From 6543c1a02bb2723fe04351fd45f29af45acf1877222b4b9538eec61ecc211f6d Mon Sep 17 00:00:00 2001 
From: Hans Petter Jansson Date: Mon, 18 Jan 2021 01:12:55 +0000 Subject: [PATCH] Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. 
bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222 --- openssh-7.7p1-allow_root_password_login.patch | 30 +- openssh-7.7p1-cavstest-ctr.patch | 37 +- openssh-7.7p1-cavstest-kdf.patch | 21 +- openssh-7.7p1-fips.patch | 168 ++++---- openssh-7.7p1-fips_checks.patch | 64 ++- ...1-hostname_changes_when_forwarding_X.patch | 26 +- openssh-7.7p1-pam_check_locks.patch | 50 +-- openssh-7.7p1-sftp_force_permissions.patch | 44 +- ...7.7p1-sftp_print_diagnostic_messages.patch | 30 +- openssh-8.1p1-audit.patch | 387 +++++++++--------- openssh-8.3p1.tar.gz | 3 - openssh-8.3p1.tar.gz.asc | 14 - openssh-8.4p1.tar.gz | 3 + openssh-8.4p1.tar.gz.asc | 14 + openssh-askpass-gnome.spec | 8 +- openssh.changes | 130 ++++++ openssh.spec | 8 +- 17 files changed, 583 insertions(+), 454 deletions(-) delete mode 100644 openssh-8.3p1.tar.gz delete mode 100644 openssh-8.3p1.tar.gz.asc create mode 100644 openssh-8.4p1.tar.gz create mode 100644 openssh-8.4p1.tar.gz.asc diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch index 6622776..815b8a5 100644 --- a/openssh-7.7p1-allow_root_password_login.patch +++ b/openssh-7.7p1-allow_root_password_login.patch 
@@ -5,11 +5,11 @@ default of forbidding access to the root account with a password, we are temporarily introducing this change to keep the default used in older OpenSSH versions shipped with SLE. -Index: openssh-7.9p1/servconf.c +Index: openssh-8.4p1/servconf.c =================================================================== ---- openssh-7.9p1.orig/servconf.c -+++ openssh-7.9p1/servconf.c -@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption +--- openssh-8.4p1.orig/servconf.c ++++ openssh-8.4p1/servconf.c +@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption if (options->login_grace_time == -1) options->login_grace_time = 120; if (options->permit_root_login == PERMIT_NOT_SET) @@ -18,10 +18,10 @@ Index: openssh-7.9p1/servconf.c if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -Index: openssh-7.9p1/sshd_config +Index: openssh-8.4p1/sshd_config =================================================================== ---- openssh-7.9p1.orig/sshd_config -+++ openssh-7.9p1/sshd_config +--- openssh-8.4p1.orig/sshd_config ++++ openssh-8.4p1/sshd_config @@ -29,7 +29,7 @@ # Authentication: @@ -31,11 +31,11 @@ Index: openssh-7.9p1/sshd_config #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -Index: openssh-7.9p1/sshd_config.0 +Index: openssh-8.4p1/sshd_config.0 =================================================================== ---- openssh-7.9p1.orig/sshd_config.0 -+++ openssh-7.9p1/sshd_config.0 -@@ -749,7 +749,7 @@ DESCRIPTION +--- openssh-8.4p1.orig/sshd_config.0 ++++ openssh-8.4p1/sshd_config.0 +@@ -778,7 +778,7 @@ DESCRIPTION PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The 
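Review bot: The patch header quoted in this hunk's context still calls the PermitRootLogin default override "temporarily introducing this change", yet the rebase from 7.9p1 to 8.4p1 carries it forward with only the Index: paths and hunk offsets updated. The replacement PERMIT_* value the inner patch assigns after `if (options->permit_root_login == PERMIT_NOT_SET)` lies outside this outer hunk, so I cannot confirm from here what default it now sets; assuming it is still the older SLE default, the header should say under what condition or release the override is meant to be dropped, for example `This override is scheduled for removal in <release placeholder>; tracked in <bug id placeholder>.`. A relaxed authentication default labelled "temporary" across several major rebases reads to the next maintainer as if it had been re-evaluated when it has not.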
@@ -44,11 +44,11 @@ Index: openssh-7.9p1/sshd_config.0 If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive -Index: openssh-7.9p1/sshd_config.5 +Index: openssh-8.4p1/sshd_config.5 =================================================================== ---- openssh-7.9p1.orig/sshd_config.5 -+++ openssh-7.9p1/sshd_config.5 -@@ -1285,7 +1285,7 @@ The argument must be +--- openssh-8.4p1.orig/sshd_config.5 ++++ openssh-8.4p1/sshd_config.5 +@@ -1331,7 +1331,7 @@ The argument must be or .Cm no . The default is diff --git a/openssh-7.7p1-cavstest-ctr.patch b/openssh-7.7p1-cavstest-ctr.patch index 6772d5c..e2bf8f1 100644 --- a/openssh-7.7p1-cavstest-ctr.patch +++ b/openssh-7.7p1-cavstest-ctr.patch @@ -2,10 +2,10 @@ # Parent cc1022edba2c5eeb0facba08468f65afc2466b63 CAVS test for OpenSSH's own CTR encryption mode implementation -diff --git a/Makefile.in b/Makefile.in -index d5c37b5..5d4fcd2 100644 ---- a/Makefile.in -+++ b/Makefile.in +Index: openssh-8.4p1/Makefile.in +=================================================================== +--- openssh-8.4p1.orig/Makefile.in ++++ openssh-8.4p1/Makefile.in @@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper @@ -14,7 +14,7 @@ index d5c37b5..5d4fcd2 100644 PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@ +@@ -68,6 +69,8 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) 
@@ -23,7 +23,7 @@ index d5c37b5..5d4fcd2 100644 XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) +@@ -242,6 +245,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) @@ -34,7 +34,7 @@ index d5c37b5..5d4fcd2 100644 # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -398,6 +405,7 @@ install-files: +@@ -400,6 +407,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) @@ -42,11 +42,10 @@ index d5c37b5..5d4fcd2 100644 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -diff --git a/cavstest-ctr.c b/cavstest-ctr.c -new file mode 100644 -index 0000000..f81cb72 +Index: openssh-8.4p1/cavstest-ctr.c +=================================================================== --- /dev/null -+++ b/cavstest-ctr.c ++++ openssh-8.4p1/cavstest-ctr.c @@ -0,0 +1,214 @@ +/* + * @@ -262,10 +261,10 @@ index 0000000..f81cb72 + printf("\n"); + return 0; +} -diff --git a/cipher.c b/cipher.c -index 2f5430b..599b54a 100644 ---- a/cipher.c -+++ b/cipher.c +Index: openssh-8.4p1/cipher.c +=================================================================== +--- openssh-8.4p1.orig/cipher.c ++++ openssh-8.4p1/cipher.c @@ -58,15 +58,6 @@ #define EVP_CIPHER_CTX void #endif 
@@ -282,10 +281,10 @@ index 2f5430b..599b54a 100644 struct sshcipher { char *name; u_int block_size; -diff --git a/cipher.h b/cipher.h -index 1a591cd..10ccb28 100644 ---- a/cipher.h -+++ b/cipher.h +Index: openssh-8.4p1/cipher.h +=================================================================== +--- openssh-8.4p1.orig/cipher.h ++++ openssh-8.4p1/cipher.h @@ -48,7 +48,15 @@ #define CIPHER_DECRYPT 0 diff --git a/openssh-7.7p1-cavstest-kdf.patch b/openssh-7.7p1-cavstest-kdf.patch index c838849..f30919a 100644 --- a/openssh-7.7p1-cavstest-kdf.patch +++ b/openssh-7.7p1-cavstest-kdf.patch @@ -2,10 +2,10 @@ # Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1 CAVS test for KDF implementation in OpenSSH -diff --git a/Makefile.in b/Makefile.in -index 5d4fcd2..9eab827 100644 ---- a/Makefile.in -+++ b/Makefile.in +Index: openssh-8.4p1/Makefile.in +=================================================================== +--- openssh-8.4p1.orig/Makefile.in ++++ openssh-8.4p1/Makefile.in @@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper @@ -14,7 +14,7 @@ index 5d4fcd2..9eab827 100644 PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@ +@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) @@ -23,7 +23,7 @@ index 5d4fcd2..9eab827 100644 XMSS_OBJS=\ ssh-xmss.o \ -@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) +@@ -249,6 +250,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) 
@@ -33,7 +33,7 @@ index 5d4fcd2..9eab827 100644 # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -406,6 +410,7 @@ install-files: +@@ -408,6 +412,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) @@ -41,11 +41,10 @@ index 5d4fcd2..9eab827 100644 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -diff --git a/cavstest-kdf.c b/cavstest-kdf.c -new file mode 100644 -index 0000000..a6ecf45 +Index: openssh-8.4p1/cavstest-kdf.c +=================================================================== --- /dev/null -+++ b/cavstest-kdf.c ++++ openssh-8.4p1/cavstest-kdf.c @@ -0,0 +1,402 @@ +/* + * Copyright (C) 2015, Stephan Mueller diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index beaa40d..80ad852 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -3,11 +3,11 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. -diff --git a/Makefile.in b/Makefile.in -index 62cd072..d5c37b5 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +Index: openssh-8.4p1/Makefile.in +=================================================================== +--- openssh-8.4p1.orig/Makefile.in ++++ openssh-8.4p1/Makefile.in +@@ -112,6 +112,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ SKOBJS= ssh-sk-client.o 
@@ -16,10 +16,10 @@ index 62cd072..d5c37b5 100644 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o $(SKOBJS) -diff --git a/cipher-ctr.c b/cipher-ctr.c -index 32771f2..b66f92f 100644 ---- a/cipher-ctr.c -+++ b/cipher-ctr.c +Index: openssh-8.4p1/cipher-ctr.c +=================================================================== +--- openssh-8.4p1.orig/cipher-ctr.c ++++ openssh-8.4p1/cipher-ctr.c @@ -27,6 +27,8 @@ #include "xmalloc.h" #include "log.h" @@ -38,10 +38,10 @@ index 32771f2..b66f92f 100644 #endif return (&aes_ctr); } -diff --git a/cipher.c b/cipher.c -index 8195199..2f5430b 100644 ---- a/cipher.c -+++ b/cipher.c +Index: openssh-8.4p1/cipher.c +=================================================================== +--- openssh-8.4p1.orig/cipher.c ++++ openssh-8.4p1/cipher.c @@ -51,6 +51,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -61,7 +61,7 @@ index 8195199..2f5430b 100644 #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = { +@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] { NULL, 0, 0, 0, 0, 0, NULL } }; @@ -132,11 +132,10 @@ index 8195199..2f5430b 100644 if (strcmp(c->name, name) == 0) return c; return NULL; -diff --git a/fips.c b/fips.c -new file mode 100644 -index 0000000..23e3876 +Index: openssh-8.4p1/fips.c +=================================================================== --- /dev/null -+++ b/fips.c ++++ openssh-8.4p1/fips.c @@ -0,0 +1,212 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -350,11 +349,10 @@ index 0000000..23e3876 + return dgst; +} + -diff --git a/fips.h b/fips.h -new file mode 100644 -index 0000000..a115a61 +Index: openssh-8.4p1/fips.h +=================================================================== --- /dev/null -+++ b/fips.h ++++ openssh-8.4p1/fips.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. 
@@ -400,11 +398,11 @@ index 0000000..a115a61 + +#endif + -diff --git a/hmac.c b/hmac.c -index 7b58801..5a92074 100644 ---- a/hmac.c -+++ b/hmac.c -@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen) +Index: openssh-8.4p1/hmac.c +=================================================================== +--- openssh-8.4p1.orig/hmac.c ++++ openssh-8.4p1/hmac.c +@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void * size_t i; u_char digest[16]; @@ -413,11 +411,11 @@ index 7b58801..5a92074 100644 printf("ssh_hmac_start failed"); if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || -diff --git a/kex.c b/kex.c -index b09fbac..a5e4be7 100644 ---- a/kex.c -+++ b/kex.c -@@ -63,6 +63,8 @@ +Index: openssh-8.4p1/kex.c +=================================================================== +--- openssh-8.4p1.orig/kex.c ++++ openssh-8.4p1/kex.c +@@ -62,6 +62,8 @@ #include "sshbuf.h" #include "digest.h" @@ -426,7 +424,7 @@ index b09fbac..a5e4be7 100644 /* prototype */ static int kex_choose_conf(struct ssh *); static int kex_input_newkeys(int, u_int32_t, struct ssh *); -@@ -86,7 +88,7 @@ struct kexalg { +@@ -85,7 +87,7 @@ struct kexalg { int ec_nid; int hash_alg; }; @@ -435,7 +433,7 @@ index b09fbac..a5e4be7 100644 #ifdef WITH_OPENSSL { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, -@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = { +@@ -116,6 +118,47 @@ static const struct kexalg kexalgs[] = { { NULL, 0, -1, -1}, }; @@ -483,7 +481,7 @@ index b09fbac..a5e4be7 100644 char * kex_alg_list(char sep) { -@@ -124,7 +167,7 @@ kex_alg_list(char sep) +@@ -123,7 +166,7 @@ kex_alg_list(char sep) size_t nlen, rlen = 0; const struct kexalg *k; 
@@ -492,7 +490,7 @@ index b09fbac..a5e4be7 100644 if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name) +@@ -143,7 +186,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -501,7 +499,7 @@ index b09fbac..a5e4be7 100644 if (strcmp(k->name, name) == 0) return k; } -@@ -164,7 +207,10 @@ kex_names_valid(const char *names) +@@ -163,7 +206,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -512,10 +510,10 @@ index b09fbac..a5e4be7 100644 free(s); return 0; } -diff --git a/mac.c b/mac.c -index f3dda66..90d71c8 100644 ---- a/mac.c -+++ b/mac.c +Index: openssh-8.4p1/mac.c +=================================================================== +--- openssh-8.4p1.orig/mac.c ++++ openssh-8.4p1/mac.c @@ -41,6 +41,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -586,7 +584,7 @@ index f3dda66..90d71c8 100644 if (ret != NULL) ret[rlen++] = sep; nlen = strlen(m->name); -@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name) +@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name { const struct macalg *m; @@ -595,10 +593,10 @@ index f3dda66..90d71c8 100644 if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -diff --git a/readconf.c b/readconf.c -index 26e80c5..595f053 100644 ---- a/readconf.c -+++ b/readconf.c +Index: openssh-8.4p1/readconf.c +=================================================================== +--- openssh-8.4p1.orig/readconf.c ++++ openssh-8.4p1/readconf.c @@ -68,6 +68,8 @@ #include "myproposal.h" #include "digest.h" @@ -608,7 +606,7 @@ index 26e80c5..595f053 100644 /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o) +@@ -1949,6 +1951,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } 
@@ -632,7 +630,7 @@ index 26e80c5..595f053 100644 /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -2196,6 +2215,9 @@ fill_default_options(Options * options) +@@ -2240,6 +2259,9 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -642,7 +640,7 @@ index 26e80c5..595f053 100644 #ifdef ENABLE_SK_INTERNAL if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); -@@ -2229,6 +2251,7 @@ fill_default_options(Options * options) +@@ -2273,6 +2295,7 @@ fill_default_options(Options * options) ASSEMBLE(pubkey_key_types, def_key, all_key); ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE @@ -650,7 +648,7 @@ index 26e80c5..595f053 100644 free(all_cipher); free(all_mac); free(all_kex); -@@ -2240,6 +2263,8 @@ fill_default_options(Options * options) +@@ -2284,6 +2307,8 @@ fill_default_options(Options * options) kex_default_pk_alg_filtered = def_key; /* save for later use */ free(def_sig); @@ -659,11 +657,11 @@ index 26e80c5..595f053 100644 #define CLEAR_ON_NONE(v) \ do { \ if (option_clear_or_none(v)) { \ -diff --git a/readconf.h b/readconf.h -index e143a10..ef18d5c 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -199,6 +199,7 @@ typedef struct { +Index: openssh-8.4p1/readconf.h +=================================================================== +--- openssh-8.4p1.orig/readconf.h ++++ openssh-8.4p1/readconf.h +@@ -200,6 +200,7 @@ typedef struct { #define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_ASK 3 
@@ -671,11 +669,11 @@ index e143a10..ef18d5c 100644 const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, const char *portstr, const char *user); -diff --git a/servconf.c b/servconf.c -index 6be7274..9a51bfb 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -69,6 +69,7 @@ +Index: openssh-8.4p1/servconf.c +=================================================================== +--- openssh-8.4p1.orig/servconf.c ++++ openssh-8.4p1/servconf.c +@@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -683,7 +681,7 @@ index 6be7274..9a51bfb 100644 static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -200,6 +201,23 @@ option_clear_or_none(const char *o) +@@ -201,6 +202,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -707,7 +705,7 @@ index 6be7274..9a51bfb 100644 static void assemble_algorithms(ServerOptions *o) { -@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o) +@@ -242,6 +260,8 @@ assemble_algorithms(ServerOptions *o) free(def_kex); free(def_key); free(def_sig); @@ -716,7 +714,7 @@ index 6be7274..9a51bfb 100644 } static void -@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options) +@@ -454,6 +474,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -725,10 +723,10 @@ index 6be7274..9a51bfb 100644 if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 944faca..c1ecc54 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c +Index: openssh-8.4p1/ssh-keygen.c +=================================================================== +--- openssh-8.4p1.orig/ssh-keygen.c ++++ openssh-8.4p1/ssh-keygen.c 
@@ -66,6 +66,8 @@ #include "ssh-sk.h" #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */ @@ -738,7 +736,7 @@ index 944faca..c1ecc54 100644 #ifdef WITH_OPENSSL # define DEFAULT_KEY_TYPE_NAME "rsa" #else -@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw) +@@ -1036,11 +1038,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { @@ -754,7 +752,7 @@ index 944faca..c1ecc54 100644 #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, -@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1055,6 +1059,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -772,7 +770,7 @@ index 944faca..c1ecc54 100644 u_int32_t bits = 0; int first = 0; struct stat st; -@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1062,6 +1077,12 @@ do_gen_all_hostkeys(struct passwd *pw) char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; int i, type, fd, r; @@ -785,7 +783,7 @@ index 944faca..c1ecc54 100644 for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -3532,6 +3553,15 @@ main(int argc, char **argv) +@@ -3586,6 +3607,15 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_name(key_type_name); @@ -801,11 +799,11 @@ index 944faca..c1ecc54 100644 type_bits_valid(type, key_type_name, &bits); if (!quiet) -diff --git a/ssh_config.5 b/ssh_config.5 -index c45fb8d..55d4b5e 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -669,6 +669,8 @@ Valid options are: +Index: openssh-8.4p1/ssh_config.5 +=================================================================== +--- openssh-8.4p1.orig/ssh_config.5 ++++ openssh-8.4p1/ssh_config.5 +@@ -682,6 +682,8 @@ Valid options are: and .Cm sha256 (the default). 
@@ -814,11 +812,11 @@ index c45fb8d..55d4b5e 100644 .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -diff --git a/sshd.c b/sshd.c -index a24241c..e18078f 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -128,6 +128,8 @@ +Index: openssh-8.4p1/sshd.c +=================================================================== +--- openssh-8.4p1.orig/sshd.c ++++ openssh-8.4p1/sshd.c +@@ -124,6 +124,8 @@ #include "ssherr.h" #include "sk-api.h" @@ -827,10 +825,10 @@ index a24241c..e18078f 100644 /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -diff --git a/sshd_config.5 b/sshd_config.5 -index 52552d2..35affe5 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 +Index: openssh-8.4p1/sshd_config.5 +=================================================================== +--- openssh-8.4p1.orig/sshd_config.5 ++++ openssh-8.4p1/sshd_config.5 @@ -594,6 +594,8 @@ and .Cm sha256 . The default is diff --git a/openssh-7.7p1-fips_checks.patch b/openssh-7.7p1-fips_checks.patch index b1ba434..cc0d5dc 100644 --- a/openssh-7.7p1-fips_checks.patch +++ b/openssh-7.7p1-fips_checks.patch @@ -14,11 +14,10 @@ # file is not found (or the hash matches), proceed in non-FIPS mode and abort # otherwise. -diff --git a/fips-check.c b/fips-check.c -new file mode 100644 -index 0000000..eceb031 +Index: openssh-8.4p1/fips-check.c +=================================================================== --- /dev/null -+++ b/fips-check.c ++++ openssh-8.4p1/fips-check.c @@ -0,0 +1,34 @@ +#include "includes.h" +#include @@ -54,10 +53,10 @@ index 0000000..eceb031 + fips_ssh_init(); + return 0; +} -diff --git a/fips.c b/fips.c -index 23e3876..297ae99 100644 ---- a/fips.c -+++ b/fips.c +Index: openssh-8.4p1/fips.c +=================================================================== +--- openssh-8.4p1.orig/fips.c ++++ openssh-8.4p1/fips.c 
@@ -35,30 +35,293 @@ #include "log.h" #include "xmalloc.h" @@ -246,7 +245,9 @@ index 23e3876..297ae99 100644 { int fips_required = 0; - char *env = getenv(SSH_FORCE_FIPS_ENV); -- ++ int fips_fd; ++ char fips_sys = 0; + - if (env) { - errno = 0; - fips_required = strtol(env, NULL, 10); @@ -256,9 +257,6 @@ index 23e3876..297ae99 100644 - fips_required = 0; - } else - fips_required = 1; -+ int fips_fd; -+ char fips_sys = 0; -+ + struct stat dummy; + if (-1 == stat(FIPS_PROC_PATH, &dummy)) { + switch (errno) { @@ -364,10 +362,10 @@ index 23e3876..297ae99 100644 int fips_mode(void) { -diff --git a/fips.h b/fips.h -index a115a61..3404684 100644 ---- a/fips.h -+++ b/fips.h +Index: openssh-8.4p1/fips.h +=================================================================== +--- openssh-8.4p1.orig/fips.h ++++ openssh-8.4p1/fips.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -404,15 +402,15 @@ index a115a61..3404684 100644 int fips_mode(void); int fips_correct_dgst(int); int fips_dgst_min(void); -@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum fp_type); +@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum int fips_filter_crypto(char **, fips_filters); #endif - -diff --git a/sftp-server.c b/sftp-server.c -index 359204f..d6395fd 100644 ---- a/sftp-server.c -+++ b/sftp-server.c +Index: openssh-8.4p1/sftp-server.c +=================================================================== +--- openssh-8.4p1.orig/sftp-server.c ++++ openssh-8.4p1/sftp-server.c @@ -53,6 +53,8 @@ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ @@ -422,7 +420,7 @@ index 359204f..d6395fd 100644 /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; -@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) +@@ -1577,6 +1579,9 @@ sftp_server_main(int argc, char **argv, extern char *optarg; extern char *__progname; 
@@ -432,10 +430,10 @@ index 359204f..d6395fd 100644 __progname = ssh_get_progname(argv[0]); log_init(__progname, log_level, log_facility, log_stderr); -diff --git a/ssh.c b/ssh.c -index 98b6ce7..dce28fd 100644 ---- a/ssh.c -+++ b/ssh.c +Index: openssh-8.4p1/ssh.c +=================================================================== +--- openssh-8.4p1.orig/ssh.c ++++ openssh-8.4p1/ssh.c @@ -113,6 +113,8 @@ #include "ssh-pkcs11.h" #endif @@ -445,9 +443,9 @@ index 98b6ce7..dce28fd 100644 extern char *__progname; /* Saves a copy of argv for setproctitle emulation */ -@@ -630,6 +632,10 @@ main(int ac, char **av) - struct addrinfo *addrs = NULL; +@@ -658,6 +660,10 @@ main(int ac, char **av) size_t n, len; + u_int j; + /* initialize fips - can go before ssh_malloc_init(), since that is a + * OpenBSD-only thing (as of OpenSSH 7.6p1) */ @@ -456,11 +454,11 @@ index 98b6ce7..dce28fd 100644 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -diff --git a/sshd.c b/sshd.c -index b2146a6..6092f0f 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -1505,6 +1505,10 @@ main(int ac, char **av) +Index: openssh-8.4p1/sshd.c +=================================================================== +--- openssh-8.4p1.orig/sshd.c ++++ openssh-8.4p1/sshd.c +@@ -1545,6 +1545,10 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = NULL; diff --git a/openssh-7.7p1-hostname_changes_when_forwarding_X.patch b/openssh-7.7p1-hostname_changes_when_forwarding_X.patch index 70e16c1..b2f8dda 100644 --- a/openssh-7.7p1-hostname_changes_when_forwarding_X.patch +++ b/openssh-7.7p1-hostname_changes_when_forwarding_X.patch 
@@ -3,11 +3,11 @@ # -- uset do be called '-xauthlocalhostname' handle hostname changes when forwarding X -diff --git a/session.c b/session.c -index 18cdfa8..85a9ee2 100644 ---- a/session.c -+++ b/session.c -@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int *envsize) +Index: openssh-8.4p1/session.c +=================================================================== +--- openssh-8.4p1.orig/session.c ++++ openssh-8.4p1/session.c +@@ -985,7 +985,7 @@ copy_environment(char **source, char *** #endif static char ** @@ -16,7 +16,7 @@ index 18cdfa8..85a9ee2 100644 { char buf[256]; size_t n; -@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) +@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -25,7 +25,7 @@ index 18cdfa8..85a9ee2 100644 return env; } -@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) +@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s * first in this order). */ static void @@ -33,9 +33,9 @@ index 18cdfa8..85a9ee2 100644 +do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size) { FILE *f = NULL; - char cmd[1024]; -@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell) - options.xauth_location); + char *cmd = NULL, *user_rc = NULL; +@@ -1260,12 +1262,20 @@ do_rc_files(struct ssh *ssh, Session *s, + fatal("%s: xasprintf: %s", __func__, strerror(errno)); f = popen(cmd, "w"); if (f) { + char hostname[MAXHOSTNAMELEN]; @@ -55,7 +55,7 @@ index 18cdfa8..85a9ee2 100644 } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1526,6 +1536,7 @@ do_child(struct ssh *ssh, Session *s, co char **env, *argv[ARGV_MAX], remote_id[512]; const char *shell, *shell0; struct passwd *pw = s->pw; 
@@ -63,7 +63,7 @@ index 18cdfa8..85a9ee2 100644 int r = 0; sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); -@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1582,7 +1593,7 @@ do_child(struct ssh *ssh, Session *s, co * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -72,7 +72,7 @@ index 18cdfa8..85a9ee2 100644 #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1646,7 +1657,7 @@ do_child(struct ssh *ssh, Session *s, co closefrom(STDERR_FILENO + 1); diff --git a/openssh-7.7p1-pam_check_locks.patch b/openssh-7.7p1-pam_check_locks.patch index d4638f9..c1f8847 100644 --- a/openssh-7.7p1-pam_check_locks.patch +++ b/openssh-7.7p1-pam_check_locks.patch @@ -5,11 +5,11 @@ UsePAM is used bnc#708678, FATE#312033 -Index: openssh-7.8p1/auth.c +Index: openssh-8.4p1/auth.c =================================================================== ---- openssh-7.8p1.orig/auth.c -+++ openssh-7.8p1/auth.c -@@ -112,7 +112,7 @@ allowed_user(struct passwd * pw) +--- openssh-8.4p1.orig/auth.c ++++ openssh-8.4p1/auth.c +@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas return 0; #ifdef USE_SHADOW @@ -18,7 +18,7 @@ Index: openssh-7.8p1/auth.c spw = getspnam(pw->pw_name); #ifdef HAS_SHADOW_EXPIRE if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) -@@ -132,7 +132,7 @@ allowed_user(struct passwd * pw) +@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas #endif /* check for locked account */ 
@@ -27,11 +27,11 @@ Index: openssh-7.8p1/auth.c int locked = 0; #ifdef LOCKED_PASSWD_STRING -Index: openssh-7.8p1/servconf.c +Index: openssh-8.4p1/servconf.c =================================================================== ---- openssh-7.8p1.orig/servconf.c -+++ openssh-7.8p1/servconf.c -@@ -83,6 +83,7 @@ initialize_server_options(ServerOptions +--- openssh-8.4p1.orig/servconf.c ++++ openssh-8.4p1/servconf.c +@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions /* Portable-specific options */ options->use_pam = -1; @@ -39,7 +39,7 @@ Index: openssh-7.8p1/servconf.c /* Standard Options */ options->num_ports = 0; -@@ -259,6 +260,8 @@ fill_default_server_options(ServerOption +@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) options->use_pam = 0; @@ -48,7 +48,7 @@ Index: openssh-7.8p1/servconf.c /* Standard Options */ if (options->num_host_key_files == 0) { -@@ -459,7 +462,7 @@ fill_default_server_options(ServerOption +@@ -501,7 +504,7 @@ fill_default_server_options(ServerOption typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ @@ -57,7 +57,7 @@ Index: openssh-7.8p1/servconf.c /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, -@@ -509,8 +512,10 @@ static struct { +@@ -553,8 +556,10 @@ static struct { /* Portable-specific options */ #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, @@ -68,7 +68,7 @@ Index: openssh-7.8p1/servconf.c #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ -@@ -1250,6 +1255,9 @@ process_server_config_line(ServerOptions +@@ -1318,6 +1323,9 @@ process_server_config_line_depth(ServerO case sUsePAM: intptr = &options->use_pam; goto parse_flag; 
@@ -78,11 +78,11 @@ Index: openssh-7.8p1/servconf.c /* Standard Options */ case sBadOption: -Index: openssh-7.8p1/servconf.h +Index: openssh-8.4p1/servconf.h =================================================================== ---- openssh-7.8p1.orig/servconf.h -+++ openssh-7.8p1/servconf.h -@@ -181,6 +181,7 @@ typedef struct { +--- openssh-8.4p1.orig/servconf.h ++++ openssh-8.4p1/servconf.h +@@ -195,6 +195,7 @@ typedef struct { char *adm_forced_command; int use_pam; /* Enable auth via PAM */ @@ -90,11 +90,11 @@ Index: openssh-7.8p1/servconf.h int permit_tun; -Index: openssh-7.8p1/sshd_config.0 +Index: openssh-8.4p1/sshd_config.0 =================================================================== ---- openssh-7.8p1.orig/sshd_config.0 -+++ openssh-7.8p1/sshd_config.0 -@@ -961,6 +961,14 @@ DESCRIPTION +--- openssh-8.4p1.orig/sshd_config.0 ++++ openssh-8.4p1/sshd_config.0 +@@ -1032,6 +1032,14 @@ DESCRIPTION If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is no. @@ -109,11 +109,11 @@ Index: openssh-7.8p1/sshd_config.0 VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default -Index: openssh-7.8p1/sshd_config.5 +Index: openssh-8.4p1/sshd_config.5 =================================================================== ---- openssh-7.8p1.orig/sshd_config.5 -+++ openssh-7.8p1/sshd_config.5 -@@ -1613,6 +1613,18 @@ is enabled, you will not be able to run +--- openssh-8.4p1.orig/sshd_config.5 ++++ openssh-8.4p1/sshd_config.5 +@@ -1718,6 +1718,18 @@ is enabled, you will not be able to run as a non-root user. The default is .Cm no . diff --git a/openssh-7.7p1-sftp_force_permissions.patch b/openssh-7.7p1-sftp_force_permissions.patch index 9f313c9..8e0cce8 100644 --- a/openssh-7.7p1-sftp_force_permissions.patch +++ b/openssh-7.7p1-sftp_force_permissions.patch 
@@ -1,14 +1,16 @@ ---- original/sftp-server.8 2016-12-19 04:59:41.000000000 +0000 -+++ original/sftp-server.8 2017-11-23 08:47:01.267239186 +0000 -@@ -38,6 +38,7 @@ - .Op Fl P Ar blacklisted_requests - .Op Fl p Ar whitelisted_requests +Index: openssh-8.4p1/sftp-server.8 +=================================================================== +--- openssh-8.4p1.orig/sftp-server.8 ++++ openssh-8.4p1/sftp-server.8 +@@ -38,6 +38,7 @@ + .Op Fl P Ar denied_requests + .Op Fl p Ar allowed_requests .Op Fl u Ar umask +.Op Fl m Ar force_file_dir_perms .Ek .Nm .Fl Q Ar protocol_feature -@@ -138,6 +139,10 @@ +@@ -138,6 +139,10 @@ Sets an explicit .Xr umask 2 to be applied to newly-created files and directories, instead of the user's default mask. @@ -19,9 +21,11 @@ .El .Pp On some systems, ---- original/sftp-server.c 2016-12-19 04:59:41.000000000 +0000 -+++ original/sftp-server.c 2017-11-23 13:07:08.481765581 +0000 -@@ -65,6 +65,10 @@ +Index: openssh-8.4p1/sftp-server.c +=================================================================== +--- openssh-8.4p1.orig/sftp-server.c ++++ openssh-8.4p1/sftp-server.c +@@ -69,6 +69,10 @@ struct sshbuf *oqueue; /* Version of client */ static u_int version; @@ -32,7 +36,7 @@ /* SSH2_FXP_INIT received */ static int init_done; -@@ -679,6 +683,7 @@ +@@ -687,6 +691,7 @@ process_open(u_int32_t id) Attrib a; char *name; int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE; @@ -40,7 +44,7 @@ if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ -@@ -688,6 +693,10 @@ +@@ -696,6 +701,10 @@ process_open(u_int32_t id) debug3("request %u: open flags %d", id, pflags); flags = flags_from_portable(pflags); mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666; @@ -51,7 +55,7 @@ logit("open \"%s\" flags %s mode 0%o", name, string_from_portable(pflags), mode); if (readonly && -@@ -709,6 +718,8 @@ +@@ -717,6 +726,8 @@ process_open(u_int32_t id) } } } 
@@ -60,7 +64,7 @@ if (status != SSH2_FX_OK) send_status(id, status); free(name); -@@ -1110,6 +1121,7 @@ +@@ -1131,6 +1142,7 @@ process_mkdir(u_int32_t id) Attrib a; char *name; int r, mode, status = SSH2_FX_FAILURE; @@ -68,7 +72,7 @@ if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = decode_attrib(iqueue, &a)) != 0) -@@ -1117,9 +1129,16 @@ +@@ -1138,9 +1150,16 @@ process_mkdir(u_int32_t id) mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm & 07777 : 0777; @@ -85,16 +89,16 @@ status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(name); -@@ -1490,7 +1509,7 @@ +@@ -1560,7 +1579,7 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " - "[-l log_level]\n\t[-P blacklisted_requests] " -- "[-p whitelisted_requests] [-u umask]\n" -+ "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n" + "[-l log_level]\n\t[-P denied_requests] " +- "[-p allowed_requests] [-u umask]\n" ++ "[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n" " %s -Q protocol_feature\n", __progname, __progname); exit(1); -@@ -1516,7 +1535,7 @@ +@@ -1588,7 +1607,7 @@ sftp_server_main(int argc, char **argv, pw = pwcopy(user_pw); while (!skipargs && (ch = getopt(argc, argv, @@ -103,7 +107,7 @@ switch (ch) { case 'Q': if (strcasecmp(optarg, "requests") != 0) { -@@ -1576,6 +1595,15 @@ +@@ -1650,6 +1669,15 @@ sftp_server_main(int argc, char **argv, fatal("Invalid umask \"%s\"", optarg); (void)umask((mode_t)mask); break; diff --git a/openssh-7.7p1-sftp_print_diagnostic_messages.patch b/openssh-7.7p1-sftp_print_diagnostic_messages.patch index 7be473f..f3706c4 100644 --- a/openssh-7.7p1-sftp_print_diagnostic_messages.patch +++ b/openssh-7.7p1-sftp_print_diagnostic_messages.patch 
@@ -2,11 +2,11 @@ # Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835 Put back sftp client diagnostic messages in batch mode -diff --git a/sftp.1 b/sftp.1 -index a305b37..6e802ec 100644 ---- a/sftp.1 -+++ b/sftp.1 -@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host. +Index: openssh-8.4p1/sftp.1 +=================================================================== +--- openssh-8.4p1.orig/sftp.1 ++++ openssh-8.4p1/sftp.1 +@@ -287,6 +287,9 @@ Specifies the port to connect to on the .It Fl p Preserves modification times, access times, and modes from the original files transferred. @@ -16,10 +16,10 @@ index a305b37..6e802ec 100644 .It Fl q Quiet mode: disables the progress meter as well as warning and diagnostic messages from -diff --git a/sftp.c b/sftp.c -index 2799e4a..52b2c23 100644 ---- a/sftp.c -+++ b/sftp.c +Index: openssh-8.4p1/sftp.c +=================================================================== +--- openssh-8.4p1.orig/sftp.c ++++ openssh-8.4p1/sftp.c @@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1; /* Suppress diagnositic messages */ int quiet = 0; @@ -30,15 +30,15 @@ index 2799e4a..52b2c23 100644 /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; -@@ -2409,7 +2412,7 @@ main(int argc, char **argv) +@@ -2408,7 +2411,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, -- "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { -+ "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { +- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { ++ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ - case '4': + case 'A': @@ -2426,6 +2429,9 @@ main(int argc, char **argv) addargs(&args, "-%c", ch); addargs(&args, "%s", optarg); 
@@ -56,5 +56,5 @@ index 2799e4a..52b2c23 100644 + if (batchmode && loud) + quiet = 0; - if (!isatty(STDERR_FILENO)) - showprogress = 0; + /* Do this last because we want the user to be able to override it */ + addargs(&args, "-oForwardAgent no"); diff --git a/openssh-8.1p1-audit.patch b/openssh-8.1p1-audit.patch index 4b47951..30247e2 100644 --- a/openssh-8.1p1-audit.patch +++ b/openssh-8.1p1-audit.patch @@ -1,8 +1,8 @@ -diff --git a/Makefile.in b/Makefile.in -index 88aba09..b815eac 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -115,7 +115,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +Index: openssh-8.4p1/Makefile.in +=================================================================== +--- openssh-8.4p1.orig/Makefile.in ++++ openssh-8.4p1/Makefile.in +@@ -113,7 +113,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ kexgssc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ @@ -11,11 +11,11 @@ index 88aba09..b815eac 100644 SKOBJS= ssh-sk-client.o -diff --git a/audit-bsm.c b/audit-bsm.c -index 0ba16c7..d5e9cda 100644 ---- a/audit-bsm.c -+++ b/audit-bsm.c -@@ -372,12 +372,25 @@ audit_connection_from(const char *host, int port) +Index: openssh-8.4p1/audit-bsm.c +=================================================================== +--- openssh-8.4p1.orig/audit-bsm.c ++++ openssh-8.4p1/audit-bsm.c +@@ -372,13 +372,26 @@ audit_connection_from(const char *host, #endif } @@ -33,16 +33,17 @@ index 0ba16c7..d5e9cda 100644 /* not implemented */ } -+void + void +audit_count_session_open(void) +{ + /* not necessary */ +} + - void ++void audit_session_open(struct logininfo *li) { -@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li) + /* not implemented */ +@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li /* not implemented */ } 
@@ -55,7 +56,7 @@ index 0ba16c7..d5e9cda 100644 void audit_event(struct ssh *ssh, ssh_audit_event_t event) { -@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_event_t event) +@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_e debug("%s: unhandled event %d", __func__, event); } } @@ -84,10 +85,10 @@ index 0ba16c7..d5e9cda 100644 + /* not implemented */ +} #endif /* BSM */ -diff --git a/audit-linux.c b/audit-linux.c -index 3fcbe5c..a823c30 100644 ---- a/audit-linux.c -+++ b/audit-linux.c +Index: openssh-8.4p1/audit-linux.c +=================================================================== +--- openssh-8.4p1.orig/audit-linux.c ++++ openssh-8.4p1/audit-linux.c @@ -33,27 +33,40 @@ #include "log.h" @@ -99,10 +100,11 @@ index 3fcbe5c..a823c30 100644 +#include "servconf.h" #include "canohost.h" #include "packet.h" +- +#include "cipher.h" +#include "channels.h" +#include "session.h" - ++ +#define AUDIT_LOG_SIZE 256 + +extern ServerOptions options; @@ -136,7 +138,7 @@ index 3fcbe5c..a823c30 100644 saved_errno = errno; close(audit_fd); -@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const char *username, const char *hostname, +@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const rc = 0; errno = saved_errno; @@ -234,7 +236,7 @@ index 3fcbe5c..a823c30 100644 /* Below is the sshd audit API code */ void -@@ -76,49 +176,210 @@ audit_connection_from(const char *host, int port) +@@ -76,49 +176,210 @@ audit_connection_from(const char *host, /* not implemented */ } @@ -457,10 +459,10 @@ index 3fcbe5c..a823c30 100644 + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff --git a/audit.c b/audit.c -index dd2f035..c8d54b1 100644 ---- a/audit.c -+++ b/audit.c +Index: openssh-8.4p1/audit.c +=================================================================== +--- openssh-8.4p1.orig/audit.c ++++ openssh-8.4p1/audit.c @@ -34,6 +34,12 @@ #include "log.h" #include "hostfile.h" 
@@ -534,11 +536,10 @@ index dd2f035..c8d54b1 100644 # ifndef CUSTOM_SSH_AUDIT_EVENTS /* * Null implementations of audit functions. -@@ -137,6 +170,17 @@ audit_event(struct ssh *ssh, ssh_audit_event_t event) - audit_username(), event, audit_event_lookup(event)); +@@ -138,6 +171,17 @@ audit_event(struct ssh *ssh, ssh_audit_e } -+/* + /* + * Called when a child process has called, or will soon call, + * audit_session_open. + */ @@ -549,10 +550,11 @@ index dd2f035..c8d54b1 100644 + audit_username()); +} + - /* ++/* * Called when a user session is started. Argument is the tty allocated to * the session, or NULL if no tty was allocated. -@@ -172,13 +216,82 @@ audit_session_close(struct logininfo *li) + * +@@ -172,13 +216,82 @@ audit_session_close(struct logininfo *li /* * This will be called when a user runs a non-interactive command. Note that * it may be called multiple times for a single connection since SSH2 allows @@ -638,10 +640,10 @@ index dd2f035..c8d54b1 100644 } # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/audit.h b/audit.h -index 38cb5ad..45d66cc 100644 ---- a/audit.h -+++ b/audit.h +Index: openssh-8.4p1/audit.h +=================================================================== +--- openssh-8.4p1.orig/audit.h ++++ openssh-8.4p1/audit.h @@ -26,6 +26,7 @@ # define _SSH_AUDIT_H @@ -684,11 +686,10 @@ index 38cb5ad..45d66cc 100644 +void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t); #endif /* _SSH_AUDIT_H */ -diff --git a/auditstub.c b/auditstub.c -new file mode 100644 -index 0000000..639a798 +Index: openssh-8.4p1/auditstub.c +=================================================================== --- /dev/null -+++ b/auditstub.c ++++ openssh-8.4p1/auditstub.c @@ -0,0 +1,52 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + 
@@ -742,11 +743,11 @@ index 0000000..639a798 +audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid) +{ +} -diff --git a/auth.c b/auth.c -index 779a1af..f6f3c86 100644 ---- a/auth.c -+++ b/auth.c -@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial, +Index: openssh-8.4p1/auth.c +=================================================================== +--- openssh-8.4p1.orig/auth.c ++++ openssh-8.4p1/auth.c +@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica # endif #endif #ifdef SSH_AUDIT_EVENTS @@ -755,7 +756,7 @@ index 779a1af..f6f3c86 100644 audit_event(ssh, audit_classify_auth(method)); #endif } -@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const char *user) +@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const cha record_failed_login(ssh, user, auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); #endif @@ -765,11 +766,11 @@ index 779a1af..f6f3c86 100644 return (NULL); } if (!allowed_user(ssh, pw)) -diff --git a/auth.h b/auth.h -index becc672..c8a99fb 100644 ---- a/auth.h -+++ b/auth.h -@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh *, const char *user); +Index: openssh-8.4p1/auth.h +=================================================================== +--- openssh-8.4p1.orig/auth.h ++++ openssh-8.4p1/auth.h +@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); 
@@ -778,7 +779,7 @@ index becc672..c8a99fb 100644 FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); -@@ -208,6 +210,8 @@ struct sshkey *get_hostkey_private_by_type(int, int, struct ssh *); +@@ -208,6 +210,8 @@ struct sshkey *get_hostkey_private_by_ty int get_hostkey_index(struct sshkey *, int, struct ssh *); int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, u_char **, size_t *, const u_char *, size_t, const char *); @@ -787,10 +788,10 @@ index becc672..c8a99fb 100644 /* Key / cert options linkage to auth layer */ const struct sshauthopt *auth_options(struct ssh *); -diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 5e9b7c6..c0a09a3 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c +Index: openssh-8.4p1/auth2-hostbased.c +=================================================================== +--- openssh-8.4p1.orig/auth2-hostbased.c ++++ openssh-8.4p1/auth2-hostbased.c @@ -150,7 +150,7 @@ userauth_hostbased(struct ssh *ssh) authenticated = 0; if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser, @@ -820,10 +821,10 @@ index 5e9b7c6..c0a09a3 100644 /* return 1 if given hostkey is allowed */ int hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index 815ea0f..f8a4325 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c +Index: openssh-8.4p1/auth2-pubkey.c +=================================================================== +--- openssh-8.4p1.orig/auth2-pubkey.c ++++ openssh-8.4p1/auth2-pubkey.c @@ -212,7 +212,7 @@ userauth_pubkey(struct ssh *ssh) /* test for correct signature */ authenticated = 0; @@ -833,7 +834,7 @@ index 815ea0f..f8a4325 100644 sshbuf_ptr(b), sshbuf_len(b), (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, ssh->compat, &sig_details)) == 0) { -@@ -294,6 +294,19 @@ done: +@@ -308,6 +308,19 @@ done: return authenticated; } 
@@ -853,11 +854,11 @@ index 815ea0f..f8a4325 100644 static int match_principals_option(const char *principal_list, struct sshkey_cert *cert) { -diff --git a/auth2.c b/auth2.c -index a4a5e00..b12d2ac 100644 ---- a/auth2.c -+++ b/auth2.c -@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) +Index: openssh-8.4p1/auth2.c +=================================================================== +--- openssh-8.4p1.orig/auth2.c ++++ openssh-8.4p1/auth2.c +@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32 } else { /* Invalid user, fake password information */ authctxt->pw = fakepw(); @@ -867,10 +868,10 @@ index a4a5e00..b12d2ac 100644 } #ifdef USE_PAM if (options.use_pam) -diff --git a/cipher.c b/cipher.c -index 599b54a..7f25a18 100644 ---- a/cipher.c -+++ b/cipher.c +Index: openssh-8.4p1/cipher.c +=================================================================== +--- openssh-8.4p1.orig/cipher.c ++++ openssh-8.4p1/cipher.c @@ -58,25 +58,6 @@ #define EVP_CIPHER_CTX void #endif @@ -897,7 +898,7 @@ index 599b54a..7f25a18 100644 static const struct sshcipher ciphers_all[] = { #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES -@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr, +@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx * void cipher_free(struct sshcipher_ctx *cc) { @@ -906,10 +907,10 @@ index 599b54a..7f25a18 100644 return; if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { chachapoly_free(cc->cp_ctx); -diff --git a/cipher.h b/cipher.h -index 626f2f5..b3383a5 100644 ---- a/cipher.h -+++ b/cipher.h +Index: openssh-8.4p1/cipher.h +=================================================================== +--- openssh-8.4p1.orig/cipher.h ++++ openssh-8.4p1/cipher.h @@ -47,7 +47,25 @@ #define CIPHER_ENCRYPT 1 #define CIPHER_DECRYPT 0 
@@ -937,10 +938,10 @@ index 626f2f5..b3383a5 100644 struct sshcipher_ctx { int plaintext; int encrypt; -diff --git a/kex.c b/kex.c -index fbb8e4f..39cad99 100644 ---- a/kex.c -+++ b/kex.c +Index: openssh-8.4p1/kex.c +=================================================================== +--- openssh-8.4p1.orig/kex.c ++++ openssh-8.4p1/kex.c @@ -62,6 +62,7 @@ #include "ssherr.h" #include "sshbuf.h" @@ -968,7 +969,7 @@ index fbb8e4f..39cad99 100644 if ((enc->cipher = cipher_by_name(name)) == NULL) { error("%s: unsupported cipher %s", __func__, name); free(name); -@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) +@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshma { char *name = match_list(client, server, NULL); @@ -982,7 +983,7 @@ index fbb8e4f..39cad99 100644 if (mac_setup(mac, name) < 0) { error("%s: unsupported MAC %s", __func__, name); free(name); -@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) +@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshma } static int @@ -1030,7 +1031,7 @@ index fbb8e4f..39cad99 100644 } /* XXX need runden? */ kex->we_need = need; -@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_char *digest, int len) +@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_cha } #endif @@ -1067,10 +1068,10 @@ index fbb8e4f..39cad99 100644 /* * Send a plaintext error message to the peer, suffixed by \r\n. * Only used during banner exchange, and there only for the server. -diff --git a/kex.h b/kex.h -index 4dc48fd..fdf0cf6 100644 ---- a/kex.h -+++ b/kex.h +Index: openssh-8.4p1/kex.h +=================================================================== +--- openssh-8.4p1.orig/kex.h ++++ openssh-8.4p1/kex.h @@ -226,6 +226,8 @@ int kexgss_client(struct ssh *); int kexgss_server(struct ssh *); #endif 
@@ -1080,10 +1081,10 @@ index 4dc48fd..fdf0cf6 100644 int kex_dh_keypair(struct kex *); int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); -diff --git a/mac.c b/mac.c -index 90d71c8..6d87a80 100644 ---- a/mac.c -+++ b/mac.c +Index: openssh-8.4p1/mac.c +=================================================================== +--- openssh-8.4p1.orig/mac.c ++++ openssh-8.4p1/mac.c @@ -277,6 +277,20 @@ mac_clear(struct sshmac *mac) mac->umac_ctx = NULL; } @@ -1105,21 +1106,21 @@ index 90d71c8..6d87a80 100644 /* XXX copied from ciphers_valid */ #define MAC_SEP "," int -diff --git a/mac.h b/mac.h -index 0b119d7..5fb593b 100644 ---- a/mac.h -+++ b/mac.h -@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int32_t, const u_char *, int, +Index: openssh-8.4p1/mac.h +=================================================================== +--- openssh-8.4p1.orig/mac.h ++++ openssh-8.4p1/mac.h +@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3 int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t, const u_char *, size_t); void mac_clear(struct sshmac *); +void mac_destroy(struct sshmac *); #endif /* SSHMAC_H */ -diff --git a/monitor.c b/monitor.c -index cf775e5..fcd8283 100644 ---- a/monitor.c -+++ b/monitor.c +Index: openssh-8.4p1/monitor.c +=================================================================== +--- openssh-8.4p1.orig/monitor.c ++++ openssh-8.4p1/monitor.c @@ -93,6 +93,7 @@ #include "compat.h" #include "ssh2.h" @@ -1137,7 +1138,7 @@ index cf775e5..fcd8283 100644 /* State exported from the child */ static struct sshbuf *child_state; -@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh*, int, struct sshbuf *); +@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(struct ssh *, int, struct sshbuf *); int mm_answer_audit_command(struct ssh *, int, struct sshbuf *); 
@@ -1149,7 +1150,7 @@ index cf775e5..fcd8283 100644 #endif static Authctxt *authctxt; -@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[] #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1160,7 +1161,7 @@ index cf775e5..fcd8283 100644 #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20[] = { +@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20 #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, @@ -1172,9 +1173,9 @@ index cf775e5..fcd8283 100644 #endif {0, 0, NULL} }; -@@ -1406,8 +1423,10 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) - size_t signaturelen, datalen, bloblen; - int r, ret, req_presence = 0, valid_data = 0, encoded_ret; +@@ -1407,8 +1424,10 @@ mm_answer_keyverify(struct ssh *ssh, int + int r, ret, req_presence = 0, req_verify = 0, valid_data = 0; + int encoded_ret; struct sshkey_sig_details *sig_details = NULL; + int type = 0; @@ -1184,7 +1185,7 @@ index cf775e5..fcd8283 100644 (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 || (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 || (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) -@@ -1416,6 +1435,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1417,6 +1436,8 @@ mm_answer_keyverify(struct ssh *ssh, int if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) fatal("%s: bad key, not previously allowed", __func__); 
@@ -1193,7 +1194,7 @@ index cf775e5..fcd8283 100644 /* Empty signature algorithm means NULL. */ if (*sigalg == '\0') { -@@ -1431,14 +1452,19 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1432,14 +1453,19 @@ mm_answer_keyverify(struct ssh *ssh, int case MM_USERKEY: valid_data = monitor_valid_userblob(data, datalen); auth_method = "publickey"; @@ -1213,7 +1214,7 @@ index cf775e5..fcd8283 100644 break; } if (!valid_data) -@@ -1448,8 +1474,6 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1449,8 +1475,6 @@ mm_answer_keyverify(struct ssh *ssh, int SSH_FP_DEFAULT)) == NULL) fatal("%s: sshkey_fingerprint failed", __func__); @@ -1222,7 +1223,7 @@ index cf775e5..fcd8283 100644 debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key, (ret == 0) ? "verified" : "unverified", (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); -@@ -1524,13 +1548,19 @@ mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw) +@@ -1537,13 +1561,19 @@ mm_record_login(struct ssh *ssh, Session } static void @@ -1243,7 +1244,7 @@ index cf775e5..fcd8283 100644 session_unused(s->self); } -@@ -1597,7 +1627,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1610,7 +1640,7 @@ mm_answer_pty(struct ssh *ssh, int sock, error: if (s != NULL) @@ -1252,7 +1253,7 @@ index cf775e5..fcd8283 100644 if ((r = sshbuf_put_u32(m, 0)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(sock, MONITOR_ANS_PTY, m); -@@ -1616,7 +1646,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1629,7 +1659,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); if ((s = session_by_tty(tty)) != NULL) 
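Review bot: The rebased context for mm_answer_keyverify now carries the 8.4 `req_verify` flag alongside `req_presence`, while the audit patch's `+@@ -1449,8 +1475,6 @@` hunk removes the two lines that follow the sshkey_fingerprint fatal(), which in upstream 8.4 appears to be where `ret = sshkey_verify(..., &sig_details)` lives; the relocated verify call in the per-type cases is outside the visible lines. Please confirm the relocated call still assigns `ret` and passes `&sig_details`, because the user-presence and verify-required checks that follow the debug3 line depend on `sig_details` being populated — if it stays NULL those FIDO checks are silently skipped rather than failing closed. The function begins and ends outside this hunk.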
@@ -1261,7 +1262,7 @@ index cf775e5..fcd8283 100644 sshbuf_reset(m); free(tty); return (0); -@@ -1638,6 +1668,8 @@ mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req) +@@ -1651,6 +1681,8 @@ mm_answer_term(struct ssh *ssh, int sock sshpam_cleanup(); #endif @@ -1270,7 +1271,7 @@ index cf775e5..fcd8283 100644 while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); -@@ -1684,12 +1716,47 @@ mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m) +@@ -1697,12 +1729,47 @@ mm_answer_audit_command(struct ssh *ssh, { char *cmd; int r; @@ -1319,7 +1320,7 @@ index cf775e5..fcd8283 100644 free(cmd); return (0); } -@@ -1755,6 +1822,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) +@@ -1768,6 +1835,7 @@ monitor_apply_keystate(struct ssh *ssh, void mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor) { @@ -1327,7 +1328,7 @@ index cf775e5..fcd8283 100644 debug3("%s: Waiting for new keys", __func__); if ((child_state = sshbuf_new()) == NULL) -@@ -1762,6 +1830,19 @@ mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor) +@@ -1775,6 +1843,19 @@ mm_get_keystate(struct ssh *ssh, struct mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, child_state); debug3("%s: GOT new keys", __func__); @@ -1347,7 +1348,7 @@ index cf775e5..fcd8283 100644 } -@@ -2039,3 +2120,102 @@ mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) { +@@ -2052,3 +2133,102 @@ mm_answer_gss_updatecreds(struct ssh *ss #endif /* GSSAPI */ @@ -1450,10 +1451,10 @@ index cf775e5..fcd8283 100644 + return 0; +} +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/monitor.h b/monitor.h -index 2b1a2d5..7817990 100644 ---- a/monitor.h -+++ b/monitor.h +Index: openssh-8.4p1/monitor.h +=================================================================== +--- openssh-8.4p1.orig/monitor.h ++++ openssh-8.4p1/monitor.h 
@@ -61,7 +61,13 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, @@ -1469,11 +1470,11 @@ index 2b1a2d5..7817990 100644 MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, -diff --git a/monitor_wrap.c b/monitor_wrap.c -index 6edb509..cb5e5f3 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host, +Index: openssh-8.4p1/monitor_wrap.c +=================================================================== +--- openssh-8.4p1.orig/monitor_wrap.c ++++ openssh-8.4p1/monitor_wrap.c +@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, con */ int @@ -1482,7 +1483,7 @@ index 6edb509..cb5e5f3 100644 const u_char *data, size_t datalen, const char *sigalg, u_int compat, struct sshkey_sig_details **sig_detailsp) { -@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen, +@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *ke *sig_detailsp = NULL; if ((m = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__); @@ -1492,7 +1493,7 @@ index 6edb509..cb5e5f3 100644 (r = sshbuf_put_string(m, sig, siglen)) != 0 || (r = sshbuf_put_string(m, data, datalen)) != 0 || (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) -@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen, +@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *ke return 0; } @@ -1513,7 +1514,7 @@ index 6edb509..cb5e5f3 100644 void mm_send_keystate(struct ssh *ssh, struct monitor *monitor) { -@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audit_event_t event) +@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi sshbuf_free(m); } 
@@ -1528,7 +1529,7 @@ index 6edb509..cb5e5f3 100644 debug3("%s entering command %s", __func__, command); -@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command) +@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m); @@ -1559,7 +1560,7 @@ index 6edb509..cb5e5f3 100644 sshbuf_free(m); } #endif /* SSH_AUDIT_EVENTS */ -@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) +@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc } #endif /* GSSAPI */ @@ -1643,11 +1644,11 @@ index 6edb509..cb5e5f3 100644 + sshbuf_free(m); +} +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/monitor_wrap.h b/monitor_wrap.h -index 485590c..73c095e 100644 ---- a/monitor_wrap.h -+++ b/monitor_wrap.h -@@ -57,7 +57,9 @@ int mm_user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int, +Index: openssh-8.4p1/monitor_wrap.h +=================================================================== +--- openssh-8.4p1.orig/monitor_wrap.h ++++ openssh-8.4p1/monitor_wrap.h +@@ -58,7 +58,9 @@ int mm_user_key_allowed(struct ssh *, st struct sshauthopt **); int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *, const char *, struct sshkey *); @@ -1658,7 +1659,7 @@ index 485590c..73c095e 100644 const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); #ifdef GSSAPI -@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *); +@@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *); #ifdef SSH_AUDIT_EVENTS #include "audit.h" void mm_audit_event(struct ssh *, ssh_audit_event_t); @@ -1672,10 +1673,10 @@ index 485590c..73c095e 100644 #endif struct Session; -diff --git a/packet.c b/packet.c -index e7abb34..997c338 100644 ---- a/packet.c -+++ b/packet.c +Index: openssh-8.4p1/packet.c +=================================================================== +--- openssh-8.4p1.orig/packet.c ++++ openssh-8.4p1/packet.c 
@@ -81,6 +81,7 @@ #endif @@ -1684,7 +1685,7 @@ index e7abb34..997c338 100644 #include "compat.h" #include "ssh2.h" #include "cipher.h" -@@ -515,6 +516,13 @@ ssh_packet_get_connection_out(struct ssh *ssh) +@@ -518,6 +519,13 @@ ssh_packet_get_connection_out(struct ssh return ssh->state->connection_out; } @@ -1698,7 +1699,7 @@ index e7abb34..997c338 100644 /* * Returns the IP-address of the remote host as a string. The returned * string must not be freed. -@@ -592,22 +600,19 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close) +@@ -595,22 +603,19 @@ ssh_packet_close_internal(struct ssh *ss { struct session_state *state = ssh->state; u_int mode; @@ -1726,7 +1727,7 @@ index e7abb34..997c338 100644 for (mode = 0; mode < MODE_MAX; mode++) { kex_free_newkeys(state->newkeys[mode]); /* current keys */ state->newkeys[mode] = NULL; -@@ -643,8 +648,18 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close) +@@ -646,8 +651,18 @@ ssh_packet_close_internal(struct ssh *ss #endif /* WITH_ZLIB */ cipher_free(state->send_context); cipher_free(state->receive_context); @@ -1745,7 +1746,7 @@ index e7abb34..997c338 100644 free(ssh->local_ipaddr); ssh->local_ipaddr = NULL; free(ssh->remote_ipaddr); -@@ -899,6 +914,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode) +@@ -904,6 +919,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod (unsigned long long)state->p_send.bytes, (unsigned long long)state->p_send.blocks); kex_free_newkeys(state->newkeys[mode]); @@ -1753,7 +1754,7 @@ index e7abb34..997c338 100644 state->newkeys[mode] = NULL; } /* note that both bytes and the seqnr are not reset */ -@@ -2205,6 +2221,73 @@ ssh_packet_get_output(struct ssh *ssh) +@@ -2210,6 +2226,73 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } 
@@ -1827,20 +1828,20 @@ index e7abb34..997c338 100644 /* Reset after_authentication and reset compression in post-auth privsep */ static int ssh_packet_set_postauth(struct ssh *ssh) -diff --git a/packet.h b/packet.h -index c2544bd..239b391 100644 ---- a/packet.h -+++ b/packet.h -@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); +Index: openssh-8.4p1/packet.h +=================================================================== +--- openssh-8.4p1.orig/packet.h ++++ openssh-8.4p1/packet.h +@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, s # undef EC_POINT #endif +void packet_destroy_all(struct ssh *, int, int); #endif /* PACKET_H */ -diff --git a/session.c b/session.c -index 530aa26..9e7a8f8 100644 ---- a/session.c -+++ b/session.c +Index: openssh-8.4p1/session.c +=================================================================== +--- openssh-8.4p1.orig/session.c ++++ openssh-8.4p1/session.c @@ -136,7 +136,7 @@ extern char *__progname; extern int debug_flag; extern u_int utmp_len; @@ -1850,7 +1851,7 @@ index 530aa26..9e7a8f8 100644 extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; extern char *tun_fwd_ifnames; /* serverloop.c */ -@@ -647,6 +647,14 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command) +@@ -647,6 +647,14 @@ do_exec_pty(struct ssh *ssh, Session *s, /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); @@ -1865,7 +1866,7 @@ index 530aa26..9e7a8f8 100644 /* Enter interactive session. */ s->ptymaster = ptymaster; ssh_packet_set_interactive(ssh, 1, -@@ -711,15 +719,19 @@ do_exec(struct ssh *ssh, Session *s, const char *command) +@@ -711,15 +719,19 @@ do_exec(struct ssh *ssh, Session *s, con s->self); #ifdef SSH_AUDIT_EVENTS 
@@ -1887,7 +1888,7 @@ index 530aa26..9e7a8f8 100644 #endif if (s->ttyfd != -1) ret = do_exec_pty(ssh, s, command); -@@ -1535,8 +1547,11 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1542,8 +1554,11 @@ do_child(struct ssh *ssh, Session *s, co sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); /* remove hostkey from the child's memory */ @@ -1900,7 +1901,7 @@ index 530aa26..9e7a8f8 100644 /* Force a password change */ if (s->authctxt->force_pwchange) { -@@ -1745,6 +1760,9 @@ session_unused(int id) +@@ -1752,6 +1767,9 @@ session_unused(int id) sessions[id].ttyfd = -1; sessions[id].ptymaster = -1; sessions[id].x11_chanids = NULL; @@ -1910,11 +1911,10 @@ index 530aa26..9e7a8f8 100644 sessions[id].next_unused = sessions_first_unused; sessions_first_unused = id; } -@@ -1826,6 +1844,19 @@ session_open(Authctxt *authctxt, int chanid) - return 1; +@@ -1834,6 +1852,19 @@ session_open(Authctxt *authctxt, int cha } -+Session * + Session * +session_by_id(int id) +{ + if (id >= 0 && id < sessions_nalloc) { @@ -1927,10 +1927,11 @@ index 530aa26..9e7a8f8 100644 + return NULL; +} + - Session * ++Session * session_by_tty(char *tty) { -@@ -2437,6 +2468,32 @@ session_exit_message(struct ssh *ssh, Session *s, int status) + int i; +@@ -2444,6 +2475,32 @@ session_exit_message(struct ssh *ssh, Se chan_write_failed(ssh, c); } @@ -1963,7 +1964,7 @@ index 530aa26..9e7a8f8 100644 void session_close(struct ssh *ssh, Session *s) { -@@ -2478,6 +2535,10 @@ session_close(struct ssh *ssh, Session *s) +@@ -2485,6 +2542,10 @@ session_close(struct ssh *ssh, Session * if (s->ttyfd != -1) session_pty_cleanup(s); @@ -1974,7 +1975,7 @@ index 530aa26..9e7a8f8 100644 free(s->term); free(s->display); free(s->x11_chanids); -@@ -2553,14 +2614,14 @@ session_close_by_channel(struct ssh *ssh, int id, void *arg) +@@ -2560,14 +2621,14 @@ session_close_by_channel(struct ssh *ssh } void 
@@ -1991,7 +1992,7 @@ index 530aa26..9e7a8f8 100644 else session_close(ssh, s); } -@@ -2686,6 +2747,15 @@ do_authenticated2(struct ssh *ssh, Authctxt *authctxt) +@@ -2693,6 +2754,15 @@ do_authenticated2(struct ssh *ssh, Authc server_loop2(ssh, authctxt); } @@ -2007,7 +2008,7 @@ index 530aa26..9e7a8f8 100644 void do_cleanup(struct ssh *ssh, Authctxt *authctxt) { -@@ -2749,7 +2819,7 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) +@@ -2756,7 +2826,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au * or if running in monitor. */ if (!use_privsep || mm_is_monitor()) @@ -2016,10 +2017,10 @@ index 530aa26..9e7a8f8 100644 } /* Return a name for the remote host that fits inside utmp_size */ -diff --git a/session.h b/session.h -index ce59dab..bcd4b1d 100644 ---- a/session.h -+++ b/session.h +Index: openssh-8.4p1/session.h +=================================================================== +--- openssh-8.4p1.orig/session.h ++++ openssh-8.4p1/session.h @@ -61,6 +61,12 @@ struct Session { char *name; char *val; @@ -2047,10 +2048,10 @@ index ce59dab..bcd4b1d 100644 Session *session_by_tty(char *); void session_close(struct ssh *, Session *); void do_setusercontext(struct passwd *); -diff --git a/sshd.c b/sshd.c -index 7d23232..9c83ce0 100644 ---- a/sshd.c -+++ b/sshd.c +Index: openssh-8.4p1/sshd.c +=================================================================== +--- openssh-8.4p1.orig/sshd.c ++++ openssh-8.4p1/sshd.c @@ -122,6 +122,7 @@ #include "ssh-gss.h" #endif @@ -2212,7 +2213,7 @@ index 7d23232..9c83ce0 100644 setproctitle("%s", "[net]"); if (box != NULL) ssh_sandbox_child(box); -@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) +@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authct pmonitor->m_sendfd = -1; /* Demote the private keys to public keys. */ 
@@ -2221,7 +2222,7 @@ index 7d23232..9c83ce0 100644 reseed_prngs(); -@@ -1101,7 +1156,7 @@ server_listen(void) +@@ -1159,7 +1214,7 @@ server_listen(void) * from this function are in a forked subprocess. */ static void @@ -2230,7 +2231,7 @@ index 7d23232..9c83ce0 100644 { fd_set *fdset; int i, j, ret, maxfd; -@@ -1162,6 +1217,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) +@@ -1220,6 +1275,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); @@ -2238,7 +2239,7 @@ index 7d23232..9c83ce0 100644 close_listen_socks(); if (options.pid_file != NULL) unlink(options.pid_file); -@@ -2039,7 +2095,7 @@ main(int ac, char **av) +@@ -2089,7 +2145,7 @@ main(int ac, char **av) #endif /* Accept a connection and return in a forked child */ @@ -2247,7 +2248,7 @@ index 7d23232..9c83ce0 100644 &newsock, config_s); } -@@ -2274,6 +2330,9 @@ main(int ac, char **av) +@@ -2325,6 +2381,9 @@ main(int ac, char **av) do_authenticated(ssh, authctxt); /* The connection has been terminated. */ @@ -2257,7 +2258,7 @@ index 7d23232..9c83ce0 100644 ssh_packet_get_bytes(ssh, &ibytes, &obytes); verbose("Transferred: sent %llu, received %llu bytes", (unsigned long long)obytes, (unsigned long long)ibytes); -@@ -2457,6 +2516,15 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2509,6 +2568,15 @@ do_ssh2_kex(struct ssh *ssh) void cleanup_exit(int i) { @@ -2273,7 +2274,7 @@ index 7d23232..9c83ce0 100644 if (the_active_state != NULL && the_authctxt != NULL) { do_cleanup(the_active_state, the_authctxt); if (use_privsep && privsep_is_preauth && -@@ -2468,9 +2536,16 @@ cleanup_exit(int i) +@@ -2520,9 +2588,16 @@ cleanup_exit(int i) pmonitor->m_pid, strerror(errno)); } } 
@@ -2291,15 +2292,14 @@ index 7d23232..9c83ce0 100644 audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif _exit(i); -diff --git a/sshkey.c b/sshkey.c -index 1ac32a0..f579108 100644 ---- a/sshkey.c -+++ b/sshkey.c -@@ -368,6 +368,38 @@ sshkey_type_is_valid_ca(int type) - } +Index: openssh-8.4p1/sshkey.c +=================================================================== +--- openssh-8.4p1.orig/sshkey.c ++++ openssh-8.4p1/sshkey.c +@@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type) } -+int + int +sshkey_is_private(const struct sshkey *k) +{ + switch (k->type) { @@ -2331,14 +2331,15 @@ index 1ac32a0..f579108 100644 + } +} + - int ++int sshkey_is_cert(const struct sshkey *k) { -diff --git a/sshkey.h b/sshkey.h -index f586e89..a08bc65 100644 ---- a/sshkey.h -+++ b/sshkey.h -@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshkey *); + if (k == NULL) +Index: openssh-8.4p1/sshkey.h +=================================================================== +--- openssh-8.4p1.orig/sshkey.h ++++ openssh-8.4p1/sshkey.h +@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshke int sshkey_unshield_private(struct sshkey *); int sshkey_type_from_name(const char *); diff --git a/openssh-8.3p1.tar.gz b/openssh-8.3p1.tar.gz deleted file mode 100644 index 958a16b..0000000 --- a/openssh-8.3p1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2 -size 1706358 diff --git a/openssh-8.3p1.tar.gz.asc b/openssh-8.3p1.tar.gz.asc deleted file mode 100644 index 23d640c..0000000 --- a/openssh-8.3p1.tar.gz.asc +++ /dev/null 
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl7N2TQACgkQ0+X1a22S
-DTCXbAx/eycNNXxdVK3JtDQBUuSyup/eXeiuAdfTb77dKhdInk6ivaaKtVZ+3rlu
-eEUwAY2Bf/majUUigI5OI/niODMqbYWBBDKRudQlDSGfH8XnRge6dRjIWXU6XvZP
-MJpxVZWRorjnuCArWemlJ5QFxSds938Ae+7MFkveQ59UpRDeslYiI6twCXjRiZEL
-e8lBfsfZqcOLO8KLVRvDx6sqD8EXlak8fhdjmjKdbvA4oWHLcwUcuaNT/o5I2ZWn
-m2sOQcuhwt3+jm+f9SQKLURHcmGC6Hu5YXBq4+Ut7P9Qc9lAf76SDDnsrRQ8pv+Z
-tLsXBO+bNe3tSkRbG/AQQRZtGEzlhM8KPyQ6oA0JqlN4Wb5XMWYFyYyJTwJ/95ZI
-dluMmpwQTRVQGUNU7kVNe04TwRl+8APqvcnE3/i7MDm6EG5BHGcAneRmZfvt209F
-z8yGtKQKCvZm5Rn9V0/Gm3+pq5O2sie90CPW9ebyPsajzQlrYBQPoJ1aQ+Ue4QE6
-gee5eO3TZOJJ3peTqjihGUtpKH+21w==
-=lhX0
------END PGP SIGNATURE-----
diff --git a/openssh-8.4p1.tar.gz b/openssh-8.4p1.tar.gz
new file mode 100644
index 0000000..40e43fe
--- /dev/null
+++ b/openssh-8.4p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
+size 1742201
diff --git a/openssh-8.4p1.tar.gz.asc b/openssh-8.4p1.tar.gz.asc
new file mode 100644
index 0000000..1f83b75
--- /dev/null
+++ b/openssh-8.4p1.tar.gz.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl9wQnwACgkQ0+X1a22S
+DTAR6wyAjRcvW7Jg9v73AR7TUO4WAD085sYi4ZLsECMZqhVZUBVv0Ofmcz2ISg3I
+NU1nr9Kiqf1/i05OUIR64kJEd4wTSwv+4HhyP5MPJqyCkKcFJ9TyRy6pASZtyH6D
+hKezJ79iGUg1U46bI6yyxchcAKrz0if97fKd0/1h5yE7T5lcbo+zQPsAg9dDXHBJ
+nL5mpBQXU3xbU8bC+E+vZ7VAyxEm6kzuY7MRW2wOhpPQ5DJgEjAUjtvzvd9SJhKl
+u/hgKXqIJBQB1pHlAFI1knfTrGUGrzob8QphukrvmbMJC3dO/o3Dplvx6lZkes0c
+6hP66rhTRp5Tmw9ae3iUmoDf6SyStlo/4QomCuw0NxHrSOng16VjCR+NRWHvZbXC
+JckIqparyOJ2jtHz0+e52sRZCZKauFBDMZboNj7f+htwQRUFOVfeSecpJiYut4bM
+YALdayOQwL96J6aMdoMKfMGZUevCPN6OM96E6cMC1fmanBenZQ/vatmskIvvvO/P
+rwECYTpGVRezhAvXMEy9x+EVdV6ctA==
+=PW3D
+-----END PGP SIGNATURE-----
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index 7df1ed5..351edc1 100644
--- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -18,14 +18,14 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 8.3p1 +Version: 8.4p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause Group: Productivity/Networking/SSH -URL: http://www.openssh.com/ -Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz -Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc +URL: https://www.openssh.com/ +Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz +Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc Requires: %{_name} = %{version} Supplements: packageand(openssh-clients:libgtk-3-0) %if 0%{?suse_version} >= 1550 diff --git a/openssh.changes b/openssh.changes index 58e5361..d35b282 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,133 @@ +------------------------------------------------------------------- +Mon Jan 18 00:30:37 UTC 2021 - Dirk Müller + +- update to 8.4p1: + Security + ======== + * ssh-agent(1): restrict ssh-agent from signing web challenges for + FIDO/U2F keys. + * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating + a FIDO resident key. + * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for + each use. These keys may be generated using ssh-keygen using a new + "verify-required" option. When a PIN-required key is used, the user + will be prompted for a PIN to complete the signature operation. + New Features + ------------ + * sshd(8): authorized_keys now supports a new "verify-required" + option to require FIDO signatures assert that the token verified + that the user was present before making the signature. The FIDO + protocol supports multiple methods for user-verification, but + currently OpenSSH only supports PIN verification. + + * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn + signatures. Webauthn is a standard for using FIDO keys in web + browsers. These signatures are a slightly different format to plain + FIDO signatures and thus require explicit support. + + * ssh(1): allow some keywords to expand shell-style ${ENV} + environment variables. The supported keywords are CertificateFile, + ControlPath, IdentityAgent and IdentityFile, plus LocalForward and + RemoteForward when used for Unix domain socket paths. bz#3140 + + * ssh(1), ssh-agent(1): allow some additional control over the use of + ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, + including forcibly enabling and disabling its use. bz#69 + + * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time + limit for keys in addition to its current flag options. Time- + limited keys will automatically be removed from ssh-agent after + their expiry time has passed. 
+ + * scp(1), sftp(1): allow the -A flag to explicitly enable agent + forwarding in scp and sftp. The default remains to not forward an + agent, even when ssh_config enables it. + + * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of + the destination. This allows, e.g., keeping host keys in individual + files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654 + + * ssh(1): add %-TOKEN, environment variable and tilde expansion to + the UserKnownHostsFile directive, allowing the path to be + completed by the configuration (e.g. bz#1654) + + * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted + from stdin. bz#3180 + + * sshd(8): improve logging for MaxStartups connection throttling. + sshd will now log when it starts and stops throttling and periodically + while in this state. bz#3055 + + Bugfixes + -------- + * ssh(1), ssh-keygen(1): better support for multiple attached FIDO + tokens. In cases where OpenSSH cannot unambiguously determine which + token to direct a request to, the user is now required to select a + token by touching it. In cases of operations that require a PIN to + be verified, this avoids sending the wrong PIN to the wrong token + and incrementing the token's PIN failure counter (tokens + effectively erase their keys after too many PIN failures). + * sshd(8): fix Include before Match in sshd_config; bz#3122 + * ssh(1): close stdin/out/error when forking after authentication + completes ("ssh -f ...") bz#3137 + * ssh(1), sshd(8): limit the amount of channel input data buffered, + avoiding peers that advertise large windows but are slow to read + from causing high memory consumption. + * ssh-agent(1): handle multiple requests sent in a single write() to + the agent. 
+ * sshd(8): allow sshd_config longer than 256k + * sshd(8): avoid spurious "Unable to load host key" message when sshd + load a private key but no public counterpart + * ssh(1): prefer the default hostkey algorithm list whenever we have + a hostkey that matches its best-preference algorithm. + * sshd(1): when ordering the hostkey algorithms to request from a + server, prefer certificate types if the known_hosts files contain a key + marked as a @cert-authority; bz#3157 + * ssh(1): perform host key fingerprint comparisons for the "Are you + sure you want to continue connecting (yes/no/[fingerprint])?" + prompt with case sensitivity. + * sshd(8): ensure that address/masklen mismatches in sshd_config + yield fatal errors at daemon start time rather than later when + they are evaluated. + * ssh-keygen(1): ensure that certificate extensions are lexically + sorted. Previously if the user specified a custom extension then + the everything would be in order except the custom ones. bz#3198 + * ssh(1): also compare username when checking for JumpHost loops. + bz#3057 + * ssh-keygen(1): preserve group/world read permission on known_hosts + files across runs of "ssh-keygen -Rf /path". The old behaviour was + to remove all rights for group/other. bz#3146 + * ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen + manual page and usage(). + * sshd(8): explicitly construct path to ~/.ssh/rc rather than + relying on it being relative to the current directory, so that it + can still be found if the shell startup changes its directory. + bz#3185 + * sshd(8): when redirecting sshd's log output to a file, undo this + redirection after the session child process is forked(). Fixes + missing log messages when using this feature under some + circumstances. + * sshd(8): start ClientAliveInterval bookkeeping before first pass + through select() loop; fixed theoretical case where busy sshd may + ignore timeouts from client. 
+ * ssh(1): only reset the ServerAliveInterval check when we receive + traffic from the server and ignore traffic from a port forwarding + client, preventing a client from keeping a connection alive when + it should be terminated. bz#2265 + * ssh-keygen(1): avoid spurious error message when ssh-keygen + creates files outside ~/.ssh + * sftp-client(1): fix off-by-one error that caused sftp downloads to + make one more concurrent request that desired. This prevented using + sftp(1) in unpipelined request/response mode, which is useful when + debugging. bz#3054 + * ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect() + helpers. bz#3071 + * ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to + write to it so we don't leave an empty .ssh directory when it's not + needed. bz#3156 + * ssh(1), sshd(8): fix multiplier when parsing time specifications + when handling seconds after other units. bz#3171 + ------------------------------------------------------------------- Fri Jan 8 01:37:02 UTC 2021 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 82f8ae5..e572352 100644 --- a/openssh.spec +++ b/openssh.spec @@ -38,14 +38,14 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 8.3p1 +Version: 8.4p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT Group: Productivity/Networking/SSH URL: https://www.openssh.com/ -Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz -Source1: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc +Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz +Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source2: sshd.pamd Source3: README.SUSE Source4: README.kerberos 
@@ -108,7 +108,7 @@ Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
 Patch41: openssh-fips-ensure-approved-moduli.patch
 Patch42: openssh-link-with-sk.patch
 BuildRequires: audit-devel
-BuildRequires: autoconf
+BuildRequires: automake
 BuildRequires: groff
 BuildRequires: libedit-devel
 BuildRequires: libselinux-devel
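Review bot: The `BuildRequires: autoconf` to `automake` swap is the only change in this hunk that is not part of the version bump, and the openssh.changes entry added by this request says nothing about it, so the motivation is lost for the next packager who has to rebase. Add a changelog line such as `- switch BuildRequires from autoconf to automake (autoreconf of 8.4p1 needs aclocal)` — the parenthetical is my guess at the reason and should be confirmed against the 8.4p1 configure.ac. If the spec's %build section still invokes `autoconf` or `autoreconf` directly (not visible here), the build now depends on automake pulling autoconf in transitively; worth checking that this is intended rather than dropping the explicit dependency by accident.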