Accepting request 230190 from network

- Update of the underlying OpenSSH to 6.6p1

- Remove uneeded dependency on the OpenLDAP server (openldap2)
  from openssh-helpers. openssh-helpers just depends on the 
  openldap client libraries, which will be auto-generated by rpm.

- update to 6.6p1
  Security:
  * sshd(8): when using environment passing with a sshd_config(5)
    AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
    be tricked into accepting any enviornment variable that
    contains the characters before the wildcard character.
  Features since 6.5p1:
  * ssh(1), sshd(8): removal of the J-PAKE authentication code,
    which was experimental, never enabled and has been
    unmaintained for some time.
  * ssh(1): skip 'exec' clauses other clauses predicates failed
    to match while processing Match blocks.
  * ssh(1): if hostname canonicalisation is enabled and results
    in the destination hostname being changed, then re-parse
    ssh_config(5) files using the new destination hostname. This
    gives 'Host' and 'Match' directives that use the expanded
    hostname a chance to be applied.
  Bugfixes:
  * ssh(1): avoid spurious "getsockname failed: Bad file
    descriptor" in ssh -W. bz#2200, debian#738692
  * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
    systrace sandbox modes, as it is reachable if the connection
    is terminated during the pre-auth phase.
  * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1

OBS-URL: https://build.opensuse.org/request/show/230190
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=95
This commit is contained in:
Tomáš Chvátal 2014-04-17 12:43:46 +00:00 committed by Git OBS Bridge
commit 8d7787adc5
45 changed files with 1944 additions and 1303 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
size 1293187

View File

@ -2,9 +2,9 @@
# configuration
# bnc#50836 (was suse #35836)
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -12,19 +12,30 @@
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
@ -37,9 +37,9 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication

View File

@ -1,12 +1,12 @@
# HG changeset patch
# Parent bb0162afc928b3eeb69f11419e214e0737bb8034
# Parent 73eb63cbbd603bf8c13995c478333c1b5a2a020a
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()
diff --git a/openssh-6.5p1/channels.c b/openssh-6.5p1/channels.c
--- a/openssh-6.5p1/channels.c
+++ b/openssh-6.5p1/channels.c
@@ -3475,22 +3475,24 @@ x11_create_display_inet(int x11_display_
diff --git a/openssh-6.6p1/channels.c b/openssh-6.6p1/channels.c
--- a/openssh-6.6p1/channels.c
+++ b/openssh-6.6p1/channels.c
@@ -3476,22 +3476,24 @@ x11_create_display_inet(int x11_display_
}
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);

View File

@ -8,10 +8,10 @@
#
# PRIVSEP(getpwnamallow()) a few lines above already did this.
diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32
diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c
--- a/openssh-6.6p1/auth2.c
+++ b/openssh-6.6p1/auth2.c
@@ -236,19 +236,16 @@ input_userauth_request(int type, u_int32
authctxt->pw = PRIVSEP(getpwnamallow(user));
authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {

View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2011
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -370,20 +370,33 @@ audit_connection_from(const char *host,
/* this is used on IPv4-only machines */
tid->port = (dev_t)port;
@ -42,9 +42,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
/* not implemented */
}
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -30,97 +30,210 @@
#include "includes.h"
#if defined(USE_LINUX_AUDIT)
@ -276,9 +276,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -135,16 +135,27 @@ audit_connection_from(const char *host,
void
audit_event(ssh_audit_event_t event)
@ -344,9 +344,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -44,14 +44,16 @@ enum ssh_audit_event_type {
SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */
SSH_CONNECTION_ABANDON, /* closed without completing auth */
@ -365,10 +365,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -175,16 +175,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@ -386,7 +386,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -268,16 +269,17 @@ struct mon_table mon_dispatch_postauth20
@@ -255,16 +256,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
@ -404,7 +404,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -310,16 +312,17 @@ struct mon_table mon_dispatch_proto15[]
@@ -297,16 +299,17 @@ struct mon_table mon_dispatch_proto15[]
struct mon_table mon_dispatch_postauth15[] = {
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
@ -422,7 +422,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1442,16 +1445,22 @@ mm_record_login(Session *s, struct passw
@@ -1420,16 +1423,22 @@ mm_record_login(Session *s, struct passw
static void
mm_session_close(Session *s)
{
@ -445,7 +445,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{
extern struct monitor *pmonitor;
Session *s;
@@ -1764,21 +1773,53 @@ mm_answer_audit_event(int socket, Buffer
@@ -1742,21 +1751,53 @@ mm_answer_audit_event(int socket, Buffer
return (0);
}
@ -500,10 +500,10 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
void
monitor_apply_keystate(struct monitor *pmonitor)
{
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -64,16 +64,17 @@ enum monitor_reqtype {
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -59,16 +59,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
@ -521,10 +521,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event)
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -1184,27 +1184,48 @@ mm_audit_event(ssh_audit_event_t event)
buffer_init(&m);
buffer_put_int(&m, event);
@ -574,9 +574,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
{
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **);
@ -597,9 +597,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif
@ -657,8 +657,8 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
original_command = NULL;
@@ -1903,16 +1915,17 @@ session_unused(int id)
bzero(&sessions[id], sizeof(*sessions));
@@ -1908,16 +1920,17 @@ session_unused(int id)
memset(&sessions[id], 0, sizeof(*sessions));
sessions[id].self = id;
sessions[id].used = 0;
sessions[id].chanid = -1;
@ -675,7 +675,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
session_new(void)
{
Session *s, *tmp;
@@ -1985,16 +1998,29 @@ session_open(Authctxt *authctxt, int cha
@@ -1990,16 +2003,29 @@ session_open(Authctxt *authctxt, int cha
if (s->pw == NULL || !authctxt->valid)
fatal("no user for session %d", s->self);
debug("session_open: session %d: link with channel %d", s->self, chanid);
@ -705,7 +705,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
debug("session_by_tty: session %d tty %s", i, tty);
return s;
@@ -2501,16 +2527,40 @@ session_exit_message(Session *s, int sta
@@ -2506,16 +2532,40 @@ session_exit_message(Session *s, int sta
* interested in data we write.
* Note that we must not call 'chan_read_failed', since there could
* be some more data waiting in the pipe.
@ -746,7 +746,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
@@ -2541,16 +2591,20 @@ session_close(Session *s)
@@ -2546,16 +2596,20 @@ session_close(Session *s)
int status;
waitpid(pid, &status, 0);
@ -767,7 +767,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
free(s->auth_proto);
free(s->subsys);
if (s->env != NULL) {
@@ -2755,16 +2809,25 @@ session_setup_x11fwd(Session *s)
@@ -2760,16 +2814,25 @@ session_setup_x11fwd(Session *s)
}
static void
@ -793,7 +793,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
debug("do_cleanup");
/* no cleanup if we're in the child for login shell */
@@ -2803,10 +2866,10 @@ do_cleanup(Authctxt *authctxt)
@@ -2808,10 +2871,10 @@ do_cleanup(Authctxt *authctxt)
/* remove agent socket */
auth_sock_cleanup_proc(authctxt->pw);
@ -805,9 +805,9 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
- session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session);
}
diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h
--- a/openssh-6.5p1/session.h
+++ b/openssh-6.5p1/session.h
diff --git a/openssh-6.6p1/session.h b/openssh-6.6p1/session.h
--- a/openssh-6.6p1/session.h
+++ b/openssh-6.6p1/session.h
@@ -56,29 +56,37 @@ struct Session {
int *x11_chanids;
int is_subsystem;
@ -846,10 +846,10 @@ diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h
const char *value);
#endif
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -2504,13 +2504,14 @@ cleanup_exit(int i)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -2529,13 +2529,14 @@ cleanup_exit(int i)
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)
error("%s: kill(%d): %s", __func__,

View File

@ -5,9 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975)
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li)
}
@ -31,9 +31,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
if (cannot_audit(0))
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -36,16 +36,18 @@
#include "log.h"
#include "audit.h"
@ -101,9 +101,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
audit_connection_from(const char *host, int port)
{
/* not implemented */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -31,16 +31,17 @@
#ifdef SSH_AUDIT_EVENTS
@ -178,9 +178,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -23,16 +23,17 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -212,69 +212,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_key(int, int *, const Key *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.5p1/auth-rsa.c
+++ b/openssh-6.5p1/auth-rsa.c
@@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key)
return challenge;
}
int
auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
{
u_char buf[32], mdbuf[16];
MD5_CTX md;
- int len;
+ int len, rv;
+#ifdef SSH_AUDIT_EVENTS
+ char *fp;
+#endif
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return (0);
}
@@ -108,22 +111,28 @@ auth_rsa_verify_response(Key *key, BIGNU
memset(buf, 0, 32);
BN_bn2bin(challenge, buf + 32 - len);
MD5_Init(&md);
MD5_Update(&md, buf, 32);
MD5_Update(&md, session_id, 16);
MD5_Final(mdbuf, &md);
/* Verify that the response is the original challenge. */
- if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
- /* Wrong answer. */
- return (0);
+ rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
+
+#ifdef SSH_AUDIT_EVENTS
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
+ debug("unsuccessful audit");
+ rv = 0;
}
- /* Correct answer. */
- return (1);
+ free(fp);
+#endif
+
+ return rv;
}
/*
* Performs the RSA authentication challenge-response dialog with the client,
* and returns true (non-zero) if the client gave the correct answer to
* our challenge; returns zero if the client gives a wrong answer.
*/
diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
--- a/openssh-6.5p1/auth.h
+++ b/openssh-6.5p1/auth.h
@@ -182,16 +182,17 @@ int allowed_user(struct passwd *);
diff --git a/openssh-6.6p1/auth.h b/openssh-6.6p1/auth.h
--- a/openssh-6.6p1/auth.h
+++ b/openssh-6.6p1/auth.h
@@ -178,16 +178,17 @@ int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
@ -292,7 +233,7 @@ diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
HostStatus
check_key_in_hostfiles(struct passwd *, Key *, const char *,
const char *, const char *);
@@ -199,16 +200,17 @@ check_key_in_hostfiles(struct passwd *,
@@ -195,16 +196,17 @@ check_key_in_hostfiles(struct passwd *,
/* hostkey handling */
Key *get_hostkey_by_index(int);
Key *get_hostkey_public_by_index(int);
@ -310,9 +251,9 @@ diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
struct passwd *fakepw(void);
diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
--- a/openssh-6.5p1/auth2-hostbased.c
+++ b/openssh-6.5p1/auth2-hostbased.c
diff --git a/openssh-6.6p1/auth2-hostbased.c b/openssh-6.6p1/auth2-hostbased.c
--- a/openssh-6.6p1/auth2-hostbased.c
+++ b/openssh-6.6p1/auth2-hostbased.c
@@ -124,33 +124,45 @@ userauth_hostbased(Authctxt *authctxt)
#endif
@ -360,9 +301,9 @@ diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status;
int len;
diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
--- a/openssh-6.5p1/auth2-pubkey.c
+++ b/openssh-6.5p1/auth2-pubkey.c
diff --git a/openssh-6.6p1/auth2-pubkey.c b/openssh-6.6p1/auth2-pubkey.c
--- a/openssh-6.6p1/auth2-pubkey.c
+++ b/openssh-6.6p1/auth2-pubkey.c
@@ -153,17 +153,17 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
@ -411,10 +352,10 @@ diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
int i;
extra = NULL;
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -1340,26 +1340,30 @@ monitor_valid_hostbasedblob(u_char *data
}
int
@ -445,7 +386,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
switch (key_blobtype) {
case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen);
@@ -1392,17 +1396,27 @@ mm_answer_keyverify(int sock, Buffer *m)
@@ -1370,17 +1374,27 @@ mm_answer_keyverify(int sock, Buffer *m)
break;
default:
valid_data = 0;
@ -474,10 +415,10 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
free(signature);
free(data);
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -426,30 +426,31 @@ mm_key_allowed(enum mm_keytype type, cha
/*
* This key verify needs to send the key type along, because the
@ -510,7 +451,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
@@ -459,16 +460,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
@@ -457,16 +458,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
verified = buffer_get_int(&m);
@ -540,9 +481,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
u_int len;
Newkeys *newkey = NULL;
Enc *enc;
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);

View File

@ -0,0 +1,61 @@
# HG changeset patch
# Parent c487e15d91bc5cdfb0aedcf4d3c7fe4d0f309a73
diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
--- a/openssh-6.6p1/auth-rsa.c
+++ b/openssh-6.6p1/auth-rsa.c
@@ -94,16 +94,20 @@ int
auth_rsa_verify_response(Key *key, BIGNUM *challenge,
u_char response[SSH_DIGEST_MAX_LENGTH])
{
u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];
struct ssh_digest_ctx *md;
int len;
int dgst;
size_t dgst_len;
+ int rv;
+#ifdef SSH_AUDIT_EVENTS
+ char *fp;
+#endif
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
error("%s: RSA modulus too small: %d < minimum %d bits",
__func__,
BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return (0);
}
@@ -121,22 +125,28 @@ auth_rsa_verify_response(Key *key, BIGNU
if ((md = ssh_digest_start(dgst)) == NULL ||
ssh_digest_update(md, buf, 2 * dgst_len) < 0 ||
ssh_digest_update(md, session_id, dgst_len) < 0 ||
ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
fatal("%s: md5 failed", __func__);
ssh_digest_free(md);
/* Verify that the response is the original challenge. */
- if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) {
- /* Wrong answer. */
- return (0);
+ rv = timingsafe_bcmp(response, mdbuf, dgst_len) == 0;
+
+#ifdef SSH_AUDIT_EVENTS
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
+ debug("unsuccessful audit");
+ rv = 0;
}
- /* Correct answer. */
- return (1);
+ free(fp);
+#endif
+
+ return rv;
}
/*
* Performs the RSA authentication challenge-response dialog with the client,
* and returns true (non-zero) if the client gave the correct answer to
* our challenge; returns zero if the client gives a wrong answer.
*/

