Dominique Leuenberger 2023-06-06 17:54:55 +00:00 committed by Git OBS Bridge
commit af4711fbad
24 changed files with 929 additions and 150 deletions

3
_multibuild Normal file
View File

@ -0,0 +1,3 @@
<multibuild>
<package>openssh-askpass-gnome</package>
</multibuild>

25
fix-missing-lz.patch Normal file
View File

@ -0,0 +1,25 @@
Index: openssh-9.3p1/Makefile.in
===================================================================
--- openssh-9.3p1.orig/Makefile.in
+++ openssh-9.3p1/Makefile.in
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
# FIPS tests
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

View File

@ -16,28 +16,28 @@ Index: openssh-8.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o $(SKOBJS) sshconnect.o sshconnect2.o mux.o $(SKOBJS)
Index: openssh-8.8p1/cipher-ctr.c #Index: openssh-8.8p1/cipher-ctr.c
=================================================================== #===================================================================
--- openssh-8.8p1.orig/cipher-ctr.c #--- openssh-8.8p1.orig/cipher-ctr.c
+++ openssh-8.8p1/cipher-ctr.c #+++ openssh-8.8p1/cipher-ctr.c
@@ -27,6 +27,8 @@ #@@ -27,6 +27,8 @@
#include "xmalloc.h" # #include "xmalloc.h"
#include "log.h" # #include "log.h"
#
+#include "fips.h" #+#include "fips.h"
+ #+
/* compatibility with old or broken OpenSSL versions */ # /* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h" # #include "openbsd-compat/openssl-compat.h"
#
@@ -139,6 +141,8 @@ evp_aes_128_ctr(void) #@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
#ifndef SSH_OLD_EVP # #ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | # aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; # EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ if (fips_mode()) #+ if (fips_mode())
+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS; #+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
#endif # #endif
return (&aes_ctr); # return (&aes_ctr);
} # }
Index: openssh-8.8p1/cipher.c Index: openssh-8.8p1/cipher.c
=================================================================== ===================================================================
--- openssh-8.8p1.orig/cipher.c --- openssh-8.8p1.orig/cipher.c
@ -416,8 +416,8 @@ Index: openssh-8.8p1/kex.c
--- openssh-8.8p1.orig/kex.c --- openssh-8.8p1.orig/kex.c
+++ openssh-8.8p1/kex.c +++ openssh-8.8p1/kex.c
@@ -62,6 +62,8 @@ @@ -62,6 +62,8 @@
#include "sshbuf.h"
#include "digest.h" #include "digest.h"
#include "xmalloc.h"
+#include "fips.h" +#include "fips.h"
+ +
@ -743,7 +743,8 @@ Index: openssh-8.8p1/ssh-keygen.c
+ struct Key_types key_types_all[] = { + struct Key_types key_types_all[] = {
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, #ifdef OPENSSL_HAS_ECC
# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL } { NULL, NULL, NULL }
}; };

View File

@ -459,8 +459,8 @@ Index: openssh-8.8p1/sshd.c
--- openssh-8.8p1.orig/sshd.c --- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c +++ openssh-8.8p1/sshd.c
@@ -1547,6 +1547,10 @@ main(int ac, char **av) @@ -1547,6 +1547,10 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL; struct connection_info *connection_info = NULL;
sigset_t sigmask;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a + /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */ + * OpenBSD-only thing (as of OpenSSH 7.6p1) */

View File

@ -148,7 +148,7 @@ Index: openssh-8.9p1/Makefile.in
sshkey-xmss.o \ sshkey-xmss.o \
@@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve @@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS) SFTP_OBJS= sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
@ -159,7 +159,7 @@ Index: openssh-8.9p1/Makefile.in
CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib @@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

View File

@ -10,23 +10,23 @@ Index: openssh-8.8p1/auth.c
--- openssh-8.8p1.orig/auth.c --- openssh-8.8p1.orig/auth.c
+++ openssh-8.8p1/auth.c +++ openssh-8.8p1/auth.c
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas @@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
if (!pw || !pw->pw_name)
return 0; return 0;
#ifdef USE_SHADOW - if (!options.use_pam && platform_locked_account(pw)) {
- if (!options.use_pam) + if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) {
+ if (!options.use_pam || options.use_pam_check_locks) logit("User %.100s not allowed because account is locked",
spw = getspnam(pw->pw_name); pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE return 0;
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) #@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas # #endif
#endif #
# /* check for locked account */
/* check for locked account */ #- if (!options.use_pam && passwd && *passwd) {
- if (!options.use_pam && passwd && *passwd) { #+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) { # int locked = 0;
int locked = 0; #
# #ifdef LOCKED_PASSWD_STRING
#ifdef LOCKED_PASSWD_STRING
Index: openssh-8.8p1/servconf.c Index: openssh-8.8p1/servconf.c
=================================================================== ===================================================================
--- openssh-8.8p1.orig/servconf.c --- openssh-8.8p1.orig/servconf.c

View File

@ -37,5 +37,5 @@ Index: openssh-8.8p1/sandbox-seccomp-filter.c
+ SC_ALLOW(__NR_ipc), + SC_ALLOW(__NR_ipc),
+#endif +#endif
#ifdef __NR_madvise #ifdef __NR_madvise
SC_ALLOW(__NR_madvise), SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
#endif # ifdef MADV_FREE

View File

@ -34,8 +34,8 @@ Index: openssh-8.8p1/sftp.c
infile = stdin; infile = stdin;
while ((ch = getopt(argc, argv, while ((ch = getopt(argc, argv,
- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { - "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { + "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
switch (ch) { switch (ch) {
/* Passed through to ssh(1) */ /* Passed through to ssh(1) */
case 'A': case 'A':

View File

@ -8,8 +8,9 @@ Index: openssh-8.8p1/configure.ac
--- openssh-8.8p1.orig/configure.ac --- openssh-8.8p1.orig/configure.ac
+++ openssh-8.8p1/configure.ac +++ openssh-8.8p1/configure.ac
@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5], @@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([GSSLIBS]) # AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS]) AC_SUBST([K5LIBS])
AC_SUBST([CHANNELLIBS])
+# Check whether user wants systemd support +# Check whether user wants systemd support
+SYSTEMD_MSG="no" +SYSTEMD_MSG="no"

