pool/openssh
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 563724 from home:pcerny:factory

Browse Source 
reworking packaging, gssapi kex patch

OBS-URL: https://build.opensuse.org/request/show/563724
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=128
This commit is contained in:
Petr Cerny 2018-01-12 00:42:53 +00:00 committed by Git OBS Bridge
parent b813991fe5
commit a03a137de1
25 changed files with 306 additions and 4264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

184
cavs_driver-ssh.pl Normal file
View File

@ -0,0 +1,184 @@
#!/usr/bin/env perl
#
# CAVS test driver for OpenSSH
#
# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# NO WARRANTY
#
# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
# REPAIR OR CORRECTION.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGES.
#
use strict;
use warnings;
use IPC::Open2;
# Executing a program by feeding STDIN and retrieving
# STDOUT
# $1: data string to be piped to the app on STDIN
# rest: program and args
# returns: STDOUT of program as string
sub pipe_through_program($@) {
my $in = shift;
my @args = @_;
my ($CO, $CI);
my $pid = open2($CO, $CI, @args);
my $out = "";
my $len = length($in);
my $first = 1;
while (1) {
my $rin = "";
my $win = "";
# Output of prog is FD that we read
vec($rin,fileno($CO),1) = 1;
# Input of prog is FD that we write
# check for $first is needed because we can have NULL input
# that is to be written to the app
if ( $len > 0 || $first) {
(vec($win,fileno($CI),1) = 1);
$first=0;
}
# Let us wait for 100ms
my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
if ( $wout ) {
my $written = syswrite($CI, $in, $len);
die "broken pipe" if !defined $written;
$len -= $written;
substr($in, 0, $written) = "";
if ($len <= 0) {
close $CI or die "broken pipe: $!";
}
}
if ( $rout ) {
my $tmp_out = "";
my $bytes_read = sysread($CO, $tmp_out, 4096);
$out .= $tmp_out;
last if ($bytes_read == 0);
}
}
close $CO or die "broken pipe: $!";
waitpid $pid, 0;
return $out;
}
# Parser of CAVS test vector file
# $1: Test vector file
# $2: Output file for test results
# return: nothing
sub parse($$) {
my $infile = shift;
my $outfile = shift;
my $out = "";
my $K = "";
my $H = "";
my $session_id = "";
my $ivlen = 0;
my $eklen = "";
my $iklen = "";
open(IN, "<$infile");
while(<IN>) {
my $line = $_;
chomp($line);
$line =~ s/\r//;
if ($line =~ /\[SHA-1\]/) {
$iklen = 20;
} elsif ($line =~ /\[SHA-256\]/) {
$iklen = 32;
} elsif ($line =~ /\[SHA-384\]/) {
$iklen = 48;
} elsif ($line =~ /\[SHA-512\]/) {
$iklen = 64;
} elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
$ivlen = $1;
$ivlen = $ivlen / 8;
} elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
$eklen = $1;
$eklen = $eklen / 8;
} elsif ($line =~ /^K\s*=\s*(.*)/) {
$K = $1;
$K = substr($K, 8);
$K = "00" . $K;
} elsif ($line =~ /^H\s*=\s*(.*)/) {
$H = $1;
} elsif ($line =~ /^session_id\s*=\s*(.*)/) {
$session_id = $1;
}
$out .= $line . "\n";
if ($K ne "" && $H ne "" && $session_id ne "" &&
$ivlen ne "" && $eklen ne "" && $iklen > 0) {
$out .= pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
$K = "";
$H = "";
$session_id = "";
}
}
close IN;
$out =~ s/\n/\r\n/g; # make it a dos file
open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
print OUT $out;
close OUT;
}
############################################################
#
# let us pretend to be C :-)
sub main() {
my $infile=$ARGV[0];
die "Error: Test vector file $infile not found" if (! -f $infile);
my $outfile = $infile;
# let us add .rsp regardless whether we could strip .req
$outfile =~ s/\.req$//;
$outfile .= ".rsp";
if (-f $outfile) {
die "Output file $outfile could not be removed: $?"
unless unlink($outfile);
}
print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
# Do the job
parse($infile, $outfile);
}
###########################################
# Call it
main();
1;

3
openssh-7.6p1-SUSE_patches.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d2f790931dbda22f81a9d0b80ce3532bfe02d51750f1170b81faef32f4230af8
size 61332

65
openssh-7.6p1-X11_trusted_forwarding.patch
View File

@ -1,65 +0,0 @@
# HG changeset patch
# Parent c004421528bc443fa9a56db1123005c92014e6b3
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
# configuration
# bnc#50836 (was suse #35836)
Enable Trusted X11 forwarding by default, since the security benefits of
having it disabled are negligible these days with XI2 being widely used.
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
--- a/openssh-7.6p1/ssh_config
+++ b/openssh-7.6p1/ssh_config
@@ -12,19 +12,30 @@
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
-# Host *
+Host *
# ForwardAgent no
# ForwardX11 no
+
+# If you do not trust your remote host (or its administrator), you
+# should not forward X11 connections to your local X11-display for
+# security reasons: Someone stealing the authentification data on the
+# remote side (the "spoofed" X-server by the remote sshd) can read your
+# keystrokes as you type, just like any other X11 client could do.
+# Set this to "no" here for global effect or in your own ~/.ssh/config
+# file if you want to have the remote X11 authentification data to
+# expire after twenty minutes after remote login.
+ ForwardX11Trusted yes
+
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
--- a/openssh-7.6p1/sshd_config
+++ b/openssh-7.6p1/sshd_config
@@ -80,17 +80,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no

95
openssh-7.6p1-allow_root_password_login.patch
View File

@ -1,95 +0,0 @@
# HG changeset patch
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
--- a/openssh-7.6p1/servconf.c
+++ b/openssh-7.6p1/servconf.c
@@ -218,17 +218,17 @@ fill_default_server_options(ServerOption
options->address_family = AF_UNSPEC;
if (options->listen_addrs == NULL)
add_listen_addr(options, NULL, 0);
if (options->pid_file == NULL)
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
options->ignore_user_known_hosts = 0;
if (options->print_motd == -1)
options->print_motd = 1;
if (options->print_lastlog == -1)
options->print_lastlog = 1;
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
--- a/openssh-7.6p1/sshd_config
+++ b/openssh-7.6p1/sshd_config
@@ -25,17 +25,17 @@
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
--- a/openssh-7.6p1/sshd_config.0
+++ b/openssh-7.6p1/sshd_config.0
@@ -696,17 +696,17 @@ DESCRIPTION
none can be used to prohibit all forwarding requests. The
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
ports, respectively. By default all port forwarding requests are
permitted.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, without-password,
- forced-commands-only, or no. The default is prohibit-password.
+ forced-commands-only, or no. The default is yes.
If this option is set to prohibit-password or without-password,
password and keyboard-interactive authentication are disabled for
root.
If this option is set to forced-commands-only, root login with
public key authentication will be allowed, but only if the
command option has been specified (which may be useful for taking
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
--- a/openssh-7.6p1/sshd_config.5
+++ b/openssh-7.6p1/sshd_config.5
@@ -1188,17 +1188,17 @@ Specifies whether root can log in using
The argument must be
.Cm yes ,
.Cm prohibit-password ,
.Cm without-password ,
.Cm forced-commands-only ,
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password
or
.Cm without-password ,
password and keyboard-interactive authentication are disabled for root.
.Pp
If this option is set to

75
openssh-7.6p1-blocksigalrm.patch
View File

@ -1,75 +0,0 @@
# HG changeset patch
# Parent 724c9ea86fe2c4a1f0e0d3aba168357ab1b2c3aa
block SIGALRM while logging through syslog to prevent deadlocks
(through grace_alarm_handler())
bnc#57354
diff --git a/openssh-7.6p1/log.c b/openssh-7.6p1/log.c
--- a/openssh-7.6p1/log.c
+++ b/openssh-7.6p1/log.c
@@ -46,16 +46,17 @@
#include <syslog.h>
#include <unistd.h>
#include <errno.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
# include <vis.h>
#endif
#include "log.h"
+#include <signal.h>
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
static int log_stderr_fd = STDERR_FILENO;
static int log_facility = LOG_AUTH;
static char *argv0;
static log_handler_fn *log_handler;
static void *log_handler_ctx;
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
{
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
char msgbuf[MSGBUFSIZ];
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
+ sigset_t nset, oset;
int saved_errno = errno;
log_handler_fn *tmp_handler;
if (level > log_level)
return;
switch (level) {
case SYSLOG_LEVEL_FATAL:
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
log_handler = NULL;
tmp_handler(level, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
(int)sizeof msgbuf - 3, fmtbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
+ /* Prevent a race between the grace_alarm which writes a
+ * log message and terminates and main sshd code that leads
+ * to deadlock as syslog is not async safe.
+ */
+ sigemptyset(&nset);
+ sigaddset(&nset, SIGALRM);
+ sigprocmask(SIG_BLOCK, &nset, &oset);
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
#else
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
+ sigprocmask(SIG_SETMASK, &oset, NULL);
}
errno = saved_errno;
}

