Accepting request 563834 from network
- Replace forgotten references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights
(forwarded request 563833 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/563834
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=112
commit
97dc338ae5
@ -1,72 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 9130c9e19c8a076a7f6f214070283cd3e0326894
|
|
||||||
Correctly parse DISPLAY variable for cases where it contains an IPv6 address
|
|
||||||
(which should - but not always is - in (square) brackets).
|
|
||||||
|
|
||||||
bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
|
|
||||||
--- a/openssh-7.2p2/channels.c
|
|
||||||
+++ b/openssh-7.2p2/channels.c
|
|
||||||
@@ -4049,18 +4049,19 @@ x11_connect_display(void)
|
|
||||||
/* OK, we now have a connection to the display. */
|
|
||||||
return sock;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
/*
|
|
||||||
* Check if it is a unix domain socket. Unix domain displays are in
|
|
||||||
* one of the following formats: unix:d[.s], :d[.s], ::d[.s]
|
|
||||||
*/
|
|
||||||
+ cp = strrchr(display, ':');
|
|
||||||
if (strncmp(display, "unix:", 5) == 0 ||
|
|
||||||
- display[0] == ':') {
|
|
||||||
+ (display[0] == ':' && ((cp - display) < 2)) ) {
|
|
||||||
/* Connect to the unix domain socket. */
|
|
||||||
if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
|
|
||||||
error("Could not parse display number from DISPLAY: %.100s",
|
|
||||||
display);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
/* Create a socket. */
|
|
||||||
sock = connect_local_xsocket(display_number);
|
|
||||||
@@ -4068,30 +4069,39 @@ x11_connect_display(void)
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
/* OK, we now have a connection to the display. */
|
|
||||||
return sock;
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
* Connect to an inet socket. The DISPLAY value is supposedly
|
|
||||||
* hostname:d[.s], where hostname may also be numeric IP address.
|
|
||||||
+ * Note that IPv6 numberic addresses contain colons (e.g. ::1:0)
|
|
||||||
*/
|
|
||||||
strlcpy(buf, display, sizeof(buf));
|
|
||||||
- cp = strchr(buf, ':');
|
|
||||||
+ cp = strrchr(buf, ':');
|
|
||||||
if (!cp) {
|
|
||||||
error("Could not find ':' in DISPLAY: %.100s", display);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
*cp = 0;
|
|
||||||
/* buf now contains the host name. But first we parse the display number. */
|
|
||||||
if (sscanf(cp + 1, "%u", &display_number) != 1) {
|
|
||||||
error("Could not parse display number from DISPLAY: %.100s",
|
|
||||||
display);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* Remove brackets surrounding IPv6 addresses if there are any. */
|
|
||||||
+ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
|
|
||||||
+ *cp = 0;
|
|
||||||
+ cp = buf + 1;
|
|
||||||
+ } else {
|
|
||||||
+ cp = buf;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Look up the host address */
|
|
||||||
memset(&hints, 0, sizeof(hints));
|
|
||||||
hints.ai_family = IPv4or6;
|
|
||||||
hints.ai_socktype = SOCK_STREAM;
|
|
||||||
snprintf(strport, sizeof strport, "%u", 6000 + display_number);
|
|
||||||
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
|
|
||||||
error("%.100s: unknown host. (%s)", buf,
|
|
@ -1,65 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 7197d7a6b7c90566c68e980b5f8b937c183e79d0
|
|
||||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
|
||||||
# configuration
|
|
||||||
# bnc#50836 (was suse #35836)
|
|
||||||
Enable Trusted X11 forwarding by default, since the security benefits of
|
|
||||||
having it disabled are negligible these days with XI2 being widely used.
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
|
||||||
--- a/openssh-7.2p2/ssh_config
|
|
||||||
+++ b/openssh-7.2p2/ssh_config
|
|
||||||
@@ -12,19 +12,30 @@
|
|
||||||
# Any configuration value is only changed the first time it is set.
|
|
||||||
# Thus, host-specific definitions should be at the beginning of the
|
|
||||||
# configuration file, and defaults at the end.
|
|
||||||
|
|
||||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
|
||||||
# list of available options, their meanings and defaults, please see the
|
|
||||||
# ssh_config(5) man page.
|
|
||||||
|
|
||||||
-# Host *
|
|
||||||
+Host *
|
|
||||||
# ForwardAgent no
|
|
||||||
# ForwardX11 no
|
|
||||||
+
|
|
||||||
+# If you do not trust your remote host (or its administrator), you
|
|
||||||
+# should not forward X11 connections to your local X11-display for
|
|
||||||
+# security reasons: Someone stealing the authentification data on the
|
|
||||||
+# remote side (the "spoofed" X-server by the remote sshd) can read your
|
|
||||||
+# keystrokes as you type, just like any other X11 client could do.
|
|
||||||
+# Set this to "no" here for global effect or in your own ~/.ssh/config
|
|
||||||
+# file if you want to have the remote X11 authentification data to
|
|
||||||
+# expire after twenty minutes after remote login.
|
|
||||||
+ ForwardX11Trusted yes
|
|
||||||
+
|
|
||||||
# RhostsRSAAuthentication no
|
|
||||||
# RSAAuthentication yes
|
|
||||||
# PasswordAuthentication yes
|
|
||||||
# HostbasedAuthentication no
|
|
||||||
# GSSAPIAuthentication no
|
|
||||||
# GSSAPIDelegateCredentials no
|
|
||||||
# BatchMode no
|
|
||||||
# CheckHostIP yes
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
|
||||||
--- a/openssh-7.2p2/sshd_config
|
|
||||||
+++ b/openssh-7.2p2/sshd_config
|
|
||||||
@@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
#UsePAM no
|
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
|
||||||
#AllowTcpForwarding yes
|
|
||||||
#GatewayPorts no
|
|
||||||
-#X11Forwarding no
|
|
||||||
+X11Forwarding yes
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
||||||
#PrintMotd yes
|
|
||||||
#PrintLastLog yes
|
|
||||||
#TCPKeepAlive yes
|
|
||||||
#UseLogin no
|
|
||||||
#UsePrivilegeSeparation sandbox
|
|
@ -1,34 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 2afee80335d5ef7efcf64f3a797e9b10ce0de4ae
|
|
||||||
Do not throw away already open sockets for X11 forwarding if another socket
|
|
||||||
family is not available for bind()
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
|
|
||||||
--- a/openssh-7.2p2/channels.c
|
|
||||||
+++ b/openssh-7.2p2/channels.c
|
|
||||||
@@ -3937,22 +3937,24 @@ x11_create_display_inet(int x11_display_
|
|
||||||
}
|
|
||||||
if (ai->ai_family == AF_INET6)
|
|
||||||
sock_set_v6only(sock);
|
|
||||||
if (x11_use_localhost)
|
|
||||||
channel_set_reuseaddr(sock);
|
|
||||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
|
||||||
debug2("bind port %d: %.100s", port, strerror(errno));
|
|
||||||
close(sock);
|
|
||||||
-
|
|
||||||
+ continue;
|
|
||||||
+ /* do not remove successfully opened sockets
|
|
||||||
for (n = 0; n < num_socks; n++) {
|
|
||||||
close(socks[n]);
|
|
||||||
}
|
|
||||||
num_socks = 0;
|
|
||||||
break;
|
|
||||||
+ */
|
|
||||||
}
|
|
||||||
socks[num_socks++] = sock;
|
|
||||||
if (num_socks == NUM_SOCKS)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
freeaddrinfo(aitop);
|
|
||||||
if (num_socks > 0)
|
|
||||||
break;
|
|
@ -1,56 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent e7bdbc5ea8971599466becf01bff12b9fcb5df3e
|
|
||||||
Enable the seccomp-bpf sandbox on more architectures
|
|
||||||
|
|
||||||
upstream commit: b9c50614eba9d90939b2b119b6e1b7e03b462278 (7.3p1)
|
|
||||||
Author: Damien Miller <djm@mindrot.org>
|
|
||||||
Date: Fri Jul 8 13:59:13 2016 +1000
|
|
||||||
|
|
||||||
whitelist more architectures for seccomp-bpf
|
|
||||||
|
|
||||||
bz#2590 - testing and patch from Jakub Jelen
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
|
||||||
--- a/openssh-7.2p2/configure.ac
|
|
||||||
+++ b/openssh-7.2p2/configure.ac
|
|
||||||
@@ -818,16 +818,40 @@ main() { if (NSVersionOfRunTimeLibrary("
|
|
||||||
seccomp_audit_arch=AUDIT_ARCH_I386
|
|
||||||
;;
|
|
||||||
arm*-*)
|
|
||||||
seccomp_audit_arch=AUDIT_ARCH_ARM
|
|
||||||
;;
|
|
||||||
aarch64*-*)
|
|
||||||
seccomp_audit_arch=AUDIT_ARCH_AARCH64
|
|
||||||
;;
|
|
||||||
+ s390x-*)
|
|
||||||
+ seccomp_audit_arch=AUDIT_ARCH_S390X
|
|
||||||
+ ;;
|
|
||||||
+ s390-*)
|
|
||||||
+ seccomp_audit_arch=AUDIT_ARCH_S390
|
|
||||||
+ ;;
|
|
||||||
+ powerpc64-*)
|
|
||||||
+ seccomp_audit_arch=AUDIT_ARCH_PPC64
|
|
||||||
+ ;;
|
|
||||||
+ powerpc64le-*)
|
|
||||||
+ seccomp_audit_arch=AUDIT_ARCH_PPC64LE
|
|
||||||
+ ;;
|
|
||||||
+ mips-*)
|
|
||||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPS
|
|
||||||
+ ;;
|
|
||||||
+ mipsel-*)
|
|
||||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL
|
|
||||||
+ ;;
|
|
||||||
+ mips64-*)
|
|
||||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64
|
|
||||||
+ ;;
|
|
||||||
+ mips64el-*)
|
|
||||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
|
|
||||||
+ ;;
|
|
||||||
esac
|
|
||||||
if test "x$seccomp_audit_arch" != "x" ; then
|
|
||||||
AC_MSG_RESULT(["$seccomp_audit_arch"])
|
|
||||||
AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
|
|
||||||
[Specify the system call convention in use])
|
|
||||||
else
|
|
||||||
AC_MSG_RESULT([architecture not supported])
|
|
||||||
fi
|
|
@ -1,129 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent d33bce122aa351a56ce457be35feda52171f9088
|
|
||||||
Enable DSS authentication by default to maintain compatibility with older
|
|
||||||
versions.
|
|
||||||
|
|
||||||
bsc#983784
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/myproposal.h b/openssh-7.2p2/myproposal.h
|
|
||||||
--- a/openssh-7.2p2/myproposal.h
|
|
||||||
+++ b/openssh-7.2p2/myproposal.h
|
|
||||||
@@ -94,21 +94,23 @@
|
|
||||||
#define KEX_CLIENT_KEX KEX_COMMON_KEX \
|
|
||||||
"diffie-hellman-group-exchange-sha1," \
|
|
||||||
"diffie-hellman-group14-sha1"
|
|
||||||
|
|
||||||
#define KEX_DEFAULT_PK_ALG \
|
|
||||||
HOSTKEY_ECDSA_CERT_METHODS \
|
|
||||||
"ssh-ed25519-cert-v01@openssh.com," \
|
|
||||||
"ssh-rsa-cert-v01@openssh.com," \
|
|
||||||
+ "ssh-dss-cert-v01@openssh.com," \
|
|
||||||
HOSTKEY_ECDSA_METHODS \
|
|
||||||
"ssh-ed25519," \
|
|
||||||
"rsa-sha2-512," \
|
|
||||||
"rsa-sha2-256," \
|
|
||||||
- "ssh-rsa"
|
|
||||||
+ "ssh-rsa," \
|
|
||||||
+ "ssh-dss"
|
|
||||||
|
|
||||||
/* the actual algorithms */
|
|
||||||
|
|
||||||
#define KEX_SERVER_ENCRYPT \
|
|
||||||
"chacha20-poly1305@openssh.com," \
|
|
||||||
"aes128-ctr,aes192-ctr,aes256-ctr" \
|
|
||||||
AESGCM_CIPHER_MODES
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
|
|
||||||
--- a/openssh-7.2p2/ssh_config.5
|
|
||||||
+++ b/openssh-7.2p2/ssh_config.5
|
|
||||||
@@ -887,19 +887,19 @@ Alternately if the specified value begin
|
|
||||||
character, then the specified key types will be appended to the default set
|
|
||||||
instead of replacing them.
|
|
||||||
The default for this option is:
|
|
||||||
.Bd -literal -offset 3n
|
|
||||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
||||||
ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
|
||||||
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,ssh-rsa
|
|
||||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
If hostkeys are known for the destination host then this default is modified
|
|
||||||
to prefer their algorithms.
|
|
||||||
.Pp
|
|
||||||
The list of available key types may also be obtained using the
|
|
||||||
.Fl Q
|
|
||||||
option of
|
|
||||||
@@ -1325,19 +1325,19 @@ Alternately if the specified value begin
|
|
||||||
character, then the key types after it will be appended to the default
|
|
||||||
instead of replacing it.
|
|
||||||
The default for this option is:
|
|
||||||
.Bd -literal -offset 3n
|
|
||||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
||||||
ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
|
||||||
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,ssh-rsa
|
|
||||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
The
|
|
||||||
.Fl Q
|
|
||||||
option of
|
|
||||||
.Xr ssh 1
|
|
||||||
may be used to list supported key types.
|
|
||||||
.It Cm PubkeyAuthentication
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|
||||||
--- a/openssh-7.2p2/sshd_config.5
|
|
||||||
+++ b/openssh-7.2p2/sshd_config.5
|
|
||||||
@@ -651,19 +651,19 @@ Alternately if the specified value begin
|
|
||||||
character, then the specified key types will be appended to the default set
|
|
||||||
instead of replacing them.
|
|
||||||
The default for this option is:
|
|
||||||
.Bd -literal -offset 3n
|
|
||||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
||||||
ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
|
||||||
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,ssh-rsa
|
|
||||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
The
|
|
||||||
.Fl Q
|
|
||||||
option of
|
|
||||||
.Xr ssh 1
|
|
||||||
may be used to list supported key types.
|
|
||||||
.It Cm HostbasedAuthentication
|
|
||||||
@@ -743,19 +743,19 @@ environment variable.
|
|
||||||
Specifies the host key algorithms
|
|
||||||
that the server offers.
|
|
||||||
The default for this option is:
|
|
||||||
.Bd -literal -offset 3n
|
|
||||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
||||||
ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
|
||||||
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
|
||||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,ssh-rsa
|
|
||||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
The list of available key types may also be obtained using the
|
|
||||||
.Fl Q
|
|
||||||
option of
|
|
||||||
.Xr ssh 1
|
|
||||||
with an argument of
|
|
||||||
.Dq key .
|
|
@ -1,95 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent c43ae523939377778762e81743b77b3c75eb4bd1
|
|
||||||
Allow root login with password by default. While less secure than upstream
|
|
||||||
default of forbidding access to the root account with a password, we are
|
|
||||||
temporarily introducing this change to keep the default used in older OpenSSH
|
|
||||||
versions shipped with SLE.
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|
||||||
--- a/openssh-7.2p2/servconf.c
|
|
||||||
+++ b/openssh-7.2p2/servconf.c
|
|
||||||
@@ -233,17 +233,17 @@ fill_default_server_options(ServerOption
|
|
||||||
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
|
||||||
if (options->server_key_bits == -1)
|
|
||||||
options->server_key_bits = 1024;
|
|
||||||
if (options->login_grace_time == -1)
|
|
||||||
options->login_grace_time = 120;
|
|
||||||
if (options->key_regeneration_time == -1)
|
|
||||||
options->key_regeneration_time = 3600;
|
|
||||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
|
||||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
|
||||||
+ options->permit_root_login = PERMIT_YES;
|
|
||||||
if (options->ignore_rhosts == -1)
|
|
||||||
options->ignore_rhosts = 1;
|
|
||||||
if (options->ignore_user_known_hosts == -1)
|
|
||||||
options->ignore_user_known_hosts = 0;
|
|
||||||
if (options->print_motd == -1)
|
|
||||||
options->print_motd = 1;
|
|
||||||
if (options->print_lastlog == -1)
|
|
||||||
options->print_lastlog = 1;
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
|
||||||
--- a/openssh-7.2p2/sshd_config
|
|
||||||
+++ b/openssh-7.2p2/sshd_config
|
|
||||||
@@ -36,17 +36,17 @@
|
|
||||||
# Logging
|
|
||||||
# obsoletes QuietMode and FascistLogging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
#LogLevel INFO
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
|
||||||
-#PermitRootLogin prohibit-password
|
|
||||||
+#PermitRootLogin yes
|
|
||||||
#StrictModes yes
|
|
||||||
#MaxAuthTries 6
|
|
||||||
#MaxSessions 10
|
|
||||||
|
|
||||||
#RSAAuthentication yes
|
|
||||||
#PubkeyAuthentication yes
|
|
||||||
|
|
||||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
|
||||||
--- a/openssh-7.2p2/sshd_config.0
|
|
||||||
+++ b/openssh-7.2p2/sshd_config.0
|
|
||||||
@@ -710,17 +710,17 @@ DESCRIPTION
|
|
||||||
restrictions and permit any forwarding requests. An argument of
|
|
||||||
M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. By
|
|
||||||
default all port forwarding requests are permitted.
|
|
||||||
|
|
||||||
PermitRootLogin
|
|
||||||
Specifies whether root can log in using ssh(1). The argument
|
|
||||||
must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^],
|
|
||||||
M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is
|
|
||||||
- M-bM-^@M-^\prohibit-passwordM-bM-^@M-^].
|
|
||||||
+ M-bM-^@M-^\yesM-bM-^@M-^].
|
|
||||||
|
|
||||||
If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or
|
|
||||||
M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive
|
|
||||||
authentication are disabled for root.
|
|
||||||
|
|
||||||
If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with
|
|
||||||
public key authentication will be allowed, but only if the
|
|
||||||
command option has been specified (which may be useful for taking
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|
||||||
--- a/openssh-7.2p2/sshd_config.5
|
|
||||||
+++ b/openssh-7.2p2/sshd_config.5
|
|
||||||
@@ -1213,17 +1213,17 @@ Specifies whether root can log in using
|
|
||||||
The argument must be
|
|
||||||
.Dq yes ,
|
|
||||||
.Dq prohibit-password ,
|
|
||||||
.Dq without-password ,
|
|
||||||
.Dq forced-commands-only ,
|
|
||||||
or
|
|
||||||
.Dq no .
|
|
||||||
The default is
|
|
||||||
-.Dq prohibit-password .
|
|
||||||
+.Dq yes .
|
|
||||||
.Pp
|
|
||||||
If this option is set to
|
|
||||||
.Dq prohibit-password
|
|
||||||
or
|
|
||||||
.Dq without-password ,
|
|
||||||
password and keyboard-interactive authentication are disabled for root.
|
|
||||||
.Pp
|
|
||||||
If this option is set to
|
|
@ -1,28 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 51a3a8eab1493a799c5a9df95e8e757f872886d0
|
|
||||||
Various auditing fixes to be merged into the RH-originated patch.
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/packet.c b/openssh-7.2p2/packet.c
|
|
||||||
--- a/openssh-7.2p2/packet.c
|
|
||||||
+++ b/openssh-7.2p2/packet.c
|
|
||||||
@@ -375,16 +375,20 @@ ssh_packet_start_discard(struct ssh *ssh
|
|
||||||
|
|
||||||
int
|
|
||||||
ssh_packet_connection_is_on_socket(struct ssh *ssh)
|
|
||||||
{
|
|
||||||
struct session_state *state = ssh->state;
|
|
||||||
struct sockaddr_storage from, to;
|
|
||||||
socklen_t fromlen, tolen;
|
|
||||||
|
|
||||||
+ /* auditing might get here without valid connection structure when
|
|
||||||
+ * destroying sensitive data on exit and thus aborting disgracefully */
|
|
||||||
+ if (!ssh)
|
|
||||||
+ return 0;
|
|
||||||
/* filedescriptors in and out are the same, so it's a socket */
|
|
||||||
if (state->connection_in == state->connection_out)
|
|
||||||
return 1;
|
|
||||||
fromlen = sizeof(from);
|
|
||||||
memset(&from, 0, sizeof(from));
|
|
||||||
if (getpeername(state->connection_in, (struct sockaddr *)&from,
|
|
||||||
&fromlen) < 0)
|
|
||||||
return 0;
|
|
@ -1,116 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent e6ff441d171012183f7bd37cb7399473e8376acd
|
|
||||||
Audit PRNG re-seeding
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/audit-bsm.c b/openssh-7.2p2/audit-bsm.c
|
|
||||||
--- a/openssh-7.2p2/audit-bsm.c
|
|
||||||
+++ b/openssh-7.2p2/audit-bsm.c
|
|
||||||
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
|
|
||||||
/* not implemented */
|
|
||||||
}
|
|
||||||
|
|
||||||
void
|
|
||||||
audit_generate_ephemeral_server_key(const char *fp)
|
|
||||||
{
|
|
||||||
/* not implemented */
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+audit_linux_prng_seed(long bytes, const char *rf)
|
|
||||||
+{
|
|
||||||
+ /* not implemented */
|
|
||||||
+}
|
|
||||||
#endif /* BSM */
|
|
||||||
diff --git a/openssh-7.2p2/audit-linux.c b/openssh-7.2p2/audit-linux.c
|
|
||||||
--- a/openssh-7.2p2/audit-linux.c
|
|
||||||
+++ b/openssh-7.2p2/audit-linux.c
|
|
||||||
@@ -402,9 +402,31 @@ audit_generate_ephemeral_server_key(cons
|
|
||||||
}
|
|
||||||
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
|
||||||
buf, NULL, 0, NULL, 1);
|
|
||||||
audit_close(audit_fd);
|
|
||||||
/* do not abort if the error is EPERM and sshd is run as non root user */
|
|
||||||
if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
|
||||||
error("cannot write into audit");
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+audit_linux_prng_seed(long bytes, const char *rf)
|
|
||||||
+{
|
|
||||||
+ char buf[AUDIT_LOG_SIZE];
|
|
||||||
+ int audit_fd, audit_ok;
|
|
||||||
+
|
|
||||||
+ snprintf(buf, sizeof(buf), "op=prng_seed kind=server bytes=%li source=%s ", bytes, rf);
|
|
||||||
+ audit_fd = audit_open();
|
|
||||||
+ if (audit_fd < 0) {
|
|
||||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
|
||||||
+ errno != EAFNOSUPPORT)
|
|
||||||
+ error("cannot open audit");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_PARAM_CHANGE_USER,
|
|
||||||
+ buf, NULL, 0, NULL, 1);
|
|
||||||
+ audit_close(audit_fd);
|
|
||||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
|
||||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
|
||||||
+ error("cannot write into audit");
|
|
||||||
+}
|
|
||||||
#endif /* USE_LINUX_AUDIT */
|
|
||||||
diff --git a/openssh-7.2p2/audit.c b/openssh-7.2p2/audit.c
|
|
||||||
--- a/openssh-7.2p2/audit.c
|
|
||||||
+++ b/openssh-7.2p2/audit.c
|
|
||||||
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
|
|
||||||
/*
|
|
||||||
* This will be called on generation of the ephemeral server key
|
|
||||||
*/
|
|
||||||
void
|
|
||||||
audit_generate_ephemeral_server_key(const char *)
|
|
||||||
{
|
|
||||||
debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+audit_linux_prng_seed(long bytes, const char *rf)
|
|
||||||
+{
|
|
||||||
+ debug("audit PRNG seed euid %d bytes %li source %s", geteuid(), bytes, rf);
|
|
||||||
+}
|
|
||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
|
||||||
diff --git a/openssh-7.2p2/audit.h b/openssh-7.2p2/audit.h
|
|
||||||
--- a/openssh-7.2p2/audit.h
|
|
||||||
+++ b/openssh-7.2p2/audit.h
|
|
||||||
@@ -69,10 +69,11 @@ void audit_key(int, int *, const Key *);
|
|
||||||
void audit_unsupported(int);
|
|
||||||
void audit_kex(int, char *, char *, char *, char *);
|
|
||||||
void audit_unsupported_body(int);
|
|
||||||
void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
|
||||||
void audit_session_key_free(int ctos);
|
|
||||||
void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
|
||||||
void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
|
||||||
void audit_generate_ephemeral_server_key(const char *);
|
|
||||||
+void audit_linux_prng_seed(long, const char *);
|
|
||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
|
||||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
|
||||||
--- a/openssh-7.2p2/sshd.c
|
|
||||||
+++ b/openssh-7.2p2/sshd.c
|
|
||||||
@@ -1421,16 +1421,19 @@ server_accept_loop(int *sock_in, int *so
|
|
||||||
if (maxfd < startup_p[0])
|
|
||||||
maxfd = startup_p[0];
|
|
||||||
startups++;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if(!(--re_seeding_counter)) {
|
|
||||||
re_seeding_counter = RESEED_AFTER;
|
|
||||||
linux_seed();
|
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
|
||||||
+ audit_linux_prng_seed(rand_bytes, rand_file);
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Got connection. Fork a child to handle it, unless
|
|
||||||
* we are in debugging mode.
|
|
||||||
*/
|
|
||||||
if (debug_flag) {
|
|
||||||
/*
|
|
@ -1,76 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 0bfb5dd4b190b546a3e40a59483b2b2884a47c39
|
|
||||||
block SIGALRM while logging through syslog to prevent deadlocks
|
|
||||||
(through grace_alarm_handler())
|
|
||||||
|
|
||||||
bnc#57354
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/log.c b/openssh-7.2p2/log.c
|
|
||||||
--- a/openssh-7.2p2/log.c
|
|
||||||
+++ b/openssh-7.2p2/log.c
|
|
||||||
@@ -46,16 +46,17 @@
|
|
||||||
#include <syslog.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
|
|
||||||
# include <vis.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "log.h"
|
|
||||||
+#include <signal.h>
|
|
||||||
|
|
||||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
|
||||||
static int log_on_stderr = 1;
|
|
||||||
static int log_stderr_fd = STDERR_FILENO;
|
|
||||||
static int log_facility = LOG_AUTH;
|
|
||||||
static char *argv0;
|
|
||||||
static log_handler_fn *log_handler;
|
|
||||||
static void *log_handler_ctx;
|
|
||||||
@@ -383,16 +384,17 @@ do_log(LogLevel level, const char *fmt,
|
|
||||||
{
|
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
|
||||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
|
||||||
#endif
|
|
||||||
char msgbuf[MSGBUFSIZ];
|
|
||||||
char fmtbuf[MSGBUFSIZ];
|
|
||||||
char *txt = NULL;
|
|
||||||
int pri = LOG_INFO;
|
|
||||||
+ sigset_t nset, oset;
|
|
||||||
int saved_errno = errno;
|
|
||||||
log_handler_fn *tmp_handler;
|
|
||||||
|
|
||||||
if (level > log_level)
|
|
||||||
return;
|
|
||||||
|
|
||||||
switch (level) {
|
|
||||||
case SYSLOG_LEVEL_FATAL:
|
|
||||||
@@ -441,20 +443,29 @@ do_log(LogLevel level, const char *fmt,
|
|
||||||
tmp_handler = log_handler;
|
|
||||||
log_handler = NULL;
|
|
||||||
tmp_handler(level, fmtbuf, log_handler_ctx);
|
|
||||||
log_handler = tmp_handler;
|
|
||||||
} else if (log_on_stderr) {
|
|
||||||
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
|
|
||||||
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
|
||||||
} else {
|
|
||||||
+ /* Prevent a race between the grace_alarm
|
|
||||||
+ * which writes a log message and terminates
|
|
||||||
+ * and main sshd code that leads to deadlock
|
|
||||||
+ * as syslog is not async safe.
|
|
||||||
+ */
|
|
||||||
+ sigemptyset(&nset);
|
|
||||||
+ sigaddset(&nset, SIGALRM);
|
|
||||||
+ sigprocmask(SIG_BLOCK, &nset, &oset);
|
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
|
||||||
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
|
||||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
|
||||||
closelog_r(&sdata);
|
|
||||||
#else
|
|
||||||
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
|
|
||||||
syslog(pri, "%.500s", fmtbuf);
|
|
||||||
closelog();
|
|
||||||
#endif
|
|
||||||
+ sigprocmask(SIG_SETMASK, &oset, NULL);
|
|
||||||
}
|
|
||||||
errno = saved_errno;
|
|
||||||
}
|
|
@ -1,300 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent cb502e7e796ac9289a571167a97ad9ec91562efb
|
|
||||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|
||||||
--- a/openssh-7.2p2/Makefile.in
|
|
||||||
+++ b/openssh-7.2p2/Makefile.in
|
|
||||||
@@ -21,16 +21,17 @@ top_srcdir=@top_srcdir@
|
|
||||||
|
|
||||||
DESTDIR=
|
|
||||||
VPATH=@srcdir@
|
|
||||||
SSH_PROGRAM=@bindir@/ssh
|
|
||||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
|
||||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
||||||
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
STRIP_OPT=@STRIP_OPT@
|
|
||||||
TEST_SHELL=@TEST_SHELL@
|
|
||||||
|
|
||||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
|
||||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
|
||||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
|
||||||
@@ -59,16 +60,18 @@ SED=@SED@
|
|
||||||
ENT=@ENT@
|
|
||||||
XAUTH_PATH=@XAUTH_PATH@
|
|
||||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
|
||||||
EXEEXT=@EXEEXT@
|
|
||||||
MANFMT=@MANFMT@
|
|
||||||
|
|
||||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
|
||||||
|
|
||||||
+TARGETS += cavstest-ctr$(EXEEXT)
|
|
||||||
+
|
|
||||||
LIBOPENSSH_OBJS=\
|
|
||||||
ssh_api.o \
|
|
||||||
ssherr.o \
|
|
||||||
sshbuf.o \
|
|
||||||
sshkey.o \
|
|
||||||
sshbuf-getput-basic.o \
|
|
||||||
sshbuf-misc.o \
|
|
||||||
sshbuf-getput-crypto.o \
|
|
||||||
@@ -190,16 +193,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
|
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
|
||||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
|
||||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
|
||||||
|
|
||||||
+# FIPS tests
|
|
||||||
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
|
||||||
+ $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
+
|
|
||||||
# test driver for the loginrec code - not built by default
|
|
||||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
|
||||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
$(MANPAGES): $(MANPAGES_IN)
|
|
||||||
if test "$(MANTYPE)" = "cat"; then \
|
|
||||||
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
|
||||||
else \
|
|
||||||
@@ -310,16 +317,17 @@ install-files:
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
|
||||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
||||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
|
||||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
|
||||||
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
|
||||||
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
|
||||||
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
|
||||||
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
|
||||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
|
||||||
diff --git a/openssh-7.2p2/cavstest-ctr.c b/openssh-7.2p2/cavstest-ctr.c
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openssh-7.2p2/cavstest-ctr.c
|
|
||||||
@@ -0,0 +1,212 @@
|
|
||||||
+/*
|
|
||||||
+ *
|
|
||||||
+ * invocation (all of the following are equal):
|
|
||||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
|
|
||||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
|
|
||||||
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <sys/param.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <ctype.h>
|
|
||||||
+
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "log.h"
|
|
||||||
+#include "cipher.h"
|
|
||||||
+
|
|
||||||
+/* compatibility with old or broken OpenSSL versions */
|
|
||||||
+#include "openbsd-compat/openssl-compat.h"
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+usage(void)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
|
|
||||||
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
|
|
||||||
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
|
|
||||||
+ "Hexadecimal output is printed to stdout.\n"
|
|
||||||
+ "Hexadecimal input data can be alternatively read from stdin.\n");
|
|
||||||
+ exit(1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void *
|
|
||||||
+fromhex(char *hex, size_t * len)
|
|
||||||
+{
|
|
||||||
+ unsigned char *bin;
|
|
||||||
+ char *p;
|
|
||||||
+ size_t n = 0;
|
|
||||||
+ int shift = 4;
|
|
||||||
+ unsigned char out = 0;
|
|
||||||
+ unsigned char *optr;
|
|
||||||
+
|
|
||||||
+ bin = xmalloc(strlen(hex) / 2);
|
|
||||||
+ optr = bin;
|
|
||||||
+
|
|
||||||
+ for (p = hex; *p != '\0'; ++p) {
|
|
||||||
+ unsigned char c;
|
|
||||||
+
|
|
||||||
+ c = *p;
|
|
||||||
+ if (isspace(c))
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ if (c >= '0' && c <= '9') {
|
|
||||||
+ c = c - '0';
|
|
||||||
+ } else if (c >= 'A' && c <= 'F') {
|
|
||||||
+ c = c - 'A' + 10;
|
|
||||||
+ } else if (c >= 'a' && c <= 'f') {
|
|
||||||
+ c = c - 'a' + 10;
|
|
||||||
+ } else {
|
|
||||||
+ /* truncate on nonhex cipher */
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ out |= c << shift;
|
|
||||||
+ shift = (shift + 4) % 8;
|
|
||||||
+
|
|
||||||
+ if (shift) {
|
|
||||||
+ *(optr++) = out;
|
|
||||||
+ out = 0;
|
|
||||||
+ ++n;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *len = n;
|
|
||||||
+ return bin;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define READ_CHUNK 4096
|
|
||||||
+#define MAX_READ_SIZE 1024*1024*100
|
|
||||||
+char *
|
|
||||||
+read_stdin(void)
|
|
||||||
+{
|
|
||||||
+ char *buf;
|
|
||||||
+ size_t n, total = 0;
|
|
||||||
+
|
|
||||||
+ buf = xmalloc(READ_CHUNK);
|
|
||||||
+
|
|
||||||
+ do {
|
|
||||||
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
|
|
||||||
+ if (n < READ_CHUNK) /* terminate on short read */
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ total += n;
|
|
||||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
|
||||||
+ } while (total < MAX_READ_SIZE);
|
|
||||||
+ return buf;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+
|
|
||||||
+ struct sshcipher *c;
|
|
||||||
+ struct sshcipher_ctx cc;
|
|
||||||
+ char *algo = "aes128-ctr";
|
|
||||||
+ char *hexkey = NULL;
|
|
||||||
+ char *hexiv = "00000000000000000000000000000000";
|
|
||||||
+ char *hexdata = NULL;
|
|
||||||
+ char *p;
|
|
||||||
+ int i;
|
|
||||||
+ int encrypt = 1;
|
|
||||||
+ void *key;
|
|
||||||
+ size_t keylen;
|
|
||||||
+ void *iv;
|
|
||||||
+ size_t ivlen;
|
|
||||||
+ void *data;
|
|
||||||
+ size_t datalen;
|
|
||||||
+ void *outdata;
|
|
||||||
+
|
|
||||||
+ for (i = 1; i < argc; ++i) {
|
|
||||||
+ if (strcmp(argv[i], "--algo") == 0) {
|
|
||||||
+ algo = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--key") == 0) {
|
|
||||||
+ hexkey = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--mode") == 0) {
|
|
||||||
+ ++i;
|
|
||||||
+ if (argv[i] == NULL) {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+ if (strncmp(argv[i], "enc", 3) == 0) {
|
|
||||||
+ encrypt = 1;
|
|
||||||
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
|
|
||||||
+ encrypt = 0;
|
|
||||||
+ } else {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+ } else if (strcmp(argv[i], "--iv") == 0) {
|
|
||||||
+ hexiv = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--data") == 0) {
|
|
||||||
+ hexdata = argv[++i];
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (hexkey == NULL || algo == NULL) {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ SSLeay_add_all_algorithms();
|
|
||||||
+
|
|
||||||
+ c = cipher_by_name(algo);
|
|
||||||
+ if (c == NULL) {
|
|
||||||
+ fprintf(stderr, "Error: unknown algorithm\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (hexdata == NULL) {
|
|
||||||
+ hexdata = read_stdin();
|
|
||||||
+ } else {
|
|
||||||
+ hexdata = xstrdup(hexdata);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ key = fromhex(hexkey, &keylen);
|
|
||||||
+
|
|
||||||
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
|
|
||||||
+ fprintf(stderr, "Error: unsupported key length\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ iv = fromhex(hexiv, &ivlen);
|
|
||||||
+
|
|
||||||
+ if (ivlen != 16) {
|
|
||||||
+ fprintf(stderr, "Error: unsupported iv length\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data = fromhex(hexdata, &datalen);
|
|
||||||
+
|
|
||||||
+ if (data == NULL || datalen == 0) {
|
|
||||||
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
|
|
||||||
+
|
|
||||||
+ free(key);
|
|
||||||
+ free(iv);
|
|
||||||
+
|
|
||||||
+ outdata = malloc(datalen);
|
|
||||||
+ if (outdata == NULL) {
|
|
||||||
+ fprintf(stderr, "Error: memory allocation failure\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
|
||||||
+
|
|
||||||
+ free(data);
|
|
||||||
+
|
|
||||||
+ cipher_cleanup(&cc);
|
|
||||||
+
|
|
||||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
|
||||||
+ printf("%02X", (unsigned char) *p);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(outdata);
|
|
||||||
+
|
|
||||||
+ printf("\n");
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
@ -1,469 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent f9ffcfb88e5a9d611a61aee3571050dea67e363e
|
|
||||||
CAVS test for KDF implementation in OpenSSH
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|
||||||
--- a/openssh-7.2p2/Makefile.in
|
|
||||||
+++ b/openssh-7.2p2/Makefile.in
|
|
||||||
@@ -22,16 +22,17 @@ top_srcdir=@top_srcdir@
|
|
||||||
DESTDIR=
|
|
||||||
VPATH=@srcdir@
|
|
||||||
SSH_PROGRAM=@bindir@/ssh
|
|
||||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
|
||||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
||||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
|
||||||
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
STRIP_OPT=@STRIP_OPT@
|
|
||||||
TEST_SHELL=@TEST_SHELL@
|
|
||||||
|
|
||||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
|
||||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
|
||||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
|
||||||
@@ -60,17 +61,17 @@ SED=@SED@
|
|
||||||
ENT=@ENT@
|
|
||||||
XAUTH_PATH=@XAUTH_PATH@
|
|
||||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
|
||||||
EXEEXT=@EXEEXT@
|
|
||||||
MANFMT=@MANFMT@
|
|
||||||
|
|
||||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
|
||||||
|
|
||||||
-TARGETS += cavstest-ctr$(EXEEXT)
|
|
||||||
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
|
||||||
|
|
||||||
LIBOPENSSH_OBJS=\
|
|
||||||
ssh_api.o \
|
|
||||||
ssherr.o \
|
|
||||||
sshbuf.o \
|
|
||||||
sshkey.o \
|
|
||||||
sshbuf-getput-basic.o \
|
|
||||||
sshbuf-misc.o \
|
|
||||||
@@ -197,16 +198,19 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
|
||||||
|
|
||||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
|
||||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
|
||||||
|
|
||||||
# FIPS tests
|
|
||||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
|
||||||
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-kdf.o
|
|
||||||
+ $(LD) -o $@ cavstest-kdf.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
+
|
|
||||||
# test driver for the loginrec code - not built by default
|
|
||||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
|
||||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
$(MANPAGES): $(MANPAGES_IN)
|
|
||||||
if test "$(MANTYPE)" = "cat"; then \
|
|
||||||
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
|
||||||
else \
|
|
||||||
@@ -318,16 +322,17 @@ install-files:
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
|
||||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
|
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
||||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
|
||||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
|
||||||
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
|
||||||
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
|
||||||
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
|
||||||
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
|
||||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
|
||||||
diff --git a/openssh-7.2p2/cavstest-kdf.c b/openssh-7.2p2/cavstest-kdf.c
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openssh-7.2p2/cavstest-kdf.c
|
|
||||||
@@ -0,0 +1,382 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU General Public License, in which case the provisions of the GPL2
|
|
||||||
+ * are required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
|
||||||
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
|
||||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
|
||||||
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
||||||
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
||||||
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
|
||||||
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
|
||||||
+ * DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+
|
|
||||||
+#include <openssl/bn.h>
|
|
||||||
+
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "buffer.h"
|
|
||||||
+#include "key.h"
|
|
||||||
+#include "cipher.h"
|
|
||||||
+#include "kex.h"
|
|
||||||
+#include "packet.h"
|
|
||||||
+
|
|
||||||
+static int bin_char(unsigned char hex)
|
|
||||||
+{
|
|
||||||
+ if (48 <= hex && 57 >= hex)
|
|
||||||
+ return (hex - 48);
|
|
||||||
+ if (65 <= hex && 70 >= hex)
|
|
||||||
+ return (hex - 55);
|
|
||||||
+ if (97 <= hex && 102 >= hex)
|
|
||||||
+ return (hex - 87);
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Convert hex representation into binary string
|
|
||||||
+ * @hex input buffer with hex representation
|
|
||||||
+ * @hexlen length of hex
|
|
||||||
+ * @bin output buffer with binary data
|
|
||||||
+ * @binlen length of already allocated bin buffer (should be at least
|
|
||||||
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
|
||||||
+ */
|
|
||||||
+static void hex2bin(const char *hex, size_t hexlen,
|
|
||||||
+ unsigned char *bin, size_t binlen)
|
|
||||||
+{
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < chars; i++) {
|
|
||||||
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
|
||||||
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Allocate sufficient space for binary representation of hex
|
|
||||||
+ * and convert hex into bin
|
|
||||||
+ *
|
|
||||||
+ * Caller must free bin
|
|
||||||
+ * @hex input buffer with hex representation
|
|
||||||
+ * @hexlen length of hex
|
|
||||||
+ * @bin return value holding the pointer to the newly allocated buffer
|
|
||||||
+ * @binlen return value holding the allocated size of bin
|
|
||||||
+ *
|
|
||||||
+ * return: 0 on success, !0 otherwise
|
|
||||||
+ */
|
|
||||||
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
|
||||||
+ unsigned char **bin, size_t *binlen)
|
|
||||||
+{
|
|
||||||
+ unsigned char *out = NULL;
|
|
||||||
+ size_t outlen = 0;
|
|
||||||
+
|
|
||||||
+ if (!hexlen)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+
|
|
||||||
+ outlen = (hexlen + 1) / 2;
|
|
||||||
+
|
|
||||||
+ out = calloc(1, outlen);
|
|
||||||
+ if (!out)
|
|
||||||
+ return -errno;
|
|
||||||
+
|
|
||||||
+ hex2bin(hex, hexlen, out, outlen);
|
|
||||||
+ *bin = out;
|
|
||||||
+ *binlen = outlen;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
|
||||||
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
|
||||||
+static char hex_char(unsigned int bin, int u)
|
|
||||||
+{
|
|
||||||
+ if (bin < sizeof(hex_char_map_l))
|
|
||||||
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
|
||||||
+ return 'X';
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Convert binary string into hex representation
|
|
||||||
+ * @bin input buffer with binary data
|
|
||||||
+ * @binlen length of bin
|
|
||||||
+ * @hex output buffer to store hex data
|
|
||||||
+ * @hexlen length of already allocated hex buffer (should be at least
|
|
||||||
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
|
||||||
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
|
||||||
+ */
|
|
||||||
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
|
||||||
+ char *hex, size_t hexlen, int u)
|
|
||||||
+{
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < chars; i++) {
|
|
||||||
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
|
||||||
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+struct kdf_cavs {
|
|
||||||
+ unsigned char *K;
|
|
||||||
+ size_t Klen;
|
|
||||||
+ unsigned char *H;
|
|
||||||
+ size_t Hlen;
|
|
||||||
+ unsigned char *session_id;
|
|
||||||
+ size_t session_id_len;
|
|
||||||
+
|
|
||||||
+ unsigned int iv_len;
|
|
||||||
+ unsigned int ek_len;
|
|
||||||
+ unsigned int ik_len;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+ struct kex kex;
|
|
||||||
+ struct ssh ssh;
|
|
||||||
+ BIGNUM *Kbn = NULL;
|
|
||||||
+ int mode = 0;
|
|
||||||
+ struct newkeys *keys_client;
|
|
||||||
+ struct newkeys *keys_server;
|
|
||||||
+
|
|
||||||
+#define HEXOUTLEN 500
|
|
||||||
+ char hex[HEXOUTLEN];
|
|
||||||
+
|
|
||||||
+ memset(&ssh, 0, sizeof(struct ssh));
|
|
||||||
+ memset(&kex, 0, sizeof(struct kex));
|
|
||||||
+ ssh.kex = &kex;
|
|
||||||
+
|
|
||||||
+ Kbn = BN_new();
|
|
||||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
|
||||||
+ if (!Kbn) {
|
|
||||||
+ printf("cannot convert K into BIGNUM\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ kex.session_id = test->session_id;
|
|
||||||
+ kex.session_id_len = test->session_id_len;
|
|
||||||
+
|
|
||||||
+ /* setup kex */
|
|
||||||
+
|
|
||||||
+ /* select the right hash based on struct ssh_digest digests */
|
|
||||||
+ switch (test->ik_len) {
|
|
||||||
+ case 20:
|
|
||||||
+ kex.hash_alg = 2;
|
|
||||||
+ break;
|
|
||||||
+ case 32:
|
|
||||||
+ kex.hash_alg = 3;
|
|
||||||
+ break;
|
|
||||||
+ case 48:
|
|
||||||
+ kex.hash_alg = 4;
|
|
||||||
+ break;
|
|
||||||
+ case 64:
|
|
||||||
+ kex.hash_alg = 5;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* implement choose_enc */
|
|
||||||
+ for (mode = 0; mode < 2; mode++) {
|
|
||||||
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
|
||||||
+ if (!kex.newkeys[mode]) {
|
|
||||||
+ printf("allocation of newkeys failed\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
|
||||||
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
|
||||||
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
|
||||||
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* implement kex_choose_conf */
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
|
||||||
+
|
|
||||||
+ /* MODE_OUT (1) -> server to client
|
|
||||||
+ * MODE_IN (0) -> client to server */
|
|
||||||
+ kex.server = 1;
|
|
||||||
+
|
|
||||||
+ /* do it */
|
|
||||||
+ kex_derive_keys_bn(&ssh, test->H, test->Hlen, Kbn);
|
|
||||||
+
|
|
||||||
+ keys_client = ssh.kex->newkeys[0];
|
|
||||||
+ keys_server = ssh.kex->newkeys[1];
|
|
||||||
+
|
|
||||||
+ /* get data */
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Initial IV (client to server) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Initial IV (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Encryption key (client to server) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Encryption key (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Integrity key (client to server) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ free(keys_client);
|
|
||||||
+ free(keys_server);
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ if (Kbn)
|
|
||||||
+ BN_free(Kbn);
|
|
||||||
+ if (kex.newkeys[0])
|
|
||||||
+ free(kex.newkeys[0]);
|
|
||||||
+ if (kex.newkeys[1])
|
|
||||||
+ free(kex.newkeys[1]);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void usage(void)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
|
||||||
+ fprintf(stderr, "Usage:\n");
|
|
||||||
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
|
||||||
+ fprintf(stderr, "\t-H\tHash string\n");
|
|
||||||
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
|
||||||
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
|
||||||
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
|
||||||
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Test command example:
|
|
||||||
+ * ./ssh-cavs -K 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 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
|
||||||
+ *
|
|
||||||
+ * Expected result for example:
|
|
||||||
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
|
||||||
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
|
||||||
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
|
||||||
+ * Initial IV (server to client) = 43dea6fdf263a308
|
|
||||||
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
|
||||||
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
|
||||||
+ */
|
|
||||||
+int main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+ struct kdf_cavs test;
|
|
||||||
+ int ret = 1;
|
|
||||||
+ int opt = 0;
|
|
||||||
+
|
|
||||||
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
|
||||||
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
|
||||||
+ {
|
|
||||||
+ size_t len = 0;
|
|
||||||
+ switch(opt)
|
|
||||||
+ {
|
|
||||||
+ /*
|
|
||||||
+ * CAVS K is MPINT
|
|
||||||
+ * we want a hex (i.e. the caller must ensure the
|
|
||||||
+ * following transformations already happened):
|
|
||||||
+ * 1. cut off first four bytes
|
|
||||||
+ * 2. if most significant bit of value is
|
|
||||||
+ * 1, prepend 0 byte
|
|
||||||
+ */
|
|
||||||
+ case 'K':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.K, &test.Klen);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 'H':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.H, &test.Hlen);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 's':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.session_id,
|
|
||||||
+ &test.session_id_len);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 'i':
|
|
||||||
+ test.iv_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ case 'e':
|
|
||||||
+ test.ek_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ case 'm':
|
|
||||||
+ test.ik_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ usage();
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sshkdf_cavs(&test);
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ if (test.session_id)
|
|
||||||
+ free(test.session_id);
|
|
||||||
+ if (test.K)
|
|
||||||
+ free(test.K);
|
|
||||||
+ if (test.H)
|
|
||||||
+ free(test.H);
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+}
|
|
@ -1,64 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 4821397c95e57962905e6d47554bef9e4ea57483
|
|
||||||
disable run-time check for OpenSSL ABI by version number as that is not a
|
|
||||||
reliable indicator of ABI changes and doesn't make much sense in a
|
|
||||||
distribution package
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
|
||||||
--- a/openssh-7.2p2/configure.ac
|
|
||||||
+++ b/openssh-7.2p2/configure.ac
|
|
||||||
@@ -4663,16 +4663,29 @@ AC_ARG_WITH([bsd-auth],
|
|
||||||
if test "x$withval" != "xno" ; then
|
|
||||||
AC_DEFINE([BSD_AUTH], [1],
|
|
||||||
[Define if you have BSD auth support])
|
|
||||||
BSD_AUTH_MSG=yes
|
|
||||||
fi
|
|
||||||
]
|
|
||||||
)
|
|
||||||
|
|
||||||
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
|
||||||
+DISTRO_SSL=no
|
|
||||||
+AC_ARG_WITH([distro-ssl],
|
|
||||||
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
|
||||||
+ [
|
|
||||||
+ if test "x$withval" != "xno" ; then
|
|
||||||
+ AC_DEFINE([DISTRO_SSL], [1],
|
|
||||||
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
|
||||||
+ DISTRO_SSL=yes
|
|
||||||
+ fi
|
|
||||||
+ ]
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
# Where to place sshd.pid
|
|
||||||
piddir=/var/run
|
|
||||||
# make sure the directory exists
|
|
||||||
if test ! -d $piddir ; then
|
|
||||||
piddir=`eval echo ${sysconfdir}`
|
|
||||||
case $piddir in
|
|
||||||
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
|
|
||||||
esac
|
|
||||||
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
|
|
||||||
--- a/openssh-7.2p2/entropy.c
|
|
||||||
+++ b/openssh-7.2p2/entropy.c
|
|
||||||
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
|
|
||||||
#endif /* OPENSSL_PRNG_ONLY */
|
|
||||||
|
|
||||||
void
|
|
||||||
seed_rng(void)
|
|
||||||
{
|
|
||||||
#ifndef OPENSSL_PRNG_ONLY
|
|
||||||
unsigned char buf[RANDOM_SEED_SIZE];
|
|
||||||
#endif
|
|
||||||
+#ifndef DISTRO_SSL
|
|
||||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
|
||||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
|
||||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#ifndef OPENSSL_PRNG_ONLY
|
|
||||||
if (RAND_status() == 1) {
|
|
||||||
debug3("RNG is ready, skipping seeding");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
|
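--- a/PLACEHOLDER_DELETED_PATCH_PATH_not_on_page
+++ /dev/null
@@ -1,695 +0,0 @@
-# HG changeset patch
-# Parent 7b5f436e0026923299fdd1994f8da8fd9948be7c
-
-Raise minimal size of DH group parameters to 2048 bits like upstream did in
-7.2. 1024b values are believed to be in breaking range for state adversaries
-and the default moduli shipped with openssh have been around long enough to
-make it more likely for them to be broken.
-
-Also provide an option that allows the client to accept shorter (RFC4419
-compliant) parameters.
-
-CVE-2015-4000 (LOGJAM)
-bsc#932483
-
-diff --git a/openssh-7.2p2/dh.c b/openssh-7.2p2/dh.c
---- a/openssh-7.2p2/dh.c
-+++ b/openssh-7.2p2/dh.c
-@@ -37,16 +37,18 @@
-#include <limits.h>
-
-#include "dh.h"
-#include "pathnames.h"
-#include "log.h"
-#include "misc.h"
-#include "ssherr.h"
-
-+int dh_grp_min = DH_GRP_MIN;
-+
-static int
-parse_prime(int linenum, char *line, struct dhgroup *dhg)
-{
-char *cp, *arg;
-char *strsize, *gen, *prime;
-const char *errstr = NULL;
-long long n;
-
-diff --git a/openssh-7.2p2/dh.h b/openssh-7.2p2/dh.h
---- a/openssh-7.2p2/dh.h
-+++ b/openssh-7.2p2/dh.h
-@@ -43,16 +43,17 @@ int dh_gen_key(DH *, int);
-int dh_pub_is_valid(DH *, BIGNUM *);
-
-u_int dh_estimate(int);
-
-/*
-* Max value from RFC4419.
-* Miniumum increased in light of DH precomputation attacks.
-*/
-+#define DH_GRP_MIN_RFC 1024
-#define DH_GRP_MIN 2048
-#define DH_GRP_MAX 8192
-
-/*
-* Values for "type" field of moduli(5)
-* Specifies the internal structure of the prime modulus.
-*/
-#define MODULI_TYPE_UNKNOWN (0)
-diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
---- a/openssh-7.2p2/kexgexc.c
-+++ b/openssh-7.2p2/kexgexc.c
-@@ -46,29 +46,32 @@
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-#include "compat.h"
-#include "dispatch.h"
-#include "ssherr.h"
-#include "sshbuf.h"
-
-+/* import from dh.c */
-+extern int dh_grp_min;
-+
-static int input_kex_dh_gex_group(int, u_int32_t, void *);
-static int input_kex_dh_gex_reply(int, u_int32_t, void *);
-
-int
-kexgex_client(struct ssh *ssh)
-{
-struct kex *kex = ssh->kex;
-int r;
-u_int nbits;
-
-nbits = dh_estimate(kex->dh_need * 8);
-
-- kex->min = DH_GRP_MIN;
-+ kex->min = dh_grp_min;
-kex->max = DH_GRP_MAX;
-kex->nbits = nbits;
-if (datafellows & SSH_BUG_DHGEX_LARGE)
-kex->nbits = MIN(kex->nbits, 4096);
-/* New GEX request */
-if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
-(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
-(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
-@@ -104,16 +107,22 @@ input_kex_dh_gex_group(int type, u_int32
-goto out;
-}
-if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
-(r = sshpkt_get_bignum2(ssh, g)) != 0 ||
-(r = sshpkt_get_end(ssh)) != 0)
-goto out;
-if ((bits = BN_num_bits(p)) < 0 ||
-(u_int)bits < kex->min || (u_int)bits > kex->max) {
-+ if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
-+ logit("DH parameter offered by the server (%d bits) "
-+ "is considered insecure. "
-+ "You can lower the accepted the minimum "
-+ "via the KexDHMin option.",
-+ bits);
-r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
-goto out;
-}
-if ((kex->dh = dh_new_group(g, p)) == NULL) {
-r = SSH_ERR_ALLOC_FAIL;
-goto out;
-}
-p = g = NULL; /* belong to kex->dh now */
-diff --git a/openssh-7.2p2/kexgexs.c b/openssh-7.2p2/kexgexs.c
---- a/openssh-7.2p2/kexgexs.c
-+++ b/openssh-7.2p2/kexgexs.c
-@@ -49,16 +49,19 @@
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "dispatch.h"
-#include "ssherr.h"
-#include "sshbuf.h"
-
-+/* import from dh.c */
-+extern int dh_grp_min;
-+
-static int input_kex_dh_gex_request(int, u_int32_t, void *);
-static int input_kex_dh_gex_init(int, u_int32_t, void *);
-
-int
-kexgex_server(struct ssh *ssh)
-{
-ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
-&input_kex_dh_gex_request);
-@@ -78,23 +81,29 @@ input_kex_dh_gex_request(int type, u_int
-if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
-(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
-(r = sshpkt_get_u32(ssh, &max)) != 0 ||
-(r = sshpkt_get_end(ssh)) != 0)
-goto out;
-kex->nbits = nbits;
-kex->min = min;
-kex->max = max;
-- min = MAX(DH_GRP_MIN, min);
-+ min = MAX(dh_grp_min, min);
-max = MIN(DH_GRP_MAX, max);
-- nbits = MAX(DH_GRP_MIN, nbits);
-+ nbits = MAX(dh_grp_min, nbits);
-nbits = MIN(DH_GRP_MAX, nbits);
-
-if (kex->max < kex->min || kex->nbits < kex->min ||
-kex->max < kex->nbits) {
-+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
-+ logit("DH parameter requested by the client (%d bits) "
-+ "is considered insecure. "
-+ "You can lower the accepted minimum "
-+ "via the KexDHMin option.",
-+ kex->nbits);
-r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
-goto out;
-}
-
-/* Contact privileged parent */
-kex->dh = PRIVSEP(choose_dh(min, nbits, max));
-if (kex->dh == NULL) {
-sshpkt_disconnect(ssh, "no matching DH grp found");
-diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
---- a/openssh-7.2p2/readconf.c
-+++ b/openssh-7.2p2/readconf.c
-@@ -56,16 +56,17 @@
-#include "misc.h"
-#include "readconf.h"
-#include "match.h"
-#include "kex.h"
-#include "mac.h"
-#include "uidswap.h"
-#include "myproposal.h"
-#include "digest.h"
-+#include "dh.h"
-
-/* Format of the configuration file:
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-@@ -148,17 +149,18 @@ typedef enum {
-oClearAllForwardings, oNoHostAuthenticationForLocalhost,
-oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
-oSendEnv, oControlPath, oControlMaster, oControlPersist,
-oHashKnownHosts,
-oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-oVisualHostKey,
-- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-+ oKexAlgorithms, oKexDHMin,
-+ oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
-oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
-oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
-oPubkeyAcceptedKeyTypes,
-oIgnoredUnknownOption, oDeprecated, oUnsupported
-} OpCodes;
-
-@@ -260,16 +262,17 @@ static struct {
-{ "hashknownhosts", oHashKnownHosts },
-{ "tunnel", oTunnel },
-{ "tunneldevice", oTunnelDevice },
-{ "localcommand", oLocalCommand },
-{ "permitlocalcommand", oPermitLocalCommand },
-{ "visualhostkey", oVisualHostKey },
-{ "useroaming", oDeprecated },
-{ "kexalgorithms", oKexAlgorithms },
-+ { "kexdhmin", oKexDHMin },
-{ "ipqos", oIPQoS },
-{ "requesttty", oRequestTTY },
-{ "proxyusefdpass", oProxyUseFdpass },
-{ "canonicaldomains", oCanonicalDomains },
-{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
-{ "canonicalizehostname", oCanonicalizeHostname },
-{ "canonicalizemaxdots", oCanonicalizeMaxDots },
-{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
-@@ -280,16 +283,19 @@ static struct {
-{ "updatehostkeys", oUpdateHostkeys },
-{ "hostbasedkeytypes", oHostbasedKeyTypes },
-{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
-{ "ignoreunknown", oIgnoreUnknown },
-
-{ NULL, oBadOption }
-};
-
-+/* import from dh.c */
-+extern int dh_grp_min;
-+
-/*
-* Adds a local TCP/IP port forward to options. Never returns if there is an
-* error.
-*/
-
-void
-add_local_forward(Options *options, const struct Forward *newfwd)
-{
-@@ -1157,16 +1163,20 @@ parse_int:
-filename, linenum);
-if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
-fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
-filename, linenum, arg ? arg : "<NONE>");
-if (*activep && options->kex_algorithms == NULL)
-options->kex_algorithms = xstrdup(arg);
-break;
-
-+ case oKexDHMin:
-+ intptr = &options->kex_dhmin;
-+ goto parse_int;
-+
-case oHostKeyAlgorithms:
-charptr = &options->hostkeyalgorithms;
-parse_keytypes:
-arg = strdelim(&s);
-if (!arg || *arg == '\0')
-fatal("%.200s line %d: Missing argument.",
-filename, linenum);
-if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
-@@ -1664,16 +1674,17 @@ initialize_options(Options * options)
-options->address_family = -1;
-options->connection_attempts = -1;
-options->connection_timeout = -1;
-options->number_of_password_prompts = -1;
-options->cipher = -1;
-options->ciphers = NULL;
-options->macs = NULL;
-options->kex_algorithms = NULL;
-+ options->kex_dhmin = -1;
-options->hostkeyalgorithms = NULL;
-options->protocol = SSH_PROTO_UNKNOWN;
-options->num_identity_files = 0;
-options->num_certificate_files = 0;
-options->hostname = NULL;
-options->host_key_alias = NULL;
-options->proxy_command = NULL;
-options->user = NULL;
-@@ -1805,16 +1816,23 @@ fill_default_options(Options * options)
-options->address_family = AF_UNSPEC;
-if (options->connection_attempts == -1)
-options->connection_attempts = 1;
-if (options->number_of_password_prompts == -1)
-options->number_of_password_prompts = 3;
-/* Selected in ssh_login(). */
-if (options->cipher == -1)
-options->cipher = SSH_CIPHER_NOT_SET;
-+ if (options->kex_dhmin == -1)
-+ options->kex_dhmin = DH_GRP_MIN_RFC;
-+ else {
-+ options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
-+ options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
-+ }
-+ dh_grp_min = options->kex_dhmin;
-/* options->hostkeyalgorithms, default set in myproposals.h */
-if (options->protocol == SSH_PROTO_UNKNOWN)
-options->protocol = SSH_PROTO_2;
-if (options->add_keys_to_agent == -1)
-options->add_keys_to_agent = 0;
-if (options->num_identity_files == 0) {
-if (options->protocol & SSH_PROTO_1) {
-add_identity_file(options, "~/",
-diff --git a/openssh-7.2p2/readconf.h b/openssh-7.2p2/readconf.h
---- a/openssh-7.2p2/readconf.h
-+++ b/openssh-7.2p2/readconf.h
-@@ -69,16 +69,17 @@ typedef struct {
-* aborting connection attempt */
-int number_of_password_prompts; /* Max number of password
-* prompts. */
-int cipher; /* Cipher to use. */
-char *ciphers; /* SSH2 ciphers in order of preference. */
-char *macs; /* SSH2 macs in order of preference. */
-char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
-char *kex_algorithms; /* SSH2 kex methods in order of preference. */
-+ int kex_dhmin; /* minimum bit length of the DH group parameter */
-int protocol; /* Protocol in order of preference. */
-char *hostname; /* Real host to connect. */
-char *host_key_alias; /* hostname alias for .ssh/known_hosts */
-char *proxy_command; /* Proxy command for connecting the host. */
-char *user; /* User to log in as. */
-int escape_char; /* Escape character; -2 = none */
-
-u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
-diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
---- a/openssh-7.2p2/servconf.c
-+++ b/openssh-7.2p2/servconf.c
-@@ -52,16 +52,20 @@
-#include "channels.h"
-#include "groupaccess.h"
-#include "canohost.h"
-#include "packet.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "myproposal.h"
-#include "digest.h"
-+#include "dh.h"
-+
-+/* import from dh.c */
-+extern int dh_grp_min;
-
-static void add_listen_addr(ServerOptions *, char *, int);
-static void add_one_listen_addr(ServerOptions *, char *, int);
-
-/* Use of privilege separation or not */
-extern int use_privsep;
-extern Buffer cfg;
-
-@@ -134,16 +138,17 @@ initialize_server_options(ServerOptions
-options->allow_agent_forwarding = -1;
-options->num_allow_users = 0;
-options->num_deny_users = 0;
-options->num_allow_groups = 0;
-options->num_deny_groups = 0;
-options->ciphers = NULL;
-options->macs = NULL;
-options->kex_algorithms = NULL;
-+ options->kex_dhmin = -1;
-options->protocol = SSH_PROTO_UNKNOWN;
-options->fwd_opts.gateway_ports = -1;
-options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
-options->fwd_opts.streamlocal_bind_unlink = -1;
-options->num_subsystems = 0;
-options->max_startups_begin = -1;
-options->max_startups_rate = -1;
-options->max_startups = -1;
-@@ -199,16 +204,23 @@ fill_default_server_options(ServerOption
-int i;
-
-/* Portable-specific options */
-if (options->use_pam == -1)
-options->use_pam = 0;
-if (options->use_pam_check_locks == -1)
-options->use_pam_check_locks = 0;
-
-+ if (options->kex_dhmin == -1)
-+ options->kex_dhmin = DH_GRP_MIN_RFC;
-+ else {
-+ options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
-+ options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
-+ }
-+ dh_grp_min = options->kex_dhmin;
-/* Standard Options */
-if (options->protocol == SSH_PROTO_UNKNOWN)
-options->protocol = SSH_PROTO_2;
-if (options->num_host_key_files == 0) {
-/* fill default hostkeys for protocols */
-if (options->protocol & SSH_PROTO_1)
-options->host_key_files[options->num_host_key_files++] =
-_PATH_HOST_KEY_FILE;
-@@ -423,17 +435,18 @@ typedef enum {
-sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-sAcceptEnv, sPermitTunnel,
-sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-sUsePrivilegeSeparation, sAllowAgentForwarding,
-sHostCertificate,
-sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
-- sKexAlgorithms, sIPQoS, sVersionAddendum,
-+ sKexAlgorithms, sKexDHMin,
-+ sIPQoS, sVersionAddendum,
-sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
-sStreamLocalBindMask, sStreamLocalBindUnlink,
-sAllowStreamLocalForwarding, sFingerprintHash,
-sDeprecated, sUnsupported
-} ServerOpCodes;
-
-#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
-@@ -561,16 +574,17 @@ static struct {
-{ "permitopen", sPermitOpen, SSHCFG_ALL },
-{ "forcecommand", sForceCommand, SSHCFG_ALL },
-{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
-{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
-{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
-{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-+ { "kexdhmin", sKexDHMin },
-{ "ipqos", sIPQoS, SSHCFG_ALL },
-{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
-{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
-{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
-{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
-{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
-{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
-@@ -1481,16 +1495,20 @@ process_server_config_line(ServerOptions
-filename, linenum);
-if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
-fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
-filename, linenum, arg ? arg : "<NONE>");
-if (options->kex_algorithms == NULL)
-options->kex_algorithms = xstrdup(arg);
-break;
-
-+ case sKexDHMin:
-+ intptr = &options->kex_dhmin;
-+ goto parse_int;
-+
-case sProtocol:
-intptr = &options->protocol;
-arg = strdelim(&cp);
-if (!arg || *arg == '\0')
-fatal("%s line %d: Missing argument.", filename, linenum);
-value = proto_spec(arg);
-if (value == SSH_PROTO_UNKNOWN)
-fatal("%s line %d: Bad protocol spec '%s'.",
-@@ -2247,16 +2265,17 @@ dump_config(ServerOptions *o)
-dump_cfg_int(sLoginGraceTime, o->login_grace_time);
-dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
-dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
-dump_cfg_int(sMaxAuthTries, o->max_authtries);
-dump_cfg_int(sMaxSessions, o->max_sessions);
-dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
-dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
-dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
-+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
-
-/* formatted integer arguments */
-dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
-dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
-dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
-dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
-dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
-dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
-diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
---- a/openssh-7.2p2/servconf.h
-+++ b/openssh-7.2p2/servconf.h
-@@ -88,16 +88,17 @@ typedef struct {
-int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
-int strict_modes; /* If true, require string home dir modes. */
-int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
-int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
-int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
-char *ciphers; /* Supported SSH2 ciphers. */
-char *macs; /* Supported SSH2 macs. */
-char *kex_algorithms; /* SSH2 kex methods in order of preference. */
-+ int kex_dhmin; /* minimum bit length of the DH group parameter */
-int protocol; /* Supported protocol versions. */
-struct ForwardOptions fwd_opts; /* forwarding options */
-SyslogFacility log_facility; /* Facility for system logging. */
-LogLevel log_level; /* Level for system logging. */
-int rhosts_rsa_authentication; /* If true, permit rhosts RSA
-* authentication. */
-int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
-int hostbased_uses_name_from_packet_only; /* experimental */
-diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
---- a/openssh-7.2p2/ssh_config
-+++ b/openssh-7.2p2/ssh_config
-@@ -12,16 +12,21 @@
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-+# Minimum accepted size of the DH parameter p. By default this is set to 1024
-+# to maintain compatibility with RFC4419, but should be set higher.
-+# Upstream default is identical to setting this to 2048.
-+#KexDHMin 1024
-+
-Host *
-# ForwardAgent no
-# ForwardX11 no
-
-# If you do not trust your remote host (or its administrator), you
-# should not forward X11 connections to your local X11-display for
-# security reasons: Someone stealing the authentification data on the
-# remote side (the "spoofed" X-server by the remote sshd) can read your
-diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
---- a/openssh-7.2p2/ssh_config.0
-+++ b/openssh-7.2p2/ssh_config.0
-@@ -606,16 +606,33 @@ DESCRIPTION
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
-diffie-hellman-group14-sha1
-
-The list of available key exchange algorithms may also be
-obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
-
-+ KexDHMin
-+ Specifies the minimum accepted bit length of the DH group
-+ parameter p.
-+
-+ As per RFC4419, this is 1024 bits, however this has increasingly
-+ been seen as insecure, which prompted the change to 2048 bits.
-+ Setting this option allows the client to accept parameters shorter
-+ than the current minimum, down to the RFC specified 1024 bits.
-+ Using this option may be needed when connecting to servers that
-+ only know short DH group parameters.
-+
-+ Note, that while by default this option is set to 1024 to maintain
-+ maximum backward compatibility, using it can severly impact
-+ security and thus should be viewed as a temporary fix of last
-+ resort and all efforts should be made to fix the (broken)
-+ counterparty.
-+
-LocalCommand
-Specifies a command to execute on the local machine after
-successfully connecting to the server. The command string
-extends to the end of the line, and is executed with the user's
-shell. The following escape character substitutions will be
-performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host
-name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the
-command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or
-diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
---- a/openssh-7.2p2/ssh_config.5
-+++ b/openssh-7.2p2/ssh_config.5
-@@ -1092,16 +1092,32 @@ diffie-hellman-group14-sha1
-.Ed
-.Pp
-The list of available key exchange algorithms may also be obtained using the
-.Fl Q
-option of
-.Xr ssh 1
-with an argument of
-.Dq kex .
-+.It Cm KexDHMin
-+Specifies the minimum accepted bit length of the DH group
-+parameter p.
-+.Pp
-+As per RFC4419, this is 1024 bits, however this has increasingly
-+been seen as insecure, which prompted the change to 2048 bits.
-+Setting this option allows the client to accept parameters shorter
-+than the current minimum, down to the RFC specified 1024 bits.
-+Using this option may be needed when connecting to servers that
-+only know short DH group parameters.
-+.Pp
-+Note, that while by default this option is set to 1024 to maintain
-+maximum backward compatibility, using it can severly impact
-+security and thus should be viewed as a temporary fix of last
-+resort and all efforts should be made to fix the (broken)
-+counterparty.
-.It Cm LocalCommand
-Specifies a command to execute on the local machine after successfully
-connecting to the server.
-The command string extends to the end of the line, and is executed with
-the user's shell.
-The following escape character substitutions will be performed:
-.Ql %d
-(local user's home directory),
-diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
---- a/openssh-7.2p2/sshd_config
-+++ b/openssh-7.2p2/sshd_config
-@@ -21,16 +21,21 @@
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-+# Minimum accepted size of the DH parameter p. By default this is set to 1024
-+# to maintain compatibility with RFC4419, but should be set higher.
-+# Upstream default is identical to setting this to 2048.
-+#KexDHMin 1024
-+
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
---- a/openssh-7.2p2/sshd_config.0
-+++ b/openssh-7.2p2/sshd_config.0
-@@ -539,16 +539,33 @@ DESCRIPTION
-curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group14-sha1
-
-The list of available key exchange algorithms may also be
-obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
-
-+ KexDHMin
-+ Specifies the minimum accepted bit length of the DH group
-+ parameter p.
-+
-+ As per RFC4419, this is 1024 bits, however this has increasingly
-+ been seen as insecure, which prompted the change to 2048 bits.
-+ Setting this option allows the server to accept parameters shorter
-+ than the current minimum, down to the RFC specified 1024 bits.
-+ Using this option may be needed when some of the connectiong
-+ clients only know short DH group parameters.
-+
-+ Note, that while by default this option is set to 1024 to maintain
-+ maximum backward compatibility, using it can severly impact
-+ security and thus should be viewed as a temporary fix of last
-+ resort and all efforts should be made to fix the (broken)
-+ counterparty.
-+
-KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically
-regenerated after this many seconds (if it has been used). The
-purpose of regeneration is to prevent decrypting captured
-sessions by later breaking into the machine and stealing the
-keys. The key is never stored anywhere. If the value is 0, the
-key is never regenerated. The default is 3600 (seconds).
-
-diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
---- a/openssh-7.2p2/sshd_config.5
-+++ b/openssh-7.2p2/sshd_config.5
-@@ -895,16 +895,32 @@ diffie-hellman-group14-sha1
-.Ed
-.Pp
-The list of available key exchange algorithms may also be obtained using the
-.Fl Q
-option of
-.Xr ssh 1
-with an argument of
-.Dq kex .
-+.It Cm KexDHMin
-+Specifies the minimum accepted bit length of the DH group
-+parameter p.
-+.Pp
-+As per RFC4419, this is 1024 bits, however this has increasingly
-+been seen as insecure, which prompted the change to 2048 bits.
-+Setting this option allows the server to accept parameters shorter
-+than the current minimum, down to the RFC specified 1024 bits.
-+Using this option may be needed when some of the connectiong
-+clients only know short DH group parameters.
-+.Pp
-+Note, that while by default this option is set to 1024 to maintain
-+maximum backward compatibility, using it can severly impact
-+security and thus should be viewed as a temporary fix of last
-+resort and all efforts should be made to fix the (broken)
-+counterparty.
-.It Cm KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically regenerated
-after this many seconds (if it has been used).
-The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.
-The key is never stored anywhere.
-If the value is 0, the key is never regenerated.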
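--- a/PLACEHOLDER_DELETED_PATCH_PATH_not_on_page
+++ /dev/null
@@ -1,29 +0,0 @@
-# HG changeset patch
-# Parent e4886597a8984ae1594b6866fe1b232370b23529
-# posix threads are generally not supported nor safe
-# (see upstream log from 2005-05-24)
-# --used to be called '-pam-fix3'
-
-diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c
---- a/openssh-7.2p2/auth-pam.c
-+++ b/openssh-7.2p2/auth-pam.c
-@@ -782,17 +782,19 @@ sshpam_query(void *ctx, char **name, cha
-}
-if (type == PAM_SUCCESS) {
-if (!sshpam_authctxt->valid ||
-(sshpam_authctxt->pw->pw_uid == 0 &&
-options.permit_root_login != PERMIT_YES))
-fatal("Internal error: PAM auth "
-"succeeded when it should have "
-"failed");
-+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
-import_environments(&buffer);
-+#endif
-*num = 0;
-**echo_on = 0;
-ctxt->pam_done = 1;
-free(msg);
-return (0);
-}
-error("PAM: %s for %s%.100s from %.100s", msg,
-sshpam_authctxt->valid ? "" : "illegal user ",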
@ -1,87 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent f19426f2fa9c634474e635bf33b86acea0518f6d
|
|
||||||
fix paths and references in sshd man pages
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
|
||||||
--- a/openssh-7.2p2/sshd.8
|
|
||||||
+++ b/openssh-7.2p2/sshd.8
|
|
||||||
@@ -901,17 +901,17 @@ See
|
|
||||||
If this file exists,
|
|
||||||
.Nm
|
|
||||||
refuses to let anyone except root log in.
|
|
||||||
The contents of the file
|
|
||||||
are displayed to anyone trying to log in, and non-root connections are
|
|
||||||
refused.
|
|
||||||
The file should be world-readable.
|
|
||||||
.Pp
|
|
||||||
-.It Pa /etc/shosts.equiv
|
|
||||||
+.It Pa /etc/ssh/shosts.equiv
|
|
||||||
This file is used in exactly the same way as
|
|
||||||
.Pa hosts.equiv ,
|
|
||||||
but allows host-based authentication without permitting login with
|
|
||||||
rlogin/rsh.
|
|
||||||
.Pp
|
|
||||||
.It Pa /etc/ssh/ssh_host_key
|
|
||||||
.It Pa /etc/ssh/ssh_host_dsa_key
|
|
||||||
.It Pa /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
@@ -981,17 +981,17 @@ The content of this file is not sensitiv
|
|
||||||
.Xr scp 1 ,
|
|
||||||
.Xr sftp 1 ,
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
.Xr ssh-agent 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
.Xr ssh-keyscan 1 ,
|
|
||||||
.Xr chroot 2 ,
|
|
||||||
-.Xr login.conf 5 ,
|
|
||||||
+.Xr login.defs 5 ,
|
|
||||||
.Xr moduli 5 ,
|
|
||||||
.Xr sshd_config 5 ,
|
|
||||||
.Xr inetd 8 ,
|
|
||||||
.Xr sftp-server 8
|
|
||||||
.Sh AUTHORS
|
|
||||||
OpenSSH is a derivative of the original and free
|
|
||||||
ssh 1.2.12 release by Tatu Ylonen.
|
|
||||||
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|
||||||
--- a/openssh-7.2p2/sshd_config.5
|
|
||||||
+++ b/openssh-7.2p2/sshd_config.5
|
|
||||||
@@ -370,18 +370,17 @@ for details).
|
|
||||||
The contents of the specified file are sent to the remote user before
|
|
||||||
authentication is allowed.
|
|
||||||
If the argument is
|
|
||||||
.Dq none
|
|
||||||
then no banner is displayed.
|
|
||||||
By default, no banner is displayed.
|
|
||||||
.It Cm ChallengeResponseAuthentication
|
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
|
||||||
-PAM or through authentication styles supported in
|
|
||||||
-.Xr login.conf 5 )
|
|
||||||
+PAM)
|
|
||||||
The default is
|
|
||||||
.Dq yes .
|
|
||||||
.It Cm ChrootDirectory
|
|
||||||
Specifies the pathname of a directory to
|
|
||||||
.Xr chroot 2
|
|
||||||
to after authentication.
|
|
||||||
At session startup
|
|
||||||
.Xr sshd 8
|
|
||||||
@@ -766,17 +765,17 @@ and
|
|
||||||
.Pa .shosts
|
|
||||||
files will not be used in
|
|
||||||
.Cm RhostsRSAAuthentication
|
|
||||||
or
|
|
||||||
.Cm HostbasedAuthentication .
|
|
||||||
.Pp
|
|
||||||
.Pa /etc/hosts.equiv
|
|
||||||
and
|
|
||||||
-.Pa /etc/shosts.equiv
|
|
||||||
+.Pa /etc/ssh/shosts.equiv
|
|
||||||
are still used.
|
|
||||||
The default is
|
|
||||||
.Dq yes .
|
|
||||||
.It Cm IgnoreUserKnownHosts
|
|
||||||
Specifies whether
|
|
||||||
.Xr sshd 8
|
|
||||||
should ignore the user's
|
|
||||||
.Pa ~/.ssh/known_hosts
|
|
@ -1,47 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 980f301b2920c09b30577dd722546bca85d25fc1
|
|
||||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
|
||||||
# bnc#46749
|
|
||||||
# --used to be called '-pam-fix2'
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
|
||||||
--- a/openssh-7.2p2/sshd_config
|
|
||||||
+++ b/openssh-7.2p2/sshd_config
|
|
||||||
@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
#HostbasedAuthentication no
|
|
||||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
|
||||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
|
||||||
#IgnoreUserKnownHosts no
|
|
||||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
||||||
#IgnoreRhosts yes
|
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
|
||||||
-#PasswordAuthentication yes
|
|
||||||
+PasswordAuthentication no
|
|
||||||
#PermitEmptyPasswords no
|
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
|
||||||
#ChallengeResponseAuthentication yes
|
|
||||||
|
|
||||||
# Kerberos options
|
|
||||||
#KerberosAuthentication no
|
|
||||||
#KerberosOrLocalPasswd yes
|
|
||||||
@@ -89,17 +89,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
|
||||||
# be allowed through the ChallengeResponseAuthentication and
|
|
||||||
# PasswordAuthentication. Depending on your PAM configuration,
|
|
||||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
|
||||||
# the setting of "PermitRootLogin without-password".
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
-#UsePAM no
|
|
||||||
+UsePAM yes
|
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
|
||||||
#AllowTcpForwarding yes
|
|
||||||
#GatewayPorts no
|
|
||||||
X11Forwarding yes
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
@ -1,29 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent e2f9b3303b4a4ed5d0e5f01009dd1ebea166890d
|
|
||||||
Suggest command line for removal of offending keys from known_hosts file
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c
|
|
||||||
--- a/openssh-7.2p2/sshconnect.c
|
|
||||||
+++ b/openssh-7.2p2/sshconnect.c
|
|
||||||
@@ -1086,16 +1086,21 @@ check_host_key(char *hostname, struct so
|
|
||||||
ip_found->file, ip_found->line);
|
|
||||||
}
|
|
||||||
/* The host key has changed. */
|
|
||||||
warn_changed_key(host_key);
|
|
||||||
error("Add correct host key in %.100s to get rid of this message.",
|
|
||||||
user_hostfiles[0]);
|
|
||||||
error("Offending %s key in %s:%lu", key_type(host_found->key),
|
|
||||||
host_found->file, host_found->line);
|
|
||||||
+ error("You can use following command to remove the offending key:");
|
|
||||||
+ if (host_found->file)
|
|
||||||
+ error("ssh-keygen -R %s -f %s", host, host_found->file);
|
|
||||||
+ else
|
|
||||||
+ error("ssh-keygen -R %s", host);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If strict host key checking is in use, the user will have
|
|
||||||
* to edit the key manually and we can only abort.
|
|
||||||
*/
|
|
||||||
if (options.strict_host_key_checking) {
|
|
||||||
error("%s host key for %.200s has changed and you have "
|
|
||||||
"requested strict checking.", type, host);
|
|
@ -1,145 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent f7ba2081f120bd1e44dbe68737c898f078725aab
|
|
||||||
# -- uset do be called '-xauthlocalhostname'
|
|
||||||
handle hostname changes when forwarding X
|
|
||||||
|
|
||||||
bnc#98627
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|
||||||
--- a/openssh-7.2p2/session.c
|
|
||||||
+++ b/openssh-7.2p2/session.c
|
|
||||||
@@ -1154,17 +1154,17 @@ copy_environment(char **source, char ***
|
|
||||||
debug3("Copy environment: %s=%s", var_name, var_val);
|
|
||||||
child_set_env(env, envsize, var_name, var_val);
|
|
||||||
|
|
||||||
free(var_name);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static char **
|
|
||||||
-do_setup_env(Session *s, const char *shell)
|
|
||||||
+do_setup_env(Session *s, const char *shell, int *env_size)
|
|
||||||
{
|
|
||||||
char buf[256];
|
|
||||||
u_int i, envsize;
|
|
||||||
char **env, *laddr;
|
|
||||||
struct passwd *pw = s->pw;
|
|
||||||
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
|
|
||||||
char *path = NULL;
|
|
||||||
#endif
|
|
||||||
@@ -1341,25 +1341,27 @@ do_setup_env(Session *s, const char *she
|
|
||||||
read_environment_file(&env, &envsize, buf);
|
|
||||||
}
|
|
||||||
if (debug_flag) {
|
|
||||||
/* dump the environment */
|
|
||||||
fprintf(stderr, "Environment:\n");
|
|
||||||
for (i = 0; env[i]; i++)
|
|
||||||
fprintf(stderr, " %.200s\n", env[i]);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ *env_size = envsize;
|
|
||||||
return env;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
|
|
||||||
* first in this order).
|
|
||||||
*/
|
|
||||||
static void
|
|
||||||
-do_rc_files(Session *s, const char *shell)
|
|
||||||
+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
|
|
||||||
{
|
|
||||||
FILE *f = NULL;
|
|
||||||
char cmd[1024];
|
|
||||||
int do_xauth;
|
|
||||||
struct stat st;
|
|
||||||
|
|
||||||
do_xauth =
|
|
||||||
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
|
|
||||||
@@ -1404,22 +1406,30 @@ do_rc_files(Session *s, const char *shel
|
|
||||||
"%.500s add %.100s %.100s %.100s\n",
|
|
||||||
options.xauth_location, s->auth_display,
|
|
||||||
s->auth_proto, s->auth_data);
|
|
||||||
}
|
|
||||||
snprintf(cmd, sizeof cmd, "%s -q -",
|
|
||||||
options.xauth_location);
|
|
||||||
f = popen(cmd, "w");
|
|
||||||
if (f) {
|
|
||||||
+ char hostname[MAXHOSTNAMELEN];
|
|
||||||
+
|
|
||||||
fprintf(f, "remove %s\n",
|
|
||||||
s->auth_display);
|
|
||||||
fprintf(f, "add %s %s %s\n",
|
|
||||||
s->auth_display, s->auth_proto,
|
|
||||||
s->auth_data);
|
|
||||||
pclose(f);
|
|
||||||
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
|
|
||||||
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
|
|
||||||
+ hostname);
|
|
||||||
+ else
|
|
||||||
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
|
|
||||||
+ strerror(errno));
|
|
||||||
} else {
|
|
||||||
fprintf(stderr, "Could not run %s\n",
|
|
||||||
cmd);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -1681,16 +1691,17 @@ child_close_fds(void)
|
|
||||||
* ids, and executing the command or shell.
|
|
||||||
*/
|
|
||||||
#define ARGV_MAX 10
|
|
||||||
void
|
|
||||||
do_child(Session *s, const char *command)
|
|
||||||
{
|
|
||||||
extern char **environ;
|
|
||||||
char **env;
|
|
||||||
+ int env_size;
|
|
||||||
char *argv[ARGV_MAX];
|
|
||||||
const char *shell, *shell0, *hostname = NULL;
|
|
||||||
struct passwd *pw = s->pw;
|
|
||||||
int r = 0;
|
|
||||||
|
|
||||||
/* remove hostkey from the child's memory */
|
|
||||||
destroy_sensitive_data();
|
|
||||||
|
|
||||||
@@ -1747,17 +1758,17 @@ do_child(Session *s, const char *command
|
|
||||||
* legal, and means /bin/sh.
|
|
||||||
*/
|
|
||||||
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Make sure $SHELL points to the shell from the password file,
|
|
||||||
* even if shell is overridden from login.conf
|
|
||||||
*/
|
|
||||||
- env = do_setup_env(s, shell);
|
|
||||||
+ env = do_setup_env(s, shell, &env_size);
|
|
||||||
|
|
||||||
#ifdef HAVE_LOGIN_CAP
|
|
||||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* we have to stash the hostname before we close our socket. */
|
|
||||||
if (options.use_login)
|
|
||||||
hostname = get_remote_name_or_ip(utmp_len,
|
|
||||||
@@ -1816,17 +1827,17 @@ do_child(Session *s, const char *command
|
|
||||||
}
|
|
||||||
if (r)
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
closefrom(STDERR_FILENO + 1);
|
|
||||||
|
|
||||||
if (!options.use_login)
|
|
||||||
- do_rc_files(s, shell);
|
|
||||||
+ do_rc_files(s, shell, env, &env_size);
|
|
||||||
|
|
||||||
/* restore SIGPIPE for child */
|
|
||||||
signal(SIGPIPE, SIG_DFL);
|
|
||||||
|
|
||||||
if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
|
|
||||||
printf("This service allows sftp connections only.\n");
|
|
||||||
fflush(NULL);
|
|
||||||
exit(1);
|
|
@ -1,33 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 0f00e960e1069c6a6eec975cc184171343701077
|
|
||||||
|
|
||||||
Do not import PAM environment variables when using login, since it may have
|
|
||||||
security implications.
|
|
||||||
|
|
||||||
CVE-2015-8325
|
|
||||||
bsc#975865
|
|
||||||
|
|
||||||
Backport of upstream commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|
||||||
--- a/openssh-7.2p2/session.c
|
|
||||||
+++ b/openssh-7.2p2/session.c
|
|
||||||
@@ -1351,17 +1351,17 @@ do_setup_env(Session *s, const char *she
|
|
||||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
|
||||||
s->authctxt->krb5_ccname);
|
|
||||||
#endif
|
|
||||||
#ifdef USE_PAM
|
|
||||||
/*
|
|
||||||
* Pull in any environment variables that may have
|
|
||||||
* been set by PAM.
|
|
||||||
*/
|
|
||||||
- if (options.use_pam) {
|
|
||||||
+ if (options.use_pam && !options.use_login) {
|
|
||||||
char **p;
|
|
||||||
|
|
||||||
p = fetch_pam_child_environment();
|
|
||||||
copy_environment(p, &env, &envsize);
|
|
||||||
free_pam_environment(p);
|
|
||||||
|
|
||||||
p = fetch_pam_environment();
|
|
||||||
copy_environment(p, &env, &envsize);
|
|
@ -1,66 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 7c29b31d3502bbf5b80e01f8d1db8b2733a3c7f4
|
|
||||||
Add slogin back to the distribution, since it might be used downstreams
|
|
||||||
|
|
||||||
Revert of cupstream commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|
||||||
--- a/openssh-7.2p2/Makefile.in
|
|
||||||
+++ b/openssh-7.2p2/Makefile.in
|
|
||||||
@@ -354,16 +354,20 @@ install-files:
|
|
||||||
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
|
|
||||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
|
||||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
|
||||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
|
||||||
if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
|
||||||
$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
|
|
||||||
$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
|
|
||||||
fi
|
|
||||||
+ -rm -f $(DESTDIR)$(bindir)/slogin
|
|
||||||
+ ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
|
|
||||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
|
||||||
+ ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
|
||||||
|
|
||||||
install-sysconf:
|
|
||||||
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
|
|
||||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
|
|
||||||
fi
|
|
||||||
@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
|
|
||||||
$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
|
|
||||||
else \
|
|
||||||
@@ -415,16 +419,17 @@ uninstallall: uninstall
|
|
||||||
-rmdir $(DESTDIR)$(bindir)
|
|
||||||
-rmdir $(DESTDIR)$(sbindir)
|
|
||||||
-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
|
|
||||||
-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
|
|
||||||
-rmdir $(DESTDIR)$(mandir)
|
|
||||||
-rmdir $(DESTDIR)$(libexecdir)
|
|
||||||
|
|
||||||
uninstall:
|
|
||||||
+ -rm -f $(DESTDIR)$(bindir)/slogin
|
|
||||||
-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
|
||||||
@@ -440,16 +445,17 @@ uninstall:
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
|
||||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
|
||||||
|
|
||||||
regress-prep:
|
|
||||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
|
|
||||||
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
|
|
||||||
[ -d `pwd`/regress/unittests/test_helper ] || \
|
|
||||||
mkdir -p `pwd`/regress/unittests/test_helper
|
|
||||||
[ -d `pwd`/regress/unittests/sshbuf ] || \
|
|
||||||
mkdir -p `pwd`/regress/unittests/sshbuf
|
|
@ -1,30 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 5d3b620e9c7c42bfb1d8f24eb7e0645a55d967fa
|
|
||||||
Prevent memory depletion during key exchange
|
|
||||||
|
|
||||||
CVE-2016-8858
|
|
||||||
bsc#1005480
|
|
||||||
|
|
||||||
upstream commit ec165c392ca54317dbe3064a8c200de6531e89ad
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/kex.c b/openssh-7.2p2/kex.c
|
|
||||||
--- a/openssh-7.2p2/kex.c
|
|
||||||
+++ b/openssh-7.2p2/kex.c
|
|
||||||
@@ -523,16 +523,17 @@ kex_input_kexinit(int type, u_int32_t se
|
|
||||||
u_int i;
|
|
||||||
size_t dlen;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
debug("SSH2_MSG_KEXINIT received");
|
|
||||||
if (kex == NULL)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
|
|
||||||
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
|
|
||||||
ptr = sshpkt_ptr(ssh, &dlen);
|
|
||||||
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
/* discard packet */
|
|
||||||
for (i = 0; i < KEX_COOKIE_LEN; i++)
|
|
||||||
if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
|
|
||||||
return r;
|
|
@ -1,26 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 79c00e0f450c33b3f545ef104112b55186290e2c
|
|
||||||
# set uid for functions that use it to seek in lastlog and wtmp files
|
|
||||||
# bnc#18024 (was suse #3024)
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sshlogin.c b/openssh-7.2p2/sshlogin.c
|
|
||||||
--- a/openssh-7.2p2/sshlogin.c
|
|
||||||
+++ b/openssh-7.2p2/sshlogin.c
|
|
||||||
@@ -129,16 +129,17 @@ record_login(pid_t pid, const char *tty,
|
|
||||||
{
|
|
||||||
struct logininfo *li;
|
|
||||||
|
|
||||||
/* save previous login details before writing new */
|
|
||||||
store_lastlog_message(user, uid);
|
|
||||||
|
|
||||||
li = login_alloc_entry(pid, user, host, tty);
|
|
||||||
login_set_addr(li, addr, addrlen);
|
|
||||||
+ li->uid = uid;
|
|
||||||
login_login(li);
|
|
||||||
login_free_entry(li);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef LOGIN_NEEDS_UTMPX
|
|
||||||
void
|
|
||||||
record_utmp_only(pid_t pid, const char *ttyname, const char *user,
|
|
||||||
const char *host, struct sockaddr *addr, socklen_t addrlen)
|
|
@ -1,52 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 9888bc3f536eab9f528d9c96e5e8a2501ed168f5
|
|
||||||
Limit accepted passwords length to prevent DoS by resource consumption
|
|
||||||
(via crypt() eating CPU cycles).
|
|
||||||
|
|
||||||
CVE-2016-6515
|
|
||||||
bsc#992533
|
|
||||||
|
|
||||||
upstream commit: fcd135c9df440bcd2d5870405ad3311743d78d97
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
|
|
||||||
--- a/openssh-7.2p2/auth-passwd.c
|
|
||||||
+++ b/openssh-7.2p2/auth-passwd.c
|
|
||||||
@@ -61,16 +61,18 @@ extern ServerOptions options;
|
|
||||||
#ifdef HAVE_LOGIN_CAP
|
|
||||||
extern login_cap_t *lc;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
#define DAY (24L * 60 * 60) /* 1 day in seconds */
|
|
||||||
#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
|
|
||||||
|
|
||||||
+#define MAX_PASSWORD_LEN 1024
|
|
||||||
+
|
|
||||||
void
|
|
||||||
disable_forwarding(void)
|
|
||||||
{
|
|
||||||
no_port_forwarding_flag = 1;
|
|
||||||
no_agent_forwarding_flag = 1;
|
|
||||||
no_x11_forwarding_flag = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -82,16 +84,19 @@ int
|
|
||||||
auth_password(Authctxt *authctxt, const char *password)
|
|
||||||
{
|
|
||||||
struct passwd * pw = authctxt->pw;
|
|
||||||
int result, ok = authctxt->valid;
|
|
||||||
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
|
|
||||||
static int expire_checked = 0;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ if (strlen(password) > MAX_PASSWORD_LEN)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
#ifndef HAVE_CYGWIN
|
|
||||||
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
|
|
||||||
ok = 0;
|
|
||||||
#endif
|
|
||||||
if (*password == '\0' && options.permit_empty_passwd == 0)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
#ifdef KRB5
|
|
@ -1,32 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent b86c2190c93aeaf958c22fc7b224dcaf87100288
|
|
||||||
# HG changeset patch
|
|
||||||
# Parent b262fd34c8ecd55e93d457b3ca5593abce716856
|
|
||||||
# login-pam cannot handle the option terminator "--" as login from util-linux
|
|
||||||
# (this is correct behaviour considering its man-page), hence use option which
|
|
||||||
# selects the compile-time branch in the code which doesn't use the terminator
|
|
||||||
#
|
|
||||||
# bnc#833605
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
|
||||||
--- a/openssh-7.2p2/configure.ac
|
|
||||||
+++ b/openssh-7.2p2/configure.ac
|
|
||||||
@@ -770,16 +770,18 @@ main() { if (NSVersionOfRunTimeLibrary("
|
|
||||||
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
|
|
||||||
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
|
|
||||||
;;
|
|
||||||
*-*-linux*)
|
|
||||||
no_dev_ptmx=1
|
|
||||||
use_pie=auto
|
|
||||||
check_for_libcrypt_later=1
|
|
||||||
check_for_openpty_ctty_bug=1
|
|
||||||
+ AC_DEFINE([LOGIN_NO_ENDOPT], [1],
|
|
||||||
+ [Define if your login program cannot handle end of options ("--")])
|
|
||||||
AC_DEFINE([PAM_TTY_KLUDGE], [1],
|
|
||||||
[Work around problematic Linux PAM modules handling of PAM_TTY])
|
|
||||||
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
|
|
||||||
[String used in /etc/passwd to denote locked account])
|
|
||||||
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
|
|
||||||
AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
|
|
||||||
[Define to whatever link() returns for "not supported"
|
|
||||||
if it doesn't return EOPNOTSUPP.])
|
|
@ -1,26 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 4011d0f5c00b663976c9940dc4ef79642605cf90
|
|
||||||
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
|
||||||
--- a/openssh-7.2p2/sshd.c
|
|
||||||
+++ b/openssh-7.2p2/sshd.c
|
|
||||||
@@ -2107,17 +2107,17 @@ main(int ac, char **av)
|
|
||||||
signal(SIGCHLD, main_sigchld_handler);
|
|
||||||
signal(SIGTERM, sigterm_handler);
|
|
||||||
signal(SIGQUIT, sigterm_handler);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Write out the pid file after the sigterm handler
|
|
||||||
* is setup and the listen sockets are bound
|
|
||||||
*/
|
|
||||||
- if (options.pid_file != NULL && !debug_flag) {
|
|
||||||
+ if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
|
|
||||||
FILE *f = fopen(options.pid_file, "w");
|
|
||||||
|
|
||||||
if (f == NULL) {
|
|
||||||
error("Couldn't create pid file \"%s\": %s",
|
|
||||||
options.pid_file, strerror(errno));
|
|
||||||
} else {
|
|
||||||
fprintf(f, "%ld\n", (long) getpid());
|
|
||||||
fclose(f);
|
|
@ -1,229 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent ac7f843cd7ebec413691d51823cdc67b611abdff
|
|
||||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
|
||||||
UsePAM is used
|
|
||||||
|
|
||||||
bnc#708678, FATE#312033
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
|
|
||||||
--- a/openssh-7.2p2/auth.c
|
|
||||||
+++ b/openssh-7.2p2/auth.c
|
|
||||||
@@ -104,17 +104,17 @@ allowed_user(struct passwd * pw)
|
|
||||||
struct spwd *spw = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
|
||||||
if (!pw || !pw->pw_name)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
#ifdef USE_SHADOW
|
|
||||||
- if (!options.use_pam)
|
|
||||||
+ if (!options.use_pam || options.use_pam_check_locks)
|
|
||||||
spw = getspnam(pw->pw_name);
|
|
||||||
#ifdef HAS_SHADOW_EXPIRE
|
|
||||||
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
|
||||||
return 0;
|
|
||||||
#endif /* HAS_SHADOW_EXPIRE */
|
|
||||||
#endif /* USE_SHADOW */
|
|
||||||
|
|
||||||
/* grab passwd field for locked account check */
|
|
||||||
@@ -124,17 +124,17 @@ allowed_user(struct passwd * pw)
|
|
||||||
#ifdef USE_LIBIAF
|
|
||||||
passwd = get_iaf_password(pw);
|
|
||||||
#else
|
|
||||||
passwd = spw->sp_pwdp;
|
|
||||||
#endif /* USE_LIBIAF */
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* check for locked account */
|
|
||||||
- if (!options.use_pam && passwd && *passwd) {
|
|
||||||
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
|
||||||
int locked = 0;
|
|
||||||
|
|
||||||
#ifdef LOCKED_PASSWD_STRING
|
|
||||||
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
|
||||||
locked = 1;
|
|
||||||
#endif
|
|
||||||
#ifdef LOCKED_PASSWD_PREFIX
|
|
||||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
|
||||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|
||||||
--- a/openssh-7.2p2/servconf.c
|
|
||||||
+++ b/openssh-7.2p2/servconf.c
|
|
||||||
@@ -69,16 +69,17 @@ extern Buffer cfg;
|
|
||||||
|
|
||||||
void
|
|
||||||
initialize_server_options(ServerOptions *options)
|
|
||||||
{
|
|
||||||
memset(options, 0, sizeof(*options));
|
|
||||||
|
|
||||||
/* Portable-specific options */
|
|
||||||
options->use_pam = -1;
|
|
||||||
+ options->use_pam_check_locks = -1;
|
|
||||||
|
|
||||||
/* Standard Options */
|
|
||||||
options->num_ports = 0;
|
|
||||||
options->ports_from_cmdline = 0;
|
|
||||||
options->queued_listen_addrs = NULL;
|
|
||||||
options->num_queued_listens = 0;
|
|
||||||
options->listen_addrs = NULL;
|
|
||||||
options->address_family = -1;
|
|
||||||
@@ -195,16 +196,18 @@ assemble_algorithms(ServerOptions *o)
|
|
||||||
void
|
|
||||||
fill_default_server_options(ServerOptions *options)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
|
|
||||||
/* Portable-specific options */
|
|
||||||
if (options->use_pam == -1)
|
|
||||||
options->use_pam = 0;
|
|
||||||
+ if (options->use_pam_check_locks == -1)
|
|
||||||
+ options->use_pam_check_locks = 0;
|
|
||||||
|
|
||||||
/* Standard Options */
|
|
||||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
|
||||||
options->protocol = SSH_PROTO_2;
|
|
||||||
if (options->num_host_key_files == 0) {
|
|
||||||
/* fill default hostkeys for protocols */
|
|
||||||
if (options->protocol & SSH_PROTO_1)
|
|
||||||
options->host_key_files[options->num_host_key_files++] =
|
|
||||||
@@ -391,17 +394,17 @@ fill_default_server_options(ServerOption
|
|
||||||
#endif
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Keyword tokens. */
|
|
||||||
typedef enum {
|
|
||||||
sBadOption, /* == unknown option */
|
|
||||||
/* Portable-specific options */
|
|
||||||
- sUsePAM,
|
|
||||||
+ sUsePAM, sUsePAMChecklocks,
|
|
||||||
/* Standard Options */
|
|
||||||
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
|
|
||||||
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
|
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
|
||||||
sKerberosGetAFSToken,
|
|
||||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
|
||||||
@@ -441,18 +444,20 @@ typedef enum {
|
|
||||||
static struct {
|
|
||||||
const char *name;
|
|
||||||
ServerOpCodes opcode;
|
|
||||||
u_int flags;
|
|
||||||
} keywords[] = {
|
|
||||||
/* Portable-specific options */
|
|
||||||
#ifdef USE_PAM
|
|
||||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
|
||||||
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
|
||||||
#else
|
|
||||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
#endif
|
|
||||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
|
||||||
/* Standard Options */
|
|
||||||
{ "port", sPort, SSHCFG_GLOBAL },
|
|
||||||
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
|
|
||||||
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
|
||||||
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
|
||||||
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
|
||||||
@@ -1005,16 +1010,19 @@ process_server_config_line(ServerOptions
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
switch (opcode) {
|
|
||||||
/* Portable-specific options */
|
|
||||||
case sUsePAM:
|
|
||||||
intptr = &options->use_pam;
|
|
||||||
goto parse_flag;
|
|
||||||
+ case sUsePAMChecklocks:
|
|
||||||
+ intptr = &options->use_pam_check_locks;
|
|
||||||
+ goto parse_flag;
|
|
||||||
|
|
||||||
/* Standard Options */
|
|
||||||
case sBadOption:
|
|
||||||
return -1;
|
|
||||||
case sPort:
|
|
||||||
/* ignore ports from configfile if cmdline specifies ports */
|
|
||||||
if (options->ports_from_cmdline)
|
|
||||||
return 0;
|
|
||||||
diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
|
|
||||||
--- a/openssh-7.2p2/servconf.h
|
|
||||||
+++ b/openssh-7.2p2/servconf.h
|
|
||||||
@@ -167,16 +167,17 @@ typedef struct {
|
|
||||||
*/
|
|
||||||
|
|
||||||
u_int num_authkeys_files; /* Files containing public keys */
|
|
||||||
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
|
||||||
|
|
||||||
char *adm_forced_command;
|
|
||||||
|
|
||||||
int use_pam; /* Enable auth via PAM */
|
|
||||||
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
|
||||||
|
|
||||||
int permit_tun;
|
|
||||||
|
|
||||||
int num_permitted_opens;
|
|
||||||
|
|
||||||
char *chroot_directory;
|
|
||||||
char *revoked_keys_file;
|
|
||||||
char *trusted_user_ca_keys;
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
|
||||||
--- a/openssh-7.2p2/sshd_config.0
|
|
||||||
+++ b/openssh-7.2p2/sshd_config.0
|
|
||||||
@@ -946,16 +946,24 @@ DESCRIPTION
|
|
||||||
|
|
||||||
Because PAM challenge-response authentication usually serves an
|
|
||||||
equivalent role to password authentication, you should disable
|
|
||||||
either PasswordAuthentication or ChallengeResponseAuthentication.
|
|
||||||
|
|
||||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
|
||||||
non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
|
||||||
|
|
||||||
+ UsePAMCheckLocks
|
|
||||||
+ When set to ``yes'', the checks whether the account has been
|
|
||||||
+ locked with `passwd -l' are performed even when PAM authentication
|
|
||||||
+ is enabled via UsePAM. This is to ensure that it is not possible
|
|
||||||
+ to log in with e.g. a public key (in such a case PAM is used only
|
|
||||||
+ to set up the session and some PAM modules will not check whether
|
|
||||||
+ the account is locked in this scenario). The default is ``no''.
|
|
||||||
+
|
|
||||||
UsePrivilegeSeparation
|
|
||||||
Specifies whether sshd(8) separates privileges by creating an
|
|
||||||
unprivileged child process to deal with incoming network traffic.
|
|
||||||
After successful authentication, another process will be created
|
|
||||||
that has the privilege of the authenticated user. The goal of
|
|
||||||
privilege separation is to prevent privilege escalation by
|
|
||||||
containing any corruption within the unprivileged processes. The
|
|
||||||
argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|
||||||
--- a/openssh-7.2p2/sshd_config.5
|
|
||||||
+++ b/openssh-7.2p2/sshd_config.5
|
|
||||||
@@ -1578,16 +1578,28 @@ or
|
|
||||||
.Pp
|
|
||||||
If
|
|
||||||
.Cm UsePAM
|
|
||||||
is enabled, you will not be able to run
|
|
||||||
.Xr sshd 8
|
|
||||||
as a non-root user.
|
|
||||||
The default is
|
|
||||||
.Dq no .
|
|
||||||
+.It Cm UsePAMCheckLocks
|
|
||||||
+When set to
|
|
||||||
+.Dq yes
|
|
||||||
+, the checks whether the account has been locked with
|
|
||||||
+.Pa passwd -l
|
|
||||||
+are performed even when PAM authentication is enabled via
|
|
||||||
+.Cm UsePAM .
|
|
||||||
+This is to ensure that it is not possible to log in with e.g. a
|
|
||||||
+public key (in such a case PAM is used only to set up the session and some PAM
|
|
||||||
+modules will not check whether the account is locked in this scenario). The
|
|
||||||
+default is
|
|
||||||
+.Dq no .
|
|
||||||
.It Cm UsePrivilegeSeparation
|
|
||||||
Specifies whether
|
|
||||||
.Xr sshd 8
|
|
||||||
separates privileges by creating an unprivileged child process
|
|
||||||
to deal with incoming network traffic.
|
|
||||||
After successful authentication, another process will be created that has
|
|
||||||
the privilege of the authenticated user.
|
|
||||||
The goal of privilege separation is to prevent privilege
|
|
@ -1,188 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent e2a8c999f737bca97bbc330ce6683de842ba195e
|
|
||||||
Pre-allocare buffer for private keys data to prevent leaking of sensitive data
|
|
||||||
via heap.
|
|
||||||
|
|
||||||
CVE-2016-10011
|
|
||||||
bsc#1016369
|
|
||||||
|
|
||||||
backported upstream commit 54d022026aae4f53fa74cc636e4a032d9689b64d
|
|
||||||
backported upstream commit a9c746088787549bb5b1ae3add7d06a1b6d93d5e
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/authfile.c b/openssh-7.2p2/authfile.c
|
|
||||||
--- a/openssh-7.2p2/authfile.c
|
|
||||||
+++ b/openssh-7.2p2/authfile.c
|
|
||||||
@@ -95,23 +95,35 @@ sshkey_save_private(struct sshkey *key,
|
|
||||||
|
|
||||||
/* Load a key from a fd into a buffer */
|
|
||||||
int
|
|
||||||
sshkey_load_file(int fd, struct sshbuf *blob)
|
|
||||||
{
|
|
||||||
u_char buf[1024];
|
|
||||||
size_t len;
|
|
||||||
struct stat st;
|
|
||||||
- int r;
|
|
||||||
+ int r, dontmax = 0;
|
|
||||||
|
|
||||||
if (fstat(fd, &st) < 0)
|
|
||||||
return SSH_ERR_SYSTEM_ERROR;
|
|
||||||
if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
|
|
||||||
st.st_size > MAX_KEY_FILE_SIZE)
|
|
||||||
return SSH_ERR_INVALID_FORMAT;
|
|
||||||
+ /*
|
|
||||||
+ * Pre-allocate the buffer used for the key contents and clamp its
|
|
||||||
+ * maximum size. This ensures that key contents are never leaked via
|
|
||||||
+ * implicit realloc() in the sshbuf code.
|
|
||||||
+ */
|
|
||||||
+ if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
|
|
||||||
+ st.st_size = 64*1024; /* 64k should be enough for anyone :) */
|
|
||||||
+ dontmax = 1;
|
|
||||||
+ }
|
|
||||||
+ if ((r = sshbuf_allocate(blob, st.st_size)) != 0 ||
|
|
||||||
+ (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0))
|
|
||||||
+ return r;
|
|
||||||
for (;;) {
|
|
||||||
if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
|
|
||||||
if (errno == EPIPE)
|
|
||||||
break;
|
|
||||||
r = SSH_ERR_SYSTEM_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if ((r = sshbuf_put(blob, buf, len)) != 0)
|
|
||||||
diff --git a/openssh-7.2p2/sshbuf.c b/openssh-7.2p2/sshbuf.c
|
|
||||||
--- a/openssh-7.2p2/sshbuf.c
|
|
||||||
+++ b/openssh-7.2p2/sshbuf.c
|
|
||||||
@@ -311,63 +311,73 @@ sshbuf_check_reserve(const struct sshbuf
|
|
||||||
SSHBUF_TELL("check");
|
|
||||||
/* Check that len is reasonable and that max_size + available < len */
|
|
||||||
if (len > buf->max_size || buf->max_size - len < buf->size - buf->off)
|
|
||||||
return SSH_ERR_NO_BUFFER_SPACE;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
-sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
|
|
||||||
+sshbuf_allocate(struct sshbuf *buf, size_t len)
|
|
||||||
{
|
|
||||||
size_t rlen, need;
|
|
||||||
u_char *dp;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
- if (dpp != NULL)
|
|
||||||
- *dpp = NULL;
|
|
||||||
-
|
|
||||||
- SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
|
|
||||||
+ SSHBUF_DBG(("allocate buf = %p len = %zu", buf, len));
|
|
||||||
if ((r = sshbuf_check_reserve(buf, len)) != 0)
|
|
||||||
return r;
|
|
||||||
/*
|
|
||||||
* If the requested allocation appended would push us past max_size
|
|
||||||
* then pack the buffer, zeroing buf->off.
|
|
||||||
*/
|
|
||||||
sshbuf_maybe_pack(buf, buf->size + len > buf->max_size);
|
|
||||||
- SSHBUF_TELL("reserve");
|
|
||||||
- if (len + buf->size > buf->alloc) {
|
|
||||||
- /*
|
|
||||||
- * Prefer to alloc in SSHBUF_SIZE_INC units, but
|
|
||||||
- * allocate less if doing so would overflow max_size.
|
|
||||||
- */
|
|
||||||
- need = len + buf->size - buf->alloc;
|
|
||||||
- rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
|
|
||||||
- SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
|
|
||||||
- if (rlen > buf->max_size)
|
|
||||||
- rlen = buf->alloc + need;
|
|
||||||
- SSHBUF_DBG(("adjusted rlen %zu", rlen));
|
|
||||||
- if ((dp = realloc(buf->d, rlen)) == NULL) {
|
|
||||||
- SSHBUF_DBG(("realloc fail"));
|
|
||||||
- if (dpp != NULL)
|
|
||||||
- *dpp = NULL;
|
|
||||||
- return SSH_ERR_ALLOC_FAIL;
|
|
||||||
- }
|
|
||||||
- buf->alloc = rlen;
|
|
||||||
- buf->cd = buf->d = dp;
|
|
||||||
- if ((r = sshbuf_check_reserve(buf, len)) < 0) {
|
|
||||||
- /* shouldn't fail */
|
|
||||||
- if (dpp != NULL)
|
|
||||||
- *dpp = NULL;
|
|
||||||
- return r;
|
|
||||||
- }
|
|
||||||
+ SSHBUF_TELL("allocate");
|
|
||||||
+ if (len + buf->size <= buf->alloc)
|
|
||||||
+ return 0; /* already have it. */
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Prefer to alloc in SSHBUF_SIZE_INC units, but
|
|
||||||
+ * allocate less if doing so would overflow max_size.
|
|
||||||
+ */
|
|
||||||
+ need = len + buf->size - buf->alloc;
|
|
||||||
+ rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
|
|
||||||
+ SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
|
|
||||||
+ if (rlen > buf->max_size)
|
|
||||||
+ rlen = buf->alloc + need;
|
|
||||||
+ SSHBUF_DBG(("adjusted rlen %zu", rlen));
|
|
||||||
+ if ((dp = realloc(buf->d, rlen)) == NULL) {
|
|
||||||
+ SSHBUF_DBG(("realloc fail"));
|
|
||||||
+ return SSH_ERR_ALLOC_FAIL;
|
|
||||||
}
|
|
||||||
+ buf->alloc = rlen;
|
|
||||||
+ buf->cd = buf->d = dp;
|
|
||||||
+ if ((r = sshbuf_check_reserve(buf, len)) < 0) {
|
|
||||||
+ /* shouldn't fail */
|
|
||||||
+ return r;
|
|
||||||
+ }
|
|
||||||
+ SSHBUF_TELL("done");
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
|
|
||||||
+{
|
|
||||||
+ u_char *dp;
|
|
||||||
+ int r;
|
|
||||||
+
|
|
||||||
+ if (dpp != NULL)
|
|
||||||
+ *dpp = NULL;
|
|
||||||
+
|
|
||||||
+ SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
|
|
||||||
+ if ((r = sshbuf_allocate(buf, len)) != 0)
|
|
||||||
+ return r;
|
|
||||||
+
|
|
||||||
dp = buf->d + buf->size;
|
|
||||||
buf->size += len;
|
|
||||||
- SSHBUF_TELL("done");
|
|
||||||
if (dpp != NULL)
|
|
||||||
*dpp = dp;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
sshbuf_consume(struct sshbuf *buf, size_t len)
|
|
||||||
{
|
|
||||||
diff --git a/openssh-7.2p2/sshbuf.h b/openssh-7.2p2/sshbuf.h
|
|
||||||
--- a/openssh-7.2p2/sshbuf.h
|
|
||||||
+++ b/openssh-7.2p2/sshbuf.h
|
|
||||||
@@ -134,16 +134,24 @@ u_char *sshbuf_mutable_ptr(const struct
|
|
||||||
* Check whether a reservation of size len will succeed in buf
|
|
||||||
* Safer to use than direct comparisons again sshbuf_avail as it copes
|
|
||||||
* with unsigned overflows correctly.
|
|
||||||
* Returns 0 on success, or a negative SSH_ERR_* error code on failure.
|
|
||||||
*/
|
|
||||||
int sshbuf_check_reserve(const struct sshbuf *buf, size_t len);
|
|
||||||
|
|
||||||
/*
|
|
||||||
+ * Preallocates len additional bytes in buf.
|
|
||||||
+ * Useful for cases where the caller knows how many bytes will ultimately be
|
|
||||||
+ * required to avoid realloc in the buffer code.
|
|
||||||
+ * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
|
|
||||||
+ */
|
|
||||||
+int sshbuf_allocate(struct sshbuf *buf, size_t len);
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
* Reserve len bytes in buf.
|
|
||||||
* Returns 0 on success and a pointer to the first reserved byte via the
|
|
||||||
* optional dpp parameter or a negative * SSH_ERR_* error code on failure.
|
|
||||||
*/
|
|
||||||
int sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Consume len bytes from the start of buf
|
|
@ -1,264 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 4a254abf4ef391358257310ad2fe15c9e12dee34
|
|
||||||
Prevent user enumeration through password processing timing
|
|
||||||
CVE-2016-6210
|
|
||||||
bsc#989363
|
|
||||||
|
|
||||||
non-PAM part:
|
|
||||||
upstream commit: 9286875a73b2de7736b5e50692739d314cd8d9dc
|
|
||||||
|
|
||||||
PAM part:
|
|
||||||
upstream commit: 283b97ff33ea2c641161950849931bd578de6946
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c
|
|
||||||
--- a/openssh-7.2p2/auth-pam.c
|
|
||||||
+++ b/openssh-7.2p2/auth-pam.c
|
|
||||||
@@ -227,17 +227,16 @@ static pam_handle_t *sshpam_handle = NUL
|
|
||||||
static int sshpam_err = 0;
|
|
||||||
static int sshpam_authenticated = 0;
|
|
||||||
static int sshpam_session_open = 0;
|
|
||||||
static int sshpam_cred_established = 0;
|
|
||||||
static int sshpam_account_status = -1;
|
|
||||||
static char **sshpam_env = NULL;
|
|
||||||
static Authctxt *sshpam_authctxt = NULL;
|
|
||||||
static const char *sshpam_password = NULL;
|
|
||||||
-static char badpw[] = "\b\n\r\177INCORRECT";
|
|
||||||
|
|
||||||
/* Some PAM implementations don't implement this */
|
|
||||||
#ifndef HAVE_PAM_GETENVLIST
|
|
||||||
static char **
|
|
||||||
pam_getenvlist(pam_handle_t *pamh)
|
|
||||||
{
|
|
||||||
/*
|
|
||||||
* XXX - If necessary, we can still support envrionment passing
|
|
||||||
@@ -807,22 +806,45 @@ sshpam_query(void *ctx, char **name, cha
|
|
||||||
free(msg);
|
|
||||||
ctxt->pam_done = -1;
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Returns a junk password of identical length to that the user supplied.
|
|
||||||
+ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
|
|
||||||
+ * vary processing time in proportion to password length.
|
|
||||||
+ */
|
|
||||||
+static char *
|
|
||||||
+fake_password(const char *wire_password)
|
|
||||||
+{
|
|
||||||
+ const char junk[] = "\b\n\r\177INCORRECT";
|
|
||||||
+ char *ret = NULL;
|
|
||||||
+ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
|
|
||||||
+
|
|
||||||
+ if (l >= INT_MAX)
|
|
||||||
+ fatal("%s: password length too long: %zu", __func__, l);
|
|
||||||
+
|
|
||||||
+ ret = xmalloc(l + 1);
|
|
||||||
+ for (i = 0; i < l; i++)
|
|
||||||
+ ret[i] = junk[i % (sizeof(junk) - 1)];
|
|
||||||
+ ret[i] = '\0';
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* XXX - see also comment in auth-chall.c:verify_response */
|
|
||||||
static int
|
|
||||||
sshpam_respond(void *ctx, u_int num, char **resp)
|
|
||||||
{
|
|
||||||
Buffer buffer;
|
|
||||||
struct pam_ctxt *ctxt = ctx;
|
|
||||||
+ char *fake;
|
|
||||||
|
|
||||||
debug2("PAM: %s entering, %u responses", __func__, num);
|
|
||||||
switch (ctxt->pam_done) {
|
|
||||||
case 1:
|
|
||||||
sshpam_authenticated = 1;
|
|
||||||
return (0);
|
|
||||||
case 0:
|
|
||||||
break;
|
|
||||||
@@ -833,18 +855,21 @@ sshpam_respond(void *ctx, u_int num, cha
|
|
||||||
error("PAM: expected one response, got %u", num);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
buffer_init(&buffer);
|
|
||||||
if (sshpam_authctxt->valid &&
|
|
||||||
(sshpam_authctxt->pw->pw_uid != 0 ||
|
|
||||||
options.permit_root_login == PERMIT_YES))
|
|
||||||
buffer_put_cstring(&buffer, *resp);
|
|
||||||
- else
|
|
||||||
- buffer_put_cstring(&buffer, badpw);
|
|
||||||
+ else {
|
|
||||||
+ fake = fake_password(*resp);
|
|
||||||
+ buffer_put_cstring(&buffer, fake);
|
|
||||||
+ free(fake);
|
|
||||||
+ }
|
|
||||||
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
|
|
||||||
buffer_free(&buffer);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
buffer_free(&buffer);
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1178,41 +1203,43 @@ static struct pam_conv passwd_conv = { s
|
|
||||||
/*
|
|
||||||
* Attempt password authentication via PAM
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
|
||||||
{
|
|
||||||
int flags = (options.permit_empty_passwd == 0 ?
|
|
||||||
PAM_DISALLOW_NULL_AUTHTOK : 0);
|
|
||||||
+ char *fake = NULL;
|
|
||||||
|
|
||||||
if (!options.use_pam || sshpam_handle == NULL)
|
|
||||||
fatal("PAM: %s called when PAM disabled or failed to "
|
|
||||||
"initialise.", __func__);
|
|
||||||
|
|
||||||
sshpam_password = password;
|
|
||||||
sshpam_authctxt = authctxt;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If the user logging in is invalid, or is root but is not permitted
|
|
||||||
* by PermitRootLogin, use an invalid password to prevent leaking
|
|
||||||
* information via timing (eg if the PAM config has a delay on fail).
|
|
||||||
*/
|
|
||||||
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
|
|
||||||
options.permit_root_login != PERMIT_YES))
|
|
||||||
- sshpam_password = badpw;
|
|
||||||
+ sshpam_password = fake = fake_password(password);
|
|
||||||
|
|
||||||
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
|
|
||||||
(const void *)&passwd_conv);
|
|
||||||
if (sshpam_err != PAM_SUCCESS)
|
|
||||||
fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
|
|
||||||
pam_strerror(sshpam_handle, sshpam_err));
|
|
||||||
|
|
||||||
sshpam_err = pam_authenticate(sshpam_handle, flags);
|
|
||||||
sshpam_password = NULL;
|
|
||||||
+ free(fake);
|
|
||||||
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
|
|
||||||
debug("PAM: password authentication accepted for %.100s",
|
|
||||||
authctxt->user);
|
|
||||||
return 1;
|
|
||||||
} else {
|
|
||||||
debug("PAM: password authentication failed for %.100s: %s",
|
|
||||||
authctxt->valid ? authctxt->user : "an illegal user",
|
|
||||||
pam_strerror(sshpam_handle, sshpam_err));
|
|
||||||
diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
|
|
||||||
--- a/openssh-7.2p2/auth-passwd.c
|
|
||||||
+++ b/openssh-7.2p2/auth-passwd.c
|
|
||||||
@@ -188,28 +188,32 @@ sys_auth_passwd(Authctxt *authctxt, cons
|
|
||||||
return (auth_close(as));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
|
|
||||||
int
|
|
||||||
sys_auth_passwd(Authctxt *authctxt, const char *password)
|
|
||||||
{
|
|
||||||
struct passwd *pw = authctxt->pw;
|
|
||||||
- char *encrypted_password;
|
|
||||||
+ char *encrypted_password, *salt = NULL;
|
|
||||||
|
|
||||||
/* Just use the supplied fake password if authctxt is invalid */
|
|
||||||
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
|
|
||||||
|
|
||||||
/* Check for users with no password. */
|
|
||||||
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
|
|
||||||
return (1);
|
|
||||||
|
|
||||||
- /* Encrypt the candidate password using the proper salt. */
|
|
||||||
- encrypted_password = xcrypt(password,
|
|
||||||
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
|
|
||||||
+ /*
|
|
||||||
+ * Encrypt the candidate password using the proper salt, or pass a
|
|
||||||
+ * NULL and let xcrypt pick one.
|
|
||||||
+ */
|
|
||||||
+ if (authctxt->valid && pw_password[0] && pw_password[1])
|
|
||||||
+ salt = pw_password;
|
|
||||||
+ encrypted_password = xcrypt(password, salt);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Authentication is accepted if the encrypted passwords
|
|
||||||
* are identical.
|
|
||||||
*/
|
|
||||||
return encrypted_password != NULL &&
|
|
||||||
strcmp(encrypted_password, pw_password) == 0;
|
|
||||||
}
|
|
||||||
diff --git a/openssh-7.2p2/openbsd-compat/xcrypt.c b/openssh-7.2p2/openbsd-compat/xcrypt.c
|
|
||||||
--- a/openssh-7.2p2/openbsd-compat/xcrypt.c
|
|
||||||
+++ b/openssh-7.2p2/openbsd-compat/xcrypt.c
|
|
||||||
@@ -20,16 +20,17 @@
|
|
||||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include "includes.h"
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
+#include <string.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
|
|
||||||
# if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE)
|
|
||||||
# include <crypt.h>
|
|
||||||
# endif
|
|
||||||
|
|
||||||
# ifdef __hpux
|
|
||||||
@@ -57,21 +58,54 @@
|
|
||||||
# include "md5crypt.h"
|
|
||||||
# endif
|
|
||||||
|
|
||||||
# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
|
|
||||||
# include <openssl/des.h>
|
|
||||||
# define crypt DES_crypt
|
|
||||||
# endif
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Pick an appropriate password encryption type and salt for the running
|
|
||||||
+ * system.
|
|
||||||
+ */
|
|
||||||
+static const char *
|
|
||||||
+pick_salt(void)
|
|
||||||
+{
|
|
||||||
+ struct passwd *pw;
|
|
||||||
+ char *passwd, *p;
|
|
||||||
+ size_t typelen;
|
|
||||||
+ static char salt[32];
|
|
||||||
+
|
|
||||||
+ if (salt[0] != '\0')
|
|
||||||
+ return salt;
|
|
||||||
+ strlcpy(salt, "xx", sizeof(salt));
|
|
||||||
+ if ((pw = getpwuid(0)) == NULL)
|
|
||||||
+ return salt;
|
|
||||||
+ passwd = shadow_pw(pw);
|
|
||||||
+ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
|
|
||||||
+ return salt; /* no $, DES */
|
|
||||||
+ typelen = p - passwd + 1;
|
|
||||||
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
|
|
||||||
+ explicit_bzero(passwd, strlen(passwd));
|
|
||||||
+ return salt;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
char *
|
|
||||||
xcrypt(const char *password, const char *salt)
|
|
||||||
{
|
|
||||||
char *crypted;
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * If we don't have a salt we are encrypting a fake password for
|
|
||||||
+ * for timing purposes. Pick an appropriate salt.
|
|
||||||
+ */
|
|
||||||
+ if (salt == NULL)
|
|
||||||
+ salt = pick_salt();
|
|
||||||
+
|
|
||||||
# ifdef HAVE_MD5_PASSWORDS
|
|
||||||
if (is_md5_salt(salt))
|
|
||||||
crypted = md5_crypt(password, salt);
|
|
||||||
else
|
|
||||||
crypted = crypt(password, salt);
|
|
||||||
# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
|
|
||||||
if (iscomsec())
|
|
||||||
crypted = bigcrypt(password, salt);
|
|
@ -1,49 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 787bc0aab11e5a7b6510c8dbf771958743ca25b0
|
|
||||||
# use same lines naming as utempter (prevents problems with using different
|
|
||||||
# formats in ?tmp? files)
|
|
||||||
# --used to be called '-pts'
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/loginrec.c b/openssh-7.2p2/loginrec.c
|
|
||||||
--- a/openssh-7.2p2/loginrec.c
|
|
||||||
+++ b/openssh-7.2p2/loginrec.c
|
|
||||||
@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li)
|
|
||||||
/*
|
|
||||||
* 'line' string utility functions
|
|
||||||
*
|
|
||||||
* These functions process the 'line' string into one of three forms:
|
|
||||||
*
|
|
||||||
* 1. The full filename (including '/dev')
|
|
||||||
* 2. The stripped name (excluding '/dev')
|
|
||||||
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
|
||||||
- * /dev/pts/1 -> ts/1 )
|
|
||||||
+ * /dev/pts/1 -> /1 )
|
|
||||||
*
|
|
||||||
* Form 3 is used on some systems to identify a .tmp.? entry when
|
|
||||||
* attempting to remove it. Typically both addition and removal is
|
|
||||||
* performed by one application - say, sshd - so as long as the choice
|
|
||||||
* uniquely identifies a terminal it's ok.
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
@@ -602,16 +602,20 @@ line_abbrevname(char *dst, const char *s
|
|
||||||
/* Always skip prefix if present */
|
|
||||||
if (strncmp(src, "/dev/", 5) == 0)
|
|
||||||
src += 5;
|
|
||||||
|
|
||||||
#ifdef WITH_ABBREV_NO_TTY
|
|
||||||
if (strncmp(src, "tty", 3) == 0)
|
|
||||||
src += 3;
|
|
||||||
#endif
|
|
||||||
+ if (strncmp(src, "pts/", 4) == 0) {
|
|
||||||
+ src += 3;
|
|
||||||
+ if (strlen(src) > 4) src++;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
len = strlen(src);
|
|
||||||
|
|
||||||
if (len > 0) {
|
|
||||||
if (((int)len - dstsize) > 0)
|
|
||||||
src += ((int)len - dstsize);
|
|
||||||
|
|
||||||
/* note: _don't_ change this to strlcpy */
|
|
@ -1,55 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 18c2690afd988b9cb0fd0fa927d02cf5336dce9c
|
|
||||||
# --used to be called '-xauth'
|
|
||||||
try to remove xauth cookies on logout
|
|
||||||
|
|
||||||
bnc#98815
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|
||||||
--- a/openssh-7.2p2/session.c
|
|
||||||
+++ b/openssh-7.2p2/session.c
|
|
||||||
@@ -2540,16 +2540,44 @@ session_close(Session *s)
|
|
||||||
u_int i;
|
|
||||||
|
|
||||||
verbose("Close session: user %s from %.200s port %d id %d",
|
|
||||||
s->pw->pw_name,
|
|
||||||
get_remote_ipaddr(),
|
|
||||||
get_remote_port(),
|
|
||||||
s->self);
|
|
||||||
|
|
||||||
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
|
||||||
+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {
|
|
||||||
+ pid_t pid;
|
|
||||||
+ FILE *f;
|
|
||||||
+ char cmd[1024];
|
|
||||||
+ struct passwd * pw = s->pw;
|
|
||||||
+
|
|
||||||
+ if (!(pid = fork())) {
|
|
||||||
+ permanently_set_uid(pw);
|
|
||||||
+
|
|
||||||
+ /* Remove authority data from .Xauthority if appropriate. */
|
|
||||||
+ debug("Running %.500s remove %.100s\n",
|
|
||||||
+ options.xauth_location, s->auth_display);
|
|
||||||
+
|
|
||||||
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
|
|
||||||
+ s->pw->pw_dir, options.xauth_location);
|
|
||||||
+ f = popen(cmd, "w");
|
|
||||||
+ if (f) {
|
|
||||||
+ fprintf(f, "remove %s\n", s->auth_display);
|
|
||||||
+ pclose(f);
|
|
||||||
+ } else
|
|
||||||
+ error("Could not run %s\n", cmd);
|
|
||||||
+ exit(0);
|
|
||||||
+ } else if (pid > 0) {
|
|
||||||
+ waitpid(pid, NULL, 0);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (s->ttyfd != -1)
|
|
||||||
session_pty_cleanup(s);
|
|
||||||
free(s->term);
|
|
||||||
free(s->display);
|
|
||||||
free(s->x11_chanids);
|
|
||||||
free(s->auth_display);
|
|
||||||
free(s->auth_data);
|
|
||||||
free(s->auth_proto);
|
|
@ -1,297 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 22de9aeddbde2b36da9c23475cfa5dcd42e95287
|
|
||||||
whitelist paths for loading of PKCS#11 modules in ssh-agent
|
|
||||||
|
|
||||||
CVE-2016-10009
|
|
||||||
bsc#1016366
|
|
||||||
|
|
||||||
upstream commit 786d5994da79151180cb14a6cf157ebbba61c0cc
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
|
|
||||||
--- a/openssh-7.2p2/ssh-agent.1
|
|
||||||
+++ b/openssh-7.2p2/ssh-agent.1
|
|
||||||
@@ -1,9 +1,9 @@
|
|
||||||
-.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $
|
|
||||||
+.\" $OpenBSD: ssh-agent.1,v 1.63 2016/11/30 03:07:37 djm Exp $
|
|
||||||
.\"
|
|
||||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
||||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
||||||
.\" All rights reserved
|
|
||||||
.\"
|
|
||||||
.\" As far as I am concerned, the code I have written for this software
|
|
||||||
.\" can be used freely for any purpose. Any derived versions of this
|
|
||||||
.\" software must be clearly marked as such, and if the derived work is
|
|
||||||
@@ -29,29 +29,30 @@
|
|
||||||
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
||||||
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
||||||
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
||||||
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
||||||
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
.\"
|
|
||||||
-.Dd $Mdocdate: November 15 2015 $
|
|
||||||
+.Dd $Mdocdate: November 30 2016 $
|
|
||||||
.Dt SSH-AGENT 1
|
|
||||||
.Os
|
|
||||||
.Sh NAME
|
|
||||||
.Nm ssh-agent
|
|
||||||
.Nd authentication agent
|
|
||||||
.Sh SYNOPSIS
|
|
||||||
.Nm ssh-agent
|
|
||||||
.Op Fl c | s
|
|
||||||
.Op Fl \&Dd
|
|
||||||
.Op Fl a Ar bind_address
|
|
||||||
.Op Fl E Ar fingerprint_hash
|
|
||||||
.Op Fl t Ar life
|
|
||||||
+.Op Fl P Ar pkcs11_whitelist
|
|
||||||
.Op Ar command Op Ar arg ...
|
|
||||||
.Nm ssh-agent
|
|
||||||
.Op Fl c | s
|
|
||||||
.Fl k
|
|
||||||
.Sh DESCRIPTION
|
|
||||||
.Nm
|
|
||||||
is a program to hold private keys used for public key authentication
|
|
||||||
(RSA, DSA, ECDSA, Ed25519).
|
|
||||||
@@ -116,16 +117,28 @@ Valid options are:
|
|
||||||
and
|
|
||||||
.Dq sha256 .
|
|
||||||
The default is
|
|
||||||
.Dq sha256 .
|
|
||||||
.It Fl k
|
|
||||||
Kill the current agent (given by the
|
|
||||||
.Ev SSH_AGENT_PID
|
|
||||||
environment variable).
|
|
||||||
+.It Fl P
|
|
||||||
+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
|
|
||||||
+that may be added using the
|
|
||||||
+.Fl s
|
|
||||||
+option to
|
|
||||||
+.Xr ssh-add 1 .
|
|
||||||
+The default is to allow loading PKCS#11 libraries from
|
|
||||||
+.Dq /usr/lib/*,/usr/local/lib/* .
|
|
||||||
+PKCS#11 libraries that do not match the whitelist will be refused.
|
|
||||||
+See PATTERNS in
|
|
||||||
+.Xr ssh_config 5
|
|
||||||
+for a description of pattern-list syntax.
|
|
||||||
.It Fl s
|
|
||||||
Generate Bourne shell commands on
|
|
||||||
.Dv stdout .
|
|
||||||
This is the default if
|
|
||||||
.Ev SHELL
|
|
||||||
does not look like it's a csh style of shell.
|
|
||||||
.It Fl t Ar life
|
|
||||||
Set a default value for the maximum lifetime of identities added to the agent.
|
|
||||||
diff --git a/openssh-7.2p2/ssh-agent.c b/openssh-7.2p2/ssh-agent.c
|
|
||||||
--- a/openssh-7.2p2/ssh-agent.c
|
|
||||||
+++ b/openssh-7.2p2/ssh-agent.c
|
|
||||||
@@ -78,25 +78,30 @@
|
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "sshkey.h"
|
|
||||||
#include "authfd.h"
|
|
||||||
#include "compat.h"
|
|
||||||
#include "log.h"
|
|
||||||
#include "misc.h"
|
|
||||||
#include "digest.h"
|
|
||||||
#include "ssherr.h"
|
|
||||||
+#include "match.h"
|
|
||||||
|
|
||||||
#ifdef ENABLE_PKCS11
|
|
||||||
#include "ssh-pkcs11.h"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(HAVE_SYS_PRCTL_H)
|
|
||||||
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifndef DEFAULT_PKCS11_WHITELIST
|
|
||||||
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
typedef enum {
|
|
||||||
AUTH_UNUSED,
|
|
||||||
AUTH_SOCKET,
|
|
||||||
AUTH_CONNECTION
|
|
||||||
} sock_type;
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
int fd;
|
|
||||||
@@ -134,16 +139,19 @@ time_t parent_alive_interval = 0;
|
|
||||||
|
|
||||||
/* pid of process for which cleanup_socket is applicable */
|
|
||||||
pid_t cleanup_pid = 0;
|
|
||||||
|
|
||||||
/* pathname and directory for AUTH_SOCKET */
|
|
||||||
char socket_name[PATH_MAX];
|
|
||||||
char socket_dir[PATH_MAX];
|
|
||||||
|
|
||||||
+/* PKCS#11 path whitelist */
|
|
||||||
+static char *pkcs11_whitelist;
|
|
||||||
+
|
|
||||||
/* locking */
|
|
||||||
#define LOCK_SIZE 32
|
|
||||||
#define LOCK_SALT_SIZE 16
|
|
||||||
#define LOCK_ROUNDS 1
|
|
||||||
int locked = 0;
|
|
||||||
char lock_passwd[LOCK_SIZE];
|
|
||||||
char lock_salt[LOCK_SALT_SIZE];
|
|
||||||
|
|
||||||
@@ -736,17 +744,17 @@ no_identities(SocketEntry *e, u_int type
|
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
sshbuf_free(msg);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef ENABLE_PKCS11
|
|
||||||
static void
|
|
||||||
process_add_smartcard_key(SocketEntry *e)
|
|
||||||
{
|
|
||||||
- char *provider = NULL, *pin;
|
|
||||||
+ char *provider = NULL, *pin, canonical_provider[PATH_MAX];
|
|
||||||
int r, i, version, count = 0, success = 0, confirm = 0;
|
|
||||||
u_int seconds;
|
|
||||||
time_t death = 0;
|
|
||||||
u_char type;
|
|
||||||
struct sshkey **keys = NULL, *k;
|
|
||||||
Identity *id;
|
|
||||||
Idtab *tab;
|
|
||||||
|
|
||||||
@@ -768,29 +776,40 @@ process_add_smartcard_key(SocketEntry *e
|
|
||||||
confirm = 1;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
error("process_add_smartcard_key: "
|
|
||||||
"Unknown constraint type %d", type);
|
|
||||||
goto send;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ if (realpath(provider, canonical_provider) == NULL) {
|
|
||||||
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
|
||||||
+ provider, strerror(errno));
|
|
||||||
+ goto send;
|
|
||||||
+ }
|
|
||||||
+ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
|
|
||||||
+ verbose("refusing PKCS#11 add of \"%.100s\": "
|
|
||||||
+ "provider not whitelisted", canonical_provider);
|
|
||||||
+ goto send;
|
|
||||||
+ }
|
|
||||||
+ debug("%s: add %.100s", __func__, canonical_provider);
|
|
||||||
if (lifetime && !death)
|
|
||||||
death = monotime() + lifetime;
|
|
||||||
|
|
||||||
- count = pkcs11_add_provider(provider, pin, &keys);
|
|
||||||
+ count = pkcs11_add_provider(canonical_provider, pin, &keys);
|
|
||||||
for (i = 0; i < count; i++) {
|
|
||||||
k = keys[i];
|
|
||||||
version = k->type == KEY_RSA1 ? 1 : 2;
|
|
||||||
tab = idtab_lookup(version);
|
|
||||||
if (lookup_identity(k, version) == NULL) {
|
|
||||||
id = xcalloc(1, sizeof(Identity));
|
|
||||||
id->key = k;
|
|
||||||
- id->provider = xstrdup(provider);
|
|
||||||
- id->comment = xstrdup(provider); /* XXX */
|
|
||||||
+ id->provider = xstrdup(canonical_provider);
|
|
||||||
+ id->comment = xstrdup(canonical_provider); /* XXX */
|
|
||||||
id->death = death;
|
|
||||||
id->confirm = confirm;
|
|
||||||
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
|
|
||||||
tab->nentries++;
|
|
||||||
success = 1;
|
|
||||||
} else {
|
|
||||||
sshkey_free(k);
|
|
||||||
}
|
|
||||||
@@ -1171,17 +1190,17 @@ check_parent_exists(void)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
usage(void)
|
|
||||||
{
|
|
||||||
fprintf(stderr,
|
|
||||||
"usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
|
|
||||||
- " [-t life] [command [arg ...]]\n"
|
|
||||||
+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
|
|
||||||
" ssh-agent [-c | -s] -k\n");
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
main(int ac, char **av)
|
|
||||||
{
|
|
||||||
int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
|
|
||||||
@@ -1215,31 +1234,36 @@ main(int ac, char **av)
|
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
OpenSSL_add_all_algorithms();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
|
||||||
seed_rng();
|
|
||||||
|
|
||||||
- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
|
|
||||||
+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
|
|
||||||
switch (ch) {
|
|
||||||
case 'E':
|
|
||||||
fingerprint_hash = ssh_digest_alg_by_name(optarg);
|
|
||||||
if (fingerprint_hash == -1)
|
|
||||||
fatal("Invalid hash algorithm \"%s\"", optarg);
|
|
||||||
break;
|
|
||||||
case 'c':
|
|
||||||
if (s_flag)
|
|
||||||
usage();
|
|
||||||
c_flag++;
|
|
||||||
break;
|
|
||||||
case 'k':
|
|
||||||
k_flag++;
|
|
||||||
break;
|
|
||||||
+ case 'P':
|
|
||||||
+ if (pkcs11_whitelist != NULL)
|
|
||||||
+ fatal("-P option already specified");
|
|
||||||
+ pkcs11_whitelist = xstrdup(optarg);
|
|
||||||
+ break;
|
|
||||||
case 's':
|
|
||||||
if (c_flag)
|
|
||||||
usage();
|
|
||||||
s_flag++;
|
|
||||||
break;
|
|
||||||
case 'd':
|
|
||||||
if (d_flag || D_flag)
|
|
||||||
usage();
|
|
||||||
@@ -1264,16 +1288,19 @@ main(int ac, char **av)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ac -= optind;
|
|
||||||
av += optind;
|
|
||||||
|
|
||||||
if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
|
|
||||||
usage();
|
|
||||||
|
|
||||||
+ if (pkcs11_whitelist == NULL)
|
|
||||||
+ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
|
|
||||||
+
|
|
||||||
if (ac == 0 && !c_flag && !s_flag) {
|
|
||||||
shell = getenv("SHELL");
|
|
||||||
if (shell != NULL && (len = strlen(shell)) > 2 &&
|
|
||||||
strncmp(shell + len - 3, "csh", 3) == 0)
|
|
||||||
c_flag = 1;
|
|
||||||
}
|
|
||||||
if (k_flag) {
|
|
||||||
const char *errstr = NULL;
|
|
||||||
@@ -1411,17 +1438,17 @@ skip:
|
|
||||||
parent_alive_interval = 10;
|
|
||||||
idtab_init();
|
|
||||||
signal(SIGPIPE, SIG_IGN);
|
|
||||||
signal(SIGINT, (d_flag | D_flag) ? cleanup_handler : SIG_IGN);
|
|
||||||
signal(SIGHUP, cleanup_handler);
|
|
||||||
signal(SIGTERM, cleanup_handler);
|
|
||||||
nalloc = 0;
|
|
||||||
|
|
||||||
- if (pledge("stdio cpath unix id proc exec", NULL) == -1)
|
|
||||||
+ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
|
|
||||||
fatal("%s: pledge: %s", __progname, strerror(errno));
|
|
||||||
platform_pledge_agent();
|
|
||||||
|
|
||||||
while (1) {
|
|
||||||
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
|
|
||||||
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
|
|
||||||
saved_errno = errno;
|
|
||||||
if (parent_alive_interval != 0)
|
|
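--- a/PATCH_FILE_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,82 +0,0 @@
-# HG changeset patch
-# Parent bb92b9f037cc3686a669cd84caa44a2716f34058
-Date: Tue, 9 May 2017 14:27:34 -0300
-
-[PATCH 0/3] Allow syscalls for openssl engines
-From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-To: openssh-unix-dev@mindrot.org
-In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
-and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
-implementation) which calls the libraries that will communicate with the
-crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
-this is only need on s390 architecture.
-
-The EP11 crypto card also needs to make an ioctl call, which receives an
-specific argument.
-
-Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-
-related to bsc#1016709
-
-diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
---- a/openssh-7.2p2/sandbox-seccomp-filter.c
-+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
-@@ -150,16 +150,19 @@ static const struct sock_filter preauth_
-SC_ALLOW(stat),
-#endif
-#ifdef __NR_exit
-SC_ALLOW(exit),
-#endif
-#ifdef __NR_exit_group
-SC_ALLOW(exit_group),
-#endif
-+#if defined(__NR_flock) && defined(__s390__)
-+ SC_ALLOW(flock),
-+#endif
-#ifdef __NR_getpgid
-SC_ALLOW(getpgid),
-#endif
-#ifdef __NR_getpid
-SC_ALLOW(getpid),
-#endif
-#ifdef __NR_getuid
-SC_ALLOW(getuid),
-@@ -180,16 +183,19 @@ static const struct sock_filter preauth_
-SC_ALLOW(gettimeofday),
-#endif
-#ifdef SSH_AUDIT_EVENTS
-SC_ALLOW(getuid),
-#ifdef __NR_getuid32 /* not defined on x86_64 */
-SC_ALLOW(getuid32),
-#endif
-#endif
-+#if defined(__NR_ipc) && defined(__s390__)
-+ SC_ALLOW(ipc),
-+#endif
-#ifdef __NR_madvise
-SC_ALLOW(madvise),
-#endif
-#ifdef __NR_mmap
-SC_ALLOW(mmap),
-#endif
-#ifdef __NR_mmap2
-SC_ALLOW(mmap2),
-@@ -233,16 +239,18 @@ static const struct sock_filter preauth_
-#ifdef __NR_socketcall
-SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
-#endif
-#ifdef __NR_ioctl
-#ifdef __s390__
-SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
-SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
-SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
-+ /* Allow ioctls for EP11 crypto card on s390 */
-+ SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
-#endif
-#endif
-
-/* Default deny */
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
-};
-
-static const struct sock_fprog preauth_program = {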
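--- a/PATCH_FILE_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,100 +0,0 @@
-# HG changeset patch
-# Parent 6d8637bec747de081eccba9874f640dcbc4fbb68
-This patch enables specific ioctl calls for ICA crypto card on s390
-platform. Without this patch, users using the IBMCA engine are not able
-to perform ssh login as the filter blocks the communication with the
-crypto card.
-
-Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
-Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-
-bsc#1016709
-
-Upstreamed as:
-5f1596e11d55539678c41f68aed358628d33d86f
-58b8cfa2a062b72139d7229ae8de567f55776f24
-
-diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
---- a/openssh-7.2p2/sandbox-seccomp-filter.c
-+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
-@@ -54,42 +54,53 @@
-#include <errno.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stddef.h> /* for offsetof */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-+#include <endian.h>
-+
-+#ifdef __s390__
-+#include <asm/zcrypt.h>
-+#endif
-
-#include "log.h"
-#include "ssh-sandbox.h"
-#include "xmalloc.h"
-
-/* Linux seccomp_filter sandbox */
-#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
-
-/* Use a signal handler to emit violations when debugging */
-#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
-# undef SECCOMP_FILTER_FAIL
-# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
-#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
-
-/* Simple helpers to avoid manual errors (but larger BPF programs). */
-+#if __BYTE_ORDER == __LITTLE_ENDIAN
-+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)])
-+#elif __BYTE_ORDER == __BIG_ENDIAN
-+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(uint32_t)
-+#else
-+#error "Unknown endianness"
-+#endif
-#define SC_DENY(_nr, _errno) \
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
-#define SC_ALLOW(_nr) \
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
-#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
-- /* load first syscall argument */ \
-- BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-- offsetof(struct seccomp_data, args[(_arg_nr)])), \
-+ /* load the syscall argument to check into accumulator */ \
-+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
-/* reload syscall number; all rules expect it in accumulator */ \
-BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-offsetof(struct seccomp_data, nr))
-
-/* Syscall filtering set for preauth. */
-static const struct sock_filter preauth_insns[] = {
-@@ -217,16 +228,23 @@ static const struct sock_filter preauth_
-SC_ALLOW(time),
-#endif
-#ifdef __NR_write
-SC_ALLOW(write),
-#endif
-#ifdef __NR_socketcall
-SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
-#endif
-+#ifdef __NR_ioctl
-+#ifdef __s390__
-+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
-+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
-+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
-+#endif
-+#endif
-
-/* Default deny */
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
-};
-
-static const struct sock_fprog preauth_program = {
-.len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])),
-.filter = (struct sock_filter *)preauth_insns,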
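--- a/PATCH_FILE_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,34 +0,0 @@
-# HG changeset patch
-# Parent b07f00d5d805c043f5bdc7b8cf6701d924879fa6
-Add the 'geteuid' syscall to allowed list, since it may becalled on the
-mainframes when OpenSSL is using hardware crypto accelerator via libica
-(via ibmica)
-
-bsc#1004258
-
-diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
---- a/openssh-7.2p2/sandbox-seccomp-filter.c
-+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
-@@ -148,16 +148,22 @@ static const struct sock_filter preauth_
-SC_ALLOW(getpid),
-#endif
-#ifdef __NR_getuid
-SC_ALLOW(getuid),
-#endif
-#ifdef __NR_getuid32
-SC_ALLOW(getuid32),
-#endif
-+#ifdef __NR_geteuid
-+ SC_ALLOW(geteuid),
-+#endif
-+#ifdef __NR_geteuid32
-+ SC_ALLOW(geteuid32),
-+#endif
-#ifdef __NR_getrandom
-SC_ALLOW(getrandom),
-#endif
-#ifdef __NR_gettimeofday
-SC_ALLOW(gettimeofday),
-#endif
-#ifdef __NR_madvise
-SC_ALLOW(madvise),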
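--- a/PATCH_FILE_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,31 +0,0 @@
-# HG changeset patch
-# Parent d75417bf0f4d50cabd84299773bab4ac68f68caa
-add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
-from being killed by the seccomp filter
-
-diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
---- a/openssh-7.2p2/sandbox-seccomp-filter.c
-+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
-@@ -142,16 +142,22 @@ static const struct sock_filter preauth_
-SC_ALLOW(exit_group),
-#endif
-#ifdef __NR_getpgid
-SC_ALLOW(getpgid),
-#endif
-#ifdef __NR_getpid
-SC_ALLOW(getpid),
-#endif
-+#ifdef __NR_getuid
-+ SC_ALLOW(getuid),
-+#endif
-+#ifdef __NR_getuid32
-+ SC_ALLOW(getuid32),
-+#endif
-#ifdef __NR_getrandom
-SC_ALLOW(getrandom),
-#endif
-#ifdef __NR_gettimeofday
-SC_ALLOW(gettimeofday),
-#endif
-#ifdef __NR_madvise
-SC_ALLOW(madvise),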
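--- a/PATCH_FILE_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,30 +0,0 @@
-# HG changeset patch
-# Parent 2153c4af090728c778931d2fad72d4b260294122
-Allow the stat() syscall for OpenSSL re-seed patch
-(which causes OpenSSL use stat() on some file)
-
-bnc#912436
-
-diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
---- a/openssh-7.2p2/sandbox-seccomp-filter.c
-+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
-@@ -130,16 +130,19 @@ static const struct sock_filter preauth_
-SC_ALLOW(brk),
-#endif
-#ifdef __NR_clock_gettime
-SC_ALLOW(clock_gettime),
-#endif
-#ifdef __NR_close
-SC_ALLOW(close),
-#endif
-+#ifdef __NR_stat
-+ SC_ALLOW(stat),
-+#endif
-#ifdef __NR_exit
-SC_ALLOW(exit),
-#endif
-#ifdef __NR_exit_group
-SC_ALLOW(exit_group),
-#endif
-#ifdef __NR_getpgid
-SC_ALLOW(getpgid),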
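--- a/PATCH_FILE_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,51 +0,0 @@
-# HG changeset patch
-# Parent 4e1fd41aaa9cafe8f7b07868ac38ed4dbdf594aa
-Do not allow unix socket when running without privilege separation to prevent
-privilege escalation through a socket created with root: ownership.
-
-CVE-2016-10010
-bsc#1016368
-
-backported upstream commit b737e4d7433577403a31cff6614f6a1b0b5e22f4
-
-diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
---- a/openssh-7.2p2/serverloop.c
-+++ b/openssh-7.2p2/serverloop.c
-@@ -990,17 +990,17 @@ server_request_direct_streamlocal(void)
-originator_port = packet_get_int();
-packet_check_eom();
-
-debug("server_request_direct_streamlocal: originator %s port %d, target %s",
-originator, originator_port, target);
-
-/* XXX fine grained permissions */
-if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-- !no_port_forwarding_flag) {
-+ !no_port_forwarding_flag && use_privsep) {
-c = channel_connect_to_path(target,
-"direct-streamlocal@openssh.com", "direct-streamlocal");
-} else {
-logit("refused streamlocal port forward: "
-"originator %s port %d, target %s",
-originator, originator_port, target);
-}
-
-@@ -1274,17 +1274,17 @@ server_input_global_request(int type, u_
-
-memset(&fwd, 0, sizeof(fwd));
-fwd.listen_path = packet_get_string(NULL);
-debug("server_input_global_request: streamlocal-forward listen path %s",
-fwd.listen_path);
-
-/* check permissions */
-if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-- || no_port_forwarding_flag) {
-+ || no_port_forwarding_flag || !use_privsep) {
-success = 0;
-packet_send_debug("Server has disabled port forwarding.");
-} else {
-/* Start listening on the socket */
-success = channel_setup_remote_fwd_listener(
-&fwd, NULL, &options.fwd_opts);
-}
-free(fwd.listen_path);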
@ -1,461 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 6ece65e11f754d75dd33d72b6f8e487a9d047f2e
|
|
||||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
|
||||||
# bnc#703221, FATE#312172
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
|
|
||||||
--- a/openssh-7.2p2/entropy.c
|
|
||||||
+++ b/openssh-7.2p2/entropy.c
|
|
||||||
@@ -49,16 +49,17 @@
|
|
||||||
|
|
||||||
#include "ssh.h"
|
|
||||||
#include "misc.h"
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "atomicio.h"
|
|
||||||
#include "pathnames.h"
|
|
||||||
#include "log.h"
|
|
||||||
#include "buffer.h"
|
|
||||||
+#include "openbsd-compat/port-linux.h"
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Portable OpenSSH PRNG seeding:
|
|
||||||
* If OpenSSL has not "internally seeded" itself (e.g. pulled data from
|
|
||||||
* /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
|
|
||||||
* PRNGd.
|
|
||||||
*/
|
|
||||||
#ifndef OPENSSL_PRNG_ONLY
|
|
||||||
@@ -224,16 +225,19 @@ seed_rng(void)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
|
||||||
fatal("Could not obtain seed from PRNGd");
|
|
||||||
RAND_add(buf, sizeof(buf), sizeof(buf));
|
|
||||||
memset(buf, '\0', sizeof(buf));
|
|
||||||
|
|
||||||
#endif /* OPENSSL_PRNG_ONLY */
|
|
||||||
+
|
|
||||||
+ linux_seed();
|
|
||||||
+
|
|
||||||
if (RAND_status() != 1)
|
|
||||||
fatal("PRNG is not seeded");
|
|
||||||
}
|
|
||||||
|
|
||||||
#else /* WITH_OPENSSL */
|
|
||||||
|
|
||||||
/* Handled in arc4random() */
|
|
||||||
void
|
|
||||||
diff --git a/openssh-7.2p2/openbsd-compat/Makefile.in b/openssh-7.2p2/openbsd-compat/Makefile.in
|
|
||||||
--- a/openssh-7.2p2/openbsd-compat/Makefile.in
|
|
||||||
+++ b/openssh-7.2p2/openbsd-compat/Makefile.in
|
|
||||||
@@ -15,17 +15,17 @@ AR=@AR@
|
|
||||||
RANLIB=@RANLIB@
|
|
||||||
INSTALL=@INSTALL@
|
|
||||||
LDFLAGS=-L. @LDFLAGS@
|
|
||||||
|
|
||||||
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
|
|
||||||
|
|
||||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
|
||||||
|
|
||||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
|
||||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
|
||||||
|
|
||||||
.c.o:
|
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
|
||||||
|
|
||||||
all: libopenbsd-compat.a
|
|
||||||
|
|
||||||
$(COMPAT): ../config.h
|
|
||||||
$(OPENBSD): ../config.h
|
|
||||||
diff --git a/openssh-7.2p2/openbsd-compat/port-linux-prng.c b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
|
|
||||||
@@ -0,0 +1,81 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
|
||||||
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
|
|
||||||
+ *
|
|
||||||
+ * Permission to use, copy, modify, and distribute this software for any
|
|
||||||
+ * purpose with or without fee is hereby granted, provided that the above
|
|
||||||
+ * copyright notice and this permission notice appear in all copies.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
||||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
||||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
||||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
||||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
||||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Linux-specific portability code - prng support
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+#include "defines.h"
|
|
||||||
+
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <openssl/rand.h>
|
|
||||||
+
|
|
||||||
+#include "log.h"
|
|
||||||
+#include "port-linux.h"
|
|
||||||
+#include "fips.h"
|
|
||||||
+
|
|
||||||
+#define RNG_BYTES_DEFAULT 6L
|
|
||||||
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
|
|
||||||
+
|
|
||||||
+long rand_bytes = 0;
|
|
||||||
+char *rand_file = NULL;
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+linux_seed_init(void)
|
|
||||||
+{
|
|
||||||
+ long elen = 0;
|
|
||||||
+ char *env = getenv(RNG_ENV_VAR);
|
|
||||||
+
|
|
||||||
+ if (env) {
|
|
||||||
+ errno = 0;
|
|
||||||
+ elen = strtol(env, NULL, 10);
|
|
||||||
+ if (errno) {
|
|
||||||
+ elen = RNG_BYTES_DEFAULT;
|
|
||||||
+ debug("bogus value in the %s environment variable, "
|
|
||||||
+ "using %li bytes from /dev/random\n",
|
|
||||||
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (elen || fips_mode())
|
|
||||||
+ rand_file = "/dev/random";
|
|
||||||
+ else
|
|
||||||
+ rand_file = "/dev/urandom";
|
|
||||||
+
|
|
||||||
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+linux_seed(void)
|
|
||||||
+{
|
|
||||||
+ long len;
|
|
||||||
+ if (!rand_file)
|
|
||||||
+ linux_seed_init();
|
|
||||||
+
|
|
||||||
+ errno = 0;
|
|
||||||
+ len = RAND_load_file(rand_file, rand_bytes);
|
|
||||||
+ if (len != rand_bytes) {
|
|
||||||
+ if (errno)
|
|
||||||
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
|
|
||||||
+ else
|
|
||||||
+ fatal ("EOF reading %s", rand_file);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/openssh-7.2p2/openbsd-compat/port-linux.h b/openssh-7.2p2/openbsd-compat/port-linux.h
|
|
||||||
--- a/openssh-7.2p2/openbsd-compat/port-linux.h
|
|
||||||
+++ b/openssh-7.2p2/openbsd-compat/port-linux.h
|
|
||||||
@@ -14,16 +14,20 @@
|
|
||||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
||||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
||||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#ifndef _PORT_LINUX_H
|
|
||||||
#define _PORT_LINUX_H
|
|
||||||
|
|
||||||
+extern long rand_bytes;
|
|
||||||
+extern char *rand_file;
|
|
||||||
+void linux_seed(void);
|
|
||||||
+
|
|
||||||
#ifdef WITH_SELINUX
|
|
||||||
int ssh_selinux_enabled(void);
|
|
||||||
void ssh_selinux_setup_pty(char *, const char *);
|
|
||||||
void ssh_selinux_setup_exec_context(char *);
|
|
||||||
void ssh_selinux_change_context(const char *);
|
|
||||||
void ssh_selinux_setfscreatecon(const char *);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/ssh-add.1 b/openssh-7.2p2/ssh-add.1
|
|
||||||
--- a/openssh-7.2p2/ssh-add.1
|
|
||||||
+++ b/openssh-7.2p2/ssh-add.1
|
|
||||||
@@ -166,16 +166,30 @@ or related script.
|
|
||||||
(Note that on some machines it
|
|
||||||
may be necessary to redirect the input from
|
|
||||||
.Pa /dev/null
|
|
||||||
to make this work.)
|
|
||||||
.It Ev SSH_AUTH_SOCK
|
|
||||||
Identifies the path of a
|
|
||||||
.Ux Ns -domain
|
|
||||||
socket used to communicate with the agent.
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.El
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds
|
|
||||||
.It Pa ~/.ssh/identity
|
|
||||||
Contains the protocol version 1 RSA authentication identity of the user.
|
|
||||||
.It Pa ~/.ssh/id_dsa
|
|
||||||
Contains the protocol version 2 DSA authentication identity of the user.
|
|
||||||
.It Pa ~/.ssh/id_ecdsa
|
|
||||||
diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
|
|
||||||
--- a/openssh-7.2p2/ssh-agent.1
|
|
||||||
+++ b/openssh-7.2p2/ssh-agent.1
|
|
||||||
@@ -196,16 +196,33 @@ line terminates.
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds
|
|
||||||
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
|
|
||||||
.Ux Ns -domain
|
|
||||||
sockets used to contain the connection to the authentication agent.
|
|
||||||
These sockets should only be readable by the owner.
|
|
||||||
The sockets should get automatically removed when the agent exits.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
.Xr sshd 8
|
|
||||||
.Sh AUTHORS
|
|
||||||
OpenSSH is a derivative of the original and free
|
|
||||||
ssh 1.2.12 release by Tatu Ylonen.
|
|
||||||
diff --git a/openssh-7.2p2/ssh-keygen.1 b/openssh-7.2p2/ssh-keygen.1
|
|
||||||
--- a/openssh-7.2p2/ssh-keygen.1
|
|
||||||
+++ b/openssh-7.2p2/ssh-keygen.1
|
|
||||||
@@ -841,16 +841,33 @@ on all machines
|
|
||||||
where the user wishes to log in using public key authentication.
|
|
||||||
There is no need to keep the contents of this file secret.
|
|
||||||
.Pp
|
|
||||||
.It Pa /etc/moduli
|
|
||||||
Contains Diffie-Hellman groups used for DH-GEX.
|
|
||||||
The file format is described in
|
|
||||||
.Xr moduli 5 .
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
.Xr ssh-agent 1 ,
|
|
||||||
.Xr moduli 5 ,
|
|
||||||
.Xr sshd 8
|
|
||||||
.Rs
|
|
||||||
.%R RFC 4716
|
|
||||||
diff --git a/openssh-7.2p2/ssh-keysign.8 b/openssh-7.2p2/ssh-keysign.8
|
|
||||||
--- a/openssh-7.2p2/ssh-keysign.8
|
|
||||||
+++ b/openssh-7.2p2/ssh-keysign.8
|
|
||||||
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
|
|
||||||
.Pp
|
|
||||||
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
|
|
||||||
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
|
||||||
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
||||||
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
|
||||||
If these files exist they are assumed to contain public certificate
|
|
||||||
information corresponding with the private keys above.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
.Xr ssh_config 5 ,
|
|
||||||
.Xr sshd 8
|
|
||||||
.Sh HISTORY
|
|
||||||
.Nm
|
|
||||||
first appeared in
|
|
||||||
diff --git a/openssh-7.2p2/ssh.1 b/openssh-7.2p2/ssh.1
|
|
||||||
--- a/openssh-7.2p2/ssh.1
|
|
||||||
+++ b/openssh-7.2p2/ssh.1
|
|
||||||
@@ -1411,16 +1411,30 @@ reads
|
|
||||||
and adds lines of the format
|
|
||||||
.Dq VARNAME=value
|
|
||||||
to the environment if the file exists and users are allowed to
|
|
||||||
change their environment.
|
|
||||||
For more information, see the
|
|
||||||
.Cm PermitUserEnvironment
|
|
||||||
option in
|
|
||||||
.Xr sshd_config 5 .
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds -compact
|
|
||||||
.It Pa ~/.rhosts
|
|
||||||
This file is used for host-based authentication (see above).
|
|
||||||
On some machines this file may need to be
|
|
||||||
world-readable if the user's home directory is on an NFS partition,
|
|
||||||
because
|
|
||||||
.Xr sshd 8
|
|
||||||
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
|
||||||
--- a/openssh-7.2p2/sshd.8
|
|
||||||
+++ b/openssh-7.2p2/sshd.8
|
|
||||||
@@ -972,16 +972,33 @@ and not group or world-writable.
.It Pa /var/run/sshd.pid
Contains the process ID of the
.Nm
listening for connections (if there are several daemons running
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
--- a/openssh-7.2p2/sshd.c
+++ b/openssh-7.2p2/sshd.c
@@ -50,16 +50,18 @@
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include "openbsd-compat/sys-tree.h"
#include "openbsd-compat/sys-queue.h"
+#include "openbsd-compat/port-linux.h"
+
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
@@ -209,16 +211,23 @@ struct {
Key **host_pubkeys; /* all public host keys */
Key **host_certificates; /* all public host certificates */
int have_ssh1_key;
int have_ssh2_key;
u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH];
} sensitive_data;
/*
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
+ * random pool.
+ */
+#define RESEED_AFTER 100
+static int re_seeding_counter = RESEED_AFTER;
+
+/*
* Flag indicating whether the RSA server key needs to be regenerated.
* Is set in the SIGALRM handler and cleared when the key is regenerated.
*/
static volatile sig_atomic_t key_do_regen = 0;
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
@@ -1343,16 +1352,20 @@ server_accept_loop(int *sock_in, int *so
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0];
if (maxfd < startup_p[0])
maxfd = startup_p[0];
startups++;
break;
}
+ if(!(--re_seeding_counter)) {
+ re_seeding_counter = RESEED_AFTER;
+ linux_seed();
+ }
/*
* Got connection. Fork a child to handle it, unless
* we are in debugging mode.
*/
if (debug_flag) {
/*
* In debugging mode. Close the listening
@ -1,53 +0,0 @@
# HG changeset patch
# Parent dfcac093fca4d826a806b9d1c0bdc26e7ae8ee8e
send locales in default configuration
bnc#65747
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
--- a/openssh-7.2p2/ssh_config
+++ b/openssh-7.2p2/ssh_config
@@ -26,16 +26,21 @@ Host *
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after twenty minutes after remote login.
ForwardX11Trusted yes
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL
+
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
--- a/openssh-7.2p2/sshd_config
+++ b/openssh-7.2p2/sshd_config
@@ -120,14 +120,19 @@ X11Forwarding yes
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
@ -1,157 +0,0 @@
# HG changeset patch
# Parent 7b45c4f3fef6836db00c5b198736cce17290c5cd
additional option for sftp-server to force file mode for new files
FATE#312774
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
http://marc.info/?l=openssh-unix-dev&m=128896838930893
diff --git a/openssh-7.2p2/sftp-server.8 b/openssh-7.2p2/sftp-server.8
--- a/openssh-7.2p2/sftp-server.8
+++ b/openssh-7.2p2/sftp-server.8
@@ -33,16 +33,17 @@
.Bk -words
.Op Fl ehR
.Op Fl d Ar start_directory
.Op Fl f Ar log_facility
.Op Fl l Ar log_level
.Op Fl P Ar blacklisted_requests
.Op Fl p Ar whitelisted_requests
.Op Fl u Ar umask
+.Op Fl m Ar force_file_permissions
.Ek
.Nm
.Fl Q Ar protocol_feature
.Sh DESCRIPTION
.Nm
is a program that speaks the server side of SFTP protocol
to stdout and expects client requests from stdin.
.Nm
@@ -133,16 +134,20 @@ Places this instance of
into a read-only mode.
Attempts to open files for writing, as well as other operations that change
the state of the filesystem, will be denied.
.It Fl u Ar umask
Sets an explicit
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
+.It Fl m Ar force_file_permissions
+Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
.El
.Pp
On some systems,
.Nm
must be able to access
.Pa /dev/log
for logging to work, and use of
.Nm
diff --git a/openssh-7.2p2/sftp-server.c b/openssh-7.2p2/sftp-server.c
--- a/openssh-7.2p2/sftp-server.c
+++ b/openssh-7.2p2/sftp-server.c
@@ -73,16 +73,20 @@ static u_int version;
static int init_done;
/* Disable writes */
static int readonly;
/* Requests that are allowed/denied */
static char *request_whitelist, *request_blacklist;
+/* Force file permissions */
+int permforce = 0;
+long permforcemode;
+
/* portable attributes, etc. */
typedef struct Stat Stat;
struct Stat {
char *name;
char *long_name;
Attrib attrib;
};
@@ -687,16 +691,20 @@ process_open(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
(r = decode_attrib(iqueue, &a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags);
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
+ if (permforce == 1) {
+ mode = permforcemode;
+ (void)umask(0); /* so umask does not interfere */
+ }
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
((flags & O_ACCMODE) == O_WRONLY ||
(flags & O_ACCMODE) == O_RDWR)) {
verbose("Refusing open request in read-only mode");
status = SSH2_FX_PERMISSION_DENIED;
} else {
@@ -1489,17 +1497,18 @@ sftp_server_cleanup_exit(int i)
static void
sftp_server_usage(void)
{
extern char *__progname;
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] "
- "[-p whitelisted_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask]\n\t"
+ "[-m force_file_permissions]\n"
" %s -Q protocol_feature\n",
__progname, __progname);
exit(1);
}
int
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
{
@@ -1515,17 +1524,17 @@ sftp_server_main(int argc, char **argv,
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
- "d:f:l:P:p:Q:u:cehR")) != -1) {
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
switch (ch) {
case 'Q':
if (strcasecmp(optarg, "requests") != 0) {
fprintf(stderr, "Invalid query type\n");
exit(1);
}
for (i = 0; handlers[i].handler != NULL; i++)
printf("%s\n", handlers[i].name);
@@ -1575,16 +1584,23 @@ sftp_server_main(int argc, char **argv,
case 'u':
errno = 0;
mask = strtol(optarg, &cp, 8);
if (mask < 0 || mask > 0777 || *cp != '\0' ||
cp == optarg || (mask == 0 && errno != 0))
fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask);
break;
+ case 'm':
+ permforce = 1;
+ permforcemode = strtol(optarg, &cp, 8);
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
+ cp == optarg || (permforcemode == 0 && errno != 0))
+ fatal("Invalid umask \"%s\"", optarg);
+ break;
case 'h':
default:
sftp_server_usage();
}
}
log_init(__progname, log_level, log_facility, log_stderr);
@ -1,366 +0,0 @@
# HG changeset patch
# Parent fc81df6f2bf393e45e703c89976c3a0fe6e0a273
run sftp sessions inside a chroot
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
--- a/openssh-7.2p2/session.c
+++ b/openssh-7.2p2/session.c
@@ -123,16 +123,18 @@ int do_exec(Session *, const char *);
void do_login(Session *, const char *);
#ifdef LOGIN_NEEDS_UTMPX
static void do_pre_login(Session *s);
#endif
void do_child(Session *, const char *);
void do_motd(void);
int check_quietlogin(Session *, const char *);
+int chroot_no_tree = 0;
+
static void do_authenticated1(Authctxt *);
static void do_authenticated2(Authctxt *);
static int session_pty_req(Session *);
/* import */
extern ServerOptions options;
extern char *__progname;
@@ -838,16 +840,21 @@ do_exec(Session *s, const char *command)
"subsystem '%.900s'", s->subsys);
} else if (command == NULL) {
snprintf(session_type, sizeof(session_type), "shell");
} else {
/* NB. we don't log unforced commands to preserve privacy */
snprintf(session_type, sizeof(session_type), "command");
}
+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
+ logit("You aren't welcomed, go away!");
+ exit (1);
+ }
+
if (s->ttyfd != -1) {
tty = s->tty;
if (strncmp(tty, "/dev/", 5) == 0)
tty += 5;
}
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type,
@@ -1492,58 +1499,123 @@ do_nologin(struct passwd *pw)
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
}
exit(254);
}
/*
+ * Test if filesystem is mounted nosuid and nodev
+ */
+
+static void
+test_nosuid (char * path, dev_t fs)
+{
+ FILE *f;
+ struct stat st;
+ char buf[4096], *s, *on, *mountpoint, *opt;
+ int nodev, nosuid;
+
+ if (!(f = popen ("/bin/mount", "r")))
+ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
+ __func__, strerror (errno));
+ for (;;) {
+ s = fgets (buf, sizeof (buf), f);
+ if (ferror (f))
+ fatal ("%s: read from popen: %s", __func__,
+ strerror (errno));
+ if (!s) {
+ pclose (f);
+ fatal ("cannot find filesystem with the chroot directory");
+ }
+ (void) strtok (buf, " ");
+ on = strtok (NULL, " ");
+ if (strcmp (on, "on")) {
+ pclose (f);
+ fatal ("bad format of mount output");
+ }
+ mountpoint = strtok (NULL, " ");
+ if (memcmp (path, mountpoint, strlen (mountpoint)))
+ continue;
+ if (stat(mountpoint, &st) != 0) {
+ pclose (f);
+ fatal("%s: stat(\"%s\"): %s", __func__,
+ mountpoint, strerror(errno));
+ }
+ if (fs != st.st_dev)
+ continue;
+ nodev = nosuid = 0;
+ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
+ if (!strcmp (opt, "nodev"))
+ nodev = 1;
+ else if (!strcmp (opt, "nosuid"))
+ nosuid = 1;
+ else if (!strcmp (opt, "noexec"))
+ nosuid = 1;
+ if (nodev && nosuid) {
+ pclose (f);
+ return;
+ }
+ }
+ fatal ("chroot into directory without nodev and either noexec or nosuid");
+ }
+}
+
+/*
* Chroot into a directory after checking it for safety: all path components
* must be root-owned directories with strict permissions.
*/
static void
safely_chroot(const char *path, uid_t uid)
{
const char *cp;
char component[PATH_MAX];
struct stat st;
+ int last;
if (*path != '/')
fatal("chroot path does not begin at root");
if (strlen(path) >= sizeof(component))
fatal("chroot path too long");
/*
* Descend the path, checking that each component is a
* root-owned directory with strict permissions.
*/
for (cp = path; cp != NULL;) {
- if ((cp = strchr(cp, '/')) == NULL)
+ if (last = ((cp = strchr(cp, '/')) == NULL))
strlcpy(component, path, sizeof(component));
else {
cp++;
memcpy(component, path, cp - path);
component[cp - path] = '\0';
}
debug3("%s: checking '%s'", __func__, component);
if (stat(component, &st) != 0)
fatal("%s: stat(\"%s\"): %s", __func__,
component, strerror(errno));
- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
fatal("bad ownership or modes for chroot "
"directory %s\"%s\"",
cp == NULL ? "" : "component ", component);
if (!S_ISDIR(st.st_mode))
fatal("chroot path %s\"%s\" is not a directory",
cp == NULL ? "" : "component ", component);
}
+ setenv ("TZ", "/etc/localtime", 0);
+ tzset();
+
+ if (st.st_uid) {
+ test_nosuid(path, st.st_dev);
+ ++chroot_no_tree;
+ }
if (chdir(path) == -1)
fatal("Unable to chdir to chroot path \"%s\": "
"%s", path, strerror(errno));
if (chroot(path) == -1)
fatal("chroot(\"%s\"): %s", path, strerror(errno));
if (chdir("/") == -1)
fatal("%s: chdir(/) after chroot: %s",
diff --git a/openssh-7.2p2/sftp-chrootenv.h b/openssh-7.2p2/sftp-chrootenv.h
new file mode 100644
--- /dev/null
+++ b/openssh-7.2p2/sftp-chrootenv.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef CHROOTENV_H
+#define CHROOTENV_H
+
+extern int chroot_no_tree;
+
+#endif
+
diff --git a/openssh-7.2p2/sftp-common.c b/openssh-7.2p2/sftp-common.c
--- a/openssh-7.2p2/sftp-common.c
+++ b/openssh-7.2p2/sftp-common.c
@@ -43,16 +43,17 @@
#include "xmalloc.h"
#include "ssherr.h"
#include "sshbuf.h"
#include "log.h"
#include "sftp.h"
#include "sftp-common.h"
+#include "sftp-chrootenv.h"
/* Clear contents of attributes structure */
void
attrib_clear(Attrib *a)
{
a->flags = 0;
a->size = 0;
a->uid = 0;
@@ -216,23 +217,23 @@ ls_file(const char *name, const struct s
int ulen, glen, sz = 0;
struct tm *ltime = localtime(&st->st_mtime);
char *user, *group;
char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
char sbuf[FMT_SCALED_STRSIZE];
time_t now;
strmode(st->st_mode, mode);
- if (!remote) {
+ if (!remote && !chroot_no_tree) {
user = user_from_uid(st->st_uid, 0);
} else {
snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
user = ubuf;
}
- if (!remote) {
+ if (!remote && !chroot_no_tree) {
group = group_from_gid(st->st_gid, 0);
} else {
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
group = gbuf;
}
if (ltime != NULL) {
now = time(NULL);
if (now - (365*24*60*60)/2 < st->st_mtime &&
diff --git a/openssh-7.2p2/sftp-server-main.c b/openssh-7.2p2/sftp-server-main.c
--- a/openssh-7.2p2/sftp-server-main.c
+++ b/openssh-7.2p2/sftp-server-main.c
@@ -17,22 +17,25 @@
#include "includes.h"
#include <sys/types.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>
+//#include <time.h>
#include "log.h"
#include "sftp.h"
#include "misc.h"
#include "xmalloc.h"
+int chroot_no_tree = 0;
+
void
cleanup_exit(int i)
{
sftp_server_cleanup_exit(i);
}
int
main(int argc, char **argv)
diff --git a/openssh-7.2p2/sftp.c b/openssh-7.2p2/sftp.c
--- a/openssh-7.2p2/sftp.c
+++ b/openssh-7.2p2/sftp.c
@@ -112,16 +112,18 @@ struct complete_ctx {
char **remote_pathp;
};
int remote_glob(struct sftp_conn *, const char *, int,
int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */
extern char *__progname;
+int chroot_no_tree = 0;
+
/* Separators for interactive commands */
#define WHITESPACE " \t\r\n"
/* ls flags */
#define LS_LONG_VIEW 0x0001 /* Full view ala ls -l */
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
--- a/openssh-7.2p2/sshd_config.0
+++ b/openssh-7.2p2/sshd_config.0
@@ -251,16 +251,24 @@ DESCRIPTION
directory on some operating systems (see sftp-server(8) for
details).
For safety, it is very important that the directory hierarchy be
prevented from modification by other processes on the system
(especially those outside the jail). Misconfiguration can lead
to unsafe environments which sshd(8) cannot detect.
+ In the special case when only sftp is used, not ssh nor scp, it
+ is possible to use ChrootDirectory %h or ChrootDirectory
+ /some/path/%u. The file system containing this directory must be
+ mounted with options nodev and either nosuid or noexec. The owner
+ of the directory should be the user. The ownership of the other
+ components of the path must fulfill the usual conditions. No adi-
+ tional files are required to be present in the directory.
+
The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2).
Ciphers
Specifies the ciphers allowed. Multiple ciphers must be comma-
separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
then the specified ciphers will be appended to the default set
instead of replacing them.
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
--- a/openssh-7.2p2/sshd_config.5
+++ b/openssh-7.2p2/sshd_config.5
@@ -424,16 +424,27 @@ for details).
.Pp
For safety, it is very important that the directory hierarchy be
prevented from modification by other processes on the system (especially
those outside the jail).
Misconfiguration can lead to unsafe environments which
.Xr sshd 8
cannot detect.
.Pp
+In the special case when only sftp is used, not ssh nor scp,
+it is possible to use
+.Cm ChrootDirectory
+%h or
+.Cm ChrootDirectory
+/some/path/%u. The file system containing this directory must be
+mounted with options nodev and either nosuid or noexec. The owner of the
+directory should be the user. The ownership of the other components of the path
+must fulfill the usual conditions. No aditional files are required to be present
+in the directory.
+.Pp
The default is
.Dq none ,
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
Specifies the ciphers allowed.
Multiple ciphers must be comma-separated.
If the specified value begins with a
@ -1,87 +0,0 @@
# HG changeset patch
# Parent 1b99f71db584917a37c5e9140bf63dcb860e8b59
Match hostnames in a case-insensitive manner.
bsc#1017099
diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
--- a/openssh-7.2p2/readconf.c
+++ b/openssh-7.2p2/readconf.c
@@ -526,16 +526,17 @@ execute_in_shell(const char *cmd)
* Parse and execute a Match directive.
*/
static int
match_cfg_line(Options *options, char **condition, struct passwd *pw,
const char *host_arg, const char *original_host, int post_canon,
const char *filename, int linenum)
{
char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
+ char *hostlc;
const char *ruser;
int r, port, this_result, result = 1, attributes = 0, negate;
char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
/*
* Configuration is likely to be incomplete at this point so we
* must be prepared to use default values.
*/
@@ -546,16 +547,20 @@ match_cfg_line(Options *options, char **
} else if (options->hostname != NULL) {
/* NB. Please keep in sync with ssh.c:main() */
host = percent_expand(options->hostname,
"h", host_arg, (char *)NULL);
} else {
host = xstrdup(host_arg);
}
+ /* match_hostname() requires the hostname to be lowercase */
+ hostlc = xstrdup(host);
+ lowercase(hostlc);
+
debug2("checking match for '%s' host %s originally %s",
cp, host, original_host);
while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
criteria = NULL;
this_result = 1;
if ((negate = attrib[0] == '!'))
attrib++;
/* criteria "all" and "canonical" have no argument */
@@ -584,18 +589,18 @@ match_cfg_line(Options *options, char **
}
/* All other criteria require an argument */
if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
error("Missing Match criteria for %s", attrib);
result = -1;
goto out;
}
if (strcasecmp(attrib, "host") == 0) {
- criteria = xstrdup(host);
- r = match_hostname(host, arg) == 1;
+ criteria = xstrdup(hostlc);
+ r = match_hostname(hostlc, arg) == 1;
if (r == (negate ? 1 : 0))
this_result = result = 0;
} else if (strcasecmp(attrib, "originalhost") == 0) {
criteria = xstrdup(original_host);
r = match_hostname(original_host, arg) == 1;
if (r == (negate ? 1 : 0))
this_result = result = 0;
} else if (strcasecmp(attrib, "user") == 0) {
@@ -658,16 +663,17 @@ match_cfg_line(Options *options, char **
error("One or more attributes required for Match");
result = -1;
goto out;
}
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
*condition = cp;
+ free(hostlc);
free(host);
return result;
}
/* Check and prepare a domain name: removes trailing '.' and lowercases */
static void
valid_domain(char *name, const char *filename, int linenum)
{
@ -1,175 +0,0 @@
# HG changeset patch
# Parent 1b2dad1b57b086d094fe09327fcf1c490475a7cd
Check for invalid CIDR adress masks.
bsc#1005893
backported upstream commit: 010359b32659f455fddd2bd85fd7cc4d7a3b994a (7.4)
backported upstream commit: 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a
backported upstream commit: fe06b68f824f8f55670442fb31f2c03526dd326c
diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
--- a/openssh-7.2p2/auth.c
+++ b/openssh-7.2p2/auth.c
@@ -95,16 +95,17 @@ int auth_debug_init;
* Otherwise true is returned.
*/
int
allowed_user(struct passwd * pw)
{
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
u_int i;
+ int r;
#ifdef USE_SHADOW
struct spwd *spw = NULL;
#endif
|
|
||||||
|
|
||||||
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
|
||||||
if (!pw || !pw->pw_name)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
@@ -183,31 +184,41 @@ allowed_user(struct passwd * pw)
|
|
||||||
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
|
|
||||||
options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
|
||||||
hostname = get_canonical_hostname(options.use_dns);
|
|
||||||
ipaddr = get_remote_ipaddr();
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Return false if user is listed in DenyUsers */
|
|
||||||
if (options.num_deny_users > 0) {
|
|
||||||
- for (i = 0; i < options.num_deny_users; i++)
|
|
||||||
- if (match_user(pw->pw_name, hostname, ipaddr,
|
|
||||||
- options.deny_users[i])) {
|
|
||||||
+ for (i = 0; i < options.num_deny_users; i++) {
|
|
||||||
+ r = match_user(pw->pw_name, hostname, ipaddr,
|
|
||||||
+ options.deny_users[i]);
|
|
||||||
+ if (r < 0) {
|
|
||||||
+ fatal("Invalid DenyUsers pattern \"%.100s\"",
|
|
||||||
+ options.deny_users[i]);
|
|
||||||
+ } else if (r != 0) {
|
|
||||||
logit("User %.100s from %.100s not allowed "
|
|
||||||
"because listed in DenyUsers",
|
|
||||||
pw->pw_name, hostname);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
/* Return false if AllowUsers isn't empty and user isn't listed there */
|
|
||||||
if (options.num_allow_users > 0) {
|
|
||||||
- for (i = 0; i < options.num_allow_users; i++)
|
|
||||||
- if (match_user(pw->pw_name, hostname, ipaddr,
|
|
||||||
- options.allow_users[i]))
|
|
||||||
+ for (i = 0; i < options.num_allow_users; i++) {
|
|
||||||
+ r = match_user(pw->pw_name, hostname, ipaddr,
|
|
||||||
+ options.allow_users[i]);
|
|
||||||
+ if (r < 0) {
|
|
||||||
+ fatal("Invalid AllowUsers pattern \"%.100s\"",
|
|
||||||
+ options.allow_users[i]);
|
|
||||||
+ } else if (r == 1)
|
|
||||||
break;
|
|
||||||
+ }
|
|
||||||
/* i < options.num_allow_users iff we break for loop */
|
|
||||||
if (i >= options.num_allow_users) {
|
|
||||||
logit("User %.100s from %.100s not allowed because "
|
|
||||||
"not listed in AllowUsers", pw->pw_name, hostname);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
|
||||||
diff --git a/openssh-7.2p2/match.c b/openssh-7.2p2/match.c
|
|
||||||
--- a/openssh-7.2p2/match.c
|
|
||||||
+++ b/openssh-7.2p2/match.c
|
|
||||||
@@ -186,41 +186,50 @@ match_hostname(const char *host, const c
|
|
||||||
* successful match.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
match_host_and_ip(const char *host, const char *ipaddr,
|
|
||||||
const char *patterns)
|
|
||||||
{
|
|
||||||
int mhost, mip;
|
|
||||||
|
|
||||||
- /* error in ipaddr match */
|
|
||||||
if ((mip = addr_match_list(ipaddr, patterns)) == -2)
|
|
||||||
- return -1;
|
|
||||||
- else if (mip == -1) /* negative ip address match */
|
|
||||||
- return 0;
|
|
||||||
+ return -1; /* error in ipaddr match */
|
|
||||||
+ else if (host == NULL || ipaddr == NULL || mip == -1)
|
|
||||||
+ return 0; /* negative ip address match, or testing pattern */
|
|
||||||
|
|
||||||
/* negative hostname match */
|
|
||||||
if ((mhost = match_hostname(host, patterns)) == -1)
|
|
||||||
return 0;
|
|
||||||
/* no match at all */
|
|
||||||
if (mhost == 0 && mip == 0)
|
|
||||||
return 0;
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * match user, user@host_or_ip, user@host_or_ip_list against pattern
|
|
||||||
+ * Match user, user@host_or_ip, user@host_or_ip_list against pattern.
|
|
||||||
+ * If user, host and ipaddr are all NULL then validate pattern/
|
|
||||||
+ * Returns -1 on invalid pattern, 0 on no match, 1 on match.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
match_user(const char *user, const char *host, const char *ipaddr,
|
|
||||||
const char *pattern)
|
|
||||||
{
|
|
||||||
char *p, *pat;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
+ /* test mode */
|
|
||||||
+ if (user == NULL && host == NULL && ipaddr == NULL) {
|
|
||||||
+ if ((p = strchr(pattern, '@')) != NULL &&
|
|
||||||
+ match_host_and_ip(NULL, NULL, p + 1) < 0)
|
|
||||||
+ return -1;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ((p = strchr(pattern,'@')) == NULL)
|
|
||||||
return match_pattern(user, pattern);
|
|
||||||
|
|
||||||
pat = xstrdup(pattern);
|
|
||||||
p = strchr(pat, '@');
|
|
||||||
*p++ = '\0';
|
|
||||||
|
|
||||||
if ((ret = match_pattern(user, pat)) == 1)
|
|
||||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|
||||||
--- a/openssh-7.2p2/servconf.c
|
|
||||||
+++ b/openssh-7.2p2/servconf.c
|
|
||||||
@@ -1462,28 +1462,34 @@ process_server_config_line(ServerOptions
|
|
||||||
multistate_ptr = multistate_privsep;
|
|
||||||
goto parse_multistate;
|
|
||||||
|
|
||||||
case sAllowUsers:
|
|
||||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
|
||||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
|
||||||
fatal("%s line %d: too many allow users.",
|
|
||||||
filename, linenum);
|
|
||||||
+ if (match_user(NULL, NULL, NULL, arg) == -1)
|
|
||||||
+ fatal("%s line %d: invalid AllowUsers pattern: "
|
|
||||||
+ "\"%.100s\"", filename, linenum, arg);
|
|
||||||
if (!*activep)
|
|
||||||
continue;
|
|
||||||
options->allow_users[options->num_allow_users++] =
|
|
||||||
xstrdup(arg);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case sDenyUsers:
|
|
||||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
|
||||||
if (options->num_deny_users >= MAX_DENY_USERS)
|
|
||||||
fatal("%s line %d: too many deny users.",
|
|
||||||
filename, linenum);
|
|
||||||
+ if (match_user(NULL, NULL, NULL, arg) == -1)
|
|
||||||
+ fatal("%s line %d: invalid DenyUsers pattern: "
|
|
||||||
+ "\"%.100s\"", filename, linenum, arg);
|
|
||||||
if (!*activep)
|
|
||||||
continue;
|
|
||||||
options->deny_users[options->num_deny_users++] =
|
|
||||||
xstrdup(arg);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case sAllowGroups:
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
|
|
||||||
size 1499808
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v2
|
|
||||||
|
|
||||||
iQGsBAABCgAGBQJW4HGiAAoJENPl9Wttkg0w8uUMfRnuvFkcQWBAHy+idRJoL/9W
|
|
||||||
aPis5PRMJW9ENNLUI2eiSNAhcIsAXKZXv3W2S/tuVrztwYv2+ckrlnaOg2GiMc9N
|
|
||||||
l66ZFpoZBNNPqImG88rgl28idkvGlYMwaKoE+YihPdB9BvPvHzZUEKdPtf/HsvI/
|
|
||||||
2vVTKYg2dbIb7M9h8RIXGvSW8UoGd+6pSbjnJaLHsxVsnBXk8ZYqUgq9PT+slS4d
|
|
||||||
/yp9OdZr99JcQqIFEpWs9WG93JxBbRBUif6OdymV3JAGJxfrpA0a0EPbiCNedxkY
|
|
||||||
TB+XZ53ydKx0s9Gv3k2wFfpT4VOIXvlrcPgYyTs7SVbigvT6TomNyK3TUfMQemN6
|
|
||||||
rTP4qt4b74cXne7zfcmr/Axmr3+xg1LybJn4L1IIH7TWAjj5dhPHJwqLRw3owaFB
|
|
||||||
Y8I+5ViCHGNCsBiil8oBOgdg09BITriL76Xs9WEY7+hC+FP/A286ggPDi+De3GPK
|
|
||||||
L7nB1FZgfo3gCGGJVVAH1i8P/ZZEedJHo/AXAYlNax7g6ZDkfmzt1KaVNhtoNvI=
|
|
||||||
=yfYj
|
|
||||||
-----END PGP SIGNATURE-----
|
|
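--- a/openssh-7.6p1-SUSE_patches.tar.gz
+++ b/openssh-7.6p1-SUSE_patches.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:99ff2a08373933a9a4205908a13079d9cc66aad0475ff12c7ae0fda96801f634
+size 77379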
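--- a/openssh-7.6p1.tar.gz
+++ b/openssh-7.6p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
+size 1489788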
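--- a/openssh-7.6p1.tar.gz.asc
+++ b/openssh-7.6p1.tar.gz.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlnTtXUACgkQ0+X1a22S
+DTCQxgx+MJ1JjIWwVjXUxwpFfjj4aBv5xSqiKqwzGgVjnlmwtpTn+tqdGiACts3K
+46fh/8ujknJJ5lBIlWKBfqhKzC7A+gCBaFiLoXiad8Q3NIESbXGxRkuMe6jxFtR7
+SHidUjRqmn1kLCy1TSkj8mqg0/UZ5UZAJcsldQTmEAnxFVbK1l8CLB7vn4rJnj+v
+PdbtsSdw8ZHtakkoNHiqQD+mwy+FXY5QcN7IUEX2/E0hKx0wou1S/36j8k89UQf8
+Jbntg31N4EUOQ0fRwuxdRkHSUrJJpPgwWO4XgHw4u9yghsOCYr+X9Pa1+LCtL4PE
+o4+08UoD92VORzRETH5Cbtv1XmdUWrpHVHUjVORTgYxVgXbbnoDuzxfsrbfJRRLE
+NBsFxodltDxfdljL27PReBqpneWBxNJd6ruaY5wYxhu1qTEcszCGXuSd583TJ49b
+hhkWrk5+knErwFdDbtOy+l3L1pvxXvuyIuWl/aXaoVSPDwtPFui94Dl2G7QbSeEb
+PQDWU6PReeP+SRsMyYJSoxwgbZIzaQ==
+=K6iy
+-----END PGP SIGNATURE-----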
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh-askpass-gnome
|
# spec file for package openssh-askpass-gnome
|
||||||
#
|
#
|
||||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -26,7 +26,7 @@ BuildRequires: openssl-devel
|
|||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: tcpd-devel
|
BuildRequires: tcpd-devel
|
||||||
BuildRequires: update-desktop-files
|
BuildRequires: update-desktop-files
|
||||||
Version: 7.2p2
|
Version: 7.6p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Requires: openssh = %{version}
|
Requires: openssh = %{version}
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
|
644
openssh.changes
@ -1,3 +1,647 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 12 12:38:09 UTC 2018 - pcerny@suse.com
|
||||||
|
|
||||||
|
- Replace forgotten references to /var/adm/fillup-templates
|
||||||
|
with new %_fillupdir macro (boo#1069468)
|
||||||
|
- tighten configuration access rights
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 12 00:38:37 CET 2018 - pcerny@suse.com
|
||||||
|
|
||||||
|
- Update to vanilla 7.6p1
|
||||||
|
Most important changes (more details below):
|
||||||
|
* complete removal of the ancient SSHv1 protocol
|
||||||
|
* sshd(8) cannot run without privilege separation
|
||||||
|
* removal of suport for arcfourm blowfish and CAST ciphers
|
||||||
|
and RIPE-MD160 HMAC
|
||||||
|
* refuse RSA keys shorter than 1024 bits
|
||||||
|
Distilled upstream log:
|
||||||
|
- OpenSSH 7.3
|
||||||
|
---- Security
|
||||||
|
* sshd(8): Mitigate a potential denial-of-service attack
|
||||||
|
against the system's crypt(3) function via sshd(8). An
|
||||||
|
attacker could send very long passwords that would cause
|
||||||
|
excessive CPU use in crypt(3). sshd(8) now refuses to accept
|
||||||
|
password authentication requests of length greater than 1024
|
||||||
|
characters. Independently reported by Tomas Kuthan (Oracle),
|
||||||
|
Andres Rojas and Javier Nieto.
|
||||||
|
* sshd(8): Mitigate timing differences in password
|
||||||
|
authentication that could be used to discern valid from
|
||||||
|
invalid account names when long passwords were sent and
|
||||||
|
particular password hashing algorithms are in use on the
|
||||||
|
server. CVE-2016-6210, reported by EddieEzra.Harari at
|
||||||
|
verint.com
|
||||||
|
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
|
||||||
|
padding oracle countermeasures. Reported by Jean Paul
|
||||||
|
Degabriele, Kenny Paterson, Torben Hansen and Martin
|
||||||
|
Albrecht. Note that CBC ciphers are disabled by default and
|
||||||
|
only included for legacy compatibility.
|
||||||
|
* ssh(1), sshd(8): Improve operation ordering of MAC
|
||||||
|
verification for Encrypt-then-MAC (EtM) mode transport MAC
|
||||||
|
algorithms to verify the MAC before decrypting any
|
||||||
|
ciphertext. This removes the possibility of timing
|
||||||
|
differences leaking facts about the plaintext, though no such
|
||||||
|
leakage has been observed. Reported by Jean Paul Degabriele,
|
||||||
|
Kenny Paterson, Torben Hansen and Martin Albrecht.
|
||||||
|
* sshd(8): (portable only) Ignore PAM environment vars when
|
||||||
|
UseLogin=yes. If PAM is configured to read user-specified
|
||||||
|
environment variables and UseLogin=yes in sshd_config, then a
|
||||||
|
hostile local user may attack /bin/login via LD_PRELOAD or
|
||||||
|
similar environment variables set via PAM. CVE-2015-8325,
|
||||||
|
found by Shayan Sadigh.
|
||||||
|
---- New Features
|
||||||
|
* ssh(1): Add a ProxyJump option and corresponding -J
|
||||||
|
command-line flag to allow simplified indirection through a
|
||||||
|
one or more SSH bastions or "jump hosts".
|
||||||
|
* ssh(1): Add an IdentityAgent option to allow specifying
|
||||||
|
specific agent sockets instead of accepting one from the
|
||||||
|
environment.
|
||||||
|
* ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to
|
||||||
|
be optionally overridden when using ssh -W. bz#2577
|
||||||
|
* ssh(1), sshd(8): Implement support for the IUTF8 terminal
|
||||||
|
mode as per draft-sgtatham-secsh-iutf8-00.
|
||||||
|
* ssh(1), sshd(8): Add support for additional fixed
|
||||||
|
Diffie-Hellman 2K, 4K and 8K groups from
|
||||||
|
draft-ietf-curdle-ssh-kex-sha2-03.
|
||||||
|
* ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
|
||||||
|
signatures in certificates;
|
||||||
|
* ssh(1): Add an Include directive for ssh_config(5) files.
|
||||||
|
* ssh(1): Permit UTF-8 characters in pre-authentication banners
|
||||||
|
sent from the server. bz#2058
|
||||||
|
---- Bugfixes
|
||||||
|
* ssh(1), sshd(8): Reduce the syslog level of some relatively
|
||||||
|
common protocol events from LOG_CRIT. bz#2585
|
||||||
|
* sshd(8): Refuse AuthenticationMethods="" in configurations
|
||||||
|
and accept AuthenticationMethods=any for the default
|
||||||
|
behaviour of not requiring multiple authentication. bz#2398
|
||||||
|
* sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
|
||||||
|
ATTEMPT!" message when forward and reverse DNS don't match.
|
||||||
|
bz#2585
|
||||||
|
* ssh(1): Close ControlPersist background process stderr except
|
||||||
|
in debug mode or when logging to syslog. bz#1988
|
||||||
|
* misc: Make PROTOCOL description for
|
||||||
|
direct-streamlocal@openssh.com channel open messages match
|
||||||
|
deployed code. bz#2529
|
||||||
|
* ssh(1): Deduplicate LocalForward and RemoteForward entries to
|
||||||
|
fix failures when both ExitOnForwardFailure and hostname
|
||||||
|
canonicalisation are enabled. bz#2562
|
||||||
|
* sshd(8): Remove fallback from moduli to obsolete "primes"
|
||||||
|
file that was deprecated in 2001. bz#2559.
|
||||||
|
* sshd_config(5): Correct description of UseDNS: it affects ssh
|
||||||
|
hostname processing for authorized_keys, not known_hosts;
|
||||||
|
bz#2554
|
||||||
|
* ssh(1): Fix authentication using lone certificate keys in an
|
||||||
|
agent without corresponding private keys on the filesystem.
|
||||||
|
bz#2550
|
||||||
|
* sshd(8): Send ClientAliveInterval pings when a time-based
|
||||||
|
RekeyLimit is set; previously keepalive packets were not
|
||||||
|
being sent. bz#2252
|
||||||
|
---- Portability
|
||||||
|
* ssh(1), sshd(8): Fix compilation by automatically disabling
|
||||||
|
ciphers not supported by OpenSSL. bz#2466
|
||||||
|
* misc: Fix compilation failures on some versions of AIX's
|
||||||
|
compiler related to the definition of the VA_COPY macro.
|
||||||
|
bz#2589
|
||||||
|
* sshd(8): Whitelist more architectures to enable the
|
||||||
|
seccomp-bpf sandbox. bz#2590
|
||||||
|
* ssh-agent(1), sftp-server(8): Disable process tracing on
|
||||||
|
Solaris using setpflags(__PROC_PROTECT, ...). bz#2584
|
||||||
|
* sshd(8): On Solaris, don't call Solaris setproject() with
|
||||||
|
UsePAM=yes it's PAM's responsibility. bz#2425
|
||||||
|
- OpenSSH 7.4
|
||||||
|
---- Potentially-incompatible changes
|
||||||
|
* ssh(1): Remove 3des-cbc from the client's default proposal.
|
||||||
|
64-bit block ciphers are not safe in 2016 and we don't want
|
||||||
|
to wait until attacks like SWEET32 are extended to SSH. As
|
||||||
|
3des-cbc was the only mandatory cipher in the SSH RFCs, this
|
||||||
|
may cause problems connecting to older devices using the
|
||||||
|
default configuration, but it's highly likely that such
|
||||||
|
devices already need explicit configuration for key exchange
|
||||||
|
and hostkey algorithms already anyway.
|
||||||
|
* sshd(8): Remove support for pre-authentication compression.
|
||||||
|
Doing compression early in the protocol probably seemed
|
||||||
|
reasonable in the 1990s, but today it's clearly a bad idea in
|
||||||
|
terms of both cryptography (cf. multiple compression oracle
|
||||||
|
attacks in TLS) and attack surface. Pre-auth compression
|
||||||
|
support has been disabled by default for >10 years. Support
|
||||||
|
remains in the client.
|
||||||
|
* ssh-agent will refuse to load PKCS#11 modules outside a
|
||||||
|
whitelist of trusted paths by default. The path whitelist may
|
||||||
|
be specified at run-time.
|
||||||
|
* sshd(8): When a forced-command appears in both a certificate
|
||||||
|
and an authorized keys/principals command= restriction, sshd
|
||||||
|
will now refuse to accept the certificate unless they are
|
||||||
|
identical. The previous (documented) behaviour of having the
|
||||||
|
certificate forced-command override the other could be a bit
|
||||||
|
confusing and error-prone.
|
||||||
|
* sshd(8): Remove the UseLogin configuration directive and
|
||||||
|
support for having /bin/login manage login sessions.
|
||||||
|
---- Security
|
||||||
|
* ssh-agent(1): Will now refuse to load PKCS#11 modules from
|
||||||
|
paths outside a trusted whitelist (run-time configurable).
|
||||||
|
Requests to load modules could be passed via agent forwarding
|
||||||
|
and an attacker could attempt to load a hostile PKCS#11
|
||||||
|
module across the forwarded agent channel: PKCS#11 modules
|
||||||
|
are shared libraries, so this would result in code execution
|
||||||
|
on the system running the ssh-agent if the attacker has
|
||||||
|
control of the forwarded agent-socket (on the host running
|
||||||
|
the sshd server) and the ability to write to the filesystem
|
||||||
|
of the host running ssh-agent (usually the host running the
|
||||||
|
ssh client). Reported by Jann Horn of Project Zero.
|
||||||
|
* sshd(8): When privilege separation is disabled, forwarded
|
||||||
|
Unix- domain sockets would be created by sshd(8) with the
|
||||||
|
privileges of 'root' instead of the authenticated user. This
|
||||||
|
release refuses Unix-domain socket forwarding when privilege
|
||||||
|
separation is disabled (Privilege separation has been enabled
|
||||||
|
by default for 14 years). Reported by Jann Horn of Project
|
||||||
|
Zero.
|
||||||
|
* sshd(8): Avoid theoretical leak of host private key material
|
||||||
|
to privilege-separated child processes via realloc() when
|
||||||
|
reading keys. No such leak was observed in practice for
|
||||||
|
normal-sized keys, nor does a leak to the child processes
|
||||||
|
directly expose key material to unprivileged users. Reported
|
||||||
|
by Jann Horn of Project Zero.
|
||||||
|
* sshd(8): The shared memory manager used by pre-authentication
|
||||||
|
compression support had a bounds checks that could be elided
|
||||||
|
by some optimising compilers. Additionally, this memory
|
||||||
|
manager was incorrectly accessible when pre-authentication
|
||||||
|
compression was disabled. This could potentially allow
|
||||||
|
attacks against the privileged monitor process from the
|
||||||
|
sandboxed privilege-separation process (a compromise of the
|
||||||
|
latter would be required first). This release removes
|
||||||
|
support for pre-authentication compression from sshd(8).
|
||||||
|
Reported by Guido Vranken using the Stack unstable
|
||||||
|
optimisation identification tool
|
||||||
|
(http://css.csail.mit.edu/stack/)
|
||||||
|
* sshd(8): Fix denial-of-service condition where an attacker
|
||||||
|
who sends multiple KEXINIT messages may consume up to 128MB
|
||||||
|
per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
|
||||||
|
* sshd(8): Validate address ranges for AllowUser and DenyUsers
|
||||||
|
directives at configuration load time and refuse to accept
|
||||||
|
invalid ones. It was previously possible to specify invalid
|
||||||
|
CIDR address ranges (e.g. user@127.1.2.3/55) and these would
|
||||||
|
always match, possibly resulting in granting access where it
|
||||||
|
was not intended. Reported by Laurence Parry.
|
||||||
|
---- New Features
|
||||||
|
* ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by
|
||||||
|
the version in PuTTY by Simon Tatham. This allows a
|
||||||
|
multiplexing client to communicate with the master process
|
||||||
|
using a subset of the SSH packet and channels protocol over a
|
||||||
|
Unix-domain socket, with the main process acting as a proxy
|
||||||
|
that translates channel IDs, etc. This allows multiplexing
|
||||||
|
mode to run on systems that lack file- descriptor passing
|
||||||
|
(used by current multiplexing code) and potentially, in
|
||||||
|
conjunction with Unix-domain socket forwarding, with the
|
||||||
|
client and multiplexing master process on different machines.
|
||||||
|
Multiplexing proxy mode may be invoked using "ssh -O proxy
|
||||||
|
..."
|
||||||
|
* sshd(8): Add a sshd_config DisableForwarding option that
|
||||||
|
disables X11, agent, TCP, tunnel and Unix domain socket
|
||||||
|
forwarding, as well as anything else we might implement in
|
||||||
|
the future. Like the 'restrict' authorized_keys flag, this is
|
||||||
|
intended to be a simple and future-proof way of restricting
|
||||||
|
an account.
|
||||||
|
* sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
|
||||||
|
method. This is identical to the currently-supported method
|
||||||
|
named "curve25519-sha256@libssh.org".
|
||||||
|
* sshd(8): Improve handling of SIGHUP by checking to see if
|
||||||
|
sshd is already daemonised at startup and skipping the call
|
||||||
|
to daemon(3) if it is. This ensures that a SIGHUP restart of
|
||||||
|
sshd(8) will retain the same process-ID as the initial
|
||||||
|
execution. sshd(8) will also now unlink the PidFile prior to
|
||||||
|
SIGHUP restart and re-create it after a successful restart,
|
||||||
|
rather than leaving a stale file in the case of a
|
||||||
|
configuration error. bz#2641
|
||||||
|
* sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
|
||||||
|
directives to appear in sshd_config Match blocks.
|
||||||
|
* sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to
|
||||||
|
match those supported by AuthorizedKeysCommand (key, key
|
||||||
|
type, fingerprint, etc.) and a few more to provide access to
|
||||||
|
the contents of the certificate being offered.
|
||||||
|
* Added regression tests for string matching, address matching
|
||||||
|
and string sanitisation functions.
|
||||||
|
* Improved the key exchange fuzzer harness.
|
||||||
|
---- Bugfixes
|
||||||
|
* ssh(1): Allow IdentityFile to successfully load and use
|
||||||
|
certificates that have no corresponding bare public key.
|
||||||
|
bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
|
||||||
|
* ssh(1): Fix public key authentication when multiple
|
||||||
|
authentication is in use and publickey is not just the first
|
||||||
|
method attempted. bz#2642
|
||||||
|
* regress: Allow the PuTTY interop tests to run unattended.
|
||||||
|
bz#2639
|
||||||
|
* ssh-agent(1), ssh(1): improve reporting when attempting to
|
||||||
|
load keys from PKCS#11 tokens with fewer useless log messages
|
||||||
|
and more detail in debug messages. bz#2610
|
||||||
|
* ssh(1): When tearing down ControlMaster connections, don't
|
||||||
|
pollute stderr when LogLevel=quiet.
|
||||||
|
* sftp(1): On ^Z wait for underlying ssh(1) to suspend before
|
||||||
|
suspending sftp(1) to ensure that ssh(1) restores the
|
||||||
|
terminal mode correctly if suspended during a password
|
||||||
|
prompt.
|
||||||
|
* ssh(1): Avoid busy-wait when ssh(1) is suspended during a
|
||||||
|
password prompt.
|
||||||
|
* ssh(1), sshd(8): Correctly report errors during sending of
|
||||||
|
ext- info messages.
|
||||||
|
* sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
|
||||||
|
sequence NEWKEYS message.
|
||||||
|
* sshd(8): Correct list of supported signature algorithms sent
|
||||||
|
in the server-sig-algs extension. bz#2547
|
||||||
|
* sshd(8): Fix sending ext_info message if privsep is disabled.
|
||||||
|
* sshd(8): more strictly enforce the expected ordering of
|
||||||
|
privilege separation monitor calls used for authentication
|
||||||
|
and allow them only when their respective authentication
|
||||||
|
methods are enabled in the configuration
|
||||||
|
* sshd(8): Fix uninitialised optlen in getsockopt() call;
|
||||||
|
harmless on Unix/BSD but potentially crashy on Cygwin.
|
||||||
|
* Fix false positive reports caused by explicit_bzero(3) not
|
||||||
|
being recognised as a memory initialiser when compiled with
|
||||||
|
-fsanitize-memory.
|
||||||
|
* sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet
|
||||||
|
for configuration examples.
|
||||||
|
---- Portability
|
||||||
|
* On environments configured with Turkish locales, fall back to
|
||||||
|
the C/POSIX locale to avoid errors in configuration parsing
|
||||||
|
caused by that locale's unique handling of the letters 'i'
|
||||||
|
and 'I'. bz#2643
|
||||||
|
* sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
|
||||||
|
ptrace(PT_DENY_ATTACH, ..)
|
||||||
|
* ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8)
|
||||||
|
OpenSSL.
|
||||||
|
* Fix compilation for libcrypto compiled without RIPEMD160
|
||||||
|
support.
|
||||||
|
* contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
|
||||||
|
* sshd(8): Improve PRNG reseeding across privilege separation
|
||||||
|
and force libcrypto to obtain a high-quality seed before
|
||||||
|
chroot or sandboxing.
|
||||||
|
* All: Explicitly test for broken strnvis. NetBSD added an
|
||||||
|
strnvis and unfortunately made it incompatible with the
|
||||||
|
existing one in OpenBSD and Linux's libbsd (the former having
|
||||||
|
existed for over ten years). Try to detect this mess, and
|
||||||
|
assume the only safe option if we're cross compiling.
|
||||||
|
- OpenSSH 7.5
|
||||||
|
---- Potentially-incompatible changes
|
||||||
|
* This release deprecates the sshd_config
|
||||||
|
UsePrivilegeSeparation option, thereby making privilege
|
||||||
|
separation mandatory. Privilege separation has been on by
|
||||||
|
default for almost 15 years and sandboxing has been on by
|
||||||
|
default for almost the last five.
|
||||||
|
* The format of several log messages emitted by the packet code
|
||||||
|
has changed to include additional information about the user
|
||||||
|
and their authentication state. Software that monitors
|
||||||
|
ssh/sshd logs may need to account for these changes. For
|
||||||
|
example:
|
||||||
|
Connection closed by user x 1.1.1.1 port 1234 [preauth]
|
||||||
|
Connection closed by authenticating user x 10.1.1.1 port 1234
|
||||||
|
[preauth] Connection closed by invalid user x 1.1.1.1 port
|
||||||
|
1234 [preauth]
|
||||||
|
Affected messages include connection closure, timeout, remote
|
||||||
|
disconnection, negotiation failure and some other fatal
|
||||||
|
messages generated by the packet code.
|
||||||
|
* [Portable OpenSSH only] This version removes support for
|
||||||
|
building against OpenSSL versions prior to 1.0.1. OpenSSL
|
||||||
|
stopped supporting versions prior to 1.0.1 over 12 months ago
|
||||||
|
(i.e. they no longer receive fixes for security bugs).
|
||||||
|
---- Security
|
||||||
|
* ssh(1), sshd(8): Fix weakness in CBC padding oracle
|
||||||
|
countermeasures that allowed a variant of the attack fixed in
|
||||||
|
OpenSSH 7.3 to proceed. Note that the OpenSSH client
|
||||||
|
disables CBC ciphers by default, sshd offers them as
|
||||||
|
lowest-preference options and will remove them by default
|
||||||
|
entriely in the next release. Reported by Jean Paul
|
||||||
|
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen
|
||||||
|
of Royal Holloway, University of London.
|
||||||
|
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client
|
||||||
|
making a recursive file transfer could be maniuplated by a
|
||||||
|
hostile server to perform a path-traversal attack. creating
|
||||||
|
or modifying files outside of the intended target directory.
|
||||||
|
Reported by Jann Horn of Google Project Zero.
|
||||||
|
---- New Features
|
||||||
|
* ssh(1), sshd(8): Support "=-" syntax to easily remove methods
|
||||||
|
from algorithm lists, e.g. Ciphers=-*cbc. bz#2671
|
||||||
|
---- Bugfixes
|
||||||
|
* sshd(1): Fix NULL dereference crash when key exchange start
|
||||||
|
messages are sent out of sequence.
|
||||||
|
* ssh(1), sshd(8): Allow form-feed characters to appear in
|
||||||
|
configuration files.
|
||||||
|
* sshd(8): Fix regression in OpenSSH 7.4 support for the
|
||||||
|
server-sig-algs extension, where SHA2 RSA signature methods
|
||||||
|
were not being correctly advertised. bz#2680
|
||||||
|
* ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs
|
||||||
|
in known_hosts processing. bz#2591 bz#2685
|
||||||
|
* ssh(1): Allow ssh to use certificates accompanied by a
|
||||||
|
private key file but no corresponding plain *.pub public key.
|
||||||
|
bz#2617
|
||||||
|
* ssh(1): When updating hostkeys using the UpdateHostKeys
|
||||||
|
option, accept RSA keys if HostkeyAlgorithms contains any RSA
|
||||||
|
keytype. Previously, ssh could ignore RSA keys when only the
|
||||||
|
ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and
|
||||||
|
not the old ssh-rsa method. bz#2650
|
||||||
|
* ssh(1): Detect and report excessively long configuration file
|
||||||
|
lines. bz#2651
|
||||||
|
* Merge a number of fixes found by Coverity and reported via
|
||||||
|
Redhat and FreeBSD. Includes fixes for some memory and file
|
||||||
|
descriptor leaks in error paths. bz#2687
|
||||||
|
* ssh-keyscan(1): Correctly hash hosts with a port number.
|
||||||
|
bz#2692
|
||||||
|
* ssh(1), sshd(8): When logging long messages to stderr, don't
|
||||||
|
truncate "\r\n" if the length of the message exceeds the
|
||||||
|
buffer. bz#2688
|
||||||
|
* ssh(1): Fully quote [host]:port in generated ProxyJump/-J
|
||||||
|
command- line; avoid confusion over IPv6 addresses and shells
|
||||||
|
that treat square bracket characters specially.
|
||||||
|
* ssh-keygen(1): Fix corruption of known_hosts when running
|
||||||
|
"ssh-keygen -H" on a known_hosts containing already-hashed
|
||||||
|
entries.
|
||||||
|
* Fix various fallout and sharp edges caused by removing SSH
|
||||||
|
protocol 1 support from the server, including the server
|
||||||
|
banner string being incorrectly terminated with only \n
|
||||||
|
(instead of \r\n), confusing error messages from ssh-keyscan
|
||||||
|
bz#2583 and a segfault in sshd if protocol v.1 was enabled
|
||||||
|
for the client and sshd_config contained references to legacy
|
||||||
|
keys bz#2686.
|
||||||
|
* ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
|
||||||
|
* sshd(8): Fix Unix domain socket forwarding for root
|
||||||
|
(regression in OpenSSH 7.4).
|
||||||
|
* sftp(1): Fix division by zero crash in "df" output when
|
||||||
|
server returns zero total filesystem blocks/inodes.
|
||||||
|
* ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL
|
||||||
|
errors encountered during key loading to more meaningful
|
||||||
|
error codes. bz#2522 bz#2523
|
||||||
|
* ssh-keygen(1): Sanitise escape sequences in key comments sent
|
||||||
|
to printf but preserve valid UTF-8 when the locale supports
|
||||||
|
it; bz#2520
|
||||||
|
* ssh(1), sshd(8): Return reason for port forwarding failures
|
||||||
|
where feasible rather than always "administratively
|
||||||
|
prohibited". bz#2674
|
||||||
|
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
|
||||||
|
AuthorizedPrincipalsCommand produces a lot of output and a
|
||||||
|
key is matched early. bz#2655
|
||||||
|
* Regression tests: several reliability fixes. bz#2654 bz#2658
|
||||||
|
bz#2659
|
||||||
|
* ssh(1): Fix typo in ~C error message for bad port forward
|
||||||
|
cancellation. bz#2672
|
||||||
|
* ssh(1): Show a useful error message when included config
|
||||||
|
files can't be opened; bz#2653
|
||||||
|
* sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the
|
||||||
|
manual page (previously incorrectly) advertised. bz#2637
|
||||||
|
* sshd_config(5): Repair accidentally-deleted mention of %k
|
||||||
|
token in AuthorizedKeysCommand; bz#2656
|
||||||
|
* sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
|
||||||
|
bz#2665
|
||||||
|
* ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
|
||||||
|
common 32-bit compatibility library directories.
|
||||||
|
* sftp-client(1): Fix non-exploitable integer overflow in
|
||||||
|
SSH2_FXP_NAME response handling.
|
||||||
|
* ssh-agent(1): Fix regression in 7.4 of deleting
|
||||||
|
PKCS#11-hosted keys. It was not possible to delete them
|
||||||
|
except by specifying their full physical path. bz#2682
|
||||||
|
---- Portability
|
||||||
|
* sshd(8): Avoid sandbox errors for Linux S390 systems using an
|
||||||
|
ICA crypto coprocessor.
|
||||||
|
* sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox
|
||||||
|
arg inspection.
|
||||||
|
* ssh(1): Fix X11 forwarding on OSX where X11 was being started
|
||||||
|
by launchd. bz#2341
|
||||||
|
* ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for
|
||||||
|
various that contain non-printable characters where the
|
||||||
|
codeset in use is ASCII.
|
||||||
|
* build: Fix builds that attempt to link a kerberised libldns.
|
||||||
|
bz#2603
|
||||||
|
* build: Fix compilation problems caused by unconditionally
|
||||||
|
defining _XOPEN_SOURCE in wide character detection.
|
||||||
|
* sshd(8): Fix sandbox violations for clock_gettime VSDO
|
||||||
|
syscall fallback on some Linux/X32 kernels. bz#2142
|
||||||
|
- OpenSSH 7.6
|
||||||
|
---- Potentially-incompatible changes
|
||||||
|
This release includes a number of changes that may affect
|
||||||
|
existing configurations:
|
||||||
|
* ssh(1): delete SSH protocol version 1 support, associated
|
||||||
|
configuration options and documentation.
|
||||||
|
* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
|
||||||
|
* ssh(1)/sshd(8): remove support for the arcfour, blowfish and
|
||||||
|
CAST ciphers.
|
||||||
|
* Refuse RSA keys <1024 bits in length and improve reporting
|
||||||
|
for keys that do not meet this requirement.
|
||||||
|
* ssh(1): do not offer CBC ciphers by default.
|
||||||
|
---- Security
|
||||||
|
* sftp-server(8): in read-only mode, sftp-server was
|
||||||
|
incorrectly permitting creation of zero-length files.
|
||||||
|
Reported by Michal Zalewski.
|
||||||
|
---- New Features
|
||||||
|
* ssh(1): add RemoteCommand option to specify a command in the
|
||||||
|
ssh config file instead of giving it on the client's command
|
||||||
|
line. This allows the configuration file to specify the
|
||||||
|
command that will be executed on the remote host.
|
||||||
|
* sshd(8): add ExposeAuthInfo option that enables writing
|
||||||
|
details of the authentication methods used (including public
|
||||||
|
keys where applicable) to a file that is exposed via a
|
||||||
|
$SSH_USER_AUTH environment variable in the subsequent
|
||||||
|
session.
|
||||||
|
* ssh(1): add support for reverse dynamic forwarding. In this
|
||||||
|
mode, ssh will act as a SOCKS4/5 proxy and forward
|
||||||
|
connections to destinations requested by the remote SOCKS
|
||||||
|
client. This mode is requested using extended syntax for the
|
||||||
|
-R and RemoteForward options and, because it is implemented
|
||||||
|
solely at the client, does not require the server be updated
|
||||||
|
to be supported.
|
||||||
|
* sshd(8): allow LogLevel directive in sshd_config Match
|
||||||
|
blocks; bz#2717
|
||||||
|
* ssh-keygen(1): allow inclusion of arbitrary string or flag
|
||||||
|
certificate extensions and critical options.
|
||||||
|
* ssh-keygen(1): allow ssh-keygen to use a key held in
|
||||||
|
ssh-agent as a CA when signing certificates. bz#2377
|
||||||
|
* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an
|
||||||
|
explicit ToS/DSCP value and just use the operating system
|
||||||
|
default.
|
||||||
|
* ssh-add(1): added -q option to make ssh-add quiet on success.
|
||||||
|
* ssh(1): expand the StrictHostKeyChecking option with two new
|
||||||
|
settings. The first "accept-new" will automatically accept
|
||||||
|
hitherto-unseen keys but will refuse connections for changed
|
||||||
|
or invalid hostkeys. This is a safer subset of the current
|
||||||
|
behaviour of StrictHostKeyChecking=no. The second setting
|
||||||
|
"off", is a synonym for the current behaviour of
|
||||||
|
StrictHostKeyChecking=no: accept new host keys, and continue
|
||||||
|
connection for hosts with incorrect hostkeys. A future
|
||||||
|
release will change the meaning of StrictHostKeyChecking=no
|
||||||
|
to the behaviour of "accept-new". bz#2400
|
||||||
|
* ssh(1): add SyslogFacility option to ssh(1) matching the
|
||||||
|
equivalent option in sshd(8). bz#2705
|
||||||
|
---- Bugfixes
|
||||||
|
* ssh(1): use HostKeyAlias if specified instead of hostname for
|
||||||
|
matching host certificate principal names; bz#2728
|
||||||
|
* sftp(1): implement sorting for globbed ls; bz#2649
|
||||||
|
* ssh(1): add a user@host prefix to client's "Permission
|
||||||
|
denied" messages, useful in particular when using "stacked"
|
||||||
|
connections (e.g. ssh -J) where it's not clear which host is
|
||||||
|
denying. bz#2720
|
||||||
|
* ssh(1): accept unknown EXT_INFO extension values that contain
|
||||||
|
\0 characters. These are legal, but would previously cause
|
||||||
|
fatal connection errors if received.
|
||||||
|
* ssh(1)/sshd(8): repair compression statistics printed at
|
||||||
|
connection exit
|
||||||
|
* sftp(1): print '?' instead of incorrect link count (that the
|
||||||
|
protocol doesn't provide) for remote listings. bz#2710
|
||||||
|
* ssh(1): return failure rather than fatal() for more cases
|
||||||
|
during session multiplexing negotiations. Causes the session
|
||||||
|
to fall back to a non-mux connection if they occur. bz#2707
|
||||||
|
* ssh(1): mention that the server may send debug messages to
|
||||||
|
explain public key authentication problems under some
|
||||||
|
circumstances; bz#2709
|
||||||
|
* Translate OpenSSL error codes to better report incorrect
|
||||||
|
passphrase errors when loading private keys; bz#2699
|
||||||
|
* sshd(8): adjust compatibility patterns for WinSCP to
|
||||||
|
correctly identify versions that implement only the legacy DH
|
||||||
|
group exchange scheme. bz#2748
|
||||||
|
* ssh(1): print the "Killed by signal 1" message only at
|
||||||
|
LogLevel verbose so that it is not shown at the default
|
||||||
|
level; prevents it from appearing during ssh -J and
|
||||||
|
equivalent ProxyCommand configs. bz#1906, bz#2744
|
||||||
|
* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A),
|
||||||
|
clobber existing keys if they exist but are zero length.
|
||||||
|
zero-length keys could previously be made if ssh-keygen
|
||||||
|
failed or was interrupted part way through generating them.
|
||||||
|
bz#2561
|
||||||
|
* ssh(1): fix pledge(2) violation in the escape sequence "~&"
|
||||||
|
used to place the current session in the background.
|
||||||
|
* ssh-keyscan(1): avoid double-close() on file descriptors;
|
||||||
|
bz#2734
|
||||||
|
* sshd(8): avoid reliance on shared use of pointers shared
|
||||||
|
between monitor and child sshd processes. bz#2704
|
||||||
|
* sshd_config(8): document available AuthenticationMethods;
|
||||||
|
bz#2453
|
||||||
|
* ssh(1): avoid truncation in some login prompts; bz#2768
|
||||||
|
* sshd(8): Fix various compilations failures, inc bz#2767
|
||||||
|
* ssh(1): make "--" before the hostname terminate argument
|
||||||
|
processing after the hostname too.
|
||||||
|
* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for
|
||||||
|
encrypting new-style private keys. Fixes problems related to
|
||||||
|
private key handling for no-OpenSSL builds. bz#2754
|
||||||
|
* ssh(1): warn and do not attempt to use keys when the public
|
||||||
|
and private halves do not match. bz#2737
|
||||||
|
* sftp(1): don't print verbose error message when ssh
|
||||||
|
disconnects from under sftp. bz#2750
|
||||||
|
* sshd(8): fix keepalive scheduling problem: activity on a
|
||||||
|
forwarded port from preventing the keepalive from being sent;
|
||||||
|
bz#2756
|
||||||
|
* sshd(8): when started without root privileges, don't require
|
||||||
|
the privilege separation user or path to exist. Makes running
|
||||||
|
the regression tests easier without touching the filesystem.
|
||||||
|
* Make integrity.sh regression tests more robust against
|
||||||
|
timeouts. bz#2658
|
||||||
|
* ssh(1)/sshd(8): correctness fix for channels implementation:
|
||||||
|
accept channel IDs greater than 0x7FFFFFFF.
|
||||||
|
---- Portability
|
||||||
|
* sshd(9): drop two more privileges in the Solaris sandbox:
|
||||||
|
PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723
|
||||||
|
* sshd(8): expose list of completed authentication methods to
|
||||||
|
PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408
|
||||||
|
* ssh(1)/sshd(8): fix several problems in the tun/tap
|
||||||
|
forwarding code, mostly to do with host/network byte order
|
||||||
|
confusion. bz#2735
|
||||||
|
* Add --with-cflags-after and --with-ldflags-after configure
|
||||||
|
flags to allow setting CFLAGS/LDFLAGS after configure has
|
||||||
|
completed. These are useful for setting sanitiser/fuzzing
|
||||||
|
options that may interfere with configure's operation.
|
||||||
|
* sshd(8): avoid Linux seccomp violations on ppc64le over the
|
||||||
|
socketcall syscall.
|
||||||
|
* Fix use of ldns when using ldns-config; bz#2697
|
||||||
|
* configure: set cache variables when cross-compiling. The
|
||||||
|
cross- compiling fallback message was saying it assumed the
|
||||||
|
test passed, but it wasn't actually set the cache variables
|
||||||
|
and this would cause later tests to fail.
|
||||||
|
* Add clang libFuzzer harnesses for public key parsing and
|
||||||
|
signature verification.
|
||||||
|
- packaging:
|
||||||
|
* moving patches into a separate archive
|
||||||
|
* first round of rebased patches:
|
||||||
|
[-X11_trusted_forwarding]
|
||||||
|
[-allow_root_password_login]
|
||||||
|
[-blocksigalrm]
|
||||||
|
[-cavstest-ctr]
|
||||||
|
[-cavstest-kdf]
|
||||||
|
[-disable_short_DH_parameters]
|
||||||
|
[-eal3]
|
||||||
|
[-enable_PAM_by_default]
|
||||||
|
[-fips]
|
||||||
|
[-fips_checks]
|
||||||
|
[-gssapi_key_exchange]
|
||||||
|
[-hostname_changes_when_forwarding_X]
|
||||||
|
[-lastlog]
|
||||||
|
[-missing_headers]
|
||||||
|
[-pam_check_locks]
|
||||||
|
[-pts_names_formatting]
|
||||||
|
[-remove_xauth_cookies_on_exit]
|
||||||
|
[-seccomp_geteuid]
|
||||||
|
[-seccomp_getuid]
|
||||||
|
[-seccomp_stat]
|
||||||
|
[-seed-prng]
|
||||||
|
[-send_locale]
|
||||||
|
[-systemd-notify]
|
||||||
|
* not rebased (obsoleted) patches (so far):
|
||||||
|
[-additional_seccomp_archs]
|
||||||
|
[-allow_DSS_by_default]
|
||||||
|
[-default_protocol]
|
||||||
|
[-dont_use_pthreads_in_PAM]
|
||||||
|
[-eal3_obsolete]
|
||||||
|
[-gssapimitm]
|
||||||
|
[-saveargv-fix]
|
||||||
|
* obviously removing all standalone patch files:
|
||||||
|
[openssh-7.2p2-allow_root_password_login.patch]
|
||||||
|
[openssh-7.2p2-allow_DSS_by_default.patch]
|
||||||
|
[openssh-7.2p2-X11_trusted_forwarding.patch]
|
||||||
|
[openssh-7.2p2-lastlog.patch]
|
||||||
|
[openssh-7.2p2-enable_PAM_by_default.patch]
|
||||||
|
[openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
|
||||||
|
[openssh-7.2p2-eal3.patch]
|
||||||
|
[openssh-7.2p2-blocksigalrm.patch]
|
||||||
|
[openssh-7.2p2-send_locale.patch]
|
||||||
|
[openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
|
||||||
|
[openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
|
||||||
|
[openssh-7.2p2-pts_names_formatting.patch]
|
||||||
|
[openssh-7.2p2-pam_check_locks.patch]
|
||||||
|
[openssh-7.2p2-disable_short_DH_parameters.patch]
|
||||||
|
[openssh-7.2p2-seccomp_getuid.patch]
|
||||||
|
[openssh-7.2p2-seccomp_geteuid.patch]
|
||||||
|
[openssh-7.2p2-seccomp_stat.patch]
|
||||||
|
[openssh-7.2p2-additional_seccomp_archs.patch]
|
||||||
|
[openssh-7.2p2-fips.patch]
|
||||||
|
[openssh-7.2p2-cavstest-ctr.patch]
|
||||||
|
[openssh-7.2p2-cavstest-kdf.patch]
|
||||||
|
[openssh-7.2p2-seed-prng.patch]
|
||||||
|
[openssh-7.2p2-gssapi_key_exchange.patch]
|
||||||
|
[openssh-7.2p2-audit.patch]
|
||||||
|
[openssh-7.2p2-audit_fixes.patch]
|
||||||
|
[openssh-7.2p2-audit_seed_prng.patch]
|
||||||
|
[openssh-7.2p2-login_options.patch]
|
||||||
|
[openssh-7.2p2-disable_openssl_abi_check.patch]
|
||||||
|
[openssh-7.2p2-no_fork-no_pid_file.patch]
|
||||||
|
[openssh-7.2p2-host_ident.patch]
|
||||||
|
[openssh-7.2p2-sftp_homechroot.patch]
|
||||||
|
[openssh-7.2p2-sftp_force_permissions.patch]
|
||||||
|
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
|
||||||
|
[openssh-7.2p2-ldap.patch]
|
||||||
|
[openssh-7.2p2-IPv6_X_forwarding.patch]
|
||||||
|
[openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
|
||||||
|
[openssh-7.2p2-prevent_timing_user_enumeration.patch]
|
||||||
|
[openssh-7.2p2-limit_password_length.patch]
|
||||||
|
[openssh-7.2p2-keep_slogin.patch]
|
||||||
|
[openssh-7.2p2-kex_resource_depletion.patch]
|
||||||
|
[openssh-7.2p2-verify_CIDR_address_ranges.patch]
|
||||||
|
[openssh-7.2p2-restrict_pkcs11-modules.patch]
|
||||||
|
[openssh-7.2p2-prevent_private_key_leakage.patch]
|
||||||
|
[openssh-7.2p2-secure_unix_sockets_forwarding.patch]
|
||||||
|
[openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
|
||||||
|
[openssh-7.2p2-disable_preauth_compression.patch]
|
||||||
|
[openssh-7.2p2-s390_hw_crypto_syscalls.patch]
|
||||||
|
[openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 23 13:38:52 UTC 2017 - rbrown@suse.com
|
||||||
|
|
||||||
|
- Replace references to /var/adm/fillup-templates with new
|
||||||
|
%_fillupdir macro (boo#1069468)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com
|
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com
|
||||||
|
|
||||||
|
140
openssh.spec
140
openssh.spec
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh
|
# spec file for package openssh
|
||||||
#
|
#
|
||||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -16,6 +16,11 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||||
|
%if ! %{defined _fillupdir}
|
||||||
|
%define _fillupdir /var/adm/fillup-templates
|
||||||
|
%endif
|
||||||
|
|
||||||
%if 0%{suse_version} >= 1100
|
%if 0%{suse_version} >= 1100
|
||||||
%define has_fw_dir 1
|
%define has_fw_dir 1
|
||||||
%else
|
%else
|
||||||
@ -85,6 +90,7 @@ BuildRequires: libopenssl-1_0_0-devel
|
|||||||
BuildRequires: openldap2-devel
|
BuildRequires: openldap2-devel
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
%if %{uses_systemd}
|
%if %{uses_systemd}
|
||||||
|
BuildRequires: systemd-devel
|
||||||
BuildRequires: pkgconfig(systemd)
|
BuildRequires: pkgconfig(systemd)
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
%endif
|
%endif
|
||||||
@ -93,7 +99,7 @@ PreReq: pwdutils %{fillup_prereq} coreutils
|
|||||||
%if ! %{uses_systemd}
|
%if ! %{uses_systemd}
|
||||||
PreReq: %{insserv_prereq}
|
PreReq: %{insserv_prereq}
|
||||||
%endif
|
%endif
|
||||||
Version: 7.2p2
|
Version: 7.6p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
License: BSD-2-Clause and MIT
|
License: BSD-2-Clause and MIT
|
||||||
@ -113,54 +119,7 @@ Source9: sshd-gen-keys-start
|
|||||||
Source10: sshd.service
|
Source10: sshd.service
|
||||||
Source11: README.FIPS
|
Source11: README.FIPS
|
||||||
Source12: cavs_driver-ssh.pl
|
Source12: cavs_driver-ssh.pl
|
||||||
Patch00: openssh-7.2p2-allow_root_password_login.patch
|
Source100: openssh-%{version}-SUSE_patches.tar.gz
|
||||||
Patch01: openssh-7.2p2-allow_DSS_by_default.patch
|
|
||||||
Patch02: openssh-7.2p2-X11_trusted_forwarding.patch
|
|
||||||
Patch03: openssh-7.2p2-lastlog.patch
|
|
||||||
Patch04: openssh-7.2p2-enable_PAM_by_default.patch
|
|
||||||
Patch05: openssh-7.2p2-dont_use_pthreads_in_PAM.patch
|
|
||||||
Patch06: openssh-7.2p2-eal3.patch
|
|
||||||
Patch07: openssh-7.2p2-blocksigalrm.patch
|
|
||||||
Patch08: openssh-7.2p2-send_locale.patch
|
|
||||||
Patch09: openssh-7.2p2-hostname_changes_when_forwarding_X.patch
|
|
||||||
Patch10: openssh-7.2p2-remove_xauth_cookies_on_exit.patch
|
|
||||||
Patch11: openssh-7.2p2-pts_names_formatting.patch
|
|
||||||
Patch12: openssh-7.2p2-pam_check_locks.patch
|
|
||||||
Patch13: openssh-7.2p2-disable_short_DH_parameters.patch
|
|
||||||
Patch14: openssh-7.2p2-seccomp_getuid.patch
|
|
||||||
Patch15: openssh-7.2p2-seccomp_geteuid.patch
|
|
||||||
Patch16: openssh-7.2p2-seccomp_stat.patch
|
|
||||||
Patch17: openssh-7.2p2-additional_seccomp_archs.patch
|
|
||||||
Patch18: openssh-7.2p2-fips.patch
|
|
||||||
Patch19: openssh-7.2p2-cavstest-ctr.patch
|
|
||||||
Patch20: openssh-7.2p2-cavstest-kdf.patch
|
|
||||||
Patch21: openssh-7.2p2-seed-prng.patch
|
|
||||||
Patch22: openssh-7.2p2-gssapi_key_exchange.patch
|
|
||||||
Patch23: openssh-7.2p2-audit.patch
|
|
||||||
Patch24: openssh-7.2p2-audit_fixes.patch
|
|
||||||
Patch25: openssh-7.2p2-audit_seed_prng.patch
|
|
||||||
Patch26: openssh-7.2p2-login_options.patch
|
|
||||||
Patch27: openssh-7.2p2-disable_openssl_abi_check.patch
|
|
||||||
Patch28: openssh-7.2p2-no_fork-no_pid_file.patch
|
|
||||||
Patch29: openssh-7.2p2-host_ident.patch
|
|
||||||
Patch30: openssh-7.2p2-sftp_homechroot.patch
|
|
||||||
Patch31: openssh-7.2p2-sftp_force_permissions.patch
|
|
||||||
Patch32: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
|
|
||||||
Patch33: openssh-7.2p2-ldap.patch
|
|
||||||
Patch34: openssh-7.2p2-IPv6_X_forwarding.patch
|
|
||||||
Patch35: openssh-7.2p2-ignore_PAM_with_UseLogin.patch
|
|
||||||
Patch36: openssh-7.2p2-prevent_timing_user_enumeration.patch
|
|
||||||
Patch37: openssh-7.2p2-limit_password_length.patch
|
|
||||||
Patch38: openssh-7.2p2-keep_slogin.patch
|
|
||||||
Patch39: openssh-7.2p2-kex_resource_depletion.patch
|
|
||||||
Patch40: openssh-7.2p2-verify_CIDR_address_ranges.patch
|
|
||||||
Patch41: openssh-7.2p2-restrict_pkcs11-modules.patch
|
|
||||||
Patch42: openssh-7.2p2-prevent_private_key_leakage.patch
|
|
||||||
Patch43: openssh-7.2p2-secure_unix_sockets_forwarding.patch
|
|
||||||
Patch44: openssh-7.2p2-ssh_case_insensitive_host_matching.patch
|
|
||||||
Patch45: openssh-7.2p2-disable_preauth_compression.patch
|
|
||||||
Patch46: openssh-7.2p2-s390_hw_crypto_syscalls.patch
|
|
||||||
Patch47: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
Conflicts: nonfreessh
|
Conflicts: nonfreessh
|
||||||
Recommends: audit
|
Recommends: audit
|
||||||
@ -211,64 +170,22 @@ FIPS140 CAVS tests related parts of the OpenSSH package
|
|||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q -b 100
|
||||||
%patch00 -p2
|
|
||||||
%patch01 -p2
|
|
||||||
%patch02 -p2
|
|
||||||
%patch03 -p2
|
|
||||||
%patch04 -p2
|
|
||||||
%patch05 -p2
|
|
||||||
%patch06 -p2
|
|
||||||
%patch07 -p2
|
|
||||||
%patch08 -p2
|
|
||||||
%patch09 -p2
|
|
||||||
%patch10 -p2
|
|
||||||
%patch11 -p2
|
|
||||||
%patch12 -p2
|
|
||||||
%patch13 -p2
|
|
||||||
%patch14 -p2
|
|
||||||
%patch15 -p2
|
|
||||||
%patch16 -p2
|
|
||||||
%patch17 -p2
|
|
||||||
%patch18 -p2
|
|
||||||
%patch19 -p2
|
|
||||||
%patch20 -p2
|
|
||||||
%patch21 -p2
|
|
||||||
%patch22 -p2
|
|
||||||
%patch23 -p2
|
|
||||||
%patch24 -p2
|
|
||||||
%patch25 -p2
|
|
||||||
%patch26 -p2
|
|
||||||
%patch27 -p2
|
|
||||||
%patch28 -p2
|
|
||||||
%patch29 -p2
|
|
||||||
%patch30 -p2
|
|
||||||
%patch31 -p2
|
|
||||||
%patch32 -p2
|
|
||||||
%patch33 -p2
|
|
||||||
%patch34 -p2
|
|
||||||
%patch35 -p2
|
|
||||||
%patch36 -p2
|
|
||||||
%patch37 -p2
|
|
||||||
%patch38 -p2
|
|
||||||
%patch39 -p2
|
|
||||||
%patch40 -p2
|
|
||||||
%patch41 -p2
|
|
||||||
%patch42 -p2
|
|
||||||
%patch43 -p2
|
|
||||||
%patch44 -p2
|
|
||||||
%patch45 -p2
|
|
||||||
%patch46 -p2
|
|
||||||
%patch47 -p2
|
|
||||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||||
|
# patch sources
|
||||||
|
PATCH_DIR="../SUSE_patches"
|
||||||
|
cat $PATCH_DIR/patch.series | while read p; do
|
||||||
|
printf ">> applying '$p'\n"
|
||||||
|
patch -p2 < "${PATCH_DIR}/$p"
|
||||||
|
done
|
||||||
|
|
||||||
|
#LDAP: # set libexec dir in the LDAP patch
|
||||||
|
#LDAP: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||||
|
#LDAP: $( grep -Rl @LIBEXECDIR@ \
|
||||||
|
#LDAP: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||||
|
#LDAP: )
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# set libexec dir in the LDAP patch
|
|
||||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
|
||||||
$( grep -Rl @LIBEXECDIR@ \
|
|
||||||
$( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
|
||||||
)
|
|
||||||
|
|
||||||
autoreconf -fiv
|
autoreconf -fiv
|
||||||
%ifarch s390 s390x %sparc
|
%ifarch s390 s390x %sparc
|
||||||
PIEFLAGS="-fPIE"
|
PIEFLAGS="-fPIE"
|
||||||
@ -292,6 +209,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
%endif
|
%endif
|
||||||
%if %{uses_systemd}
|
%if %{uses_systemd}
|
||||||
--with-pid-dir=/run \
|
--with-pid-dir=/run \
|
||||||
|
--with-systemd \
|
||||||
%endif
|
%endif
|
||||||
--with-ssl-engine \
|
--with-ssl-engine \
|
||||||
--with-pam \
|
--with-pam \
|
||||||
@ -339,8 +257,8 @@ install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
|
|||||||
install -m 0644 %{SOURCE10} .
|
install -m 0644 %{SOURCE10} .
|
||||||
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
|
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
|
||||||
%endif
|
%endif
|
||||||
install -d -m 755 %{buildroot}/var/adm/fillup-templates
|
install -d -m 755 %{buildroot}%{_fillupdir}
|
||||||
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
|
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
||||||
# install shell script to automate the process of adding your public key to a remote machine
|
# install shell script to automate the process of adding your public key to a remote machine
|
||||||
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||||
@ -449,7 +367,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%attr(0444,root,root) %doc %{_mandir}/man8/*
|
%attr(0444,root,root) %doc %{_mandir}/man8/*
|
||||||
%dir %{_sysconfdir}/slp.reg.d
|
%dir %{_sysconfdir}/slp.reg.d
|
||||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||||
/var/adm/fillup-templates/sysconfig.ssh
|
%{_fillupdir}/sysconfig.ssh
|
||||||
%if %{has_fw_dir}
|
%if %{has_fw_dir}
|
||||||
%if %{needs_all_dirs}
|
%if %{needs_all_dirs}
|
||||||
%dir %{_fwdir}
|
%dir %{_fwdir}
|
||||||
@ -461,10 +379,10 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%files helpers
|
%files helpers
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
#verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
#attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
||||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
#doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||||
|
|
||||||
%files fips
|
%files fips
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
|
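Review bot: The patch loop added in %prep loses the exit status of each `patch` run: the body executes on the right-hand side of a `cat ... |` pipe inside `while read`, so a rejected or partially applied patch does not stop the build unless the scriptlet runs under `set -e`, which nothing in this hunk shows. Make the failure explicit with `patch -p2 < "${PATCH_DIR}/$p" || exit 1`, and feed the loop as `while read -r p; do ... done < "$PATCH_DIR/patch.series"` so it runs in the current shell and backslashes in names are not mangled. The `printf ">> applying '$p'\n"` line also embeds the patch name in the format string; `printf ">> applying '%s'\n" "$p"` keeps a stray `%` in a name from being interpreted. Since the series file and the patches now come from the `Source100` tarball instead of individual `PatchNN:` lines, the set of applied patches is no longer visible from the spec alone; a one-line comment in %prep pointing reviewers at `SUSE_patches/patch.series` as the authoritative list would help auditing.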