View File

@ -5,32 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976)
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -71,17 +71,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
+ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+ auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event)
case SSH_AUTH_FAIL_KBDINT:
bsm_audit_bad_login("interactive password entry");
@ -53,9 +30,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -35,16 +35,18 @@
#include "log.h"
@ -141,9 +118,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
+}
+
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -23,24 +23,27 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -233,9 +210,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t);
void audit_count_session_open(void);
void audit_session_open(struct logininfo *);
@ -251,10 +228,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
diff --git a/openssh-6.6p1/auditstub.c b/openssh-6.6p1/auditstub.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/auditstub.c
+++ b/openssh-6.6p1/auditstub.c
@@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@ -295,45 +272,9 @@ new file mode 100644
+{
+}
+
diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
--- a/openssh-6.5p1/cipher.c
+++ b/openssh-6.5p1/cipher.c
@@ -52,31 +52,17 @@
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-struct Cipher {
- char *name;
- int number; /* for ssh1 only */
- u_int block_size;
- u_int key_len;
- u_int iv_len; /* defaults to block_size */
- u_int auth_len;
- u_int discard_len;
- u_int flags;
-#define CFLAG_CBC (1<<0)
-#define CFLAG_CHACHAPOLY (1<<1)
- const EVP_CIPHER *(*evptype)(void);
-};
-
-static const struct Cipher ciphers[] = {
+struct Cipher ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
{ "blowfish-cbc",
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h
--- a/openssh-6.5p1/cipher.h
+++ b/openssh-6.5p1/cipher.h
diff --git a/openssh-6.6p1/cipher.h b/openssh-6.6p1/cipher.h
--- a/openssh-6.6p1/cipher.h
+++ b/openssh-6.6p1/cipher.h
@@ -58,17 +58,30 @@
#define SSH_CIPHER_MAX 31
@ -366,9 +307,9 @@ diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h
const Cipher *cipher;
};
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.5p1/kex.c
+++ b/openssh-6.5p1/kex.c
diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c
--- a/openssh-6.6p1/kex.c
+++ b/openssh-6.6p1/kex.c
@@ -45,16 +45,17 @@
#include "kex.h"
#include "log.h"
@ -476,16 +417,16 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode];
need = MAX(need, newkeys->enc.key_len);
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -93,16 +93,17 @@
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -92,16 +92,17 @@
#endif
#include "monitor_wrap.h"
#include "monitor_fdpass.h"
#include "misc.h"
#include "compat.h"
#include "ssh2.h"
#include "jpake.h"
#include "roaming.h"
#include "authfd.h"
+#include "audit.h"
@ -497,7 +438,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Imports */
extern ServerOptions options;
extern u_int utmp_len;
@@ -182,16 +183,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
@@ -176,16 +177,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
#endif
@ -516,7 +457,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -233,16 +236,18 @@ struct mon_table mon_dispatch_proto20[]
@@ -227,16 +230,18 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@ -535,7 +476,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -270,16 +275,18 @@ struct mon_table mon_dispatch_postauth20
@@ -257,16 +262,18 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@ -554,7 +495,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -301,28 +308,32 @@ struct mon_table mon_dispatch_proto15[]
@@ -288,28 +295,32 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@ -587,16 +528,15 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -2411,8 +2422,52 @@ mm_answer_jpake_check_confirm(int sock,
@@ -2187,8 +2198,52 @@ mm_answer_gss_userok(int sock, Buffer *m
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
auth_method = "gssapi-with-mic";
auth_method = "jpake-01@openssh.com";
return authenticated;
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
#endif /* GSSAPI */
#endif /* JPAKE */
+
+#ifdef SSH_AUDIT_EVENTS
+int
+mm_answer_audit_unsupported_body(int sock, Buffer *m)
@ -640,10 +580,11 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
+}
+
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -65,16 +65,18 @@ enum monitor_reqtype {
+
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -60,16 +60,18 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
@ -662,19 +603,18 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -1320,8 +1320,46 @@ mm_ssh_gssapi_userok(char *user)
authenticated = buffer_get_int(&m);
success = buffer_get_int(&m);
buffer_free(&m);
debug3("%s: success = %d", __func__, success);
return success;
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
#endif /* JPAKE */
+
#endif /* GSSAPI */
+#ifdef SSH_AUDIT_EVENTS
+void
+mm_audit_unsupported_body(int what)
@ -712,9 +652,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
+ buffer_free(&m);
+}
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
+
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha
void mm_sshpam_free_ctx(void *);
#endif
@ -734,28 +675,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -114,16 +114,17 @@
#include "session.h"
#include "monitor_mm.h"
#include "monitor.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "roaming.h"
+#include "audit.h"
#include "ssh-sandbox.h"
#include "version.h"
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
int allow_severity;
int deny_severity;
@@ -2312,16 +2313,20 @@ do_ssh1_kex(void)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -2325,16 +2325,20 @@ do_ssh1_kex(void)
packet_disconnect("Warning: client selects unsupported cipher.");
/* Get check bytes from the packet. These must match those we

View File

@ -0,0 +1,82 @@
# HG changeset patch
# Parent dec5efd68e0b652282f2b9b31f5999342123d33d
diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
--- a/openssh-6.6p1/Makefile.in
+++ b/openssh-6.6p1/Makefile.in
@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
- fips.o
+ fips.o \
+ auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
diff --git a/openssh-6.6p1/cipher.c b/openssh-6.6p1/cipher.c
--- a/openssh-6.6p1/cipher.c
+++ b/openssh-6.6p1/cipher.c
@@ -54,30 +54,16 @@
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-struct Cipher {
- char *name;
- int number; /* for ssh1 only */
- u_int block_size;
- u_int key_len;
- u_int iv_len; /* defaults to block_size */
- u_int auth_len;
- u_int discard_len;
- u_int flags;
-#define CFLAG_CBC (1<<0)
-#define CFLAG_CHACHAPOLY (1<<1)
- const EVP_CIPHER *(*evptype)(void);
-};
-
static const struct Cipher ciphers_all[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
{ "blowfish-cbc",
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -119,16 +119,18 @@
#endif
#include "monitor_wrap.h"
#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
#include "fips.h"
+#include "audit.h"
+
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
int allow_severity;
int deny_severity;
#endif /* LIBWRAP */
#ifndef O_NOCTTY

View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2014
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -480,9 +480,15 @@ audit_unsupported_body(int what)
/* not implemented */
}
@ -23,9 +23,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -289,24 +289,25 @@ audit_unsupported_body(int what)
/* no problem, the next instruction will be fatal() */
return;
@ -91,9 +91,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
+}
+
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -138,16 +138,22 @@ audit_unsupported(int what)
}
@ -138,9 +138,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -57,10 +57,12 @@ int audit_run_command(const char *);
void audit_end_command(int, const char *);
ssh_audit_event_t audit_classify_auth(const char *);
@ -154,9 +154,9 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
--- a/openssh-6.5p1/auditstub.c
+++ b/openssh-6.5p1/auditstub.c
diff --git a/openssh-6.6p1/auditstub.c b/openssh-6.6p1/auditstub.c
--- a/openssh-6.6p1/auditstub.c
+++ b/openssh-6.6p1/auditstub.c
@@ -22,18 +22,29 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
@ -187,10 +187,10 @@ diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.5p1/kex.c
+++ b/openssh-6.5p1/kex.c
@@ -698,8 +698,39 @@ dump_digest(char *msg, u_char *digest, i
diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c
--- a/openssh-6.6p1/kex.c
+++ b/openssh-6.6p1/kex.c
@@ -700,8 +700,39 @@ dump_digest(char *msg, u_char *digest, i
if (i%32 == 31)
fprintf(stderr, "\n");
else if (i%8 == 7)
@ -230,10 +230,10 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.5p1/kex.h
+++ b/openssh-6.5p1/kex.h
@@ -163,16 +163,18 @@ void kexdh_client(Kex *);
diff --git a/openssh-6.6p1/kex.h b/openssh-6.6p1/kex.h
--- a/openssh-6.6p1/kex.h
+++ b/openssh-6.6p1/kex.h
@@ -162,16 +162,18 @@ void kexdh_client(Kex *);
void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
@ -252,15 +252,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *);
#ifdef OPENSSL_HAS_ECC
diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
--- a/openssh-6.5p1/mac.c
+++ b/openssh-6.5p1/mac.c
@@ -219,16 +219,30 @@ mac_clear(Mac *mac)
diff --git a/openssh-6.6p1/mac.c b/openssh-6.6p1/mac.c
--- a/openssh-6.6p1/mac.c
+++ b/openssh-6.6p1/mac.c
@@ -253,16 +253,30 @@ mac_clear(Mac *mac)
if (mac->umac_ctx != NULL)
umac128_delete(mac->umac_ctx);
} else if (mac->evp_md != NULL)
HMAC_cleanup(&mac->evp_ctx);
mac->evp_md = NULL;
} else if (mac->hmac_ctx != NULL)
ssh_hmac_free(mac->hmac_ctx);
mac->hmac_ctx = NULL;
mac->umac_ctx = NULL;
}
@ -286,9 +286,9 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
char *maclist, *cp, *p;
if (names == NULL || strcmp(names, "") == 0)
diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h
--- a/openssh-6.5p1/mac.h
+++ b/openssh-6.5p1/mac.h
diff --git a/openssh-6.6p1/mac.h b/openssh-6.6p1/mac.h
--- a/openssh-6.6p1/mac.h
+++ b/openssh-6.6p1/mac.h
@@ -24,8 +24,9 @@
*/
@ -299,10 +299,10 @@ diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer *
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -179,16 +179,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#endif
#ifdef SSH_AUDIT_EVENTS
@ -320,7 +320,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -238,16 +239,17 @@ struct mon_table mon_dispatch_proto20[]
@@ -232,16 +233,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
@ -338,7 +338,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -277,16 +279,17 @@ struct mon_table mon_dispatch_postauth20
@@ -264,16 +266,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
@ -356,7 +356,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -310,30 +313,32 @@ struct mon_table mon_dispatch_proto15[]
@@ -297,30 +300,32 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
@ -389,7 +389,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1971,21 +1976,23 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1949,21 +1954,23 @@ mm_get_keystate(struct monitor *pmonitor
goto skip;
} else {
/* Get the Kex for rekeying */
@ -413,7 +413,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
packets = buffer_get_int(&m);
bytes = buffer_get_int64(&m);
packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes);
@@ -2021,16 +2028,31 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1999,16 +2006,31 @@ mm_get_keystate(struct monitor *pmonitor
/* Roaming */
if (compat20) {
@ -445,7 +445,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
size_t len = (size_t) size * ncount;
@@ -2465,9 +2487,27 @@ mm_answer_audit_kex_body(int sock, Buffe
@@ -2240,10 +2262,28 @@ mm_answer_audit_kex_body(int sock, Buffe
free(mac);
free(compress);
buffer_clear(m);
@ -473,10 +473,11 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -67,16 +67,17 @@ enum monitor_reqtype {
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -62,16 +62,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -494,10 +495,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -649,22 +649,24 @@ mm_send_keystate(struct monitor *monitor
__func__, packet_get_newkeys(MODE_OUT),
packet_get_newkeys(MODE_IN));
@ -522,7 +523,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
buffer_put_int(&m, packets);
buffer_put_int64(&m, bytes);
packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes);
@@ -1520,9 +1522,24 @@ mm_audit_kex_body(int ctos, char *cipher
@@ -1356,10 +1358,25 @@ mm_audit_kex_body(int ctos, char *cipher
buffer_put_int64(&m, uid);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
@ -547,9 +548,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
@ -568,9 +570,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
--- a/openssh-6.5p1/packet.c
+++ b/openssh-6.5p1/packet.c
diff --git a/openssh-6.6p1/packet.c b/openssh-6.6p1/packet.c
--- a/openssh-6.6p1/packet.c
+++ b/openssh-6.6p1/packet.c
@@ -56,16 +56,17 @@
#include <stdio.h>
#include <stdlib.h>
@ -701,9 +703,9 @@ diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
- mac = &active_state->newkeys[mode]->mac;
- comp = &active_state->newkeys[mode]->comp;
- mac_clear(mac);
- memset(enc->iv, 0, enc->iv_len);
- memset(enc->key, 0, enc->key_len);
- memset(mac->key, 0, mac->key_len);
- explicit_bzero(enc->iv, enc->iv_len);
- explicit_bzero(enc->key, enc->key_len);
- explicit_bzero(mac->key, mac->key_len);
- free(enc->name);
- free(enc->iv);
- free(enc->key);
@ -823,9 +825,9 @@ diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
+ backup_state = NULL;
}
+
diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h
--- a/openssh-6.5p1/packet.h
+++ b/openssh-6.5p1/packet.h
diff --git a/openssh-6.6p1/packet.h b/openssh-6.6p1/packet.h
--- a/openssh-6.6p1/packet.h
+++ b/openssh-6.6p1/packet.h
@@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t,
time_t packet_get_rekey_timeout(void);
@ -837,10 +839,10 @@ diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -1689,16 +1689,19 @@ do_child(Session *s, const char *command
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -1694,16 +1694,19 @@ do_child(Session *s, const char *command
int env_size;
char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL;
@ -860,10 +862,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
do_pwchange(s);
exit(1);
}
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -711,16 +711,18 @@ privsep_preauth(Authctxt *authctxt)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -720,16 +720,18 @@ privsep_preauth(Authctxt *authctxt)
setproctitle("%s", "[net]");
if (box != NULL)
ssh_sandbox_child(box);
@ -882,7 +884,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -735,16 +737,20 @@ privsep_postauth(Authctxt *authctxt)
@@ -744,16 +746,20 @@ privsep_postauth(Authctxt *authctxt)
monitor_reinit(pmonitor);
pmonitor->m_pid = fork();
@ -903,7 +905,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/* child */
@@ -2104,16 +2110,17 @@ main(int ac, char **av)
@@ -2118,16 +2124,17 @@ main(int ac, char **av)
do_authentication(authctxt);
}
/*
@ -921,7 +923,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
* Cancel the alarm we set to limit the time taken for
* authentication.
*/
@@ -2156,16 +2163,18 @@ main(int ac, char **av)
@@ -2170,16 +2177,18 @@ main(int ac, char **av)
packet_set_timeout(options.client_alive_interval,
options.client_alive_count_max);
@ -940,7 +942,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
#ifdef USE_PAM
@@ -2497,26 +2506,38 @@ do_ssh2_kex(void)
@@ -2523,26 +2532,38 @@ do_ssh2_kex(void)
#endif
debug("KEX done");
}