696
openssh-7.6p1-disable_short_DH_parameters.patch
View File

@ -1,696 +0,0 @@
# HG changeset patch
# Parent a5b0f249f564de9c9efd023c6430f607d9861acd
Raise minimal size of DH group parameters to 2048 bits like upstream did in
7.2. 1024b values are believed to be in breaking range for state adversaries
and the default moduli shipped with openssh have been around long enough to
make it more likely for them to be broken.
Also provide an option that allows the client to accept shorter (RFC4419
compliant) parameters.
CVE-2015-4000 (LOGJAM)
bsc#932483
diff --git a/openssh-7.6p1/dh.c b/openssh-7.6p1/dh.c
--- a/openssh-7.6p1/dh.c
+++ b/openssh-7.6p1/dh.c
@@ -37,16 +37,18 @@
#include <limits.h>
#include "dh.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "ssherr.h"
+int dh_grp_min = DH_GRP_MIN;
+
static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
char *cp, *arg;
char *strsize, *gen, *prime;
const char *errstr = NULL;
long long n;
diff --git a/openssh-7.6p1/dh.h b/openssh-7.6p1/dh.h
--- a/openssh-7.6p1/dh.h
+++ b/openssh-7.6p1/dh.h
@@ -45,16 +45,17 @@ int dh_gen_key(DH *, int);
int dh_pub_is_valid(DH *, BIGNUM *);
u_int dh_estimate(int);
/*
* Max value from RFC4419.
* Miniumum increased in light of DH precomputation attacks.
*/
+#define DH_GRP_MIN_RFC 1024
#define DH_GRP_MIN 2048
#define DH_GRP_MAX 8192
/*
* Values for "type" field of moduli(5)
* Specifies the internal structure of the prime modulus.
*/
#define MODULI_TYPE_UNKNOWN (0)
diff --git a/openssh-7.6p1/kexgexc.c b/openssh-7.6p1/kexgexc.c
--- a/openssh-7.6p1/kexgexc.c
+++ b/openssh-7.6p1/kexgexc.c
@@ -46,29 +46,32 @@
#include "dh.h"
#include "ssh2.h"
#include "compat.h"
#include "dispatch.h"
#include "ssherr.h"
#include "sshbuf.h"
#include "misc.h"
+/* import from dh.c */
+extern int dh_grp_min;
+
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
int
kexgex_client(struct ssh *ssh)
{
struct kex *kex = ssh->kex;
int r;
u_int nbits;
nbits = dh_estimate(kex->dh_need * 8);
- kex->min = DH_GRP_MIN;
+ kex->min = dh_grp_min;
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
kex->nbits = MINIMUM(kex->nbits, 4096);
/* New GEX request */
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
@@ -103,16 +106,22 @@ input_kex_dh_gex_group(int type, u_int32
goto out;
}
if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
(r = sshpkt_get_bignum2(ssh, g)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
if ((bits = BN_num_bits(p)) < 0 ||
(u_int)bits < kex->min || (u_int)bits > kex->max) {
+ if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
+ logit("DH parameter offered by the server (%d bits) "
+ "is considered insecure. "
+ "You can lower the accepted the minimum "
+ "via the KexDHMin option.",
+ bits);
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out;
}
if ((kex->dh = dh_new_group(g, p)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
p = g = NULL; /* belong to kex->dh now */
diff --git a/openssh-7.6p1/kexgexs.c b/openssh-7.6p1/kexgexs.c
--- a/openssh-7.6p1/kexgexs.c
+++ b/openssh-7.6p1/kexgexs.c
@@ -49,16 +49,19 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "dispatch.h"
#include "ssherr.h"
#include "sshbuf.h"
#include "misc.h"
+/* import from dh.c */
+extern int dh_grp_min;
+
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
int
kexgex_server(struct ssh *ssh)
{
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
&input_kex_dh_gex_request);
@@ -77,23 +80,29 @@ input_kex_dh_gex_request(int type, u_int
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
(r = sshpkt_get_u32(ssh, &max)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
kex->nbits = nbits;
kex->min = min;
kex->max = max;
- min = MAXIMUM(DH_GRP_MIN, min);
+ min = MAXIMUM(dh_grp_min, min);
max = MINIMUM(DH_GRP_MAX, max);
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
+ nbits = MAXIMUM(dh_grp_min, nbits);
nbits = MINIMUM(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min ||
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
+ logit("DH parameter requested by the client (%d bits) "
+ "is considered insecure. "
+ "You can lower the accepted minimum "
+ "via the KexDHMin option.",
+ kex->nbits);
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out;
}
/* Contact privileged parent */
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
if (kex->dh == NULL) {
sshpkt_disconnect(ssh, "no matching DH grp found");
diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
--- a/openssh-7.6p1/readconf.c
+++ b/openssh-7.6p1/readconf.c
@@ -61,16 +61,17 @@
#include "misc.h"
#include "readconf.h"
#include "match.h"
#include "kex.h"
#include "mac.h"
#include "uidswap.h"
#include "myproposal.h"
#include "digest.h"
+#include "dh.h"
/* Format of the configuration file:
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
@@ -161,17 +162,18 @@ typedef enum {
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ oKexAlgorithms, oKexDHMin,
+ oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
oPubkeyAcceptedKeyTypes, oProxyJump,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -283,16 +285,17 @@ static struct {
{ "include", oInclude },
{ "tunnel", oTunnel },
{ "tunneldevice", oTunnelDevice },
{ "localcommand", oLocalCommand },
{ "permitlocalcommand", oPermitLocalCommand },
{ "remotecommand", oRemoteCommand },
{ "visualhostkey", oVisualHostKey },
{ "kexalgorithms", oKexAlgorithms },
+ { "kexdhmin", oKexDHMin },
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
{ "proxyusefdpass", oProxyUseFdpass },
{ "canonicaldomains", oCanonicalDomains },
{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
{ "canonicalizehostname", oCanonicalizeHostname },
{ "canonicalizemaxdots", oCanonicalizeMaxDots },
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
@@ -304,16 +307,19 @@ static struct {
{ "hostbasedkeytypes", oHostbasedKeyTypes },
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
{ "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
{ NULL, oBadOption }
};
+/* import from dh.c */
+extern int dh_grp_min;
+
/*
* Adds a local TCP/IP port forward to options. Never returns if there is an
* error.
*/
void
add_local_forward(Options *options, const struct Forward *newfwd)
{
@@ -1206,16 +1212,20 @@ parse_int:
if (*arg != '-' &&
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->kex_algorithms == NULL)
options->kex_algorithms = xstrdup(arg);
break;
+ case oKexDHMin:
+ intptr = &options->kex_dhmin;
+ goto parse_int;
+
case oHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
parse_keytypes:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
@@ -1803,16 +1813,17 @@ initialize_options(Options * options)
options->port = -1;
options->address_family = -1;
options->connection_attempts = -1;
options->connection_timeout = -1;
options->number_of_password_prompts = -1;
options->ciphers = NULL;
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->kex_dhmin = -1;
options->hostkeyalgorithms = NULL;
options->num_identity_files = 0;
options->num_certificate_files = 0;
options->hostname = NULL;
options->host_key_alias = NULL;
options->proxy_command = NULL;
options->jump_user = NULL;
options->jump_host = NULL;
@@ -1951,16 +1962,23 @@ fill_default_options(Options * options)
if (options->port == -1)
options->port = 0; /* Filled in ssh_connect. */
if (options->address_family == -1)
options->address_family = AF_UNSPEC;
if (options->connection_attempts == -1)
options->connection_attempts = 1;
if (options->number_of_password_prompts == -1)
options->number_of_password_prompts = 3;
+ if (options->kex_dhmin == -1)
+ options->kex_dhmin = DH_GRP_MIN_RFC;
+ else {
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
+ }
+ dh_grp_min = options->kex_dhmin;
/* options->hostkeyalgorithms, default set in myproposals.h */
if (options->add_keys_to_agent == -1)
options->add_keys_to_agent = 0;
if (options->num_identity_files == 0) {
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
#ifdef OPENSSL_HAS_ECC
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
diff --git a/openssh-7.6p1/readconf.h b/openssh-7.6p1/readconf.h
--- a/openssh-7.6p1/readconf.h
+++ b/openssh-7.6p1/readconf.h
@@ -64,16 +64,17 @@ typedef struct {
int connection_timeout; /* Max time (seconds) before
* aborting connection attempt */
int number_of_password_prompts; /* Max number of password
* prompts. */
char *ciphers; /* SSH2 ciphers in order of preference. */
char *macs; /* SSH2 macs in order of preference. */
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
char *hostname; /* Real host to connect. */
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */
char *user; /* User to log in as. */
