Dominique Leuenberger 2018-11-28 10:11:24 +00:00 committed by Git OBS Bridge
commit 7ca123a3a4
22 changed files with 922 additions and 4184 deletions


@ -5,16 +5,6 @@ There are following changes in default settings of ssh client and server:
* PAM authentication is enabled and mostly even required, do not turn it off.
* root authentiation with password is enabled by default (PermitRootLogin yes).
NOTE: this has security implications and is only done in order to not change
behaviour of the server in an update. We strongly suggest setting this option
either "prohibit-password" or even better to "no" (which disables direct
remote root login entirely).
* SSH protocol version 1 is enabled for maximum compatibility.
NOTE: do not use protocol version 1. It is less secure then v2 and should
generally be phased out.
* DSA authentication is enabled by default for maximum compatibility.
NOTE: do not use DSA authentication since it is being phased out for a reason
- the size of DSA keys is limited by the standard to 1024 bits which cannot


@ -1,95 +0,0 @@
# HG changeset patch
# Parent 3bf0158be93bd08d60a30a320650ea7f9844ef50
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
--- openssh-7.7p1/servconf.c
+++ openssh-7.7p1/servconf.c
@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
options->address_family = AF_UNSPEC;
if (options->listen_addrs == NULL)
add_listen_addr(options, NULL, NULL, 0);
if (options->pid_file == NULL)
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
options->ignore_user_known_hosts = 0;
if (options->print_motd == -1)
options->print_motd = 1;
if (options->print_lastlog == -1)
options->print_lastlog = 1;
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
--- openssh-7.7p1/sshd_config
+++ openssh-7.7p1/sshd_config
@@ -24,17 +24,17 @@
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
--- openssh-7.7p1/sshd_config.0
+++ openssh-7.7p1/sshd_config.0
@@ -709,17 +709,17 @@ DESCRIPTION
none can be used to prohibit all forwarding requests. The
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
ports, respectively. By default all port forwarding requests are
permitted.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
authentication are disabled for root.
If this option is set to forced-commands-only, root login with
public key authentication will be allowed, but only if the
command option has been specified (which may be useful for taking
diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
--- openssh-7.7p1/sshd_config.5
+++ openssh-7.7p1/sshd_config.5
@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
.Xr ssh 1 .
The argument must be
.Cm yes ,
.Cm prohibit-password ,
.Cm forced-commands-only ,
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password
(or its deprecated alias,
.Cm without-password ) ,
password and keyboard-interactive authentication are disabled for root.
.Pp
If this option is set to


@ -3,11 +3,11 @@
Extended auditing through the Linux Auditing subsystem
RH patch from git://pkgs.fedoraproject.org/openssh.git
Index: openssh-7.8p1/Makefile.in
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.8p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -111,6 +111,8 @@ LIBSSH_OBJS += fips.o
LIBSSH_OBJS += kexgssc.o kexgsss.o
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
Index: openssh-7.8p1/audit-bsm.c
Index: openssh-7.9p1/audit-bsm.c
===================================================================
--- openssh-7.8p1.orig/audit-bsm.c
+++ openssh-7.8p1/audit-bsm.c
--- openssh-7.9p1.orig/audit-bsm.c
+++ openssh-7.9p1/audit-bsm.c
@@ -372,10 +372,23 @@ audit_connection_from(const char *host,
#endif
}
@ -93,11 +93,11 @@ Index: openssh-7.8p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
Index: openssh-7.8p1/audit-linux.c
Index: openssh-7.9p1/audit-linux.c
===================================================================
--- openssh-7.8p1.orig/audit-linux.c
+++ openssh-7.8p1/audit-linux.c
@@ -33,27 +33,40 @@
--- openssh-7.9p1.orig/audit-linux.c
+++ openssh-7.9p1/audit-linux.c
@@ -33,27 +33,41 @@
#include "log.h"
#include "audit.h"
@ -106,6 +106,7 @@ Index: openssh-7.8p1/audit-linux.c
+#include "auth.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+#include "ssherr.h"
#include "canohost.h"
#include "packet.h"
-
@ -146,7 +147,7 @@ Index: openssh-7.8p1/audit-linux.c
saved_errno = errno;
close(audit_fd);
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
@@ -65,9 +79,96 @@ linux_audit_record_event(int uid, const
rc = 0;
errno = saved_errno;
@ -244,7 +245,7 @@ Index: openssh-7.8p1/audit-linux.c
/* Below is the sshd audit API code */
void
@@ -76,24 +176,55 @@ audit_connection_from(const char *host,
@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
/* not implemented */
}
@ -306,7 +307,7 @@ Index: openssh-7.8p1/audit-linux.c
}
void
@@ -102,25 +233,155 @@ audit_event(ssh_audit_event_t event)
@@ -102,25 +234,155 @@ audit_event(ssh_audit_event_t event)
struct ssh *ssh = active_state; /* XXX */
switch(event) {
@ -468,10 +469,10 @@ Index: openssh-7.8p1/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
Index: openssh-7.8p1/audit.c
Index: openssh-7.9p1/audit.c
===================================================================
--- openssh-7.8p1.orig/audit.c
+++ openssh-7.8p1/audit.c
--- openssh-7.9p1.orig/audit.c
+++ openssh-7.9p1/audit.c
@@ -34,13 +34,19 @@
#include "log.h"
#include "hostfile.h"
@ -648,10 +649,10 @@ Index: openssh-7.8p1/audit.c
}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/audit.h
Index: openssh-7.9p1/audit.h
===================================================================
--- openssh-7.8p1.orig/audit.h
+++ openssh-7.8p1/audit.h
--- openssh-7.9p1.orig/audit.h
+++ openssh-7.9p1/audit.h
@@ -26,6 +26,7 @@
# define _SSH_AUDIT_H
@ -694,10 +695,10 @@ Index: openssh-7.8p1/audit.h
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
Index: openssh-7.8p1/auditstub.c
Index: openssh-7.9p1/auditstub.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/auditstub.c
+++ openssh-7.9p1/auditstub.c
@@ -0,0 +1,50 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@ -749,11 +750,11 @@ Index: openssh-7.8p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
Index: openssh-7.8p1/auth.c
Index: openssh-7.9p1/auth.c
===================================================================
--- openssh-7.8p1.orig/auth.c
+++ openssh-7.8p1/auth.c
@@ -362,7 +362,7 @@ auth_log(Authctxt *authctxt, int authent
--- openssh-7.9p1.orig/auth.c
+++ openssh-7.9p1/auth.c
@@ -366,7 +366,7 @@ auth_log(Authctxt *authctxt, int authent
# endif
#endif
#ifdef SSH_AUDIT_EVENTS
@ -762,7 +763,7 @@ Index: openssh-7.8p1/auth.c
audit_event(audit_classify_auth(method));
#endif
}
@@ -601,9 +601,6 @@ getpwnamallow(const char *user)
@@ -605,9 +605,6 @@ getpwnamallow(const char *user)
record_failed_login(user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif
@ -772,10 +773,10 @@ Index: openssh-7.8p1/auth.c
return (NULL);
}
if (!allowed_user(pw))
Index: openssh-7.8p1/auth.h
Index: openssh-7.9p1/auth.h
===================================================================
--- openssh-7.8p1.orig/auth.h
+++ openssh-7.8p1/auth.h
--- openssh-7.9p1.orig/auth.h
+++ openssh-7.9p1/auth.h
@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(const char
char *expand_authorized_keys(const char *, struct passwd *pw);
@ -794,11 +795,11 @@ Index: openssh-7.8p1/auth.h
/* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *);
Index: openssh-7.8p1/auth2-hostbased.c
Index: openssh-7.9p1/auth2-hostbased.c
===================================================================
--- openssh-7.8p1.orig/auth2-hostbased.c
+++ openssh-7.8p1/auth2-hostbased.c
@@ -141,7 +141,7 @@ userauth_hostbased(struct ssh *ssh)
--- openssh-7.9p1.orig/auth2-hostbased.c
+++ openssh-7.9p1/auth2-hostbased.c
@@ -148,7 +148,7 @@ userauth_hostbased(struct ssh *ssh)
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@ -807,7 +808,7 @@ Index: openssh-7.8p1/auth2-hostbased.c
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
authenticated = 1;
@@ -158,6 +158,19 @@ done:
@@ -165,6 +165,19 @@ done:
return authenticated;
}
@ -827,11 +828,11 @@ Index: openssh-7.8p1/auth2-hostbased.c
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Index: openssh-7.8p1/auth2-pubkey.c
Index: openssh-7.9p1/auth2-pubkey.c
===================================================================
--- openssh-7.8p1.orig/auth2-pubkey.c
+++ openssh-7.8p1/auth2-pubkey.c
@@ -187,7 +187,7 @@ userauth_pubkey(struct ssh *ssh)
--- openssh-7.9p1.orig/auth2-pubkey.c
+++ openssh-7.9p1/auth2-pubkey.c
@@ -193,7 +193,7 @@ userauth_pubkey(struct ssh *ssh)
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@ -840,7 +841,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat)) == 0) {
@@ -246,6 +246,19 @@ done:
@@ -252,6 +252,19 @@ done:
return authenticated;
}
@ -860,7 +861,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
static int
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
{
@@ -767,7 +780,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
@@ -773,7 +786,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
found_principal = 1;
/* If principals file or command is specified, then require a match */
use_authorized_principals = principals_file != NULL ||
@ -869,10 +870,10 @@ Index: openssh-7.8p1/auth2-pubkey.c
if (!found_principal && use_authorized_principals) {
reason = "Certificate does not contain an authorized principal";
goto fail_reason;
Index: openssh-7.8p1/auth2.c
Index: openssh-7.9p1/auth2.c
===================================================================
--- openssh-7.8p1.orig/auth2.c
+++ openssh-7.8p1/auth2.c
--- openssh-7.9p1.orig/auth2.c
+++ openssh-7.9p1/auth2.c
@@ -284,9 +284,6 @@ input_userauth_request(int type, u_int32
} else {
/* Invalid user, fake password information */
@ -883,10 +884,10 @@ Index: openssh-7.8p1/auth2.c
}
#ifdef USE_PAM
if (options.use_pam)
Index: openssh-7.8p1/cipher.c
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.8p1.orig/cipher.c
+++ openssh-7.8p1/cipher.c
--- openssh-7.9p1.orig/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -54,25 +54,6 @@
#include "fips.h"
#include "log.h"
@ -922,10 +923,10 @@ Index: openssh-7.8p1/cipher.c
return;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
Index: openssh-7.8p1/cipher.h
Index: openssh-7.9p1/cipher.h
===================================================================
--- openssh-7.8p1.orig/cipher.h
+++ openssh-7.8p1/cipher.h
--- openssh-7.9p1.orig/cipher.h
+++ openssh-7.9p1/cipher.h
@@ -45,7 +45,25 @@
#define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0
@ -953,10 +954,10 @@ Index: openssh-7.8p1/cipher.h
struct sshcipher_ctx {
int plaintext;
int encrypt;
Index: openssh-7.8p1/kex.c
Index: openssh-7.9p1/kex.c
===================================================================
--- openssh-7.8p1.orig/kex.c
+++ openssh-7.8p1/kex.c
--- openssh-7.9p1.orig/kex.c
+++ openssh-7.9p1/kex.c
@@ -53,6 +53,7 @@
#include "ssherr.h"
#include "sshbuf.h"
@ -1053,10 +1054,10 @@ Index: openssh-7.8p1/kex.c
+ mac_destroy(&newkeys->mac);
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
Index: openssh-7.8p1/kex.h
Index: openssh-7.9p1/kex.h
===================================================================
--- openssh-7.8p1.orig/kex.h
+++ openssh-7.8p1/kex.h
--- openssh-7.9p1.orig/kex.h
+++ openssh-7.9p1/kex.h
@@ -213,6 +213,8 @@ int kexgss_client(struct ssh *);
int kexgss_server(struct ssh *);
#endif
@ -1066,10 +1067,10 @@ Index: openssh-7.8p1/kex.h
int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
Index: openssh-7.8p1/mac.c
Index: openssh-7.9p1/mac.c
===================================================================
--- openssh-7.8p1.orig/mac.c
+++ openssh-7.8p1/mac.c
--- openssh-7.9p1.orig/mac.c
+++ openssh-7.9p1/mac.c
@@ -280,6 +280,20 @@ mac_clear(struct sshmac *mac)
mac->umac_ctx = NULL;
}
@ -1091,10 +1092,10 @@ Index: openssh-7.8p1/mac.c
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
Index: openssh-7.8p1/mac.h
Index: openssh-7.9p1/mac.h
===================================================================
--- openssh-7.8p1.orig/mac.h
+++ openssh-7.8p1/mac.h
--- openssh-7.9p1.orig/mac.h
+++ openssh-7.9p1/mac.h
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
const u_char *, size_t);
@ -1102,11 +1103,11 @@ Index: openssh-7.8p1/mac.h
+void mac_destroy(struct sshmac *);
#endif /* SSHMAC_H */
Index: openssh-7.8p1/monitor.c
Index: openssh-7.9p1/monitor.c
===================================================================
--- openssh-7.8p1.orig/monitor.c
+++ openssh-7.8p1/monitor.c
@@ -91,6 +91,7 @@
--- openssh-7.9p1.orig/monitor.c
+++ openssh-7.9p1/monitor.c
@@ -93,6 +93,7 @@
#include "compat.h"
#include "ssh2.h"
#include "authfd.h"
@ -1114,7 +1115,7 @@ Index: openssh-7.8p1/monitor.c
#include "match.h"
#include "ssherr.h"
@@ -105,6 +106,8 @@ extern u_char session_id[];
@@ -107,6 +108,8 @@ extern u_char session_id[];
extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
@ -1123,7 +1124,7 @@ Index: openssh-7.8p1/monitor.c
/* State exported from the child */
static struct sshbuf *child_state;
@@ -150,6 +153,11 @@ int mm_answer_gss_updatecreds(int, struc
@@ -152,6 +155,11 @@ int mm_answer_gss_updatecreds(int, struc
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, struct sshbuf *);
int mm_answer_audit_command(int, struct sshbuf *);
@ -1135,7 +1136,7 @@ Index: openssh-7.8p1/monitor.c
#endif
static int monitor_read_log(struct monitor *);
@@ -203,6 +211,11 @@ struct mon_table mon_dispatch_proto20[]
@@ -205,6 +213,11 @@ struct mon_table mon_dispatch_proto20[]
#endif
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1147,7 +1148,7 @@ Index: openssh-7.8p1/monitor.c
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -231,6 +244,11 @@ struct mon_table mon_dispatch_postauth20
@@ -233,6 +246,11 @@ struct mon_table mon_dispatch_postauth20
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@ -1159,15 +1160,19 @@ Index: openssh-7.8p1/monitor.c
#endif
#ifdef GSSAPI
{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
@@ -1375,6 +1393,7 @@ mm_answer_keyverify(int sock, struct ssh
@@ -1379,8 +1397,10 @@ mm_answer_keyverify(int sock, struct ssh
char *sigalg;
size_t signaturelen, datalen, bloblen;
int r, ret, valid_data = 0, encoded_ret;
+ int type = 0;
if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
- if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
@@ -1385,6 +1404,8 @@ mm_answer_keyverify(int sock, struct ssh
(r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
@@ -1389,6 +1409,8 @@ mm_answer_keyverify(int sock, struct ssh
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__);
@ -1176,7 +1181,7 @@ Index: openssh-7.8p1/monitor.c
/* Empty signature algorithm means NULL. */
if (*sigalg == '\0') {
@@ -1399,22 +1420,25 @@ mm_answer_keyverify(int sock, struct ssh
@@ -1403,22 +1425,25 @@ mm_answer_keyverify(int sock, struct ssh
switch (key_blobtype) {
case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen);
@ -1204,7 +1209,7 @@ Index: openssh-7.8p1/monitor.c
debug3("%s: %s %p signature %s", __func__, auth_method, key,
(ret == 0) ? "verified" : "unverified");
auth2_record_key(authctxt, ret == 0, key);
@@ -1474,6 +1498,12 @@ mm_session_close(Session *s)
@@ -1478,6 +1503,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s);
}
@ -1217,7 +1222,7 @@ Index: openssh-7.8p1/monitor.c
session_unused(s->self);
}
@@ -1582,6 +1612,8 @@ mm_answer_term(int sock, struct sshbuf *
@@ -1586,6 +1617,8 @@ mm_answer_term(int sock, struct sshbuf *
sshpam_cleanup();
#endif
@ -1226,7 +1231,7 @@ Index: openssh-7.8p1/monitor.c
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
@@ -1628,14 +1660,50 @@ mm_answer_audit_command(int socket, stru
@@ -1632,14 +1665,50 @@ mm_answer_audit_command(int socket, stru
{
char *cmd;
int r;
@ -1280,7 +1285,7 @@ Index: openssh-7.8p1/monitor.c
}
#endif /* SSH_AUDIT_EVENTS */
@@ -1697,6 +1765,7 @@ monitor_apply_keystate(struct monitor *p
@@ -1701,6 +1770,7 @@ monitor_apply_keystate(struct monitor *p
void
mm_get_keystate(struct monitor *pmonitor)
{
@ -1288,7 +1293,7 @@ Index: openssh-7.8p1/monitor.c
debug3("%s: Waiting for new keys", __func__);
if ((child_state = sshbuf_new()) == NULL)
@@ -1704,6 +1773,19 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1708,6 +1778,19 @@ mm_get_keystate(struct monitor *pmonitor
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
child_state);
debug3("%s: GOT new keys", __func__);
@ -1308,33 +1313,16 @@ Index: openssh-7.8p1/monitor.c
}
@@ -1902,19 +1984,19 @@ mm_answer_gss_sign(int socket, struct ss
int r;
if (!options.gss_authentication && !options.gss_keyex)
- fatal("In GSSAPI monitor when GSSAPI is disabled");
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
@@ -1909,7 +1992,7 @@ mm_answer_gss_sign(int socket, struct ss
fatal("In GSSAPI monitor when GSSAPI is disabled");
if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (data.length != 20)
- fatal("%s: data length incorrect: %d", __func__,
- (int) data.length);
+ fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length);
/* Save the session ID on the first time around */
if (session_id2_len == 0) {
- session_id2_len = data.length;
- session_id2 = xmalloc(session_id2_len);
- memcpy(session_id2, data.value, session_id2_len);
+ session_id2_len = data.length;
+ session_id2 = xmalloc(session_id2_len);
+ memcpy(session_id2, data.value, session_id2_len);
}
major = ssh_gssapi_sign(gsscontext, &data, &hash);
@@ -1962,3 +2044,102 @@ mm_answer_gss_updatecreds(int socket, st
fatal("%s: data length incorrect: %d", __func__,
(int) data.length);
@@ -1966,3 +2049,102 @@ mm_answer_gss_updatecreds(int socket, st
}
#endif /* GSSAPI */
@ -1437,10 +1425,10 @@ Index: openssh-7.8p1/monitor.c
+ return 0;
+}
+#endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/monitor.h
Index: openssh-7.9p1/monitor.h
===================================================================
--- openssh-7.8p1.orig/monitor.h
+++ openssh-7.8p1/monitor.h
--- openssh-7.9p1.orig/monitor.h
+++ openssh-7.9p1/monitor.h
@@ -61,7 +61,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1456,10 +1444,10 @@ Index: openssh-7.8p1/monitor.h
MONITOR_REQ_GSSSIGN = 201, MONITOR_ANS_GSSSIGN = 202,
MONITOR_REQ_GSSUPCREDS = 203, MONITOR_ANS_GSSUPCREDS = 204,
Index: openssh-7.8p1/monitor_wrap.c
Index: openssh-7.9p1/monitor_wrap.c
===================================================================
--- openssh-7.8p1.orig/monitor_wrap.c
+++ openssh-7.8p1/monitor_wrap.c
--- openssh-7.9p1.orig/monitor_wrap.c
+++ openssh-7.9p1/monitor_wrap.c
@@ -497,7 +497,7 @@ mm_key_allowed(enum mm_keytype type, con
*/
@ -1637,10 +1625,10 @@ Index: openssh-7.8p1/monitor_wrap.c
+ sshbuf_free(m);
+}
+#endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/monitor_wrap.h
Index: openssh-7.9p1/monitor_wrap.h
===================================================================
--- openssh-7.8p1.orig/monitor_wrap.h
+++ openssh-7.8p1/monitor_wrap.h
--- openssh-7.9p1.orig/monitor_wrap.h
+++ openssh-7.9p1/monitor_wrap.h
@@ -53,7 +53,9 @@ int mm_user_key_allowed(struct ssh *, st
struct sshauthopt **);
int mm_hostbased_key_allowed(struct passwd *, const char *,
@ -1666,10 +1654,10 @@ Index: openssh-7.8p1/monitor_wrap.h
#endif
struct Session;
Index: openssh-7.8p1/packet.c
Index: openssh-7.9p1/packet.c
===================================================================
--- openssh-7.8p1.orig/packet.c
+++ openssh-7.8p1/packet.c
--- openssh-7.9p1.orig/packet.c
+++ openssh-7.9p1/packet.c
@@ -76,6 +76,7 @@
#include <zlib.h>
@ -1829,20 +1817,20 @@ Index: openssh-7.8p1/packet.c
/* Reset after_authentication and reset compression in post-auth privsep */
static int
ssh_packet_set_postauth(struct ssh *ssh)
Index: openssh-7.8p1/packet.h
Index: openssh-7.9p1/packet.h
===================================================================
--- openssh-7.8p1.orig/packet.h
+++ openssh-7.8p1/packet.h
--- openssh-7.9p1.orig/packet.h
+++ openssh-7.9p1/packet.h
@@ -219,4 +219,5 @@ extern struct ssh *active_state;
# undef EC_POINT
#endif
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
Index: openssh-7.8p1/session.c
Index: openssh-7.9p1/session.c
===================================================================
--- openssh-7.8p1.orig/session.c
+++ openssh-7.8p1/session.c
--- openssh-7.9p1.orig/session.c
+++ openssh-7.9p1/session.c
@@ -139,7 +139,7 @@ extern char *__progname;
extern int debug_flag;
extern u_int utmp_len;
@ -1867,7 +1855,7 @@ Index: openssh-7.8p1/session.c
/* Enter interactive session. */
s->ptymaster = ptymaster;
packet_set_interactive(1,
@@ -739,15 +747,19 @@ do_exec(struct ssh *ssh, Session *s, con
@@ -741,15 +749,19 @@ do_exec(struct ssh *ssh, Session *s, con
s->self);
#ifdef SSH_AUDIT_EVENTS
@ -1889,7 +1877,7 @@ Index: openssh-7.8p1/session.c
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command);
@@ -1551,8 +1563,11 @@ do_child(struct ssh *ssh, Session *s, co
@@ -1553,8 +1565,11 @@ do_child(struct ssh *ssh, Session *s, co
int r = 0;
/* remove hostkey from the child's memory */
@ -1902,7 +1890,7 @@ Index: openssh-7.8p1/session.c
/* Force a password change */
if (s->authctxt->force_pwchange) {
@@ -1759,6 +1774,9 @@ session_unused(int id)
@@ -1761,6 +1776,9 @@ session_unused(int id)
sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL;
@ -1912,7 +1900,7 @@ Index: openssh-7.8p1/session.c
sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id;
}
@@ -1841,6 +1859,19 @@ session_open(Authctxt *authctxt, int cha
@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
}
Session *
@ -1932,7 +1920,7 @@ Index: openssh-7.8p1/session.c
session_by_tty(char *tty)
{
int i;
@@ -2352,6 +2383,32 @@ session_exit_message(struct ssh *ssh, Se
@@ -2428,6 +2459,32 @@ session_exit_message(struct ssh *ssh, Se
chan_write_failed(ssh, c);
}
@ -1965,7 +1953,7 @@ Index: openssh-7.8p1/session.c
void
session_close(struct ssh *ssh, Session *s)
{
@@ -2393,6 +2450,10 @@ session_close(struct ssh *ssh, Session *
@@ -2469,6 +2526,10 @@ session_close(struct ssh *ssh, Session *
if (s->ttyfd != -1)
session_pty_cleanup(s);
@ -1976,7 +1964,7 @@ Index: openssh-7.8p1/session.c
free(s->term);
free(s->display);
free(s->x11_chanids);
@@ -2600,6 +2661,15 @@ do_authenticated2(struct ssh *ssh, Authc
@@ -2677,6 +2738,15 @@ do_authenticated2(struct ssh *ssh, Authc
server_loop2(ssh, authctxt);
}
@ -1992,7 +1980,7 @@ Index: openssh-7.8p1/session.c
void
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
{
@@ -2657,7 +2727,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
* or if running in monitor.
*/
if (!use_privsep || mm_is_monitor())
@ -2001,11 +1989,11 @@ Index: openssh-7.8p1/session.c
}
/* Return a name for the remote host that fits inside utmp_size */
Index: openssh-7.8p1/session.h
Index: openssh-7.9p1/session.h
===================================================================
--- openssh-7.8p1.orig/session.h
+++ openssh-7.8p1/session.h
@@ -60,6 +60,12 @@ struct Session {
--- openssh-7.9p1.orig/session.h
+++ openssh-7.9p1/session.h
@@ -61,6 +61,12 @@ struct Session {
char *name;
char *val;
} *env;
@ -2018,7 +2006,7 @@ Index: openssh-7.8p1/session.h
};
void do_authenticated(struct ssh *, Authctxt *);
@@ -72,8 +78,10 @@ void session_close_by_pid(struct ssh *s
@@ -73,8 +79,10 @@ void session_close_by_pid(struct ssh *s
void session_close_by_channel(struct ssh *, int, void *);
void session_destroy_all(struct ssh *, void (*)(Session *));
void session_pty_cleanup2(Session *);
@ -2029,10 +2017,10 @@ Index: openssh-7.8p1/session.h
Session *session_by_tty(char *);
void session_close(struct ssh *, Session *);
void do_setusercontext(struct passwd *);
Index: openssh-7.8p1/sshd.c
Index: openssh-7.9p1/sshd.c
===================================================================
--- openssh-7.8p1.orig/sshd.c
+++ openssh-7.8p1/sshd.c
--- openssh-7.9p1.orig/sshd.c
+++ openssh-7.9p1/sshd.c
@@ -124,6 +124,7 @@
#include "ssh-gss.h"
#endif
@ -2091,24 +2079,24 @@ Index: openssh-7.8p1/sshd.c
for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) {
- sshkey_free(sensitive_data.host_keys[i]);
+ char *fp;
+ char *fp;
+
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
+ sshkey_free(sensitive_data.host_keys[i]);
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
+ sshkey_free(sensitive_data.host_keys[i]);
sensitive_data.host_keys[i] = NULL;
+ if (fp != NULL) {
+#ifdef SSH_AUDIT_EVENTS
+ if (privsep)
+ PRIVSEP(audit_destroy_sensitive_data(fp,
+ pid, uid));
+ else
+ audit_destroy_sensitive_data(fp,
+ pid, uid);
+ if (privsep)
+ PRIVSEP(audit_destroy_sensitive_data(fp,
+ pid, uid));
+ else
+ audit_destroy_sensitive_data(fp,
+ pid, uid);
+#endif
+ free(fp);
+ free(fp);
+ }
}
- if (sensitive_data.host_certificates[i]) {
@ -2117,30 +2105,28 @@ Index: openssh-7.8p1/sshd.c
sshkey_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL;
}
@@ -513,9 +551,22 @@ demote_sensitive_data(void)
@@ -513,8 +551,21 @@ demote_sensitive_data(void)
struct sshkey *tmp;
u_int i;
int r;
+#ifdef SSH_AUDIT_EVENTS
+ pid_t pid;
+ uid_t uid;
- for (i = 0; i < options.num_host_key_files; i++) {
+ pid = getpid();
+ uid = getuid();
+ pid_t pid;
+ uid_t uid;
+
+ pid = getpid();
+ uid = getuid();
+#endif
for (i = 0; i < options.num_host_key_files; i++) {
+ char *fp;
+
+ for (i = 0; i < options.num_host_key_files; i++) {
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
if (sensitive_data.host_keys[i]) {
+ char *fp;
+
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
if ((r = sshkey_demote(sensitive_data.host_keys[i],
&tmp)) != 0)
fatal("could not demote host %s key: %s",
if ((r = sshkey_from_private(
sensitive_data.host_keys[i], &tmp)) != 0)
@@ -523,6 +574,12 @@ demote_sensitive_data(void)
ssh_err(r));
sshkey_free(sensitive_data.host_keys[i]);
@ -2213,48 +2199,11 @@ Index: openssh-7.8p1/sshd.c
audit_event(SSH_CONNECTION_ABANDON);
#endif
_exit(i);
Index: openssh-7.8p1/sshkey.c
Index: openssh-7.9p1/sshkey.h
===================================================================
--- openssh-7.8p1.orig/sshkey.c
+++ openssh-7.8p1/sshkey.c
@@ -326,6 +326,32 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA:
+ return k->rsa->d != NULL;
+ case KEY_DSA_CERT:
+ case KEY_DSA:
+ return k->dsa->priv_key != NULL;
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
Index: openssh-7.8p1/sshkey.h
===================================================================
--- openssh-7.8p1.orig/sshkey.h
+++ openssh-7.8p1/sshkey.h
@@ -148,6 +148,7 @@ u_int sshkey_size(const struct sshkey
--- openssh-7.9p1.orig/sshkey.h
+++ openssh-7.9p1/sshkey.h
@@ -147,6 +147,7 @@ u_int sshkey_size(const struct sshkey
int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
int sshkey_from_private(const struct sshkey *, struct sshkey **);
int sshkey_type_from_name(const char *);
@ -2262,3 +2211,46 @@ Index: openssh-7.8p1/sshkey.h
int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d;
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
+ return d != NULL;
+ }
+ case KEY_DSA_CERT:
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
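Review bot: In the rebased `sshkey_is_private()` (the last sshkey.c hunk), the `KEY_ED25519`/`KEY_ED25519_CERT` branch tests `k->ed25519_pk != NULL`, i.e. the public half, while every other branch tests the private component (`d`, `priv_key`, `EC_KEY_get0_private_key`), so a public-only Ed25519 host key is reported as private and the `sshd.c` callers (`destroy_sensitive_data`, `demote_sensitive_data`) will fingerprint it and emit an `audit_destroy_sensitive_data` record for key material that was never present. The test should be against the secret-key member of `struct sshkey`, presumably `return k->ed25519_sk != NULL;` — to be confirmed against sshkey.h, which is not part of this diff. The commented-out `fatal()` in the `default:` branch is dead code; either drop it or replace it with a one-line comment such as `/* unknown key type: treat as public-only so no audit record is emitted */`. This was already present in the 7.8p1 version of the patch rather than introduced by the rebase, but the rebase is the natural place to correct it.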


@ -1,75 +0,0 @@
# HG changeset patch
# Parent 2e66b48b2212113d9897a58aaada67557b7c4f35
block SIGALRM while logging through syslog to prevent deadlocks
(through grace_alarm_handler())
bnc#57354
diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
--- openssh-7.7p1/log.c
+++ openssh-7.7p1/log.c
@@ -46,16 +46,17 @@
#include <syslog.h>
#include <unistd.h>
#include <errno.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
# include <vis.h>
#endif
#include "log.h"
+#include <signal.h>
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
static int log_stderr_fd = STDERR_FILENO;
static int log_facility = LOG_AUTH;
static char *argv0;
static log_handler_fn *log_handler;
static void *log_handler_ctx;
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
{
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
char msgbuf[MSGBUFSIZ];
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
+ sigset_t nset, oset;
int saved_errno = errno;
log_handler_fn *tmp_handler;
if (level > log_level)
return;
switch (level) {
case SYSLOG_LEVEL_FATAL:
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
log_handler = NULL;
tmp_handler(level, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
(int)sizeof msgbuf - 3, fmtbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
+ /* Prevent a race between the grace_alarm which writes a
+ * log message and terminates and main sshd code that leads
+ * to deadlock as syslog is not async safe.
+ */
+ sigemptyset(&nset);
+ sigaddset(&nset, SIGALRM);
+ sigprocmask(SIG_BLOCK, &nset, &oset);
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
#else
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
+ sigprocmask(SIG_SETMASK, &oset, NULL);
}
errno = saved_errno;
}


@ -2,15 +2,11 @@
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
--- openssh-7.7p1/Makefile.in
+++ openssh-7.7p1/Makefile.in
@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -18,17 +14,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
TEST_SHELL=@TEST_SHELL@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
@@ -57,16 +58,18 @@ ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@
@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
@ -37,17 +23,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
xmss_commons.o \
xmss_fast.o \
xmss_hash.o \
xmss_hash_address.o \
xmss_wots.o
@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -58,17 +34,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
$(MANPAGES): $(MANPAGES_IN)
if test "$(MANTYPE)" = "cat"; then \
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
else \
@@ -339,16 +346,17 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
@@ -348,6 +355,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -76,15 +42,10 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
new file mode 100644
Index: openssh-7.9p1/cavstest-ctr.c
===================================================================
--- /dev/null
+++ openssh-7.7p1/cavstest-ctr.c
+++ openssh-7.9p1/cavstest-ctr.c
@@ -0,0 +1,214 @@
+/*
+ *
@ -238,7 +199,7 @@ new file mode 100644
+ usage();
+ }
+
+ SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+
+ c = cipher_by_name(algo);
+ if (c == NULL) {
@ -300,15 +261,11 @@ new file mode 100644
+ printf("\n");
+ return 0;
+}
diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
--- openssh-7.7p1/cipher.c
+++ openssh-7.7p1/cipher.c
@@ -49,25 +49,16 @@
#include "ssherr.h"
#include "digest.h"
#include "openbsd-compat/openssl-compat.h"
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.9p1.orig/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -54,15 +54,6 @@
#include "fips.h"
#include "log.h"
@ -324,20 +281,11 @@ diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
struct sshcipher {
char *name;
u_int block_size;
u_int key_len;
u_int iv_len; /* defaults to block_size */
u_int auth_len;
u_int flags;
#define CFLAG_CBC (1<<0)
diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
--- openssh-7.7p1/cipher.h
+++ openssh-7.7p1/cipher.h
@@ -41,17 +41,25 @@
#include <openssl/evp.h>
#include "cipher-chachapoly.h"
#include "cipher-aesctr.h"
#define CIPHER_ENCRYPT 1
Index: openssh-7.9p1/cipher.h
===================================================================
--- openssh-7.9p1.orig/cipher.h
+++ openssh-7.9p1/cipher.h
@@ -46,7 +46,15 @@
#define CIPHER_DECRYPT 0
struct sshcipher;
@ -354,8 +302,3 @@ diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
const struct sshcipher *cipher_by_name(const char *);
const char *cipher_warning_message(const struct sshcipher_ctx *);
int ciphers_valid(const char *);
char *cipher_alg_list(char, int);
int cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
const u_char *, u_int, const u_char *, u_int, int);
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
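Review bot: The rebased cavstest-ctr.c hunk swaps `SSLeay_add_all_algorithms()` for `OpenSSL_add_all_algorithms()` but leaves no comment saying why an explicit initialisation call is still needed; on OpenSSL 1.1.0 and later both names are deprecated compatibility macros and libcrypto initialises itself on first use, so the call only matters for older libcrypto builds. A one-line comment above it would keep the next rebase from treating it as a leftover, e.g. `/* Deprecated no-op on OpenSSL >= 1.1.0; kept for older libcrypto builds. */`, or the call can be guarded with `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. The enclosing main() of the test driver starts and ends outside the visible hunk, so I cannot see whether the driver otherwise relies on explicit initialisation.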


@ -12,23 +12,23 @@ compliant) parameters.
CVE-2015-4000 (LOGJAM)
bsc#932483
Index: openssh-7.8p1/dh.c
Index: openssh-7.9p1/dh.c
===================================================================
--- openssh-7.8p1.orig/dh.c
+++ openssh-7.8p1/dh.c
@@ -43,6 +43,8 @@
#include "misc.h"
#include "ssherr.h"
--- openssh-7.9p1.orig/dh.c
+++ openssh-7.9p1/dh.c
@@ -45,6 +45,8 @@
#include "openbsd-compat/openssl-compat.h"
+int dh_grp_min = DH_GRP_MIN;
+
static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
Index: openssh-7.8p1/dh.h
Index: openssh-7.9p1/dh.h
===================================================================
--- openssh-7.8p1.orig/dh.h
+++ openssh-7.8p1/dh.h
--- openssh-7.9p1.orig/dh.h
+++ openssh-7.9p1/dh.h
@@ -50,6 +50,7 @@ u_int dh_estimate(int);
* Max value from RFC4419.
* Miniumum increased in light of DH precomputation attacks.
@ -37,11 +37,11 @@ Index: openssh-7.8p1/dh.h
#define DH_GRP_MIN 2048
#define DH_GRP_MAX 8192
Index: openssh-7.8p1/kexgexc.c
Index: openssh-7.9p1/kexgexc.c
===================================================================
--- openssh-7.8p1.orig/kexgexc.c
+++ openssh-7.8p1/kexgexc.c
@@ -51,6 +51,9 @@
--- openssh-7.9p1.orig/kexgexc.c
+++ openssh-7.9p1/kexgexc.c
@@ -53,6 +53,9 @@
#include "sshbuf.h"
#include "misc.h"
@ -51,7 +51,7 @@ Index: openssh-7.8p1/kexgexc.c
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh)
@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8);
@ -60,7 +60,7 @@ Index: openssh-7.8p1/kexgexc.c
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32
@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
goto out;
if ((bits = BN_num_bits(p)) < 0 ||
(u_int)bits < kex->min || (u_int)bits > kex->max) {
@ -73,11 +73,11 @@ Index: openssh-7.8p1/kexgexc.c
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out;
}
Index: openssh-7.8p1/kexgexs.c
Index: openssh-7.9p1/kexgexs.c
===================================================================
--- openssh-7.8p1.orig/kexgexs.c
+++ openssh-7.8p1/kexgexs.c
@@ -54,6 +54,9 @@
--- openssh-7.9p1.orig/kexgexs.c
+++ openssh-7.9p1/kexgexs.c
@@ -56,6 +56,9 @@
#include "sshbuf.h"
#include "misc.h"
@ -87,7 +87,7 @@ Index: openssh-7.8p1/kexgexs.c
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int
@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
@ -109,10 +109,10 @@ Index: openssh-7.8p1/kexgexs.c
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out;
}
Index: openssh-7.8p1/readconf.c
Index: openssh-7.9p1/readconf.c
===================================================================
--- openssh-7.8p1.orig/readconf.c
+++ openssh-7.8p1/readconf.c
--- openssh-7.9p1.orig/readconf.c
+++ openssh-7.9p1/readconf.c
@@ -67,6 +67,7 @@
#include "uidswap.h"
#include "myproposal.h"
@ -130,7 +130,7 @@ Index: openssh-7.8p1/readconf.c
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
@@ -291,6 +292,7 @@ static struct {
@@ -292,6 +293,7 @@ static struct {
{ "remotecommand", oRemoteCommand },
{ "visualhostkey", oVisualHostKey },
{ "kexalgorithms", oKexAlgorithms },
@ -138,7 +138,7 @@ Index: openssh-7.8p1/readconf.c
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
{ "proxyusefdpass", oProxyUseFdpass },
@@ -312,6 +314,9 @@ static struct {
@@ -313,6 +315,9 @@ static struct {
{ NULL, oBadOption }
};
@ -148,7 +148,7 @@ Index: openssh-7.8p1/readconf.c
/*
* Adds a local TCP/IP port forward to options. Never returns if there is an
* error.
@@ -1206,6 +1211,10 @@ parse_int:
@@ -1216,6 +1221,10 @@ parse_int:
options->kex_algorithms = xstrdup(arg);
break;
@ -159,15 +159,15 @@ Index: openssh-7.8p1/readconf.c
case oHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
parse_keytypes:
@@ -1835,6 +1844,7 @@ initialize_options(Options * options)
@@ -1860,6 +1869,7 @@ initialize_options(Options * options)
options->ciphers = NULL;
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->kex_dhmin = -1;
options->hostkeyalgorithms = NULL;
options->ca_sign_algorithms = NULL;
options->num_identity_files = 0;
options->num_certificate_files = 0;
@@ -1988,6 +1998,13 @@ fill_default_options(Options * options)
@@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
options->connection_attempts = 1;
if (options->number_of_password_prompts == -1)
options->number_of_password_prompts = 3;
@ -181,22 +181,22 @@ Index: openssh-7.8p1/readconf.c
/* options->hostkeyalgorithms, default set in myproposals.h */
if (options->add_keys_to_agent == -1)
options->add_keys_to_agent = 0;
Index: openssh-7.8p1/readconf.h
Index: openssh-7.9p1/readconf.h
===================================================================
--- openssh-7.8p1.orig/readconf.h
+++ openssh-7.8p1/readconf.h
@@ -67,6 +67,7 @@ typedef struct {
char *macs; /* SSH2 macs in order of preference. */
--- openssh-7.9p1.orig/readconf.h
+++ openssh-7.9p1/readconf.h
@@ -68,6 +68,7 @@ typedef struct {
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
char *hostname; /* Real host to connect. */
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */
Index: openssh-7.8p1/servconf.c
Index: openssh-7.9p1/servconf.c
===================================================================
--- openssh-7.8p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c
--- openssh-7.9p1.orig/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -64,6 +64,10 @@
#include "auth.h"
#include "myproposal.h"
@ -213,10 +213,10 @@ Index: openssh-7.8p1/servconf.c
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->kex_dhmin = -1;
options->ca_sign_algorithms = NULL;
options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption
@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
if (options->use_pam_check_locks == -1)
options->use_pam_check_locks = 0;
@ -231,16 +231,16 @@ Index: openssh-7.8p1/servconf.c
/* Standard Options */
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
@@ -490,7 +503,7 @@ typedef enum {
@@ -494,7 +507,7 @@ typedef enum {
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum,
- sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
+ sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
@@ -631,6 +644,7 @@ static struct {
@@ -635,6 +648,7 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
@ -248,7 +248,7 @@ Index: openssh-7.8p1/servconf.c
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions
@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
options->kex_algorithms = xstrdup(arg);
break;
@ -259,7 +259,7 @@ Index: openssh-7.8p1/servconf.c
case sSubsystem:
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
fatal("%s line %d: too many subsystems defined.",
@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o)
@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
@ -267,10 +267,10 @@ Index: openssh-7.8p1/servconf.c
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
Index: openssh-7.8p1/servconf.h
Index: openssh-7.9p1/servconf.h
===================================================================
--- openssh-7.8p1.orig/servconf.h
+++ openssh-7.8p1/servconf.h
--- openssh-7.9p1.orig/servconf.h
+++ openssh-7.9p1/servconf.h
@@ -103,6 +103,7 @@ typedef struct {
char *ciphers; /* Supported SSH2 ciphers. */
char *macs; /* Supported SSH2 macs. */
@ -279,10 +279,10 @@ Index: openssh-7.8p1/servconf.h
struct ForwardOptions fwd_opts; /* forwarding options */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
Index: openssh-7.8p1/ssh_config
Index: openssh-7.9p1/ssh_config
===================================================================
--- openssh-7.8p1.orig/ssh_config
+++ openssh-7.8p1/ssh_config
--- openssh-7.9p1.orig/ssh_config
+++ openssh-7.9p1/ssh_config
@@ -17,6 +17,11 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
@ -295,11 +295,11 @@ Index: openssh-7.8p1/ssh_config
Host *
# ForwardAgent no
# ForwardX11 no
Index: openssh-7.8p1/ssh_config.0
Index: openssh-7.9p1/ssh_config.0
===================================================================
--- openssh-7.8p1.orig/ssh_config.0
+++ openssh-7.8p1/ssh_config.0
@@ -595,6 +595,23 @@ DESCRIPTION
--- openssh-7.9p1.orig/ssh_config.0
+++ openssh-7.9p1/ssh_config.0
@@ -610,6 +610,23 @@ DESCRIPTION
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
@ -323,11 +323,11 @@ Index: openssh-7.8p1/ssh_config.0
LocalCommand
Specifies a command to execute on the local machine after
successfully connecting to the server. The command string
Index: openssh-7.8p1/ssh_config.5
Index: openssh-7.9p1/ssh_config.5
===================================================================
--- openssh-7.8p1.orig/ssh_config.5
+++ openssh-7.8p1/ssh_config.5
@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1
--- openssh-7.9p1.orig/ssh_config.5
+++ openssh-7.9p1/ssh_config.5
@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@ -350,10 +350,10 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm LocalCommand
Specifies a command to execute on the local machine after successfully
connecting to the server.
Index: openssh-7.8p1/sshd_config
Index: openssh-7.9p1/sshd_config
===================================================================
--- openssh-7.8p1.orig/sshd_config
+++ openssh-7.8p1/sshd_config
--- openssh-7.9p1.orig/sshd_config
+++ openssh-7.9p1/sshd_config
@@ -19,6 +19,13 @@
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
@ -368,11 +368,11 @@ Index: openssh-7.8p1/sshd_config
# Ciphers and keying
#RekeyLimit default none
Index: openssh-7.8p1/sshd_config.0
Index: openssh-7.9p1/sshd_config.0
===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0
@@ -545,6 +545,23 @@ DESCRIPTION
--- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
@@ -555,6 +555,23 @@ DESCRIPTION
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
@ -396,11 +396,11 @@ Index: openssh-7.8p1/sshd_config.0
ListenAddress
Specifies the local addresses sshd(8) should listen on. The
following forms may be used:
Index: openssh-7.8p1/sshd_config.5
Index: openssh-7.9p1/sshd_config.5
===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5
@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel
--- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
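Review bot: `kex_dhmin` is declared `int` in the rebased readconf.h hunk (`int kex_dhmin; /* minimum bit length of the DH group parameter */`), while the value it feeds is compared unsigned in kexgexc.c (`(u_int)bits < kex->min || (u_int)bits > kex->max`); a zero KexDHMin from a config file would accept any group size and a negative one would wrap to a minimum no group can satisfy, unless the option parser rejects such values, and the parse_int and default-filling lines that decide this are collapsed in this section so I cannot tell which happens. If the parser does not already reject them, clamp from below next to the existing upper clamp, e.g. `options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);` in both fill_default_options and fill_default_server_options. The readconf.h and servconf.h field comments could also state the accepted range so the 1024-bit floor (DH_GRP_MIN_RFC) is visible to whoever reads the header. Both fill_default functions start and end outside the visible hunks.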


@ -3,10 +3,10 @@
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.
Index: openssh-7.8p1/Makefile.in
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.8p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
platform-pledge.o platform-tracing.o platform-misc.o
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
Index: openssh-7.8p1/cipher-ctr.c
Index: openssh-7.9p1/cipher-ctr.c
===================================================================
--- openssh-7.8p1.orig/cipher-ctr.c
+++ openssh-7.8p1/cipher-ctr.c
--- openssh-7.9p1.orig/cipher-ctr.c
+++ openssh-7.9p1/cipher-ctr.c
@@ -27,6 +27,8 @@
#include "xmalloc.h"
#include "log.h"
@ -38,10 +38,10 @@ Index: openssh-7.8p1/cipher-ctr.c
#endif
return (&aes_ctr);
}
Index: openssh-7.8p1/cipher.c
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.8p1.orig/cipher.c
+++ openssh-7.8p1/cipher.c
--- openssh-7.9p1.orig/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -51,6 +51,8 @@
#include "openbsd-compat/openssl-compat.h"
@ -131,10 +131,10 @@ Index: openssh-7.8p1/cipher.c
if (strcmp(c->name, name) == 0)
return c;
return NULL;
Index: openssh-7.8p1/dh.h
Index: openssh-7.9p1/dh.h
===================================================================
--- openssh-7.8p1.orig/dh.h
+++ openssh-7.8p1/dh.h
--- openssh-7.9p1.orig/dh.h
+++ openssh-7.9p1/dh.h
@@ -52,6 +52,7 @@ u_int dh_estimate(int);
*/
#define DH_GRP_MIN_RFC 1024
@ -143,10 +143,10 @@ Index: openssh-7.8p1/dh.h
#define DH_GRP_MAX 8192
/*
Index: openssh-7.8p1/fips.c
Index: openssh-7.9p1/fips.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/fips.c
+++ openssh-7.9p1/fips.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -385,10 +385,10 @@ Index: openssh-7.8p1/fips.c
+ return dh;
+}
+
Index: openssh-7.8p1/fips.h
Index: openssh-7.9p1/fips.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/fips.h
+++ openssh-7.9p1/fips.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -435,10 +435,10 @@ Index: openssh-7.8p1/fips.h
+
+#endif
+
Index: openssh-7.8p1/hmac.c
Index: openssh-7.9p1/hmac.c
===================================================================
--- openssh-7.8p1.orig/hmac.c
+++ openssh-7.8p1/hmac.c
--- openssh-7.9p1.orig/hmac.c
+++ openssh-7.9p1/hmac.c
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
size_t i;
u_char digest[16];
@ -448,10 +448,10 @@ Index: openssh-7.8p1/hmac.c
printf("ssh_hmac_start failed");
if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 ||
Index: openssh-7.8p1/kex.c
Index: openssh-7.9p1/kex.c
===================================================================
--- openssh-7.8p1.orig/kex.c
+++ openssh-7.8p1/kex.c
--- openssh-7.9p1.orig/kex.c
+++ openssh-7.9p1/kex.c
@@ -54,6 +54,8 @@
#include "sshbuf.h"
#include "digest.h"
@ -547,11 +547,11 @@ Index: openssh-7.8p1/kex.c
free(s);
return 0;
}
Index: openssh-7.8p1/kexgexc.c
Index: openssh-7.9p1/kexgexc.c
===================================================================
--- openssh-7.8p1.orig/kexgexc.c
+++ openssh-7.8p1/kexgexc.c
@@ -51,8 +51,7 @@
--- openssh-7.9p1.orig/kexgexc.c
+++ openssh-7.9p1/kexgexc.c
@@ -53,8 +53,7 @@
#include "sshbuf.h"
#include "misc.h"
@ -561,7 +561,7 @@ Index: openssh-7.8p1/kexgexc.c
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
@@ -66,7 +65,7 @@ kexgex_client(struct ssh *ssh)
@@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8);
@ -570,11 +570,11 @@ Index: openssh-7.8p1/kexgexc.c
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
Index: openssh-7.8p1/kexgexs.c
Index: openssh-7.9p1/kexgexs.c
===================================================================
--- openssh-7.8p1.orig/kexgexs.c
+++ openssh-7.8p1/kexgexs.c
@@ -54,8 +54,7 @@
--- openssh-7.9p1.orig/kexgexs.c
+++ openssh-7.9p1/kexgexs.c
@@ -56,8 +56,7 @@
#include "sshbuf.h"
#include "misc.h"
@ -584,7 +584,7 @@ Index: openssh-7.8p1/kexgexs.c
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
@@ -85,9 +84,9 @@ input_kex_dh_gex_request(int type, u_int
@@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
@ -596,10 +596,10 @@ Index: openssh-7.8p1/kexgexs.c
nbits = MINIMUM(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min ||
Index: openssh-7.8p1/mac.c
Index: openssh-7.9p1/mac.c
===================================================================
--- openssh-7.8p1.orig/mac.c
+++ openssh-7.8p1/mac.c
--- openssh-7.9p1.orig/mac.c
+++ openssh-7.9p1/mac.c
@@ -40,6 +40,9 @@
#include "openbsd-compat/openssl-compat.h"
@ -679,11 +679,11 @@ Index: openssh-7.8p1/mac.c
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
Index: openssh-7.8p1/myproposal.h
Index: openssh-7.9p1/myproposal.h
===================================================================
--- openssh-7.8p1.orig/myproposal.h
+++ openssh-7.8p1/myproposal.h
@@ -141,6 +141,8 @@
--- openssh-7.9p1.orig/myproposal.h
+++ openssh-7.9p1/myproposal.h
@@ -151,6 +151,8 @@
#else /* WITH_OPENSSL */
@ -692,10 +692,10 @@ Index: openssh-7.8p1/myproposal.h
#define KEX_SERVER_KEX \
"curve25519-sha256," \
"curve25519-sha256@libssh.org"
Index: openssh-7.8p1/readconf.c
Index: openssh-7.9p1/readconf.c
===================================================================
--- openssh-7.8p1.orig/readconf.c
+++ openssh-7.8p1/readconf.c
--- openssh-7.9p1.orig/readconf.c
+++ openssh-7.9p1/readconf.c
@@ -68,6 +68,7 @@
#include "myproposal.h"
#include "digest.h"
@ -704,7 +704,7 @@ Index: openssh-7.8p1/readconf.c
/* Format of the configuration file:
@@ -1800,6 +1801,23 @@ option_clear_or_none(const char *o)
@@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -728,7 +728,7 @@ Index: openssh-7.8p1/readconf.c
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
@@ -1999,9 +2017,9 @@ fill_default_options(Options * options)
@@ -2025,9 +2043,9 @@ fill_default_options(Options * options)
if (options->number_of_password_prompts == -1)
options->number_of_password_prompts = 3;
if (options->kex_dhmin == -1)
@ -740,7 +740,7 @@ Index: openssh-7.8p1/readconf.c
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
}
dh_grp_min = options->kex_dhmin;
@@ -2086,6 +2104,8 @@ fill_default_options(Options * options)
@@ -2112,6 +2130,8 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -749,19 +749,19 @@ Index: openssh-7.8p1/readconf.c
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
@@ -2110,6 +2130,7 @@ fill_default_options(Options * options)
free(all_mac);
free(all_kex);
@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha
KEX_DEFAULT_PK_ALG, all_key) != 0)
fatal("%s: kex_assemble_names failed", __func__);
free(all_key);
+ filter_fips_algorithms(options);
+ filter_fips_algorithms(o);
#define CLEAR_ON_NONE(v) \
do { \
Index: openssh-7.8p1/readconf.h
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
Index: openssh-7.9p1/readconf.h
===================================================================
--- openssh-7.8p1.orig/readconf.h
+++ openssh-7.8p1/readconf.h
@@ -197,6 +197,7 @@ typedef struct {
--- openssh-7.9p1.orig/readconf.h
+++ openssh-7.9p1/readconf.h
@@ -198,6 +198,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3
@ -769,10 +769,10 @@ Index: openssh-7.8p1/readconf.h
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
Index: openssh-7.8p1/servconf.c
Index: openssh-7.9p1/servconf.c
===================================================================
--- openssh-7.8p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c
--- openssh-7.9p1.orig/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -65,6 +65,7 @@
#include "myproposal.h"
#include "digest.h"
@ -781,7 +781,7 @@ Index: openssh-7.8p1/servconf.c
/* import from dh.c */
extern int dh_grp_min;
@@ -194,6 +195,23 @@ option_clear_or_none(const char *o)
@@ -195,6 +196,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -805,16 +805,16 @@ Index: openssh-7.8p1/servconf.c
static void
assemble_algorithms(ServerOptions *o)
{
@@ -220,6 +238,8 @@ assemble_algorithms(ServerOptions *o)
free(all_mac);
@@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o)
free(all_kex);
free(all_key);
free(all_sig);
+
+ filter_fips_algorithms_s(o);
}
static void
@@ -269,9 +289,9 @@ fill_default_server_options(ServerOption
@@ -273,9 +293,9 @@ fill_default_server_options(ServerOption
options->use_pam_check_locks = 0;
if (options->kex_dhmin == -1)
@ -826,7 +826,7 @@ Index: openssh-7.8p1/servconf.c
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
}
dh_grp_min = options->kex_dhmin;
@@ -419,6 +439,8 @@ fill_default_server_options(ServerOption
@@ -423,6 +443,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -835,10 +835,10 @@ Index: openssh-7.8p1/servconf.c
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
Index: openssh-7.8p1/ssh-keygen.c
Index: openssh-7.9p1/ssh-keygen.c
===================================================================
--- openssh-7.8p1.orig/ssh-keygen.c
+++ openssh-7.8p1/ssh-keygen.c
--- openssh-7.9p1.orig/ssh-keygen.c
+++ openssh-7.9p1/ssh-keygen.c
@@ -61,6 +61,8 @@
#include "utf8.h"
#include "authfd.h"
@ -848,7 +848,7 @@ Index: openssh-7.8p1/ssh-keygen.c
#ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa"
#else
@@ -965,11 +967,13 @@ do_fingerprint(struct passwd *pw)
@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
static void
do_gen_all_hostkeys(struct passwd *pw)
{
@ -864,7 +864,7 @@ Index: openssh-7.8p1/ssh-keygen.c
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
@@ -984,6 +988,17 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
@ -882,7 +882,7 @@ Index: openssh-7.8p1/ssh-keygen.c
int first = 0;
struct stat st;
struct sshkey *private, *public;
@@ -991,6 +1006,12 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
int i, type, fd, r;
FILE *f;
@ -895,7 +895,7 @@ Index: openssh-7.8p1/ssh-keygen.c
for (i = 0; key_types[i].key_type; i++) {
public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
@@ -2727,6 +2748,15 @@ main(int argc, char **argv)
@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
@ -911,11 +911,11 @@ Index: openssh-7.8p1/ssh-keygen.c
type_bits_valid(type, key_type_name, &bits);
if (!quiet)
Index: openssh-7.8p1/ssh_config.0
Index: openssh-7.9p1/ssh_config.0
===================================================================
--- openssh-7.8p1.orig/ssh_config.0
+++ openssh-7.8p1/ssh_config.0
@@ -343,6 +343,9 @@ DESCRIPTION
--- openssh-7.9p1.orig/ssh_config.0
+++ openssh-7.9p1/ssh_config.0
@@ -353,6 +353,9 @@ DESCRIPTION
Specifies the hash algorithm used when displaying key
fingerprints. Valid options are: md5 and sha256 (the default).
@ -925,7 +925,7 @@ Index: openssh-7.8p1/ssh_config.0
ForwardAgent
Specifies whether the connection to the authentication agent (if
any) will be forwarded to the remote machine. The argument must
@@ -612,6 +615,9 @@ DESCRIPTION
@@ -627,6 +630,9 @@ DESCRIPTION
resort and all efforts should be made to fix the (broken)
counterparty.
@ -935,11 +935,11 @@ Index: openssh-7.8p1/ssh_config.0
LocalCommand
Specifies a command to execute on the local machine after
successfully connecting to the server. The command string
Index: openssh-7.8p1/ssh_config.5
Index: openssh-7.9p1/ssh_config.5
===================================================================
--- openssh-7.8p1.orig/ssh_config.5
+++ openssh-7.8p1/ssh_config.5
@@ -628,6 +628,8 @@ Valid options are:
--- openssh-7.9p1.orig/ssh_config.5
+++ openssh-7.9p1/ssh_config.5
@@ -642,6 +642,8 @@ Valid options are:
and
.Cm sha256
(the default).
@ -948,7 +948,7 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
@@ -1041,6 +1043,9 @@ maximum backward compatibility, using it
@@ -1063,6 +1065,9 @@ maximum backward compatibility, using it
security and thus should be viewed as a temporary fix of last
resort and all efforts should be made to fix the (broken)
counterparty.
@ -958,10 +958,10 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm LocalCommand
Specifies a command to execute on the local machine after successfully
connecting to the server.
Index: openssh-7.8p1/sshd.c
Index: openssh-7.9p1/sshd.c
===================================================================
--- openssh-7.8p1.orig/sshd.c
+++ openssh-7.8p1/sshd.c
--- openssh-7.9p1.orig/sshd.c
+++ openssh-7.9p1/sshd.c
@@ -123,6 +123,8 @@
#include "version.h"
#include "ssherr.h"
@ -971,11 +971,11 @@ Index: openssh-7.8p1/sshd.c
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
Index: openssh-7.8p1/sshd_config.0
Index: openssh-7.9p1/sshd_config.0
===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0
@@ -338,6 +338,9 @@ DESCRIPTION
--- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
@@ -348,6 +348,9 @@ DESCRIPTION
Specifies the hash algorithm used when logging key fingerprints.
Valid options are: md5 and sha256. The default is sha256.
@ -985,7 +985,7 @@ Index: openssh-7.8p1/sshd_config.0
ForceCommand
Forces the execution of the command specified by ForceCommand,
ignoring any command supplied by the client and ~/.ssh/rc if
@@ -562,6 +565,9 @@ DESCRIPTION
@@ -572,6 +575,9 @@ DESCRIPTION
resort and all efforts should be made to fix the (broken)
counterparty.
@ -995,11 +995,11 @@ Index: openssh-7.8p1/sshd_config.0
ListenAddress
Specifies the local addresses sshd(8) should listen on. The
following forms may be used:
Index: openssh-7.8p1/sshd_config.5
Index: openssh-7.9p1/sshd_config.5
===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5
@@ -592,6 +592,8 @@ and
--- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
@@ -603,6 +603,8 @@ and
.Cm sha256 .
The default is
.Cm sha256 .



@ -10,10 +10,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
Index: openssh-7.8p1/HOWTO.ldap-keys
Index: openssh-7.9p1/HOWTO.ldap-keys
===================================================================
--- /dev/null
+++ openssh-7.8p1/HOWTO.ldap-keys
+++ openssh-7.9p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@ -123,10 +123,10 @@ Index: openssh-7.8p1/HOWTO.ldap-keys
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
Index: openssh-7.8p1/Makefile.in
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.8p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -146,7 +146,7 @@ Index: openssh-7.8p1/Makefile.in
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o
@ -157,7 +157,7 @@ Index: openssh-7.8p1/Makefile.in
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -167,7 +167,7 @@ Index: openssh-7.8p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -363,6 +371,10 @@ install-files:
@@ -361,6 +369,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -178,7 +178,7 @@ Index: openssh-7.8p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@@ -381,6 +393,10 @@ install-files:
@@ -379,6 +391,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -189,7 +189,7 @@ Index: openssh-7.8p1/Makefile.in
install-sysconf:
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
@@ -404,6 +420,13 @@ install-sysconf:
@@ -402,6 +418,13 @@ install-sysconf:
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi
@ -203,7 +203,7 @@ Index: openssh-7.8p1/Makefile.in
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
@@ -441,6 +464,8 @@ uninstall:
@@ -439,6 +462,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -212,7 +212,7 @@ Index: openssh-7.8p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -452,6 +477,7 @@ uninstall:
@@ -450,6 +475,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -220,11 +220,11 @@ Index: openssh-7.8p1/Makefile.in
regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/test_helper
Index: openssh-7.8p1/configure.ac
Index: openssh-7.9p1/configure.ac
===================================================================
--- openssh-7.8p1.orig/configure.ac
+++ openssh-7.8p1/configure.ac
@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit],
--- openssh-7.9p1.orig/configure.ac
+++ openssh-7.9p1/configure.ac
@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
esac ]
)
@ -331,10 +331,10 @@ Index: openssh-7.8p1/configure.ac
AC_ARG_WITH([pie],
[ --with-pie Build Position Independent Executables if possible], [
if test "x$withval" = "xno"; then
Index: openssh-7.8p1/ldap-helper.c
Index: openssh-7.9p1/ldap-helper.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldap-helper.c
+++ openssh-7.9p1/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -491,10 +491,10 @@ Index: openssh-7.8p1/ldap-helper.c
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
+
Index: openssh-7.8p1/ldap-helper.h
Index: openssh-7.9p1/ldap-helper.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldap-helper.h
+++ openssh-7.9p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -528,10 +528,10 @@ Index: openssh-7.8p1/ldap-helper.h
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
Index: openssh-7.8p1/ldap.conf
Index: openssh-7.9p1/ldap.conf
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldap.conf
+++ openssh-7.9p1/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@ -621,10 +621,10 @@ Index: openssh-7.8p1/ldap.conf
+#tls_cert
+#tls_key
+
Index: openssh-7.8p1/ldapbody.c
Index: openssh-7.9p1/ldapbody.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapbody.c
+++ openssh-7.9p1/ldapbody.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1120,10 +1120,10 @@ Index: openssh-7.8p1/ldapbody.c
+ return;
+}
+
Index: openssh-7.8p1/ldapbody.h
Index: openssh-7.9p1/ldapbody.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapbody.h
+++ openssh-7.9p1/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1162,10 +1162,10 @@ Index: openssh-7.8p1/ldapbody.h
+
+#endif /* LDAPBODY_H */
+
Index: openssh-7.8p1/ldapconf.c
Index: openssh-7.9p1/ldapconf.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapconf.c
+++ openssh-7.9p1/ldapconf.c
@@ -0,0 +1,711 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1878,10 +1878,10 @@ Index: openssh-7.8p1/ldapconf.c
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
Index: openssh-7.8p1/ldapconf.h
Index: openssh-7.9p1/ldapconf.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapconf.h
+++ openssh-7.9p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1954,10 +1954,10 @@ Index: openssh-7.8p1/ldapconf.h
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
Index: openssh-7.8p1/ldapincludes.h
Index: openssh-7.9p1/ldapincludes.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapincludes.h
+++ openssh-7.9p1/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2000,10 +2000,10 @@ Index: openssh-7.8p1/ldapincludes.h
+#endif
+
+#endif /* LDAPINCLUDES_H */
Index: openssh-7.8p1/ldapmisc.c
Index: openssh-7.9p1/ldapmisc.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapmisc.c
+++ openssh-7.9p1/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@ -2084,10 +2084,10 @@ Index: openssh-7.8p1/ldapmisc.c
+}
+#endif
+
Index: openssh-7.8p1/ldapmisc.h
Index: openssh-7.9p1/ldapmisc.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapmisc.h
+++ openssh-7.9p1/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2124,10 +2124,10 @@ Index: openssh-7.8p1/ldapmisc.h
+
+#endif /* LDAPMISC_H */
+
Index: openssh-7.8p1/openbsd-compat/base64.c
Index: openssh-7.9p1/openbsd-compat/base64.c
===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.c
+++ openssh-7.8p1/openbsd-compat/base64.c
--- openssh-7.9p1.orig/openbsd-compat/base64.c
+++ openssh-7.9p1/openbsd-compat/base64.c
@@ -46,7 +46,7 @@
#include "includes.h"
@ -2155,10 +2155,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.c
/* skips all whitespace anywhere.
converts characters, four at a time, starting at (or after)
Index: openssh-7.8p1/openbsd-compat/base64.h
Index: openssh-7.9p1/openbsd-compat/base64.h
===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.h
+++ openssh-7.8p1/openbsd-compat/base64.h
--- openssh-7.9p1.orig/openbsd-compat/base64.h
+++ openssh-7.9p1/openbsd-compat/base64.h
@@ -45,16 +45,16 @@
#include "includes.h"
@ -2180,10 +2180,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.h
int b64_pton(char const *src, u_char *target, size_t targsize);
# endif /* !HAVE_B64_PTON */
# define __b64_pton(a,b,c) b64_pton(a,b,c)
Index: openssh-7.8p1/openssh-lpk-openldap.schema
Index: openssh-7.9p1/openssh-lpk-openldap.schema
===================================================================
--- /dev/null
+++ openssh-7.8p1/openssh-lpk-openldap.schema
+++ openssh-7.9p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2206,10 +2206,10 @@ Index: openssh-7.8p1/openssh-lpk-openldap.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
Index: openssh-7.8p1/openssh-lpk-sun.schema
Index: openssh-7.9p1/openssh-lpk-sun.schema
===================================================================
--- /dev/null
+++ openssh-7.8p1/openssh-lpk-sun.schema
+++ openssh-7.9p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2234,10 +2234,10 @@ Index: openssh-7.8p1/openssh-lpk-sun.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
Index: openssh-7.8p1/ssh-ldap-helper.8
Index: openssh-7.9p1/ssh-ldap-helper.8
===================================================================
--- /dev/null
+++ openssh-7.8p1/ssh-ldap-helper.8
+++ openssh-7.9p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@ -2318,19 +2318,19 @@ Index: openssh-7.8p1/ssh-ldap-helper.8
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
Index: openssh-7.8p1/ssh-ldap-wrapper
Index: openssh-7.9p1/ssh-ldap-wrapper
===================================================================
--- /dev/null
+++ openssh-7.8p1/ssh-ldap-wrapper
+++ openssh-7.9p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
Index: openssh-7.8p1/ssh-ldap.conf.5
Index: openssh-7.9p1/ssh-ldap.conf.5
===================================================================
--- /dev/null
+++ openssh-7.8p1/ssh-ldap.conf.5
+++ openssh-7.9p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"



@ -15,15 +15,11 @@ this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
--- openssh-7.7p1/sandbox-seccomp-filter.c
+++ openssh-7.7p1/sandbox-seccomp-filter.c
@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_exit_group),
#endif
#ifdef __NR_geteuid
SC_ALLOW(__NR_geteuid),
#endif
Index: openssh-7.9p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-7.9p1.orig/sandbox-seccomp-filter.c
+++ openssh-7.9p1/sandbox-seccomp-filter.c
@@ -175,6 +175,9 @@ static const struct sock_filter preauth_
#ifdef __NR_geteuid32
SC_ALLOW(__NR_geteuid32),
#endif
@ -33,17 +29,7 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
#ifdef __NR_getpgid
SC_ALLOW(__NR_getpgid),
#endif
#ifdef __NR_getpid
SC_ALLOW(__NR_getpid),
#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),
@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_gettimeofday),
#endif
#ifdef __NR_getuid
SC_ALLOW(__NR_getuid),
#endif
@@ -193,6 +196,9 @@ static const struct sock_filter preauth_
#ifdef __NR_getuid32
SC_ALLOW(__NR_getuid32),
#endif
@ -53,8 +39,3 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
#ifdef __NR_madvise
SC_ALLOW(__NR_madvise),
#endif
#ifdef __NR_mmap
SC_ALLOW(__NR_mmap),
#endif
#ifdef __NR_mmap2
SC_ALLOW(__NR_mmap2),


@ -1,123 +1,100 @@
# HG changeset patch
# Parent 37bba3ff816d9ab93ddcf23389a4eb29d7716006
additional option for sftp-server to force file mode for new files
FATE#312774
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
http://marc.info/?l=openssh-unix-dev&m=128896838930893
diff --git a/openssh-7.7p1/sftp-server.8 b/openssh-7.7p1/sftp-server.8
--- openssh-7.7p1/sftp-server.8
+++ openssh-7.7p1/sftp-server.8
@@ -33,16 +33,17 @@
.Bk -words
.Op Fl ehR
.Op Fl d Ar start_directory
.Op Fl f Ar log_facility
.Op Fl l Ar log_level
--- original/sftp-server.8 2016-12-19 04:59:41.000000000 +0000
+++ original/sftp-server.8 2017-11-23 08:47:01.267239186 +0000
@@ -38,6 +38,7 @@
.Op Fl P Ar blacklisted_requests
.Op Fl p Ar whitelisted_requests
.Op Fl u Ar umask
+.Op Fl m Ar force_file_permissions
+.Op Fl m Ar force_file_dir_perms
.Ek
.Nm
.Fl Q Ar protocol_feature
.Sh DESCRIPTION
.Nm
is a program that speaks the server side of SFTP protocol
to stdout and expects client requests from stdin.
.Nm
@@ -133,16 +134,20 @@ Places this instance of
into a read-only mode.
Attempts to open files for writing, as well as other operations that change
the state of the filesystem, will be denied.
.It Fl u Ar umask
Sets an explicit
@@ -138,6 +139,10 @@
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
+.It Fl m Ar force_file_permissions
+Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode. Numeric values include:
+.It Fl m Ar force_file_dir_perms
+Sets explicit permissions to be applied to newly-created files and directories
+instead of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
.El
.Pp
On some systems,
.Nm
must be able to access
.Pa /dev/log
for logging to work, and use of
.Nm
diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
--- openssh-7.7p1/sftp-server.c
+++ openssh-7.7p1/sftp-server.c
@@ -71,16 +71,20 @@ static u_int version;
static int init_done;
--- original/sftp-server.c 2016-12-19 04:59:41.000000000 +0000
+++ original/sftp-server.c 2017-11-23 13:07:08.481765581 +0000
@@ -65,6 +65,10 @@
/* Version of client */
static u_int version;
/* Disable writes */
static int readonly;
/* Requests that are allowed/denied */
static char *request_whitelist, *request_blacklist;
+/* Force file permissions */
+/* Force file and directory permissions */
+int permforce = 0;
+long permforcemode;
+
/* portable attributes, etc. */
typedef struct Stat Stat;
/* SSH2_FXP_INIT received */
static int init_done;
struct Stat {
@@ -679,6 +683,7 @@
Attrib a;
char *name;
char *long_name;
Attrib attrib;
};
@@ -685,16 +689,20 @@ process_open(u_int32_t id)
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
+ mode_t old_umask = 0;
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
(r = decode_attrib(iqueue, &a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -688,6 +693,10 @@
debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags);
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
+ if (permforce == 1) {
+ if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode;
+ (void)umask(0); /* so umask does not interfere */
+ old_umask = umask(0); /* so umask does not interfere */
+ }
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
((flags & O_ACCMODE) != O_RDONLY ||
(flags & (O_CREAT|O_TRUNC)) != 0)) {
verbose("Refusing open request in read-only mode");
status = SSH2_FX_PERMISSION_DENIED;
} else {
@@ -1487,17 +1495,18 @@ sftp_server_cleanup_exit(int i)
static void
sftp_server_usage(void)
{
extern char *__progname;
@@ -709,6 +718,8 @@
}
}
}
+ if (permforce == 1)
+ (void) umask(old_umask); /* restore umask to something sane */
if (status != SSH2_FX_OK)
send_status(id, status);
free(name);
@@ -1110,6 +1121,7 @@
Attrib a;
char *name;
int r, mode, status = SSH2_FX_FAILURE;
+ mode_t old_umask = 0;
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = decode_attrib(iqueue, &a)) != 0)
@@ -1117,9 +1129,16 @@
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
a.perm & 07777 : 0777;
+ if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode;
+ old_umask = umask(0); /* so umask does not interfere */
+ }
+
debug3("request %u: mkdir", id);
logit("mkdir name \"%s\" mode 0%o", name, mode);
r = mkdir(name, mode);
+ if (permforce == 1)
+ (void) umask(old_umask); /* restore umask to something sane */
status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
send_status(id, status);
free(name);
@@ -1490,7 +1509,7 @@
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] "
- "[-p whitelisted_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask]\n\t"
+ "[-m force_file_permissions]\n"
+ "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n"
" %s -Q protocol_feature\n",
__progname, __progname);
exit(1);
}
int
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
{
@@ -1516,17 +1525,17 @@ sftp_server_main(int argc, char **argv,
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
@@ -1516,7 +1535,7 @@
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
@ -126,32 +103,19 @@ diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
switch (ch) {
case 'Q':
if (strcasecmp(optarg, "requests") != 0) {
fprintf(stderr, "Invalid query type\n");
exit(1);
}
for (i = 0; handlers[i].handler != NULL; i++)
printf("%s\n", handlers[i].name);
@@ -1576,16 +1585,23 @@ sftp_server_main(int argc, char **argv,
case 'u':
errno = 0;
mask = strtol(optarg, &cp, 8);
if (mask < 0 || mask > 0777 || *cp != '\0' ||
cp == optarg || (mask == 0 && errno != 0))
@@ -1576,6 +1595,15 @@
fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask);
break;
+ case 'm':
+ /* Force permissions on file and directory received via sftp */
+ permforce = 1;
+ permforcemode = strtol(optarg, &cp, 8);
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
+ cp == optarg || (permforcemode == 0 && errno != 0))
+ fatal("Invalid umask \"%s\"", optarg);
+ if (permforcemode < 0 || permforcemode > 0777 ||
+ *cp != '\0' || (permforcemode == 0 &&
+ errno != 0))
+ fatal("Invalid file mode \"%s\"", optarg);
+ break;
case 'h':
default:
sftp_server_usage();
}
}
log_init(__progname, log_level, log_facility, log_stderr);
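Review bot: The refreshed `case 'm'` parser appears to drop the `cp == optarg` test that the earlier version of this hunk had, and it never resets `errno` before `strtol`, unlike the `case 'u'` branch directly above it, which starts with `errno = 0;`. An empty `-m ''` argument then leaves `permforcemode == 0` with `cp == optarg` and is accepted as a forced mode of 0000 (or rejected only when a stale errno happens to be non-zero), and a legitimate `-m 0` can be refused by an `ERANGE` left over from an earlier option. Add `errno = 0;` before the `strtol` call and restore `cp == optarg ||` in the condition that precedes `fatal("Invalid file mode \"%s\"", optarg);`. Separately, `permforce` and `permforcemode` are the only file-scope variables in this hunk declared without `static`; unless another translation unit reads them, `static int permforce = 0; static long permforcemode;` matches the surrounding declarations. sftp_server_main's body continues outside the section.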


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
size 1548026


@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=ZiYm
-----END PGP SIGNATURE-----

3
openssh-7.9p1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
size 1565384

14
openssh-7.9p1.tar.gz.asc Normal file

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlvJLhsACgkQ0+X1a22S
DTBjHwx/T3EX3EtCzB9I6zHFUgF2/0hEKVYZw2Yl4UbUvgjy/KdEdlJzdH3Hc/yU
jJZzraDY7nJMrCly734FbFGKsKoRkxWMkeuQGOhvpzgTYg+fOa1J0a14xK/ub9Y0
9Z/4zP0Zs7mn+8MApMS3XOZ+AJgdRiXN9i3PXmbYO9Gcg+QthtgE1DeG0d0vVTP/
ipCBBg8mMlAANdlu9IUCv4CJPwJjQt2aYsvCiuUQuzrKYsV5noCOBaGRbmPcN9SM
3cvSTZgDbK3kHdL1RnBgWpcO+o+D8sqSW2rm8xpCQv/ILo86/BLBjXDCYLEt0nSn
+dONPytwhwwJWPPYe7+RSYWHS2cKwVTDk7lr2E636SwU1fM1NiNYle9hB6cUT0nU
sypfHOIARAMSqepnaT3WgffM0jlEWrSB0PuDLTLTO5ZPmUijqqT6xGwWSUc4GQZY
WNyGg1w0Ryj2pRd7DlXDDivTCneXFqV7JZiR3R4ZXJJV0uVQOUitCS/DnwSDpIfp
HlVEWeRAszQFKLKttu0/4SY2NVrRBA==
=4Z9x
-----END PGP SIGNATURE-----


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Version update to 7.9p1
* No actual changes for the askpass
* See main package changelog for details
-------------------------------------------------------------------
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>


@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 7.8p1
Version: 7.9p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause


@ -0,0 +1,41 @@
Index: openssh-7.9p1/openbsd-compat/openssl-compat.c
===================================================================
--- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c 2018-11-26 11:47:17.417925053 +0100
+++ openssh-7.9p1/openbsd-compat/openssl-compat.c 2018-11-26 11:52:47.127727580 +0100
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OPENSSL_config(NULL);
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
Index: openssh-7.9p1/gss-genr.c
===================================================================
--- openssh-7.9p1.orig/gss-genr.c 2018-11-26 11:47:17.417925053 +0100
+++ openssh-7.9p1/gss-genr.c 2018-11-26 12:01:40.354642746 +0100
@@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
if ((buf = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ md = EVP_MD_CTX_create();
+#else
md = EVP_MD_CTX_new();
+#endif
oidpos = 0;
for (i = 0; i < gss_supported->count; i++) {
if (gss_supported->elements[i].length < 128 &&
@@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
oidpos++;
}
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_MD_CTX_destroy(md);
+#else
EVP_MD_CTX_free(md);
+#endif
gss_enc2oid[oidpos].oid = NULL;
gss_enc2oid[oidpos].encoded = NULL;
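Review bot: The new patch carries no description above its first `Index:` line, unlike the other patches in this package (the sftp_force_permissions patch opens with a one-line purpose and reference URLs), so a future refresh has nothing to tell it why the threshold in openssl-compat.c moved from `0x10001000L` to `0x10100000L`. A header along the lines of `Fix build with OpenSSL < 1.1.0: use OPENSSL_config() and EVP_MD_CTX_create()/destroy() on 1.0.x, where OPENSSL_init_crypto() and EVP_MD_CTX_new()/free() do not exist` would document that. Note also that a bare `OPENSSL_VERSION_NUMBER < 0x10100000L` test selects the 1.1 branch for any library that reports a higher number; if LibreSSL builds are in scope for this package, it reports 0x20000000L without necessarily providing every 1.1 API, so a `LIBRESSL_VERSION_NUMBER` clause may be needed in both files — verify against the package's build targets.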


@ -1,3 +1,89 @@
-------------------------------------------------------------------
Mon Nov 26 11:07:42 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
- Fix build with openssl < 1.1.0
* add openssh-openssl-1_0_0-compatibility.patch
-------------------------------------------------------------------
Wed Oct 31 00:27:41 UTC 2018 - Cristian Rodríguez <crrodriguez@opensuse.org>
- openssh-7.7p1-audit.patch: fix sshd fatal error in
mm_answer_keyverify: buffer error: incomplete message [bnc#1114008]
-------------------------------------------------------------------
Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Version update to 7.9p1
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
option (see below) bans the use of DSA keys as certificate
authorities.
* sshd(8): the authentication success/failure log message has
changed format slightly. It now includes the certificate
fingerprint (previously it included only key ID and CA key
fingerprint).
* ssh(1), sshd(8): allow most port numbers to be specified using
service names from getservbyname(3) (typically /etc/services).
* sshd(8): support signalling sessions via the SSH protocol.
A limited subset of signals is supported and only for login or
command sessions (i.e. not subsystems) that were not subject to
a forced command via authorized_keys or sshd_config. bz#1424
* ssh(1): support "ssh -Q sig" to list supported signature options.
Also "ssh -Q help" to show the full set of supported queries.
* ssh(1), sshd(8): add a CASignatureAlgorithms option for the
client and server configs to allow control over which signature
formats are allowed for CAs to sign certificates. For example,
this allows banning CAs that sign certificates using the RSA-SHA1
signature algorithm.
* sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
revoke keys specified by SHA256 hash.
* ssh-keygen(1): allow creation of key revocation lists directly
from base64-encoded SHA256 fingerprints. This supports revoking
keys using only the information contained in sshd(8)
authentication log messages.
- Removed obsolete configuration option --with-tcp-wrappers, and
--with-opensc for s390 and s390x.
- Removed patch merged upstream
* openssh-7.7p1-openssl_1.1.0.patch
- Refreshed patches
* openssh-7.7p1-audit.patch
* openssh-7.7p1-disable_short_DH_parameters.patch
* openssh-7.7p1-fips.patch
* openssh-7.7p1-gssapi_key_exchange.patch
* openssh-7.7p1-seccomp_ipc_flock.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-ldap.patch
-------------------------------------------------------------------
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Mention upstream bugs on multiple local patches
- Adjust service to not spam restart and reload only on fails
-------------------------------------------------------------------
Fri Oct 19 13:11:34 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Update openssh-7.7p1-sftp_force_permissions.patch from the
upstream bug, and mention the bug in the spec
-------------------------------------------------------------------
Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Drop patch openssh-7.7p1-allow_root_password_login.patch
* There is no reason to set less secure default value, if
users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
* We had a bug way in past about this but it was never reproduced
or even confirmed in the ticket, thus rather drop the patch
-------------------------------------------------------------------
Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Disable ssh1 protocol support as neither RH or Debian enable
this protocol by default anymore either.
-------------------------------------------------------------------
Wed Oct 17 08:42:12 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>


@ -27,8 +27,7 @@
%bcond_without susefirewall
%bcond_with tirpc
%endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir %{_fwdir}/services
%define _fwdefdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
@ -37,7 +36,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 7.8p1
Version: 7.9p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@ -56,37 +55,49 @@ Source9: sshd-gen-keys-start
Source10: sshd.service
Source11: README.FIPS
Source12: cavs_driver-ssh.pl
Patch0: openssh-7.7p1-allow_root_password_login.patch
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch
Patch5: openssh-7.7p1-blocksigalrm.patch
Patch6: openssh-7.7p1-send_locale.patch
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Patch9: openssh-7.7p1-pts_names_formatting.patch
Patch10: openssh-7.7p1-pam_check_locks.patch
Patch11: openssh-7.7p1-disable_short_DH_parameters.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch14: openssh-7.7p1-seccomp_stat.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
# Local FIPS patchset
Patch17: openssh-7.7p1-fips.patch
# Local cavs patchset
Patch18: openssh-7.7p1-cavstest-ctr.patch
# Local cavs patchset
Patch19: openssh-7.7p1-cavstest-kdf.patch
# Local FIPS patchset
Patch20: openssh-7.7p1-fips_checks.patch
Patch21: openssh-7.7p1-seed-prng.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22: openssh-7.7p1-systemd-notify.patch
Patch23: openssh-7.7p1-gssapi_key_exchange.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch24: openssh-7.7p1-audit.patch
Patch25: openssh-7.7p1-openssl_1.1.0.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
Patch28: openssh-7.7p1-host_ident.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Patch29: openssh-7.7p1-sftp_force_permissions.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Patch31: openssh-7.7p1-ldap.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
Patch34: openssh-openssl-1_0_0-compatibility.patch
BuildRequires: audit-devel
BuildRequires: autoconf
BuildRequires: groff
@ -176,7 +187,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/ssh \
--with-tcp-wrappers \
--with-selinux \
--with-pid-dir=/run \
--with-systemd \
@ -188,19 +198,14 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
%endif
%ifnarch s390 s390x
--with-opensc \
%endif
--disable-strip \
--with-audit=linux \
--with-ldap \
--with-xauth=%{_bindir}/xauth \
--with-libedit \
--with-ssh1 \
--target=%{_target_cpu}-suse-linux \
--target=%{_target_cpu}-suse-linux
### configure end
make %{?_smp_mflags}
%install

@ -10,7 +10,8 @@ ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always
Restart=on-failure
RestartPreventExitStatus=255
TasksMax=infinity
[Install]
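Review bot: The new `RestartPreventExitStatus=255` line suppresses restarts for the one exit code that, as far as I recall, sshd's fatal() path uses for every fatal error, not only for configuration mistakes; that includes transient failures such as a bind on a `ListenAddress` that is not yet configured at boot, which under `Restart=on-failure` would otherwise have been retried. Since `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` already rejects a broken configuration before the daemon starts, the remaining 255 exits are mostly runtime fatals, so it is worth stating the intent in the unit with a comment directly above the line, e.g. `# sshd exits 255 on fatal errors (bad config, bind failure); do not loop on those, see sshd -t above`. Please also confirm that the 255 assumption holds for the sshd build shipped here, and consider whether a `RestartSec=` with the on-failure policy would cover the transient bind case without reintroducing the restart storm the changelog mentions.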