View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2015
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char
/* not implemented */
}
@ -35,9 +35,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
buf, NULL, get_remote_ipaddr(), NULL, 1);
@ -94,9 +94,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char
* This will be called on succesfull session key discard
*/
@ -127,9 +127,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -43,26 +43,30 @@ enum ssh_audit_event_type {
SSH_INVALID_USER,
SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */
@ -161,10 +161,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -1959,16 +1959,43 @@ key_demote(const Key *k)
diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c
--- a/openssh-6.6p1/key.c
+++ b/openssh-6.6p1/key.c
@@ -1964,16 +1964,43 @@ key_demote(const Key *k)
fatal("key_demote: bad key type %d", k->type);
break;
}
@ -208,9 +208,9 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
}
/* Return the cert-less equivalent to a certified key type */
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.5p1/key.h
+++ b/openssh-6.5p1/key.h
diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h
--- a/openssh-6.6p1/key.h
+++ b/openssh-6.6p1/key.h
@@ -113,16 +113,17 @@ int key_read(Key *, char **);
u_int key_size(const Key *);
enum fp_type key_fp_type_select(void);
@ -229,10 +229,10 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
void key_cert_copy(const Key *, struct Key *);
int key_cert_check_authority(const Key *, int, int, const char *,
const char **);
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -110,16 +110,18 @@ extern u_int utmp_len;
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -109,16 +109,18 @@ extern u_int utmp_len;
extern Newkeys *current_keys[];
extern z_stream incoming_stream;
extern z_stream outgoing_stream;
@ -251,7 +251,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
u_char *keyin;
u_int keyinlen;
u_char *keyout;
@@ -186,16 +188,17 @@ int mm_answer_gss_checkmic(int, Buffer *
@@ -180,16 +182,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
@ -269,7 +269,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -240,16 +243,17 @@ struct mon_table mon_dispatch_proto20[]
@@ -234,16 +237,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
@ -287,7 +287,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -280,16 +284,17 @@ struct mon_table mon_dispatch_postauth20
@@ -267,16 +271,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -305,7 +305,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -314,31 +319,33 @@ struct mon_table mon_dispatch_proto15[]
@@ -301,31 +306,33 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
@ -339,7 +339,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1761,16 +1768,18 @@ mm_answer_term(int sock, Buffer *req)
@@ -1739,16 +1746,18 @@ mm_answer_term(int sock, Buffer *req)
/* The child is terminating */
session_destroy_all(&mm_session_close);
@ -358,7 +358,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Terminate process */
exit(res);
@@ -2505,9 +2514,30 @@ mm_answer_audit_session_key_free_body(in
@@ -2280,10 +2289,31 @@ mm_answer_audit_session_key_free_body(in
audit_session_key_free_body(ctos, pid, uid);
@ -389,10 +389,11 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -68,16 +68,17 @@ enum monitor_reqtype {
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -63,16 +63,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
@ -410,10 +411,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos,
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -1373,10 +1373,26 @@ mm_audit_session_key_free_body(int ctos,
buffer_put_int(&m, ctos);
buffer_put_int64(&m, pid);
buffer_put_int64(&m, uid);
@ -439,9 +440,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
#include "audit.h"
@ -460,9 +462,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -132,17 +132,17 @@ static int session_pty_req(Session *);
/* import */
@ -482,7 +484,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
/* data */
static int sessions_first_unused = -1;
static int sessions_nalloc = 0;
@@ -1688,17 +1688,17 @@ do_child(Session *s, const char *command
@@ -1693,17 +1693,17 @@ do_child(Session *s, const char *command
char **env;
int env_size;
char *argv[ARGV_MAX];
@ -501,10 +503,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
if (s->authctxt->force_pwchange) {
do_setusercontext(pw);
child_close_fds();
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -256,17 +256,17 @@ Buffer cfg;
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -259,17 +259,17 @@ Buffer cfg;
/* message to be displayed after login */
Buffer loginmsg;
@ -523,7 +525,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/*
* Close all listening sockets
*/
@@ -275,16 +275,25 @@ close_listen_socks(void)
@@ -278,16 +278,25 @@ close_listen_socks(void)
{
int i;
@ -549,7 +551,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
if (startup_pipes)
for (i = 0; i < options.max_startups; i++)
if (startup_pipes[i] != -1)
@@ -554,60 +563,99 @@ sshd_exchange_identification(int sock_in
@@ -557,60 +566,99 @@ sshd_exchange_identification(int sock_in
close(sock_out);
logit("Protocol major versions differ for %s: %.200s vs. %.200s",
get_remote_ipaddr(),
@ -606,7 +608,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
}
}
sensitive_data.ssh1_host_key = NULL;
memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
explicit_bzero(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
}
/* Demote private to public keys for network child */
@ -618,14 +620,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
+ uid_t uid;
int i;
+ pid = getpid();
+ uid = getuid();
if (sensitive_data.server_key) {
tmp = key_demote(sensitive_data.server_key);
key_free(sensitive_data.server_key);
sensitive_data.server_key = tmp;
}
+ pid = getpid();
+ uid = getuid();
for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) {
+ char *fp;
@ -652,7 +654,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
}
static void
@@ -1192,16 +1240,17 @@ server_accept_loop(int *sock_in, int *so
@@ -1201,16 +1249,17 @@ server_accept_loop(int *sock_in, int *so
/* Wait in select until there is a connection. */
ret = select(maxfd+1, fdset, NULL, NULL, NULL);
@ -670,7 +672,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
generate_ephemeral_server_key();
key_used = 0;
key_do_regen = 0;
@@ -2153,27 +2202,28 @@ main(int ac, char **av)
@@ -2167,27 +2216,28 @@ main(int ac, char **av)
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
@ -700,10 +702,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
@@ -2392,17 +2442,17 @@ do_ssh1_kex(void)
MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
MD5_Final(session_key + 16, &md);
memset(buf, 0, bytes);
@@ -2412,17 +2462,17 @@ do_ssh1_kex(void)
fatal("%s: hash failed", __func__);
ssh_digest_free(md);
explicit_bzero(buf, bytes);
free(buf);
for (i = 0; i < 16; i++)
session_id[i] = session_key[i] ^ session_key[i + 16];
@ -719,7 +721,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
BN_clear_free(session_key_int);
/* Set the session key. From this on all communications will be encrypted. */
@@ -2527,16 +2577,18 @@ cleanup_exit(int i)
@@ -2553,16 +2603,18 @@ cleanup_exit(int i)
debug("Killing privsep child %d", pmonitor->m_pid);
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)

View File

@ -1,8 +1,8 @@
# definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -25,16 +25,17 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
@ -21,10 +21,10 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
#include "key.h"
#include "hostfile.h"
#include "auth.h"
diff --git a/openssh-6.5p1/compat-libaudit.h b/openssh-6.5p1/compat-libaudit.h
diff --git a/openssh-6.6p1/compat-libaudit.h b/openssh-6.6p1/compat-libaudit.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/compat-libaudit.h
+++ b/openssh-6.6p1/compat-libaudit.h
@@ -0,0 +1,79 @@
+/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */
+/* libaudit.h --

View File

@ -4,9 +4,9 @@
# Note that this particular solution causes the logs to always contain
# "hostname=?, addr=?" when DNS lookups are disabled.
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)

View File

@ -2,9 +2,9 @@
# grace_alarm_handler)
# bnc#57354
diff --git a/openssh-6.5p1/log.c b/openssh-6.5p1/log.c
--- a/openssh-6.5p1/log.c
+++ b/openssh-6.5p1/log.c
diff --git a/openssh-6.6p1/log.c b/openssh-6.6p1/log.c
--- a/openssh-6.6p1/log.c
+++ b/openssh-6.6p1/log.c
@@ -47,16 +47,17 @@
#include <unistd.h>
#include <errno.h>

View File

@ -1,8 +1,8 @@
# only enable SSHv2 protocol by default (upstream default is fallback to v1)
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -41,17 +41,17 @@ ForwardX11Trusted yes
# CheckHostIP yes
# AddressFamily any

View File

@ -2,9 +2,9 @@
# reliable indicator of ABI changes and doesn't make much sense in a
# distribution package
diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
--- a/openssh-6.5p1/entropy.c
+++ b/openssh-6.5p1/entropy.c
diff --git a/openssh-6.6p1/entropy.c b/openssh-6.6p1/entropy.c
--- a/openssh-6.6p1/entropy.c
+++ b/openssh-6.6p1/entropy.c
@@ -212,22 +212,23 @@ seed_rng(void)
#endif
/*

View File

@ -1,8 +1,8 @@
# fix paths and references in sshd man pages
diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
--- a/openssh-6.5p1/sshd.8
+++ b/openssh-6.5p1/sshd.8
diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8
--- a/openssh-6.6p1/sshd.8
+++ b/openssh-6.6p1/sshd.8
@@ -875,17 +875,17 @@ See
If this file exists,
.Nm
@ -41,9 +41,9 @@ diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
--- a/openssh-6.6p1/sshd_config.5
+++ b/openssh-6.6p1/sshd_config.5
@@ -278,18 +278,17 @@ The contents of the specified file are s
authentication is allowed.
If the argument is

View File

@ -1,14 +1,14 @@
# HG changeset patch
# Parent 450c3933f35c6801a682ea32c588e4c9ff73414a
# Parent a3a898b117b0f726e6cc923f18463de8e45e74f5
# select fingerprint hash algorithms based on the environment variable
# SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints
# Petr Cerny <pcerny@suse.cz>
diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.5p1/auth-rsa.c
+++ b/openssh-6.5p1/auth-rsa.c
@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p
diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
--- a/openssh-6.6p1/auth-rsa.c
+++ b/openssh-6.6p1/auth-rsa.c
@@ -230,17 +230,17 @@ rsa_key_allowed_in_file(struct passwd *p
/* check the real bits */
keybits = BN_num_bits(key->rsa->n);
@ -27,9 +27,9 @@ diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
if (auth_key_is_revoked(key))
break;
diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
--- a/openssh-6.5p1/auth.c
+++ b/openssh-6.5p1/auth.c
diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c
--- a/openssh-6.6p1/auth.c
+++ b/openssh-6.6p1/auth.c
@@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key)
case -1:
/* Error opening revoked_keys_file: refuse all keys */
@ -49,9 +49,9 @@ diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
fatal("key_in_file returned junk");
}
diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
--- a/openssh-6.5p1/auth2-hostbased.c
+++ b/openssh-6.5p1/auth2-hostbased.c
diff --git a/openssh-6.6p1/auth2-hostbased.c b/openssh-6.6p1/auth2-hostbased.c
--- a/openssh-6.6p1/auth2-hostbased.c
+++ b/openssh-6.6p1/auth2-hostbased.c
@@ -202,23 +202,23 @@ hostbased_key_allowed(struct passwd *pw,
_PATH_SSH_SYSTEM_HOSTFILE2,
options.ignore_user_known_hosts ? NULL :
@ -78,9 +78,9 @@ diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
return (host_status == HOST_OK);
}
diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
--- a/openssh-6.5p1/auth2-pubkey.c
+++ b/openssh-6.5p1/auth2-pubkey.c
diff --git a/openssh-6.6p1/auth2-pubkey.c b/openssh-6.6p1/auth2-pubkey.c
--- a/openssh-6.6p1/auth2-pubkey.c
+++ b/openssh-6.6p1/auth2-pubkey.c
@@ -208,25 +208,25 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap);
va_end(ap);
@ -166,9 +166,9 @@ diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
options.trusted_user_ca_keys);
goto out;
}
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c
--- a/openssh-6.6p1/key.c
+++ b/openssh-6.6p1/key.c
@@ -420,30 +420,39 @@ key_fingerprint_raw(const Key *k, enum f
*dgst_raw_length = ssh_digest_bytes(hash_alg);
} else {
@ -278,7 +278,7 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
dgst_rep);
break;
}
memset(dgst_raw, 0, dgst_raw_len);
explicit_bzero(dgst_raw, dgst_raw_len);
free(dgst_raw);
return retval;
}
@ -348,9 +348,9 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
* the buffer containing the number.
*/
static int
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.5p1/key.h
+++ b/openssh-6.5p1/key.h
diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h
--- a/openssh-6.6p1/key.h
+++ b/openssh-6.6p1/key.h
@@ -53,16 +53,18 @@ enum fp_type {
SSH_FP_MD5,
SSH_FP_SHA256
@ -389,9 +389,9 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
int key_type_is_cert(int);
int key_type_plain(int);
int key_to_certified(Key *, int);
diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c
--- a/openssh-6.5p1/ssh-add.c
+++ b/openssh-6.5p1/ssh-add.c
diff --git a/openssh-6.6p1/ssh-add.c b/openssh-6.6p1/ssh-add.c
--- a/openssh-6.6p1/ssh-add.c
+++ b/openssh-6.6p1/ssh-add.c
@@ -325,17 +325,17 @@ list_identities(AuthenticationConnection
int version;
@ -411,9 +411,9 @@ diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c
if (!key_write(key, stdout))
fprintf(stderr, "key_write failed");
fprintf(stdout, " %s\n", comment);
diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c
--- a/openssh-6.5p1/ssh-agent.c
+++ b/openssh-6.5p1/ssh-agent.c
diff --git a/openssh-6.6p1/ssh-agent.c b/openssh-6.6p1/ssh-agent.c
--- a/openssh-6.6p1/ssh-agent.c
+++ b/openssh-6.6p1/ssh-agent.c
@@ -193,17 +193,17 @@ lookup_identity(Key *key, int version)
/* Check confirmation of keysign request */
@ -433,9 +433,9 @@ diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c
return (ret);
}
diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c
--- a/openssh-6.5p1/ssh-keygen.c
+++ b/openssh-6.5p1/ssh-keygen.c
diff --git a/openssh-6.6p1/ssh-keygen.c b/openssh-6.6p1/ssh-keygen.c
--- a/openssh-6.6p1/ssh-keygen.c
+++ b/openssh-6.6p1/ssh-keygen.c
@@ -741,27 +741,27 @@ do_download(struct passwd *pw)
{
#ifdef ENABLE_PKCS11
@ -583,10 +583,10 @@ diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c
printf("The key's randomart image is:\n");
printf("%s\n", ra);
free(ra);
diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
--- a/openssh-6.5p1/sshconnect.c
+++ b/openssh-6.5p1/sshconnect.c
@@ -906,18 +906,18 @@ check_host_key(char *hostname, struct so
diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c
--- a/openssh-6.6p1/sshconnect.c
+++ b/openssh-6.6p1/sshconnect.c
@@ -909,18 +909,18 @@ check_host_key(char *hostname, struct so
"address '%.128s' to the list of known "
"hosts (%.30s).", type, ip,
user_hostfiles[0]);
@ -607,7 +607,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
break;
case HOST_NEW:
if (options.host_key_alias == NULL && port != 0 &&
@@ -947,18 +947,18 @@ check_host_key(char *hostname, struct so
@@ -950,18 +950,18 @@ check_host_key(char *hostname, struct so
if (show_other_keys(host_hostkeys, host_key))
snprintf(msg1, sizeof(msg1),
@ -628,7 +628,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
"Matching host key fingerprint"
" found in DNS.\n");
else
@@ -1212,17 +1212,17 @@ fail:
@@ -1215,17 +1215,17 @@ fail:
/* returns 0 if key verifies or -1 if key does NOT verify */
int
@ -647,7 +647,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
if (flags & DNS_VERIFY_FOUND) {
@@ -1319,18 +1319,18 @@ show_other_keys(struct hostkeys *hostkey
@@ -1322,18 +1322,18 @@ show_other_keys(struct hostkeys *hostkey
char *fp, *ra;
const struct hostkey_entry *found;
@ -668,7 +668,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
key_type(found->key), fp);
if (options.visual_host_key)
logit("%s", ra);
@@ -1341,17 +1341,17 @@ show_other_keys(struct hostkeys *hostkey
@@ -1344,17 +1344,17 @@ show_other_keys(struct hostkeys *hostkey
return ret;
}
@ -687,10 +687,10 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.",
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t
diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
--- a/openssh-6.6p1/sshconnect2.c
+++ b/openssh-6.6p1/sshconnect2.c
@@ -577,17 +577,17 @@ input_userauth_pk_ok(int type, u_int32_t
goto done;
}
if (key->type != pktype) {
@ -709,7 +709,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
* moved to the end of the queue. this also avoids confusion by
* duplicate keys
*/
@@ -1206,17 +1206,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
@@ -988,17 +988,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
Buffer b;
u_char *blob, *signature;
u_int bloblen, slen;