int escape_char; /* Escape character; -2 = none */
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
char *system_hostfiles[SSH_MAX_HOSTS_FILES];
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
--- a/openssh-7.6p1/servconf.c
+++ b/openssh-7.6p1/servconf.c
@@ -52,16 +52,20 @@
#include "channels.h"
#include "groupaccess.h"
#include "canohost.h"
#include "packet.h"
#include "hostfile.h"
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#include "dh.h"
+
+/* import from dh.c */
+extern int dh_grp_min;
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
/* Use of privilege separation or not */
extern int use_privsep;
extern Buffer cfg;
@@ -129,16 +133,17 @@ initialize_server_options(ServerOptions
options->allow_agent_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->num_allow_groups = 0;
options->num_deny_groups = 0;
options->ciphers = NULL;
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->kex_dhmin = -1;
options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
options->num_subsystems = 0;
options->max_startups_begin = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
options->max_authtries = -1;
@@ -195,16 +200,24 @@ fill_default_server_options(ServerOption
int i;
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
if (options->use_pam_check_locks == -1)
options->use_pam_check_locks = 0;
+ if (options->kex_dhmin == -1)
+ options->kex_dhmin = DH_GRP_MIN_RFC;
+ else {
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
+ }
+ dh_grp_min = options->kex_dhmin;
+
/* Standard Options */
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_RSA_KEY_FILE;
options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_DSA_KEY_FILE;
#ifdef OPENSSL_HAS_ECC
@@ -414,17 +427,18 @@ typedef enum {
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sKexAlgorithms, sKexDHMin,
+ sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -553,16 +567,17 @@ static struct {
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "kexdhmin", sKexDHMin },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
@@ -1502,16 +1517,20 @@ process_server_config_line(ServerOptions
if (*arg != '-' &&
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->kex_algorithms == NULL)
options->kex_algorithms = xstrdup(arg);
break;
+ case sKexDHMin:
+ intptr = &options->kex_dhmin;
+ goto parse_int;
+
case sSubsystem:
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
fatal("%s line %d: too many subsystems defined.",
filename, linenum);
}
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing subsystem name.",
@@ -2285,16 +2304,17 @@ dump_config(ServerOptions *o)
#endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
o->hostbased_uses_name_from_packet_only);
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
--- a/openssh-7.6p1/servconf.h
+++ b/openssh-7.6p1/servconf.h
@@ -93,16 +93,17 @@ typedef struct {
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
int strict_modes; /* If true, require string home dir modes. */
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
char *ciphers; /* Supported SSH2 ciphers. */
char *macs; /* Supported SSH2 macs. */
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
struct ForwardOptions fwd_opts; /* forwarding options */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
int hostbased_uses_name_from_packet_only; /* experimental */
char *hostbased_key_types; /* Key types allowed for hostbased */
char *hostkeyalgorithms; /* SSH2 server key types */
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
--- a/openssh-7.6p1/ssh_config
+++ b/openssh-7.6p1/ssh_config
@@ -12,16 +12,21 @@
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+
Host *
# ForwardAgent no
# ForwardX11 no
# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
diff --git a/openssh-7.6p1/ssh_config.0 b/openssh-7.6p1/ssh_config.0
--- a/openssh-7.6p1/ssh_config.0
+++ b/openssh-7.6p1/ssh_config.0
@@ -584,16 +584,33 @@ DESCRIPTION
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
+ KexDHMin
+ Specifies the minimum accepted bit length of the DH group
+ parameter p.
+
+ As per RFC4419, this is 1024 bits, however this has increasingly
+ been seen as insecure, which prompted the change to 2048 bits.
+ Setting this option allows the client to accept parameters shorter
+ than the current minimum, down to the RFC specified 1024 bits.
+ Using this option may be needed when connecting to servers that
+ only know short DH group parameters.
+
+ Note, that while by default this option is set to 1024 to maintain
+ maximum backward compatibility, using it can severly impact
+ security and thus should be viewed as a temporary fix of last
+ resort and all efforts should be made to fix the (broken)
+ counterparty.
+
LocalCommand
Specifies a command to execute on the local machine after
successfully connecting to the server. The command string
extends to the end of the line, and is executed with the user's
shell. Arguments to LocalCommand accept the tokens described in
the TOKENS section.
The command is run synchronously and does not have access to the
diff --git a/openssh-7.6p1/ssh_config.5 b/openssh-7.6p1/ssh_config.5
--- a/openssh-7.6p1/ssh_config.5
+++ b/openssh-7.6p1/ssh_config.5
@@ -1016,16 +1016,32 @@ curve25519-sha256,curve25519-sha256@libs
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
+.It Cm KexDHMin
+Specifies the minimum accepted bit length of the DH group
+parameter p.
+.Pp
+As per RFC4419, this is 1024 bits, however this has increasingly
+been seen as insecure, which prompted the change to 2048 bits.
+Setting this option allows the client to accept parameters shorter
+than the current minimum, down to the RFC specified 1024 bits.
+Using this option may be needed when connecting to servers that
+only know short DH group parameters.
+.Pp
+Note, that while by default this option is set to 1024 to maintain
+maximum backward compatibility, using it can severly impact
+security and thus should be viewed as a temporary fix of last
+resort and all efforts should be made to fix the (broken)
+counterparty.
.It Cm LocalCommand
Specifies a command to execute on the local machine after successfully
connecting to the server.
The command string extends to the end of the line, and is executed with
the user's shell.
Arguments to
.Cm LocalCommand
accept the tokens described in the
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
--- a/openssh-7.6p1/sshd_config
+++ b/openssh-7.6p1/sshd_config
@@ -15,16 +15,21 @@
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
--- a/openssh-7.6p1/sshd_config.0
+++ b/openssh-7.6p1/sshd_config.0
@@ -532,16 +532,33 @@ DESCRIPTION
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
+ KexDHMin
+ Specifies the minimum accepted bit length of the DH group
+ parameter p.
+
+ As per RFC4419, this is 1024 bits, however this has increasingly
+ been seen as insecure, which prompted the change to 2048 bits.
+ Setting this option allows the server to accept parameters shorter
+ than the current minimum, down to the RFC specified 1024 bits.
+ Using this option may be needed when some of the connectiong
+ clients only know short DH group parameters.
+
+ Note, that while by default this option is set to 1024 to maintain
+ maximum backward compatibility, using it can severly impact
+ security and thus should be viewed as a temporary fix of last
+ resort and all efforts should be made to fix the (broken)
+ counterparty.
+
ListenAddress
Specifies the local addresses sshd(8) should listen on. The
following forms may be used:
ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
--- a/openssh-7.6p1/sshd_config.5
+++ b/openssh-7.6p1/sshd_config.5
@@ -893,16 +893,32 @@ The default is:
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
+.It Cm KexDHMin
+Specifies the minimum accepted bit length of the DH group
+parameter p.
+.Pp
+As per RFC4419, this is 1024 bits, however this has increasingly
+been seen as insecure, which prompted the change to 2048 bits.
+Setting this option allows the server to accept parameters shorter
+than the current minimum, down to the RFC specified 1024 bits.
+Using this option may be needed when some of the connectiong
+clients only know short DH group parameters.
+.Pp
+Note, that while by default this option is set to 1024 to maintain
+maximum backward compatibility, using it can severly impact
+security and thus should be viewed as a temporary fix of last
+resort and all efforts should be made to fix the (broken)
+counterparty.
.It Cm ListenAddress
Specifies the local addresses
.Xr sshd 8
should listen on.
The following forms may be used:
.Pp
.Bl -item -offset indent -compact
.It

