Accepting request 1194679 from network

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1194679
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=181
This commit is contained in:
Ana Guerrero 2024-08-21 21:24:44 +00:00 committed by Git OBS Bridge
commit 8a8ed57387
36 changed files with 1449 additions and 1425 deletions

View File

@ -1,55 +0,0 @@
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 30 Apr 2024 02:14:10 +0000
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
reported
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
by Tõivo Leedjärv; ok deraadt@
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
---
clientloop.c | 4 ++--
serverloop.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index be8bb5fc1f2..8ea2ada4216 100644
--- a/clientloop.c
+++ b/clientloop.c
#@@ -1,4 +1,4 @@
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
# /*
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
&npfd_active, channel_did_enqueue, &osigset,
&conn_in_ready, &conn_out_ready);
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (quit_pending)
diff --git a/serverloop.c b/serverloop.c
index f3683c2e4a6..94c8943a616 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
wait_until_can_do_something(ssh, connection_in, connection_out,
&pfd, &npfd_alloc, &npfd_active, &osigset,
&conn_in_ready, &conn_out_ready);
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (received_sigterm) {

View File

@ -1,32 +0,0 @@
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 21 Feb 2024 05:57:34 +0000
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
timing
obfuscation was added. GHPR#463 from montag451
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
---
clientloop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index eb4902905fb..8ec36af94b3 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
{
int r;
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
return 0;
/* XXX probabilistically send chaff? */
/*

View File

@ -1,38 +0,0 @@
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 1 Jul 2024 04:31:17 +0000
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
---
clientloop.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 0b6f3c9be02..8ed8b1c3449 100644
--- a/clientloop.c
+++ b/clientloop.c
#@@ -1,4 +1,4 @@
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
# /*
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
if (timespeccmp(&now, &chaff_until, >=)) {
/* Stop if there have been no keystrokes for a while */
stop_reason = "chaff time expired";
- } else if (timespeccmp(&now, &next_interval, >=)) {
- /* Otherwise if we were due to send, then send chaff */
+ } else if (timespeccmp(&now, &next_interval, >=) &&
+ !ssh_packet_have_data_to_write(ssh)) {
+ /* If due to send but have no data, then send chaff */
if (send_chaff(ssh))
nchaff++;
}

View File

@ -1,19 +0,0 @@
Index: openssh-9.6p1/log.c
===================================================================
--- openssh-9.6p1.orig/log.c
+++ openssh-9.6p1/log.c
@@ -451,12 +451,14 @@ void
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#if 0
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}

View File

@ -0,0 +1,39 @@
From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <alarrosa@suse.com>
Date: Mon, 12 Aug 2024 11:32:42 +0200
Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth
The return value of argv_assemble is owned by the caller and should be
free'd. When processing the sSubsystem case there are two calls to
argv_assemble but only one of them is freed. This patch fixes the small
(29 bytes according to valgrind) memory leak.
The output from valgrind:
==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
==115369== at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==115369== by 0x124A22: argv_assemble (misc.c:2165)
==115369== by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004)
==115369== by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032)
==115369== by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
==115369== by 0x111C6E: main (sshd.c:1445)
Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
---
servconf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/servconf.c b/servconf.c
index 5a20d6f8..0b989b95 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
xasprintf(&options->subsystem_args[options->num_subsystems],
"%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
free(arg2);
+ free(arg);
argv_consume(&ac);
options->num_subsystems++;
break;
--
2.45.2

View File

@ -1,25 +0,0 @@
Index: openssh-9.3p1/Makefile.in
===================================================================
--- openssh-9.3p1.orig/Makefile.in
+++ openssh-9.3p1/Makefile.in
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
# FIPS tests
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

View File

@ -14,11 +14,11 @@ index f0ea07e7b..35dcf45f1 100644
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index a12c6f7ad..860df3379 100644 index a12c6f7ad..860df3379 100644
--- a/configure.ac --- a/configure.ac
@ -106,7 +106,7 @@ index 86caf83b2..8b413190b 100644
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN && if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line, !sys_auth_record_login(li->username,li->hostname,li->line,
@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li) @@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
} }
#endif #endif
@ -171,9 +171,12 @@ index 86caf83b2..8b413190b 100644
+ +
+ free(dbus_path); + free(dbus_path);
+ +
+ if (sd_bus_flush(bus) < 0) + if (sd_bus_flush(bus) < 0) {
+ sd_bus_unref(bus);
+ return (0); + return (0);
+ }
+ +
+ sd_bus_unref(bus);
+ return (1); + return (1);
+} +}
+ +

View File

@ -104,10 +104,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.h
#endif #endif
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
Index: openssh-9.6p1/sshd.c Index: openssh-9.6p1/sshd-session.c
=================================================================== ===================================================================
--- openssh-9.6p1.orig/sshd.c --- openssh-9.6p1.orig/sshd-session.c
+++ openssh-9.6p1/sshd.c +++ openssh-9.6p1/sshd-session.c
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh) @@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
demote_sensitive_data(ssh); demote_sensitive_data(ssh);

View File

@ -37,14 +37,14 @@ Index: openssh-9.3p2/Makefile.in
=================================================================== ===================================================================
--- openssh-9.3p2.orig/Makefile.in --- openssh-9.3p2.orig/Makefile.in
+++ openssh-9.3p2/Makefile.in +++ openssh-9.3p2/Makefile.in
@@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_KEYCAT=$(libexecdir)/ssh-keycat +SSH_KEYCAT=$(libexecdir)/ssh-keycat
SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@ @@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
K5LIBS=@K5LIBS@ K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@ GSSLIBS=@GSSLIBS@
@ -53,12 +53,12 @@ Index: openssh-9.3p2/Makefile.in
LIBEDIT=@LIBEDIT@ LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@ LIBFIDO2=@LIBFIDO2@
LIBWTMPDB=@LIBWTMPDB@ LIBWTMPDB=@LIBWTMPDB@
@@ -75,7 +77,7 @@ MKDIR_P=@MKDIR_P@ @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo .SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@ -99,9 +99,9 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
=================================================================== ===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c +++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt; @@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern Authctxt *the_authctxt;
extern int inetd_flag; extern int inetd_flag;
extern int rexeced_flag;
+/* Wrapper around is_selinux_enabled() to log its return value once only */ +/* Wrapper around is_selinux_enabled() to log its return value once only */
+int +int
@ -129,14 +129,14 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
{ {
const char *reqlvl; const char *reqlvl;
char *role; char *role;
@@ -329,16 +343,16 @@ sshd_selinux_setup_pam_variables(void) @@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl); ssh_selinux_get_role_level(&role, &reqlvl);
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); - rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); + rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
if (inetd_flag && !rexeced_flag) { if (inetd_flag) {
use_current = "1"; use_current = "1";
} else { } else {
use_current = ""; use_current = "";

View File

@ -52,7 +52,7 @@ Index: openssh-9.3p2/session.c
platform_setusercontext(pw); platform_setusercontext(pw);
- if (platform_privileged_uidswap()) { - if (platform_privileged_uidswap()) {
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) { + if (platform_privileged_uidswap() && !is_child) {
#ifdef HAVE_LOGIN_CAP #ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid, if (setusercontext(lc, pw, pw->pw_uid,
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
@ -98,11 +98,11 @@ Index: openssh-9.3p2/session.c
exit(sftp_server_main(i, argv, s->pw)); exit(sftp_server_main(i, argv, s->pw));
} }
Index: openssh-9.3p2/sshd.c Index: openssh-9.3p2/sshd-session.c
=================================================================== ===================================================================
--- openssh-9.3p2.orig/sshd.c --- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd.c +++ openssh-9.3p2/sshd-session.c
@@ -510,6 +510,10 @@ privsep_preauth_child(struct ssh *ssh) @@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
demote_sensitive_data(ssh); demote_sensitive_data(ssh);
@ -113,13 +113,12 @@ Index: openssh-9.3p2/sshd.c
/* Demote the child */ /* Demote the child */
if (privsep_chroot) { if (privsep_chroot) {
/* Change our root directory */ /* Change our root directory */
@@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct @@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
* fd passing, as AFAIK PTY allocation on this platform doesn't require
#ifdef DISABLE_FD_PASSING * special privileges to begin with.
if (1) { */
+#elif defined(WITH_SELINUX) -#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
+ if (0) { +#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
+ /* even root user can be confined by SELinux */ skip_privdrop = 1;
#else
if (authctxt->pw->pw_uid == 0) {
#endif #endif

View File

@ -9,16 +9,16 @@ Index: openssh-9.3p2/auth2-pubkey.c
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag; +extern int rexeced_flag;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
extern struct authmethod_cfg methodcfg_pubkey;
static char * static char *
format_key(const struct sshkey *key)
@@ -459,7 +462,8 @@ match_principals_command(struct passwd * @@ -459,7 +462,8 @@ match_principals_command(struct passwd *
if ((pid = subprocess("AuthorizedPrincipalsCommand", command, if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
ac, av, &f, ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
- runas_pw, temporarily_use_uid, restore_uid)) == 0) - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid, + runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + inetd_flag, the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
@ -28,7 +28,7 @@ Index: openssh-9.3p2/auth2-pubkey.c
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
- runas_pw, temporarily_use_uid, restore_uid)) == 0) - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid, + runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + inetd_flag, the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
@ -87,14 +87,13 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
=================================================================== ===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c +++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
@@ -49,11 +49,6 @@ @@ -49,10 +49,6 @@
#include <unistd.h> #include <unistd.h>
#endif #endif
-extern ServerOptions options; -extern ServerOptions options;
-extern Authctxt *the_authctxt; -extern Authctxt *the_authctxt;
-extern int inetd_flag; -extern int inetd_flag;
-extern int rexeced_flag;
- -
/* Wrapper around is_selinux_enabled() to log its return value once only */ /* Wrapper around is_selinux_enabled() to log its return value once only */
int int
@ -133,7 +132,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
if (r == 0) { if (r == 0) {
/* If launched from xinetd, we must use current level */ /* If launched from xinetd, we must use current level */
- if (inetd_flag && !rexeced_flag) { - if (inetd_flag) {
+ if (inetd) { + if (inetd) {
security_context_t sshdsc=NULL; security_context_t sshdsc=NULL;
@ -157,7 +156,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- if (inetd_flag && !rexeced_flag) { - if (inetd_flag) {
+ if (inetd) { + if (inetd) {
use_current = "1"; use_current = "1";
} else { } else {
@ -222,56 +221,46 @@ Index: openssh-9.3p2/platform.c
=================================================================== ===================================================================
--- openssh-9.3p2.orig/platform.c --- openssh-9.3p2.orig/platform.c
+++ openssh-9.3p2/platform.c +++ openssh-9.3p2/platform.c
@@ -34,6 +34,9 @@ @@ -34,6 +34,8 @@
#include "openbsd-compat/openbsd-compat.h"
extern int use_privsep;
extern ServerOptions options; extern ServerOptions options;
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
void /* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
platform_pre_listen(void) int
@@ -185,7 +188,9 @@ platform_setusercontext_post_groups(stru @@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru
} }
#endif /* HAVE_SETPCRED */ #endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(pw->pw_name); - sshd_selinux_setup_exec_context(pw->pw_name);
+ sshd_selinux_setup_exec_context(pw->pw_name, + sshd_selinux_setup_exec_context(pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt, + inetd_flag, do_pam_putenv, the_authctxt,
+ options.use_pam); + options.use_pam);
#endif #endif
} }
Index: openssh-9.3p2/sshd.c Index: openssh-9.3p2/sshd-session.c
=================================================================== ===================================================================
--- openssh-9.3p2.orig/sshd.c --- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd.c +++ openssh-9.3p2/sshd-session.c
@@ -166,7 +166,7 @@ int debug_flag = 0; @@ -166,7 +166,7 @@ int debug_flag = 0;
static int test_flag = 0; int debug_flag = 0;
/* Flag indicating that the daemon is being started from inetd. */ /* Flag indicating that the daemon is being started from inetd. */
-static int inetd_flag = 0; -static int inetd_flag = 0;
+int inetd_flag = 0; +int inetd_flag = 0;
/* Flag indicating that sshd should not detach and become a daemon. */ /* debug goes to stderr unless inetd_flag is set */
static int no_daemon_flag = 0; static int log_stderr = 0;
@@ -179,7 +179,7 @@ static char **saved_argv;
static int saved_argc;
/* re-exec */
-static int rexeced_flag = 0;
+int rexeced_flag = 0;
static int rexec_flag = 1;
static int rexec_argc = 0;
static char **rexec_argv;
@@ -2396,7 +2396,9 @@ main(int ac, char **av) @@ -2396,7 +2396,9 @@ main(int ac, char **av)
} }
#endif #endif
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name); - sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name, + sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt, + inetd_flag, do_pam_putenv, the_authctxt,
+ options.use_pam); + options.use_pam);
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM

View File

@ -7,7 +7,7 @@ Index: openssh-8.8p1/Makefile.in
--- openssh-8.8p1.orig/Makefile.in --- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in +++ openssh-8.8p1/Makefile.in
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr +CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
STRIP_OPT=@STRIP_OPT@ STRIP_OPT=@STRIP_OPT@
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@ @@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT) +TARGETS += cavstest-ctr$(EXEEXT)
+ +
@ -29,7 +29,7 @@ Index: openssh-8.8p1/Makefile.in
+# FIPS tests +# FIPS tests
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o +cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+ +
# test driver for the loginrec code - not built by default # test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

View File

@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
STRIP_OPT=@STRIP_OPT@ STRIP_OPT=@STRIP_OPT@
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@ @@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-TARGETS += cavstest-ctr$(EXEEXT) -TARGETS += cavstest-ctr$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) +TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@ -25,10 +25,10 @@ Index: openssh-8.8p1/Makefile.in
ssh-xmss.o \ ssh-xmss.o \
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S @@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o +cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+ +
# test driver for the loginrec code - not built by default # test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

View File

@ -389,17 +389,17 @@ Index: openssh-9.6p1/hmac.c
ssh_hmac_update(ctx, m, mlen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 ||
Index: openssh-9.6p1/kex.c Index: openssh-9.6p1/kex.c
=================================================================== ===================================================================
--- openssh-9.6p1.orig/kex.c --- openssh-9.6p1.orig/kex-names.c
+++ openssh-9.6p1/kex.c +++ openssh-9.6p1/kex-names.c
@@ -64,6 +64,8 @@ @@ -64,6 +64,8 @@
#include "digest.h" #include "ssherr.h"
#include "xmalloc.h" #include "xmalloc.h"
+#include "fips.h" +#include "fips.h"
+ +
/* prototype */ struct kexalg {
static int kex_choose_conf(struct ssh *, uint32_t seq); char *name;
static int kex_input_newkeys(int, u_int32_t, struct ssh *); u_int type;
@@ -87,7 +89,7 @@ struct kexalg { @@ -87,7 +89,7 @@ struct kexalg {
int ec_nid; int ec_nid;
int hash_alg; int hash_alg;
@ -647,8 +647,8 @@ Index: openssh-9.6p1/servconf.c
#include "digest.h" #include "digest.h"
+#include "fips.h" +#include "fips.h"
static void add_listen_addr(ServerOptions *, const char *, #if !defined(SSHD_PAM_SERVICE)
const char *, int); # define SSHD_PAM_SERVICE "sshd"
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o) @@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0; return o == NULL || strcasecmp(o, "none") == 0;
} }
@ -785,8 +785,8 @@ Index: openssh-9.6p1/sshd.c
--- openssh-9.6p1.orig/sshd.c --- openssh-9.6p1.orig/sshd.c
+++ openssh-9.6p1/sshd.c +++ openssh-9.6p1/sshd.c
@@ -128,6 +128,8 @@ @@ -128,6 +128,8 @@
#include "addr.h"
#include "srclimit.h" #include "srclimit.h"
#include "dh.h"
+#include "fips.h" +#include "fips.h"
+ +

View File

@ -459,13 +459,13 @@ Index: openssh-8.8p1/sshd.c
--- openssh-8.8p1.orig/sshd.c --- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c +++ openssh-8.8p1/sshd.c
@@ -1547,6 +1547,10 @@ main(int ac, char **av) @@ -1547,6 +1547,10 @@ main(int ac, char **av)
struct connection_info *connection_info = NULL; struct connection_info connection_info;
sigset_t sigmask; sigset_t sigmask;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a + /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */ + * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init(); + fips_ssh_init();
+ +
memset(&connection_info, 0, sizeof(connection_info));
#ifdef HAVE_SECUREWARE #ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av); (void)set_auth_parameters(ac, av);
#endif

View File

@ -128,7 +128,7 @@ Index: openssh-8.9p1/Makefile.in
--- openssh-8.9p1.orig/Makefile.in --- openssh-8.9p1.orig/Makefile.in
+++ openssh-8.9p1/Makefile.in +++ openssh-8.9p1/Makefile.in
@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -168,7 +168,7 @@ Index: openssh-8.9p1/Makefile.in
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -421,6 +429,10 @@ install-files: @@ -421,6 +429,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \

View File

@ -32,17 +32,17 @@ Index: openssh-8.8p1/servconf.c
--- openssh-8.8p1.orig/servconf.c --- openssh-8.8p1.orig/servconf.c
+++ openssh-8.8p1/servconf.c +++ openssh-8.8p1/servconf.c
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
/* Portable-specific options */ /* Portable-specific options */
options->use_pam = -1; options->use_pam = -1;
options->pam_service_name = NULL;
+ options->use_pam_check_locks = -1; + options->use_pam_check_locks = -1;
/* Standard Options */ /* Standard Options */
options->num_ports = 0; options->num_ports = 0;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0; options->use_pam = 0;
if (options->pam_service_name == NULL)
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
+ if (options->use_pam_check_locks == -1) + if (options->use_pam_check_locks == -1)
+ options->use_pam_check_locks = 0; + options->use_pam_check_locks = 0;
@ -52,26 +52,27 @@ Index: openssh-8.8p1/servconf.c
typedef enum { typedef enum {
sBadOption, /* == unknown option */ sBadOption, /* == unknown option */
/* Portable-specific options */ /* Portable-specific options */
- sUsePAM, - sUsePAM, sPAMServiceName,
+ sUsePAM, sUsePAMChecklocks, + sUsePAM, sPAMServiceName, sUsePAMChecklocks,
/* Standard Options */ /* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime, sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@@ -535,8 +538,10 @@ static struct { @@ -535,9 +538,11 @@ static struct {
/* Portable-specific options */
#ifdef USE_PAM #ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL }, { "usepam", sUsePAM, SSHCFG_GLOBAL },
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL }, + { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
#else #else
{ "usepam", sUnsupported, SSHCFG_GLOBAL }, { "usepam", sUnsupported, SSHCFG_GLOBAL },
{ "pamservicename", sUnsupported, SSHCFG_ALL },
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL }, + { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */ /* Standard Options */
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO @@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
case sUsePAM: if (*activep && *charptr == NULL)
intptr = &options->use_pam; *charptr = xstrdup(arg);
goto parse_flag; break;
+ case sUsePAMChecklocks: + case sUsePAMChecklocks:
+ intptr = &options->use_pam_check_locks; + intptr = &options->use_pam_check_locks;
+ goto parse_flag; + goto parse_flag;
@ -83,9 +84,9 @@ Index: openssh-8.8p1/servconf.h
--- openssh-8.8p1.orig/servconf.h --- openssh-8.8p1.orig/servconf.h
+++ openssh-8.8p1/servconf.h +++ openssh-8.8p1/servconf.h
@@ -200,6 +200,7 @@ typedef struct { @@ -200,6 +200,7 @@ typedef struct {
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */ int use_pam; /* Enable auth via PAM */
char *pam_service_name;
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */ + int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
int permit_tun; int permit_tun;

View File

@ -61,7 +61,7 @@ Index: openssh-8.8p1/sshd.c
+ +
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
#include "ssh2.h" #include "sshpty.h"
@@ -308,6 +312,10 @@ sighup_handler(int sig) @@ -308,6 +312,10 @@ sighup_handler(int sig)
static void static void
sighup_restart(void) sighup_restart(void)
@ -84,4 +84,4 @@ Index: openssh-8.8p1/sshd.c
+ +
/* Accept a connection and return in a forked child */ /* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out, server_accept_loop(&sock_in, &sock_out,
&newsock, config_s); &newsock, config_s, log_stderr);