View File

@ -12,7 +12,8 @@ Index: openssh-8.9p1/Makefile.in
@@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \ # auth2-none.o auth2-passwd.o auth2-pubkey.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
monitor.o monitor_wrap.o auth-krb5.o \ monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
@ -379,22 +380,38 @@ Index: openssh-8.9p1/clientloop.c
/* import options */ /* import options */
extern Options options; extern Options options;
@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt #@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
break; ## Replaced with the section below
# break;
/* Do channel operations unless rekeying in progress. */ #
- if (!ssh_packet_is_rekeying(ssh)) # /* Do channel operations unless rekeying in progress. */
+ if (!ssh_packet_is_rekeying(ssh)) { #- if (!ssh_packet_is_rekeying(ssh))
channel_after_poll(ssh, pfd, npfd_active); #+ if (!ssh_packet_is_rekeying(ssh)) {
# channel_after_poll(ssh, pfd, npfd_active);
#
#+#ifdef GSSAPI
#+ if (options.gss_renewal_rekey &&
#+ ssh_gssapi_credentials_updated(NULL)) {
#+ debug("credentials updated - forcing rekey");
#+ need_rekeying = 1;
#+ }
#+#endif
#+ }
#+
# /* Buffer input from the connection. */
# if (conn_in_ready)
# client_process_net_input(ssh);
@@ -1349,6 +1353,14 @@ client_loop(struct ssh *ssh, int have_pt
/* Do channel operations. */
channel_after_poll(ssh, pfd, npfd_active);
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_renewal_rekey && + if (options.gss_renewal_rekey &&
+ ssh_gssapi_credentials_updated(NULL)) { + ssh_gssapi_credentials_updated(NULL)) {
+ debug("credentials updated - forcing rekey"); + debug("credentials updated - forcing rekey");
+ need_rekeying = 1; + need_rekeying = 1;
+ }
+#endif
+ } + }
+#endif
+ +
/* Buffer input from the connection. */ /* Buffer input from the connection. */
if (conn_in_ready) if (conn_in_ready)
@ -1257,15 +1274,9 @@ Index: openssh-8.9p1/kex.c
=================================================================== ===================================================================
--- openssh-8.9p1.orig/kex.c --- openssh-8.9p1.orig/kex.c
+++ openssh-8.9p1/kex.c +++ openssh-8.9p1/kex.c
@@ -57,11 +57,16 @@ @@ -57,6 +57,10 @@
#include "misc.h"
#include "dispatch.h"
#include "monitor.h"
+#include "xmalloc.h"
#include "ssherr.h"
#include "sshbuf.h"
#include "digest.h" #include "digest.h"
#include "xmalloc.h"
+#ifdef GSSAPI +#ifdef GSSAPI
+#include "ssh-gss.h" +#include "ssh-gss.h"
@ -1274,7 +1285,7 @@ Index: openssh-8.9p1/kex.c
#include "fips.h" #include "fips.h"
/* prototype */ /* prototype */
@@ -119,6 +124,19 @@ static const struct kexalg kexalgs_all[] @@ -119,6 +123,19 @@ static const struct kexalg kexalgs_all[]
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, 0, -1, -1}, { NULL, 0, -1, -1},
}; };
@ -1294,7 +1305,7 @@ Index: openssh-8.9p1/kex.c
static const struct kexalg kexalgs_fips140_2[] = { static const struct kexalg kexalgs_fips140_2[] = {
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@@ -146,12 +164,12 @@ static const struct kexalg kexalgs_fips1 @@ -146,12 +163,12 @@ static const struct kexalg kexalgs_fips1
/* Returns array of macs available depending on selected FIPS mode */ /* Returns array of macs available depending on selected FIPS mode */
static const struct kexalg * static const struct kexalg *
@ -1309,7 +1320,7 @@ Index: openssh-8.9p1/kex.c
case 1: case 1:
return kexalgs_fips140_2; return kexalgs_fips140_2;
default: default:
@@ -162,13 +180,13 @@ fips_select_kexalgs(void) @@ -162,13 +179,13 @@ fips_select_kexalgs(void)
} }
char * char *
@ -1325,7 +1336,7 @@ Index: openssh-8.9p1/kex.c
if (ret != NULL) if (ret != NULL)
ret[rlen++] = sep; ret[rlen++] = sep;
nlen = strlen(k->name); nlen = strlen(k->name);
@@ -183,15 +201,31 @@ kex_alg_list(char sep) @@ -183,15 +200,31 @@ kex_alg_list(char sep)
return ret; return ret;
} }
@ -1358,7 +1369,7 @@ Index: openssh-8.9p1/kex.c
return NULL; return NULL;
} }
@@ -363,6 +397,29 @@ kex_assemble_names(char **listp, const c @@ -363,6 +396,29 @@ kex_assemble_names(char **listp, const c
return r; return r;
} }
@ -1385,10 +1396,10 @@ Index: openssh-8.9p1/kex.c
+ return 1; + return 1;
+} +}
+ +
/* put algorithm proposal into buffer */ /*
int * Fill out a proposal array with dynamically allocated values, which may
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) * be modified as required for compatibility reasons.
@@ -765,6 +822,9 @@ kex_free(struct kex *kex) @@ -765,6 +821,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->session_id); sshbuf_free(kex->session_id);
sshbuf_free(kex->initial_sig); sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey); sshkey_free(kex->initial_hostkey);
@ -1439,9 +1450,9 @@ Index: openssh-8.9p1/kex.h
char *kex_names_cat(const char *, const char *); char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *); int kex_assemble_names(char **, const char *, const char *);
+int kex_gss_names_valid(const char *); +int kex_gss_names_valid(const char *);
void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
int kex_exchange_identification(struct ssh *, int, const char *); const char *, const char *, const char *, const char *, const char *);
void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
@@ -209,6 +226,12 @@ int kexgex_client(struct ssh *); @@ -209,6 +226,12 @@ int kexgex_client(struct ssh *);
int kexgex_server(struct ssh *); int kexgex_server(struct ssh *);
int kex_gen_client(struct ssh *); int kex_gen_client(struct ssh *);
@ -3511,8 +3522,8 @@ Index: openssh-8.9p1/sshconnect2.c
extern Options options; extern Options options;
/* /*
@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, st @@ -220,10 +218,44 @@ ssh_kex2(struct ssh *ssh, char *host, st
char *s, *all_key; char *s, *all_key, *hkalgs = NULL;
int r, use_known_hosts_order = 0; int r, use_known_hosts_order = 0;
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3523,9 +3534,6 @@ Index: openssh-8.9p1/sshconnect2.c
xxx_host = host; xxx_host = host;
xxx_hostaddr = hostaddr; xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo; xxx_conn_info = cinfo;
@@ -264,6 +267,35 @@ ssh_kex2(struct ssh *ssh, char *host, st
compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
}
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ if (options.gss_keyex) { + if (options.gss_keyex) {
@ -3559,7 +3567,7 @@ Index: openssh-8.9p1/sshconnect2.c
if (options.rekey_limit || options.rekey_interval) if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit, ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval); options.rekey_interval);
@@ -282,16 +314,46 @@ ssh_kex2(struct ssh *ssh, char *host, st @@ -282,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, st
# ifdef OPENSSL_HAS_ECC # ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif # endif
@ -3592,6 +3600,7 @@ Index: openssh-8.9p1/sshconnect2.c
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
/* remove ext-info from the KEX proposals for rekeying */ /* remove ext-info from the KEX proposals for rekeying */
free(myproposal[PROPOSAL_KEX_ALGS]);
myproposal[PROPOSAL_KEX_ALGS] = myproposal[PROPOSAL_KEX_ALGS] =
compat_kex_proposal(ssh, options.kex_algorithms); compat_kex_proposal(ssh, options.kex_algorithms);
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3751,8 +3760,13 @@ Index: openssh-8.9p1/sshd.c
exit(1); exit(1);
} }
@@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh) @@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( # myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
ssh, list_hostkey_types()); # ssh, list_hostkey_types());
# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
# compat_pkalg_proposal(ssh, list_hostkey_types());
#
free(hkalgs);
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ { + {
@ -3884,22 +3898,40 @@ Index: openssh-8.9p1/sshkey.c
=================================================================== ===================================================================
--- openssh-8.9p1.orig/sshkey.c --- openssh-8.9p1.orig/sshkey.c
+++ openssh-8.9p1/sshkey.c +++ openssh-8.9p1/sshkey.c
@@ -162,6 +162,7 @@ static const struct keytype keytypes[] = @@ -127,6 +127,17 @@
# endif /* ENABLE_SK */ extern const struct sshkey_impl sshkey_xmss_impl;
# endif /* OPENSSL_HAS_ECC */ extern const struct sshkey_impl sshkey_xmss_cert_impl;
#endif /* WITH_OPENSSL */ #endif
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, +const struct sshkey_impl sshkey_null_impl = {
{ NULL, NULL, NULL, -1, -1, 0, 0 } + /* .name = */ "null",
+ /* .shortname = */ "null",
+ /* .sigalg = */ NULL,
+ /* .type = */ KEY_NULL,
+ /* .nid = */ 0,
+ /* .cert = */ 0,
+ /* .sigonly = */ 0,
+ /* .keybits = */ 0,
+ /* .funcs = */ NULL,
+};
const struct sshkey_impl * const keyimpls[] = {
&sshkey_ed25519_impl,
@@ -162,6 +179,7 @@ static const struct keytype keytypes[] =
&sshkey_xmss_impl,
&sshkey_xmss_cert_impl,
#endif
+ &sshkey_null_impl,
NULL
}; };
@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai @@ -286,7 +304,7 @@ sshkey_alg_list(int certs_only, int plai
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) { for (i = 0; keyimpls[i] != NULL; i++) {
- if (kt->name == NULL) impl = keyimpls[i];
+ if (kt->name == NULL || kt->type == KEY_NULL) - if (impl->name == NULL)
+ if (impl->name == NULL || impl->type == KEY_NULL)
continue; continue;
if (!include_sigonly && kt->sigonly) if (!include_sigonly && impl->sigonly)
continue; continue;
Index: openssh-8.9p1/sshkey.h Index: openssh-8.9p1/sshkey.h
=================================================================== ===================================================================