27
openssh-7.6p1-eal3.patch
View File

@ -1,27 +0,0 @@
# HG changeset patch
# Parent 9797aecac98b26573a295fd75128b7c68dfc5aad
fix paths and references in sshd man pages
diff --git a/openssh-7.6p1/Makefile.in b/openssh-7.6p1/Makefile.in
--- a/openssh-7.6p1/Makefile.in
+++ b/openssh-7.6p1/Makefile.in
@@ -119,17 +119,18 @@ MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
CONFIGFILES_IN=sshd_config ssh_config moduli
PATHSUBS = \
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
-e 's|/usr/libexec|$(libexecdir)|g' \
- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
+ -e 's|login\.conf|login.defs|g' \
+ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \

28
openssh-7.6p1-enable_PAM_by_default.patch
View File

@ -1,28 +0,0 @@
# HG changeset patch
# Parent d47e806f23ad0649ef38b24e8cb9d5617e5d5d15
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749
# --used to be called '-pam-fix2'
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
--- a/openssh-7.6p1/sshd_config
+++ b/openssh-7.6p1/sshd_config
@@ -75,17 +75,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

1400
openssh-7.6p1-fips.patch
View File

File diff suppressed because it is too large Load Diff

520
openssh-7.6p1-fips_checks.patch
View File

@ -1,520 +0,0 @@
# HG changeset patch
# Parent 4ed7a1ce08460bfdb1ed5b57e6b45940eb7e7167
#
# Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and
# verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would
# obviously be a poor choice, since OpenSSL would barf and abort immediately in
# FIPS mode). SHA-2 seems to be a reasonable choice.
#
# The logic of the checks is as follows: decide whether FIPS mode is mandated
# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
# still must be performed, unless the hashes are not installed. Thus if the hash
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
# otherwise.
diff --git a/openssh-7.6p1/fips-check.c b/openssh-7.6p1/fips-check.c
new file mode 100644
--- /dev/null
+++ b/openssh-7.6p1/fips-check.c
@@ -0,0 +1,34 @@
+#include "includes.h"
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "digest.h"
+#include "fips.h"
+
+#include <openssl/err.h>
+
+#define PROC_NAME_LEN 64
+
+static const char *argv0;
+
+void
+print_help_exit(int ev)
+{
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
+ exit(ev);
+}
+
+int
+main(int argc, char **argv)
+{
+ fips_ssh_init();
+ return 0;
+}
diff --git a/openssh-7.6p1/fips.c b/openssh-7.6p1/fips.c
--- a/openssh-7.6p1/fips.c
+++ b/openssh-7.6p1/fips.c
@@ -30,41 +30,304 @@
#include "dh.h"
#include "digest.h"
#include "kex.h"
#include "key.h"
#include "mac.h"
#include "log.h"
#include "xmalloc.h"
+#include <errno.h>
+#include <fcntl.h>
#include <string.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/hmac.h>
/* import from dh.c */
extern int dh_grp_min;
static int fips_state = -1;
+/* calculates HMAC of contents of a file given by filename using the hash
+ * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
+ * newly allacated memory - remember to free it when not needed anymore */
+static int
+hmac_file(const char *filename, u_char **hmac_out)
+{
+ int check = -1;
+ int fd;
+ struct stat fs;
+ void *hmap;
+ unsigned char *hmac;
+ unsigned char *hmac_rv = NULL;
+
+ hmac = xmalloc(FIPS_HMAC_LEN);
+
+ fd = open(filename, O_RDONLY);
+ if (-1 == fd)
+ goto bail_out;
+
+ if (-1 == fstat(fd, &fs))
+ goto bail_out;
+
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
+
+ if ((void *)(-1) != hmap) {
+ hmac_rv = HMAC(FIPS_HMAC_EVP(), FIPS_HMAC_KEY
+ , strlen(FIPS_HMAC_KEY), hmap, fs.st_size, hmac, NULL);
+ check = CHECK_OK;
+ munmap(hmap, fs.st_size);
+ }
+ close(fd);
+
+bail_out:
+ if (hmac_rv) {
+ check = CHECK_OK;
+ *hmac_out = hmac;
+ } else {
+ check = CHECK_FAIL;
+ *hmac_out = NULL;
+ free(hmac);
+ }
+ return check;
+}
+
+/* find pathname of binary of process with PID pid. exe is buffer expected to
+ * be capable of holding at least max_pathlen characters
+ */
+static int
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
+{
+ char exe_sl[PROC_EXE_PATH_LEN];
+ int n;
+ int rv = -1;
+
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
+ if ((n <= 10) || (n >= max_pathlen)) {
+ fatal("error compiling filename of link to executable");
+ }
+
+ exe[0] = 0;
+ n = readlink(exe_sl, exe, max_pathlen);
+ /* the file doesn't need to exist - procfs might not be mounted in
+ * chroot */
+ if (n == -1) {
+ rv = CHECK_MISSING;
+ } else {
+ if (n < max_pathlen) {
+ exe[n] = 0;
+ rv = CHECK_OK;
+ } else {
+ rv = CHECK_FAIL;
+ }
+ }
+ return rv;
+}
+
+/* Read HMAC from file chk, allocating enough memory to hold the HMAC and
+ * return it in *hmac.
+ * Remember to free() it when it's not needed anymore.
+ */
+static int
+read_hmac(const char *chk, u_char **hmac)
+{
+ int check = -1;
+ int fdh, n;
+ u_char *hmac_in;
+
+ *hmac = NULL;
+
+ fdh = open(chk, O_RDONLY);
+ if (-1 == fdh) {
+ switch (errno) {
+ case ENOENT:
+ check = CHECK_MISSING;
+ debug("fips: checksum file %s is missing\n", chk);
+ break;
+ default:
+ check = CHECK_FAIL;
+ debug("fips: ckecksum file %s not accessible\n", chk);
+ break;
+
+ }
+ goto bail_out;
+ }
+
+ hmac_in = xmalloc(FIPS_HMAC_LEN);
+
+ n = read(fdh, (void *)hmac_in, FIPS_HMAC_LEN);
+ if (FIPS_HMAC_LEN != n) {
+ debug("fips: unable to read whole checksum from checksum file\n");
+ free (hmac_in);
+ check = CHECK_FAIL;
+ } else {
+ check = CHECK_OK;
+ *hmac = hmac_in;
+ }
+bail_out:
+ return check;
+}
+
+static int
+fips_hmac_self(void)
+{
+ int check = -1;
+ u_char *hmac = NULL, *hmac_chk = NULL;
+ char *exe, *chk;
+
+ exe = xmalloc(PATH_MAX);
+ chk = xmalloc(PATH_MAX);
+
+ /* we will need to add the suffix and the null terminator */
+ check = get_executable_path(getpid(), exe
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ strncpy(chk, exe, PATH_MAX);
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
+
+ check = read_hmac(chk, &hmac_chk);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ check = hmac_file(exe, &hmac);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ check = memcmp(hmac, hmac_chk, FIPS_HMAC_LEN);
+ if (0 == check) {
+ check = CHECK_OK;
+ debug("fips: checksum matches\n");
+ } else {
+ check = CHECK_FAIL;
+ debug("fips: checksum mismatch!\n");
+ }
+
+cleanup:
+ free(hmac);
+ free(hmac_chk);
+ free(chk);
+ free(exe);
+
+ return check;
+}
+
+static int
+fips_check_required_proc(void)
+{
+ int fips_required = 0;
+ int fips_fd;
+ char fips_sys = 0;
+
+ struct stat dummy;
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
+ switch (errno) {
+ case ENOENT:
+ case ENOTDIR:
+ break;
+ default:
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be accessed for reason other than non-existence - aborting"
+ , FIPS_PROC_PATH);
+ break;
+ }
+ } else {
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be opened for reading - aborting"
+ , FIPS_PROC_PATH);
+ if (1 > read(fips_fd, &fips_sys, 1))
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
+ " return at least one character - aborting"
+ , FIPS_PROC_PATH);
+ close(fips_sys);
+ switch (fips_sys) {
+ case '0':
+ case '1':
+ fips_required = fips_sys - '0';
+ break;
+ default:
+ fatal("Bogus character %c found in %s - aborting"
+ , fips_sys, FIPS_PROC_PATH);
+ }
+ }
+ return fips_required;
+}
+
static int
fips_check_required_env(void)
{
- int fips_required = 0;
- char *env = getenv(SSH_FORCE_FIPS_ENV);
+ return (NULL != getenv(SSH_FORCE_FIPS_ENV));
+}
+
+static int
+fips_required(void)
+{
+ int fips_requests = 0;
+ fips_requests += fips_check_required_proc();
+ fips_requests += fips_check_required_env();
+ return fips_requests;
+}
+
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
+void
+fips_ssh_init(void)
+{
+ int checksum;
+
+ checksum = fips_hmac_self();
- if (env) {
- errno = 0;
- fips_required = strtol(env, NULL, 10);
- if (errno) {
- debug("bogus value in the %s environment variable, ignoring\n"
- , SSH_FORCE_FIPS_ENV);
- fips_required = 0;
- } else
- fips_required = 1;
- }
- return fips_required;
+ if (fips_required()) {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: mandatory checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: mandatory checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ fatal("fips: mandatory checksum data missing - aborting");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u"
+ , __FILE__, __LINE__);
+ break;
+ }
+ fips_state = FIPS_mode_set(1);
+ if (1 != fips_state) {
+ ERR_load_crypto_strings();
+ u_long err = ERR_get_error();
+ error("fips: OpenSSL error %lx: %s"
+ , err, ERR_error_string(err, NULL));
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting");
+ }
+ } else {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ debug("fips: checksum data missing, but not required - continuing non-FIPS");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u",
+ __FILE__, __LINE__);
+ break;
+ }
+ }
+ return;
}
int
fips_mode(void)
{
if (-1 == fips_state) {
fips_state = FIPS_mode();
if (fips_state)
diff --git a/openssh-7.6p1/fips.h b/openssh-7.6p1/fips.h
--- a/openssh-7.6p1/fips.h
+++ b/openssh-7.6p1/fips.h
@@ -1,10 +1,10 @@
/*
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
@@ -22,23 +22,38 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef FIPS_H
#define FIPS_H
#include "key.h"
#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
+
+#define PROC_EXE_PATH_LEN 64
+#define CHECKSUM_SUFFIX ".hmac"
+#define FIPS_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
+#define FIPS_HMAC_EVP EVP_sha256
+#define FIPS_HMAC_LEN 32
+
+void fips_ssh_init(void);
typedef enum {
FIPS_FILTER_CIPHERS,
FIPS_FILTER_MACS,
FIPS_FILTER_KEX_ALGS
} fips_filters;
+typedef enum {
+ CHECK_OK = 0,
+ CHECK_FAIL,
+ CHECK_MISSING
+} fips_checksum_status;
+
int fips_mode(void);
int fips_correct_dgst(int);
int fips_dgst_min(void);
int fips_dh_grp_min(void);
enum fp_type fips_correct_fp_type(enum fp_type);
int fips_filter_crypto(char **, fips_filters);
#endif
diff --git a/openssh-7.6p1/sftp-server.c b/openssh-7.6p1/sftp-server.c
--- a/openssh-7.6p1/sftp-server.c
+++ b/openssh-7.6p1/sftp-server.c
@@ -46,16 +46,18 @@
#include "log.h"
#include "misc.h"
#include "match.h"
#include "uidswap.h"
#include "sftp.h"
#include "sftp-common.h"
+#include "fips.h"
+
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
/* Our client */
static struct passwd *pw = NULL;
static char *client_addr = NULL;
/* input and output queue */
@@ -1504,16 +1506,19 @@ sftp_server_main(int argc, char **argv,
ssize_t len, olen, set_size;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
char *cp, *homedir = NULL, buf[4*4096];
long mask;
extern char *optarg;
extern char *__progname;
+ /* initialize fips */
+ fips_ssh_init();
+
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
"d:f:l:P:p:Q:u:cehR")) != -1) {
diff --git a/openssh-7.6p1/ssh.c b/openssh-7.6p1/ssh.c
--- a/openssh-7.6p1/ssh.c
+++ b/openssh-7.6p1/ssh.c
@@ -518,16 +518,20 @@ main(int ac, char **av)
struct passwd *pw;
extern int optind, optreset;
extern char *optarg;
struct Forward fwd;
struct addrinfo *addrs = NULL;
struct ssh_digest_ctx *md;
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
--- a/openssh-7.6p1/sshd.c
+++ b/openssh-7.6p1/sshd.c
@@ -1367,16 +1367,20 @@ main(int ac, char **av)
u_int64_t ibytes, obytes;
mode_t new_umask;
struct sshkey *key;
struct sshkey *pubkey;
int keytype;
Authctxt *authctxt;
struct connection_info *connection_info = get_connection_info(0, 0);
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
ssh_malloc_init(); /* must be called before any mallocs */
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */

145
openssh-7.6p1-hostname_changes_when_forwarding_X.patch
View File

@ -1,145 +0,0 @@
# HG changeset patch
# Parent e4a7e5799420a3d4b8047c5984c75c4bd4331951
# -- uset do be called '-xauthlocalhostname'
handle hostname changes when forwarding X
bnc#98627
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
--- a/openssh-7.6p1/session.c
+++ b/openssh-7.6p1/session.c
@@ -953,17 +953,17 @@ copy_environment_blacklist(char **source
void
copy_environment(char **source, char ***env, u_int *envsize)
{
copy_environment_blacklist(source, env, envsize, NULL);
}
static char **
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
{
char buf[256];
u_int i, envsize;
char **env, *laddr;
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
#endif
@@ -1142,25 +1142,27 @@ do_setup_env(struct ssh *ssh, Session *s
read_environment_file(&env, &envsize, buf);
}
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
+
+ *env_size = envsize;
return env;
}
/*
* Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
* first in this order).
*/
static void
-do_rc_files(Session *s, const char *shell)
+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
{
FILE *f = NULL;
char cmd[1024];
int do_xauth;
struct stat st;
do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
@@ -1205,22 +1207,30 @@ do_rc_files(Session *s, const char *shel
"%.500s add %.100s %.100s %.100s\n",
options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data);
}
snprintf(cmd, sizeof cmd, "%s -q -",
options.xauth_location);
f = popen(cmd, "w");
if (f) {
+ char hostname[MAXHOSTNAMELEN];
+
fprintf(f, "remove %s\n",
s->auth_display);
fprintf(f, "add %s %s %s\n",
s->auth_display, s->auth_proto,
s->auth_data);
pclose(f);
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
+ hostname);
+ else
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
+ strerror(errno));
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
}
}
}
static void
@@ -1461,16 +1471,17 @@ child_close_fds(struct ssh *ssh)
* ids, and executing the command or shell.
*/
#define ARGV_MAX 10
void
do_child(struct ssh *ssh, Session *s, const char *command)
{
extern char **environ;
char **env;
+ int env_size;
char *argv[ARGV_MAX];
const char *shell, *shell0;
struct passwd *pw = s->pw;
int r = 0;
/* remove hostkey from the child's memory */
destroy_sensitive_data();
packet_clear_keys();
@@ -1522,17 +1533,17 @@ do_child(struct ssh *ssh, Session *s, co
* legal, and means /bin/sh.
*/
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
/*
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
- env = do_setup_env(ssh, s, shell);
+ env = do_setup_env(ssh, s, shell, &env_size);
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
#endif
/*
* Close the connection descriptors; note that this is the child, and
* the server will still have the socket open, and it is important
@@ -1586,17 +1597,17 @@ do_child(struct ssh *ssh, Session *s, co
strerror(errno));
}
if (r)
exit(1);
}
closefrom(STDERR_FILENO + 1);
- do_rc_files(s, shell);
+ do_rc_files(s, shell, env, &env_size);
/* restore SIGPIPE for child */
signal(SIGPIPE, SIG_DFL);
if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
printf("This service allows sftp connections only.\n");
fflush(NULL);
exit(1);

26
openssh-7.6p1-lastlog.patch
View File

@ -1,26 +0,0 @@
# HG changeset patch
# Parent b26f93cf21e4cfff1212ad2e61696ad099cfaf5e
# set uid for functions that use it to seek in lastlog and wtmp files
# bnc#18024 (was suse #3024)
diff --git a/openssh-7.6p1/sshlogin.c b/openssh-7.6p1/sshlogin.c
--- a/openssh-7.6p1/sshlogin.c
+++ b/openssh-7.6p1/sshlogin.c
@@ -129,16 +129,17 @@ record_login(pid_t pid, const char *tty,
{
struct logininfo *li;
/* save previous login details before writing new */
store_lastlog_message(user, uid);
li = login_alloc_entry(pid, user, host, tty);
login_set_addr(li, addr, addrlen);
+ li->uid = uid;
login_login(li);
login_free_entry(li);
}
#ifdef LOGIN_NEEDS_UTMPX
void
record_utmp_only(pid_t pid, const char *ttyname, const char *user,
const char *host, struct sockaddr *addr, socklen_t addrlen)

229
openssh-7.6p1-pam_check_locks.patch
View File

@ -1,229 +0,0 @@
# HG changeset patch
# Parent ee0459c1b5173da57f9b3a6e62b232dcf9b3a029
new option UsePAMCheckLocks to enforce checking for locked accounts while
UsePAM is used
bnc#708678, FATE#312033
diff --git a/openssh-7.6p1/auth.c b/openssh-7.6p1/auth.c
--- a/openssh-7.6p1/auth.c
+++ b/openssh-7.6p1/auth.c
@@ -105,17 +105,17 @@ allowed_user(struct passwd * pw)
struct spwd *spw = NULL;
#endif
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw || !pw->pw_name)
return 0;
#ifdef USE_SHADOW
- if (!options.use_pam)
+ if (!options.use_pam || options.use_pam_check_locks)
spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
return 0;
#endif /* HAS_SHADOW_EXPIRE */
#endif /* USE_SHADOW */
/* grab passwd field for locked account check */
@@ -125,17 +125,17 @@ allowed_user(struct passwd * pw)
#ifdef USE_LIBIAF
passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
#endif /* USE_LIBIAF */
#endif
/* check for locked account */
- if (!options.use_pam && passwd && *passwd) {
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
int locked = 0;
#ifdef LOCKED_PASSWD_STRING
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
locked = 1;
#endif
#ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
--- a/openssh-7.6p1/servconf.c
+++ b/openssh-7.6p1/servconf.c
@@ -69,16 +69,17 @@ extern Buffer cfg;
void
initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
/* Portable-specific options */
options->use_pam = -1;
+ options->use_pam_check_locks = -1;
/* Standard Options */
options->num_ports = 0;
options->ports_from_cmdline = 0;
options->queued_listen_addrs = NULL;
options->num_queued_listens = 0;
options->listen_addrs = NULL;
options->address_family = -1;
@@ -191,16 +192,18 @@ assemble_algorithms(ServerOptions *o)
void
fill_default_server_options(ServerOptions *options)
{
int i;
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
+ if (options->use_pam_check_locks == -1)
+ options->use_pam_check_locks = 0;
/* Standard Options */
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_RSA_KEY_FILE;
options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_DSA_KEY_FILE;
@@ -382,17 +385,17 @@ fill_default_server_options(ServerOption
#endif
}
/* Keyword tokens. */
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
- sUsePAM,
+ sUsePAM, sUsePAMChecklocks,
/* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sKerberosGetAFSToken,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
@@ -433,18 +436,20 @@ typedef enum {
static struct {
const char *name;
ServerOpCodes opcode;
u_int flags;
} keywords[] = {
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
{ "port", sPort, SSHCFG_GLOBAL },
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
@@ -1040,16 +1045,19 @@ process_server_config_line(ServerOptions
}
}
switch (opcode) {
/* Portable-specific options */
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
+ case sUsePAMChecklocks:
+ intptr = &options->use_pam_check_locks;
+ goto parse_flag;
/* Standard Options */
case sBadOption:
return -1;
case sPort:
/* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline)
return 0;
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
--- a/openssh-7.6p1/servconf.h
+++ b/openssh-7.6p1/servconf.h
@@ -168,16 +168,17 @@ typedef struct {
*/
u_int num_authkeys_files; /* Files containing public keys */
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
int permit_tun;
char **permitted_opens;
u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */
char *chroot_directory;
char *revoked_keys_file;
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
--- a/openssh-7.6p1/sshd_config.0
+++ b/openssh-7.6p1/sshd_config.0
@@ -901,16 +901,24 @@ DESCRIPTION
Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
either PasswordAuthentication or ChallengeResponseAuthentication.
If UsePAM is enabled, you will not be able to run sshd(8) as a
non-root user. The default is no.
+ UsePAMCheckLocks
+ When set to ``yes'', the checks whether the account has been
+ locked with `passwd -l' are performed even when PAM authentication
+ is enabled via UsePAM. This is to ensure that it is not possible
+ to log in with e.g. a public key (in such a case PAM is used only
+ to set up the session and some PAM modules will not check whether
+ the account is locked in this scenario). The default is ``no''.
+
VersionAddendum
Optionally specifies additional text to append to the SSH
protocol banner sent by the server upon connection. The default
is none.
X11DisplayOffset
Specifies the first display number available for sshd(8)'s X11
forwarding. This prevents sshd from interfering with real X11
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
--- a/openssh-7.6p1/sshd_config.5
+++ b/openssh-7.6p1/sshd_config.5
@@ -1496,16 +1496,28 @@ or
.Pp
If
.Cm UsePAM
is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
.Cm no .
+.It Cm UsePAMCheckLocks
+When set to
+.Dq yes
+, the checks whether the account has been locked with
+.Pa passwd -l
+are performed even when PAM authentication is enabled via
+.Cm UsePAM .
+This is to ensure that it is not possible to log in with e.g. a
+public key (in such a case PAM is used only to set up the session and some PAM
+modules will not check whether the account is locked in this scenario). The
+default is
+.Dq no .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
.Cm none .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's