View File

@ -1,8 +1,7 @@
Index: openssh-9.6p1/auth2.c diff -up openssh/auth2.c.role-mls openssh/auth2.c
=================================================================== --- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth2.c +++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
+++ openssh-9.6p1/auth2.c @@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ssh->authctxt; Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
char *user = NULL, *service = NULL, *method = NULL, *style = NULL; char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
@ -12,7 +11,7 @@ Index: openssh-9.6p1/auth2.c
int r, authenticated = 0; int r, authenticated = 0;
double tstart = monotime_double(); double tstart = monotime_double();
@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32 @@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method); debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -24,36 +23,32 @@ Index: openssh-9.6p1/auth2.c
if ((style = strchr(user, ':')) != NULL) if ((style = strchr(user, ':')) != NULL)
*style++ = 0; *style++ = 0;
@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32 @@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : ""); setproctitle("%s [net]", authctxt->valid ? user : "unknown");
authctxt->service = xstrdup(service); authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL; authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL; + authctxt->role = role ? xstrdup(role) : NULL;
+#endif +#endif
+ if (use_privsep) {
mm_inform_authserv(service, style); mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ mm_inform_authrole(role); + mm_inform_authrole(role);
+#endif +#endif
+ }
userauth_banner(ssh); userauth_banner(ssh);
if ((r = kex_server_update_ext_info(ssh)) != 0) if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed"); fatal_fr(r, "kex_server_update_ext_info failed");
Index: openssh-9.6p1/auth2-gss.c diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
=================================================================== --- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth2-gss.c +++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
+++ openssh-9.6p1/auth2-gss.c @@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ssh->authctxt; Authctxt *authctxt = ssh->authctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
int r, authenticated = 0; int r, authenticated = 0;
+ char *micuser; + char *micuser;
struct sshbuf *b; struct sshbuf *b;
gss_buffer_desc mic, gssbuf; gss_buffer_desc mic, gssbuf;
const char *displayname; u_char *p;
@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple @@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal_f("sshbuf_new failed"); fatal_f("sshbuf_new failed");
mic.value = p; mic.value = p;
mic.length = len; mic.length = len;
@ -68,7 +63,7 @@ Index: openssh-9.6p1/auth2-gss.c
"gssapi-with-mic", ssh->kex->session_id); "gssapi-with-mic", ssh->kex->session_id);
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple @@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed"); logit("GSSAPI MIC check failed");
sshbuf_free(b); sshbuf_free(b);
@ -76,12 +71,11 @@ Index: openssh-9.6p1/auth2-gss.c
+ free(micuser); + free(micuser);
free(mic.value); free(mic.value);
if ((!use_privsep || mm_is_monitor()) && authctxt->postponed = 0;
Index: openssh-9.6p1/auth2-hostbased.c diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
=================================================================== --- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth2-hostbased.c +++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
+++ openssh-9.6p1/auth2-hostbased.c @@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
/* reconstruct packet */ /* reconstruct packet */
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 || if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
@ -98,11 +92,10 @@ Index: openssh-9.6p1/auth2-hostbased.c
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, method)) != 0 || (r = sshbuf_put_cstring(b, method)) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
Index: openssh-9.6p1/auth2-pubkey.c diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
=================================================================== --- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
--- openssh-9.6p1.orig/auth2-pubkey.c +++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
+++ openssh-9.6p1/auth2-pubkey.c @@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
goto done; goto done;
} }
/* reconstruct packet */ /* reconstruct packet */
@ -121,10 +114,9 @@ Index: openssh-9.6p1/auth2-pubkey.c
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshbuf_put_cstring(b, userstyle)) != 0 || (r = sshbuf_put_cstring(b, userstyle)) != 0 ||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
Index: openssh-9.6p1/auth.h diff -up openssh/auth.h.role-mls openssh/auth.h
=================================================================== --- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth.h +++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
+++ openssh-9.6p1/auth.h
@@ -65,6 +65,9 @@ struct Authctxt { @@ -65,6 +65,9 @@ struct Authctxt {
char *service; char *service;
struct passwd *pw; /* set if 'valid' */ struct passwd *pw; /* set if 'valid' */
@ -135,11 +127,10 @@ Index: openssh-9.6p1/auth.h
/* Method lists for multiple authentication */ /* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */ char **auth_methods; /* modified from server config */
Index: openssh-9.6p1/auth-pam.c diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
=================================================================== --- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth-pam.c +++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
+++ openssh-9.6p1/auth-pam.c @@ -1172,7 +1172,7 @@ is_pam_session_open(void)
@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
* during the ssh authentication process. * during the ssh authentication process.
*/ */
int int
@ -148,24 +139,22 @@ Index: openssh-9.6p1/auth-pam.c
{ {
int ret = 1; int ret = 1;
char *compound; char *compound;
Index: openssh-9.6p1/auth-pam.h diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
=================================================================== --- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth-pam.h +++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
+++ openssh-9.6p1/auth-pam.h
@@ -33,7 +33,7 @@ u_int do_pam_account(void); @@ -33,7 +33,7 @@ u_int do_pam_account(void);
void do_pam_session(struct ssh *); void do_pam_session(struct ssh *);
void do_pam_setcred(int ); void do_pam_setcred(void);
void do_pam_chauthtok(void); void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *); -int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *); +int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void); char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void); char ** fetch_pam_child_environment(void);
void free_pam_environment(char **); void free_pam_environment(char **);
Index: openssh-9.6p1/misc.c diff -up openssh/misc.c.role-mls openssh/misc.c
=================================================================== --- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/misc.c +++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
+++ openssh-9.6p1/misc.c @@ -542,6 +542,7 @@ char *
@@ -771,6 +771,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
int flag = 0; int flag = 0;
@ -173,7 +162,7 @@ Index: openssh-9.6p1/misc.c
if (*cp == ':') /* Leading colon is part of file name. */ if (*cp == ':') /* Leading colon is part of file name. */
return NULL; return NULL;
@@ -786,6 +787,13 @@ colon(char *cp) @@ -557,6 +558,13 @@ colon(char *cp)
return (cp); return (cp);
if (*cp == '/') if (*cp == '/')
return NULL; return NULL;
@ -187,11 +176,10 @@ Index: openssh-9.6p1/misc.c
} }
return NULL; return NULL;
} }
Index: openssh-9.6p1/monitor.c diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
=================================================================== --- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
--- openssh-9.6p1.orig/monitor.c +++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
+++ openssh-9.6p1/monitor.c @@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *); int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@ -201,7 +189,7 @@ Index: openssh-9.6p1/monitor.c
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[] @@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -211,7 +199,7 @@ Index: openssh-9.6p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in @@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -221,7 +209,7 @@ Index: openssh-9.6p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM #ifdef USE_PAM
@@ -908,6 +917,26 @@ key_base_type_match(const char *method, @@ -877,6 +886,26 @@ key_base_type_match(const char *method,
return found; return found;
} }
@ -248,7 +236,7 @@ Index: openssh-9.6p1/monitor.c
int int
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{ {
@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh, @@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
struct sshbuf *b; struct sshbuf *b;
struct sshkey *hostkey = NULL; struct sshkey *hostkey = NULL;
const u_char *p; const u_char *p;
@ -257,7 +245,7 @@ Index: openssh-9.6p1/monitor.c
size_t len; size_t len;
u_char type; u_char type;
int hostbound = 0, r, fail = 0; int hostbound = 0, r, fail = 0;
@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh, @@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal_fr(r, "parse userstyle"); fatal_fr(r, "parse userstyle");
@ -266,7 +254,7 @@ Index: openssh-9.6p1/monitor.c
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char @@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
{ {
struct sshbuf *b; struct sshbuf *b;
const u_char *p; const u_char *p;
@ -275,7 +263,7 @@ Index: openssh-9.6p1/monitor.c
size_t len; size_t len;
int r, fail = 0; int r, fail = 0;
u_char type; u_char type;
@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char @@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal_fr(r, "parse userstyle"); fatal_fr(r, "parse userstyle");
@ -284,10 +272,9 @@ Index: openssh-9.6p1/monitor.c
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
Index: openssh-9.6p1/monitor.h diff -up openssh/monitor.h.role-mls openssh/monitor.h
=================================================================== --- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/monitor.h +++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
+++ openssh-9.6p1/monitor.h
@@ -55,6 +55,10 @@ enum monitor_reqtype { @@ -55,6 +55,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50, MONITOR_REQ_TERM = 50,
@ -299,11 +286,10 @@ Index: openssh-9.6p1/monitor.h
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
Index: openssh-9.6p1/monitor_wrap.c diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
=================================================================== --- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
--- openssh-9.6p1.orig/monitor_wrap.c +++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
+++ openssh-9.6p1/monitor_wrap.c @@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
sshbuf_free(m); sshbuf_free(m);
} }
@ -331,11 +317,10 @@ Index: openssh-9.6p1/monitor_wrap.c
/* Do the password authentication */ /* Do the password authentication */
int int
mm_auth_password(struct ssh *ssh, char *password) mm_auth_password(struct ssh *ssh, char *password)
Index: openssh-9.6p1/monitor_wrap.h diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
=================================================================== --- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
--- openssh-9.6p1.orig/monitor_wrap.h +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
+++ openssh-9.6p1/monitor_wrap.h @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
const u_char *, size_t, const char *, const char *, const u_char *, size_t, const char *, const char *,
const char *, u_int compat); const char *, u_int compat);
void mm_inform_authserv(char *, char *); void mm_inform_authserv(char *, char *);
@ -345,11 +330,10 @@ Index: openssh-9.6p1/monitor_wrap.h
struct passwd *mm_getpwnamallow(struct ssh *, const char *); struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *); int mm_auth_password(struct ssh *, char *);
Index: openssh-9.6p1/openbsd-compat/Makefile.in diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
=================================================================== --- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/openbsd-compat/Makefile.in +++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
+++ openssh-9.6p1/openbsd-compat/Makefile.in @@ -92,7 +92,8 @@ PORTS= port-aix.o \
@@ -100,7 +100,8 @@ PORTS= port-aix.o \
port-prngd.o \ port-prngd.o \
port-solaris.o \ port-solaris.o \
port-net.o \ port-net.o \
@ -359,11 +343,10 @@ Index: openssh-9.6p1/openbsd-compat/Makefile.in
.c.o: .c.o:
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< $(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
Index: openssh-9.6p1/openbsd-compat/port-linux.c diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
=================================================================== --- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/openbsd-compat/port-linux.c +++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
+++ openssh-9.6p1/openbsd-compat/port-linux.c @@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
return sc; return sc;
} }
@ -401,7 +384,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.c
/* Set the TTY context for the specified user */ /* Set the TTY context for the specified user */
void void
ssh_selinux_setup_pty(char *pwname, const char *tty) ssh_selinux_setup_pty(char *pwname, const char *tty)
@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons @@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty); debug3("%s: setting TTY context on %s", __func__, tty);
@ -414,10 +397,9 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.c
/* XXX: should these calls fatal() upon failure in enforcing mode? */ /* XXX: should these calls fatal() upon failure in enforcing mode? */
Index: openssh-9.6p1/openbsd-compat/port-linux.h diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
=================================================================== --- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h +++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
+++ openssh-9.6p1/openbsd-compat/port-linux.h
@@ -20,9 +20,10 @@ @@ -20,9 +20,10 @@
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
int ssh_selinux_enabled(void); int ssh_selinux_enabled(void);
@ -430,11 +412,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.h
#endif #endif
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
=================================================================== --- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
--- /dev/null +++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c @@ -0,0 +1,420 @@
@@ -0,0 +1,421 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -488,7 +469,6 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
+extern ServerOptions options; +extern ServerOptions options;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag;
+ +
+/* Send audit message */ +/* Send audit message */
+static int +static int
@ -694,7 +674,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
+ +
+ if (r == 0) { + if (r == 0) {
+ /* If launched from xinetd, we must use current level */ + /* If launched from xinetd, we must use current level */
+ if (inetd_flag && !rexeced_flag) { + if (inetd_flag) {
+ security_context_t sshdsc=NULL; + security_context_t sshdsc=NULL;
+ +
+ if (getcon_raw(&sshdsc) < 0) + if (getcon_raw(&sshdsc) < 0)
@ -768,7 +748,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
+ +
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); + rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ +
+ if (inetd_flag && !rexeced_flag) { + if (inetd_flag) {
+ use_current = "1"; + use_current = "1";
+ } else { + } else {
+ use_current = ""; + use_current = "";
@ -856,11 +836,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
+#endif +#endif
+#endif +#endif
+ +
Index: openssh-9.6p1/platform.c diff -up openssh/platform.c.role-mls openssh/platform.c
=================================================================== --- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/platform.c +++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
+++ openssh-9.6p1/platform.c @@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
} }
#endif /* HAVE_SETPCRED */ #endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
@ -869,11 +848,10 @@ Index: openssh-9.6p1/platform.c
#endif #endif
} }
Index: openssh-9.6p1/sshd.c diff -up openssh/sshd.c.role-mls openssh/sshd.c
=================================================================== --- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/sshd.c +++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200
+++ openssh-9.6p1/sshd.c @@ -2186,6 +2186,9 @@ main(int ac, char **av)
@@ -2387,6 +2387,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif
@ -882,4 +860,4 @@ Index: openssh-9.6p1/sshd.c
+#endif +#endif
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
do_pam_setcred(1); do_pam_setcred();