View File

@ -768,8 +768,8 @@ Index: openssh-8.9p1/auth.h
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, +int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
FILE *auth_openkeyfile(const char *, struct passwd *, int); int auth_key_is_revoked(struct sshkey *);
FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty @@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty
int get_hostkey_index(struct sshkey *, int, struct ssh *); int get_hostkey_index(struct sshkey *, int, struct ssh *);
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
@ -843,8 +843,8 @@ Index: openssh-8.9p1/auth2-pubkey.c
+} +}
+ +
static int static int
match_principals_option(const char *principal_list, struct sshkey_cert *cert) match_principals_file(struct passwd *pw, char *file,
{ struct sshkey_cert *cert, struct sshauthopt **authoptsp)
Index: openssh-8.9p1/auth2.c Index: openssh-8.9p1/auth2.c
=================================================================== ===================================================================
--- openssh-8.9p1.orig/auth2.c --- openssh-8.9p1.orig/auth2.c
@ -934,9 +934,9 @@ Index: openssh-8.9p1/kex.c
--- openssh-8.9p1.orig/kex.c --- openssh-8.9p1.orig/kex.c
+++ openssh-8.9p1/kex.c +++ openssh-8.9p1/kex.c
@@ -62,6 +62,7 @@ @@ -62,6 +62,7 @@
#include "ssherr.h"
#include "sshbuf.h" #include "sshbuf.h"
#include "digest.h" #include "digest.h"
#include "xmalloc.h"
+#include "audit.h" +#include "audit.h"
#ifdef GSSAPI #ifdef GSSAPI
@ -2165,7 +2165,7 @@ Index: openssh-8.9p1/session.h
@@ -71,10 +77,12 @@ void session_unused(int); @@ -71,10 +77,12 @@ void session_unused(int);
int session_input_channel_req(struct ssh *, Channel *, const char *); int session_input_channel_req(struct ssh *, Channel *, const char *);
void session_close_by_pid(struct ssh *ssh, pid_t, int); void session_close_by_pid(struct ssh *ssh, pid_t, int);
void session_close_by_channel(struct ssh *, int, void *); void session_close_by_channel(struct ssh *, int, int, void *);
-void session_destroy_all(struct ssh *, void (*)(Session *)); -void session_destroy_all(struct ssh *, void (*)(Session *));
+void session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *)); +void session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *));
void session_pty_cleanup2(Session *); void session_pty_cleanup2(Session *);
@ -2357,7 +2357,7 @@ Index: openssh-8.9p1/sshd.c
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s) +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
{ {
struct pollfd *pfd = NULL; struct pollfd *pfd = NULL;
int i, j, ret; int i, j, ret, npfd;
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so @@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) { if (received_sigterm) {
logit("Received signal %d; terminating.", logit("Received signal %d; terminating.",