49
openssh-7.6p1-pts_names_formatting.patch
View File

@ -1,49 +0,0 @@
# HG changeset patch
# Parent 6dd892b74f13d258dc1bb3a70db7397dfb46c5e0
# use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files)
# --used to be called '-pts'
diff --git a/openssh-7.6p1/loginrec.c b/openssh-7.6p1/loginrec.c
--- a/openssh-7.6p1/loginrec.c
+++ b/openssh-7.6p1/loginrec.c
@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li)
/*
* 'line' string utility functions
*
* These functions process the 'line' string into one of three forms:
*
* 1. The full filename (including '/dev')
* 2. The stripped name (excluding '/dev')
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
- * /dev/pts/1 -> ts/1 )
+ * /dev/pts/1 -> /1 )
*
* Form 3 is used on some systems to identify a .tmp.? entry when
* attempting to remove it. Typically both addition and removal is
* performed by one application - say, sshd - so as long as the choice
* uniquely identifies a terminal it's ok.
*/
@@ -602,16 +602,20 @@ line_abbrevname(char *dst, const char *s
/* Always skip prefix if present */
if (strncmp(src, "/dev/", 5) == 0)
src += 5;
#ifdef WITH_ABBREV_NO_TTY
if (strncmp(src, "tty", 3) == 0)
src += 3;
#endif
+ if (strncmp(src, "pts/", 4) == 0) {
+ src += 3;
+ if (strlen(src) > 4) src++;
+ }
len = strlen(src);
if (len > 0) {
if (((int)len - dstsize) > 0)
src += ((int)len - dstsize);
/* note: _don't_ change this to strlcpy */

55
openssh-7.6p1-remove_xauth_cookies_on_exit.patch
View File

@ -1,55 +0,0 @@
# HG changeset patch
# Parent 2c6d52d1229cbfd1cd4b7b356bb649470df4d3b3
# --used to be called '-xauth'
try to remove xauth cookies on logout
bnc#98815
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
--- a/openssh-7.6p1/session.c
+++ b/openssh-7.6p1/session.c
@@ -2294,16 +2294,44 @@ session_close(struct ssh *ssh, Session *
u_int i;
verbose("Close session: user %s from %.200s port %d id %d",
s->pw->pw_name,
ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh),
s->self);
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {
+ pid_t pid;
+ FILE *f;
+ char cmd[1024];
+ struct passwd * pw = s->pw;
+
+ if (!(pid = fork())) {
+ permanently_set_uid(pw);
+
+ /* Remove authority data from .Xauthority if appropriate. */
+ debug("Running %.500s remove %.100s\n",
+ options.xauth_location, s->auth_display);
+
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
+ s->pw->pw_dir, options.xauth_location);
+ f = popen(cmd, "w");
+ if (f) {
+ fprintf(f, "remove %s\n", s->auth_display);
+ pclose(f);
+ } else
+ error("Could not run %s\n", cmd);
+ exit(0);
+ } else if (pid > 0) {
+ waitpid(pid, NULL, 0);
+ }
+ }
+
if (s->ttyfd != -1)
session_pty_cleanup(s);
free(s->term);
free(s->display);
free(s->x11_chanids);
free(s->auth_display);
free(s->auth_data);
free(s->auth_proto);

34
openssh-7.6p1-seccomp_geteuid.patch
View File

@ -1,34 +0,0 @@
# HG changeset patch
# Parent 85f3cd6c8291c7feb0c1e7a0a3645c130532d206
Add the 'geteuid' syscall to allowed list, since it may becalled on the
mainframes when OpenSSL is using hardware crypto accelerator via libica
(via ibmica)
bsc#1004258
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
@@ -161,16 +161,22 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_close),
#endif
#ifdef __NR_exit
SC_ALLOW(__NR_exit),
#endif
#ifdef __NR_exit_group
SC_ALLOW(__NR_exit_group),
#endif
+#ifdef __NR_geteuid
+ SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+ SC_ALLOW(__NR_geteuid32),
+#endif
#ifdef __NR_getpgid
SC_ALLOW(__NR_getpgid),
#endif
#ifdef __NR_getpid
SC_ALLOW(__NR_getpid),
#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),

31
openssh-7.6p1-seccomp_getuid.patch
View File

@ -1,31 +0,0 @@
# HG changeset patch
# Parent 004731f82470b22b9bd563ef3216034cf00ba133
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
from being killed by the seccomp filter
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
@@ -173,16 +173,22 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_getpid),
#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),
#endif
#ifdef __NR_gettimeofday
SC_ALLOW(__NR_gettimeofday),
#endif
+#ifdef __NR_getuid
+ SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+ SC_ALLOW(__NR_getuid32),
+#endif
#ifdef __NR_madvise
SC_ALLOW(__NR_madvise),
#endif
#ifdef __NR_mmap
SC_ALLOW(__NR_mmap),
#endif
#ifdef __NR_mmap2
SC_ALLOW(__NR_mmap2),

30
openssh-7.6p1-seccomp_stat.patch
View File

@ -1,30 +0,0 @@
# HG changeset patch
# Parent ddbb42a2825e7e837d7b0387b79a9542c7869174
Allow the stat() syscall for OpenSSL re-seed patch
(which causes OpenSSL use stat() on some file)
bnc#912436
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
@@ -224,16 +224,19 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_select),
#endif
#ifdef __NR_shutdown
SC_ALLOW(__NR_shutdown),
#endif
#ifdef __NR_sigprocmask
SC_ALLOW(__NR_sigprocmask),
#endif
+#ifdef __NR_stat
+ SC_ALLOW(__NR_stat),
+#endif
#ifdef __NR_time
SC_ALLOW(__NR_time),
#endif
#ifdef __NR_write
SC_ALLOW(__NR_write),
#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),

