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
|
# be allowed through the ChallengeResponseAuthentication and
|
||||||
|
# PasswordAuthentication. Depending on your PAM configuration,
|
||||||
|
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||||
|
# the setting of "PermitRootLogin without-password".
|
||||||
|
# If you just want the PAM account and session checks to run without
|
||||||
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
|
-#UsePAM no
|
||||||
|
+UsePAM yes
|
||||||
|
|
||||||
|
#AllowAgentForwarding yes
|
||||||
|
#AllowTcpForwarding yes
|
||||||
|
#GatewayPorts no
|
||||||
|
X11Forwarding yes
|
||||||
|
#X11DisplayOffset 10
|
||||||
|
#X11UseLocalhost yes
|
||||||
|
#PermitTTY yes
|
1010
openssh-7.7p1-fips.patch
Normal file
1010
openssh-7.7p1-fips.patch
Normal file
File diff suppressed because it is too large
Load Diff
479
openssh-7.7p1-fips_checks.patch
Normal file
479
openssh-7.7p1-fips_checks.patch
Normal file
@ -0,0 +1,479 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent e9b69da9a0f8dca923f8fc2836b38fe6590c791a
|
||||||
|
#
|
||||||
|
# Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and
|
||||||
|
# verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would
|
||||||
|
# obviously be a poor choice, since OpenSSL would barf and abort immediately in
|
||||||
|
# FIPS mode). SHA-2 seems to be a reasonable choice.
|
||||||
|
#
|
||||||
|
# The logic of the checks is as follows: decide whether FIPS mode is mandated
|
||||||
|
# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable
|
||||||
|
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
|
||||||
|
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
|
||||||
|
# still must be performed, unless the hashes are not installed. Thus if the hash
|
||||||
|
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
|
||||||
|
# otherwise.
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/fips-check.c
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null
|
||||||
|
+++ openssh-7.8p1/fips-check.c
|
||||||
|
@@ -0,0 +1,34 @@
|
||||||
|
+#include "includes.h"
|
||||||
|
+#include <fcntl.h>
|
||||||
|
+#include <limits.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <sys/stat.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+
|
||||||
|
+#include "digest.h"
|
||||||
|
+#include "fips.h"
|
||||||
|
+
|
||||||
|
+#include <openssl/err.h>
|
||||||
|
+
|
||||||
|
+#define PROC_NAME_LEN 64
|
||||||
|
+
|
||||||
|
+static const char *argv0;
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+print_help_exit(int ev)
|
||||||
|
+{
|
||||||
|
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
|
||||||
|
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
|
||||||
|
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
|
||||||
|
+ exit(ev);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+main(int argc, char **argv)
|
||||||
|
+{
|
||||||
|
+ fips_ssh_init();
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
Index: openssh-7.8p1/fips.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/fips.c
|
||||||
|
+++ openssh-7.8p1/fips.c
|
||||||
|
@@ -35,33 +35,296 @@
|
||||||
|
#include "log.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
|
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <fcntl.h>
|
||||||
|
#include <string.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <sys/stat.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
+#include <openssl/err.h>
|
||||||
|
+#include <openssl/hmac.h>
|
||||||
|
|
||||||
|
/* import from dh.c */
|
||||||
|
extern int dh_grp_min;
|
||||||
|
|
||||||
|
static int fips_state = -1;
|
||||||
|
|
||||||
|
+/* calculates HMAC of contents of a file given by filename using the hash
|
||||||
|
+ * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
|
||||||
|
+ * newly allacated memory - remember to free it when not needed anymore */
|
||||||
|
static int
|
||||||
|
-fips_check_required_env(void)
|
||||||
|
+hmac_file(const char *filename, u_char **hmac_out)
|
||||||
|
+{
|
||||||
|
+ int check = -1;
|
||||||
|
+ int fd;
|
||||||
|
+ struct stat fs;
|
||||||
|
+ void *hmap;
|
||||||
|
+ unsigned char *hmac;
|
||||||
|
+ unsigned char *hmac_rv = NULL;
|
||||||
|
+
|
||||||
|
+ hmac = xmalloc(FIPS_HMAC_LEN);
|
||||||
|
+
|
||||||
|
+ fd = open(filename, O_RDONLY);
|
||||||
|
+ if (-1 == fd)
|
||||||
|
+ goto bail_out;
|
||||||
|
+
|
||||||
|
+ if (-1 == fstat(fd, &fs))
|
||||||
|
+ goto bail_out;
|
||||||
|
+
|
||||||
|
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
|
||||||
|
+
|
||||||
|
+ if ((void *)(-1) != hmap) {
|
||||||
|
+ hmac_rv = HMAC(FIPS_HMAC_EVP(), FIPS_HMAC_KEY
|
||||||
|
+ , strlen(FIPS_HMAC_KEY), hmap, fs.st_size, hmac, NULL);
|
||||||
|
+ check = CHECK_OK;
|
||||||
|
+ munmap(hmap, fs.st_size);
|
||||||
|
+ }
|
||||||
|
+ close(fd);
|
||||||
|
+
|
||||||
|
+bail_out:
|
||||||
|
+ if (hmac_rv) {
|
||||||
|
+ check = CHECK_OK;
|
||||||
|
+ *hmac_out = hmac;
|
||||||
|
+ } else {
|
||||||
|
+ check = CHECK_FAIL;
|
||||||
|
+ *hmac_out = NULL;
|
||||||
|
+ free(hmac);
|
||||||
|
+ }
|
||||||
|
+ return check;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* find pathname of binary of process with PID pid. exe is buffer expected to
|
||||||
|
+ * be capable of holding at least max_pathlen characters
|
||||||
|
+ */
|
||||||
|
+static int
|
||||||
|
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
|
||||||
|
+{
|
||||||
|
+ char exe_sl[PROC_EXE_PATH_LEN];
|
||||||
|
+ int n;
|
||||||
|
+ int rv = -1;
|
||||||
|
+
|
||||||
|
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
|
||||||
|
+ if ((n <= 10) || (n >= max_pathlen)) {
|
||||||
|
+ fatal("error compiling filename of link to executable");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ exe[0] = 0;
|
||||||
|
+ n = readlink(exe_sl, exe, max_pathlen);
|
||||||
|
+ /* the file doesn't need to exist - procfs might not be mounted in
|
||||||
|
+ * chroot */
|
||||||
|
+ if (n == -1) {
|
||||||
|
+ rv = CHECK_MISSING;
|
||||||
|
+ } else {
|
||||||
|
+ if (n < max_pathlen) {
|
||||||
|
+ exe[n] = 0;
|
||||||
|
+ rv = CHECK_OK;
|
||||||
|
+ } else {
|
||||||
|
+ rv = CHECK_FAIL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Read HMAC from file chk, allocating enough memory to hold the HMAC and
|
||||||
|
+ * return it in *hmac.
|
||||||
|
+ * Remember to free() it when it's not needed anymore.
|
||||||
|
+ */
|
||||||
|
+static int
|
||||||
|
+read_hmac(const char *chk, u_char **hmac)
|
||||||
|
+{
|
||||||
|
+ int check = -1;
|
||||||
|
+ int fdh, n;
|
||||||
|
+ u_char *hmac_in;
|
||||||
|
+
|
||||||
|
+ *hmac = NULL;
|
||||||
|
+
|
||||||
|
+ fdh = open(chk, O_RDONLY);
|
||||||
|
+ if (-1 == fdh) {
|
||||||
|
+ switch (errno) {
|
||||||
|
+ case ENOENT:
|
||||||
|
+ check = CHECK_MISSING;
|
||||||
|
+ debug("fips: checksum file %s is missing\n", chk);
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ check = CHECK_FAIL;
|
||||||
|
+ debug("fips: ckecksum file %s not accessible\n", chk);
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+ goto bail_out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ hmac_in = xmalloc(FIPS_HMAC_LEN);
|
||||||
|
+
|
||||||
|
+ n = read(fdh, (void *)hmac_in, FIPS_HMAC_LEN);
|
||||||
|
+ if (FIPS_HMAC_LEN != n) {
|
||||||
|
+ debug("fips: unable to read whole checksum from checksum file\n");
|
||||||
|
+ free (hmac_in);
|
||||||
|
+ check = CHECK_FAIL;
|
||||||
|
+ } else {
|
||||||
|
+ check = CHECK_OK;
|
||||||
|
+ *hmac = hmac_in;
|
||||||
|
+ }
|
||||||
|
+bail_out:
|
||||||
|
+ return check;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+fips_hmac_self(void)
|
||||||
|
+{
|
||||||
|
+ int check = -1;
|
||||||
|
+ u_char *hmac = NULL, *hmac_chk = NULL;
|
||||||
|
+ char *exe, *chk;
|
||||||
|
+
|
||||||
|
+ exe = xmalloc(PATH_MAX);
|
||||||
|
+ chk = xmalloc(PATH_MAX);
|
||||||
|
+
|
||||||
|
+ /* we will need to add the suffix and the null terminator */
|
||||||
|
+ check = get_executable_path(getpid(), exe
|
||||||
|
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
|
||||||
|
+ if (CHECK_OK != check)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ strncpy(chk, exe, PATH_MAX);
|
||||||
|
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
|
||||||
|
+
|
||||||
|
+ check = read_hmac(chk, &hmac_chk);
|
||||||
|
+ if (CHECK_OK != check)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ check = hmac_file(exe, &hmac);
|
||||||
|
+ if (CHECK_OK != check)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ check = memcmp(hmac, hmac_chk, FIPS_HMAC_LEN);
|
||||||
|
+ if (0 == check) {
|
||||||
|
+ check = CHECK_OK;
|
||||||
|
+ debug("fips: checksum matches\n");
|
||||||
|
+ } else {
|
||||||
|
+ check = CHECK_FAIL;
|
||||||
|
+ debug("fips: checksum mismatch!\n");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+cleanup:
|
||||||
|
+ free(hmac);
|
||||||
|
+ free(hmac_chk);
|
||||||
|
+ free(chk);
|
||||||
|
+ free(exe);
|
||||||
|
+
|
||||||
|
+ return check;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+fips_check_required_proc(void)
|
||||||
|
{
|
||||||
|
int fips_required = 0;
|
||||||
|
- char *env = getenv(SSH_FORCE_FIPS_ENV);
|
||||||
|
+ int fips_fd;
|
||||||
|
+ char fips_sys = 0;
|
||||||
|
|
||||||
|
- if (env) {
|
||||||
|
- errno = 0;
|
||||||
|
- fips_required = strtol(env, NULL, 10);
|
||||||
|
- if (errno) {
|
||||||
|
- debug("bogus value in the %s environment variable, ignoring\n"
|
||||||
|
- , SSH_FORCE_FIPS_ENV);
|
||||||
|
- fips_required = 0;
|
||||||
|
- } else
|
||||||
|
- fips_required = 1;
|
||||||
|
+ struct stat dummy;
|
||||||
|
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
|
||||||
|
+ switch (errno) {
|
||||||
|
+ case ENOENT:
|
||||||
|
+ case ENOTDIR:
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
||||||
|
+ " be accessed for reason other than non-existence - aborting"
|
||||||
|
+ , FIPS_PROC_PATH);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
|
||||||
|
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
||||||
|
+ " be opened for reading - aborting"
|
||||||
|
+ , FIPS_PROC_PATH);
|
||||||
|
+ if (1 > read(fips_fd, &fips_sys, 1))
|
||||||
|
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
|
||||||
|
+ " return at least one character - aborting"
|
||||||
|
+ , FIPS_PROC_PATH);
|
||||||
|
+ close(fips_sys);
|
||||||
|
+ switch (fips_sys) {
|
||||||
|
+ case '0':
|
||||||
|
+ case '1':
|
||||||
|
+ fips_required = fips_sys - '0';
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ fatal("Bogus character %c found in %s - aborting"
|
||||||
|
+ , fips_sys, FIPS_PROC_PATH);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
return fips_required;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+fips_check_required_env(void)
|
||||||
|
+{
|
||||||
|
+ return (NULL != getenv(SSH_FORCE_FIPS_ENV));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+fips_required(void)
|
||||||
|
+{
|
||||||
|
+ int fips_requests = 0;
|
||||||
|
+ fips_requests += fips_check_required_proc();
|
||||||
|
+ fips_requests += fips_check_required_env();
|
||||||
|
+ return fips_requests;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
|
||||||
|
+void
|
||||||
|
+fips_ssh_init(void)
|
||||||
|
+{
|
||||||
|
+ int checksum;
|
||||||
|
+
|
||||||
|
+ checksum = fips_hmac_self();
|
||||||
|
+
|
||||||
|
+ if (fips_required()) {
|
||||||
|
+ switch (checksum) {
|
||||||
|
+ case CHECK_OK:
|
||||||
|
+ debug("fips: mandatory checksum ok");
|
||||||
|
+ break;
|
||||||
|
+ case CHECK_FAIL:
|
||||||
|
+ fatal("fips: mandatory checksum failed - aborting");
|
||||||
|
+ break;
|
||||||
|
+ case CHECK_MISSING:
|
||||||
|
+ fatal("fips: mandatory checksum data missing - aborting");
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ fatal("Fatal error: internal error at %s:%u"
|
||||||
|
+ , __FILE__, __LINE__);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ fips_state = FIPS_mode_set(1);
|
||||||
|
+ if (1 != fips_state) {
|
||||||
|
+ ERR_load_crypto_strings();
|
||||||
|
+ u_long err = ERR_get_error();
|
||||||
|
+ error("fips: OpenSSL error %lx: %s"
|
||||||
|
+ , err, ERR_error_string(err, NULL));
|
||||||
|
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ switch (checksum) {
|
||||||
|
+ case CHECK_OK:
|
||||||
|
+ debug("fips: checksum ok");
|
||||||
|
+ break;
|
||||||
|
+ case CHECK_FAIL:
|
||||||
|
+ fatal("fips: checksum failed - aborting");
|
||||||
|
+ break;
|
||||||
|
+ case CHECK_MISSING:
|
||||||
|
+ debug("fips: checksum data missing, but not required - continuing non-FIPS");
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ fatal("Fatal error: internal error at %s:%u",
|
||||||
|
+ __FILE__, __LINE__);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int
|
||||||
|
fips_mode(void)
|
||||||
|
{
|
||||||
|
@@ -234,4 +497,3 @@ fips_dh_grp_min(void)
|
||||||
|
}
|
||||||
|
return dh;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
Index: openssh-7.8p1/fips.h
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/fips.h
|
||||||
|
+++ openssh-7.8p1/fips.h
|
||||||
|
@@ -1,5 +1,5 @@
|
||||||
|
/*
|
||||||
|
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||||
|
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
@@ -27,6 +27,15 @@
|
||||||
|
#include "sshkey.h"
|
||||||
|
|
||||||
|
#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
|
||||||
|
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
|
||||||
|
+
|
||||||
|
+#define PROC_EXE_PATH_LEN 64
|
||||||
|