View File

@ -9,7 +9,7 @@ index 767ec24..5d506a9 100644
--- a/ed25519.c --- a/ed25519.c
+++ b/ed25519.c +++ b/ed25519.c
@@ -9,6 +9,13 @@ @@ -9,6 +9,13 @@
#include "includes.h"
#include "crypto_api.h" #include "crypto_api.h"
+#ifdef WITH_OPENSSL +#ifdef WITH_OPENSSL
@ -19,12 +19,12 @@ index 767ec24..5d506a9 100644
+ +
+#include "log.h" +#include "log.h"
+ +
#include "ge25519.h" #define int8 crypto_int8
#define uint8 crypto_uint8
static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen) #define int16 crypto_int16
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair( @@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
unsigned char extsk[64]; sc25519 scsk;
int i; ge25519 gepk;
+#ifdef WITH_OPENSSL +#ifdef WITH_OPENSSL
+ /* Use FIPS approved RNG */ + /* Use FIPS approved RNG */
@ -32,12 +32,12 @@ index 767ec24..5d506a9 100644
+ fatal("Couldn't obtain random bytes (error 0x%lx)", + fatal("Couldn't obtain random bytes (error 0x%lx)",
+ (unsigned long)ERR_get_error()); + (unsigned long)ERR_get_error());
+#else +#else
randombytes(sk, 32); randombytes(sk,32);
+#endif +#endif
+ +
crypto_hash_sha512(extsk, sk, 32); crypto_hash_sha512(az,sk,32);
extsk[0] &= 248; az[0] &= 248;
extsk[31] &= 127; az[31] &= 127;
diff --git a/kexc25519.c b/kexc25519.c diff --git a/kexc25519.c b/kexc25519.c
index f13d766..2604eda 100644 index f13d766..2604eda 100644
--- a/kexc25519.c --- a/kexc25519.c

View File

@ -106,7 +106,7 @@ Index: openssh-8.9p1/ssh_config.5
+.Pq Pa /usr/etc/ssh/ssh_config +.Pq Pa /usr/etc/ssh/ssh_config
.El .El
.Pp .Pp
For each parameter, the first obtained value Unless noted otherwise, for each parameter, the first obtained value
@@ -2220,6 +2223,11 @@ This file provides defaults for those @@ -2220,6 +2223,11 @@ This file provides defaults for those
values that are not specified in the user's configuration file, and values that are not specified in the user's configuration file, and
for those users who do not have a configuration file. for those users who do not have a configuration file.

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
size 1820282

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmIWG5YACgkQKj9BTnNg
YLoL2A//TuX5vo9EplHaoqTbgL5KkwaJGaae2bXczbw1N8anfSlnPi7IAL4TkLFW
SpIAGYcDoxqSAT62Ad9TsIvallPWmzG8mIa1M6dgQHUW95KbI5NHC53NgMkExI7O
x9HGDanLRoXCwbDrYAZN8UlddTsZYGrfoVso7lrW87lcTkM4AYQKNbCum/C8OUq0
esJgaaiXTIK+Rwbtpa+msDo8scfq08IG4rMM+kiNOnYpxaVyPIvspUF/ULinEQ5M
KrgRCZKI6573yZAdzA3KE6fXlzFJuxqcpk8Zimdm6c5+TEk30pzZ65Q+KLLrW7Gm
YK9gkkbdGWvtoRoE66RnPcBbPoFFM3h0mPhY/08iKHZKQL29bhDABx5qqUN0WDtg
uqz21PT/yXwxXglvHRMtq9w1dzjrPs/aEWQiO2ta+tspC+vUwVjnengmvcj7pP6B
4MQWDcw0ZULn5ns/Vzja6VO9V6hKYApCHs0o4lvBnXXtdIRNHmuROoVQsGPlBTKN
jPSfz3XU7lebayJwGpJFVwfHYTzxGu8IuK7k6WUvCA4j98HbRpJCuNEZeE4Jsvlc
CLhee1YTkUDtNb3GaV2F8a4pDyCxvxCBlhoTMdDDWLGibylpZKaqZyxuO+X7QTUM
TfiyQEZ6YFqQj+f1/BjzPDeXXXMOYA5tgHumjB726rtmK1HB7ZQ=
=5Ghp
-----END PGP SIGNATURE-----

3
openssh-9.3p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8
size 1856839

16
openssh-9.3p1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
=deVJ
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
- openssh-askpass-gnome: require only openssh-clients, not the full
openssh (including -server), to avoid pulling in excessive
dependencies when installing git on Gnome (boo#1211446)
-------------------------------------------------------------------
Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.3p1
* No changes for askpass, see main package changelog for
details
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <hpj@suse.com> Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <hpj@suse.com>

View File

@ -18,7 +18,7 @@
%define _name openssh %define _name openssh
Name: openssh-askpass-gnome Name: openssh-askpass-gnome
Version: 8.9p1 Version: 9.3p1
Release: 0 Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause License: BSD-2-Clause
@ -26,7 +26,7 @@ Group: Productivity/Networking/SSH
URL: https://www.openssh.com/ URL: https://www.openssh.com/
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
Requires: %{_name} = %{version} Requires: %{_name}-clients = %{version}
Supplements: packageand(openssh-clients:libgtk-3-0) Supplements: packageand(openssh-clients:libgtk-3-0)
%if 0%{?suse_version} >= 1550 %if 0%{?suse_version} >= 1550
BuildRequires: gtk3-devel BuildRequires: gtk3-devel

View File

@ -31,7 +31,7 @@ Index: openssh-8.9p1/sshd_config.5
--- openssh-8.9p1.orig/sshd_config.5 --- openssh-8.9p1.orig/sshd_config.5
+++ openssh-8.9p1/sshd_config.5 +++ openssh-8.9p1/sshd_config.5
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec @@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
sntrup761x25519-sha512@openssh.com, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256 -diffie-hellman-group14-sha256

View File

@ -14,7 +14,7 @@ Index: openssh-8.8p1/sandbox-seccomp-filter.c
#endif #endif
@@ -213,6 +216,9 @@ static const struct sock_filter preauth_ @@ -213,6 +216,9 @@ static const struct sock_filter preauth_
#ifdef __NR_futex_time64 #ifdef __NR_futex_time64
SC_ALLOW(__NR_futex_time64), SC_FUTEX(__NR_futex_time64),
#endif #endif
+#ifdef __NR_futex_time64 +#ifdef __NR_futex_time64
+ SC_ALLOW(__NR_futex_time64), + SC_ALLOW(__NR_futex_time64),