File diff suppressed because it is too large Load Diff

View File

@ -236,7 +236,7 @@ Index: openssh-8.9p1/audit-linux.c
/* Below is the sshd audit API code */ /* Below is the sshd audit API code */
void void
@@ -76,49 +176,210 @@ audit_connection_from(const char *host, @@ -76,49 +176,211 @@ audit_connection_from(const char *host,
/* not implemented */ /* not implemented */
} }
@ -315,6 +315,7 @@ Index: openssh-8.9p1/audit-linux.c
case SSH_AUTH_FAIL_PASSWD: case SSH_AUTH_FAIL_PASSWD:
+ if (options.use_pam) + if (options.use_pam)
+ break; + break;
+ /* Fallthrough */
+ case SSH_LOGIN_EXCEED_MAXTRIES: + case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_AUTH_FAIL_KBDINT: case SSH_AUTH_FAIL_KBDINT:
case SSH_AUTH_FAIL_PUBKEY: case SSH_AUTH_FAIL_PUBKEY:
@ -451,7 +452,7 @@ Index: openssh-8.9p1/audit-linux.c
+ } + }
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, + audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
+ buf, NULL, + buf, NULL,
+ listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh), + ssh_remote_ipaddr(ssh), /*FIXME listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh) */
+ NULL, 1); + NULL, 1);
+ audit_close(audit_fd); + audit_close(audit_fd);
+ /* do not abort if the error is EPERM and sshd is run as non root user */ + /* do not abort if the error is EPERM and sshd is run as non root user */
@ -518,19 +519,19 @@ Index: openssh-8.9p1/audit.c
+void +void
+audit_unsupported(struct ssh *ssh, int what) +audit_unsupported(struct ssh *ssh, int what)
+{ +{
+ PRIVSEP(audit_unsupported_body(ssh, what)); + mm_audit_unsupported_body(ssh, what);
+} +}
+ +
+void +void
+audit_kex(struct ssh *ssh, int ctos, char *enc, char *mac, char *comp, char *pfs) +audit_kex(struct ssh *ssh, int ctos, char *enc, char *mac, char *comp, char *pfs)
+{ +{
+ PRIVSEP(audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid())); + mm_audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid());
+} +}
+ +
+void +void
+audit_session_key_free(struct ssh *ssh, int ctos) +audit_session_key_free(struct ssh *ssh, int ctos)
+{ +{
+ PRIVSEP(audit_session_key_free_body(ssh, ctos, getpid(), getuid())); + mm_audit_session_key_free_body(ssh, ctos, getpid(), getuid());
+} +}
+ +
# ifndef CUSTOM_SSH_AUDIT_EVENTS # ifndef CUSTOM_SSH_AUDIT_EVENTS
@ -778,18 +779,18 @@ Index: openssh-8.9p1/auth.h
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
/* Key / cert options linkage to auth layer */ /* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *); int auth_activate_options(struct ssh *, struct sshauthopt *);
Index: openssh-8.9p1/auth2-hostbased.c Index: openssh-8.9p1/auth2-hostbased.c
=================================================================== ===================================================================
--- openssh-8.9p1.orig/auth2-hostbased.c --- openssh-8.9p1.orig/auth2-hostbased.c
+++ openssh-8.9p1/auth2-hostbased.c +++ openssh-8.9p1/auth2-hostbased.c
@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh, cons @@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh, cons
authenticated = 0; authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser, if (mm_hostbased_key_allowed(ssh, authctxt->pw, cuser,
chost, key)) && chost, key) &&
- PRIVSEP(sshkey_verify(key, sig, slen, - mm_sshkey_verify(key, sig, slen,
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen, + mm_hostbased_key_verify(ssh, key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0) sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0)
authenticated = 1; authenticated = 1;
@@ -166,6 +166,19 @@ done: @@ -166,6 +166,19 @@ done:
@ -819,12 +820,12 @@ Index: openssh-8.9p1/auth2-pubkey.c
@@ -223,7 +223,7 @@ userauth_pubkey(struct ssh *ssh, const c @@ -223,7 +223,7 @@ userauth_pubkey(struct ssh *ssh, const c
/* test for correct signature */ /* test for correct signature */
authenticated = 0; authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && if (mm_user_key_allowed(ssh, pw, key, 1, &authopts) &&
- PRIVSEP(sshkey_verify(key, sig, slen, - mm_sshkey_verify(key, sig, slen,
+ PRIVSEP(user_key_verify(ssh, key, sig, slen, + mm_user_key_verify(ssh, key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat, &sig_details)) == 0) { ssh->compat, &sig_details) == 0) {
@@ -316,6 +316,19 @@ done: @@ -316,6 +316,19 @@ done:
return authenticated; return authenticated;
} }
@ -854,7 +855,7 @@ Index: openssh-8.9p1/auth2.c
/* Invalid user, fake password information */ /* Invalid user, fake password information */
authctxt->pw = fakepw(); authctxt->pw = fakepw();
-#ifdef SSH_AUDIT_EVENTS -#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); - mm_audit_event(ssh, SSH_INVALID_USER);
-#endif -#endif
} }
#ifdef USE_PAM #ifdef USE_PAM
@ -939,8 +940,8 @@ Index: openssh-8.9p1/kex.c
#include "xmalloc.h" #include "xmalloc.h"
+#include "audit.h" +#include "audit.h"
#ifdef GSSAPI /* prototype */
#include "ssh-gss.h" static int kex_choose_conf(struct ssh *, uint32_t seq);
@@ -879,12 +880,16 @@ kex_start_rekex(struct ssh *ssh) @@ -879,12 +880,16 @@ kex_start_rekex(struct ssh *ssh)
} }
@ -1124,7 +1125,7 @@ Index: openssh-8.9p1/monitor.c
extern struct sshbuf *loginmsg; extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
+extern void destroy_sensitive_data(struct ssh *, int); +extern void destroy_sensitive_data(struct ssh *);
+ +
/* State exported from the child */ /* State exported from the child */
static struct sshbuf *child_state; static struct sshbuf *child_state;
@ -1257,7 +1258,7 @@ Index: openssh-8.9p1/monitor.c
sshpam_cleanup(); sshpam_cleanup();
#endif #endif
+ destroy_sensitive_data(ssh, 0); + destroy_sensitive_data(ssh);
+ +
while (waitpid(pmonitor->m_pid, &status, 0) == -1) while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR) if (errno != EINTR)
@ -1301,12 +1302,12 @@ Index: openssh-8.9p1/monitor.c
+ debug3("%s entering", __func__); + debug3("%s entering", __func__);
+ if ((r = sshbuf_get_u32(m, &handle)) != 0 || + if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
+ (r = sshbuf_get_string(m, &cmd, &len)) != 0) + (r = sshbuf_get_string(m, &cmd, &len)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ s = session_by_id(handle); + s = session_by_id(handle);
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL || + if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
+ strcmp(s->command, cmd) != 0) + strcmp(s->command, cmd) != 0)
+ fatal("%s: invalid handle", __func__); + fatal_f("invalid handle");
+ mm_session_close(ssh, s); + mm_session_close(ssh, s);
free(cmd); free(cmd);
return (0); return (0);
@ -1349,7 +1350,7 @@ Index: openssh-8.9p1/monitor.c
+ int what, r; + int what, r;
+ +
+ if ((r = sshbuf_get_u32(m, &what)) != 0) + if ((r = sshbuf_get_u32(m, &what)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ audit_unsupported_body(ssh, what); + audit_unsupported_body(ssh, what);
+ +
@ -1374,10 +1375,10 @@ Index: openssh-8.9p1/monitor.c
+ (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
+ (r = sshbuf_get_u64(m, &tmp)) != 0) + (r = sshbuf_get_u64(m, &tmp)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ pid = (pid_t) tmp; + pid = (pid_t) tmp;
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0) + if ((r = sshbuf_get_u64(m, &tmp)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ uid = (pid_t) tmp; + uid = (pid_t) tmp;
+ +
+ audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid); + audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
@ -1402,10 +1403,10 @@ Index: openssh-8.9p1/monitor.c
+ +
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 || + if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
+ (r = sshbuf_get_u64(m, &tmp)) != 0) + (r = sshbuf_get_u64(m, &tmp)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ pid = (pid_t) tmp; + pid = (pid_t) tmp;
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0) + if ((r = sshbuf_get_u64(m, &tmp)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ uid = (uid_t) tmp; + uid = (uid_t) tmp;
+ +
+ audit_session_key_free_body(ssh, ctos, pid, uid); + audit_session_key_free_body(ssh, ctos, pid, uid);
@ -1427,10 +1428,10 @@ Index: openssh-8.9p1/monitor.c
+ +
+ if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 || + if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
+ (r = sshbuf_get_u64(m, &tmp)) != 0) + (r = sshbuf_get_u64(m, &tmp)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ pid = (pid_t) tmp; + pid = (pid_t) tmp;
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0) + if ((r = sshbuf_get_u64(m, &tmp)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ uid = (uid_t) tmp; + uid = (uid_t) tmp;
+ +
+ audit_destroy_sensitive_data(ssh, fp, pid, uid); + audit_destroy_sensitive_data(ssh, fp, pid, uid);
@ -1526,7 +1527,7 @@ Index: openssh-8.9p1/monitor_wrap.c
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
+ +
+ if ((r = sshbuf_get_u32(m, &handle)) != 0) + if ((r = sshbuf_get_u32(m, &handle)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ sshbuf_free(m); + sshbuf_free(m);
+ +
+ return (handle); + return (handle);
@ -1541,19 +1542,19 @@ Index: openssh-8.9p1/monitor_wrap.c
+ debug3("%s entering command %s", __func__, command); + debug3("%s entering command %s", __func__, command);
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_u32(m, handle)) != 0 || + if ((r = sshbuf_put_u32(m, handle)) != 0 ||
+ (r = sshbuf_put_cstring(m, command)) != 0) + (r = sshbuf_put_cstring(m, command)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
sshbuf_free(m); sshbuf_free(m);
} }
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
@@ -1074,3 +1114,130 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc @@ -1217,3 +1257,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
return &ci;
} }
#endif /* GSSAPI */
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+void +void
+mm_audit_unsupported_body(struct ssh *ssh, int what) +mm_audit_unsupported_body(struct ssh *ssh, int what)
@ -1562,9 +1563,9 @@ Index: openssh-8.9p1/monitor_wrap.c
+ struct sshbuf *m; + struct sshbuf *m;
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_u32(m, what)) != 0) + if ((r = sshbuf_put_u32(m, what)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED, + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -1581,7 +1582,7 @@ Index: openssh-8.9p1/monitor_wrap.c
+ struct sshbuf *m; + struct sshbuf *m;
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 || + if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
+ (r = sshbuf_put_cstring(m, cipher)) != 0 || + (r = sshbuf_put_cstring(m, cipher)) != 0 ||
+ (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 || + (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
@ -1589,7 +1590,7 @@ Index: openssh-8.9p1/monitor_wrap.c
+ (r = sshbuf_put_cstring(m, fps)) != 0 || + (r = sshbuf_put_cstring(m, fps)) != 0 ||
+ (r = sshbuf_put_u64(m, pid)) != 0 || + (r = sshbuf_put_u64(m, pid)) != 0 ||
+ (r = sshbuf_put_u64(m, uid)) != 0) + (r = sshbuf_put_u64(m, uid)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX, + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
@ -1605,11 +1606,11 @@ Index: openssh-8.9p1/monitor_wrap.c
+ struct sshbuf *m; + struct sshbuf *m;
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 || + if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
+ (r = sshbuf_put_u64(m, pid)) != 0 || + (r = sshbuf_put_u64(m, pid)) != 0 ||
+ (r = sshbuf_put_u64(m, uid)) != 0) + (r = sshbuf_put_u64(m, uid)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
@ -1624,62 +1625,15 @@ Index: openssh-8.9p1/monitor_wrap.c
+ struct sshbuf *m; + struct sshbuf *m;
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_cstring(m, fp)) != 0 || + if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
+ (r = sshbuf_put_u64(m, pid)) != 0 || + (r = sshbuf_put_u64(m, pid)) != 0 ||
+ (r = sshbuf_put_u64(m, uid)) != 0) + (r = sshbuf_put_u64(m, uid)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
+ sshbuf_free(m); + sshbuf_free(m);
+} +}
+
+int mm_forward_audit_messages(int fdin)
+{
+ u_char buf[4];
+ u_int blen, msg_len;
+ struct sshbuf *m;
+ int ret = 0;
+
+ debug3("%s: entering", __func__);
+ m = sshbuf_new();
+ do {
+ int r;
+
+ blen = atomicio(read, fdin, buf, sizeof(buf));
+ if (blen == 0) /* closed pipe */
+ break;
+ if (blen != sizeof(buf)) {
+ error("%s: Failed to read the buffer from child", __func__);
+ ret = -1;
+ break;
+ }
+
+ msg_len = get_u32(buf);
+ if (msg_len > 256 * 1024)
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
+ sshbuf_reset(m);
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to read the the buffer conent from the child", __func__);
+ ret = -1;
+ break;
+ }
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to write the messag to the monitor", __func__);
+ ret = -1;
+ break;
+ }
+ } while (1);
+ sshbuf_free(m);
+ return ret;
+}
+void mm_set_monitor_pipe(int fd)
+{
+ pmonitor->m_recvfd = fd;
+}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
Index: openssh-8.9p1/monitor_wrap.h Index: openssh-8.9p1/monitor_wrap.h
=================================================================== ===================================================================
@ -1695,8 +1649,8 @@ Index: openssh-8.9p1/monitor_wrap.h
+int mm_user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, +int mm_user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
#ifdef GSSAPI void mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m);
@@ -83,7 +85,14 @@ void mm_sshpam_free_ctx(void *); @@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
#include "audit.h" #include "audit.h"
void mm_audit_event(struct ssh *, ssh_audit_event_t); void mm_audit_event(struct ssh *, ssh_audit_event_t);
@ -1707,8 +1661,6 @@ Index: openssh-8.9p1/monitor_wrap.h
+void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t); +void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t);
+void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t); +void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
+void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t); +void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
+int mm_forward_audit_messages(int);
+void mm_set_monitor_pipe(int);
#endif #endif
struct Session; struct Session;
@ -1738,12 +1690,7 @@ Index: openssh-8.9p1/packet.c
/* /*
* Returns the IP-address of the remote host as a string. The returned * Returns the IP-address of the remote host as a string. The returned
* string must not be freed. * string must not be freed.
@@ -579,26 +587,23 @@ ssh_packet_rdomain_in(struct ssh *ssh) @@ -579,22 +587,19 @@ ssh_packet_rdomain_in(struct ssh *ssh)
/* Closes the connection and clears and frees internal data structures. */
static void
-ssh_packet_close_internal(struct ssh *ssh, int do_close)
+ssh_packet_close_internal(struct ssh *ssh, int do_close, int do_audit)
{ {
struct session_state *state = ssh->state; struct session_state *state = ssh->state;
u_int mode; u_int mode;
@ -1775,7 +1722,7 @@ Index: openssh-8.9p1/packet.c
#endif /* WITH_ZLIB */ #endif /* WITH_ZLIB */
cipher_free(state->send_context); cipher_free(state->send_context);
cipher_free(state->receive_context); cipher_free(state->receive_context);
+ if (do_audit && had_keys && state->server_side) { + if (had_keys && state->server_side) {
+ /* Assuming this is called only from privsep child */ + /* Assuming this is called only from privsep child */
+ audit_session_key_free(ssh, MODE_MAX); + audit_session_key_free(ssh, MODE_MAX);
+ } + }
@ -1790,28 +1737,6 @@ Index: openssh-8.9p1/packet.c
free(ssh->local_ipaddr); free(ssh->local_ipaddr);
ssh->local_ipaddr = NULL; ssh->local_ipaddr = NULL;
free(ssh->remote_ipaddr); free(ssh->remote_ipaddr);
@@ -650,13 +665,19 @@ ssh_packet_close_internal(struct ssh *ss
void
ssh_packet_close(struct ssh *ssh)
{
- ssh_packet_close_internal(ssh, 1);
+ ssh_packet_close_internal(ssh, 1, 1);
}
void
ssh_packet_clear_keys(struct ssh *ssh)
{
- ssh_packet_close_internal(ssh, 0);
+ ssh_packet_close_internal(ssh, 0, 1);
+}
+
+void
+ssh_packet_clear_keys_noaudit(struct ssh *ssh)
+{
+ ssh_packet_close_internal(ssh, 0, 0);
}
/* Sets remote side protocol flags. */
@@ -892,6 +913,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod @@ -892,6 +913,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
(unsigned long long)state->p_send.bytes, (unsigned long long)state->p_send.bytes,
(unsigned long long)state->p_send.blocks); (unsigned long long)state->p_send.blocks);
@ -1820,7 +1745,7 @@ Index: openssh-8.9p1/packet.c
state->newkeys[mode] = NULL; state->newkeys[mode] = NULL;
} }
/* note that both bytes and the seqnr are not reset */ /* note that both bytes and the seqnr are not reset */
@@ -2183,6 +2205,73 @@ ssh_packet_get_output(struct ssh *ssh) @@ -2183,6 +2205,72 @@ ssh_packet_get_output(struct ssh *ssh)
return (void *)ssh->state->output; return (void *)ssh->state->output;
} }
@ -1850,9 +1775,8 @@ Index: openssh-8.9p1/packet.c
+ return; + return;
+ +
+ cipher_free(state->receive_context); + cipher_free(state->receive_context);
+ state->receive_context = NULL;