+#define CHECKSUM_SUFFIX ".hmac"
|
||||||
|
+#define FIPS_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||||
|
+#define FIPS_HMAC_EVP EVP_sha256
|
||||||
|
+#define FIPS_HMAC_LEN 32
|
||||||
|
+
|
||||||
|
+void fips_ssh_init(void);
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
FIPS_FILTER_CIPHERS,
|
||||||
|
@@ -34,6 +43,12 @@ typedef enum {
|
||||||
|
FIPS_FILTER_KEX_ALGS
|
||||||
|
} fips_filters;
|
||||||
|
|
||||||
|
+typedef enum {
|
||||||
|
+ CHECK_OK = 0,
|
||||||
|
+ CHECK_FAIL,
|
||||||
|
+ CHECK_MISSING
|
||||||
|
+} fips_checksum_status;
|
||||||
|
+
|
||||||
|
int fips_mode(void);
|
||||||
|
int fips_correct_dgst(int);
|
||||||
|
int fips_dgst_min(void);
|
||||||
|
@@ -42,4 +57,3 @@ enum fp_type fips_correct_fp_type(enum
|
||||||
|
int fips_filter_crypto(char **, fips_filters);
|
||||||
|
|
||||||
|
#endif
|
||||||
|
-
|
||||||
|
Index: openssh-7.8p1/sftp-server.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sftp-server.c
|
||||||
|
+++ openssh-7.8p1/sftp-server.c
|
||||||
|
@@ -51,6 +51,8 @@
|
||||||
|
#include "sftp.h"
|
||||||
|
#include "sftp-common.h"
|
||||||
|
|
||||||
|
+#include "fips.h"
|
||||||
|
+
|
||||||
|
/* Our verbosity */
|
||||||
|
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
||||||
|
|
||||||
|
@@ -1509,6 +1511,9 @@ sftp_server_main(int argc, char **argv,
|
||||||
|
extern char *optarg;
|
||||||
|
extern char *__progname;
|
||||||
|
|
||||||
|
+ /* initialize fips */
|
||||||
|
+ fips_ssh_init();
|
||||||
|
+
|
||||||
|
ssh_malloc_init(); /* must be called before any mallocs */
|
||||||
|
__progname = ssh_get_progname(argv[0]);
|
||||||
|
log_init(__progname, log_level, log_facility, log_stderr);
|
||||||
|
Index: openssh-7.8p1/ssh.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh.c
|
||||||
|
+++ openssh-7.8p1/ssh.c
|
||||||
|
@@ -113,6 +113,8 @@
|
||||||
|
#include "ssh-pkcs11.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#include "fips.h"
|
||||||
|
+
|
||||||
|
extern char *__progname;
|
||||||
|
|
||||||
|
/* Saves a copy of argv for setproctitle emulation */
|
||||||
|
@@ -593,6 +595,10 @@ main(int ac, char **av)
|
||||||
|
struct ssh_digest_ctx *md;
|
||||||
|
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
|
||||||
|
|
||||||
|
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||||
|
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||||
|
+ fips_ssh_init();
|
||||||
|
+
|
||||||
|
ssh_malloc_init(); /* must be called before any mallocs */
|
||||||
|
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||||
|
sanitise_stdfd();
|
||||||
|
Index: openssh-7.8p1/sshd.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd.c
|
||||||
|
+++ openssh-7.8p1/sshd.c
|
||||||
|
@@ -1486,6 +1486,10 @@ main(int ac, char **av)
|
||||||
|
Authctxt *authctxt;
|
||||||
|
struct connection_info *connection_info = NULL;
|
||||||
|
|
||||||
|
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||||
|
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||||
|
+ fips_ssh_init();
|
||||||
|
+
|
||||||
|
ssh_malloc_init(); /* must be called before any mallocs */
|
||||||
|
|
||||||
|
#ifdef HAVE_SECUREWARE
|
3319
openssh-7.7p1-gssapi_key_exchange.patch
Normal file
3319
openssh-7.7p1-gssapi_key_exchange.patch
Normal file
File diff suppressed because it is too large
Load Diff
29
openssh-7.7p1-host_ident.patch
Normal file
29
openssh-7.7p1-host_ident.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 0f731d0b541b8a919d24ac91098f560a49712822
|
||||||
|
Suggest command line for removal of offending keys from known_hosts file
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/sshconnect.c b/openssh-7.7p1/sshconnect.c
|
||||||
|
--- openssh-7.7p1/sshconnect.c
|
||||||
|
+++ openssh-7.7p1/sshconnect.c
|
||||||
|
@@ -1147,16 +1147,21 @@ check_host_key(char *hostname, struct so
|
||||||
|
}
|
||||||
|
/* The host key has changed. */
|
||||||
|
warn_changed_key(host_key);
|
||||||
|
error("Add correct host key in %.100s to get rid of this message.",
|
||||||
|
user_hostfiles[0]);
|
||||||
|
error("Offending %s key in %s:%lu",
|
||||||
|
sshkey_type(host_found->key),
|
||||||
|
host_found->file, host_found->line);
|
||||||
|
+ error("You can use following command to remove the offending key:");
|
||||||
|
+ if (host_found->file)
|
||||||
|
+ error("ssh-keygen -R %s -f %s", host, host_found->file);
|
||||||
|
+ else
|
||||||
|
+ error("ssh-keygen -R %s", host);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If strict host key checking is in use, the user will have
|
||||||
|
* to edit the key manually and we can only abort.
|
||||||
|
*/
|
||||||
|
if (options.strict_host_key_checking !=
|
||||||
|
SSH_STRICT_HOSTKEY_OFF) {
|
||||||
|
error("%s host key for %.200s has changed and you have "
|
85
openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Normal file
85
openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Normal file
@ -0,0 +1,85 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 5e19a205fa03584bb0d829ecbba7495ce1899b65
|
||||||
|
# -- uset do be called '-xauthlocalhostname'
|
||||||
|
handle hostname changes when forwarding X
|
||||||
|
|
||||||
|
bnc#98627
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/session.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/session.c
|
||||||
|
+++ openssh-7.8p1/session.c
|
||||||
|
@@ -1009,7 +1009,7 @@ copy_environment(char **source, char ***
|
||||||
|
}
|
||||||
|
|
||||||
|
static char **
|
||||||
|
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||||
|
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
|
||||||
|
{
|
||||||
|
char buf[256];
|
||||||
|
size_t n;
|
||||||
|
@@ -1213,6 +1213,8 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||||
|
for (i = 0; env[i]; i++)
|
||||||
|
fprintf(stderr, " %.200s\n", env[i]);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ *env_size = envsize;
|
||||||
|
return env;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1221,7 +1223,7 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||||
|
* first in this order).
|
||||||
|
*/
|
||||||
|
static void
|
||||||
|
-do_rc_files(struct ssh *ssh, Session *s, const char *shell)
|
||||||
|
+do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size)
|
||||||
|
{
|
||||||
|
FILE *f = NULL;
|
||||||
|
char cmd[1024];
|
||||||
|
@@ -1276,12 +1278,20 @@ do_rc_files(struct ssh *ssh, Session *s,
|
||||||
|
options.xauth_location);
|
||||||
|
f = popen(cmd, "w");
|
||||||
|
if (f) {
|
||||||
|
+ char hostname[MAXHOSTNAMELEN];
|
||||||
|
+
|
||||||
|
fprintf(f, "remove %s\n",
|
||||||
|
s->auth_display);
|
||||||
|
fprintf(f, "add %s %s %s\n",
|
||||||
|
s->auth_display, s->auth_proto,
|
||||||
|
s->auth_data);
|
||||||
|
pclose(f);
|
||||||
|
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
|
||||||
|
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
|
||||||
|
+ hostname);
|
||||||
|
+ else
|
||||||
|
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
|
||||||
|
+ strerror(errno));
|
||||||
|
} else {
|
||||||
|
fprintf(stderr, "Could not run %s\n",
|
||||||
|
cmd);
|
||||||
|
@@ -1534,6 +1544,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
|
{
|
||||||
|
extern char **environ;
|
||||||
|
char **env;
|
||||||
|
+ int env_size;
|
||||||
|
char *argv[ARGV_MAX];
|
||||||
|
const char *shell, *shell0;
|
||||||
|
struct passwd *pw = s->pw;
|
||||||
|
@@ -1591,7 +1602,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
|
* Make sure $SHELL points to the shell from the password file,
|
||||||
|
* even if shell is overridden from login.conf
|
||||||
|
*/
|
||||||
|
- env = do_setup_env(ssh, s, shell);
|
||||||
|
+ env = do_setup_env(ssh, s, shell, &env_size);
|
||||||
|
|
||||||
|
#ifdef HAVE_LOGIN_CAP
|
||||||
|
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||||
|
@@ -1655,7 +1666,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
|
|
||||||
|
closefrom(STDERR_FILENO + 1);
|
||||||
|
|
||||||
|
- do_rc_files(ssh, s, shell);
|
||||||
|
+ do_rc_files(ssh, s, shell, env, &env_size);
|
||||||
|
|
||||||
|
/* restore SIGPIPE for child */
|
||||||
|
signal(SIGPIPE, SIG_DFL);
|
2710
openssh-7.7p1-ldap.patch
Normal file
2710
openssh-7.7p1-ldap.patch
Normal file
File diff suppressed because it is too large
Load Diff
26
openssh-7.7p1-no_fork-no_pid_file.patch
Normal file
26
openssh-7.7p1-no_fork-no_pid_file.patch
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent bad0c8b3b8d72abb6960ed85b57ee42352371738
|
||||||
|
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/sshd.c b/openssh-7.7p1/sshd.c
|
||||||
|
--- openssh-7.7p1/sshd.c
|
||||||
|
+++ openssh-7.7p1/sshd.c
|
||||||
|
@@ -1996,17 +1996,17 @@ main(int ac, char **av)
|
||||||
|
signal(SIGCHLD, main_sigchld_handler);
|
||||||
|
signal(SIGTERM, sigterm_handler);
|
||||||
|
signal(SIGQUIT, sigterm_handler);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Write out the pid file after the sigterm handler
|
||||||
|
* is setup and the listen sockets are bound
|
||||||
|
*/
|
||||||
|
- if (options.pid_file != NULL && !debug_flag) {
|
||||||
|
+ if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
|
||||||
|
FILE *f = fopen(options.pid_file, "w");
|
||||||
|
|
||||||
|
if (f == NULL) {
|
||||||
|
error("Couldn't create pid file \"%s\": %s",
|
||||||
|
options.pid_file, strerror(errno));
|
||||||
|
} else {
|
||||||
|
fprintf(f, "%ld\n", (long) getpid());
|
||||||
|
fclose(f);
|
3102
openssh-7.7p1-openssl_1.1.0.patch
Normal file
3102
openssh-7.7p1-openssl_1.1.0.patch
Normal file
File diff suppressed because it is too large
Load Diff
134
openssh-7.7p1-pam_check_locks.patch
Normal file
134
openssh-7.7p1-pam_check_locks.patch
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 089f4fba0112d410a1bfa74398941f076681d446
|
||||||
|
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
||||||
|
UsePAM is used
|
||||||
|
|
||||||
|
bnc#708678, FATE#312033
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/auth.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/auth.c
|
||||||
|
+++ openssh-7.8p1/auth.c
|
||||||
|
@@ -112,7 +112,7 @@ allowed_user(struct passwd * pw)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
#ifdef USE_SHADOW
|
||||||
|
- if (!options.use_pam)
|
||||||
|
+ if (!options.use_pam || options.use_pam_check_locks)
|
||||||
|
spw = getspnam(pw->pw_name);
|
||||||
|
#ifdef HAS_SHADOW_EXPIRE
|
||||||
|
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
||||||
|
@@ -132,7 +132,7 @@ allowed_user(struct passwd * pw)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* check for locked account */
|
||||||
|
- if (!options.use_pam && passwd && *passwd) {
|
||||||
|
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
||||||
|
int locked = 0;
|
||||||
|
|
||||||
|
#ifdef LOCKED_PASSWD_STRING
|
||||||
|
Index: openssh-7.8p1/servconf.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/servconf.c
|
||||||
|
+++ openssh-7.8p1/servconf.c
|
||||||
|
@@ -83,6 +83,7 @@ initialize_server_options(ServerOptions
|
||||||
|
|
||||||
|
/* Portable-specific options */
|
||||||
|
options->use_pam = -1;
|
||||||
|
+ options->use_pam_check_locks = -1;
|
||||||
|
|
||||||
|
/* Standard Options */
|
||||||
|
options->num_ports = 0;
|
||||||
|
@@ -259,6 +260,8 @@ fill_default_server_options(ServerOption
|
||||||
|
/* Portable-specific options */
|
||||||
|
if (options->use_pam == -1)
|
||||||
|
options->use_pam = 0;
|
||||||
|
+ if (options->use_pam_check_locks == -1)
|
||||||
|
+ options->use_pam_check_locks = 0;
|
||||||
|
|
||||||
|
/* Standard Options */
|
||||||
|
if (options->num_host_key_files == 0) {
|
||||||
|
@@ -459,7 +462,7 @@ fill_default_server_options(ServerOption
|
||||||
|
typedef enum {
|
||||||
|
sBadOption, /* == unknown option */
|
||||||
|
/* Portable-specific options */
|
||||||
|
- sUsePAM,
|
||||||
|
+ sUsePAM, sUsePAMChecklocks,
|
||||||
|
/* Standard Options */
|
||||||
|
sPort, sHostKeyFile, sLoginGraceTime,
|
||||||
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||||
|
@@ -509,8 +512,10 @@ static struct {
|
||||||
|
/* Portable-specific options */
|
||||||
|
#ifdef USE_PAM
|
||||||
|
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||||
|
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
||||||
|
#else
|
||||||
|
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
#endif
|
||||||
|
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||||
|
/* Standard Options */
|
||||||
|
@@ -1250,6 +1255,9 @@ process_server_config_line(ServerOptions
|
||||||
|
case sUsePAM:
|
||||||
|
intptr = &options->use_pam;
|
||||||
|
goto parse_flag;
|
||||||
|
+ case sUsePAMChecklocks:
|
||||||
|
+ intptr = &options->use_pam_check_locks;
|
||||||
|
+ goto parse_flag;
|
||||||
|
|
||||||
|
/* Standard Options */
|
||||||
|
case sBadOption:
|
||||||
|
Index: openssh-7.8p1/servconf.h
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/servconf.h
|
||||||
|
+++ openssh-7.8p1/servconf.h
|
||||||
|
@@ -181,6 +181,7 @@ typedef struct {
|
||||||
|
char *adm_forced_command;
|
||||||
|
|
||||||
|
int use_pam; /* Enable auth via PAM */
|
||||||
|
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
||||||
|
|
||||||
|
int permit_tun;
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/sshd_config.0
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd_config.0
|
||||||
|
+++ openssh-7.8p1/sshd_config.0
|
||||||
|
@@ -961,6 +961,14 @@ DESCRIPTION
|
||||||
|
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
||||||
|
non-root user. The default is no.