View File

@ -0,0 +1,517 @@
# HG changeset patch
# Parent 12ad7b6077ef9c6b3a3a53b4f0084c3eb2f80fe7
diff --git a/openssh-6.6p1/fips-check.c b/openssh-6.6p1/fips-check.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.6p1/fips-check.c
@@ -0,0 +1,37 @@
+#include "includes.h"
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "digest.h"
+#include "fips.h"
+
+#include <openssl/err.h>
+
+#define PROC_NAME_LEN 64
+
+static const char *argv0;
+
+void
+print_help_exit(int ev)
+{
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
+ exit(ev);
+}
+
+int
+main(int argc, char **argv)
+{
+
+ fips_ssh_init();
+// printf("SSL Error: %lx: %s", ERR_get_error(), ERR_get_string(ERR_get_error(), NULL));
+
+ return 0;
+}
diff --git a/openssh-6.6p1/fips.c b/openssh-6.6p1/fips.c
--- a/openssh-6.6p1/fips.c
+++ b/openssh-6.6p1/fips.c
@@ -24,21 +24,342 @@
#include "includes.h"
#include "fips.h"
#include "digest.h"
#include "key.h"
#include "log.h"
+#include "xmalloc.h"
+#include <openbsd-compat/openssl-compat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+enum fips_checksum_status {
+ CHECK_OK = 0,
+ CHECK_FAIL,
+ CHECK_MISSING
+};
static int fips_state = -1;
+static char *
+hex_fingerprint(u_int raw_len, u_char *raw)
+{
+ char *retval;
+ u_int i;
+
+ /* reserve space for both the key hash and the string for the hash type */
+ retval = malloc(3 * raw_len);
+ for (i = 0; i < raw_len; i++) {
+ char hex[4];
+ snprintf(hex, sizeof(hex), "%02x:", raw[i]);
+ strlcat(retval, hex, raw_len * 3);
+ }
+
+ return retval;
+}
+
+/* calculates hash of contents of file given by filename using algorithm alg
+ * and placing the resukt into newly allacated memory - remember to free it
+ * when not needed anymore */
+static int
+hash_file(const char *filename, int alg, u_char **hash_out)
+{
+ int check = -1;
+ int hash_len;
+ int fd;
+ struct stat fs;
+ void *hmap;
+ char *hash;
+
+ hash_len = ssh_digest_bytes(alg);
+ hash = xmalloc(hash_len);
+
+ fd = open(filename, O_RDONLY);
+ if (-1 == fd)
+ goto bail_out;
+
+ if (-1 == fstat(fd, &fs))
+ goto bail_out;
+
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
+
+ if ((void *)(-1) != hmap) {
+ check = ssh_digest_memory(alg, hmap, fs.st_size, hash, hash_len);
+ munmap(hmap, fs.st_size);
+ }
+ close(fd);
+
+bail_out:
+ if (0 == check) {
+ check = CHECK_OK;
+ *hash_out = hash;
+ } else {
+ check = CHECK_FAIL;
+ *hash_out = NULL;
+ free(hash);
+ }
+ return check;
+}
+
+/* find pathname of binary of process with PID pid. exe is buffer expected to
+ * be capable of holding at least max_pathlen characters
+ */
+static int
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
+{
+ char exe_sl[PROC_EXE_PATH_LEN];
+ int n;
+
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
+ if ((n <= 10) || (n >= max_pathlen)) {
+ fatal("error compiling filename of link to executable");
+ }
+
+ n = readlink(exe_sl, exe, max_pathlen);
+ if (n < max_pathlen) {
+ exe[n] = 0;
+ } else {
+ fatal("error getting executable pathname");
+ }
+ return 0;
+}
+
+/* Read checksum file chk, storing the algorithm used for generating it into
+ * *alg; allocate enough memory to hold the hash and return it in *hash.
+ * Remember to free() it when not needed anymore.
+ */
+static int
+read_hash(const char *chk, int *alg, u_char **hash)
+{
+ int check = -1;
+ int hash_len;
+ int fdh, n;
+ char alg_c;
+ char *hash_in;
+
+ *hash = NULL;
+
+ fdh = open(chk, O_RDONLY);
+ if (-1 == fdh) {
+ switch (errno) {
+ case ENOENT:
+ check = CHECK_MISSING;
+ debug("fips: checksum file %s is missing\n", chk);
+ break;
+ default:
+ check = CHECK_FAIL;
+ debug("fips: ckecksum file %s not accessible\n", chk);
+ break;
+
+ }
+ goto bail_out;
+ }
+
+ n = read(fdh, &alg_c, 1);
+ if (1 != n) {
+ check = CHECK_FAIL;
+ goto bail_out;
+ }
+
+ *alg = (int)alg_c;
+ hash_len = ssh_digest_bytes(*alg);
+ hash_in = xmalloc(hash_len);
+
+ n = read(fdh, (void *)hash_in, hash_len);
+ if (hash_len != n) {
+ debug("fips: unable to read whole checksum from checksum file\n");
+ free (hash_in);
+ check = CHECK_FAIL;
+ } else {
+ check = CHECK_OK;
+ *hash = hash_in;
+ }
+bail_out:
+ return check;
+}
+
+static int
+fips_hash_self(void)
+{
+ int check = -1;
+ int alg;
+ u_char *hash, *hash_chk;
+ char *exe, *chk;
+
+ exe = xmalloc(PATH_MAX);
+ chk = xmalloc(PATH_MAX);
+
+ /* we will need to add the ".chk" suffix and the null terminator */
+ check = get_executable_path(getpid(), exe
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
+
+ strncpy(chk, exe, PATH_MAX);
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
+
+ check = read_hash(chk, &alg, &hash_chk);
+ if (CHECK_OK != check)
+ goto cleanup_chk;
+
+ check = hash_file(exe, alg, &hash);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ check = memcmp(hash, hash_chk, ssh_digest_bytes(alg));
+ if (0 == check) {
+ check = CHECK_OK;
+ debug("fips: checksum matches\n");
+ } else {
+ check = CHECK_FAIL;
+ debug("fips: checksum mismatch!\n");
+ }
+
+cleanup:
+ free(hash);
+cleanup_chk:
+ free(hash_chk);
+ free(chk);
+ free(exe);
+
+ return check;
+}
+
+static int
+fips_check_required_proc(void)
+{
+ int fips_required = 0;
+ int fips_fd;
+ char fips_sys = 0;
+
+ struct stat dummy;
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
+ switch (errno) {
+ case ENOENT:
+ case ENOTDIR:
+ break;
+ default:
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be accessed for reason other than non-existence - aborting"
+ , FIPS_PROC_PATH);
+ break;
+ }
+ } else {
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be opened for reading - aborting"
+ , FIPS_PROC_PATH);
+ if (1 > read(fips_fd, &fips_sys, 1))
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
+ " return at least one character - aborting"
+ , FIPS_PROC_PATH);
+ close(fips_sys);
+ switch (fips_sys) {
+ case '0':
+ case '1':
+ fips_required = fips_sys - '0';
+ break;
+ default:
+ fatal("Bogus character %c found in %s - aborting"
+ , fips_sys, FIPS_PROC_PATH);
+ }
+ }
+ return fips_required;
+}
+
+static int
+fips_check_required_env(void)
+{
+ int fips_required = 0;
+ char *env = getenv(SSH_FORCE_FIPS_ENV);
+
+ if (env) {
+ errno = 0;
+ fips_required = strtol(env, NULL, 10);
+ if (errno) {
+ debug("bogus value in the %s environment variable, ignoring\n"
+ , SSH_FORCE_FIPS_ENV);
+ fips_required = 0;
+ } else
+ fips_required = 1;
+ }
+ return fips_required;
+}
+
+static int
+fips_required(void)
+{
+ int fips_requests = 0;
+ fips_requests += fips_check_required_proc();
+ fips_requests += fips_check_required_env();
+ return fips_requests;
+}
+
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
+void
+fips_ssh_init(void)
+{
+ int checksum;
+
+ checksum = fips_hash_self();
+
+ if (fips_required()) {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: mandatory checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: mandatory checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ fatal("fips: mandatory checksum data missing - aborting");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u"
+ , __FILE__, __LINE__);
+ break;
+ }
+ fips_state = FIPS_mode_set(1);
+ if (1 != fips_state) {
+ ERR_load_crypto_strings();
+ u_long err = ERR_get_error();
+ error("fips: OpenSSL error %lx: %s", err, ERR_error_string(err, NULL));
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting"
+ , fips_state);
+ }
+ } else {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ debug("fips: mandatory checksum data missing, but not required - continuing non-FIPS");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u",
+ __FILE__, __LINE__);
+ break;
+ }
+ }
+ return;
+}
+
int
fips_mode()
{
if (-1 == fips_state) {
fips_state = FIPS_mode();
if (fips_state)
debug("FIPS mode initialized");
}
diff --git a/openssh-6.6p1/fips.h b/openssh-6.6p1/fips.h
--- a/openssh-6.6p1/fips.h
+++ b/openssh-6.6p1/fips.h
@@ -1,10 +1,10 @@
/*
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
@@ -19,15 +19,22 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef FIPS_H
#define FIPS_H
+#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
+
+#define PROC_EXE_PATH_LEN 64
+#define CHECKSUM_SUFFIX ".chk"
+
+void fips_ssh_init(void);
int fips_mode(void);
int fips_correct_dgst(int);
int fips_dgst_min(void);
enum fp_type fips_correct_fp_type(enum fp_type);
#endif
diff --git a/openssh-6.6p1/sftp-server.c b/openssh-6.6p1/sftp-server.c
--- a/openssh-6.6p1/sftp-server.c
+++ b/openssh-6.6p1/sftp-server.c
@@ -47,16 +47,18 @@
#include "log.h"
#include "misc.h"
#include "match.h"
#include "uidswap.h"
#include "sftp.h"
#include "sftp-common.h"
+#include "fips.h"
+
/* helper */
#define get_int64() buffer_get_int64(&iqueue);
#define get_int() buffer_get_int(&iqueue);
#define get_string(lenp) buffer_get_string(&iqueue, lenp);
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -1453,16 +1455,19 @@ sftp_server_main(int argc, char **argv,
ssize_t len, olen, set_size;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
char *cp, *homedir = NULL, buf[4*4096];
long mask;
extern char *optarg;
extern char *__progname;
+ /* initialize fips */
+ fips_ssh_init();
+
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
"d:f:l:P:p:Q:u:m:cehR")) != -1) {
switch (ch) {
diff --git a/openssh-6.6p1/ssh.c b/openssh-6.6p1/ssh.c
--- a/openssh-6.6p1/ssh.c
+++ b/openssh-6.6p1/ssh.c
@@ -420,16 +420,19 @@ main(int ac, char **av)
struct stat st;
struct passwd *pw;
int timeout_ms;
extern int optind, optreset;
extern char *optarg;
Forward fwd;
struct addrinfo *addrs = NULL;
+ /* initialize fips */
+ fips_ssh_init();
+
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
/* Save argv so it isn't clobbered by setproctitle() emulation */
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -1466,16 +1466,19 @@ main(int ac, char **av)
u_int64_t ibytes, obytes;
mode_t new_umask;
Key *key;
Key *pubkey;
int keytype;
Authctxt *authctxt;
struct connection_info *connection_info = get_connection_info(0, 0);
+ /* initialize fips */
+ fips_ssh_init();
+
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;