+ cipher_free(state->send_context); + cipher_free(state->send_context);
+ state->send_context = NULL; + state->send_context = state->receive_context = NULL;
+ +
+ sshbuf_free(state->input); + sshbuf_free(state->input);
+ state->input = NULL; + state->input = NULL;
@ -1898,14 +1822,6 @@ Index: openssh-8.9p1/packet.h
=================================================================== ===================================================================
--- openssh-8.9p1.orig/packet.h --- openssh-8.9p1.orig/packet.h
+++ openssh-8.9p1/packet.h +++ openssh-8.9p1/packet.h
@@ -102,6 +102,7 @@ int ssh_packet_get_connection_out(s
void ssh_packet_close(struct ssh *);
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
void ssh_packet_clear_keys(struct ssh *);
+void ssh_packet_clear_keys_noaudit(struct ssh *);
void ssh_clear_newkeys(struct ssh *, int);
int ssh_packet_is_rekeying(struct ssh *);
@@ -220,4 +221,5 @@ const u_char *sshpkt_ptr(struct ssh *, s @@ -220,4 +221,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
# undef EC_POINT # undef EC_POINT
#endif #endif
@ -1921,22 +1837,11 @@ Index: openssh-8.9p1/session.c
extern u_int utmp_len; extern u_int utmp_len;
extern int startup_pipe; extern int startup_pipe;
-extern void destroy_sensitive_data(void); -extern void destroy_sensitive_data(void);
+extern void destroy_sensitive_data(struct ssh *, int); +extern void destroy_sensitive_data(struct ssh *);
extern struct sshbuf *loginmsg; extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; extern struct sshauthopt *auth_opts;
extern char *tun_fwd_ifnames; /* serverloop.c */ extern char *tun_fwd_ifnames; /* serverloop.c */
@@ -157,6 +157,10 @@ static Session *sessions = NULL; @@ -644,6 +644,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
login_cap_t *lc;
#endif
+#ifdef SSH_AUDIT_EVENTS
+int paudit[2];
+#endif
+
static int is_child = 0;
static int in_chroot = 0;
@@ -642,6 +646,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
/* Parent. Close the slave side of the pseudo tty. */ /* Parent. Close the slave side of the pseudo tty. */
close(ttyfd); close(ttyfd);
@ -1951,85 +1856,42 @@ Index: openssh-8.9p1/session.c
/* Enter interactive session. */ /* Enter interactive session. */
s->ptymaster = ptymaster; s->ptymaster = ptymaster;
ssh_packet_set_interactive(ssh, 1, ssh_packet_set_interactive(ssh, 1,
@@ -706,15 +718,21 @@ do_exec(struct ssh *ssh, Session *s, con @@ -736,15 +744,19 @@ do_exec(struct ssh *ssh, Session *s, con
s->self); s->self);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
+ if (s->command != NULL || s->command_handle != -1) + if (s->command != NULL || s->command_handle != -1)
+ fatal("do_exec: command already set"); + fatal("do_exec: command already set");
if (command != NULL) if (command != NULL)
- PRIVSEP(audit_run_command(command)); - mm_audit_run_command(command);
+ s->command = xstrdup(command); + s->command = xstrdup(command);
else if (s->ttyfd == -1) { else if (s->ttyfd == -1) {
char *shell = s->pw->pw_shell; char *shell = s->pw->pw_shell;
if (shell[0] == '\0') /* empty shell means /bin/sh */ if (shell[0] == '\0') /* empty shell means /bin/sh */
shell =_PATH_BSHELL; shell =_PATH_BSHELL;
- PRIVSEP(audit_run_command(shell)); - mm_audit_run_command(shell);
+ s->command = xstrdup(shell); + s->command = xstrdup(shell);
} }
+ if (s->command != NULL && s->ptyfd == -1) + if (s->command != NULL && s->ptyfd == -1)
+ s->command_handle = PRIVSEP(audit_run_command(ssh, s->command)); + s->command_handle = mm_audit_run_command(ssh, s->command);
+ if (pipe(paudit) < 0)
+ fatal("pipe: %s", strerror(errno));
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command); ret = do_exec_pty(ssh, s, command);
@@ -730,6 +748,20 @@ do_exec(struct ssh *ssh, Session *s, con @@ -1550,8 +1562,11 @@ do_child(struct ssh *ssh, Session *s, co
*/
sshbuf_reset(loginmsg);
+#ifdef SSH_AUDIT_EVENTS
+ close(paudit[1]);
+ if (use_privsep && ret == 0) {
+ /*
+ * Read the audit messages from forked child and send them
+ * back to monitor. We don't want to communicate directly,
+ * because the messages might get mixed up.
+ * Continue after the pipe gets closed (all messages sent).
+ */
+ ret = mm_forward_audit_messages(paudit[0]);
+ }
+ close(paudit[0]);
+#endif /* SSH_AUDIT_EVENTS */
+
return ret;
}
@@ -1530,11 +1562,30 @@ do_child(struct ssh *ssh, Session *s, co
int env_size;
int r = 0;
+#ifdef SSH_AUDIT_EVENTS
+ int pparent = paudit[1];
+ close(paudit[0]);
+ /* Hack the monitor pipe to avoid race condition with parent */
+ if (use_privsep)
+ mm_set_monitor_pipe(pparent);
+#endif
+
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
- destroy_sensitive_data(); - destroy_sensitive_data();
- ssh_packet_clear_keys(ssh); + destroy_sensitive_data(ssh);
+ destroy_sensitive_data(ssh, use_privsep); ssh_packet_clear_keys(ssh);
+ ssh_packet_clear_keys_noaudit(ssh); + /* Don't audit this - both us and the parent would be talking to the
+ /* + monitor over a single socket, with no synchronization. */
+ * We can audit this, because we hacked the pipe to direct the
+ * messages over postauth child. But this message requires an answer
+ * which we can't do using a one-way pipe.
+ */
+ packet_destroy_all(ssh, 0, 1); + packet_destroy_all(ssh, 0, 1);
+
+#ifdef SSH_AUDIT_EVENTS
+ /* Notify parent that we are done */
+ close(pparent);
+#endif
/* Force a password change */ /* Force a password change */
if (s->authctxt->force_pwchange) { if (s->authctxt->force_pwchange) {
@@ -1743,6 +1794,9 @@ session_unused(int id) @@ -1763,6 +1778,9 @@ session_unused(int id)
sessions[id].ttyfd = -1; sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1; sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL; sessions[id].x11_chanids = NULL;
@ -2039,7 +1901,7 @@ Index: openssh-8.9p1/session.c
sessions[id].next_unused = sessions_first_unused; sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id; sessions_first_unused = id;
} }
@@ -1822,6 +1876,19 @@ session_open(Authctxt *authctxt, int cha @@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
} }
Session * Session *
@ -2050,7 +1912,7 @@ Index: openssh-8.9p1/session.c
+ if (s->used) + if (s->used)
+ return s; + return s;
+ } + }
+ debug("%s: unknown id %d", __func__, id); + debug_f("unknown id %d", id);
+ session_dump(); + session_dump();
+ return NULL; + return NULL;
+} +}
@ -2059,7 +1921,7 @@ Index: openssh-8.9p1/session.c
session_by_tty(char *tty) session_by_tty(char *tty)
{ {
int i; int i;
@@ -2429,6 +2496,32 @@ session_exit_message(struct ssh *ssh, Se @@ -2450,6 +2481,32 @@ session_exit_message(struct ssh *ssh, Se
chan_write_failed(ssh, c); chan_write_failed(ssh, c);
} }
@ -2081,7 +1943,7 @@ Index: openssh-8.9p1/session.c
+{ +{
+ if (s->command != NULL) { + if (s->command != NULL) {
+ if (s->command_handle != -1) + if (s->command_handle != -1)
+ PRIVSEP(audit_end_command(ssh, s->command_handle, s->command)); + mm_audit_end_command(ssh, s->command_handle, s->command);
+ free(s->command); + free(s->command);
+ s->command = NULL; + s->command = NULL;
+ s->command_handle = -1; + s->command_handle = -1;
@ -2092,7 +1954,7 @@ Index: openssh-8.9p1/session.c
void void
session_close(struct ssh *ssh, Session *s) session_close(struct ssh *ssh, Session *s)
{ {
@@ -2470,6 +2563,10 @@ session_close(struct ssh *ssh, Session * @@ -2463,6 +2520,10 @@ session_close(struct ssh *ssh, Session *
if (s->ttyfd != -1) if (s->ttyfd != -1)
session_pty_cleanup(s); session_pty_cleanup(s);
@ -2103,7 +1965,7 @@ Index: openssh-8.9p1/session.c
free(s->term); free(s->term);
free(s->display); free(s->display);
free(s->x11_chanids); free(s->x11_chanids);
@@ -2544,14 +2641,14 @@ session_close_by_channel(struct ssh *ssh @@ -2537,14 +2598,14 @@ session_close_by_channel(struct ssh *ssh
} }
void void
@ -2120,7 +1982,7 @@ Index: openssh-8.9p1/session.c
else else
session_close(ssh, s); session_close(ssh, s);
} }
@@ -2677,6 +2774,15 @@ do_authenticated2(struct ssh *ssh, Authc @@ -2671,6 +2732,15 @@ do_authenticated2(struct ssh *ssh, Authc
server_loop2(ssh, authctxt); server_loop2(ssh, authctxt);
} }
@ -2136,10 +1998,10 @@ Index: openssh-8.9p1/session.c
void void
do_cleanup(struct ssh *ssh, Authctxt *authctxt) do_cleanup(struct ssh *ssh, Authctxt *authctxt)
{ {
@@ -2740,7 +2846,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au @@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
* or if running in monitor. * or if running in monitor.
*/ */
if (!use_privsep || mm_is_monitor()) if (mm_is_monitor())
- session_destroy_all(ssh, session_pty_cleanup2); - session_destroy_all(ssh, session_pty_cleanup2);
+ session_destroy_all(ssh, do_cleanup_one_session); + session_destroy_all(ssh, do_cleanup_one_session);
} }
@ -2180,26 +2042,7 @@ Index: openssh-8.9p1/sshd.c
=================================================================== ===================================================================
--- openssh-8.9p1.orig/sshd.c --- openssh-8.9p1.orig/sshd.c
+++ openssh-8.9p1/sshd.c +++ openssh-8.9p1/sshd.c
@@ -125,6 +125,7 @@ @@ -219,6 +219,15 @@ close_listen_socks(void)
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "audit.h"
#include "ssh-sandbox.h"
#include "auth-options.h"
#include "version.h"
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */
-void destroy_sensitive_data(void);
-void demote_sensitive_data(void);
+void destroy_sensitive_data(struct ssh *, int);
+void demote_sensitive_data(struct ssh *);
static void do_ssh2_kex(struct ssh *);
static char *listener_proctitle;
@@ -284,6 +285,15 @@ close_listen_socks(void)
num_listen_socks = 0; num_listen_socks = 0;
} }
@ -2209,14 +2052,45 @@ Index: openssh-8.9p1/sshd.c
+ */ + */
+int listening_for_clients(void) +int listening_for_clients(void)
+{ +{
+ return num_listen_socks >= 0; + return num_listen_socks > 0;
+} +}
+ +
/* Allocate and initialise the children array */
static void static void
close_startup_pipes(void) child_alloc(void)
{ @@ -897,6 +906,7 @@ server_accept_loop(int *sock_in, int *so
@@ -382,18 +392,45 @@ grace_alarm_handler(int sig) if (received_sigterm) {
ssh_remote_port(the_active_state)); logit("Received signal %d; terminating.",
(int) received_sigterm);
+ /* destroy_sensitive_data(ssh, 0); FIXME */
close_listen_socks();
if (options.pid_file != NULL)
unlink(options.pid_file);
Index: openssh-8.9p1/sshd-session.c
===================================================================
--- openssh-8.9p1.orig/sshd-session.c
+++ openssh-8.9p1/sshd-session.c
@@ -125,6 +125,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "audit.h"
#include "ssh-sandbox.h"
#include "auth-options.h"
#include "version.h"
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
struct sshbuf *loginmsg;
/* Prototypes for various functions defined later in this file. */
-void destroy_sensitive_data(void);
-void demote_sensitive_data(void);
+void destroy_sensitive_data(struct ssh *);
+void demote_sensitive_data(struct ssh *);
static void do_ssh2_kex(struct ssh *);
/*
@@ -382,18 +383,40 @@ grace_alarm_handler(int sig)
_exit(EXIT_LOGIN_GRACE);
} }
-/* Destroy the host and server keys. They will no longer be needed. */ -/* Destroy the host and server keys. They will no longer be needed. */
@ -2226,7 +2100,7 @@ Index: openssh-8.9p1/sshd.c
+ */ + */
void void
-destroy_sensitive_data(void) -destroy_sensitive_data(void)
+destroy_sensitive_data(struct ssh *ssh, int privsep) +destroy_sensitive_data(struct ssh *ssh)
{ {
u_int i; u_int i;
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
@ -2248,12 +2122,7 @@ Index: openssh-8.9p1/sshd.c
sensitive_data.host_keys[i] = NULL; sensitive_data.host_keys[i] = NULL;
+ if (fp != NULL) { + if (fp != NULL) {
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ if (privsep) + audit_destroy_sensitive_data(ssh, fp, pid, uid);
+ PRIVSEP(audit_destroy_sensitive_data(ssh, fp,
+ pid, uid));
+ else
+ audit_destroy_sensitive_data(ssh, fp,
+ pid, uid);
+#endif +#endif
+ free(fp); + free(fp);
+ } + }
@ -2264,7 +2133,7 @@ Index: openssh-8.9p1/sshd.c
sshkey_free(sensitive_data.host_certificates[i]); sshkey_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL; sensitive_data.host_certificates[i] = NULL;
} }
@@ -402,20 +439,38 @@ destroy_sensitive_data(void) @@ -402,20 +430,38 @@ destroy_sensitive_data(void)
/* Demote private to public keys for network child */ /* Demote private to public keys for network child */
void void
@ -2304,7 +2173,7 @@ Index: openssh-8.9p1/sshd.c
} }
/* Certs do not need demotion */ /* Certs do not need demotion */
} }
@@ -443,7 +498,7 @@ reseed_prngs(void) @@ -443,7 +489,7 @@ reseed_prngs(void)
} }
static void static void
@ -2313,7 +2182,7 @@ Index: openssh-8.9p1/sshd.c
{ {
gid_t gidset[1]; gid_t gidset[1];
@@ -458,7 +513,7 @@ privsep_preauth_child(void) @@ -458,7 +504,7 @@ privsep_preauth_child(void)
reseed_prngs(); reseed_prngs();
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
@ -2322,16 +2191,16 @@ Index: openssh-8.9p1/sshd.c
/* Demote the child */ /* Demote the child */
if (privsep_chroot) { if (privsep_chroot) {
@@ -493,7 +548,7 @@ privsep_preauth(struct ssh *ssh) @@ -493,7 +539,7 @@ privsep_preauth(struct ssh *ssh)
pmonitor->m_pkex = &ssh->kex;
if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor); box = ssh_sandbox_init(pmonitor);
- pid = fork(); - pid = fork();
+ pmonitor->m_pid = pid = fork(); + pmonitor->m_pid = pid = fork();
if (pid == -1) { if (pid == -1) {
fatal("fork of unprivileged child failed"); fatal("fork of unprivileged child failed");
} else if (pid != 0) { } else if (pid != 0) {
@@ -538,7 +593,7 @@ privsep_preauth(struct ssh *ssh) @@ -538,7 +584,7 @@ privsep_preauth(struct ssh *ssh)
/* Arrange for logging to be sent to the monitor */ /* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor); set_log_handler(mm_log_handler, pmonitor);
@ -2340,7 +2209,7 @@ Index: openssh-8.9p1/sshd.c
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
if (box != NULL) if (box != NULL)
ssh_sandbox_child(box); ssh_sandbox_child(box);
@@ -582,7 +637,7 @@ privsep_postauth(struct ssh *ssh, Authct @@ -582,7 +628,7 @@ privsep_postauth(struct ssh *ssh, Authct
pmonitor->m_sendfd = -1; pmonitor->m_sendfd = -1;
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
@ -2349,43 +2218,17 @@ Index: openssh-8.9p1/sshd.c
reseed_prngs(); reseed_prngs();
@@ -1136,7 +1191,7 @@ server_listen(void) @@ -2311,6 +2358,9 @@ main(int ac, char **av)
* from this function are in a forked subprocess.
*/
static void
-server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
{
struct pollfd *pfd = NULL;
int i, j, ret, npfd;
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
+ destroy_sensitive_data(ssh, 0);
close_listen_socks();
if (options.pid_file != NULL)
unlink(options.pid_file);
@@ -2088,7 +2144,7 @@ main(int ac, char **av)
#endif
/* Accept a connection and return in a forked child */
- server_accept_loop(&sock_in, &sock_out,
+ server_accept_loop(ssh, &sock_in, &sock_out,
&newsock, config_s);
}
@@ -2311,6 +2367,9 @@ main(int ac, char **av)
do_authenticated(ssh, authctxt); do_authenticated(ssh, authctxt);
/* The connection has been terminated. */ /* The connection has been terminated. */
+ packet_destroy_all(ssh, 1, 1); + packet_destroy_all(ssh, 1, 1);
+ destroy_sensitive_data(ssh, 1); + destroy_sensitive_data(ssh);
+ +
ssh_packet_get_bytes(ssh, &ibytes, &obytes); ssh_packet_get_bytes(ssh, &ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes", verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes); (unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2491,6 +2550,15 @@ do_ssh2_kex(struct ssh *ssh) @@ -2491,6 +2541,15 @@ do_ssh2_kex(struct ssh *ssh)
void void
cleanup_exit(int i) cleanup_exit(int i)
{ {
@ -2398,24 +2241,17 @@ Index: openssh-8.9p1/sshd.c
+ if (in_cleanup) + if (in_cleanup)
+ _exit(i); + _exit(i);
+ in_cleanup = 1; + in_cleanup = 1;
extern int auth_attempted; /* monitor.c */
if (the_active_state != NULL && the_authctxt != NULL) { if (the_active_state != NULL && the_authctxt != NULL) {
do_cleanup(the_active_state, the_authctxt); @@ -2525,7 +2593,9 @@ cleanup_exit(int i)
if (use_privsep && privsep_is_preauth && _exit(EXIT_AUTH_ATTEMPTED);
@@ -2503,9 +2571,16 @@ cleanup_exit(int i)
}
}
}
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
+ if (sensitive_data.host_keys != NULL && the_active_state != NULL)
+ destroy_sensitive_data(the_active_state, is_privsep_child);
+ if (the_active_state != NULL)
+ packet_destroy_all(the_active_state, 1, is_privsep_child);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */ /* done after do_cleanup so it can cancel the PAM auth 'thread' */
- if (the_active_state != NULL && (!use_privsep || mm_is_monitor())) - if (the_active_state != NULL && mm_is_monitor())
+ if (the_active_state != NULL && + if (the_active_state != NULL &&
+ (the_authctxt == NULL || !the_authctxt->authenticated) && + (the_authctxt == NULL || !the_authctxt->authenticated) &&
+ (!use_privsep || mm_is_monitor())) + mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON); audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif #endif
_exit(i); _exit(i);