|
||||||
|
|
||||||
|
+ UsePAMCheckLocks
|
||||||
|
+ When set to ``yes'', the checks whether the account has been
|
||||||
|
+ locked with `passwd -l' are performed even when PAM authentication
|
||||||
|
+ is enabled via UsePAM. This is to ensure that it is not possible
|
||||||
|
+ to log in with e.g. a public key (in such a case PAM is used only
|
||||||
|
+ to set up the session and some PAM modules will not check whether
|
||||||
|
+ the account is locked in this scenario). The default is ``no''.
|
||||||
|
+
|
||||||
|
VersionAddendum
|
||||||
|
Optionally specifies additional text to append to the SSH
|
||||||
|
protocol banner sent by the server upon connection. The default
|
||||||
|
Index: openssh-7.8p1/sshd_config.5
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd_config.5
|
||||||
|
+++ openssh-7.8p1/sshd_config.5
|
||||||
|
@@ -1613,6 +1613,18 @@ is enabled, you will not be able to run
|
||||||
|
as a non-root user.
|
||||||
|
The default is
|
||||||
|
.Cm no .
|
||||||
|
+.It Cm UsePAMCheckLocks
|
||||||
|
+When set to
|
||||||
|
+.Dq yes
|
||||||
|
+, the checks whether the account has been locked with
|
||||||
|
+.Pa passwd -l
|
||||||
|
+are performed even when PAM authentication is enabled via
|
||||||
|
+.Cm UsePAM .
|
||||||
|
+This is to ensure that it is not possible to log in with e.g. a
|
||||||
|
+public key (in such a case PAM is used only to set up the session and some PAM
|
||||||
|
+modules will not check whether the account is locked in this scenario). The
|
||||||
|
+default is
|
||||||
|
+.Dq no .
|
||||||
|
.It Cm VersionAddendum
|
||||||
|
Optionally specifies additional text to append to the SSH protocol banner
|
||||||
|
sent by the server upon connection.
|
49
openssh-7.7p1-pts_names_formatting.patch
Normal file
49
openssh-7.7p1-pts_names_formatting.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 7cd948c83939479d1ba88a3161991cb561306f3f
|
||||||
|
# use same lines naming as utempter (prevents problems with using different
|
||||||
|
# formats in ?tmp? files)
|
||||||
|
# --used to be called '-pts'
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/loginrec.c b/openssh-7.7p1/loginrec.c
|
||||||
|
--- openssh-7.7p1/loginrec.c
|
||||||
|
+++ openssh-7.7p1/loginrec.c
|
||||||
|
@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li)
|
||||||
|
/*
|
||||||
|
* 'line' string utility functions
|
||||||
|
*
|
||||||
|
* These functions process the 'line' string into one of three forms:
|
||||||
|
*
|
||||||
|
* 1. The full filename (including '/dev')
|
||||||
|
* 2. The stripped name (excluding '/dev')
|
||||||
|
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
||||||
|
- * /dev/pts/1 -> ts/1 )
|
||||||
|
+ * /dev/pts/1 -> /1 )
|
||||||
|
*
|
||||||
|
* Form 3 is used on some systems to identify a .tmp.? entry when
|
||||||
|
* attempting to remove it. Typically both addition and removal is
|
||||||
|
* performed by one application - say, sshd - so as long as the choice
|
||||||
|
* uniquely identifies a terminal it's ok.
|
||||||
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
@@ -602,16 +602,20 @@ line_abbrevname(char *dst, const char *s
|
||||||
|
/* Always skip prefix if present */
|
||||||
|
if (strncmp(src, "/dev/", 5) == 0)
|
||||||
|
src += 5;
|
||||||
|
|
||||||
|
#ifdef WITH_ABBREV_NO_TTY
|
||||||
|
if (strncmp(src, "tty", 3) == 0)
|
||||||
|
src += 3;
|
||||||
|
#endif
|
||||||
|
+ if (strncmp(src, "pts/", 4) == 0) {
|
||||||
|
+ src += 3;
|
||||||
|
+ if (strlen(src) > 4) src++;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
len = strlen(src);
|
||||||
|
|
||||||
|
if (len > 0) {
|
||||||
|
if (((int)len - dstsize) > 0)
|
||||||
|
src += ((int)len - dstsize);
|
||||||
|
|
||||||
|
/* note: _don't_ change this to strlcpy */
|
55
openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Normal file
55
openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent a60c0d88667efe0a64c030168950b69476af1622
|
||||||
|
# --used to be called '-xauth'
|
||||||
|
try to remove xauth cookies on logout
|
||||||
|
|
||||||
|
bnc#98815
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/session.c b/openssh-7.7p1/session.c
|
||||||
|
--- openssh-7.7p1/session.c
|
||||||
|
+++ openssh-7.7p1/session.c
|
||||||
|
@@ -2302,16 +2302,44 @@ session_close(struct ssh *ssh, Session *
|
||||||
|
u_int i;
|
||||||
|
|
||||||
|
verbose("Close session: user %s from %.200s port %d id %d",
|
||||||
|
s->pw->pw_name,
|
||||||
|
ssh_remote_ipaddr(ssh),
|
||||||
|
ssh_remote_port(ssh),
|
||||||
|
s->self);
|
||||||
|
|
||||||
|
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
||||||
|
+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {
|
||||||
|
+ pid_t pid;
|
||||||
|
+ FILE *f;
|
||||||
|
+ char cmd[1024];
|
||||||
|
+ struct passwd * pw = s->pw;
|
||||||
|
+
|
||||||
|
+ if (!(pid = fork())) {
|
||||||
|
+ permanently_set_uid(pw);
|
||||||
|
+
|
||||||
|
+ /* Remove authority data from .Xauthority if appropriate. */
|
||||||
|
+ debug("Running %.500s remove %.100s\n",
|
||||||
|
+ options.xauth_location, s->auth_display);
|
||||||
|
+
|
||||||
|
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
|
||||||
|
+ s->pw->pw_dir, options.xauth_location);
|
||||||
|
+ f = popen(cmd, "w");
|
||||||
|
+ if (f) {
|
||||||
|
+ fprintf(f, "remove %s\n", s->auth_display);
|
||||||
|
+ pclose(f);
|
||||||
|
+ } else
|
||||||
|
+ error("Could not run %s\n", cmd);
|
||||||
|
+ exit(0);
|
||||||
|
+ } else if (pid > 0) {
|
||||||
|
+ waitpid(pid, NULL, 0);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (s->ttyfd != -1)
|
||||||
|
session_pty_cleanup(s);
|
||||||
|
free(s->term);
|
||||||
|
free(s->display);
|
||||||
|
free(s->x11_chanids);
|
||||||
|
free(s->auth_display);
|
||||||
|
free(s->auth_data);
|
||||||
|
free(s->auth_proto);
|
36
openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
Normal file
36
openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent a7b18fdd68dba10349e59a9085fd822343311f45
|
||||||
|
Patch from IBM enabling use of EP11 hw crypto accelerator, submitted upstreams:
|
||||||
|
|
||||||
|
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||||
|
To: openssh-unix-dev@mindrot.org
|
||||||
|
Subject: [PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
|
||||||
|
Date: Tue, 9 May 2017 14:27:15 -0300
|
||||||
|
|
||||||
|
The EP11 crypto card needs to make an ioctl call, which receives an
|
||||||
|
specific argument. This crypto card is for s390 only.
|
||||||
|
|
||||||
|
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
--- openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
+++ openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
@@ -248,16 +248,18 @@ static const struct sock_filter preauth_
|
||||||
|
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
|
||||||
|
SC_DENY(__NR_socketcall, EACCES),
|
||||||
|
#endif
|
||||||
|
#if defined(__NR_ioctl) && defined(__s390__)
|
||||||
|
/* Allow ioctls for ICA crypto card on s390 */
|
||||||
|
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
|
||||||
|
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
|
||||||
|
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
||||||
|
+ /* Allow ioctls for EP11 crypto card on s390 */
|
||||||
|
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
|
||||||
|
#endif
|
||||||
|
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
|
||||||
|
/*
|
||||||
|
* On Linux x32, the clock_gettime VDSO falls back to the
|
||||||
|
* x86-64 syscall under some circumstances, e.g.
|
||||||
|
* https://bugs.debian.org/849923
|
||||||
|
*/
|
||||||
|
SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
|
60
openssh-7.7p1-seccomp_ipc_flock.patch
Normal file
60
openssh-7.7p1-seccomp_ipc_flock.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 9d38b7292619a6d5faf554b1a88888fdfa535de7
|
||||||
|
Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:
|
||||||
|
|
||||||
|
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||||
|
To: openssh-unix-dev@mindrot.org
|
||||||
|
Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
|
||||||
|
Date: Tue, 9 May 2017 14:27:13 -0300
|
||||||
|
|
||||||
|
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
||||||
|
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
||||||
|
implementation) which calls the libraries that will communicate with the
|
||||||
|
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
||||||
|
this is only need on s390 architecture.
|
||||||
|
|
||||||
|
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
--- openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
+++ openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
|
||||||
|
SC_ALLOW(__NR_exit_group),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_geteuid
|
||||||
|
SC_ALLOW(__NR_geteuid),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_geteuid32
|
||||||
|
SC_ALLOW(__NR_geteuid32),
|
||||||
|
#endif
|
||||||
|
+#if defined(__NR_flock) && defined(__s390__)
|
||||||
|
+ SC_ALLOW(__NR_flock),
|
||||||
|
+#endif
|
||||||
|
#ifdef __NR_getpgid
|
||||||
|
SC_ALLOW(__NR_getpgid),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_getpid
|
||||||
|
SC_ALLOW(__NR_getpid),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_getrandom
|
||||||
|
SC_ALLOW(__NR_getrandom),
|
||||||
|
@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
|
||||||
|
SC_ALLOW(__NR_gettimeofday),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_getuid
|
||||||
|
SC_ALLOW(__NR_getuid),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_getuid32
|
||||||
|
SC_ALLOW(__NR_getuid32),
|
||||||
|
#endif
|
||||||
|
+#if defined(__NR_ipc) && defined(__s390__)
|
||||||
|
+ SC_ALLOW(__NR_ipc),
|
||||||
|
+#endif
|
||||||
|
#ifdef __NR_madvise
|
||||||
|
SC_ALLOW(__NR_madvise),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_mmap
|
||||||
|
SC_ALLOW(__NR_mmap),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_mmap2
|
||||||
|
SC_ALLOW(__NR_mmap2),
|
30
openssh-7.7p1-seccomp_stat.patch
Normal file
30
openssh-7.7p1-seccomp_stat.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 5034ae16f6a5c9c7151d931dc1cce2a541fe010e
|
||||||
|
Allow the stat() syscall for OpenSSL re-seed patch
|
||||||
|
(which causes OpenSSL use stat() on some file)
|
||||||
|
|
||||||
|
bnc#912436
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
--- openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
+++ openssh-7.7p1/sandbox-seccomp-filter.c
|
||||||
|
@@ -224,16 +224,19 @@ static const struct sock_filter preauth_
|
||||||
|
SC_ALLOW(__NR_select),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_shutdown
|
||||||
|
SC_ALLOW(__NR_shutdown),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_sigprocmask
|
||||||
|
SC_ALLOW(__NR_sigprocmask),
|
||||||
|
#endif
|
||||||
|
+#ifdef __NR_stat
|
||||||
|
+ SC_ALLOW(__NR_stat),
|
||||||
|
+#endif
|
||||||
|
#ifdef __NR_time
|
||||||
|
SC_ALLOW(__NR_time),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_write
|
||||||
|
SC_ALLOW(__NR_write),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_socketcall
|
||||||
|
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
|
332
openssh-7.7p1-seed-prng.patch
Normal file
332
openssh-7.7p1-seed-prng.patch
Normal file
@ -0,0 +1,332 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent e655fcb8e89d19ce9e954d6fc330e5e3e093a848
|
||||||
|
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
||||||
|
# bnc#703221, FATE#312172
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/entropy.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/entropy.c
|
||||||
|
+++ openssh-7.8p1/entropy.c
|
||||||
|
@@ -235,6 +235,9 @@ seed_rng(void)
|
||||||
|
memset(buf, '\0', sizeof(buf));
|
||||||
|
|
||||||
|
#endif /* OPENSSL_PRNG_ONLY */
|
||||||
|
+
|
||||||
|
+ linux_seed();
|
||||||
|
+
|
||||||
|
if (RAND_status() != 1)
|
||||||
|
fatal("PRNG is not seeded");
|
||||||
|
}
|
||||||
|
Index: openssh-7.8p1/openbsd-compat/Makefile.in
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/openbsd-compat/Makefile.in
|
||||||
|
+++ openssh-7.8p1/openbsd-compat/Makefile.in
|
||||||
|
@@ -90,6 +90,7 @@ COMPAT= arc4random.o \
|
||||||
|
PORTS= port-aix.o \
|
||||||
|
port-irix.o \
|
||||||
|
port-linux.o \
|
||||||
|
+ port-linux-prng.o \
|
||||||
|
port-solaris.o \
|
||||||
|
port-net.o \
|
||||||
|
port-uw.o
|
||||||
|
Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null
|
||||||
|
+++ openssh-7.8p1/openbsd-compat/port-linux-prng.c
|
||||||
|
@@ -0,0 +1,81 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
||||||
|
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
|
||||||
|
+ *
|
||||||
|
+ * Permission to use, copy, modify, and distribute this software for any
|
||||||
|
+ * purpose with or without fee is hereby granted, provided that the above
|
||||||
|
+ * copyright notice and this permission notice appear in all copies.