View File

@ -1,3 +1,479 @@
-------------------------------------------------------------------
Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.3p1:
= Security
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in
OpenSSH 8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This
problem was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the
system's standard library lacks this function and portable
OpenSSH was not compiled with the ldns library (--with-ldns).
getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
fetch SSHFP records. This problem was found by the Coverity
static analyzer.
= New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
when outputting SSHFP fingerprints to allow algorithm
selection. bz3493
* sshd(8): add a `sshd -G` option that parses and prints the
effective configuration without attempting to load private keys
and perform other checks. This allows usage of the option
before keys have been generated and for configuration
evaluation and verification by unprivileged users.
= Bugfixes
* scp(1), sftp(1): fix progressmeter corruption on wide displays;
bz3534
* ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing
usability of private keys as some systems are starting to
disable RSA/SHA1 in libcrypto.
* sftp-server(8): fix a memory leak. GHPR363
* ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
compatibility code and simplify what's left.
* Fix a number of low-impact Coverity static analysis findings.
These include several reported via bz2687
* ssh_config(5), sshd_config(5): mention that some options are
not first-match-wins.
* Rework logging for the regression tests. Regression tests will
now capture separate logs for each ssh and sshd invocation in
a test.
* ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
says it should; bz3532.
* ssh(1): ensure that there is a terminating newline when adding
a new entry to known_hosts; bz3529
= Portability
* sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
mmap(2), madvise(2) and futex(2) flags, removing some
concerning kernel attack surface.
* sshd(8): improve Linux seccomp-bpf sandbox for older systems;
bz3537
- Update to openssh 9.2p1:
= Security
* sshd(8): fix a pre-authentication double-free memory fault
introduced in OpenSSH 9.1. This is not believed to be
exploitable, and it occurs in the unprivileged pre-auth process
that is subject to chroot(2) and is further sandboxed on most
major platforms.
* ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
option would ignore its first argument unless it was one of the
special keywords "any" or "none", causing the permission list
to fail open if only one permission was specified. bz3515
* ssh(1): if the CanonicalizeHostname and
CanonicalizePermittedCNAMEs options were enabled, and the
system/libc resolver did not check that names in DNS responses
were valid, then use of these options could allow an attacker
with control of DNS to include invalid characters (possibly
including wildcards) in names added to known_hosts files when
they were updated. These names would still have to match the
CanonicalizePermittedCNAMEs allow-list, so practical
exploitation appears unlikely.
= Potentially-incompatible changes
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option
that controls whether the client-side ~C escape sequence that
provides a command-line is available. Among other things, the
~C command-line could be used to add additional port-forwards
at runtime.
This option defaults to "no", disabling the ~C command-line
that was previously enabled by default. Turning off the
command-line allows platforms that support sandboxing of the
ssh(1) client (currently only OpenBSD) to use a stricter
default sandbox policy.
= New features
* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels
that have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to
session, X11, agent and TCP forwarding channels.
* sshd(8): add a sshd_config UnusedConnectionTimeout option to
terminate client connections that have no open channels for a
length of time. This complements the ChannelTimeout option
above.
* sshd(8): add a -V (version) option to sshd like the ssh client
has.
* ssh(1): add a "Host" line to the output of ssh -G showing the
original hostname argument. bz3343
* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
allow control over some SFTP protocol parameters: the copy
buffer length and the number of in-flight requests, both of
which are used during upload/download. Previously these could
be controlled in sftp(1) only. This makes them available in
both SFTP protocol clients using the same option character
sequence.
* ssh-keyscan(1): allow scanning of complete CIDR address ranges,
e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed,
then it will be expanded to all possible addresses in the range
including the all-0s and all-1s addresses. bz#976
* ssh(1): support dynamic remote port forwarding in escape
command-line's -R processing. bz#3499
= Bugfixes
* ssh(1): when restoring non-blocking mode to stdio fds, restore
exactly the flags that ssh started with and don't just clobber
them with zero, as this could also remove the append flag from
the set. bz3523
* ssh(1): avoid printf("%s", NULL) if using
UserKnownHostsFile=none and a hostkey in one of the system
known hosts file changes.
* scp(1): switch scp from using pipes to a socket-pair for
communication with its ssh sub-processes, matching how sftp(1)
operates.
* sshd(8): clear signal mask early in main(); sshd may have been
started with one or more signals masked (sigprocmask(2) is not
cleared on fork/exec) and this could interfere with various
things, e.g. the login grace timer. Execution environments that
fail to clear the signal mask before running sshd are clearly
broken, but apparently they do exist.
* ssh(1): warn if no host keys for hostbased auth can be loaded.
* sshd(8): Add server debugging for hostbased auth that is queued
and sent to the client after successful authentication, but
also logged to assist in diagnosis of HostbasedAuthentication
problems. bz3507
* ssh(1): document use of the IdentityFile option as being usable
to list public keys as well as private keys. GHPR352
* sshd(8): check for and disallow MaxStartups values less than or
equal to zero during config parsing, rather than failing later
at runtime. bz3489
* ssh-keygen(1): fix parsing of hex cert expiry times specified
on the command-line when acting as a CA.
* scp(1): when scp(1) is using the SFTP protocol for transport
(the default), better match scp/rcp's handling of globs that
don't match the globbed characters but do match literally (e.g.
trying to transfer a file named "foo.[1]"). Previously scp(1)
in SFTP mode would not match these pathnames but legacy scp/rcp
mode would. bz3488
* ssh-agent(1): document the "-O no-restrict-websafe"
command-line option.
* ssh(1): honour user's umask(2) if it is more restrictive then
the ssh default (022).
= Portability
* sshd(8): allow writev(2) in the Linux seccomp sandbox. This
seems to be used by recent glibcs at least in some
configurations during error conditions. bz3512.
* sshd(8): simply handling of SSH_CONNECTION PAM env var,