View File

@ -123,28 +123,21 @@ Index: openssh-8.9p1/sshd.c
=================================================================== ===================================================================
--- openssh-8.9p1.orig/sshd.c --- openssh-8.9p1.orig/sshd.c
+++ openssh-8.9p1/sshd.c +++ openssh-8.9p1/sshd.c
@@ -148,7 +148,7 @@ extern char *__progname; @@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
ServerOptions options;
/* Name of the server configuration file. */
-char *config_file_name = _PATH_SERVER_CONFIG_FILE;
+char *config_file_name = NULL;
/*
* Debug mode flag. This can be set on the command line. If debug
@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
int
main(int ac, char **av)
{
+ struct stat st;
struct ssh *ssh = NULL;
extern char *optarg; extern char *optarg;
extern int optind; extern int optind;
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
+ char *config_file_name = NULL;
+ struct stat st;
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
@@ -1806,7 +1807,21 @@ main(int ac, char **av) @@ -1806,7 +1807,21 @@ main(int ac, char **av)
*/ /* Fetch our configuration */
(void)atomicio(vwrite, startup_pipe, "\0", 1); if ((cfg = sshbuf_new()) == NULL)
} fatal("sshbuf_new config failed");
+ } else if (config_file_name == NULL) { + if (config_file_name == NULL) {
+ /* If only the vendor configuration file exists, use that. + /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file. + * Else use the standard configuration file.
+ */ + */
@ -157,11 +150,12 @@ Index: openssh-8.9p1/sshd.c
+ config_file_name = _PATH_SERVER_CONFIG_FILE; + config_file_name = _PATH_SERVER_CONFIG_FILE;
+ } + }
+ load_server_config(config_file_name, cfg); + load_server_config(config_file_name, cfg);
} else if (strcasecmp(config_file_name, "none") != 0) - if (strcasecmp(config_file_name, "none") != 0)
+ } else if (strcasecmp(config_file_name, "none") != 0)
+ /* load config specified on commandline */ + /* load config specified on commandline */
load_server_config(config_file_name, cfg); load_server_config(config_file_name, cfg);
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, config_file_name, cfg,
Index: openssh-8.9p1/sshd_config.5 Index: openssh-8.9p1/sshd_config.5
=================================================================== ===================================================================
--- openssh-8.9p1.orig/sshd_config.5 --- openssh-8.9p1.orig/sshd_config.5

View File

@ -84,13 +84,14 @@ Index: openssh-9.6p1/ssh_config.5
The list of key exchange algorithms that are offered for GSSAPI The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are key exchange. Possible values are
.Bd -literal -offset 3n .Bd -literal -offset 3n
@@ -991,9 +993,8 @@ gss-nistp256-sha256-, @@ -991,10 +993,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256- gss-curve25519-sha256-
.Ed .Ed
.Pp .Pp
-The default is -The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- . -.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
This option only applies to protocol version 2 connections using GSSAPI. -gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
+.Pp +.Pp
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
@ -159,7 +160,7 @@ Index: openssh-9.6p1/ssh_config.5
.It Cm HostKeyAlias .It Cm HostKeyAlias
Specifies an alias that should be used instead of the Specifies an alias that should be used instead of the
real host name when looking up or saving the host key real host name when looking up or saving the host key
@@ -1311,31 +1313,26 @@ it may be zero or more of: @@ -1311,36 +1313,30 @@ it may be zero or more of:
and and
.Cm pam . .Cm pam .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -169,8 +170,12 @@ Index: openssh-9.6p1/ssh_config.5
+existing policies with sub-policies are present in manual page +existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the available KEX (Key Exchange) algorithms. Specifies the permitted KEX (Key Exchange) algorithms that will be used and
their preference order.
The selected algorithm will the the first algorithm in this list that
the server also supports.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
.Pp
If the specified list begins with a If the specified list begins with a
.Sq + .Sq +
-character, then the specified algorithms will be appended to the default set -character, then the specified algorithms will be appended to the default set
@ -186,6 +191,7 @@ Index: openssh-9.6p1/ssh_config.5
.Sq ^ .Sq ^
character, then the specified algorithms will be placed at the head of the character, then the specified algorithms will be placed at the head of the
-default set. -default set.
-.Pp
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com, -sntrup761x25519-sha512@openssh.com,
@ -199,7 +205,7 @@ Index: openssh-9.6p1/ssh_config.5
-.Ed -.Ed
+built-in openssh default set. +built-in openssh default set.
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of supported key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .
@@ -1445,37 +1442,34 @@ function, and all code in the @@ -1445,37 +1442,34 @@ function, and all code in the
file. file.
@ -386,7 +392,7 @@ Index: openssh-9.6p1/sshd_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClientAliveCountMax .It Cm ClientAliveCountMax
@@ -764,52 +760,45 @@ For this to work @@ -764,53 +760,45 @@ For this to work
.Cm GSSAPIKeyExchange .Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client. needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
@ -415,8 +421,9 @@ Index: openssh-9.6p1/sshd_config.5
.Ed .Ed
-.Pp -.Pp
-The default is -The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- . -.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
This option only applies to protocol version 2 connections using GSSAPI. -gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms .It Cm HostbasedAcceptedAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
@ -492,7 +499,7 @@ Index: openssh-9.6p1/sshd_config.5
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms . .Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts .It Cm IgnoreRhosts
@@ -1027,20 +1006,26 @@ file on logout. @@ -1027,24 +1006,30 @@ file on logout.
The default is The default is
.Cm yes . .Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -502,9 +509,13 @@ Index: openssh-9.6p1/sshd_config.5
+existing policies with sub-policies are present in manual page +existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the available KEX (Key Exchange) algorithms. Specifies the permitted KEX (Key Exchange) algorithms that the server will
offer to clients.
The ordering of this list is not important, as the client specifies the
preference order.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a .Pp
If the specified list begins with a
.Sq + .Sq +
-character, then the specified algorithms will be appended to the default set -character, then the specified algorithms will be appended to the default set
-instead of replacing them. -instead of replacing them.
@ -520,9 +531,9 @@ Index: openssh-9.6p1/sshd_config.5
character, then the specified algorithms will be placed at the head of the character, then the specified algorithms will be placed at the head of the
-default set. -default set.
+built-in openssh default set. +built-in openssh default set.
.Pp
The supported algorithms are: The supported algorithms are:
.Pp .Pp
.Bl -item -compact -offset indent
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521 @@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512@openssh.com
.El .El
@ -537,7 +548,7 @@ Index: openssh-9.6p1/sshd_config.5
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 -diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
-.Ed -.Ed
-.Pp -.Pp
The list of available key exchange algorithms may also be obtained using The list of supported key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms . .Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress .It Cm ListenAddress
@@ -1167,21 +1142,27 @@ function, and all code in the @@ -1167,21 +1142,27 @@ function, and all code in the