|
||||||
|
+ *
|
||||||
|
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||||
|
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||||
|
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
|
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Linux-specific portability code - prng support
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include "includes.h"
|
||||||
|
+#include "defines.h"
|
||||||
|
+
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <stdarg.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <openssl/rand.h>
|
||||||
|
+
|
||||||
|
+#include "log.h"
|
||||||
|
+#include "port-linux.h"
|
||||||
|
+#include "fips.h"
|
||||||
|
+
|
||||||
|
+#define RNG_BYTES_DEFAULT 6L
|
||||||
|
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
|
||||||
|
+
|
||||||
|
+long rand_bytes = 0;
|
||||||
|
+char *rand_file = NULL;
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+linux_seed_init(void)
|
||||||
|
+{
|
||||||
|
+ long elen = 0;
|
||||||
|
+ char *env = getenv(RNG_ENV_VAR);
|
||||||
|
+
|
||||||
|
+ if (env) {
|
||||||
|
+ errno = 0;
|
||||||
|
+ elen = strtol(env, NULL, 10);
|
||||||
|
+ if (errno) {
|
||||||
|
+ elen = RNG_BYTES_DEFAULT;
|
||||||
|
+ debug("bogus value in the %s environment variable, "
|
||||||
|
+ "using %li bytes from /dev/random\n",
|
||||||
|
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (elen || fips_mode())
|
||||||
|
+ rand_file = "/dev/random";
|
||||||
|
+ else
|
||||||
|
+ rand_file = "/dev/urandom";
|
||||||
|
+
|
||||||
|
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+linux_seed(void)
|
||||||
|
+{
|
||||||
|
+ long len;
|
||||||
|
+ if (!rand_file)
|
||||||
|
+ linux_seed_init();
|
||||||
|
+
|
||||||
|
+ errno = 0;
|
||||||
|
+ len = RAND_load_file(rand_file, rand_bytes);
|
||||||
|
+ if (len != rand_bytes) {
|
||||||
|
+ if (errno)
|
||||||
|
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
|
||||||
|
+ else
|
||||||
|
+ fatal ("EOF reading %s", rand_file);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
Index: openssh-7.8p1/openbsd-compat/port-linux.h
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/openbsd-compat/port-linux.h
|
||||||
|
+++ openssh-7.8p1/openbsd-compat/port-linux.h
|
||||||
|
@@ -17,6 +17,10 @@
|
||||||
|
#ifndef _PORT_LINUX_H
|
||||||
|
#define _PORT_LINUX_H
|
||||||
|
|
||||||
|
+extern long rand_bytes;
|
||||||
|
+extern char *rand_file;
|
||||||
|
+void linux_seed(void);
|
||||||
|
+
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
int ssh_selinux_enabled(void);
|
||||||
|
void ssh_selinux_setup_pty(char *, const char *);
|
||||||
|
Index: openssh-7.8p1/ssh-add.1
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh-add.1
|
||||||
|
+++ openssh-7.8p1/ssh-add.1
|
||||||
|
@@ -172,6 +172,20 @@ to make this work.)
|
||||||
|
Identifies the path of a
|
||||||
|
.Ux Ns -domain
|
||||||
|
socket used to communicate with the agent.
|
||||||
|
+.It Ev SSH_USE_STRONG_RNG
|
||||||
|
+The reseeding of the OpenSSL random generator is usually done from
|
||||||
|
+.Cm /dev/urandom .
|
||||||
|
+If the
|
||||||
|
+.Cm SSH_USE_STRONG_RNG
|
||||||
|
+environment variable is set to value other than
|
||||||
|
+.Cm 0
|
||||||
|
+the OpenSSL random generator is reseeded from
|
||||||
|
+.Cm /dev/random .
|
||||||
|
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||||
|
+Minimum is 6 bytes.
|
||||||
|
+This setting is not recommended on the computers without the hardware
|
||||||
|
+random generator because insufficient entropy causes the connection to
|
||||||
|
+be blocked until enough entropy is available.
|
||||||
|
.El
|
||||||
|
.Sh FILES
|
||||||
|
.Bl -tag -width Ds
|
||||||
|
Index: openssh-7.8p1/ssh-agent.1
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh-agent.1
|
||||||
|
+++ openssh-7.8p1/ssh-agent.1
|
||||||
|
@@ -214,6 +214,23 @@ sockets used to contain the connection t
|
||||||
|
These sockets should only be readable by the owner.
|
||||||
|
The sockets should get automatically removed when the agent exits.
|
||||||
|
.El
|
||||||
|
+.Sh ENVIRONMENT
|
||||||
|
+.Bl -tag -width Ds -compact
|
||||||
|
+.Pp
|
||||||
|
+.It Pa SSH_USE_STRONG_RNG
|
||||||
|
+The reseeding of the OpenSSL random generator is usually done from
|
||||||
|
+.Cm /dev/urandom .
|
||||||
|
+If the
|
||||||
|
+.Cm SSH_USE_STRONG_RNG
|
||||||
|
+environment variable is set to value other than
|
||||||
|
+.Cm 0
|
||||||
|
+the OpenSSL random generator is reseeded from
|
||||||
|
+.Cm /dev/random .
|
||||||
|
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||||
|
+Minimum is 6 bytes.
|
||||||
|
+This setting is not recommended on the computers without the hardware
|
||||||
|
+random generator because insufficient entropy causes the connection to
|
||||||
|
+be blocked until enough entropy is available.
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr ssh 1 ,
|
||||||
|
.Xr ssh-add 1 ,
|
||||||
|
Index: openssh-7.8p1/ssh-keygen.1
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh-keygen.1
|
||||||
|
+++ openssh-7.8p1/ssh-keygen.1
|
||||||
|
@@ -869,6 +869,23 @@ Contains Diffie-Hellman groups used for
|
||||||
|
The file format is described in
|
||||||
|
.Xr moduli 5 .
|
||||||
|
.El
|
||||||
|
+.Sh ENVIRONMENT
|
||||||
|
+.Bl -tag -width Ds -compact
|
||||||
|
+.Pp
|
||||||
|
+.It Pa SSH_USE_STRONG_RNG
|
||||||
|
+The reseeding of the OpenSSL random generator is usually done from
|
||||||
|
+.Cm /dev/urandom .
|
||||||
|
+If the
|
||||||
|
+.Cm SSH_USE_STRONG_RNG
|
||||||
|
+environment variable is set to value other than
|
||||||
|
+.Cm 0
|
||||||
|
+the OpenSSL random generator is reseeded from
|
||||||
|
+.Cm /dev/random .
|
||||||
|
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||||
|
+Minimum is 6 bytes.
|
||||||
|
+This setting is not recommended on the computers without the hardware
|
||||||
|
+random generator because insufficient entropy causes the connection to
|
||||||
|
+be blocked until enough entropy is available.
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr ssh 1 ,
|
||||||
|
.Xr ssh-add 1 ,
|
||||||
|
Index: openssh-7.8p1/ssh-keysign.8
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh-keysign.8
|
||||||
|
+++ openssh-7.8p1/ssh-keysign.8
|
||||||
|
@@ -80,6 +80,23 @@ must be set-uid root if host-based authe
|
||||||
|
If these files exist they are assumed to contain public certificate
|
||||||
|
information corresponding with the private keys above.
|
||||||
|
.El
|
||||||
|
+.Sh ENVIRONMENT
|
||||||
|
+.Bl -tag -width Ds -compact
|
||||||
|
+.Pp
|
||||||
|
+.It Pa SSH_USE_STRONG_RNG
|
||||||
|
+The reseeding of the OpenSSL random generator is usually done from
|
||||||
|
+.Cm /dev/urandom .
|
||||||
|
+If the
|
||||||
|
+.Cm SSH_USE_STRONG_RNG
|
||||||
|
+environment variable is set to value other than
|
||||||
|
+.Cm 0
|
||||||
|
+the OpenSSL random generator is reseeded from
|
||||||
|
+.Cm /dev/random .
|
||||||
|
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||||
|
+Minimum is 6 bytes.
|
||||||
|
+This setting is not recommended on the computers without the hardware
|
||||||
|
+random generator because insufficient entropy causes the connection to
|
||||||
|
+be blocked until enough entropy is available.
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr ssh 1 ,
|
||||||
|
.Xr ssh-keygen 1 ,
|
||||||
|
Index: openssh-7.8p1/ssh.1
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/ssh.1
|
||||||
|
+++ openssh-7.8p1/ssh.1
|
||||||
|
@@ -1432,6 +1432,20 @@ For more information, see the
|
||||||
|
.Cm PermitUserEnvironment
|
||||||
|
option in
|
||||||
|
.Xr sshd_config 5 .
|
||||||
|
+.It Ev SSH_USE_STRONG_RNG
|
||||||
|
+The reseeding of the OpenSSL random generator is usually done from
|
||||||
|
+.Cm /dev/urandom .
|
||||||
|
+If the
|
||||||
|
+.Cm SSH_USE_STRONG_RNG
|
||||||
|
+environment variable is set to value other than
|
||||||
|
+.Cm 0
|
||||||
|
+the OpenSSL random generator is reseeded from
|
||||||
|
+.Cm /dev/random .
|
||||||
|
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||||
|
+Minimum is 6 bytes.
|
||||||
|
+This setting is not recommended on the computers without the hardware
|
||||||
|
+random generator because insufficient entropy causes the connection to
|
||||||
|
+be blocked until enough entropy is available.
|
||||||
|
.Sh FILES
|
||||||
|
.Bl -tag -width Ds -compact
|
||||||
|
.It Pa ~/.rhosts
|
||||||
|
Index: openssh-7.8p1/sshd.8
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd.8
|
||||||
|
+++ openssh-7.8p1/sshd.8
|
||||||
|
@@ -966,6 +966,23 @@ concurrently for different ports, this c
|
||||||
|
started last).
|
||||||
|
The content of this file is not sensitive; it can be world-readable.
|
||||||
|
.El
|
||||||
|
+.Sh ENVIRONMENT
|
||||||
|
+.Bl -tag -width Ds -compact
|
||||||
|
+.Pp
|
||||||
|
+.It Pa SSH_USE_STRONG_RNG
|
||||||
|
+The reseeding of the OpenSSL random generator is usually done from
|
||||||
|
+.Cm /dev/urandom .
|
||||||
|
+If the
|
||||||
|
+.Cm SSH_USE_STRONG_RNG
|
||||||
|
+environment variable is set to value other than
|
||||||
|
+.Cm 0
|
||||||
|
+the OpenSSL random generator is reseeded from
|
||||||
|
+.Cm /dev/random .
|
||||||
|
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||||
|
+Minimum is 6 bytes.
|
||||||
|
+This setting is not recommended on the computers without the hardware
|
||||||
|
+random generator because insufficient entropy causes the connection to
|
||||||
|
+be blocked until enough entropy is available.