removing global variable and checking the return value from
pam_putenv. bz3508
* sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was
mistakenly enabled during the OpenSSH 9.1 release cycle.
* misc: update autotools and regenerate the config files using
the latest autotools
* all: use -fzero-call-used-regs=used on clang 15 instead of
-fzero-call-used-reg=all, as some versions of clang 15 have
miscompile code when it was enabled. bz3475
* sshd(8): defer PRNG seeding until after the initial
closefrom(2) call. PRNG seeding will initialize OpenSSL, and
some engine providers (e.g. Intel's QAT) will open descriptors
for their own use that closefrom(2) could clobber. bz3483
* misc: in the poll(2)/ppoll(2) compatibility code, avoid
assuming the layout of fd_set.
* sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older
FreeBSD kernels. Some versions do not support using id 0 to
refer to the current PID for procctl, so try again with
getpid() explicitly before failing.
* configure.ac: fix -Wstrict-prototypes in configure test code.
Clang 16 now warns on this and legacy prototypes will be
removed in C23. GHPR355
* configure.ac: fix setres*id checks to work with clang-16. glibc
has the prototypes for setresuid behind _GNU_SOURCE, and
clang 16 will error out on implicit function definitions.
bz3497
- Update to openssh 9.1p1:
= Security
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner
processing.
Reported by Qualys
* ssh-keygen(1): double free() in error path of file hashing step
in signing/verify code; GHPR333
* ssh-keysign(8): double-free in error path introduced in
openssh-8.9
= Potentially-incompatible changes
* The portable OpenSSH project now signs commits and release tags
using git's recent SSH signature support. The list of developer
signing keys is included in the repository as
.git_allowed_signers and is cross-signed using the PGP key that
is still used to sign release artifacts:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
* ssh(1), sshd(8): SetEnv directives in ssh_config and
sshd_config are now first-match-wins to match other directives.
Previously if an environment variable was multiply specified
the last set value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key
types) will no longer generate DSA keys, as these are insecure
and have not been used by default for some years.
= New features
* ssh(1), sshd(8): add a RequiredRSASize directive to set a
minimum RSA key length. Keys below this length will be ignored
for user authentication and for host authentication in sshd(8).
ssh(1) will terminate a connection if the server offers an RSA
key that falls below this limit, as the SSH protocol does not
include the ability to retry a failed key exchange.
* sftp-server(8): add a "users-groups-by-id@openssh.com"
extension request that allows the client to obtain user/group
names that correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server
extension (when available) to fill in user/group names for
directory listings.
* sftp-server(8): support the "home-directory" extension request
defined in draft-ietf-secsh-filexfer-extensions-00. This
overlaps a bit with the existing "expand-path@openssh.com", but
some other clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals,
sshsig verification times and authorized_keys expiry-time
options to accept dates in the UTC time zone in addition to the
default of interpreting them in the system time zone. YYYYMMDD
and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if
suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in
raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890.
This is intended for use by regress tests and other tools that
call ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
"/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work
with "-Y sign" operations, where it will be interpreted to
require that the private keys is hosted in an agent; bz3429
= Bugfixes
* ssh-keygen(1): implement the "verify-required" certificate
option.
This was already documented when support for user-verified FIDO
keys was added, but the ssh-keygen(1) code was missing.
* ssh-agent(1): hook up the restrict_websafe command-line flag;
previously the flag was accepted but never actually used.
* sftp(1): improve filename tab completions: never try to
complete names to non-existent commands, and better match the
completion type (local or remote filename) against the argument
position being completed.
* ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
handling, especially relating to keys that request
user-verification. These should reduce the number of
unnecessary PIN prompts for keys that support intrinsic user
verification. GHPR302, GHPR329
* ssh-keygen(1): when enrolling a FIDO resident key, check if a
credential with matching application and user ID strings
already exists and, if so, prompt the user for confirmation
before overwriting the credential. GHPR329
* sshd(8): improve logging of errors when opening authorized_keys
files. bz2042
* ssh(1): avoid multiplexing operations that could cause SIGPIPE
from causing the client to exit early. bz3454
* ssh_config(5), sshd_config(5): clarify that the RekeyLimit
directive applies to both transmitted and received data.
GHPR328
* ssh-keygen(1): avoid double fclose() in error path.
* sshd(8): log an error if pipe() fails while accepting a
connection. bz3447
* ssh(1), ssh-keygen(1): fix possible NULL deref when built
without FIDO support. bz3443
* ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
GHPR294.
* sshd(8): ensure that authentication passwords are cleared from
memory in error paths. GHPR286
* ssh(1), ssh-agent(1): avoid possibility of notifier code
executing kill(-1). GHPR286
* ssh_config(5): note that the ProxyJump directive also accepts
the same tokens as ProxyCommand. GHPR305.
* scp(1): do not not ftruncate(3) files early when in sftp mode.
The previous behaviour of unconditionally truncating the
destination file would cause "scp ~/foo localhost:foo" and the
reverse "scp localhost:foo ~/foo" to delete all the contents of
their destination. bz3431
* ssh-keygen(1): improve error message when 'ssh-keygen -Y sign'
is unable to load a private key; bz3429
* sftp(1), scp(1): when performing operations that glob(3) a
remote path, ensure that the implicit working directory used to
construct that path escapes glob(3) characters. This prevents
glob characters from being processed in places they shouldn't,
e.g. "cd /tmp/a*/", "get *.txt" should have the get operation
treat the path "/tmp/a*" literally and not attempt to expand
it.
* ssh(1), sshd(8): be stricter in which characters will be
accepted in specifying a mask length; allow only 0-9. GHPR278
* ssh-keygen(1): avoid printing hash algorithm twice when dumping
a KRL
* ssh(1), sshd(8): continue running local I/O for open channels
during SSH transport rekeying. This should make ~-escapes work
in the client (e.g. to exit) if the connection happened to have
stalled during a rekey event.
* ssh(1), sshd(8): avoid potential poll() spin during rekeying
* Further hardening for sshbuf internals: disallow "reparenting"
a hierarchical sshbuf and zero the entire buffer if
reallocation fails. GHPR287