BIN
openssh-9.6p1.tar.gz (Stored with Git LFS)

Binary file not shown.

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
=G9YA
-----END PGP SIGNATURE-----

3
openssh-9.8p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
size 1910393

16
openssh-9.8p1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmaCMn0ACgkQKj9BTnNg
YLrjcBAAgO7xhKUXp8YxdqSZigDbcHu7T37bm1pRTKg2ihPepz+q6pV+DY8AHSRu
eyuOCOHYzjLyArFpiMX3z9iT2NqO+KNBvKQoh8loaxNrECmgRGk2jBEKiibFSP5M
i6CYkF3sET9xnVDkt4P6KievWXY1/Tl93qve3K2a/bvvgT8s2AaBMM8u4BMGNm3D
sc3A6euN0aiXRts2V6I885VyrQDMK++E7+eTHet0ex82KH4I+ceIOwB48hny4wpb
Zaqy9pTFisTmFNOF6d3TB58yMWoLQIbLuVrbbbcr7hFYCWsgj0yN5iYQNOR9pU4E
ooF+aC0kK9M4iUXthzjjgIjnMzsCmPeKisbwblsPSfSgccj/pCMzW8C3CMVL6AvG
slSSLK42qm3f38kx3sg2S8LDW0v+hoyvBmKNFMiBwsF2tWCXIG+oP1PDYpJUpaOJ
RFHG7JEPtY94UJGdo5C4YhqDWr3HOqEwuVIt1gWMMPs9IvDkDRo6emmDd64FFAKH
ss3hHixu6OHqU5iw6JIVVtYiur6s9m6N/Xxt5Ho6wuqnzUZ+Dwj3L6lF9IOJbJxU
Ufb70I1Uko9kXcoje9ONUsqr88wfQY+JZxxVTlzDUDadytCzmO3wXsz+cosMQ5Rw
aOZwXYyvmcoZuUQG8GIqRO1wfOcD7o7pI6IyVJQjOeG/rA0eu/4=
=Gj2n
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.8p1:
* No changes for askpass, see main package changelog for
details.
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com> Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>

View File

@ -1,7 +1,7 @@
# #
# spec file for package openssh-askpass-gnome # spec file for package openssh-askpass-gnome
# #
# Copyright (c) 2020 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -18,7 +18,7 @@
%define _name openssh %define _name openssh
Name: openssh-askpass-gnome Name: openssh-askpass-gnome
Version: 9.6p1 Version: 9.8p1
Release: 0 Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause License: BSD-2-Clause

View File

@ -207,9 +207,9 @@ Index: openssh-9.3p2/packet.h
--- openssh-9.3p2.orig/packet.h --- openssh-9.3p2.orig/packet.h
+++ openssh-9.3p2/packet.h +++ openssh-9.3p2/packet.h
@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *); @@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *);
void ssh_packet_close(struct ssh *);
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *); void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
void ssh_packet_clear_keys(struct ssh *); void ssh_packet_clear_keys(struct ssh *);
void ssh_packet_clear_keys_noaudit(struct ssh *);
+void ssh_clear_curkeys(struct ssh *, int); +void ssh_clear_curkeys(struct ssh *, int);
void ssh_clear_newkeys(struct ssh *, int); void ssh_clear_newkeys(struct ssh *, int);
@ -264,12 +264,12 @@ Index: openssh-9.3p2/sshbuf.h
/* Macros for decoding/encoding integers */ /* Macros for decoding/encoding integers */
#define PEEK_U64(p) \ #define PEEK_U64(p) \
(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \ (((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
Index: openssh-9.3p2/sshd.c Index: openssh-9.3p2/sshd-session.c
=================================================================== ===================================================================
--- openssh-9.3p2.orig/sshd.c --- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd.c +++ openssh-9.3p2/sshd-session.c
@@ -272,6 +272,19 @@ static void do_ssh2_kex(struct ssh *); @@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
static char *listener_proctitle; static void do_ssh2_kex(struct ssh *);
/* /*
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate + * Clear some stack space. This is a bit naive, but hopefully helps mitigate
@ -285,10 +285,10 @@ Index: openssh-9.3p2/sshd.c
+} +}
+ +
+/* +/*
* Close all listening sockets * Signal handler for the alarm after the login grace period has expired.
*/ * As usual, this may only take signal-safe actions, even though it is
static void * terminal.
@@ -430,6 +443,8 @@ destroy_sensitive_data(struct ssh *ssh, @@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
sensitive_data.host_certificates[i] = NULL; sensitive_data.host_certificates[i] = NULL;
} }
} }
@ -297,32 +297,32 @@ Index: openssh-9.3p2/sshd.c
} }
/* Demote private to public keys for network child */ /* Demote private to public keys for network child */
@@ -600,6 +615,8 @@ privsep_preauth(struct ssh *ssh) @@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
static void
privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
{ {
int skip_privdrop = 0;
+ clobber_stack(); + clobber_stack();
+ +
#ifdef DISABLE_FD_PASSING /*
if (1) { * Hack for systems that don't support FD passing: retain privileges
#else * in the post-auth privsep process so it can allocate PTYs directly.
@@ -2360,6 +2377,7 @@ main(int ac, char **av) @@ -1354,6 +1356,7 @@ main(int ac, char **av)
if (use_privsep) { */
mm_send_keystate(ssh, pmonitor); mm_send_keystate(ssh, pmonitor);
ssh_packet_clear_keys(ssh); ssh_packet_clear_keys(ssh);
+ clobber_stack(); + clobber_stack();
exit(0); exit(0);
}
@@ -2436,6 +2454,7 @@ main(int ac, char **av) authenticated:
if (use_privsep) @@ -1431,6 +1434,7 @@ main(int ac, char **av)
mm_terminate(); mm_terminate();
+ clobber_stack(); + clobber_stack();
exit(0); exit(0);
} }
@@ -2596,8 +2615,10 @@ cleanup_exit(int i) @@ -1577,8 +1581,10 @@ cleanup_exit(int i)
/* cleanup_exit can be called at the very least from the privsep /* cleanup_exit can be called at the very least from the privsep
wrappers used for auditing. Make sure we don't recurse wrappers used for auditing. Make sure we don't recurse
indefinitely. */ indefinitely. */
@ -332,10 +332,10 @@ Index: openssh-9.3p2/sshd.c
_exit(i); _exit(i);
+ } + }
in_cleanup = 1; in_cleanup = 1;
if (the_active_state != NULL && the_authctxt != NULL) { extern int auth_attempted; /* monitor.c */
do_cleanup(the_active_state, the_authctxt);
@@ -2623,5 +2644,7 @@ cleanup_exit(int i) @@ -1604,5 +1610,7 @@ cleanup_exit(int i)
(!use_privsep || mm_is_monitor())) mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON); audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif #endif
+ +

View File

@ -25,7 +25,7 @@ Index: openssh-8.9p1/ssh_config.5
+diffie-hellman-group14-sha1 +diffie-hellman-group14-sha1
.Ed .Ed
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of supported key exchange algorithms may also be obtained using
Index: openssh-8.9p1/sshd_config.5 Index: openssh-8.9p1/sshd_config.5
=================================================================== ===================================================================
--- openssh-8.9p1.orig/sshd_config.5 --- openssh-8.9p1.orig/sshd_config.5
@ -38,4 +38,4 @@ Index: openssh-8.9p1/sshd_config.5
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 +diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
.Ed .Ed
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of supported key exchange algorithms may also be obtained using