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr scp 1 ,
|
||||||
|
.Xr sftp 1 ,
|
||||||
|
Index: openssh-7.8p1/sshd.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd.c
|
||||||
|
+++ openssh-7.8p1/sshd.c
|
||||||
|
@@ -55,6 +55,8 @@
|
||||||
|
#endif
|
||||||
|
#include "openbsd-compat/sys-tree.h"
|
||||||
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
+#include "openbsd-compat/port-linux.h"
|
||||||
|
+
|
||||||
|
#include <sys/wait.h>
|
||||||
|
|
||||||
|
#include <errno.h>
|
||||||
|
@@ -208,6 +210,13 @@ struct {
|
||||||
|
int have_ssh2_key;
|
||||||
|
} sensitive_data;
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
|
||||||
|
+ * random pool.
|
||||||
|
+ */
|
||||||
|
+#define RESEED_AFTER 100
|
||||||
|
+static int re_seeding_counter = RESEED_AFTER;
|
||||||
|
+
|
||||||
|
/* This is set to true when a signal is received. */
|
||||||
|
static volatile sig_atomic_t received_sighup = 0;
|
||||||
|
static volatile sig_atomic_t received_sigterm = 0;
|
||||||
|
@@ -1252,6 +1261,10 @@ server_accept_loop(int *sock_in, int *so
|
||||||
|
startups++;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ if(!(--re_seeding_counter)) {
|
||||||
|
+ re_seeding_counter = RESEED_AFTER;
|
||||||
|
+ linux_seed();
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Got connection. Fork a child to handle it, unless
|
53
openssh-7.7p1-send_locale.patch
Normal file
53
openssh-7.7p1-send_locale.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent db426aecefd1f4f8a7f9b9b6e8936cd8dd2f17fa
|
||||||
|
send locales in default configuration
|
||||||
|
bnc#65747
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/ssh_config b/openssh-7.7p1/ssh_config
|
||||||
|
--- openssh-7.7p1/ssh_config
|
||||||
|
+++ openssh-7.7p1/ssh_config
|
||||||
|
@@ -26,16 +26,21 @@ Host *
|
||||||
|
# security reasons: Someone stealing the authentification data on the
|
||||||
|
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||||
|
# keystrokes as you type, just like any other X11 client could do.
|
||||||
|
# Set this to "no" here for global effect or in your own ~/.ssh/config
|
||||||
|
# file if you want to have the remote X11 authentification data to
|
||||||
|
# expire after twenty minutes after remote login.
|
||||||
|
ForwardX11Trusted yes
|
||||||
|
|
||||||
|
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
|
||||||
|
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
|
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
|
+ SendEnv LC_IDENTIFICATION LC_ALL
|
||||||
|
+
|
||||||
|
# PasswordAuthentication yes
|
||||||
|
# HostbasedAuthentication no
|
||||||
|
# GSSAPIAuthentication no
|
||||||
|
# GSSAPIDelegateCredentials no
|
||||||
|
# BatchMode no
|
||||||
|
# CheckHostIP yes
|
||||||
|
# AddressFamily any
|
||||||
|
# ConnectTimeout 0
|
||||||
|
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
|
||||||
|
--- openssh-7.7p1/sshd_config
|
||||||
|
+++ openssh-7.7p1/sshd_config
|
||||||
|
@@ -104,14 +104,19 @@ X11Forwarding yes
|
||||||
|
#VersionAddendum none
|
||||||
|
|
||||||
|
# no default banner path
|
||||||
|
#Banner none
|
||||||
|
|
||||||
|
# override default of no subsystems
|
||||||
|
Subsystem sftp /usr/libexec/sftp-server
|
||||||
|
|
||||||
|
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
|
||||||
|
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
|
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
|
+AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||||
|
+
|
||||||
|
# Example of overriding settings on a per-user basis
|
||||||
|
#Match User anoncvs
|
||||||
|
# X11Forwarding no
|
||||||
|
# AllowTcpForwarding no
|
||||||
|
# PermitTTY no
|
||||||
|
# ForceCommand cvs server
|
157
openssh-7.7p1-sftp_force_permissions.patch
Normal file
157
openssh-7.7p1-sftp_force_permissions.patch
Normal file
@ -0,0 +1,157 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 37bba3ff816d9ab93ddcf23389a4eb29d7716006
|
||||||
|
additional option for sftp-server to force file mode for new files
|
||||||
|
FATE#312774
|
||||||
|
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
|
||||||
|
http://marc.info/?l=openssh-unix-dev&m=128896838930893
|
||||||
|
|
||||||
|
diff --git a/openssh-7.7p1/sftp-server.8 b/openssh-7.7p1/sftp-server.8
|
||||||
|
--- openssh-7.7p1/sftp-server.8
|
||||||
|
+++ openssh-7.7p1/sftp-server.8
|
||||||
|
@@ -33,16 +33,17 @@
|
||||||
|
.Bk -words
|
||||||
|
.Op Fl ehR
|
||||||
|
.Op Fl d Ar start_directory
|
||||||
|
.Op Fl f Ar log_facility
|
||||||
|
.Op Fl l Ar log_level
|
||||||
|
.Op Fl P Ar blacklisted_requests
|
||||||
|
.Op Fl p Ar whitelisted_requests
|
||||||
|
.Op Fl u Ar umask
|
||||||
|
+.Op Fl m Ar force_file_permissions
|
||||||
|
.Ek
|
||||||
|
.Nm
|
||||||
|
.Fl Q Ar protocol_feature
|
||||||
|
.Sh DESCRIPTION
|
||||||
|
.Nm
|
||||||
|
is a program that speaks the server side of SFTP protocol
|
||||||
|
to stdout and expects client requests from stdin.
|
||||||
|
.Nm
|
||||||
|
@@ -133,16 +134,20 @@ Places this instance of
|
||||||
|
into a read-only mode.
|
||||||
|
Attempts to open files for writing, as well as other operations that change
|
||||||
|
the state of the filesystem, will be denied.
|
||||||
|
.It Fl u Ar umask
|
||||||
|
Sets an explicit
|
||||||
|
.Xr umask 2
|
||||||
|
to be applied to newly-created files and directories, instead of the
|
||||||
|
user's default mask.
|
||||||
|
+.It Fl m Ar force_file_permissions
|
||||||
|
+Sets explicit file permissions to be applied to newly-created files instead
|
||||||
|
+of the default or client requested mode. Numeric values include:
|
||||||
|
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
On some systems,
|
||||||
|
.Nm
|
||||||
|
must be able to access
|
||||||
|
.Pa /dev/log
|
||||||
|
for logging to work, and use of
|
||||||
|
.Nm
|
||||||
|
diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
|
||||||
|
--- openssh-7.7p1/sftp-server.c
|
||||||
|
+++ openssh-7.7p1/sftp-server.c
|
||||||
|
@@ -71,16 +71,20 @@ static u_int version;
|
||||||
|
static int init_done;
|
||||||
|
|
||||||
|
/* Disable writes */
|
||||||
|
static int readonly;
|
||||||
|
|
||||||
|
/* Requests that are allowed/denied */
|
||||||
|
static char *request_whitelist, *request_blacklist;
|
||||||
|
|
||||||
|
+/* Force file permissions */
|
||||||
|
+int permforce = 0;
|
||||||
|
+long permforcemode;
|
||||||
|
+
|
||||||
|
/* portable attributes, etc. */
|
||||||
|
typedef struct Stat Stat;
|
||||||
|
|
||||||
|
struct Stat {
|
||||||
|
char *name;
|
||||||
|
char *long_name;
|
||||||
|
Attrib attrib;
|
||||||
|
};
|
||||||
|
@@ -685,16 +689,20 @@ process_open(u_int32_t id)
|
||||||
|
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||||
|
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||||
|
(r = decode_attrib(iqueue, &a)) != 0)
|
||||||
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
|
debug3("request %u: open flags %d", id, pflags);
|
||||||
|
flags = flags_from_portable(pflags);
|
||||||
|
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||||
|
+ if (permforce == 1) {
|
||||||
|
+ mode = permforcemode;
|
||||||
|
+ (void)umask(0); /* so umask does not interfere */
|
||||||
|
+ }
|
||||||
|
logit("open \"%s\" flags %s mode 0%o",
|
||||||
|
name, string_from_portable(pflags), mode);
|
||||||
|
if (readonly &&
|
||||||
|
((flags & O_ACCMODE) != O_RDONLY ||
|
||||||
|
(flags & (O_CREAT|O_TRUNC)) != 0)) {
|
||||||
|
verbose("Refusing open request in read-only mode");
|
||||||
|
status = SSH2_FX_PERMISSION_DENIED;
|
||||||
|
} else {
|
||||||
|
@@ -1487,17 +1495,18 @@ sftp_server_cleanup_exit(int i)
|
||||||
|
static void
|
||||||
|
sftp_server_usage(void)
|
||||||
|
{
|
||||||
|
extern char *__progname;
|
||||||
|
|
||||||
|
fprintf(stderr,
|
||||||
|
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||||
|
"[-l log_level]\n\t[-P blacklisted_requests] "
|
||||||
|
- "[-p whitelisted_requests] [-u umask]\n"
|
||||||
|
+ "[-p whitelisted_requests] [-u umask]\n\t"
|
||||||
|
+ "[-m force_file_permissions]\n"
|
||||||
|
" %s -Q protocol_feature\n",
|
||||||
|
__progname, __progname);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||||
|
{
|
||||||
|
@@ -1516,17 +1525,17 @@ sftp_server_main(int argc, char **argv,
|
||||||
|
|
||||||
|
ssh_malloc_init(); /* must be called before any mallocs */
|
||||||
|
__progname = ssh_get_progname(argv[0]);
|
||||||
|
log_init(__progname, log_level, log_facility, log_stderr);
|
||||||
|
|
||||||
|
pw = pwcopy(user_pw);
|
||||||
|
|
||||||
|
while (!skipargs && (ch = getopt(argc, argv,
|
||||||
|
- "d:f:l:P:p:Q:u:cehR")) != -1) {
|
||||||
|
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
|
||||||
|
switch (ch) {
|
||||||
|
case 'Q':
|
||||||
|
if (strcasecmp(optarg, "requests") != 0) {
|
||||||
|
fprintf(stderr, "Invalid query type\n");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
for (i = 0; handlers[i].handler != NULL; i++)
|
||||||
|
printf("%s\n", handlers[i].name);
|
||||||
|
@@ -1576,16 +1585,23 @@ sftp_server_main(int argc, char **argv,
|
||||||
|
case 'u':
|
||||||
|
errno = 0;
|
||||||
|
mask = strtol(optarg, &cp, 8);
|
||||||
|
if (mask < 0 || mask > 0777 || *cp != '\0' ||
|
||||||
|
cp == optarg || (mask == 0 && errno != 0))
|
||||||
|
fatal("Invalid umask \"%s\"", optarg);
|
||||||
|
(void)umask((mode_t)mask);
|
||||||
|
break;
|
||||||
|
+ case 'm':
|
||||||
|
+ permforce = 1;
|
||||||
|
+ permforcemode = strtol(optarg, &cp, 8);
|
||||||
|
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
|
||||||
|
+ cp == optarg || (permforcemode == 0 && errno != 0))
|
||||||
|
+ fatal("Invalid umask \"%s\"", optarg);
|
||||||
|
+ break;
|
||||||
|
case 'h':
|
||||||
|
default:
|
||||||
|
sftp_server_usage();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
log_init(__progname, log_level, log_facility, log_stderr);
|
||||||
|
|
76
openssh-7.7p1-sftp_print_diagnostic_messages.patch
Normal file
76
openssh-7.7p1-sftp_print_diagnostic_messages.patch
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
|
||||||
|
Put back sftp client diagnostic messages in batch mode
|
||||||
|
|
||||||
|
bsc#1023275
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/sftp.0
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sftp.0
|
||||||
|
+++ openssh-7.8p1/sftp.0
|
||||||
|
@@ -160,6 +160,9 @@ DESCRIPTION
|
||||||
|
-p Preserves modification times, access times, and modes from the
|
||||||
|
original files transferred.
|
||||||
|
|
||||||
|
+ -Q Not-so-quiet batch mode: forces printing of diagnostic messages
|
||||||
|
+ in batch mode.
|
||||||
|
+
|
||||||
|
-q Quiet mode: disables the progress meter as well as warning and
|
||||||
|
diagnostic messages from ssh(1).
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/sftp.1
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sftp.1
|
||||||
|
+++ openssh-7.8p1/sftp.1
|
||||||
|
@@ -256,6 +256,9 @@ Specifies the port to connect to on the
|
||||||
|
.It Fl p
|
||||||
|
Preserves modification times, access times, and modes from the
|
||||||
|
original files transferred.
|
||||||
|
+.It Fl Q
|
||||||
|
+Not-so-quiet batch mode: forces printing of diagnostic messages
|
||||||
|
+in batch mode.