File diff suppressed because it is too large Load Diff

View File

@ -1,10 +1,10 @@
# HG changeset patch
# Parent fd62140898f5f8bfaa6d0b527c5893001322a662
# Parent b50b01e06558d268ae59e8be8c1a41fde44fc70d
diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
diff --git a/openssh-6.6p1/ChangeLog.gssapi b/openssh-6.6p1/ChangeLog.gssapi
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ChangeLog.gssapi
+++ b/openssh-6.6p1/ChangeLog.gssapi
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
@ -119,10 +119,10 @@ new file mode 100644
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
--- a/openssh-6.6p1/Makefile.in
+++ b/openssh-6.6p1/Makefile.in
@@ -67,16 +67,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
canohost.o channels.o cipher.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -133,35 +133,35 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+ kexgssc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
ssh-ed25519.o digest-openssl.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
auditstub.o \
fips.o
fips.o \
auditstub.o
@@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
@@ -86,17 +87,17 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
- monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
+ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o kexgsss.o \
kexc25519s.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
--- a/openssh-6.5p1/auth-krb5.c
+++ b/openssh-6.5p1/auth-krb5.c
diff --git a/openssh-6.6p1/auth-krb5.c b/openssh-6.6p1/auth-krb5.c
--- a/openssh-6.6p1/auth-krb5.c
+++ b/openssh-6.6p1/auth-krb5.c
@@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
@ -230,11 +230,11 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
}
#endif /* !HEIMDAL */
#endif /* KRB5 */
diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.5p1/auth2-gss.c
+++ b/openssh-6.5p1/auth2-gss.c
diff --git a/openssh-6.6p1/auth2-gss.c b/openssh-6.6p1/auth2-gss.c
--- a/openssh-6.6p1/auth2-gss.c
+++ b/openssh-6.6p1/auth2-gss.c
@@ -1,12 +1,12 @@
/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -298,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
userauth_gssapi(Authctxt *authctxt)
{
gss_OID_desc goid = {0, NULL};
@@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type,
@@ -239,17 +273,18 @@ input_gssapi_exchange_complete(int type,
/*
* We don't need to check the status, because we're only enabled in
@ -318,7 +318,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
@@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -274,31 +309,38 @@ input_gssapi_mic(int type, u_int32_t ple
ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
"gssapi-with-mic");
@ -358,10 +358,10 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
Authmethod method_gssapi_old = {
"gssapi",
diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -64,27 +64,29 @@ extern Buffer loginmsg;
diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c
--- a/openssh-6.6p1/auth2.c
+++ b/openssh-6.6p1/auth2.c
@@ -64,24 +64,26 @@ extern Buffer loginmsg;
/* methods */
extern Authmethod method_none;
@ -374,9 +374,6 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
extern Authmethod method_gssapi;
extern Authmethod method_gssapi_old;
#endif
#ifdef JPAKE
extern Authmethod method_jpake;
#endif
Authmethod *authmethods[] = {
&method_none,
@ -385,15 +382,15 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
+ &method_gsskeyex,
&method_gssapi,
&method_gssapi_old,
#endif
#ifdef JPAKE
&method_jpake,
#endif
&method_passwd,
&method_kbdint,
diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
--- a/openssh-6.5p1/clientloop.c
+++ b/openssh-6.5p1/clientloop.c
&method_hostbased,
NULL
};
diff --git a/openssh-6.6p1/clientloop.c b/openssh-6.6p1/clientloop.c
--- a/openssh-6.6p1/clientloop.c
+++ b/openssh-6.6p1/clientloop.c
@@ -106,16 +106,20 @@
#include "authfd.h"
#include "atomicio.h"
@ -441,9 +438,9 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
}
}
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
--- a/openssh-6.6p1/configure.ac
+++ b/openssh-6.6p1/configure.ac
@@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
@ -485,9 +482,9 @@ diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
[Define if pututxline updates lastlog too])
)
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
--- a/openssh-6.5p1/gss-genr.c
+++ b/openssh-6.5p1/gss-genr.c
diff --git a/openssh-6.6p1/gss-genr.c b/openssh-6.6p1/gss-genr.c
--- a/openssh-6.6p1/gss-genr.c
+++ b/openssh-6.6p1/gss-genr.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
@ -875,9 +872,9 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
+}
+
#endif /* GSSAPI */
diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
--- a/openssh-6.5p1/gss-serv-krb5.c
+++ b/openssh-6.5p1/gss-serv-krb5.c
diff --git a/openssh-6.6p1/gss-serv-krb5.c b/openssh-6.6p1/gss-serv-krb5.c
--- a/openssh-6.6p1/gss-serv-krb5.c
+++ b/openssh-6.6p1/gss-serv-krb5.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
@ -1024,11 +1021,11 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
#endif /* KRB5 */
#endif /* GSSAPI */
diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
--- a/openssh-6.5p1/gss-serv.c
+++ b/openssh-6.5p1/gss-serv.c
diff --git a/openssh-6.6p1/gss-serv.c b/openssh-6.6p1/gss-serv.c
--- a/openssh-6.6p1/gss-serv.c
+++ b/openssh-6.6p1/gss-serv.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -1074,7 +1071,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
ssh_gssapi_mech* supported_mechs[]= {
#ifdef KRB5
&gssapi_kerberos_mech,
@@ -76,59 +81,91 @@ ssh_gssapi_mech* supported_mechs[]= {
@@ -95,59 +100,91 @@ ssh_gssapi_test_oid_supported(OM_uint32
/* Privileged (called from ssh_gssapi_server_ctx) */
static OM_uint32
ssh_gssapi_acquire_cred(Gssctxt *ctx)
@ -1181,7 +1178,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
if (present)
gss_add_oid_set_member(&min_status,
&supported_mechs[i]->oid, oidset);
@@ -244,32 +281,79 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss
@@ -263,32 +300,79 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss
/* Extract the client details from a given context. This can only reliably
* be called once for a context */
@ -1262,7 +1259,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
if ((ctx->major = gss_export_name(&ctx->minor, ctx->client,
&ename))) {
@@ -277,16 +361,18 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
@@ -296,16 +380,18 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
return (ctx->major);
}
@ -1281,7 +1278,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
/* As user - called on fatal/exit */
void
@@ -324,44 +410,122 @@ ssh_gssapi_do_child(char ***envp, u_int
@@ -343,45 +429,124 @@ ssh_gssapi_do_child(char ***envp, u_int
gssapi_client.store.envval);
child_set_env(envp, envsizep, gssapi_client.store.envvar,
gssapi_client.store.envval);
@ -1312,7 +1309,8 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
gss_release_cred(&lmin, &gssapi_client.creds);
memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
explicit_bzero(&gssapi_client,
sizeof(ssh_gssapi_client));
return 0;
}
else
@ -1320,7 +1318,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
return (0);
}
-/* Privileged */
/* Privileged */
-OM_uint32
-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+/* These bits are only used for rekeying. The unpriviledged child is running
@ -1413,9 +1411,9 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
}
#endif
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.5p1/kex.c
+++ b/openssh-6.5p1/kex.c
diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c
--- a/openssh-6.6p1/kex.c
+++ b/openssh-6.6p1/kex.c
@@ -47,16 +47,20 @@
#include "mac.h"
#include "match.h"
@ -1459,9 +1457,9 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
{
char *ret = NULL;
size_t nlen, rlen = 0;
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.5p1/kex.h
+++ b/openssh-6.5p1/kex.h
diff --git a/openssh-6.6p1/kex.h b/openssh-6.6p1/kex.h
--- a/openssh-6.6p1/kex.h
+++ b/openssh-6.6p1/kex.h
@@ -71,16 +71,19 @@ enum kex_modes {
enum kex_exchange {
@ -1482,7 +1480,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
typedef struct Kex Kex;
typedef struct Mac Mac;
typedef struct Comp Comp;
@@ -131,16 +134,22 @@ struct Kex {
@@ -130,16 +133,22 @@ struct Kex {
int kex_type;
int roaming;
Buffer my;
@ -1505,7 +1503,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
int (*host_key_index)(Key *);
void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
void (*kex[KEX_MAX])(Kex *);
@@ -164,16 +173,21 @@ void kexdh_server(Kex *);
@@ -163,16 +172,21 @@ void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
void kexecdh_client(Kex *);
@ -1527,10 +1525,10 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
kexgex_hash(int, char *, char *, char *, int, char *,
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *);
diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
diff --git a/openssh-6.6p1/kexgssc.c b/openssh-6.6p1/kexgssc.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/kexgssc.c
+++ b/openssh-6.6p1/kexgssc.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1866,10 +1864,10 @@ new file mode 100644
+}
+
+#endif /* GSSAPI */
diff --git a/openssh-6.5p1/kexgsss.c b/openssh-6.5p1/kexgsss.c
diff --git a/openssh-6.6p1/kexgsss.c b/openssh-6.6p1/kexgsss.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/kexgsss.c
+++ b/openssh-6.6p1/kexgsss.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -2159,10 +2157,10 @@ new file mode 100644
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] =
diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c
--- a/openssh-6.6p1/key.c
+++ b/openssh-6.6p1/key.c
@@ -1053,16 +1053,18 @@ static const struct keytype keytypes[] =
# endif
#endif /* OPENSSL_HAS_ECC */
{ "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
@ -2181,9 +2179,9 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
{
const struct keytype *kt;
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.5p1/key.h
+++ b/openssh-6.5p1/key.h
diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h
--- a/openssh-6.6p1/key.h
+++ b/openssh-6.6p1/key.h
@@ -41,16 +41,17 @@ enum types {
KEY_ECDSA,
KEY_ED25519,
@ -2202,10 +2200,10 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
SSH_FP_SHA256
};
enum fp_rep {
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *)
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -173,16 +173,18 @@ int mm_answer_pam_respond(int, Buffer *)
int mm_answer_pam_free_ctx(int, Buffer *);
#endif
@ -2224,7 +2222,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
int mm_answer_audit_end_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *);
@@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[]
@@ -254,21 +256,28 @@ struct mon_table mon_dispatch_proto20[]
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
@ -2234,13 +2232,6 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
#endif
#ifdef JPAKE
{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
{MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1},
{MONITOR_REQ_JPAKE_STEP2, MON_ONCE, mm_answer_jpake_step2},
{MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm},
{MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm},
#endif
{0, 0, NULL}
};
@ -2260,7 +2251,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx
@@ -381,16 +390,20 @@ monitor_child_preauth(Authctxt *_authctx
authctxt->loginmsg = &loginmsg;
if (compat20) {
@ -2281,7 +2272,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* The first few requests do not require asynchronous access */
while (!authenticated) {
@@ -508,16 +521,20 @@ monitor_child_postauth(struct monitor *p
@@ -486,16 +499,20 @@ monitor_child_postauth(struct monitor *p
if (compat20) {
mon_dispatch = mon_dispatch_postauth20;
@ -2302,7 +2293,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
}
@@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m)
@@ -1909,16 +1926,23 @@ mm_get_kex(Buffer *m)
fatal("mm_get_get: internal error: bad session id");
kex->we_need = buffer_get_int(m);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@ -2326,7 +2317,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
buffer_append(&kex->my, blob, bloblen);
free(blob);
blob = buffer_get_string(m, &bloblen);
@@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon)
@@ -2133,16 +2157,19 @@ monitor_reinit(struct monitor *mon)
#ifdef GSSAPI
int
mm_answer_gss_setup_ctx(int sock, Buffer *m)
@ -2346,7 +2337,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
free(goid.elements);
buffer_clear(m);
@@ -2182,16 +2209,19 @@ int
@@ -2160,16 +2187,19 @@ int
mm_answer_gss_accept_ctx(int sock, Buffer *m)
{
gss_buffer_desc in;
@ -2366,7 +2357,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
buffer_clear(m);
buffer_put_int(m, major);
buffer_put_string(m, out.value, out.length);
@@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -2177,27 +2207,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
gss_release_buffer(&minor, &out);
@ -2398,7 +2389,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
free(gssbuf.value);
@@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer
@@ -2214,29 +2248,101 @@ mm_answer_gss_checkmic(int sock, Buffer
return (0);
}
@ -2495,16 +2486,16 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
+
#endif /* GSSAPI */
#ifdef JPAKE
#ifdef SSH_AUDIT_EVENTS
int
mm_answer_jpake_step1(int sock, Buffer *m)
mm_answer_audit_unsupported_body(int sock, Buffer *m)
{
struct jpake_ctx *pctx;
u_char *x3_proof, *x4_proof;
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -70,16 +70,19 @@ enum monitor_reqtype {
int what;
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -65,16 +65,19 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
MONITOR_ANS_AUDIT_COMMAND = 114, MONITOR_REQ_AUDIT_END_COMMAND = 115,
@ -2524,10 +2515,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_sendfd;
int m_log_recvfd;
int m_log_sendfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
&m);
major = buffer_get_int(&m);
@ -2601,15 +2592,15 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
+
#endif /* GSSAPI */
#ifdef JPAKE
#ifdef SSH_AUDIT_EVENTS
void
mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
char **hash_scheme, char **salt)
mm_audit_unsupported_body(int what)
{
Buffer m;
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *,
int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
@ -2632,10 +2623,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void *mm_sshpam_init_ctx(struct Authctxt *);
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **);
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.5p1/readconf.c
+++ b/openssh-6.5p1/readconf.c
@@ -135,16 +135,18 @@ typedef enum {
diff --git a/openssh-6.6p1/readconf.c b/openssh-6.6p1/readconf.c
--- a/openssh-6.6p1/readconf.c
+++ b/openssh-6.6p1/readconf.c
@@ -136,16 +136,18 @@ typedef enum {
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@ -2650,11 +2641,11 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oVisualHostKey, oUseRoaming,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -177,22 +179,31 @@ static struct {
@@ -178,22 +180,31 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
@ -2686,7 +2677,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
{ "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
@@ -836,24 +847,44 @@ parse_time:
@@ -838,24 +849,44 @@ parse_time:
case oChallengeResponseAuthentication:
intptr = &options->challenge_response_authentication;
goto parse_flag;
@ -2731,7 +2722,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
intptr = &options->check_host_ip;
goto parse_flag;
@@ -1489,18 +1520,23 @@ initialize_options(Options * options)
@@ -1498,18 +1529,23 @@ initialize_options(Options * options)
options->exit_on_forward_failure = -1;
options->xauth_location = NULL;
options->gateway_ports = -1;
@ -2755,7 +2746,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
@@ -1596,20 +1632,26 @@ fill_default_options(Options * options)
@@ -1618,20 +1654,26 @@ fill_default_options(Options * options)
if (options->rsa_authentication == -1)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
@ -2782,9 +2773,9 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.5p1/readconf.h
+++ b/openssh-6.5p1/readconf.h
diff --git a/openssh-6.6p1/readconf.h b/openssh-6.6p1/readconf.h
--- a/openssh-6.6p1/readconf.h
+++ b/openssh-6.6p1/readconf.h
@@ -49,18 +49,23 @@ typedef struct {
int rhosts_rsa_authentication; /* Try rhosts with RSA
* authentication. */
@ -2805,13 +2796,13 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
int zero_knowledge_password_authentication; /* Try jpake */
int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
int compression; /* Compress packets in both directions. */
diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
--- a/openssh-6.6p1/servconf.c
+++ b/openssh-6.6p1/servconf.c
@@ -104,18 +104,21 @@ initialize_server_options(ServerOptions
options->hostbased_uses_name_from_packet_only = -1;
options->rsa_authentication = -1;
@ -2834,7 +2825,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->use_login = -1;
options->compression = -1;
options->rekey_limit = -1;
@@ -244,20 +247,26 @@ fill_default_server_options(ServerOption
@@ -243,20 +246,26 @@ fill_default_server_options(ServerOption
if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1)
@ -2861,7 +2852,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
@@ -345,16 +354,17 @@ typedef enum {
@@ -342,16 +351,17 @@ typedef enum {
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
@ -2873,13 +2864,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
+ sGssStrictAcceptor, sGssKeyEx, sGssStoreRekey,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported
@@ -414,21 +424,31 @@ static struct {
@@ -411,21 +421,31 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
@ -2907,11 +2898,11 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
@@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
@@ -1094,24 +1114,36 @@ process_server_config_line(ServerOptions
case sKerberosGetAFSToken:
intptr = &options->kerberos_get_afs_token;
goto parse_flag;
@ -2944,11 +2935,11 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
intptr = &options->password_authentication;
goto parse_flag;
case sZeroKnowledgePasswordAuthentication:
intptr = &options->zero_knowledge_password_authentication;
case sKbdInteractiveAuthentication:
intptr = &options->kbd_interactive_authentication;
goto parse_flag;
@@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o)
@@ -2007,17 +2039,20 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
# ifdef USE_AFS
@ -2961,17 +2952,17 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
#endif
#ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
o->zero_knowledge_password_authentication);
#endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
o->kbd_interactive_authentication);
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
dump_cfg_fmtint(sChallengeResponseAuthentication,
o->challenge_response_authentication);
dump_cfg_fmtint(sPrintMotd, o->print_motd);
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
--- a/openssh-6.6p1/servconf.h
+++ b/openssh-6.6p1/servconf.h
@@ -107,18 +107,21 @@ typedef struct {
* authentication mechanism,
* such as SecurID or
@ -2990,15 +2981,15 @@ diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_response_authentication;
int zero_knowledge_password_authentication;
/* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h
--- a/openssh-6.5p1/ssh-gss.h
+++ b/openssh-6.5p1/ssh-gss.h
int permit_user_env; /* If true, read ~/.ssh/environment */
int use_login; /* If true, login(1) is used */
diff --git a/openssh-6.6p1/ssh-gss.h b/openssh-6.6p1/ssh-gss.h
--- a/openssh-6.6p1/ssh-gss.h
+++ b/openssh-6.6p1/ssh-gss.h
@@ -1,11 +1,11 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -3080,9 +3071,9 @@ diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h
void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
void ssh_gssapi_supported_oids(gss_OID_set *);
ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
@@ -112,21 +129,35 @@ OM_uint32 ssh_gssapi_accept_ctx(Gssctxt
void ssh_gssapi_prepare_supported_oids(void);
OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
@@ -114,21 +131,35 @@ OM_uint32 ssh_gssapi_accept_ctx(Gssctxt
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
OM_uint32 ssh_gssapi_getclient(Gssctxt *, ssh_gssapi_client *);
void ssh_gssapi_error(Gssctxt *);
@ -3120,9 +3111,9 @@ diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -32,16 +32,18 @@ Host *
ForwardX11Trusted yes
@ -3142,10 +3133,10 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
--- a/openssh-6.5p1/ssh_config.5
+++ b/openssh-6.5p1/ssh_config.5
@@ -671,21 +671,53 @@ host key database, separated by whitespa
diff --git a/openssh-6.6p1/ssh_config.5 b/openssh-6.6p1/ssh_config.5
--- a/openssh-6.6p1/ssh_config.5
+++ b/openssh-6.6p1/ssh_config.5
@@ -677,21 +677,53 @@ host key database, separated by whitespa
The default is
.Pa /etc/ssh/ssh_known_hosts ,
.Pa /etc/ssh/ssh_known_hosts2 .
@ -3200,10 +3191,10 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
These hashed names may be used normally by
.Xr ssh 1
and
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc
diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
--- a/openssh-6.6p1/sshconnect2.c
+++ b/openssh-6.6p1/sshconnect2.c
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
return ret;
}
@ -3248,7 +3239,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
} else if (fips_mode()) {
@@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -203,32 +228,63 @@ ssh_kex2(char *host, struct sockaddr *ho
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
@ -3312,7 +3303,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
debug("Roaming not allowed by server");
options.use_roaming = 0;
}
@@ -315,31 +371,37 @@ void userauth_jpake_cleanup(Authctxt *);
@@ -308,31 +364,37 @@ int userauth_hostbased(Authctxt *);
#ifdef GSSAPI
int userauth_gssapi(Authctxt *authctxt);
@ -3350,7 +3341,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
{"gssapi",
userauth_gssapi,
NULL,
@@ -638,29 +700,41 @@ done:
@@ -624,29 +686,41 @@ done:
int
userauth_gssapi(Authctxt *authctxt)
{
@ -3394,7 +3385,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
if (!ok)
return 0;
@@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf
@@ -735,18 +809,18 @@ process_gssapi_token(void *ctxt, gss_buf
}
/* ARGSUSED */
@ -3415,7 +3406,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
/* Setup our OID */
oidv = packet_get_string(&oidlen);
@@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p
@@ -845,16 +919,58 @@ input_gssapi_error(int type, u_int32_t p
lang=packet_get_string(NULL);
packet_check_eom();
@ -3474,18 +3465,18 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
/* initial userauth request */
packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(authctxt->server_user);
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -121,16 +121,20 @@
#endif
#include "monitor_wrap.h"
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -123,16 +123,20 @@
#include "roaming.h"
#include "audit.h"
#include "ssh-sandbox.h"
#include "version.h"
#include "fips.h"
#include "audit.h"
+#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h>
+#endif
@ -3498,7 +3489,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#endif /* LIBWRAP */
#ifndef O_NOCTTY
@@ -1795,20 +1799,23 @@ main(int ac, char **av)
@@ -1804,20 +1808,23 @@ main(int ac, char **av)
if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
options.protocol &= ~SSH_PROTO_1;
@ -3522,7 +3513,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/*
* Load certificates. They are stored in an array at identical
* indices to the public keys that they relate to.
@@ -1998,16 +2005,70 @@ main(int ac, char **av)
@@ -2007,16 +2014,70 @@ main(int ac, char **av)
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);
@ -3593,7 +3584,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#if !defined(SSHD_ACQUIRES_CTTY)
/*
* If setsid is called, on some platforms sshd will later acquire a
@@ -2125,16 +2186,70 @@ main(int ac, char **av)
@@ -2134,16 +2195,70 @@ main(int ac, char **av)
}
#endif /* LIBWRAP */
@ -3664,7 +3655,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
* mode; it is just annoying to have the server exit just when you
* are about to discover the bug.
*/
@@ -2544,24 +2659,73 @@ do_ssh2_kex(void)
@@ -2559,24 +2674,73 @@ do_ssh2_kex(void)
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
@ -3738,9 +3729,9 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
kex->host_key_index=&get_hostkey_index;
kex->sign = sshd_hostkey_sign;
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -79,16 +79,18 @@ PasswordAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
@ -3760,9 +3751,9 @@ diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
#GSSAPIEnableMITMAttack no
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
--- a/openssh-6.6p1/sshd_config.5
+++ b/openssh-6.6p1/sshd_config.5
@@ -487,22 +487,50 @@ to force remote port forwardings to bind
to allow the client to select the address to which the forwarding is bound.
The default is