View File

@ -1,3 +1,299 @@
-------------------------------------------------------------------
Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Fix a dbus connection leaked in the logind patch that was
missing a sd_bus_unref call (found by Matthias Gerstner):
* logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
subsystem configuration option:
* fix-memleak-in-process_server_config_line_depth.patch
-------------------------------------------------------------------
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.8p1:
= Security
* 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
A critical vulnerability in sshd(8) was present in Portable
OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
allow arbitrary code execution with root privileges.
Successful exploitation has been demonstrated on 32-bit
Linux/glibc systems with ASLR. Under lab conditions, the attack
requires on average 6-8 hours of continuous connections up to
the maximum the server will accept. Exploitation on 64-bit
systems is believed to be possible but has not been
demonstrated at this time. It's likely that these attacks will
be improved upon.
Exploitation on non-glibc systems is conceivable but has not
been examined. Systems that lack ASLR or users of downstream
Linux distributions that have modified OpenSSH to disable
per-connection ASLR re-randomisation (yes - this is a thing, no
- we don't understand why) may potentially have an easier path
to exploitation. OpenBSD is not vulnerable.
We thank the Qualys Security Advisory Team for discovering,
reporting and demonstrating exploitability of this problem, and
for providing detailed feedback on additional mitigation
measures.
* 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
CVE-2024-39894).
In OpenSSH version 9.5 through 9.7 (inclusive), when connected
to an OpenSSH server version 9.5 or later, a logic error in the
ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
this feature ineffective - a passive observer could still
detect which network packets contained real keystrokes when the
countermeasure was active because both fake and real keystroke
packets were being sent unconditionally.
This bug was found by Philippos Giavridis and also
independently by Jacky Wei En Kung, Daniel Hugenroth and
Alastair Beresford of the University of Cambridge Computer Lab.
Worse, the unconditional sending of both fake and real
keystroke packets broke another long-standing timing attack
mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke
echo packets for traffic received on TTYs in echo-off mode,
such as when entering a password into su(8) or sudo(8). This
bug rendered these fake keystroke echoes ineffective and could
allow a passive observer of a SSH session to once again detect
when echo was off and obtain fairly limited timing information
about keystrokes in this situation (20ms granularity by
default).
This additional implication of the bug was identified by
Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and
we thank them for their detailed analysis.
This bug does not affect connections when
ObscureKeystrokeTiming was disabled or sessions where no TTY
was requested.
= Future deprecation notice
* OpenSSH plans to remove support for the DSA signature algorithm
in early 2025. This release disables DSA by default at compile
time.
DSA, as specified in the SSHv2 protocol, is inherently weak -
being limited to a 160 bit private key and use of the SHA1
digest. Its estimated security level is only 80 bits symmetric
equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has
retained run-time optional support for them. DSA was the only
mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
because alternative algorithms were encumbered by patents when
the SSHv2 protocol was specified.
This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining
DSA in OpenSSH to be justified and hope that removing it from
OpenSSH can accelerate its wider deprecation in supporting
cryptography libraries.
This release, and its deactivation of DSA by default at
compile-time, marks the second step in our timeline to finally
deprecate DSA. The final step of removing DSA support entirely
is planned for the first OpenSSH release of 2025.
DSA support may be re-enabled in OpenBSD by setting
"DSAKEY=yes" in Makefile.inc. To enable DSA support in
portable OpenSSH, pass the "--enable-dsa-keys" option to
configure.
= Potentially-incompatible changes
* all: as mentioned above, the DSA signature algorithm is now
disabled at compile time.
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users,
or servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary,
sshd(8), and a per-session binary "sshd-session". This allows
for a much smaller listener binary, as it no longer needs to
support the SSH protocol. As part of this work, support for
disabling privilege separation (which previously required code
changes to disable) and disabling re-execution of sshd(8) has
been removed. Further separation of sshd-session into
additional, minimal binaries is planned for the future.
* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard
error. This release now emits them to standard output, but adds
a new "-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use
argv[0] as the PAM service name. A new "PAMServiceName"
sshd_config(5) directive allows selecting the service name at
runtime. This defaults to "sshd". bz2101
* (portable OpenSSH only) Automatically-generated files, such as
configure, config.h.in, etc will now be checked in to the
portable OpenSSH git release branch (e.g. V_9_8). This should
ensure that the contents of the signed release branch exactly
match the contents of the signed release tarball.
= New features
* sshd(8): as described above, sshd(8) will now penalise client
addresses that, for various reasons, do not successfully
complete authentication. This feature is controlled by a new
sshd_config(5) PerSourcePenalties option and is on by default.
sshd(8) will now identify situations where the session did not
authenticate as expected. These conditions include when the
client repeatedly attempted authentication unsucessfully
(possibly indicating an attack against one or more accounts,
e.g. password guessing), or when client behaviour caused sshd
to crash (possibly indicating attempts to exploit bugs in
sshd).
When such a condition is observed, sshd will record a penalty
of some duration (e.g. 30 seconds) against the client's
address. If this time is above a minimum configurable
threshold, then all connections from the client address will be
refused (along with any others in the same
PerSourceNetBlockSize CIDR range) until the penalty expire.
Repeated offenses by the same client address will accrue
greater penalties, up to a configurable maximum. Address ranges
may be fully exempted from penalties, e.g. to guarantee access
from a set of trusted management addresses, using the new
sshd_config(5) PerSourcePenaltyExemptList option.
We hope these options will make it significantly more difficult
for attackers to find accounts with weak/guessable passwords or
exploit bugs in sshd(8) itself. This option is enabled by
default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.
= Bugfixes
* misc: fix a number of inaccuracies in the PROTOCOL.*
documentation files. GHPR430 GHPR487
* all: switch to strtonum(3) for more robust integer parsing in
most places.
* ssh(1), sshd(8): correctly restore sigprocmask around ppoll()
* ssh-keysign(8): stricter validation of messaging socket fd
GHPR492
* sftp(1): flush stdout after writing "sftp>" prompt when not
using editline. GHPR480
* sftp-server(8): fix home-directory extension implementation,
it previously always returned the current user's home directory
contrary to the spec. GHPR477
* ssh-keyscan(1): do not close stdin to prevent error messages
when stdin is read multiple times. E.g.
echo localhost | ssh-keyscan -f - -f -
* regression tests: fix rekey test that was testing the same KEX
algorithm repeatedly instead of testing all of them. bz3692
* ssh_config(5), sshd_config(5): clarify the KEXAlgorithms
directive documentation, especially around what is supported
vs available. bz3701.
= Portability
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only
when particular authentication methods were in use.
* build: fix OpenSSL ED25519 support detection. An incorrect
function signature in configure.ac previously prevented
enabling the recently added support for ED25519 private keys in
PEM PKCS8 format.
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the
X11 DISPLAY environment variable. GHPR479
* build: improve detection of the -fzero-call-used-regs compiler
flag. bz3673.
* build: relax OpenSSL version check to accept all OpenSSL 3.x
versions.
* sshd(8): add support for notifying systemd on server listen and
reload, using a standalone implementation that doesn't depend
on libsystemd. bz2641
- Update to openssh 9.7p1:
= New features
* ssh(1), sshd(8): add a "global" ChannelTimeout type that
watches all open channels and will close all open channels if
there is no traffic on any of them for the specified interval.
This is in addition to the existing per-channel timeouts added
recently.
This supports situations like having both session and x11
forwarding channels open where one may be idle for an extended
period but the other is actively used. The global timeout could
close both channels when both have been idle for too long.
* All: make DSA key support compile-time optional, defaulting to
on.
= Bugfixes
* sshd(8): don't append an unnecessary space to the end of
subsystem arguments (bz3667)
* ssh(1): fix the multiplexing "channel proxy" mode, broken when
keystroke timing obfuscation was added. (GHPR#463)
* ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden (bz3657).
* ssh-agent(1): fix potential spin in signal handler (bz3670)
* Many fixes to manual pages and other documentation, including
GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
* Greatly improve interop testing against PuTTY.
= Portability
* Improve the error message when the autoconf OpenSSL header
check fails (bz#3668)
* Improve detection of broken toolchain -fzero-call-used-regs
support (bz3645).
* Fix regress/misc/fuzz-harness fuzzers and make them compile
without warnings when using clang16
- Use gcc-11 in SLE to avoid a "parameter name omitted" error
- Rebase patches:
* logind_set_tty.patch
* openssh-6.6.1p1-selinux-contexts.patch
* openssh-6.6p1-keycat.patch
* openssh-6.6p1-privsep-selinux.patch
* openssh-7.6p1-cleanup-selinux.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-cavstest-kdf.patch
* openssh-7.7p1-fips.patch
* openssh-7.7p1-fips_checks.patch
* openssh-7.7p1-ldap.patch
* openssh-7.7p1-pam_check_locks.patch
* openssh-7.7p1-systemd-notify.patch
* openssh-7.8p1-role-mls.patch
* openssh-8.0p1-gssapi-keyex.patch
* openssh-8.1p1-audit.patch
* openssh-8.4p1-vendordir.patch
* openssh-9.6p1-crypto-policies-man.patch
* openssh-mitigate-lingering-secrets.patch
* openssh-reenable-dh-group14-sha1-default.patch
* wtmpdb.patch
- Thanks to Fedora developers for an initial version of the
rebase of the following patches:
* openssh-8.0p1-gssapi-keyex.patch
* openssh-7.8p1-role-mls.patch
* openssh-8.1p1-audit.patch
- Remove patches that are already included in 9.8p1:
* fix-CVE-2024-6387.patch
* 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
* 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
* 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
- Remove patch that is now merged into
openssh-7.7p1-cavstest-ctr.patch and
openssh-7.7p1-cavstest-kdf.patch where it belongs:
* fix-missing-lz.patch
-------------------------------------------------------------------
Mon Jul 15 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add sshd.socket and sshd@.service units as alternative to the
sshd.service that makes systemd listen to the ssh port
and run sshd per incoming connection. To enable this,
disable sshd.service and enable sshd.socket . If you want to
use a non standard sshd port with sshd.socket you can do
"systemctl edit sshd.socket" and add something like:
[Socket]
ListenStream=8022
which listens on port 8022 as well as on port 22. If you want
to reset the list of listened ports and just use 8022, use:
[Socket]
ListenStream=
ListenStream=8022
- To enable a vsock listener in sshd (which allows to connect to
libvirt VMs), the systemd-experimental package needs to be
installed in the guest system, the libvirt-ssh-proxy package
needs to be installed in the host and the vm needs to have
vsock support (in virt-manager, click in "Add hardware" and
add "VSOCK VirtIO").
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

View File

@ -1,7 +1,7 @@
# #
# spec file for package openssh # spec file for package openssh
# #
# Copyright (c) 2020 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -39,7 +39,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: openssh Name: openssh
Version: 9.6p1 Version: 9.8p1
Release: 0 Release: 0
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT License: BSD-2-Clause AND MIT
@ -61,6 +61,8 @@ Source12: cavs_driver-ssh.pl
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
Source14: sysusers-sshd.conf Source14: sysusers-sshd.conf
Source15: sshd-sle.pamd Source15: sshd-sle.pamd
Source16: sshd@.service
Source17: sshd.socket
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch Patch4: openssh-7.7p1-eal3.patch
@ -119,7 +121,6 @@ Patch50: openssh-openssl-3.patch
Patch51: wtmpdb.patch Patch51: wtmpdb.patch
Patch52: logind_set_tty.patch Patch52: logind_set_tty.patch
Patch54: openssh-mitigate-lingering-secrets.patch Patch54: openssh-mitigate-lingering-secrets.patch
Patch100: fix-missing-lz.patch
Patch102: openssh-7.8p1-role-mls.patch Patch102: openssh-7.8p1-role-mls.patch
Patch103: openssh-6.6p1-privsep-selinux.patch Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch Patch104: openssh-6.6p1-keycat.patch
@ -128,19 +129,15 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
Patch107: openssh-9.6p1-crypto-policies.patch Patch107: openssh-9.6p1-crypto-policies.patch
Patch108: openssh-9.6p1-crypto-policies-man.patch Patch108: openssh-9.6p1-crypto-policies-man.patch
# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387 Patch109: fix-memleak-in-process_server_config_line_depth.patch
Patch109: fix-CVE-2024-6387.patch
# PATCH-FIX-UPSTREAM
Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
# PATCH-FIX-UPSTREAM
Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
%if 0%{with allow_root_password_login_by_default} %if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch Patch1000: openssh-7.7p1-allow_root_password_login.patch
%endif %endif
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: automake BuildRequires: automake
%if 0%{?sle_version} >= 150500
BuildRequires: gcc11
%endif
BuildRequires: groff BuildRequires: groff
BuildRequires: libedit-devel BuildRequires: libedit-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
@ -328,6 +325,9 @@ sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
) )
%build %build
%if 0%{?sle_version} >= 150500
export CC=gcc-11
%endif
autoreconf -fiv autoreconf -fiv
%ifarch s390 s390x %{sparc} %ifarch s390 s390x %{sparc}
PIEFLAGS="-fPIE" PIEFLAGS="-fPIE"
@ -392,6 +392,8 @@ install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/ install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
%endif %endif
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
ln -s service %{buildroot}%{_sbindir}/rcsshd ln -s service %{buildroot}%{_sbindir}/rcsshd
install -d -m 755 %{buildroot}%{_fillupdir} install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir} install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
@ -471,11 +473,11 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||: test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
%endif %endif
%service_add_pre sshd.service %service_add_pre sshd.service sshd.socket
%post server %post server
%{fillup_only -n ssh} %{fillup_only -n ssh}
%service_add_post sshd.service %service_add_post sshd.service sshd.socket
%if ! %{defined _distconfdir} %if ! %{defined _distconfdir}
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
@ -487,16 +489,16 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
%endif %endif
%preun server %preun server
%service_del_preun sshd.service %service_del_preun sshd.service sshd.socket
%postun server %postun server
# The openssh-fips trigger script for openssh will normally restart sshd once # The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here if openssh-fips is not # it gets installed, so only restart the service here if openssh-fips is not
# present. # present.
if rpm -q openssh-fips >/dev/null 2>/dev/null; then if rpm -q openssh-fips >/dev/null 2>/dev/null; then
%service_del_postun_without_restart sshd.service %service_del_postun_without_restart sshd.service sshd.socket
else else
%service_del_postun sshd.service %service_del_postun sshd.service sshd.socket
fi fi
%if ! %{defined _distconfdir} %if ! %{defined _distconfdir}
@ -584,11 +586,14 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%endif %endif
%attr(0644,root,root) %{_unitdir}/sshd.service %attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_sysusersdir}/sshd.conf %attr(0644,root,root) %{_sysusersdir}/sshd.conf
%attr(0444,root,root) %{_mandir}/man5/sshd_config* %attr(0444,root,root) %{_mandir}/man5/sshd_config*
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8* %attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0444,root,root) %{_mandir}/man8/sshd.8* %attr(0444,root,root) %{_mandir}/man8/sshd.8*
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server %attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
%if 0%{?suse_version} < 1600 %if 0%{?suse_version} < 1600
%dir %{_sysconfdir}/slp.reg.d %dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg %config %{_sysconfdir}/slp.reg.d/ssh.reg

11
sshd.socket Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=OpenSSH Server Socket
Conflicts=sshd.service
[Socket]
ListenStream=22
Accept=yes
[Install]
WantedBy=sockets.target

11
sshd@.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=OpenSSH Per-Connection Server Daemon
Documentation=man:systemd-ssh-generator(8) man:sshd(8)
After=network.target
[Service]
EnvironmentFile=-/etc/sysconfig/ssh
ExecStartPre=/usr/sbin/sshd-gen-keys-start
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
StandardInput=socket

View File

@ -174,12 +174,16 @@ diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
AR=@AR@ AR=@AR@
AWK=@AWK@ AWK=@AWK@
RANLIB=@RANLIB@ RANLIB=@RANLIB@
@@ -212,7 +213,7 @@ @@ -212,10 +213,10 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
- $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)