461
openssh-7.6p1-seed-prng.patch
View File

@ -1,461 +0,0 @@
# HG changeset patch
# Parent e7721ed81bcf77756a79fbd04d377cc420a994cc
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
diff --git a/openssh-7.6p1/entropy.c b/openssh-7.6p1/entropy.c
--- a/openssh-7.6p1/entropy.c
+++ b/openssh-7.6p1/entropy.c
@@ -49,16 +49,17 @@
#include "ssh.h"
#include "misc.h"
#include "xmalloc.h"
#include "atomicio.h"
#include "pathnames.h"
#include "log.h"
#include "buffer.h"
+#include "openbsd-compat/port-linux.h"
/*
* Portable OpenSSH PRNG seeding:
* If OpenSSL has not "internally seeded" itself (e.g. pulled data from
* /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
* PRNGd.
*/
#ifndef OPENSSL_PRNG_ONLY
@@ -224,16 +225,19 @@ seed_rng(void)
}
if (seed_from_prngd(buf, sizeof(buf)) == -1)
fatal("Could not obtain seed from PRNGd");
RAND_add(buf, sizeof(buf), sizeof(buf));
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
+
+ linux_seed();
+
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
#else /* WITH_OPENSSL */
/* Handled in arc4random() */
void
diff --git a/openssh-7.6p1/openbsd-compat/Makefile.in b/openssh-7.6p1/openbsd-compat/Makefile.in
--- a/openssh-7.6p1/openbsd-compat/Makefile.in
+++ b/openssh-7.6p1/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o recallocarray.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strcasestr.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o freezero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
all: libopenbsd-compat.a
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
diff --git a/openssh-7.6p1/openbsd-compat/port-linux-prng.c b/openssh-7.6p1/openbsd-compat/port-linux-prng.c
new file mode 100644
--- /dev/null
+++ b/openssh-7.6p1/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - prng support
+ */
+
+#include "includes.h"
+#include "defines.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <openssl/rand.h>
+
+#include "log.h"
+#include "port-linux.h"
+#include "fips.h"
+
+#define RNG_BYTES_DEFAULT 6L
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
+
+long rand_bytes = 0;
+char *rand_file = NULL;
+
+static void
+linux_seed_init(void)
+{
+ long elen = 0;
+ char *env = getenv(RNG_ENV_VAR);
+
+ if (env) {
+ errno = 0;
+ elen = strtol(env, NULL, 10);
+ if (errno) {
+ elen = RNG_BYTES_DEFAULT;
+ debug("bogus value in the %s environment variable, "
+ "using %li bytes from /dev/random\n",
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
+ }
+ }
+
+ if (elen || fips_mode())
+ rand_file = "/dev/random";
+ else
+ rand_file = "/dev/urandom";
+
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
+}
+
+void
+linux_seed(void)
+{
+ long len;
+ if (!rand_file)
+ linux_seed_init();
+
+ errno = 0;
+ len = RAND_load_file(rand_file, rand_bytes);
+ if (len != rand_bytes) {
+ if (errno)
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
+ else
+ fatal ("EOF reading %s", rand_file);
+ }
+}
diff --git a/openssh-7.6p1/openbsd-compat/port-linux.h b/openssh-7.6p1/openbsd-compat/port-linux.h
--- a/openssh-7.6p1/openbsd-compat/port-linux.h
+++ b/openssh-7.6p1/openbsd-compat/port-linux.h
@@ -12,16 +12,20 @@
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _PORT_LINUX_H
#define _PORT_LINUX_H
+extern long rand_bytes;
+extern char *rand_file;
+void linux_seed(void);
+
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/openssh-7.6p1/ssh-add.1 b/openssh-7.6p1/ssh-add.1
--- a/openssh-7.6p1/ssh-add.1
+++ b/openssh-7.6p1/ssh-add.1
@@ -167,16 +167,30 @@ or related script.
(Note that on some machines it
may be necessary to redirect the input from
.Pa /dev/null
to make this work.)
.It Ev SSH_AUTH_SOCK
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa ~/.ssh/id_dsa
Contains the DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
Contains the ECDSA authentication identity of the user.
.It Pa ~/.ssh/id_ed25519
diff --git a/openssh-7.6p1/ssh-agent.1 b/openssh-7.6p1/ssh-agent.1
--- a/openssh-7.6p1/ssh-agent.1
+++ b/openssh-7.6p1/ssh-agent.1
@@ -209,16 +209,33 @@ line terminates.
.Sh FILES
.Bl -tag -width Ds
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
.Ux Ns -domain
sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
diff --git a/openssh-7.6p1/ssh-keygen.1 b/openssh-7.6p1/ssh-keygen.1
--- a/openssh-7.6p1/ssh-keygen.1
+++ b/openssh-7.6p1/ssh-keygen.1
@@ -863,16 +863,33 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr moduli 5 ,
.Xr sshd 8
.Rs
.%R RFC 4716
diff --git a/openssh-7.6p1/ssh-keysign.8 b/openssh-7.6p1/ssh-keysign.8
--- a/openssh-7.6p1/ssh-keysign.8
+++ b/openssh-7.6p1/ssh-keysign.8
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh_config 5 ,
.Xr sshd 8
.Sh HISTORY
.Nm
first appeared in
diff --git a/openssh-7.6p1/ssh.1 b/openssh-7.6p1/ssh.1
--- a/openssh-7.6p1/ssh.1
+++ b/openssh-7.6p1/ssh.1
@@ -1408,16 +1408,30 @@ reads
and adds lines of the format
.Dq VARNAME=value
to the environment if the file exists and users are allowed to
change their environment.
For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
This file is used for host-based authentication (see above).
On some machines this file may need to be
world-readable if the user's home directory is on an NFS partition,
because
.Xr sshd 8
diff --git a/openssh-7.6p1/sshd.8 b/openssh-7.6p1/sshd.8
--- a/openssh-7.6p1/sshd.8
+++ b/openssh-7.6p1/sshd.8
@@ -929,16 +929,33 @@ and not group or world-writable.
.It Pa /var/run/sshd.pid
Contains the process ID of the
.Nm
listening for connections (if there are several daemons running
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
--- a/openssh-7.6p1/sshd.c
+++ b/openssh-7.6p1/sshd.c
@@ -50,16 +50,18 @@
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include "openbsd-compat/sys-tree.h"
#include "openbsd-compat/sys-queue.h"
+#include "openbsd-compat/port-linux.h"
+
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
@@ -195,16 +197,23 @@ int have_agent = 0;
*/
struct {
struct sshkey **host_keys; /* all private host keys */
struct sshkey **host_pubkeys; /* all public host keys */
struct sshkey **host_certificates; /* all public host certificates */
int have_ssh2_key;
} sensitive_data;
+/*
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
+ * random pool.
+ */
+#define RESEED_AFTER 100
+static int re_seeding_counter = RESEED_AFTER;
+
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
/* session identifier, used by RSA-auth */
u_char session_id[16];
/* same for ssh2 */
@@ -1208,16 +1217,20 @@ server_accept_loop(int *sock_in, int *so
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0];
if (maxfd < startup_p[0])
maxfd = startup_p[0];
startups++;
break;
}
+ if(!(--re_seeding_counter)) {
+ re_seeding_counter = RESEED_AFTER;
+ linux_seed();
+ }
/*
* Got connection. Fork a child to handle it, unless
* we are in debugging mode.
*/
if (debug_flag) {
/*
* In debugging mode. Close the listening

53
openssh-7.6p1-send_locale.patch
View File

@ -1,53 +0,0 @@
# HG changeset patch
# Parent f258e8b7fc48a4b0f60fc436dc9ec72423a11bfc
send locales in default configuration
bnc#65747
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
--- a/openssh-7.6p1/ssh_config
+++ b/openssh-7.6p1/ssh_config
@@ -26,16 +26,21 @@ Host *
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after twenty minutes after remote login.
ForwardX11Trusted yes
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL
+
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
--- a/openssh-7.6p1/sshd_config
+++ b/openssh-7.6p1/sshd_config
@@ -105,14 +105,19 @@ X11Forwarding yes
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

134
openssh-7.6p1-systemd-notify.patch
View File

@ -1,134 +0,0 @@
# HG changeset patch
# Parent 47bd7a709835b11e8dbd8fdf8779a2281ed46120
Send signals to systemd to prevent various race conditions
bsc#1048367
diff --git a/openssh-7.6p1/configure.ac b/openssh-7.6p1/configure.ac
--- a/openssh-7.6p1/configure.ac
+++ b/openssh-7.6p1/configure.ac
@@ -4304,16 +4304,40 @@ AC_ARG_WITH([kerberos5],
LIBS="$saved_LIBS"
fi
]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
+AC_ARG_WITH(systemd,
+ [ --with-systemd Enable systemd support],
+ [ if test "x$withval" != "xno" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "$PKGCONFIG" != "no"; then
+ AC_MSG_CHECKING([for libsystemd])
+ if $PKGCONFIG --exists libsystemd; then
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
+ SYSTEMD_MSG="yes"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ fi ]
+)
+
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
[ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
[
if test -n "$withval" && test "x$withval" != "xno" && \
test "x${withval}" != "xyes"; then
@@ -5110,16 +5134,17 @@ echo " SELinux support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
+echo " systemd support: $SYSTEMD_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
echo ""
diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
--- a/openssh-7.6p1/sshd.c
+++ b/openssh-7.6p1/sshd.c
@@ -82,16 +82,20 @@
#include "openbsd-compat/openssl-compat.h"
#endif
#ifdef HAVE_SECUREWARE
#include <sys/security.h>
#include <prot.h>
#endif
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
#include "sshpty.h"
#include "packet.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
@@ -293,16 +297,20 @@ sighup_handler(int sig)
/*
* Called from the main program after receiving SIGHUP.
* Restarts the server.
*/
static void
sighup_restart(void)
{
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are reloading */
+ sd_notify(0, "RELOADING=1");
+#endif
logit("Received SIGHUP; restarting.");
if (options.pid_file != NULL)
unlink(options.pid_file);
platform_pre_restart();
close_listen_socks();
close_startup_pipes();
alarm(0); /* alarm timer persists across exec */
signal(SIGHUP, SIG_IGN); /* will be restored after exec */
@@ -1878,16 +1886,21 @@ main(int ac, char **av)
error("Couldn't create pid file \"%s\": %s",
options.pid_file, strerror(errno));
} else {
fprintf(f, "%ld\n", (long) getpid());
fclose(f);
}
}
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are ready to accept connections */
+ sd_notify(0, "READY=1");
+#endif
+
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);
}
/* This is the child processing a new connection. */
setproctitle("%s", "[accepted]");

6
openssh-askpass-gnome.changes
View File

@ -1,9 +1,3 @@
-------------------------------------------------------------------
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
- upgrade to 7.6p1
see main package changelog for details
-------------------------------------------------------------------
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com

2
openssh-askpass-gnome.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package openssh-askpass-gnome
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed

