Dominique Leuenberger 2018-11-28 10:11:24 +00:00 committed by Git OBS Bridge
commit 7ca123a3a4
22 changed files with 922 additions and 4184 deletions


@ -5,16 +5,6 @@ There are following changes in default settings of ssh client and server:
* PAM authentication is enabled and mostly even required, do not turn it off. * PAM authentication is enabled and mostly even required, do not turn it off.
* root authentiation with password is enabled by default (PermitRootLogin yes).
NOTE: this has security implications and is only done in order to not change
behaviour of the server in an update. We strongly suggest setting this option
either "prohibit-password" or even better to "no" (which disables direct
remote root login entirely).
* SSH protocol version 1 is enabled for maximum compatibility.
NOTE: do not use protocol version 1. It is less secure then v2 and should
generally be phased out.
* DSA authentication is enabled by default for maximum compatibility. * DSA authentication is enabled by default for maximum compatibility.
NOTE: do not use DSA authentication since it is being phased out for a reason NOTE: do not use DSA authentication since it is being phased out for a reason
- the size of DSA keys is limited by the standard to 1024 bits which cannot - the size of DSA keys is limited by the standard to 1024 bits which cannot


@ -1,95 +0,0 @@
# HG changeset patch
# Parent 3bf0158be93bd08d60a30a320650ea7f9844ef50
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
--- openssh-7.7p1/servconf.c
+++ openssh-7.7p1/servconf.c
@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
options->address_family = AF_UNSPEC;
if (options->listen_addrs == NULL)
add_listen_addr(options, NULL, NULL, 0);
if (options->pid_file == NULL)
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
options->ignore_user_known_hosts = 0;
if (options->print_motd == -1)
options->print_motd = 1;
if (options->print_lastlog == -1)
options->print_lastlog = 1;
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
--- openssh-7.7p1/sshd_config
+++ openssh-7.7p1/sshd_config
@@ -24,17 +24,17 @@
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
--- openssh-7.7p1/sshd_config.0
+++ openssh-7.7p1/sshd_config.0
@@ -709,17 +709,17 @@ DESCRIPTION
none can be used to prohibit all forwarding requests. The
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
ports, respectively. By default all port forwarding requests are
permitted.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
authentication are disabled for root.
If this option is set to forced-commands-only, root login with
public key authentication will be allowed, but only if the
command option has been specified (which may be useful for taking
diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
--- openssh-7.7p1/sshd_config.5
+++ openssh-7.7p1/sshd_config.5
@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
.Xr ssh 1 .
The argument must be
.Cm yes ,
.Cm prohibit-password ,
.Cm forced-commands-only ,
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password
(or its deprecated alias,
.Cm without-password ) ,
password and keyboard-interactive authentication are disabled for root.
.Pp
If this option is set to


@ -3,11 +3,11 @@
Extended auditing through the Linux Auditing subsystem Extended auditing through the Linux Auditing subsystem
RH patch from git://pkgs.fedoraproject.org/openssh.git RH patch from git://pkgs.fedoraproject.org/openssh.git
Index: openssh-7.8p1/Makefile.in Index: openssh-7.9p1/Makefile.in
=================================================================== ===================================================================
--- openssh-7.8p1.orig/Makefile.in --- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in +++ openssh-7.9p1/Makefile.in
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o @@ -111,6 +111,8 @@ LIBSSH_OBJS += fips.o
LIBSSH_OBJS += kexgssc.o kexgsss.o LIBSSH_OBJS += kexgssc.o kexgsss.o
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o sshconnect.o sshconnect2.o mux.o
Index: openssh-7.8p1/audit-bsm.c Index: openssh-7.9p1/audit-bsm.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/audit-bsm.c --- openssh-7.9p1.orig/audit-bsm.c
+++ openssh-7.8p1/audit-bsm.c +++ openssh-7.9p1/audit-bsm.c
@@ -372,10 +372,23 @@ audit_connection_from(const char *host, @@ -372,10 +372,23 @@ audit_connection_from(const char *host,
#endif #endif
} }
@ -93,11 +93,11 @@ Index: openssh-7.8p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
Index: openssh-7.8p1/audit-linux.c Index: openssh-7.9p1/audit-linux.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/audit-linux.c --- openssh-7.9p1.orig/audit-linux.c
+++ openssh-7.8p1/audit-linux.c +++ openssh-7.9p1/audit-linux.c
@@ -33,27 +33,40 @@ @@ -33,27 +33,41 @@
#include "log.h" #include "log.h"
#include "audit.h" #include "audit.h"
@ -106,6 +106,7 @@ Index: openssh-7.8p1/audit-linux.c
+#include "auth.h" +#include "auth.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ +#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h" +#include "servconf.h"
+#include "ssherr.h"
#include "canohost.h" #include "canohost.h"
#include "packet.h" #include "packet.h"
- -
@ -146,7 +147,7 @@ Index: openssh-7.8p1/audit-linux.c
saved_errno = errno; saved_errno = errno;
close(audit_fd); close(audit_fd);
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const @@ -65,9 +79,96 @@ linux_audit_record_event(int uid, const
rc = 0; rc = 0;
errno = saved_errno; errno = saved_errno;
@ -244,7 +245,7 @@ Index: openssh-7.8p1/audit-linux.c
/* Below is the sshd audit API code */ /* Below is the sshd audit API code */
void void
@@ -76,24 +176,55 @@ audit_connection_from(const char *host, @@ -76,24 +177,55 @@ audit_connection_from(const char *host,
/* not implemented */ /* not implemented */
} }
@ -306,7 +307,7 @@ Index: openssh-7.8p1/audit-linux.c
} }
void void
@@ -102,25 +233,155 @@ audit_event(ssh_audit_event_t event) @@ -102,25 +234,155 @@ audit_event(ssh_audit_event_t event)
struct ssh *ssh = active_state; /* XXX */ struct ssh *ssh = active_state; /* XXX */
switch(event) { switch(event) {
@ -468,10 +469,10 @@ Index: openssh-7.8p1/audit-linux.c
+ error("cannot write into audit"); + error("cannot write into audit");
+} +}
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
Index: openssh-7.8p1/audit.c Index: openssh-7.9p1/audit.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/audit.c --- openssh-7.9p1.orig/audit.c
+++ openssh-7.8p1/audit.c +++ openssh-7.9p1/audit.c
@@ -34,13 +34,19 @@ @@ -34,13 +34,19 @@
#include "log.h" #include "log.h"
#include "hostfile.h" #include "hostfile.h"
@ -648,10 +649,10 @@ Index: openssh-7.8p1/audit.c
} }
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/audit.h Index: openssh-7.9p1/audit.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/audit.h --- openssh-7.9p1.orig/audit.h
+++ openssh-7.8p1/audit.h +++ openssh-7.9p1/audit.h
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
# define _SSH_AUDIT_H # define _SSH_AUDIT_H
@ -694,10 +695,10 @@ Index: openssh-7.8p1/audit.h
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t); +void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
Index: openssh-7.8p1/auditstub.c Index: openssh-7.9p1/auditstub.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/auditstub.c +++ openssh-7.9p1/auditstub.c
@@ -0,0 +1,50 @@ @@ -0,0 +1,50 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+ +
@ -749,11 +750,11 @@ Index: openssh-7.8p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{ +{
+} +}
Index: openssh-7.8p1/auth.c Index: openssh-7.9p1/auth.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/auth.c --- openssh-7.9p1.orig/auth.c
+++ openssh-7.8p1/auth.c +++ openssh-7.9p1/auth.c
@@ -362,7 +362,7 @@ auth_log(Authctxt *authctxt, int authent @@ -366,7 +366,7 @@ auth_log(Authctxt *authctxt, int authent
# endif # endif
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@ -762,7 +763,7 @@ Index: openssh-7.8p1/auth.c
audit_event(audit_classify_auth(method)); audit_event(audit_classify_auth(method));
#endif #endif
} }
@@ -601,9 +601,6 @@ getpwnamallow(const char *user) @@ -605,9 +605,6 @@ getpwnamallow(const char *user)
record_failed_login(user, record_failed_login(user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif #endif
@ -772,10 +773,10 @@ Index: openssh-7.8p1/auth.c
return (NULL); return (NULL);
} }
if (!allowed_user(pw)) if (!allowed_user(pw))
Index: openssh-7.8p1/auth.h Index: openssh-7.9p1/auth.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/auth.h --- openssh-7.9p1.orig/auth.h
+++ openssh-7.8p1/auth.h +++ openssh-7.9p1/auth.h
@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(const char @@ -193,6 +193,8 @@ struct passwd * getpwnamallow(const char
char *expand_authorized_keys(const char *, struct passwd *pw); char *expand_authorized_keys(const char *, struct passwd *pw);
@ -794,11 +795,11 @@ Index: openssh-7.8p1/auth.h
/* Key / cert options linkage to auth layer */ /* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *); const struct sshauthopt *auth_options(struct ssh *);
Index: openssh-7.8p1/auth2-hostbased.c Index: openssh-7.9p1/auth2-hostbased.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/auth2-hostbased.c --- openssh-7.9p1.orig/auth2-hostbased.c
+++ openssh-7.8p1/auth2-hostbased.c +++ openssh-7.9p1/auth2-hostbased.c
@@ -141,7 +141,7 @@ userauth_hostbased(struct ssh *ssh) @@ -148,7 +148,7 @@ userauth_hostbased(struct ssh *ssh)
/* test for allowed key and correct signature */ /* test for allowed key and correct signature */
authenticated = 0; authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@ -807,7 +808,7 @@ Index: openssh-7.8p1/auth2-hostbased.c
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0) sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
authenticated = 1; authenticated = 1;
@@ -158,6 +158,19 @@ done: @@ -165,6 +165,19 @@ done:
return authenticated; return authenticated;
} }
@ -827,11 +828,11 @@ Index: openssh-7.8p1/auth2-hostbased.c
/* return 1 if given hostkey is allowed */ /* return 1 if given hostkey is allowed */
int int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Index: openssh-7.8p1/auth2-pubkey.c Index: openssh-7.9p1/auth2-pubkey.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/auth2-pubkey.c --- openssh-7.9p1.orig/auth2-pubkey.c
+++ openssh-7.8p1/auth2-pubkey.c +++ openssh-7.9p1/auth2-pubkey.c
@@ -187,7 +187,7 @@ userauth_pubkey(struct ssh *ssh) @@ -193,7 +193,7 @@ userauth_pubkey(struct ssh *ssh)
/* test for correct signature */ /* test for correct signature */
authenticated = 0; authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@ -840,7 +841,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
sshbuf_ptr(b), sshbuf_len(b), sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat)) == 0) { ssh->compat)) == 0) {
@@ -246,6 +246,19 @@ done: @@ -252,6 +252,19 @@ done:
return authenticated; return authenticated;
} }
@ -860,7 +861,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
static int static int
match_principals_option(const char *principal_list, struct sshkey_cert *cert) match_principals_option(const char *principal_list, struct sshkey_cert *cert)
{ {
@@ -767,7 +780,7 @@ user_cert_trusted_ca(struct ssh *ssh, st @@ -773,7 +786,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
found_principal = 1; found_principal = 1;
/* If principals file or command is specified, then require a match */ /* If principals file or command is specified, then require a match */
use_authorized_principals = principals_file != NULL || use_authorized_principals = principals_file != NULL ||
@ -869,10 +870,10 @@ Index: openssh-7.8p1/auth2-pubkey.c
if (!found_principal && use_authorized_principals) { if (!found_principal && use_authorized_principals) {
reason = "Certificate does not contain an authorized principal"; reason = "Certificate does not contain an authorized principal";
goto fail_reason; goto fail_reason;
Index: openssh-7.8p1/auth2.c Index: openssh-7.9p1/auth2.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/auth2.c --- openssh-7.9p1.orig/auth2.c
+++ openssh-7.8p1/auth2.c +++ openssh-7.9p1/auth2.c
@@ -284,9 +284,6 @@ input_userauth_request(int type, u_int32 @@ -284,9 +284,6 @@ input_userauth_request(int type, u_int32
} else { } else {
/* Invalid user, fake password information */ /* Invalid user, fake password information */
@ -883,10 +884,10 @@ Index: openssh-7.8p1/auth2.c
} }
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) if (options.use_pam)
Index: openssh-7.8p1/cipher.c Index: openssh-7.9p1/cipher.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/cipher.c --- openssh-7.9p1.orig/cipher.c
+++ openssh-7.8p1/cipher.c +++ openssh-7.9p1/cipher.c
@@ -54,25 +54,6 @@ @@ -54,25 +54,6 @@
#include "fips.h" #include "fips.h"
#include "log.h" #include "log.h"
@ -922,10 +923,10 @@ Index: openssh-7.8p1/cipher.c
return; return;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx)); explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
Index: openssh-7.8p1/cipher.h Index: openssh-7.9p1/cipher.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/cipher.h --- openssh-7.9p1.orig/cipher.h
+++ openssh-7.8p1/cipher.h +++ openssh-7.9p1/cipher.h
@@ -45,7 +45,25 @@ @@ -45,7 +45,25 @@
#define CIPHER_ENCRYPT 1 #define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0 #define CIPHER_DECRYPT 0
@ -953,10 +954,10 @@ Index: openssh-7.8p1/cipher.h
struct sshcipher_ctx { struct sshcipher_ctx {
int plaintext; int plaintext;
int encrypt; int encrypt;
Index: openssh-7.8p1/kex.c Index: openssh-7.9p1/kex.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/kex.c --- openssh-7.9p1.orig/kex.c
+++ openssh-7.8p1/kex.c +++ openssh-7.9p1/kex.c
@@ -53,6 +53,7 @@ @@ -53,6 +53,7 @@
#include "ssherr.h" #include "ssherr.h"
#include "sshbuf.h" #include "sshbuf.h"
@ -1053,10 +1054,10 @@ Index: openssh-7.8p1/kex.c
+ mac_destroy(&newkeys->mac); + mac_destroy(&newkeys->mac);
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp)); + memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+} +}
Index: openssh-7.8p1/kex.h Index: openssh-7.9p1/kex.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/kex.h --- openssh-7.9p1.orig/kex.h
+++ openssh-7.8p1/kex.h +++ openssh-7.9p1/kex.h
@@ -213,6 +213,8 @@ int kexgss_client(struct ssh *); @@ -213,6 +213,8 @@ int kexgss_client(struct ssh *);
int kexgss_server(struct ssh *); int kexgss_server(struct ssh *);
#endif #endif
@ -1066,10 +1067,10 @@ Index: openssh-7.8p1/kex.h
int kex_dh_hash(int, const char *, const char *, int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
Index: openssh-7.8p1/mac.c Index: openssh-7.9p1/mac.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/mac.c --- openssh-7.9p1.orig/mac.c
+++ openssh-7.8p1/mac.c +++ openssh-7.9p1/mac.c
@@ -280,6 +280,20 @@ mac_clear(struct sshmac *mac) @@ -280,6 +280,20 @@ mac_clear(struct sshmac *mac)
mac->umac_ctx = NULL; mac->umac_ctx = NULL;
} }
@ -1091,10 +1092,10 @@ Index: openssh-7.8p1/mac.c
/* XXX copied from ciphers_valid */ /* XXX copied from ciphers_valid */
#define MAC_SEP "," #define MAC_SEP ","
int int
Index: openssh-7.8p1/mac.h Index: openssh-7.9p1/mac.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/mac.h --- openssh-7.9p1.orig/mac.h
+++ openssh-7.8p1/mac.h +++ openssh-7.9p1/mac.h
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3 @@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t, int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
const u_char *, size_t); const u_char *, size_t);
@ -1102,11 +1103,11 @@ Index: openssh-7.8p1/mac.h
+void mac_destroy(struct sshmac *); +void mac_destroy(struct sshmac *);
#endif /* SSHMAC_H */ #endif /* SSHMAC_H */
Index: openssh-7.8p1/monitor.c Index: openssh-7.9p1/monitor.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/monitor.c --- openssh-7.9p1.orig/monitor.c
+++ openssh-7.8p1/monitor.c +++ openssh-7.9p1/monitor.c
@@ -91,6 +91,7 @@ @@ -93,6 +93,7 @@
#include "compat.h" #include "compat.h"
#include "ssh2.h" #include "ssh2.h"
#include "authfd.h" #include "authfd.h"
@ -1114,7 +1115,7 @@ Index: openssh-7.8p1/monitor.c
#include "match.h" #include "match.h"
#include "ssherr.h" #include "ssherr.h"
@@ -105,6 +106,8 @@ extern u_char session_id[]; @@ -107,6 +108,8 @@ extern u_char session_id[];
extern struct sshbuf *loginmsg; extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
@ -1123,7 +1124,7 @@ Index: openssh-7.8p1/monitor.c
/* State exported from the child */ /* State exported from the child */
static struct sshbuf *child_state; static struct sshbuf *child_state;
@@ -150,6 +153,11 @@ int mm_answer_gss_updatecreds(int, struc @@ -152,6 +155,11 @@ int mm_answer_gss_updatecreds(int, struc
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, struct sshbuf *); int mm_answer_audit_event(int, struct sshbuf *);
int mm_answer_audit_command(int, struct sshbuf *); int mm_answer_audit_command(int, struct sshbuf *);
@ -1135,7 +1136,7 @@ Index: openssh-7.8p1/monitor.c
#endif #endif
static int monitor_read_log(struct monitor *); static int monitor_read_log(struct monitor *);
@@ -203,6 +211,11 @@ struct mon_table mon_dispatch_proto20[] @@ -205,6 +213,11 @@ struct mon_table mon_dispatch_proto20[]
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1147,7 +1148,7 @@ Index: openssh-7.8p1/monitor.c
#endif #endif
#ifdef BSD_AUTH #ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -231,6 +244,11 @@ struct mon_table mon_dispatch_postauth20 @@ -233,6 +246,11 @@ struct mon_table mon_dispatch_postauth20
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@ -1159,15 +1160,19 @@ Index: openssh-7.8p1/monitor.c
#endif #endif
#ifdef GSSAPI #ifdef GSSAPI
{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
@@ -1375,6 +1393,7 @@ mm_answer_keyverify(int sock, struct ssh @@ -1379,8 +1397,10 @@ mm_answer_keyverify(int sock, struct ssh
char *sigalg; char *sigalg;
size_t signaturelen, datalen, bloblen; size_t signaturelen, datalen, bloblen;
int r, ret, valid_data = 0, encoded_ret; int r, ret, valid_data = 0, encoded_ret;
+ int type = 0; + int type = 0;
if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 || - if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 || (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
@@ -1385,6 +1404,8 @@ mm_answer_keyverify(int sock, struct ssh (r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
@@ -1389,6 +1409,8 @@ mm_answer_keyverify(int sock, struct ssh
if (hostbased_cuser == NULL || hostbased_chost == NULL || if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen)) !monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__); fatal("%s: bad key, not previously allowed", __func__);
@ -1176,7 +1181,7 @@ Index: openssh-7.8p1/monitor.c
/* Empty signature algorithm means NULL. */ /* Empty signature algorithm means NULL. */
if (*sigalg == '\0') { if (*sigalg == '\0') {
@@ -1399,22 +1420,25 @@ mm_answer_keyverify(int sock, struct ssh @@ -1403,22 +1425,25 @@ mm_answer_keyverify(int sock, struct ssh
switch (key_blobtype) { switch (key_blobtype) {
case MM_USERKEY: case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen); valid_data = monitor_valid_userblob(data, datalen);
@ -1204,7 +1209,7 @@ Index: openssh-7.8p1/monitor.c
debug3("%s: %s %p signature %s", __func__, auth_method, key, debug3("%s: %s %p signature %s", __func__, auth_method, key,
(ret == 0) ? "verified" : "unverified"); (ret == 0) ? "verified" : "unverified");
auth2_record_key(authctxt, ret == 0, key); auth2_record_key(authctxt, ret == 0, key);
@@ -1474,6 +1498,12 @@ mm_session_close(Session *s) @@ -1478,6 +1503,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s); session_pty_cleanup2(s);
} }
@ -1217,7 +1222,7 @@ Index: openssh-7.8p1/monitor.c
session_unused(s->self); session_unused(s->self);
} }
@@ -1582,6 +1612,8 @@ mm_answer_term(int sock, struct sshbuf * @@ -1586,6 +1617,8 @@ mm_answer_term(int sock, struct sshbuf *
sshpam_cleanup(); sshpam_cleanup();
#endif #endif
@ -1226,7 +1231,7 @@ Index: openssh-7.8p1/monitor.c
while (waitpid(pmonitor->m_pid, &status, 0) == -1) while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR) if (errno != EINTR)
exit(1); exit(1);
@@ -1628,14 +1660,50 @@ mm_answer_audit_command(int socket, stru @@ -1632,14 +1665,50 @@ mm_answer_audit_command(int socket, stru
{ {
char *cmd; char *cmd;
int r; int r;
@ -1280,7 +1285,7 @@ Index: openssh-7.8p1/monitor.c
} }
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
@@ -1697,6 +1765,7 @@ monitor_apply_keystate(struct monitor *p @@ -1701,6 +1770,7 @@ monitor_apply_keystate(struct monitor *p
void void
mm_get_keystate(struct monitor *pmonitor) mm_get_keystate(struct monitor *pmonitor)
{ {
@ -1288,7 +1293,7 @@ Index: openssh-7.8p1/monitor.c
debug3("%s: Waiting for new keys", __func__); debug3("%s: Waiting for new keys", __func__);
if ((child_state = sshbuf_new()) == NULL) if ((child_state = sshbuf_new()) == NULL)
@@ -1704,6 +1773,19 @@ mm_get_keystate(struct monitor *pmonitor @@ -1708,6 +1778,19 @@ mm_get_keystate(struct monitor *pmonitor
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
child_state); child_state);
debug3("%s: GOT new keys", __func__); debug3("%s: GOT new keys", __func__);
@ -1308,33 +1313,16 @@ Index: openssh-7.8p1/monitor.c
} }
@@ -1902,19 +1984,19 @@ mm_answer_gss_sign(int socket, struct ss @@ -1909,7 +1992,7 @@ mm_answer_gss_sign(int socket, struct ss
int r; fatal("In GSSAPI monitor when GSSAPI is disabled");
if (!options.gss_authentication && !options.gss_keyex)
- fatal("In GSSAPI monitor when GSSAPI is disabled");
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0) if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); - fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (data.length != 20) if (data.length != 20)
- fatal("%s: data length incorrect: %d", __func__, fatal("%s: data length incorrect: %d", __func__,
- (int) data.length); (int) data.length);
+ fatal("%s: data length incorrect: %d", __func__, @@ -1966,3 +2049,102 @@ mm_answer_gss_updatecreds(int socket, st
+ (int) data.length);
/* Save the session ID on the first time around */
if (session_id2_len == 0) {
- session_id2_len = data.length;
- session_id2 = xmalloc(session_id2_len);
- memcpy(session_id2, data.value, session_id2_len);
+ session_id2_len = data.length;
+ session_id2 = xmalloc(session_id2_len);
+ memcpy(session_id2, data.value, session_id2_len);
}
major = ssh_gssapi_sign(gsscontext, &data, &hash);
@@ -1962,3 +2044,102 @@ mm_answer_gss_updatecreds(int socket, st
} }
#endif /* GSSAPI */ #endif /* GSSAPI */
@ -1437,10 +1425,10 @@ Index: openssh-7.8p1/monitor.c
+ return 0; + return 0;
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/monitor.h Index: openssh-7.9p1/monitor.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/monitor.h --- openssh-7.9p1.orig/monitor.h
+++ openssh-7.8p1/monitor.h +++ openssh-7.9p1/monitor.h
@@ -61,7 +61,13 @@ enum monitor_reqtype { @@ -61,7 +61,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1456,10 +1444,10 @@ Index: openssh-7.8p1/monitor.h
MONITOR_REQ_GSSSIGN = 201, MONITOR_ANS_GSSSIGN = 202, MONITOR_REQ_GSSSIGN = 201, MONITOR_ANS_GSSSIGN = 202,
MONITOR_REQ_GSSUPCREDS = 203, MONITOR_ANS_GSSUPCREDS = 204, MONITOR_REQ_GSSUPCREDS = 203, MONITOR_ANS_GSSUPCREDS = 204,
Index: openssh-7.8p1/monitor_wrap.c Index: openssh-7.9p1/monitor_wrap.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/monitor_wrap.c --- openssh-7.9p1.orig/monitor_wrap.c
+++ openssh-7.8p1/monitor_wrap.c +++ openssh-7.9p1/monitor_wrap.c
@@ -497,7 +497,7 @@ mm_key_allowed(enum mm_keytype type, con @@ -497,7 +497,7 @@ mm_key_allowed(enum mm_keytype type, con
*/ */
@ -1637,10 +1625,10 @@ Index: openssh-7.8p1/monitor_wrap.c
+ sshbuf_free(m); + sshbuf_free(m);
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/monitor_wrap.h Index: openssh-7.9p1/monitor_wrap.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/monitor_wrap.h --- openssh-7.9p1.orig/monitor_wrap.h
+++ openssh-7.8p1/monitor_wrap.h +++ openssh-7.9p1/monitor_wrap.h
@@ -53,7 +53,9 @@ int mm_user_key_allowed(struct ssh *, st @@ -53,7 +53,9 @@ int mm_user_key_allowed(struct ssh *, st
struct sshauthopt **); struct sshauthopt **);
int mm_hostbased_key_allowed(struct passwd *, const char *, int mm_hostbased_key_allowed(struct passwd *, const char *,
@ -1666,10 +1654,10 @@ Index: openssh-7.8p1/monitor_wrap.h
#endif #endif
struct Session; struct Session;
Index: openssh-7.8p1/packet.c Index: openssh-7.9p1/packet.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/packet.c --- openssh-7.9p1.orig/packet.c
+++ openssh-7.8p1/packet.c +++ openssh-7.9p1/packet.c
@@ -76,6 +76,7 @@ @@ -76,6 +76,7 @@
#include <zlib.h> #include <zlib.h>
@ -1829,20 +1817,20 @@ Index: openssh-7.8p1/packet.c
/* Reset after_authentication and reset compression in post-auth privsep */ /* Reset after_authentication and reset compression in post-auth privsep */
static int static int
ssh_packet_set_postauth(struct ssh *ssh) ssh_packet_set_postauth(struct ssh *ssh)
Index: openssh-7.8p1/packet.h Index: openssh-7.9p1/packet.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/packet.h --- openssh-7.9p1.orig/packet.h
+++ openssh-7.8p1/packet.h +++ openssh-7.9p1/packet.h
@@ -219,4 +219,5 @@ extern struct ssh *active_state; @@ -219,4 +219,5 @@ extern struct ssh *active_state;
# undef EC_POINT # undef EC_POINT
#endif #endif
+void packet_destroy_all(int, int); +void packet_destroy_all(int, int);
#endif /* PACKET_H */ #endif /* PACKET_H */
Index: openssh-7.8p1/session.c Index: openssh-7.9p1/session.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/session.c --- openssh-7.9p1.orig/session.c
+++ openssh-7.8p1/session.c +++ openssh-7.9p1/session.c
@@ -139,7 +139,7 @@ extern char *__progname; @@ -139,7 +139,7 @@ extern char *__progname;
extern int debug_flag; extern int debug_flag;
extern u_int utmp_len; extern u_int utmp_len;
@ -1867,7 +1855,7 @@ Index: openssh-7.8p1/session.c
/* Enter interactive session. */ /* Enter interactive session. */
s->ptymaster = ptymaster; s->ptymaster = ptymaster;
packet_set_interactive(1, packet_set_interactive(1,
@@ -739,15 +747,19 @@ do_exec(struct ssh *ssh, Session *s, con @@ -741,15 +749,19 @@ do_exec(struct ssh *ssh, Session *s, con
s->self); s->self);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@ -1889,7 +1877,7 @@ Index: openssh-7.8p1/session.c
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command); ret = do_exec_pty(ssh, s, command);
@@ -1551,8 +1563,11 @@ do_child(struct ssh *ssh, Session *s, co @@ -1553,8 +1565,11 @@ do_child(struct ssh *ssh, Session *s, co
int r = 0; int r = 0;
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
@ -1902,7 +1890,7 @@ Index: openssh-7.8p1/session.c
/* Force a password change */ /* Force a password change */
if (s->authctxt->force_pwchange) { if (s->authctxt->force_pwchange) {
@@ -1759,6 +1774,9 @@ session_unused(int id) @@ -1761,6 +1776,9 @@ session_unused(int id)
sessions[id].ttyfd = -1; sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1; sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL; sessions[id].x11_chanids = NULL;
@ -1912,7 +1900,7 @@ Index: openssh-7.8p1/session.c
sessions[id].next_unused = sessions_first_unused; sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id; sessions_first_unused = id;
} }
@@ -1841,6 +1859,19 @@ session_open(Authctxt *authctxt, int cha @@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
} }
Session * Session *
@ -1932,7 +1920,7 @@ Index: openssh-7.8p1/session.c
session_by_tty(char *tty) session_by_tty(char *tty)
{ {
int i; int i;
@@ -2352,6 +2383,32 @@ session_exit_message(struct ssh *ssh, Se @@ -2428,6 +2459,32 @@ session_exit_message(struct ssh *ssh, Se
chan_write_failed(ssh, c); chan_write_failed(ssh, c);
} }
@ -1965,7 +1953,7 @@ Index: openssh-7.8p1/session.c
void void
session_close(struct ssh *ssh, Session *s) session_close(struct ssh *ssh, Session *s)
{ {
@@ -2393,6 +2450,10 @@ session_close(struct ssh *ssh, Session * @@ -2469,6 +2526,10 @@ session_close(struct ssh *ssh, Session *
if (s->ttyfd != -1) if (s->ttyfd != -1)
session_pty_cleanup(s); session_pty_cleanup(s);
@ -1976,7 +1964,7 @@ Index: openssh-7.8p1/session.c
free(s->term); free(s->term);
free(s->display); free(s->display);
free(s->x11_chanids); free(s->x11_chanids);
@@ -2600,6 +2661,15 @@ do_authenticated2(struct ssh *ssh, Authc @@ -2677,6 +2738,15 @@ do_authenticated2(struct ssh *ssh, Authc
server_loop2(ssh, authctxt); server_loop2(ssh, authctxt);
} }
@ -1992,7 +1980,7 @@ Index: openssh-7.8p1/session.c
void void
do_cleanup(struct ssh *ssh, Authctxt *authctxt) do_cleanup(struct ssh *ssh, Authctxt *authctxt)
{ {
@@ -2657,7 +2727,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au @@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
* or if running in monitor. * or if running in monitor.
*/ */
if (!use_privsep || mm_is_monitor()) if (!use_privsep || mm_is_monitor())
@ -2001,11 +1989,11 @@ Index: openssh-7.8p1/session.c
} }
/* Return a name for the remote host that fits inside utmp_size */ /* Return a name for the remote host that fits inside utmp_size */
Index: openssh-7.8p1/session.h Index: openssh-7.9p1/session.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/session.h --- openssh-7.9p1.orig/session.h
+++ openssh-7.8p1/session.h +++ openssh-7.9p1/session.h
@@ -60,6 +60,12 @@ struct Session { @@ -61,6 +61,12 @@ struct Session {
char *name; char *name;
char *val; char *val;
} *env; } *env;
@ -2018,7 +2006,7 @@ Index: openssh-7.8p1/session.h
}; };
void do_authenticated(struct ssh *, Authctxt *); void do_authenticated(struct ssh *, Authctxt *);
@@ -72,8 +78,10 @@ void session_close_by_pid(struct ssh *s @@ -73,8 +79,10 @@ void session_close_by_pid(struct ssh *s
void session_close_by_channel(struct ssh *, int, void *); void session_close_by_channel(struct ssh *, int, void *);
void session_destroy_all(struct ssh *, void (*)(Session *)); void session_destroy_all(struct ssh *, void (*)(Session *));
void session_pty_cleanup2(Session *); void session_pty_cleanup2(Session *);
@ -2029,10 +2017,10 @@ Index: openssh-7.8p1/session.h
Session *session_by_tty(char *); Session *session_by_tty(char *);
void session_close(struct ssh *, Session *); void session_close(struct ssh *, Session *);
void do_setusercontext(struct passwd *); void do_setusercontext(struct passwd *);
Index: openssh-7.8p1/sshd.c Index: openssh-7.9p1/sshd.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/sshd.c --- openssh-7.9p1.orig/sshd.c
+++ openssh-7.8p1/sshd.c +++ openssh-7.9p1/sshd.c
@@ -124,6 +124,7 @@ @@ -124,6 +124,7 @@
#include "ssh-gss.h" #include "ssh-gss.h"
#endif #endif
@ -2091,24 +2079,24 @@ Index: openssh-7.8p1/sshd.c
for (i = 0; i < options.num_host_key_files; i++) { for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) { if (sensitive_data.host_keys[i]) {
- sshkey_free(sensitive_data.host_keys[i]); - sshkey_free(sensitive_data.host_keys[i]);
+ char *fp; + char *fp;
+ +
+ if (sshkey_is_private(sensitive_data.host_keys[i])) + if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX); + fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else + else
+ fp = NULL; + fp = NULL;
+ sshkey_free(sensitive_data.host_keys[i]); + sshkey_free(sensitive_data.host_keys[i]);
sensitive_data.host_keys[i] = NULL; sensitive_data.host_keys[i] = NULL;
+ if (fp != NULL) { + if (fp != NULL) {
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ if (privsep) + if (privsep)
+ PRIVSEP(audit_destroy_sensitive_data(fp, + PRIVSEP(audit_destroy_sensitive_data(fp,
+ pid, uid)); + pid, uid));
+ else + else
+ audit_destroy_sensitive_data(fp, + audit_destroy_sensitive_data(fp,
+ pid, uid); + pid, uid);
+#endif +#endif
+ free(fp); + free(fp);
+ } + }
} }
- if (sensitive_data.host_certificates[i]) { - if (sensitive_data.host_certificates[i]) {
@ -2117,30 +2105,28 @@ Index: openssh-7.8p1/sshd.c
sshkey_free(sensitive_data.host_certificates[i]); sshkey_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL; sensitive_data.host_certificates[i] = NULL;
} }
@@ -513,9 +551,22 @@ demote_sensitive_data(void) @@ -513,8 +551,21 @@ demote_sensitive_data(void)
struct sshkey *tmp; struct sshkey *tmp;
u_int i; u_int i;
int r; int r;
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ pid_t pid; + pid_t pid;
+ uid_t uid; + uid_t uid;
+
- for (i = 0; i < options.num_host_key_files; i++) { + pid = getpid();
+ pid = getpid(); + uid = getuid();
+ uid = getuid();
+#endif +#endif
for (i = 0; i < options.num_host_key_files; i++) {
+ char *fp;
+ +
+ for (i = 0; i < options.num_host_key_files; i++) { + if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
if (sensitive_data.host_keys[i]) { if (sensitive_data.host_keys[i]) {
+ char *fp; if ((r = sshkey_from_private(
+ sensitive_data.host_keys[i], &tmp)) != 0)
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
if ((r = sshkey_demote(sensitive_data.host_keys[i],
&tmp)) != 0)
fatal("could not demote host %s key: %s",
@@ -523,6 +574,12 @@ demote_sensitive_data(void) @@ -523,6 +574,12 @@ demote_sensitive_data(void)
ssh_err(r)); ssh_err(r));
sshkey_free(sensitive_data.host_keys[i]); sshkey_free(sensitive_data.host_keys[i]);
@ -2213,48 +2199,11 @@ Index: openssh-7.8p1/sshd.c
audit_event(SSH_CONNECTION_ABANDON); audit_event(SSH_CONNECTION_ABANDON);
#endif #endif
_exit(i); _exit(i);
Index: openssh-7.8p1/sshkey.c Index: openssh-7.9p1/sshkey.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/sshkey.c --- openssh-7.9p1.orig/sshkey.h
+++ openssh-7.8p1/sshkey.c +++ openssh-7.9p1/sshkey.h
@@ -326,6 +326,32 @@ sshkey_type_is_valid_ca(int type) @@ -147,6 +147,7 @@ u_int sshkey_size(const struct sshkey
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA:
+ return k->rsa->d != NULL;
+ case KEY_DSA_CERT:
+ case KEY_DSA:
+ return k->dsa->priv_key != NULL;
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
Index: openssh-7.8p1/sshkey.h
===================================================================
--- openssh-7.8p1.orig/sshkey.h
+++ openssh-7.8p1/sshkey.h
@@ -148,6 +148,7 @@ u_int sshkey_size(const struct sshkey
int sshkey_generate(int type, u_int bits, struct sshkey **keyp); int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
int sshkey_from_private(const struct sshkey *, struct sshkey **); int sshkey_from_private(const struct sshkey *, struct sshkey **);
int sshkey_type_from_name(const char *); int sshkey_type_from_name(const char *);
@ -2262,3 +2211,46 @@ Index: openssh-7.8p1/sshkey.h
int sshkey_is_cert(const struct sshkey *); int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int); int sshkey_type_is_cert(int);
int sshkey_type_plain(int); int sshkey_type_plain(int);
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d;
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
+ return d != NULL;
+ }
+ case KEY_DSA_CERT:
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)


@ -1,75 +0,0 @@
# HG changeset patch
# Parent 2e66b48b2212113d9897a58aaada67557b7c4f35
block SIGALRM while logging through syslog to prevent deadlocks
(through grace_alarm_handler())
bnc#57354
diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
--- openssh-7.7p1/log.c
+++ openssh-7.7p1/log.c
@@ -46,16 +46,17 @@
#include <syslog.h>
#include <unistd.h>
#include <errno.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
# include <vis.h>
#endif
#include "log.h"
+#include <signal.h>
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
static int log_stderr_fd = STDERR_FILENO;
static int log_facility = LOG_AUTH;
static char *argv0;
static log_handler_fn *log_handler;
static void *log_handler_ctx;
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
{
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
char msgbuf[MSGBUFSIZ];
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
+ sigset_t nset, oset;
int saved_errno = errno;
log_handler_fn *tmp_handler;
if (level > log_level)
return;
switch (level) {
case SYSLOG_LEVEL_FATAL:
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
log_handler = NULL;
tmp_handler(level, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
(int)sizeof msgbuf - 3, fmtbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
+ /* Prevent a race between the grace_alarm which writes a
+ * log message and terminates and main sshd code that leads
+ * to deadlock as syslog is not async safe.
+ */
+ sigemptyset(&nset);
+ sigaddset(&nset, SIGALRM);
+ sigprocmask(SIG_BLOCK, &nset, &oset);
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
#else
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
+ sigprocmask(SIG_SETMASK, &oset, NULL);
}
errno = saved_errno;
}


@ -2,15 +2,11 @@
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63 # Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation CAVS test for OpenSSH's own CTR encryption mode implementation
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in Index: openssh-7.9p1/Makefile.in
--- openssh-7.7p1/Makefile.in ===================================================================
+++ openssh-7.7p1/Makefile.in --- openssh-7.9p1.orig/Makefile.in
@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@ +++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -18,17 +14,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@ STRIP_OPT=@STRIP_OPT@
TEST_SHELL=@TEST_SHELL@ @@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
@@ -57,16 +58,18 @@ ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
@ -37,17 +23,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
sshkey-xmss.o \ sshkey-xmss.o \
xmss_commons.o \ @@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
xmss_fast.o \
xmss_hash.o \
xmss_hash_address.o \
xmss_wots.o
@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -58,17 +34,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
# test driver for the loginrec code - not built by default # test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -348,6 +355,7 @@ install-files:
$(MANPAGES): $(MANPAGES_IN)
if test "$(MANTYPE)" = "cat"; then \
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
else \
@@ -339,16 +346,17 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -76,15 +42,10 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 Index: openssh-7.9p1/cavstest-ctr.c
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 ===================================================================
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
new file mode 100644
--- /dev/null --- /dev/null
+++ openssh-7.7p1/cavstest-ctr.c +++ openssh-7.9p1/cavstest-ctr.c
@@ -0,0 +1,214 @@ @@ -0,0 +1,214 @@
+/* +/*
+ * + *
@ -238,7 +199,7 @@ new file mode 100644
+ usage(); + usage();
+ } + }
+ +
+ SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms();
+ +
+ c = cipher_by_name(algo); + c = cipher_by_name(algo);
+ if (c == NULL) { + if (c == NULL) {
@ -300,15 +261,11 @@ new file mode 100644
+ printf("\n"); + printf("\n");
+ return 0; + return 0;
+} +}
diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c Index: openssh-7.9p1/cipher.c
--- openssh-7.7p1/cipher.c ===================================================================
+++ openssh-7.7p1/cipher.c --- openssh-7.9p1.orig/cipher.c
@@ -49,25 +49,16 @@ +++ openssh-7.9p1/cipher.c
#include "ssherr.h" @@ -54,15 +54,6 @@
#include "digest.h"
#include "openbsd-compat/openssl-compat.h"
#include "fips.h" #include "fips.h"
#include "log.h" #include "log.h"
@ -324,20 +281,11 @@ diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
struct sshcipher { struct sshcipher {
char *name; char *name;
u_int block_size; u_int block_size;
u_int key_len; Index: openssh-7.9p1/cipher.h
u_int iv_len; /* defaults to block_size */ ===================================================================
u_int auth_len; --- openssh-7.9p1.orig/cipher.h
u_int flags; +++ openssh-7.9p1/cipher.h
#define CFLAG_CBC (1<<0) @@ -46,7 +46,15 @@
diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
--- openssh-7.7p1/cipher.h
+++ openssh-7.7p1/cipher.h
@@ -41,17 +41,25 @@
#include <openssl/evp.h>
#include "cipher-chachapoly.h"
#include "cipher-aesctr.h"
#define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0 #define CIPHER_DECRYPT 0
struct sshcipher; struct sshcipher;
@ -354,8 +302,3 @@ diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
const struct sshcipher *cipher_by_name(const char *); const struct sshcipher *cipher_by_name(const char *);
const char *cipher_warning_message(const struct sshcipher_ctx *); const char *cipher_warning_message(const struct sshcipher_ctx *);
int ciphers_valid(const char *);
char *cipher_alg_list(char, int);
int cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
const u_char *, u_int, const u_char *, u_int, int);
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
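Review bot: `OpenSSL_add_all_algorithms()` on the new side of the cavstest-ctr.c hunk is, on OpenSSL 1.1.0 and later, only a compatibility macro for `OPENSSL_init_crypto()` that is hidden once `OPENSSL_API_COMPAT` is raised past 1.0.x or deprecated APIs are disabled, so this test program is the kind of file that breaks silently on the next OpenSSL bump. The rename from `SSLeay_add_all_algorithms()` is consistent with what OpenSSH 7.9 itself still calls, so it is correct for this rebase; a comment above the call, `/* compat macro on OpenSSL >= 1.1.0; library initialises itself */`, would tell the next rebaser that the line can simply be dropped rather than renamed again. The added Makefile.in and cipher.h lines of this patch are collapsed on this page, so the build wiring of cavstest-ctr could not be checked here.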


@ -12,23 +12,23 @@ compliant) parameters.
CVE-2015-4000 (LOGJAM) CVE-2015-4000 (LOGJAM)
bsc#932483 bsc#932483
Index: openssh-7.8p1/dh.c Index: openssh-7.9p1/dh.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/dh.c --- openssh-7.9p1.orig/dh.c
+++ openssh-7.8p1/dh.c +++ openssh-7.9p1/dh.c
@@ -43,6 +43,8 @@ @@ -45,6 +45,8 @@
#include "misc.h"
#include "ssherr.h" #include "openbsd-compat/openssl-compat.h"
+int dh_grp_min = DH_GRP_MIN; +int dh_grp_min = DH_GRP_MIN;
+ +
static int static int
parse_prime(int linenum, char *line, struct dhgroup *dhg) parse_prime(int linenum, char *line, struct dhgroup *dhg)
{ {
Index: openssh-7.8p1/dh.h Index: openssh-7.9p1/dh.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/dh.h --- openssh-7.9p1.orig/dh.h
+++ openssh-7.8p1/dh.h +++ openssh-7.9p1/dh.h
@@ -50,6 +50,7 @@ u_int dh_estimate(int); @@ -50,6 +50,7 @@ u_int dh_estimate(int);
* Max value from RFC4419. * Max value from RFC4419.
* Miniumum increased in light of DH precomputation attacks. * Miniumum increased in light of DH precomputation attacks.
@ -37,11 +37,11 @@ Index: openssh-7.8p1/dh.h
#define DH_GRP_MIN 2048 #define DH_GRP_MIN 2048
#define DH_GRP_MAX 8192 #define DH_GRP_MAX 8192
Index: openssh-7.8p1/kexgexc.c Index: openssh-7.9p1/kexgexc.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/kexgexc.c --- openssh-7.9p1.orig/kexgexc.c
+++ openssh-7.8p1/kexgexc.c +++ openssh-7.9p1/kexgexc.c
@@ -51,6 +51,9 @@ @@ -53,6 +53,9 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "misc.h" #include "misc.h"
@ -51,7 +51,7 @@ Index: openssh-7.8p1/kexgexc.c
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh) @@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8); nbits = dh_estimate(kex->dh_need * 8);
@ -60,7 +60,7 @@ Index: openssh-7.8p1/kexgexc.c
kex->max = DH_GRP_MAX; kex->max = DH_GRP_MAX;
kex->nbits = nbits; kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE) if (datafellows & SSH_BUG_DHGEX_LARGE)
@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32 @@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
goto out; goto out;
if ((bits = BN_num_bits(p)) < 0 || if ((bits = BN_num_bits(p)) < 0 ||
(u_int)bits < kex->min || (u_int)bits > kex->max) { (u_int)bits < kex->min || (u_int)bits > kex->max) {
@ -73,11 +73,11 @@ Index: openssh-7.8p1/kexgexc.c
r = SSH_ERR_DH_GEX_OUT_OF_RANGE; r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out; goto out;
} }
Index: openssh-7.8p1/kexgexs.c Index: openssh-7.9p1/kexgexs.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/kexgexs.c --- openssh-7.9p1.orig/kexgexs.c
+++ openssh-7.8p1/kexgexs.c +++ openssh-7.9p1/kexgexs.c
@@ -54,6 +54,9 @@ @@ -56,6 +56,9 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "misc.h" #include "misc.h"
@ -87,7 +87,7 @@ Index: openssh-7.8p1/kexgexs.c
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int @@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits; kex->nbits = nbits;
kex->min = min; kex->min = min;
kex->max = max; kex->max = max;
@ -109,10 +109,10 @@ Index: openssh-7.8p1/kexgexs.c
r = SSH_ERR_DH_GEX_OUT_OF_RANGE; r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out; goto out;
} }
Index: openssh-7.8p1/readconf.c Index: openssh-7.9p1/readconf.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/readconf.c --- openssh-7.9p1.orig/readconf.c
+++ openssh-7.8p1/readconf.c +++ openssh-7.9p1/readconf.c
@@ -67,6 +67,7 @@ @@ -67,6 +67,7 @@
#include "uidswap.h" #include "uidswap.h"
#include "myproposal.h" #include "myproposal.h"
@ -130,7 +130,7 @@ Index: openssh-7.8p1/readconf.c
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
@@ -291,6 +292,7 @@ static struct { @@ -292,6 +293,7 @@ static struct {
{ "remotecommand", oRemoteCommand }, { "remotecommand", oRemoteCommand },
{ "visualhostkey", oVisualHostKey }, { "visualhostkey", oVisualHostKey },
{ "kexalgorithms", oKexAlgorithms }, { "kexalgorithms", oKexAlgorithms },
@ -138,7 +138,7 @@ Index: openssh-7.8p1/readconf.c
{ "ipqos", oIPQoS }, { "ipqos", oIPQoS },
{ "requesttty", oRequestTTY }, { "requesttty", oRequestTTY },
{ "proxyusefdpass", oProxyUseFdpass }, { "proxyusefdpass", oProxyUseFdpass },
@@ -312,6 +314,9 @@ static struct { @@ -313,6 +315,9 @@ static struct {
{ NULL, oBadOption } { NULL, oBadOption }
}; };
@ -148,7 +148,7 @@ Index: openssh-7.8p1/readconf.c
/* /*
* Adds a local TCP/IP port forward to options. Never returns if there is an * Adds a local TCP/IP port forward to options. Never returns if there is an
* error. * error.
@@ -1206,6 +1211,10 @@ parse_int: @@ -1216,6 +1221,10 @@ parse_int:
options->kex_algorithms = xstrdup(arg); options->kex_algorithms = xstrdup(arg);
break; break;
@ -159,15 +159,15 @@ Index: openssh-7.8p1/readconf.c
case oHostKeyAlgorithms: case oHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms; charptr = &options->hostkeyalgorithms;
parse_keytypes: parse_keytypes:
@@ -1835,6 +1844,7 @@ initialize_options(Options * options) @@ -1860,6 +1869,7 @@ initialize_options(Options * options)
options->ciphers = NULL; options->ciphers = NULL;
options->macs = NULL; options->macs = NULL;
options->kex_algorithms = NULL; options->kex_algorithms = NULL;
+ options->kex_dhmin = -1; + options->kex_dhmin = -1;
options->hostkeyalgorithms = NULL; options->hostkeyalgorithms = NULL;
options->ca_sign_algorithms = NULL;
options->num_identity_files = 0; options->num_identity_files = 0;
options->num_certificate_files = 0; @@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
@@ -1988,6 +1998,13 @@ fill_default_options(Options * options)
options->connection_attempts = 1; options->connection_attempts = 1;
if (options->number_of_password_prompts == -1) if (options->number_of_password_prompts == -1)
options->number_of_password_prompts = 3; options->number_of_password_prompts = 3;
@ -181,22 +181,22 @@ Index: openssh-7.8p1/readconf.c
/* options->hostkeyalgorithms, default set in myproposals.h */ /* options->hostkeyalgorithms, default set in myproposals.h */
if (options->add_keys_to_agent == -1) if (options->add_keys_to_agent == -1)
options->add_keys_to_agent = 0; options->add_keys_to_agent = 0;
Index: openssh-7.8p1/readconf.h Index: openssh-7.9p1/readconf.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/readconf.h --- openssh-7.9p1.orig/readconf.h
+++ openssh-7.8p1/readconf.h +++ openssh-7.9p1/readconf.h
@@ -67,6 +67,7 @@ typedef struct { @@ -68,6 +68,7 @@ typedef struct {
char *macs; /* SSH2 macs in order of preference. */
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
char *kex_algorithms; /* SSH2 kex methods in order of preference. */ char *kex_algorithms; /* SSH2 kex methods in order of preference. */
+ int kex_dhmin; /* minimum bit length of the DH group parameter */ char *ca_sign_algorithms; /* Allowed CA signature algorithms */
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
char *hostname; /* Real host to connect. */ char *hostname; /* Real host to connect. */
char *host_key_alias; /* hostname alias for .ssh/known_hosts */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */ char *proxy_command; /* Proxy command for connecting the host. */
Index: openssh-7.8p1/servconf.c Index: openssh-7.9p1/servconf.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/servconf.c --- openssh-7.9p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c +++ openssh-7.9p1/servconf.c
@@ -64,6 +64,10 @@ @@ -64,6 +64,10 @@
#include "auth.h" #include "auth.h"
#include "myproposal.h" #include "myproposal.h"
@ -213,10 +213,10 @@ Index: openssh-7.8p1/servconf.c
options->macs = NULL; options->macs = NULL;
options->kex_algorithms = NULL; options->kex_algorithms = NULL;
+ options->kex_dhmin = -1; + options->kex_dhmin = -1;
options->ca_sign_algorithms = NULL;
options->fwd_opts.gateway_ports = -1; options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1; @@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption
if (options->use_pam_check_locks == -1) if (options->use_pam_check_locks == -1)
options->use_pam_check_locks = 0; options->use_pam_check_locks = 0;
@ -231,16 +231,16 @@ Index: openssh-7.8p1/servconf.c
/* Standard Options */ /* Standard Options */
if (options->num_host_key_files == 0) { if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */ /* fill default hostkeys for protocols */
@@ -490,7 +503,7 @@ typedef enum { @@ -494,7 +507,7 @@ typedef enum {
sHostCertificate, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
- sKexAlgorithms, sIPQoS, sVersionAddendum, - sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
+ sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum, + sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink, sStreamLocalBindMask, sStreamLocalBindUnlink,
@@ -631,6 +644,7 @@ static struct { @@ -635,6 +648,7 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
@ -248,7 +248,7 @@ Index: openssh-7.8p1/servconf.c
{ "ipqos", sIPQoS, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions @@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
options->kex_algorithms = xstrdup(arg); options->kex_algorithms = xstrdup(arg);
break; break;
@ -259,7 +259,7 @@ Index: openssh-7.8p1/servconf.c
case sSubsystem: case sSubsystem:
if (options->num_subsystems >= MAX_SUBSYSTEMS) { if (options->num_subsystems >= MAX_SUBSYSTEMS) {
fatal("%s line %d: too many subsystems defined.", fatal("%s line %d: too many subsystems defined.",
@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o) @@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
@ -267,10 +267,10 @@ Index: openssh-7.8p1/servconf.c
/* formatted integer arguments */ /* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
Index: openssh-7.8p1/servconf.h Index: openssh-7.9p1/servconf.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/servconf.h --- openssh-7.9p1.orig/servconf.h
+++ openssh-7.8p1/servconf.h +++ openssh-7.9p1/servconf.h
@@ -103,6 +103,7 @@ typedef struct { @@ -103,6 +103,7 @@ typedef struct {
char *ciphers; /* Supported SSH2 ciphers. */ char *ciphers; /* Supported SSH2 ciphers. */
char *macs; /* Supported SSH2 macs. */ char *macs; /* Supported SSH2 macs. */
@ -279,10 +279,10 @@ Index: openssh-7.8p1/servconf.h
struct ForwardOptions fwd_opts; /* forwarding options */ struct ForwardOptions fwd_opts; /* forwarding options */
SyslogFacility log_facility; /* Facility for system logging. */ SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */ LogLevel log_level; /* Level for system logging. */
Index: openssh-7.8p1/ssh_config Index: openssh-7.9p1/ssh_config
=================================================================== ===================================================================
--- openssh-7.8p1.orig/ssh_config --- openssh-7.9p1.orig/ssh_config
+++ openssh-7.8p1/ssh_config +++ openssh-7.9p1/ssh_config
@@ -17,6 +17,11 @@ @@ -17,6 +17,11 @@
# list of available options, their meanings and defaults, please see the # list of available options, their meanings and defaults, please see the
# ssh_config(5) man page. # ssh_config(5) man page.
@ -295,11 +295,11 @@ Index: openssh-7.8p1/ssh_config
Host * Host *
# ForwardAgent no # ForwardAgent no
# ForwardX11 no # ForwardX11 no
Index: openssh-7.8p1/ssh_config.0 Index: openssh-7.9p1/ssh_config.0
=================================================================== ===================================================================
--- openssh-7.8p1.orig/ssh_config.0 --- openssh-7.9p1.orig/ssh_config.0
+++ openssh-7.8p1/ssh_config.0 +++ openssh-7.9p1/ssh_config.0
@@ -595,6 +595,23 @@ DESCRIPTION @@ -610,6 +610,23 @@ DESCRIPTION
The list of available key exchange algorithms may also be The list of available key exchange algorithms may also be
obtained using "ssh -Q kex". obtained using "ssh -Q kex".
@ -323,11 +323,11 @@ Index: openssh-7.8p1/ssh_config.0
LocalCommand LocalCommand
Specifies a command to execute on the local machine after Specifies a command to execute on the local machine after
successfully connecting to the server. The command string successfully connecting to the server. The command string
Index: openssh-7.8p1/ssh_config.5 Index: openssh-7.9p1/ssh_config.5
=================================================================== ===================================================================
--- openssh-7.8p1.orig/ssh_config.5 --- openssh-7.9p1.orig/ssh_config.5
+++ openssh-7.8p1/ssh_config.5 +++ openssh-7.9p1/ssh_config.5
@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1 @@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .
@ -350,10 +350,10 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm LocalCommand .It Cm LocalCommand
Specifies a command to execute on the local machine after successfully Specifies a command to execute on the local machine after successfully
connecting to the server. connecting to the server.
Index: openssh-7.8p1/sshd_config Index: openssh-7.9p1/sshd_config
=================================================================== ===================================================================
--- openssh-7.8p1.orig/sshd_config --- openssh-7.9p1.orig/sshd_config
+++ openssh-7.8p1/sshd_config +++ openssh-7.9p1/sshd_config
@@ -19,6 +19,13 @@ @@ -19,6 +19,13 @@
#HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key #HostKey /etc/ssh/ssh_host_ed25519_key
@ -368,11 +368,11 @@ Index: openssh-7.8p1/sshd_config
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
Index: openssh-7.8p1/sshd_config.0 Index: openssh-7.9p1/sshd_config.0
=================================================================== ===================================================================
--- openssh-7.8p1.orig/sshd_config.0 --- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0 +++ openssh-7.9p1/sshd_config.0
@@ -545,6 +545,23 @@ DESCRIPTION @@ -555,6 +555,23 @@ DESCRIPTION
The list of available key exchange algorithms may also be The list of available key exchange algorithms may also be
obtained using "ssh -Q kex". obtained using "ssh -Q kex".
@ -396,11 +396,11 @@ Index: openssh-7.8p1/sshd_config.0
ListenAddress ListenAddress
Specifies the local addresses sshd(8) should listen on. The Specifies the local addresses sshd(8) should listen on. The
following forms may be used: following forms may be used:
Index: openssh-7.8p1/sshd_config.5 Index: openssh-7.9p1/sshd_config.5
=================================================================== ===================================================================
--- openssh-7.8p1.orig/sshd_config.5 --- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5 +++ openssh-7.9p1/sshd_config.5
@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel @@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .


@ -3,10 +3,10 @@
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms. algorithms.
Index: openssh-7.8p1/Makefile.in Index: openssh-7.9p1/Makefile.in
=================================================================== ===================================================================
--- openssh-7.8p1.orig/Makefile.in --- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in +++ openssh-7.9p1/Makefile.in
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
platform-pledge.o platform-tracing.o platform-misc.o platform-pledge.o platform-tracing.o platform-misc.o
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o sshconnect.o sshconnect2.o mux.o
Index: openssh-7.8p1/cipher-ctr.c Index: openssh-7.9p1/cipher-ctr.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/cipher-ctr.c --- openssh-7.9p1.orig/cipher-ctr.c
+++ openssh-7.8p1/cipher-ctr.c +++ openssh-7.9p1/cipher-ctr.c
@@ -27,6 +27,8 @@ @@ -27,6 +27,8 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "log.h" #include "log.h"
@ -38,10 +38,10 @@ Index: openssh-7.8p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
Index: openssh-7.8p1/cipher.c Index: openssh-7.9p1/cipher.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/cipher.c --- openssh-7.9p1.orig/cipher.c
+++ openssh-7.8p1/cipher.c +++ openssh-7.9p1/cipher.c
@@ -51,6 +51,8 @@ @@ -51,6 +51,8 @@
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -131,10 +131,10 @@ Index: openssh-7.8p1/cipher.c
if (strcmp(c->name, name) == 0) if (strcmp(c->name, name) == 0)
return c; return c;
return NULL; return NULL;
Index: openssh-7.8p1/dh.h Index: openssh-7.9p1/dh.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/dh.h --- openssh-7.9p1.orig/dh.h
+++ openssh-7.8p1/dh.h +++ openssh-7.9p1/dh.h
@@ -52,6 +52,7 @@ u_int dh_estimate(int); @@ -52,6 +52,7 @@ u_int dh_estimate(int);
*/ */
#define DH_GRP_MIN_RFC 1024 #define DH_GRP_MIN_RFC 1024
@ -143,10 +143,10 @@ Index: openssh-7.8p1/dh.h
#define DH_GRP_MAX 8192 #define DH_GRP_MAX 8192
/* /*
Index: openssh-7.8p1/fips.c Index: openssh-7.9p1/fips.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/fips.c +++ openssh-7.9p1/fips.c
@@ -0,0 +1,237 @@ @@ -0,0 +1,237 @@
+/* +/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved. + * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -385,10 +385,10 @@ Index: openssh-7.8p1/fips.c
+ return dh; + return dh;
+} +}
+ +
Index: openssh-7.8p1/fips.h Index: openssh-7.9p1/fips.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/fips.h +++ openssh-7.9p1/fips.h
@@ -0,0 +1,45 @@ @@ -0,0 +1,45 @@
+/* +/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved. + * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -435,10 +435,10 @@ Index: openssh-7.8p1/fips.h
+ +
+#endif +#endif
+ +
Index: openssh-7.8p1/hmac.c Index: openssh-7.9p1/hmac.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/hmac.c --- openssh-7.9p1.orig/hmac.c
+++ openssh-7.8p1/hmac.c +++ openssh-7.9p1/hmac.c
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void * @@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
size_t i; size_t i;
u_char digest[16]; u_char digest[16];
@ -448,10 +448,10 @@ Index: openssh-7.8p1/hmac.c
printf("ssh_hmac_start failed"); printf("ssh_hmac_start failed");
if (ssh_hmac_init(ctx, key, klen) < 0 || if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 ||
Index: openssh-7.8p1/kex.c Index: openssh-7.9p1/kex.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/kex.c --- openssh-7.9p1.orig/kex.c
+++ openssh-7.8p1/kex.c +++ openssh-7.9p1/kex.c
@@ -54,6 +54,8 @@ @@ -54,6 +54,8 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "digest.h" #include "digest.h"
@ -547,11 +547,11 @@ Index: openssh-7.8p1/kex.c
free(s); free(s);
return 0; return 0;
} }
Index: openssh-7.8p1/kexgexc.c Index: openssh-7.9p1/kexgexc.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/kexgexc.c --- openssh-7.9p1.orig/kexgexc.c
+++ openssh-7.8p1/kexgexc.c +++ openssh-7.9p1/kexgexc.c
@@ -51,8 +51,7 @@ @@ -53,8 +53,7 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "misc.h" #include "misc.h"
@ -561,7 +561,7 @@ Index: openssh-7.8p1/kexgexc.c
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
@@ -66,7 +65,7 @@ kexgex_client(struct ssh *ssh) @@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8); nbits = dh_estimate(kex->dh_need * 8);
@ -570,11 +570,11 @@ Index: openssh-7.8p1/kexgexc.c
kex->max = DH_GRP_MAX; kex->max = DH_GRP_MAX;
kex->nbits = nbits; kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE) if (datafellows & SSH_BUG_DHGEX_LARGE)
Index: openssh-7.8p1/kexgexs.c Index: openssh-7.9p1/kexgexs.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/kexgexs.c --- openssh-7.9p1.orig/kexgexs.c
+++ openssh-7.8p1/kexgexs.c +++ openssh-7.9p1/kexgexs.c
@@ -54,8 +54,7 @@ @@ -56,8 +56,7 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "misc.h" #include "misc.h"
@ -584,7 +584,7 @@ Index: openssh-7.8p1/kexgexs.c
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
@@ -85,9 +84,9 @@ input_kex_dh_gex_request(int type, u_int @@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits; kex->nbits = nbits;
kex->min = min; kex->min = min;
kex->max = max; kex->max = max;
@ -596,10 +596,10 @@ Index: openssh-7.8p1/kexgexs.c
nbits = MINIMUM(DH_GRP_MAX, nbits); nbits = MINIMUM(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min || if (kex->max < kex->min || kex->nbits < kex->min ||
Index: openssh-7.8p1/mac.c Index: openssh-7.9p1/mac.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/mac.c --- openssh-7.9p1.orig/mac.c
+++ openssh-7.8p1/mac.c +++ openssh-7.9p1/mac.c
@@ -40,6 +40,9 @@ @@ -40,6 +40,9 @@
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -679,11 +679,11 @@ Index: openssh-7.8p1/mac.c
if (strcmp(name, m->name) != 0) if (strcmp(name, m->name) != 0)
continue; continue;
if (mac != NULL) if (mac != NULL)
Index: openssh-7.8p1/myproposal.h Index: openssh-7.9p1/myproposal.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/myproposal.h --- openssh-7.9p1.orig/myproposal.h
+++ openssh-7.8p1/myproposal.h +++ openssh-7.9p1/myproposal.h
@@ -141,6 +141,8 @@ @@ -151,6 +151,8 @@
#else /* WITH_OPENSSL */ #else /* WITH_OPENSSL */
@ -692,10 +692,10 @@ Index: openssh-7.8p1/myproposal.h
#define KEX_SERVER_KEX \ #define KEX_SERVER_KEX \
"curve25519-sha256," \ "curve25519-sha256," \
"curve25519-sha256@libssh.org" "curve25519-sha256@libssh.org"
Index: openssh-7.8p1/readconf.c Index: openssh-7.9p1/readconf.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/readconf.c --- openssh-7.9p1.orig/readconf.c
+++ openssh-7.8p1/readconf.c +++ openssh-7.9p1/readconf.c
@@ -68,6 +68,7 @@ @@ -68,6 +68,7 @@
#include "myproposal.h" #include "myproposal.h"
#include "digest.h" #include "digest.h"
@ -704,7 +704,7 @@ Index: openssh-7.8p1/readconf.c
/* Format of the configuration file: /* Format of the configuration file:
@@ -1800,6 +1801,23 @@ option_clear_or_none(const char *o) @@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0; return o == NULL || strcasecmp(o, "none") == 0;
} }
@ -728,7 +728,7 @@ Index: openssh-7.8p1/readconf.c
/* /*
* Initializes options to special values that indicate that they have not yet * Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options * been set. Read_config_file will only set options with this value. Options
@@ -1999,9 +2017,9 @@ fill_default_options(Options * options) @@ -2025,9 +2043,9 @@ fill_default_options(Options * options)
if (options->number_of_password_prompts == -1) if (options->number_of_password_prompts == -1)
options->number_of_password_prompts = 3; options->number_of_password_prompts = 3;
if (options->kex_dhmin == -1) if (options->kex_dhmin == -1)
@ -740,7 +740,7 @@ Index: openssh-7.8p1/readconf.c
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX); options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
} }
dh_grp_min = options->kex_dhmin; dh_grp_min = options->kex_dhmin;
@@ -2086,6 +2104,8 @@ fill_default_options(Options * options) @@ -2112,6 +2130,8 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO; options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1) if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT; options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -749,19 +749,19 @@ Index: openssh-7.8p1/readconf.c
if (options->update_hostkeys == -1) if (options->update_hostkeys == -1)
options->update_hostkeys = 0; options->update_hostkeys = 0;
@@ -2110,6 +2130,7 @@ fill_default_options(Options * options) @@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha
free(all_mac); KEX_DEFAULT_PK_ALG, all_key) != 0)
free(all_kex); fatal("%s: kex_assemble_names failed", __func__);
free(all_key); free(all_key);
+ filter_fips_algorithms(options); + filter_fips_algorithms(o);
#define CLEAR_ON_NONE(v) \ /* Most interesting options first: user, host, port */
do { \ dump_cfg_string(oUser, o->user);
Index: openssh-7.8p1/readconf.h Index: openssh-7.9p1/readconf.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/readconf.h --- openssh-7.9p1.orig/readconf.h
+++ openssh-7.8p1/readconf.h +++ openssh-7.9p1/readconf.h
@@ -197,6 +197,7 @@ typedef struct { @@ -198,6 +198,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3 #define SSH_STRICT_HOSTKEY_ASK 3
@ -769,10 +769,10 @@ Index: openssh-7.8p1/readconf.h
void initialize_options(Options *); void initialize_options(Options *);
void fill_default_options(Options *); void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *); void fill_default_options_for_canonicalization(Options *);
Index: openssh-7.8p1/servconf.c Index: openssh-7.9p1/servconf.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/servconf.c --- openssh-7.9p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c +++ openssh-7.9p1/servconf.c
@@ -65,6 +65,7 @@ @@ -65,6 +65,7 @@
#include "myproposal.h" #include "myproposal.h"
#include "digest.h" #include "digest.h"
@ -781,7 +781,7 @@ Index: openssh-7.8p1/servconf.c
/* import from dh.c */ /* import from dh.c */
extern int dh_grp_min; extern int dh_grp_min;
@@ -194,6 +195,23 @@ option_clear_or_none(const char *o) @@ -195,6 +196,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0; return o == NULL || strcasecmp(o, "none") == 0;
} }
@ -805,16 +805,16 @@ Index: openssh-7.8p1/servconf.c
static void static void
assemble_algorithms(ServerOptions *o) assemble_algorithms(ServerOptions *o)
{ {
@@ -220,6 +238,8 @@ assemble_algorithms(ServerOptions *o) @@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o)
free(all_mac);
free(all_kex); free(all_kex);
free(all_key); free(all_key);
free(all_sig);
+ +
+ filter_fips_algorithms_s(o); + filter_fips_algorithms_s(o);
} }
static void static void
@@ -269,9 +289,9 @@ fill_default_server_options(ServerOption @@ -273,9 +293,9 @@ fill_default_server_options(ServerOption
options->use_pam_check_locks = 0; options->use_pam_check_locks = 0;
if (options->kex_dhmin == -1) if (options->kex_dhmin == -1)
@ -826,7 +826,7 @@ Index: openssh-7.8p1/servconf.c
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX); options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
} }
dh_grp_min = options->kex_dhmin; dh_grp_min = options->kex_dhmin;
@@ -419,6 +439,8 @@ fill_default_server_options(ServerOption @@ -423,6 +443,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0; options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1) if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT; options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -835,10 +835,10 @@ Index: openssh-7.8p1/servconf.c
if (options->disable_forwarding == -1) if (options->disable_forwarding == -1)
options->disable_forwarding = 0; options->disable_forwarding = 0;
if (options->expose_userauth_info == -1) if (options->expose_userauth_info == -1)
Index: openssh-7.8p1/ssh-keygen.c Index: openssh-7.9p1/ssh-keygen.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/ssh-keygen.c --- openssh-7.9p1.orig/ssh-keygen.c
+++ openssh-7.8p1/ssh-keygen.c +++ openssh-7.9p1/ssh-keygen.c
@@ -61,6 +61,8 @@ @@ -61,6 +61,8 @@
#include "utf8.h" #include "utf8.h"
#include "authfd.h" #include "authfd.h"
@ -848,7 +848,7 @@ Index: openssh-7.8p1/ssh-keygen.c
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa" # define DEFAULT_KEY_TYPE_NAME "rsa"
#else #else
@@ -965,11 +967,13 @@ do_fingerprint(struct passwd *pw) @@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
static void static void
do_gen_all_hostkeys(struct passwd *pw) do_gen_all_hostkeys(struct passwd *pw)
{ {
@ -864,7 +864,7 @@ Index: openssh-7.8p1/ssh-keygen.c
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
@@ -984,6 +988,17 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL } { NULL, NULL, NULL }
}; };
@ -882,7 +882,7 @@ Index: openssh-7.8p1/ssh-keygen.c
int first = 0; int first = 0;
struct stat st; struct stat st;
struct sshkey *private, *public; struct sshkey *private, *public;
@@ -991,6 +1006,12 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
int i, type, fd, r; int i, type, fd, r;
FILE *f; FILE *f;
@ -895,7 +895,7 @@ Index: openssh-7.8p1/ssh-keygen.c
for (i = 0; key_types[i].key_type; i++) { for (i = 0; key_types[i].key_type; i++) {
public = private = NULL; public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL;
@@ -2727,6 +2748,15 @@ main(int argc, char **argv) @@ -2817,6 +2838,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME; key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name); type = sshkey_type_from_name(key_type_name);
@ -911,11 +911,11 @@ Index: openssh-7.8p1/ssh-keygen.c
type_bits_valid(type, key_type_name, &bits); type_bits_valid(type, key_type_name, &bits);
if (!quiet) if (!quiet)
Index: openssh-7.8p1/ssh_config.0 Index: openssh-7.9p1/ssh_config.0
=================================================================== ===================================================================
--- openssh-7.8p1.orig/ssh_config.0 --- openssh-7.9p1.orig/ssh_config.0
+++ openssh-7.8p1/ssh_config.0 +++ openssh-7.9p1/ssh_config.0
@@ -343,6 +343,9 @@ DESCRIPTION @@ -353,6 +353,9 @@ DESCRIPTION
Specifies the hash algorithm used when displaying key Specifies the hash algorithm used when displaying key
fingerprints. Valid options are: md5 and sha256 (the default). fingerprints. Valid options are: md5 and sha256 (the default).
@ -925,7 +925,7 @@ Index: openssh-7.8p1/ssh_config.0
ForwardAgent ForwardAgent
Specifies whether the connection to the authentication agent (if Specifies whether the connection to the authentication agent (if
any) will be forwarded to the remote machine. The argument must any) will be forwarded to the remote machine. The argument must
@@ -612,6 +615,9 @@ DESCRIPTION @@ -627,6 +630,9 @@ DESCRIPTION
resort and all efforts should be made to fix the (broken) resort and all efforts should be made to fix the (broken)
counterparty. counterparty.
@ -935,11 +935,11 @@ Index: openssh-7.8p1/ssh_config.0
LocalCommand LocalCommand
Specifies a command to execute on the local machine after Specifies a command to execute on the local machine after
successfully connecting to the server. The command string successfully connecting to the server. The command string
Index: openssh-7.8p1/ssh_config.5 Index: openssh-7.9p1/ssh_config.5
=================================================================== ===================================================================
--- openssh-7.8p1.orig/ssh_config.5 --- openssh-7.9p1.orig/ssh_config.5
+++ openssh-7.8p1/ssh_config.5 +++ openssh-7.9p1/ssh_config.5
@@ -628,6 +628,8 @@ Valid options are: @@ -642,6 +642,8 @@ Valid options are:
and and
.Cm sha256 .Cm sha256
(the default). (the default).
@ -948,7 +948,7 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm ForwardAgent .It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any) Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine. will be forwarded to the remote machine.
@@ -1041,6 +1043,9 @@ maximum backward compatibility, using it @@ -1063,6 +1065,9 @@ maximum backward compatibility, using it
security and thus should be viewed as a temporary fix of last security and thus should be viewed as a temporary fix of last
resort and all efforts should be made to fix the (broken) resort and all efforts should be made to fix the (broken)
counterparty. counterparty.
@ -958,10 +958,10 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm LocalCommand .It Cm LocalCommand
Specifies a command to execute on the local machine after successfully Specifies a command to execute on the local machine after successfully
connecting to the server. connecting to the server.
Index: openssh-7.8p1/sshd.c Index: openssh-7.9p1/sshd.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/sshd.c --- openssh-7.9p1.orig/sshd.c
+++ openssh-7.8p1/sshd.c +++ openssh-7.9p1/sshd.c
@@ -123,6 +123,8 @@ @@ -123,6 +123,8 @@
#include "version.h" #include "version.h"
#include "ssherr.h" #include "ssherr.h"
@ -971,11 +971,11 @@ Index: openssh-7.8p1/sshd.c
/* Re-exec fds */ /* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
Index: openssh-7.8p1/sshd_config.0 Index: openssh-7.9p1/sshd_config.0
=================================================================== ===================================================================
--- openssh-7.8p1.orig/sshd_config.0 --- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0 +++ openssh-7.9p1/sshd_config.0
@@ -338,6 +338,9 @@ DESCRIPTION @@ -348,6 +348,9 @@ DESCRIPTION
Specifies the hash algorithm used when logging key fingerprints. Specifies the hash algorithm used when logging key fingerprints.
Valid options are: md5 and sha256. The default is sha256. Valid options are: md5 and sha256. The default is sha256.
@ -985,7 +985,7 @@ Index: openssh-7.8p1/sshd_config.0
ForceCommand ForceCommand
Forces the execution of the command specified by ForceCommand, Forces the execution of the command specified by ForceCommand,
ignoring any command supplied by the client and ~/.ssh/rc if ignoring any command supplied by the client and ~/.ssh/rc if
@@ -562,6 +565,9 @@ DESCRIPTION @@ -572,6 +575,9 @@ DESCRIPTION
resort and all efforts should be made to fix the (broken) resort and all efforts should be made to fix the (broken)
counterparty. counterparty.
@ -995,11 +995,11 @@ Index: openssh-7.8p1/sshd_config.0
ListenAddress ListenAddress
Specifies the local addresses sshd(8) should listen on. The Specifies the local addresses sshd(8) should listen on. The
following forms may be used: following forms may be used:
Index: openssh-7.8p1/sshd_config.5 Index: openssh-7.9p1/sshd_config.5
=================================================================== ===================================================================
--- openssh-7.8p1.orig/sshd_config.5 --- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5 +++ openssh-7.9p1/sshd_config.5
@@ -592,6 +592,8 @@ and @@ -603,6 +603,8 @@ and
.Cm sha256 . .Cm sha256 .
The default is The default is
.Cm sha256 . .Cm sha256 .
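Review bot: The client-side FIPS filter in the readconf.c hunk has changed function with this rebase: the old hunk inserted `filter_fips_algorithms(options);` into fill_default_options right after the kex_assemble_names cleanup, while the new hunk `@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha` inserts `filter_fips_algorithms(o);` into dump_client_config, which by its name only serves the configuration dump and not the connection setup. Unless fill_default_options in 7.9p1 is filtered somewhere outside this hunk, the algorithm lists actually used for a connection are no longer narrowed in FIPS mode, while the dump would still show filtered lists and so hide the regression. The server-side hunk above shows 7.9p1 adding `free(all_sig);` after `free(all_key);` in assemble_algorithms; if readconf.c changed the same way, the old context no longer matched and a fuzzy apply landing in the wrong function would explain the move. The call should be restored in fill_default_options directly after the `free(all_key);`/`free(all_sig);` cleanup, mirroring the `filter_fips_algorithms_s(o);` placement in assemble_algorithms, with the dump_client_config call kept only if the dump is meant to reflect the filtered lists.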



@ -10,10 +10,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks # internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
Index: openssh-7.8p1/HOWTO.ldap-keys Index: openssh-7.9p1/HOWTO.ldap-keys
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/HOWTO.ldap-keys +++ openssh-7.9p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@ @@ -0,0 +1,108 @@
+ +
+HOW TO START +HOW TO START
@ -123,10 +123,10 @@ Index: openssh-7.8p1/HOWTO.ldap-keys
+ - frederic peters. + - frederic peters.
+ - Finlay dobbie. + - Finlay dobbie.
+ - Stefan Fisher. + - Stefan Fisher.
Index: openssh-7.8p1/Makefile.in Index: openssh-7.9p1/Makefile.in
=================================================================== ===================================================================
--- openssh-7.8p1.orig/Makefile.in --- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in +++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas @@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -146,7 +146,7 @@ Index: openssh-7.8p1/Makefile.in
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
sshkey-xmss.o \ sshkey-xmss.o \
@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o sandbox-solaris.o uidswap.o
@ -157,7 +157,7 @@ Index: openssh-7.8p1/Makefile.in
MANTYPE = @MANTYPE@ MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -167,7 +167,7 @@ Index: openssh-7.8p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -363,6 +371,10 @@ install-files: @@ -361,6 +369,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -178,7 +178,7 @@ Index: openssh-7.8p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@@ -381,6 +393,10 @@ install-files: @@ -379,6 +391,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -189,7 +189,7 @@ Index: openssh-7.8p1/Makefile.in
install-sysconf: install-sysconf:
$(MKDIR_P) $(DESTDIR)$(sysconfdir) $(MKDIR_P) $(DESTDIR)$(sysconfdir)
@@ -404,6 +420,13 @@ install-sysconf: @@ -402,6 +418,13 @@ install-sysconf:
else \ else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi fi
@ -203,7 +203,7 @@ Index: openssh-7.8p1/Makefile.in
host-key: ssh-keygen$(EXEEXT) host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \ @if [ -z "$(DESTDIR)" ] ; then \
@@ -441,6 +464,8 @@ uninstall: @@ -439,6 +462,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -212,7 +212,7 @@ Index: openssh-7.8p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -452,6 +477,7 @@ uninstall: @@ -450,6 +475,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -220,11 +220,11 @@ Index: openssh-7.8p1/Makefile.in
regress-prep: regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/test_helper $(MKDIR_P) `pwd`/regress/unittests/test_helper
Index: openssh-7.8p1/configure.ac Index: openssh-7.9p1/configure.ac
=================================================================== ===================================================================
--- openssh-7.8p1.orig/configure.ac --- openssh-7.9p1.orig/configure.ac
+++ openssh-7.8p1/configure.ac +++ openssh-7.9p1/configure.ac
@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit], @@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
esac ] esac ]
) )
@ -331,10 +331,10 @@ Index: openssh-7.8p1/configure.ac
AC_ARG_WITH([pie], AC_ARG_WITH([pie],
[ --with-pie Build Position Independent Executables if possible], [ [ --with-pie Build Position Independent Executables if possible], [
if test "x$withval" = "xno"; then if test "x$withval" = "xno"; then
Index: openssh-7.8p1/ldap-helper.c Index: openssh-7.9p1/ldap-helper.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldap-helper.c +++ openssh-7.9p1/ldap-helper.c
@@ -0,0 +1,155 @@ @@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -491,10 +491,10 @@ Index: openssh-7.8p1/ldap-helper.c
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
+ +
Index: openssh-7.8p1/ldap-helper.h Index: openssh-7.9p1/ldap-helper.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldap-helper.h +++ openssh-7.9p1/ldap-helper.h
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -528,10 +528,10 @@ Index: openssh-7.8p1/ldap-helper.h
+extern int config_warning_config_file; +extern int config_warning_config_file;
+ +
+#endif /* LDAP_HELPER_H */ +#endif /* LDAP_HELPER_H */
Index: openssh-7.8p1/ldap.conf Index: openssh-7.9p1/ldap.conf
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldap.conf +++ openssh-7.9p1/ldap.conf
@@ -0,0 +1,88 @@ @@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+# +#
@ -621,10 +621,10 @@ Index: openssh-7.8p1/ldap.conf
+#tls_cert +#tls_cert
+#tls_key +#tls_key
+ +
Index: openssh-7.8p1/ldapbody.c Index: openssh-7.9p1/ldapbody.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapbody.c +++ openssh-7.9p1/ldapbody.c
@@ -0,0 +1,494 @@ @@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1120,10 +1120,10 @@ Index: openssh-7.8p1/ldapbody.c
+ return; + return;
+} +}
+ +
Index: openssh-7.8p1/ldapbody.h Index: openssh-7.9p1/ldapbody.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapbody.h +++ openssh-7.9p1/ldapbody.h
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1162,10 +1162,10 @@ Index: openssh-7.8p1/ldapbody.h
+ +
+#endif /* LDAPBODY_H */ +#endif /* LDAPBODY_H */
+ +
Index: openssh-7.8p1/ldapconf.c Index: openssh-7.9p1/ldapconf.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapconf.c +++ openssh-7.9p1/ldapconf.c
@@ -0,0 +1,711 @@ @@ -0,0 +1,711 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1878,10 +1878,10 @@ Index: openssh-7.8p1/ldapconf.c
+ dump_cfg_string(lSSH_Filter, options.ssh_filter); + dump_cfg_string(lSSH_Filter, options.ssh_filter);
+} +}
+ +
Index: openssh-7.8p1/ldapconf.h Index: openssh-7.9p1/ldapconf.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapconf.h +++ openssh-7.9p1/ldapconf.h
@@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1954,10 +1954,10 @@ Index: openssh-7.8p1/ldapconf.h
+void dump_config(void); +void dump_config(void);
+ +
+#endif /* LDAPCONF_H */ +#endif /* LDAPCONF_H */
Index: openssh-7.8p1/ldapincludes.h Index: openssh-7.9p1/ldapincludes.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapincludes.h +++ openssh-7.9p1/ldapincludes.h
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -2000,10 +2000,10 @@ Index: openssh-7.8p1/ldapincludes.h
+#endif +#endif
+ +
+#endif /* LDAPINCLUDES_H */ +#endif /* LDAPINCLUDES_H */
Index: openssh-7.8p1/ldapmisc.c Index: openssh-7.9p1/ldapmisc.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapmisc.c +++ openssh-7.9p1/ldapmisc.c
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+ +
+#include "ldapincludes.h" +#include "ldapincludes.h"
@ -2084,10 +2084,10 @@ Index: openssh-7.8p1/ldapmisc.c
+} +}
+#endif +#endif
+ +
Index: openssh-7.8p1/ldapmisc.h Index: openssh-7.9p1/ldapmisc.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapmisc.h +++ openssh-7.9p1/ldapmisc.h
@@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -2124,10 +2124,10 @@ Index: openssh-7.8p1/ldapmisc.h
+ +
+#endif /* LDAPMISC_H */ +#endif /* LDAPMISC_H */
+ +
Index: openssh-7.8p1/openbsd-compat/base64.c Index: openssh-7.9p1/openbsd-compat/base64.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.c --- openssh-7.9p1.orig/openbsd-compat/base64.c
+++ openssh-7.8p1/openbsd-compat/base64.c +++ openssh-7.9p1/openbsd-compat/base64.c
@@ -46,7 +46,7 @@ @@ -46,7 +46,7 @@
#include "includes.h" #include "includes.h"
@ -2155,10 +2155,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.c
/* skips all whitespace anywhere. /* skips all whitespace anywhere.
converts characters, four at a time, starting at (or after) converts characters, four at a time, starting at (or after)
Index: openssh-7.8p1/openbsd-compat/base64.h Index: openssh-7.9p1/openbsd-compat/base64.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.h --- openssh-7.9p1.orig/openbsd-compat/base64.h
+++ openssh-7.8p1/openbsd-compat/base64.h +++ openssh-7.9p1/openbsd-compat/base64.h
@@ -45,16 +45,16 @@ @@ -45,16 +45,16 @@
#include "includes.h" #include "includes.h"
@ -2180,10 +2180,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.h
int b64_pton(char const *src, u_char *target, size_t targsize); int b64_pton(char const *src, u_char *target, size_t targsize);
# endif /* !HAVE_B64_PTON */ # endif /* !HAVE_B64_PTON */
# define __b64_pton(a,b,c) b64_pton(a,b,c) # define __b64_pton(a,b,c) b64_pton(a,b,c)
Index: openssh-7.8p1/openssh-lpk-openldap.schema Index: openssh-7.9p1/openssh-lpk-openldap.schema
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/openssh-lpk-openldap.schema +++ openssh-7.9p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2206,10 +2206,10 @@ Index: openssh-7.8p1/openssh-lpk-openldap.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
Index: openssh-7.8p1/openssh-lpk-sun.schema Index: openssh-7.9p1/openssh-lpk-sun.schema
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/openssh-lpk-sun.schema +++ openssh-7.9p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2234,10 +2234,10 @@ Index: openssh-7.8p1/openssh-lpk-sun.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
Index: openssh-7.8p1/ssh-ldap-helper.8 Index: openssh-7.9p1/ssh-ldap-helper.8
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ssh-ldap-helper.8 +++ openssh-7.9p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2318,19 +2318,19 @@ Index: openssh-7.8p1/ssh-ldap-helper.8
+OpenSSH 5.5 + PKA-LDAP . +OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
Index: openssh-7.8p1/ssh-ldap-wrapper Index: openssh-7.9p1/ssh-ldap-wrapper
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ssh-ldap-wrapper +++ openssh-7.9p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
+#!/bin/sh +#!/bin/sh
+ +
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+ +
Index: openssh-7.8p1/ssh-ldap.conf.5 Index: openssh-7.9p1/ssh-ldap.conf.5
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ssh-ldap.conf.5 +++ openssh-7.9p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@ @@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"


@ -15,15 +15,11 @@ this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c Index: openssh-7.9p1/sandbox-seccomp-filter.c
--- openssh-7.7p1/sandbox-seccomp-filter.c ===================================================================
+++ openssh-7.7p1/sandbox-seccomp-filter.c --- openssh-7.9p1.orig/sandbox-seccomp-filter.c
@@ -167,16 +167,19 @@ static const struct sock_filter preauth_ +++ openssh-7.9p1/sandbox-seccomp-filter.c
SC_ALLOW(__NR_exit_group), @@ -175,6 +175,9 @@ static const struct sock_filter preauth_
#endif
#ifdef __NR_geteuid
SC_ALLOW(__NR_geteuid),
#endif
#ifdef __NR_geteuid32 #ifdef __NR_geteuid32
SC_ALLOW(__NR_geteuid32), SC_ALLOW(__NR_geteuid32),
#endif #endif
@ -33,17 +29,7 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
#ifdef __NR_getpgid #ifdef __NR_getpgid
SC_ALLOW(__NR_getpgid), SC_ALLOW(__NR_getpgid),
#endif #endif
#ifdef __NR_getpid @@ -193,6 +196,9 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_getpid),
#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),
@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_gettimeofday),
#endif
#ifdef __NR_getuid
SC_ALLOW(__NR_getuid),
#endif
#ifdef __NR_getuid32 #ifdef __NR_getuid32
SC_ALLOW(__NR_getuid32), SC_ALLOW(__NR_getuid32),
#endif #endif
@ -53,8 +39,3 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
#ifdef __NR_madvise #ifdef __NR_madvise
SC_ALLOW(__NR_madvise), SC_ALLOW(__NR_madvise),
#endif #endif
#ifdef __NR_mmap
SC_ALLOW(__NR_mmap),
#endif
#ifdef __NR_mmap2
SC_ALLOW(__NR_mmap2),


@ -1,123 +1,100 @@
# HG changeset patch --- original/sftp-server.8 2016-12-19 04:59:41.000000000 +0000
# Parent 37bba3ff816d9ab93ddcf23389a4eb29d7716006 +++ original/sftp-server.8 2017-11-23 08:47:01.267239186 +0000
additional option for sftp-server to force file mode for new files @@ -38,6 +38,7 @@
FATE#312774
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
http://marc.info/?l=openssh-unix-dev&m=128896838930893
diff --git a/openssh-7.7p1/sftp-server.8 b/openssh-7.7p1/sftp-server.8
--- openssh-7.7p1/sftp-server.8
+++ openssh-7.7p1/sftp-server.8
@@ -33,16 +33,17 @@
.Bk -words
.Op Fl ehR
.Op Fl d Ar start_directory
.Op Fl f Ar log_facility
.Op Fl l Ar log_level
.Op Fl P Ar blacklisted_requests .Op Fl P Ar blacklisted_requests
.Op Fl p Ar whitelisted_requests .Op Fl p Ar whitelisted_requests
.Op Fl u Ar umask .Op Fl u Ar umask
+.Op Fl m Ar force_file_permissions +.Op Fl m Ar force_file_dir_perms
.Ek .Ek
.Nm .Nm
.Fl Q Ar protocol_feature .Fl Q Ar protocol_feature
.Sh DESCRIPTION @@ -138,6 +139,10 @@
.Nm
is a program that speaks the server side of SFTP protocol
to stdout and expects client requests from stdin.
.Nm
@@ -133,16 +134,20 @@ Places this instance of
into a read-only mode.
Attempts to open files for writing, as well as other operations that change
the state of the filesystem, will be denied.
.It Fl u Ar umask
Sets an explicit
.Xr umask 2 .Xr umask 2
to be applied to newly-created files and directories, instead of the to be applied to newly-created files and directories, instead of the
user's default mask. user's default mask.
+.It Fl m Ar force_file_permissions +.It Fl m Ar force_file_dir_perms
+Sets explicit file permissions to be applied to newly-created files instead +Sets explicit permissions to be applied to newly-created files and directories
+of the default or client requested mode. Numeric values include: +instead of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set. +777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
.El .El
.Pp .Pp
On some systems, On some systems,
.Nm --- original/sftp-server.c 2016-12-19 04:59:41.000000000 +0000
must be able to access +++ original/sftp-server.c 2017-11-23 13:07:08.481765581 +0000
.Pa /dev/log @@ -65,6 +65,10 @@
for logging to work, and use of /* Version of client */
.Nm static u_int version;
diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
--- openssh-7.7p1/sftp-server.c
+++ openssh-7.7p1/sftp-server.c
@@ -71,16 +71,20 @@ static u_int version;
static int init_done;
/* Disable writes */ +/* Force file and directory permissions */
static int readonly;
/* Requests that are allowed/denied */
static char *request_whitelist, *request_blacklist;
+/* Force file permissions */
+int permforce = 0; +int permforce = 0;
+long permforcemode; +long permforcemode;
+ +
/* portable attributes, etc. */ /* SSH2_FXP_INIT received */
typedef struct Stat Stat; static int init_done;
struct Stat { @@ -679,6 +683,7 @@
Attrib a;
char *name; char *name;
char *long_name; int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
Attrib attrib; + mode_t old_umask = 0;
};
@@ -685,16 +689,20 @@ process_open(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
(r = decode_attrib(iqueue, &a)) != 0) @@ -688,6 +693,10 @@
fatal("%s: buffer error: %s", __func__, ssh_err(r));
debug3("request %u: open flags %d", id, pflags); debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags); flags = flags_from_portable(pflags);
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666; mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
+ if (permforce == 1) { + if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode; + mode = permforcemode;
+ (void)umask(0); /* so umask does not interfere */ + old_umask = umask(0); /* so umask does not interfere */
+ } + }
logit("open \"%s\" flags %s mode 0%o", logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode); name, string_from_portable(pflags), mode);
if (readonly && if (readonly &&
((flags & O_ACCMODE) != O_RDONLY || @@ -709,6 +718,8 @@
(flags & (O_CREAT|O_TRUNC)) != 0)) { }
verbose("Refusing open request in read-only mode"); }
status = SSH2_FX_PERMISSION_DENIED; }
} else { + if (permforce == 1)
@@ -1487,17 +1495,18 @@ sftp_server_cleanup_exit(int i) + (void) umask(old_umask); /* restore umask to something sane */
static void if (status != SSH2_FX_OK)
sftp_server_usage(void) send_status(id, status);
{ free(name);
extern char *__progname; @@ -1110,6 +1121,7 @@
Attrib a;
char *name;
int r, mode, status = SSH2_FX_FAILURE;
+ mode_t old_umask = 0;
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = decode_attrib(iqueue, &a)) != 0)
@@ -1117,9 +1129,16 @@
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
a.perm & 07777 : 0777;
+ if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode;
+ old_umask = umask(0); /* so umask does not interfere */
+ }
+
debug3("request %u: mkdir", id);
logit("mkdir name \"%s\" mode 0%o", name, mode);
r = mkdir(name, mode);
+ if (permforce == 1)
+ (void) umask(old_umask); /* restore umask to something sane */
status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
send_status(id, status);
free(name);
@@ -1490,7 +1509,7 @@
fprintf(stderr, fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] " "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] " "[-l log_level]\n\t[-P blacklisted_requests] "
- "[-p whitelisted_requests] [-u umask]\n" - "[-p whitelisted_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask]\n\t" + "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n"
+ "[-m force_file_permissions]\n"
" %s -Q protocol_feature\n", " %s -Q protocol_feature\n",
__progname, __progname); __progname, __progname);
exit(1); exit(1);
} @@ -1516,7 +1535,7 @@
int
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
{
@@ -1516,17 +1525,17 @@ sftp_server_main(int argc, char **argv,
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv, while (!skipargs && (ch = getopt(argc, argv,
@ -126,32 +103,19 @@ diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
switch (ch) { switch (ch) {
case 'Q': case 'Q':
if (strcasecmp(optarg, "requests") != 0) { if (strcasecmp(optarg, "requests") != 0) {
fprintf(stderr, "Invalid query type\n"); @@ -1576,6 +1595,15 @@
exit(1);
}
for (i = 0; handlers[i].handler != NULL; i++)
printf("%s\n", handlers[i].name);
@@ -1576,16 +1585,23 @@ sftp_server_main(int argc, char **argv,
case 'u':
errno = 0;
mask = strtol(optarg, &cp, 8);
if (mask < 0 || mask > 0777 || *cp != '\0' ||
cp == optarg || (mask == 0 && errno != 0))
fatal("Invalid umask \"%s\"", optarg); fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask); (void)umask((mode_t)mask);
break; break;
+ case 'm': + case 'm':
+ /* Force permissions on file and directory received via sftp */
+ permforce = 1; + permforce = 1;
+ permforcemode = strtol(optarg, &cp, 8); + permforcemode = strtol(optarg, &cp, 8);
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' || + if (permforcemode < 0 || permforcemode > 0777 ||
+ cp == optarg || (permforcemode == 0 && errno != 0)) + *cp != '\0' || (permforcemode == 0 &&
+ fatal("Invalid umask \"%s\"", optarg); + errno != 0))
+ fatal("Invalid file mode \"%s\"", optarg);
+ break; + break;
case 'h': case 'h':
default: default:
sftp_server_usage(); sftp_server_usage();
}
}
log_init(__progname, log_level, log_facility, log_stderr);
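Review bot: The new `case 'm':` parsing accepts an empty argument as mode 0: the refreshed condition drops the `cp == optarg` test the previous version of the patch had, so `-m ""` leaves `*cp == '\0'` and `permforcemode == 0` and is accepted unless errno happens to be non-zero, and errno is never reset before this `strtol` (the `case 'u'` path does `errno = 0;` first), so the `errno != 0` clause reads a stale value. Suggested: add `errno = 0;` before the `strtol` call and extend the condition to `*cp != '\0' || cp == optarg || (permforcemode == 0 &&`. Two smaller points in the same section: `int permforce` and `long permforcemode` are file-scope globals without `static`, unlike the neighbouring `readonly` and `init_done`, and the man page's example values `666, 644, 640` will, once the new `mkdir` branch applies them to directories, yield directories without the execute bit, which deserves a sentence in the `.It Fl m` entry. As far as these hunks show only `process_open` and the mkdir handler honour the forced mode; whether a later setstat/fsetstat request carrying permissions from the client is constrained too is not visible here and is worth confirming. `sftp_server_main` and both request handlers continue outside the hunk.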


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
size 1548026


@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=ZiYm
-----END PGP SIGNATURE-----

3
openssh-7.9p1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
size 1565384

14
openssh-7.9p1.tar.gz.asc Normal file

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----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=4Z9x
-----END PGP SIGNATURE-----


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Version update to 7.9p1
* No actual changes for the askpass
* See main package changelog for details
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>


@ -18,7 +18,7 @@
%define _name openssh %define _name openssh
Name: openssh-askpass-gnome Name: openssh-askpass-gnome
Version: 7.8p1 Version: 7.9p1
Release: 0 Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause License: BSD-2-Clause


@ -0,0 +1,41 @@
Index: openssh-7.9p1/openbsd-compat/openssl-compat.c
===================================================================
--- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c 2018-11-26 11:47:17.417925053 +0100
+++ openssh-7.9p1/openbsd-compat/openssl-compat.c 2018-11-26 11:52:47.127727580 +0100
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OPENSSL_config(NULL);
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
Index: openssh-7.9p1/gss-genr.c
===================================================================
--- openssh-7.9p1.orig/gss-genr.c 2018-11-26 11:47:17.417925053 +0100
+++ openssh-7.9p1/gss-genr.c 2018-11-26 12:01:40.354642746 +0100
@@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
if ((buf = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ md = EVP_MD_CTX_create();
+#else
md = EVP_MD_CTX_new();
+#endif
oidpos = 0;
for (i = 0; i < gss_supported->count; i++) {
if (gss_supported->elements[i].length < 128 &&
@@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
oidpos++;
}
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_MD_CTX_destroy(md);
+#else
EVP_MD_CTX_free(md);
+#endif
gss_enc2oid[oidpos].oid = NULL;
gss_enc2oid[oidpos].encoded = NULL;
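Review bot: The two `#if OPENSSL_VERSION_NUMBER < 0x10100000L` blocks in gss-genr.c open-code the same API shim at each call site; a pair of defines under the same guard, `#define EVP_MD_CTX_new EVP_MD_CTX_create` and `#define EVP_MD_CTX_free EVP_MD_CTX_destroy` (in openbsd-compat/openssl-compat.h, if it does not already carry them), would leave the call sites identical to upstream and cover any other user in the tree. The result of the new `md = EVP_MD_CTX_create();` is not checked for NULL, matching the pre-existing `EVP_MD_CTX_new()` call; if `md` is used unconditionally further down, a `fatal()` on NULL as done for `sshbuf_new()` two lines above would be consistent. `ssh_gssapi_kex_mechs` appears to come from the GSSAPI key-exchange patch rather than upstream, so this patch presumably has to be applied after it in the spec; a one-line comment at the top of the patch file stating that ordering would help the next refresh. The function continues outside both hunks.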


@ -1,3 +1,89 @@
-------------------------------------------------------------------
Mon Nov 26 11:07:42 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
- Fix build with openssl < 1.1.0
* add openssh-openssl-1_0_0-compatibility.patch
-------------------------------------------------------------------
Wed Oct 31 00:27:41 UTC 2018 - Cristian Rodríguez <crrodriguez@opensuse.org>
- openssh-7.7p1-audit.patch: fix sshd fatal error in
mm_answer_keyverify: buffer error: incomplete message [bnc#1114008]
-------------------------------------------------------------------
Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Version update to 7.9p1
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
option (see below) bans the use of DSA keys as certificate
authorities.
* sshd(8): the authentication success/failure log message has
changed format slightly. It now includes the certificate
fingerprint (previously it included only key ID and CA key
fingerprint).
* ssh(1), sshd(8): allow most port numbers to be specified using
service names from getservbyname(3) (typically /etc/services).
* sshd(8): support signalling sessions via the SSH protocol.
A limited subset of signals is supported and only for login or
command sessions (i.e. not subsystems) that were not subject to
a forced command via authorized_keys or sshd_config. bz#1424
* ssh(1): support "ssh -Q sig" to list supported signature options.
Also "ssh -Q help" to show the full set of supported queries.
* ssh(1), sshd(8): add a CASignatureAlgorithms option for the
client and server configs to allow control over which signature
formats are allowed for CAs to sign certificates. For example,
this allows banning CAs that sign certificates using the RSA-SHA1
signature algorithm.
* sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
revoke keys specified by SHA256 hash.
* ssh-keygen(1): allow creation of key revocation lists directly
from base64-encoded SHA256 fingerprints. This supports revoking
keys using only the information contained in sshd(8)
authentication log messages.
- Removed obsolete configuration option --with-tcp-wrappers, and
--with-opensc for s390 and s390x.
- Removed patch merged upstream
* openssh-7.7p1-openssl_1.1.0.patch
- Refreshed patches
* openssh-7.7p1-audit.patch
* openssh-7.7p1-disable_short_DH_parameters.patch
* openssh-7.7p1-fips.patch
* openssh-7.7p1-gssapi_key_exchange.patch
* openssh-7.7p1-seccomp_ipc_flock.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-ldap.patch
-------------------------------------------------------------------
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Mention upstream bugs on multiple local patches
- Adjust service to not spam restart and reload only on fails
-------------------------------------------------------------------
Fri Oct 19 13:11:34 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Update openssh-7.7p1-sftp_force_permissions.patch from the
upstream bug, and mention the bug in the spec
-------------------------------------------------------------------
Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Drop patch openssh-7.7p1-allow_root_password_login.patch
* There is no reason to set less secure default value, if
users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
* We had a bug way in past about this but it was never reproduced
or even confirmed in the ticket, thus rather drop the patch
-------------------------------------------------------------------
Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Disable ssh1 protocol support as neither RH or Debian enable
this protocol by default anymore either.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Oct 17 08:42:12 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> Wed Oct 17 08:42:12 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>


@ -27,8 +27,7 @@
%bcond_without susefirewall %bcond_without susefirewall
%bcond_with tirpc %bcond_with tirpc
%endif %endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d %define _fwdefdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
%define _fwdefdir %{_fwdir}/services
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac %define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
@ -37,7 +36,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: openssh Name: openssh
Version: 7.8p1 Version: 7.9p1
Release: 0 Release: 0
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT License: BSD-2-Clause AND MIT
@ -56,37 +55,49 @@ Source9: sshd-gen-keys-start
Source10: sshd.service Source10: sshd.service
Source11: README.FIPS Source11: README.FIPS
Source12: cavs_driver-ssh.pl Source12: cavs_driver-ssh.pl
Patch0: openssh-7.7p1-allow_root_password_login.patch
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch Patch4: openssh-7.7p1-eal3.patch
Patch5: openssh-7.7p1-blocksigalrm.patch
Patch6: openssh-7.7p1-send_locale.patch Patch6: openssh-7.7p1-send_locale.patch
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Patch9: openssh-7.7p1-pts_names_formatting.patch Patch9: openssh-7.7p1-pts_names_formatting.patch
Patch10: openssh-7.7p1-pam_check_locks.patch Patch10: openssh-7.7p1-pam_check_locks.patch
Patch11: openssh-7.7p1-disable_short_DH_parameters.patch Patch11: openssh-7.7p1-disable_short_DH_parameters.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch14: openssh-7.7p1-seccomp_stat.patch Patch14: openssh-7.7p1-seccomp_stat.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
# Local FIPS patchset
Patch17: openssh-7.7p1-fips.patch Patch17: openssh-7.7p1-fips.patch
# Local cavs patchset
Patch18: openssh-7.7p1-cavstest-ctr.patch Patch18: openssh-7.7p1-cavstest-ctr.patch
# Local cavs patchset
Patch19: openssh-7.7p1-cavstest-kdf.patch Patch19: openssh-7.7p1-cavstest-kdf.patch
# Local FIPS patchset
Patch20: openssh-7.7p1-fips_checks.patch Patch20: openssh-7.7p1-fips_checks.patch
Patch21: openssh-7.7p1-seed-prng.patch Patch21: openssh-7.7p1-seed-prng.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22: openssh-7.7p1-systemd-notify.patch Patch22: openssh-7.7p1-systemd-notify.patch
Patch23: openssh-7.7p1-gssapi_key_exchange.patch Patch23: openssh-7.7p1-gssapi_key_exchange.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch24: openssh-7.7p1-audit.patch Patch24: openssh-7.7p1-audit.patch
Patch25: openssh-7.7p1-openssl_1.1.0.patch # Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
Patch28: openssh-7.7p1-host_ident.patch Patch28: openssh-7.7p1-host_ident.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Patch29: openssh-7.7p1-sftp_force_permissions.patch Patch29: openssh-7.7p1-sftp_force_permissions.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Patch31: openssh-7.7p1-ldap.patch Patch31: openssh-7.7p1-ldap.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
Patch34: openssh-openssl-1_0_0-compatibility.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: groff BuildRequires: groff
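Review bot: The newly added `Patch34: openssh-openssl-1_0_0-compatibility.patch` is the only patch in this list without the `openssh-7.7p1-` version prefix that every other local patch carries, and unlike the seccomp/FIPS/cavs entries this hunk annotates, it gets no one-line comment saying what it is for or which bug it tracks. Following the convention the hunk itself establishes, a line such as `# Build compatibility with openssl < 1.1.0` above it would keep the patch list self-describing. The naming mismatch is cosmetic, but it makes the patch easy to miss when the version-prefixed ones are refreshed on the next update.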
@ -176,7 +187,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \ %configure \
--sysconfdir=%{_sysconfdir}/ssh \ --sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/ssh \ --libexecdir=%{_libexecdir}/ssh \
--with-tcp-wrappers \
--with-selinux \ --with-selinux \
--with-pid-dir=/run \ --with-pid-dir=/run \
--with-systemd \ --with-systemd \
@ -188,19 +198,14 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
--with-sandbox=seccomp_filter \ --with-sandbox=seccomp_filter \
%else %else
--with-sandbox=rlimit \ --with-sandbox=rlimit \
%endif
%ifnarch s390 s390x
--with-opensc \
%endif %endif
--disable-strip \ --disable-strip \
--with-audit=linux \ --with-audit=linux \
--with-ldap \ --with-ldap \
--with-xauth=%{_bindir}/xauth \ --with-xauth=%{_bindir}/xauth \
--with-libedit \ --with-libedit \
--with-ssh1 \ --target=%{_target_cpu}-suse-linux
--target=%{_target_cpu}-suse-linux \
### configure end
make %{?_smp_mflags} make %{?_smp_mflags}
%install %install

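--- a/sshd.service
+++ b/sshd.service
@@ -10,7 +10,8 @@ ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
-Restart=always
+Restart=on-failure
+RestartPreventExitStatus=255
 TasksMax=infinity
 [Install]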
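Review bot: `RestartPreventExitStatus=255` is added without a comment explaining why that status is singled out, which a later maintainer of the unit will need when deciding whether to keep it. sshd terminates through fatal() with exit status 255, so this setting stops systemd from restart-looping a daemon whose startup is failing for a persistent reason (for example a listen address it cannot bind), while the switch from `Restart=always` to `Restart=on-failure` keeps restarts for genuine crashes. A comment such as `# sshd exits 255 from fatal(); do not restart-loop on a persistent startup failure` above the line would record that. Configuration errors are already caught earlier by the `ExecStartPre=/usr/sbin/sshd -t` line visible in the hunk header, so the 255 case mostly covers failures that only show up at runtime.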