Accepting request 1090577 from network
OBS-URL: https://build.opensuse.org/request/show/1090577 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=164
af4711fbad
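--- a/_multibuild
+++ b/_multibuild
@@ -0,0 +1,3 @@
+<multibuild>
+<package>openssh-askpass-gnome</package>
+</multibuild>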
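--- a/fix-missing-lz.patch
+++ b/fix-missing-lz.patch
@@ -0,0 +1,25 @@
+Index: openssh-9.3p1/Makefile.in
+===================================================================
+--- openssh-9.3p1.orig/Makefile.in
++++ openssh-9.3p1/Makefile.in
+@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
+$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
+- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
+sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
+$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+
+# FIPS tests
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
+- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
+- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
+# test driver for the loginrec code - not built by default
+logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o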
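Review bot: The three patched recipes (sftp-server, cavstest-ctr, cavstest-kdf) hardcode `-lz` after `$(LIBFIDO2)` instead of using a configure-provided variable, so they will drift again the next time upstream changes how zlib is linked. Elsewhere in this request the refreshed upstream link line for ssh-keyscan ends in `$(CHANNELLIBS)`, which looks like where 9.3p1 now carries zlib; if that is confirmed, `$(LIBS) $(LIBFIDO2) $(CHANNELLIBS)` would be the more robust fix and would cover any further libraries added to that variable. The new patch also has no header explaining its purpose; a line above `Index:` such as `# openssh 9.3p1: <TARGET> fails to link because zlib is no longer pulled in by $(LIBS)` would tell the next maintainer when it can be dropped.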
@ -16,28 +16,28 @@ Index: openssh-8.8p1/Makefile.in
|
|||||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||||
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
|
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
|
||||||
|
|
||||||
Index: openssh-8.8p1/cipher-ctr.c
|
#Index: openssh-8.8p1/cipher-ctr.c
|
||||||
===================================================================
|
#===================================================================
|
||||||
--- openssh-8.8p1.orig/cipher-ctr.c
|
#--- openssh-8.8p1.orig/cipher-ctr.c
|
||||||
+++ openssh-8.8p1/cipher-ctr.c
|
#+++ openssh-8.8p1/cipher-ctr.c
|
||||||
@@ -27,6 +27,8 @@
|
#@@ -27,6 +27,8 @@
|
||||||
#include "xmalloc.h"
|
# #include "xmalloc.h"
|
||||||
#include "log.h"
|
# #include "log.h"
|
||||||
|
#
|
||||||
+#include "fips.h"
|
#+#include "fips.h"
|
||||||
+
|
#+
|
||||||
/* compatibility with old or broken OpenSSL versions */
|
# /* compatibility with old or broken OpenSSL versions */
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
# #include "openbsd-compat/openssl-compat.h"
|
||||||
|
#
|
||||||
@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
|
#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
|
||||||
#ifndef SSH_OLD_EVP
|
# #ifndef SSH_OLD_EVP
|
||||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
# aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||||
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
# EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||||
+ if (fips_mode())
|
#+ if (fips_mode())
|
||||||
+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
|
#+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
|
||||||
#endif
|
# #endif
|
||||||
return (&aes_ctr);
|
# return (&aes_ctr);
|
||||||
}
|
# }
|
||||||
Index: openssh-8.8p1/cipher.c
|
Index: openssh-8.8p1/cipher.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-8.8p1.orig/cipher.c
|
--- openssh-8.8p1.orig/cipher.c
|
||||||
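Review bot: The cipher-ctr.c hunk is disabled by prefixing every line with `#` rather than removed, so the patch now carries twenty dead lines that patch(1) tolerates only because they sit between file headers and are skipped as garbage. If the hunk no longer applies because 9.3p1 no longer ships cipher-ctr.c (this diff cannot show that, but it would explain the change), deleting it and recording the reason in the patch header is cleaner and avoids a future maintainer re-enabling it by accident. Dropping it also means the `EVP_CIPH_FLAG_FIPS` marking on that in-tree AES-CTR wrapper under `fips_mode()` is gone; if the wrapper still exists in 9.3p1, that is a FIPS-mode behaviour change that deserves a changelog line. The same `#`-prefix disabling appears in the auth.c and clientloop.c hunks further down in this request.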
@ -416,8 +416,8 @@ Index: openssh-8.8p1/kex.c
|
|||||||
--- openssh-8.8p1.orig/kex.c
|
--- openssh-8.8p1.orig/kex.c
|
||||||
+++ openssh-8.8p1/kex.c
|
+++ openssh-8.8p1/kex.c
|
||||||
@@ -62,6 +62,8 @@
|
@@ -62,6 +62,8 @@
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
|
|
||||||
+#include "fips.h"
|
+#include "fips.h"
|
||||||
+
|
+
|
||||||
@ -743,7 +743,8 @@ Index: openssh-8.8p1/ssh-keygen.c
|
|||||||
+ struct Key_types key_types_all[] = {
|
+ struct Key_types key_types_all[] = {
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||||
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
#ifdef OPENSSL_HAS_ECC
|
||||||
|
# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
||||||
@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||||
{ NULL, NULL, NULL }
|
{ NULL, NULL, NULL }
|
||||||
};
|
};
|
||||||
|
@ -459,8 +459,8 @@ Index: openssh-8.8p1/sshd.c
|
|||||||
--- openssh-8.8p1.orig/sshd.c
|
--- openssh-8.8p1.orig/sshd.c
|
||||||
+++ openssh-8.8p1/sshd.c
|
+++ openssh-8.8p1/sshd.c
|
||||||
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
|
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
|
||||||
Authctxt *authctxt;
|
|
||||||
struct connection_info *connection_info = NULL;
|
struct connection_info *connection_info = NULL;
|
||||||
|
sigset_t sigmask;
|
||||||
|
|
||||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||||
|
@ -148,7 +148,7 @@ Index: openssh-8.9p1/Makefile.in
|
|||||||
sshkey-xmss.o \
|
sshkey-xmss.o \
|
||||||
@@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
|
@@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
|
||||||
|
|
||||||
SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS)
|
SFTP_OBJS= sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
|
||||||
|
|
||||||
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
|
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||||
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
|
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
|
||||||
@ -159,7 +159,7 @@ Index: openssh-8.9p1/Makefile.in
|
|||||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||||
@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
|
@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
|
||||||
|
|
||||||
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||||
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
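Review bot: The `ssh-ldap-helper` recipe added by the patch links `-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)` and stops there, while the refreshed upstream context two lines above shows ssh-keyscan now appending `$(CHANNELLIBS)` to the same library list. If libssh.a pulls in symbols that 9.3p1 resolves through `$(CHANNELLIBS)` (presumably what motivated the new fix-missing-lz.patch in this same request), this target will fail to link in the same way. Suggest ending the recipe line with `$(LIBS) $(CHANNELLIBS)` for consistency with upstream's own link lines.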
@ -10,23 +10,23 @@ Index: openssh-8.8p1/auth.c
|
|||||||
--- openssh-8.8p1.orig/auth.c
|
--- openssh-8.8p1.orig/auth.c
|
||||||
+++ openssh-8.8p1/auth.c
|
+++ openssh-8.8p1/auth.c
|
||||||
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
|
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
|
||||||
|
if (!pw || !pw->pw_name)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
#ifdef USE_SHADOW
|
- if (!options.use_pam && platform_locked_account(pw)) {
|
||||||
- if (!options.use_pam)
|
+ if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) {
|
||||||
+ if (!options.use_pam || options.use_pam_check_locks)
|
logit("User %.100s not allowed because account is locked",
|
||||||
spw = getspnam(pw->pw_name);
|
pw->pw_name);
|
||||||
#ifdef HAS_SHADOW_EXPIRE
|
return 0;
|
||||||
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
|
||||||
@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
|
# #endif
|
||||||
#endif
|
#
|
||||||
|
# /* check for locked account */
|
||||||
/* check for locked account */
|
#- if (!options.use_pam && passwd && *passwd) {
|
||||||
- if (!options.use_pam && passwd && *passwd) {
|
#+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
||||||
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
# int locked = 0;
|
||||||
int locked = 0;
|
#
|
||||||
|
# #ifdef LOCKED_PASSWD_STRING
|
||||||
#ifdef LOCKED_PASSWD_STRING
|
|
||||||
Index: openssh-8.8p1/servconf.c
|
Index: openssh-8.8p1/servconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-8.8p1.orig/servconf.c
|
--- openssh-8.8p1.orig/servconf.c
|
||||||
|
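Review bot: The rewritten first hunk makes `use_pam_check_locks` gate only `platform_locked_account(pw)`, and the second hunk that used to extend the option to the `passwd && *passwd` locked-string check is now disabled with `#` prefixes rather than ported. If 9.3p1 moved that password-field check into `platform_locked_account()` in openbsd-compat (the new context suggests so, but this diff cannot show it), behaviour is preserved and the dead hunk should simply be deleted; if it did not, `UsePAMCheckLocks` silently stops rejecting accounts locked via the password field, which is an authentication-policy regression. Worth confirming before acceptance and recording the outcome in the patch header.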
@ -37,5 +37,5 @@ Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
|||||||
+ SC_ALLOW(__NR_ipc),
|
+ SC_ALLOW(__NR_ipc),
|
||||||
+#endif
|
+#endif
|
||||||
#ifdef __NR_madvise
|
#ifdef __NR_madvise
|
||||||
SC_ALLOW(__NR_madvise),
|
SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
|
||||||
#endif
|
# ifdef MADV_FREE
|
||||||
|
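Review bot: The refreshed context shows upstream now argument-filters madvise (`SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL)`), but the patch's own `SC_ALLOW(__NR_ipc)` immediately above still admits every operation multiplexed through the ipc(2) syscall. If the sandboxed process needs only one IPC operation, `SC_ALLOW_ARG(__NR_ipc, 0, <IPC-CALL-CONSTANT>)` would narrow the allowlist in the same style as upstream, and a comment naming the operation and the caller that requires it would keep the exception from outliving its reason. This is pre-existing content of the patch rather than part of the refresh, so it can reasonably be a follow-up.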
@ -34,8 +34,8 @@ Index: openssh-8.8p1/sftp.c
|
|||||||
infile = stdin;
|
infile = stdin;
|
||||||
|
|
||||||
while ((ch = getopt(argc, argv,
|
while ((ch = getopt(argc, argv,
|
||||||
- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
|
||||||
+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
/* Passed through to ssh(1) */
|
/* Passed through to ssh(1) */
|
||||||
case 'A':
|
case 'A':
|
||||||
|
@ -8,8 +8,9 @@ Index: openssh-8.8p1/configure.ac
|
|||||||
--- openssh-8.8p1.orig/configure.ac
|
--- openssh-8.8p1.orig/configure.ac
|
||||||
+++ openssh-8.8p1/configure.ac
|
+++ openssh-8.8p1/configure.ac
|
||||||
@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
|
@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
|
||||||
AC_SUBST([GSSLIBS])
|
# AC_SUBST([GSSLIBS])
|
||||||
AC_SUBST([K5LIBS])
|
AC_SUBST([K5LIBS])
|
||||||
|
AC_SUBST([CHANNELLIBS])
|
||||||
|
|
||||||
+# Check whether user wants systemd support
|
+# Check whether user wants systemd support
|
||||||
+SYSTEMD_MSG="no"
|
+SYSTEMD_MSG="no"
|
||||||
|
@ -12,7 +12,8 @@ Index: openssh-8.9p1/Makefile.in
|
|||||||
|
|
||||||
@@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
@@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||||
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
||||||
auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
# auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
||||||
|
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
|
||||||
monitor.o monitor_wrap.o auth-krb5.o \
|
monitor.o monitor_wrap.o auth-krb5.o \
|
||||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
||||||
@ -379,12 +380,29 @@ Index: openssh-8.9p1/clientloop.c
|
|||||||
/* import options */
|
/* import options */
|
||||||
extern Options options;
|
extern Options options;
|
||||||
|
|
||||||
@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
|
#@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
|
||||||
break;
|
## Replaced with the section below
|
||||||
|
# break;
|
||||||
/* Do channel operations unless rekeying in progress. */
|
#
|
||||||
- if (!ssh_packet_is_rekeying(ssh))
|
# /* Do channel operations unless rekeying in progress. */
|
||||||
+ if (!ssh_packet_is_rekeying(ssh)) {
|
#- if (!ssh_packet_is_rekeying(ssh))
|
||||||
|
#+ if (!ssh_packet_is_rekeying(ssh)) {
|
||||||
|
# channel_after_poll(ssh, pfd, npfd_active);
|
||||||
|
#
|
||||||
|
#+#ifdef GSSAPI
|
||||||
|
#+ if (options.gss_renewal_rekey &&
|
||||||
|
#+ ssh_gssapi_credentials_updated(NULL)) {
|
||||||
|
#+ debug("credentials updated - forcing rekey");
|
||||||
|
#+ need_rekeying = 1;
|
||||||
|
#+ }
|
||||||
|
#+#endif
|
||||||
|
#+ }
|
||||||
|
#+
|
||||||
|
# /* Buffer input from the connection. */
|
||||||
|
# if (conn_in_ready)
|
||||||
|
# client_process_net_input(ssh);
|
||||||
|
@@ -1349,6 +1353,14 @@ client_loop(struct ssh *ssh, int have_pt
|
||||||
|
/* Do channel operations. */
|
||||||
channel_after_poll(ssh, pfd, npfd_active);
|
channel_after_poll(ssh, pfd, npfd_active);
|
||||||
|
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
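Review bot: The replacement hunk (`@@ -1349,6 +1353,14 @@`) drops the `if (!ssh_packet_is_rekeying(ssh))` guard the old hunk had around the `options.gss_renewal_rekey` check, so `need_rekeying = 1` can now be set while a key exchange is already in progress. The new upstream context no longer has that guard around `channel_after_poll()`, so this may simply follow upstream, but it should be confirmed that client_loop() tolerates a rekey request raised mid-KEX rather than assumed. The old hunk is kept as `#`-prefixed lines under `## Replaced with the section below`; delete it instead of carrying it as comments, and the closing-brace removal in the following hunk (`-394,7 +412,6`) belongs to the same change. client_loop() begins and ends outside the hunk.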
@ -394,7 +412,6 @@ Index: openssh-8.9p1/clientloop.c
|
|||||||
+ need_rekeying = 1;
|
+ need_rekeying = 1;
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
/* Buffer input from the connection. */
|
/* Buffer input from the connection. */
|
||||||
if (conn_in_ready)
|
if (conn_in_ready)
|
||||||
@ -1257,15 +1274,9 @@ Index: openssh-8.9p1/kex.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-8.9p1.orig/kex.c
|
--- openssh-8.9p1.orig/kex.c
|
||||||
+++ openssh-8.9p1/kex.c
|
+++ openssh-8.9p1/kex.c
|
||||||
@@ -57,11 +57,16 @@
|
@@ -57,6 +57,10 @@
|
||||||
#include "misc.h"
|
|
||||||
#include "dispatch.h"
|
|
||||||
#include "monitor.h"
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
|
|
||||||
#include "ssherr.h"
|
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
|
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
+#include "ssh-gss.h"
|
+#include "ssh-gss.h"
|
||||||
@ -1274,7 +1285,7 @@ Index: openssh-8.9p1/kex.c
|
|||||||
#include "fips.h"
|
#include "fips.h"
|
||||||
|
|
||||||
/* prototype */
|
/* prototype */
|
||||||
@@ -119,6 +124,19 @@ static const struct kexalg kexalgs_all[]
|
@@ -119,6 +123,19 @@ static const struct kexalg kexalgs_all[]
|
||||||
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
||||||
{ NULL, 0, -1, -1},
|
{ NULL, 0, -1, -1},
|
||||||
};
|
};
|
||||||
@ -1294,7 +1305,7 @@ Index: openssh-8.9p1/kex.c
|
|||||||
|
|
||||||
static const struct kexalg kexalgs_fips140_2[] = {
|
static const struct kexalg kexalgs_fips140_2[] = {
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
@@ -146,12 +164,12 @@ static const struct kexalg kexalgs_fips1
|
@@ -146,12 +163,12 @@ static const struct kexalg kexalgs_fips1
|
||||||
|
|
||||||
/* Returns array of macs available depending on selected FIPS mode */
|
/* Returns array of macs available depending on selected FIPS mode */
|
||||||
static const struct kexalg *
|
static const struct kexalg *
|
||||||
@ -1309,7 +1320,7 @@ Index: openssh-8.9p1/kex.c
|
|||||||
case 1:
|
case 1:
|
||||||
return kexalgs_fips140_2;
|
return kexalgs_fips140_2;
|
||||||
default:
|
default:
|
||||||
@@ -162,13 +180,13 @@ fips_select_kexalgs(void)
|
@@ -162,13 +179,13 @@ fips_select_kexalgs(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
char *
|
char *
|
||||||
@ -1325,7 +1336,7 @@ Index: openssh-8.9p1/kex.c
|
|||||||
if (ret != NULL)
|
if (ret != NULL)
|
||||||
ret[rlen++] = sep;
|
ret[rlen++] = sep;
|
||||||
nlen = strlen(k->name);
|
nlen = strlen(k->name);
|
||||||
@@ -183,15 +201,31 @@ kex_alg_list(char sep)
|
@@ -183,15 +200,31 @@ kex_alg_list(char sep)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1358,7 +1369,7 @@ Index: openssh-8.9p1/kex.c
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -363,6 +397,29 @@ kex_assemble_names(char **listp, const c
|
@@ -363,6 +396,29 @@ kex_assemble_names(char **listp, const c
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1385,10 +1396,10 @@ Index: openssh-8.9p1/kex.c
|
|||||||
+ return 1;
|
+ return 1;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
/* put algorithm proposal into buffer */
|
/*
|
||||||
int
|
* Fill out a proposal array with dynamically allocated values, which may
|
||||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
* be modified as required for compatibility reasons.
|
||||||
@@ -765,6 +822,9 @@ kex_free(struct kex *kex)
|
@@ -765,6 +821,9 @@ kex_free(struct kex *kex)
|
||||||
sshbuf_free(kex->session_id);
|
sshbuf_free(kex->session_id);
|
||||||
sshbuf_free(kex->initial_sig);
|
sshbuf_free(kex->initial_sig);
|
||||||
sshkey_free(kex->initial_hostkey);
|
sshkey_free(kex->initial_hostkey);
|
||||||
@ -1439,9 +1450,9 @@ Index: openssh-8.9p1/kex.h
|
|||||||
char *kex_names_cat(const char *, const char *);
|
char *kex_names_cat(const char *, const char *);
|
||||||
int kex_assemble_names(char **, const char *, const char *);
|
int kex_assemble_names(char **, const char *, const char *);
|
||||||
+int kex_gss_names_valid(const char *);
|
+int kex_gss_names_valid(const char *);
|
||||||
|
void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
|
||||||
int kex_exchange_identification(struct ssh *, int, const char *);
|
const char *, const char *, const char *, const char *, const char *);
|
||||||
|
void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
|
||||||
@@ -209,6 +226,12 @@ int kexgex_client(struct ssh *);
|
@@ -209,6 +226,12 @@ int kexgex_client(struct ssh *);
|
||||||
int kexgex_server(struct ssh *);
|
int kexgex_server(struct ssh *);
|
||||||
int kex_gen_client(struct ssh *);
|
int kex_gen_client(struct ssh *);
|
||||||
@ -3511,8 +3522,8 @@ Index: openssh-8.9p1/sshconnect2.c
|
|||||||
extern Options options;
|
extern Options options;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
@@ -220,10 +218,44 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
char *s, *all_key;
|
char *s, *all_key, *hkalgs = NULL;
|
||||||
int r, use_known_hosts_order = 0;
|
int r, use_known_hosts_order = 0;
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3523,9 +3534,6 @@ Index: openssh-8.9p1/sshconnect2.c
|
|||||||
xxx_host = host;
|
xxx_host = host;
|
||||||
xxx_hostaddr = hostaddr;
|
xxx_hostaddr = hostaddr;
|
||||||
xxx_conn_info = cinfo;
|
xxx_conn_info = cinfo;
|
||||||
@@ -264,6 +267,35 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
|
||||||
compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ if (options.gss_keyex) {
|
+ if (options.gss_keyex) {
|
||||||
@ -3559,7 +3567,7 @@ Index: openssh-8.9p1/sshconnect2.c
|
|||||||
if (options.rekey_limit || options.rekey_interval)
|
if (options.rekey_limit || options.rekey_interval)
|
||||||
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
|
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
|
||||||
options.rekey_interval);
|
options.rekey_interval);
|
||||||
@@ -282,16 +314,46 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
@@ -282,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
|
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
|
||||||
# endif
|
# endif
|
||||||
@ -3592,6 +3600,7 @@ Index: openssh-8.9p1/sshconnect2.c
|
|||||||
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
|
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
|
||||||
|
|
||||||
/* remove ext-info from the KEX proposals for rekeying */
|
/* remove ext-info from the KEX proposals for rekeying */
|
||||||
|
free(myproposal[PROPOSAL_KEX_ALGS]);
|
||||||
myproposal[PROPOSAL_KEX_ALGS] =
|
myproposal[PROPOSAL_KEX_ALGS] =
|
||||||
compat_kex_proposal(ssh, options.kex_algorithms);
|
compat_kex_proposal(ssh, options.kex_algorithms);
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3751,8 +3760,13 @@ Index: openssh-8.9p1/sshd.c
|
|||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
@@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||||
ssh, list_hostkey_types());
|
# ssh, list_hostkey_types());
|
||||||
|
# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
|
||||||
|
# compat_pkalg_proposal(ssh, list_hostkey_types());
|
||||||
|
#
|
||||||
|
|
||||||
|
free(hkalgs);
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ {
|
+ {
|
||||||
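Review bot: On the new side, the lines from `# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(` through the bare `#` appear immediately after the `@@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh)` header, i.e. inside the hunk body as rendered here. patch(1) accepts only space, `+`, `-` and `\` prefixes inside a hunk, so if this is the real file order the hunk is malformed and the build would reject it; if the `#` lines are leftover notes from rewriting the context, delete them and re-verify the hunk's line counts. The ssh-keygen.c hunk earlier in this request shows a similar `# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },` line within a hunk. do_ssh2_kex() begins and ends outside the hunk.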
@ -3884,22 +3898,40 @@ Index: openssh-8.9p1/sshkey.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-8.9p1.orig/sshkey.c
|
--- openssh-8.9p1.orig/sshkey.c
|
||||||
+++ openssh-8.9p1/sshkey.c
|
+++ openssh-8.9p1/sshkey.c
|
||||||
@@ -162,6 +162,7 @@ static const struct keytype keytypes[] =
|
@@ -127,6 +127,17 @@
|
||||||
# endif /* ENABLE_SK */
|
extern const struct sshkey_impl sshkey_xmss_impl;
|
||||||
# endif /* OPENSSL_HAS_ECC */
|
extern const struct sshkey_impl sshkey_xmss_cert_impl;
|
||||||
#endif /* WITH_OPENSSL */
|
#endif
|
||||||
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
|
+const struct sshkey_impl sshkey_null_impl = {
|
||||||
{ NULL, NULL, NULL, -1, -1, 0, 0 }
|
+ /* .name = */ "null",
|
||||||
|
+ /* .shortname = */ "null",
|
||||||
|
+ /* .sigalg = */ NULL,
|
||||||
|
+ /* .type = */ KEY_NULL,
|
||||||
|
+ /* .nid = */ 0,
|
||||||
|
+ /* .cert = */ 0,
|
||||||
|
+ /* .sigonly = */ 0,
|
||||||
|
+ /* .keybits = */ 0,
|
||||||
|
+ /* .funcs = */ NULL,
|
||||||
|
+};
|
||||||
|
|
||||||
|
const struct sshkey_impl * const keyimpls[] = {
|
||||||
|
&sshkey_ed25519_impl,
|
||||||
|
@@ -162,6 +179,7 @@ static const struct keytype keytypes[] =
|
||||||
|
&sshkey_xmss_impl,
|
||||||
|
&sshkey_xmss_cert_impl,
|
||||||
|
#endif
|
||||||
|
+ &sshkey_null_impl,
|
||||||
|
NULL
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai
|
@@ -286,7 +304,7 @@ sshkey_alg_list(int certs_only, int plai
|
||||||
const struct keytype *kt;
|
|
||||||
|
|
||||||
for (kt = keytypes; kt->type != -1; kt++) {
|
for (i = 0; keyimpls[i] != NULL; i++) {
|
||||||
- if (kt->name == NULL)
|
impl = keyimpls[i];
|
||||||
+ if (kt->name == NULL || kt->type == KEY_NULL)
|
- if (impl->name == NULL)
|
||||||
|
+ if (impl->name == NULL || impl->type == KEY_NULL)
|
||||||
continue;
|
continue;
|
||||||
if (!include_sigonly && kt->sigonly)
|
if (!include_sigonly && impl->sigonly)
|
||||||
continue;
|
continue;
|
||||||
Index: openssh-8.9p1/sshkey.h
|
Index: openssh-8.9p1/sshkey.h
|
||||||
===================================================================
|
===================================================================
|
||||||
|
@ -768,8 +768,8 @@ Index: openssh-8.9p1/auth.h
|
|||||||
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||||
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
|
|
||||||
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
int auth_key_is_revoked(struct sshkey *);
|
||||||
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
|
||||||
@@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty
|
@@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty
|
||||||
int get_hostkey_index(struct sshkey *, int, struct ssh *);
|
int get_hostkey_index(struct sshkey *, int, struct ssh *);
|
||||||
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
||||||
@ -843,8 +843,8 @@ Index: openssh-8.9p1/auth2-pubkey.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
static int
|
static int
|
||||||
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
match_principals_file(struct passwd *pw, char *file,
|
||||||
{
|
struct sshkey_cert *cert, struct sshauthopt **authoptsp)
|
||||||
Index: openssh-8.9p1/auth2.c
|
Index: openssh-8.9p1/auth2.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-8.9p1.orig/auth2.c
|
--- openssh-8.9p1.orig/auth2.c
|
||||||
@ -934,9 +934,9 @@ Index: openssh-8.9p1/kex.c
|
|||||||
--- openssh-8.9p1.orig/kex.c
|
--- openssh-8.9p1.orig/kex.c
|
||||||
+++ openssh-8.9p1/kex.c
|
+++ openssh-8.9p1/kex.c
|
||||||
@@ -62,6 +62,7 @@
|
@@ -62,6 +62,7 @@
|
||||||
#include "ssherr.h"
|
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
+#include "audit.h"
|
+#include "audit.h"
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
@ -2165,7 +2165,7 @@ Index: openssh-8.9p1/session.h
|
|||||||
@@ -71,10 +77,12 @@ void session_unused(int);
|
@@ -71,10 +77,12 @@ void session_unused(int);
|
||||||
int session_input_channel_req(struct ssh *, Channel *, const char *);
|
int session_input_channel_req(struct ssh *, Channel *, const char *);
|
||||||
void session_close_by_pid(struct ssh *ssh, pid_t, int);
|
void session_close_by_pid(struct ssh *ssh, pid_t, int);
|
||||||
void session_close_by_channel(struct ssh *, int, void *);
|
void session_close_by_channel(struct ssh *, int, int, void *);
|
||||||
-void session_destroy_all(struct ssh *, void (*)(Session *));
|
-void session_destroy_all(struct ssh *, void (*)(Session *));
|
||||||
+void session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *));
|
+void session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *));
|
||||||
void session_pty_cleanup2(Session *);
|
void session_pty_cleanup2(Session *);
|
||||||
@ -2357,7 +2357,7 @@ Index: openssh-8.9p1/sshd.c
|
|||||||
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
|
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||||
{
|
{
|
||||||
struct pollfd *pfd = NULL;
|
struct pollfd *pfd = NULL;
|
||||||
int i, j, ret;
|
int i, j, ret, npfd;
|
||||||
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
|
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
|
||||||
if (received_sigterm) {
|
if (received_sigterm) {
|
||||||
logit("Received signal %d; terminating.",
|
logit("Received signal %d; terminating.",
|
||||||
|
@ -9,7 +9,7 @@ index 767ec24..5d506a9 100644
|
|||||||
--- a/ed25519.c
|
--- a/ed25519.c
|
||||||
+++ b/ed25519.c
|
+++ b/ed25519.c
|
||||||
@@ -9,6 +9,13 @@
|
@@ -9,6 +9,13 @@
|
||||||
#include "includes.h"
|
|
||||||
#include "crypto_api.h"
|
#include "crypto_api.h"
|
||||||
|
|
||||||
+#ifdef WITH_OPENSSL
|
+#ifdef WITH_OPENSSL
|
||||||
@ -19,12 +19,12 @@ index 767ec24..5d506a9 100644
|
|||||||
+
|
+
|
||||||
+#include "log.h"
|
+#include "log.h"
|
||||||
+
|
+
|
||||||
#include "ge25519.h"
|
#define int8 crypto_int8
|
||||||
|
#define uint8 crypto_uint8
|
||||||
static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
|
#define int16 crypto_int16
|
||||||
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
|
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
|
||||||
unsigned char extsk[64];
|
sc25519 scsk;
|
||||||
int i;
|
ge25519 gepk;
|
||||||
|
|
||||||
+#ifdef WITH_OPENSSL
|
+#ifdef WITH_OPENSSL
|
||||||
+ /* Use FIPS approved RNG */
|
+ /* Use FIPS approved RNG */
|
||||||
@ -35,9 +35,9 @@ index 767ec24..5d506a9 100644
|
|||||||
randombytes(sk,32);
|
randombytes(sk,32);
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
crypto_hash_sha512(extsk, sk, 32);
|
crypto_hash_sha512(az,sk,32);
|
||||||
extsk[0] &= 248;
|
az[0] &= 248;
|
||||||
extsk[31] &= 127;
|
az[31] &= 127;
|
||||||
diff --git a/kexc25519.c b/kexc25519.c
|
diff --git a/kexc25519.c b/kexc25519.c
|
||||||
index f13d766..2604eda 100644
|
index f13d766..2604eda 100644
|
||||||
--- a/kexc25519.c
|
--- a/kexc25519.c
|
||||||
|
@ -106,7 +106,7 @@ Index: openssh-8.9p1/ssh_config.5
|
|||||||
+.Pq Pa /usr/etc/ssh/ssh_config
|
+.Pq Pa /usr/etc/ssh/ssh_config
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
For each parameter, the first obtained value
|
Unless noted otherwise, for each parameter, the first obtained value
|
||||||
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
||||||
values that are not specified in the user's configuration file, and
|
values that are not specified in the user's configuration file, and
|
||||||
for those users who do not have a configuration file.
|
for those users who do not have a configuration file.
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
|
|
||||||
size 1820282
|
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmIWG5YACgkQKj9BTnNg
|
|
||||||
YLoL2A//TuX5vo9EplHaoqTbgL5KkwaJGaae2bXczbw1N8anfSlnPi7IAL4TkLFW
|
|
||||||
SpIAGYcDoxqSAT62Ad9TsIvallPWmzG8mIa1M6dgQHUW95KbI5NHC53NgMkExI7O
|
|
||||||
x9HGDanLRoXCwbDrYAZN8UlddTsZYGrfoVso7lrW87lcTkM4AYQKNbCum/C8OUq0
|
|
||||||
esJgaaiXTIK+Rwbtpa+msDo8scfq08IG4rMM+kiNOnYpxaVyPIvspUF/ULinEQ5M
|
|
||||||
KrgRCZKI6573yZAdzA3KE6fXlzFJuxqcpk8Zimdm6c5+TEk30pzZ65Q+KLLrW7Gm
|
|
||||||
YK9gkkbdGWvtoRoE66RnPcBbPoFFM3h0mPhY/08iKHZKQL29bhDABx5qqUN0WDtg
|
|
||||||
uqz21PT/yXwxXglvHRMtq9w1dzjrPs/aEWQiO2ta+tspC+vUwVjnengmvcj7pP6B
|
|
||||||
4MQWDcw0ZULn5ns/Vzja6VO9V6hKYApCHs0o4lvBnXXtdIRNHmuROoVQsGPlBTKN
|
|
||||||
jPSfz3XU7lebayJwGpJFVwfHYTzxGu8IuK7k6WUvCA4j98HbRpJCuNEZeE4Jsvlc
|
|
||||||
CLhee1YTkUDtNb3GaV2F8a4pDyCxvxCBlhoTMdDDWLGibylpZKaqZyxuO+X7QTUM
|
|
||||||
TfiyQEZ6YFqQj+f1/BjzPDeXXXMOYA5tgHumjB726rtmK1HB7ZQ=
|
|
||||||
=5Ghp
|
|
||||||
-----END PGP SIGNATURE-----
|
|
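--- a/openssh-9.3p1.tar.gz
+++ b/openssh-9.3p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8
+size 1856839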
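--- a/openssh-9.3p1.tar.gz.asc
+++ b/openssh-9.3p1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
+YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
+iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
+OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
+EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
+ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
+ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
+CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
+jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
+f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
+NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
+k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
+=deVJ
+-----END PGP SIGNATURE-----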
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||||
|
|
||||||
|
- openssh-askpass-gnome: require only openssh-clients, not the full
|
||||||
|
openssh (including -server), to avoid pulling in excessive
|
||||||
|
dependencies when installing git on Gnome (boo#1211446)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
|
- Update to openssh 9.3p1
|
||||||
|
* No changes for askpass, see main package changelog for
|
||||||
|
details
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
%define _name openssh
|
%define _name openssh
|
||||||
Name: openssh-askpass-gnome
|
Name: openssh-askpass-gnome
|
||||||
Version: 8.9p1
|
Version: 9.3p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
License: BSD-2-Clause
|
License: BSD-2-Clause
|
||||||
@ -26,7 +26,7 @@ Group: Productivity/Networking/SSH
|
|||||||
URL: https://www.openssh.com/
|
URL: https://www.openssh.com/
|
||||||
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
||||||
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
||||||
Requires: %{_name} = %{version}
|
Requires: %{_name}-clients = %{version}
|
||||||
Supplements: packageand(openssh-clients:libgtk-3-0)
|
Supplements: packageand(openssh-clients:libgtk-3-0)
|
||||||
%if 0%{?suse_version} >= 1550
|
%if 0%{?suse_version} >= 1550
|
||||||
BuildRequires: gtk3-devel
|
BuildRequires: gtk3-devel
|
||||||
|
@ -31,7 +31,7 @@ Index: openssh-8.9p1/sshd_config.5
|
|||||||
--- openssh-8.9p1.orig/sshd_config.5
|
--- openssh-8.9p1.orig/sshd_config.5
|
||||||
+++ openssh-8.9p1/sshd_config.5
|
+++ openssh-8.9p1/sshd_config.5
|
||||||
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
|
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
|
||||||
sntrup761x25519-sha512@openssh.com,
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
diffie-hellman-group-exchange-sha256,
|
diffie-hellman-group-exchange-sha256,
|
||||||
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||||
-diffie-hellman-group14-sha256
|
-diffie-hellman-group14-sha256
|
||||||
|
@ -14,7 +14,7 @@ Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
|||||||
#endif
|
#endif
|
||||||
@@ -213,6 +216,9 @@ static const struct sock_filter preauth_
|
@@ -213,6 +216,9 @@ static const struct sock_filter preauth_
|
||||||
#ifdef __NR_futex_time64
|
#ifdef __NR_futex_time64
|
||||||
SC_ALLOW(__NR_futex_time64),
|
SC_FUTEX(__NR_futex_time64),
|
||||||
#endif
|
#endif
|
||||||
+#ifdef __NR_futex_time64
|
+#ifdef __NR_futex_time64
|
||||||
+ SC_ALLOW(__NR_futex_time64),
|
+ SC_ALLOW(__NR_futex_time64),
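Review bot: The patch's re-added `SC_ALLOW(__NR_futex_time64),` now sits directly after upstream's `SC_FUTEX(__NR_futex_time64),` for the same syscall number; the 9.3p1 notes in this commit's changelog say futex(2) was moved to an allowlist of flags, so if SC_FUTEX admits only specific flag values and lets other calls fall through to later rules, the blanket SC_ALLOW re-admits every futex_time64 operation in the pre-auth sandbox on architectures that define __NR_futex_time64 and undoes that hardening. The duplication already existed before the rebase, but it only became a policy conflict now that the preceding upstream rule is restrictive. Only the first two of the inner hunk's three added lines are visible here, so the rest of the block (its `#endif`) is outside this view and should be checked as well. Suggest dropping the re-added `#ifdef __NR_futex_time64` / `SC_ALLOW(__NR_futex_time64),` pair, or changing it to `SC_FUTEX(__NR_futex_time64),` if a rule is still needed, with a comment `/* futex flags are restricted upstream via SC_FUTEX; do not widen with SC_ALLOW */`.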
|
||||||
|
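--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,479 @@
+-------------------------------------------------------------------
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to openssh 9.3p1:
+= Security
+* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
+per-hop destination constraints (ssh-add -h ...) added in
+OpenSSH 8.9, a logic error prevented the constraints from being
+communicated to the agent. This resulted in the keys being added
+without constraints. The common cases of non-smartcard keys and
+keys without destination constraints are unaffected. This
+problem was reported by Luci Stanescu.
+
+* ssh(1): Portable OpenSSH provides an implementation of the
+getrrsetbyname(3) function if the standard library does not
+provide it, for use by the VerifyHostKeyDNS feature. A
+specifically crafted DNS response could cause this function to
+perform an out-of-bounds read of adjacent stack data, but this
+condition does not appear to be exploitable beyond denial-of-
+service to the ssh(1) client.
+The getrrsetbyname(3) replacement is only included if the
+system's standard library lacks this function and portable
+OpenSSH was not compiled with the ldns library (--with-ldns).
+getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
+fetch SSHFP records. This problem was found by the Coverity
+static analyzer.
+
+= New features
+* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
+when outputting SSHFP fingerprints to allow algorithm
+selection. bz3493
+* sshd(8): add a `sshd -G` option that parses and prints the
+effective configuration without attempting to load private keys
+and perform other checks. This allows usage of the option
+before keys have been generated and for configuration
+evaluation and verification by unprivileged users.
+
+= Bugfixes
+* scp(1), sftp(1): fix progressmeter corruption on wide displays;
+bz3534
+* ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing
+usability of private keys as some systems are starting to
+disable RSA/SHA1 in libcrypto.
+* sftp-server(8): fix a memory leak. GHPR363
+* ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
+compatibility code and simplify what's left.
+* Fix a number of low-impact Coverity static analysis findings.
+These include several reported via bz2687
+* ssh_config(5), sshd_config(5): mention that some options are
+not first-match-wins.
+* Rework logging for the regression tests. Regression tests will
+now capture separate logs for each ssh and sshd invocation in
+a test.
+* ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
+says it should; bz3532.
+* ssh(1): ensure that there is a terminating newline when adding
+a new entry to known_hosts; bz3529
+
+= Portability
+* sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
+mmap(2), madvise(2) and futex(2) flags, removing some
+concerning kernel attack surface.
+* sshd(8): improve Linux seccomp-bpf sandbox for older systems;
+bz3537
+
+- Update to openssh 9.2p1:
+= Security
+* sshd(8): fix a pre-authentication double-free memory fault
+introduced in OpenSSH 9.1. This is not believed to be
+exploitable, and it occurs in the unprivileged pre-auth process
+that is subject to chroot(2) and is further sandboxed on most
+major platforms.
+* ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
+option would ignore its first argument unless it was one of the
+special keywords "any" or "none", causing the permission list
+to fail open if only one permission was specified. bz3515
+* ssh(1): if the CanonicalizeHostname and
+CanonicalizePermittedCNAMEs options were enabled, and the
+system/libc resolver did not check that names in DNS responses
+were valid, then use of these options could allow an attacker
+with control of DNS to include invalid characters (possibly
+including wildcards) in names added to known_hosts files when
+they were updated. These names would still have to match the
+CanonicalizePermittedCNAMEs allow-list, so practical
+exploitation appears unlikely.
+
+= Potentially-incompatible changes
+* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option
+that controls whether the client-side ~C escape sequence that
+provides a command-line is available. Among other things, the
+~C command-line could be used to add additional port-forwards
+at runtime.
+This option defaults to "no", disabling the ~C command-line
+that was previously enabled by default. Turning off the
+command-line allows platforms that support sandboxing of the
+ssh(1) client (currently only OpenBSD) to use a stricter
+default sandbox policy.
+
+= New features
+* sshd(8): add support for channel inactivity timeouts via a new
+sshd_config(5) ChannelTimeout directive. This allows channels
+that have not seen traffic in a configurable interval to be
+automatically closed. Different timeouts may be applied to
+session, X11, agent and TCP forwarding channels.
+* sshd(8): add a sshd_config UnusedConnectionTimeout option to
+terminate client connections that have no open channels for a
+length of time. This complements the ChannelTimeout option
+above.
+* sshd(8): add a -V (version) option to sshd like the ssh client
+has.
+* ssh(1): add a "Host" line to the output of ssh -G showing the
+original hostname argument. bz3343
+* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
+allow control over some SFTP protocol parameters: the copy
+buffer length and the number of in-flight requests, both of
+which are used during upload/download. Previously these could
+be controlled in sftp(1) only. This makes them available in
+both SFTP protocol clients using the same option character
+sequence.
+* ssh-keyscan(1): allow scanning of complete CIDR address ranges,
+e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed,
+then it will be expanded to all possible addresses in the range
+including the all-0s and all-1s addresses. bz#976
+* ssh(1): support dynamic remote port forwarding in escape
+command-line's -R processing. bz#3499
+
+= Bugfixes
+* ssh(1): when restoring non-blocking mode to stdio fds, restore
+exactly the flags that ssh started with and don't just clobber
+them with zero, as this could also remove the append flag from
+the set. bz3523
+* ssh(1): avoid printf("%s", NULL) if using
+UserKnownHostsFile=none and a hostkey in one of the system
+known hosts file changes.
+* scp(1): switch scp from using pipes to a socket-pair for
+communication with its ssh sub-processes, matching how sftp(1)
+operates.
+* sshd(8): clear signal mask early in main(); sshd may have been
+started with one or more signals masked (sigprocmask(2) is not
+cleared on fork/exec) and this could interfere with various
+things, e.g. the login grace timer. Execution environments that
+fail to clear the signal mask before running sshd are clearly
+broken, but apparently they do exist.
+* ssh(1): warn if no host keys for hostbased auth can be loaded.
+* sshd(8): Add server debugging for hostbased auth that is queued
+and sent to the client after successful authentication, but
+also logged to assist in diagnosis of HostbasedAuthentication
+problems. bz3507
+* ssh(1): document use of the IdentityFile option as being usable
+to list public keys as well as private keys. GHPR352
+* sshd(8): check for and disallow MaxStartups values less than or
+equal to zero during config parsing, rather than failing later
+at runtime. bz3489
+* ssh-keygen(1): fix parsing of hex cert expiry times specified
+on the command-line when acting as a CA.
+* scp(1): when scp(1) is using the SFTP protocol for transport
+(the default), better match scp/rcp's handling of globs that
+don't match the globbed characters but do match literally (e.g.
+trying to transfer a file named "foo.[1]"). Previously scp(1)
+in SFTP mode would not match these pathnames but legacy scp/rcp
+mode would. bz3488
+* ssh-agent(1): document the "-O no-restrict-websafe"
+command-line option.
+* ssh(1): honour user's umask(2) if it is more restrictive then
+the ssh default (022).
+
+= Portability
+* sshd(8): allow writev(2) in the Linux seccomp sandbox. This
+seems to be used by recent glibcs at least in some
+configurations during error conditions. bz3512.
+* sshd(8): simply handling of SSH_CONNECTION PAM env var,
+removing global variable and checking the return value from
+pam_putenv. bz3508
+* sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was
+mistakenly enabled during the OpenSSH 9.1 release cycle.
+* misc: update autotools and regenerate the config files using
+the latest autotools
+* all: use -fzero-call-used-regs=used on clang 15 instead of
+-fzero-call-used-reg=all, as some versions of clang 15 have
+miscompile code when it was enabled. bz3475
+* sshd(8): defer PRNG seeding until after the initial
+closefrom(2) call. PRNG seeding will initialize OpenSSL, and
+some engine providers (e.g. Intel's QAT) will open descriptors
+for their own use that closefrom(2) could clobber. bz3483
+* misc: in the poll(2)/ppoll(2) compatibility code, avoid
+assuming the layout of fd_set.
+* sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older
+FreeBSD kernels. Some versions do not support using id 0 to
+refer to the current PID for procctl, so try again with
+getpid() explicitly before failing.
+* configure.ac: fix -Wstrict-prototypes in configure test code.
+Clang 16 now warns on this and legacy prototypes will be
+removed in C23. GHPR355
+* configure.ac: fix setres*id checks to work with clang-16. glibc
+has the prototypes for setresuid behind _GNU_SOURCE, and
+clang 16 will error out on implicit function definitions.
+bz3497
+
+- Update to openssh 9.1p1:
+= Security
+* ssh-keyscan(1): fix a one-byte overflow in SSH- banner
+processing.
+Reported by Qualys
+* ssh-keygen(1): double free() in error path of file hashing step
+in signing/verify code; GHPR333
+* ssh-keysign(8): double-free in error path introduced in
+openssh-8.9
+
+= Potentially-incompatible changes
+* The portable OpenSSH project now signs commits and release tags
+using git's recent SSH signature support. The list of developer
+signing keys is included in the repository as
+.git_allowed_signers and is cross-signed using the PGP key that
+is still used to sign release artifacts:
+https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
+* ssh(1), sshd(8): SetEnv directives in ssh_config and
+sshd_config are now first-match-wins to match other directives.
+Previously if an environment variable was multiply specified
+the last set value would have been used. bz3438
+* ssh-keygen(8): ssh-keygen -A (generate all default host key
+types) will no longer generate DSA keys, as these are insecure
+and have not been used by default for some years.
+
+= New features
+* ssh(1), sshd(8): add a RequiredRSASize directive to set a
+minimum RSA key length. Keys below this length will be ignored
+for user authentication and for host authentication in sshd(8).
+ssh(1) will terminate a connection if the server offers an RSA
+key that falls below this limit, as the SSH protocol does not
+include the ability to retry a failed key exchange.
+* sftp-server(8): add a "users-groups-by-id@openssh.com"
+extension request that allows the client to obtain user/group
+names that correspond to a set of uids/gids.
+* sftp(1): use "users-groups-by-id@openssh.com" sftp-server
+extension (when available) to fill in user/group names for
+directory listings.
+* sftp-server(8): support the "home-directory" extension request
+defined in draft-ietf-secsh-filexfer-extensions-00. This
+overlaps a bit with the existing "expand-path@openssh.com", but
+some other clients support it.
+* ssh-keygen(1), sshd(8): allow certificate validity intervals,
+sshsig verification times and authorized_keys expiry-time
+options to accept dates in the UTC time zone in addition to the
+default of interpreting them in the system time zone. YYYYMMDD
+and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if
+suffixed with a 'Z' character.
+Also allow certificate validity intervals to be specified in
+raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890.
+This is intended for use by regress tests and other tools that
+call ssh-keygen as part of a CA workflow. bz3468
+* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
+"/usr/libexec/sftp-server -el debug3"
+* ssh-keygen(1): allow the existing -U (use agent) flag to work
+with "-Y sign" operations, where it will be interpreted to
+require that the private keys is hosted in an agent; bz3429
+
+= Bugfixes
+* ssh-keygen(1): implement the "verify-required" certificate
+option.
+This was already documented when support for user-verified FIDO
+keys was added, but the ssh-keygen(1) code was missing.
+* ssh-agent(1): hook up the restrict_websafe command-line flag;
+previously the flag was accepted but never actually used.
+* sftp(1): improve filename tab completions: never try to
+complete names to non-existent commands, and better match the
+completion type (local or remote filename) against the argument
+position being completed.
+* ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
+handling, especially relating to keys that request
+user-verification. These should reduce the number of
+unnecessary PIN prompts for keys that support intrinsic user
+verification. GHPR302, GHPR329
+* ssh-keygen(1): when enrolling a FIDO resident key, check if a
+credential with matching application and user ID strings
+already exists and, if so, prompt the user for confirmation
+before overwriting the credential. GHPR329
+* sshd(8): improve logging of errors when opening authorized_keys
+files. bz2042
+* ssh(1): avoid multiplexing operations that could cause SIGPIPE
+from causing the client to exit early. bz3454
+* ssh_config(5), sshd_config(5): clarify that the RekeyLimit
+directive applies to both transmitted and received data.
+GHPR328
+* ssh-keygen(1): avoid double fclose() in error path.
+* sshd(8): log an error if pipe() fails while accepting a
+connection. bz3447
+* ssh(1), ssh-keygen(1): fix possible NULL deref when built
+without FIDO support. bz3443
+* ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
+GHPR294.
+* sshd(8): ensure that authentication passwords are cleared from
+memory in error paths. GHPR286
+* ssh(1), ssh-agent(1): avoid possibility of notifier code
+executing kill(-1). GHPR286
+* ssh_config(5): note that the ProxyJump directive also accepts
+the same tokens as ProxyCommand. GHPR305.
+* scp(1): do not not ftruncate(3) files early when in sftp mode.
+The previous behaviour of unconditionally truncating the
+destination file would cause "scp ~/foo localhost:foo" and the
+reverse "scp localhost:foo ~/foo" to delete all the contents of
+their destination. bz3431
+* ssh-keygen(1): improve error message when 'ssh-keygen -Y sign'
+is unable to load a private key; bz3429
+* sftp(1), scp(1): when performing operations that glob(3) a
+remote path, ensure that the implicit working directory used to
+construct that path escapes glob(3) characters. This prevents
+glob characters from being processed in places they shouldn't,
+e.g. "cd /tmp/a*/", "get *.txt" should have the get operation
+treat the path "/tmp/a*" literally and not attempt to expand
+it.
+* ssh(1), sshd(8): be stricter in which characters will be
+accepted in specifying a mask length; allow only 0-9. GHPR278
+* ssh-keygen(1): avoid printing hash algorithm twice when dumping
+a KRL
+* ssh(1), sshd(8): continue running local I/O for open channels
+during SSH transport rekeying. This should make ~-escapes work
+in the client (e.g. to exit) if the connection happened to have
+stalled during a rekey event.
+* ssh(1), sshd(8): avoid potential poll() spin during rekeying
+* Further hardening for sshbuf internals: disallow "reparenting"
+a hierarchical sshbuf and zero the entire buffer if
+reallocation fails. GHPR287
+
+= Portability
+* ssh(1), ssh-keygen(1), sshd(8): automatically enable the
+built-in FIDO security key support if libfido2 is found and
+usable, unless --without-security-key-builtin was requested.
+* ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
+FIDO device usable on Cygwin. The windows://hello FIDO device
+will be automatically used by default on this platform unless
+requested otherwise, or when probing resident FIDO credentials
+(an operation not currently supported by WinHello).
+* Portable OpenSSH: remove workarounds for obsolete and
+unsupported versions of OpenSSL libcrypto. In particular, this
+release removes fallback support for OpenSSL that lacks AES-CTR
+or AES-GCM. Those AES cipher modes were added to OpenSSL prior
+to the minimum version currently supported by OpenSSH, so this
+is not expected to impact any currently supported
+configurations.
+* sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current
+Linux/glibc
+* All: resync and clean up internal CSPRNG code.
+* scp(1), sftp(1), sftp-server(8): avoid linking these programs
+with unnecessary libraries. They are no longer linked against
+libz and libcrypto. This may be of benefit to space constrained
+systems using any of those components in isolation.
+* sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
+architectures.
+* configure: remove special casing of crypt(). configure will no
+longer search for crypt() in libcrypto, as it was removed from
+there years ago. configure will now only search libc and
+libcrypt.
+* configure: refuse to use OpenSSL 3.0.4 due to potential RCE in
+its RSA implementation (CVE-2022-2274) on x86_64.
+* All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR322
+* ssh(1), ssh-keygen(1), sshd(8): fix a number of missing
+includes required by the XMSS code on some platforms.
+* sshd(8): cache timezone data in capsicum sandbox.
+
+- Update to openssh 9.0p1:
+= Potentially-incompatible changes
+* This release switches scp(1) from using the legacy scp/rcp
+protocol to using the SFTP protocol by default.
+Legacy scp/rcp performs wildcard expansion of remote filenames
+(e.g. "scp host:* .") through the remote shell. This has the
+side effect of requiring double quoting of shell
+meta-characters in file names included on scp(1) command-lines,
+otherwise they could be interpreted as shell commands on the
+remote side.
+This creates one area of potential incompatibility: scp(1) when
+using the SFTP protocol no longer requires this finicky and
+brittle quoting, and attempts to use it may cause transfers to
+fail. We consider the removal of the need for double-quoting
+shell characters in file names to be a benefit and do not
+intend to introduce bug-compatibility for legacy scp/rcp in
+scp(1) when using the SFTP protocol.
+Another area of potential incompatibility relates to the use of
+remote paths relative to other user's home directories, for
+example - "scp host:~user/file /tmp". The SFTP protocol has no
+native way to expand a ~user path. However, sftp-server(8) in
+OpenSSH 8.7 and later support a protocol extension
+"expand-path@openssh.com" to support this.
+In case of incompatibility, the scp(1) client may be instructed
+to use the legacy scp/rcp using the -O flag.
+
+= New features
+* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519
+key exchange method by default
+("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is
+believed to resist attacks enabled by future quantum computers
+and is paired with the X25519 ECDH key exchange (the previous
+default) as a backstop against any weaknesses in NTRU Prime
+that may be discovered in the future. The combination ensures
+that the hybrid exchange offers at least as good security as
+the status quo.
+We are making this change now (i.e. ahead of cryptographically-
+relevant quantum computers) to prevent "capture now, decrypt
+later" attacks where an adversary who can record and store SSH
+session ciphertext would be able to decrypt it once a
+sufficiently advanced quantum computer is available.
+* sftp-server(8): support the "copy-data" extension to allow
+server-side copying of files/data, following the design in
+draft-ietf-secsh-filexfer-extensions-00. bz2948
+* sftp(1): add a "cp" command to allow the sftp client to perform
+server-side file copies.
+
+= Bugfixes
+* ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's
+output fd closes without data in the channel buffer. bz3405 and
+bz3411
+* sshd(8): pack pollfd array in server listen/accept loop. Could
+cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
+* ssh-keygen(1): avoid NULL deref via the find-principals and
+check-novalidate operations. bz3409 and GHPR307 respectively.
+* scp(1): fix a memory leak in argument processing. bz3404
+* sshd(8): don't try to resolve ListenAddress directives in the
+sshd re-exec path. They are unused after re-exec and parsing
+errors (possible for example if the host's network
+configuration changed) could prevent connections from being
+accepted.
+* sshd(8): when refusing a public key authentication request from
+a client for using an unapproved or unsupported signature
+algorithm include the algorithm name in the log message to make
+debugging easier.
+
+= Portability
+* sshd(8): refactor platform-specific locked account check,
+fixing an incorrect free() on platforms with both libiaf and
+shadow passwords (probably only Unixware) GHPR284,
+* ssh(1), sshd(8): Fix possible integer underflow in
+scan_scaled(3) parsing of K/M/G/etc quantities. bz#3401.
+* sshd(8): provide killpg implementation (mostly for Tandem
+NonStop) GHPR301.
+* Check for missing ftruncate prototype. GHPR301
+* sshd(8): default to not using sandbox when cross compiling. On
+most systems poll(2) does not work when the number of FDs is
+reduced with setrlimit, so assume it doesn't when cross
+compiling and we can't run the test. bz#3398.
+* sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix
+sandbox violations on some (at least i386 and armhf) 32bit
+Linux platforms. bz#3396.
+* Improve detection of -fzero-call-used-regs=all support in
+configure script.
+
+- Add patch that explicitly adds -lz in Makefile.in to some
+binaries which need it:
+* fix-missing-lz.patch
+- Rebase patches:
+* openssh-7.7p1-fips.patch
+* openssh-7.7p1-fips_checks.patch
+* openssh-7.7p1-ldap.patch
+* openssh-7.7p1-pam_check_locks.patch
+* openssh-7.7p1-seccomp_ipc_flock.patch
+* openssh-7.7p1-sftp_print_diagnostic_messages.patch
+* openssh-7.7p1-systemd-notify.patch
+* openssh-8.0p1-gssapi-keyex.patch
+* openssh-8.1p1-audit.patch
+* openssh-8.1p1-ed25519-use-openssl-rng.patch
+* openssh-8.4p1-vendordir.patch
+* openssh-reenable-dh-group14-sha1-default.patch
+* openssh-whitelist-syscalls.patch
+* wtmpdb.patch
+- Fix setting libexec dir in the LDAP patch.
+- Fix build in Leap 15.x which doesn't use %{_distconfdir}
+
+-------------------------------------------------------------------
+Fri May 5 15:18:20 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Add _multibuild to define 2nd spec file as additional flavor.
+Eliminates the need for source package links in OBS.
+
+-------------------------------------------------------------------
+Mon Apr 17 13:14:49 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
+
+- wtmpdb.patch: add support for wtmpdb to sshd [jsc#PED-3144]
+
 -------------------------------------------------------------------
 Mon Mar 27 08:39:38 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 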
58
openssh.spec
58
openssh.spec
@ -24,13 +24,20 @@
|
|||||||
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
||||||
%define CHECKSUM_SUFFIX .hmac
|
%define CHECKSUM_SUFFIX .hmac
|
||||||
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||||
|
%bcond_without ldap
|
||||||
|
|
||||||
|
%if 0%{?suse_version} >= 1550
|
||||||
|
%bcond_without wtmpdb
|
||||||
|
%else
|
||||||
|
%bcond_with wtmpdb
|
||||||
|
%endif
|
||||||
|
|
||||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||||
%if ! %{defined _fillupdir}
|
%if ! %{defined _fillupdir}
|
||||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||||
%endif
|
%endif
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: 8.9p1
|
Version: 9.3p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
License: BSD-2-Clause AND MIT
|
License: BSD-2-Clause AND MIT
|
||||||
@ -107,17 +114,21 @@ Patch47: openssh-8.4p1-vendordir.patch
|
|||||||
Patch48: openssh-8.4p1-pam_motd.patch
|
Patch48: openssh-8.4p1-pam_motd.patch
|
||||||
Patch49: openssh-do-not-send-empty-message.patch
|
Patch49: openssh-do-not-send-empty-message.patch
|
||||||
Patch50: openssh-openssl-3.patch
|
Patch50: openssh-openssl-3.patch
|
||||||
|
Patch51: wtmpdb.patch
|
||||||
|
Patch100: fix-missing-lz.patch
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: groff
|
BuildRequires: groff
|
||||||
BuildRequires: libedit-devel
|
BuildRequires: libedit-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
|
%if %{with ldap}
|
||||||
BuildRequires: openldap2-devel
|
BuildRequires: openldap2-devel
|
||||||
|
%endif
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: pkgconfig(libfido2)
|
BuildRequires: pkgconfig(libfido2) >= 1.2.0
|
||||||
BuildRequires: pkgconfig(libsystemd)
|
BuildRequires: pkgconfig(libsystemd)
|
||||||
BuildRequires: sysuser-shadow
|
BuildRequires: sysuser-shadow
|
||||||
BuildRequires: sysuser-tools
|
BuildRequires: sysuser-tools
|
||||||
@ -128,6 +139,9 @@ BuildRequires: pkgconfig(krb5)
|
|||||||
%else
|
%else
|
||||||
BuildRequires: krb5-mini-devel
|
BuildRequires: krb5-mini-devel
|
||||||
%endif
|
%endif
|
||||||
|
%if %{with wtmpdb}
|
||||||
|
BuildRequires: pkgconfig(libwtmpdb)
|
||||||
|
%endif
|
||||||
Requires(pre): findutils
|
Requires(pre): findutils
|
||||||
Requires(pre): grep
|
Requires(pre): grep
|
||||||
|
|
||||||
@ -215,6 +229,7 @@ also be forwarded over the secure channel.
|
|||||||
This package contains clients for making secure connections to Secure
|
This package contains clients for making secure connections to Secure
|
||||||
Shell servers.
|
Shell servers.
|
||||||
|
|
||||||
|
%if %{with ldap}
|
||||||
%package helpers
|
%package helpers
|
||||||
Summary: OpenSSH AuthorizedKeysCommand helpers
|
Summary: OpenSSH AuthorizedKeysCommand helpers
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
@ -231,6 +246,7 @@ also be forwarded over the secure channel.
|
|||||||
|
|
||||||
This package contains helper applications for OpenSSH which retrieve
|
This package contains helper applications for OpenSSH which retrieve
|
||||||
keys from various sources.
|
keys from various sources.
|
||||||
|
%endif
|
||||||
|
|
||||||
%package fips
|
%package fips
|
||||||
Summary: OpenSSH FIPS crypto module HMACs
|
Summary: OpenSSH FIPS crypto module HMACs
|
||||||
@ -262,7 +278,7 @@ cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
|||||||
# set libexec dir in the LDAP patch
|
# set libexec dir in the LDAP patch
|
||||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||||
$( grep -Rl @LIBEXECDIR@ \
|
$( grep -Rl @LIBEXECDIR@ \
|
||||||
$( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
$( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||||
)
|
)
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -294,9 +310,14 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
%endif
|
%endif
|
||||||
--disable-strip \
|
--disable-strip \
|
||||||
--with-audit=linux \
|
--with-audit=linux \
|
||||||
|
%if %{with ldap}
|
||||||
--with-ldap \
|
--with-ldap \
|
||||||
|
%endif
|
||||||
--with-xauth=%{_bindir}/xauth \
|
--with-xauth=%{_bindir}/xauth \
|
||||||
--with-libedit \
|
--with-libedit \
|
||||||
|
%if %{with wtmpdb}
|
||||||
|
--with-wtmpdb \
|
||||||
|
%endif
|
||||||
--with-security-key-builtin \
|
--with-security-key-builtin \
|
||||||
--target=%{_target_cpu}-suse-linux
|
--target=%{_target_cpu}-suse-linux
|
||||||
|
|
||||||
@ -327,12 +348,16 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
|||||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||||
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
||||||
|
|
||||||
|
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||||
|
|
||||||
# Move /etc to /usr/etc/ssh
|
# Move /etc to /usr/etc/ssh
|
||||||
|
%if %{defined _distconfdir}
|
||||||
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
|
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
|
||||||
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
|
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
|
||||||
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
|
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
|
||||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
|
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
|
||||||
echo "PermitRootLogin yes" > %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||||
|
%endif
|
||||||
|
|
||||||
%if 0%{?suse_version} < 1550
|
%if 0%{?suse_version} < 1550
|
||||||
# install firewall definitions
|
# install firewall definitions
|
||||||
@ -426,9 +451,15 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
|||||||
%license LICENCE
|
%license LICENCE
|
||||||
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
|
%if %{defined _distconfdir}
|
||||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
||||||
%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d
|
|
||||||
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
|
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
|
||||||
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
|
||||||
|
%else
|
||||||
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
|
%attr(0600,root,root) %{_sysconfdir}/ssh/moduli
|
||||||
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
|
||||||
|
%endif
|
||||||
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
|
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||||
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
|
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-keygen*
|
%attr(0755,root,root) %{_bindir}/ssh-keygen*
|
||||||
@ -439,12 +470,13 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
|||||||
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
|
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
|
||||||
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
|
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
|
||||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
|
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
|
||||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
|
||||||
%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d
|
|
||||||
%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
|
|
||||||
%if %{defined _distconfdir}
|
%if %{defined _distconfdir}
|
||||||
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
||||||
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
|
||||||
|
%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
|
||||||
%attr(0644,root,root) %{_pam_vendordir}/sshd
|
%attr(0644,root,root) %{_pam_vendordir}/sshd
|
||||||
%else
|
%else
|
||||||
|
%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
||||||
%endif
|
%endif
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||||
@ -463,11 +495,19 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files server-config-rootlogin
|
%files server-config-rootlogin
|
||||||
|
%if %{defined _distconfdir}
|
||||||
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||||
|
%else
|
||||||
|
%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||||
|
%endif
|
||||||
|
|
||||||
%files clients
|
%files clients
|
||||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
||||||
|
%if %{defined _distconfdir}
|
||||||
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
||||||
|
%else
|
||||||
|
%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config
|
||||||
|
%endif
|
||||||
%attr(0755,root,root) %{_bindir}/ssh
|
%attr(0755,root,root) %{_bindir}/ssh
|
||||||
%attr(0755,root,root) %{_bindir}/scp*
|
%attr(0755,root,root) %{_bindir}/scp*
|
||||||
%attr(0755,root,root) %{_bindir}/sftp*
|
%attr(0755,root,root) %{_bindir}/sftp*
|
||||||
@ -492,6 +532,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
|||||||
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
||||||
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
|
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||||
|
|
||||||
|
%if %{with ldap}
|
||||||
%files helpers
|
%files helpers
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||||
@ -500,6 +541,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
|||||||
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
|
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
|
||||||
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
|
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
|
||||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||||
|
%endif
|
||||||
|
|
||||||
%files fips
|
%files fips
|
||||||
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
||||||
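Review bot: The `%else` branch added in the `%files` hunk at `@ -426,9 +451,15 @@` lists `%attr(0755,root,root) %dir %{_sysconfdir}/ssh` a second time, since the identical entry already appears unconditionally a few lines above it (just after the `%doc` line), so on builds without `_distconfdir` — the Leap 15.x case this hunk is meant to fix — that directory is listed twice and rpmbuild/rpmlint will flag it. Dropping that single line from the `%else` branch is enough; the `moduli` and `ssh_config.d` entries in the same branch have no unconditional counterpart and should stay. The later hunk at `@ -439,12 +470,13 @@` does not have this problem, as its `%dir %{_distconfdir}/ssh` entry only exists inside the `%if`.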
|
185
wtmpdb.patch
Normal file
185
wtmpdb.patch
Normal file
@ -0,0 +1,185 @@
|
|||||||
|
diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
|
||||||
|
--- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100
|
||||||
|
+++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200
|
||||||
|
@@ -1703,6 +1703,49 @@
|
||||||
|
fi ]
|
||||||
|
)
|
||||||
|
|
||||||
|
+# Check whether user wants wtmpdb support
|
||||||
|
+WTMPDB_MSG="no"
|
||||||
|
+AC_ARG_WITH([wtmpdb],
|
||||||
|
+ [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd],
|
||||||
|
+ [ if test "x$withval" != "xno" ; then
|
||||||
|
+ if test "x$withval" = "xyes" ; then
|
||||||
|
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||||
|
+ if test "x$PKGCONFIG" != "xno"; then
|
||||||
|
+ AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb])
|
||||||
|
+ if "$PKGCONFIG" libwtmpdb; then
|
||||||
|
+ AC_MSG_RESULT([yes])
|
||||||
|
+ use_pkgconfig_for_libwtmpdb=yes
|
||||||
|
+ else
|
||||||
|
+ AC_MSG_RESULT([no])
|
||||||
|
+ fi
|
||||||
|
+ fi
|
||||||
|
+ else
|
||||||
|
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
||||||
|
+ if test -n "${rpath_opt}"; then
|
||||||
|
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
|
||||||
|
+ else
|
||||||
|
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||||
|
+ fi
|
||||||
|
+ fi
|
||||||
|
+ if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
|
||||||
|
+ LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
|
||||||
|
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
|
||||||
|
+ else
|
||||||
|
+ LIBWTMPDB="-lwtmpdb"
|
||||||
|
+ fi
|
||||||
|
+ OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
|
||||||
|
+ AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
|
||||||
|
+ [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
|
||||||
|
+ WTMPDB_MSG="yes"
|
||||||
|
+ AC_SUBST([LIBWTMPDB])
|
||||||
|
+ ],
|
||||||
|
+ [ AC_MSG_ERROR([libwtmpdb not found]) ],
|
||||||
|
+ [ $OTHERLIBS ]
|
||||||
|
+ )
|
||||||
|
+ fi ]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
AUDIT_MODULE=none
|
||||||
|
AC_ARG_WITH([audit],
|
||||||
|
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
|
||||||
|
diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
|
||||||
|
--- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100
|
||||||
|
+++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200
|
||||||
|
@@ -187,6 +187,10 @@
|
||||||
|
# include <util.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifdef USE_WTMPDB
|
||||||
|
+# include <wtmpdb.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
** prototypes for helper functions in this file
|
||||||
|
**/
|
||||||
|
@@ -207,6 +211,9 @@
|
||||||
|
int wtmpx_write_entry(struct logininfo *li);
|
||||||
|
int lastlog_write_entry(struct logininfo *li);
|
||||||
|
int syslogin_write_entry(struct logininfo *li);
|
||||||
|
+#ifdef USE_WTMPDB
|
||||||
|
+int wtmpdb_write_entry(struct logininfo *li);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
int getlast_entry(struct logininfo *li);
|
||||||
|
int lastlog_get_entry(struct logininfo *li);
|
||||||
|
@@ -467,6 +474,9 @@
|
||||||
|
#ifdef USE_WTMPX
|
||||||
|
wtmpx_write_entry(li);
|
||||||
|
#endif
|
||||||
|
+#ifdef USE_WTMPDB
|
||||||
|
+ wtmpdb_write_entry(li);
|
||||||
|
+#endif
|
||||||
|
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
|
||||||
|
if (li->type == LTYPE_LOGIN &&
|
||||||
|
!sys_auth_record_login(li->username,li->hostname,li->line,
|
||||||
|
@@ -1409,6 +1419,64 @@
|
||||||
|
}
|
||||||
|
#endif /* USE_WTMPX */
|
||||||
|
|
||||||
|
+#ifdef USE_WTMPDB
|
||||||
|
+static int
|
||||||
|
+wtmpdb_perform_login(struct logininfo *li)
|
||||||
|
+{
|
||||||
|
+ uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
|
||||||
|
+ const char *tty;
|
||||||
|
+
|
||||||
|
+ if (strncmp(li->line, "/dev/", 5) == 0)
|
||||||
|
+ tty = &(li->line[5]);
|
||||||
|
+ else
|
||||||
|
+ tty = li->line;
|
||||||
|
+
|
||||||
|
+ li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
|
||||||
|
+ login_time, tty, li->hostname, 0, 0);
|
||||||
|
+ if (li->wtmpdb_id < 0)
|
||||||
|
+ return (0);
|
||||||
|
+
|
||||||
|
+ return (1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+wtmpdb_perform_logout(struct logininfo *li)
|
||||||
|
+{
|
||||||
|
+ uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
|
||||||
|
+
|
||||||
|
+ if (li->wtmpdb_id == 0) {
|
||||||
|
+ const char *tty;
|
||||||
|
+
|
||||||
|
+ if (strncmp(li->line, "/dev/", 5) == 0)
|
||||||
|
+ tty = &(li->line[5]);
|
||||||
|
+ else
|
||||||
|
+ tty = li->line;
|
||||||
|
+
|
||||||
|
+ li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
|
||||||
|
+ }
|
||||||
|
+ wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
|
||||||
|
+
|
||||||
|
+ return (1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+wtmpdb_write_entry(struct logininfo *li)
|
||||||
|
+{
|
||||||
|
+ switch(li->type) {
|
||||||
|
+ case LTYPE_LOGIN:
|
||||||
|
+ return (wtmpdb_perform_login(li));
|
||||||
|
+ case LTYPE_LOGOUT:
|
||||||
|
+ return (wtmpdb_perform_logout(li));
|
||||||
|
+ default:
|
||||||
|
+ logit("%s: invalid type field", __func__);
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
** Low-level libutil login() functions
|
||||||
|
**/
|
||||||
|
diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
|
||||||
|
--- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100
|
||||||
|
+++ openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200
|
||||||
|
@@ -79,6 +79,9 @@
|
||||||
|
unsigned int tv_sec;
|
||||||
|
unsigned int tv_usec;
|
||||||
|
union login_netinfo hostaddr; /* caller's host address(es) */
|
||||||
|
+#ifdef USE_WTMPDB
|
||||||
|
+ int64_t wtmpdb_id; /* ID for wtmpdb_logout */
|
||||||
|
+#endif
|
||||||
|
}; /* struct logininfo */
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
|
||||||
|
--- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100
|
||||||
|
+++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200
|
||||||
|
@@ -55,6 +55,7 @@
|
||||||
|
SSHDLIBS=@SSHDLIBS@
|
||||||
|
LIBEDIT=@LIBEDIT@
|
||||||
|
LIBFIDO2=@LIBFIDO2@
|
||||||
|
+LIBWTMPDB=@LIBWTMPDB@
|
||||||
|
AR=@AR@
|
||||||
|
AWK=@AWK@
|
||||||
|
RANLIB=@RANLIB@
|
||||||
|
@@ -212,7 +213,7 @@
|
||||||
|
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||||
|
|
||||||
|
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||||
|
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
|
||||||
|
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||||
|
|
||||||
|
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||||
|
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
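Review bot: In `wtmpdb_perform_logout` (loginrec.c hunk `@@ -1409,6 +1419,64 @@`) a failed id lookup still reaches `wtmpdb_logout`: `wtmpdb_perform_login` stores the negative result of a failed `wtmpdb_login` in `li->wtmpdb_id`, but the logout path only re-resolves the id when it is exactly 0, and the value it gets from `wtmpdb_get_id` — presumably also negative on failure — is passed to `wtmpdb_logout` without a check, and that call's own return value is discarded. Mirror the login function by adding `if (li->wtmpdb_id < 0) return (0);` after the `if (li->wtmpdb_id == 0) { ... }` block and by returning based on the `wtmpdb_logout` result instead of an unconditional `return (1);`. The `/dev/` prefix stripping is duplicated verbatim in both functions and would read better as one small `static` helper. Whether `wtmpdb_get_id` and `wtmpdb_logout` signal errors with negative values is inferred from the login path and should be confirmed against the libwtmpdb header.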