= Portability
* ssh(1), ssh-keygen(1), sshd(8): automatically enable the
built-in FIDO security key support if libfido2 is found and
usable, unless --without-security-key-builtin was requested.
* ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
FIDO device usable on Cygwin. The windows://hello FIDO device
will be automatically used by default on this platform unless
requested otherwise, or when probing resident FIDO credentials
(an operation not currently supported by WinHello).
* Portable OpenSSH: remove workarounds for obsolete and
unsupported versions of OpenSSL libcrypto. In particular, this
release removes fallback support for OpenSSL that lacks AES-CTR
or AES-GCM. Those AES cipher modes were added to OpenSSL prior
to the minimum version currently supported by OpenSSH, so this
is not expected to impact any currently supported
configurations.
* sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current
Linux/glibc
* All: resync and clean up internal CSPRNG code.
* scp(1), sftp(1), sftp-server(8): avoid linking these programs
with unnecessary libraries. They are no longer linked against
libz and libcrypto. This may be of benefit to space constrained
systems using any of those components in isolation.
* sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
architectures.
* configure: remove special casing of crypt(). configure will no
longer search for crypt() in libcrypto, as it was removed from
there years ago. configure will now only search libc and
libcrypt.
* configure: refuse to use OpenSSL 3.0.4 due to potential RCE in
its RSA implementation (CVE-2022-2274) on x86_64.
* All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR322
* ssh(1), ssh-keygen(1), sshd(8): fix a number of missing
includes required by the XMSS code on some platforms.
* sshd(8): cache timezone data in capsicum sandbox.
- Update to openssh 9.0p1:
= Potentially-incompatible changes
* This release switches scp(1) from using the legacy scp/rcp
protocol to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames
(e.g. "scp host:* .") through the remote shell. This has the
side effect of requiring double quoting of shell
meta-characters in file names included on scp(1) command-lines,
otherwise they could be interpreted as shell commands on the
remote side.
This creates one area of potential incompatibility: scp(1) when
using the SFTP protocol no longer requires this finicky and
brittle quoting, and attempts to use it may cause transfers to
fail. We consider the removal of the need for double-quoting
shell characters in file names to be a benefit and do not
intend to introduce bug-compatibility for legacy scp/rcp in
scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of
remote paths relative to other user's home directories, for
example - "scp host:~user/file /tmp". The SFTP protocol has no
native way to expand a ~user path. However, sftp-server(8) in
OpenSSH 8.7 and later support a protocol extension
"expand-path@openssh.com" to support this.
In case of incompatibility, the scp(1) client may be instructed
to use the legacy scp/rcp using the -O flag.
= New features
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519
key exchange method by default
("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is
believed to resist attacks enabled by future quantum computers
and is paired with the X25519 ECDH key exchange (the previous
default) as a backstop against any weaknesses in NTRU Prime
that may be discovered in the future. The combination ensures
that the hybrid exchange offers at least as good security as
the status quo.
We are making this change now (i.e. ahead of cryptographically-
relevant quantum computers) to prevent "capture now, decrypt
later" attacks where an adversary who can record and store SSH
session ciphertext would be able to decrypt it once a
sufficiently advanced quantum computer is available.
* sftp-server(8): support the "copy-data" extension to allow
server-side copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform
server-side file copies.
= Bugfixes
* ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's
output fd closes without data in the channel buffer. bz3405 and
bz3411
* sshd(8): pack pollfd array in server listen/accept loop. Could
cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
* ssh-keygen(1): avoid NULL deref via the find-principals and
check-novalidate operations. bz3409 and GHPR307 respectively.
* scp(1): fix a memory leak in argument processing. bz3404
* sshd(8): don't try to resolve ListenAddress directives in the
sshd re-exec path. They are unused after re-exec and parsing
errors (possible for example if the host's network
configuration changed) could prevent connections from being
accepted.
* sshd(8): when refusing a public key authentication request from
a client for using an unapproved or unsupported signature
algorithm include the algorithm name in the log message to make
debugging easier.
= Portability
* sshd(8): refactor platform-specific locked account check,
fixing an incorrect free() on platforms with both libiaf and
shadow passwords (probably only Unixware) GHPR284,
* ssh(1), sshd(8): Fix possible integer underflow in
scan_scaled(3) parsing of K/M/G/etc quantities. bz#3401.
* sshd(8): provide killpg implementation (mostly for Tandem
NonStop) GHPR301.
* Check for missing ftruncate prototype. GHPR301
* sshd(8): default to not using sandbox when cross compiling. On
most systems poll(2) does not work when the number of FDs is
reduced with setrlimit, so assume it doesn't when cross
compiling and we can't run the test. bz#3398.
* sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix
sandbox violations on some (at least i386 and armhf) 32bit
Linux platforms. bz#3396.
* Improve detection of -fzero-call-used-regs=all support in
configure script.
- Add patch that explicitly adds -lz in Makefile.in to some
binaries which need it:
* fix-missing-lz.patch
- Rebase patches:
* openssh-7.7p1-fips.patch
* openssh-7.7p1-fips_checks.patch
* openssh-7.7p1-ldap.patch
* openssh-7.7p1-pam_check_locks.patch
* openssh-7.7p1-seccomp_ipc_flock.patch
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
* openssh-7.7p1-systemd-notify.patch
* openssh-8.0p1-gssapi-keyex.patch
* openssh-8.1p1-audit.patch
* openssh-8.1p1-ed25519-use-openssl-rng.patch
* openssh-8.4p1-vendordir.patch
* openssh-reenable-dh-group14-sha1-default.patch
* openssh-whitelist-syscalls.patch
* wtmpdb.patch
- Fix setting libexec dir in the LDAP patch.
- Fix build in Leap 15.x which doesn't use %{_distconfdir}
-------------------------------------------------------------------
Fri May 5 15:18:20 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
- Add _multibuild to define 2nd spec file as additional flavor.
Eliminates the need for source package links in OBS.
-------------------------------------------------------------------
Mon Apr 17 13:14:49 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
- wtmpdb.patch: add support for wtmpdb to sshd [jsc#PED-3144]
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Mar 27 08:39:38 UTC 2023 - Thorsten Kukuk <kukuk@suse.com> Mon Mar 27 08:39:38 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>

