Accepting request 643660 from home:pmonrealgonzalez:branches:network
- Version update to 7.9p1 * No actual changes for the askpass * See main package changelog for details - Version update to 7.9p1 * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option (see below) bans the use of DSA keys as certificate authorities. * sshd(8): the authentication success/failure log message has changed format slightly. It now includes the certificate fingerprint (previously it included only key ID and CA key fingerprint). * ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services). * sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sessions (i.e. not subsystems) that were not subject to a forced command via authorized_keys or sshd_config. bz#1424 * ssh(1): support "ssh -Q sig" to list supported signature options. Also "ssh -Q help" to show the full set of supported queries. * ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and server configs to allow control over which signature formats are allowed for CAs to sign certificates. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm. * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash. * ssh-keygen(1): allow creation of key revocation lists directly from base64-encoded SHA256 fingerprints. This supports revoking keys using only the information contained in sshd(8) OBS-URL: https://build.opensuse.org/request/show/643660 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=159
parent
c1e40270e4
commit
b21be4c6b4
@ -3,10 +3,10 @@
|
|||||||
Extended auditing through the Linux Auditing subsystem
|
Extended auditing through the Linux Auditing subsystem
|
||||||
RH patch from git://pkgs.fedoraproject.org/openssh.git
|
RH patch from git://pkgs.fedoraproject.org/openssh.git
|
||||||
|
|
||||||
Index: openssh-7.8p1/Makefile.in
|
Index: openssh-7.9p1/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/Makefile.in
|
--- openssh-7.9p1.orig/Makefile.in
|
||||||
+++ openssh-7.8p1/Makefile.in
|
+++ openssh-7.9p1/Makefile.in
|
||||||
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o
|
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o
|
||||||
|
|
||||||
LIBSSH_OBJS += kexgssc.o kexgsss.o
|
LIBSSH_OBJS += kexgssc.o kexgsss.o
|
||||||
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
|
|||||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||||
sshconnect.o sshconnect2.o mux.o
|
sshconnect.o sshconnect2.o mux.o
|
||||||
|
|
||||||
Index: openssh-7.8p1/audit-bsm.c
|
Index: openssh-7.9p1/audit-bsm.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/audit-bsm.c
|
--- openssh-7.9p1.orig/audit-bsm.c
|
||||||
+++ openssh-7.8p1/audit-bsm.c
|
+++ openssh-7.9p1/audit-bsm.c
|
||||||
@@ -372,10 +372,23 @@ audit_connection_from(const char *host,
|
@@ -372,10 +372,23 @@ audit_connection_from(const char *host,
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@ -93,10 +93,10 @@ Index: openssh-7.8p1/audit-bsm.c
|
|||||||
+ /* not implemented */
|
+ /* not implemented */
|
||||||
+}
|
+}
|
||||||
#endif /* BSM */
|
#endif /* BSM */
|
||||||
Index: openssh-7.8p1/audit-linux.c
|
Index: openssh-7.9p1/audit-linux.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/audit-linux.c
|
--- openssh-7.9p1.orig/audit-linux.c
|
||||||
+++ openssh-7.8p1/audit-linux.c
|
+++ openssh-7.9p1/audit-linux.c
|
||||||
@@ -33,27 +33,40 @@
|
@@ -33,27 +33,40 @@
|
||||||
|
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -468,10 +468,10 @@ Index: openssh-7.8p1/audit-linux.c
|
|||||||
+ error("cannot write into audit");
|
+ error("cannot write into audit");
|
||||||
+}
|
+}
|
||||||
#endif /* USE_LINUX_AUDIT */
|
#endif /* USE_LINUX_AUDIT */
|
||||||
Index: openssh-7.8p1/audit.c
|
Index: openssh-7.9p1/audit.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/audit.c
|
--- openssh-7.9p1.orig/audit.c
|
||||||
+++ openssh-7.8p1/audit.c
|
+++ openssh-7.9p1/audit.c
|
||||||
@@ -34,13 +34,19 @@
|
@@ -34,13 +34,19 @@
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
@ -648,10 +648,10 @@ Index: openssh-7.8p1/audit.c
|
|||||||
}
|
}
|
||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
Index: openssh-7.8p1/audit.h
|
Index: openssh-7.9p1/audit.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/audit.h
|
--- openssh-7.9p1.orig/audit.h
|
||||||
+++ openssh-7.8p1/audit.h
|
+++ openssh-7.9p1/audit.h
|
||||||
@@ -26,6 +26,7 @@
|
@@ -26,6 +26,7 @@
|
||||||
# define _SSH_AUDIT_H
|
# define _SSH_AUDIT_H
|
||||||
|
|
||||||
@ -694,10 +694,10 @@ Index: openssh-7.8p1/audit.h
|
|||||||
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
Index: openssh-7.8p1/auditstub.c
|
Index: openssh-7.9p1/auditstub.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ openssh-7.8p1/auditstub.c
|
+++ openssh-7.9p1/auditstub.c
|
||||||
@@ -0,0 +1,50 @@
|
@@ -0,0 +1,50 @@
|
||||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||||
+
|
+
|
||||||
@ -749,11 +749,11 @@ Index: openssh-7.8p1/auditstub.c
|
|||||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||||
+{
|
+{
|
||||||
+}
|
+}
|
||||||
Index: openssh-7.8p1/auth.c
|
Index: openssh-7.9p1/auth.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth.c
|
--- openssh-7.9p1.orig/auth.c
|
||||||
+++ openssh-7.8p1/auth.c
|
+++ openssh-7.9p1/auth.c
|
||||||
@@ -362,7 +362,7 @@ auth_log(Authctxt *authctxt, int authent
|
@@ -366,7 +366,7 @@ auth_log(Authctxt *authctxt, int authent
|
||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
@ -762,7 +762,7 @@ Index: openssh-7.8p1/auth.c
|
|||||||
audit_event(audit_classify_auth(method));
|
audit_event(audit_classify_auth(method));
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@@ -601,9 +601,6 @@ getpwnamallow(const char *user)
|
@@ -605,9 +605,6 @@ getpwnamallow(const char *user)
|
||||||
record_failed_login(user,
|
record_failed_login(user,
|
||||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||||
#endif
|
#endif
|
||||||
@ -772,10 +772,10 @@ Index: openssh-7.8p1/auth.c
|
|||||||
return (NULL);
|
return (NULL);
|
||||||
}
|
}
|
||||||
if (!allowed_user(pw))
|
if (!allowed_user(pw))
|
||||||
Index: openssh-7.8p1/auth.h
|
Index: openssh-7.9p1/auth.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth.h
|
--- openssh-7.9p1.orig/auth.h
|
||||||
+++ openssh-7.8p1/auth.h
|
+++ openssh-7.9p1/auth.h
|
||||||
@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(const char
|
@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(const char
|
||||||
|
|
||||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||||
@ -794,11 +794,11 @@ Index: openssh-7.8p1/auth.h
|
|||||||
|
|
||||||
/* Key / cert options linkage to auth layer */
|
/* Key / cert options linkage to auth layer */
|
||||||
const struct sshauthopt *auth_options(struct ssh *);
|
const struct sshauthopt *auth_options(struct ssh *);
|
||||||
Index: openssh-7.8p1/auth2-hostbased.c
|
Index: openssh-7.9p1/auth2-hostbased.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth2-hostbased.c
|
--- openssh-7.9p1.orig/auth2-hostbased.c
|
||||||
+++ openssh-7.8p1/auth2-hostbased.c
|
+++ openssh-7.9p1/auth2-hostbased.c
|
||||||
@@ -141,7 +141,7 @@ userauth_hostbased(struct ssh *ssh)
|
@@ -148,7 +148,7 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
/* test for allowed key and correct signature */
|
/* test for allowed key and correct signature */
|
||||||
authenticated = 0;
|
authenticated = 0;
|
||||||
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
||||||
@ -807,7 +807,7 @@ Index: openssh-7.8p1/auth2-hostbased.c
|
|||||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
|
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
|
||||||
authenticated = 1;
|
authenticated = 1;
|
||||||
|
|
||||||
@@ -158,6 +158,19 @@ done:
|
@@ -165,6 +165,19 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -827,11 +827,11 @@ Index: openssh-7.8p1/auth2-hostbased.c
|
|||||||
/* return 1 if given hostkey is allowed */
|
/* return 1 if given hostkey is allowed */
|
||||||
int
|
int
|
||||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||||
Index: openssh-7.8p1/auth2-pubkey.c
|
Index: openssh-7.9p1/auth2-pubkey.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth2-pubkey.c
|
--- openssh-7.9p1.orig/auth2-pubkey.c
|
||||||
+++ openssh-7.8p1/auth2-pubkey.c
|
+++ openssh-7.9p1/auth2-pubkey.c
|
||||||
@@ -187,7 +187,7 @@ userauth_pubkey(struct ssh *ssh)
|
@@ -193,7 +193,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
/* test for correct signature */
|
/* test for correct signature */
|
||||||
authenticated = 0;
|
authenticated = 0;
|
||||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||||
@ -840,7 +840,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
|
|||||||
sshbuf_ptr(b), sshbuf_len(b),
|
sshbuf_ptr(b), sshbuf_len(b),
|
||||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||||
ssh->compat)) == 0) {
|
ssh->compat)) == 0) {
|
||||||
@@ -246,6 +246,19 @@ done:
|
@@ -252,6 +252,19 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -860,7 +860,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
|
|||||||
static int
|
static int
|
||||||
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
||||||
{
|
{
|
||||||
@@ -767,7 +780,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
|
@@ -773,7 +786,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
|
||||||
found_principal = 1;
|
found_principal = 1;
|
||||||
/* If principals file or command is specified, then require a match */
|
/* If principals file or command is specified, then require a match */
|
||||||
use_authorized_principals = principals_file != NULL ||
|
use_authorized_principals = principals_file != NULL ||
|
||||||
@ -869,10 +869,10 @@ Index: openssh-7.8p1/auth2-pubkey.c
|
|||||||
if (!found_principal && use_authorized_principals) {
|
if (!found_principal && use_authorized_principals) {
|
||||||
reason = "Certificate does not contain an authorized principal";
|
reason = "Certificate does not contain an authorized principal";
|
||||||
goto fail_reason;
|
goto fail_reason;
|
||||||
Index: openssh-7.8p1/auth2.c
|
Index: openssh-7.9p1/auth2.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth2.c
|
--- openssh-7.9p1.orig/auth2.c
|
||||||
+++ openssh-7.8p1/auth2.c
|
+++ openssh-7.9p1/auth2.c
|
||||||
@@ -284,9 +284,6 @@ input_userauth_request(int type, u_int32
|
@@ -284,9 +284,6 @@ input_userauth_request(int type, u_int32
|
||||||
} else {
|
} else {
|
||||||
/* Invalid user, fake password information */
|
/* Invalid user, fake password information */
|
||||||
@ -883,10 +883,10 @@ Index: openssh-7.8p1/auth2.c
|
|||||||
}
|
}
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (options.use_pam)
|
if (options.use_pam)
|
||||||
Index: openssh-7.8p1/cipher.c
|
Index: openssh-7.9p1/cipher.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/cipher.c
|
--- openssh-7.9p1.orig/cipher.c
|
||||||
+++ openssh-7.8p1/cipher.c
|
+++ openssh-7.9p1/cipher.c
|
||||||
@@ -54,25 +54,6 @@
|
@@ -54,25 +54,6 @@
|
||||||
#include "fips.h"
|
#include "fips.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -922,10 +922,10 @@ Index: openssh-7.8p1/cipher.c
|
|||||||
return;
|
return;
|
||||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||||
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
|
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
|
||||||
Index: openssh-7.8p1/cipher.h
|
Index: openssh-7.9p1/cipher.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/cipher.h
|
--- openssh-7.9p1.orig/cipher.h
|
||||||
+++ openssh-7.8p1/cipher.h
|
+++ openssh-7.9p1/cipher.h
|
||||||
@@ -45,7 +45,25 @@
|
@@ -45,7 +45,25 @@
|
||||||
#define CIPHER_ENCRYPT 1
|
#define CIPHER_ENCRYPT 1
|
||||||
#define CIPHER_DECRYPT 0
|
#define CIPHER_DECRYPT 0
|
||||||
@ -953,10 +953,10 @@ Index: openssh-7.8p1/cipher.h
|
|||||||
struct sshcipher_ctx {
|
struct sshcipher_ctx {
|
||||||
int plaintext;
|
int plaintext;
|
||||||
int encrypt;
|
int encrypt;
|
||||||
Index: openssh-7.8p1/kex.c
|
Index: openssh-7.9p1/kex.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kex.c
|
--- openssh-7.9p1.orig/kex.c
|
||||||
+++ openssh-7.8p1/kex.c
|
+++ openssh-7.9p1/kex.c
|
||||||
@@ -53,6 +53,7 @@
|
@@ -53,6 +53,7 @@
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
@ -1053,10 +1053,10 @@ Index: openssh-7.8p1/kex.c
|
|||||||
+ mac_destroy(&newkeys->mac);
|
+ mac_destroy(&newkeys->mac);
|
||||||
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||||
+}
|
+}
|
||||||
Index: openssh-7.8p1/kex.h
|
Index: openssh-7.9p1/kex.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kex.h
|
--- openssh-7.9p1.orig/kex.h
|
||||||
+++ openssh-7.8p1/kex.h
|
+++ openssh-7.9p1/kex.h
|
||||||
@@ -213,6 +213,8 @@ int kexgss_client(struct ssh *);
|
@@ -213,6 +213,8 @@ int kexgss_client(struct ssh *);
|
||||||
int kexgss_server(struct ssh *);
|
int kexgss_server(struct ssh *);
|
||||||
#endif
|
#endif
|
||||||
@ -1066,10 +1066,10 @@ Index: openssh-7.8p1/kex.h
|
|||||||
int kex_dh_hash(int, const char *, const char *,
|
int kex_dh_hash(int, const char *, const char *,
|
||||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||||
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
|
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
|
||||||
Index: openssh-7.8p1/mac.c
|
Index: openssh-7.9p1/mac.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/mac.c
|
--- openssh-7.9p1.orig/mac.c
|
||||||
+++ openssh-7.8p1/mac.c
|
+++ openssh-7.9p1/mac.c
|
||||||
@@ -280,6 +280,20 @@ mac_clear(struct sshmac *mac)
|
@@ -280,6 +280,20 @@ mac_clear(struct sshmac *mac)
|
||||||
mac->umac_ctx = NULL;
|
mac->umac_ctx = NULL;
|
||||||
}
|
}
|
||||||
@ -1091,10 +1091,10 @@ Index: openssh-7.8p1/mac.c
|
|||||||
/* XXX copied from ciphers_valid */
|
/* XXX copied from ciphers_valid */
|
||||||
#define MAC_SEP ","
|
#define MAC_SEP ","
|
||||||
int
|
int
|
||||||
Index: openssh-7.8p1/mac.h
|
Index: openssh-7.9p1/mac.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/mac.h
|
--- openssh-7.9p1.orig/mac.h
|
||||||
+++ openssh-7.8p1/mac.h
|
+++ openssh-7.9p1/mac.h
|
||||||
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
|
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
|
||||||
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
|
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
|
||||||
const u_char *, size_t);
|
const u_char *, size_t);
|
||||||
@ -1102,11 +1102,11 @@ Index: openssh-7.8p1/mac.h
|
|||||||
+void mac_destroy(struct sshmac *);
|
+void mac_destroy(struct sshmac *);
|
||||||
|
|
||||||
#endif /* SSHMAC_H */
|
#endif /* SSHMAC_H */
|
||||||
Index: openssh-7.8p1/monitor.c
|
Index: openssh-7.9p1/monitor.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/monitor.c
|
--- openssh-7.9p1.orig/monitor.c
|
||||||
+++ openssh-7.8p1/monitor.c
|
+++ openssh-7.9p1/monitor.c
|
||||||
@@ -91,6 +91,7 @@
|
@@ -93,6 +93,7 @@
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
#include "authfd.h"
|
#include "authfd.h"
|
||||||
@ -1114,7 +1114,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
#include "match.h"
|
#include "match.h"
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
|
|
||||||
@@ -105,6 +106,8 @@ extern u_char session_id[];
|
@@ -107,6 +108,8 @@ extern u_char session_id[];
|
||||||
extern struct sshbuf *loginmsg;
|
extern struct sshbuf *loginmsg;
|
||||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||||
|
|
||||||
@ -1123,7 +1123,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
/* State exported from the child */
|
/* State exported from the child */
|
||||||
static struct sshbuf *child_state;
|
static struct sshbuf *child_state;
|
||||||
|
|
||||||
@@ -150,6 +153,11 @@ int mm_answer_gss_updatecreds(int, struc
|
@@ -152,6 +155,11 @@ int mm_answer_gss_updatecreds(int, struc
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
int mm_answer_audit_event(int, struct sshbuf *);
|
int mm_answer_audit_event(int, struct sshbuf *);
|
||||||
int mm_answer_audit_command(int, struct sshbuf *);
|
int mm_answer_audit_command(int, struct sshbuf *);
|
||||||
@ -1135,7 +1135,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int monitor_read_log(struct monitor *);
|
static int monitor_read_log(struct monitor *);
|
||||||
@@ -203,6 +211,11 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -205,6 +213,11 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
#endif
|
#endif
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
@ -1147,7 +1147,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||||
@@ -231,6 +244,11 @@ struct mon_table mon_dispatch_postauth20
|
@@ -233,6 +246,11 @@ struct mon_table mon_dispatch_postauth20
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||||
@ -1159,7 +1159,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
|
{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
|
||||||
@@ -1375,6 +1393,7 @@ mm_answer_keyverify(int sock, struct ssh
|
@@ -1379,6 +1397,7 @@ mm_answer_keyverify(int sock, struct ssh
|
||||||
char *sigalg;
|
char *sigalg;
|
||||||
size_t signaturelen, datalen, bloblen;
|
size_t signaturelen, datalen, bloblen;
|
||||||
int r, ret, valid_data = 0, encoded_ret;
|
int r, ret, valid_data = 0, encoded_ret;
|
||||||
@ -1167,7 +1167,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
|
|
||||||
if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
|
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
|
||||||
@@ -1385,6 +1404,8 @@ mm_answer_keyverify(int sock, struct ssh
|
@@ -1389,6 +1408,8 @@ mm_answer_keyverify(int sock, struct ssh
|
||||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||||
!monitor_allowed_key(blob, bloblen))
|
!monitor_allowed_key(blob, bloblen))
|
||||||
fatal("%s: bad key, not previously allowed", __func__);
|
fatal("%s: bad key, not previously allowed", __func__);
|
||||||
@ -1176,7 +1176,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
|
|
||||||
/* Empty signature algorithm means NULL. */
|
/* Empty signature algorithm means NULL. */
|
||||||
if (*sigalg == '\0') {
|
if (*sigalg == '\0') {
|
||||||
@@ -1399,22 +1420,25 @@ mm_answer_keyverify(int sock, struct ssh
|
@@ -1403,22 +1424,25 @@ mm_answer_keyverify(int sock, struct ssh
|
||||||
switch (key_blobtype) {
|
switch (key_blobtype) {
|
||||||
case MM_USERKEY:
|
case MM_USERKEY:
|
||||||
valid_data = monitor_valid_userblob(data, datalen);
|
valid_data = monitor_valid_userblob(data, datalen);
|
||||||
@ -1204,7 +1204,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
debug3("%s: %s %p signature %s", __func__, auth_method, key,
|
debug3("%s: %s %p signature %s", __func__, auth_method, key,
|
||||||
(ret == 0) ? "verified" : "unverified");
|
(ret == 0) ? "verified" : "unverified");
|
||||||
auth2_record_key(authctxt, ret == 0, key);
|
auth2_record_key(authctxt, ret == 0, key);
|
||||||
@@ -1474,6 +1498,12 @@ mm_session_close(Session *s)
|
@@ -1478,6 +1502,12 @@ mm_session_close(Session *s)
|
||||||
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
|
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
|
||||||
session_pty_cleanup2(s);
|
session_pty_cleanup2(s);
|
||||||
}
|
}
|
||||||
@ -1217,7 +1217,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
session_unused(s->self);
|
session_unused(s->self);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1582,6 +1612,8 @@ mm_answer_term(int sock, struct sshbuf *
|
@@ -1586,6 +1616,8 @@ mm_answer_term(int sock, struct sshbuf *
|
||||||
sshpam_cleanup();
|
sshpam_cleanup();
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -1226,7 +1226,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||||
if (errno != EINTR)
|
if (errno != EINTR)
|
||||||
exit(1);
|
exit(1);
|
||||||
@@ -1628,14 +1660,50 @@ mm_answer_audit_command(int socket, stru
|
@@ -1632,14 +1664,50 @@ mm_answer_audit_command(int socket, stru
|
||||||
{
|
{
|
||||||
char *cmd;
|
char *cmd;
|
||||||
int r;
|
int r;
|
||||||
@ -1280,7 +1280,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
}
|
}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
|
|
||||||
@@ -1697,6 +1765,7 @@ monitor_apply_keystate(struct monitor *p
|
@@ -1701,6 +1769,7 @@ monitor_apply_keystate(struct monitor *p
|
||||||
void
|
void
|
||||||
mm_get_keystate(struct monitor *pmonitor)
|
mm_get_keystate(struct monitor *pmonitor)
|
||||||
{
|
{
|
||||||
@ -1288,7 +1288,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
debug3("%s: Waiting for new keys", __func__);
|
debug3("%s: Waiting for new keys", __func__);
|
||||||
|
|
||||||
if ((child_state = sshbuf_new()) == NULL)
|
if ((child_state = sshbuf_new()) == NULL)
|
||||||
@@ -1704,6 +1773,19 @@ mm_get_keystate(struct monitor *pmonitor
|
@@ -1708,6 +1777,19 @@ mm_get_keystate(struct monitor *pmonitor
|
||||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||||
child_state);
|
child_state);
|
||||||
debug3("%s: GOT new keys", __func__);
|
debug3("%s: GOT new keys", __func__);
|
||||||
@ -1308,7 +1308,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -1902,19 +1984,19 @@ mm_answer_gss_sign(int socket, struct ss
|
@@ -1906,19 +1988,19 @@ mm_answer_gss_sign(int socket, struct ss
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
if (!options.gss_authentication && !options.gss_keyex)
|
if (!options.gss_authentication && !options.gss_keyex)
|
||||||
@ -1334,7 +1334,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
}
|
}
|
||||||
major = ssh_gssapi_sign(gsscontext, &data, &hash);
|
major = ssh_gssapi_sign(gsscontext, &data, &hash);
|
||||||
|
|
||||||
@@ -1962,3 +2044,102 @@ mm_answer_gss_updatecreds(int socket, st
|
@@ -1966,3 +2048,102 @@ mm_answer_gss_updatecreds(int socket, st
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
@ -1437,10 +1437,10 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
+#endif /* SSH_AUDIT_EVENTS */
|
+#endif /* SSH_AUDIT_EVENTS */
|
||||||
Index: openssh-7.8p1/monitor.h
|
Index: openssh-7.9p1/monitor.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/monitor.h
|
--- openssh-7.9p1.orig/monitor.h
|
||||||
+++ openssh-7.8p1/monitor.h
|
+++ openssh-7.9p1/monitor.h
|
||||||
@@ -61,7 +61,13 @@ enum monitor_reqtype {
|
@@ -61,7 +61,13 @@ enum monitor_reqtype {
|
||||||
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
||||||
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
||||||
@ -1456,10 +1456,10 @@ Index: openssh-7.8p1/monitor.h
|
|||||||
|
|
||||||
MONITOR_REQ_GSSSIGN = 201, MONITOR_ANS_GSSSIGN = 202,
|
MONITOR_REQ_GSSSIGN = 201, MONITOR_ANS_GSSSIGN = 202,
|
||||||
MONITOR_REQ_GSSUPCREDS = 203, MONITOR_ANS_GSSUPCREDS = 204,
|
MONITOR_REQ_GSSUPCREDS = 203, MONITOR_ANS_GSSUPCREDS = 204,
|
||||||
Index: openssh-7.8p1/monitor_wrap.c
|
Index: openssh-7.9p1/monitor_wrap.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/monitor_wrap.c
|
--- openssh-7.9p1.orig/monitor_wrap.c
|
||||||
+++ openssh-7.8p1/monitor_wrap.c
|
+++ openssh-7.9p1/monitor_wrap.c
|
||||||
@@ -497,7 +497,7 @@ mm_key_allowed(enum mm_keytype type, con
|
@@ -497,7 +497,7 @@ mm_key_allowed(enum mm_keytype type, con
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@ -1637,10 +1637,10 @@ Index: openssh-7.8p1/monitor_wrap.c
|
|||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+}
|
+}
|
||||||
+#endif /* SSH_AUDIT_EVENTS */
|
+#endif /* SSH_AUDIT_EVENTS */
|
||||||
Index: openssh-7.8p1/monitor_wrap.h
|
Index: openssh-7.9p1/monitor_wrap.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/monitor_wrap.h
|
--- openssh-7.9p1.orig/monitor_wrap.h
|
||||||
+++ openssh-7.8p1/monitor_wrap.h
|
+++ openssh-7.9p1/monitor_wrap.h
|
||||||
@@ -53,7 +53,9 @@ int mm_user_key_allowed(struct ssh *, st
|
@@ -53,7 +53,9 @@ int mm_user_key_allowed(struct ssh *, st
|
||||||
struct sshauthopt **);
|
struct sshauthopt **);
|
||||||
int mm_hostbased_key_allowed(struct passwd *, const char *,
|
int mm_hostbased_key_allowed(struct passwd *, const char *,
|
||||||
@ -1666,10 +1666,10 @@ Index: openssh-7.8p1/monitor_wrap.h
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
struct Session;
|
struct Session;
|
||||||
Index: openssh-7.8p1/packet.c
|
Index: openssh-7.9p1/packet.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/packet.c
|
--- openssh-7.9p1.orig/packet.c
|
||||||
+++ openssh-7.8p1/packet.c
|
+++ openssh-7.9p1/packet.c
|
||||||
@@ -76,6 +76,7 @@
|
@@ -76,6 +76,7 @@
|
||||||
#include <zlib.h>
|
#include <zlib.h>
|
||||||
|
|
||||||
@ -1829,20 +1829,20 @@ Index: openssh-7.8p1/packet.c
|
|||||||
/* Reset after_authentication and reset compression in post-auth privsep */
|
/* Reset after_authentication and reset compression in post-auth privsep */
|
||||||
static int
|
static int
|
||||||
ssh_packet_set_postauth(struct ssh *ssh)
|
ssh_packet_set_postauth(struct ssh *ssh)
|
||||||
Index: openssh-7.8p1/packet.h
|
Index: openssh-7.9p1/packet.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/packet.h
|
--- openssh-7.9p1.orig/packet.h
|
||||||
+++ openssh-7.8p1/packet.h
|
+++ openssh-7.9p1/packet.h
|
||||||
@@ -219,4 +219,5 @@ extern struct ssh *active_state;
|
@@ -219,4 +219,5 @@ extern struct ssh *active_state;
|
||||||
# undef EC_POINT
|
# undef EC_POINT
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
+void packet_destroy_all(int, int);
|
+void packet_destroy_all(int, int);
|
||||||
#endif /* PACKET_H */
|
#endif /* PACKET_H */
|
||||||
Index: openssh-7.8p1/session.c
|
Index: openssh-7.9p1/session.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/session.c
|
--- openssh-7.9p1.orig/session.c
|
||||||
+++ openssh-7.8p1/session.c
|
+++ openssh-7.9p1/session.c
|
||||||
@@ -139,7 +139,7 @@ extern char *__progname;
|
@@ -139,7 +139,7 @@ extern char *__progname;
|
||||||
extern int debug_flag;
|
extern int debug_flag;
|
||||||
extern u_int utmp_len;
|
extern u_int utmp_len;
|
||||||
@ -1867,7 +1867,7 @@ Index: openssh-7.8p1/session.c
|
|||||||
/* Enter interactive session. */
|
/* Enter interactive session. */
|
||||||
s->ptymaster = ptymaster;
|
s->ptymaster = ptymaster;
|
||||||
packet_set_interactive(1,
|
packet_set_interactive(1,
|
||||||
@@ -739,15 +747,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
@@ -741,15 +749,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||||
s->self);
|
s->self);
|
||||||
|
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
@ -1889,7 +1889,7 @@ Index: openssh-7.8p1/session.c
|
|||||||
#endif
|
#endif
|
||||||
if (s->ttyfd != -1)
|
if (s->ttyfd != -1)
|
||||||
ret = do_exec_pty(ssh, s, command);
|
ret = do_exec_pty(ssh, s, command);
|
||||||
@@ -1551,8 +1563,11 @@ do_child(struct ssh *ssh, Session *s, co
|
@@ -1553,8 +1565,11 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
int r = 0;
|
int r = 0;
|
||||||
|
|
||||||
/* remove hostkey from the child's memory */
|
/* remove hostkey from the child's memory */
|
||||||
@ -1902,7 +1902,7 @@ Index: openssh-7.8p1/session.c
|
|||||||
|
|
||||||
/* Force a password change */
|
/* Force a password change */
|
||||||
if (s->authctxt->force_pwchange) {
|
if (s->authctxt->force_pwchange) {
|
||||||
@@ -1759,6 +1774,9 @@ session_unused(int id)
|
@@ -1761,6 +1776,9 @@ session_unused(int id)
|
||||||
sessions[id].ttyfd = -1;
|
sessions[id].ttyfd = -1;
|
||||||
sessions[id].ptymaster = -1;
|
sessions[id].ptymaster = -1;
|
||||||
sessions[id].x11_chanids = NULL;
|
sessions[id].x11_chanids = NULL;
|
||||||
@ -1912,7 +1912,7 @@ Index: openssh-7.8p1/session.c
|
|||||||
sessions[id].next_unused = sessions_first_unused;
|
sessions[id].next_unused = sessions_first_unused;
|
||||||
sessions_first_unused = id;
|
sessions_first_unused = id;
|
||||||
}
|
}
|
||||||
@@ -1841,6 +1859,19 @@ session_open(Authctxt *authctxt, int cha
|
@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
|
||||||
}
|
}
|
||||||
|
|
||||||
Session *
|
Session *
|
||||||
@ -1932,7 +1932,7 @@ Index: openssh-7.8p1/session.c
|
|||||||
session_by_tty(char *tty)
|
session_by_tty(char *tty)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
@@ -2352,6 +2383,32 @@ session_exit_message(struct ssh *ssh, Se
|
@@ -2428,6 +2459,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||||
chan_write_failed(ssh, c);
|
chan_write_failed(ssh, c);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1965,7 +1965,7 @@ Index: openssh-7.8p1/session.c
|
|||||||
void
|
void
|
||||||
session_close(struct ssh *ssh, Session *s)
|
session_close(struct ssh *ssh, Session *s)
|
||||||
{
|
{
|
||||||
@@ -2393,6 +2450,10 @@ session_close(struct ssh *ssh, Session *
|
@@ -2469,6 +2526,10 @@ session_close(struct ssh *ssh, Session *
|
||||||
|
|
||||||
if (s->ttyfd != -1)
|
if (s->ttyfd != -1)
|
||||||
session_pty_cleanup(s);
|
session_pty_cleanup(s);
|
||||||
@ -1976,7 +1976,7 @@ Index: openssh-7.8p1/session.c
|
|||||||
free(s->term);
|
free(s->term);
|
||||||
free(s->display);
|
free(s->display);
|
||||||
free(s->x11_chanids);
|
free(s->x11_chanids);
|
||||||
@@ -2600,6 +2661,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
@@ -2677,6 +2738,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||||
server_loop2(ssh, authctxt);
|
server_loop2(ssh, authctxt);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1992,7 +1992,7 @@ Index: openssh-7.8p1/session.c
|
|||||||
void
|
void
|
||||||
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
@@ -2657,7 +2727,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||||
* or if running in monitor.
|
* or if running in monitor.
|
||||||
*/
|
*/
|
||||||
if (!use_privsep || mm_is_monitor())
|
if (!use_privsep || mm_is_monitor())
|
||||||
@ -2001,11 +2001,11 @@ Index: openssh-7.8p1/session.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Return a name for the remote host that fits inside utmp_size */
|
/* Return a name for the remote host that fits inside utmp_size */
|
||||||
Index: openssh-7.8p1/session.h
|
Index: openssh-7.9p1/session.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/session.h
|
--- openssh-7.9p1.orig/session.h
|
||||||
+++ openssh-7.8p1/session.h
|
+++ openssh-7.9p1/session.h
|
||||||
@@ -60,6 +60,12 @@ struct Session {
|
@@ -61,6 +61,12 @@ struct Session {
|
||||||
char *name;
|
char *name;
|
||||||
char *val;
|
char *val;
|
||||||
} *env;
|
} *env;
|
||||||
@ -2018,7 +2018,7 @@ Index: openssh-7.8p1/session.h
|
|||||||
};
|
};
|
||||||
|
|
||||||
void do_authenticated(struct ssh *, Authctxt *);
|
void do_authenticated(struct ssh *, Authctxt *);
|
||||||
@@ -72,8 +78,10 @@ void session_close_by_pid(struct ssh *s
|
@@ -73,8 +79,10 @@ void session_close_by_pid(struct ssh *s
|
||||||
void session_close_by_channel(struct ssh *, int, void *);
|
void session_close_by_channel(struct ssh *, int, void *);
|
||||||
void session_destroy_all(struct ssh *, void (*)(Session *));
|
void session_destroy_all(struct ssh *, void (*)(Session *));
|
||||||
void session_pty_cleanup2(Session *);
|
void session_pty_cleanup2(Session *);
|
||||||
@ -2029,10 +2029,10 @@ Index: openssh-7.8p1/session.h
|
|||||||
Session *session_by_tty(char *);
|
Session *session_by_tty(char *);
|
||||||
void session_close(struct ssh *, Session *);
|
void session_close(struct ssh *, Session *);
|
||||||
void do_setusercontext(struct passwd *);
|
void do_setusercontext(struct passwd *);
|
||||||
Index: openssh-7.8p1/sshd.c
|
Index: openssh-7.9p1/sshd.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd.c
|
--- openssh-7.9p1.orig/sshd.c
|
||||||
+++ openssh-7.8p1/sshd.c
|
+++ openssh-7.9p1/sshd.c
|
||||||
@@ -124,6 +124,7 @@
|
@@ -124,6 +124,7 @@
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
#endif
|
#endif
|
||||||
@ -2117,30 +2117,28 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
sshkey_free(sensitive_data.host_certificates[i]);
|
sshkey_free(sensitive_data.host_certificates[i]);
|
||||||
sensitive_data.host_certificates[i] = NULL;
|
sensitive_data.host_certificates[i] = NULL;
|
||||||
}
|
}
|
||||||
@@ -513,9 +551,22 @@ demote_sensitive_data(void)
|
@@ -513,8 +551,21 @@ demote_sensitive_data(void)
|
||||||
struct sshkey *tmp;
|
struct sshkey *tmp;
|
||||||
u_int i;
|
u_int i;
|
||||||
int r;
|
int r;
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ pid_t pid;
|
+ pid_t pid;
|
||||||
+ uid_t uid;
|
+ uid_t uid;
|
||||||
|
+
|
||||||
- for (i = 0; i < options.num_host_key_files; i++) {
|
|
||||||
+ pid = getpid();
|
+ pid = getpid();
|
||||||
+ uid = getuid();
|
+ uid = getuid();
|
||||||
+#endif
|
+#endif
|
||||||
+
|
|
||||||
+ for (i = 0; i < options.num_host_key_files; i++) {
|
for (i = 0; i < options.num_host_key_files; i++) {
|
||||||
if (sensitive_data.host_keys[i]) {
|
|
||||||
+ char *fp;
|
+ char *fp;
|
||||||
+
|
+
|
||||||
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
|
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
|
||||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||||
+ else
|
+ else
|
||||||
+ fp = NULL;
|
+ fp = NULL;
|
||||||
if ((r = sshkey_demote(sensitive_data.host_keys[i],
|
if (sensitive_data.host_keys[i]) {
|
||||||
&tmp)) != 0)
|
if ((r = sshkey_from_private(
|
||||||
fatal("could not demote host %s key: %s",
|
sensitive_data.host_keys[i], &tmp)) != 0)
|
||||||
@@ -523,6 +574,12 @@ demote_sensitive_data(void)
|
@@ -523,6 +574,12 @@ demote_sensitive_data(void)
|
||||||
ssh_err(r));
|
ssh_err(r));
|
||||||
sshkey_free(sensitive_data.host_keys[i]);
|
sshkey_free(sensitive_data.host_keys[i]);
|
||||||
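Review bot: On the new side of the `@@ -513,8 +551,21 @@ demote_sensitive_data(void)` hunk the added `if (sshkey_is_private(sensitive_data.host_keys[i]))` now runs before the existing `if (sensitive_data.host_keys[i]) {` guard, whereas the 7.8p1 version of this patch computed the fingerprint inside that guard; the loop body visibly expects NULL slots (a configured HostKey that failed to load appears to leave one, judging by sshd's key loading), so this dereferences a NULL key in the pre-auth child unless sshkey_is_private() tolerates NULL, which the upstream implementation does not appear to do (it switches on k->type). Guard the call, `if (sensitive_data.host_keys[i] != NULL && sshkey_is_private(sensitive_data.host_keys[i]))`, or move the `char *fp` block back inside the guard with `fp = NULL` initialised before it so the consumer still sees a defined value. demote_sensitive_data() continues past this hunk and the code that consumes and frees `fp` is not visible here, so whether `fp` must be defined on the NULL path should be confirmed there.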
@ -2213,11 +2211,11 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
audit_event(SSH_CONNECTION_ABANDON);
|
audit_event(SSH_CONNECTION_ABANDON);
|
||||||
#endif
|
#endif
|
||||||
_exit(i);
|
_exit(i);
|
||||||
Index: openssh-7.8p1/sshkey.c
|
Index: openssh-7.9p1/sshkey.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshkey.c
|
--- openssh-7.9p1.orig/sshkey.c
|
||||||
+++ openssh-7.8p1/sshkey.c
|
+++ openssh-7.9p1/sshkey.c
|
||||||
@@ -326,6 +326,32 @@ sshkey_type_is_valid_ca(int type)
|
@@ -331,6 +331,32 @@ sshkey_type_is_valid_ca(int type)
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
@ -2250,11 +2248,11 @@ Index: openssh-7.8p1/sshkey.c
|
|||||||
sshkey_is_cert(const struct sshkey *k)
|
sshkey_is_cert(const struct sshkey *k)
|
||||||
{
|
{
|
||||||
if (k == NULL)
|
if (k == NULL)
|
||||||
Index: openssh-7.8p1/sshkey.h
|
Index: openssh-7.9p1/sshkey.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshkey.h
|
--- openssh-7.9p1.orig/sshkey.h
|
||||||
+++ openssh-7.8p1/sshkey.h
|
+++ openssh-7.9p1/sshkey.h
|
||||||
@@ -148,6 +148,7 @@ u_int sshkey_size(const struct sshkey
|
@@ -147,6 +147,7 @@ u_int sshkey_size(const struct sshkey
|
||||||
int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
|
int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
|
||||||
int sshkey_from_private(const struct sshkey *, struct sshkey **);
|
int sshkey_from_private(const struct sshkey *, struct sshkey **);
|
||||||
int sshkey_type_from_name(const char *);
|
int sshkey_type_from_name(const char *);
|
||||||
|
@ -12,23 +12,23 @@ compliant) parameters.
|
|||||||
CVE-2015-4000 (LOGJAM)
|
CVE-2015-4000 (LOGJAM)
|
||||||
bsc#932483
|
bsc#932483
|
||||||
|
|
||||||
Index: openssh-7.8p1/dh.c
|
Index: openssh-7.9p1/dh.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/dh.c
|
--- openssh-7.9p1.orig/dh.c
|
||||||
+++ openssh-7.8p1/dh.c
|
+++ openssh-7.9p1/dh.c
|
||||||
@@ -43,6 +43,8 @@
|
@@ -45,6 +45,8 @@
|
||||||
#include "misc.h"
|
|
||||||
#include "ssherr.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
|
||||||
+int dh_grp_min = DH_GRP_MIN;
|
+int dh_grp_min = DH_GRP_MIN;
|
||||||
+
|
+
|
||||||
static int
|
static int
|
||||||
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
||||||
{
|
{
|
||||||
Index: openssh-7.8p1/dh.h
|
Index: openssh-7.9p1/dh.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/dh.h
|
--- openssh-7.9p1.orig/dh.h
|
||||||
+++ openssh-7.8p1/dh.h
|
+++ openssh-7.9p1/dh.h
|
||||||
@@ -50,6 +50,7 @@ u_int dh_estimate(int);
|
@@ -50,6 +50,7 @@ u_int dh_estimate(int);
|
||||||
* Max value from RFC4419.
|
* Max value from RFC4419.
|
||||||
* Miniumum increased in light of DH precomputation attacks.
|
* Miniumum increased in light of DH precomputation attacks.
|
||||||
@ -37,11 +37,11 @@ Index: openssh-7.8p1/dh.h
|
|||||||
#define DH_GRP_MIN 2048
|
#define DH_GRP_MIN 2048
|
||||||
#define DH_GRP_MAX 8192
|
#define DH_GRP_MAX 8192
|
||||||
|
|
||||||
Index: openssh-7.8p1/kexgexc.c
|
Index: openssh-7.9p1/kexgexc.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kexgexc.c
|
--- openssh-7.9p1.orig/kexgexc.c
|
||||||
+++ openssh-7.8p1/kexgexc.c
|
+++ openssh-7.9p1/kexgexc.c
|
||||||
@@ -51,6 +51,9 @@
|
@@ -53,6 +53,9 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
|
|
||||||
@ -51,7 +51,7 @@ Index: openssh-7.8p1/kexgexc.c
|
|||||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||||
|
|
||||||
@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh)
|
@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
|
||||||
|
|
||||||
nbits = dh_estimate(kex->dh_need * 8);
|
nbits = dh_estimate(kex->dh_need * 8);
|
||||||
|
|
||||||
@ -60,7 +60,7 @@ Index: openssh-7.8p1/kexgexc.c
|
|||||||
kex->max = DH_GRP_MAX;
|
kex->max = DH_GRP_MAX;
|
||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||||
@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32
|
@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
|
||||||
goto out;
|
goto out;
|
||||||
if ((bits = BN_num_bits(p)) < 0 ||
|
if ((bits = BN_num_bits(p)) < 0 ||
|
||||||
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
||||||
@ -73,11 +73,11 @@ Index: openssh-7.8p1/kexgexc.c
|
|||||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
Index: openssh-7.8p1/kexgexs.c
|
Index: openssh-7.9p1/kexgexs.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kexgexs.c
|
--- openssh-7.9p1.orig/kexgexs.c
|
||||||
+++ openssh-7.8p1/kexgexs.c
|
+++ openssh-7.9p1/kexgexs.c
|
||||||
@@ -54,6 +54,9 @@
|
@@ -56,6 +56,9 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
|
|
||||||
@ -87,7 +87,7 @@ Index: openssh-7.8p1/kexgexs.c
|
|||||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||||
|
|
||||||
@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int
|
@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
|
||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
kex->min = min;
|
kex->min = min;
|
||||||
kex->max = max;
|
kex->max = max;
|
||||||
@ -109,10 +109,10 @@ Index: openssh-7.8p1/kexgexs.c
|
|||||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
Index: openssh-7.8p1/readconf.c
|
Index: openssh-7.9p1/readconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/readconf.c
|
--- openssh-7.9p1.orig/readconf.c
|
||||||
+++ openssh-7.8p1/readconf.c
|
+++ openssh-7.9p1/readconf.c
|
||||||
@@ -67,6 +67,7 @@
|
@@ -67,6 +67,7 @@
|
||||||
#include "uidswap.h"
|
#include "uidswap.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
@ -130,7 +130,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
||||||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||||
@@ -291,6 +292,7 @@ static struct {
|
@@ -292,6 +293,7 @@ static struct {
|
||||||
{ "remotecommand", oRemoteCommand },
|
{ "remotecommand", oRemoteCommand },
|
||||||
{ "visualhostkey", oVisualHostKey },
|
{ "visualhostkey", oVisualHostKey },
|
||||||
{ "kexalgorithms", oKexAlgorithms },
|
{ "kexalgorithms", oKexAlgorithms },
|
||||||
@ -138,7 +138,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
{ "ipqos", oIPQoS },
|
{ "ipqos", oIPQoS },
|
||||||
{ "requesttty", oRequestTTY },
|
{ "requesttty", oRequestTTY },
|
||||||
{ "proxyusefdpass", oProxyUseFdpass },
|
{ "proxyusefdpass", oProxyUseFdpass },
|
||||||
@@ -312,6 +314,9 @@ static struct {
|
@@ -313,6 +315,9 @@ static struct {
|
||||||
{ NULL, oBadOption }
|
{ NULL, oBadOption }
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -148,7 +148,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
/*
|
/*
|
||||||
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
||||||
* error.
|
* error.
|
||||||
@@ -1206,6 +1211,10 @@ parse_int:
|
@@ -1216,6 +1221,10 @@ parse_int:
|
||||||
options->kex_algorithms = xstrdup(arg);
|
options->kex_algorithms = xstrdup(arg);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -159,15 +159,15 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
case oHostKeyAlgorithms:
|
case oHostKeyAlgorithms:
|
||||||
charptr = &options->hostkeyalgorithms;
|
charptr = &options->hostkeyalgorithms;
|
||||||
parse_keytypes:
|
parse_keytypes:
|
||||||
@@ -1835,6 +1844,7 @@ initialize_options(Options * options)
|
@@ -1860,6 +1869,7 @@ initialize_options(Options * options)
|
||||||
options->ciphers = NULL;
|
options->ciphers = NULL;
|
||||||
options->macs = NULL;
|
options->macs = NULL;
|
||||||
options->kex_algorithms = NULL;
|
options->kex_algorithms = NULL;
|
||||||
+ options->kex_dhmin = -1;
|
+ options->kex_dhmin = -1;
|
||||||
options->hostkeyalgorithms = NULL;
|
options->hostkeyalgorithms = NULL;
|
||||||
|
options->ca_sign_algorithms = NULL;
|
||||||
options->num_identity_files = 0;
|
options->num_identity_files = 0;
|
||||||
options->num_certificate_files = 0;
|
@@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
|
||||||
@@ -1988,6 +1998,13 @@ fill_default_options(Options * options)
|
|
||||||
options->connection_attempts = 1;
|
options->connection_attempts = 1;
|
||||||
if (options->number_of_password_prompts == -1)
|
if (options->number_of_password_prompts == -1)
|
||||||
options->number_of_password_prompts = 3;
|
options->number_of_password_prompts = 3;
|
||||||
@ -181,22 +181,22 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
/* options->hostkeyalgorithms, default set in myproposals.h */
|
/* options->hostkeyalgorithms, default set in myproposals.h */
|
||||||
if (options->add_keys_to_agent == -1)
|
if (options->add_keys_to_agent == -1)
|
||||||
options->add_keys_to_agent = 0;
|
options->add_keys_to_agent = 0;
|
||||||
Index: openssh-7.8p1/readconf.h
|
Index: openssh-7.9p1/readconf.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/readconf.h
|
--- openssh-7.9p1.orig/readconf.h
|
||||||
+++ openssh-7.8p1/readconf.h
|
+++ openssh-7.9p1/readconf.h
|
||||||
@@ -67,6 +67,7 @@ typedef struct {
|
@@ -68,6 +68,7 @@ typedef struct {
|
||||||
char *macs; /* SSH2 macs in order of preference. */
|
|
||||||
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
||||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||||
|
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
|
||||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||||
char *hostname; /* Real host to connect. */
|
char *hostname; /* Real host to connect. */
|
||||||
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
||||||
char *proxy_command; /* Proxy command for connecting the host. */
|
char *proxy_command; /* Proxy command for connecting the host. */
|
||||||
Index: openssh-7.8p1/servconf.c
|
Index: openssh-7.9p1/servconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/servconf.c
|
--- openssh-7.9p1.orig/servconf.c
|
||||||
+++ openssh-7.8p1/servconf.c
|
+++ openssh-7.9p1/servconf.c
|
||||||
@@ -64,6 +64,10 @@
|
@@ -64,6 +64,10 @@
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
@ -213,10 +213,10 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
options->macs = NULL;
|
options->macs = NULL;
|
||||||
options->kex_algorithms = NULL;
|
options->kex_algorithms = NULL;
|
||||||
+ options->kex_dhmin = -1;
|
+ options->kex_dhmin = -1;
|
||||||
|
options->ca_sign_algorithms = NULL;
|
||||||
options->fwd_opts.gateway_ports = -1;
|
options->fwd_opts.gateway_ports = -1;
|
||||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
|
||||||
@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption
|
|
||||||
if (options->use_pam_check_locks == -1)
|
if (options->use_pam_check_locks == -1)
|
||||||
options->use_pam_check_locks = 0;
|
options->use_pam_check_locks = 0;
|
||||||
|
|
||||||
@ -231,16 +231,16 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
/* Standard Options */
|
/* Standard Options */
|
||||||
if (options->num_host_key_files == 0) {
|
if (options->num_host_key_files == 0) {
|
||||||
/* fill default hostkeys for protocols */
|
/* fill default hostkeys for protocols */
|
||||||
@@ -490,7 +503,7 @@ typedef enum {
|
@@ -494,7 +507,7 @@ typedef enum {
|
||||||
sHostCertificate,
|
sHostCertificate,
|
||||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||||
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
||||||
- sKexAlgorithms, sIPQoS, sVersionAddendum,
|
- sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
||||||
+ sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum,
|
+ sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
||||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||||
@@ -631,6 +644,7 @@ static struct {
|
@@ -635,6 +648,7 @@ static struct {
|
||||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||||
@ -248,7 +248,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||||
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||||
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||||
@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions
|
@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
|
||||||
options->kex_algorithms = xstrdup(arg);
|
options->kex_algorithms = xstrdup(arg);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -259,7 +259,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
case sSubsystem:
|
case sSubsystem:
|
||||||
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
||||||
fatal("%s line %d: too many subsystems defined.",
|
fatal("%s line %d: too many subsystems defined.",
|
||||||
@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o)
|
@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||||
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
||||||
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
||||||
@ -267,10 +267,10 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
|
|
||||||
/* formatted integer arguments */
|
/* formatted integer arguments */
|
||||||
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
||||||
Index: openssh-7.8p1/servconf.h
|
Index: openssh-7.9p1/servconf.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/servconf.h
|
--- openssh-7.9p1.orig/servconf.h
|
||||||
+++ openssh-7.8p1/servconf.h
|
+++ openssh-7.9p1/servconf.h
|
||||||
@@ -103,6 +103,7 @@ typedef struct {
|
@@ -103,6 +103,7 @@ typedef struct {
|
||||||
char *ciphers; /* Supported SSH2 ciphers. */
|
char *ciphers; /* Supported SSH2 ciphers. */
|
||||||
char *macs; /* Supported SSH2 macs. */
|
char *macs; /* Supported SSH2 macs. */
|
||||||
@ -279,10 +279,10 @@ Index: openssh-7.8p1/servconf.h
|
|||||||
struct ForwardOptions fwd_opts; /* forwarding options */
|
struct ForwardOptions fwd_opts; /* forwarding options */
|
||||||
SyslogFacility log_facility; /* Facility for system logging. */
|
SyslogFacility log_facility; /* Facility for system logging. */
|
||||||
LogLevel log_level; /* Level for system logging. */
|
LogLevel log_level; /* Level for system logging. */
|
||||||
Index: openssh-7.8p1/ssh_config
|
Index: openssh-7.9p1/ssh_config
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh_config
|
--- openssh-7.9p1.orig/ssh_config
|
||||||
+++ openssh-7.8p1/ssh_config
|
+++ openssh-7.9p1/ssh_config
|
||||||
@@ -17,6 +17,11 @@
|
@@ -17,6 +17,11 @@
|
||||||
# list of available options, their meanings and defaults, please see the
|
# list of available options, their meanings and defaults, please see the
|
||||||
# ssh_config(5) man page.
|
# ssh_config(5) man page.
|
||||||
@ -295,11 +295,11 @@ Index: openssh-7.8p1/ssh_config
|
|||||||
Host *
|
Host *
|
||||||
# ForwardAgent no
|
# ForwardAgent no
|
||||||
# ForwardX11 no
|
# ForwardX11 no
|
||||||
Index: openssh-7.8p1/ssh_config.0
|
Index: openssh-7.9p1/ssh_config.0
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh_config.0
|
--- openssh-7.9p1.orig/ssh_config.0
|
||||||
+++ openssh-7.8p1/ssh_config.0
|
+++ openssh-7.9p1/ssh_config.0
|
||||||
@@ -595,6 +595,23 @@ DESCRIPTION
|
@@ -610,6 +610,23 @@ DESCRIPTION
|
||||||
The list of available key exchange algorithms may also be
|
The list of available key exchange algorithms may also be
|
||||||
obtained using "ssh -Q kex".
|
obtained using "ssh -Q kex".
|
||||||
|
|
||||||
@ -323,11 +323,11 @@ Index: openssh-7.8p1/ssh_config.0
|
|||||||
LocalCommand
|
LocalCommand
|
||||||
Specifies a command to execute on the local machine after
|
Specifies a command to execute on the local machine after
|
||||||
successfully connecting to the server. The command string
|
successfully connecting to the server. The command string
|
||||||
Index: openssh-7.8p1/ssh_config.5
|
Index: openssh-7.9p1/ssh_config.5
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh_config.5
|
--- openssh-7.9p1.orig/ssh_config.5
|
||||||
+++ openssh-7.8p1/ssh_config.5
|
+++ openssh-7.9p1/ssh_config.5
|
||||||
@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1
|
@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q kex .
|
.Qq ssh -Q kex .
|
||||||
@ -350,10 +350,10 @@ Index: openssh-7.8p1/ssh_config.5
|
|||||||
.It Cm LocalCommand
|
.It Cm LocalCommand
|
||||||
Specifies a command to execute on the local machine after successfully
|
Specifies a command to execute on the local machine after successfully
|
||||||
connecting to the server.
|
connecting to the server.
|
||||||
Index: openssh-7.8p1/sshd_config
|
Index: openssh-7.9p1/sshd_config
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd_config
|
--- openssh-7.9p1.orig/sshd_config
|
||||||
+++ openssh-7.8p1/sshd_config
|
+++ openssh-7.9p1/sshd_config
|
||||||
@@ -19,6 +19,13 @@
|
@@ -19,6 +19,13 @@
|
||||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
@ -368,11 +368,11 @@ Index: openssh-7.8p1/sshd_config
|
|||||||
# Ciphers and keying
|
# Ciphers and keying
|
||||||
#RekeyLimit default none
|
#RekeyLimit default none
|
||||||
|
|
||||||
Index: openssh-7.8p1/sshd_config.0
|
Index: openssh-7.9p1/sshd_config.0
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd_config.0
|
--- openssh-7.9p1.orig/sshd_config.0
|
||||||
+++ openssh-7.8p1/sshd_config.0
|
+++ openssh-7.9p1/sshd_config.0
|
||||||
@@ -545,6 +545,23 @@ DESCRIPTION
|
@@ -555,6 +555,23 @@ DESCRIPTION
|
||||||
The list of available key exchange algorithms may also be
|
The list of available key exchange algorithms may also be
|
||||||
obtained using "ssh -Q kex".
|
obtained using "ssh -Q kex".
|
||||||
|
|
||||||
@ -396,11 +396,11 @@ Index: openssh-7.8p1/sshd_config.0
|
|||||||
ListenAddress
|
ListenAddress
|
||||||
Specifies the local addresses sshd(8) should listen on. The
|
Specifies the local addresses sshd(8) should listen on. The
|
||||||
following forms may be used:
|
following forms may be used:
|
||||||
Index: openssh-7.8p1/sshd_config.5
|
Index: openssh-7.9p1/sshd_config.5
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd_config.5
|
--- openssh-7.9p1.orig/sshd_config.5
|
||||||
+++ openssh-7.8p1/sshd_config.5
|
+++ openssh-7.9p1/sshd_config.5
|
||||||
@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel
|
@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q kex .
|
.Qq ssh -Q kex .
|
||||||
|
@ -3,10 +3,10 @@
|
|||||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||||
algorithms.
|
algorithms.
|
||||||
|
|
||||||
Index: openssh-7.8p1/Makefile.in
|
Index: openssh-7.9p1/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/Makefile.in
|
--- openssh-7.9p1.orig/Makefile.in
|
||||||
+++ openssh-7.8p1/Makefile.in
|
+++ openssh-7.9p1/Makefile.in
|
||||||
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||||
platform-pledge.o platform-tracing.o platform-misc.o
|
platform-pledge.o platform-tracing.o platform-misc.o
|
||||||
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
|
|||||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||||
sshconnect.o sshconnect2.o mux.o
|
sshconnect.o sshconnect2.o mux.o
|
||||||
|
|
||||||
Index: openssh-7.8p1/cipher-ctr.c
|
Index: openssh-7.9p1/cipher-ctr.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/cipher-ctr.c
|
--- openssh-7.9p1.orig/cipher-ctr.c
|
||||||
+++ openssh-7.8p1/cipher-ctr.c
|
+++ openssh-7.9p1/cipher-ctr.c
|
||||||
@@ -27,6 +27,8 @@
|
@@ -27,6 +27,8 @@
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -38,10 +38,10 @@ Index: openssh-7.8p1/cipher-ctr.c
|
|||||||
#endif
|
#endif
|
||||||
return (&aes_ctr);
|
return (&aes_ctr);
|
||||||
}
|
}
|
||||||
Index: openssh-7.8p1/cipher.c
|
Index: openssh-7.9p1/cipher.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/cipher.c
|
--- openssh-7.9p1.orig/cipher.c
|
||||||
+++ openssh-7.8p1/cipher.c
|
+++ openssh-7.9p1/cipher.c
|
||||||
@@ -51,6 +51,8 @@
|
@@ -51,6 +51,8 @@
|
||||||
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
@ -131,10 +131,10 @@ Index: openssh-7.8p1/cipher.c
|
|||||||
if (strcmp(c->name, name) == 0)
|
if (strcmp(c->name, name) == 0)
|
||||||
return c;
|
return c;
|
||||||
return NULL;
|
return NULL;
|
||||||
Index: openssh-7.8p1/dh.h
|
Index: openssh-7.9p1/dh.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/dh.h
|
--- openssh-7.9p1.orig/dh.h
|
||||||
+++ openssh-7.8p1/dh.h
|
+++ openssh-7.9p1/dh.h
|
||||||
@@ -52,6 +52,7 @@ u_int dh_estimate(int);
|
@@ -52,6 +52,7 @@ u_int dh_estimate(int);
|
||||||
*/
|
*/
|
||||||
#define DH_GRP_MIN_RFC 1024
|
#define DH_GRP_MIN_RFC 1024
|
||||||
@ -143,10 +143,10 @@ Index: openssh-7.8p1/dh.h
|
|||||||
#define DH_GRP_MAX 8192
|
#define DH_GRP_MAX 8192
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Index: openssh-7.8p1/fips.c
|
Index: openssh-7.9p1/fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ openssh-7.8p1/fips.c
|
+++ openssh-7.9p1/fips.c
|
||||||
@@ -0,0 +1,237 @@
|
@@ -0,0 +1,237 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||||
@ -385,10 +385,10 @@ Index: openssh-7.8p1/fips.c
|
|||||||
+ return dh;
|
+ return dh;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
Index: openssh-7.8p1/fips.h
|
Index: openssh-7.9p1/fips.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ openssh-7.8p1/fips.h
|
+++ openssh-7.9p1/fips.h
|
||||||
@@ -0,0 +1,45 @@
|
@@ -0,0 +1,45 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||||
@ -435,10 +435,10 @@ Index: openssh-7.8p1/fips.h
|
|||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
Index: openssh-7.8p1/hmac.c
|
Index: openssh-7.9p1/hmac.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/hmac.c
|
--- openssh-7.9p1.orig/hmac.c
|
||||||
+++ openssh-7.8p1/hmac.c
|
+++ openssh-7.9p1/hmac.c
|
||||||
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
|
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
|
||||||
size_t i;
|
size_t i;
|
||||||
u_char digest[16];
|
u_char digest[16];
|
||||||
@ -448,10 +448,10 @@ Index: openssh-7.8p1/hmac.c
|
|||||||
printf("ssh_hmac_start failed");
|
printf("ssh_hmac_start failed");
|
||||||
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
||||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||||
Index: openssh-7.8p1/kex.c
|
Index: openssh-7.9p1/kex.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kex.c
|
--- openssh-7.9p1.orig/kex.c
|
||||||
+++ openssh-7.8p1/kex.c
|
+++ openssh-7.9p1/kex.c
|
||||||
@@ -54,6 +54,8 @@
|
@@ -54,6 +54,8 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -547,11 +547,11 @@ Index: openssh-7.8p1/kex.c
|
|||||||
free(s);
|
free(s);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
Index: openssh-7.8p1/kexgexc.c
|
Index: openssh-7.9p1/kexgexc.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kexgexc.c
|
--- openssh-7.9p1.orig/kexgexc.c
|
||||||
+++ openssh-7.8p1/kexgexc.c
|
+++ openssh-7.9p1/kexgexc.c
|
||||||
@@ -51,8 +51,7 @@
|
@@ -53,8 +53,7 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
|
|
||||||
@ -561,7 +561,7 @@ Index: openssh-7.8p1/kexgexc.c
|
|||||||
|
|
||||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||||
@@ -66,7 +65,7 @@ kexgex_client(struct ssh *ssh)
|
@@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh)
|
||||||
|
|
||||||
nbits = dh_estimate(kex->dh_need * 8);
|
nbits = dh_estimate(kex->dh_need * 8);
|
||||||
|
|
||||||
@ -570,11 +570,11 @@ Index: openssh-7.8p1/kexgexc.c
|
|||||||
kex->max = DH_GRP_MAX;
|
kex->max = DH_GRP_MAX;
|
||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||||
Index: openssh-7.8p1/kexgexs.c
|
Index: openssh-7.9p1/kexgexs.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kexgexs.c
|
--- openssh-7.9p1.orig/kexgexs.c
|
||||||
+++ openssh-7.8p1/kexgexs.c
|
+++ openssh-7.9p1/kexgexs.c
|
||||||
@@ -54,8 +54,7 @@
|
@@ -56,8 +56,7 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
|
|
||||||
@ -584,7 +584,7 @@ Index: openssh-7.8p1/kexgexs.c
|
|||||||
|
|
||||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||||
@@ -85,9 +84,9 @@ input_kex_dh_gex_request(int type, u_int
|
@@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
|
||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
kex->min = min;
|
kex->min = min;
|
||||||
kex->max = max;
|
kex->max = max;
|
||||||
@ -596,10 +596,10 @@ Index: openssh-7.8p1/kexgexs.c
|
|||||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||||
|
|
||||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||||
Index: openssh-7.8p1/mac.c
|
Index: openssh-7.9p1/mac.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/mac.c
|
--- openssh-7.9p1.orig/mac.c
|
||||||
+++ openssh-7.8p1/mac.c
|
+++ openssh-7.9p1/mac.c
|
||||||
@@ -40,6 +40,9 @@
|
@@ -40,6 +40,9 @@
|
||||||
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
@ -679,11 +679,11 @@ Index: openssh-7.8p1/mac.c
|
|||||||
if (strcmp(name, m->name) != 0)
|
if (strcmp(name, m->name) != 0)
|
||||||
continue;
|
continue;
|
||||||
if (mac != NULL)
|
if (mac != NULL)
|
||||||
Index: openssh-7.8p1/myproposal.h
|
Index: openssh-7.9p1/myproposal.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/myproposal.h
|
--- openssh-7.9p1.orig/myproposal.h
|
||||||
+++ openssh-7.8p1/myproposal.h
|
+++ openssh-7.9p1/myproposal.h
|
||||||
@@ -141,6 +141,8 @@
|
@@ -151,6 +151,8 @@
|
||||||
|
|
||||||
#else /* WITH_OPENSSL */
|
#else /* WITH_OPENSSL */
|
||||||
|
|
||||||
@ -692,10 +692,10 @@ Index: openssh-7.8p1/myproposal.h
|
|||||||
#define KEX_SERVER_KEX \
|
#define KEX_SERVER_KEX \
|
||||||
"curve25519-sha256," \
|
"curve25519-sha256," \
|
||||||
"curve25519-sha256@libssh.org"
|
"curve25519-sha256@libssh.org"
|
||||||
Index: openssh-7.8p1/readconf.c
|
Index: openssh-7.9p1/readconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/readconf.c
|
--- openssh-7.9p1.orig/readconf.c
|
||||||
+++ openssh-7.8p1/readconf.c
|
+++ openssh-7.9p1/readconf.c
|
||||||
@@ -68,6 +68,7 @@
|
@@ -68,6 +68,7 @@
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -704,7 +704,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
|
|
||||||
/* Format of the configuration file:
|
/* Format of the configuration file:
|
||||||
|
|
||||||
@@ -1800,6 +1801,23 @@ option_clear_or_none(const char *o)
|
@@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o)
|
||||||
return o == NULL || strcasecmp(o, "none") == 0;
|
return o == NULL || strcasecmp(o, "none") == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -728,7 +728,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
/*
|
/*
|
||||||
* Initializes options to special values that indicate that they have not yet
|
* Initializes options to special values that indicate that they have not yet
|
||||||
* been set. Read_config_file will only set options with this value. Options
|
* been set. Read_config_file will only set options with this value. Options
|
||||||
@@ -1999,9 +2017,9 @@ fill_default_options(Options * options)
|
@@ -2025,9 +2043,9 @@ fill_default_options(Options * options)
|
||||||
if (options->number_of_password_prompts == -1)
|
if (options->number_of_password_prompts == -1)
|
||||||
options->number_of_password_prompts = 3;
|
options->number_of_password_prompts = 3;
|
||||||
if (options->kex_dhmin == -1)
|
if (options->kex_dhmin == -1)
|
||||||
@ -740,7 +740,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||||
}
|
}
|
||||||
dh_grp_min = options->kex_dhmin;
|
dh_grp_min = options->kex_dhmin;
|
||||||
@@ -2086,6 +2104,8 @@ fill_default_options(Options * options)
|
@@ -2112,6 +2130,8 @@ fill_default_options(Options * options)
|
||||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||||
if (options->fingerprint_hash == -1)
|
if (options->fingerprint_hash == -1)
|
||||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||||
@ -749,19 +749,19 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
if (options->update_hostkeys == -1)
|
if (options->update_hostkeys == -1)
|
||||||
options->update_hostkeys = 0;
|
options->update_hostkeys = 0;
|
||||||
|
|
||||||
@@ -2110,6 +2130,7 @@ fill_default_options(Options * options)
|
@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha
|
||||||
free(all_mac);
|
KEX_DEFAULT_PK_ALG, all_key) != 0)
|
||||||
free(all_kex);
|
fatal("%s: kex_assemble_names failed", __func__);
|
||||||
free(all_key);
|
free(all_key);
|
||||||
+ filter_fips_algorithms(options);
|
+ filter_fips_algorithms(options);
|
||||||
|
|
||||||
#define CLEAR_ON_NONE(v) \
|
/* Most interesting options first: user, host, port */
|
||||||
do { \
|
dump_cfg_string(oUser, o->user);
|
||||||
Index: openssh-7.8p1/readconf.h
|
Index: openssh-7.9p1/readconf.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/readconf.h
|
--- openssh-7.9p1.orig/readconf.h
|
||||||
+++ openssh-7.8p1/readconf.h
|
+++ openssh-7.9p1/readconf.h
|
||||||
@@ -197,6 +197,7 @@ typedef struct {
|
@@ -198,6 +198,7 @@ typedef struct {
|
||||||
#define SSH_STRICT_HOSTKEY_YES 2
|
#define SSH_STRICT_HOSTKEY_YES 2
|
||||||
#define SSH_STRICT_HOSTKEY_ASK 3
|
#define SSH_STRICT_HOSTKEY_ASK 3
|
||||||
|
|
||||||
@ -769,10 +769,10 @@ Index: openssh-7.8p1/readconf.h
|
|||||||
void initialize_options(Options *);
|
void initialize_options(Options *);
|
||||||
void fill_default_options(Options *);
|
void fill_default_options(Options *);
|
||||||
void fill_default_options_for_canonicalization(Options *);
|
void fill_default_options_for_canonicalization(Options *);
|
||||||
Index: openssh-7.8p1/servconf.c
|
Index: openssh-7.9p1/servconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/servconf.c
|
--- openssh-7.9p1.orig/servconf.c
|
||||||
+++ openssh-7.8p1/servconf.c
|
+++ openssh-7.9p1/servconf.c
|
||||||
@@ -65,6 +65,7 @@
|
@@ -65,6 +65,7 @@
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -781,7 +781,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
|
|
||||||
/* import from dh.c */
|
/* import from dh.c */
|
||||||
extern int dh_grp_min;
|
extern int dh_grp_min;
|
||||||
@@ -194,6 +195,23 @@ option_clear_or_none(const char *o)
|
@@ -195,6 +196,23 @@ option_clear_or_none(const char *o)
|
||||||
return o == NULL || strcasecmp(o, "none") == 0;
|
return o == NULL || strcasecmp(o, "none") == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -805,16 +805,16 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
static void
|
static void
|
||||||
assemble_algorithms(ServerOptions *o)
|
assemble_algorithms(ServerOptions *o)
|
||||||
{
|
{
|
||||||
@@ -220,6 +238,8 @@ assemble_algorithms(ServerOptions *o)
|
@@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o)
|
||||||
free(all_mac);
|
|
||||||
free(all_kex);
|
free(all_kex);
|
||||||
free(all_key);
|
free(all_key);
|
||||||
|
free(all_sig);
|
||||||
+
|
+
|
||||||
+ filter_fips_algorithms_s(o);
|
+ filter_fips_algorithms_s(o);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@@ -269,9 +289,9 @@ fill_default_server_options(ServerOption
|
@@ -273,9 +293,9 @@ fill_default_server_options(ServerOption
|
||||||
options->use_pam_check_locks = 0;
|
options->use_pam_check_locks = 0;
|
||||||
|
|
||||||
if (options->kex_dhmin == -1)
|
if (options->kex_dhmin == -1)
|
||||||
@ -826,7 +826,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||||
}
|
}
|
||||||
dh_grp_min = options->kex_dhmin;
|
dh_grp_min = options->kex_dhmin;
|
||||||
@@ -419,6 +439,8 @@ fill_default_server_options(ServerOption
|
@@ -423,6 +443,8 @@ fill_default_server_options(ServerOption
|
||||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||||
if (options->fingerprint_hash == -1)
|
if (options->fingerprint_hash == -1)
|
||||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||||
@ -835,10 +835,10 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
if (options->disable_forwarding == -1)
|
if (options->disable_forwarding == -1)
|
||||||
options->disable_forwarding = 0;
|
options->disable_forwarding = 0;
|
||||||
if (options->expose_userauth_info == -1)
|
if (options->expose_userauth_info == -1)
|
||||||
Index: openssh-7.8p1/ssh-keygen.c
|
Index: openssh-7.9p1/ssh-keygen.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh-keygen.c
|
--- openssh-7.9p1.orig/ssh-keygen.c
|
||||||
+++ openssh-7.8p1/ssh-keygen.c
|
+++ openssh-7.9p1/ssh-keygen.c
|
||||||
@@ -61,6 +61,8 @@
|
@@ -61,6 +61,8 @@
|
||||||
#include "utf8.h"
|
#include "utf8.h"
|
||||||
#include "authfd.h"
|
#include "authfd.h"
|
||||||
@ -848,7 +848,7 @@ Index: openssh-7.8p1/ssh-keygen.c
|
|||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
||||||
#else
|
#else
|
||||||
@@ -965,11 +967,13 @@ do_fingerprint(struct passwd *pw)
|
@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
|
||||||
static void
|
static void
|
||||||
do_gen_all_hostkeys(struct passwd *pw)
|
do_gen_all_hostkeys(struct passwd *pw)
|
||||||
{
|
{
|
||||||
@ -864,7 +864,7 @@ Index: openssh-7.8p1/ssh-keygen.c
|
|||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||||
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
||||||
@@ -984,6 +988,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||||
{ NULL, NULL, NULL }
|
{ NULL, NULL, NULL }
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -882,7 +882,7 @@ Index: openssh-7.8p1/ssh-keygen.c
|
|||||||
int first = 0;
|
int first = 0;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
struct sshkey *private, *public;
|
struct sshkey *private, *public;
|
||||||
@@ -991,6 +1006,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||||
int i, type, fd, r;
|
int i, type, fd, r;
|
||||||
FILE *f;
|
FILE *f;
|
||||||
|
|
||||||
@ -895,7 +895,7 @@ Index: openssh-7.8p1/ssh-keygen.c
|
|||||||
for (i = 0; key_types[i].key_type; i++) {
|
for (i = 0; key_types[i].key_type; i++) {
|
||||||
public = private = NULL;
|
public = private = NULL;
|
||||||
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
||||||
@@ -2727,6 +2748,15 @@ main(int argc, char **argv)
|
@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
|
||||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||||
|
|
||||||
type = sshkey_type_from_name(key_type_name);
|
type = sshkey_type_from_name(key_type_name);
|
||||||
@ -911,11 +911,11 @@ Index: openssh-7.8p1/ssh-keygen.c
|
|||||||
type_bits_valid(type, key_type_name, &bits);
|
type_bits_valid(type, key_type_name, &bits);
|
||||||
|
|
||||||
if (!quiet)
|
if (!quiet)
|
||||||
Index: openssh-7.8p1/ssh_config.0
|
Index: openssh-7.9p1/ssh_config.0
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh_config.0
|
--- openssh-7.9p1.orig/ssh_config.0
|
||||||
+++ openssh-7.8p1/ssh_config.0
|
+++ openssh-7.9p1/ssh_config.0
|
||||||
@@ -343,6 +343,9 @@ DESCRIPTION
|
@@ -353,6 +353,9 @@ DESCRIPTION
|
||||||
Specifies the hash algorithm used when displaying key
|
Specifies the hash algorithm used when displaying key
|
||||||
fingerprints. Valid options are: md5 and sha256 (the default).
|
fingerprints. Valid options are: md5 and sha256 (the default).
|
||||||
|
|
||||||
@ -925,7 +925,7 @@ Index: openssh-7.8p1/ssh_config.0
|
|||||||
ForwardAgent
|
ForwardAgent
|
||||||
Specifies whether the connection to the authentication agent (if
|
Specifies whether the connection to the authentication agent (if
|
||||||
any) will be forwarded to the remote machine. The argument must
|
any) will be forwarded to the remote machine. The argument must
|
||||||
@@ -612,6 +615,9 @@ DESCRIPTION
|
@@ -627,6 +630,9 @@ DESCRIPTION
|
||||||
resort and all efforts should be made to fix the (broken)
|
resort and all efforts should be made to fix the (broken)
|
||||||
counterparty.
|
counterparty.
|
||||||
|
|
||||||
@ -935,11 +935,11 @@ Index: openssh-7.8p1/ssh_config.0
|
|||||||
LocalCommand
|
LocalCommand
|
||||||
Specifies a command to execute on the local machine after
|
Specifies a command to execute on the local machine after
|
||||||
successfully connecting to the server. The command string
|
successfully connecting to the server. The command string
|
||||||
Index: openssh-7.8p1/ssh_config.5
|
Index: openssh-7.9p1/ssh_config.5
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh_config.5
|
--- openssh-7.9p1.orig/ssh_config.5
|
||||||
+++ openssh-7.8p1/ssh_config.5
|
+++ openssh-7.9p1/ssh_config.5
|
||||||
@@ -628,6 +628,8 @@ Valid options are:
|
@@ -642,6 +642,8 @@ Valid options are:
|
||||||
and
|
and
|
||||||
.Cm sha256
|
.Cm sha256
|
||||||
(the default).
|
(the default).
|
||||||
@ -948,7 +948,7 @@ Index: openssh-7.8p1/ssh_config.5
|
|||||||
.It Cm ForwardAgent
|
.It Cm ForwardAgent
|
||||||
Specifies whether the connection to the authentication agent (if any)
|
Specifies whether the connection to the authentication agent (if any)
|
||||||
will be forwarded to the remote machine.
|
will be forwarded to the remote machine.
|
||||||
@@ -1041,6 +1043,9 @@ maximum backward compatibility, using it
|
@@ -1063,6 +1065,9 @@ maximum backward compatibility, using it
|
||||||
security and thus should be viewed as a temporary fix of last
|
security and thus should be viewed as a temporary fix of last
|
||||||
resort and all efforts should be made to fix the (broken)
|
resort and all efforts should be made to fix the (broken)
|
||||||
counterparty.
|
counterparty.
|
||||||
@ -958,10 +958,10 @@ Index: openssh-7.8p1/ssh_config.5
|
|||||||
.It Cm LocalCommand
|
.It Cm LocalCommand
|
||||||
Specifies a command to execute on the local machine after successfully
|
Specifies a command to execute on the local machine after successfully
|
||||||
connecting to the server.
|
connecting to the server.
|
||||||
Index: openssh-7.8p1/sshd.c
|
Index: openssh-7.9p1/sshd.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd.c
|
--- openssh-7.9p1.orig/sshd.c
|
||||||
+++ openssh-7.8p1/sshd.c
|
+++ openssh-7.9p1/sshd.c
|
||||||
@@ -123,6 +123,8 @@
|
@@ -123,6 +123,8 @@
|
||||||
#include "version.h"
|
#include "version.h"
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
@ -971,11 +971,11 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
/* Re-exec fds */
|
/* Re-exec fds */
|
||||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||||
Index: openssh-7.8p1/sshd_config.0
|
Index: openssh-7.9p1/sshd_config.0
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd_config.0
|
--- openssh-7.9p1.orig/sshd_config.0
|
||||||
+++ openssh-7.8p1/sshd_config.0
|
+++ openssh-7.9p1/sshd_config.0
|
||||||
@@ -338,6 +338,9 @@ DESCRIPTION
|
@@ -348,6 +348,9 @@ DESCRIPTION
|
||||||
Specifies the hash algorithm used when logging key fingerprints.
|
Specifies the hash algorithm used when logging key fingerprints.
|
||||||
Valid options are: md5 and sha256. The default is sha256.
|
Valid options are: md5 and sha256. The default is sha256.
|
||||||
|
|
||||||
@ -985,7 +985,7 @@ Index: openssh-7.8p1/sshd_config.0
|
|||||||
ForceCommand
|
ForceCommand
|
||||||
Forces the execution of the command specified by ForceCommand,
|
Forces the execution of the command specified by ForceCommand,
|
||||||
ignoring any command supplied by the client and ~/.ssh/rc if
|
ignoring any command supplied by the client and ~/.ssh/rc if
|
||||||
@@ -562,6 +565,9 @@ DESCRIPTION
|
@@ -572,6 +575,9 @@ DESCRIPTION
|
||||||
resort and all efforts should be made to fix the (broken)
|
resort and all efforts should be made to fix the (broken)
|
||||||
counterparty.
|
counterparty.
|
||||||
|
|
||||||
@ -995,11 +995,11 @@ Index: openssh-7.8p1/sshd_config.0
|
|||||||
ListenAddress
|
ListenAddress
|
||||||
Specifies the local addresses sshd(8) should listen on. The
|
Specifies the local addresses sshd(8) should listen on. The
|
||||||
following forms may be used:
|
following forms may be used:
|
||||||
Index: openssh-7.8p1/sshd_config.5
|
Index: openssh-7.9p1/sshd_config.5
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd_config.5
|
--- openssh-7.9p1.orig/sshd_config.5
|
||||||
+++ openssh-7.8p1/sshd_config.5
|
+++ openssh-7.9p1/sshd_config.5
|
||||||
@@ -592,6 +592,8 @@ and
|
@@ -603,6 +603,8 @@ and
|
||||||
.Cm sha256 .
|
.Cm sha256 .
|
||||||
The default is
|
The default is
|
||||||
.Cm sha256 .
|
.Cm sha256 .
|
||||||
|
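Review bot: In the refreshed readconf.c hunk (`@ -749,19 +749,19 @@ Index: openssh-7.8p1/readconf.c`) the added line `+ filter_fips_algorithms(options);` has moved from `fill_default_options` (old header `@@ -2110,6 +2130,7 @@ fill_default_options(Options * options)`) into `dump_client_config` (new header `@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha`), so after the rebase the FIPS algorithm filter would run only on the `ssh -G` config-dump path and no longer where the client's default algorithm lists are assembled. The surrounding context suggests the hunk was relocated by fuzz: the old anchor `free(all_kex); free(all_key);` followed by `#define CLEAR_ON_NONE` no longer matched (7.9p1 apparently frees an additional list, compare the `free(all_sig);` context in the servconf.c hunk at `@ -805,16 +805,16 @@`), and the nearest `free(all_key);` was in the dump function. Inside `dump_client_config` the options struct is the parameter `o`, so `filter_fips_algorithms(options)` either fails to compile or filters a different object than the one being dumped; which of the two I cannot tell from here. The hunk should be re-anchored after the final `free()` calls of 7.9p1's `fill_default_options`, keeping `filter_fips_algorithms(options);` unchanged, and the server side in `assemble_algorithms` (which this refresh does place correctly) can serve as the reference; both enclosing functions start and end outside the hunk.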
@ -1,10 +1,10 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 6a2300496d25e85647e718287d4d9f37170f492a
|
# Parent 6a2300496d25e85647e718287d4d9f37170f492a
|
||||||
|
|
||||||
Index: openssh-7.8p1/Makefile.in
|
Index: openssh-7.9p1/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/Makefile.in
|
--- openssh-7.9p1.orig/Makefile.in
|
||||||
+++ openssh-7.8p1/Makefile.in
|
+++ openssh-7.9p1/Makefile.in
|
||||||
@@ -108,6 +108,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -108,6 +108,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
|
|
||||||
LIBSSH_OBJS += fips.o
|
LIBSSH_OBJS += fips.o
|
||||||
@ -14,10 +14,10 @@ Index: openssh-7.8p1/Makefile.in
|
|||||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||||
sshconnect.o sshconnect2.o mux.o
|
sshconnect.o sshconnect2.o mux.o
|
||||||
|
|
||||||
Index: openssh-7.8p1/auth-krb5.c
|
Index: openssh-7.9p1/auth-krb5.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth-krb5.c
|
--- openssh-7.9p1.orig/auth-krb5.c
|
||||||
+++ openssh-7.8p1/auth-krb5.c
|
+++ openssh-7.9p1/auth-krb5.c
|
||||||
@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
|
|
||||||
len = strlen(authctxt->krb5_ticket_file) + 6;
|
len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||||
@ -60,11 +60,11 @@ Index: openssh-7.8p1/auth-krb5.c
|
|||||||
|
|
||||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
}
|
}
|
||||||
Index: openssh-7.8p1/auth.c
|
Index: openssh-7.9p1/auth.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth.c
|
--- openssh-7.9p1.orig/auth.c
|
||||||
+++ openssh-7.8p1/auth.c
|
+++ openssh-7.9p1/auth.c
|
||||||
@@ -395,6 +395,7 @@ auth_root_allowed(struct ssh *ssh, const
|
@@ -399,6 +399,7 @@ auth_root_allowed(struct ssh *ssh, const
|
||||||
case PERMIT_NO_PASSWD:
|
case PERMIT_NO_PASSWD:
|
||||||
if (strcmp(method, "publickey") == 0 ||
|
if (strcmp(method, "publickey") == 0 ||
|
||||||
strcmp(method, "hostbased") == 0 ||
|
strcmp(method, "hostbased") == 0 ||
|
||||||
@ -72,10 +72,10 @@ Index: openssh-7.8p1/auth.c
|
|||||||
strcmp(method, "gssapi-with-mic") == 0)
|
strcmp(method, "gssapi-with-mic") == 0)
|
||||||
return 1;
|
return 1;
|
||||||
break;
|
break;
|
||||||
Index: openssh-7.8p1/auth2-gss.c
|
Index: openssh-7.9p1/auth2-gss.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth2-gss.c
|
--- openssh-7.9p1.orig/auth2-gss.c
|
||||||
+++ openssh-7.8p1/auth2-gss.c
|
+++ openssh-7.9p1/auth2-gss.c
|
||||||
@@ -31,6 +31,7 @@
|
@@ -31,6 +31,7 @@
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
@ -162,10 +162,10 @@ Index: openssh-7.8p1/auth2-gss.c
|
|||||||
Authmethod method_gssapi = {
|
Authmethod method_gssapi = {
|
||||||
"gssapi-with-mic",
|
"gssapi-with-mic",
|
||||||
userauth_gssapi,
|
userauth_gssapi,
|
||||||
Index: openssh-7.8p1/auth2.c
|
Index: openssh-7.9p1/auth2.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/auth2.c
|
--- openssh-7.9p1.orig/auth2.c
|
||||||
+++ openssh-7.8p1/auth2.c
|
+++ openssh-7.9p1/auth2.c
|
||||||
@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
|
@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
|
||||||
extern Authmethod method_kbdint;
|
extern Authmethod method_kbdint;
|
||||||
extern Authmethod method_hostbased;
|
extern Authmethod method_hostbased;
|
||||||
@ -182,10 +182,10 @@ Index: openssh-7.8p1/auth2.c
|
|||||||
&method_gssapi,
|
&method_gssapi,
|
||||||
#endif
|
#endif
|
||||||
&method_passwd,
|
&method_passwd,
|
||||||
Index: openssh-7.8p1/clientloop.c
|
Index: openssh-7.9p1/clientloop.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/clientloop.c
|
--- openssh-7.9p1.orig/clientloop.c
|
||||||
+++ openssh-7.8p1/clientloop.c
|
+++ openssh-7.9p1/clientloop.c
|
||||||
@@ -112,6 +112,10 @@
|
@@ -112,6 +112,10 @@
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
@ -197,7 +197,7 @@ Index: openssh-7.8p1/clientloop.c
|
|||||||
/* import options */
|
/* import options */
|
||||||
extern Options options;
|
extern Options options;
|
||||||
|
|
||||||
@@ -1357,9 +1361,18 @@ client_loop(struct ssh *ssh, int have_pt
|
@@ -1370,9 +1374,18 @@ client_loop(struct ssh *ssh, int have_pt
|
||||||
break;
|
break;
|
||||||
|
|
||||||
/* Do channel operations unless rekeying in progress. */
|
/* Do channel operations unless rekeying in progress. */
|
||||||
@ -217,11 +217,11 @@ Index: openssh-7.8p1/clientloop.c
|
|||||||
/* Buffer input from the connection. */
|
/* Buffer input from the connection. */
|
||||||
client_process_net_input(readset);
|
client_process_net_input(readset);
|
||||||
|
|
||||||
Index: openssh-7.8p1/configure.ac
|
Index: openssh-7.9p1/configure.ac
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/configure.ac
|
--- openssh-7.9p1.orig/configure.ac
|
||||||
+++ openssh-7.8p1/configure.ac
|
+++ openssh-7.9p1/configure.ac
|
||||||
@@ -673,6 +673,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||||
[Use tunnel device compatibility to OpenBSD])
|
[Use tunnel device compatibility to OpenBSD])
|
||||||
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
||||||
[Prepend the address family to IP tunnel traffic])
|
[Prepend the address family to IP tunnel traffic])
|
||||||
@ -252,7 +252,7 @@ Index: openssh-7.8p1/configure.ac
|
|||||||
m4_pattern_allow([AU_IPv])
|
m4_pattern_allow([AU_IPv])
|
||||||
AC_CHECK_DECL([AU_IPv4], [],
|
AC_CHECK_DECL([AU_IPv4], [],
|
||||||
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
|
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
|
||||||
@@ -1853,9 +1877,9 @@ AC_RUN_IFELSE(
|
@@ -1844,9 +1868,9 @@ AC_RUN_IFELSE(
|
||||||
)
|
)
|
||||||
|
|
||||||
AC_LINK_IFELSE(
|
AC_LINK_IFELSE(
|
||||||
@ -265,7 +265,7 @@ Index: openssh-7.8p1/configure.ac
|
|||||||
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
|
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
|
||||||
])
|
])
|
||||||
|
|
||||||
@@ -2161,7 +2185,7 @@ int snprintf(char *a, size_t b, const ch
|
@@ -2175,7 +2199,7 @@ int snprintf(char *a, size_t b, const ch
|
||||||
]])],
|
]])],
|
||||||
[AC_MSG_RESULT([yes])
|
[AC_MSG_RESULT([yes])
|
||||||
AC_DEFINE([SNPRINTF_CONST], [const],
|
AC_DEFINE([SNPRINTF_CONST], [const],
|
||||||
@ -274,7 +274,7 @@ Index: openssh-7.8p1/configure.ac
|
|||||||
[AC_MSG_RESULT([no])
|
[AC_MSG_RESULT([no])
|
||||||
AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
|
AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
|
||||||
|
|
||||||
@@ -2176,7 +2200,7 @@ if test "x$ac_cv_func_getpeereid" != "xy
|
@@ -2190,7 +2214,7 @@ if test "x$ac_cv_func_getpeereid" != "xy
|
||||||
AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
|
AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
|
||||||
], [AC_MSG_RESULT([no])
|
], [AC_MSG_RESULT([no])
|
||||||
NO_PEERCHECK=1
|
NO_PEERCHECK=1
|
||||||
@ -283,23 +283,7 @@ Index: openssh-7.8p1/configure.ac
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
dnl see whether mkstemp() requires XXXXXX
|
dnl see whether mkstemp() requires XXXXXX
|
||||||
@@ -2600,12 +2624,12 @@ if test "x$openssl" = "xyes" ; then
|
@@ -4601,7 +4625,7 @@ AC_ARG_WITH([maildir],
|
||||||
case "$ssl_library_ver" in
|
|
||||||
10000*|0*)
|
|
||||||
AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
|
|
||||||
- ;;
|
|
||||||
+ ;;
|
|
||||||
100*) ;; # 1.0.x
|
|
||||||
200*) ;; # LibreSSL
|
|
||||||
- *)
|
|
||||||
+ *)
|
|
||||||
AC_MSG_ERROR([OpenSSL >= 1.1.0 is not yet supported (have "$ssl_library_ver")])
|
|
||||||
- ;;
|
|
||||||
+ ;;
|
|
||||||
esac
|
|
||||||
AC_MSG_RESULT([$ssl_library_ver])
|
|
||||||
],
|
|
||||||
@@ -4473,7 +4497,7 @@ AC_ARG_WITH([maildir],
|
|
||||||
if test "X$withval" != X && test "x$withval" != xno && \
|
if test "X$withval" != X && test "x$withval" != xno && \
|
||||||
test "x${withval}" != xyes; then
|
test "x${withval}" != xyes; then
|
||||||
AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
|
AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
|
||||||
@ -308,10 +292,10 @@ Index: openssh-7.8p1/configure.ac
|
|||||||
fi
|
fi
|
||||||
],[
|
],[
|
||||||
if test "X$maildir" != "X"; then
|
if test "X$maildir" != "X"; then
|
||||||
Index: openssh-7.8p1/gss-genr.c
|
Index: openssh-7.9p1/gss-genr.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/gss-genr.c
|
--- openssh-7.9p1.orig/gss-genr.c
|
||||||
+++ openssh-7.8p1/gss-genr.c
|
+++ openssh-7.9p1/gss-genr.c
|
||||||
@@ -41,12 +41,169 @@
|
@@ -41,12 +41,169 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -657,10 +641,10 @@ Index: openssh-7.8p1/gss-genr.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
Index: openssh-7.8p1/gss-serv-krb5.c
|
Index: openssh-7.9p1/gss-serv-krb5.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/gss-serv-krb5.c
|
--- openssh-7.9p1.orig/gss-serv-krb5.c
|
||||||
+++ openssh-7.8p1/gss-serv-krb5.c
|
+++ openssh-7.9p1/gss-serv-krb5.c
|
||||||
@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
krb5_error_code problem;
|
krb5_error_code problem;
|
||||||
krb5_principal princ;
|
krb5_principal princ;
|
||||||
@ -788,10 +772,10 @@ Index: openssh-7.8p1/gss-serv-krb5.c
|
|||||||
};
|
};
|
||||||
|
|
||||||
#endif /* KRB5 */
|
#endif /* KRB5 */
|
||||||
Index: openssh-7.8p1/gss-serv.c
|
Index: openssh-7.9p1/gss-serv.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/gss-serv.c
|
--- openssh-7.9p1.orig/gss-serv.c
|
||||||
+++ openssh-7.8p1/gss-serv.c
|
+++ openssh-7.9p1/gss-serv.c
|
||||||
@@ -44,17 +44,19 @@
|
@@ -44,17 +44,19 @@
|
||||||
#include "session.h"
|
#include "session.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
@ -1073,10 +1057,10 @@ Index: openssh-7.8p1/gss-serv.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Privileged */
|
/* Privileged */
|
||||||
Index: openssh-7.8p1/kex.c
|
Index: openssh-7.9p1/kex.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kex.c
|
--- openssh-7.9p1.orig/kex.c
|
||||||
+++ openssh-7.8p1/kex.c
|
+++ openssh-7.9p1/kex.c
|
||||||
@@ -56,6 +56,10 @@
|
@@ -56,6 +56,10 @@
|
||||||
|
|
||||||
#include "fips.h"
|
#include "fips.h"
|
||||||
@ -1124,10 +1108,10 @@ Index: openssh-7.8p1/kex.c
|
|||||||
}
|
}
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
Index: openssh-7.8p1/kex.h
|
Index: openssh-7.9p1/kex.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/kex.h
|
--- openssh-7.9p1.orig/kex.h
|
||||||
+++ openssh-7.8p1/kex.h
|
+++ openssh-7.9p1/kex.h
|
||||||
@@ -100,6 +100,11 @@ enum kex_exchange {
|
@@ -100,6 +100,11 @@ enum kex_exchange {
|
||||||
KEX_DH_GEX_SHA256,
|
KEX_DH_GEX_SHA256,
|
||||||
KEX_ECDH_SHA2,
|
KEX_ECDH_SHA2,
|
||||||
@ -1164,10 +1148,10 @@ Index: openssh-7.8p1/kex.h
|
|||||||
|
|
||||||
int kex_dh_hash(int, const char *, const char *,
|
int kex_dh_hash(int, const char *, const char *,
|
||||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||||
Index: openssh-7.8p1/kexgssc.c
|
Index: openssh-7.9p1/kexgssc.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ openssh-7.8p1/kexgssc.c
|
+++ openssh-7.9p1/kexgssc.c
|
||||||
@@ -0,0 +1,348 @@
|
@@ -0,0 +1,348 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
@ -1517,10 +1501,10 @@ Index: openssh-7.8p1/kexgssc.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif /* GSSAPI */
|
+#endif /* GSSAPI */
|
||||||
Index: openssh-7.8p1/kexgsss.c
|
Index: openssh-7.9p1/kexgsss.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ openssh-7.8p1/kexgsss.c
|
+++ openssh-7.9p1/kexgsss.c
|
||||||
@@ -0,0 +1,307 @@
|
@@ -0,0 +1,307 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
@ -1829,11 +1813,11 @@ Index: openssh-7.8p1/kexgsss.c
|
|||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
+#endif /* GSSAPI */
|
+#endif /* GSSAPI */
|
||||||
Index: openssh-7.8p1/monitor.c
|
Index: openssh-7.9p1/monitor.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/monitor.c
|
--- openssh-7.9p1.orig/monitor.c
|
||||||
+++ openssh-7.8p1/monitor.c
|
+++ openssh-7.9p1/monitor.c
|
||||||
@@ -143,6 +143,8 @@ int mm_answer_gss_setup_ctx(int, struct
|
@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(int, struct
|
||||||
int mm_answer_gss_accept_ctx(int, struct sshbuf *);
|
int mm_answer_gss_accept_ctx(int, struct sshbuf *);
|
||||||
int mm_answer_gss_userok(int, struct sshbuf *);
|
int mm_answer_gss_userok(int, struct sshbuf *);
|
||||||
int mm_answer_gss_checkmic(int, struct sshbuf *);
|
int mm_answer_gss_checkmic(int, struct sshbuf *);
|
||||||
@ -1842,7 +1826,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
@@ -213,6 +215,7 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -215,6 +217,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
|
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
|
||||||
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
|
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
|
||||||
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
|
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
|
||||||
@ -1850,7 +1834,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -229,6 +232,12 @@ struct mon_table mon_dispatch_postauth20
|
@@ -231,6 +234,12 @@ struct mon_table mon_dispatch_postauth20
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||||
#endif
|
#endif
|
||||||
@ -1863,7 +1847,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -287,7 +296,10 @@ monitor_child_preauth(Authctxt *_authctx
|
@@ -289,7 +298,10 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
/* Permit requests for moduli and signatures */
|
/* Permit requests for moduli and signatures */
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||||
@ -1875,7 +1859,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
/* The first few requests do not require asynchronous access */
|
/* The first few requests do not require asynchronous access */
|
||||||
while (!authenticated) {
|
while (!authenticated) {
|
||||||
partial = 0;
|
partial = 0;
|
||||||
@@ -399,6 +411,10 @@ monitor_child_postauth(struct monitor *p
|
@@ -401,6 +413,10 @@ monitor_child_postauth(struct monitor *p
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||||
@ -1886,7 +1870,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
|
|
||||||
if (auth_opts->permit_pty_flag) {
|
if (auth_opts->permit_pty_flag) {
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
||||||
@@ -605,7 +621,7 @@ mm_answer_moduli(int sock, struct sshbuf
|
@@ -609,7 +625,7 @@ mm_answer_moduli(int sock, struct sshbuf
|
||||||
int
|
int
|
||||||
mm_answer_sign(int sock, struct sshbuf *m)
|
mm_answer_sign(int sock, struct sshbuf *m)
|
||||||
{
|
{
|
||||||
@ -1895,7 +1879,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
extern int auth_sock; /* XXX move to state struct? */
|
extern int auth_sock; /* XXX move to state struct? */
|
||||||
struct sshkey *key;
|
struct sshkey *key;
|
||||||
struct sshbuf *sigbuf = NULL;
|
struct sshbuf *sigbuf = NULL;
|
||||||
@@ -1643,7 +1659,7 @@ monitor_apply_keystate(struct monitor *p
|
@@ -1647,7 +1663,7 @@ monitor_apply_keystate(struct monitor *p
|
||||||
|
|
||||||
debug3("%s: packet_set_state", __func__);
|
debug3("%s: packet_set_state", __func__);
|
||||||
if ((r = ssh_packet_set_state(ssh, child_state)) != 0)
|
if ((r = ssh_packet_set_state(ssh, child_state)) != 0)
|
||||||
@ -1904,7 +1888,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
sshbuf_free(child_state);
|
sshbuf_free(child_state);
|
||||||
child_state = NULL;
|
child_state = NULL;
|
||||||
|
|
||||||
@@ -1662,6 +1678,13 @@ monitor_apply_keystate(struct monitor *p
|
@@ -1666,6 +1682,13 @@ monitor_apply_keystate(struct monitor *p
|
||||||
# endif
|
# endif
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
||||||
@ -1918,7 +1902,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||||
kex->load_host_private_key=&get_hostkey_private_by_type;
|
kex->load_host_private_key=&get_hostkey_private_by_type;
|
||||||
kex->host_key_index=&get_hostkey_index;
|
kex->host_key_index=&get_hostkey_index;
|
||||||
@@ -1752,8 +1775,8 @@ mm_answer_gss_setup_ctx(int sock, struct
|
@@ -1756,8 +1779,8 @@ mm_answer_gss_setup_ctx(int sock, struct
|
||||||
u_char *p;
|
u_char *p;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
@ -1929,7 +1913,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
|
|
||||||
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
@@ -1785,7 +1808,7 @@ mm_answer_gss_accept_ctx(int sock, struc
|
@@ -1789,7 +1812,7 @@ mm_answer_gss_accept_ctx(int sock, struc
|
||||||
OM_uint32 flags = 0; /* GSI needs this */
|
OM_uint32 flags = 0; /* GSI needs this */
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
@ -1938,7 +1922,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
fatal("%s: GSSAPI authentication not enabled", __func__);
|
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
||||||
@@ -1806,6 +1829,7 @@ mm_answer_gss_accept_ctx(int sock, struc
|
@@ -1810,6 +1833,7 @@ mm_answer_gss_accept_ctx(int sock, struc
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||||
@ -1946,7 +1930,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
}
|
}
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
@@ -1817,7 +1841,7 @@ mm_answer_gss_checkmic(int sock, struct
|
@@ -1821,7 +1845,7 @@ mm_answer_gss_checkmic(int sock, struct
|
||||||
OM_uint32 ret;
|
OM_uint32 ret;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
@ -1955,7 +1939,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
fatal("%s: GSSAPI authentication not enabled", __func__);
|
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
||||||
@@ -1847,10 +1871,11 @@ mm_answer_gss_userok(int sock, struct ss
|
@@ -1851,10 +1875,11 @@ mm_answer_gss_userok(int sock, struct ss
|
||||||
int r, authenticated;
|
int r, authenticated;
|
||||||
const char *displayname;
|
const char *displayname;
|
||||||
|
|
||||||
@ -1969,7 +1953,7 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
|
|
||||||
sshbuf_reset(m);
|
sshbuf_reset(m);
|
||||||
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
||||||
@@ -1867,5 +1892,73 @@ mm_answer_gss_userok(int sock, struct ss
|
@@ -1871,5 +1896,73 @@ mm_answer_gss_userok(int sock, struct ss
|
||||||
/* Monitor loop will terminate if authenticated */
|
/* Monitor loop will terminate if authenticated */
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
@ -2044,10 +2028,10 @@ Index: openssh-7.8p1/monitor.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif /* GSSAPI */
|
+#endif /* GSSAPI */
|
||||||
Index: openssh-7.8p1/monitor.h
|
Index: openssh-7.9p1/monitor.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/monitor.h
|
--- openssh-7.9p1.orig/monitor.h
|
||||||
+++ openssh-7.8p1/monitor.h
|
+++ openssh-7.9p1/monitor.h
|
||||||
@@ -63,6 +63,9 @@ enum monitor_reqtype {
|
@@ -63,6 +63,9 @@ enum monitor_reqtype {
|
||||||
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
|
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
|
||||||
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
|
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
|
||||||
@ -2058,10 +2042,10 @@ Index: openssh-7.8p1/monitor.h
|
|||||||
};
|
};
|
||||||
|
|
||||||
struct monitor {
|
struct monitor {
|
||||||
Index: openssh-7.8p1/monitor_wrap.c
|
Index: openssh-7.9p1/monitor_wrap.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/monitor_wrap.c
|
--- openssh-7.9p1.orig/monitor_wrap.c
|
||||||
+++ openssh-7.8p1/monitor_wrap.c
|
+++ openssh-7.9p1/monitor_wrap.c
|
||||||
@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2124,10 +2108,10 @@ Index: openssh-7.8p1/monitor_wrap.c
|
|||||||
+ return (ok);
|
+ return (ok);
|
||||||
+}
|
+}
|
||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
Index: openssh-7.8p1/monitor_wrap.h
|
Index: openssh-7.9p1/monitor_wrap.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/monitor_wrap.h
|
--- openssh-7.9p1.orig/monitor_wrap.h
|
||||||
+++ openssh-7.8p1/monitor_wrap.h
|
+++ openssh-7.9p1/monitor_wrap.h
|
||||||
@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey
|
@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey
|
||||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||||
@ -2140,10 +2124,10 @@ Index: openssh-7.8p1/monitor_wrap.h
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
Index: openssh-7.8p1/readconf.c
|
Index: openssh-7.9p1/readconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/readconf.c
|
--- openssh-7.9p1.orig/readconf.c
|
||||||
+++ openssh-7.8p1/readconf.c
|
+++ openssh-7.9p1/readconf.c
|
||||||
@@ -163,6 +163,8 @@ typedef enum {
|
@@ -163,6 +163,8 @@ typedef enum {
|
||||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||||
@ -2174,7 +2158,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef ENABLE_PKCS11
|
#ifdef ENABLE_PKCS11
|
||||||
{ "smartcarddevice", oPKCS11Provider },
|
{ "smartcarddevice", oPKCS11Provider },
|
||||||
@@ -979,10 +991,30 @@ parse_time:
|
@@ -980,10 +992,30 @@ parse_time:
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -2205,7 +2189,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
case oBatchMode:
|
case oBatchMode:
|
||||||
intptr = &options->batch_mode;
|
intptr = &options->batch_mode;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -1844,7 +1876,12 @@ initialize_options(Options * options)
|
@@ -1869,7 +1901,12 @@ initialize_options(Options * options)
|
||||||
options->pubkey_authentication = -1;
|
options->pubkey_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
options->gss_authentication = -1;
|
options->gss_authentication = -1;
|
||||||
@ -2218,7 +2202,7 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->kbd_interactive_devices = NULL;
|
options->kbd_interactive_devices = NULL;
|
||||||
@@ -1990,8 +2027,14 @@ fill_default_options(Options * options)
|
@@ -2016,8 +2053,14 @@ fill_default_options(Options * options)
|
||||||
options->challenge_response_authentication = 1;
|
options->challenge_response_authentication = 1;
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
@ -2233,10 +2217,10 @@ Index: openssh-7.8p1/readconf.c
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
Index: openssh-7.8p1/readconf.h
|
Index: openssh-7.9p1/readconf.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/readconf.h
|
--- openssh-7.9p1.orig/readconf.h
|
||||||
+++ openssh-7.8p1/readconf.h
|
+++ openssh-7.9p1/readconf.h
|
||||||
@@ -40,7 +40,12 @@ typedef struct {
|
@@ -40,7 +40,12 @@ typedef struct {
|
||||||
int challenge_response_authentication;
|
int challenge_response_authentication;
|
||||||
/* Try S/Key or TIS, authentication. */
|
/* Try S/Key or TIS, authentication. */
|
||||||
@ -2250,10 +2234,10 @@ Index: openssh-7.8p1/readconf.h
|
|||||||
int password_authentication; /* Try password
|
int password_authentication; /* Try password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||||
Index: openssh-7.8p1/regress/cert-hostkey.sh
|
Index: openssh-7.9p1/regress/cert-hostkey.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/regress/cert-hostkey.sh
|
--- openssh-7.9p1.orig/regress/cert-hostkey.sh
|
||||||
+++ openssh-7.8p1/regress/cert-hostkey.sh
|
+++ openssh-7.9p1/regress/cert-hostkey.sh
|
||||||
@@ -66,7 +66,7 @@ touch $OBJ/host_revoked_plain
|
@@ -66,7 +66,7 @@ touch $OBJ/host_revoked_plain
|
||||||
touch $OBJ/host_revoked_cert
|
touch $OBJ/host_revoked_cert
|
||||||
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
|
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
|
||||||
@ -2263,10 +2247,10 @@ Index: openssh-7.8p1/regress/cert-hostkey.sh
|
|||||||
|
|
||||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||||
Index: openssh-7.8p1/regress/cert-userkey.sh
|
Index: openssh-7.9p1/regress/cert-userkey.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/regress/cert-userkey.sh
|
--- openssh-7.9p1.orig/regress/cert-userkey.sh
|
||||||
+++ openssh-7.8p1/regress/cert-userkey.sh
|
+++ openssh-7.9p1/regress/cert-userkey.sh
|
||||||
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
|
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
|
||||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||||
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||||
@ -2276,10 +2260,10 @@ Index: openssh-7.8p1/regress/cert-userkey.sh
|
|||||||
EXTRA_TYPES=""
|
EXTRA_TYPES=""
|
||||||
|
|
||||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||||
Index: openssh-7.8p1/regress/kextype.sh
|
Index: openssh-7.9p1/regress/kextype.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/regress/kextype.sh
|
--- openssh-7.9p1.orig/regress/kextype.sh
|
||||||
+++ openssh-7.8p1/regress/kextype.sh
|
+++ openssh-7.9p1/regress/kextype.sh
|
||||||
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
|
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
|
||||||
|
|
||||||
tries="1 2 3 4"
|
tries="1 2 3 4"
|
||||||
@ -2290,10 +2274,10 @@ Index: openssh-7.8p1/regress/kextype.sh
|
|||||||
verbose "kex $k"
|
verbose "kex $k"
|
||||||
for i in $tries; do
|
for i in $tries; do
|
||||||
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
|
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
|
||||||
Index: openssh-7.8p1/regress/rekey.sh
|
Index: openssh-7.9p1/regress/rekey.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/regress/rekey.sh
|
--- openssh-7.9p1.orig/regress/rekey.sh
|
||||||
+++ openssh-7.8p1/regress/rekey.sh
|
+++ openssh-7.9p1/regress/rekey.sh
|
||||||
@@ -38,6 +38,9 @@ increase_datafile_size 300
|
@@ -38,6 +38,9 @@ increase_datafile_size 300
|
||||||
|
|
||||||
opts=""
|
opts=""
|
||||||
@ -2314,10 +2298,10 @@ Index: openssh-7.8p1/regress/rekey.sh
|
|||||||
verbose "client rekey $c $kex"
|
verbose "client rekey $c $kex"
|
||||||
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
|
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
|
||||||
done
|
done
|
||||||
Index: openssh-7.8p1/servconf.c
|
Index: openssh-7.9p1/servconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/servconf.c
|
--- openssh-7.9p1.orig/servconf.c
|
||||||
+++ openssh-7.8p1/servconf.c
|
+++ openssh-7.9p1/servconf.c
|
||||||
@@ -130,8 +130,10 @@ initialize_server_options(ServerOptions
|
@@ -130,8 +130,10 @@ initialize_server_options(ServerOptions
|
||||||
options->kerberos_ticket_cleanup = -1;
|
options->kerberos_ticket_cleanup = -1;
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
@ -2329,7 +2313,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
@@ -369,10 +371,14 @@ fill_default_server_options(ServerOption
|
@@ -373,10 +375,14 @@ fill_default_server_options(ServerOption
|
||||||
options->kerberos_get_afs_token = 0;
|
options->kerberos_get_afs_token = 0;
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
@ -2344,7 +2328,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -519,6 +525,7 @@ typedef enum {
|
@@ -523,6 +529,7 @@ typedef enum {
|
||||||
sHostKeyAlgorithms,
|
sHostKeyAlgorithms,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
@ -2352,7 +2336,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
@@ -596,11 +603,17 @@ static struct {
|
@@ -600,11 +607,17 @@ static struct {
|
||||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||||
@ -2370,7 +2354,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||||
@@ -1503,6 +1516,10 @@ process_server_config_line(ServerOptions
|
@@ -1512,6 +1525,10 @@ process_server_config_line(ServerOptions
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -2381,7 +2365,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
case sGssCleanupCreds:
|
case sGssCleanupCreds:
|
||||||
intptr = &options->gss_cleanup_creds;
|
intptr = &options->gss_cleanup_creds;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -1511,6 +1528,10 @@ process_server_config_line(ServerOptions
|
@@ -1520,6 +1537,10 @@ process_server_config_line(ServerOptions
|
||||||
intptr = &options->gss_strict_acceptor;
|
intptr = &options->gss_strict_acceptor;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -2392,7 +2376,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
case sPasswordAuthentication:
|
case sPasswordAuthentication:
|
||||||
intptr = &options->password_authentication;
|
intptr = &options->password_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -2304,6 +2325,10 @@ copy_set_server_options(ServerOptions *d
|
@@ -2313,6 +2334,10 @@ copy_set_server_options(ServerOptions *d
|
||||||
|
|
||||||
M_CP_INTOPT(password_authentication);
|
M_CP_INTOPT(password_authentication);
|
||||||
M_CP_INTOPT(gss_authentication);
|
M_CP_INTOPT(gss_authentication);
|
||||||
@ -2403,7 +2387,7 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
M_CP_INTOPT(pubkey_authentication);
|
M_CP_INTOPT(pubkey_authentication);
|
||||||
M_CP_INTOPT(kerberos_authentication);
|
M_CP_INTOPT(kerberos_authentication);
|
||||||
M_CP_INTOPT(hostbased_authentication);
|
M_CP_INTOPT(hostbased_authentication);
|
||||||
@@ -2600,7 +2625,10 @@ dump_config(ServerOptions *o)
|
@@ -2609,7 +2634,10 @@ dump_config(ServerOptions *o)
|
||||||
#endif
|
#endif
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||||
@ -2414,10 +2398,10 @@ Index: openssh-7.8p1/servconf.c
|
|||||||
#endif
|
#endif
|
||||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||||
Index: openssh-7.8p1/servconf.h
|
Index: openssh-7.9p1/servconf.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/servconf.h
|
--- openssh-7.9p1.orig/servconf.h
|
||||||
+++ openssh-7.8p1/servconf.h
|
+++ openssh-7.9p1/servconf.h
|
||||||
@@ -16,6 +16,8 @@
|
@@ -16,6 +16,8 @@
|
||||||
#ifndef SERVCONF_H
|
#ifndef SERVCONF_H
|
||||||
#define SERVCONF_H
|
#define SERVCONF_H
|
||||||
@ -2427,7 +2411,7 @@ Index: openssh-7.8p1/servconf.h
|
|||||||
#define MAX_PORTS 256 /* Max # ports. */
|
#define MAX_PORTS 256 /* Max # ports. */
|
||||||
|
|
||||||
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
|
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
|
||||||
@@ -125,8 +127,10 @@ typedef struct {
|
@@ -126,8 +128,10 @@ typedef struct {
|
||||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
@ -2438,10 +2422,10 @@ Index: openssh-7.8p1/servconf.h
|
|||||||
int password_authentication; /* If true, permit password
|
int password_authentication; /* If true, permit password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* If true, permit */
|
int kbd_interactive_authentication; /* If true, permit */
|
||||||
Index: openssh-7.8p1/ssh-gss.h
|
Index: openssh-7.9p1/ssh-gss.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh-gss.h
|
--- openssh-7.9p1.orig/ssh-gss.h
|
||||||
+++ openssh-7.8p1/ssh-gss.h
|
+++ openssh-7.9p1/ssh-gss.h
|
||||||
@@ -61,10 +61,22 @@
|
@@ -61,10 +61,22 @@
|
||||||
|
|
||||||
#define SSH_GSS_OIDTYPE 0x06
|
#define SSH_GSS_OIDTYPE 0x06
|
||||||
@ -2532,10 +2516,10 @@ Index: openssh-7.8p1/ssh-gss.h
|
|||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
|
|
||||||
#endif /* _SSH_GSS_H */
|
#endif /* _SSH_GSS_H */
|
||||||
Index: openssh-7.8p1/ssh_config
|
Index: openssh-7.9p1/ssh_config
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh_config
|
--- openssh-7.9p1.orig/ssh_config
|
||||||
+++ openssh-7.8p1/ssh_config
|
+++ openssh-7.9p1/ssh_config
|
||||||
@@ -45,6 +45,8 @@ Host *
|
@@ -45,6 +45,8 @@ Host *
|
||||||
# HostbasedAuthentication no
|
# HostbasedAuthentication no
|
||||||
# GSSAPIAuthentication no
|
# GSSAPIAuthentication no
|
||||||
@ -2545,11 +2529,11 @@ Index: openssh-7.8p1/ssh_config
|
|||||||
# BatchMode no
|
# BatchMode no
|
||||||
# CheckHostIP yes
|
# CheckHostIP yes
|
||||||
# AddressFamily any
|
# AddressFamily any
|
||||||
Index: openssh-7.8p1/ssh_config.0
|
Index: openssh-7.9p1/ssh_config.0
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh_config.0
|
--- openssh-7.9p1.orig/ssh_config.0
|
||||||
+++ openssh-7.8p1/ssh_config.0
|
+++ openssh-7.9p1/ssh_config.0
|
||||||
@@ -410,9 +410,40 @@ DESCRIPTION
|
@@ -422,9 +422,40 @@ DESCRIPTION
|
||||||
Specifies whether user authentication based on GSSAPI is allowed.
|
Specifies whether user authentication based on GSSAPI is allowed.
|
||||||
The default is no.
|
The default is no.
|
||||||
|
|
||||||
@ -2590,11 +2574,11 @@ Index: openssh-7.8p1/ssh_config.0
|
|||||||
HashKnownHosts
|
HashKnownHosts
|
||||||
Indicates that ssh(1) should hash host names and addresses when
|
Indicates that ssh(1) should hash host names and addresses when
|
||||||
they are added to ~/.ssh/known_hosts. These hashed names may be
|
they are added to ~/.ssh/known_hosts. These hashed names may be
|
||||||
Index: openssh-7.8p1/ssh_config.5
|
Index: openssh-7.9p1/ssh_config.5
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/ssh_config.5
|
--- openssh-7.9p1.orig/ssh_config.5
|
||||||
+++ openssh-7.8p1/ssh_config.5
|
+++ openssh-7.9p1/ssh_config.5
|
||||||
@@ -720,10 +720,40 @@ The default is
|
@@ -738,10 +738,40 @@ The default is
|
||||||
Specifies whether user authentication based on GSSAPI is allowed.
|
Specifies whether user authentication based on GSSAPI is allowed.
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
@ -2635,10 +2619,10 @@ Index: openssh-7.8p1/ssh_config.5
|
|||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
Index: openssh-7.8p1/sshconnect2.c
|
Index: openssh-7.9p1/sshconnect2.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshconnect2.c
|
--- openssh-7.9p1.orig/sshconnect2.c
|
||||||
+++ openssh-7.8p1/sshconnect2.c
|
+++ openssh-7.9p1/sshconnect2.c
|
||||||
@@ -82,6 +82,124 @@ extern char *client_version_string;
|
@@ -82,6 +82,124 @@ extern char *client_version_string;
|
||||||
extern char *server_version_string;
|
extern char *server_version_string;
|
||||||
extern Options options;
|
extern Options options;
|
||||||
@ -2871,7 +2855,7 @@ Index: openssh-7.8p1/sshconnect2.c
|
|||||||
{"gssapi-with-mic",
|
{"gssapi-with-mic",
|
||||||
userauth_gssapi,
|
userauth_gssapi,
|
||||||
NULL,
|
NULL,
|
||||||
@@ -657,19 +840,31 @@ userauth_gssapi(Authctxt *authctxt)
|
@@ -686,19 +869,31 @@ userauth_gssapi(Authctxt *authctxt)
|
||||||
static u_int mech = 0;
|
static u_int mech = 0;
|
||||||
OM_uint32 min;
|
OM_uint32 min;
|
||||||
int r, ok = 0;
|
int r, ok = 0;
|
||||||
@ -2905,7 +2889,7 @@ Index: openssh-7.8p1/sshconnect2.c
|
|||||||
ok = 1; /* Mechanism works */
|
ok = 1; /* Mechanism works */
|
||||||
} else {
|
} else {
|
||||||
mech++;
|
mech++;
|
||||||
@@ -906,6 +1101,51 @@ input_gssapi_error(int type, u_int32_t p
|
@@ -935,6 +1130,51 @@ input_gssapi_error(int type, u_int32_t p
|
||||||
free(lang);
|
free(lang);
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
@ -2957,7 +2941,7 @@ Index: openssh-7.8p1/sshconnect2.c
|
|||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
|
|
||||||
int
|
int
|
||||||
@@ -1443,8 +1683,8 @@ key_type_allowed_by_config(struct sshkey
|
@@ -1473,8 +1713,8 @@ key_type_allowed_by_config(struct sshkey
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* try keys in the following order:
|
* try keys in the following order:
|
||||||
@ -2968,10 +2952,10 @@ Index: openssh-7.8p1/sshconnect2.c
|
|||||||
* 3. agent keys that are found in the config file
|
* 3. agent keys that are found in the config file
|
||||||
* 4. other agent keys
|
* 4. other agent keys
|
||||||
* 5. keys that are only listed in the config file
|
* 5. keys that are only listed in the config file
|
||||||
Index: openssh-7.8p1/sshd.c
|
Index: openssh-7.9p1/sshd.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd.c
|
--- openssh-7.9p1.orig/sshd.c
|
||||||
+++ openssh-7.8p1/sshd.c
|
+++ openssh-7.9p1/sshd.c
|
||||||
@@ -131,6 +131,10 @@
|
@@ -131,6 +131,10 @@
|
||||||
|
|
||||||
#include "fips.h"
|
#include "fips.h"
|
||||||
@ -2983,16 +2967,17 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
/* Re-exec fds */
|
/* Re-exec fds */
|
||||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||||
@@ -555,7 +559,7 @@ privsep_preauth_child(void)
|
@@ -555,7 +559,8 @@ privsep_preauth_child(void)
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
/* Cache supported mechanism OIDs for later use */
|
/* Cache supported mechanism OIDs for later use */
|
||||||
- if (options.gss_authentication)
|
- ssh_gssapi_prepare_supported_oids();
|
||||||
+ if (options.gss_authentication || options.gss_keyex)
|
+ if (options.gss_authentication || options.gss_keyex)
|
||||||
ssh_gssapi_prepare_supported_oids();
|
+ ssh_gssapi_prepare_supported_oids();
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -898,8 +902,9 @@ notify_hostkeys(struct ssh *ssh)
|
reseed_prngs();
|
||||||
|
@@ -897,8 +902,9 @@ notify_hostkeys(struct ssh *ssh)
|
||||||
}
|
}
|
||||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
||||||
if (nkeys == 0)
|
if (nkeys == 0)
|
||||||
@ -3004,7 +2989,7 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
sshbuf_free(buf);
|
sshbuf_free(buf);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1838,7 +1843,12 @@ main(int ac, char **av)
|
@@ -1837,7 +1843,12 @@ main(int ac, char **av)
|
||||||
free(fp);
|
free(fp);
|
||||||
}
|
}
|
||||||
accumulate_host_timing_secret(cfg, NULL);
|
accumulate_host_timing_secret(cfg, NULL);
|
||||||
@ -3017,7 +3002,7 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
logit("sshd: no hostkeys available -- exiting.");
|
logit("sshd: no hostkeys available -- exiting.");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
@@ -2016,6 +2026,60 @@ main(int ac, char **av)
|
@@ -2015,6 +2026,60 @@ main(int ac, char **av)
|
||||||
/* This is the child processing a new connection. */
|
/* This is the child processing a new connection. */
|
||||||
setproctitle("%s", "[accepted]");
|
setproctitle("%s", "[accepted]");
|
||||||
|
|
||||||
@ -3078,7 +3063,7 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
/*
|
/*
|
||||||
* Create a new session and process group since the 4.4BSD
|
* Create a new session and process group since the 4.4BSD
|
||||||
* setlogin() affects the entire process group. We don't
|
* setlogin() affects the entire process group. We don't
|
||||||
@@ -2137,6 +2201,60 @@ main(int ac, char **av)
|
@@ -2136,6 +2201,60 @@ main(int ac, char **av)
|
||||||
rdomain == NULL ? "" : "\"");
|
rdomain == NULL ? "" : "\"");
|
||||||
free(laddr);
|
free(laddr);
|
||||||
|
|
||||||
@ -3139,7 +3124,7 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
/*
|
/*
|
||||||
* We don't want to listen forever unless the other side
|
* We don't want to listen forever unless the other side
|
||||||
* successfully authenticates itself. So we set up an alarm which is
|
* successfully authenticates itself. So we set up an alarm which is
|
||||||
@@ -2320,6 +2438,48 @@ do_ssh2_kex(void)
|
@@ -2319,6 +2438,48 @@ do_ssh2_kex(void)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||||
list_hostkey_types());
|
list_hostkey_types());
|
||||||
|
|
||||||
@ -3188,7 +3173,7 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
/* start key exchange */
|
/* start key exchange */
|
||||||
if ((r = kex_setup(active_state, myproposal)) != 0)
|
if ((r = kex_setup(active_state, myproposal)) != 0)
|
||||||
fatal("kex_setup: %s", ssh_err(r));
|
fatal("kex_setup: %s", ssh_err(r));
|
||||||
@@ -2337,6 +2497,13 @@ do_ssh2_kex(void)
|
@@ -2336,6 +2497,13 @@ do_ssh2_kex(void)
|
||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
||||||
@ -3202,10 +3187,10 @@ Index: openssh-7.8p1/sshd.c
|
|||||||
kex->server = 1;
|
kex->server = 1;
|
||||||
kex->client_version_string=client_version_string;
|
kex->client_version_string=client_version_string;
|
||||||
kex->server_version_string=server_version_string;
|
kex->server_version_string=server_version_string;
|
||||||
Index: openssh-7.8p1/sshd_config
|
Index: openssh-7.9p1/sshd_config
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd_config
|
--- openssh-7.9p1.orig/sshd_config
|
||||||
+++ openssh-7.8p1/sshd_config
|
+++ openssh-7.9p1/sshd_config
|
||||||
@@ -76,6 +76,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
@@ -76,6 +76,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
# GSSAPI options
|
# GSSAPI options
|
||||||
#GSSAPIAuthentication no
|
#GSSAPIAuthentication no
|
||||||
@ -3215,11 +3200,11 @@ Index: openssh-7.8p1/sshd_config
|
|||||||
|
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
Index: openssh-7.8p1/sshd_config.5
|
Index: openssh-7.9p1/sshd_config.5
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd_config.5
|
--- openssh-7.9p1.orig/sshd_config.5
|
||||||
+++ openssh-7.8p1/sshd_config.5
|
+++ openssh-7.9p1/sshd_config.5
|
||||||
@@ -644,6 +644,11 @@ Specifies whether to automatically destr
|
@@ -655,6 +655,11 @@ Specifies whether to automatically destr
|
||||||
on logout.
|
on logout.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
@ -3231,7 +3216,7 @@ Index: openssh-7.8p1/sshd_config.5
|
|||||||
.It Cm GSSAPIStrictAcceptorCheck
|
.It Cm GSSAPIStrictAcceptorCheck
|
||||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||||
a client authenticates against.
|
a client authenticates against.
|
||||||
@@ -658,6 +663,11 @@ machine's default store.
|
@@ -669,6 +674,11 @@ machine's default store.
|
||||||
This facility is provided to assist with operation on multi homed machines.
|
This facility is provided to assist with operation on multi homed machines.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
@ -3243,7 +3228,7 @@ Index: openssh-7.8p1/sshd_config.5
|
|||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
as a list of comma-separated patterns.
|
as a list of comma-separated patterns.
|
||||||
@@ -1632,16 +1642,16 @@ as a non-root user.
|
@@ -1643,16 +1653,16 @@ as a non-root user.
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
.It Cm UsePAMCheckLocks
|
.It Cm UsePAMCheckLocks
|
||||||
@ -3263,11 +3248,11 @@ Index: openssh-7.8p1/sshd_config.5
|
|||||||
.Dq no .
|
.Dq no .
|
||||||
.It Cm VersionAddendum
|
.It Cm VersionAddendum
|
||||||
Optionally specifies additional text to append to the SSH protocol banner
|
Optionally specifies additional text to append to the SSH protocol banner
|
||||||
Index: openssh-7.8p1/sshkey.c
|
Index: openssh-7.9p1/sshkey.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshkey.c
|
--- openssh-7.9p1.orig/sshkey.c
|
||||||
+++ openssh-7.8p1/sshkey.c
|
+++ openssh-7.9p1/sshkey.c
|
||||||
@@ -140,6 +140,7 @@ static const struct keytype keytypes[] =
|
@@ -135,6 +135,7 @@ static const struct keytype keytypes[] =
|
||||||
# endif /* OPENSSL_HAS_NISTP521 */
|
# endif /* OPENSSL_HAS_NISTP521 */
|
||||||
# endif /* OPENSSL_HAS_ECC */
|
# endif /* OPENSSL_HAS_ECC */
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
@ -3275,11 +3260,11 @@ Index: openssh-7.8p1/sshkey.c
|
|||||||
{ NULL, NULL, NULL, -1, -1, 0, 0 }
|
{ NULL, NULL, NULL, -1, -1, 0, 0 }
|
||||||
};
|
};
|
||||||
|
|
||||||
Index: openssh-7.8p1/sshkey.h
|
Index: openssh-7.9p1/sshkey.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshkey.h
|
--- openssh-7.9p1.orig/sshkey.h
|
||||||
+++ openssh-7.8p1/sshkey.h
|
+++ openssh-7.9p1/sshkey.h
|
||||||
@@ -63,6 +63,7 @@ enum sshkey_types {
|
@@ -64,6 +64,7 @@ enum sshkey_types {
|
||||||
KEY_ED25519_CERT,
|
KEY_ED25519_CERT,
|
||||||
KEY_XMSS,
|
KEY_XMSS,
|
||||||
KEY_XMSS_CERT,
|
KEY_XMSS_CERT,
|
||||||
@ -3287,11 +3272,11 @@ Index: openssh-7.8p1/sshkey.h
|
|||||||
KEY_UNSPEC
|
KEY_UNSPEC
|
||||||
};
|
};
|
||||||
|
|
||||||
Index: openssh-7.8p1/sshd_config.0
|
Index: openssh-7.9p1/sshd_config.0
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.8p1.orig/sshd_config.0
|
--- openssh-7.9p1.orig/sshd_config.0
|
||||||
+++ openssh-7.8p1/sshd_config.0
|
+++ openssh-7.9p1/sshd_config.0
|
||||||
@@ -370,6 +370,12 @@ DESCRIPTION
|
@@ -380,6 +380,12 @@ DESCRIPTION
|
||||||
Specifies whether user authentication based on GSSAPI is allowed.
|
Specifies whether user authentication based on GSSAPI is allowed.
|
||||||
The default is no.
|
The default is no.
|
||||||
|
|
||||||
@ -3304,7 +3289,7 @@ Index: openssh-7.8p1/sshd_config.0
|
|||||||
GSSAPICleanupCredentials
|
GSSAPICleanupCredentials
|
||||||
Specifies whether to automatically destroy the user's credentials
|
Specifies whether to automatically destroy the user's credentials
|
||||||
cache on logout. The default is yes.
|
cache on logout. The default is yes.
|
||||||
@@ -383,6 +388,12 @@ DESCRIPTION
|
@@ -393,6 +399,12 @@ DESCRIPTION
|
||||||
facility is provided to assist with operation on multi homed
|
facility is provided to assist with operation on multi homed
|
||||||
machines. The default is yes.
|
machines. The default is yes.
|
||||||
|
|
||||||
|
@ -15,15 +15,11 @@ this is only need on s390 architecture.
|
|||||||
|
|
||||||
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||||
|
|
||||||
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
|
Index: openssh-7.9p1/sandbox-seccomp-filter.c
|
||||||
--- openssh-7.7p1/sandbox-seccomp-filter.c
|
===================================================================
|
||||||
+++ openssh-7.7p1/sandbox-seccomp-filter.c
|
--- openssh-7.9p1.orig/sandbox-seccomp-filter.c
|
||||||
@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
|
+++ openssh-7.9p1/sandbox-seccomp-filter.c
|
||||||
SC_ALLOW(__NR_exit_group),
|
@@ -175,6 +175,9 @@ static const struct sock_filter preauth_
|
||||||
#endif
|
|
||||||
#ifdef __NR_geteuid
|
|
||||||
SC_ALLOW(__NR_geteuid),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_geteuid32
|
#ifdef __NR_geteuid32
|
||||||
SC_ALLOW(__NR_geteuid32),
|
SC_ALLOW(__NR_geteuid32),
|
||||||
#endif
|
#endif
|
||||||
@ -33,17 +29,7 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
|
|||||||
#ifdef __NR_getpgid
|
#ifdef __NR_getpgid
|
||||||
SC_ALLOW(__NR_getpgid),
|
SC_ALLOW(__NR_getpgid),
|
||||||
#endif
|
#endif
|
||||||
#ifdef __NR_getpid
|
@@ -193,6 +196,9 @@ static const struct sock_filter preauth_
|
||||||
SC_ALLOW(__NR_getpid),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_getrandom
|
|
||||||
SC_ALLOW(__NR_getrandom),
|
|
||||||
@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
|
|
||||||
SC_ALLOW(__NR_gettimeofday),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_getuid
|
|
||||||
SC_ALLOW(__NR_getuid),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_getuid32
|
#ifdef __NR_getuid32
|
||||||
SC_ALLOW(__NR_getuid32),
|
SC_ALLOW(__NR_getuid32),
|
||||||
#endif
|
#endif
|
||||||
@ -53,8 +39,3 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
|
|||||||
#ifdef __NR_madvise
|
#ifdef __NR_madvise
|
||||||
SC_ALLOW(__NR_madvise),
|
SC_ALLOW(__NR_madvise),
|
||||||
#endif
|
#endif
|
||||||
#ifdef __NR_mmap
|
|
||||||
SC_ALLOW(__NR_mmap),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_mmap2
|
|
||||||
SC_ALLOW(__NR_mmap2),
|
|
||||||
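Review bot: The refreshed hunks `@@ -175,6 +175,9 @@` and `@@ -193,6 +196,9 @@` add `SC_ALLOW(__NR_geteuid32)` and `SC_ALLOW(__NR_getuid32)` to the pre-auth seccomp allowlist, but the patch header only says the change "is only need on s390 architecture" without naming which code path issues those syscalls. Every entry in the pre-auth sandbox filter is security-relevant and should be traceable to a caller so it can be dropped when it is no longer required; the old-side context shows the filter already allows `__NR_geteuid` and `__NR_getuid`, so the header would read better as something like `# s390 (31-bit) issues the *32 variants of geteuid/getuid, which the filter already allows on other architectures; without them the pre-auth child is killed with SIGSYS` (hedged — confirm the actual failure mode on s390 before wording it that way). The header sentence also has a typo, "only need" should be "only needed".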
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
|
|
||||||
size 1548026
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlt+Xa8ACgkQ0+X1a22S
|
|
||||||
DTAJPwx9HIW/obxNJYTU7M8trpalBekdl1SqUjxdDwInIsKTLSOpJCsnynBai/3c
|
|
||||||
SuvZkBwcKwZZFe+xCvRQDHkf/YYLT+d7slUQolb0OJmzFKbvu6xwuv7q12ag9hQj
|
|
||||||
/8BUfdYRKb63uemfKuVAHfcnUm9WlwSbif+Au/j1yg/MlETY47ezYA9/q75wignx
|
|
||||||
3g38JVHVgKDenDd8o9/hgjeQpEHKNdCQo71nN2h3MYRlh4xrR9ENZj7y8x65Kp1j
|
|
||||||
WoZEhlvjYkka4deSGwj2MIAJnzsc39uppEoEjkB7F9SUo4O7CxbWFein70Ct7Xbs
|
|
||||||
VDWXQibnJGHKatHIecaPLUYexGWO1XYNZErDhY7fPw0ChfMGbz3+0eDfDJqGY49r
|
|
||||||
Lo6wzsrgv2kDJMqwciT/D/Zb3ocHnCrq1Isnz/Ug2lW58LMk7Y1HisPteZFQ/pkC
|
|
||||||
xKeO+K1RkaRUSCrB5iToqF+7i8eRNVROYmkKLgKcMrC0WYEjnbEoFdr4bktAS9QM
|
|
||||||
BS6aIsh2cyg2H0FjDKmYvcKOUf0IgA==
|
|
||||||
=ZiYm
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
openssh-7.9p1.tar.gz
Normal file
3
openssh-7.9p1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
|
||||||
|
size 1565384
|
14
openssh-7.9p1.tar.gz.asc
Normal file
14
openssh-7.9p1.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlvJLhsACgkQ0+X1a22S
|
||||||
|
DTBjHwx/T3EX3EtCzB9I6zHFUgF2/0hEKVYZw2Yl4UbUvgjy/KdEdlJzdH3Hc/yU
|
||||||
|
jJZzraDY7nJMrCly734FbFGKsKoRkxWMkeuQGOhvpzgTYg+fOa1J0a14xK/ub9Y0
|
||||||
|
9Z/4zP0Zs7mn+8MApMS3XOZ+AJgdRiXN9i3PXmbYO9Gcg+QthtgE1DeG0d0vVTP/
|
||||||
|
ipCBBg8mMlAANdlu9IUCv4CJPwJjQt2aYsvCiuUQuzrKYsV5noCOBaGRbmPcN9SM
|
||||||
|
3cvSTZgDbK3kHdL1RnBgWpcO+o+D8sqSW2rm8xpCQv/ILo86/BLBjXDCYLEt0nSn
|
||||||
|
+dONPytwhwwJWPPYe7+RSYWHS2cKwVTDk7lr2E636SwU1fM1NiNYle9hB6cUT0nU
|
||||||
|
sypfHOIARAMSqepnaT3WgffM0jlEWrSB0PuDLTLTO5ZPmUijqqT6xGwWSUc4GQZY
|
||||||
|
WNyGg1w0Ryj2pRd7DlXDDivTCneXFqV7JZiR3R4ZXJJV0uVQOUitCS/DnwSDpIfp
|
||||||
|
HlVEWeRAszQFKLKttu0/4SY2NVrRBA==
|
||||||
|
=4Z9x
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||||
|
|
||||||
|
- Version update to 7.9p1
|
||||||
|
* No actual changes for the askpass
|
||||||
|
* See main package changelog for details
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
%define _name openssh
|
%define _name openssh
|
||||||
Name: openssh-askpass-gnome
|
Name: openssh-askpass-gnome
|
||||||
Version: 7.8p1
|
Version: 7.9p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
License: BSD-2-Clause
|
License: BSD-2-Clause
|
||||||
|
@ -1,3 +1,47 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||||
|
|
||||||
|
- Version update to 7.9p1
|
||||||
|
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
|
||||||
|
option (see below) bans the use of DSA keys as certificate
|
||||||
|
authorities.
|
||||||
|
* sshd(8): the authentication success/failure log message has
|
||||||
|
changed format slightly. It now includes the certificate
|
||||||
|
fingerprint (previously it included only key ID and CA key
|
||||||
|
fingerprint).
|
||||||
|
* ssh(1), sshd(8): allow most port numbers to be specified using
|
||||||
|
service names from getservbyname(3) (typically /etc/services).
|
||||||
|
* sshd(8): support signalling sessions via the SSH protocol.
|
||||||
|
A limited subset of signals is supported and only for login or
|
||||||
|
command sessions (i.e. not subsystems) that were not subject to
|
||||||
|
a forced command via authorized_keys or sshd_config. bz#1424
|
||||||
|
* ssh(1): support "ssh -Q sig" to list supported signature options.
|
||||||
|
Also "ssh -Q help" to show the full set of supported queries.
|
||||||
|
* ssh(1), sshd(8): add a CASignatureAlgorithms option for the
|
||||||
|
client and server configs to allow control over which signature
|
||||||
|
formats are allowed for CAs to sign certificates. For example,
|
||||||
|
this allows banning CAs that sign certificates using the RSA-SHA1
|
||||||
|
signature algorithm.
|
||||||
|
* sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
|
||||||
|
revoke keys specified by SHA256 hash.
|
||||||
|
* ssh-keygen(1): allow creation of key revocation lists directly
|
||||||
|
from base64-encoded SHA256 fingerprints. This supports revoking
|
||||||
|
keys using only the information contained in sshd(8)
|
||||||
|
authentication log messages.
|
||||||
|
|
||||||
|
- Removed obsolete configuration option --with-tcp-wrappers, and
|
||||||
|
--with-opensc for s390 and s390x.
|
||||||
|
|
||||||
|
- Removed patch merged upstream
|
||||||
|
* openssh-7.7p1-openssl_1.1.0.patch
|
||||||
|
|
||||||
|
- Refreshed patches
|
||||||
|
* openssh-7.7p1-audit.patch
|
||||||
|
* openssh-7.7p1-disable_short_DH_parameters.patch
|
||||||
|
* openssh-7.7p1-fips.patch
|
||||||
|
* openssh-7.7p1-gssapi_key_exchange.patch
|
||||||
|
* openssh-7.7p1-seccomp_ipc_flock.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@
|
|||||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||||
%endif
|
%endif
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: 7.8p1
|
Version: 7.9p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
License: BSD-2-Clause AND MIT
|
License: BSD-2-Clause AND MIT
|
||||||
@ -84,8 +84,6 @@ Patch22: openssh-7.7p1-systemd-notify.patch
|
|||||||
Patch23: openssh-7.7p1-gssapi_key_exchange.patch
|
Patch23: openssh-7.7p1-gssapi_key_exchange.patch
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||||
Patch24: openssh-7.7p1-audit.patch
|
Patch24: openssh-7.7p1-audit.patch
|
||||||
# Upstream patch, already merged
|
|
||||||
Patch25: openssh-7.7p1-openssl_1.1.0.patch
|
|
||||||
# Local patch to disable runtime abi SSL checks, quite pointless for us
|
# Local patch to disable runtime abi SSL checks, quite pointless for us
|
||||||
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
|
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||||
@ -188,7 +186,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
%configure \
|
%configure \
|
||||||
--sysconfdir=%{_sysconfdir}/ssh \
|
--sysconfdir=%{_sysconfdir}/ssh \
|
||||||
--libexecdir=%{_libexecdir}/ssh \
|
--libexecdir=%{_libexecdir}/ssh \
|
||||||
--with-tcp-wrappers \
|
|
||||||
--with-selinux \
|
--with-selinux \
|
||||||
--with-pid-dir=/run \
|
--with-pid-dir=/run \
|
||||||
--with-systemd \
|
--with-systemd \
|
||||||
@ -200,9 +197,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
--with-sandbox=seccomp_filter \
|
--with-sandbox=seccomp_filter \
|
||||||
%else
|
%else
|
||||||
--with-sandbox=rlimit \
|
--with-sandbox=rlimit \
|
||||||
%endif
|
|
||||||
%ifnarch s390 s390x
|
|
||||||
--with-opensc \
|
|
||||||
%endif
|
%endif
|
||||||
--disable-strip \
|
--disable-strip \
|
||||||
--with-audit=linux \
|
--with-audit=linux \
|
||||||
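Review bot: Hunk `@ -84,8 +84,6 @@` removes the `Patch25: openssh-7.7p1-openssl_1.1.0.patch` declaration, but the corresponding `%patch25` application line in `%prep` lies outside the visible sections and is not shown as removed; if it is still present the build fails on the undefined patch macro, so confirm it was dropped in the same change. The removals of `--with-tcp-wrappers \` and of the `%ifnarch s390 s390x` / `--with-opensc \` block in the `%configure` hunks match the changelog entry in this request, which is consistent. It would also be worth a short comment near the `%configure` block noting that tcp-wrappers support was removed upstream, so a future refresh does not reintroduce the option.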
|