View File

@ -13,10 +13,10 @@
# recommended to use the 'gssapi-with-mic' mechanism. Existing installations
# are encouraged to upgrade as soon as possible.
diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.5p1/auth2-gss.c
+++ b/openssh-6.5p1/auth2-gss.c
@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p
diff --git a/openssh-6.6p1/auth2-gss.c b/openssh-6.6p1/auth2-gss.c
--- a/openssh-6.6p1/auth2-gss.c
+++ b/openssh-6.6p1/auth2-gss.c
@@ -168,16 +168,25 @@ input_gssapi_token(int type, u_int32_t p
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
if (flags & GSS_C_INTEG_FLAG)
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
@ -42,7 +42,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
static void
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
@@ -291,9 +300,15 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -286,9 +295,15 @@ input_gssapi_mic(int type, u_int32_t ple
}
Authmethod method_gssapi = {
@ -58,10 +58,10 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
+};
+
#endif /* GSSAPI */
diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -65,26 +65,28 @@ extern Buffer loginmsg;
diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c
--- a/openssh-6.6p1/auth2.c
+++ b/openssh-6.6p1/auth2.c
@@ -65,23 +65,25 @@ extern Buffer loginmsg;
extern Authmethod method_none;
extern Authmethod method_pubkey;
@ -72,9 +72,6 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
#endif
#ifdef JPAKE
extern Authmethod method_jpake;
#endif
Authmethod *authmethods[] = {
&method_none,
@ -82,18 +79,18 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
#ifdef GSSAPI
&method_gssapi,
+ &method_gssapi_old,
#endif
#ifdef JPAKE
&method_jpake,
#endif
&method_passwd,
&method_kbdint,
&method_hostbased,
NULL
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.5p1/readconf.c
+++ b/openssh-6.5p1/readconf.c
@@ -134,17 +134,17 @@ typedef enum {
};
/* protocol */
diff --git a/openssh-6.6p1/readconf.c b/openssh-6.6p1/readconf.c
--- a/openssh-6.6p1/readconf.c
+++ b/openssh-6.6p1/readconf.c
@@ -135,17 +135,17 @@ typedef enum {
oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@ -108,11 +105,11 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oVisualHostKey, oUseRoaming,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -178,19 +178,21 @@ static struct {
@@ -179,19 +179,21 @@ static struct {
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
{ "kerberosauthentication", oUnsupported },
@ -134,7 +131,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
{ "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
@@ -837,16 +839,20 @@ parse_time:
@@ -839,16 +841,20 @@ parse_time:
case oGssAuthentication:
intptr = &options->gss_authentication;
@ -155,7 +152,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
case oCheckHostIP:
intptr = &options->check_host_ip;
goto parse_flag;
@@ -1484,16 +1490,17 @@ initialize_options(Options * options)
@@ -1493,16 +1499,17 @@ initialize_options(Options * options)
options->xauth_location = NULL;
options->gateway_ports = -1;
options->use_privileged_port = -1;
@ -173,7 +170,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
@@ -1591,16 +1598,18 @@ fill_default_options(Options * options)
@@ -1613,16 +1620,18 @@ fill_default_options(Options * options)
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
if (options->challenge_response_authentication == -1)
@ -192,9 +189,9 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.5p1/readconf.h
+++ b/openssh-6.5p1/readconf.h
diff --git a/openssh-6.6p1/readconf.h b/openssh-6.6p1/readconf.h
--- a/openssh-6.6p1/readconf.h
+++ b/openssh-6.6p1/readconf.h
@@ -50,16 +50,17 @@ typedef struct {
* authentication. */
int rsa_authentication; /* Try RSA authentication. */
@ -209,13 +206,13 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
int zero_knowledge_password_authentication; /* Try jpake */
int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
int compression; /* Compress packets in both directions. */
diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
--- a/openssh-6.6p1/servconf.c
+++ b/openssh-6.6p1/servconf.c
@@ -104,16 +104,17 @@ initialize_server_options(ServerOptions
options->rsa_authentication = -1;
options->pubkey_authentication = -1;
@ -234,7 +231,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->use_login = -1;
options->compression = -1;
options->rekey_limit = -1;
@@ -242,16 +243,18 @@ fill_default_server_options(ServerOption
@@ -241,16 +242,18 @@ fill_default_server_options(ServerOption
if (options->kerberos_ticket_cleanup == -1)
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1)
@ -253,7 +250,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
@@ -338,17 +341,17 @@ typedef enum {
@@ -335,17 +338,17 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@ -266,13 +263,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported
@@ -405,19 +408,21 @@ static struct {
@@ -402,19 +405,21 @@ static struct {
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@ -291,10 +288,10 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
@@ -1093,16 +1098,20 @@ process_server_config_line(ServerOptions
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -1085,16 +1090,20 @@ process_server_config_line(ServerOptions
case sGssAuthentication:
intptr = &options->gss_authentication;
goto parse_flag;
@ -311,13 +308,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
intptr = &options->password_authentication;
goto parse_flag;
case sZeroKnowledgePasswordAuthentication:
intptr = &options->zero_knowledge_password_authentication;
case sKbdInteractiveAuthentication:
intptr = &options->kbd_interactive_authentication;
goto parse_flag;
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
--- a/openssh-6.6p1/servconf.h
+++ b/openssh-6.6p1/servconf.h
@@ -108,16 +108,17 @@ typedef struct {
* such as SecurID or
* /etc/passwd */
@ -332,13 +329,13 @@ diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_response_authentication;
int zero_knowledge_password_authentication;
/* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
int permit_user_env; /* If true, read ~/.ssh/environment */
int use_login; /* If true, login(1) is used */
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -51,9 +51,16 @@ ForwardX11Trusted yes
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
@ -356,10 +353,10 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
+# GSSAPIEnableMITMAttack no
+
# RekeyLimit 1G 1h
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -324,16 +324,21 @@ static char *authmethods_get(void);
diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
--- a/openssh-6.6p1/sshconnect2.c
+++ b/openssh-6.6p1/sshconnect2.c
@@ -316,16 +316,21 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@ -381,7 +378,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
NULL},
{"publickey",
userauth_pubkey,
@@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf
@@ -683,17 +688,19 @@ process_gssapi_token(void *ctxt, gss_buf
packet_put_string(send_tok.value, send_tok.length);
packet_send();
@ -402,9 +399,9 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -80,16 +80,23 @@ PasswordAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

View File

@ -1,10 +1,10 @@
# identify hashed hosts in known_hosts and suggest command line for their
# removal
diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
--- a/openssh-6.5p1/sshconnect.c
+++ b/openssh-6.5p1/sshconnect.c
@@ -1067,16 +1067,21 @@ check_host_key(char *hostname, struct so
diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c
--- a/openssh-6.6p1/sshconnect.c
+++ b/openssh-6.6p1/sshconnect.c
@@ -1070,16 +1070,21 @@ check_host_key(char *hostname, struct so
ip_found->file, ip_found->line);
}
/* The host key has changed. */

View File

@ -1,9 +1,9 @@
# SSHv1 to SSHv2 RSA keys converter
diff --git a/openssh-6.5p1/converter/Makefile b/openssh-6.5p1/converter/Makefile
diff --git a/openssh-6.6p1/converter/Makefile b/openssh-6.6p1/converter/Makefile
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/converter/Makefile
+++ b/openssh-6.6p1/converter/Makefile
@@ -0,0 +1,17 @@
+
+bindir=/usr/bin
@ -22,10 +22,10 @@ new file mode 100644
+ install -m 755 ssh-keyconverter $(DESTDIR)$(bindir)
+ if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi
+ install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1
diff --git a/openssh-6.5p1/converter/ssh-keyconverter.1 b/openssh-6.5p1/converter/ssh-keyconverter.1
diff --git a/openssh-6.6p1/converter/ssh-keyconverter.1 b/openssh-6.6p1/converter/ssh-keyconverter.1
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/converter/ssh-keyconverter.1
+++ b/openssh-6.6p1/converter/ssh-keyconverter.1
@@ -0,0 +1,155 @@
+.\" Manpage for ssh-keyconverter
+.\"
@ -182,10 +182,10 @@ new file mode 100644
+.%D March 2001
+.%O work in progress material
+.Re
diff --git a/openssh-6.5p1/converter/ssh-keyconverter.c b/openssh-6.5p1/converter/ssh-keyconverter.c
diff --git a/openssh-6.6p1/converter/ssh-keyconverter.c b/openssh-6.6p1/converter/ssh-keyconverter.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/converter/ssh-keyconverter.c
+++ b/openssh-6.6p1/converter/ssh-keyconverter.c
@@ -0,0 +1,345 @@
+/*
+ * SSH v1 to v2 RSA key converter.

View File

@ -1,9 +1,9 @@
# set uid for functions that use it to seek in lastlog and wtmp files
# bnc#18024 (was suse #3024)
diff --git a/openssh-6.5p1/sshlogin.c b/openssh-6.5p1/sshlogin.c
--- a/openssh-6.5p1/sshlogin.c
+++ b/openssh-6.5p1/sshlogin.c
diff --git a/openssh-6.6p1/sshlogin.c b/openssh-6.6p1/sshlogin.c
--- a/openssh-6.6p1/sshlogin.c
+++ b/openssh-6.6p1/sshlogin.c
@@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty,
{
struct logininfo *li;

View File

@ -8,10 +8,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
diff --git a/openssh-6.5p1/HOWTO.ldap-keys b/openssh-6.5p1/HOWTO.ldap-keys
diff --git a/openssh-6.6p1/HOWTO.ldap-keys b/openssh-6.6p1/HOWTO.ldap-keys
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/HOWTO.ldap-keys
+++ b/openssh-6.6p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@ -121,9 +121,9 @@ new file mode 100644
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
--- a/openssh-6.6p1/Makefile.in
+++ b/openssh-6.6p1/Makefile.in
@@ -20,16 +20,18 @@ srcdir=@srcdir@
top_srcdir=@top_srcdir@
@ -164,7 +164,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
@@ -94,18 +98,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
@@ -96,18 +100,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
kexc25519s.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
@ -185,7 +185,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
PATHSUBS = \
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
@@ -169,16 +173,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
@@ -171,16 +175,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
@ -205,7 +205,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
@@ -271,30 +278,38 @@ install-files:
@@ -273,30 +280,38 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -244,7 +244,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
@@ -314,16 +329,23 @@ install-sysconf:
@@ -316,16 +331,23 @@ install-sysconf:
echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
else \
@ -268,7 +268,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
else \
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
fi ; \
@@ -377,27 +399,30 @@ uninstall:
@@ -379,27 +401,30 @@ uninstall:
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -299,10 +299,10 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
@@ -1573,16 +1573,116 @@ AC_ARG_WITH([audit],
diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
--- a/openssh-6.6p1/configure.ac
+++ b/openssh-6.6p1/configure.ac
@@ -1599,16 +1599,116 @@ AC_ARG_WITH([audit],
AC_MSG_RESULT([no])
;;
*)
@ -419,10 +419,10 @@ diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
if test "x$withval" = "xyes"; then
use_pie=yes
fi
diff --git a/openssh-6.5p1/ldap-helper.c b/openssh-6.5p1/ldap-helper.c
diff --git a/openssh-6.6p1/ldap-helper.c b/openssh-6.6p1/ldap-helper.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldap-helper.c
+++ b/openssh-6.6p1/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -579,10 +579,10 @@ new file mode 100644
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
diff --git a/openssh-6.5p1/ldap-helper.h b/openssh-6.5p1/ldap-helper.h
diff --git a/openssh-6.6p1/ldap-helper.h b/openssh-6.6p1/ldap-helper.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldap-helper.h
+++ b/openssh-6.6p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -616,10 +616,10 @@ new file mode 100644
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
diff --git a/openssh-6.5p1/ldap.conf b/openssh-6.5p1/ldap.conf
diff --git a/openssh-6.6p1/ldap.conf b/openssh-6.6p1/ldap.conf
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldap.conf
+++ b/openssh-6.6p1/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@ -709,10 +709,10 @@ new file mode 100644
+#tls_cert
+#tls_key
+
diff --git a/openssh-6.5p1/ldapbody.c b/openssh-6.5p1/ldapbody.c
diff --git a/openssh-6.6p1/ldapbody.c b/openssh-6.6p1/ldapbody.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapbody.c
+++ b/openssh-6.6p1/ldapbody.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1208,10 +1208,10 @@ new file mode 100644
+ return;
+}
+
diff --git a/openssh-6.5p1/ldapbody.h b/openssh-6.5p1/ldapbody.h
diff --git a/openssh-6.6p1/ldapbody.h b/openssh-6.6p1/ldapbody.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapbody.h
+++ b/openssh-6.6p1/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1250,10 +1250,10 @@ new file mode 100644
+
+#endif /* LDAPBODY_H */
+
diff --git a/openssh-6.5p1/ldapconf.c b/openssh-6.5p1/ldapconf.c
diff --git a/openssh-6.6p1/ldapconf.c b/openssh-6.6p1/ldapconf.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapconf.c
+++ b/openssh-6.6p1/ldapconf.c
@@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1937,10 +1937,10 @@ new file mode 100644
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
diff --git a/openssh-6.5p1/ldapconf.h b/openssh-6.5p1/ldapconf.h
diff --git a/openssh-6.6p1/ldapconf.h b/openssh-6.6p1/ldapconf.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapconf.h
+++ b/openssh-6.6p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2013,10 +2013,10 @@ new file mode 100644
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
diff --git a/openssh-6.5p1/ldapincludes.h b/openssh-6.5p1/ldapincludes.h
diff --git a/openssh-6.6p1/ldapincludes.h b/openssh-6.6p1/ldapincludes.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapincludes.h
+++ b/openssh-6.6p1/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2059,10 +2059,10 @@ new file mode 100644
+#endif
+
+#endif /* LDAPINCLUDES_H */
diff --git a/openssh-6.5p1/ldapmisc.c b/openssh-6.5p1/ldapmisc.c
diff --git a/openssh-6.6p1/ldapmisc.c b/openssh-6.6p1/ldapmisc.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapmisc.c
+++ b/openssh-6.6p1/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@ -2143,10 +2143,10 @@ new file mode 100644
+}
+#endif
+
diff --git a/openssh-6.5p1/ldapmisc.h b/openssh-6.5p1/ldapmisc.h
diff --git a/openssh-6.6p1/ldapmisc.h b/openssh-6.6p1/ldapmisc.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapmisc.h
+++ b/openssh-6.6p1/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2183,9 +2183,9 @@ new file mode 100644
+
+#endif /* LDAPMISC_H */
+
diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compat/base64.c
--- a/openssh-6.5p1/openbsd-compat/base64.c
+++ b/openssh-6.5p1/openbsd-compat/base64.c
diff --git a/openssh-6.6p1/openbsd-compat/base64.c b/openssh-6.6p1/openbsd-compat/base64.c
--- a/openssh-6.6p1/openbsd-compat/base64.c
+++ b/openssh-6.6p1/openbsd-compat/base64.c
@@ -41,17 +41,17 @@
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
@ -2243,9 +2243,9 @@ diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compa
*/
int
diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compat/base64.h
--- a/openssh-6.5p1/openbsd-compat/base64.h
+++ b/openssh-6.5p1/openbsd-compat/base64.h
diff --git a/openssh-6.6p1/openbsd-compat/base64.h b/openssh-6.6p1/openbsd-compat/base64.h
--- a/openssh-6.6p1/openbsd-compat/base64.h
+++ b/openssh-6.6p1/openbsd-compat/base64.h
@@ -42,24 +42,24 @@
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/
@ -2275,10 +2275,10 @@ diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compa
#endif /* HAVE___B64_PTON */
#endif /* _BSD_BASE64_H */
diff --git a/openssh-6.5p1/openssh-lpk-openldap.schema b/openssh-6.5p1/openssh-lpk-openldap.schema
diff --git a/openssh-6.6p1/openssh-lpk-openldap.schema b/openssh-6.6p1/openssh-lpk-openldap.schema
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/openssh-lpk-openldap.schema
+++ b/openssh-6.6p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2301,10 +2301,10 @@ new file mode 100644
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/openssh-6.5p1/openssh-lpk-sun.schema b/openssh-6.5p1/openssh-lpk-sun.schema
diff --git a/openssh-6.6p1/openssh-lpk-sun.schema b/openssh-6.6p1/openssh-lpk-sun.schema
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/openssh-lpk-sun.schema
+++ b/openssh-6.6p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2329,10 +2329,10 @@ new file mode 100644
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/openssh-6.5p1/ssh-ldap-helper.8 b/openssh-6.5p1/ssh-ldap-helper.8
diff --git a/openssh-6.6p1/ssh-ldap-helper.8 b/openssh-6.6p1/ssh-ldap-helper.8
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ssh-ldap-helper.8
+++ b/openssh-6.6p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@ -2413,19 +2413,19 @@ new file mode 100644
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
diff --git a/openssh-6.5p1/ssh-ldap-wrapper b/openssh-6.5p1/ssh-ldap-wrapper
diff --git a/openssh-6.6p1/ssh-ldap-wrapper b/openssh-6.6p1/ssh-ldap-wrapper
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ssh-ldap-wrapper
+++ b/openssh-6.6p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
diff --git a/openssh-6.5p1/ssh-ldap.conf.5 b/openssh-6.5p1/ssh-ldap.conf.5
diff --git a/openssh-6.6p1/ssh-ldap.conf.5 b/openssh-6.6p1/ssh-ldap.conf.5
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ssh-ldap.conf.5
+++ b/openssh-6.6p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"