View File

@ -24,13 +24,20 @@
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac %define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
%bcond_without ldap
%if 0%{?suse_version} >= 1550
%bcond_without wtmpdb
%else
%bcond_with wtmpdb
%endif
#Compat macro for new _fillupdir macro introduced in Nov 2017 #Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir} %if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: openssh Name: openssh
Version: 8.9p1 Version: 9.3p1
Release: 0 Release: 0
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT License: BSD-2-Clause AND MIT
@ -107,17 +114,21 @@ Patch47: openssh-8.4p1-vendordir.patch
Patch48: openssh-8.4p1-pam_motd.patch Patch48: openssh-8.4p1-pam_motd.patch
Patch49: openssh-do-not-send-empty-message.patch Patch49: openssh-do-not-send-empty-message.patch
Patch50: openssh-openssl-3.patch Patch50: openssh-openssl-3.patch
Patch51: wtmpdb.patch
Patch100: fix-missing-lz.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: automake BuildRequires: automake
BuildRequires: groff BuildRequires: groff
BuildRequires: libedit-devel BuildRequires: libedit-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
%if %{with ldap}
BuildRequires: openldap2-devel BuildRequires: openldap2-devel
%endif
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: pkgconfig(libfido2) BuildRequires: pkgconfig(libfido2) >= 1.2.0
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
BuildRequires: sysuser-shadow BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools BuildRequires: sysuser-tools
@ -128,6 +139,9 @@ BuildRequires: pkgconfig(krb5)
%else %else
BuildRequires: krb5-mini-devel BuildRequires: krb5-mini-devel
%endif %endif
%if %{with wtmpdb}
BuildRequires: pkgconfig(libwtmpdb)
%endif
Requires(pre): findutils Requires(pre): findutils
Requires(pre): grep Requires(pre): grep
@ -215,6 +229,7 @@ also be forwarded over the secure channel.
This package contains clients for making secure connections to Secure This package contains clients for making secure connections to Secure
Shell servers. Shell servers.
%if %{with ldap}
%package helpers %package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
@ -231,6 +246,7 @@ also be forwarded over the secure channel.
This package contains helper applications for OpenSSH which retrieve This package contains helper applications for OpenSSH which retrieve
keys from various sources. keys from various sources.
%endif
%package fips %package fips
Summary: OpenSSH FIPS crypto module HMACs Summary: OpenSSH FIPS crypto module HMACs
@ -262,7 +278,7 @@ cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
# set libexec dir in the LDAP patch # set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \ $( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) $( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
) )
%build %build
@ -294,9 +310,14 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%endif %endif
--disable-strip \ --disable-strip \
--with-audit=linux \ --with-audit=linux \
%if %{with ldap}
--with-ldap \ --with-ldap \
%endif
--with-xauth=%{_bindir}/xauth \ --with-xauth=%{_bindir}/xauth \
--with-libedit \ --with-libedit \
%if %{with wtmpdb}
--with-wtmpdb \
%endif
--with-security-key-builtin \ --with-security-key-builtin \
--target=%{_target_cpu}-suse-linux --target=%{_target_cpu}-suse-linux
@ -327,12 +348,16 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
# Move /etc to /usr/etc/ssh # Move /etc to /usr/etc/ssh
%if %{defined _distconfdir}
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
echo "PermitRootLogin yes" > %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif
%if 0%{?suse_version} < 1550 %if 0%{?suse_version} < 1550
# install firewall definitions # install firewall definitions
@ -426,9 +451,15 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%license LICENCE %license LICENCE
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0755,root,root) %dir %{_sysconfdir}/ssh
%if %{defined _distconfdir}
%attr(0755,root,root) %dir %{_distconfdir}/ssh %attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d
%attr(0600,root,root) %{_distconfdir}/ssh/moduli %attr(0600,root,root) %{_distconfdir}/ssh/moduli
%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
%else
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %{_sysconfdir}/ssh/moduli
%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
%endif
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0444,root,root) %{_mandir}/man5/moduli.5* %attr(0444,root,root) %{_mandir}/man5/moduli.5*
%attr(0755,root,root) %{_bindir}/ssh-keygen* %attr(0755,root,root) %{_bindir}/ssh-keygen*
@ -439,12 +470,13 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
%attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d
%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
%if %{defined _distconfdir} %if %{defined _distconfdir}
%attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
%attr(0644,root,root) %{_pam_vendordir}/sshd %attr(0644,root,root) %{_pam_vendordir}/sshd
%else %else
%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%endif %endif
%attr(0644,root,root) %{_unitdir}/sshd.service %attr(0644,root,root) %{_unitdir}/sshd.service
@ -463,11 +495,19 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%endif %endif
%files server-config-rootlogin %files server-config-rootlogin
%if %{defined _distconfdir}
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%else
%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif
%files clients %files clients
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
%if %{defined _distconfdir}
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
%else
%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config
%endif
%attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/ssh
%attr(0755,root,root) %{_bindir}/scp* %attr(0755,root,root) %{_bindir}/scp*
%attr(0755,root,root) %{_bindir}/sftp* %attr(0755,root,root) %{_bindir}/sftp*
@ -492,6 +532,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8* %attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8* %attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
%if %{with ldap}
%files helpers %files helpers
%attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0755,root,root) %dir %{_sysconfdir}/ssh
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
@ -500,6 +541,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap* %attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap* %attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%endif
%files fips %files fips
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX} %attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}

185
wtmpdb.patch Normal file
View File

@ -0,0 +1,185 @@
diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
--- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200
@@ -1703,6 +1703,49 @@
fi ]
)
+# Check whether user wants wtmpdb support
+WTMPDB_MSG="no"
+AC_ARG_WITH([wtmpdb],
+ [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd],
+ [ if test "x$withval" != "xno" ; then
+ if test "x$withval" = "xyes" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "x$PKGCONFIG" != "xno"; then
+ AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb])
+ if "$PKGCONFIG" libwtmpdb; then
+ AC_MSG_RESULT([yes])
+ use_pkgconfig_for_libwtmpdb=yes
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ else
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ fi
+ if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
+ LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
+ else
+ LIBWTMPDB="-lwtmpdb"
+ fi
+ OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
+ AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
+ [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
+ WTMPDB_MSG="yes"
+ AC_SUBST([LIBWTMPDB])
+ ],
+ [ AC_MSG_ERROR([libwtmpdb not found]) ],
+ [ $OTHERLIBS ]
+ )
+ fi ]
+)
+
+
AUDIT_MODULE=none
AC_ARG_WITH([audit],
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
--- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200
@@ -187,6 +187,10 @@
# include <util.h>
#endif
+#ifdef USE_WTMPDB
+# include <wtmpdb.h>
+#endif
+
/**
** prototypes for helper functions in this file
**/
@@ -207,6 +211,9 @@
int wtmpx_write_entry(struct logininfo *li);
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
+#ifdef USE_WTMPDB
+int wtmpdb_write_entry(struct logininfo *li);
+#endif
int getlast_entry(struct logininfo *li);
int lastlog_get_entry(struct logininfo *li);
@@ -467,6 +474,9 @@
#ifdef USE_WTMPX
wtmpx_write_entry(li);
#endif
+#ifdef USE_WTMPDB
+ wtmpdb_write_entry(li);
+#endif
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
@@ -1409,6 +1419,64 @@
}
#endif /* USE_WTMPX */
+#ifdef USE_WTMPDB
+static int
+wtmpdb_perform_login(struct logininfo *li)
+{
+ uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
+ const char *tty;
+
+ if (strncmp(li->line, "/dev/", 5) == 0)
+ tty = &(li->line[5]);
+ else
+ tty = li->line;
+
+ li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
+ login_time, tty, li->hostname, 0, 0);
+ if (li->wtmpdb_id < 0)
+ return (0);
+
+ return (1);
+}
+
+
+static int
+wtmpdb_perform_logout(struct logininfo *li)
+{
+ uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
+
+ if (li->wtmpdb_id == 0) {
+ const char *tty;
+
+ if (strncmp(li->line, "/dev/", 5) == 0)
+ tty = &(li->line[5]);
+ else
+ tty = li->line;
+
+ li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
+ }
+ wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
+
+ return (1);
+}
+
+
+int
+wtmpdb_write_entry(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (wtmpdb_perform_login(li));
+ case LTYPE_LOGOUT:
+ return (wtmpdb_perform_logout(li));
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif
+
+
/**
** Low-level libutil login() functions
**/
diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
--- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200
@@ -79,6 +79,9 @@
unsigned int tv_sec;
unsigned int tv_usec;
union login_netinfo hostaddr; /* caller's host address(es) */
+#ifdef USE_WTMPDB
+ int64_t wtmpdb_id; /* ID for wtmpdb_logout */
+#endif
}; /* struct logininfo */
/*
diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
--- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200
@@ -55,6 +55,7 @@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
+LIBWTMPDB=@LIBWTMPDB@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
@@ -212,7 +213,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)