|
||||||
|
.It Fl q
|
||||||
|
Quiet mode: disables the progress meter as well as warning and
|
||||||
|
diagnostic messages from
|
||||||
|
Index: openssh-7.8p1/sftp.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sftp.c
|
||||||
|
+++ openssh-7.8p1/sftp.c
|
||||||
|
@@ -86,6 +86,9 @@ static volatile pid_t sshpid = -1;
|
||||||
|
/* Suppress diagnositic messages */
|
||||||
|
int quiet = 0;
|
||||||
|
|
||||||
|
+/* Force diagnositic messages in batch mode */
|
||||||
|
+int loud = 0;
|
||||||
|
+
|
||||||
|
/* This is set to 0 if the progressmeter is not desired. */
|
||||||
|
int showprogress = 1;
|
||||||
|
|
||||||
|
@@ -2373,7 +2376,7 @@ main(int argc, char **argv)
|
||||||
|
infile = stdin;
|
||||||
|
|
||||||
|
while ((ch = getopt(argc, argv,
|
||||||
|
- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
|
||||||
|
+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
|
||||||
|
switch (ch) {
|
||||||
|
/* Passed through to ssh(1) */
|
||||||
|
case '4':
|
||||||
|
@@ -2389,6 +2392,9 @@ main(int argc, char **argv)
|
||||||
|
addargs(&args, "-%c", ch);
|
||||||
|
addargs(&args, "%s", optarg);
|
||||||
|
break;
|
||||||
|
+ case 'Q':
|
||||||
|
+ loud = 1;
|
||||||
|
+ break;
|
||||||
|
case 'q':
|
||||||
|
ll = SYSLOG_LEVEL_ERROR;
|
||||||
|
quiet = 1;
|
||||||
|
@@ -2472,6 +2478,8 @@ main(int argc, char **argv)
|
||||||
|
usage();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ if (batchmode && loud)
|
||||||
|
+ quiet = 0;
|
||||||
|
|
||||||
|
if (!isatty(STDERR_FILENO))
|
||||||
|
showprogress = 0;
|
86
openssh-7.7p1-systemd-notify.patch
Normal file
86
openssh-7.7p1-systemd-notify.patch
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent d296e85dc414b8cd1b4b55ad03d8216feb26531a
|
||||||
|
Send signals to systemd to prevent various race conditions
|
||||||
|
bsc#1048367
|
||||||
|
|
||||||
|
Index: openssh-7.8p1/configure.ac
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/configure.ac
|
||||||
|
+++ openssh-7.8p1/configure.ac
|
||||||
|
@@ -4378,6 +4378,30 @@ AC_ARG_WITH([kerberos5],
|
||||||
|
AC_SUBST([GSSLIBS])
|
||||||
|
AC_SUBST([K5LIBS])
|
||||||
|
|
||||||
|
+# Check whether user wants systemd support
|
||||||
|
+SYSTEMD_MSG="no"
|
||||||
|
+AC_ARG_WITH(systemd,
|
||||||
|
+ [ --with-systemd Enable systemd support],
|
||||||
|
+ [ if test "x$withval" != "xno" ; then
|
||||||
|
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||||
|
+ if test "$PKGCONFIG" != "no"; then
|
||||||
|
+ AC_MSG_CHECKING([for libsystemd])
|
||||||
|
+ if $PKGCONFIG --exists libsystemd; then
|
||||||
|
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
||||||
|
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
||||||
|
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
||||||
|
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
||||||
|
+ AC_MSG_RESULT([yes])
|
||||||
|
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
||||||
|
+ SYSTEMD_MSG="yes"
|
||||||
|
+ else
|
||||||
|
+ AC_MSG_RESULT([no])
|
||||||
|
+ fi
|
||||||
|
+ fi
|
||||||
|
+ fi ]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
# Looking for programs, paths and files
|
||||||
|
|
||||||
|
PRIVSEP_PATH=/var/empty
|
||||||
|
@@ -5183,6 +5207,7 @@ echo " libldns support
|
||||||
|
echo " Solaris process contract support: $SPC_MSG"
|
||||||
|
echo " Solaris project support: $SP_MSG"
|
||||||
|
echo " Solaris privilege support: $SPP_MSG"
|
||||||
|
+echo " systemd support: $SYSTEMD_MSG"
|
||||||
|
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||||
|
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||||
|
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||||
|
Index: openssh-7.8p1/sshd.c
|
||||||
|
===================================================================
|
||||||
|
--- openssh-7.8p1.orig/sshd.c
|
||||||
|
+++ openssh-7.8p1/sshd.c
|
||||||
|
@@ -87,6 +87,10 @@
|
||||||
|
#include <prot.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifdef HAVE_SYSTEMD
|
||||||
|
+#include <systemd/sd-daemon.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "ssh.h"
|
||||||
|
#include "ssh2.h"
|
||||||
|
@@ -308,6 +312,10 @@ sighup_handler(int sig)
|
||||||
|
static void
|
||||||
|
sighup_restart(void)
|
||||||
|
{
|
||||||
|
+#ifdef HAVE_SYSTEMD
|
||||||
|
+ /* Signal systemd that we are reloading */
|
||||||
|
+ sd_notify(0, "RELOADING=1");
|
||||||
|
+#endif
|
||||||
|
logit("Received SIGHUP; restarting.");
|
||||||
|
if (options.pid_file != NULL)
|
||||||
|
unlink(options.pid_file);
|
||||||
|
@@ -1995,6 +2003,11 @@ main(int ac, char **av)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef HAVE_SYSTEMD
|
||||||
|
+ /* Signal systemd that we are ready to accept connections */
|
||||||
|
+ sd_notify(0, "READY=1");
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* Accept a connection and return in a forked child */
|
||||||
|
server_accept_loop(&sock_in, &sock_out,
|
||||||
|
&newsock, config_s);
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
|
|
||||||
size 1536900
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlrBwh4ACgkQ0+X1a22S
|
|
||||||
DTCqGwyAgQuR+5b6dAEK3PV3WnzuPSJ8KKnw3/HlqQw40QfWotVOX4+On3+yOYy+
|
|
||||||
txjAWkbocjHa5/6IzKVU0y9GD3A0H7XwJAwjqqQg3pKD3kXyl7Lz5nkwWWICN0z+
|
|
||||||
fU8HUwJv3SOhilD7XRZqWHUfSL69AR5CbYPraurMQWDNwHY0i4n3vDFp1WrSJx8q
|
|
||||||
mcSgAEwucKavr3+PDm0MbmYINAqgqn1USVDalGy8U6ICnCyzXvu4o8gMuiGGwwKR
|
|
||||||
Jlt2zCs5CBnF2LAaFgawwNh6NO/TOLvvNrW3zUm3s3DzLKqYtl4Jfs39Coii9LEE
|
|
||||||
PqF8YFhgbzm+JPPe9/k5zBSEZOWwkzu33cXm7nC1rypt4PQVZLB8BvRE5HXE9QOx
|
|
||||||
xpGi+BFVeMIMqjsW+nOAAdl4S+FNtzR/OABAhwRveLGMPMFRQ9/GqN5B1L9Wezut
|
|
||||||
V/6SUUzQUyf5Kn6Gjo+ktJB1i7ufPTLSjH9eYjS/7Fn5cMdjF5iezOAzp3FNWXln
|
|
||||||
cDZzHkVgrwqYqTKkekDFTwJD+q/QJQ==
|
|
||||||
=gz3x
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
openssh-7.8p1.tar.gz
Normal file
3
openssh-7.8p1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
|
||||||
|
size 1548026
|
14
openssh-7.8p1.tar.gz.asc
Normal file
14
openssh-7.8p1.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlt+Xa8ACgkQ0+X1a22S
|
||||||
|
DTAJPwx9HIW/obxNJYTU7M8trpalBekdl1SqUjxdDwInIsKTLSOpJCsnynBai/3c
|
||||||
|
SuvZkBwcKwZZFe+xCvRQDHkf/YYLT+d7slUQolb0OJmzFKbvu6xwuv7q12ag9hQj
|
||||||
|
/8BUfdYRKb63uemfKuVAHfcnUm9WlwSbif+Au/j1yg/MlETY47ezYA9/q75wignx
|
||||||
|
3g38JVHVgKDenDd8o9/hgjeQpEHKNdCQo71nN2h3MYRlh4xrR9ENZj7y8x65Kp1j
|
||||||
|
WoZEhlvjYkka4deSGwj2MIAJnzsc39uppEoEjkB7F9SUo4O7CxbWFein70Ct7Xbs
|
||||||
|
VDWXQibnJGHKatHIecaPLUYexGWO1XYNZErDhY7fPw0ChfMGbz3+0eDfDJqGY49r
|
||||||
|
Lo6wzsrgv2kDJMqwciT/D/Zb3ocHnCrq1Isnz/Ug2lW58LMk7Y1HisPteZFQ/pkC
|
||||||
|
xKeO+K1RkaRUSCrB5iToqF+7i8eRNVROYmkKLgKcMrC0WYEjnbEoFdr4bktAS9QM
|
||||||
|
BS6aIsh2cyg2H0FjDKmYvcKOUf0IgA==
|
||||||
|
=ZiYm
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||||
|
|
||||||
|
- Update to 7.8p1:
|
||||||
|
* no actual changes for the askpass
|
||||||
|
- Format with spec-cleaner
|
||||||
|
- Respect cflags
|
||||||
|
- Use gtk3 rather than gtk2 which is being phased out
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
|
Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
|
||||||
|
|
||||||
|
@ -12,23 +12,22 @@
|
|||||||
# license that conforms to the Open Source Definition (Version 1.9)
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
# published by the Open Source Initiative.
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
%define _name openssh
|
%define _name openssh
|
||||||
Name: openssh-askpass-gnome
|
Name: openssh-askpass-gnome
|
||||||
BuildRequires: gtk2-devel
|
Version: 7.8p1
|
||||||
Version: 7.7p1
|
|
||||||
Release: 0
|
Release: 0
|
||||||
Requires: %{_name} = %{version}
|
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
License: BSD-2-Clause
|
License: BSD-2-Clause
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Url: http://www.openssh.com/
|
URL: http://www.openssh.com/
|
||||||
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
||||||
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRequires: gtk3-devel
|
||||||
|
Requires: %{_name} = %{version}
|
||||||
|
|
||||||
%description
|
%description
|
||||||
SSH (Secure Shell) is a program for logging into a remote machine and
|
SSH (Secure Shell) is a program for logging into a remote machine and
|
||||||
@ -40,14 +39,14 @@ GNOME-based passphrase dialog for OpenSSH.
|
|||||||
|
|
||||||
%build
|
%build
|
||||||
cd contrib
|
cd contrib
|
||||||
make %{?_smp_mflags} gnome-ssh-askpass2
|
export CFLAGS="%{optflags}"
|
||||||
|
make %{?_smp_mflags} gnome-ssh-askpass3
|
||||||
|
|
||||||
%install
|
%install
|
||||||
install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
|
install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
|
||||||
install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
|
install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root)
|
|
||||||
%dir %{_libexecdir}/ssh
|
%dir %{_libexecdir}/ssh
|
||||||
%attr(0755,root,root) %{_libexecdir}/ssh/gnome-ssh-askpass
|
%attr(0755,root,root) %{_libexecdir}/ssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
@ -1,3 +1,80 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 17 08:42:12 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||||
|
|
||||||
|
- Remove the mention of the SLE12 in the README.SUSE
|
||||||
|
- Install firewall rules only when really needed (<SLE15)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 9 12:32:12 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||||
|
|
||||||
|
- Version update to 7.8p1:
|
||||||
|
* For most details see release notes file
|
||||||
|
* ssh-keygen(1): write OpenSSH format private keys by default
|
||||||
|
instead of using OpenSSL's PEM format
|
||||||
|
- Rebase patches to apply on 7.8p1 release:
|
||||||
|
* openssh-7.7p1-fips.patch
|
||||||
|
* openssh-7.7p1-cavstest-kdf.patch
|
||||||
|
* openssh-7.7p1-fips_checks.patch
|
||||||
|
* openssh-7.7p1-gssapi_key_exchange.patch
|
||||||
|
* openssh-7.7p1-audit.patch
|
||||||
|
* openssh-7.7p1-openssl_1.1.0.patch
|
||||||
|
* openssh-7.7p1-ldap.patch
|
||||||
|
* openssh-7.7p1-IPv6_X_forwarding.patch
|
||||||
|
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||||
|
* openssh-7.7p1-disable_short_DH_parameters.patch
|
||||||
|
* openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||||
|
* openssh-7.7p1-pam_check_locks.patch
|
||||||
|
* openssh-7.7p1-seed-prng.patch
|
||||||
|
* openssh-7.7p1-systemd-notify.patch
|
||||||
|
* openssh-7.7p1-X11_trusted_forwarding.patch
|
||||||
|
- Dropped patches:
|
||||||
|
* openssh-7.7p1-lastlog.patch
|
||||||
|
* openssh-7.7p1-blocksigalrm.patch
|
||||||
|
- Do not use env in script cavs_driver-ssh.pl
|
||||||
|
- Added pam_keyinit to pam configuration file [bsc#1081947]
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 9 11:01:40 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||||
|
|
||||||
|
- Format with spec-cleaner
|
||||||
|
- Reduce conditionals to support SLE12+ only
|
||||||
|
- Split out bundled patches to be normal patches applied over
|
||||||
|
the package (use -p1 for patches):
|
||||||
|
* openssh-7.7p1-allow_root_password_login.patch
|
||||||
|
* openssh-7.7p1-X11_trusted_forwarding.patch
|
||||||
|
* openssh-7.7p1-lastlog.patch
|
||||||
|
* openssh-7.7p1-enable_PAM_by_default.patch
|
||||||
|
* openssh-7.7p1-eal3.patch
|
||||||
|
* openssh-7.7p1-blocksigalrm.patch
|
||||||
|
* openssh-7.7p1-send_locale.patch
|
||||||
|
* openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||||
|
* openssh-7.7p1-remove_xauth_cookies_on_exit.patch
|
||||||
|
* openssh-7.7p1-pts_names_formatting.patch
|
||||||
|
* openssh-7.7p1-pam_check_locks.patch
|
||||||
|
* openssh-7.7p1-disable_short_DH_parameters.patch
|
||||||
|
* openssh-7.7p1-seccomp_getuid.patch
|
||||||
|
* openssh-7.7p1-seccomp_geteuid.patch
|
||||||
|
* openssh-7.7p1-seccomp_stat.patch
|
||||||
|
* openssh-7.7p1-seccomp_ipc_flock.patch
|
||||||
|
* openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
|
||||||
|
* openssh-7.7p1-fips.patch
|
||||||
|
* openssh-7.7p1-cavstest-ctr.patch
|
||||||
|
* openssh-7.7p1-cavstest-kdf.patch
|
||||||
|
* openssh-7.7p1-fips_checks.patch
|
||||||
|
* openssh-7.7p1-seed-prng.patch
|
||||||
|
* openssh-7.7p1-systemd-notify.patch
|
||||||
|
* openssh-7.7p1-gssapi_key_exchange.patch
|
||||||
|
* openssh-7.7p1-audit.patch
|
||||||
|
* openssh-7.7p1-openssl_1.1.0.patch
|
||||||
|
* openssh-7.7p1-disable_openssl_abi_check.patch
|
||||||
|
* openssh-7.7p1-no_fork-no_pid_file.patch
|
||||||
|
* openssh-7.7p1-host_ident.patch
|
||||||
|
* openssh-7.7p1-sftp_force_permissions.patch
|
||||||
|
* openssh-7.7p1-X_forward_with_disabled_ipv6.patch
|
||||||
|
* openssh-7.7p1-ldap.patch
|
||||||
|
* openssh-7.7p1-IPv6_X_forwarding.patch
|
||||||
|
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Sep 18 09:22:23 UTC 2018 - schwab@suse.de
|
Tue Sep 18 09:22:23 UTC 2018 - schwab@suse.de
|
||||||
|
|
||||||
@ -1628,6 +1705,7 @@ Mon Mar 31 01:22:21 UTC 2014 - pcerny@suse.com
|
|||||||
|
|
||||||
- FIPS checks during ssh client and daemon startup
|
- FIPS checks during ssh client and daemon startup
|
||||||
(-fips-checks.patch)
|
(-fips-checks.patch)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Mar 25 10:07:18 UTC 2014 - idonmez@suse.com