118
openssh.changes
View File

@ -1,11 +1,5 @@
-------------------------------------------------------------------
Thu Nov 23 13:38:52 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
Fri Jan 12 00:38:37 CET 2018 - pcerny@suse.com
- Update to vanilla 7.6p1
Most important changes (more details below):
@ -552,34 +546,94 @@ Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
* Add clang libFuzzer harnesses for public key parsing and
signature verification.
- packaging:
* removal of all 7.2 patches
* moving patches into a separate archive
* first round of rebased patches:
[openssh-7.6p1-X11_trusted_forwarding.patch]
[openssh-7.6p1-allow_root_password_login.patch]
[openssh-7.6p1-blocksigalrm.patch]
[openssh-7.6p1-disable_short_DH_parameters.patch]
[openssh-7.6p1-eal3.patch]
[openssh-7.6p1-enable_PAM_by_default.patch]
[openssh-7.6p1-fips.patch]
[openssh-7.6p1-fips_checks.patch]
[openssh-7.6p1-hostname_changes_when_forwarding_X.patch]
[openssh-7.6p1-lastlog.patch]
[openssh-7.6p1-pam_check_locks.patch]
[openssh-7.6p1-pts_names_formatting.patch]
[openssh-7.6p1-remove_xauth_cookies_on_exit.patch]
[openssh-7.6p1-seccomp_geteuid.patch]
[openssh-7.6p1-seccomp_getuid.patch]
[openssh-7.6p1-seccomp_stat.patch]
[openssh-7.6p1-seed-prng.patch]
[openssh-7.6p1-send_locale.patch]
[openssh-7.6p1-systemd-notify.patch]
[-X11_trusted_forwarding]
[-allow_root_password_login]
[-blocksigalrm]
[-cavstest-ctr]
[-cavstest-kdf]
[-disable_short_DH_parameters]
[-eal3]
[-enable_PAM_by_default]
[-fips]
[-fips_checks]
[-gssapi_key_exchange]
[-hostname_changes_when_forwarding_X]
[-lastlog]
[-missing_headers]
[-pam_check_locks]
[-pts_names_formatting]
[-remove_xauth_cookies_on_exit]
[-seccomp_geteuid]
[-seccomp_getuid]
[-seccomp_stat]
[-seed-prng]
[-send_locale]
[-systemd-notify]
* not rebased (obsoleted) patches (so far):
[openssh-7.2p2-saveargv-fix.diff]
[openssh-7.2p2-dont_use_pthreads_in_PAM.diff]
[openssh-7.2p2-gssapimitm.diff]
[openssh-7.2p2-eal3_obsolete.diff]
[openssh-7.2p2-default_protocol.diff]
[-additional_seccomp_archs]
[-allow_DSS_by_default]
[-default_protocol]
[-dont_use_pthreads_in_PAM]
[-eal3_obsolete]
[-gssapimitm]
[-saveargv-fix]
* obviously removing all standalone patch files:
[openssh-7.2p2-allow_root_password_login.patch]
[openssh-7.2p2-allow_DSS_by_default.patch]
[openssh-7.2p2-X11_trusted_forwarding.patch]
[openssh-7.2p2-lastlog.patch]
[openssh-7.2p2-enable_PAM_by_default.patch]
[openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
[openssh-7.2p2-eal3.patch]
[openssh-7.2p2-blocksigalrm.patch]
[openssh-7.2p2-send_locale.patch]
[openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
[openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
[openssh-7.2p2-pts_names_formatting.patch]
[openssh-7.2p2-pam_check_locks.patch]
[openssh-7.2p2-disable_short_DH_parameters.patch]
[openssh-7.2p2-seccomp_getuid.patch]
[openssh-7.2p2-seccomp_geteuid.patch]
[openssh-7.2p2-seccomp_stat.patch]
[openssh-7.2p2-additional_seccomp_archs.patch]
[openssh-7.2p2-fips.patch]
[openssh-7.2p2-cavstest-ctr.patch]
[openssh-7.2p2-cavstest-kdf.patch]
[openssh-7.2p2-seed-prng.patch]
[openssh-7.2p2-gssapi_key_exchange.patch]
[openssh-7.2p2-audit.patch]
[openssh-7.2p2-audit_fixes.patch]
[openssh-7.2p2-audit_seed_prng.patch]
[openssh-7.2p2-login_options.patch]
[openssh-7.2p2-disable_openssl_abi_check.patch]
[openssh-7.2p2-no_fork-no_pid_file.patch]
[openssh-7.2p2-host_ident.patch]
[openssh-7.2p2-sftp_homechroot.patch]
[openssh-7.2p2-sftp_force_permissions.patch]
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
[openssh-7.2p2-ldap.patch]
[openssh-7.2p2-IPv6_X_forwarding.patch]
[openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
[openssh-7.2p2-prevent_timing_user_enumeration.patch]
[openssh-7.2p2-limit_password_length.patch]
[openssh-7.2p2-keep_slogin.patch]
[openssh-7.2p2-kex_resource_depletion.patch]
[openssh-7.2p2-verify_CIDR_address_ranges.patch]
[openssh-7.2p2-restrict_pkcs11-modules.patch]
[openssh-7.2p2-prevent_private_key_leakage.patch]
[openssh-7.2p2-secure_unix_sockets_forwarding.patch]
[openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
[openssh-7.2p2-disable_preauth_compression.patch]
[openssh-7.2p2-s390_hw_crypto_syscalls.patch]
[openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
-------------------------------------------------------------------
Thu Nov 23 13:38:52 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com

104
openssh.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package openssh
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -90,8 +90,8 @@ BuildRequires: libopenssl-1_0_0-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
%if %{uses_systemd}
BuildRequires: pkgconfig(systemd)
BuildRequires: systemd-devel
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%endif
BuildRequires: tcpd-devel
@ -118,28 +118,8 @@ Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Source11: README.FIPS
#Source12: cavs_driver-ssh.pl
Patch00: openssh-7.6p1-allow_root_password_login.patch
Patch01: openssh-7.6p1-X11_trusted_forwarding.patch
Patch02: openssh-7.6p1-lastlog.patch
Patch03: openssh-7.6p1-enable_PAM_by_default.patch
Patch04: openssh-7.6p1-eal3.patch
Patch05: openssh-7.6p1-blocksigalrm.patch
Patch06: openssh-7.6p1-send_locale.patch
Patch07: openssh-7.6p1-hostname_changes_when_forwarding_X.patch
Patch08: openssh-7.6p1-remove_xauth_cookies_on_exit.patch
Patch09: openssh-7.6p1-pts_names_formatting.patch
Patch10: openssh-7.6p1-pam_check_locks.patch
Patch11: openssh-7.6p1-disable_short_DH_parameters.patch
Patch12: openssh-7.6p1-seccomp_getuid.patch
Patch13: openssh-7.6p1-seccomp_geteuid.patch
Patch14: openssh-7.6p1-seccomp_stat.patch
Patch15: openssh-7.6p1-fips.patch
#Patch16: openssh-7.6p1-cavstest-ctr.patch
#Patch17: openssh-7.6p1-cavstest-kdf.patch
Patch18: openssh-7.6p1-fips_checks.patch
Patch19: openssh-7.6p1-seed-prng.patch
Patch20: openssh-7.6p1-systemd-notify.patch
Source12: cavs_driver-ssh.pl
Source100: openssh-7.6p1-SUSE_patches.tar.xz
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Conflicts: nonfreessh
Recommends: audit
@ -180,47 +160,32 @@ Hashes that together with the main package form the FIPS certifiable
cryptomodule.
#%package cavs
#Summary: OpenSSH FIPS cryptomodule CAVS tests
#Group: Productivity/Networking/SSH
#Requires: %{name} = %{version}-%{release}
#
#%description cavs
#FIPS140 CAVS tests related parts of the OpenSSH package
%package cavs
Summary: OpenSSH FIPS cryptomodule CAVS tests
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
%description cavs
FIPS140 CAVS tests related parts of the OpenSSH package
%prep
%setup -q
%patch00 -p2
%patch01 -p2
%patch02 -p2
%patch03 -p2
%patch04 -p2
%patch05 -p2
%patch06 -p2
%patch07 -p2
%patch08 -p2
%patch09 -p2
%patch10 -p2
%patch11 -p2
%patch12 -p2
%patch13 -p2
%patch14 -p2
%patch15 -p2
#patch16 -p2
#patch17 -p2
%patch18 -p2
%patch19 -p2
%patch20 -p2
%setup -q -b 100
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
# patch sources
PATCH_DIR="../SUSE_patches"
cat $PATCH_DIR/patch.series | while read p; do
printf ">> applying '$p'\n"
patch -p2 < "${PATCH_DIR}/$p"
done
#LDAP: # set libexec dir in the LDAP patch
#LDAP: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
#LDAP: $( grep -Rl @LIBEXECDIR@ \
#LDAP: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
#LDAP: )
%build
### TODO: # set libexec dir in the LDAP patch
### TODO: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
### TODO: $( grep -Rl @LIBEXECDIR@ \
### TODO: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
### TODO: )
autoreconf -fiv
%ifarch s390 s390x %sparc
PIEFLAGS="-fPIE"
@ -244,7 +209,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%endif
%if %{uses_systemd}
--with-pid-dir=/run \
--with-systemd \
%endif
--with-ssl-engine \
--with-pam \
@ -292,8 +256,8 @@ install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
install -m 0644 %{SOURCE10} .
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
%endif
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
install -d -m 755 %{buildroot}/var/adm/fillup-templates
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
@ -308,7 +272,7 @@ install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
# askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
#sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
@ -345,7 +309,6 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
%else
%{fillup_and_insserv -n ssh sshd}
%endif
%set_permissions /etc/ssh/sshd_config
%preun
%if %{uses_systemd}
@ -369,9 +332,6 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd
%verifyscript
%verify_permissions -e /etc/ssh/sshd_config
%files
%defattr(-,root,root)
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
@ -383,7 +343,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%if %{uses_systemd}
%doc sshd.init
@ -402,7 +362,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%attr(0444,root,root) %doc %{_mandir}/man8/*
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
%{_fillupdir}/sysconfig.ssh
/var/adm/fillup-templates/sysconfig.ssh
%if %{has_fw_dir}
%if %{needs_all_dirs}
%dir %{_fwdir}
@ -425,8 +385,8 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
#files cavs
#defattr(-,root,root)
#attr(0755,root,root) %{_libexecdir}/ssh/cavs*
%files cavs
%defattr(-,root,root)
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
%changelog