View File

@ -4,9 +4,9 @@
#
# bnc#833605
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
--- a/openssh-6.6p1/configure.ac
+++ b/openssh-6.6p1/configure.ac
@@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])

View File

@ -1,9 +1,9 @@
# Do not write a PID file when not daemonizing (e.g. when running from systemd)
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -1985,17 +1985,17 @@ main(int ac, char **av)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -1994,17 +1994,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);

View File

@ -2,9 +2,9 @@
# UsePAM is used
# bnc#708678, FATE#312033
diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
--- a/openssh-6.5p1/auth.c
+++ b/openssh-6.5p1/auth.c
diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c
--- a/openssh-6.6p1/auth.c
+++ b/openssh-6.6p1/auth.c
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
struct spwd *spw = NULL;
#endif
@ -43,9 +43,9 @@ diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
#endif
#ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
--- a/openssh-6.6p1/servconf.c
+++ b/openssh-6.6p1/servconf.c
@@ -66,16 +66,17 @@ extern Buffer cfg;
void
@ -64,7 +64,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->address_family = -1;
options->num_host_key_files = 0;
options->num_host_cert_files = 0;
@@ -158,16 +159,18 @@ initialize_server_options(ServerOptions
@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions
}
void
@ -83,7 +83,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
/* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1)
options->host_key_files[options->num_host_key_files++] =
@@ -320,17 +323,17 @@ fill_default_server_options(ServerOption
@@ -317,17 +320,17 @@ fill_default_server_options(ServerOption
#endif
}
@ -102,7 +102,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
sKerberosGetAFSToken,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
@@ -365,18 +368,20 @@ typedef enum {
@@ -362,18 +365,20 @@ typedef enum {
static struct {
const char *name;
ServerOpCodes opcode;
@ -123,7 +123,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
@@ -878,16 +883,19 @@ process_server_config_line(ServerOptions
@@ -870,16 +875,19 @@ process_server_config_line(ServerOptions
}
}
@ -143,10 +143,10 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
/* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline)
return 0;
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
@@ -162,16 +162,17 @@ typedef struct {
diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
--- a/openssh-6.6p1/servconf.h
+++ b/openssh-6.6p1/servconf.h
@@ -160,16 +160,17 @@ typedef struct {
*/
u_int num_authkeys_files; /* Files containing public keys */
@ -164,10 +164,10 @@ diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
--- a/openssh-6.5p1/sshd_config.0
+++ b/openssh-6.5p1/sshd_config.0
@@ -720,16 +720,24 @@ DESCRIPTION
diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0
--- a/openssh-6.6p1/sshd_config.0
+++ b/openssh-6.6p1/sshd_config.0
@@ -728,16 +728,24 @@ DESCRIPTION
Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
@ -192,10 +192,10 @@ diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
privilege separation is to prevent privilege escalation by
containing any corruption within the unprivileged processes. The
default is ``yes''. If UsePrivilegeSeparation is set to
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
@@ -1199,16 +1199,28 @@ or
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
--- a/openssh-6.6p1/sshd_config.5
+++ b/openssh-6.6p1/sshd_config.5
@@ -1214,16 +1214,28 @@ or
.Pp
If
.Cm UsePAM

View File

@ -1,9 +1,9 @@
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for

View File

@ -1,9 +1,9 @@
# posix threads are generally not supported nor safe
# (see upstream log from 2005-05-24)
diff --git a/openssh-6.5p1/auth-pam.c b/openssh-6.5p1/auth-pam.c
--- a/openssh-6.5p1/auth-pam.c
+++ b/openssh-6.5p1/auth-pam.c
diff --git a/openssh-6.6p1/auth-pam.c b/openssh-6.6p1/auth-pam.c
--- a/openssh-6.6p1/auth-pam.c
+++ b/openssh-6.6p1/auth-pam.c
@@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha
}
if (type == PAM_SUCCESS) {

View File

@ -1,9 +1,9 @@
# use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files)
diff --git a/openssh-6.5p1/loginrec.c b/openssh-6.5p1/loginrec.c
--- a/openssh-6.5p1/loginrec.c
+++ b/openssh-6.5p1/loginrec.c
diff --git a/openssh-6.6p1/loginrec.c b/openssh-6.6p1/loginrec.c
--- a/openssh-6.6p1/loginrec.c
+++ b/openssh-6.6p1/loginrec.c
@@ -538,17 +538,17 @@ getlast_entry(struct logininfo *li)
/*
* 'line' string utility functions

View File

@ -1,9 +1,9 @@
# related to bnc#49845, upstream bug #529
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -1399,17 +1399,21 @@ main(int ac, char **av)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -1405,17 +1405,21 @@ main(int ac, char **av)
saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
for (i = 0; i < ac; i++)
saved_argv[i] = xstrdup(av[i]);

View File

@ -1,11 +1,11 @@
# HG changeset patch
# Parent d625afd0d51ac51161b25728bc2f227c098fa0fb
# Parent 47040f4641d43b039f19c8c902b0259729bb88e2
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
from being killed by the seccomp filter
diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-seccomp-filter.c
--- a/openssh-6.5p1/sandbox-seccomp-filter.c
+++ b/openssh-6.5p1/sandbox-seccomp-filter.c
diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
--- a/openssh-6.6p1/sandbox-seccomp-filter.c
+++ b/openssh-6.6p1/sandbox-seccomp-filter.c
@@ -85,16 +85,20 @@ static const struct sock_filter preauth_
offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),

View File

@ -1,9 +1,9 @@
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
/* not implemented */
}
@ -20,9 +20,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons
}
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
@ -55,9 +55,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
/*
* This will be called on generation of the ephemeral server key
@ -75,9 +75,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *);
void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
@ -90,9 +90,9 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_linux_prng_seed(long, const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
--- a/openssh-6.5p1/entropy.c
+++ b/openssh-6.5p1/entropy.c
diff --git a/openssh-6.6p1/entropy.c b/openssh-6.6p1/entropy.c
--- a/openssh-6.6p1/entropy.c
+++ b/openssh-6.6p1/entropy.c
@@ -45,16 +45,17 @@
#include "ssh.h"
@ -126,15 +126,15 @@ diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-compat/Makefile.in
--- a/openssh-6.5p1/openbsd-compat/Makefile.in
+++ b/openssh-6.5p1/openbsd-compat/Makefile.in
diff --git a/openssh-6.6p1/openbsd-compat/Makefile.in b/openssh-6.6p1/openbsd-compat/Makefile.in
--- a/openssh-6.6p1/openbsd-compat/Makefile.in
+++ b/openssh-6.6p1/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -148,10 +148,10 @@ diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-co
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
diff --git a/openssh-6.5p1/openbsd-compat/port-linux-prng.c b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
diff --git a/openssh-6.6p1/openbsd-compat/port-linux-prng.c b/openssh-6.6p1/openbsd-compat/port-linux-prng.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
+++ b/openssh-6.6p1/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
@ -232,9 +232,9 @@ new file mode 100644
+ fatal ("EOF reading %s", random);
+ }
+}
diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-compat/port-linux.h
--- a/openssh-6.5p1/openbsd-compat/port-linux.h
+++ b/openssh-6.5p1/openbsd-compat/port-linux.h
diff --git a/openssh-6.6p1/openbsd-compat/port-linux.h b/openssh-6.6p1/openbsd-compat/port-linux.h
--- a/openssh-6.6p1/openbsd-compat/port-linux.h
+++ b/openssh-6.6p1/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
@ -256,9 +256,9 @@ diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-c
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1
--- a/openssh-6.5p1/ssh-add.1
+++ b/openssh-6.5p1/ssh-add.1
diff --git a/openssh-6.6p1/ssh-add.1 b/openssh-6.6p1/ssh-add.1
--- a/openssh-6.6p1/ssh-add.1
+++ b/openssh-6.6p1/ssh-add.1
@@ -156,16 +156,30 @@ or related script.
(Note that on some machines it
may be necessary to redirect the input from
@ -290,9 +290,9 @@ diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1
--- a/openssh-6.5p1/ssh-agent.1
+++ b/openssh-6.5p1/ssh-agent.1
diff --git a/openssh-6.6p1/ssh-agent.1 b/openssh-6.6p1/ssh-agent.1
--- a/openssh-6.6p1/ssh-agent.1
+++ b/openssh-6.6p1/ssh-agent.1
@@ -196,16 +196,33 @@ Contains the protocol version 2 ED25519
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
@ -327,9 +327,9 @@ diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1
--- a/openssh-6.5p1/ssh-keygen.1
+++ b/openssh-6.5p1/ssh-keygen.1
diff --git a/openssh-6.6p1/ssh-keygen.1 b/openssh-6.6p1/ssh-keygen.1
--- a/openssh-6.6p1/ssh-keygen.1
+++ b/openssh-6.6p1/ssh-keygen.1
@@ -827,16 +827,33 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
@ -364,9 +364,9 @@ diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1
.Xr sshd 8
.Rs
.%R RFC 4716
diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8
--- a/openssh-6.5p1/ssh-keysign.8
+++ b/openssh-6.5p1/ssh-keysign.8
diff --git a/openssh-6.6p1/ssh-keysign.8 b/openssh-6.6p1/ssh-keysign.8
--- a/openssh-6.6p1/ssh-keysign.8
+++ b/openssh-6.6p1/ssh-keysign.8
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
@ -401,9 +401,9 @@ diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8
.Sh HISTORY
.Nm
first appeared in
diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1
--- a/openssh-6.5p1/ssh.1
+++ b/openssh-6.5p1/ssh.1
diff --git a/openssh-6.6p1/ssh.1 b/openssh-6.6p1/ssh.1
--- a/openssh-6.6p1/ssh.1
+++ b/openssh-6.6p1/ssh.1
@@ -1304,16 +1304,30 @@ reads
and adds lines of the format
.Dq VARNAME=value
@ -435,9 +435,9 @@ diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1
world-readable if the user's home directory is on an NFS partition,
because
.Xr sshd 8
diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
--- a/openssh-6.5p1/sshd.8
+++ b/openssh-6.5p1/sshd.8
diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8
--- a/openssh-6.6p1/sshd.8
+++ b/openssh-6.6p1/sshd.8
@@ -946,16 +946,33 @@ and not group or world-writable.
.It Pa /var/run/sshd.pid
Contains the process ID of the
@ -472,9 +472,9 @@ diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -50,16 +50,18 @@
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
@ -494,7 +494,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
@@ -215,16 +217,23 @@ struct {
@@ -218,16 +220,23 @@ struct {
Key **host_pubkeys; /* all public host keys */
Key **host_certificates; /* all public host certificates */
int have_ssh1_key;
@ -518,7 +518,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
@@ -1313,16 +1322,21 @@ server_accept_loop(int *sock_in, int *so
@@ -1322,16 +1331,21 @@ server_accept_loop(int *sock_in, int *so
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0];

View File

@ -1,9 +1,9 @@
# send locales in default configuration
# bnc#65747
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -58,9 +58,14 @@ ForwardX11Trusted yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
@ -19,9 +19,9 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
+SendEnv LC_IDENTIFICATION LC_ALL
+
# RekeyLimit 1G 1h
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -127,14 +127,19 @@ UsePrivilegeSeparation sandbox # Defaul
#VersionAddendum none