|
Tue Mar 25 10:07:18 UTC 2014 - idonmez@suse.com
|
||||||
|
|
||||||
|
259
openssh.spec
259
openssh.spec
@ -12,97 +12,39 @@
|
|||||||
# license that conforms to the Open Source Definition (Version 1.9)
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
# published by the Open Source Initiative.
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
|
||||||
%if ! %{defined _fillupdir}
|
|
||||||
%define _fillupdir /var/adm/fillup-templates
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if 0%{suse_version} >= 1100
|
|
||||||
%define has_fw_dir 1
|
|
||||||
%else
|
|
||||||
%define has_fw_dir 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if 0%{suse_version} >= 1110
|
|
||||||
%define has_libselinux 1
|
|
||||||
%else
|
|
||||||
%define has_libselinux 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if 0%{?suse_version} >= 1130
|
|
||||||
%define needs_all_dirs 1
|
|
||||||
%else
|
|
||||||
%define needs_all_dirs 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if 0%{?suse_version} >= 1140
|
|
||||||
%define needs_libedit 1
|
|
||||||
%else
|
|
||||||
%define needs_libedit 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1220
|
|
||||||
%define uses_systemd 1
|
|
||||||
%else
|
|
||||||
%define uses_systemd 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%define sandbox_seccomp 0
|
%define sandbox_seccomp 0
|
||||||
%ifnarch ppc
|
%ifnarch ppc
|
||||||
%if 0%{?suse_version} > 1220
|
|
||||||
%define sandbox_seccomp 1
|
%define sandbox_seccomp 1
|
||||||
%endif
|
%endif
|
||||||
%endif
|
|
||||||
|
|
||||||
%if 0%{?suse_version} >= 1500
|
%if 0%{?suse_version} >= 1500
|
||||||
%define use_tirpc 1
|
%bcond_with susefirewall
|
||||||
|
%bcond_without tirpc
|
||||||
|
%else
|
||||||
|
%bcond_without susefirewall
|
||||||
|
%bcond_with tirpc
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
|
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
|
||||||
%define _fwdefdir %{_fwdir}/services
|
%define _fwdefdir %{_fwdir}/services
|
||||||
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
||||||
%{!?_initddir:%global _initddir %{_initrddir}}
|
%define CHECKSUM_SUFFIX .hmac
|
||||||
|
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||||
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||||
|
%if ! %{defined _fillupdir}
|
||||||
|
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||||
|
%endif
|
||||||
Name: openssh
|
Name: openssh
|
||||||
BuildRequires: audit-devel
|
Version: 7.8p1
|
||||||
BuildRequires: autoconf
|
|
||||||
BuildRequires: groff
|
|
||||||
BuildRequires: zlib-devel
|
|
||||||
BuildRequires: pkgconfig(krb5)
|
|
||||||
%if %{needs_libedit}
|
|
||||||
BuildRequires: libedit-devel
|
|
||||||
%endif
|
|
||||||
%if %{has_libselinux}
|
|
||||||
BuildRequires: libselinux-devel
|
|
||||||
%endif
|
|
||||||
BuildRequires: openldap2-devel
|
|
||||||
BuildRequires: openssl-devel
|
|
||||||
BuildRequires: pam-devel
|
|
||||||
%if 0%{?use_tirpc}
|
|
||||||
BuildRequires: libtirpc-devel
|
|
||||||
%endif
|
|
||||||
%if %{uses_systemd}
|
|
||||||
BuildRequires: pkgconfig(libsystemd)
|
|
||||||
BuildRequires: pkgconfig(systemd)
|
|
||||||
%{?systemd_requires}
|
|
||||||
%endif
|
|
||||||
PreReq: pwdutils %{fillup_prereq} coreutils
|
|
||||||
%if ! %{uses_systemd}
|
|
||||||
PreReq: %{insserv_prereq}
|
|
||||||
%endif
|
|
||||||
Version: 7.7p1
|
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
License: BSD-2-Clause AND MIT
|
License: BSD-2-Clause AND MIT
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Url: http://www.openssh.com/
|
URL: http://www.openssh.com/
|
||||||
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
Source1: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||||
Source1: sshd.init
|
|
||||||
Source2: sshd.pamd
|
Source2: sshd.pamd
|
||||||
Source3: README.SUSE
|
Source3: README.SUSE
|
||||||
Source4: README.kerberos
|
Source4: README.kerberos
|
||||||
@ -114,15 +56,61 @@ Source9: sshd-gen-keys-start
|
|||||||
Source10: sshd.service
|
Source10: sshd.service
|
||||||
Source11: README.FIPS
|
Source11: README.FIPS
|
||||||
Source12: cavs_driver-ssh.pl
|
Source12: cavs_driver-ssh.pl
|
||||||
Source100: openssh-%{version}-SUSE_patches.tar.gz
|
Patch0: openssh-7.7p1-allow_root_password_login.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||||
Conflicts: nonfreessh
|
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||||
|
Patch4: openssh-7.7p1-eal3.patch
|
||||||
|
Patch5: openssh-7.7p1-blocksigalrm.patch
|
||||||
|
Patch6: openssh-7.7p1-send_locale.patch
|
||||||
|
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||||
|
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
|
||||||
|
Patch9: openssh-7.7p1-pts_names_formatting.patch
|
||||||
|
Patch10: openssh-7.7p1-pam_check_locks.patch
|
||||||
|
Patch11: openssh-7.7p1-disable_short_DH_parameters.patch
|
||||||
|
Patch14: openssh-7.7p1-seccomp_stat.patch
|
||||||
|
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
|
||||||
|
Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
|
||||||
|
Patch17: openssh-7.7p1-fips.patch
|
||||||
|
Patch18: openssh-7.7p1-cavstest-ctr.patch
|
||||||
|
Patch19: openssh-7.7p1-cavstest-kdf.patch
|
||||||
|
Patch20: openssh-7.7p1-fips_checks.patch
|
||||||
|
Patch21: openssh-7.7p1-seed-prng.patch
|
||||||
|
Patch22: openssh-7.7p1-systemd-notify.patch
|
||||||
|
Patch23: openssh-7.7p1-gssapi_key_exchange.patch
|
||||||
|
Patch24: openssh-7.7p1-audit.patch
|
||||||
|
Patch25: openssh-7.7p1-openssl_1.1.0.patch
|
||||||
|
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
|
||||||
|
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
|
||||||
|
Patch28: openssh-7.7p1-host_ident.patch
|
||||||
|
Patch29: openssh-7.7p1-sftp_force_permissions.patch
|
||||||
|
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
|
||||||
|
Patch31: openssh-7.7p1-ldap.patch
|
||||||
|
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
|
||||||
|
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||||
|
BuildRequires: audit-devel
|
||||||
|
BuildRequires: autoconf
|
||||||
|
BuildRequires: groff
|
||||||
|
BuildRequires: libedit-devel
|
||||||
|
BuildRequires: libselinux-devel
|
||||||
|
BuildRequires: openldap2-devel
|
||||||
|
BuildRequires: openssl-devel
|
||||||
|
BuildRequires: pam-devel
|
||||||
|
BuildRequires: pkgconfig
|
||||||
|
BuildRequires: zlib-devel
|
||||||
|
BuildRequires: pkgconfig(krb5)
|
||||||
|
BuildRequires: pkgconfig(libsystemd)
|
||||||
|
Requires(post): %fillup_prereq
|
||||||
|
Requires(pre): pwdutils
|
||||||
|
Recommends: %{name}-helpers = %{version}-%{release}
|
||||||
Recommends: audit
|
Recommends: audit
|
||||||
Recommends: xauth
|
Recommends: xauth
|
||||||
Recommends: %{name}-helpers = %{version}-%{release}
|
Conflicts: %{name}-fips < %{version}-%{release}
|
||||||
Conflicts: %{name}-fips < %{version}-%{release} , %{name}-fips > %{version}-%{release}
|
Conflicts: %{name}-fips > %{version}-%{release}
|
||||||
%define CHECKSUM_SUFFIX .hmac
|
Conflicts: nonfreessh
|
||||||
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
%{?systemd_requires}
|
||||||
|
%if %{with tirpc}
|
||||||
|
BuildRequires: libtirpc-devel
|
||||||
|
%endif
|
||||||
|
|
||||||
%description
|
%description
|
||||||
SSH (Secure Shell) is a program for logging into and executing commands
|
SSH (Secure Shell) is a program for logging into and executing commands
|
||||||
@ -133,7 +121,6 @@ hosts over an insecure network.
|
|||||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||||
also be forwarded over the secure channel.
|
also be forwarded over the secure channel.
|
||||||
|
|
||||||
|
|
||||||
%package helpers
|
%package helpers
|
||||||
Summary: OpenSSH AuthorizedKeysCommand helpers
|
Summary: OpenSSH AuthorizedKeysCommand helpers
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
@ -142,19 +129,18 @@ Requires: %{name} = %{version}-%{release}
|
|||||||
%description helpers
|
%description helpers
|
||||||
Helper applications for OpenSSH which retrieve keys from various sources.
|
Helper applications for OpenSSH which retrieve keys from various sources.
|
||||||
|
|
||||||
|
|
||||||
%package fips
|
%package fips
|
||||||
Summary: OpenSSH FIPS cryptomodule HMACs
|
Summary: OpenSSH FIPS cryptomodule HMACs
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
Conflicts: %{name} < %{version}-%{release} , %{name} > %{version}-%{release}
|
Conflicts: %{name} < %{version}-%{release}
|
||||||
|
Conflicts: %{name} > %{version}-%{release}
|
||||||
Obsoletes: %{name}-hmac
|
Obsoletes: %{name}-hmac
|
||||||
|
|
||||||
%description fips
|
%description fips
|
||||||
Hashes that together with the main package form the FIPS certifiable
|
Hashes that together with the main package form the FIPS certifiable
|
||||||
cryptomodule.
|
cryptomodule.
|
||||||
|
|
||||||
|
|
||||||
%package cavs
|
%package cavs
|
||||||
Summary: OpenSSH FIPS cryptomodule CAVS tests
|
Summary: OpenSSH FIPS cryptomodule CAVS tests
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
@ -163,32 +149,21 @@ Requires: %{name} = %{version}-%{release}
|
|||||||
%description cavs
|
%description cavs
|
||||||
FIPS140 CAVS tests related parts of the OpenSSH package
|
FIPS140 CAVS tests related parts of the OpenSSH package
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -b 100
|
%setup -q
|
||||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||||
# patch sources
|
|
||||||
PATCH_DIR="../SUSE_patches"
|
%autopatch -p1
|
||||||
cat $PATCH_DIR/patch.series | while read p; do
|
|
||||||
%if %{suse_version} < 1330
|
|
||||||
if echo "$p" | grep openssl_1.1.0.patch ; then
|
|
||||||
printf ">> skipping '$p'"
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
%endif
|
|
||||||
printf ">> applying '$p'\n"
|
|
||||||
patch -p2 < "${PATCH_DIR}/$p"
|
|
||||||
done
|
|
||||||
|
|
||||||
#set libexec dir in the LDAP patch
|
#set libexec dir in the LDAP patch
|
||||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||||
$( grep -Rl @LIBEXECDIR@ \
|
$( grep -Rl @LIBEXECDIR@ \
|
||||||
$( grep "^+++" $PATCH_DIR/openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
$( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||||
)
|
)
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -fiv
|
autoreconf -fiv
|
||||||
%ifarch s390 s390x %sparc
|
%ifarch s390 s390x %{sparc}
|
||||||
PIEFLAGS="-fPIE"
|
PIEFLAGS="-fPIE"
|
||||||
%else
|
%else
|
||||||
PIEFLAGS="-fpie"
|
PIEFLAGS="-fpie"
|
||||||
@ -199,23 +174,16 @@ LDFLAGS="-pie -Wl,--as-needed"
|
|||||||
#CPPFLAGS="% {optflags} -DUSE_INTERNAL_B64"
|
#CPPFLAGS="% {optflags} -DUSE_INTERNAL_B64"
|
||||||
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||||
%configure \
|
%configure \
|
||||||
--prefix=%{_prefix} \
|
|
||||||
--mandir=%{_mandir} \
|
|
||||||
--infodir=%{_infodir} \
|
|
||||||
--sysconfdir=%{_sysconfdir}/ssh \
|
--sysconfdir=%{_sysconfdir}/ssh \
|
||||||
--libexecdir=%{_libexecdir}/ssh \
|
--libexecdir=%{_libexecdir}/ssh \
|
||||||
--with-tcp-wrappers \
|
--with-tcp-wrappers \
|
||||||
%if %{has_libselinux}
|
|
||||||
--with-selinux \
|
--with-selinux \
|
||||||
%endif
|
|
||||||
%if %{uses_systemd}
|
|
||||||
--with-pid-dir=/run \
|
--with-pid-dir=/run \
|
||||||
--with-systemd \
|
--with-systemd \
|
||||||
%endif
|
|
||||||
--with-ssl-engine \
|
--with-ssl-engine \
|
||||||
--with-pam \
|
--with-pam \
|
||||||
--with-kerberos5=%{_prefix} \
|
--with-kerberos5=%{_prefix} \
|
||||||
--with-privsep-path=/var/lib/empty \
|
--with-privsep-path=%{_localstatedir}/lib/empty \
|
||||||
%if %{sandbox_seccomp}
|
%if %{sandbox_seccomp}
|
||||||
--with-sandbox=seccomp_filter \
|
--with-sandbox=seccomp_filter \
|
||||||
%else
|
%else
|
||||||
@ -228,46 +196,32 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
--with-audit=linux \
|
--with-audit=linux \
|
||||||
--with-ldap \
|
--with-ldap \
|
||||||
--with-xauth=%{_bindir}/xauth \
|
--with-xauth=%{_bindir}/xauth \
|
||||||
%if %{needs_libedit}
|
|
||||||
--with-libedit \
|
--with-libedit \
|
||||||
%endif
|
|
||||||
--with-ssh1 \
|
--with-ssh1 \
|
||||||
--target=%{_target_cpu}-suse-linux \
|
--target=%{_target_cpu}-suse-linux \
|
||||||
|
|
||||||
### configure end
|
### configure end
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
|
|
||||||
#make %{?_smp_mflags} -C converter
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
make install DESTDIR=%{buildroot}
|
%make_install
|
||||||
#make install DESTDIR=%{buildroot} -C converter
|
|
||||||
|
|
||||||
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
|
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
|
||||||
install -d -m 755 %{buildroot}/var/lib/sshd
|
install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
|
||||||
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
|
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
|
||||||
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
|
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||||
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
|
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||||
install -d -m 755 %{buildroot}%{_initddir}
|
|
||||||
%if %{uses_systemd}
|
|
||||||
install -m 0755 %{SOURCE1} .
|
|
||||||
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
||||||
ln -s /sbin/service %{buildroot}%{_sbindir}/rcsshd
|
ln -s service %{buildroot}%{_sbindir}/rcsshd
|
||||||
%else
|
|
||||||
install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
|
|
||||||
install -m 0644 %{SOURCE10} .
|
|
||||||
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
|
|
||||||
%endif
|
|
||||||
install -d -m 755 %{buildroot}%{_fillupdir}
|
install -d -m 755 %{buildroot}%{_fillupdir}
|
||||||
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
||||||
# install shell script to automate the process of adding your public key to a remote machine
|
# install shell script to automate the process of adding your public key to a remote machine
|
||||||
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||||
sed -i -e s@/usr/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
||||||
|
|
||||||
%if %{has_fw_dir}
|
%if %{with susefirewall}
|
||||||
#install firewall definitions format is described here:
|
#install firewall definitions
|
||||||
#%{_datadir}/SuSEfirewall2/services/TEMPLATE
|
|
||||||
mkdir -p %{buildroot}%{_fwdefdir}
|
mkdir -p %{buildroot}%{_fwdefdir}
|
||||||
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
|
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
|
||||||
%endif
|
%endif
|
||||||
@ -299,52 +253,36 @@ done
|
|||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
|
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
|
||||||
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
|
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstatedir}/lib/sshd -s /bin/false -c "SSH daemon" sshd
|
||||||
%if %{uses_systemd}
|
|
||||||
%service_add_pre sshd.service
|
%service_add_pre sshd.service
|
||||||
%endif
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%if %{uses_systemd}
|
|
||||||
%{fillup_only -n ssh sshd}
|
%{fillup_only -n ssh sshd}
|
||||||
%service_add_post sshd.service
|
%service_add_post sshd.service
|
||||||
%else
|
%set_permissions %{_sysconfdir}/ssh/sshd_config
|
||||||
%{fillup_and_insserv -n ssh sshd}
|
|
||||||
%endif
|
|
||||||
%set_permissions /etc/ssh/sshd_config
|
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%if %{uses_systemd}
|
|
||||||
%service_del_preun sshd.service
|
%service_del_preun sshd.service
|
||||||
%else
|
|
||||||
%stop_on_removal sshd
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
# The openssh-fips trigger script for openssh will normally restart sshd once
|
# The openssh-fips trigger script for openssh will normally restart sshd once
|
||||||
# it gets installed, so only restart the service here is openssh-fips is not
|
# it gets installed, so only restart the service here is openssh-fips is not
|
||||||
# present
|
# present
|
||||||
rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||||
%if %{uses_systemd}
|
|
||||||
%service_del_postun sshd.service
|
%service_del_postun sshd.service
|
||||||
%else
|
|
||||||
%restart_on_update sshd
|
|
||||||
%{insserv_cleanup}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
||||||
%restart_on_update sshd
|
%restart_on_update sshd
|
||||||
|
|
||||||
%verifyscript
|
%verifyscript
|
||||||
%verify_permissions -e /etc/ssh/sshd_config
|
%verify_permissions -e %{_sysconfdir}/ssh/sshd_config
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root)
|
|
||||||
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
||||||
%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
||||||
%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
||||||
%exclude %{_libexecdir}/ssh/cavs*
|
%exclude %{_libexecdir}/ssh/cavs*
|
||||||
%dir %attr(755,root,root) /var/lib/sshd
|
%dir %attr(755,root,root) %{_localstatedir}/lib/sshd
|
||||||
%license LICENCE
|
%license LICENCE
|
||||||
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
@ -352,34 +290,23 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||||
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
||||||
%if %{uses_systemd}
|
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||||
%doc sshd.init
|
|
||||||
%attr(0644,root,root) %config %{_unitdir}/sshd.service
|
|
||||||
%else
|
|
||||||
%attr(0755,root,root) %config %{_initddir}/sshd
|
|
||||||
%doc sshd.service
|
|
||||||
%endif
|
|
||||||
%attr(0755,root,root) %{_bindir}/*
|
%attr(0755,root,root) %{_bindir}/*
|
||||||
%attr(0755,root,root) %{_sbindir}/*
|
%attr(0755,root,root) %{_sbindir}/*
|
||||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||||
%exclude %{_libexecdir}/ssh/ssh-ldap*
|
%exclude %{_libexecdir}/ssh/ssh-ldap*
|
||||||
%attr(0755,root,root) %{_libexecdir}/ssh/*
|
%attr(0755,root,root) %{_libexecdir}/ssh/*
|
||||||
%attr(0444,root,root) %doc %{_mandir}/man1/*
|
%attr(0444,root,root) %{_mandir}/man1/*
|
||||||
%attr(0444,root,root) %doc %{_mandir}/man5/*
|
%attr(0444,root,root) %{_mandir}/man5/*
|
||||||
%attr(0444,root,root) %doc %{_mandir}/man8/*
|
%attr(0444,root,root) %{_mandir}/man8/*
|
||||||
%dir %{_sysconfdir}/slp.reg.d
|
%dir %{_sysconfdir}/slp.reg.d
|
||||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||||
%{_fillupdir}/sysconfig.ssh
|
%{_fillupdir}/sysconfig.ssh
|
||||||
%if %{has_fw_dir}
|
%if %{with susefirewall}
|
||||||
%if %{needs_all_dirs}
|
|
||||||
%dir %{_fwdir}
|
|
||||||
%dir %{_fwdefdir}
|
|
||||||
%endif
|
|
||||||
%config %{_fwdefdir}/sshd
|
%config %{_fwdefdir}/sshd
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files helpers
|
%files helpers
|
||||||
%defattr(-,root,root)
|
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||||
@ -387,13 +314,11 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||||
|
|
||||||
%files fips
|
%files fips
|
||||||
%defattr(-,root,root)
|
|
||||||
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
||||||
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
||||||
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
||||||
|
|
||||||
%files cavs
|
%files cavs
|
||||||
%defattr(-,root,root)
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
150
sshd.init
150
sshd.init
@ -1,150 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
# Copyright (c) 1995-2013 SUSE
|
|
||||||
#
|
|
||||||
# Author: Jiri Smid <feedback@suse.de>
|
|
||||||
#
|
|
||||||
# /etc/init.d/sshd
|
|
||||||
#
|
|
||||||
# and symbolic its link
|
|
||||||
#
|
|
||||||
# /usr/sbin/rcsshd
|
|
||||||
#
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: sshd
|
|
||||||
# Required-Start: $network $remote_fs
|
|
||||||
# Required-Stop: $network $remote_fs
|
|
||||||
# Should-Start: haveged auditd
|
|
||||||
# Default-Start: 3 5
|
|
||||||
# Default-Stop: 0 1 2 6
|
|
||||||
# Description: Start the sshd daemon
|
|
||||||
### END INIT INFO
|
|
||||||
|
|
||||||
SSHD_BIN=/usr/sbin/sshd
|
|
||||||
test -x $SSHD_BIN || exit 5
|
|
||||||
|
|
||||||
SSHD_SYSCONFIG=/etc/sysconfig/ssh
|
|
||||||
test -r $SSHD_SYSCONFIG || exit 6
|
|
||||||
. $SSHD_SYSCONFIG
|
|
||||||
|
|
||||||
SSHD_PIDFILE=/var/run/sshd.init.pid
|
|
||||||
|
|
||||||
. /etc/rc.status
|
|
||||||
|
|
||||||
# Shell functions sourced from /etc/rc.status:
|
|
||||||
# rc_check check and set local and overall rc status
|
|
||||||
# rc_status check and set local and overall rc status
|
|
||||||
# rc_status -v ditto but be verbose in local rc status
|
|
||||||
# rc_status -v -r ditto and clear the local rc status
|
|
||||||
# rc_failed set local and overall rc status to failed
|
|
||||||
# rc_reset clear local rc status (overall remains)
|
|
||||||
# rc_exit exit appropriate to overall rc status
|
|
||||||
|
|
||||||
function soft_stop () {
|
|
||||||
echo -n "Shutting down the listening SSH daemon"
|
|
||||||
killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
|
|
||||||
}
|
|
||||||
|
|
||||||
function force_stop () {
|
|
||||||
echo -n "Shutting down SSH daemon *with all active connections*"
|
|
||||||
trap '' TERM
|
|
||||||
killall sshd 2>/dev/null
|
|
||||||
trap - TERM
|
|
||||||
}
|
|
||||||
|
|
||||||
# First reset status of this service
|
|
||||||
rc_reset
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
start)
|
|
||||||
/usr/sbin/sshd-gen-keys-start
|
|
||||||
echo -n "Starting SSH daemon"
|
|
||||||
## Start daemon with startproc(8). If this fails
|
|
||||||
## the echo return value is set appropriate.
|
|
||||||
startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
|
|
||||||
|
|
||||||
# Remember status and be verbose
|
|
||||||
rc_status -v
|
|
||||||
;;
|
|
||||||
stop)
|
|
||||||
# If we're shutting down, kill active sshd connections so they're not
|
|
||||||
# left hanging.
|
|
||||||
runlevel=$(set -- $(runlevel); eval "echo \$$#")
|
|
||||||
if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
|
|
||||||
force_stop
|
|
||||||
else
|
|
||||||
soft_stop
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Remember status and be verbose
|
|
||||||
rc_status -v
|
|
||||||
;;
|
|
||||||
soft-stop)
|
|
||||||
## Stop the listener daemon process with killproc(8) and if this
|
|
||||||
## fails set echo the echo return value.
|
|
||||||
soft_stop
|
|
||||||
|
|
||||||
# Remember status and be verbose
|
|
||||||
rc_status -v
|
|
||||||
;;
|
|
||||||
force-stop)
|
|
||||||
## stop all running ssh
|
|
||||||
force_stop
|
|
||||||
|
|
||||||
# Remember status and be verbose
|
|
||||||
rc_status -v
|
|
||||||
;;
|
|
||||||
try-restart)
|
|
||||||
## Stop the service and if this succeeds (i.e. the
|
|
||||||
## service was running before), start it again.
|
|
||||||
$0 status >/dev/null && $0 restart
|
|
||||||
|
|
||||||
# Remember status and be quiet
|
|
||||||
rc_status
|
|
||||||
;;
|
|
||||||
restart)
|
|
||||||
## Stop the service without closing live connections
|
|
||||||
## and start it again regardless of whether it was
|
|
||||||
## running or not
|
|
||||||
$0 soft-stop
|
|
||||||
$0 start
|
|
||||||
|
|
||||||
# Remember status and be quiet
|
|
||||||
rc_status
|
|
||||||
;;
|
|
||||||
force-reload|reload)
|
|
||||||
## Signal the daemon to reload its config. Most daemons
|
|
||||||
## do this on signal 1 (SIGHUP).
|
|
||||||
echo -n "Reload service sshd"
|
|
||||||
|
|
||||||
killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
|
|
||||||
|
|
||||||
rc_status -v
|
|
||||||
|
|
||||||
;;
|
|
||||||
status)
|
|
||||||
echo -n "Checking for service sshd "
|
|
||||||
## Check status with checkproc(8), if process is running
|
|
||||||
## checkproc will return with exit status 0.
|
|
||||||
|
|
||||||
# Status has a slightly different for the status command:
|
|
||||||
# 0 - service running
|
|
||||||
# 1 - service dead, but /var/run/ pid file exists
|
|
||||||
# 2 - service dead, but /var/lock/ lock file exists
|
|
||||||
# 3 - service not running
|
|
||||||
|
|
||||||
checkproc -p $SSHD_PIDFILE $SSHD_BIN
|
|
||||||
|
|
||||||
rc_status -v
|
|
||||||
;;
|
|
||||||
probe)
|
|
||||||
## Optional: Probe for the necessity of a reload,
|
|
||||||
## give out the argument which is required for a reload.
|
|
||||||
|
|
||||||
test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Usage: $0 {start|stop|soft-stop|force-stop|status|try-restart|restart|force-reload|reload|probe}"
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
rc_exit
|
|
@ -7,3 +7,4 @@ password include common-password
|
|||||||
session required pam_loginuid.so
|
session required pam_loginuid.so
|
||||||
session include common-session
|
session include common-session
|
||||||
session optional pam_lastlog.so silent noupdate showfailed
|
session optional pam_lastlog.so silent noupdate showfailed
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
Loading…
Reference in New Issue
Block a user