View File

@ -3,9 +3,9 @@
# http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
# http://marc.info/?l=openssh-unix-dev&m=128896838930893
diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8
--- a/openssh-6.5p1/sftp-server.8
+++ b/openssh-6.5p1/sftp-server.8
diff --git a/openssh-6.6p1/sftp-server.8 b/openssh-6.6p1/sftp-server.8
--- a/openssh-6.6p1/sftp-server.8
+++ b/openssh-6.6p1/sftp-server.8
@@ -33,16 +33,17 @@
.Bk -words
.Op Fl ehR
@ -45,9 +45,9 @@ diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8
.Pa /dev/log .
Use of
.Nm
diff --git a/openssh-6.5p1/sftp-server.c b/openssh-6.5p1/sftp-server.c
--- a/openssh-6.5p1/sftp-server.c
+++ b/openssh-6.5p1/sftp-server.c
diff --git a/openssh-6.6p1/sftp-server.c b/openssh-6.6p1/sftp-server.c
--- a/openssh-6.6p1/sftp-server.c
+++ b/openssh-6.6p1/sftp-server.c
@@ -75,16 +75,20 @@ static u_int version;
static int init_done;

View File

@ -1,8 +1,8 @@
# run sftp sessions inside a chroot
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -120,16 +120,18 @@ int do_exec(Session *, const char *);
void do_login(Session *, const char *);
#ifdef LOGIN_NEEDS_UTMPX
@ -44,7 +44,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d",
session_type,
@@ -1458,67 +1465,132 @@ do_nologin(struct passwd *pw)
@@ -1463,67 +1470,132 @@ do_nologin(struct passwd *pw)
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
@ -153,10 +153,11 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
if (!S_ISDIR(st.st_mode))
fatal("chroot path %s\"%s\" is not a directory",
cp == NULL ? "" : "component ", component);
-
+ }
+ setenv ("TZ", "/etc/localtime", 0);
+ tzset();
+
+ if (st.st_uid) {
+ test_nosuid(path, st.st_dev);
+ ++chroot_no_tree;
@ -179,10 +180,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
do_setusercontext(struct passwd *pw)
{
char *chroot_path, *tmp;
diff --git a/openssh-6.5p1/sftp-chrootenv.h b/openssh-6.5p1/sftp-chrootenv.h
diff --git a/openssh-6.6p1/sftp-chrootenv.h b/openssh-6.6p1/sftp-chrootenv.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/sftp-chrootenv.h
+++ b/openssh-6.6p1/sftp-chrootenv.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
@ -214,9 +215,9 @@ new file mode 100644
+
+#endif
+
diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c
--- a/openssh-6.5p1/sftp-common.c
+++ b/openssh-6.5p1/sftp-common.c
diff --git a/openssh-6.6p1/sftp-common.c b/openssh-6.6p1/sftp-common.c
--- a/openssh-6.6p1/sftp-common.c
+++ b/openssh-6.6p1/sftp-common.c
@@ -42,16 +42,17 @@
#endif
@ -261,9 +262,9 @@ diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c
if (ltime != NULL) {
now = time(NULL);
if (now - (365*24*60*60)/2 < st->st_mtime &&
diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c
--- a/openssh-6.5p1/sftp-server-main.c
+++ b/openssh-6.5p1/sftp-server-main.c
diff --git a/openssh-6.6p1/sftp-server-main.c b/openssh-6.6p1/sftp-server-main.c
--- a/openssh-6.6p1/sftp-server-main.c
+++ b/openssh-6.6p1/sftp-server-main.c
@@ -17,21 +17,24 @@
#include "includes.h"
@ -289,9 +290,9 @@ diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c
int
main(int argc, char **argv)
diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c
--- a/openssh-6.5p1/sftp.c
+++ b/openssh-6.5p1/sftp.c
diff --git a/openssh-6.6p1/sftp.c b/openssh-6.6p1/sftp.c
--- a/openssh-6.6p1/sftp.c
+++ b/openssh-6.6p1/sftp.c
@@ -109,16 +109,18 @@ struct complete_ctx {
char **remote_pathp;
};
@ -311,9 +312,9 @@ diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
--- a/openssh-6.5p1/sshd_config.0
+++ b/openssh-6.5p1/sshd_config.0
diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0
--- a/openssh-6.6p1/sshd_config.0
+++ b/openssh-6.6p1/sshd_config.0
@@ -189,16 +189,24 @@ DESCRIPTION
session this requires at least a shell, typically sh(1), and
basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
@ -339,9 +340,9 @@ diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
--- a/openssh-6.6p1/sshd_config.5
+++ b/openssh-6.6p1/sshd_config.5
@@ -324,16 +324,27 @@ For file transfer sessions using
no additional configuration of the environment is necessary if the
in-process sftp server is used,

View File

@ -1,10 +1,10 @@
# try to remove xauth cookies on logout
# bnc#98815
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -2505,18 +2505,50 @@ session_exit_message(Session *s, int sta
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -2510,18 +2510,50 @@ session_exit_message(Session *s, int sta
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c);
}

View File

@ -1,10 +1,10 @@
# handle hostname changes when forwarding X
# bnc#98627
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -1141,17 +1141,17 @@ copy_environment(char **source, char ***
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -1146,17 +1146,17 @@ copy_environment(char **source, char ***
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
@ -23,7 +23,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
#endif
@@ -1328,25 +1328,27 @@ do_setup_env(Session *s, const char *she
@@ -1333,25 +1333,27 @@ do_setup_env(Session *s, const char *she
read_environment_file(&env, &envsize, buf);
}
if (debug_flag) {
@ -52,7 +52,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
@@ -1390,22 +1392,30 @@ do_rc_files(Session *s, const char *shel
@@ -1395,22 +1397,30 @@ do_rc_files(Session *s, const char *shel
"%.500s add %.100s %.100s %.100s\n",
options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data);
@ -83,7 +83,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
}
static void
@@ -1659,16 +1669,17 @@ child_close_fds(void)
@@ -1664,16 +1674,17 @@ child_close_fds(void)
* ids, and executing the command or shell.
*/
#define ARGV_MAX 10
@ -101,7 +101,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
/* remove hostkey from the child's memory */
destroy_sensitive_data();
@@ -1725,17 +1736,17 @@ do_child(Session *s, const char *command
@@ -1730,17 +1741,17 @@ do_child(Session *s, const char *command
* legal, and means /bin/sh.
*/
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
@ -120,7 +120,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
/* we have to stash the hostname before we close our socket. */
if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len,
@@ -1794,17 +1805,17 @@ do_child(Session *s, const char *command
@@ -1799,17 +1810,17 @@ do_child(Session *s, const char *command
strerror(errno));
if (r)
exit(1);

3
openssh-6.6p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb
size 1282502

View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
- Update of the underlying OpenSSH to 6.6p1
-------------------------------------------------------------------
Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com

View File

@ -26,7 +26,7 @@ BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: tcpd-devel
BuildRequires: update-desktop-files
Version: 6.5p1
Version: 6.6p1
Release: 0
Requires: openssh = %{version}
Summary: A GNOME-Based Passphrase Dialog for OpenSSH

View File

@ -1,4 +1,62 @@
-------------------------------------------------------------------
Tue Apr 15 09:26:16 UTC 2014 - rhafer@suse.com
- Remove uneeded dependency on the OpenLDAP server (openldap2)
from openssh-helpers. openssh-helpers just depends on the
openldap client libraries, which will be auto-generated by rpm.
-------------------------------------------------------------------
Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
- update to 6.6p1
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that
contains the characters before the wildcard character.
Features since 6.5p1:
* ssh(1), sshd(8): removal of the J-PAKE authentication code,
which was experimental, never enabled and has been
unmaintained for some time.
* ssh(1): skip 'exec' clauses other clauses predicates failed
to match while processing Match blocks.
* ssh(1): if hostname canonicalisation is enabled and results
in the destination hostname being changed, then re-parse
ssh_config(5) files using the new destination hostname. This
gives 'Host' and 'Match' directives that use the expanded
hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file
descriptor" in ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
systrace sandbox modes, as it is reachable if the connection
is terminated during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
bignum parsing. Minimum key length checks render this bug
unexploitable to compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears
in multiple matching Match blocks. bz#2184
* ssh(1): avoid unnecessary hostname lookups when
canonicalisation is disabled. bz#2205
* sshd(8): avoid sandbox violation crashes in GSSAPI code by
caching the supported list of GSSAPI mechanism OIDs before
entering the sandbox. bz#2107
* ssh(1): fix possible crashes in SOCKS4 parsing caused by
assumption that the SOCKS username is nul-terminated.
* ssh(1): fix regression for UsePrivilegedPort=yes when
BindAddress is not specified.
* ssh(1), sshd(8): fix memory leak in ECDSA signature
verification.
* ssh(1): fix matching of 'Host' directives in ssh_config(5)
files to be case-insensitive again (regression in 6.5).
- FIPS checks in sftp-server
-------------------------------------------------------------------
Mon Mar 31 01:22:21 UTC 2014 - pcerny@suse.com
- FIPS checks during ssh client and daemon startup
(-fips-checks.patch)
-------------------------------------------------------------------
Tue Mar 25 10:07:18 UTC 2014 - idonmez@suse.com
- Update openssh-6.5p1-audit4-kex_results.patch to ensure that

View File

@ -91,7 +91,7 @@ PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
Conflicts: nonfreessh
Recommends: xauth
Recommends: %{name}-helpers
Version: 6.5p1
Version: 6.6p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-3-Clause and MIT
@ -108,43 +108,45 @@ Source7: sshd.fw
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Patch1: openssh-6.5p1-key-converter.patch
Patch2: openssh-6.5p1-X11-forwarding.patch
Patch3: openssh-6.5p1-lastlog.patch
Patch4: openssh-6.5p1-pam-fix2.patch
Patch5: openssh-6.5p1-saveargv-fix.patch
Patch6: openssh-6.5p1-pam-fix3.patch
Patch7: openssh-6.5p1-gssapimitm.patch
Patch8: openssh-6.5p1-eal3.patch
Patch9: openssh-6.5p1-blocksigalrm.patch
Patch10: openssh-6.5p1-send_locale.patch
Patch11: openssh-6.5p1-xauthlocalhostname.patch
Patch12: openssh-6.5p1-xauth.patch
Patch13: openssh-6.5p1-default-protocol.patch
Patch14: openssh-6.5p1-pts.patch
Patch15: openssh-6.5p1-pam-check-locks.patch
Patch16: openssh-6.5p1-fingerprint_hash.patch
Patch17: openssh-6.5p1-audit1-remove_duplicit_audit.patch
Patch18: openssh-6.5p1-audit2-better_audit_of_user_actions.patch
Patch19: openssh-6.5p1-audit3-key_auth_usage.patch
Patch20: openssh-6.5p1-audit4-kex_results.patch
Patch21: openssh-6.5p1-audit5-session_key_destruction.patch
Patch22: openssh-6.5p1-audit6-server_key_destruction.patch
Patch23: openssh-6.5p1-audit7-libaudit_compat.patch
Patch24: openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
Patch25: openssh-6.5p1-seed-prng.patch
Patch26: openssh-6.5p1-ldap.patch
Patch27: openssh-6.5p1-fips.patch
Patch28: openssh-6.5p1-gssapi_key_exchange.patch
Patch29: openssh-6.5p1-login_options.patch
Patch30: openssh-6.5p1-disable-openssl-abi-check.patch
Patch31: openssh-6.5p1-no_fork-no_pid_file.patch
Patch32: openssh-6.5p1-host_ident.patch
Patch33: openssh-6.5p1-sftp_homechroot.patch
Patch34: openssh-6.5p1-sftp_force_permissions.patch
Patch35: openssh-6.5p1-seccomp_getuid.patch
Patch36: openssh-6.5p1-X_forward_with_disabled_ipv6.patch
Patch1: openssh-6.6p1-key-converter.patch
Patch2: openssh-6.6p1-X11-forwarding.patch
Patch3: openssh-6.6p1-lastlog.patch
Patch4: openssh-6.6p1-pam-fix2.patch
Patch5: openssh-6.6p1-saveargv-fix.patch
Patch6: openssh-6.6p1-pam-fix3.patch
Patch7: openssh-6.6p1-gssapimitm.patch
Patch8: openssh-6.6p1-eal3.patch
Patch9: openssh-6.6p1-blocksigalrm.patch
Patch10: openssh-6.6p1-send_locale.patch
Patch11: openssh-6.6p1-xauthlocalhostname.patch
Patch12: openssh-6.6p1-xauth.patch
Patch13: openssh-6.6p1-default-protocol.patch
Patch14: openssh-6.6p1-pts.patch
Patch15: openssh-6.6p1-pam-check-locks.patch
Patch16: openssh-6.6p1-fingerprint_hash.patch
Patch17: openssh-6.6p1-fips.patch
Patch18: openssh-6.6p1-audit1-remove_duplicit_audit.patch
Patch19: openssh-6.6p1-audit2-better_audit_of_user_actions.patch
Patch20: openssh-6.6p1-audit3-key_auth_usage.patch
Patch21: openssh-6.6p1-audit3_fips-key_auth_usage.patch
Patch22: openssh-6.6p1-audit4-kex_results.patch
Patch23: openssh-6.6p1-audit4_fips-kex_results.patch
Patch24: openssh-6.6p1-audit5-session_key_destruction.patch
Patch25: openssh-6.6p1-audit6-server_key_destruction.patch
Patch26: openssh-6.6p1-audit7-libaudit_compat.patch
Patch27: openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
Patch28: openssh-6.6p1-seed-prng.patch
Patch29: openssh-6.6p1-gssapi_key_exchange.patch
Patch30: openssh-6.6p1-login_options.patch
Patch31: openssh-6.6p1-disable-openssl-abi-check.patch
Patch32: openssh-6.6p1-no_fork-no_pid_file.patch
Patch33: openssh-6.6p1-host_ident.patch
Patch34: openssh-6.6p1-sftp_homechroot.patch
Patch35: openssh-6.6p1-sftp_force_permissions.patch
Patch36: openssh-6.6p1-seccomp_getuid.patch
Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
Patch38: openssh-6.6p1-fips-checks.patch
Patch39: openssh-6.6p1-ldap.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -160,13 +162,22 @@ also be forwarded over the secure channel.
%package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH
Requires: openldap2
Requires: openssh
%description helpers
Helper applications for OpenSSH which retrieve keys from various sources.
%package fips
Summary: OpenSSH FIPS cryptomodule hashes
Group: Productivity/Networking/SSH
Requires: openssh
%description fips
Hashes that together with the main package form the FIPS certifiable
cryptomodule.
%prep
%setup -q
#patch1 -p2
@ -207,13 +218,16 @@ Helper applications for OpenSSH which retrieve keys from various sources.
%patch34 -p2
%patch35 -p2
%patch36 -p2
%patch37 -p2
%patch38 -p2
%patch39 -p2
cp %{SOURCE3} %{SOURCE4} .
%build
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" %{PATCH26} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
$( grep "^+++" %{PATCH39} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
autoreconf -fiv
@ -311,6 +325,25 @@ rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/ssh \
%{_sbindir}/sshd \
%{_libexecdir}/ssh/sftp-server \
; do
( printf "\03"; openssl dgst -sha256 -binary < %{buildroot}$b ) > %{buildroot}$b.chk
done
}}
%pre
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
@ -343,6 +376,9 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
%files
%defattr(-,root,root)
%exclude %{_bindir}/*.chk
%exclude %{_sbindir}/*.chk
%exclude %{_libexecdir}/ssh/sftp-server.chk
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
@ -384,4 +420,10 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%files fips
%defattr(-,root,root)
%attr(0444,root,root) %{_bindir}/ssh.chk
%attr(0444,root,root) %{_sbindir}/sshd.chk
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server.chk
%changelog